From bf04b07327a5d2a7197df36daaa764b8ad5706e4 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Thu, 15 Jun 2023 15:00:28 +0200
Subject: [PATCH] dirmngr: New option --compatibility-flags.

* dirmngr/dirmngr.c (oCompatibilityFlags): NEw.
(opts): Add option --compatibility-flags.
(compatibility_flags): New.
(parse_rereadable_options): Parse them.
---
 dirmngr/dirmngr.c | 20 ++++++++++++++++++++
 dirmngr/dirmngr.h | 15 +++++++++++++++
 doc/dirmngr.texi | 8 ++++++++
 3 files changed, 43 insertions(+)

diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
index bb54f4edd..46521085f 100644
--- a/dirmngr/dirmngr.c
+++ b/dirmngr/dirmngr.c
@@ -159,6 +159,7 @@ enum cmd_and_opt_values {
 oConnectQuickTimeout,
 oListenBacklog,
 oFakeCRL,
+ oCompatibilityFlags,
 aTest
 };
@@ -297,6 +298,7 @@ static gpgrt_opt_t opts[] = {
 ARGPARSE_s_s (oSocketName, "socket-name", "@"), /* Only for debugging. */
 ARGPARSE_s_n (oDebugCacheExpiredCerts, "debug-cache-expired-certs", "@"),
+ ARGPARSE_s_s (oCompatibilityFlags, "compatibility-flags", "@"),
 ARGPARSE_header (NULL, ""), /* Stop the header group. */
@@ -329,6 +331,14 @@ static struct debug_flags_s debug_flags [] =
 { 77, NULL } /* 77 := Do not exit on "help" or "?". */
 };
+/* The list of compatibility flags. */
+static struct compatibility_flags_s compatibility_flags [] =
+ {
+ { COMPAT_RESTRICT_HTTP_REDIR, "restrict-http-redir" },
+ { 0, NULL }
+ };
+
+
 #define DEFAULT_MAX_REPLIES 10
 #define DEFAULT_LDAP_TIMEOUT 15 /* seconds */
@@ -712,6 +722,7 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread)
 opt.debug_cache_expired_certs = 0;
 xfree (opt.fake_crl);
 opt.fake_crl = NULL;
+ opt.compat_flags = 0;
 return 1;
 }
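Review bot: The option is registered on the `ARGPARSE_s_s (oCompatibilityFlags, "compatibility-flags", "@")` line with the description `"@"`, which gpgrt's argparse uses to keep an option out of `--help`, while doc/dirmngr.texi in this same patch documents it as an ordinary user option; if hiding it is deliberate (gpg registers its compatibility-flags the same way) a short comment saying so would stop the next reader from "fixing" it. The `compatibility_flags` table in the third hunk is the only place a user-visible flag name is bound to a bit, so its header comment could say what the names are for: `/* The list of compatibility flags: the names accepted by --compatibility-flags, each mapped to a COMPAT_ bit from dirmngr.h. */`. I take `struct compatibility_flags_s` and `parse_compatibility_flags` to come from the common code shared with gpg; their declarations are not part of this diff.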
@@ -879,6 +890,15 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread)
 opt.fake_crl = *pargs->r.ret_str? xstrdup (pargs->r.ret_str) : NULL;
 break;
+ case oCompatibilityFlags:
+ if (parse_compatibility_flags (pargs->r.ret_str, &opt.compat_flags,
+ compatibility_flags))
+ {
+ pargs->r_opt = ARGPARSE_INVALID_ARG;
+ pargs->err = ARGPARSE_PRINT_WARNING;
+ }
+ break;
+
 default:
 return 0; /* Not handled. */
 }
diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h
index 1128e118b..5571d6181 100644
--- a/dirmngr/dirmngr.h
+++ b/dirmngr/dirmngr.h
@@ -154,6 +154,9 @@ struct
 current after nextUpdate. */
 strlist_t keyserver; /* List of default keyservers. */
+
+ /* Compatibility flags (COMPAT_FLAG_xxxx). */
+ unsigned int compat_flags;
 } opt;
@@ -182,6 +185,18 @@ struct
 #define DBG_EXTPROG (opt.debug & DBG_EXTPROG_VALUE)
 #define DBG_KEEPTMP (opt.debug & DBG_KEEPTMP_VALUE)
+/* Compatibility flags */
+
+/* Since version 2.2.12 dirmngr restricted HTTP redirection in an
+ * attempt to mitigate certain CSRF attacks. It turned out that this
+ * breaks too many WKD deployments and that the attack scenario is not
+ * due to gnupg's redirecting but due to insecure configured systems.
+ * Thus from 2.4.3 on we disable this restriction but allow to use the
+ * old behaviour by using this compatibility flag. For details see
+ * https://dev.gnupg.org/T6477. */
+#define COMPAT_RESTRICT_HTTP_REDIR 1
+
+
 /* A simple list of certificate references. FIXME: Better use certlist_t also for references (Store NULL at .cert) */
 struct cert_ref_s
diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
index 8e0979c3e..f17c6206c 100644
--- a/doc/dirmngr.texi
+++ b/doc/dirmngr.texi
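Review bot: An unrecognised flag name in the new `case oCompatibilityFlags:` branch only sets `pargs->err = ARGPARSE_PRINT_WARNING`, so a misspelt `compatibility-flags restrict-http-redir` in the config file is presumably reported as a warning and dirmngr keeps running in the permissive default rather than with the restriction the operator asked for. Because this option lives in the rereadable set, making it fatal could turn a SIGHUP reload into a daemon exit, so a warning may well be the intended trade-off; that reasoning deserves a comment next to the assignment, e.g. `/* Only warn: this option is rereadable and a bad flag name must not kill the daemon. */`. Whether the helper implements the documented "none" and "help" words, and whether "help" exits the process even during a reread, is not visible here and should be checked in `parse_compatibility_flags`. The enclosing `parse_rereadable_options` starts and ends outside the hunk.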
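Review bot: The comment added above `unsigned int compat_flags;` points at `COMPAT_FLAG_xxxx` constants, but the only constant this patch defines is `COMPAT_RESTRICT_HTTP_REDIR`, so the cross-reference names a prefix that does not exist in the header; `/* Compatibility flags (COMPAT_xxxx, see below). */` matches the actual definition. The enclosing `struct { ... } opt` starts outside the hunk.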
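Review bot: The comment on `COMPAT_RESTRICT_HTTP_REDIR` states that from 2.4.3 the redirect restriction is disabled and this flag brings the old behaviour back, but nothing in this patch reads `opt.compat_flags` or tests the bit (the diffstat lists only dirmngr.c, dirmngr.h and the texinfo file), so at this commit the flag is parsed and stored without effect. Until the HTTP redirect code consumes it, the comment should say so, e.g. change `Thus from 2.4.3 on we disable this restriction` to `Thus from 2.4.3 on this restriction is to be disabled (the HTTP code is switched in a follow-up change)`, otherwise a reader will take the mitigation switch as already live. Also `insecure configured systems` reads better as `insecurely configured systems`.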
@@ -167,6 +167,14 @@ Append all logging output to @var{file}. This is very helpful in seeing what the agent actually does. Use @file{socket://} to log to socket.
+@item --compatibility-flags @var{flags}
+@opindex compatibility-flags
+Set compatibility flags to work around certain problems or to emulate
+bugs. The @var{flags} are given as a comma separated list of flag
+names and are OR-ed together. The special flag "none" clears the list
+and allows to start over with an empty list. To get a list of
+available flags the sole word "help" can be used.
+
 @item --debug-level @var{level}
 @opindex debug-level
 Select the debug level for investigating problems. @var{level} may be a