author Werner Koch <wk@gnupg.org> 2018-04-25 09:43:18 +0200
committer Werner Koch <wk@gnupg.org> 2018-04-25 12:38:04 +0200
commit 705d8e9cf0d109005b3441766270c0e584f7847d
tree b769b80d79627d283e9ce834e4f55b16fc700145 /dirmngr/certcache.c
parent g10: Fix printing the keygrip with --card-status.
dirmngr: Implement CRL fetching via https.
* dirmngr/http.h (HTTP_FLAG_TRUST_CFG): New flag.
* dirmngr/http.c (http_register_cfg_ca): New.
(http_session_new) [HTTP_USE_GNUTLS]: Implement new trust flag.
* dirmngr/certcache.c (load_certs_from_dir): Call new function.
(cert_cache_deinit): Ditto.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Ditto.
* dirmngr/ks-engine-http.c (ks_http_fetch): Add new args 'send_no_cache' and 'extra_http_trust_flags'. Change all callers to provide the default value.
* dirmngr/crlfetch.c (crl_fetch): Rewrite to make use of ks_http_fetch.
--

The old code simply did not use https for downloading of CRLs. Instead it rewrote https to http under the assumption that the CRL service was also available without encryption. Note that a CRL is self-standing and thus it does not need to have extra authenticity as provided by TLS. These days we should not use any unencrypted content and thus this patch.

Be aware that cacert.org gives a https CRL DP but that currently redirects to http! This is a downgrade attack which we detect and don't allow. The outcome is that it is right now not possible to use CAcert certificates.

Signed-off-by: Werner Koch <wk@gnupg.org>
Diffstat (limited to 'dirmngr/certcache.c')
-rw-r--r-- dirmngr/certcache.c 5
1 files changed, 5 insertions, 0 deletions
diff --git a/dirmngr/certcache.c b/dirmngr/certcache.c
index 56629fdda..adb005ec8 100644
--- a/dirmngr/certcache.c
+++ b/dirmngr/certcache.c
@@ -423,6 +423,9 @@ load_certs_from_dir (const char *dirname, unsigned int trustclass)
log_info (_("certificate '%s' already cached\n"), fname);
else if (!err)
{
+ if ((trustclass & CERTTRUST_CLASS_CONFIG))
+ http_register_cfg_ca (fname);
+
if (trustclass)
log_info (_("trusted certificate '%s' loaded\n"), fname);
else
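Review bot: The new http_register_cfg_ca (fname) call sits only in the "else if (!err)" branch, so a file that takes the "already cached" branch just above is never registered, even when trustclass has CERTTRUST_CLASS_CONFIG set. If a certificate can reach the cache through another trust class before the config directory is scanned, the HTTPS trust list for CRL fetching would silently miss it. Either register in the "already cached" case as well, or add a comment stating why that case cannot occur for config-class certificates. The call also gives the caller no way to notice a failed registration; a log_info line on failure would make a missing CA diagnosable from the dirmngr log.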
@@ -763,6 +766,8 @@ cert_cache_deinit (int full)
}
}
+ http_register_cfg_ca (NULL);
+
total_nonperm_certificates = 0;
any_cert_of_class = 0;
initialization_done = 0;
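Review bot: Passing NULL to http_register_cfg_ca in cert_cache_deinit relies on NULL being a "clear the registered list" sentinel, which is not evident at the call site. A one-line comment here (for example "Release the list of registered config CAs") would make the intent clear. The call is also placed after the closing braces rather than next to the per-certificate cleanup, so it appears to run regardless of the "full" argument. Please confirm that is intended, since the other visible resets (total_nonperm_certificates, any_cert_of_class, initialization_done) give no hint whether the registered file names should survive a non-full deinit.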