[PATCH 1/3] dirmngr: register hkp-cacert even if the file doesn't exist yet

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Oct 28 00:30:57 CEST 2016


* dirmngr/dirmngr.c (parse_readable_options): if we're unable to turn
  an argument for hkp-cacert into an absolute filename, terminate
  completely.
* dirmngr/http.c (http_register_tls_ca): show a warning if file is not
  immediately accessible, but register it anyway.

--

Without this changeset, the condition of the filesystem when dirmngr
is initialized will have an effect on later activities of dirmngr.

For example, if a file identified by a hkp-cacert directive doesn't
exist when dirmngr starts, dirmngr will behave as though it simply
didn't have the hkp-cacert directive set at all, even if the file
should appear later.

dirmngr currently behaves differently if no hkp-cacert directives have
been set then it does when at least one hkp-cacert directive has been
set.  For example, its choice of CA cert for
hkps://hkps.pool.sks-keyservers.net depends on whether a TLS CA file
has been registered.  That behavior shouldn't additionally depend on
the state of the filesystem at the time of dirmngr launch.

Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
---
 dirmngr/dirmngr.c | 12 +++---------
 dirmngr/http.c    |  5 +++++
 2 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
index 07cbed9..d15b9e5 100644
--- a/dirmngr/dirmngr.c
+++ b/dirmngr/dirmngr.c
@@ -601,15 +601,9 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
       {
         char *tmpname;
 
-        /* Do tilde expansion and print a warning if the file can't be
-           accessed.  */
-        tmpname = make_absfilename_try (pargs->r.ret_str, NULL);
-        if (!tmpname || access (tmpname, F_OK))
-          log_info (_("can't access '%s': %s\n"),
-                    tmpname? tmpname : pargs->r.ret_str,
-                    gpg_strerror (gpg_error_from_syserror()));
-        else
-          http_register_tls_ca (tmpname);
+        /* Do tilde expansion and make path absolute.  */
+        tmpname = make_absfilename (pargs->r.ret_str, NULL);
+        http_register_tls_ca (tmpname);
         xfree (tmpname);
       }
       break;
diff --git a/dirmngr/http.c b/dirmngr/http.c
index ac8238c..b767c15 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -492,6 +492,11 @@ http_register_tls_ca (const char *fname)
     }
   else
     {
+      /* Warn if we can't access right now, but register it anyway in
+         case it becomes accessible later */
+      if (access (fname, F_OK))
+        log_info (_("can't access '%s': %s\n"), fname,
+                  gpg_strerror (gpg_error_from_syserror()));
       sl = add_to_strlist (&tls_ca_certlist, fname);
       if (*sl->d && !strcmp (sl->d + strlen (sl->d) - 4, ".pem"))
         sl->flags = 1;
-- 
2.9.3




More information about the Gnupg-devel mailing list