dirmngr: Implement CRL fetching via https.
authorWerner Koch <wk@gnupg.org>
Wed, 25 Apr 2018 07:43:18 +0000 (09:43 +0200)
committerWerner Koch <wk@gnupg.org>
Wed, 25 Apr 2018 10:38:04 +0000 (12:38 +0200)
commit705d8e9cf0d109005b3441766270c0e584f7847d
treeb769b80d79627d283e9ce834e4f55b16fc700145
parent71903eee89496e3f1d0a24536bced6ff16df6783
dirmngr: Implement CRL fetching via https.

* dirmngr/http.h (HTTP_FLAG_TRUST_CFG): New flag.
* dirmngr/http.c (http_register_cfg_ca): New.
(http_session_new) [HTTP_USE_GNUTLS]: Implement new trust flag.
* dirmngr/certcache.c (load_certs_from_dir): Call new function.
(cert_cache_deinit): Ditto.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Ditto.
* dirmngr/ks-engine-http.c (ks_http_fetch): Add new args
'send_no_cache' and 'extra_http_trust_flags'.  Change all callers to
provide the default value.
* dirmngr/crlfetch.c (crl_fetch): Rewrite to make use of
ks_http_fetch.
--

The old code simply did not use https for downloading of CRLS.
Instead it rewrote https to http under the assumption that the CRL
service was also available without encryption.  Note that a CRL is
self-standing and thus it does not need to have extra authenticity as
provided by TLS.  These days we should not use any unencrypted content
and thus this patch.

Be aware that cacert.org give a https CRL DP but that currently
redirects to to http!  This is a downgrade attack which we detect and
don't allow.  The outcome is that it is right now not possible to use
CAcert certificates.

Signed-off-by: Werner Koch <wk@gnupg.org>
dirmngr/certcache.c
dirmngr/crlfetch.c
dirmngr/http-ntbtls.c
dirmngr/http.c
dirmngr/http.h
dirmngr/ks-action.c
dirmngr/ks-engine-http.c
dirmngr/ks-engine.h
dirmngr/loadswdb.c
dirmngr/server.c