security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-07-02 22:46:30 +02:00
Code Activity

Merge branch 'STABLE-BRANCH-2-4' into master

Browse source
This commit is contained in:
Werner Koch 2023-07-04 17:37:54 +02:00
commit 334f5d95c8
No known key found for this signature in database
GPG key ID: E3FDFF218E45B72B
89 changed files with 3260 additions and 1400 deletions
Download patch file Download diff file Expand all files Collapse all files

10
dirmngr/crlcache.c
View file

@ -2356,11 +2356,21 @@ crl_cache_insert (ctrl_t ctrl, const char *url, ksba_reader_t reader)
for (idx=0; !(err=ksba_crl_get_extension (crl, idx, &oid, &critical,
NULL, NULL)); idx++)
{
strlist_t sl;
if (!critical
|| !strcmp (oid, oidstr_authorityKeyIdentifier)
|| !strcmp (oid, oidstr_crlNumber) )
continue;
for (sl=opt.ignored_crl_extensions;
sl && strcmp (sl->d, oid); sl = sl->next)
;
if (sl)
continue; /* Is in ignored list. */
log_error (_("unknown critical CRL extension %s\n"), oid);
log_info ("(CRL='%s')\n", url);
if (!err2)
err2 = gpg_error (GPG_ERR_INV_CRL);
invalidate_crl |= INVCRL_UNKNOWN_EXTN;

27
dirmngr/dirmngr.c
View file

@ -147,6 +147,7 @@ enum cmd_and_opt_values {
oHTTPWrapperProgram,
oIgnoreCert,
oIgnoreCertExtension,
oIgnoreCRLExtension,
oUseTor,
oNoUseTor,
oKeyServer,
@ -159,6 +160,7 @@ enum cmd_and_opt_values {
oConnectQuickTimeout,
oListenBacklog,
oFakeCRL,
oCompatibilityFlags,
aTest
};
@ -223,6 +225,7 @@ static gpgrt_opt_t opts[] = {
ARGPARSE_s_n (oDisableCheckOwnSocket, "disable-check-own-socket", "@"),
ARGPARSE_s_s (oIgnoreCert,"ignore-cert", "@"),
ARGPARSE_s_s (oIgnoreCertExtension,"ignore-cert-extension", "@"),
ARGPARSE_s_s (oIgnoreCRLExtension,"ignore-crl-extension", "@"),
ARGPARSE_header ("Network", N_("Network related options")),
@ -297,6 +300,7 @@ static gpgrt_opt_t opts[] = {
ARGPARSE_s_s (oSocketName, "socket-name", "@"), /* Only for debugging. */
ARGPARSE_s_n (oDebugCacheExpiredCerts, "debug-cache-expired-certs", "@"),
ARGPARSE_s_s (oCompatibilityFlags, "compatibility-flags", "@"),
ARGPARSE_header (NULL, ""), /* Stop the header group. */
@ -329,6 +333,14 @@ static struct debug_flags_s debug_flags [] =
{ 77, NULL } /* 77 := Do not exit on "help" or "?". */
};
/* The list of compatibility flags. */
static struct compatibility_flags_s compatibility_flags [] =
{
{ COMPAT_RESTRICT_HTTP_REDIR, "restrict-http-redir" },
{ 0, NULL }
};
#define DEFAULT_MAX_REPLIES 10
#define DEFAULT_LDAP_TIMEOUT 15 /* seconds */
@ -699,6 +711,7 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread)
opt.ignored_certs = tmp;
}
FREE_STRLIST (opt.ignored_cert_extensions);
FREE_STRLIST (opt.ignored_crl_extensions);
http_register_tls_ca (NULL);
FREE_STRLIST (hkp_cacert_filenames);
FREE_STRLIST (opt.keyserver);
@ -715,6 +728,7 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread)
opt.debug_cache_expired_certs = 0;
xfree (opt.fake_crl);
opt.fake_crl = NULL;
opt.compat_flags = 0;
return 1;
}
@ -811,6 +825,10 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread)
add_to_strlist (&opt.ignored_cert_extensions, pargs->r.ret_str);
break;
case oIgnoreCRLExtension:
add_to_strlist (&opt.ignored_crl_extensions, pargs->r.ret_str);
break;
case oUseTor:
tor_mode = TOR_MODE_FORCE;
break;
@ -882,6 +900,15 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread)
opt.fake_crl = *pargs->r.ret_str? xstrdup (pargs->r.ret_str) : NULL;
break;
case oCompatibilityFlags:
if (parse_compatibility_flags (pargs->r.ret_str, &opt.compat_flags,
compatibility_flags))
{
pargs->r_opt = ARGPARSE_INVALID_ARG;
pargs->err = ARGPARSE_PRINT_WARNING;
}
break;
default:
return 0; /* Not handled. */
}

20
dirmngr/dirmngr.h
View file

@ -132,6 +132,11 @@ struct
OID per string. */
strlist_t ignored_cert_extensions;
/* A list of CRL extension OIDs which are ignored so that one can
* claim that a critical extension has been handled. One OID per
* string. */
strlist_t ignored_crl_extensions;
/* Allow expired certificates in the cache. */
int debug_cache_expired_certs;
@ -154,6 +159,9 @@ struct
current after nextUpdate. */
strlist_t keyserver; /* List of default keyservers. */
/* Compatibility flags (COMPAT_FLAG_xxxx). */
unsigned int compat_flags;
} opt;
@ -182,6 +190,18 @@ struct
#define DBG_EXTPROG (opt.debug & DBG_EXTPROG_VALUE)
#define DBG_KEEPTMP (opt.debug & DBG_KEEPTMP_VALUE)
/* Compatibility flags */
/* Since version 2.2.12 dirmngr restricted HTTP redirection in an
* attempt to mitigate certain CSRF attacks. It turned out that this
* breaks too many WKD deployments and that the attack scenario is not
* due to gnupg's redirecting but due to insecure configured systems.
* Thus from 2.4.3 on we disable this restriction but allow to use the
* old behaviour by using this compatibility flag. For details see
* https://dev.gnupg.org/T6477. */
#define COMPAT_RESTRICT_HTTP_REDIR 1
/* A simple list of certificate references. FIXME: Better use
certlist_t also for references (Store NULL at .cert) */
struct cert_ref_s

9
dirmngr/http.c
View file

@ -3741,10 +3741,11 @@ http_prepare_redirect (http_redir_info_t *info, unsigned int status_code,
http_release_parsed_uri (locuri);
return err;
}
else if (same_host_p (origuri, locuri))
else if (!info->restrict_redir || same_host_p (origuri, locuri))
{
/* The host is the same or on an exception list and thus we can
* take the location verbatim. */
/* Take the syntactically correct location or if restrict_redir
* is set the host is the same or on an exception list and thus
* we can take the location verbatim. */
http_release_parsed_uri (origuri);
http_release_parsed_uri (locuri);
newurl = xtrystrdup (location);
@ -3754,7 +3755,7 @@ http_prepare_redirect (http_redir_info_t *info, unsigned int status_code,
return err;
}
}
else
else /* Strictly rectricted redirection which we used in the past. */
{
/* We take only the host and port from the URL given in the
* Location. This limits the effects of redirection attacks by

1
dirmngr/http.h
View file

@ -117,6 +117,7 @@ struct http_redir_info_s
unsigned int silent:1; /* No diagnostics. */
unsigned int allow_downgrade:1;/* Allow a downgrade from https to http. */
unsigned int trust_location:1; /* Trust the received Location header. */
unsigned int restrict_redir:1; /* Use legacy restricted redirection. */
};
typedef struct http_redir_info_s http_redir_info_t;

5
dirmngr/ks-engine-hkp.c
View file

@ -1242,8 +1242,9 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
redirinfo.orig_url = request;
redirinfo.orig_onion = uri->onion;
redirinfo.allow_downgrade = 1;
/* FIXME: I am not sure whey we allow a downgrade for hkp requests.
* Needs at least an explanation here.. */
/* FIXME: I am not sure why we allow a downgrade for hkp requests.
* Needs at least an explanation here. */
redirinfo.restrict_redir = !!(opt.compat_flags & COMPAT_RESTRICT_HTTP_REDIR);
once_more:
err = http_session_new (&session, httphost,

1
dirmngr/ks-engine-http.c
View file

@ -88,6 +88,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, unsigned int flags,
redirinfo.orig_onion = uri->onion;
redirinfo.orig_https = uri->use_tls;
redirinfo.allow_downgrade = !!(flags & KS_HTTP_FETCH_ALLOW_DOWNGRADE);
redirinfo.restrict_redir = !!(opt.compat_flags & COMPAT_RESTRICT_HTTP_REDIR);
/* By default we only use the system provided certificates with this
* fetch command. */

191
dirmngr/ks-engine-ldap.c
View file

@ -26,6 +26,13 @@
#include <unistd.h>
#include <stdlib.h>
#include <npth.h>
#ifdef HAVE_W32_SYSTEM
# ifndef WINVER
# define WINVER 0x0500 /* Same as in common/sysutils.c */
# endif
# include <winsock2.h>
# include <sddl.h>
#endif
#include "dirmngr.h"
@ -73,6 +80,9 @@ struct ks_engine_ldap_local_s
int more_pages; /* More pages announced by server. */
};
/*-- prototypes --*/
static char *map_rid_to_dn (ctrl_t ctrl, const char *rid);
static char *basedn_from_rootdse (ctrl_t ctrl, parsed_uri_t uri);
@ -150,6 +160,114 @@ my_ldap_value_free (char **vals)
}
/* Print a description of supported variables. */
void
ks_ldap_help_variables (ctrl_t ctrl)
{
const char data[] =
"Supported variables in LDAP filter expressions:\n"
"\n"
"domain - The defaultNamingContext.\n"
"domain_admins - Group of domain admins.\n"
"domain_users - Group with all user accounts.\n"
"domain_guests - Group with the builtin gues account.\n"
"domain_computers - Group with all clients and servers.\n"
"cert_publishers - Group with all cert issuing computers.\n"
"protected_users - Group of users with extra protection.\n"
"key_admins - Group for delegated access to msdsKeyCredentialLink.\n"
"enterprise_key_admins - Similar to key_admins.\n"
"domain_domain_controllers - Group with all domain controllers.\n"
"sid_domain - SubAuthority numbers.\n";
ks_print_help (ctrl, data);
}
/* Helper function for substitute_vars. */
static const char *
getval_for_filter (void *cookie, const char *name)
{
ctrl_t ctrl = cookie;
const char *result = NULL;
if (!strcmp (name, "sid_domain"))
{
#ifdef HAVE_W32_SYSTEM
PSID mysid;
static char *sidstr;
char *s, *s0;
int i;
if (!sidstr)
{
mysid = w32_get_user_sid ();
if (!mysid)
{
gpg_err_set_errno (ENOENT);
goto leave;
}
if (!ConvertSidToStringSid (mysid, &sidstr))
{
gpg_err_set_errno (EINVAL);
goto leave;
}
/* Example for SIDSTR:
* S-1-5-21-3636969917-2569447256-918939550-1127 */
for (s0=NULL,s=sidstr,i=0; (s=strchr (s, '-')); i++)
{
s++;
if (i == 3)
s0 = s;
else if (i==6)
{
s[-1] = 0;
break;
}
}
if (!s0)
{
log_error ("oops: invalid SID received from OS");
gpg_err_set_errno (EINVAL);
LocalFree (sidstr);
goto leave;
}
sidstr = s0; /* (We never release SIDSTR thus no memmove.) */
}
result = sidstr;
#else
gpg_err_set_errno (ENOSYS);
goto leave;
#endif
}
else if (!strcmp (name, "domain"))
result = basedn_from_rootdse (ctrl, NULL);
else if (!strcmp (name, "domain_admins"))
result = map_rid_to_dn (ctrl, "512");
else if (!strcmp (name, "domain_users"))
result = map_rid_to_dn (ctrl, "513");
else if (!strcmp (name, "domain_guests"))
result = map_rid_to_dn (ctrl, "514");
else if (!strcmp (name, "domain_computers"))
result = map_rid_to_dn (ctrl, "515");
else if (!strcmp (name, "domain_domain_controllers"))
result = map_rid_to_dn (ctrl, "516");
else if (!strcmp (name, "cert_publishers"))
result = map_rid_to_dn (ctrl, "517");
else if (!strcmp (name, "protected_users"))
result = map_rid_to_dn (ctrl, "525");
else if (!strcmp (name, "key_admins"))
result = map_rid_to_dn (ctrl, "526");
else if (!strcmp (name, "enterprise_key_admins"))
result = map_rid_to_dn (ctrl, "527");
else
result = ""; /* Unknown variables are empty. */
leave:
return result;
}
/* Print a help output for the schemata supported by this module. */
gpg_error_t
@ -1396,6 +1514,63 @@ fetch_rootdse (ctrl_t ctrl, parsed_uri_t uri)
}
/* Return the DN for the given RID. This is used with the Active
* Directory. */
static char *
map_rid_to_dn (ctrl_t ctrl, const char *rid)
{
gpg_error_t err;
char *result = NULL;
estream_t infp = NULL;
uri_item_t puri; /* The broken down URI. */
nvc_t nvc = NULL;
char *filter = NULL;
const char *s;
char *attr[2] = {"dn", NULL};
err = ks_action_parse_uri ("ldap:///", &puri);
if (err)
return NULL;
filter = strconcat ("(objectSid=S-1-5-21-$sid_domain-", rid, ")", NULL);
if (!filter)
goto leave;
err = ks_ldap_query (ctrl, puri->parsed_uri, KS_GET_FLAG_SUBST,
filter, attr, NULL, &infp);
if (err)
{
log_error ("ldap: AD query '%s' failed: %s\n", filter,gpg_strerror (err));
goto leave;
}
if ((err = nvc_parse (&nvc, NULL, infp)))
{
log_error ("ldap: parsing the result failed: %s\n",gpg_strerror (err));
goto leave;
}
if (!(s = nvc_get_string (nvc, "Dn:")))
{
err = gpg_error (GPG_ERR_NOT_FOUND);
log_error ("ldap: mapping rid '%s'failed: %s\n", rid, gpg_strerror (err));
goto leave;
}
result = xtrystrdup (s);
if (!result)
{
err = gpg_error_from_syserror ();
log_error ("ldap: strdup failed: %s\n", gpg_strerror (err));
goto leave;
}
leave:
es_fclose (infp);
release_uri_item_list (puri);
xfree (filter);
nvc_release (nvc);
return result;
}
/* Return the baseDN for URI which might have already been cached for
* this session. */
static char *
@ -2824,6 +2999,7 @@ ks_ldap_query (ctrl_t ctrl, parsed_uri_t uri, unsigned int ks_get_flags,
LDAP *ldap_conn = NULL;
char *basedn = NULL;
estream_t fp = NULL;
char *filter_arg_buffer = NULL;
char *filter = NULL;
int scope = LDAP_SCOPE_SUBTREE;
LDAPMessage *message = NULL;
@ -2839,6 +3015,20 @@ ks_ldap_query (ctrl_t ctrl, parsed_uri_t uri, unsigned int ks_get_flags,
if ((!filter_arg || !*filter_arg) && (ks_get_flags & KS_GET_FLAG_ROOTDSE))
filter_arg = "^&base&(objectclass=*)";
if ((ks_get_flags & KS_GET_FLAG_SUBST)
&& filter_arg && strchr (filter_arg, '$'))
{
filter_arg_buffer = substitute_vars (filter_arg, getval_for_filter, ctrl);
if (!filter_arg_buffer)
{
err = gpg_error_from_syserror ();
log_error ("substituting filter variables failed: %s\n",
gpg_strerror (err));
goto leave;
}
filter_arg = filter_arg_buffer;
}
err = ks_ldap_prepare_my_state (ctrl, ks_get_flags, &first_mode, &next_mode);
if (err)
goto leave;
@ -3048,6 +3238,7 @@ ks_ldap_query (ctrl_t ctrl, parsed_uri_t uri, unsigned int ks_get_flags,
ldap_unbind (ldap_conn);
xfree (filter);
xfree (filter_arg_buffer);
return err;
}

2
dirmngr/ks-engine.h
View file

@ -29,6 +29,7 @@
#define KS_GET_FLAG_NEXT 4
#define KS_GET_FLAG_ONLY_AD 8 /* Do this only if we have an AD. */
#define KS_GET_FLAG_ROOTDSE 16 /* Get the rootDSE. */
#define KS_GET_FLAG_SUBST 32 /* Substiture variables. */
/*-- ks-action.c --*/
@ -70,6 +71,7 @@ gpg_error_t ks_kdns_help (ctrl_t ctrl, parsed_uri_t uri);
gpg_error_t ks_kdns_fetch (ctrl_t ctrl, parsed_uri_t uri, estream_t *r_fp);
/*-- ks-engine-ldap.c --*/
void ks_ldap_help_variables (ctrl_t ctrl);
gpg_error_t ks_ldap_help (ctrl_t ctrl, parsed_uri_t uri);
void ks_ldap_free_state (struct ks_engine_ldap_local_s *state);
gpg_error_t ks_ldap_search (ctrl_t ctrl, parsed_uri_t uri, const char *pattern,

66
dirmngr/server.c
View file

@ -32,6 +32,13 @@
#include <sys/stat.h>
#include <unistd.h>
#include <errno.h>
#ifdef HAVE_W32_SYSTEM
# ifndef WINVER
# define WINVER 0x0500 /* Same as in common/sysutils.c */
# endif
# include <winsock2.h>
# include <sddl.h>
#endif
#include "dirmngr.h"
#include <assuan.h>
@ -2701,15 +2708,21 @@ cmd_ks_put (assuan_context_t ctx, char *line)
static const char hlp_ad_query[] =
"AD_QUERY [--first|--next] [--] <filter_expression> \n"
"AD_QUERY [--first|--next] [--] <filter> \n"
"\n"
"Query properties from a Windows Active Directory.\n"
"Our extended filter syntax may be used for the filter\n"
"expression; see gnupg/dirmngr/ldap-misc.c. There are\n"
"a couple of other options available:\n\n"
" --rootdse - Query the root using serverless binding,\n"
"Options:\n"
"\n"
" --rootdse - Query the root using serverless binding,\n"
" --subst - Substitute variables in the filter\n"
" --attr=<attribs> - Comma delimited list of attributes\n"
" to return.\n"
" --help - List supported variables\n"
"\n"
"Extended filter syntax is allowed:\n"
" ^[<base>][&<scope>]&[<filter>]\n"
"Usual escaping rules apply. An ampersand in <base> must\n"
"doubled. <scope> may be \"base\", \"one\", or \"sub\"."
;
static gpg_error_t
cmd_ad_query (assuan_context_t ctx, char *line)
@ -2723,6 +2736,7 @@ cmd_ad_query (assuan_context_t ctx, char *line)
char **opt_attr = NULL;
const char *s;
gnupg_isotime_t opt_newer;
int opt_help = 0;
*opt_newer = 0;
@ -2733,6 +2747,10 @@ cmd_ad_query (assuan_context_t ctx, char *line)
flags |= KS_GET_FLAG_NEXT;
if (has_option (line, "--rootdse"))
flags |= KS_GET_FLAG_ROOTDSE;
if (has_option (line, "--subst"))
flags |= KS_GET_FLAG_SUBST;
if (has_option (line, "--help"))
opt_help = 1;
if ((s = option_value (line, "--newer"))
&& !string2isotime (opt_newer, s))
{
@ -2756,6 +2774,13 @@ cmd_ad_query (assuan_context_t ctx, char *line)
line = skip_options (line);
filter = line;
if (opt_help)
{
ks_ldap_help_variables (ctrl);
err = 0;
goto leave;
}
if ((flags & KS_GET_FLAG_NEXT))
{
if (*filter || (flags & ~KS_GET_FLAG_NEXT))
@ -2907,14 +2932,39 @@ cmd_getinfo (assuan_context_t ctx, char *line)
{
const char *s = getenv (line);
if (!s)
err = set_error (GPG_ERR_NOT_FOUND, "No such envvar");
else
err = assuan_send_data (ctx, s, strlen (s));
{
err = set_error (GPG_ERR_NOT_FOUND, "No such envvar");
goto leave;
}
err = assuan_send_data (ctx, s, strlen (s));
}
}
#ifdef HAVE_W32_SYSTEM
else if (!strcmp (line, "sid"))
{
PSID mysid;
char *sidstr;
mysid = w32_get_user_sid ();
if (!mysid)
{
err = set_error (GPG_ERR_NOT_FOUND, "Error getting my SID");
goto leave;
}
if (!ConvertSidToStringSid (mysid, &sidstr))
{
err = set_error (GPG_ERR_BUG, "Error converting SID to a string");
goto leave;
}
err = assuan_send_data (ctx, sidstr, strlen (sidstr));
LocalFree (sidstr);
}
#endif /*HAVE_W32_SYSTEM*/
else
err = set_error (GPG_ERR_ASS_PARAMETER, "unknown value for WHAT");
leave:
return leave_cmd (ctx, err);
}

1
dirmngr/t-http-basic.c
View file

@ -165,6 +165,7 @@ test_http_prepare_redirect (void)
ri.silent = 1;
ri.redirects_left = 1;
ri.orig_url = tests[tidx].url;
ri.restrict_redir = 1; /* This is what we used to test here. */
err = http_prepare_redirect (&ri, 301, tests[tidx].location, &newurl);
if (err && newurl)