dirmngr: New option --compatibility-flags.

* dirmngr/dirmngr.c (oCompatibilityFlags): NEw.
(opts): Add option --compatibility-flags.
(compatibility_flags): New.
(parse_rereadable_options): Parse them.

dirmngr/dirmngr.c

@@ -159,6 +159,7 @@ enum cmd_and_opt_values {
   oConnectQuickTimeout,
   oListenBacklog,
   oFakeCRL,
+  oCompatibilityFlags,
   aTest
 };
 
@@ -297,6 +298,7 @@ static gpgrt_opt_t opts[] = {
 
   ARGPARSE_s_s (oSocketName, "socket-name", "@"),  /* Only for debugging.  */
   ARGPARSE_s_n (oDebugCacheExpiredCerts, "debug-cache-expired-certs", "@"),
+  ARGPARSE_s_s (oCompatibilityFlags, "compatibility-flags", "@"),
 
   ARGPARSE_header (NULL, ""),  /* Stop the header group.  */
 
@@ -329,6 +331,14 @@ static struct debug_flags_s debug_flags [] =
     { 77, NULL } /* 77 := Do not exit on "help" or "?".  */
   };
 
+/* The list of compatibility flags.  */
+static struct compatibility_flags_s compatibility_flags [] =
+  {
+    { COMPAT_RESTRICT_HTTP_REDIR, "restrict-http-redir" },
+    { 0, NULL }
+  };
+
+
 #define DEFAULT_MAX_REPLIES 10
 #define DEFAULT_LDAP_TIMEOUT 15  /* seconds */
 
@@ -712,6 +722,7 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread)
       opt.debug_cache_expired_certs = 0;
       xfree (opt.fake_crl);
       opt.fake_crl = NULL;
+      opt.compat_flags = 0;
       return 1;
     }
 
@@ -879,6 +890,15 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread)
       opt.fake_crl = *pargs->r.ret_str? xstrdup (pargs->r.ret_str) : NULL;
       break;
 
+    case oCompatibilityFlags:
+      if (parse_compatibility_flags (pargs->r.ret_str, &opt.compat_flags,
+                                     compatibility_flags))
+        {
+          pargs->r_opt = ARGPARSE_INVALID_ARG;
+          pargs->err = ARGPARSE_PRINT_WARNING;
+        }
+      break;
+
     default:
       return 0; /* Not handled. */
     }

dirmngr/dirmngr.h

@@ -154,6 +154,9 @@ struct
                                        current after nextUpdate. */
 
   strlist_t keyserver;              /* List of default keyservers.  */
+
+  /* Compatibility flags (COMPAT_FLAG_xxxx).  */
+  unsigned int compat_flags;
 } opt;
 
 
@@ -182,6 +185,18 @@ struct
 #define DBG_EXTPROG (opt.debug & DBG_EXTPROG_VALUE)
 #define DBG_KEEPTMP (opt.debug & DBG_KEEPTMP_VALUE)
 
+/* Compatibility flags */
+
+/* Since version 2.2.12 dirmngr restricted HTTP redirection in an
+ * attempt to mitigate certain CSRF attacks.  It turned out that this
+ * breaks too many WKD deployments and that the attack scenario is not
+ * due to gnupg's redirecting but due to insecure configured systems.
+ * Thus from 2.4.3 on we disable this restriction but allow to use the
+ * old behaviour by using this compatibility flag.  For details see
+ * https://dev.gnupg.org/T6477.  */
+#define COMPAT_RESTRICT_HTTP_REDIR   1
+
+
 /* A simple list of certificate references.  FIXME: Better use
    certlist_t also for references (Store NULL at .cert) */
 struct cert_ref_s

doc/dirmngr.texi

@@ -167,6 +167,14 @@ Append all logging output to @var{file}.  This is very helpful in
 seeing what the agent actually does.  Use @file{socket://} to log to
 socket.
 
+@item --compatibility-flags @var{flags}
+@opindex compatibility-flags
+Set compatibility flags to work around certain problems or to emulate
+bugs.  The @var{flags} are given as a comma separated list of flag
+names and are OR-ed together.  The special flag "none" clears the list
+and allows to start over with an empty list.  To get a list of
+available flags the sole word "help" can be used.
+
 @item --debug-level @var{level}
 @opindex debug-level
 Select the debug level for investigating problems.  @var{level} may be a