diff --git a/common/asshelp2.c b/common/asshelp2.c index 4aad8a242..3e45c6a6c 100644 --- a/common/asshelp2.c +++ b/common/asshelp2.c @@ -63,11 +63,15 @@ vprint_assuan_status (assuan_context_t ctx, const char *format, va_list arg_ptr) { int rc; + size_t n; char *buf; rc = gpgrt_vasprintf (&buf, format, arg_ptr); if (rc < 0) return gpg_err_make (default_errsource, gpg_err_code_from_syserror ()); + n = strlen (buf); + if (n && buf[n-1] == '\n') + buf[n-1] = 0; /* Strip trailing LF to avoid earning from Assuan */ rc = assuan_write_status (ctx, keyword, buf); xfree (buf); return rc; diff --git a/dirmngr/crlfetch.c b/dirmngr/crlfetch.c index b3fdc0cc6..2e0859861 100644 --- a/dirmngr/crlfetch.c +++ b/dirmngr/crlfetch.c @@ -147,6 +147,19 @@ my_es_read (void *opaque, char *buffer, size_t nbytes, size_t *nread) } +/* For now we do not support LDAP over Tor. */ +static gpg_error_t +no_crl_due_to_tor (ctrl_t ctrl) +{ + gpg_error_t err = gpg_error (GPG_ERR_NOT_SUPPORTED); + const char *text = _("CRL access not possible due to Tor mode"); + + log_error ("%s", text); + dirmngr_status_printf (ctrl, "NOTE", "no_crl_due_to_tor %u %s", err, text); + return gpg_error (GPG_ERR_NOT_SUPPORTED); +} + + /* Fetch CRL from URL and return the entire CRL using new ksba reader object in READER. Note that this reader object should be closed only using ldap_close_reader. */ @@ -233,9 +246,7 @@ crl_fetch (ctrl_t ctrl, const char *url, ksba_reader_t *reader) } else if (dirmngr_use_tor ()) { - /* For now we do not support LDAP over Tor. */ - log_error (_("CRL access not possible due to Tor mode\n")); - err = gpg_error (GPG_ERR_NOT_SUPPORTED); + err = no_crl_due_to_tor (ctrl); } else { 
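Review bot: Only a single trailing LF is stripped, so a format ending in "\n\n" or a translated message that carries an embedded LF still reaches assuan_write_status, which is presumably where the warning mentioned in the comment comes from (the comment's "earning" should read "warning"). Since the texts sent through this path in the other hunks are translatable strings, a loop is the safer form, `while (n && buf[n-1] == '\n') buf[--n] = 0;`, and any interior LF could be replaced by a space before the line is written. `n` could also be taken from the return value of gpgrt_vasprintf rather than a second strlen(). The closing brace of vprint_assuan_status lies outside the hunk.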
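Review bot: no_crl_due_to_tor already holds the error in `err` but rebuilds it on the return line; `return err;` keeps the value reported on the NOTE line and the returned value trivially identical, as the ocsp.c variant in this commit does. The header comment still says "LDAP over Tor" while the text and token say CRL, and later hunks call this same helper from ca_cert_fetch and start_cert_fetch, which fetch certificates rather than CRLs, so a comment such as `/* Log and report via a NOTE status line that LDAP based CRL and certificate fetching is disabled in Tor mode; always returns GPG_ERR_NOT_SUPPORTED. */` would be more accurate. The return value of dirmngr_status_printf is discarded, which seems acceptable since the function fails regardless, but a failed status write goes unlogged.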
@@ -259,9 +270,7 @@ crl_fetch_default (ctrl_t ctrl, const char *issuer, ksba_reader_t *reader) { if (dirmngr_use_tor ()) { - /* For now we do not support LDAP over Tor. */ - log_error (_("CRL access not possible due to Tor mode\n")); - return gpg_error (GPG_ERR_NOT_SUPPORTED); + return no_crl_due_to_tor (ctrl); } if (opt.disable_ldap) { @@ -291,9 +300,7 @@ ca_cert_fetch (ctrl_t ctrl, cert_fetch_context_t *context, const char *dn) { if (dirmngr_use_tor ()) { - /* For now we do not support LDAP over Tor. */ - log_error (_("CRL access not possible due to Tor mode\n")); - return gpg_error (GPG_ERR_NOT_SUPPORTED); + return no_crl_due_to_tor (ctrl); } if (opt.disable_ldap) { @@ -318,9 +325,7 @@ start_cert_fetch (ctrl_t ctrl, cert_fetch_context_t *context, { if (dirmngr_use_tor ()) { - /* For now we do not support LDAP over Tor. */ - log_error (_("CRL access not possible due to Tor mode\n")); - return gpg_error (GPG_ERR_NOT_SUPPORTED); + return no_crl_due_to_tor (ctrl); } if (opt.disable_ldap) { diff --git a/dirmngr/ks-engine-ldap.c b/dirmngr/ks-engine-ldap.c index e0f8e6f7c..dd796a326 100644 --- a/dirmngr/ks-engine-ldap.c +++ b/dirmngr/ks-engine-ldap.c @@ -847,6 +847,20 @@ extract_keys (estream_t output, es_fprintf (output, "INFO %s END\n", certid); } + +/* For now we do not support LDAP over Tor. */ +static gpg_error_t +no_ldap_due_to_tor (ctrl_t ctrl) +{ + gpg_error_t err = gpg_error (GPG_ERR_NOT_SUPPORTED); + const char *msg = _("LDAP access not possible due to Tor mode"); + + log_error ("%s", msg); + dirmngr_status_printf (ctrl, "NOTE", "no_ldap_due_to_tor %u %s", err, msg); + return gpg_error (GPG_ERR_NOT_SUPPORTED); +} + + /* Get the key described key the KEYSPEC string from the keyserver identified by URI. On success R_FP has an open stream to read the data. */ 
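Review bot: no_ldap_due_to_tor is a line-for-line copy of no_crl_due_to_tor in dirmngr/crlfetch.c, differing only in the NOTE token and the message text, and both rebuild the error on the return line although `err` already holds it. One shared helper in dirmngr taking the token and the text, e.g. `static gpg_error_t not_supported_in_tor_mode (ctrl_t ctrl, const char *token, const char *msg)`, would keep the copies from drifting apart; failing that, `return err;` is the simpler form here as well. The header comment could state the contract, e.g. `/* Log and emit a NOTE status line that LDAP keyserver access is disabled in Tor mode; always returns GPG_ERR_NOT_SUPPORTED. */`.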
@@ -869,9 +883,7 @@ ks_ldap_get (ctrl_t ctrl, parsed_uri_t uri, const char *keyspec, if (dirmngr_use_tor ()) { - /* For now we do not support LDAP over Tor. */ - log_error (_("LDAP access not possible due to Tor mode\n")); - return gpg_error (GPG_ERR_NOT_SUPPORTED); + return no_ldap_due_to_tor (ctrl); } /* Make sure we are talking to an OpenPGP LDAP server. */ @@ -1067,9 +1079,7 @@ ks_ldap_search (ctrl_t ctrl, parsed_uri_t uri, const char *pattern, if (dirmngr_use_tor ()) { - /* For now we do not support LDAP over Tor. */ - log_error (_("LDAP access not possible due to Tor mode\n")); - return gpg_error (GPG_ERR_NOT_SUPPORTED); + return no_ldap_due_to_tor (ctrl); } /* Make sure we are talking to an OpenPGP LDAP server. */ @@ -1959,9 +1969,7 @@ ks_ldap_put (ctrl_t ctrl, parsed_uri_t uri, if (dirmngr_use_tor ()) { - /* For now we do not support LDAP over Tor. */ - log_error (_("LDAP access not possible due to Tor mode\n")); - return gpg_error (GPG_ERR_NOT_SUPPORTED); + return no_ldap_due_to_tor (ctrl); } err = my_ldap_connect (uri, &ldap_conn, &basedn, NULL, NULL, &serverinfo); diff --git a/dirmngr/ocsp.c b/dirmngr/ocsp.c index 177bd67f8..f8b3e8c79 100644 --- a/dirmngr/ocsp.c +++ b/dirmngr/ocsp.c @@ -145,8 +145,11 @@ do_ocsp_request (ctrl_t ctrl, ksba_ocsp_t ocsp, { /* For now we do not allow OCSP via Tor due to possible privacy concerns. Needs further research. */ - log_error (_("OCSP request not possible due to Tor mode\n")); - return gpg_error (GPG_ERR_NOT_SUPPORTED); + const char *msg = _("OCSP request not possible due to Tor mode"); + err = gpg_error (GPG_ERR_NOT_SUPPORTED); + log_error ("%s", msg); + dirmngr_status_printf (ctrl, "NOTE", "no_ocsp_due_to_tor %u %s", err,msg); + return err; } if (opt.disable_http) diff --git a/sm/call-dirmngr.c b/sm/call-dirmngr.c index 9675d0404..5dd8a3938 100644 --- a/sm/call-dirmngr.c +++ b/sm/call-dirmngr.c 
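Review bot: Style: the argument list `err,msg` in the dirmngr_status_printf call lacks the space after the comma used everywhere else in the hunk, i.e. `dirmngr_status_printf (ctrl, "NOTE", "no_ocsp_due_to_tor %u %s", err, msg);`. This copy differs from the two helpers added in crlfetch.c and ks-engine-ldap.c in returning `err` rather than recomputing the error, which is the better form and could be applied to all three. `err` is assigned but not declared inside the block, so it presumably belongs to do_ocsp_request's outer scope, which starts outside the hunk.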
@@ -425,6 +425,51 @@ unhexify_fpr (const char *hexstr, unsigned char *fpr) } +/* This is a helper to print diagnostics from dirmngr indicated by + * WARNING or NOTE status lines. Returns true if the status LINE was + * processed. */ +static int +warning_and_note_printer (const char *line) +{ + const char *s, *s2; + const char *warn = NULL; + int is_note = 0; + + if ((s = has_leading_keyword (line, "WARNING"))) + ; + else if ((is_note = !!(s = has_leading_keyword (line, "NOTE")))) + ; + else + return 0; /* Nothing to process. */ + + if ((s2 = has_leading_keyword (s, "no_crl_due_to_tor")) + || (s2 = has_leading_keyword (s, "no_ldap_due_to_tor")) + || (s2 = has_leading_keyword (s, "no_ocsp_due_to_tor"))) + warn = _("Tor might be in use - network access is limited"); + else + warn = NULL; + + if (warn) + { + if (is_note) + log_info (_("Note: %s\n"), warn); + else + log_info (_("WARNING: %s\n"), warn); + if (s2) + { + while (*s2 && !spacep (s2)) + s2++; + while (*s2 && spacep (s2)) + s2++; + if (*s2) + gpgsm_print_further_info ("%s", s2); + } + } + + return 1; /* Status line processed. */ +} + + static gpg_error_t isvalid_status_cb (void *opaque, const char *line) { @@ -446,6 +491,10 @@ isvalid_status_cb (void *opaque, const char *line) if (!*s || !unhexify_fpr (s, parm->fpr)) parm->seen++; /* Bump it to indicate an error. */ } + else if (warning_and_note_printer (line)) + { + } + return 0; } @@ -722,6 +771,10 @@ lookup_status_cb (void *opaque, const char *line) gpgsm_status (parm->ctrl, STATUS_TRUNCATED, line); } } + else if (warning_and_note_printer (line)) + { + } + return 0; } @@ -969,6 +1022,10 @@ run_command_status_cb (void *opaque, const char *line) return gpg_error (GPG_ERR_ASS_CANCELED); } } + else if (warning_and_note_printer (line)) + { + } + return 0; } diff --git a/sm/gpgsm.h b/sm/gpgsm.h index 0eec0c025..bb32db3ed 100644 --- a/sm/gpgsm.h +++ b/sm/gpgsm.h 
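Review bot: A WARNING or NOTE line whose sub-token is not one of the three Tor tokens is consumed (the function returns 1) but nothing is printed, so any other diagnostic dirmngr sends through these keywords is silently dropped by gpgsm. A fallback on the `else` arm would avoid that at least in verbose mode, e.g. `else if (opt.verbose) log_info ("dirmngr %s: %s\n", is_note? "note":"warning", s);`, keeping the text behind "%s" as the existing gpgsm_print_further_info call does rather than using it as a format. The `else warn = NULL;` arm is redundant since `warn` is initialised to NULL. The doc comment could also spell out the contract: `/* Print diagnostics sent by dirmngr as WARNING or NOTE status lines. The token after the keyword selects the message, the next word (the error code) is skipped and the rest is shown as further info in verbose mode. Returns true if LINE was a WARNING or NOTE line, whether or not it was recognized. */`.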
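Review bot: The `else if (warning_and_note_printer (line)) { }` arm in isvalid_status_cb has an empty body, so the helper's return value is evaluated and discarded; `else warning_and_note_printer (line);` expresses the same without the empty braces, and the same shape is repeated in the lookup_status_cb and run_command_status_cb hunks below. If the empty body is meant as a hook for further `else if` arms, a one-line comment inside the braces, `/* Diagnostic printed; nothing else to do. */`, would make that intent explicit.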
@@ -489,6 +489,7 @@ int gpgsm_dirmngr_run_command (ctrl_t ctrl, const char *command, /*-- misc.c --*/ +void gpgsm_print_further_info (const char *format, ...) GPGRT_ATTR_PRINTF(1,2); void setup_pinentry_env (void); gpg_error_t transform_sigval (const unsigned char *sigval, size_t sigvallen, int mdalgo, diff --git a/sm/misc.c b/sm/misc.c index d4898202e..3fdfd769d 100644 --- a/sm/misc.c +++ b/sm/misc.c @@ -35,6 +35,27 @@ #include "../common/sexp-parse.h" +/* Print a message + * "(further info: %s)\n + * in verbose mode to further explain an error. That message is + * intended to help debug a problem and should not be translated. + */ +void +gpgsm_print_further_info (const char *format, ...) +{ + va_list arg_ptr; + + if (!opt.verbose) + return; + + log_info (_("(further info: ")); + va_start (arg_ptr, format); + log_logv (GPGRT_LOGLVL_CONT, format, arg_ptr); + va_end (arg_ptr); + log_printf (")\n"); +} + + /* Setup the environment so that the pinentry is able to get all required information. This is used prior to an exec of the protect-tool. */
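Review bot: The header comment of gpgsm_print_further_info says the message should not be translated, yet the label is emitted through `_("(further info: ")` while the caller-supplied text is the part printed untranslated via log_logv; the comment should say which half is meant, e.g. `/* Print "(further info: <text>)" in verbose mode to further explain an error. The label is translatable; FORMAT and its arguments are printed as given and are meant for debugging, so they should not be translated. */`. Because FORMAT goes straight to log_logv, callers must never pass text received from dirmngr as the format string; the call site in call-dirmngr.c correctly uses "%s", and the GPGRT_ATTR_PRINTF(1,2) on the prototype catches literal-format misuse at compile time, which is worth stating in the comment as well.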