Page Menu
Home
GnuPG
Search
Configure Global Search
Log In
Files
F34140282
http-ntbtls.c
No One
Temporary
Actions
Download File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Size
3 KB
Subscribers
None
http-ntbtls.c
View Options
/* http-ntbtls.c - Support for using NTBTLS with http.c
* Copyright (C) 2017 Werner Koch
*
* This file is part of GnuPG.
*
* GnuPG is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* GnuPG is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <https://www.gnu.org/licenses/>.
*/
#include
<config.h>
#include
<stdio.h>
#include
<stdlib.h>
#include
<string.h>
#include
"dirmngr.h"
#include
"certcache.h"
#include
"validate.h"
#include
"http-common.h"
#ifdef HTTP_USE_NTBTLS
# include <ntbtls.h>
/* The callback used to verify the peer's certificate. */
gpg_error_t
gnupg_http_tls_verify_cb
(
void
*
opaque
,
http_t
http
,
http_session_t
session
,
unsigned
int
http_flags
,
void
*
tls_context
)
{
ctrl_t
ctrl
=
opaque
;
ntbtls_t
tls
=
tls_context
;
gpg_error_t
err
;
int
idx
;
ksba_cert_t
cert
;
ksba_cert_t
hostcert
=
NULL
;
unsigned
int
validate_flags
;
const
char
*
hostname
;
(
void
)
http
;
(
void
)
session
;
log_assert
(
ctrl
&&
ctrl
->
magic
==
SERVER_CONTROL_MAGIC
);
log_assert
(
!
ntbtls_check_context
(
tls
));
/* Get the peer's certs from ntbtls. */
for
(
idx
=
0
;
(
cert
=
ntbtls_x509_get_peer_cert
(
tls
,
idx
));
idx
++
)
{
if
(
!
idx
)
hostcert
=
cert
;
else
{
/* Quick hack to make verification work by inserting the supplied
* certs into the cache. FIXME! */
cache_cert
(
cert
);
ksba_cert_release
(
cert
);
}
}
if
(
!
idx
)
{
err
=
gpg_error
(
GPG_ERR_MISSING_CERT
);
goto
leave
;
}
validate_flags
=
VALIDATE_FLAG_TLS
;
/* If we are using the standard hkps:// pool use the dedicated
* root certificate. */
hostname
=
ntbtls_get_hostname
(
tls
);
if
(
hostname
&&
!
ascii_strcasecmp
(
hostname
,
get_default_keyserver
(
1
)))
{
validate_flags
|=
VALIDATE_FLAG_TRUST_HKPSPOOL
;
}
else
/* Use the certificates as requested from the HTTP module. */
{
if
((
http_flags
&
HTTP_FLAG_TRUST_CFG
))
validate_flags
|=
VALIDATE_FLAG_TRUST_CONFIG
;
if
((
http_flags
&
HTTP_FLAG_TRUST_DEF
))
validate_flags
|=
VALIDATE_FLAG_TRUST_HKP
;
if
((
http_flags
&
HTTP_FLAG_TRUST_SYS
))
validate_flags
|=
VALIDATE_FLAG_TRUST_SYSTEM
;
/* If HKP trust is requested and there are no HKP certificates
* configured, also try the standard system certificates. */
if
((
validate_flags
&
VALIDATE_FLAG_TRUST_HKP
)
&&
!
cert_cache_any_in_class
(
CERTTRUST_CLASS_HKP
))
validate_flags
|=
VALIDATE_FLAG_TRUST_SYSTEM
;
}
if
((
http_flags
&
HTTP_FLAG_NO_CRL
))
validate_flags
|=
VALIDATE_FLAG_NOCRLCHECK
;
err
=
validate_cert_chain
(
ctrl
,
hostcert
,
NULL
,
validate_flags
,
NULL
);
leave
:
ksba_cert_release
(
hostcert
);
return
err
;
}
#else
/*!HTTP_USE_NTBTLS*/
/* Dummy function used when not build without ntbtls support. */
gpg_error_t
gnupg_http_tls_verify_cb
(
void
*
opaque
,
http_t
http
,
http_session_t
session
,
unsigned
int
flags
,
void
*
tls_context
)
{
(
void
)
opaque
;
(
void
)
http
;
(
void
)
session
;
(
void
)
flags
;
(
void
)
tls_context
;
return
gpg_error
(
GPG_ERR_NOT_IMPLEMENTED
);
}
#endif
/*!HTTP_USE_NTBTLS*/
File Metadata
Details
Attached
Mime Type
text/x-c
Expires
Tue, Dec 9, 1:06 AM (18 h, 2 m)
Storage Engine
local-disk
Storage Format
Raw Data
Storage Handle
42/7a/8431d3490b7a68bca32652536ed3
Attached To
rG GnuPG
Event Timeline
Log In to Comment