diff options
Diffstat (limited to 'dirmngr')
| -rw-r--r-- | dirmngr/Makefile.am | 1 | ||||
| -rw-r--r-- | dirmngr/certcache.c | 27 | ||||
| -rw-r--r-- | dirmngr/certcache.h | 2 | ||||
| -rw-r--r-- | dirmngr/crlcache.c | 48 | ||||
| -rw-r--r-- | dirmngr/crlcache.h | 9 | ||||
| -rw-r--r-- | dirmngr/crlfetch.c | 3 | ||||
| -rw-r--r-- | dirmngr/dirmngr.c | 18 | ||||
| -rw-r--r-- | dirmngr/dirmngr.h | 5 | ||||
| -rw-r--r-- | dirmngr/domaininfo.c | 13 | ||||
| -rw-r--r-- | dirmngr/fakecrl.c | 63 | ||||
| -rw-r--r-- | dirmngr/ldap.c | 2 | ||||
| -rw-r--r-- | dirmngr/server.c | 49 | ||||
| -rw-r--r-- | dirmngr/validate.c | 16 | ||||
| -rw-r--r-- | dirmngr/workqueue.c | 6 |
14 files changed, 202 insertions, 60 deletions
diff --git a/dirmngr/Makefile.am b/dirmngr/Makefile.am index 1c8065dbb..feee2f5c8 100644 --- a/dirmngr/Makefile.am +++ b/dirmngr/Makefile.am @@ -58,6 +58,7 @@ endif noinst_HEADERS = dirmngr.h crlcache.h crlfetch.h misc.h dirmngr_SOURCES = dirmngr.c dirmngr.h server.c crlcache.c crlfetch.c \ + fakecrl.c \ certcache.c certcache.h \ domaininfo.c \ workqueue.c \ diff --git a/dirmngr/certcache.c b/dirmngr/certcache.c index 1e73d6f85..6b194f31c 100644 --- a/dirmngr/certcache.c +++ b/dirmngr/certcache.c @@ -768,7 +768,7 @@ cert_cache_init (strlist_t hkp_cacerts) initialization_done = 1; release_cache_lock (); - cert_cache_print_stats (); + cert_cache_print_stats (NULL); } /* Deinitialize the certificate cache. With FULL set to true even the @@ -811,7 +811,7 @@ cert_cache_deinit (int full) /* Print some statistics to the log file. */ void -cert_cache_print_stats (void) +cert_cache_print_stats (ctrl_t ctrl) { cert_item_t ci; int idx; @@ -848,16 +848,19 @@ cert_cache_print_stats (void) release_cache_lock (); - log_info (_("permanently loaded certificates: %u\n"), - n_permanent); - log_info (_(" runtime cached certificates: %u\n"), - n_nonperm); - log_info (_(" trusted certificates: %u (%u,%u,%u,%u)\n"), - n_trusted, - n_trustclass_system, - n_trustclass_config, - n_trustclass_hkp, - n_trustclass_hkpspool); + dirmngr_status_helpf (ctrl, + _("permanently loaded certificates: %u\n"), + n_permanent); + dirmngr_status_helpf (ctrl, + _(" runtime cached certificates: %u\n"), + n_nonperm); + dirmngr_status_helpf (ctrl, + _(" trusted certificates: %u (%u,%u,%u,%u)\n"), + n_trusted, + n_trustclass_system, + n_trustclass_config, + n_trustclass_hkp, + n_trustclass_hkpspool); } diff --git a/dirmngr/certcache.h b/dirmngr/certcache.h index 8d645836d..3a773636f 100644 --- a/dirmngr/certcache.h +++ b/dirmngr/certcache.h @@ -37,7 +37,7 @@ void cert_cache_init (strlist_t hkp_cacerts); void cert_cache_deinit (int full); /* Print some statistics to the log file. */ -void cert_cache_print_stats (void); +void cert_cache_print_stats (ctrl_t ctrl); /* Return true if any cert of a class in MASK is permanently loaded. */ int cert_cache_any_in_class (unsigned int mask); diff --git a/dirmngr/crlcache.c b/dirmngr/crlcache.c index befc6b94b..9f0b910f3 100644 --- a/dirmngr/crlcache.c +++ b/dirmngr/crlcache.c @@ -125,6 +125,13 @@ # define O_BINARY 0 #endif + +/* Reason flags for an invalid CRL. */ +#define INVCRL_TOO_OLD 1 +#define INVCRL_UNKNOWN_EXTN 2 +#define INVCRL_GENERAL 127 + + static const char oidstr_crlNumber[] = "2.5.29.20"; /* static const char oidstr_issuingDistributionPoint[] = "2.5.29.28"; */ static const char oidstr_authorityKeyIdentifier[] = "2.5.29.35"; @@ -157,7 +164,7 @@ struct crl_cache_entry_s unsigned int cdb_use_count; /* Current use count. */ unsigned int cdb_lru_count; /* Used for LRU purposes. */ int dbfile_checked; /* Set to true if the dbfile_hash value has - been checked one. */ + been checked once. */ }; @@ -569,8 +576,8 @@ open_dir (crl_cache_t *r_cache) if (*line == 'i') { entry->invalid = atoi (line+1); - if (entry->invalid < 1) - entry->invalid = 1; + if (!entry->invalid) + entry->invalid = INVCRL_GENERAL; } else if (*line == 'u') entry->user_trust_req = 1; @@ -1395,7 +1402,7 @@ cache_isvalid (ctrl_t ctrl, const char *issuer_hash, { if (opt.verbose) log_info ("no system trust and client does not trust either\n"); - retval = CRL_CACHE_CANTUSE; + retval = CRL_CACHE_NOTTRUSTED; } else { @@ -1515,8 +1522,11 @@ crl_cache_cert_isvalid (ctrl_t ctrl, ksba_cert_t cert, case CRL_CACHE_DONTKNOW: err = gpg_error (GPG_ERR_NO_CRL_KNOWN); break; + case CRL_CACHE_NOTTRUSTED: + err = gpg_error (GPG_ERR_NOT_TRUSTED); + break; case CRL_CACHE_CANTUSE: - err = gpg_error (GPG_ERR_NO_CRL_KNOWN); + err = gpg_error (GPG_ERR_INV_CRL_OBJ); break; default: log_fatal ("cache_isvalid returned invalid status code %d\n", result); @@ -2097,7 +2107,7 @@ crl_parse_insert (ctrl_t ctrl, ksba_crl_t crl, } } while (stopreason != KSBA_SR_READY); - assert (!err); + log_assert (!err); failure: @@ -2338,7 +2348,7 @@ crl_cache_insert (ctrl_t ctrl, const char *url, ksba_reader_t reader) nextupdate); if (!err2) err2 = gpg_error (GPG_ERR_CRL_TOO_OLD); - invalidate_crl |= 1; + invalidate_crl |= INVCRL_TOO_OLD; } } @@ -2353,7 +2363,7 @@ crl_cache_insert (ctrl_t ctrl, const char *url, ksba_reader_t reader) log_error (_("unknown critical CRL extension %s\n"), oid); if (!err2) err2 = gpg_error (GPG_ERR_INV_CRL); - invalidate_crl |= 2; + invalidate_crl |= INVCRL_UNKNOWN_EXTN; } if (gpg_err_code (err) == GPG_ERR_EOF || gpg_err_code (err) == GPG_ERR_NO_DATA ) @@ -2492,6 +2502,7 @@ list_one_crl_entry (crl_cache_t cache, crl_cache_entry_t e, estream_t fp) int rc; int warn = 0; const unsigned char *s; + unsigned int invalid; es_fputs ("--------------------------------------------------------\n", fp ); es_fprintf (fp, _("Begin CRL dump (retrieved via %s)\n"), e->url ); @@ -2516,13 +2527,20 @@ list_one_crl_entry (crl_cache_t cache, crl_cache_entry_t e, estream_t fp) !e->user_trust_req? "[system]" : e->check_trust_anchor? e->check_trust_anchor:"[missing]"); - if ((e->invalid & 1)) - es_fprintf (fp, _(" ERROR: The CRL will not be used " - "because it was still too old after an update!\n")); - if ((e->invalid & 2)) - es_fprintf (fp, _(" ERROR: The CRL will not be used " + invalid = e->invalid; + if ((invalid & INVCRL_TOO_OLD)) + { + invalid &= ~INVCRL_TOO_OLD; + es_fprintf (fp, _(" ERROR: The CRL will not be used " + "because it was still too old after an update!\n")); + } + if ((invalid & INVCRL_UNKNOWN_EXTN)) + { + invalid &= ~INVCRL_UNKNOWN_EXTN; + es_fprintf (fp, _(" ERROR: The CRL will not be used " "due to an unknown critical extension!\n")); - if ((e->invalid & ~3)) + } + if (invalid) /* INVCRL_GENERAL or some other bits are set. */ es_fprintf (fp, _(" ERROR: The CRL will not be used\n")); cdb = lock_db_file (cache, e); @@ -2714,8 +2732,6 @@ crl_cache_reload_crl (ctrl_t ctrl, ksba_cert_t cert) any_dist_point = 1; - if (opt.verbose) - log_info ("fetching CRL from '%s'\n", distpoint_uri); crl_close_reader (reader); err = crl_fetch (ctrl, distpoint_uri, &reader); if (err) diff --git a/dirmngr/crlcache.h b/dirmngr/crlcache.h index 0e60def8f..375943462 100644 --- a/dirmngr/crlcache.h +++ b/dirmngr/crlcache.h @@ -27,6 +27,7 @@ typedef enum CRL_CACHE_VALID = 0, CRL_CACHE_INVALID, CRL_CACHE_DONTKNOW, + CRL_CACHE_NOTTRUSTED, CRL_CACHE_CANTUSE } crl_cache_result_t; @@ -44,6 +45,7 @@ crl_sig_result_t; struct crl_cache_entry_s; typedef struct crl_cache_entry_s *crl_cache_entry_t; +/*-- crlcache.c --*/ void crl_cache_init (void); void crl_cache_deinit (void); @@ -67,4 +69,11 @@ gpg_error_t crl_cache_load (ctrl_t ctrl, const char *filename); gpg_error_t crl_cache_reload_crl (ctrl_t ctrl, ksba_cert_t cert); +/*-- fakecrl.c --*/ +crl_cache_result_t fakecrl_isvalid (ctrl_t ctrl, + const char *issuer_hash, + const char *cert_id); + + + #endif /* CRLCACHE_H */ diff --git a/dirmngr/crlfetch.c b/dirmngr/crlfetch.c index a591a2b5a..5b6b648e2 100644 --- a/dirmngr/crlfetch.c +++ b/dirmngr/crlfetch.c @@ -175,6 +175,9 @@ crl_fetch (ctrl_t ctrl, const char *url, ksba_reader_t *reader) if (!url) return gpg_error (GPG_ERR_INV_ARG); + if (opt.verbose) + log_info ("fetching CRL from '%s'\n", url); + err = http_parse_uri (&uri, url, 0); http_release_parsed_uri (uri); if (!err) /* Yes, our HTTP code groks that. */ diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c index cbc693bd8..3c0818af9 100644 --- a/dirmngr/dirmngr.c +++ b/dirmngr/dirmngr.c @@ -158,6 +158,7 @@ enum cmd_and_opt_values { oConnectTimeout, oConnectQuickTimeout, oListenBacklog, + oFakeCRL, aTest }; @@ -274,7 +275,7 @@ static gpgrt_opt_t opts[] = { " points to serverlist")), ARGPARSE_s_i (oLDAPTimeout, "ldaptimeout", N_("|N|set LDAP timeout to N seconds")), - + ARGPARSE_s_s (oFakeCRL, "fake-crl", "@"), ARGPARSE_header ("OCSP", N_("Configuration for OCSP")), @@ -324,6 +325,7 @@ static struct debug_flags_s debug_flags [] = { DBG_NETWORK_VALUE, "network" }, { DBG_LOOKUP_VALUE , "lookup" }, { DBG_EXTPROG_VALUE, "extprog" }, + { DBG_KEEPTMP_VALUE, "keeptmp" }, { 77, NULL } /* 77 := Do not exit on "help" or "?". */ }; @@ -534,7 +536,7 @@ set_debug (void) select the highest debug value and would then clutter their disk with debug files which may reveal confidential data. */ if (numok) - opt.debug &= ~(DBG_HASHING_VALUE); + opt.debug &= ~(DBG_HASHING_VALUE|DBG_KEEPTMP_VALUE); } else { @@ -708,6 +710,8 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread) opt.ldaptimeout = DEFAULT_LDAP_TIMEOUT; ldapserver_list_needs_reset = 1; opt.debug_cache_expired_certs = 0; + xfree (opt.fake_crl); + opt.fake_crl = NULL; return 1; } @@ -870,6 +874,11 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread) opt.debug_cache_expired_certs = 0; break; + case oFakeCRL: + xfree (opt.fake_crl); + opt.fake_crl = *pargs->r.ret_str? xstrdup (pargs->r.ret_str) : NULL; + break; + default: return 0; /* Not handled. */ } @@ -2030,8 +2039,9 @@ handle_signal (int signo) break; case SIGUSR1: - cert_cache_print_stats (); - domaininfo_print_stats (); + /* See also cmd_getinfo:"stats". */ + cert_cache_print_stats (NULL); + domaininfo_print_stats (NULL); break; case SIGUSR2: diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h index e7591b998..bcb364e8d 100644 --- a/dirmngr/dirmngr.h +++ b/dirmngr/dirmngr.h @@ -104,6 +104,7 @@ struct int force; /* Force loading outdated CRLs. */ + char *fake_crl; /* Name of a file with faked CRL entries. */ unsigned int connect_timeout; /* Timeout for connect. */ unsigned int connect_quick_timeout; /* Shorter timeout for connect. */ @@ -166,6 +167,7 @@ struct #define DBG_NETWORK_VALUE 2048 /* debug network I/O. */ #define DBG_LOOKUP_VALUE 8192 /* debug lookup details */ #define DBG_EXTPROG_VALUE 16384 /* debug external program calls */ +#define DBG_KEEPTMP_VALUE 32768 /* keep some temporary files */ #define DBG_X509 (opt.debug & DBG_X509_VALUE) #define DBG_CRYPTO (opt.debug & DBG_CRYPTO_VALUE) @@ -177,6 +179,7 @@ struct #define DBG_NETWORK (opt.debug & DBG_NETWORK_VALUE) #define DBG_LOOKUP (opt.debug & DBG_LOOKUP_VALUE) #define DBG_EXTPROG (opt.debug & DBG_EXTPROG_VALUE) +#define DBG_KEEPTMP (opt.debug & DBG_KEEPTMP_VALUE) /* A simple list of certificate references. FIXME: Better use certlist_t also for references (Store NULL at .cert) */ @@ -264,7 +267,7 @@ gpg_error_t dirmngr_load_swdb (ctrl_t ctrl, int force); /*-- domaininfo.c --*/ -void domaininfo_print_stats (void); +void domaininfo_print_stats (ctrl_t ctrl); int domaininfo_is_wkd_not_supported (const char *domain); void domaininfo_set_no_name (const char *domain); void domaininfo_set_wkd_supported (const char *domain); diff --git a/dirmngr/domaininfo.c b/dirmngr/domaininfo.c index b41aef366..b6043be53 100644 --- a/dirmngr/domaininfo.c +++ b/dirmngr/domaininfo.c @@ -81,7 +81,7 @@ hash_domain (const char *domain) void -domaininfo_print_stats (void) +domaininfo_print_stats (ctrl_t ctrl) { int bidx; domaininfo_t di; @@ -112,11 +112,12 @@ domaininfo_print_stats (void) if (minlen == -1 || len < minlen) minlen = len; } - log_info ("domaininfo: items=%d chainlen=%d..%d nn=%d nf=%d ns=%d s=%d\n", - count, - minlen > 0? minlen : 0, - maxlen, - no_name, wkd_not_found, wkd_not_supported, wkd_supported); + dirmngr_status_helpf + (ctrl, "domaininfo: items=%d chainlen=%d..%d nn=%d nf=%d ns=%d s=%d\n", + count, + minlen > 0? minlen : 0, + maxlen, + no_name, wkd_not_found, wkd_not_supported, wkd_supported); } diff --git a/dirmngr/fakecrl.c b/dirmngr/fakecrl.c new file mode 100644 index 000000000..43b68a57a --- /dev/null +++ b/dirmngr/fakecrl.c @@ -0,0 +1,63 @@ +/* fakecrl.c - Debug code to test revocations. + * Copyright (C) 2023 g10 Code GmbH + * + * This file is part of GnuPG. + * + * GnuPG is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuPG is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <https://www.gnu.org/licenses/>. + * SPDX-License-Identifier: GPL-3.0-or-later + */ + +/* + * For regression testing it is useful to have a way to claim that + * certain certificates are revoked. We achieve this with the + * --fake-crl option which takes a file name as argument. The format + * of the file is: empty lines and lines starting with a hash sign are + * ignored. A line with the issuer DN in brackets starts entries for + * this issuer. All following lines up to the next line with a + * bracket list revoked certificates. For each revoked certificate + * the hexadecimal encoded serial number is listed, followed by the + * revocation date in ISO 14 byte notation, optionally followed by a + * reason keyword. Example: + *--------------------- + * # Sample Fake CRL + * [CN=Bayern-Softtoken-Issuing-CA-2019,OU=IT-DLZ,O=Freistaat Bayern,C=DE] + * 7FD62B1A9EA5BBC84971183080717004 20221125T074346 + * 11223344556677 20230101T000000 key_compromise + * 0000000000000042 20221206T121200 certificate_hold + * + * [CN=CA IVBB Deutsche Telekom AG 18,OU=Bund,O=PKI-1-Verwaltung,C=DE] + * 735D1B97389F 20230210T083947 + *--------------------- + */ +#include <config.h> + +#include <stdio.h> +#include <stdlib.h> + +#include "dirmngr.h" +#include "crlcache.h" + + + +/* Returns 0 if the given certificate is not listed in the faked CRL + * or no fake CRL is configured. It is expected that the caller then + * consults the real CRL. */ +gpg_error_t +fakecrl_isvalid (ctrl_t ctrl, const char *issuer_hash, const char *cert_id) +{ + (void)ctrl; + (void)issuer_hash; + (void)cert_id; + return 0; +} diff --git a/dirmngr/ldap.c b/dirmngr/ldap.c index f9f6d5f1a..b80012d03 100644 --- a/dirmngr/ldap.c +++ b/dirmngr/ldap.c @@ -525,7 +525,7 @@ make_one_filter (const char *pattern, char **r_result) { /* We need just the BaseDN. This assumes that the Subject * is correcly stored in the DT. This is however not always - * the case and the actual DN is different ffrom the + * the case and the actual DN is different from the * subject. In this case we won't find anything. */ if (extfilt_need_escape (pattern) && !(pattern = pattern_buffer = extfilt_escape (pattern))) diff --git a/dirmngr/server.c b/dirmngr/server.c index fba2233d4..cd0839aad 100644 --- a/dirmngr/server.c +++ b/dirmngr/server.c @@ -1339,6 +1339,10 @@ cmd_isvalid (assuan_context_t ctx, char *line) } else if (only_ocsp) err = gpg_error (GPG_ERR_NO_CRL_KNOWN); + else if (opt.fake_crl && (err = fakecrl_isvalid (ctrl, issuerhash, serialno))) + { + /* We already got the error code. */ + } else { switch (crl_cache_isvalid (ctrl, @@ -1360,8 +1364,11 @@ cmd_isvalid (assuan_context_t ctx, char *line) goto again; } break; + case CRL_CACHE_NOTTRUSTED: + err = gpg_error (GPG_ERR_NOT_TRUSTED); + break; case CRL_CACHE_CANTUSE: - err = gpg_error (GPG_ERR_NO_CRL_KNOWN); + err = gpg_error (GPG_ERR_INV_CRL_OBJ); break; default: log_fatal ("crl_cache_isvalid returned invalid code\n"); @@ -1374,7 +1381,7 @@ cmd_isvalid (assuan_context_t ctx, char *line) /* If the line contains a SHA-1 fingerprint as the first argument, - return the FPR vuffer on success. The function checks that the + return the FPR buffer on success. The function checks that the fingerprint consists of valid characters and prints and error message if it does not and returns NULL. Fingerprints are considered optional and thus no explicit error is returned. NULL is @@ -1469,7 +1476,7 @@ cmd_checkcrl (assuan_context_t ctx, char *line) goto leave; } - assert (cert); + log_assert (cert); err = crl_cache_cert_isvalid (ctrl, cert, ctrl->force_crl_refresh); if (gpg_err_code (err) == GPG_ERR_NO_CRL_KNOWN) @@ -2785,13 +2792,14 @@ static const char hlp_getinfo[] = "Multi purpose command to return certain information. \n" "Supported values of WHAT are:\n" "\n" - "version - Return the version of the program.\n" - "pid - Return the process id of the server.\n" + "version - Return the version of the program\n" + "pid - Return the process id of the server\n" "tor - Return OK if running in Tor mode\n" "dnsinfo - Return info about the DNS resolver\n" - "socket_name - Return the name of the socket.\n" - "session_id - Return the current session_id.\n" + "socket_name - Return the name of the socket\n" + "session_id - Return the current session_id\n" "workqueue - Inspect the work queue\n" + "stats - Print stats\n" "getenv NAME - Return value of envvar NAME\n"; static gpg_error_t cmd_getinfo (assuan_context_t ctx, char *line) @@ -2860,6 +2868,12 @@ cmd_getinfo (assuan_context_t ctx, char *line) workqueue_dump_queue (ctrl); err = 0; } + else if (!strcmp (line, "stats")) + { + cert_cache_print_stats (ctrl); + domaininfo_print_stats (ctrl); + err = 0; + } else if (!strncmp (line, "getenv", 6) && (line[6] == ' ' || line[6] == '\t' || !line[6])) { @@ -3218,7 +3232,8 @@ dirmngr_status_help (ctrl_t ctrl, const char *text) /* Print a help status line using a printf like format. The function - * splits text at LFs. */ + * splits text at LFs. With CTRL beeing NULL, the function behaves + * like log_info. */ gpg_error_t dirmngr_status_helpf (ctrl_t ctrl, const char *format, ...) { @@ -3227,12 +3242,20 @@ dirmngr_status_helpf (ctrl_t ctrl, const char *format, ...) char *buf; va_start (arg_ptr, format); - buf = es_vbsprintf (format, arg_ptr); - err = buf? 0 : gpg_error_from_syserror (); + if (ctrl) + { + buf = es_vbsprintf (format, arg_ptr); + err = buf? 0 : gpg_error_from_syserror (); + if (!err) + err = dirmngr_status_help (ctrl, buf); + es_free (buf); + } + else + { + log_logv (GPGRT_LOGLVL_INFO, format, arg_ptr); + err = 0; + } va_end (arg_ptr); - if (!err) - err = dirmngr_status_help (ctrl, buf); - es_free (buf); return err; } diff --git a/dirmngr/validate.c b/dirmngr/validate.c index 399cca3a4..02db3c270 100644 --- a/dirmngr/validate.c +++ b/dirmngr/validate.c @@ -255,6 +255,7 @@ check_revocations (ctrl_t ctrl, chain_item_t chain) int any_revoked = 0; int any_no_crl = 0; int any_crl_too_old = 0; + int any_not_trusted = 0; chain_item_t ci; log_assert (ctrl->check_revocations_nest_level >= 0); @@ -266,7 +267,8 @@ check_revocations (ctrl_t ctrl, chain_item_t chain) return gpg_error(GPG_ERR_BAD_CERT_CHAIN); } ctrl->check_revocations_nest_level++; - + if (opt.verbose) + log_info ("[%d] start checking CRLs\n", ctrl->check_revocations_nest_level); for (ci=chain; ci; ci = ci->next) { @@ -293,17 +295,19 @@ check_revocations (ctrl_t ctrl, chain_item_t chain) if (!err) err = crl_cache_cert_isvalid (ctrl, ci->cert, 0); } + if (opt.verbose) + log_info ("[%d] result of checking this CRL: %s\n", + ctrl->check_revocations_nest_level, gpg_strerror (err)); switch (gpg_err_code (err)) { case 0: err = 0; break; case GPG_ERR_CERT_REVOKED: any_revoked = 1; err = 0; break; case GPG_ERR_NO_CRL_KNOWN: any_no_crl = 1; err = 0; break; + case GPG_ERR_NOT_TRUSTED: any_not_trusted = 1; err = 0; break; case GPG_ERR_CRL_TOO_OLD: any_crl_too_old = 1; err = 0; break; default: break; } } - ctrl->check_revocations_nest_level--; - if (err) ; @@ -311,10 +315,16 @@ check_revocations (ctrl_t ctrl, chain_item_t chain) err = gpg_error (GPG_ERR_CERT_REVOKED); else if (any_no_crl) err = gpg_error (GPG_ERR_NO_CRL_KNOWN); + else if (any_not_trusted) + err = gpg_error (GPG_ERR_NOT_TRUSTED); else if (any_crl_too_old) err = gpg_error (GPG_ERR_CRL_TOO_OLD); else err = 0; + if (opt.verbose) + log_info ("[%d] result of checking all CRLs: %s\n", + ctrl->check_revocations_nest_level, gpg_strerror (err)); + ctrl->check_revocations_nest_level--; return err; } diff --git a/dirmngr/workqueue.c b/dirmngr/workqueue.c index 2974f5d08..dcac48024 100644 --- a/dirmngr/workqueue.c +++ b/dirmngr/workqueue.c @@ -59,7 +59,7 @@ workqueue_dump_queue (ctrl_t ctrl) wqitem_t item; unsigned int count; - /* Temporarily detach the entiere workqueue so that other threads don't + /* Temporarily detach the entire workqueue so that other threads don't * get into our way. */ saved_workqueue = workqueue; workqueue = NULL; @@ -74,8 +74,8 @@ workqueue_dump_queue (ctrl_t ctrl) item->func? item->func (NULL, NULL): "nop", item->args, strlen (item->args) > 100? "[...]":""); - /* Restore then workqueue. Actually we append the saved queue do a - * possibly updated workqueue. */ + /* Restore the workqueue. Actually we append the saved queue to + * handle a possibly updated workqueue. */ if (!(item=workqueue)) workqueue = saved_workqueue; else |