gnupg/keyserver (ChangeLog gpgkeys_curl.c gpgkeys_ldap.c)
cvs user dshaw
cvs at cvs.gnupg.org
Sat Jan 22 04:19:16 CET 2005
Date: Saturday, January 22, 2005 @ 04:27:19
Author: dshaw
Path: /cvs/gnupg/gnupg/keyserver
Modified: ChangeLog gpgkeys_curl.c gpgkeys_ldap.c
* gpgkeys_ldap.c (main): Add "check-cert" option to disable SSL
certificate checking (which is on by default).
* gpgkeys_curl.c (main): Add "debug" option to match the LDAP helper.
Add "check-cert" option to disable SSL certificate checking (which is
on by default).
----------------+
ChangeLog | 9 +++++++++
gpgkeys_curl.c | 32 +++++++++++++++++++++++++-------
gpgkeys_ldap.c | 42 +++++++++++++++++++++++++++++++++++-------
3 files changed, 69 insertions(+), 14 deletions(-)
Index: gnupg/keyserver/ChangeLog
diff -u gnupg/keyserver/ChangeLog:1.106 gnupg/keyserver/ChangeLog:1.107
--- gnupg/keyserver/ChangeLog:1.106 Tue Jan 18 15:43:14 2005
+++ gnupg/keyserver/ChangeLog Sat Jan 22 04:27:19 2005
@@ -1,3 +1,12 @@
+2005-01-21 David Shaw <dshaw at grover.jabberwocky.com>
+
+ * gpgkeys_ldap.c (main): Add "check-cert" option to disable SSL
+ certificate checking (which is on by default).
+
+ * gpgkeys_curl.c (main): Add "debug" option to match the LDAP
+ helper. Add "check-cert" option to disable SSL certificate
+ checking (which is on by default).
+
2005-01-18 David Shaw <dshaw at grover.jabberwocky.com>
* gpgkeys_curl.c: Fix typo.
Index: gnupg/keyserver/gpgkeys_curl.c
diff -u gnupg/keyserver/gpgkeys_curl.c:1.9 gnupg/keyserver/gpgkeys_curl.c:1.10
--- gnupg/keyserver/gpgkeys_curl.c:1.9 Tue Jan 18 15:43:14 2005
+++ gnupg/keyserver/gpgkeys_curl.c Sat Jan 22 04:27:19 2005
@@ -82,12 +82,6 @@
curl_easy_setopt(curl,CURLOPT_FILE,output);
curl_easy_setopt(curl,CURLOPT_ERRORBUFFER,errorbuffer);
- if(verbose>1)
- {
- curl_easy_setopt(curl,CURLOPT_STDERR,console);
- curl_easy_setopt(curl,CURLOPT_VERBOSE,1);
- }
-
res=curl_easy_perform(curl);
if(res!=0)
{
@@ -116,7 +110,7 @@
char line[MAX_LINE];
char *thekey=NULL;
unsigned int timeout=DEFAULT_KEYSERVER_TIMEOUT;
- long follow_redirects=5;
+ long follow_redirects=5,debug=0,check_cert=1;
console=stderr;
@@ -287,6 +281,22 @@
else if(start[16]=='\0')
follow_redirects=-1;
}
+ else if(strncasecmp(start,"debug",5)==0)
+ {
+ if(no)
+ debug=0;
+ else if(start[5]=='=')
+ debug=atoi(&start[6]);
+ else if(start[5]=='\0')
+ debug=1;
+ }
+ else if(strcasecmp(start,"check-cert")==0)
+ {
+ if(no)
+ check_cert=0;
+ else
+ check_cert=1;
+ }
continue;
}
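Review bot: `check-cert` is matched with strcasecmp, so a value form such as `check-cert=0` matches no branch and, as far as the hunk shows, is dropped by the `continue` at the end of the chain without any diagnostic, whereas the neighbouring `debug` and `follow-redirects` branches do accept an `=value` suffix. Either match it with `strncasecmp(start,"check-cert",10)==0` and treat `start[10]=='='` like the other options, or document that only the bare and `no-` forms are recognised; the identical branch added to gpgkeys_ldap.c in this commit has the same gap. `debug=atoi(&start[6])` yields 0 for non-numeric input with no error, so `strtol` with an end-pointer check would be preferable if the LDAP helper's matching branch is changed at the same time. The option-parsing loop begins before this hunk.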
@@ -337,6 +347,14 @@
curl_easy_setopt(curl,CURLOPT_MAXREDIRS,follow_redirects);
}
+ if(debug)
+ {
+ curl_easy_setopt(curl,CURLOPT_STDERR,console);
+ curl_easy_setopt(curl,CURLOPT_VERBOSE,1);
+ }
+
+ curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,check_cert);
+
if(proxy[0])
curl_easy_setopt(curl,CURLOPT_PROXY,proxy);
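Review bot: `curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,check_cert)` only controls verification of the certificate chain; whether the certificate's name matches the host is governed by the separate `CURLOPT_SSL_VERIFYHOST` option, which this hunk leaves at libcurl's default. With `no-check-cert` the name check may therefore still reject the connection, and with the default on, how strictly the name is checked depends on the libcurl build rather than on this code. Setting both explicitly ties the option's meaning to this code rather than to the library default: `curl_easy_setopt(curl,CURLOPT_SSL_VERIFYHOST,check_cert?2:0);` directly after the VERIFYPEER line. main continues outside the hunk.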
Index: gnupg/keyserver/gpgkeys_ldap.c
diff -u gnupg/keyserver/gpgkeys_ldap.c:1.47 gnupg/keyserver/gpgkeys_ldap.c:1.48
--- gnupg/keyserver/gpgkeys_ldap.c:1.47 Fri Jan 14 00:37:26 2005
+++ gnupg/keyserver/gpgkeys_ldap.c Sat Jan 22 04:27:19 2005
@@ -1534,7 +1534,7 @@
{
int debug=0,port=0,arg,err,action=-1,ret=KEYSERVER_INTERNAL_ERROR;
char line[MAX_LINE];
- int version,failed=0,use_ssl=0,use_tls=0,bound=0;
+ int version,failed=0,use_ssl=0,use_tls=0,bound=0,check_cert=1;
struct keylist *keylist=NULL,*keyptr=NULL;
unsigned int timeout=DEFAULT_KEYSERVER_TIMEOUT;
@@ -1719,6 +1719,13 @@
else if(start[3]=='\0')
use_tls=1;
}
+ else if(strcasecmp(start,"check-cert")==0)
+ {
+ if(no)
+ check_cert=0;
+ else
+ check_cert=1;
+ }
else if(strncasecmp(start,"debug",5)==0)
{
if(no)
@@ -1868,8 +1875,9 @@
if(use_ssl)
{
-#if defined(LDAP_OPT_X_TLS_HARD) && defined(HAVE_LDAP_SET_OPTION)
+#if defined(LDAP_OPT_X_TLS) && defined(HAVE_LDAP_SET_OPTION)
int ssl=LDAP_OPT_X_TLS_HARD;
+
err=ldap_set_option(ldap,LDAP_OPT_X_TLS,&ssl);
if(err!=LDAP_SUCCESS)
{
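Review bot: The `#if` now tests only `LDAP_OPT_X_TLS`, but the block uses `LDAP_OPT_X_TLS_HARD`, and its continuation in the next hunk uses `LDAP_OPT_X_TLS_NEVER` and `LDAP_OPT_X_TLS_REQUIRE_CERT`; a libldap that defines the first macro but not the others would fail to compile instead of reaching the `#else` "not built with LDAPS support" path. Guarding on the macros the block actually consumes, e.g. `#if defined(LDAP_OPT_X_TLS) && defined(LDAP_OPT_X_TLS_REQUIRE_CERT) && defined(HAVE_LDAP_SET_OPTION)`, keeps the fallback honest. The `if(use_ssl)` block continues past this hunk.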
@@ -1878,6 +1886,19 @@
fail_all(keylist,action,ldap_err_to_gpg_err(err));
goto fail;
}
+
+ if(!check_cert)
+ ssl=LDAP_OPT_X_TLS_NEVER;
+
+ err=ldap_set_option(NULL,LDAP_OPT_X_TLS_REQUIRE_CERT,&ssl);
+ if(err!=LDAP_SUCCESS)
+ {
+ fprintf(console,
+ "gpgkeys: unable to set certificate validation: %s\n",
+ ldap_err2string(err));
+ fail_all(keylist,action,ldap_err_to_gpg_err(err));
+ goto fail;
+ }
#else
fprintf(console,"gpgkeys: unable to make SSL connection: %s\n",
"not built with LDAPS support");
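Review bot: `ldap_set_option(NULL,LDAP_OPT_X_TLS_REQUIRE_CERT,&ssl)` sets the option on the library-wide default rather than on `ldap`, while the start-TLS path later in this commit sets the same option on the handle; if the NULL handle is deliberate because the ldaps:// session is set up before per-handle TLS options are consulted, that deserves a comment such as `/* set globally: per-handle TLS options are not applied to an ldaps:// connection */` (worded to whatever was actually verified), since a reader will otherwise take it for a typo. Reusing `ssl` also means the "check" value is whatever was passed to `LDAP_OPT_X_TLS` rather than an explicit choice; a dedicated `int require_cert=check_cert?LDAP_OPT_X_TLS_HARD:LDAP_OPT_X_TLS_NEVER;` mirrors the start-TLS branch and reads as intended. The enclosing `if(use_ssl)` block starts before this hunk.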
@@ -1915,15 +1936,22 @@
#if defined(HAVE_LDAP_START_TLS_S) && defined(HAVE_LDAP_SET_OPTION)
int ver=LDAP_VERSION3;
- err=LDAP_SUCCESS;
-
err=ldap_set_option(ldap,LDAP_OPT_PROTOCOL_VERSION,&ver);
if(err==LDAP_SUCCESS)
- err=ldap_start_tls_s(ldap,NULL,NULL);
+ {
+ if(check_cert)
+ ver=LDAP_OPT_X_TLS_HARD;
+ else
+ ver=LDAP_OPT_X_TLS_NEVER;
+
+ err=ldap_set_option(ldap,LDAP_OPT_X_TLS_REQUIRE_CERT,&ver);
+ if(err==LDAP_SUCCESS)
+ err=ldap_start_tls_s(ldap,NULL,NULL);
+ }
if(err!=LDAP_SUCCESS)
{
- if(use_tls==2 || verbose>2)
+ if(use_tls>=2 || verbose>2)
fprintf(console,"gpgkeys: unable to start TLS: %s\n",
ldap_err2string(err));
/* Are we forcing it? */
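Review bot: `ver` is reused to carry the `LDAP_OPT_X_TLS_REQUIRE_CERT` value after serving as the protocol version, so `ver=LDAP_OPT_X_TLS_HARD` reads as though a protocol version were being set; declaring `int require_cert=check_cert?LDAP_OPT_X_TLS_HARD:LDAP_OPT_X_TLS_NEVER;` beside `int ver=LDAP_VERSION3;` and passing `&require_cert` avoids that. A failure of the REQUIRE_CERT set_option is now reported under the same "unable to start TLS" message as a failed `ldap_start_tls_s`, which hides which step failed; and because the result flows into the existing forcing logic below, a `use_tls` value below 2 appears to let the session continue without TLS when only the certificate policy could not be applied, which is worth stating in a comment if it is intended. The enclosing block starts before this hunk and ends after it.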
@@ -1952,7 +1980,7 @@
/* The LDAP keyserver doesn't require this, but it might be useful
if someone stores keys on a V2 LDAP server somewhere. (V3
doesn't require a bind). Leave this out for now since it is not
- clear if anyone server we're likely to use really cares, plus
+ clear if anyone's server we're likely to use really cares, plus
there are some servers that don't allow it. */
err=ldap_simple_bind_s(ldap,NULL,NULL);