[git] GnuPG - branch, master, updated. gnupg-2.1.11-157-g87de9e1

by Werner Koch cvs at cvs.gnupg.org
Wed Apr 27 08:36:05 CEST 2016



The branch, master has been updated
       via  87de9e19edf0311ca0342e15ef44ebe40e32861e (commit)
       via  c83c6f212e9bc98a9ea8dd8102bc16edd1a03050 (commit)
       via  c3aeda82b8d00b87a5af72b4075c487c10dfdf6b (commit)
       via  fd765df6a7883c3d841abeb657330a1aab4b7756 (commit)
       via  07dbd061bd6c1f131f1d609b412675a128c5fe99 (commit)
      from  b7fa4960c292ef1a290d32b7f46bb741bbfc0923 (commit)


- Log -----------------------------------------------------------------
commit 87de9e19edf0311ca0342e15ef44ebe40e32861e
Author: Werner Koch <wk at gnupg.org>
Date:   Wed Apr 27 08:34:29 2016 +0200

    gpg: Add experimental AKL method "wkd" and option --with-wkd-hash.
    
    * g10/getkey.c (parse_auto_key_locate): Add method "wkd".
    (get_pubkey_byname): Implement that method.  Also rename a variable.
    * g10/call-dirmngr.c (gpg_dirmngr_wkd_get): New.
    * g10/keyserver.c (keyserver_import_wkd): New.
    * g10/test-stubs.c (keyserver_import_wkd): Add stub.
    * g10/gpgv.c (keyserver_import_wkd): Ditto.
    * g10/options.h (opt):  Add field 'with_wkd_hash'.
    (AKL_WKD): New.
    
    * g10/gpg.c (oWithWKDHash): New.
    (opts): Add option --with-wkd-hash.
    (main): Set that option.
    * g10/keylist.c (list_keyblock_print): Implement that option.
    --
    
    The Web Key Directory is an experimental feature to retrieve a key via
    https.  It is similar to OpenPGP DANE but also uses encryption to
    reveal less information about a key lookup.
    
    For example the URI to lookup the key for Joe.Doe at Example.ORG is:
    
        https://example.org/.well-known/openpgpkey/
        hu/example.org/iy9q119eutrkn8s1mk4r39qejnbu3n5q
    
    (line has been wrapped for rendering purposes).  The hash is a
    z-Base-32 encoded SHA-1 hash of the mail address' local-part.  The
    address wk at gnupg.org can be used for testing.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/doc/gpg.texi b/doc/gpg.texi
index 0c43c55..c10678b 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -1600,6 +1600,10 @@ mechanisms, in the order they are to be tried:
   Locate a key using DANE, as specified
   in draft-ietf-dane-openpgpkey-05.txt.
 
+  @item wkd
+  Locate a key using the Web Key Directory protocol.
+  This is an experimental method and semantics may change.
+
   @item ldap
   Using DNS Service Discovery, check the domain in question for any LDAP
   keyservers to use.  If this fails, attempt to locate the key using the
@@ -2235,6 +2239,11 @@ Print the ICAO spelling of the fingerprint in addition to the hex digits.
 @opindex with-keygrip
 Include the keygrip in the key listings.
 
+ at item --with-wkd-hash
+ at opindex with-wkd-hash
+Print a Web Key Directory indentifier along with each user ID in key
+listings.  This is an experimental feature and semantics may change.
+
 @item --with-secret
 @opindex with-secret
 Include info about the presence of a secret key in public key listings
diff --git a/g10/call-dirmngr.c b/g10/call-dirmngr.c
index e596533..b0f249e 100644
--- a/g10/call-dirmngr.c
+++ b/g10/call-dirmngr.c
@@ -1064,7 +1064,7 @@ gpg_dirmngr_ks_put (ctrl_t ctrl, void *data, size_t datalen, kbnode_t keyblock)
 
 
 

-/* Data callback for the DNS_CERT command. */
+/* Data callback for the DNS_CERT and WKD_GET commands. */
 static gpg_error_t
 dns_cert_data_cb (void *opaque, const void *data, size_t datalen)
 {
@@ -1287,3 +1287,62 @@ gpg_dirmngr_get_pka (ctrl_t ctrl, const char *userid,
   close_context (ctrl, ctx);
   return err;
 }
+
+
+

+/* Ask the dirmngr to retrieve a key via the Web Key Directory
+ * protocol.  On success a new estream with the key is stored at
+ * R_KEY.
+ */
+gpg_error_t
+gpg_dirmngr_wkd_get (ctrl_t ctrl, const char *name, estream_t *r_key)
+{
+  gpg_error_t err;
+  assuan_context_t ctx;
+  struct dns_cert_parm_s parm;
+  char *line = NULL;
+
+  memset (&parm, 0, sizeof parm);
+
+  err = open_context (ctrl, &ctx);
+  if (err)
+    return err;
+
+  line = es_bsprintf ("WKD_GET -- %s", name);
+  if (!line)
+    {
+      err = gpg_error_from_syserror ();
+      goto leave;
+    }
+  if (strlen (line) + 2 >= ASSUAN_LINELENGTH)
+    {
+      err = gpg_error (GPG_ERR_TOO_LARGE);
+      goto leave;
+    }
+
+  parm.memfp = es_fopenmem (0, "rwb");
+  if (!parm.memfp)
+    {
+      err = gpg_error_from_syserror ();
+      goto leave;
+    }
+  err = assuan_transact (ctx, line, dns_cert_data_cb, &parm,
+                         NULL, NULL, NULL, &parm);
+  if (err)
+    goto leave;
+
+  if (r_key)
+    {
+      es_rewind (parm.memfp);
+      *r_key = parm.memfp;
+      parm.memfp = NULL;
+    }
+
+ leave:
+  xfree (parm.fpr);
+  xfree (parm.url);
+  es_fclose (parm.memfp);
+  xfree (line);
+  close_context (ctrl, ctx);
+  return err;
+}
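Review bot: `name` is spliced verbatim into the Assuan command line at `es_bsprintf ("WKD_GET -- %s", name)`, so a user ID containing a line break or another control character reaches the protocol layer unescaped; the `--` only protects against a leading dash, and the only validation applied is the ASSUAN_LINELENGTH bound. Whether assuan_transact rejects an embedded LF itself is not visible here, so rejecting such input up front is the safer contract, e.g. `if (strpbrk (name, "\r\n")) { err = gpg_error (GPG_ERR_INV_ARG); goto leave; }` placed before the length check. The header comment should also state that R_KEY may be NULL, in which case the retrieved data is discarded, and that the stream handed back is rewound to its start.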
diff --git a/g10/call-dirmngr.h b/g10/call-dirmngr.h
index cdad645..4dc1e30 100644
--- a/g10/call-dirmngr.h
+++ b/g10/call-dirmngr.h
@@ -40,6 +40,8 @@ gpg_error_t gpg_dirmngr_dns_cert (ctrl_t ctrl,
 gpg_error_t gpg_dirmngr_get_pka (ctrl_t ctrl, const char *userid,
                                  unsigned char **r_fpr, size_t *r_fprlen,
                                  char **r_url);
+gpg_error_t gpg_dirmngr_wkd_get (ctrl_t ctrl, const char *name,
+                                 estream_t *r_key);
 
 
 #endif /*GNUPG_G10_CALL_DIRMNGR_H*/
diff --git a/g10/getkey.c b/g10/getkey.c
index 481e8dd..a3d29f5 100644
--- a/g10/getkey.c
+++ b/g10/getkey.c
@@ -1274,7 +1274,7 @@ get_pubkey_byname (ctrl_t ctrl, GETKEY_CTX * retctx, PKT_public_key * pk,
 	{
 	  unsigned char *fpr = NULL;
 	  size_t fpr_len;
-	  int did_key_byname = 0;
+	  int did_akl_local = 0;
 	  int no_fingerprint = 0;
 	  const char *mechanism = "?";
 
@@ -1288,7 +1288,7 @@ get_pubkey_byname (ctrl_t ctrl, GETKEY_CTX * retctx, PKT_public_key * pk,
 
 	    case AKL_LOCAL:
 	      mechanism = "Local";
-	      did_key_byname = 1;
+	      did_akl_local = 1;
 	      if (retctx)
 		{
 		  getkey_end (*retctx);
@@ -1321,6 +1321,13 @@ get_pubkey_byname (ctrl_t ctrl, GETKEY_CTX * retctx, PKT_public_key * pk,
 	      glo_ctrl.in_auto_key_retrieve--;
 	      break;
 
+	    case AKL_WKD:
+	      mechanism = "WKD";
+	      glo_ctrl.in_auto_key_retrieve++;
+	      rc = keyserver_import_wkd (ctrl, name, &fpr, &fpr_len);
+	      glo_ctrl.in_auto_key_retrieve--;
+	      break;
+
 	    case AKL_LDAP:
 	      mechanism = "LDAP";
 	      glo_ctrl.in_auto_key_retrieve++;
@@ -1386,22 +1393,20 @@ get_pubkey_byname (ctrl_t ctrl, GETKEY_CTX * retctx, PKT_public_key * pk,
 
 	      add_to_strlist (&namelist, fpr_string);
 	    }
-	  else if (!rc && !fpr && !did_key_byname)
-	    /* The acquisition method said no failure occurred, but it
-	       didn't return a fingerprint.  That's a failure.  */
-	    {
-	      no_fingerprint = 1;
+	  else if (!rc && !fpr && !did_akl_local)
+            { /* The acquisition method said no failure occurred, but
+                 it didn't return a fingerprint.  That's a failure.  */
+              no_fingerprint = 1;
 	      rc = GPG_ERR_NO_PUBKEY;
 	    }
 	  xfree (fpr);
 	  fpr = NULL;
 
-	  if (!rc && !did_key_byname)
-	    /* There was no error and we didn't do a local lookup.
-	       This means that we imported a key into the local
-	       keyring.  Try to read the imported key from the
-	       keyring.  */
-	    {
+	  if (!rc && !did_akl_local)
+            { /* There was no error and we didn't do a local lookup.
+	         This means that we imported a key into the local
+	         keyring.  Try to read the imported key from the
+	         keyring.  */
 	      if (retctx)
 		{
 		  getkey_end (*retctx);
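Review bot: The rewritten lines of the `else if (!rc && !fpr && !did_akl_local)` and `if (!rc && !did_akl_local)` blocks indent the opening brace and the comment with spaces, while the statements that follow them (`rc = GPG_ERR_NO_PUBKEY;`, `if (retctx)`) keep the file's tabs, so the block only lines up at an 8-column tab stop; use tabs for the new lines as well. Moving the comment inside the brace is otherwise an improvement over the comment-before-brace form. get_pubkey_byname starts before and ends after this hunk.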
@@ -3195,6 +3200,7 @@ finish_lookup (GETKEY_CTX ctx, KBNODE keyblock)
 	      if (DBG_LOOKUP)
 		log_debug ("\tsubkey has expired\n");
 	      continue;
+
 	    }
 	  if (pk->timestamp > curtime && !opt.ignore_valid_from)
 	    {
@@ -3769,6 +3775,8 @@ parse_auto_key_locate (char *options)
 	akl->type = AKL_PKA;
       else if (ascii_strcasecmp (tok, "dane") == 0)
 	akl->type = AKL_DANE;
+      else if (ascii_strcasecmp (tok, "wkd") == 0)
+	akl->type = AKL_WKD;
       else if ((akl->spec = parse_keyserver_uri (tok, 1)))
 	akl->type = AKL_SPEC;
       else
diff --git a/g10/gpg.c b/g10/gpg.c
index b9d69a7..2f687fc 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -185,6 +185,7 @@ enum cmd_and_opt_values
     oWithICAOSpelling,
     oWithKeygrip,
     oWithSecret,
+    oWithWKDHash,
     oAnswerYes,
     oAnswerNo,
     oKeyring,
@@ -721,6 +722,7 @@ static ARGPARSE_OPTS opts[] = {
   ARGPARSE_s_n (oWithICAOSpelling, "with-icao-spelling", "@"),
   ARGPARSE_s_n (oWithKeygrip,     "with-keygrip", "@"),
   ARGPARSE_s_n (oWithSecret,      "with-secret", "@"),
+  ARGPARSE_s_n (oWithWKDHash,     "with-wkd-hash", "@"),
   ARGPARSE_s_s (oDisableCipherAlgo,  "disable-cipher-algo", "@"),
   ARGPARSE_s_s (oDisablePubkeyAlgo,  "disable-pubkey-algo", "@"),
   ARGPARSE_s_n (oAllowNonSelfsignedUID,      "allow-non-selfsigned-uid", "@"),
@@ -2575,6 +2577,10 @@ main (int argc, char **argv)
             opt.with_secret = 1;
             break;
 
+	  case oWithWKDHash:
+            opt.with_wkd_hash = 1;
+            break;
+
 	  case oSecretKeyring:
             /* Ignore this old option.  */
             break;
diff --git a/g10/gpgv.c b/g10/gpgv.c
index 19a2ff6..2a53e69 100644
--- a/g10/gpgv.c
+++ b/g10/gpgv.c
@@ -374,6 +374,17 @@ keyserver_import_pka (const char *name,unsigned char *fpr)
   return -1;
 }
 
+gpg_error_t
+keyserver_import_wkd (ctrl_t ctrl, const char *name,
+                      unsigned char **fpr, size_t *fpr_len)
+{
+  (void)ctrl;
+  (void)name;
+  (void)fpr;
+  (void)fpr_len;
+  return GPG_ERR_BUG;
+}
+
 int
 keyserver_import_name (const char *name,struct keyserver_spec *spec)
 {
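Review bot: The stub returns the bare code `GPG_ERR_BUG` although its return type is gpg_error_t; elsewhere in this series errors are wrapped, e.g. `gpg_error (GPG_ERR_TOO_LARGE)` in g10/call-dirmngr.c, and a bare code carries no error source, so a caller printing it with gpg_strsource loses that information. Use `return gpg_error (GPG_ERR_BUG);` here and in the identical stub added to g10/test-stubs.c.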
diff --git a/g10/import.c b/g10/import.c
index 369be35..e9fc014 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -1279,7 +1279,7 @@ import_one (ctrl_t ctrl,
         {
           xfree (*fpr);
           /* Note that we need to compare against 0 here because
-             COUNT gets only incremented after returning form this
+             COUNT gets only incremented after returning from this
              function.  */
           if (!stats->count)
             *fpr = fingerprint_from_pk (pk, NULL, fpr_len);
diff --git a/g10/keylist.c b/g10/keylist.c
index d71bf4f..0812d9c 100644
--- a/g10/keylist.c
+++ b/g10/keylist.c
@@ -1116,6 +1116,7 @@ list_keyblock_print (KBNODE keyblock, int secret, int fpr,
       if (node->pkt->pkttype == PKT_USER_ID)
 	{
 	  PKT_user_id *uid = node->pkt->pkt.user_id;
+          int indent;
 
 	  if ((uid->is_expired || uid->is_revoked)
 	      && !(opt.list_options & LIST_SHOW_UNUSABLE_UIDS))
@@ -1133,25 +1134,46 @@ list_keyblock_print (KBNODE keyblock, int secret, int fpr,
 	      || (opt.list_options & LIST_SHOW_UID_VALIDITY))
 	    {
 	      const char *validity;
-	      int indent;
 
 	      validity = uid_trust_string_fixed (pk, uid);
-	      indent =
-		(keystrlen () + (opt.legacy_list_mode? 9:11)) -
-		atoi (uid_trust_string_fixed (NULL, NULL));
-
+	      indent = ((keystrlen () + (opt.legacy_list_mode? 9:11))
+                        - atoi (uid_trust_string_fixed (NULL, NULL)));
 	      if (indent < 0 || indent > 40)
 		indent = 0;
 
 	      es_fprintf (es_stdout, "uid%*s%s ", indent, "", validity);
 	    }
 	  else
-	    es_fprintf (es_stdout, "uid%*s",
-                        (int) keystrlen () + (opt.legacy_list_mode? 10:12), "");
+            {
+              indent = keystrlen () + (opt.legacy_list_mode? 10:12);
+              es_fprintf (es_stdout, "uid%*s", indent, "");
+            }
 
 	  print_utf8_buffer (es_stdout, uid->name, uid->len);
 	  es_putc ('\n', es_stdout);
 
+          if (opt.with_wkd_hash)
+            {
+              char *mbox, *hash, *p;
+              char hashbuf[32];
+
+              mbox = mailbox_from_userid (uid->name);
+              if (mbox && (p = strchr (mbox, '@')))
+                {
+                  *p++ = 0;
+                  gcry_md_hash_buffer (GCRY_MD_SHA1, hashbuf,
+                                       mbox, strlen (mbox));
+                  hash = zb32_encode (hashbuf, 8*20);
+                  if (hash)
+                    {
+                      es_fprintf (es_stdout, "   %*s%s@%s\n",
+                                  indent, "", hash, p);
+                      xfree (hash);
+                    }
+                }
+              xfree (mbox);
+            }
+
 	  if ((opt.list_options & LIST_SHOW_PHOTOS) && uid->attribs != NULL)
 	    show_photos (uid->attribs, uid->numattribs, pk, uid);
 	}
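Review bot: The mailbox-to-hash mapping added here (`mailbox_from_userid`, SHA-1 over the local part, `zb32_encode (hashbuf, 8*20)`) duplicates the one in `cmd_wkd_get` in dirmngr/server.c, so the identifier gpg prints and the path dirmngr actually fetches can silently diverge if either copy changes; a single shared helper returning the encoded hash for a mailbox would keep them in step. Whether `mailbox_from_userid` already case-normalises the local part is not visible here — if the WKD scheme expects a canonical form, that normalisation belongs in the shared helper so both sides apply it. `hashbuf` is declared with 32 bytes but only 20 are produced and encoded; `char hashbuf[20];` together with `zb32_encode (hashbuf, 8*sizeof hashbuf)` removes the repeated magic number. list_keyblock_print starts before and ends after this hunk.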
diff --git a/g10/keyserver-internal.h b/g10/keyserver-internal.h
index 6f6f430..f57dcaa 100644
--- a/g10/keyserver-internal.h
+++ b/g10/keyserver-internal.h
@@ -45,6 +45,8 @@ int keyserver_import_cert (ctrl_t ctrl, const char *name, int dane_mode,
                            unsigned char **fpr,size_t *fpr_len);
 gpg_error_t keyserver_import_pka (ctrl_t ctrl, const char *name,
                                   unsigned char **fpr,size_t *fpr_len);
+gpg_error_t keyserver_import_wkd (ctrl_t ctrl, const char *name,
+                                  unsigned char **fpr, size_t *fpr_len);
 int keyserver_import_name (ctrl_t ctrl,
                            const char *name,unsigned char **fpr,size_t *fpr_len,
                            struct keyserver_spec *keyserver);
diff --git a/g10/keyserver.c b/g10/keyserver.c
index e9ccb58..95ef441 100644
--- a/g10/keyserver.c
+++ b/g10/keyserver.c
@@ -2004,6 +2004,39 @@ keyserver_import_pka (ctrl_t ctrl, const char *name,
 }
 
 
+/* Import a key using the Web Key Directory protocol.  */
+gpg_error_t
+keyserver_import_wkd (ctrl_t ctrl, const char *name,
+                      unsigned char **fpr, size_t *fpr_len)
+{
+  gpg_error_t err;
+  estream_t key;
+
+  err = gpg_dirmngr_wkd_get (ctrl, name, &key);
+  if (err)
+    ;
+  else if (key)
+    {
+      int armor_status = opt.no_armor;
+
+      /* Keys returned via WKD are in binary format. */
+      opt.no_armor = 1;
+
+      err = import_keys_es_stream (ctrl, key, NULL, fpr, fpr_len,
+                                   (opt.keyserver_options.import_options
+                                    | IMPORT_NO_SECKEY),
+                                   NULL, NULL);
+
+      opt.no_armor = armor_status;
+
+      es_fclose (key);
+      key = NULL;
+    }
+
+  return err;
+}
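Review bot: The key stream returned by dirmngr is imported without checking that it carries a user ID for `name`; the caller in get_pubkey_byname then looks the key up by the fingerprint this function returns, so whatever key the WKD host serves for that address becomes the key used for it. Restricting the import to keys whose user IDs contain the requested mailbox, or at least stating in the header comment that trust is placed entirely in the domain's HTTPS server, would make the experimental status concrete for readers. Two style nits: `if (err) ; else if (key)` reads better as `if (!err && key)`, and `key = NULL;` after `es_fclose (key)` is a dead store since `key` is not used afterwards.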
+
+
 /* Import a key by name using LDAP */
 int
 keyserver_import_ldap (ctrl_t ctrl,
diff --git a/g10/options.h b/g10/options.h
index 1407b2f..0de0418 100644
--- a/g10/options.h
+++ b/g10/options.h
@@ -73,6 +73,7 @@ struct
   int with_fingerprint; /* Option --with-fingerprint active.  */
   int with_keygrip;     /* Option --with-keygrip active.  */
   int with_secret;      /* Option --with-secret active.  */
+  int with_wkd_hash;    /* Option --with-wkd-hash.  */
   int fingerprint; /* list fingerprints */
   int list_sigs;   /* list signatures */
   int print_pka_records;
@@ -245,6 +246,7 @@ struct
       AKL_CERT,
       AKL_PKA,
       AKL_DANE,
+      AKL_WKD,
       AKL_LDAP,
       AKL_KEYSERVER,
       AKL_SPEC
diff --git a/g10/test-stubs.c b/g10/test-stubs.c
index 74b6bf7..2edae18 100644
--- a/g10/test-stubs.c
+++ b/g10/test-stubs.c
@@ -186,6 +186,17 @@ keyserver_import_pka (const char *name,unsigned char *fpr)
   return -1;
 }
 
+gpg_error_t
+keyserver_import_wkd (ctrl_t ctrl, const char *name,
+                      unsigned char **fpr, size_t *fpr_len)
+{
+  (void)ctrl;
+  (void)name;
+  (void)fpr;
+  (void)fpr_len;
+  return GPG_ERR_BUG;
+}
+
 int
 keyserver_import_name (const char *name,struct keyserver_spec *spec)
 {

commit c83c6f212e9bc98a9ea8dd8102bc16edd1a03050
Author: Werner Koch <wk at gnupg.org>
Date:   Wed Apr 27 08:20:25 2016 +0200

    dirmngr: Add experimental command WKD_GET.
    
    * dirmngr/server.c (cmd_wkd_get): New.
    (register_commands): Add command WKD_GET.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/dirmngr/server.c b/dirmngr/server.c
index b976468..80ce5b5 100644
--- a/dirmngr/server.c
+++ b/dirmngr/server.c
@@ -1,7 +1,7 @@
 /* server.c - LDAP and Keyserver access server
  * Copyright (C) 2002 Klarälvdalens Datakonsult AB
  * Copyright (C) 2003, 2004, 2005, 2007, 2008, 2009, 2011, 2015 g10 Code GmbH
- * Copyright (C) 2014 Werner Koch
+ * Copyright (C) 2014, 2015, 2016 Werner Koch
  *
  * This file is part of GnuPG.
  *
@@ -621,7 +621,7 @@ static const char hlp_dns_cert[] =
   "  *     Return the first record of any supported subtype\n"
   "  PGP   Return the first record of subtype PGP (3)\n"
   "  IPGP  Return the first record of subtype IPGP (6)\n"
-  "If the content of a certifciate is available (PGP) it is returned\n"
+  "If the content of a certificate is available (PGP) it is returned\n"
   "by data lines.  Fingerprints and URLs are returned via status lines.\n"
   "In --pka mode the fingerprint and if available an URL is returned.\n"
   "In --dane mode the key is returned from RR type 61";
@@ -798,6 +798,75 @@ cmd_dns_cert (assuan_context_t ctx, char *line)
 
 
 

+static const char hlp_wkd_get[] =
+  "WKD_GET <user_id>\n"
+  "\n"
+  "Return the key for <user_id> from a Web Key Directory.\n";
+static gpg_error_t
+cmd_wkd_get (assuan_context_t ctx, char *line)
+{
+  ctrl_t ctrl = assuan_get_pointer (ctx);
+  gpg_error_t err = 0;
+  char *mbox = NULL;
+  char *domain;     /* Points to mbox.  */
+  char sha1buf[20];
+  char *uri = NULL;
+  char *encodedhash = NULL;
+
+  line = skip_options (line);
+
+  mbox = mailbox_from_userid (line);
+  if (!mbox || !(domain = strchr (mbox, '@')))
+    {
+      err = set_error (GPG_ERR_INV_USER_ID, "no mailbox in user id");
+      goto leave;
+    }
+  *domain++ = 0;
+
+  gcry_md_hash_buffer (GCRY_MD_SHA1, sha1buf, mbox, strlen (mbox));
+  encodedhash = zb32_encode (sha1buf, 8*20);
+  if (!encodedhash)
+    {
+      err = gpg_error_from_syserror ();
+      goto leave;
+    }
+
+  uri = strconcat ("https://",
+                   domain,
+                   "/.well-known/openpgpkey/hu/",
+                   domain,
+                   "/",
+                   encodedhash,
+                   NULL);
+  if (!uri)
+    {
+      err = gpg_error_from_syserror ();
+      goto leave;
+    }
+
+  /* Setup an output stream and perform the get.  */
+  {
+    estream_t outfp;
+
+    outfp = es_fopencookie (ctx, "w", data_line_cookie_functions);
+    if (!outfp)
+      err = set_error (GPG_ERR_ASS_GENERAL, "error setting up a data stream");
+    else
+      {
+        err = ks_action_fetch (ctrl, uri, outfp);
+        es_fclose (outfp);
+      }
+  }
+
+ leave:
+  xfree (uri);
+  xfree (encodedhash);
+  xfree (mbox);
+  return leave_cmd (ctx, err);
+}
+
+
+

 static const char hlp_ldapserver[] =
   "LDAPSERVER <data>\n"
   "\n"
@@ -1076,7 +1145,7 @@ static const char hlp_checkocsp[] =
   "Processing then takes place without further interaction; in\n"
   "particular dirmngr tries to locate other required certificates by\n"
   "its own mechanism which includes a local certificate store as well\n"
-  "as a list of trusted root certifciates.\n"
+  "as a list of trusted root certificates.\n"
   "\n"
   "If the option --force-default-responder is given, only the default\n"
   "OCSP responder will be used and any other methods of obtaining an\n"
@@ -2018,7 +2087,7 @@ cmd_ks_fetch (assuan_context_t ctx, char *line)
   /* No options for now.  */
   line = skip_options (line);
 
-  err = ensure_keyserver (ctrl);
+  err = ensure_keyserver (ctrl);  /* FIXME: Why do we needs this here?  */
   if (err)
     goto leave;
 
@@ -2261,6 +2330,7 @@ register_commands (assuan_context_t ctx)
     const char * const help;
   } table[] = {
     { "DNS_CERT",   cmd_dns_cert,   hlp_dns_cert },
+    { "WKD_GET",    cmd_wkd_get,    hlp_wkd_get },
     { "LDAPSERVER", cmd_ldapserver, hlp_ldapserver },
     { "ISVALID",    cmd_isvalid,    hlp_isvalid },
     { "CHECKCRL",   cmd_checkcrl,   hlp_checkcrl },

commit c3aeda82b8d00b87a5af72b4075c487c10dfdf6b
Author: Werner Koch <wk at gnupg.org>
Date:   Wed Apr 27 08:18:37 2016 +0200

    dirmngr: Use system provided root CAs with KS_FETCH.
    
    * dirmngr/ks-engine-http.c (ks_http_fetch): Use HTTP_FLAG_TRUST_SYS.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c
index b996c25..00d0c4b 100644
--- a/dirmngr/ks-engine-http.c
+++ b/dirmngr/ks-engine-http.c
@@ -73,7 +73,9 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
   estream_t fp = NULL;
   char *request_buffer = NULL;
 
-  err = http_session_new (&session, NULL, NULL, HTTP_FLAG_TRUST_DEF);
+  /* Note that we only use the system provided certificates with the
+   * fetch command.  */
+  err = http_session_new (&session, NULL, NULL, HTTP_FLAG_TRUST_SYS);
   if (err)
     goto leave;
   http_session_set_log_cb (session, cert_log_cb);
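Review bot: Passing only HTTP_FLAG_TRUST_SYS drops the CAs registered with http_register_tls_ca for this code path, because http_session_new tests the two bits independently (the TRUST_DEF loop and the TRUST_SYS block in dirmngr/http.c are separate `if`s), whereas the flag comments in dirmngr/http.c and dirmngr/http.h say "Also use the system defined CAs", which reads as additive. If dropping the configured CAs is intended — and, since WKD_GET presumably reaches this function through ks_action_fetch, it means the authenticity of every WKD-retrieved key rests on the system CA store — the new comment should say so explicitly; if not, pass `HTTP_FLAG_TRUST_DEF|HTTP_FLAG_TRUST_SYS`. ks_http_fetch continues outside the hunk.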
diff --git a/doc/gpg.texi b/doc/gpg.texi
index 781a188..0c43c55 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -476,7 +476,8 @@ only LDAP supports them all.
 @opindex fetch-keys
 Retrieve keys located at the specified URIs. Note that different
 installations of GnuPG may support different protocols (HTTP, FTP,
-LDAP, etc.)
+LDAP, etc.).  When using HTTPS the system provided root certificates
+are used by this command.
 
 @item --update-trustdb
 @opindex update-trustdb

commit fd765df6a7883c3d841abeb657330a1aab4b7756
Author: Werner Koch <wk at gnupg.org>
Date:   Tue Apr 26 21:57:56 2016 +0200

    http: Allow to request system defined CAs for TLS.
    
    * dirmngr/http.h (HTTP_FLAG_TRUST_DEF, HTTP_FLAG_TRUST_SYS): New.
    * dirmngr/http.c (http_session_new): Add arg "flags".
    * dirmngr/ks-engine-hkp.c (send_request): Use new flag
    HTTP_FLAG_TRUST_DEF for the new arg of http_session_new.
    * dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
    * dirmngr/t-http.c (main): Ditto.
    --
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/dirmngr/http.c b/dirmngr/http.c
index aa33917..f0fcd0d 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -560,10 +560,14 @@ http_session_release (http_session_t sess)
 
 
 /* Create a new session object which is currently used to enable TLS
-   support.  It may eventually allow reusing existing connections.  */
+ * support.  It may eventually allow reusing existing connections.
+ * Valid values for FLAGS are:
+ *   HTTP_FLAG_TRUST_DEF - Use the CAs set with http_register_tls_ca
+ *   HTTP_FLAG_TRUST_SYS - Also use the CAs defined by the system
+ */
 gpg_error_t
 http_session_new (http_session_t *r_session, const char *tls_priority,
-                  const char *intended_hostname)
+                  const char *intended_hostname, unsigned int flags)
 {
   gpg_error_t err;
   http_session_t sess;
@@ -629,14 +633,34 @@ http_session_new (http_session_t *r_session, const char *tls_priority,
       }
 
     /* Add configured certificates to the session.  */
-    for (sl = tls_ca_certlist; sl; sl = sl->next)
+    if ((flags & HTTP_FLAG_TRUST_DEF))
+      {
+        for (sl = tls_ca_certlist; sl; sl = sl->next)
+          {
+            rc = gnutls_certificate_set_x509_trust_file
+              (sess->certcred, sl->d,
+               (sl->flags & 1)? GNUTLS_X509_FMT_PEM : GNUTLS_X509_FMT_DER);
+            if (rc < 0)
+              log_info ("setting CA from file '%s' failed: %s\n",
+                        sl->d, gnutls_strerror (rc));
+          }
+      }
+
+    /* Add system certificates to the session.  */
+    if ((flags & HTTP_FLAG_TRUST_SYS))
       {
-        rc = gnutls_certificate_set_x509_trust_file
-          (sess->certcred, sl->d,
-           (sl->flags & 1)? GNUTLS_X509_FMT_PEM : GNUTLS_X509_FMT_DER);
+#if GNUTLS_VERSION_NUMBER >= 0x030014
+        static int shown;
+
+        rc = gnutls_certificate_set_x509_system_trust (sess->certcred);
         if (rc < 0)
-          log_info ("setting CA from file '%s' failed: %s\n",
-                    sl->d, gnutls_strerror (rc));
+          log_info ("setting system CAs failed: %s\n", gnutls_strerror (rc));
+        else if (!shown)
+          {
+            shown = 1;
+            log_info ("number of system provided CAs: %d\n", rc);
+          }
+#endif /* gnutls >= 3.0.20 */
       }
 
     rc = gnutls_init (&sess->tls_session, GNUTLS_CLIENT);
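Review bot: When gnutls is older than 3.0.20 the `#if GNUTLS_VERSION_NUMBER >= 0x030014` block compiles away entirely, so a caller asking for HTTP_FLAG_TRUST_SYS silently gets no system CAs and no diagnostic, and a TLS connection that was expected to verify will fail or be left with only the configured CAs. An `#else` branch with `log_info ("system CAs not supported by this gnutls version\n");` would make the degraded trust setup visible in the log. http_session_new starts before this hunk.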
diff --git a/dirmngr/http.h b/dirmngr/http.h
index 58b8c1a..569ccea 100644
--- a/dirmngr/http.h
+++ b/dirmngr/http.h
@@ -80,11 +80,13 @@ enum
     HTTP_FLAG_TRY_PROXY = 1,     /* Try to use a proxy.  */
     HTTP_FLAG_SHUTDOWN = 2,      /* Close sending end after the request.  */
     HTTP_FLAG_FORCE_TOR = 4,     /* Force a TOR connection.  */
-    HTTP_FLAG_LOG_RESP = 8,      /* Log the server respone.  */
+    HTTP_FLAG_LOG_RESP = 8,      /* Log the server response.  */
     HTTP_FLAG_FORCE_TLS = 16,    /* Force the use of TLS.  */
     HTTP_FLAG_IGNORE_CL = 32,    /* Ignore content-length.  */
     HTTP_FLAG_IGNORE_IPv4 = 64,  /* Do not use IPv4.  */
-    HTTP_FLAG_IGNORE_IPv6 = 128  /* Do not use IPv6.  */
+    HTTP_FLAG_IGNORE_IPv6 = 128, /* Do not use IPv6.  */
+    HTTP_FLAG_TRUST_DEF   = 256, /* Use the default CAs.  */
+    HTTP_FLAG_TRUST_SYS   = 512  /* Also use the system defined CAs.  */
   };
 
 
@@ -99,7 +101,8 @@ void http_register_tls_ca (const char *fname);
 
 gpg_error_t http_session_new (http_session_t *r_session,
                               const char *tls_priority,
-                              const char *intended_hostname);
+                              const char *intended_hostname,
+                              unsigned int flags);
 http_session_t http_session_ref (http_session_t sess);
 void http_session_release (http_session_t sess);
 
diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index eca02f0..636eaf7 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -991,7 +991,7 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
 
   *r_fp = NULL;
 
-  err = http_session_new (&session, NULL, httphost);
+  err = http_session_new (&session, NULL, httphost, HTTP_FLAG_TRUST_DEF);
   if (err)
     goto leave;
   http_session_set_log_cb (session, cert_log_cb);
diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c
index 8232313..b996c25 100644
--- a/dirmngr/ks-engine-http.c
+++ b/dirmngr/ks-engine-http.c
@@ -73,7 +73,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
   estream_t fp = NULL;
   char *request_buffer = NULL;
 
-  err = http_session_new (&session, NULL, NULL);
+  err = http_session_new (&session, NULL, NULL, HTTP_FLAG_TRUST_DEF);
   if (err)
     goto leave;
   http_session_set_log_cb (session, cert_log_cb);
diff --git a/dirmngr/t-http.c b/dirmngr/t-http.c
index 9d5ea5f..3a6be6c 100644
--- a/dirmngr/t-http.c
+++ b/dirmngr/t-http.c
@@ -262,7 +262,7 @@ main (int argc, char **argv)
   http_register_tls_callback (verify_callback);
   http_register_tls_ca (cafile);
 
-  err = http_session_new (&session, NULL, NULL);
+  err = http_session_new (&session, NULL, NULL, HTTP_FLAG_TRUST_DEF);
   if (err)
     log_error ("http_session_new failed: %s\n", gpg_strerror (err));
 

commit 07dbd061bd6c1f131f1d609b412675a128c5fe99
Author: Werner Koch <wk at gnupg.org>
Date:   Tue Apr 26 15:51:46 2016 +0200

    gpg: Add OpenPGP card vendor 0x2342.
    
    --

diff --git a/g10/card-util.c b/g10/card-util.c
index d9c12c6..4276716 100644
--- a/g10/card-util.c
+++ b/g10/card-util.c
@@ -215,7 +215,7 @@ get_manufacturer (unsigned int no)
     case 0x002A: return "Magrathea";
 
     case 0x1337: return "Warsaw Hackerspace";
-
+    case 0x2342: return "warpzone"; /* hackerspace Muenster.  */
     case 0xF517: return "FSIJ";
 
       /* 0x0000 and 0xFFFF are defined as test cards per spec,

-----------------------------------------------------------------------

Summary of changes:
 dirmngr/http.c           | 40 ++++++++++++++++++++-----
 dirmngr/http.h           |  9 ++++--
 dirmngr/ks-engine-hkp.c  |  2 +-
 dirmngr/ks-engine-http.c |  4 ++-
 dirmngr/server.c         | 78 +++++++++++++++++++++++++++++++++++++++++++++---
 dirmngr/t-http.c         |  2 +-
 doc/gpg.texi             | 12 +++++++-
 g10/call-dirmngr.c       | 61 ++++++++++++++++++++++++++++++++++++-
 g10/call-dirmngr.h       |  2 ++
 g10/card-util.c          |  2 +-
 g10/getkey.c             | 34 +++++++++++++--------
 g10/gpg.c                |  6 ++++
 g10/gpgv.c               | 11 +++++++
 g10/import.c             |  2 +-
 g10/keylist.c            | 36 +++++++++++++++++-----
 g10/keyserver-internal.h |  2 ++
 g10/keyserver.c          | 33 ++++++++++++++++++++
 g10/options.h            |  2 ++
 g10/test-stubs.c         | 11 +++++++
 19 files changed, 307 insertions(+), 42 deletions(-)

