[Pkg-gnupg-commit] [gnupg2] 16/21: dirmngr: Use system certs if --hkp-cacert is not used.
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Sep 19 15:33:59 UTC 2017
This is an automated email from the git hooks/post-receive script.
dkg pushed a commit to branch master
in repository gnupg2.
commit df692a6167be5486f9a29da003a00292fd895176
Author: Werner Koch <wk at gnupg.org>
Date: Mon Sep 18 22:49:05 2017 +0200
dirmngr: Use system certs if --hkp-cacert is not used.
* dirmngr/certcache.c (any_cert_of_class): New var.
(put_cert): Set it.
(cert_cache_deinit): Clear it.
(cert_cache_any_in_class): New func.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Add hack to
override empty list of HKP certs.
--
This patch carries the changes for GNUTLS from commit
7c1613d41566f7d8db116790087de323621205fe over to NTBTLS. NTBTLS works
quite different and thus we need to do it this way.
Signed-off-by: Werner Koch <wk at gnupg.org>
---
dirmngr/certcache.c | 18 +++++++++++++++++-
dirmngr/certcache.h | 3 +++
dirmngr/http-ntbtls.c | 6 ++++++
3 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/dirmngr/certcache.c b/dirmngr/certcache.c
index b4e5381..56629fd 100644
--- a/dirmngr/certcache.c
+++ b/dirmngr/certcache.c
@@ -94,6 +94,10 @@ static int initialization_done;
/* Total number of non-permanent certificates. */
static unsigned int total_nonperm_certificates;
+/* For each cert class the corresponding bit is set if at least one
+ * certificate of that class is loaded permanetly. */
+static unsigned int any_cert_of_class;
+
#ifdef HAVE_W32_SYSTEM
/* We load some functions dynamically. Provide typedefs for tehse
@@ -343,7 +347,9 @@ put_cert (ksba_cert_t cert, int permanent, unsigned int trustclass,
ci->permanent = !!permanent;
ci->trustclasses = trustclass;
- if (!permanent)
+ if (permanent)
+ any_cert_of_class |= trustclass;
+ else
total_nonperm_certificates++;
return 0;
@@ -758,6 +764,7 @@ cert_cache_deinit (int full)
}
total_nonperm_certificates = 0;
+ any_cert_of_class = 0;
initialization_done = 0;
release_cache_lock ();
}
@@ -814,6 +821,15 @@ cert_cache_print_stats (void)
}
+/* Return true if any cert of a class in MASK is permanently
+ * loaded. */
+int
+cert_cache_any_in_class (unsigned int mask)
+{
+ return !!(any_cert_of_class & mask);
+}
+
+
/* Put CERT into the certificate cache. */
gpg_error_t
cache_cert (ksba_cert_t cert)
diff --git a/dirmngr/certcache.h b/dirmngr/certcache.h
index 92529bf..8d64583 100644
--- a/dirmngr/certcache.h
+++ b/dirmngr/certcache.h
@@ -39,6 +39,9 @@ void cert_cache_deinit (int full);
/* Print some statistics to the log file. */
void cert_cache_print_stats (void);
+/* Return true if any cert of a class in MASK is permanently loaded. */
+int cert_cache_any_in_class (unsigned int mask);
+
/* Compute the fingerprint of the certificate CERT and put it into
the 20 bytes large buffer DIGEST. Return address of this buffer. */
unsigned char *cert_compute_fpr (ksba_cert_t cert, unsigned char *digest);
diff --git a/dirmngr/http-ntbtls.c b/dirmngr/http-ntbtls.c
index 250db55..ea66a4d 100644
--- a/dirmngr/http-ntbtls.c
+++ b/dirmngr/http-ntbtls.c
@@ -91,6 +91,12 @@ gnupg_http_tls_verify_cb (void *opaque,
validate_flags |= VALIDATE_FLAG_TRUST_HKP;
if ((http_flags & HTTP_FLAG_TRUST_SYS))
validate_flags |= VALIDATE_FLAG_TRUST_SYSTEM;
+
+ /* If HKP trust is requested and there are no HKP certificates
+ * configured, also try thye standard system certificates. */
+ if ((validate_flags & VALIDATE_FLAG_TRUST_HKP)
+ && !cert_cache_any_in_class (CERTTRUST_CLASS_HKP))
+ validate_flags |= VALIDATE_FLAG_TRUST_SYSTEM;
}
if ((http_flags & HTTP_FLAG_NO_CRL))
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git
More information about the Pkg-gnupg-commit
mailing list