authorWerner Koch <wk@gnupg.org>2017-09-18 22:49:05 +0200
committerWerner Koch <wk@gnupg.org>2017-09-18 22:49:05 +0200
commitdf692a6167be5486f9a29da003a00292fd895176 (patch)
tree10d83f1fa7a1b46b59e9301c22ddc11a7b2b9cdc
parentpo: Minor Grammar update of the Greek translation (diff)
dirmngr: Use system certs if --hkp-cacert is not used.
* dirmngr/certcache.c (any_cert_of_class): New var. (put_cert): Set it. (cert_cache_deinit): Clear it. (cert_cache_any_in_class): New func. * dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Add hack to override empty list of HKP certs. -- This patch carries the changes for GNUTLS from commit 7c1613d41566f7d8db116790087de323621205fe over to NTBTLS. NTBTLS works quite different and thus we need to do it this way. Signed-off-by: Werner Koch <wk@gnupg.org>
-rw-r--r--dirmngr/certcache.c18
-rw-r--r--dirmngr/certcache.h3
-rw-r--r--dirmngr/http-ntbtls.c6
3 files changed, 26 insertions, 1 deletions
diff --git a/dirmngr/certcache.c b/dirmngr/certcache.c
index b4e538131..56629fdda 100644
--- a/dirmngr/certcache.c
+++ b/dirmngr/certcache.c
@@ -94,6 +94,10 @@ static int initialization_done;
/* Total number of non-permanent certificates. */
static unsigned int total_nonperm_certificates;
+/* For each cert class the corresponding bit is set if at least one
+ * certificate of that class is loaded permanetly. */
+static unsigned int any_cert_of_class;
+
#ifdef HAVE_W32_SYSTEM
/* We load some functions dynamically. Provide typedefs for tehse
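Review bot: The new comment on `any_cert_of_class` has a typo, `permanetly` should be `permanently`; suggested wording: `/* For each cert class the corresponding bit is set if at least one certificate of that class is loaded permanently.  The bits are those of the trustclass mask given to put_cert. */`. Naming the bit encoding matters because a reader of this declaration alone cannot tell that the variable is ORed with the trustclass mask (done in put_cert in this commit) and later tested against CERTTRUST_CLASS_HKP from the ntbtls verify callback. The declaration run continues past this hunk.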
@@ -343,7 +347,9 @@ put_cert (ksba_cert_t cert, int permanent, unsigned int trustclass,
ci->permanent = !!permanent;
ci->trustclasses = trustclass;
- if (!permanent)
+ if (permanent)
+ any_cert_of_class |= trustclass;
+ else
total_nonperm_certificates++;
return 0;
@@ -758,6 +764,7 @@ cert_cache_deinit (int full)
}
total_nonperm_certificates = 0;
+ any_cert_of_class = 0;
initialization_done = 0;
release_cache_lock ();
}
@@ -814,6 +821,15 @@ cert_cache_print_stats (void)
}
+/* Return true if any cert of a class in MASK is permanently
+ * loaded. */
+int
+cert_cache_any_in_class (unsigned int mask)
+{
+ return !!(any_cert_of_class & mask);
+}
+
+
/* Put CERT into the certificate cache. */
gpg_error_t
cache_cert (ksba_cert_t cert)
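Review bot: `cert_cache_any_in_class` reads the file-scope `any_cert_of_class` without taking the cache lock, while the writers added in this commit appear to run under it (cert_cache_deinit calls `release_cache_lock` right after clearing the variable). Its caller in http-ntbtls.c is a TLS verify callback, so the read can overlap a cache reload on another thread; a torn read of an unsigned int is unlikely on common platforms, but the function should either take the lock or carry a comment stating that the lock-free read is intentional. If the lock is meant to guard all cache state, the body below uses the acquire counterpart of `release_cache_lock` (assumed to exist in this file; confirm the name). The comment above the function could also spell out that only permanently loaded certificates are counted, which is what put_cert records.
```c
int
cert_cache_any_in_class (unsigned int mask)
{
  int any;

  acquire_cache_lock ();
  any = !!(any_cert_of_class & mask);
  release_cache_lock ();
  return any;
}
```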
diff --git a/dirmngr/certcache.h b/dirmngr/certcache.h
index 92529bf11..8d645836d 100644
--- a/dirmngr/certcache.h
+++ b/dirmngr/certcache.h
@@ -39,6 +39,9 @@ void cert_cache_deinit (int full);
/* Print some statistics to the log file. */
void cert_cache_print_stats (void);
+/* Return true if any cert of a class in MASK is permanently loaded. */
+int cert_cache_any_in_class (unsigned int mask);
+
/* Compute the fingerprint of the certificate CERT and put it into
the 20 bytes large buffer DIGEST. Return address of this buffer. */
unsigned char *cert_compute_fpr (ksba_cert_t cert, unsigned char *digest);
diff --git a/dirmngr/http-ntbtls.c b/dirmngr/http-ntbtls.c
index 250db556c..ea66a4d73 100644
--- a/dirmngr/http-ntbtls.c
+++ b/dirmngr/http-ntbtls.c
@@ -91,6 +91,12 @@ gnupg_http_tls_verify_cb (void *opaque,
validate_flags |= VALIDATE_FLAG_TRUST_HKP;
if ((http_flags & HTTP_FLAG_TRUST_SYS))
validate_flags |= VALIDATE_FLAG_TRUST_SYSTEM;
+
+ /* If HKP trust is requested and there are no HKP certificates
+ * configured, also try thye standard system certificates. */
+ if ((validate_flags & VALIDATE_FLAG_TRUST_HKP)
+ && !cert_cache_any_in_class (CERTTRUST_CLASS_HKP))
+ validate_flags |= VALIDATE_FLAG_TRUST_SYSTEM;
}
if ((http_flags & HTTP_FLAG_NO_CRL))
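Review bot: The fallback to VALIDATE_FLAG_TRUST_SYSTEM at the new `if` is taken silently, so an operator who configured --hkp-cacert with a file that failed to load ends up with keyserver TLS verified against the system CA store and no indication that the trust set was widened; a log line on this path, e.g. `log_info ("no HKP CA certificates loaded; using system certificates for HKP trust\n");`, would make that visible (whether info level is appropriate depends on how often this callback runs per connection, which is not visible here). The new comment also has a typo, `thye` should be `the`. gnupg_http_tls_verify_cb begins before this hunk and continues after it.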