From ae9acb8745c1654b446b3cd5b9322b235723d9cb Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Mon, 18 Nov 2019 17:22:45 +0100
Subject: [PATCH] dirmngr: Forward http redirect warnings to gpg.
* dirmngr/http.c: Include dirmngr-status.h
(http_prepare_redirect): Emit WARNING status lines for redirection problems.
* dirmngr/http.h: Include fwddecl.h.
(struct http_redir_info_s): Add field ctrl.
* dirmngr/ks-engine-hkp.c (send_request): Set it.
* dirmngr/ks-engine-http.c (ks_http_fetch): Set it.
* g10/call-dirmngr.c (ks_status_cb): Detect the two new warnings.
--
This should make it easier to diagnose problems with bad WKD servers.
Signed-off-by: Werner Koch
---
 dirmngr/http.c | 17 ++++++++++++++++-
 dirmngr/http.h | 2 ++
 dirmngr/ks-engine-hkp.c | 1 +
 dirmngr/ks-engine-http.c | 1 +
 g10/call-dirmngr.c | 4 ++++
 5 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/dirmngr/http.c b/dirmngr/http.c
index c6dc077da..56399a2f9 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -101,6 +101,7 @@
 #include "../common/i18n.h"
 #include "../common/sysutils.h" /* (gnupg_fd_t) */
 #include "dns-stuff.h"
+#include "dirmngr-status.h" /* (dirmngr_status_printf) */
 #include "http.h"
 #include "http-common.h"
@@ -3634,13 +3635,23 @@ http_prepare_redirect (http_redir_info_t *info, unsigned int status_code,
 * https address. */
 if (info->orig_onion && !locuri->onion)
 {
+ dirmngr_status_printf (info->ctrl, "WARNING",
+ "http_redirect %u"
+ " redirect from onion to non-onion address"
+ " rejected",
+ err);
 http_release_parsed_uri (locuri);
 return gpg_error (GPG_ERR_FORBIDDEN);
 }
 if (!info->allow_downgrade && info->orig_https && !locuri->use_tls)
 {
+ err = gpg_error (GPG_ERR_FORBIDDEN);
+ dirmngr_status_printf (info->ctrl, "WARNING",
+ "http_redirect %u"
+ " redirect '%s' to '%s' rejected",
+ err, info->orig_url, location);
 http_release_parsed_uri (locuri);
- return gpg_error (GPG_ERR_FORBIDDEN);
+ return err;
 }
 if (info->trust_location)
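Review bot: In the onion-to-non-onion branch of the second dirmngr/http.c hunk, `err` is passed to `dirmngr_status_printf` as the `%u` value without first being set to the rejection code, while the downgrade branch below assigns `err = gpg_error (GPG_ERR_FORBIDDEN);` before its call. The WARNING line for a rejected onion redirect therefore carries whatever `err` held earlier, quite possibly 0, which undercuts the diagnostic purpose of the patch. Mirror the second branch: put `err = gpg_error (GPG_ERR_FORBIDDEN);` ahead of the call and end the branch with `return err;`. Separately, `location` in the downgrade warning appears to be the server-supplied redirect target, so it is worth confirming that `dirmngr_status_printf` neutralises CR/LF and other control characters before the text reaches the status stream. http_prepare_redirect begins and ends outside the hunk.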
@@ -3720,6 +3731,10 @@ http_prepare_redirect (http_redir_info_t *info, unsigned int status_code,
 http_release_parsed_uri (locuri);
 if (!info->silent)
 log_info (_("redirection changed to '%s'\n"), newurl);
+ dirmngr_status_printf (info->ctrl, "WARNING",
+ "http_redirect_cleanup %u"
+ " changed from '%s' to '%s'",
+ 0, info->orig_url, newurl);
 }
 *r_url = newurl;
diff --git a/dirmngr/http.h b/dirmngr/http.h
index 492e86726..01546374e 100644
--- a/dirmngr/http.h
+++ b/dirmngr/http.h
@@ -32,6 +32,7 @@
 #define GNUPG_COMMON_HTTP_H
 #include
+#include "../common/fwddecl.h"
 struct uri_tuple_s
 {
@@ -106,6 +107,7 @@ typedef struct http_context_s *http_t;
 struct http_redir_info_s
 {
 unsigned int redirects_left; /* Number of still possible redirects. */
+ ctrl_t ctrl; /* The usual connection info or NULL. */
 const char *orig_url; /* The original requested URL. */
 unsigned int orig_onion:1; /* Original request was an onion address. */
 unsigned int orig_https:1; /* Original request was a http address. */
diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index f8814ecd0..653e164ea 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -1215,6 +1215,7 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
 err = http_parse_uri (&uri, request, 0);
 if (err)
 goto leave;
+ redirinfo.ctrl = ctrl;
 redirinfo.orig_url = request;
 redirinfo.orig_onion = uri->onion;
 redirinfo.allow_downgrade = 1;
diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c
index a84a3a1ea..007bbc99d 100644
--- a/dirmngr/ks-engine-http.c
+++ b/dirmngr/ks-engine-http.c
@@ -82,6 +82,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, unsigned int flags,
 err = http_parse_uri (&uri, url, 0);
 if (err)
 goto leave;
+ redirinfo.ctrl = ctrl;
 redirinfo.orig_url = url;
 redirinfo.orig_onion = uri->onion;
 redirinfo.orig_https = uri->use_tls;
diff --git a/g10/call-dirmngr.c b/g10/call-dirmngr.c
index 8f83c087f..58829c764 100644
--- a/g10/call-dirmngr.c
+++ b/g10/call-dirmngr.c
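Review bot: In the third dirmngr/http.c hunk (the redirect clean-up path of http_prepare_redirect) the new `dirmngr_status_printf` call follows the unbraced `if (!info->silent) log_info (...)`, so the status line is sent even when `silent` is set, although the placement reads as if it were guarded. If that is intended, a comment would settle it, e.g. `/* The status line is sent even in silent mode so that the client can warn the user. */`. The literal `0` supplied for `%u` is an `int`; `0u`, or dropping the numeric field from this keyword, would keep the format and its arguments in agreement. The enclosing function starts and ends outside the hunk.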
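Review bot: The new `ctrl` field in struct http_redir_info_s (dirmngr/http.h) is documented as possibly NULL, yet http_prepare_redirect passes `info->ctrl` to `dirmngr_status_printf` unconditionally, and nothing in this patch shows that the callee accepts a NULL ctrl. If it does, say so in the field comment, e.g. `/* Connection info; may be NULL, in which case no status lines are sent. */`; if it does not, the three new calls need an `if (info->ctrl)` guard. Only send_request and ks_http_fetch are updated here, so any other user of http_redir_info_t would leave the field at whatever its initialiser provides.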
@@ -414,6 +414,10 @@ ks_status_cb (void *opaque, const char *line)
 warn = _("Tor is not properly configured");
 else if ((s2 = has_leading_keyword (s, "dns_config_problem")))
 warn = _("DNS is not properly configured");
+ else if ((s2 = has_leading_keyword (s, "http_redirect")))
+ warn = _("unacceptable HTTP redirect from server");
+ else if ((s2 = has_leading_keyword (s, "http_redirect_cleanup")))
+ warn = _("unacceptable HTTP redirect from server was cleaned up");
 else
 warn = NULL;
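Review bot: `http_redirect` is a prefix of `http_redirect_cleanup` and the shorter keyword is tested first, so the second new branch in ks_status_cb is reachable only if `has_leading_keyword` insists on a delimiter after the keyword, which this hunk does not show. Testing the longer keyword first removes that dependency: move `else if ((s2 = has_leading_keyword (s, "http_redirect_cleanup")))` and its `warn` assignment ahead of the `http_redirect` test. Otherwise a cleaned-up redirect could be reported to the user as a rejected one. ks_status_cb starts and ends outside the hunk.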