diff options
| author | Werner Koch <[email protected]> | 2017-02-21 13:55:04 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2017-02-21 13:55:04 +0000 |
| commit | 831d014550863026dfefa774c961a21bd20c1e48 (patch) | |
| tree | a7ab8eb014de4a48375a4f3242e61aa7bfcef9b2 /dirmngr/http-ntbtls.c | |
| parent | dirmngr: Load --hkp-cacert values into the certificate cache. (diff) | |
| download | gnupg-831d014550863026dfefa774c961a21bd20c1e48.tar.gz gnupg-831d014550863026dfefa774c961a21bd20c1e48.zip | |
dirmngr: Add special treatment for the standard hkps pool to ntbtls.
* dirmngr/validate.h (VALIDATE_FLAG_SYSTRUST): Remove
(VALIDATE_FLAG_EXTRATRUST): Remove
(VALIDATE_FLAG_TRUST_SYSTEM): New.
(VALIDATE_FLAG_TRUST_CONFIG): New.
(VALIDATE_FLAG_TRUST_HKP): New.
(VALIDATE_FLAG_TRUST_HKPSPOOL): New.
(VALIDATE_FLAG_MASK_TRUST): New.
* dirmngr/validate.c (check_header_constants): New.
(validate_cert_chain): Call new function. Simplify call to
is_trusted_cert.
* dirmngr/crlcache.c (crl_parse_insert): Pass
VALIDATE_FLAG_TRUST_CONFIG to validate_cert_chain
* dirmngr/server.c (cmd_validate): Use VALDIATE_FLAG_TRUST_SYSTEM and
VALIDATE_FLAG_TRUST_CONFIG.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Check provided TLS
context. Set trustclass flags using the new VALIDATE_FLAG_TRUST
values.
* dirmngr/certcache.c (cert_cache_init): Load the standard pool
certificate prior to the --hkp-cacerts.
--
Note that this changes the way the standard cert is used: We require
that it is installed at /usr/share/gnupg and we do not allow to change
it. If this is not desired, the the standard cert can be removed or
replaced by a newer one.
Signed-off-by: Werner Koch <[email protected]>
Diffstat (limited to 'dirmngr/http-ntbtls.c')
| -rw-r--r-- | dirmngr/http-ntbtls.c | 25 |
1 files changed, 20 insertions, 5 deletions
diff --git a/dirmngr/http-ntbtls.c b/dirmngr/http-ntbtls.c index 3038cae6b..00d6a58bf 100644 --- a/dirmngr/http-ntbtls.c +++ b/dirmngr/http-ntbtls.c @@ -41,20 +41,23 @@ gnupg_http_tls_verify_cb (void *opaque, void *tls_context) { ctrl_t ctrl = opaque; + ntbtls_t tls = tls_context; gpg_error_t err; int idx; ksba_cert_t cert; ksba_cert_t hostcert = NULL; unsigned int validate_flags; + const char *hostname; (void)http; (void)session; log_assert (ctrl && ctrl->magic == SERVER_CONTROL_MAGIC); + log_assert (!ntbtls_check_context (tls)); /* Get the peer's certs fron ntbtls. */ for (idx = 0; - (cert = ntbtls_x509_get_peer_cert (tls_context, idx)); idx++) + (cert = ntbtls_x509_get_peer_cert (tls, idx)); idx++) { if (!idx) hostcert = cert; @@ -73,10 +76,22 @@ gnupg_http_tls_verify_cb (void *opaque, } validate_flags = VALIDATE_FLAG_TLS; - /* if ((http_flags & HTTP_FLAG_TRUST_DEF)) */ - /* validate_flags |= VALIDATE_FLAG_??; */ - if ((http_flags & HTTP_FLAG_TRUST_SYS)) - validate_flags |= VALIDATE_FLAG_SYSTRUST; + + /* Are we using the standard hkps:// pool use the dedicated + * root certificate. */ + hostname = ntbtls_get_hostname (tls); + if (hostname + && !ascii_strcasecmp (hostname, "hkps.pool.sks-keyservers.net")) + { + validate_flags |= VALIDATE_FLAG_TRUST_HKPSPOOL; + } + else /* Use the certificates as requested from the HTTP module. */ + { + if ((http_flags & HTTP_FLAG_TRUST_DEF)) + validate_flags |= VALIDATE_FLAG_TRUST_HKP; + if ((http_flags & HTTP_FLAG_TRUST_SYS)) + validate_flags |= VALIDATE_FLAG_TRUST_SYSTEM; + } if ((http_flags & HTTP_FLAG_NO_CRL)) validate_flags |= VALIDATE_FLAG_NOCRLCHECK; |