dirmngr: Allow redirection from https to http for CRLs
authorWerner Koch <wk@gnupg.org>
Wed, 25 Apr 2018 10:37:34 +0000 (12:37 +0200)
committerWerner Koch <wk@gnupg.org>
Wed, 25 Apr 2018 10:38:04 +0000 (12:38 +0200)
* dirmngr/ks-engine.h (KS_HTTP_FETCH_NOCACHE): New flag.
(KS_HTTP_FETCH_TRUST_CFG): Ditto.
(KS_HTTP_FETCH_NO_CRL): Ditto.
(KS_HTTP_FETCH_ALLOW_DOWNGRADE): Ditto.
* dirmngr/ks-engine-http.c (ks_http_fetch): Replace args send_no_cache
and extra_http_trust_flags by a new flags arg.  Allow redirectiong
from https to http it KS_HTTP_FETCH_ALLOW_DOWNGRADE is set.
* dirmngr/loadswdb.c (fetch_file): Call with KS_HTTP_FETCH_NOCACHE.
* dirmngr/ks-action.c (ks_action_get): Ditto.
(ks_action_fetch): Ditto.
* dirmngr/crlfetch.c (crl_fetch): Call with the appropriate flags.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
dirmngr/crlfetch.c
dirmngr/ks-action.c
dirmngr/ks-engine-http.c
dirmngr/ks-engine.h
dirmngr/loadswdb.c

index 0d27aa0..57ac51b 100644 (file)
@@ -175,11 +175,14 @@ crl_fetch (ctrl_t ctrl, const char *url, ksba_reader_t *reader)
       else
         {
           /* Note that we also allow root certificates loaded from
-           * "/etc/gnupg/trusted-certs/".  We also do not consult
-           * the CRL for the TLS connection - that may lwad to a
-           * loop.  */
-          err = ks_http_fetch (ctrl, url, 0,
-                               (HTTP_FLAG_TRUST_CFG | HTTP_FLAG_NO_CRL),
+           * "/etc/gnupg/trusted-certs/".  We also do not consult the
+           * CRL for the TLS connection - that may lead to a loop.
+           * Due to cacert.org redirecting their https URL to http we
+           * also allow such a downgrade.  */
+          err = ks_http_fetch (ctrl, url,
+                               (KS_HTTP_FETCH_TRUST_CFG
+                                | KS_HTTP_FETCH_NO_CRL
+                                | KS_HTTP_FETCH_ALLOW_DOWNGRADE ),
                                &httpfp);
         }
 
index eb15e40..c1ecafb 100644 (file)
@@ -257,7 +257,8 @@ ks_action_get (ctrl_t ctrl, uri_item_t keyservers,
               if (is_hkp_s)
                 err = ks_hkp_get (ctrl, uri->parsed_uri, sl->d, &infp);
               else if (is_http_s)
-                err = ks_http_fetch (ctrl, uri->parsed_uri->original, 1, 0,
+                err = ks_http_fetch (ctrl, uri->parsed_uri->original,
+                                     KS_HTTP_FETCH_NOCACHE,
                                      &infp);
               else
                 BUG ();
@@ -315,7 +316,7 @@ ks_action_fetch (ctrl_t ctrl, const char *url, estream_t outfp)
 
   if (parsed_uri->is_http)
     {
-      err = ks_http_fetch (ctrl, url, 1, 0, &infp);
+      err = ks_http_fetch (ctrl, url, KS_HTTP_FETCH_NOCACHE, &infp);
       if (!err)
         {
           err = copy_stream (infp, outfp);
index a035803..946c927 100644 (file)
@@ -67,11 +67,12 @@ ks_http_help (ctrl_t ctrl, parsed_uri_t uri)
  * data via https or http.
  */
 gpg_error_t
-ks_http_fetch (ctrl_t ctrl, const char *url, int send_no_cache,
-               unsigned int extra_http_trust_flags, estream_t *r_fp)
+ks_http_fetch (ctrl_t ctrl, const char *url, unsigned int flags,
+               estream_t *r_fp)
 {
   gpg_error_t err;
   http_session_t session = NULL;
+  unsigned int session_flags;
   http_t http = NULL;
   int redirects_left = MAX_REDIRECTS;
   estream_t fp = NULL;
@@ -85,14 +86,16 @@ ks_http_fetch (ctrl_t ctrl, const char *url, int send_no_cache,
   is_onion = uri->onion;
   is_https = uri->use_tls;
 
- once_more:
   /* By default we only use the system provided certificates with this
-   * fetch command.  However, EXTRA_HTTP_FLAGS can be used to add more
-   * flags. */
-  err = http_session_new (&session, NULL,
-                          ((ctrl->http_no_crl? HTTP_FLAG_NO_CRL : 0)
-                           | HTTP_FLAG_TRUST_SYS
-                           | extra_http_trust_flags),
+   * fetch command.  */
+  session_flags = HTTP_FLAG_TRUST_SYS;
+  if ((flags & KS_HTTP_FETCH_NO_CRL) || ctrl->http_no_crl)
+    session_flags |= HTTP_FLAG_NO_CRL;
+  if ((flags & KS_HTTP_FETCH_TRUST_CFG))
+    session_flags |= HTTP_FLAG_TRUST_CFG;
+
+ once_more:
+  err = http_session_new (&session, NULL, session_flags,
                           gnupg_http_tls_verify_cb, ctrl);
   if (err)
     goto leave;
@@ -120,7 +123,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, int send_no_cache,
       /* Avoid caches to get the most recent copy of the key.  We set
        * both the Pragma and Cache-Control versions of the header, so
        * we're good with both HTTP 1.0 and 1.1.  */
-      if (send_no_cache)
+      if ((flags & KS_HTTP_FETCH_NOCACHE))
         es_fputs ("Pragma: no-cache\r\n"
                   "Cache-Control: no-cache\r\n", fp);
       http_start_data (http);
@@ -172,7 +175,13 @@ ks_http_fetch (ctrl_t ctrl, const char *url, int send_no_cache,
                 if (err)
                   goto leave;
 
-                if ((is_onion && ! uri->onion) || (is_https && ! uri->use_tls))
+                if (is_onion && !uri->onion)
+                  {
+                    err = gpg_error (GPG_ERR_FORBIDDEN);
+                    goto leave;
+                  }
+                if (!(flags & KS_HTTP_FETCH_ALLOW_DOWNGRADE)
+                    && is_https && !uri->use_tls)
                   {
                     err = gpg_error (GPG_ERR_FORBIDDEN);
                     goto leave;
index ce51141..d28c6ab 100644 (file)
@@ -41,9 +41,15 @@ gpg_error_t ks_hkp_put (ctrl_t ctrl, parsed_uri_t uri,
                         const void *data, size_t datalen);
 
 /*-- ks-engine-http.c --*/
+
+/* Flags for the ks_http_fetch.  */
+#define KS_HTTP_FETCH_NOCACHE         1  /* Request no caching.  */
+#define KS_HTTP_FETCH_TRUST_CFG       2  /* Requests HTTP_FLAG_TRUST_CFG.  */
+#define KS_HTTP_FETCH_NO_CRL          4  /* Requests HTTP_FLAG_NO_CRL.     */
+#define KS_HTTP_FETCH_ALLOW_DOWNGRADE 8  /* Allow redirect https -> http.  */
+
 gpg_error_t ks_http_help (ctrl_t ctrl, parsed_uri_t uri);
-gpg_error_t ks_http_fetch (ctrl_t ctrl, const char *url, int send_no_cache,
-                           unsigned int extra_http_trust_flags,
+gpg_error_t ks_http_fetch (ctrl_t ctrl, const char *url, unsigned int flags,
                            estream_t *r_fp);
 
 
index dfa0273..fb88372 100644 (file)
@@ -126,7 +126,7 @@ fetch_file (ctrl_t ctrl, const char *url, estream_t *r_fp)
   size_t nread, nwritten;
   char buffer[1024];
 
-  if ((err = ks_http_fetch (ctrl, url, 1, 0, &httpfp)))
+  if ((err = ks_http_fetch (ctrl, url, KS_HTTP_FETCH_NOCACHE, &httpfp)))
     goto leave;
 
   /* We now read the data from the web server into a memory buffer.