[git] GnuPG - branch, master, updated. gnupg-2.1.0beta3-425-g9e1c99f

by Werner Koch cvs at cvs.gnupg.org
Mon May 19 09:47:06 CEST 2014



The branch, master has been updated
       via  9e1c99f8009f056c39a7465b91912c136b248e8f (commit)
       via  45f15b2d767d4068f79fd5b123e9eeae08a0616d (commit)
      from  d2d9d4fb60e3f2160af6252335364d3aac4b7d17 (commit)


- Log -----------------------------------------------------------------
commit 9e1c99f8009f056c39a7465b91912c136b248e8f
Author: Werner Koch <wk at gnupg.org>
Date:   Mon May 19 09:48:42 2014 +0200

    dirmngr: Print certificates on failed TLS verification.
    
    * dirmngr/ks-engine-hkp.c (cert_log_cb): New.
    (send_request): Set callback.
    --
    
    We use the KSBA functions here because we have them anyway in Dirmngr.

diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index 3c25953..0f0baab 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -873,6 +873,40 @@ ks_hkp_housekeeping (time_t curtime)
 }
 
 
+/* Callback to print infos about the TLS certificates.  */
+static void
+cert_log_cb (http_session_t sess, gpg_error_t err,
+             const char *hostname, const void **certs, size_t *certlens)
+{
+  ksba_cert_t cert;
+  size_t n;
+
+  (void)sess;
+
+  if (!err)
+    return; /* No error - no need to log anything  */
+
+  log_debug ("expected hostname: %s\n", hostname);
+  for (n=0; certs[n]; n++)
+    {
+      err = ksba_cert_new (&cert);
+      if (!err)
+        err = ksba_cert_init_from_mem (cert, certs[n], certlens[n]);
+      if (err)
+        log_error ("error parsing cert for logging: %s\n", gpg_strerror (err));
+      else
+        {
+          char textbuf[20];
+          snprintf (textbuf, sizeof textbuf, "server[%u]", (unsigned int)n);
+          dump_cert (textbuf, cert);
+        }
+
+      ksba_cert_release (cert);
+    }
+}
+
+
+
 /* Send an HTTP request.  On success returns an estream object at
    R_FP.  HOSTPORTSTR is only used for diagnostics.  If HTTPHOST is
    not NULL it will be used as HTTP "Host" header.  If POST_CB is not
@@ -896,6 +930,7 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
   err = http_session_new (&session, NULL);
   if (err)
     goto leave;
+  http_session_set_log_cb (session, cert_log_cb);
 
  once_more:
   err = http_open (&http,

commit 45f15b2d767d4068f79fd5b123e9eeae08a0616d
Author: Werner Koch <wk at gnupg.org>
Date:   Mon May 19 09:47:18 2014 +0200

    http: Add callback to help logging of server certificates.
    
    * common/http.c (http_session_s): Add field cert_log_cb.
    (http_session_set_log_cb): New.
    (http_verify_server_credentials): Call callback.

diff --git a/common/http.c b/common/http.c
index 8a1ad67..4fc89d7 100644
--- a/common/http.c
+++ b/common/http.c
@@ -234,10 +234,12 @@ struct http_session_s
   } verify;
   char *servername; /* Malloced server name.  */
 #endif /*HTTP_USE_GNUTLS*/
+  /* A callback function to log details of TLS certifciates.  */
+  void (*cert_log_cb) (http_session_t, gpg_error_t, const char *,
+                       const void **, size_t *);
 };
 
 
-
 /* An object to save header lines. */
 struct header_s
 {
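Review bot: The comment on the new `cert_log_cb` member misspells "certificates" (`certifciates`) and does not say what the arguments are, which matters because the field is the only place a caller of the header can look. Suggest `/* Optional callback to log details of the TLS certificates presented by the server; invoked from http_verify_server_credentials with the verification result, the expected hostname and a NULL-terminated array of DER certificates with parallel lengths.  */`. The enclosing `struct http_session_s` starts outside this hunk.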
@@ -644,6 +646,18 @@ http_session_ref (http_session_t sess)
 }
 
 
+void
+http_session_set_log_cb (http_session_t sess,
+                         void (*cb)(http_session_t, gpg_error_t,
+                                    const char *hostname,
+                                    const void **certs, size_t *certlens))
+{
+  sess->cert_log_cb = cb;
+}
+
+
+
+

 /* Start a HTTP retrieval and on success store at R_HD a context
    pointer for completing the request and to wait for the response.
    If HTTPHOST is not NULL it is used hor the Host header instead of a
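Review bot: `http_session_set_log_cb` is a new public function (also declared in http.h in this same commit) but carries no comment describing the callback contract the caller must implement. A header comment above the definition should state what http.c's call site guarantees: the callback is invoked after server credential verification with the resulting `gpg_error_t` (0 on success), the expected hostname, and a NULL-terminated `certs` array with `certlens` holding the matching lengths, and that it is only invoked in builds where TLS verification is compiled in. Whether `sess` may be NULL here is not visible in this hunk; if the other `http_session_*` functions dereference unconditionally, the unchecked `sess->cert_log_cb = cb;` is consistent with them.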
@@ -2497,24 +2511,6 @@ http_verify_server_credentials (http_session_t sess)
         return err;
     }
 
-  /* log_debug ("Server sent %u certs\n", certlistlen); */
-  /* { */
-  /*   int i; */
-  /*   char fname[50]; */
-  /*   FILE *fp; */
-
-  /*   for (i=0; i < certlistlen; i++) */
-  /*     { */
-  /*       snprintf (fname, sizeof fname, "xc_%d.der", i); */
-  /*       fp = fopen (fname, "wb"); */
-  /*       if (!fp) */
-  /*         log_fatal ("Failed to create '%s'\n", fname); */
-  /*       if (fwrite (certlist[i].data, certlist[i].size, 1, fp) != 1) */
-  /*         log_fatal ("Error writing to '%s'\n", fname); */
-  /*       fclose (fp); */
-  /*     } */
-  /* } */
-
   rc = gnutls_x509_crt_init (&cert);
   if (rc < 0)
     {
@@ -2536,14 +2532,31 @@ http_verify_server_credentials (http_session_t sess)
   if (!gnutls_x509_crt_check_hostname (cert, hostname))
     {
       log_error ("%s: %s\n", errprefix, "hostname does not match");
-      log_info ("(expected '%s')\n", hostname);
       if (!err)
         err = gpg_error (GPG_ERR_GENERAL);
     }
 
   gnutls_x509_crt_deinit (cert);
+
   if (!err)
     sess->verify.rc = 0;
+
+  if (sess->cert_log_cb)
+    {
+      const void *bufarr[10];
+      size_t buflenarr[10];
+      size_t n;
+
+      for (n = 0; n < certlistlen && n < DIM (bufarr)-1; n++)
+        {
+          bufarr[n] = certlist[n].data;
+          buflenarr[n] = certlist[n].size;
+        }
+      bufarr[n] = NULL;
+      buflenarr[n] = 0;
+      sess->cert_log_cb (sess, err, hostname, bufarr, buflenarr);
+    }
+
   return err;
 #else /*!HTTP_USE_GNUTLS*/
   (void)sess;
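Review bot: The new callback block silently drops every certificate beyond `DIM (bufarr)-1` (nine entries) because the loop stops at the array size and the callback has no way to learn that the chain was truncated. A short diagnostic after the loop would make the log honest about what it shows: `if (n < certlistlen) log_info ("only %u of %u server certificates are logged\n", (unsigned int)n, (unsigned int)certlistlen);`. Note too that the removed `log_info ("(expected '%s')\n", hostname);` means the expected hostname now reaches the log only when a `cert_log_cb` is registered, which appears intentional given the dirmngr change but is worth confirming for other http.c users. `http_verify_server_credentials` starts and ends outside this hunk, so where `certlist`, `certlistlen` and `hostname` come from cannot be checked here.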
diff --git a/common/http.h b/common/http.h
index acfdc0f..416e220 100644
--- a/common/http.h
+++ b/common/http.h
@@ -98,6 +98,11 @@ gpg_error_t http_session_new (http_session_t *r_session,
 http_session_t http_session_ref (http_session_t sess);
 void http_session_release (http_session_t sess);
 
+void http_session_set_log_cb (http_session_t sess,
+                              void (*cb)(http_session_t, gpg_error_t,
+                                         const char *,
+                                         const void **, size_t *));
+
 
 gpg_error_t http_parse_uri (parsed_uri_t *ret_uri, const char *uri,
                             int no_scheme_check);

-----------------------------------------------------------------------

Summary of changes:
 common/http.c           |   53 +++++++++++++++++++++++++++++------------------
 common/http.h           |    5 +++++
 dirmngr/ks-engine-hkp.c |   35 +++++++++++++++++++++++++++++++
 3 files changed, 73 insertions(+), 20 deletions(-)

