[Pkg-gnupg-commit] [gnupg2] 111/166: dirmngr: New Assuan option "http-crl".
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Mar 16 22:33:11 UTC 2017
This is an automated email from the git hooks/post-receive script.
dkg pushed a commit to branch experimental
in repository gnupg2.
commit 493c142e582ff5ef1b5fdfcb9653715ef43e83e9
Author: Werner Koch <wk at gnupg.org>
Date: Tue Feb 21 09:37:07 2017 +0100
dirmngr: New Assuan option "http-crl".
* dirmngr/dirmngr.h (server_control_s): New flag 'http_no_crl'.
* dirmngr/dirmngr.c (dirmngr_init_default_ctrl): Set this flag.
* dirmngr/server.c (option_handler): New option "http-crl"
* dirmngr/http.h (HTTP_FLAG_NO_CRL): New flag.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Consult this flag.
* dirmngr/ks-engine-hkp.c (send_request): Set flag depending on CTRL.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
* dirmngr/t-http.c (main): New option --no-crl.
--
This new option can be used to enable CRL checks on a per session
base. The default is not to use CRLs for https connections.
Signed-off-by: Werner Koch <wk at gnupg.org>
---
dirmngr/dirmngr.c | 1 +
dirmngr/dirmngr.h | 2 ++
dirmngr/http-ntbtls.c | 4 ++--
dirmngr/http.c | 1 +
dirmngr/http.h | 3 ++-
dirmngr/ks-engine-hkp.c | 4 +++-
dirmngr/ks-engine-http.c | 4 +++-
dirmngr/server.c | 5 +++++
dirmngr/t-http.c | 18 +++++++++++++++---
9 files changed, 34 insertions(+), 8 deletions(-)
diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
index 5e6d983..f04d088 100644
--- a/dirmngr/dirmngr.c
+++ b/dirmngr/dirmngr.c
@@ -1492,6 +1492,7 @@ dirmngr_init_default_ctrl (ctrl_t ctrl)
ctrl->magic = SERVER_CONTROL_MAGIC;
if (opt.http_proxy)
ctrl->http_proxy = xstrdup (opt.http_proxy);
+ ctrl->http_no_crl = 1;
}
diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h
index 57e3372..b0b603f 100644
--- a/dirmngr/dirmngr.h
+++ b/dirmngr/dirmngr.h
@@ -190,6 +190,8 @@ struct server_control_s
int audit_events; /* Send audit events to client. */
char *http_proxy; /* The used http_proxy or NULL. */
+
+ unsigned int http_no_crl:1; /* Do not check CRLs for https. */
};
diff --git a/dirmngr/http-ntbtls.c b/dirmngr/http-ntbtls.c
index 5686877..3038cae 100644
--- a/dirmngr/http-ntbtls.c
+++ b/dirmngr/http-ntbtls.c
@@ -78,8 +78,8 @@ gnupg_http_tls_verify_cb (void *opaque,
if ((http_flags & HTTP_FLAG_TRUST_SYS))
validate_flags |= VALIDATE_FLAG_SYSTRUST;
- /* FIXME: For now we don't use CRLs. */
- validate_flags |= VALIDATE_FLAG_NOCRLCHECK;
+ if ((http_flags & HTTP_FLAG_NO_CRL))
+ validate_flags |= VALIDATE_FLAG_NOCRLCHECK;
err = validate_cert_chain (ctrl, hostcert, NULL, validate_flags, NULL);
diff --git a/dirmngr/http.c b/dirmngr/http.c
index 89e46ca..733018d 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -653,6 +653,7 @@ http_session_release (http_session_t sess)
* Valid values for FLAGS are:
* HTTP_FLAG_TRUST_DEF - Use the CAs set with http_register_tls_ca
* HTTP_FLAG_TRUST_SYS - Also use the CAs defined by the system
+ * HTTP_FLAG_NO_CRL - Do not consult CRLs for https.
*/
gpg_error_t
http_session_new (http_session_t *r_session,
diff --git a/dirmngr/http.h b/dirmngr/http.h
index 98ac4a3..331ee61 100644
--- a/dirmngr/http.h
+++ b/dirmngr/http.h
@@ -87,7 +87,8 @@ enum
HTTP_FLAG_IGNORE_IPv4 = 64, /* Do not use IPv4. */
HTTP_FLAG_IGNORE_IPv6 = 128, /* Do not use IPv6. */
HTTP_FLAG_TRUST_DEF = 256, /* Use the default CAs. */
- HTTP_FLAG_TRUST_SYS = 512 /* Also use the system defined CAs. */
+ HTTP_FLAG_TRUST_SYS = 512, /* Also use the system defined CAs. */
+ HTTP_FLAG_NO_CRL = 1024 /* Do not consult CRLs for https. */
};
diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index 4ca1e00..b6a0675 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -1123,7 +1123,9 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
*r_fp = NULL;
- err = http_session_new (&session, httphost, HTTP_FLAG_TRUST_DEF,
+ err = http_session_new (&session, httphost,
+ ((ctrl->http_no_crl? HTTP_FLAG_NO_CRL : 0)
+ | HTTP_FLAG_TRUST_DEF),
gnupg_http_tls_verify_cb, ctrl);
if (err)
goto leave;
diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c
index 9352a0f..d4a6c8a 100644
--- a/dirmngr/ks-engine-http.c
+++ b/dirmngr/ks-engine-http.c
@@ -76,7 +76,9 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
once_more:
/* Note that we only use the system provided certificates with the
* fetch command. */
- err = http_session_new (&session, NULL, HTTP_FLAG_TRUST_SYS,
+ err = http_session_new (&session, NULL,
+ ((ctrl->http_no_crl? HTTP_FLAG_NO_CRL : 0)
+ | HTTP_FLAG_TRUST_SYS),
gnupg_http_tls_verify_cb, ctrl);
if (err)
goto leave;
diff --git a/dirmngr/server.c b/dirmngr/server.c
index 92bbc16..f726d1b 100644
--- a/dirmngr/server.c
+++ b/dirmngr/server.c
@@ -627,6 +627,11 @@ option_handler (assuan_context_t ctx, const char *key, const char *value)
if (dirmngr_use_tor ())
err = gpg_error (GPG_ERR_FORBIDDEN);
}
+ else if (!strcmp (key, "http-crl"))
+ {
+ int i = *value? atoi (value) : 0;
+ ctrl->http_no_crl = !i;
+ }
else
err = gpg_error (GPG_ERR_UNKNOWN_OPTION);
diff --git a/dirmngr/t-http.c b/dirmngr/t-http.c
index c5bec89..68818de 100644
--- a/dirmngr/t-http.c
+++ b/dirmngr/t-http.c
@@ -199,6 +199,7 @@ main (int argc, char **argv)
unsigned int my_http_flags = 0;
int no_out = 0;
int tls_dbg = 0;
+ int no_crl = 0;
const char *cafile = NULL;
http_session_t session = NULL;
@@ -225,7 +226,8 @@ main (int argc, char **argv)
" --no-verify do not verify the certificate\n"
" --force-tls use HTTP_FLAG_FORCE_TLS\n"
" --force-tor use HTTP_FLAG_FORCE_TOR\n"
- " --no-out do not print the content\n",
+ " --no-out do not print the content\n"
+ " --no-crl do not consuilt a CRL\n",
stdout);
exit (0);
}
@@ -278,6 +280,11 @@ main (int argc, char **argv)
no_out = 1;
argc--; argv++;
}
+ else if (!strcmp (*argv, "--no-crl"))
+ {
+ no_crl = 1;
+ argc--; argv++;
+ }
else if (!strncmp (*argv, "--", 2))
{
fprintf (stderr, PGM ": unknown option '%s'\n", *argv);
@@ -298,7 +305,9 @@ main (int argc, char **argv)
#if HTTP_USE_NTBTLS
log_info ("new session.\n");
- err = http_session_new (&session, NULL, HTTP_FLAG_TRUST_DEF,
+ err = http_session_new (&session, NULL,
+ ((no_crl? HTTP_FLAG_NO_CRL : 0)
+ | HTTP_FLAG_TRUST_DEF),
my_http_tls_verify_cb, NULL);
if (err)
log_error ("http_session_new failed: %s\n", gpg_strerror (err));
@@ -313,7 +322,10 @@ main (int argc, char **argv)
http_register_tls_callback (verify_callback);
http_register_tls_ca (cafile);
- err = http_session_new (&session, NULL, HTTP_FLAG_TRUST_DEF, NULL, NULL);
+ err = http_session_new (&session, NULL,
+ ((no_crl? HTTP_FLAG_NO_CRL : 0)
+ | HTTP_FLAG_TRUST_DEF),
+ NULL, NULL);
if (err)
log_error ("http_session_new failed: %s\n", gpg_strerror (err));
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git
More information about the Pkg-gnupg-commit
mailing list