[gmime] Added support for disabling online certificate checks

From: Jeffrey Stedfast <fejj src gnome org>
To: commits-list gnome org
Cc:
Subject: [gmime] Added support for disabling online certificate checks
Date: Mon, 21 May 2018 23:52:45 +0000 (UTC)
commit 57d16f7ca9ff76e2c46c518db43b6822a2ea075a
Author: Jeffrey Stedfast <jestedfa microsoft com>
Date:   Sat May 19 14:33:46 2018 -0400

    Added support for disabling online certificate checks
    
    Addresses privacy concerns published at https://efail.de
    regarding CRL and OCSP status check backchannels.

 gmime/gmime-crypto-context.h |   12 +++++++++---
 gmime/gmime-gpgme-utils.c    |   10 ++++++++--
 2 files changed, 17 insertions(+), 5 deletions(-)
---
diff --git a/gmime/gmime-crypto-context.h b/gmime/gmime-crypto-context.h
index d44e912..991cc69 100644
--- a/gmime/gmime-crypto-context.h
+++ b/gmime/gmime-crypto-context.h
@@ -80,12 +80,16 @@ typedef GMimeCryptoContext * (* GMimeCryptoContextNewFunc) (void);
  * GMimeDecryptFlags:
  * @GMIME_DECRYPT_NONE: No flags specified.
  * @GMIME_DECRYPT_EXPORT_SESSION_KEY: Export the decryption session-key
+ * @GMIME_DECRYPT_DISABLE_ONLINE_CERTIFICATE_CHECKS: Disable CRL and OCSP checks that require network 
lookups.
  *
  * Decryption flags.
  **/
 typedef enum {
-       GMIME_DECRYPT_NONE               = 0,
-       GMIME_DECRYPT_EXPORT_SESSION_KEY = 1 << 0,
+       GMIME_DECRYPT_NONE                              = 0,
+       GMIME_DECRYPT_EXPORT_SESSION_KEY                = 1 << 0,
+
+       /* Note: these values must stay in sync with GMimeVerifyFlags */
+       GMIME_DECRYPT_DISABLE_ONLINE_CERTIFICATE_CHECKS = 1 << 15
 } GMimeDecryptFlags;
 
 
@@ -111,11 +115,13 @@ typedef enum {
 /**
  * GMimeVerifyFlags:
  * @GMIME_VERIFY_NONE: No flags specified.
+ * @GMIME_VERIFY_DISABLE_ONLINE_CERTIFICATE_CHECKS: Disable CRL and OCSP checks that require network lookups.
  *
  * Signature verification flags.
  **/
 typedef enum {
-       GMIME_VERIFY_NONE           = 0
+       GMIME_VERIFY_NONE                              = 0,
+       GMIME_VERIFY_DISABLE_ONLINE_CERTIFICATE_CHECKS = 1 << 15,
 } GMimeVerifyFlags;
 
 
diff --git a/gmime/gmime-gpgme-utils.c b/gmime/gmime-gpgme-utils.c
index 280b92a..4866405 100644
--- a/gmime/gmime-gpgme-utils.c
+++ b/gmime/gmime-gpgme-utils.c
@@ -438,6 +438,8 @@ g_mime_gpgme_verify (gpgme_ctx_t ctx, GMimeVerifyFlags flags, GMimeStream *istre
                return NULL;
        }
        
+       gpgme_set_offline (ctx, (flags & GMIME_VERIFY_DISABLE_ONLINE_CERTIFICATE_CHECKS) == 0);
+       
        error = gpgme_op_verify (ctx, sig, signed_text, plain);
        if (signed_text)
                gpgme_data_release (signed_text);
@@ -600,10 +602,14 @@ g_mime_gpgme_decrypt (gpgme_ctx_t ctx, GMimeDecryptFlags flags, const char *sess
 #endif
        
        /* decrypt the input stream */
-       if (gpgme_get_protocol (ctx) == GPGME_PROTOCOL_OpenPGP)
+       if (gpgme_get_protocol (ctx) == GPGME_PROTOCOL_OpenPGP) {
+               /* Note: not currently supported for OpenPGP */
+               /*gpgme_set_offline (ctx, (flags & GMIME_DECRYPT_DISABLE_KEYSERVER_LOOKUPS) == 0);*/
+               
                error = gpgme_op_decrypt_verify (ctx, input, output);
-       else
+       } else {
                error = gpgme_op_decrypt (ctx, input, output);
+       }
        
 #if GPGME_VERSION_NUMBER >= 0x010800
        if (flags & GMIME_DECRYPT_EXPORT_SESSION_KEY)
[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]