diff options
| author | Daniel Kahn Gillmor <[email protected]> | 2015-10-20 03:48:30 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2016-01-22 10:53:49 +0000 |
| commit | afb8696126ff0babaab23e884ff5da008281e3b7 (patch) | |
| tree | 371c8a68e6a42b04da8a2e8e3bbcc9c91e6ddd2d | |
| parent | gpg: Rework gpg-conf.skel (diff) | |
| download | gnupg-afb8696126ff0babaab23e884ff5da008281e3b7.tar.gz gnupg-afb8696126ff0babaab23e884ff5da008281e3b7.zip | |
dirmngr: Use sks-keyservers CA by default for the hkps pool.
* dirmngr/Makefile.am (dist_pkgdata_DATA): Add sks-keyservers.netCA.pem.
* dirmngr/http.c (http_session_new): Add optional arg
intended_hostname and set a default cert.
* dirmngr/ks-engine-hkp.c (send_request): Pass httphost to
http_session_new.
--
Ship the certificate for the sks-keyservers hkps pool. If the user
has specified that they want to use
hkps://hkps.pool.sks-keyservers.net, and they have not specified any
hkp-cacert explicitly, then initialize the trust path with this
specific trust anchor.
Co-authored-by: [email protected]
Signed-off-by: Werner Koch <[email protected]>
| -rw-r--r-- | dirmngr/Makefile.am | 1 | ||||
| -rw-r--r-- | dirmngr/http.c | 31 | ||||
| -rw-r--r-- | dirmngr/http.h | 3 | ||||
| -rw-r--r-- | dirmngr/ks-engine-hkp.c | 2 | ||||
| -rw-r--r-- | dirmngr/ks-engine-http.c | 2 | ||||
| -rw-r--r-- | dirmngr/t-http.c | 2 |
6 files changed, 36 insertions, 5 deletions
diff --git a/dirmngr/Makefile.am b/dirmngr/Makefile.am index c3bce0d98..1c74d1081 100644 --- a/dirmngr/Makefile.am +++ b/dirmngr/Makefile.am @@ -20,6 +20,7 @@ ## Process this file with automake to produce Makefile.in EXTRA_DIST = OAUTHORS ONEWS ChangeLog-2011 tls-ca.pem +dist_pkgdata_DATA = sks-keyservers.netCA.pem bin_PROGRAMS = dirmngr dirmngr-client diff --git a/dirmngr/http.c b/dirmngr/http.c index 74b6911a3..aa33917be 100644 --- a/dirmngr/http.c +++ b/dirmngr/http.c @@ -562,7 +562,8 @@ http_session_release (http_session_t sess) /* Create a new session object which is currently used to enable TLS support. It may eventually allow reusing existing connections. */ gpg_error_t -http_session_new (http_session_t *r_session, const char *tls_priority) +http_session_new (http_session_t *r_session, const char *tls_priority, + const char *intended_hostname) { gpg_error_t err; http_session_t sess; @@ -600,6 +601,34 @@ http_session_new (http_session_t *r_session, const char *tls_priority) goto leave; } + /* If the user has not specified a CA list, and they are looking + * for the hkps pool from sks-keyservers.net, then default to + * Kristian's certificate authority: */ + if (!tls_ca_certlist + && intended_hostname + && !ascii_strcasecmp (intended_hostname, + "hkps.pool.sks-keyservers.net")) + { + char *pemname = make_filename_try (gnupg_datadir (), + "sks-keyservers.netCA.pem", NULL); + if (!pemname) + { + err = gpg_error_from_syserror (); + log_error ("setting CA from file '%s' failed: %s\n", + pemname, gpg_strerror (err)); + } + else + { + rc = gnutls_certificate_set_x509_trust_file + (sess->certcred, pemname, GNUTLS_X509_FMT_PEM); + if (rc < 0) + log_info ("setting CA from file '%s' failed: %s\n", + pemname, gnutls_strerror (rc)); + xfree (pemname); + } + } + + /* Add configured certificates to the session. */ for (sl = tls_ca_certlist; sl; sl = sl->next) { rc = gnutls_certificate_set_x509_trust_file diff --git a/dirmngr/http.h b/dirmngr/http.h index 64f55e12e..58b8c1ac7 100644 --- a/dirmngr/http.h +++ b/dirmngr/http.h @@ -98,7 +98,8 @@ void http_register_tls_callback (gpg_error_t (*cb)(http_t,http_session_t,int)); void http_register_tls_ca (const char *fname); gpg_error_t http_session_new (http_session_t *r_session, - const char *tls_priority); + const char *tls_priority, + const char *intended_hostname); http_session_t http_session_ref (http_session_t sess); void http_session_release (http_session_t sess); diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c index f38f29a6b..598e614e3 100644 --- a/dirmngr/ks-engine-hkp.c +++ b/dirmngr/ks-engine-hkp.c @@ -991,7 +991,7 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr, *r_fp = NULL; - err = http_session_new (&session, NULL); + err = http_session_new (&session, NULL, httphost); if (err) goto leave; http_session_set_log_cb (session, cert_log_cb); diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c index ae128ee12..c51c0ce9d 100644 --- a/dirmngr/ks-engine-http.c +++ b/dirmngr/ks-engine-http.c @@ -65,7 +65,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp) estream_t fp = NULL; char *request_buffer = NULL; - err = http_session_new (&session, NULL); + err = http_session_new (&session, NULL, NULL); if (err) goto leave; http_session_set_log_cb (session, cert_log_cb); diff --git a/dirmngr/t-http.c b/dirmngr/t-http.c index 63662a286..9d5ea5fd2 100644 --- a/dirmngr/t-http.c +++ b/dirmngr/t-http.c @@ -262,7 +262,7 @@ main (int argc, char **argv) http_register_tls_callback (verify_callback); http_register_tls_ca (cafile); - err = http_session_new (&session, NULL); + err = http_session_new (&session, NULL, NULL); if (err) log_error ("http_session_new failed: %s\n", gpg_strerror (err)); |