* dirmngr/dirmngr.c [HAVE_INOTIFY_INIT]: Include sys/inotify.h.
(oDisableCheckOwnSocket): New.
(opts): Add --disable-check-own-socket.
(disable_check_own_socket): New var.
(parse_rereadable_options): Set that var.
(my_inotify_is_name) [HAVE_INOTIFY_INIT]: New.
(handle_connections) [HAVE_INOTIFY_INIT]: New.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/dirmngr.h: Include asshelp.h.
* dirmngr/server.c (server_local_s): Add inhibit_dara_logging fields.
(data_line_write): Implement logging inhibit.
(data_line_cookie_close): Print non-logged D lines.
(cmd_wkd_get, cmd_ks_get, cmd_ks_fetch): Do not log D lines.
(dirmngr_assuan_log_monitor): New.
* dirmngr/dirmngr.c (main): Register monitor function.
--
In particular with large keys the D lines clutter the log output and
make it unusable.
Signed-off-by: Werner Koch <wk@gnupg.org>
* common/asshelp.c (my_log_monitor): New var.
(my_libassuan_log_handler): Run that monitor.
(setup_libassuan_logging): Add arg to set a log monitor and change all
callers.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/dirmngr.h (opts): Remove fields 'system_service' and
'system_daemon'.
* common/homedir.c (dirmngr_sys_socket_name): Remove.
(dirmngr_user_socket_name): Rename to ...
(dirmngr_socket_name): this. Change call callers.
* common/asshelp.c (start_new_dirmngr): Remove the system socket
feature.
* tools/gpgconf.c (list_dirs): Do not print "dirmngr-sys-socket".
* sm/server.c (gpgsm_server): Adjust for removed system socket feature.
* dirmngr/server.c (cmd_getinfo): Ditto.
(cmd_killdirmngr): Remove check for system daemon.
(cmd_reloaddirmngr): Ditto.
* dirmngr/dirmngr.c (USE_W32_SERVICE): Remove macro.
(aService): Remove.
(opts): Remove --service.
(w32_service_control): Remove.
(real_main, call_real_main) [W32]: Remove wrapper.
(main): Remove Windows system service feature. Remove system dameon
feature. Use only the "~/.gnupg/dirmngr_ldapservers.conf" file.
* dirmngr/certcache.c (load_certs_from_dir): Remove warning in the
system dameon case.
* dirmngr/crlcache.c (DBDIR_D): Always use "~/.gnupg/crls.d".
* dirmngr/ocsp.c (validate_responder_cert): Do not call
validate_cert_chain which was used only in system daemon mode.
* dirmngr/validate.c (validate_cert_chain): Always use the code.
--
We are now starting dirmngr as needed as a user daemon. The
deprecated system daemon mode does not anymore make sense. In case a
system wide daemon is required, it is better to setup a dedicated
account to run dirmngr and tweak socket permissions accordingly.
Signed-off-by: Werner Koch <wk@gnupg.org>
* agent/preset-passphrase.c, agent/protect-tool.c, dirmngr/dirmngr.c
* dirmngr/t-http.c, g10/gpg.c, g10/gpgv.c, g13/g13-syshelp.c
* g13/g13.c, kbx/kbxutil.c, scd/scdaemon.c, sm/gpgsm.c
* tests/gpgscm/main.c, tools/gpg-check-pattern.c
* tools/gpg-connect-agent.c, tools/gpgconf.c, tools/gpgtar.c
* tools/symcryptrun.c: Invoke log_set_prefix() with
human-readable labels.
--
Some invocations of log_set_prefix() were done with raw numeric values
instead of values that humans can understand. Use symbolic
representations instead of numeric for better readability.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
* common/stringhelp.c (string_to_u64): New.
* dirmngr/http.c (longcounter_t): Remove.
(struct cookie_s): Change content_length to uint64_t.
(parse_response): Use string_to_u64.
--
Meanwhile we allow some C99 features including stdint.h. Thus we can
simplify things now.
Signed-off-by: Werner Koch <wk@gnupg.org>
* common/init.c (init_common_subsystems): Initialize libgcrypt.
* dirmngr/Makefile.am (dirmngr_ldap): Link with libgcrypt.
--
Most other modules already call gcry_check_version() after
init_common_subsystems() so may as well move initialization of libgcrypt
to here. Also fixes a warning in the system log from gpgconf --homedir.
Signed-off-by: Ben Kibbey <bjk@luxsci.net>
* README, agent/command.c, agent/keyformat.txt, common/i18n.c,
common/iobuf.c, common/keyserver.h, dirmngr/cdblib.c,
dirmngr/ldap-wrapper.c, doc/DETAILS, doc/TRANSLATE,
doc/announce-2.1.txt, doc/gpg.texi, doc/gpgsm.texi,
doc/scdaemon.texi, doc/tools.texi, doc/whats-new-in-2.1.txt,
g10/export.c, g10/getkey.c, g10/import.c, g10/keyedit.c, m4/ksba.m4,
m4/libgcrypt.m4, m4/ntbtls.m4, po/ca.po, po/cs.po, po/da.po,
po/de.po, po/el.po, po/eo.po, po/es.po, po/et.po, po/fi.po,
po/fr.po, po/gl.po, po/hu.po, po/id.po, po/it.po, po/ja.po,
po/nb.po, po/pl.po, po/pt.po, po/ro.po, po/ru.po, po/sk.po,
po/sv.po, po/tr.po, po/uk.po, po/zh_CN.po, po/zh_TW.po,
scd/app-p15.c, scd/ccid-driver.c, scd/command.c, sm/gpgsm.c,
sm/sign.c, tools/gpgconf-comp.c, tools/gpgtar.h: replace "Allow to"
with clearer text.
In standard English, the normal construction is "${XXX} allows ${YYY}
to" -- that is, the subject (${XXX}) of the sentence is allowing the
object (${YYY}) to do something. When the object is missing, the
phrasing sounds awkward, even if the object is implied by context.
There's almost always a better construction that isn't as awkward.
These changes should make the language a bit clearer.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
* dirmngr/crlcache.c (list_one_crl_entry): Spell superseded correctly.
* dirmngr/ocsp.c (ocsp_invalid): Likewise.
This might break some tools which parse the existing output and expect
misspellings, but i'm not sure there are many such tools, and we
should use standardized orthography going forward.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
* dirmngr/ks-engine-http.c (ks_http_fetch): Reinitialize HTTP session
when following a HTTP redirection.
Signed-off-by: Damien Goutte-Gattat <dgouttegattat@incenp.org>
* dirmngr/ks-engine-hkp.c (ks_hkp_search): Prefix fingerprint with 0x.
--
pre-2.1 made sure that the 0x prefix was put before the fingerprint so
that the search command works. Actually --recv-key should be used
with a fingerprint but some users are using --search-key, probably to
use the interactive mode.
GnuPG-bug-id: 2412
Signed-off-by: Werner Koch <wk@gnupg.org>
* agent/protect.c (OCB_MODE_SUPPORTED): Remove macro.
(do_encryption): Always support OCB.
(do_decryption): Ditto.
(agent_unprotect): Ditto.
* dirmngr/server.c (is_tor_running): Unconditionally build this.
--
Although not technically required, it is easier to require them to
avoid bug reports due to too old library versions.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/dirmngr_ldap.c (fetch_ldap): Do not use log_debug in an
unprotected section. Replace log_debug by log_info in verbose mode.
--
GnuPG-bug-id: 2376
* dirmngr/dirmngr_ldap.c (fetch_ldap): Try V3 Protocol in case
default Protocol gives error.
--
Servers may have blocked V2 Protocol, in which case the
bind will result in a Protocol Error. In that case we try
again with v3 Protocol if the ldap libarary used to compile
dirmngr supports V3.
Signed-off-by: Andre Heinecke <aheinecke@intevation.de>
* dirmngr/dirmngr_ldap.c (fetch_ldap): Use ldap_err2string on bind
return.
--
ldap_simple_bind_s does not set errno.
Signed-off-by: Andre Heinecke <aheinecke@intevation.de>
* agent/gpg-agent.c (create_server_socket): Call chmod before listen.
* scd/scdaemon.c (create_server_socket): Ditto.
* dirmngr/dirmngr.c (main): Ditto.
--
This is just in case of a improperly set umask. Note that a connect
requires a write permissions.
* tools/Makefile.am (gpgconf_SOURCES): Remove no-libgcrypt.c.
(gpgconf_LDADD): Add LIBGCRYPT_LIBS.
(gpg_connect_agent_LDADD): Ditto.
(gpgtar_LDADD): Ditto.
* dirmngr/Makefile.am (dirmngr_client_LDADD): Ditto.
(t_common_ldadd): Ditto. Remove no-libgcrypt.o.
--
We need this change so that a future code in common/ can use Libgcrypt
functions; in particular hashing.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/server.c (cmd_wkd_get): Remove second occurrence of the
domain part.
--
This change updates gnupg to comply with
draft-koch-openpgp-webkey-service-01
* dirmngr/http.h (HTTP_FLAG_TRUST_DEF, HTTP_FLAG_TRUST_SYS): New.
* dirmngr/http.c (http_session_new): Add arg "flags".
* dirmngr/ks-engine-hkp.c (send_request): Use new flag
HTTP_FLAG_TRUST_DEF for the new arg of http_session_new.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
* dirmngr/t-http.c (main): Ditto.
--
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/ks-engine-http.c (ks_hkp_help): Only print https if tls
is supported.
--
Wrong reporting was pointed out by K_F. Check is the same as
in ks-engine-hkp.c
* dirmngr/dirmngr-client.c (init_asctobin): New function.
(main): Move the initialization code to the new function.
(read_pem_certificate): Initialize base64 table.
(read_certificate): Try to decode certificates given in files as PEM
first.
GnuPG-bug-id: 1844
Signed-off-by: Justus Winter <justus@g10code.com>
* dirmngr/dns-stuff.c (map_eai_to_gpg_error): Map EAI_NODATA and
EAI_ADDRFAMILY only if defined.
--
Reported-by: Christoph Moench-Tegeder <cmt@burggraben.net>
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/misc.c (hexify_data): Add arg with_prefix. Adjust all
callers.
* dirmngr/crlcache.c (cache_isvalid): Print "0x" in front of the S/N.
--
GnuPG-bug-id: 1147
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/ks-engine-hkp.c (map_host): Fix setting of r_poolname.
--
map_host is intended to return the name of the pool as an additional
information. However this broke some time ago and a pool name was
only retrained if the pool name was retrieved from a DNS CNAME.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/Makefile.am (dist_pkgdata_DATA): Add sks-keyservers.netCA.pem.
* dirmngr/http.c (http_session_new): Add optional arg
intended_hostname and set a default cert.
* dirmngr/ks-engine-hkp.c (send_request): Pass httphost to
http_session_new.
--
Ship the certificate for the sks-keyservers hkps pool. If the user
has specified that they want to use
hkps://hkps.pool.sks-keyservers.net, and they have not specified any
hkp-cacert explicitly, then initialize the trust path with this
specific trust anchor.
Co-authored-by: wk@gnupg.org
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/dns-stuff.c (enable_dns_tormode): Reference new_circuit to
avoid a warning when ADNS is not available.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
* dirmngr/ks-action.c (ks_action_search): Initialize 'http_status' as
it is unused if LDAP is used to search for keys.
--
This amends 6ac57a48.
Signed-off-by: Justus Winter <justus@g10code.com>
* dirmngr/ks-action.c (ks_action_search): Only retry if the keyserver
responded with a '404 Not Found'.
* dirmngr/ks-engine-hkp.c (send_request): Return http status code.
(ks_hkp_search): Likewise.
(ks_hkp_{get,put}): Adapt call to 'send_request'.
* dirmngr/ks-engine.h (ks_hkp_search): Update prototype.
Signed-off-by: Justus Winter <justus@g10code.com>
* dirmngr/ks-action.c (ks_action_search): Search all configured
keyservers for the given patterns.
Signed-off-by: Justus Winter <justus@g10code.com>
GnuPG-bug-id: 1038