From 705d8e9cf0d109005b3441766270c0e584f7847d Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Wed, 25 Apr 2018 09:43:18 +0200 Subject: dirmngr: Implement CRL fetching via https. * dirmngr/http.h (HTTP_FLAG_TRUST_CFG): New flag. * dirmngr/http.c (http_register_cfg_ca): New. (http_session_new) [HTTP_USE_GNUTLS]: Implement new trust flag. * dirmngr/certcache.c (load_certs_from_dir): Call new function. (cert_cache_deinit): Ditto. * dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Ditto. * dirmngr/ks-engine-http.c (ks_http_fetch): Add new args 'send_no_cache' and 'extra_http_trust_flags'. Change all callers to provide the default value. * dirmngr/crlfetch.c (crl_fetch): Rewrite to make use of ks_http_fetch. -- The old code simply did not use https for downloading of CRLS. Instead it rewrote https to http under the assumption that the CRL service was also available without encryption. Note that a CRL is self-standing and thus it does not need to have extra authenticity as provided by TLS. These days we should not use any unencrypted content and thus this patch. Be aware that cacert.org give a https CRL DP but that currently redirects to to http! This is a downgrade attack which we detect and don't allow. The outcome is that it is right now not possible to use CAcert certificates. Signed-off-by: Werner Koch --- dirmngr/ks-engine.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'dirmngr/ks-engine.h') diff --git a/dirmngr/ks-engine.h b/dirmngr/ks-engine.h index b5b4dd08b..ce51141bd 100644 --- a/dirmngr/ks-engine.h +++ b/dirmngr/ks-engine.h @@ -42,7 +42,9 @@ gpg_error_t ks_hkp_put (ctrl_t ctrl, parsed_uri_t uri, /*-- ks-engine-http.c --*/ gpg_error_t ks_http_help (ctrl_t ctrl, parsed_uri_t uri); -gpg_error_t ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp); +gpg_error_t ks_http_fetch (ctrl_t ctrl, const char *url, int send_no_cache, + unsigned int extra_http_trust_flags, + estream_t *r_fp); /*-- ks-engine-finger.c --*/ -- cgit v1.2.3 From 1de4462974113ac18cf98f903e97cd1127fa842f Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Wed, 25 Apr 2018 12:37:34 +0200 Subject: dirmngr: Allow redirection from https to http for CRLs * dirmngr/ks-engine.h (KS_HTTP_FETCH_NOCACHE): New flag. (KS_HTTP_FETCH_TRUST_CFG): Ditto. (KS_HTTP_FETCH_NO_CRL): Ditto. (KS_HTTP_FETCH_ALLOW_DOWNGRADE): Ditto. * dirmngr/ks-engine-http.c (ks_http_fetch): Replace args send_no_cache and extra_http_trust_flags by a new flags arg. Allow redirectiong from https to http it KS_HTTP_FETCH_ALLOW_DOWNGRADE is set. * dirmngr/loadswdb.c (fetch_file): Call with KS_HTTP_FETCH_NOCACHE. * dirmngr/ks-action.c (ks_action_get): Ditto. (ks_action_fetch): Ditto. * dirmngr/crlfetch.c (crl_fetch): Call with the appropriate flags. -- Signed-off-by: Werner Koch --- dirmngr/ks-engine.h | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'dirmngr/ks-engine.h') diff --git a/dirmngr/ks-engine.h b/dirmngr/ks-engine.h index ce51141bd..d28c6ab71 100644 --- a/dirmngr/ks-engine.h +++ b/dirmngr/ks-engine.h @@ -41,9 +41,15 @@ gpg_error_t ks_hkp_put (ctrl_t ctrl, parsed_uri_t uri, const void *data, size_t datalen); /*-- ks-engine-http.c --*/ + +/* Flags for the ks_http_fetch. */ +#define KS_HTTP_FETCH_NOCACHE 1 /* Request no caching. */ +#define KS_HTTP_FETCH_TRUST_CFG 2 /* Requests HTTP_FLAG_TRUST_CFG. */ +#define KS_HTTP_FETCH_NO_CRL 4 /* Requests HTTP_FLAG_NO_CRL. */ +#define KS_HTTP_FETCH_ALLOW_DOWNGRADE 8 /* Allow redirect https -> http. */ + gpg_error_t ks_http_help (ctrl_t ctrl, parsed_uri_t uri); -gpg_error_t ks_http_fetch (ctrl_t ctrl, const char *url, int send_no_cache, - unsigned int extra_http_trust_flags, +gpg_error_t ks_http_fetch (ctrl_t ctrl, const char *url, unsigned int flags, estream_t *r_fp); -- cgit v1.2.3