[gmime] Added support for disabling online certificate checks
- From: Jeffrey Stedfast <fejj src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gmime] Added support for disabling online certificate checks
- Date: Mon, 21 May 2018 23:52:45 +0000 (UTC)
commit 57d16f7ca9ff76e2c46c518db43b6822a2ea075a
Author: Jeffrey Stedfast <jestedfa microsoft com>
Date: Sat May 19 14:33:46 2018 -0400
Added support for disabling online certificate checks
Addresses privacy concerns published at https://efail.de
regarding CRL and OCSP status check backchannels.
gmime/gmime-crypto-context.h | 12 +++++++++---
gmime/gmime-gpgme-utils.c | 10 ++++++++--
2 files changed, 17 insertions(+), 5 deletions(-)
---
diff --git a/gmime/gmime-crypto-context.h b/gmime/gmime-crypto-context.h
index d44e912..991cc69 100644
--- a/gmime/gmime-crypto-context.h
+++ b/gmime/gmime-crypto-context.h
@@ -80,12 +80,16 @@ typedef GMimeCryptoContext * (* GMimeCryptoContextNewFunc) (void);
* GMimeDecryptFlags:
* @GMIME_DECRYPT_NONE: No flags specified.
* @GMIME_DECRYPT_EXPORT_SESSION_KEY: Export the decryption session-key
+ * @GMIME_DECRYPT_DISABLE_ONLINE_CERTIFICATE_CHECKS: Disable CRL and OCSP checks that require network
lookups.
*
* Decryption flags.
**/
typedef enum {
- GMIME_DECRYPT_NONE = 0,
- GMIME_DECRYPT_EXPORT_SESSION_KEY = 1 << 0,
+ GMIME_DECRYPT_NONE = 0,
+ GMIME_DECRYPT_EXPORT_SESSION_KEY = 1 << 0,
+
+ /* Note: these values must stay in sync with GMimeVerifyFlags */
+ GMIME_DECRYPT_DISABLE_ONLINE_CERTIFICATE_CHECKS = 1 << 15
} GMimeDecryptFlags;
@@ -111,11 +115,13 @@ typedef enum {
/**
* GMimeVerifyFlags:
* @GMIME_VERIFY_NONE: No flags specified.
+ * @GMIME_VERIFY_DISABLE_ONLINE_CERTIFICATE_CHECKS: Disable CRL and OCSP checks that require network lookups.
*
* Signature verification flags.
**/
typedef enum {
- GMIME_VERIFY_NONE = 0
+ GMIME_VERIFY_NONE = 0,
+ GMIME_VERIFY_DISABLE_ONLINE_CERTIFICATE_CHECKS = 1 << 15,
} GMimeVerifyFlags;
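Review bot: `GMIME_VERIFY_DISABLE_ONLINE_CERTIFICATE_CHECKS = 1 << 15` carries no sync note, although the GMimeDecryptFlags hunk above says the two enums must stay in sync; someone editing GMimeVerifyFlags alone has no way to know that. Mirror the comment here: `/* Note: these values must stay in sync with GMimeDecryptFlags */`. The trailing comma after the last enumerator is also inconsistent with GMimeDecryptFlags, which has none, and is only valid from C99 on.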
diff --git a/gmime/gmime-gpgme-utils.c b/gmime/gmime-gpgme-utils.c
index 280b92a..4866405 100644
--- a/gmime/gmime-gpgme-utils.c
+++ b/gmime/gmime-gpgme-utils.c
@@ -438,6 +438,8 @@ g_mime_gpgme_verify (gpgme_ctx_t ctx, GMimeVerifyFlags flags, GMimeStream *istre
return NULL;
}
+ gpgme_set_offline (ctx, (flags & GMIME_VERIFY_DISABLE_ONLINE_CERTIFICATE_CHECKS) == 0);
+
error = gpgme_op_verify (ctx, sig, signed_text, plain);
if (signed_text)
gpgme_data_release (signed_text);
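Review bot: The offline switch is inverted: gpgme_set_offline() enables offline mode when its second argument is non-zero, but `(flags & GMIME_VERIFY_DISABLE_ONLINE_CERTIFICATE_CHECKS) == 0` is non-zero exactly when the caller did not ask to disable online checks. As written, every default verification runs offline, and a caller who sets the flag to avoid the CRL/OCSP backchannel gets network lookups turned on, the opposite of what the commit message describes. Change the line to `gpgme_set_offline (ctx, (flags & GMIME_VERIFY_DISABLE_ONLINE_CERTIFICATE_CHECKS) != 0);`. g_mime_gpgme_verify begins and continues outside this hunk.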
@@ -600,10 +602,14 @@ g_mime_gpgme_decrypt (gpgme_ctx_t ctx, GMimeDecryptFlags flags, const char *sess
#endif
/* decrypt the input stream */
- if (gpgme_get_protocol (ctx) == GPGME_PROTOCOL_OpenPGP)
+ if (gpgme_get_protocol (ctx) == GPGME_PROTOCOL_OpenPGP) {
+ /* Note: not currently supported for OpenPGP */
+ /*gpgme_set_offline (ctx, (flags & GMIME_DECRYPT_DISABLE_KEYSERVER_LOOKUPS) == 0);*/
+
error = gpgme_op_decrypt_verify (ctx, input, output);
- else
+ } else {
error = gpgme_op_decrypt (ctx, input, output);
+ }
#if GPGME_VERSION_NUMBER >= 0x010800
if (flags & GMIME_DECRYPT_EXPORT_SESSION_KEY)
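Review bot: The commented-out line references `GMIME_DECRYPT_DISABLE_KEYSERVER_LOOKUPS`, a name the header hunk does not define, and neither branch of the new if/else consults GMIME_DECRYPT_DISABLE_ONLINE_CERTIFICATE_CHECKS even though the header now documents it as a decryption flag. Unless the flag is applied elsewhere in the function (outside this hunk), it is a silent no-op for decryption and callers setting it get no protection. Suggest dropping the dead line and either calling `gpgme_set_offline (ctx, (flags & GMIME_DECRYPT_DISABLE_ONLINE_CERTIFICATE_CHECKS) != 0);` before the protocol branch or documenting in the header that the flag currently affects verification only. g_mime_gpgme_decrypt continues past the end of the hunk.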