Diffstat (limited to 'dirmngr')
-rw-r--r-- | dirmngr/dirmngr.c | 47 | ||||
-rw-r--r-- | dirmngr/ks-engine-hkp.c | 27 | ||||
-rw-r--r-- | dirmngr/sks-keyservers.netCA.pem | 32 |
3 files changed, 103 insertions, 3 deletions
diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c index 81da029a3..8f85e4883 100644 --- a/dirmngr/dirmngr.c +++ b/dirmngr/dirmngr.c @@ -40,6 +40,9 @@ # include <signal.h> #endif #include <npth.h> +#ifdef HTTP_USE_GNUTLS +# include <gnutls/gnutls.h> +#endif /*HTTP_USE_GNUTLS*/ #define JNLIB_NEED_LOG_LOGV @@ -92,6 +95,7 @@ enum cmd_and_opt_values { oDebugAll, oDebugWait, oDebugLevel, + oGnutlsDebug, oNoGreeting, oNoOptions, oHomedir, @@ -116,6 +120,7 @@ enum cmd_and_opt_values { oOCSPMaxPeriod, oOCSPCurrentPeriod, oMaxReplies, + oHkpCaCert, oFakedSystemTime, oForce, oAllowOCSP, @@ -195,11 +200,16 @@ static ARGPARSE_OPTS opts[] = { ARGPARSE_s_i (oMaxReplies, "max-replies", N_("|N|do not return more than N items in one query")), + ARGPARSE_s_s (oHkpCaCert, "hkp-cacert", + N_("|FILE|use the CA certifciates in FILE for HKP over TLS")), + + ARGPARSE_s_s (oSocketName, "socket-name", "@"), /* Only for debugging. */ ARGPARSE_s_u (oFakedSystemTime, "faked-system-time", "@"), /*(epoch time)*/ ARGPARSE_p_u (oDebug, "debug", "@"), ARGPARSE_s_n (oDebugAll, "debug-all", "@"), + ARGPARSE_s_i (oGnutlsDebug, "gnutls-debug", "@"), ARGPARSE_s_i (oDebugWait, "debug-wait", "@"), ARGPARSE_s_n (oNoGreeting, "no-greeting", "@"), ARGPARSE_s_s (oHomedir, "homedir", "@"), @@ -234,6 +244,9 @@ static char *current_logfile; /* Helper to implement --debug-level. */ static const char *debug_level; +/* Helper to set the GNUTLS log level. */ +static int opt_gnutls_debug = -1; + /* Flag indicating that a shutdown has been requested. */ static volatile int shutdown_pending; 
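Review bot: The help text added for `--hkp-cacert` in the opts[] hunk misspells "certificates" as "certifciates"; because it is wrapped in N_() it is both user-visible and a translation key, so it should read `N_("|FILE|use the CA certificates in FILE for HKP over TLS")`. The same hunk adds an `oSocketName`/"socket-name" entry, but neither enum hunk adds `oSocketName` and no `case oSocketName:` appears in the parse_rereadable_options hunks below, so either the value already exists outside this diff or the option is accepted but never acted on — worth confirming. The new static `opt_gnutls_debug` would read better with its sentinel spelled out, since set_debug keys on `>= 0`: `/* GNUTLS log level requested via --gnutls-debug; -1 means leave GNUTLS logging untouched.  */`.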
@@ -331,6 +344,20 @@ my_ksba_hash_buffer (void *arg, const char *oid, } +/* GNUTLS log function callback. */ +static void +my_gnutls_log (int level, const char *text) +{ + int n; + + n = strlen (text); + while (n && text[n-1] == '\n') + n--; + + log_debug ("gnutls:L%d: %.*s\n", level, n, text); +} + + /* Setup the debugging. With a LEVEL of NULL only the active debug flags are propagated to the subsystems. With LEVEL set, a specific set of debug flags is set; thus overriding all flags already @@ -382,6 +409,14 @@ set_debug (void) if (opt.debug & DBG_CRYPTO_VALUE ) gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1); + +#ifdef HTTP_USE_GNUTLS + if (opt_gnutls_debug >= 0) + { + gnutls_global_set_log_function (my_gnutls_log); + gnutls_global_set_log_level (opt_gnutls_debug); + } +#endif /*HTTP_USE_GNUTLS*/ } @@ -439,6 +474,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread) opt.ocsp_signer = tmp; } FREE_STRLIST (opt.ignored_cert_extensions); + http_register_tls_ca (NULL); return 1; } @@ -449,6 +485,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread) case oDebug: opt.debug |= pargs->r.ret_ulong; break; case oDebugAll: opt.debug = ~0; break; case oDebugLevel: debug_level = pargs->r.ret_str; break; + case oGnutlsDebug: opt_gnutls_debug = pargs->r.ret_int; break; case oLogFile: if (!reread) @@ -490,6 +527,10 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread) case oMaxReplies: opt.max_replies = pargs->r.ret_int; break; + case oHkpCaCert: + http_register_tls_ca (pargs->r.ret_str); + break; + case oIgnoreCertExtension: add_to_strlist (&opt.ignored_cert_extensions, pargs->r.ret_str); break; 
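Review bot: `case oHkpCaCert:` passes `pargs->r.ret_str` to `http_register_tls_ca` unchanged, so a relative FILE is resolved against whatever working directory dirmngr has when the TLS layer first opens it; if the daemon changes directory after option parsing (not visible here) the CA file becomes unreachable, and what hkps:// verification does in that case is not visible in this diff either. Consider resolving the path against the home directory before registering it, or at least documenting next to the option that FILE is expected to be absolute. In `my_gnutls_log`, `n = strlen (text);` narrows size_t into int; `size_t n` with the cast moved to the format call, `log_debug ("gnutls:L%d: %.*s\n", level, (int)n, text);`, avoids the implicit conversion without changing behaviour. set_debug and parse_rereadable_options both begin before their hunks and continue after them.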
@@ -628,6 +669,12 @@ main (int argc, char **argv) ksba_set_malloc_hooks (gcry_malloc, gcry_realloc, gcry_free ); ksba_set_hash_buffer_function (my_ksba_hash_buffer, NULL); + /* Init GNUTLS. */ +#ifdef HTTP_USE_GNUTLS + rc = gnutls_global_init (); + if (rc) + log_fatal ("gnutls_global_init failed: %s\n", gnutls_strerror (rc)); +#endif /*HTTP_USE_GNUTLS*/ /* Init Assuan. */ malloc_hooks.malloc = gcry_malloc; diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c index fa616a0c0..c115cf562 100644 --- a/dirmngr/ks-engine-hkp.c +++ b/dirmngr/ks-engine-hkp.c @@ -628,12 +628,14 @@ ks_hkp_help (ctrl_t ctrl, parsed_uri_t uri) const char const data[] = "Handler for HKP URLs:\n" " hkp://\n" + " hkps://\n" "Supported methods: search, get, put\n"; gpg_error_t err; if (!uri) - err = ks_print_help (ctrl, " hkp"); - else if (uri->is_http && !strcmp (uri->scheme, "hkp")) + err = ks_print_help (ctrl, " hkp\n hkps"); + else if (uri->is_http && (!strcmp (uri->scheme, "hkp") + || !strcmp (uri->scheme, "hkps"))) err = ks_print_help (ctrl, data); else err = 0; @@ -747,6 +749,7 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr, estream_t *r_fp) { gpg_error_t err; + http_session_t session = NULL; http_t http = NULL; int redirects_left = MAX_REDIRECTS; estream_t fp = NULL; @@ -754,6 +757,10 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr, *r_fp = NULL; + err = http_session_new (&session, NULL); + if (err) + goto leave; + once_more: err = http_open (&http, post_cb? HTTP_REQ_POST : HTTP_REQ_GET, @@ -761,7 +768,8 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr, /* fixme: AUTH */ NULL, httpflags, /* fixme: proxy*/ NULL, - NULL, NULL, + session, + NULL, /*FIXME curl->srvtag*/NULL); if (!err) { 
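Review bot: `err = http_session_new (&session, NULL); if (err) goto leave;` in send_request reaches the cleanup label with `http` still NULL, so this path depends on `http_close` tolerating a NULL handle; the pre-existing failed-`http_open` path appears to rely on the same, but a one-line comment at `leave:` saying so would make it explicit. What the second argument of `http_session_new` selects — in particular whether the session verifies the server certificate against the CAs registered through `http_register_tls_ca` or accepts any certificate — is not visible here; a comment at the call site stating the verification policy, e.g. `/* Session with TLS verification against the --hkp-cacert CA set.  */` (wording to be confirmed against http.c), would make that auditable. In main, `gnutls_global_init` gets no matching `gnutls_global_deinit` at shutdown, harmless for a daemon but worth a note. send_request continues beyond this hunk.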
@@ -798,6 +806,13 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr, goto leave; } + if (http_get_tls_info (http, NULL)) + { + /* Update the httpflags so that a redirect won't fallback to an + unencrypted connection. */ + httpflags |= HTTP_FLAG_FORCE_TLS; + } + switch (http_get_status_code (http)) { case 200: @@ -806,6 +821,7 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr, case 301: case 302: + case 307: { const char *s = http_get_header (http, "Location"); @@ -837,6 +853,10 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr, goto leave; } + /* FIXME: We should register a permanent redirection and whether a + host has ever used TLS so that future calls will always use + TLS. */ + fp = http_get_read_ptr (http); if (!fp) { @@ -851,6 +871,7 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr, leave: http_close (http, 0); + http_session_release (session); xfree (request_buffer); return err; } diff --git a/dirmngr/sks-keyservers.netCA.pem b/dirmngr/sks-keyservers.netCA.pem new file mode 100644 index 000000000..24a2ad2e8 --- /dev/null +++ b/dirmngr/sks-keyservers.netCA.pem 
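Review bot: The `HTTP_FLAG_FORCE_TLS` upgrade is applied to the local `httpflags`, so it only protects the redirect chain of this one send_request call; the next call for the same host starts without it, which the FIXME further down already acknowledges. Until a per-host memory exists the comment should say so, e.g. `/* Update the httpflags so that a redirect within this request won't fall back to an unencrypted connection; later requests start afresh.  */`. The new `case 307:` shares the 301/302 path, which presumably jumps back to `once_more` and re-issues the request with the same method (`post_cb ? HTTP_REQ_POST : HTTP_REQ_GET`) — correct for 307, and a short `/* 307: same method and body are repeated.  */` would document why it belongs here. `http_session_release (session)` at `leave:` is also reached with a NULL session on the early-failure path, so it must tolerate NULL; the enclosing send_request starts before this hunk.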
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFizCCA3OgAwIBAgIJAK9zyLTPn4CPMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNV +BAYTAk5PMQ0wCwYDVQQIDARPc2xvMR4wHAYDVQQKDBVza3Mta2V5c2VydmVycy5u +ZXQgQ0ExHjAcBgNVBAMMFXNrcy1rZXlzZXJ2ZXJzLm5ldCBDQTAeFw0xMjEwMDkw +MDMzMzdaFw0yMjEwMDcwMDMzMzdaMFwxCzAJBgNVBAYTAk5PMQ0wCwYDVQQIDARP +c2xvMR4wHAYDVQQKDBVza3Mta2V5c2VydmVycy5uZXQgQ0ExHjAcBgNVBAMMFXNr +cy1rZXlzZXJ2ZXJzLm5ldCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC +ggIBANdsWy4PXWNUCkS3L//nrd0GqN3dVwoBGZ6w94Tw2jPDPifegwxQozFXkG6I +6A4TK1CJLXPvfz0UP0aBYyPmTNadDinaB9T4jIwd4rnxl+59GiEmqkN3IfPsv5Jj +MkKUmJnvOT0DEVlEaO1UZIwx5WpfprB3mR81/qm4XkAgmYrmgnLXd/pJDAMk7y1F +45b5zWofiD5l677lplcIPRbFhpJ6kDTODXh/XEdtF71EAeaOdEGOvyGDmCO0GWqS +FDkMMPTlieLA/0rgFTcz4xwUYj/cD5e0ZBuSkYsYFAU3hd1cGfBue0cPZaQH2HYx +Qk4zXD8S3F4690fRhr+tki5gyG6JDR67aKp3BIGLqm7f45WkX1hYp+YXywmEziM4 +aSbGYhx8hoFGfq9UcfPEvp2aoc8u5sdqjDslhyUzM1v3m3ZGbhwEOnVjljY6JJLx +MxagxnZZSAY424ZZ3t71E/Mn27dm2w+xFRuoy8JEjv1d+BT3eChM5KaNwrj0IO/y +u8kFIgWYA1vZ/15qMT+tyJTfyrNVV/7Df7TNeWyNqjJ5rBmt0M6NpHG7CrUSkBy9 +p8JhimgjP5r0FlEkgg+lyD+V79H98gQfVgP3pbJICz0SpBQf2F/2tyS4rLm+49rP +fcOajiXEuyhpcmzgusAj/1FjrtlynH1r9mnNaX4e+rLWzvU5AgMBAAGjUDBOMB0G +A1UdDgQWBBTkwyoJFGfYTVISTpM8E+igjdq28zAfBgNVHSMEGDAWgBTkwyoJFGfY +TVISTpM8E+igjdq28zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4ICAQAR +OXnYwu3g1ZjHyley3fZI5aLPsaE17cOImVTehC8DcIphm2HOMR/hYTTL+V0G4P+u +gH+6xeRLKSHMHZTtSBIa6GDL03434y9CBuwGvAFCMU2GV8w92/Z7apkAhdLToZA/ +X/iWP2jeaVJhxgEcH8uPrnSlqoPBcKC9PrgUzQYfSZJkLmB+3jEa3HKruy1abJP5 +gAdQvwvcPpvYRnIzUc9fZODsVmlHVFBCl2dlu/iHh2h4GmL4Da2rRkUMlbVTdioB +UYIvMycdOkpH5wJftzw7cpjsudGas0PARDXCFfGyKhwBRFY7Xp7lbjtU5Rz0Gc04 +lPrhDf0pFE98Aw4jJRpFeWMjpXUEaG1cq7D641RpgcMfPFvOHY47rvDTS7XJOaUT +BwRjmDt896s6vMDcaG/uXJbQjuzmmx3W2Idyh3s5SI0GTHb0IwMKYb4eBUIpQOnB +cE77VnCYqKvN1NVYAqhWjXbY7XasZvszCRcOG+W3FqNaHOK/n/0ueb0uijdLan+U +f4p1bjbAox8eAOQS/8a3bzkJzdyBNUKGx1BIK2IBL9bn/HravSDOiNRSnZ/R3l9G +ZauX0tu7IIDlRCILXSyeazu0aj/vdT3YFQXPcvt5Fkf5wiNTo53f72/jYEJd6qph 
+WrpoKqrwGwTpRUCMhYIUt65hsTxCiJJ5nKe39h46sg== +-----END CERTIFICATE----- |