-rw-r--r--dirmngr/dirmngr.c1
-rw-r--r--dirmngr/dirmngr.h2
-rw-r--r--dirmngr/http-ntbtls.c4
-rw-r--r--dirmngr/http.c1
-rw-r--r--dirmngr/http.h3
-rw-r--r--dirmngr/ks-engine-hkp.c4
-rw-r--r--dirmngr/ks-engine-http.c4
-rw-r--r--dirmngr/server.c5
-rw-r--r--dirmngr/t-http.c18
9 files changed, 34 insertions, 8 deletions
diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
index 5e6d98367..f04d0881f 100644
--- a/dirmngr/dirmngr.c
+++ b/dirmngr/dirmngr.c
@@ -1492,6 +1492,7 @@ dirmngr_init_default_ctrl (ctrl_t ctrl)
ctrl->magic = SERVER_CONTROL_MAGIC;
if (opt.http_proxy)
ctrl->http_proxy = xstrdup (opt.http_proxy);
+ ctrl->http_no_crl = 1;
}
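Review bot: The new `ctrl->http_no_crl = 1;` makes CRL checking for https opt-in for every control context, and nothing on the line says so; as far as this diff shows, only the Assuan OPTION handler in server.c ever clears the bit, so a reader of dirmngr_init_default_ctrl cannot tell whether 1 is a deliberate default or a placeholder. A short comment would remove the ambiguity: `ctrl->http_no_crl = 1;  /* CRL checks for https stay off unless the client enables them via OPTION http-crl.  */`. If the intent is to later flip the default, a FIXME there would be the right place for it too, since the old FIXME in http-ntbtls.c is removed by this commit. dirmngr_init_default_ctrl starts before the hunk.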
diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h
index 57e3372a0..b0b603f76 100644
--- a/dirmngr/dirmngr.h
+++ b/dirmngr/dirmngr.h
@@ -190,6 +190,8 @@ struct server_control_s
int audit_events; /* Send audit events to client. */
char *http_proxy; /* The used http_proxy or NULL. */
+
+ unsigned int http_no_crl:1; /* Do not check CRLs for https. */
};
diff --git a/dirmngr/http-ntbtls.c b/dirmngr/http-ntbtls.c
index 5686877ec..3038cae6b 100644
--- a/dirmngr/http-ntbtls.c
+++ b/dirmngr/http-ntbtls.c
@@ -78,8 +78,8 @@ gnupg_http_tls_verify_cb (void *opaque,
if ((http_flags & HTTP_FLAG_TRUST_SYS))
validate_flags |= VALIDATE_FLAG_SYSTRUST;
- /* FIXME: For now we don't use CRLs. */
- validate_flags |= VALIDATE_FLAG_NOCRLCHECK;
+ if ((http_flags & HTTP_FLAG_NO_CRL))
+ validate_flags |= VALIDATE_FLAG_NOCRLCHECK;
err = validate_cert_chain (ctrl, hostcert, NULL, validate_flags, NULL);
diff --git a/dirmngr/http.c b/dirmngr/http.c
index 89e46ca22..733018de5 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -653,6 +653,7 @@ http_session_release (http_session_t sess)
* Valid values for FLAGS are:
* HTTP_FLAG_TRUST_DEF - Use the CAs set with http_register_tls_ca
* HTTP_FLAG_TRUST_SYS - Also use the CAs defined by the system
+ * HTTP_FLAG_NO_CRL - Do not consult CRLs for https.
*/
gpg_error_t
http_session_new (http_session_t *r_session,
diff --git a/dirmngr/http.h b/dirmngr/http.h
index 98ac4a31a..331ee61b8 100644
--- a/dirmngr/http.h
+++ b/dirmngr/http.h
@@ -87,7 +87,8 @@ enum
HTTP_FLAG_IGNORE_IPv4 = 64, /* Do not use IPv4. */
HTTP_FLAG_IGNORE_IPv6 = 128, /* Do not use IPv6. */
HTTP_FLAG_TRUST_DEF = 256, /* Use the default CAs. */
- HTTP_FLAG_TRUST_SYS = 512 /* Also use the system defined CAs. */
+ HTTP_FLAG_TRUST_SYS = 512, /* Also use the system defined CAs. */
+ HTTP_FLAG_NO_CRL = 1024 /* Do not consult CRLs for https. */
};
diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index 4ca1e0025..b6a06754f 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -1123,7 +1123,9 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
*r_fp = NULL;
- err = http_session_new (&session, httphost, HTTP_FLAG_TRUST_DEF,
+ err = http_session_new (&session, httphost,
+ ((ctrl->http_no_crl? HTTP_FLAG_NO_CRL : 0)
+ | HTTP_FLAG_TRUST_DEF),
gnupg_http_tls_verify_cb, ctrl);
if (err)
goto leave;
diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c
index 9352a0f18..d4a6c8a63 100644
--- a/dirmngr/ks-engine-http.c
+++ b/dirmngr/ks-engine-http.c
@@ -76,7 +76,9 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
once_more:
/* Note that we only use the system provided certificates with the
* fetch command. */
- err = http_session_new (&session, NULL, HTTP_FLAG_TRUST_SYS,
+ err = http_session_new (&session, NULL,
+ ((ctrl->http_no_crl? HTTP_FLAG_NO_CRL : 0)
+ | HTTP_FLAG_TRUST_SYS),
gnupg_http_tls_verify_cb, ctrl);
if (err)
goto leave;
diff --git a/dirmngr/server.c b/dirmngr/server.c
index 92bbc160b..f726d1b35 100644
--- a/dirmngr/server.c
+++ b/dirmngr/server.c
@@ -627,6 +627,11 @@ option_handler (assuan_context_t ctx, const char *key, const char *value)
if (dirmngr_use_tor ())
err = gpg_error (GPG_ERR_FORBIDDEN);
}
+ else if (!strcmp (key, "http-crl"))
+ {
+ int i = *value? atoi (value) : 0;
+ ctrl->http_no_crl = !i;
+ }
else
err = gpg_error (GPG_ERR_UNKNOWN_OPTION);
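Review bot: The new `http-crl` branch parses the value with `atoi`, so any non-numeric string ("yes", "true", "on") yields 0 and sets `ctrl->http_no_crl = 1`, which silently disables CRL checking for exactly the client that asked for it. For a toggle that governs certificate revocation it is safer to reject unparsable input than to guess, and `err` is already the reporting channel in this function. The other option branches are outside the hunk, so they may well use `atoi` too; if so, this one still deserves the stricter parse because a wrong guess weakens verification rather than merely misconfiguring a limit. option_handler starts and ends outside the hunk.
```c
      else if (!strcmp (key, "http-crl"))
        {
          char *end;
          long v = *value? strtol (value, &end, 10) : 0;
          /* Refuse non-numeric values instead of silently disabling CRL checks.  */
          if (*value && (end == value || *end))
            err = gpg_error (GPG_ERR_INV_VALUE);
          else
            ctrl->http_no_crl = !v;
        }
```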
diff --git a/dirmngr/t-http.c b/dirmngr/t-http.c
index c5bec898b..68818de7a 100644
--- a/dirmngr/t-http.c
+++ b/dirmngr/t-http.c
@@ -199,6 +199,7 @@ main (int argc, char **argv)
unsigned int my_http_flags = 0;
int no_out = 0;
int tls_dbg = 0;
+ int no_crl = 0;
const char *cafile = NULL;
http_session_t session = NULL;
@@ -225,7 +226,8 @@ main (int argc, char **argv)
" --no-verify do not verify the certificate\n"
" --force-tls use HTTP_FLAG_FORCE_TLS\n"
" --force-tor use HTTP_FLAG_FORCE_TOR\n"
- " --no-out do not print the content\n",
+ " --no-out do not print the content\n"
+ " --no-crl do not consuilt a CRL\n",
stdout);
exit (0);
}
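Review bot: The added usage line misspells "consult" in user-visible output: `" --no-crl do not consuilt a CRL\n"`. Since the same wording appears in http.h and http.c as "Do not consult CRLs", the help text should match: `" --no-crl do not consult a CRL\n"`. The usage block is the only part of main shown in this hunk; main itself starts and ends outside it.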
@@ -278,6 +280,11 @@ main (int argc, char **argv)
no_out = 1;
argc--; argv++;
}
+ else if (!strcmp (*argv, "--no-crl"))
+ {
+ no_crl = 1;
+ argc--; argv++;
+ }
else if (!strncmp (*argv, "--", 2))
{
fprintf (stderr, PGM ": unknown option '%s'\n", *argv);
@@ -298,7 +305,9 @@ main (int argc, char **argv)
#if HTTP_USE_NTBTLS
log_info ("new session.\n");
- err = http_session_new (&session, NULL, HTTP_FLAG_TRUST_DEF,
+ err = http_session_new (&session, NULL,
+ ((no_crl? HTTP_FLAG_NO_CRL : 0)
+ | HTTP_FLAG_TRUST_DEF),
my_http_tls_verify_cb, NULL);
if (err)
log_error ("http_session_new failed: %s\n", gpg_strerror (err));
@@ -313,7 +322,10 @@ main (int argc, char **argv)
http_register_tls_callback (verify_callback);
http_register_tls_ca (cafile);
- err = http_session_new (&session, NULL, HTTP_FLAG_TRUST_DEF, NULL, NULL);
+ err = http_session_new (&session, NULL,
+ ((no_crl? HTTP_FLAG_NO_CRL : 0)
+ | HTTP_FLAG_TRUST_DEF),
+ NULL, NULL);
if (err)
log_error ("http_session_new failed: %s\n", gpg_strerror (err));