diff options
Diffstat (limited to 'dirmngr/http-ntbtls.c')
-rw-r--r-- | dirmngr/http-ntbtls.c | 134 |
1 files changed, 134 insertions, 0 deletions
diff --git a/dirmngr/http-ntbtls.c b/dirmngr/http-ntbtls.c new file mode 100644 index 0000000..58388b2 --- /dev/null +++ b/dirmngr/http-ntbtls.c @@ -0,0 +1,134 @@ +/* http-ntbtls.c - Support for using NTBTLS with http.c + * Copyright (C) 2017 Werner Koch + * + * This file is part of GnuPG. + * + * GnuPG is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuPG is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <https://www.gnu.org/licenses/>. + */ + +#include <config.h> + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> + +#include "dirmngr.h" +#include "certcache.h" +#include "validate.h" +#include "http-common.h" + +#ifdef HTTP_USE_NTBTLS +# include <ntbtls.h> + + +/* The callback used to verify the peer's certificate. */ +gpg_error_t +gnupg_http_tls_verify_cb (void *opaque, + http_t http, + http_session_t session, + unsigned int http_flags, + void *tls_context) +{ + ctrl_t ctrl = opaque; + ntbtls_t tls = tls_context; + gpg_error_t err; + int idx; + ksba_cert_t cert; + ksba_cert_t hostcert = NULL; + unsigned int validate_flags; + const char *hostname; + + (void)http; + (void)session; + + log_assert (ctrl && ctrl->magic == SERVER_CONTROL_MAGIC); + log_assert (!ntbtls_check_context (tls)); + + /* Get the peer's certs fron ntbtls. */ + for (idx = 0; + (cert = ntbtls_x509_get_peer_cert (tls, idx)); idx++) + { + if (!idx) + hostcert = cert; + else + { + /* Quick hack to make verification work by inserting the supplied + * certs into the cache. FIXME! */ + cache_cert (cert); + ksba_cert_release (cert); + } + } + if (!idx) + { + err = gpg_error (GPG_ERR_MISSING_CERT); + goto leave; + } + + validate_flags = VALIDATE_FLAG_TLS; + + /* If we are using the standard hkps:// pool use the dedicated root + * certificate. Note that this differes from the GnuTLS + * implementation which uses this special certificate only if no + * other certificates are configured. */ + hostname = ntbtls_get_hostname (tls); + if (hostname + && !ascii_strcasecmp (hostname, get_default_keyserver (1))) + { + validate_flags |= VALIDATE_FLAG_TRUST_HKPSPOOL; + } + else /* Use the certificates as requested from the HTTP module. */ + { + if ((http_flags & HTTP_FLAG_TRUST_CFG)) + validate_flags |= VALIDATE_FLAG_TRUST_CONFIG; + if ((http_flags & HTTP_FLAG_TRUST_DEF)) + validate_flags |= VALIDATE_FLAG_TRUST_HKP; + if ((http_flags & HTTP_FLAG_TRUST_SYS)) + validate_flags |= VALIDATE_FLAG_TRUST_SYSTEM; + + /* If HKP trust is requested and there are no HKP certificates + * configured, also try the standard system certificates. */ + if ((validate_flags & VALIDATE_FLAG_TRUST_HKP) + && !cert_cache_any_in_class (CERTTRUST_CLASS_HKP)) + validate_flags |= VALIDATE_FLAG_TRUST_SYSTEM; + } + + if ((http_flags & HTTP_FLAG_NO_CRL)) + validate_flags |= VALIDATE_FLAG_NOCRLCHECK; + + err = validate_cert_chain (ctrl, hostcert, NULL, validate_flags, NULL); + + leave: + ksba_cert_release (hostcert); + return err; +} + + +#else /*!HTTP_USE_NTBTLS*/ + +/* Dummy function used when not build without ntbtls support. */ +gpg_error_t +gnupg_http_tls_verify_cb (void *opaque, + http_t http, + http_session_t session, + unsigned int flags, + void *tls_context) +{ + (void)opaque; + (void)http; + (void)session; + (void)flags; + (void)tls_context; + return gpg_error (GPG_ERR_NOT_IMPLEMENTED); +} +#endif /*!HTTP_USE_NTBTLS*/ |