dirmngr/src (8 files)
cvs user wk
cvs at cvs.gnupg.org
Wed Dec 1 17:03:48 CET 2004
Date: Wednesday, December 1, 2004 @ 17:11:15
Author: wk
Path: /cvs/dirmngr/dirmngr/src
Modified: ChangeLog Makefile.am crlfetch.c dirmngr.c dirmngr.h
dirmngr_ldap.c ldap.c validate.c
* Makefile.am (dirmngr_LDADD): Don't use LDAP_LIBS.
* validate.c (validate_cert_chain): Fixed test; as written in the
comment we want to do this only in daemon mode. For clarity
reworked by using a linked list of certificates and include root
and target certificate.
(check_revocations): Likewise. Introduced a recursion sentinel.
----------------+
ChangeLog | 21 ++++++++
Makefile.am | 2
crlfetch.c | 4 -
dirmngr.c | 2
dirmngr.h | 2
dirmngr_ldap.c | 19 +++++--
ldap.c | 2
validate.c | 143 +++++++++++++++++++++++++++++++++----------------------
8 files changed, 132 insertions(+), 63 deletions(-)
Index: dirmngr/src/ChangeLog
diff -u dirmngr/src/ChangeLog:1.30 dirmngr/src/ChangeLog:1.31
--- dirmngr/src/ChangeLog:1.30 Thu Nov 25 14:19:07 2004
+++ dirmngr/src/ChangeLog Wed Dec 1 17:11:14 2004
@@ -1,3 +1,24 @@
+2004-12-01 Werner Koch <wk at g10code.com>
+
+ * Makefile.am (dirmngr_LDADD): Don't use LDAP_LIBS.
+
+ * validate.c (validate_cert_chain): Fixed test; as written in the
+ comment we want to do this only in daemon mode. For clarity
+ reworked by using a linked list of certificates and include root
+ and tragte certificate.
+ (check_revocations): Likewise. Introduced a recursion sentinel.
+
+2004-11-30 Werner Koch <wk at g10code.com>
+
+ * crlfetch.c (ca_cert_fetch, crl_fetch_default): Do not use the
+ binary prefix as this will be handled in the driver.
+
+ * dirmngr_ldap.c: New option --log-with-pid.
+ (fetch_ldap): Handle LDAP_NO_SUCH_OBJECT.
+ * ldap.c (run_ldap_wrapper, start_cert_fetch_ldap): Use new log
+ option.
+
+
2004-11-25 Werner Koch <wk at g10code.com>
* Makefile.am (dirmngr_ldap_CFLAGS): Added GPG_ERROR_CFLAGS.
Index: dirmngr/src/Makefile.am
diff -u dirmngr/src/Makefile.am:1.21 dirmngr/src/Makefile.am:1.22
--- dirmngr/src/Makefile.am:1.21 Thu Nov 25 14:19:07 2004
+++ dirmngr/src/Makefile.am Wed Dec 1 17:11:14 2004
@@ -46,7 +46,7 @@
dirmngr_LDADD = ../jnlib/libjnlib.a @LIBOBJS@ @LIBASSUAN_LIBS@ \
- @LIBGCRYPT_LIBS@ @KSBA_LIBS@ @LDAP_LIBS@ $(PTH_LIBS)
+ @LIBGCRYPT_LIBS@ @KSBA_LIBS@ $(PTH_LIBS)
dirmngr_ldap_SOURCES = dirmngr_ldap.c i18n.h util.h \
no-libgcrypt.c no-libgcrypt.h
Index: dirmngr/src/crlfetch.c
diff -u dirmngr/src/crlfetch.c:1.22 dirmngr/src/crlfetch.c:1.23
--- dirmngr/src/crlfetch.c:1.22 Tue Nov 23 14:20:44 2004
+++ dirmngr/src/crlfetch.c Wed Dec 1 17:11:14 2004
@@ -137,7 +137,7 @@
"LDAP");
return gpg_error (GPG_ERR_NOT_SUPPORTED);
}
- return attr_fetch_ldap (ctrl, issuer, "certificateRevocationList;binary",
+ return attr_fetch_ldap (ctrl, issuer, "certificateRevocationList",
reader);
}
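Review bot: The `;binary` attribute option is dropped from the `certificateRevocationList` string here and from `cACertificate` in the next hunk, and the only record of where it is now supplied is the ChangeLog entry in this commit saying the driver handles it; nothing at either call site says so. A comment above each call, `/* The ";binary" attribute option is supplied by the LDAP driver. */`, would stop a later reader from re-adding it. Both calls sit in functions whose bodies begin before their hunks.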
@@ -152,7 +152,7 @@
"LDAP");
return gpg_error (GPG_ERR_NOT_SUPPORTED);
}
- return attr_fetch_ldap (ctrl, dn, "cACertificate;binary", reader);
+ return attr_fetch_ldap (ctrl, dn, "cACertificate", reader);
}
Index: dirmngr/src/dirmngr.c
diff -u dirmngr/src/dirmngr.c:1.48 dirmngr/src/dirmngr.c:1.49
--- dirmngr/src/dirmngr.c:1.48 Wed Nov 24 15:45:27 2004
+++ dirmngr/src/dirmngr.c Wed Dec 1 17:11:14 2004
@@ -1363,7 +1363,7 @@
tattr = pth_attr_new();
pth_attr_set (tattr, PTH_ATTR_JOINABLE, 0);
- pth_attr_set (tattr, PTH_ATTR_STACK_SIZE, 256*1024);
+ pth_attr_set (tattr, PTH_ATTR_STACK_SIZE, 1024*1024);
pth_attr_set (tattr, PTH_ATTR_NAME, "dirmngr");
sigemptyset (&sigs );
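Review bot: The thread stack size jumps from `256*1024` to `1024*1024` with no comment on the line and no entry for dirmngr.c in this commit's ChangeLog hunk, so the reason for the fourfold increase is recorded nowhere. Add a one-line comment on the `pth_attr_set (tattr, PTH_ATTR_STACK_SIZE, 1024*1024);` line naming why 256k proved insufficient, and mention dirmngr.c in the ChangeLog; the change is possibly tied to the deeper nesting now tolerated by check_revocations in validate.c, but nothing here says so. The enclosing function begins before the hunk.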
Index: dirmngr/src/dirmngr.h
diff -u dirmngr/src/dirmngr.h:1.23 dirmngr/src/dirmngr.h:1.24
--- dirmngr/src/dirmngr.h:1.23 Wed Nov 24 15:44:01 2004
+++ dirmngr/src/dirmngr.h Wed Dec 1 17:11:14 2004
@@ -134,6 +134,8 @@
int status_fd; /* Only for non-server mode. */
struct server_local_s *server_local;
int force_crl_refresh; /* Always load a fresh CRL. */
+
+ int check_revocations_nest_level; /* Internal to check_revovations. */
};
typedef struct server_control_s *ctrl_t;
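Review bot: The comment on the new `check_revocations_nest_level` field misspells the function it refers to (`check_revovations`) and says nothing about what the counter does. Since validate.c in this commit increments it around the CRL loop and rejects the chain once it exceeds 10, a more useful line would be `int check_revocations_nest_level; /* Recursion depth of check_revocations (validate.c); bounds nested CRL checks. */`. The struct definition begins before the hunk.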
Index: dirmngr/src/dirmngr_ldap.c
diff -u dirmngr/src/dirmngr_ldap.c:1.5 dirmngr/src/dirmngr_ldap.c:1.6
--- dirmngr/src/dirmngr_ldap.c:1.5 Wed Nov 24 13:25:53 2004
+++ dirmngr/src/dirmngr_ldap.c Wed Dec 1 17:11:14 2004
@@ -64,7 +64,7 @@
oFilter,
oAttr,
- oDummy
+ oLogWithPID
};
@@ -86,6 +86,7 @@
{ oDN, "dn", 2, N_("|STRING|query DN STRING")},
{ oFilter, "filter", 2, N_("|STRING|use STRING as filter expression")},
{ oAttr, "attr", 2, N_("|STRING|return the attribute STRING")},
+ { oLogWithPID,"log-with-pid", 0, "@"},
{0}
};
@@ -208,6 +209,13 @@
case oDN: opt.dn = pargs.r.ret_str; break;
case oFilter: opt.filter = pargs.r.ret_str; break;
case oAttr: opt.attr = pargs.r.ret_str; break;
+ case oLogWithPID:
+ {
+ unsigned int oldflags;
+ log_get_prefix (&oldflags);
+ log_set_prefix (NULL, oldflags | JNLIB_LOG_WITH_PID);
+ }
+ break;
default : pargs.err = 2; break;
}
@@ -479,9 +487,12 @@
{
log_error (_("searching `%s' failed: %s\n"),
url, ldap_err2string (rc));
- /* FIXME: Need deinit (ld)? */
- /* Hmmm: Do we need to released MSG in case of an error? */
- return -1;
+ if (rc != LDAP_NO_SUCH_OBJECT)
+ {
+ /* FIXME: Need deinit (ld)? */
+ /* Hmmm: Do we need to released MSG in case of an error? */
+ return -1;
+ }
}
rc = print_ldap_entries (ld, msg, opt.multi? NULL:attr);
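Review bot: When `rc` is `LDAP_NO_SUCH_OBJECT` the new `if` lets control fall through to `print_ldap_entries (ld, msg, ...)` even though the search just failed; unless `msg` is initialised to NULL before the search call (outside the hunk) and print_ldap_entries accepts a NULL message, that passes an indeterminate pointer. The `log_error` above the check also still reports the now-tolerated empty result as an error. Better to handle the case explicitly: log it at info level and skip the print call when no entry exists, rather than relying on the printer to cope with a missing result. The enclosing function begins before the hunk.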
Index: dirmngr/src/ldap.c
diff -u dirmngr/src/ldap.c:1.39 dirmngr/src/ldap.c:1.40
--- dirmngr/src/ldap.c:1.39 Wed Nov 24 18:19:25 2004
+++ dirmngr/src/ldap.c Wed Dec 1 17:11:14 2004
@@ -713,6 +713,7 @@
}
if (opt.verbose)
argv[argc++] = "-vv";
+ argv[argc++] = "--log-with-pid";
if (proxy)
{
argv[argc++] = "--proxy";
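Review bot: The unconditional `argv[argc++] = "--log-with-pid";` adds one more element to argv both here and in the second hunk below, but argv's declaration and size are outside both hunks; if it is a fixed-size array sized to the previous maximum argument count (including the trailing NULL), this write overruns it by one. Please confirm the declared length and, if it is fixed, raise it; where argv is a real array, an `assert (argc < sizeof argv / sizeof argv[0]);` before each run of writes would make the bound visible in the code. Both enclosing functions begin before their hunks.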
@@ -1058,6 +1059,7 @@
}
if (opt.verbose)
argv[argc++] = "-vv";
+ argv[argc++] = "--log-with-pid";
argv[argc++] = "--multi";
if (opt.ldap_proxy)
{
Index: dirmngr/src/validate.c
diff -u dirmngr/src/validate.c:1.5 dirmngr/src/validate.c:1.6
--- dirmngr/src/validate.c:1.5 Wed Nov 24 13:25:53 2004
+++ dirmngr/src/validate.c Wed Dec 1 17:11:14 2004
@@ -40,6 +40,7 @@
for it. */
struct chain_item_s
{
+ struct chain_item_s *next;
ksba_cert_t cert; /* The certificate. */
unsigned char fpr[20]; /* Fingerprint of the certificate. */
int is_self_signed; /* This certificate is self-signed. */
@@ -180,31 +181,46 @@
return 0;
}
-/* Helper for validate_cert_chain. IDX is the index to the last
- element in the chain and NOT the length of the chain. */
+/* Helper for validate_cert_chain. */
static gpg_error_t
-check_revocations (ctrl_t ctrl, chain_item_t *chain, int idx)
+check_revocations (ctrl_t ctrl, chain_item_t chain)
{
gpg_error_t err = 0;
int any_revoked = 0;
int any_no_crl = 0;
int any_crl_too_old = 0;
+ chain_item_t ci;
+ assert (ctrl->check_revocations_nest_level >= 0);
- assert (idx >=0);
- if (!idx && !chain[0]->cert)
- return 0; /* Target certificate is a trusted root certificate. */
-
- for (;idx >= 0 && !err; idx--)
+ assert (chain);
+ if (!chain->next)
+ {
+ /* We only have one certificate in the chain. This is the
+ traget and the Root CA certificate. We can't do a
+ revocation check for the root certificate because this will
+ in most cases lead to a catch-22. */
+ return 0; /* Target certificate is a trusted root certificate. */
+ }
+
+ if (ctrl->check_revocations_nest_level > 10)
+ {
+ log_error (_("CRL checking too deeply nested\n"));
+ return gpg_error(GPG_ERR_BAD_CERT_CHAIN);
+ }
+ ctrl->check_revocations_nest_level++;
+
+
+ for (ci=chain; ci; ci = ci->next)
{
- assert (chain[idx]->cert);
+ assert (ci->cert);
- err = crl_cache_cert_isvalid (ctrl, chain[idx]->cert, 0);
+ err = crl_cache_cert_isvalid (ctrl, chain->cert, 0);
if (gpg_err_code (err) == GPG_ERR_NO_CRL_KNOWN)
{
- err = crl_cache_reload_crl (ctrl, chain[idx]->cert);
+ err = crl_cache_reload_crl (ctrl, chain->cert);
if (!err)
- err = crl_cache_cert_isvalid (ctrl, chain[idx]->cert, 0);
+ err = crl_cache_cert_isvalid (ctrl, chain->cert, 0);
}
switch (gpg_err_code (err))
{
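Review bot: The loop now walks `ci` over the list but the three CRL calls still pass `chain->cert` — the head of the list, which the new comment in validate_cert_chain identifies as the root certificate — so the intermediate CA and target certificates are never checked and a revoked target would still validate. Change them to `err = crl_cache_cert_isvalid (ctrl, ci->cert, 0);`, `err = crl_cache_reload_crl (ctrl, ci->cert);` and `err = crl_cache_cert_isvalid (ctrl, ci->cert, 0);`. Note also that the loop starts at the root item, which the comment a few lines up says cannot be usefully checked, so `ci = chain->next` may be what was intended, and that the old `!err` loop condition is gone, so after the loop `err` holds only the last item's result unless the any_* flags set in the switch (cut off at the hunk's end) carry the earlier ones. The function's body continues past the hunk.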
@@ -215,6 +231,7 @@
default: break;
}
}
+ ctrl->check_revocations_nest_level--;
if (err)
@@ -248,14 +265,14 @@
ksba_isotime_t exptime;
int any_expired = 0;
int any_no_policy_match = 0;
- chain_item_t *chain;
+ chain_item_t chain;
if (r_exptime)
*r_exptime = 0;
*exptime = 0;
- if (opt.system_daemon)
+ if (!opt.system_daemon)
return 0; /* For backward compatibility we only do this in daemon
mode. */
@@ -264,16 +281,23 @@
if (DBG_X509)
dump_cert ("subject", cert);
-
- /* We walk up the the path until we find a trust anchor. */
+
subject_cert = cert;
maxdepth = 50;
-
- chain = xtrycalloc (maxdepth+1, sizeof *chain);
- if (!chain)
- return gpg_error_from_errno (errno);
+ chain = NULL;
depth = 0;
+ /* May the target certificate be used for OCSP response signing? */
+ if (mode == VALIDATE_MODE_OCSP)
+ {
+ err = cert_use_ocsp_p (cert);
+ }
+ /* May the certificate be used for CR signing. */
+ /* FIXME. */
+ if (err)
+ goto leave;
+
+ /* We walk up the the path until we find a trust anchor. */
for (;;)
{
/* Get the subject and issuer name from the current
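Review bot: `if (err) goto leave;` after the FIXME reads `err` whether or not the OCSP branch assigned it; unless `err` is zero-initialised at its declaration (outside the hunk), a non-OCSP call tests an indeterminate value. Either initialise it at the declaration or put `err = 0;` before the `if (mode == VALIDATE_MODE_OCSP)` test. Separately, `maxdepth = 50` is kept although the array it used to size is gone; whether the walk still compares depth against maxdepth is outside the hunk, so confirm the chain length remains bounded. validate_cert_chain continues past the hunk.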
@@ -390,6 +414,22 @@
if (err)
goto leave;
+ /* Prepend the certificate to our list. */
+ {
+ chain_item_t ci;
+
+ ci = xtrycalloc (1, sizeof *ci);
+ if (!ci)
+ {
+ err = gpg_error_from_errno (errno);
+ goto leave;
+ }
+ ksba_cert_ref (subject_cert);
+ ci->cert = subject_cert;
+ cert_compute_fpr (subject_cert, ci->fpr);
+ ci->next = chain;
+ chain = ci;
+ }
break; /* Okay: a self-signed certicate is an end-point. */
}
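Review bot: The fifteen-line prepend block is duplicated verbatim in this hunk and in the hunk at old line 497 below; two copies of an allocate/ref/fingerprint/link sequence invite drift (e.g. one copy later gaining a check on cert_compute_fpr and the other not). A small static helper that owns the allocation and the ksba_cert_ref makes both sites a three-line call and documents the ownership in one place; the sketch below shows the helper and the call. The enclosing validate_cert_chain begins and ends outside the hunk.
```c
/* Allocate a chain item for CERT and push it onto *CHAIN.  Takes a
   new reference on CERT; the list owns it until the leave cleanup. */
static gpg_error_t
chain_prepend (chain_item_t *chain, ksba_cert_t cert)
{
  chain_item_t ci = xtrycalloc (1, sizeof *ci);
  if (!ci)
    return gpg_error_from_errno (errno);
  ksba_cert_ref (cert);
  ci->cert = cert;
  cert_compute_fpr (cert, ci->fpr);
  ci->next = *chain;
  *chain = ci;
  return 0;
}

/* … unchanged: validate_cert_chain up to each prepend site … */
      err = chain_prepend (&chain, subject_cert);
      if (err)
        goto leave;
```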
@@ -497,11 +537,22 @@
if (err)
goto leave; /* No. */
- /* Append the certificate to our list. */
- assert (depth <= maxdepth);
- ksba_cert_ref (subject_cert);
- chain[depth]->cert = subject_cert;
- cert_compute_fpr (subject_cert, chain[depth]->fpr);
+ /* Prepend the certificate to our list. */
+ {
+ chain_item_t ci;
+
+ ci = xtrycalloc (1, sizeof *ci);
+ if (!ci)
+ {
+ err = gpg_error_from_errno (errno);
+ goto leave;
+ }
+ ksba_cert_ref (subject_cert);
+ ci->cert = subject_cert;
+ cert_compute_fpr (subject_cert, ci->fpr);
+ ci->next = chain;
+ chain = ci;
+ }
if (opt.verbose)
log_info ("certificate is good\n");
@@ -520,34 +571,13 @@
err = gpg_error (GPG_ERR_NO_POLICY_MATCH);
}
-
- /* May the certificate be used for OCSP response signing. */
- if (mode == VALIDATE_MODE_OCSP && chain[0]->cert)
- {
- err = cert_use_ocsp_p (chain[0]->cert);
- }
-
- /* May the certificate be used for CR signing. */
-
- /* FIXME. */
-
-
if (!err)
{ /* Now that everything is fine, walk the chain and check each
certificate for revocations.
- chain[0] - The target certificate.
- chain[1] - The CA which signed chain[0]
- ...
- chain[depth] - The CA which signed chain[depth-1].
-
- Note that we do not include the root certificate in this list
- because we axiomatically know that it is trusted and there is
- no point to do futher investigations. DEPTH might be zero in
- case the target certificate is directly signed by the root
- certificate or there might even be no list at all (DEPTH is 0
- and chain[0]->cert is NULL) if the target certificate is the
- root certificate.
+ 1. item in the chain - The root certificate.
+ 2. item - the CA below the root
+ last item - the target certificate.
Now for each certificate in the chain check whether it has
been included in a CRL and thus be revoked. We don't do OCSP
@@ -556,8 +586,7 @@
our validity results to avoid double work. Far worse a
catch-22 may happen for an improper setup hierachy and we
need a way to break up this deadlock. */
-
- err = check_revocations (ctrl, chain, depth);
+ err = check_revocations (ctrl, chain);
}
@@ -568,10 +597,14 @@
ksba_cert_release (issuer_cert);
if (subject_cert != cert)
ksba_cert_release (subject_cert);
- for (; depth; depth--)
- if (chain[depth]->cert)
- ksba_cert_release (chain[depth]->cert);
- xfree (chain);
+ while (chain)
+ {
+ chain_item_t ci_next = chain->next;
+ if (chain->cert)
+ ksba_cert_release (chain->cert);
+ xfree (chain);
+ chain = ci_next;
+ }
return err;
}