[gmime] Added ENABLE_KEYSERVER_LOOKUPS and flip the logic
- From: Jeffrey Stedfast <fejj src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gmime] Added ENABLE_KEYSERVER_LOOKUPS and flip the logic
- Date: Mon, 21 May 2018 23:53:05 +0000 (UTC)
commit f1123691ba3110f3c945a3c6cf1a5128d6ab7dc3
Author: Jeffrey Stedfast <jestedfa microsoft com>
Date: Mon May 21 19:44:18 2018 -0400
Added ENABLE_KEYSERVER_LOOKUPS and flip the logic
Clients that wish to enable online certificate and/or
keyserver lookups now need to explicitly enable this
functionality.
These changes are designed to make it more difficult
for clients to be susceptible to Efail privacy exploits.
gmime/gmime-crypto-context.h | 20 ++++++++++++--------
gmime/gmime-gpgme-utils.c | 5 ++---
2 files changed, 14 insertions(+), 11 deletions(-)
---
diff --git a/gmime/gmime-crypto-context.h b/gmime/gmime-crypto-context.h
index 991cc69..5089aea 100644
--- a/gmime/gmime-crypto-context.h
+++ b/gmime/gmime-crypto-context.h
@@ -79,17 +79,19 @@ typedef GMimeCryptoContext * (* GMimeCryptoContextNewFunc) (void);
/**
* GMimeDecryptFlags:
* @GMIME_DECRYPT_NONE: No flags specified.
- * @GMIME_DECRYPT_EXPORT_SESSION_KEY: Export the decryption session-key
- * @GMIME_DECRYPT_DISABLE_ONLINE_CERTIFICATE_CHECKS: Disable CRL and OCSP checks that require network
lookups.
+ * @GMIME_DECRYPT_EXPORT_SESSION_KEY: Export the decryption session-key.
+ * @GMIME_DECRYPT_ENABLE_KEYSERVER_LOOKUPS: Enable OpenPGP keyserver lookups.
+ * @GMIME_DECRYPT_ENABLE_ONLINE_CERTIFICATE_CHECKS: Enable CRL and OCSP checks that require network lookups.
*
* Decryption flags.
**/
typedef enum {
- GMIME_DECRYPT_NONE = 0,
- GMIME_DECRYPT_EXPORT_SESSION_KEY = 1 << 0,
+ GMIME_DECRYPT_NONE = 0,
+ GMIME_DECRYPT_EXPORT_SESSION_KEY = 1 << 0,
/* Note: these values must stay in sync with GMimeVerifyFlags */
- GMIME_DECRYPT_DISABLE_ONLINE_CERTIFICATE_CHECKS = 1 << 15
+ GMIME_DECRYPT_ENABLE_KEYSERVER_LOOKUPS = 1 << 15,
+ GMIME_DECRYPT_ENABLE_ONLINE_CERTIFICATE_CHECKS = 1 << 15
} GMimeDecryptFlags;
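Review bot: `GMIME_DECRYPT_ENABLE_KEYSERVER_LOOKUPS` and `GMIME_DECRYPT_ENABLE_ONLINE_CERTIFICATE_CHECKS` are both defined as `1 << 15`, so a client cannot opt in to one kind of network access without also opting in to the other, while the gtk-doc block presents them as two independent flags. The same holds for the two `GMIME_VERIFY_ENABLE_*` enumerators in the next hunk. For a change whose purpose is to make network lookups an explicit opt-in, either give the flags distinct bits or state the aliasing in the doc comment, e.g. `* Note: ENABLE_KEYSERVER_LOOKUPS and ENABLE_ONLINE_CERTIFICATE_CHECKS currently share one bit; setting either enables both.` The existing "must stay in sync with GMimeVerifyFlags" comment would then need to cover both names as well.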
@@ -115,13 +117,15 @@ typedef enum {
/**
* GMimeVerifyFlags:
* @GMIME_VERIFY_NONE: No flags specified.
- * @GMIME_VERIFY_DISABLE_ONLINE_CERTIFICATE_CHECKS: Disable CRL and OCSP checks that require network lookups.
+ * @GMIME_VERIFY_ENABLE_KEYSERVER_LOOKUPS: Enable OpenPGP keyserver lookups.
+ * @GMIME_VERIFY_ENABLE_ONLINE_CERTIFICATE_CHECKS: Enable CRL and OCSP checks that require network lookups.
*
* Signature verification flags.
**/
typedef enum {
- GMIME_VERIFY_NONE = 0,
- GMIME_VERIFY_DISABLE_ONLINE_CERTIFICATE_CHECKS = 1 << 15,
+ GMIME_VERIFY_NONE = 0,
+ GMIME_VERIFY_ENABLE_KEYSERVER_LOOKUPS = 1 << 15,
+ GMIME_VERIFY_ENABLE_ONLINE_CERTIFICATE_CHECKS = 1 << 15
} GMimeVerifyFlags;
diff --git a/gmime/gmime-gpgme-utils.c b/gmime/gmime-gpgme-utils.c
index 4866405..6d8ce13 100644
--- a/gmime/gmime-gpgme-utils.c
+++ b/gmime/gmime-gpgme-utils.c
@@ -438,7 +438,7 @@ g_mime_gpgme_verify (gpgme_ctx_t ctx, GMimeVerifyFlags flags, GMimeStream *istre
return NULL;
}
- gpgme_set_offline (ctx, (flags & GMIME_VERIFY_DISABLE_ONLINE_CERTIFICATE_CHECKS) == 0);
+ gpgme_set_offline (ctx, (flags & GMIME_VERIFY_ENABLE_ONLINE_CERTIFICATE_CHECKS) == 0);
error = gpgme_op_verify (ctx, sig, signed_text, plain);
if (signed_text)
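Review bot: The test on the added line names only `GMIME_VERIFY_ENABLE_ONLINE_CERTIFICATE_CHECKS`, and the visible lines do not branch on protocol, so OpenPGP verification honours `GMIME_VERIFY_ENABLE_KEYSERVER_LOOKUPS` only because both enumerators happen to be `1 << 15`. Testing the combined mask keeps the offline-by-default behaviour correct if the bits are ever separated: `gpgme_set_offline (ctx, (flags & (GMIME_VERIFY_ENABLE_KEYSERVER_LOOKUPS | GMIME_VERIFY_ENABLE_ONLINE_CERTIFICATE_CHECKS)) == 0);`. The body of g_mime_gpgme_verify starts and ends outside this hunk, so a protocol check elsewhere in it would not be visible here.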
@@ -603,8 +603,7 @@ g_mime_gpgme_decrypt (gpgme_ctx_t ctx, GMimeDecryptFlags flags, const char *sess
/* decrypt the input stream */
if (gpgme_get_protocol (ctx) == GPGME_PROTOCOL_OpenPGP) {
- /* Note: not currently supported for OpenPGP */
- /*gpgme_set_offline (ctx, (flags & GMIME_DECRYPT_DISABLE_KEYSERVER_LOOKUPS) == 0);*/
+ gpgme_set_offline (ctx, (flags & GMIME_DECRYPT_ENABLE_KEYSERVER_LOOKUPS) == 0);
error = gpgme_op_decrypt_verify (ctx, input, output);
} else {
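Review bot: The removed comment said offline mode was not supported for OpenPGP, and nothing in this hunk shows what makes `gpgme_set_offline` effective for that protocol now, so leaving the flag unset may not actually stop gpg from contacting a keyserver. If the GPGME version in use applies offline mode only to CMS, a user's gpg configuration with automatic key retrieval would presumably still trigger lookups during `gpgme_op_decrypt_verify`, which is the network side channel this commit is meant to close. It is worth confirming the behaviour against the GPGME documentation for the minimum supported version. If the limitation remains, keep a comment such as `/* Note: GPGME may ignore offline mode for OpenPGP; keyserver lookups can still depend on the user's gpg configuration */`, or control retrieval explicitly through `gpgme_set_ctx_flag` (the `auto-key-retrieve` flag, where the GPGME version provides it). The body of g_mime_gpgme_decrypt continues outside the hunk.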