[PATCH 1/3] dirmngr: register hkp-cacert even if the file doesn't exist yet
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Oct 28 00:30:57 CEST 2016
* dirmngr/dirmngr.c (parse_readable_options): if we're unable to turn
an argument for hkp-cacert into an absolute filename, terminate
completely.
* dirmngr/http.c (http_register_tls_ca): show a warning if file is not
immediately accessible, but register it anyway.
--
Without this changeset, the condition of the filesystem when dirmngr
is initialized will have an effect on later activities of dirmngr.
For example, if a file identified by a hkp-cacert directive doesn't
exist when dirmngr starts, dirmngr will behave as though it simply
didn't have the hkp-cacert directive set at all, even if the file
should appear later.
dirmngr currently behaves differently if no hkp-cacert directives have
been set than it does when at least one hkp-cacert directive has been
set. For example, its choice of CA cert for
hkps://hkps.pool.sks-keyservers.net depends on whether a TLS CA file
has been registered. That behavior shouldn't additionally depend on
the state of the filesystem at the time of dirmngr launch.
Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
---
dirmngr/dirmngr.c | 12 +++---------
dirmngr/http.c | 5 +++++
2 files changed, 8 insertions(+), 9 deletions(-)
diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
index 07cbed9..d15b9e5 100644
--- a/dirmngr/dirmngr.c
+++ b/dirmngr/dirmngr.c
@@ -601,15 +601,9 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
{
char *tmpname;
- /* Do tilde expansion and print a warning if the file can't be
- accessed. */
- tmpname = make_absfilename_try (pargs->r.ret_str, NULL);
- if (!tmpname || access (tmpname, F_OK))
- log_info (_("can't access '%s': %s\n"),
- tmpname? tmpname : pargs->r.ret_str,
- gpg_strerror (gpg_error_from_syserror()));
- else
- http_register_tls_ca (tmpname);
+ /* Do tilde expansion and make path absolute. */
+ tmpname = make_absfilename (pargs->r.ret_str, NULL);
+ http_register_tls_ca (tmpname);
xfree (tmpname);
}
break;
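Review bot: replacing make_absfilename_try with make_absfilename in this hunk means a failure to build the absolute path (the only realistic cause being an allocation failure) now aborts the whole process, and since parse_rereadable_options takes a `reread` argument it is also called when a running dirmngr re-reads its options, so a transient failure there would kill a daemon that was working a moment ago; consider keeping make_absfilename_try with a log_error and skipping just this entry, or state in the commit message why termination is acceptable in the reread path. Separately, the commit summary refers to `parse_readable_options`, while the hunk header shows the function is `parse_rereadable_options`; please correct the name in the message.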
diff --git a/dirmngr/http.c b/dirmngr/http.c
index ac8238c..b767c15 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -492,6 +492,11 @@ http_register_tls_ca (const char *fname)
}
else
{
+ /* Warn if we can't access right now, but register it anyway in
+ case it becomes accessible later */
+ if (access (fname, F_OK))
+ log_info (_("can't access '%s': %s\n"), fname,
+ gpg_strerror (gpg_error_from_syserror()));
sl = add_to_strlist (&tls_ca_certlist, fname);
if (*sl->d && !strcmp (sl->d + strlen (sl->d) - 4, ".pem"))
sl->flags = 1;
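Review bot: the warning added in this hunk reuses the old "can't access '%s'" text, which previously meant the file was being skipped, but now the file is registered regardless, so the message should say so to avoid misleading the operator, e.g. `log_info (_("can't access '%s': %s -- registering it anyway\n"), ...)` or similar; as a style point, the new comment should end with a full stop like the surrounding GnuPG comments ("... accessible later.  */"). Note also that errno must still be fresh when gpg_error_from_syserror() is called; here it is, because nothing runs between access() and the log call, so keep it that way if the block is later extended.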
--
2.9.3