1 /* ks-engine-http.c - HTTP OpenPGP key access
2 * Copyright (C) 2011 Free Software Foundation, Inc.
3 *
4 * This file is part of GnuPG.
5 *
6 * GnuPG is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * GnuPG is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <https://www.gnu.org/licenses/>.
18 */
19
20 #include <config.h>
21
22 #include <stdio.h>
23 #include <stdlib.h>
24 #include <string.h>
25 #include <assert.h>
26
27 #include "dirmngr.h"
28 #include "misc.h"
29 #include "ks-engine.h"
30
31 /* How many redirections do we allow. */
32 #define MAX_REDIRECTS 2
33
34 /* Print a help output for the schemata supported by this module. */
35 gpg_error_t
ks_http_help(ctrl_t ctrl,parsed_uri_t uri)36 ks_http_help (ctrl_t ctrl, parsed_uri_t uri)
37 {
38 const char data[] =
39 "Handler for HTTP URLs:\n"
40 " http://\n"
41 #if HTTP_USE_GNUTLS || HTTP_USE_NTBTLS
42 " https://\n"
43 #endif
44 "Supported methods: fetch\n";
45 gpg_error_t err;
46
47 #if HTTP_USE_GNUTLS || HTTP_USE_NTBTLS
48 const char data2[] = " http\n https";
49 #else
50 const char data2[] = " http";
51 #endif
52
53 if (!uri)
54 err = ks_print_help (ctrl, data2);
55 else if (uri->is_http && strcmp (uri->scheme, "hkp"))
56 err = ks_print_help (ctrl, data);
57 else
58 err = 0;
59
60 return err;
61 }
62
63
64 /* Get the key from URL which is expected to specify a http style
65 * scheme. On success R_FP has an open stream to read the data.
66 * Despite its name this function is also used to retrieve arbitrary
67 * data via https or http.
68 */
69 gpg_error_t
ks_http_fetch(ctrl_t ctrl,const char * url,unsigned int flags,estream_t * r_fp)70 ks_http_fetch (ctrl_t ctrl, const char *url, unsigned int flags,
71 estream_t *r_fp)
72 {
73 gpg_error_t err;
74 http_session_t session = NULL;
75 unsigned int session_flags;
76 http_t http = NULL;
77 http_redir_info_t redirinfo = { MAX_REDIRECTS };
78 estream_t fp = NULL;
79 char *request_buffer = NULL;
80 parsed_uri_t uri = NULL;
81 parsed_uri_t helpuri = NULL;
82
83 err = http_parse_uri (&uri, url, 0);
84 if (err)
85 goto leave;
86 redirinfo.ctrl = ctrl;
87 redirinfo.orig_url = url;
88 redirinfo.orig_onion = uri->onion;
89 redirinfo.orig_https = uri->use_tls;
90 redirinfo.allow_downgrade = !!(flags & KS_HTTP_FETCH_ALLOW_DOWNGRADE);
91
92 /* By default we only use the system provided certificates with this
93 * fetch command. */
94 session_flags = HTTP_FLAG_TRUST_SYS;
95 if ((flags & KS_HTTP_FETCH_NO_CRL) || ctrl->http_no_crl)
96 session_flags |= HTTP_FLAG_NO_CRL;
97 if ((flags & KS_HTTP_FETCH_TRUST_CFG))
98 session_flags |= HTTP_FLAG_TRUST_CFG;
99
100 once_more:
101 err = http_session_new (&session, NULL, session_flags,
102 gnupg_http_tls_verify_cb, ctrl);
103 if (err)
104 goto leave;
105 http_session_set_log_cb (session, cert_log_cb);
106 http_session_set_timeout (session, ctrl->timeout);
107
108 *r_fp = NULL;
109 err = http_open (ctrl, &http,
110 HTTP_REQ_GET,
111 url,
112 /* httphost */ NULL,
113 /* fixme: AUTH */ NULL,
114 ((opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0)
115 | (DBG_LOOKUP? HTTP_FLAG_LOG_RESP:0)
116 | (dirmngr_use_tor ()? HTTP_FLAG_FORCE_TOR:0)
117 | (opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)
118 | (opt.disable_ipv6? HTTP_FLAG_IGNORE_IPv6 : 0)),
119 ctrl->http_proxy,
120 session,
121 NULL,
122 /*FIXME curl->srvtag*/NULL);
123 if (!err)
124 {
125 fp = http_get_write_ptr (http);
126 /* Avoid caches to get the most recent copy of the key. We set
127 * both the Pragma and Cache-Control versions of the header, so
128 * we're good with both HTTP 1.0 and 1.1. */
129 if ((flags & KS_HTTP_FETCH_NOCACHE))
130 es_fputs ("Pragma: no-cache\r\n"
131 "Cache-Control: no-cache\r\n", fp);
132 http_start_data (http);
133 if (es_ferror (fp))
134 err = gpg_error_from_syserror ();
135 }
136 if (err)
137 {
138 log_error (_("error connecting to '%s': %s\n"),
139 url, gpg_strerror (err));
140 if (gpg_err_code (err) == GPG_ERR_WRONG_NAME
141 && gpg_err_source (err) == GPG_ERR_SOURCE_TLS)
142 {
143 const char *errhostname;
144
145 http_release_parsed_uri (helpuri);
146 if (http_parse_uri (&helpuri, url, 0))
147 errhostname = url; /* On parse error we use the full URL. */
148 else
149 errhostname = helpuri->host? helpuri->host : "?";
150
151 dirmngr_status_printf (ctrl, "NOTE",
152 "tls_cert_error %u"
153 " bad cert for '%s': %s",
154 err, errhostname,
155 "Hostname does not match the certificate");
156 }
157 goto leave;
158 }
159
160 /* Wait for the response. */
161 dirmngr_tick (ctrl);
162 err = http_wait_response (http);
163 if (err)
164 {
165 log_error (_("error reading HTTP response for '%s': %s\n"),
166 url, gpg_strerror (err));
167 goto leave;
168 }
169
170 switch (http_get_status_code (http))
171 {
172 case 200:
173 err = 0;
174 break; /* Success. */
175
176 case 301:
177 case 302:
178 case 307:
179 {
180 xfree (request_buffer);
181 err = http_prepare_redirect (&redirinfo, http_get_status_code (http),
182 http_get_header (http, "Location"),
183 &request_buffer);
184 if (err)
185 goto leave;
186
187 url = request_buffer;
188 http_close (http, 0);
189 http = NULL;
190 http_session_release (session);
191 session = NULL;
192 }
193 goto once_more;
194
195 case 413: /* Payload too large */
196 err = gpg_error (GPG_ERR_TOO_LARGE);
197 goto leave;
198
199 default:
200 log_error (_("error accessing '%s': http status %u\n"),
201 url, http_get_status_code (http));
202 err = gpg_error (GPG_ERR_NO_DATA);
203 goto leave;
204 }
205
206 fp = http_get_read_ptr (http);
207 if (!fp)
208 {
209 err = gpg_error (GPG_ERR_BUG);
210 goto leave;
211 }
212
213 /* Return the read stream and close the HTTP context. */
214 *r_fp = fp;
215 http_close (http, 1);
216 http = NULL;
217
218 leave:
219 http_close (http, 0);
220 http_session_release (session);
221 xfree (request_buffer);
222 http_release_parsed_uri (uri);
223 http_release_parsed_uri (helpuri);
224 return err;
225 }
226