[git] GnuPG - branch, master, updated. gnupg-2.1.10-140-g77bceb2

by Werner Koch cvs at cvs.gnupg.org
Fri Jan 22 12:39:55 CET 2016



The branch, master has been updated
       via  77bceb2902dd489443073d91836ea54376c60bf6 (commit)
       via  afb8696126ff0babaab23e884ff5da008281e3b7 (commit)
      from  361820a3be48def2237f734d1383633891972f62 (commit)


- Log -----------------------------------------------------------------
commit 77bceb2902dd489443073d91836ea54376c60bf6
Author: Werner Koch <wk at gnupg.org>
Date:   Fri Jan 22 12:34:50 2016 +0100

    dirmngr: Provide the keyserver pool name even if there is no CNAME.
    
    * dirmngr/ks-engine-hkp.c (map_host): Fix setting of r_poolname.
    --
    
    map_host is intended to return the name of the pool as an additional
    information.  However this broke some time ago and a pool name was
    only returned if the pool name was retrieved from a DNS CNAME.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index 598e614..eca02f0 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -545,9 +545,9 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect,
   if (hi->pool)
     {
       /* Deal with the pool name before selecting a host. */
-      if (r_poolname && hi->cname)
+      if (r_poolname)
         {
-          *r_poolname = xtrystrdup (hi->cname);
+          *r_poolname = xtrystrdup (hi->cname? hi->cname : hi->name);
           if (!*r_poolname)
             return gpg_error_from_syserror ();
         }
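Review bot: The comment above the changed `if` ("Deal with the pool name before selecting a host.") no longer describes what the block does now that `hi->name` is used as a fallback; it should say which name the caller receives. Suggested replacement: `/* Report the pool name to the caller: the DNS CNAME if one was found, otherwise the name the pool was configured under. */`. Whether `hi->name` can be NULL at this point is not visible in the hunk; if it can, `xtrystrdup` would be handed NULL and the `gpg_error_from_syserror` path would report a stale errno rather than the real cause. map_host begins and ends outside this hunk.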

commit afb8696126ff0babaab23e884ff5da008281e3b7
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date:   Mon Oct 19 23:48:30 2015 -0400

    dirmngr: Use sks-keyservers CA by default for the hkps pool.
    
    * dirmngr/Makefile.am (dist_pkgdata_DATA): Add sks-keyservers.netCA.pem.
    * dirmngr/http.c (http_session_new): Add optional arg
    intended_hostname and set a default cert.
    * dirmngr/ks-engine-hkp.c (send_request): Pass httphost to
    http_session_new.
    --
    
    Ship the certificate for the sks-keyservers hkps pool.  If the user
    has specified that they want to use
    hkps://hkps.pool.sks-keyservers.net, and they have not specified any
    hkp-cacert explicitly, then initialize the trust path with this
    specific trust anchor.
    
    Co-authored-by: wk at gnupg.org
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/dirmngr/Makefile.am b/dirmngr/Makefile.am
index c3bce0d..1c74d10 100644
--- a/dirmngr/Makefile.am
+++ b/dirmngr/Makefile.am
@@ -20,6 +20,7 @@
 ## Process this file with automake to produce Makefile.in
 
 EXTRA_DIST = OAUTHORS ONEWS ChangeLog-2011 tls-ca.pem
+dist_pkgdata_DATA = sks-keyservers.netCA.pem
 
 bin_PROGRAMS = dirmngr dirmngr-client
 
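Review bot: The file named in the new `dist_pkgdata_DATA` line, `sks-keyservers.netCA.pem`, does not appear anywhere in this push's diffstat ("6 files changed" lists only the six source files), so `make dist` and `make install` will fail unless the certificate was added in a separate commit or as an untracked binary; worth confirming before the release. Since this file becomes a trust anchor that dirmngr installs system-wide, a one-line comment next to it recording the certificate's subject, fingerprint and expiry (taken from the shipped file) would let packagers verify they are distributing the intended anchor and notice when it needs rotating.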
diff --git a/dirmngr/http.c b/dirmngr/http.c
index 74b6911..aa33917 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -562,7 +562,8 @@ http_session_release (http_session_t sess)
 /* Create a new session object which is currently used to enable TLS
    support.  It may eventually allow reusing existing connections.  */
 gpg_error_t
-http_session_new (http_session_t *r_session, const char *tls_priority)
+http_session_new (http_session_t *r_session, const char *tls_priority,
+                  const char *intended_hostname)
 {
   gpg_error_t err;
   http_session_t sess;
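Review bot: The function comment above the changed signature still documents only the TLS-session purpose and says nothing about the new `intended_hostname` argument, which is also undocumented on the matching prototype change in dirmngr/http.h. Suggested addition to the comment: `INTENDED_HOSTNAME may be NULL; if given and no CA list has been registered with http_register_tls_ca, it is used to pick a built-in default trust anchor for the hkps.pool.sks-keyservers.net pool.` The body of http_session_new continues outside this hunk.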
@@ -600,6 +601,34 @@ http_session_new (http_session_t *r_session, const char *tls_priority)
         goto leave;
       }
 
+    /* If the user has not specified a CA list, and they are looking
+     * for the hkps pool from sks-keyservers.net, then default to
+     * Kristian's certificate authority:  */
+    if (!tls_ca_certlist
+        && intended_hostname
+        && !ascii_strcasecmp (intended_hostname,
+                              "hkps.pool.sks-keyservers.net"))
+      {
+        char *pemname = make_filename_try (gnupg_datadir (),
+                                           "sks-keyservers.netCA.pem", NULL);
+        if (!pemname)
+          {
+            err = gpg_error_from_syserror ();
+            log_error ("setting CA from file '%s' failed: %s\n",
+                       pemname, gpg_strerror (err));
+          }
+        else
+          {
+            rc = gnutls_certificate_set_x509_trust_file
+              (sess->certcred, pemname, GNUTLS_X509_FMT_PEM);
+            if (rc < 0)
+              log_info ("setting CA from file '%s' failed: %s\n",
+                        pemname, gnutls_strerror (rc));
+            xfree (pemname);
+          }
+      }
+
+    /* Add configured certificates to the session.  */
     for (sl = tls_ca_certlist; sl; sl = sl->next)
       {
         rc = gnutls_certificate_set_x509_trust_file
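Review bot: In the `!pemname` branch the `log_error` call prints `pemname` through `%s`, but that pointer is exactly what was just found to be NULL, so the call is undefined behaviour (glibc happens to print "(null)", other libcs crash). Log the literal file name instead: `log_error ("setting CA from file '%s' failed: %s\n", "sks-keyservers.netCA.pem", gpg_strerror (err));`. In the same branch `err` is assigned but control then falls through into the configured-certificate loop; whether that error is returned or silently overwritten depends on code after the hunk, so either `goto leave` right after the log (the cleanup label is already used two lines above the new block) or a comment stating the failure is deliberately non-fatal would make the intent explicit. The `rc < 0` case is likewise best-effort and leaves the session with no trust anchor for the pool; that seems intended, but a short comment saying so would stop the next reader from "fixing" it.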
diff --git a/dirmngr/http.h b/dirmngr/http.h
index 64f55e1..58b8c1a 100644
--- a/dirmngr/http.h
+++ b/dirmngr/http.h
@@ -98,7 +98,8 @@ void http_register_tls_callback (gpg_error_t (*cb)(http_t,http_session_t,int));
 void http_register_tls_ca (const char *fname);
 
 gpg_error_t http_session_new (http_session_t *r_session,
-                              const char *tls_priority);
+                              const char *tls_priority,
+                              const char *intended_hostname);
 http_session_t http_session_ref (http_session_t sess);
 void http_session_release (http_session_t sess);
 
diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index f38f29a..598e614 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -991,7 +991,7 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
 
   *r_fp = NULL;
 
-  err = http_session_new (&session, NULL);
+  err = http_session_new (&session, NULL, httphost);
   if (err)
     goto leave;
   http_session_set_log_cb (session, cert_log_cb);
diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c
index ae128ee..c51c0ce 100644
--- a/dirmngr/ks-engine-http.c
+++ b/dirmngr/ks-engine-http.c
@@ -65,7 +65,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
   estream_t fp = NULL;
   char *request_buffer = NULL;
 
-  err = http_session_new (&session, NULL);
+  err = http_session_new (&session, NULL, NULL);
   if (err)
     goto leave;
   http_session_set_log_cb (session, cert_log_cb);
diff --git a/dirmngr/t-http.c b/dirmngr/t-http.c
index 63662a2..9d5ea5f 100644
--- a/dirmngr/t-http.c
+++ b/dirmngr/t-http.c
@@ -262,7 +262,7 @@ main (int argc, char **argv)
   http_register_tls_callback (verify_callback);
   http_register_tls_ca (cafile);
 
-  err = http_session_new (&session, NULL);
+  err = http_session_new (&session, NULL, NULL);
   if (err)
     log_error ("http_session_new failed: %s\n", gpg_strerror (err));
 

-----------------------------------------------------------------------

Summary of changes:
 dirmngr/Makefile.am      |  1 +
 dirmngr/http.c           | 31 ++++++++++++++++++++++++++++++-
 dirmngr/http.h           |  3 ++-
 dirmngr/ks-engine-hkp.c  |  6 +++---
 dirmngr/ks-engine-http.c |  2 +-
 dirmngr/t-http.c         |  2 +-
 6 files changed, 38 insertions(+), 7 deletions(-)

