sm: Print diagnostic about CRL problems due to Tor mode.

* dirmngr/crlfetch.c (crl_fetch, crl_fetch_default)
(ca_cert_fetch, start_cert_fetch): Factor Tor error out to ...
(no_crl_due_to_tor): new.  Print status note.

* dirmngr/ks-engine-ldap.c (ks_ldap_get)
(ks_ldap_search, ks_ldap_put): Factor Tor error out to ...
(no_ldap_due_to_tor): new.  Print status note.

* dirmngr/ocsp.c (do_ocsp_request): Print status note.
* sm/misc.c (gpgsm_print_further_info): New.
* sm/call-dirmngr.c (warning_and_note_printer): New.
(isvalid_status_cb): Call it.
(lookup_status_cb): Ditto.
(run_command_status_cb): Ditto.

* common/asshelp2.c (vprint_assuan_status): Strip a possible trailing
LF.

--

common/asshelp2.c

@@ -63,11 +63,15 @@ vprint_assuan_status (assuan_context_t ctx,
                       const char *format, va_list arg_ptr)
 {
   int rc;
+  size_t n;
   char *buf;
 
   rc = gpgrt_vasprintf (&buf, format, arg_ptr);
   if (rc < 0)
     return gpg_err_make (default_errsource, gpg_err_code_from_syserror ());
+  n = strlen (buf);
+  if (n && buf[n-1] == '\n')
+    buf[n-1] = 0;  /* Strip trailing LF to avoid earning from Assuan  */
   rc = assuan_write_status (ctx, keyword, buf);
   xfree (buf);
   return rc;

dirmngr/crlfetch.c

@@ -147,6 +147,19 @@ my_es_read (void *opaque, char *buffer, size_t nbytes, size_t *nread)
 }
 
 
+/* For now we do not support LDAP over Tor.  */
+static gpg_error_t
+no_crl_due_to_tor (ctrl_t ctrl)
+{
+  gpg_error_t err = gpg_error (GPG_ERR_NOT_SUPPORTED);
+  const char *text = _("CRL access not possible due to Tor mode");
+
+  log_error ("%s", text);
+  dirmngr_status_printf (ctrl, "NOTE", "no_crl_due_to_tor %u %s", err, text);
+  return gpg_error (GPG_ERR_NOT_SUPPORTED);
+}
+
+
 /* Fetch CRL from URL and return the entire CRL using new ksba reader
    object in READER.  Note that this reader object should be closed
    only using ldap_close_reader. */
@@ -233,9 +246,7 @@ crl_fetch (ctrl_t ctrl, const char *url, ksba_reader_t *reader)
         }
       else if (dirmngr_use_tor ())
         {
-          /* For now we do not support LDAP over Tor.  */
+          err = no_crl_due_to_tor (ctrl);
-          log_error (_("CRL access not possible due to Tor mode\n"));
-          err = gpg_error (GPG_ERR_NOT_SUPPORTED);
         }
       else
         {
@@ -259,9 +270,7 @@ crl_fetch_default (ctrl_t ctrl, const char *issuer, ksba_reader_t *reader)
 {
   if (dirmngr_use_tor ())
     {
-      /* For now we do not support LDAP over Tor.  */
+      return no_crl_due_to_tor (ctrl);
-      log_error (_("CRL access not possible due to Tor mode\n"));
-      return gpg_error (GPG_ERR_NOT_SUPPORTED);
     }
   if (opt.disable_ldap)
     {
@@ -291,9 +300,7 @@ ca_cert_fetch (ctrl_t ctrl, cert_fetch_context_t *context, const char *dn)
 {
   if (dirmngr_use_tor ())
     {
-      /* For now we do not support LDAP over Tor.  */
+      return no_crl_due_to_tor (ctrl);
-      log_error (_("CRL access not possible due to Tor mode\n"));
-      return gpg_error (GPG_ERR_NOT_SUPPORTED);
     }
   if (opt.disable_ldap)
     {
@@ -318,9 +325,7 @@ start_cert_fetch (ctrl_t ctrl, cert_fetch_context_t *context,
 {
   if (dirmngr_use_tor ())
     {
-      /* For now we do not support LDAP over Tor.  */
+      return no_crl_due_to_tor (ctrl);
-      log_error (_("CRL access not possible due to Tor mode\n"));
-      return gpg_error (GPG_ERR_NOT_SUPPORTED);
     }
   if (opt.disable_ldap)
     {

dirmngr/ks-engine-ldap.c

@@ -847,6 +847,20 @@ extract_keys (estream_t output,
   es_fprintf (output, "INFO %s END\n", certid);
 }
 
+
+/* For now we do not support LDAP over Tor.  */
+static gpg_error_t
+no_ldap_due_to_tor (ctrl_t ctrl)
+{
+  gpg_error_t err = gpg_error (GPG_ERR_NOT_SUPPORTED);
+  const char *msg = _("LDAP access not possible due to Tor mode");
+
+  log_error ("%s", msg);
+  dirmngr_status_printf (ctrl, "NOTE", "no_ldap_due_to_tor %u %s", err, msg);
+  return gpg_error (GPG_ERR_NOT_SUPPORTED);
+}
+
+
 /* Get the key described key the KEYSPEC string from the keyserver
    identified by URI.  On success R_FP has an open stream to read the
    data.  */
@@ -869,9 +883,7 @@ ks_ldap_get (ctrl_t ctrl, parsed_uri_t uri, const char *keyspec,
 
   if (dirmngr_use_tor ())
     {
-      /* For now we do not support LDAP over Tor.  */
+      return no_ldap_due_to_tor (ctrl);
-      log_error (_("LDAP access not possible due to Tor mode\n"));
-      return gpg_error (GPG_ERR_NOT_SUPPORTED);
     }
 
   /* Make sure we are talking to an OpenPGP LDAP server.  */
@@ -1067,9 +1079,7 @@ ks_ldap_search (ctrl_t ctrl, parsed_uri_t uri, const char *pattern,
 
   if (dirmngr_use_tor ())
     {
-      /* For now we do not support LDAP over Tor.  */
+      return no_ldap_due_to_tor (ctrl);
-      log_error (_("LDAP access not possible due to Tor mode\n"));
-      return gpg_error (GPG_ERR_NOT_SUPPORTED);
     }
 
   /* Make sure we are talking to an OpenPGP LDAP server.  */
@@ -1959,9 +1969,7 @@ ks_ldap_put (ctrl_t ctrl, parsed_uri_t uri,
 
   if (dirmngr_use_tor ())
     {
-      /* For now we do not support LDAP over Tor.  */
+      return no_ldap_due_to_tor (ctrl);
-      log_error (_("LDAP access not possible due to Tor mode\n"));
-      return gpg_error (GPG_ERR_NOT_SUPPORTED);
     }
 
   err = my_ldap_connect (uri, &ldap_conn, &basedn, NULL, NULL, &serverinfo);

dirmngr/ocsp.c

@@ -145,8 +145,11 @@ do_ocsp_request (ctrl_t ctrl, ksba_ocsp_t ocsp,
     {
       /* For now we do not allow OCSP via Tor due to possible privacy
          concerns.  Needs further research.  */
-      log_error (_("OCSP request not possible due to Tor mode\n"));
+      const char *msg = _("OCSP request not possible due to Tor mode");
-      return gpg_error (GPG_ERR_NOT_SUPPORTED);
+      err = gpg_error (GPG_ERR_NOT_SUPPORTED);
+      log_error ("%s", msg);
+      dirmngr_status_printf (ctrl, "NOTE", "no_ocsp_due_to_tor %u %s", err,msg);
+      return err;
     }
 
   if (opt.disable_http)

sm/call-dirmngr.c

@@ -425,6 +425,51 @@ unhexify_fpr (const char *hexstr, unsigned char *fpr)
 }
 
 
+/* This is a helper to print diagnostics from dirmngr indicated by
+ * WARNING or NOTE status lines.  Returns true if the status LINE was
+ * processed.  */
+static int
+warning_and_note_printer (const char *line)
+{
+  const char *s, *s2;
+  const char *warn = NULL;
+  int is_note = 0;
+
+  if ((s = has_leading_keyword (line, "WARNING")))
+    ;
+  else if ((is_note = !!(s = has_leading_keyword (line, "NOTE"))))
+    ;
+  else
+    return 0;  /* Nothing to process.  */
+
+  if ((s2 = has_leading_keyword (s, "no_crl_due_to_tor"))
+      || (s2 = has_leading_keyword (s, "no_ldap_due_to_tor"))
+      || (s2 = has_leading_keyword (s, "no_ocsp_due_to_tor")))
+    warn = _("Tor might be in use - network access is limited");
+  else
+    warn = NULL;
+
+  if (warn)
+    {
+      if (is_note)
+        log_info (_("Note: %s\n"), warn);
+      else
+        log_info (_("WARNING: %s\n"), warn);
+      if (s2)
+        {
+          while (*s2 && !spacep (s2))
+            s2++;
+          while (*s2 && spacep (s2))
+            s2++;
+          if (*s2)
+            gpgsm_print_further_info ("%s", s2);
+        }
+    }
+
+  return 1;  /* Status line processed.  */
+}
+
+
 static gpg_error_t
 isvalid_status_cb (void *opaque, const char *line)
 {
@@ -446,6 +491,10 @@ isvalid_status_cb (void *opaque, const char *line)
       if (!*s || !unhexify_fpr (s, parm->fpr))
         parm->seen++; /* Bump it to indicate an error. */
     }
+  else if (warning_and_note_printer (line))
+    {
+    }
+
   return 0;
 }
 
@@ -722,6 +771,10 @@ lookup_status_cb (void *opaque, const char *line)
           gpgsm_status (parm->ctrl, STATUS_TRUNCATED, line);
         }
     }
+  else if (warning_and_note_printer (line))
+    {
+    }
+
   return 0;
 }
 
@@ -969,6 +1022,10 @@ run_command_status_cb (void *opaque, const char *line)
             return gpg_error (GPG_ERR_ASS_CANCELED);
         }
     }
+  else if (warning_and_note_printer (line))
+    {
+    }
+
   return 0;
 }
 

sm/gpgsm.h

@@ -489,6 +489,7 @@ int gpgsm_dirmngr_run_command (ctrl_t ctrl, const char *command,
 
 
 /*-- misc.c --*/
+void gpgsm_print_further_info (const char *format, ...) GPGRT_ATTR_PRINTF(1,2);
 void setup_pinentry_env (void);
 gpg_error_t transform_sigval (const unsigned char *sigval, size_t sigvallen,
                               int mdalgo,

sm/misc.c

@@ -35,6 +35,27 @@
 #include "../common/sexp-parse.h"
 
 
+/* Print a message
+ *   "(further info: %s)\n
+ * in verbose mode to further explain an error.  That message is
+ * intended to help debug a problem and should not be translated.
+ */
+void
+gpgsm_print_further_info (const char *format, ...)
+{
+  va_list arg_ptr;
+
+  if (!opt.verbose)
+    return;
+
+  log_info (_("(further info: "));
+  va_start (arg_ptr, format);
+  log_logv (GPGRT_LOGLVL_CONT, format, arg_ptr);
+  va_end (arg_ptr);
+  log_printf (")\n");
+}
+
+
 /* Setup the environment so that the pinentry is able to get all
    required information.  This is used prior to an exec of the
    protect-tool. */