[svn] GnuPG - r5093 - in trunk: common doc g10 sm
Author: wk
Date: 2009-07-23 17:18:58 +0200 (Thu, 23 Jul 2009)
New Revision: 5093
Modified:
trunk/common/ChangeLog
trunk/common/audit.c
trunk/common/audit.h
trunk/common/util.h
trunk/doc/ChangeLog
trunk/doc/DETAILS
trunk/doc/help.txt
trunk/g10/keygen.c
trunk/sm/ChangeLog
trunk/sm/certchain.c
Log:
Print status of CRL checks in the audit log.
Modified: trunk/common/ChangeLog
===================================================================
--- trunk/common/ChangeLog 2009-07-23 08:00:39 UTC (rev 5092)
+++ trunk/common/ChangeLog 2009-07-23 15:18:58 UTC (rev 5093)
@@ -1,3 +1,9 @@
+2009-07-23 Werner Koch <wk at g10code.com>
+
+ * util.h (GPG_ERR_NOT_ENABLED): New.
+ * audit.h (enum): Add AUDIT_CRL_CHECK.
+ * audit.c (proc_type_verify): Show CRL check result.
+
2009-07-06 Werner Koch <wk at g10code.com>
* get-passphrase.c (struct agentargs): Add SESSION_ENV and remove
Modified: trunk/doc/ChangeLog
===================================================================
--- trunk/doc/ChangeLog 2009-07-23 08:00:39 UTC (rev 5092)
+++ trunk/doc/ChangeLog 2009-07-23 15:18:58 UTC (rev 5093)
@@ -1,3 +1,7 @@
+2009-07-23 Werner Koch <wk at g10code.com>
+
+ * help.txt (gpgsm.crl-problem): New.
+
2009-07-22 Werner Koch <wk at g10code.com>
* scdaemon.texi, instguide.texi, gpgsm.texi, sysnotes.texi
Modified: trunk/sm/ChangeLog
===================================================================
--- trunk/sm/ChangeLog 2009-07-23 08:00:39 UTC (rev 5092)
+++ trunk/sm/ChangeLog 2009-07-23 15:18:58 UTC (rev 5093)
@@ -1,3 +1,7 @@
+2009-07-23 Werner Koch <wk at g10code.com>
+
+ * certchain.c (is_cert_still_valid): Emit AUDIT_CRL_CHECK.
+
2009-07-07 Werner Koch <wk at g10code.com>
* server.c (command_has_option): New.
Modified: trunk/common/audit.c
===================================================================
--- trunk/common/audit.c 2009-07-23 08:00:39 UTC (rev 5092)
+++ trunk/common/audit.c 2009-07-23 15:18:58 UTC (rev 5093)
@@ -251,8 +251,8 @@
}
/* Add a new event to the audit log. If CTX is NULL, this function
- does nothing. This version also adds the result of the oepration
- to the log.. */
+ does nothing. This version also adds the result of the operation
+ to the log. */
void
audit_log_ok (audit_ctx_t ctx, audit_event_t event, gpg_error_t err)
{
@@ -479,6 +479,8 @@
oktext = _("|audit-log-result|Not supported");
else if (!strcmp (oktext, "no-cert"))
oktext = _("|audit-log-result|No certificate");
+ else if (!strcmp (oktext, "disabled"))
+ oktext = _("|audit-log-result|Not enabled");
else if (!strcmp (oktext, "error"))
oktext = _("|audit-log-result|Error");
else
@@ -923,10 +925,32 @@
}
/* Show result of the CRL/OCSP check. */
- writeout_li (ctx, "-", "%s", _("CRL/OCSP check of certificates"));
- /* add_helptag (ctx, "gpgsm.ocsp-problem"); */
+ item = find_next_log_item (ctx, loopitem,
+ AUDIT_CRL_CHECK, AUDIT_NEW_SIG);
+ if (item)
+ {
+ const char *ok;
+ switch (gpg_err_code (item->err))
+ {
+ case 0: ok = "good"; break;
+ case GPG_ERR_CERT_REVOKED: ok = "bad"; break;
+ case GPG_ERR_NOT_ENABLED: ok = "disabled"; break;
+ case GPG_ERR_NO_CRL_KNOWN:
+ ok = _("no CRL found for certificate");
+ break;
+ case GPG_ERR_CRL_TOO_OLD:
+ ok = _("the available CRL is too old");
+ break;
+ default: ok = gpg_strerror (item->err); break;
+ }
+
+ writeout_li (ctx, ok, "%s", _("CRL/OCSP check of certificates"));
+ if (item->err
+ && gpg_err_code (item->err) != GPG_ERR_CERT_REVOKED
+ && gpg_err_code (item->err) != GPG_ERR_NOT_ENABLED)
+ add_helptag (ctx, "gpgsm.crl-problem");
+ }
-
leave_li (ctx);
}
while ((loopitem = find_next_log_item (ctx, loopitem, AUDIT_NEW_SIG, 0)));
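Review bot: When no AUDIT_CRL_CHECK event was recorded for this signature, the new code writes nothing at all, whereas the removed line always printed the "CRL/OCSP check of certificates" entry; an audit reader then cannot tell "check not reached" from "line missing", which matters because the absence of a revocation check is exactly what an auditor needs to see. Add an `else` to the `if (item)` at the top of the added code: `else` / `writeout_li (ctx, "-", "%s", _("CRL/OCSP check of certificates"));` so the entry is still emitted with an undetermined marker. Also, find_next_log_item returns only the first AUDIT_CRL_CHECK before the next AUDIT_NEW_SIG; if chain validation logs one event per certificate in the chain (inferred from the certchain.c hunk, not visible here), a revoked intermediate would be hidden behind a "good" leaf result, so consider looping over all matching items or reporting the first non-zero one. The enclosing function proc_type_verify starts and ends outside this hunk.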
Modified: trunk/common/audit.h
===================================================================
--- trunk/common/audit.h 2009-07-23 08:00:39 UTC (rev 5092)
+++ trunk/common/audit.h 2009-07-23 15:18:58 UTC (rev 5093)
@@ -139,6 +139,9 @@
/* Tells whether the root certificate is trusted. This event is
emmited durcing chain validation. */
+ AUDIT_CRL_CHECK, /* err */
+ /* Tells the status of a CRL or OCSP check. */
+
AUDIT_GOT_RECIPIENTS, /* int */
/* Records the number of recipients to be used for encryption.
This includes the recipients set by --encrypt-to but records 0
Modified: trunk/common/util.h
===================================================================
--- trunk/common/util.h 2009-07-23 08:00:39 UTC (rev 5092)
+++ trunk/common/util.h 2009-07-23 15:18:58 UTC (rev 5093)
@@ -25,6 +25,11 @@
#include <errno.h> /* We need errno. */
#include <gpg-error.h> /* We need gpg_error_t. */
+/* Add error codes available only in newer versions of libgpg-error. */
+#ifndef GPG_ERR_NOT_ENABLED
+#define GPG_ERR_NOT_ENABLED 179
+#endif
+
/* Hash function used with libksba. */
#define HASH_FNC ((void (*)(void *, const void*,size_t))gcry_md_write)
Modified: trunk/doc/DETAILS
===================================================================
--- trunk/doc/DETAILS 2009-07-23 08:00:39 UTC (rev 5092)
+++ trunk/doc/DETAILS 2009-07-23 15:18:58 UTC (rev 5093)
@@ -628,13 +628,13 @@
This is used to control smartcard operations.
Defined values for WHAT are:
1 = Request insertion of a card. Serialnumber may be given
- to request a specific card.
- 2 = Request removal of a card.
+ to request a specific card. Used by gpg 1.4 w/o scdaemon.
+ 2 = Request removal of a card. Used by gpg 1.4 w/o scdaemon.
3 = Card with serialnumber detected
4 = No card available.
5 = No card reader available
+ 6 = No card support available
-
PLAINTEXT <format> <timestamp> <filename>
This indicates the format of the plaintext that is about to be
written. The format is a 1 byte hex code that shows the
Modified: trunk/doc/help.txt
===================================================================
--- trunk/doc/help.txt 2009-07-23 08:00:39 UTC (rev 5092)
+++ trunk/doc/help.txt 2009-07-23 15:18:58 UTC (rev 5093)
@@ -357,9 +357,15 @@
your system administrator whether you should trust this certificate.
+.gpgsm.crl-problem
+# This tex is displayed by the audit log for problems with
+# the CRL or OCSP checking.
+Depending on your configuration a problem retrieving the CRL or
+performing an OCSP check occurred. There are a great variety of
+reasons why this did not work. Check the manual for possible
+solutions.
-
# Local variables:
# mode: default-generic
# coding: utf-8
Modified: trunk/g10/keygen.c
===================================================================
--- trunk/g10/keygen.c 2009-07-23 08:00:39 UTC (rev 5092)
+++ trunk/g10/keygen.c 2009-07-23 15:18:58 UTC (rev 5093)
@@ -1759,7 +1759,7 @@
}
-/* Ask for the key size. ALGO is the algorithjm. If PRIMARY_KEYSIZE
+/* Ask for the key size. ALGO is the algorithm. If PRIMARY_KEYSIZE
is not 0, the function asks for the size of the encryption
subkey. */
static unsigned
Modified: trunk/sm/certchain.c
===================================================================
--- trunk/sm/certchain.c 2009-07-23 08:00:39 UTC (rev 5092)
+++ trunk/sm/certchain.c 2009-07-23 15:18:58 UTC (rev 5093)
@@ -889,11 +889,17 @@
gpg_error_t err;
if (opt.no_crl_check && !ctrl->use_ocsp)
- return 0;
+ {
+ audit_log_ok (ctrl->audit, AUDIT_CRL_CHECK,
+ gpg_error (GPG_ERR_NOT_ENABLED));
+ return 0;
+ }
err = gpgsm_dirmngr_isvalid (ctrl,
subject_cert, issuer_cert,
force_ocsp? 2 : !!ctrl->use_ocsp);
+ audit_log_ok (ctrl->audit, AUDIT_CRL_CHECK, err);
+
if (err)
{
if (!lm)
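Review bot: The early-return branch records GPG_ERR_NOT_ENABLED and then returns 0, i.e. the certificate is accepted as not revoked without any check having been made; that is pre-existing behavior, but since the audit entry is now the only trace of it, the branch deserves a comment stating that, e.g. `/* Revocation checking is disabled: record this in the audit log, because we return success without having consulted a CRL or OCSP responder. */`. The second audit_log_ok call logs the raw dirmngr error before the error handling that follows, which is the right choice for an audit trail as long as nothing below maps a failure to success; if it does (the rest of is_cert_still_valid is outside this hunk), the log and the actual verdict would diverge and the entry should be written after that mapping instead.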