authorWerner Koch <wk@gnupg.org>2014-09-10 10:37:48 +0200
committerWerner Koch <wk@gnupg.org>2014-09-10 10:37:48 +0200
commit84419f42da0fd436a9e0e669730157e74ce38b77 (patch)
treedd82975cf054da5fa383c12670e7c84377a5cfed /dirmngr
parentdirmngr: Fix the ks_fetch command for the http scheme. (diff)
dirmngr: Support https for KS_FETCH.
* dirmngr/ks-engine-hkp.c (cert_log_cb): Move to ... * dirmngr/misc.c (cert_log_cb): here. * dirmngr/ks-engine-http.c (ks_http_fetch): Support 307-redirection and https. -- Note that this requires that the root certificates are registered using the --hkp-cacert option. Eventually we may introduce a separate option to allow using different CAs for KS_FETCH and keyserver based requests.
Diffstat (limited to 'dirmngr')
-rw-r--r--dirmngr/ks-engine-hkp.c34
-rw-r--r--dirmngr/ks-engine-http.c12
-rw-r--r--dirmngr/misc.c33
-rw-r--r--dirmngr/misc.h4
4 files changed, 48 insertions, 35 deletions
diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index 762ab4ab0..12b1778c6 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -880,40 +880,6 @@ ks_hkp_housekeeping (time_t curtime)
}
-/* Callback to print infos about the TLS certificates. */
-static void
-cert_log_cb (http_session_t sess, gpg_error_t err,
- const char *hostname, const void **certs, size_t *certlens)
-{
- ksba_cert_t cert;
- size_t n;
-
- (void)sess;
-
- if (!err)
- return; /* No error - no need to log anything */
-
- log_debug ("expected hostname: %s\n", hostname);
- for (n=0; certs[n]; n++)
- {
- err = ksba_cert_new (&cert);
- if (!err)
- err = ksba_cert_init_from_mem (cert, certs[n], certlens[n]);
- if (err)
- log_error ("error parsing cert for logging: %s\n", gpg_strerror (err));
- else
- {
- char textbuf[20];
- snprintf (textbuf, sizeof textbuf, "server[%u]", (unsigned int)n);
- dump_cert (textbuf, cert);
- }
-
- ksba_cert_release (cert);
- }
-}
-
-
-
/* Send an HTTP request. On success returns an estream object at
R_FP. HOSTPORTSTR is only used for diagnostics. If HTTPHOST is
not NULL it will be used as HTTP "Host" header. If POST_CB is not
diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c
index aed3aaa84..e4c2b788b 100644
--- a/dirmngr/ks-engine-http.c
+++ b/dirmngr/ks-engine-http.c
@@ -38,6 +38,7 @@ ks_http_help (ctrl_t ctrl, parsed_uri_t uri)
const char const data[] =
"Handler for HTTP URLs:\n"
" http://\n"
+ " https://\n"
"Supported methods: fetch\n";
gpg_error_t err;
@@ -58,11 +59,17 @@ gpg_error_t
ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
{
gpg_error_t err;
+ http_session_t session = NULL;
http_t http = NULL;
int redirects_left = MAX_REDIRECTS;
estream_t fp = NULL;
char *request_buffer = NULL;
+ err = http_session_new (&session, NULL);
+ if (err)
+ goto leave;
+ http_session_set_log_cb (session, cert_log_cb);
+
*r_fp = NULL;
once_more:
err = http_open (&http,
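Review bot: On the `http_session_new` failure path the new `goto leave` runs before `*r_fp = NULL;`, so a caller that inspects `*r_fp` after an error gets whatever the variable held on entry; move `*r_fp = NULL;` above `err = http_session_new (&session, NULL);` so every exit clears the output parameter. The session created here only carries the logging callback; which trust anchors validate the server certificate is decided by the `http_open` call and its flags in the following hunk, which this hunk does not show, so a comment such as `/* TLS trust anchors are the --hkp-cacert roots; see the http_open flags. */` above `http_session_set_log_cb` would make the dependency the commit message describes visible in the code. ks_http_fetch's body continues outside the hunk.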
@@ -72,7 +79,8 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
/* fixme: AUTH */ NULL,
0,
/* fixme: proxy*/ NULL,
- NULL, NULL,
+ session,
+ NULL,
/*FIXME curl->srvtag*/NULL);
if (!err)
{
@@ -112,6 +120,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
case 301:
case 302:
+ case 307:
{
const char *s = http_get_header (http, "Location");
@@ -157,6 +166,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
leave:
http_close (http, 0);
+ http_session_release (session);
xfree (request_buffer);
return err;
}
diff --git a/dirmngr/misc.c b/dirmngr/misc.c
index 0bca5ee9a..25652a252 100644
--- a/dirmngr/misc.c
+++ b/dirmngr/misc.c
@@ -384,6 +384,39 @@ cert_log_subject (const char *text, ksba_cert_t cert)
}
+/* Callback to print infos about the TLS certificates. */
+void
+cert_log_cb (http_session_t sess, gpg_error_t err,
+ const char *hostname, const void **certs, size_t *certlens)
+{
+ ksba_cert_t cert;
+ size_t n;
+
+ (void)sess;
+
+ if (!err)
+ return; /* No error - no need to log anything */
+
+ log_debug ("expected hostname: %s\n", hostname);
+ for (n=0; certs[n]; n++)
+ {
+ err = ksba_cert_new (&cert);
+ if (!err)
+ err = ksba_cert_init_from_mem (cert, certs[n], certlens[n]);
+ if (err)
+ log_error ("error parsing cert for logging: %s\n", gpg_strerror (err));
+ else
+ {
+ char textbuf[20];
+ snprintf (textbuf, sizeof textbuf, "server[%u]", (unsigned int)n);
+ dump_cert (textbuf, cert);
+ }
+
+ ksba_cert_release (cert);
+ }
+}
+
+
/****************
* Remove all %xx escapes; this is done inplace.
* Returns: New length of the string.
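Review bot: The header comment `/* Callback to print infos about the TLS certificates. */` carried over from ks-engine-hkp.c does not state the contract callers of the now-public function rely on: it logs only when ERR is non-zero (`if (!err) return;`), it expects CERTS to be a NULL-terminated array with CERTLENS parallel to it, and it is meant to be installed via `http_session_set_log_cb`; the same one-liner sits on the prototype in misc.h. Something like `/* Log callback for http_session_set_log_cb: when ERR is set, log the expected HOSTNAME and dump each DER certificate of the NULL-terminated CERTS array (lengths in CERTLENS). Errors are only logged, never acted upon. */` on both would do. One point to confirm rather than fix: `ksba_cert_release (cert)` is reached even when `ksba_cert_new` fails, which is safe only if that call leaves `cert` NULL on failure, something this file cannot show; initialising `ksba_cert_t cert = NULL;` and skipping the release on that path would remove the doubt.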
diff --git a/dirmngr/misc.h b/dirmngr/misc.h
index 928bf78ae..2dc298557 100644
--- a/dirmngr/misc.h
+++ b/dirmngr/misc.h
@@ -68,6 +68,10 @@ void dump_string (const char *string);
TEXT. This is used for debugging. */
void dump_cert (const char *text, ksba_cert_t cert);
+/* Callback to print infos about the TLS certificates. */
+void cert_log_cb (http_session_t sess, gpg_error_t err,
+ const char *hostname, const void **certs, size_t *certlens);
+
/* Return the host name and the port (0 if none was given) from the
URL. Return NULL on error or if host is not included in the
URL. */