* dirmngr/http-ntbtls.c: New.
* dirmngr/Makefile.am (dirmngr_SOURCES): Add file.
* dirmngr/dirmngr.h (SERVER_CONTROL_MAGIC): New.
(server_conrol_s): Add field 'magic',
* dirmngr/dirmngr.c (dirmngr_init_default_ctrl): Set MAGIC.
(dirmngr_deinit_default_ctrl): Set MAGIC to deadbeef.
* dirmngr/http.c (my_ntbtls_verify_cb): New.
(http_session_new) [HTTP_USE_NTBTLS]: Remove all CA setting code.
(send_request) [HTTP_USE_NTBTLS]: Set the verify callback. Do not call
the verify callback after the handshake.
* dirmngr/ks-engine-hkp.c (send_request): Pass
gnupg_http_tls_verify_cb to http_session_new.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
* dirmngr/t-http.c (my_http_tls_verify_cb): New.
(main): Rename option --gnutls-debug to --tls-debug.
(main) [HTTP_USE_NTBTLS]: Create a session.
Signed-off-by: Werner Koch <wk@gnupg.org>
* configure.ac: Add option --disable-libdns
(USE_LIBDNS): New ac_subst and am_conditional.
(USE_C99_CFLAGS): Set only if libdns is used.
* dirmngr/Makefile.am (dirmngr_SOURCES): Move dns.c and dns.h to ...
(dirmngr_SOURCES) [USE_LIBDNS0: here.
(t_common_src): Ditto.
* dirmngr/dirmngr.c (oRecursiveResolver): New constant.
(opts): New option "--recursive-resolver".
(parse_rereadable_options): Set option.
* dirmngr/t-dns-stuff.c (main): Add option --recursive-resolver.
* dirmngr/server.c (cmd_getinfo): Depend output of "dnsinfo" on the
new variables.
* dirmngr/dns-stuff.c: Include dns.h only if USE_DNSLIB is defined.
Also build and call dnslib functions only if USE_DNSLIB is defined.
(recursive_resolver): New var.
(enable_recursive_resolver): New func.
(recursive_resolver_p): New func.
--
In case users run into problems building GnuPG, the configure option
allows to disable that support and continue w/o Tor support using the
system resolver.
--recursive-resolver was easy enough to implement and may be useful in
some situation. It does not fully work, though.
Signed-off-by: Werner Koch <wk@gnupg.org>
* configure.ac (USE_C99_CFLAGS): New ac_subst. Set to -std=gnu99 for
gcc.
* dirmngr/Makefile.am (AM_CFLAGS): Add USE_C99_CFLAGS.
(t_http_CFLAGS): Ditto.
(t_ldap_parse_uri_CFLAGS): Ditto.
(t_dns_stuff_CFLAGS): Ditto.
--
C99 and the GCC option is required for use with dns.c which makes
heavy use of C99 features. We should consider to switch GnuPG
entirely to C99 but enable gcc warnings to detect features which are
not supported by not-real-c99 compilers and which makes audits
harder (VLA etc.).
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/dns.c: New file.
* dirmngr/dns.h: New file.
* dirmngr/Makefile.am (dirmngr_SOURCES): Add new files.
* dirmngr/dns-stuff.c: Include dns.h.xxx use libdns
(libdns): New global var for the libdns state.
(libdns_error_to_gpg_error): New.
(libdns_init): New.
(resolve_name_libdns): New.
(get_dns_cert_libdns): New stub.
(getsrv_libdns): New stub.
(get_dns_cname_libdns): New stub.
Signed-off-by: Justus Winter <justus@g10code.com>
* dirmngr/loadswdb.c: New.
* dirmngr/Makefile.am (dirmngr_SOURCES): Add that file.
* dirmngr/server.c: Remove includes cpparray.h and exectool.h.
(cmd_loadswdb): New.
(parse_version_number,parse_version_string): Remove.
(my_mktmpdir, cmp_version): Remove.
(fetch_into_tmpdir): Remove.
(struct verify_swdb_parm_s): Remove.
(verify_swdb_status_cb): Remove.
(cmd_versioncheck): Remove.
(register_commands): Register LOADSWDB. Remove VERSIONCHECK.
--
This change is required to to the new design where gpgconf does the
version check w/o network access and only dirmngr is responsible for
getting the swdb.
In the next installment the loading will be triggered as needed.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/Makefile.am (dirmngr_ldap_LDADD): Remove no-libgcrypt.o.
--
Thanks to Rainer Perske who located the issue.
GnuPG-bug-id: 2698
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
This is a fix for the commit: 49829c29e5
* common/init.c (init_common_subsystems): Initialize libgcrypt.
* dirmngr/Makefile.am (dirmngr_ldap): Link with libgcrypt.
--
Most other modules already call gcry_check_version() after
init_common_subsystems() so may as well move initialization of libgcrypt
to here. Also fixes a warning in the system log from gpgconf --homedir.
Signed-off-by: Ben Kibbey <bjk@luxsci.net>
* tools/Makefile.am (gpgconf_SOURCES): Remove no-libgcrypt.c.
(gpgconf_LDADD): Add LIBGCRYPT_LIBS.
(gpg_connect_agent_LDADD): Ditto.
(gpgtar_LDADD): Ditto.
* dirmngr/Makefile.am (dirmngr_client_LDADD): Ditto.
(t_common_ldadd): Ditto. Remove no-libgcrypt.o.
--
We need this change so that a future code in common/ can use Libgcrypt
functions; in particular hashing.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/Makefile.am (dist_pkgdata_DATA): Add sks-keyservers.netCA.pem.
* dirmngr/http.c (http_session_new): Add optional arg
intended_hostname and set a default cert.
* dirmngr/ks-engine-hkp.c (send_request): Pass httphost to
http_session_new.
--
Ship the certificate for the sks-keyservers hkps pool. If the user
has specified that they want to use
hkps://hkps.pool.sks-keyservers.net, and they have not specified any
hkp-cacert explicitly, then initialize the trust path with this
specific trust anchor.
Co-authored-by: wk@gnupg.org
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/dns-stuff.c: Include npth.h
(my_unprotect, my_protect): New wrapper.
(resolve_name_adns): Put unprotect/protect around adns calls.
(get_dns_cert): Ditto.
(getsrv): Ditto.
(get_dns_cname): Ditto.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/dns-stuff.c (resolve_name_standard): On failure retry by
first resolving the CNAME.
(get_dns_cname): New.
* dirmngr/t-dns-stuff.c (main): Add option --cname.
--
At least the getaddrinfo implementation in glibc 2.19-13 from Debian
returns EAI_NONAME if the CNAME points to a too long list of A/AAAA
addresses. Looking at the wire the data is correctly returned from
the server but getaddrinfo seems to get confused by truncation and
retry. To fix this we resolve the CNAME again and call getaddrinfo
again with the canonical name.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/Makefile.am (t_http_SOURCES): Add dns-stuff.c.
(t_ldap_parse_uri_SOURCES): Ditto.
* dirmngr/dns-stuff.c: Bail out if neither ADNS nor getaddrinfo is
available.
--
We used to have replacement code for getaddrinfo and thus check for it
in configure. However, this was for the old http and dns-cert code
from common/. For dirmngr I made liberal use of getaddrinfo w/o
without checking. Just in case someone tries to build on an old
platform we now error our with a suitable #error.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/dns-cert.c: Rename to dirmngr/dns-stuff.c.
* dirmngr/dns-cert.h: Rename to dirmngr/dns-stuff.h and change
includers.
* dirmngr/t-dns-cert.c: Rename to dirmngr/t-dns-stuff.c.
* dirmngr/Makefile.am: Adjust.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/http.c: Include assuan.h. Changed all code taking a socket
descriptor from int to assuan_fd_t.
(my_unprotect, my_protect): New.
(my_connect): Remove.
(_my_socket_new, _my_socket_unref): use assuan_sock_close.
(connect_server): Use assuan_sock_connect, assuan_sock_new, and
assuan_sock_close.
* dirmngr/Makefile.am (t_common_ldadd): Add LIBASSUAN_LIBS.
--
This change prepares for the use of SOCKS5 with http.
Signed-off-by: Werner Koch <wk@gnupg.org>
* common/http.c: Move to ../dirmngr/.
* common/http.h: Move to ../dirmngr/.
* common/t-http.c: Move to ../dirmngr/.
* common/tls-ca.pem: Move to ../dirmngr/.
* common/Makefile.am: Do not build libcommontls.a libcommontlsnpth.a.
Remove http.c related stuff.
* po/POTFILES.in: Move http.c to dirmngr/.
* dirmngr/Makefile.am (EXTRA_DIST): Add tls-ca.pem.
(module_maint_tests): New.
(noinst_PROGRAMS): Add module_maint_tests.
(dirmngr_SOURCES): Add http.c and http.h.
(dirmngr_LDADD): Remove libcommontlsnpth.
(t_common_ldadd): Ditto.
(t_http_SOURCES, t_http_CFLAGS, t_http_LDADD): New.
(t_ldap_parse_uri_SOURCES): Add http.c.
(t_ldap_parse_uri_CFLAGS): Build without npth.
($(PROGRAMS)): Do not require libcommontls.a libcommontlsnpth.a.
* dirmngr/dirmngr.h, dirmngr/ks-engine.h: Fix include of http.h.
--
All network access is done via dirmngr and thus http.c should be
there.
Signed-off-by: Werner Koch <wk@gnupg.org>
* common/dns-cert.h: Move to ../dirmngr/.
* common/dns-cert.c: Move to ../dirmngr/. Change args to return the
key as a buffer.
* common/t-dns-cert.c: Move to ../dirmngr/.
* common/pka.c, common/pka.h, common/t-pka.c: Remove.
* dirmngr/server.c (data_line_cookie_write): Factor code out to
data_line_write and make it a wrapper for that.
(data_line_write): New.
(cmd_dns_cert): New.
(register_commands): Register new command.
* g10/Makefile.am (LDADD): Remove DNSLIBS.
* g10/call-dirmngr.c (dns_cert_parm_s): New.
(dns_cert_data_cb, dns_cert_status_cb): New.
(gpg_dirmngr_dns_cert): New.
(gpg_dirmngr_get_pka): New.
* g10/gpgv.c (gpg_dirmngr_get_pka): New dummy function.
* g10/keyserver.c (keyserver_import_cert): Replace get_dns_cert by
gpg_dirmngr_dns_cert.
(keyserver_import_pka): Replace get_pka_info by gpg_dirmngr_get_pka.
* g10/mainproc.c: Include call-dirmngr.h.
(pka_uri_from_sig): Add CTX arg. Replace get_pka_info by
gpg_dirmngr_get_pka.
--
With this patch gpg does not do any network access itself but uses
dirmngr for that. Note that we need to keep linking to NETLIBS due to
the logging code and because we need TCP for our socket emulation
under Windows. Probably also required for Solaris etc.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/Makefile.am (dirmngr_SOURCES): Only include
ks-engine-ldap.c, ldap-parse-uri.c and ldap-parse-uri.h if USE_LDAP
is TRUE.
(module_tests): Only add t-ldap-parse-uri if USE_LDAP is TRUE.
* dirmngr/ks-action.c: Only include "ldap-parse-uri.h" if USE_LDAP is
TRUE.
(ks_action_help): Don't invoke LDAP functionality if USE_LDAP is not
TRUE.
(ks_action_search): Likewise.
(ks_action_get): Likewise.
(ks_action_put): Likewise.
* dirmngr/server.c: Only include "ldap-parse-uri.h" if USE_LDAP is
TRUE.
(cmd_keyserver): Don't invoke LDAP functionality if USE_LDAP is not
TRUE.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
GnuPG-bug-id: 1949
* g10/call-dirmngr.c (record_output): New function.
(ks_put_inq_cb): Use it here to generate a --with-colons like output
instead of a custom format.
* dirmngr/ks-action.c: Include "ldap-parse-uri.h".
(ks_action_help): If the provided URI is an LDAP URI, then use
ldap_parse_uri to parse. Call ks_ldap_help.
(ks_action_search): If passed an LDAP URI, then call ks_ldap_search.
(ks_action_get): Likewise.
(ks_action_put): Likewise. Also, change data from a 'const void *' to
a 'void *' and add info and infolen parameters. Add note that
function may modify DATA.
* dirmngr/ks-action.h (ks_action_put): Update declaration accordingly.
* dirmngr/server.c: Include "ldap-parse-uri.h".
(cmd_keyserver): If ITEM->URI is an LDAP URI, parse it using
ldap_parse_uri.
(hlp_ks_put): Improve documentation.
(cmd_ks_put): Also pass info and infolen to ks_action_put. Improve
documentation.
* dirmngr/ks-engine.h (ks_ldap_help): New declaration.
(ks_ldap_search): Likewise.
(ks_ldap_get): Likewise.
(ks_ldap_put): Likewise.
* dirmngr/ks-engine-ldap.c: New file.
* dirmngr/Makefile.am (dirmngr_SOURCES): Add ks-engine-ldap.c,
ldap-parse-uri.c and ldap-parse-uri.h.
(dirmngr_LDADD) [USE_LDAP]: Add $(ldaplibs).
--
Signed-off-by: Neal H. Walfield <neal@g10code.de>
* dirmngr/Makefile.am (module_tests): New variable.
(noinst_PROGRAMS): New primary. Set it to $(module_tests).
(TESTS): New variable. Set it to $(module_tests).
(t_common_src): New variable.
(t_common_ldadd): Likewise.
(t_ldap_parse_uri_SOURCES): New primary.
(t_ldap_parse_uri_LDADD): Likewise.
* dirmngr/ldap-parse-uri.c: New file.
* dirmngr/ldap-parse-uri.h: Likewise.
* dirmngr/t-ldap-parse-uri.c: Likewise.
* dirmngr/t-support.h: Likewise.
--
Signed-off-by: Neal H. Walfield <neal@g10code.de>
* gl/: Remove entire tree.
* configure.ac: Remove gnulib tests and the gl/ Makefile.
(setenv): Add to AC_CHECK_FUNCS.
* autogen.rc (extra_aclocal_flags): Set to empty.
* Makefile.am (ACLOCAL_AMFLAGS): Remove -I gl/m4
(SUBDIRS): Remove gl/.
* agent/Makefile.am (common_libs): Remove ../gl/gnulib.a
* common/Makefile.am (t_common_ldadd): Ditto.
* dirmngr/Makefile.am (dirmngr_LDADD): Ditto.
(dirmngr_ldap_LDADD, dirmngr_client_LDADD): Ditto.
* g10/Makefile.am (needed_libs): Ditto.
* g13/Makefile.am (g13_LDADD): Ditto.
* kbx/Makefile.am (kbxutil_LDADD): Ditto.
($(PROGRAMS)): Ditto.
* scd/Makefile.am (scdaemon_LDADD): Ditto.
* sm/Makefile.am (common_libs): Ditto.
* tools/Makefile.am (common_libs, commonpth_libs): Ditto.
* agent/gpg-agent.c: Remove "mkdtemp.h"
* g10/exec.c: Ditto.
* scd/scdaemon.c: Ditto.
* tools/symcryptrun.c: Ditto.
* common/sysutils.c: Remove "setenv.h"
* common/t-timestuff.c: Use putenv if setenv is not available.
--
gnulib has always been a cause of trouble in GnuPG because we used
only a very few functions and the complex include machinery of gnulib
is quite complex and the cause for many build problems for example on
OS X. This is not gnulib's fault but due to our limited use of gnulib
and that we only rarely update the gnulib code to avoid regressions.
In part two we will address the functions
mkdtemp
setenv
unsetenv
strpbrk
which may bot be implemented on all platforms. They are not required
on a libc based system.
Signed-off-by: Werner Koch <wk@gnupg.org>
* configure.ac: Add option --disable-ldap.
(USE_LDAP): New ac_define and am_conditional.
* dirmngr/Makefile.am: Take care of USE_LDAP.
* dirmngr/dirmngr.c (!USE_LDAP): Make all ldap options dummy options
and do not call any ldap function.
* dirmngr/server.c (!USE_LDAP): Do not call any ldap function.
* dirmngr/crlfetch.c (!USE_LDAP): Ditto.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/Makefile.am: Avoid $(DNSLIBS) for dirmngr_ldap
* g10/Makefile.am: $(LIBREADLINE) is only for gpg2; gpgv2 does not
need $(LIBASSUAN_LIBS)
* sm/Makefile.am: gpgsm does not need $(ZLIBS)
* tools/Makefile.am: gpgconf does not need $(NPTH_LIBS)
--
In the course of building GnuPG 2.1.0 beta864 on debian, i found that
several of the installed executables were linked to libraries that
they did not need to be linked to, which would cause unnecessary
package dependencies at runtime.
The changeset here removes these unnecessary libraries from linking.
Something similar could possibly also be done by passing --as-needed
to the linker, but trimming the depenencies seems more parsimonious.
* configure.ac (NEED_NTBTLS_ABI, NEED_NTBTLS_VERSION): New.
(HTTP_USE_NTBTLS): New. Prefer over GNUTLS.
* m4/ntbtls.m4: New.
* m4/Makefile.am (EXTRA_DIST): Add new file.
* common/http.c: Add conditionals to eventually use NTBTLS.
--
This is only the configure stuff. If you have NTBTLS installed GNUTLS
will not be used but there won't be any https support either :-(.
This patch is used to have a real world test bench for the forthcoming
library.
* common/Makefile.am ($(PROGRAMS)): New rule
(t_http_LDADD): Use libcommontls.a without directory prefix.
* dirmngr/Makefile.am ($(PROGRAMS)): New rule.
* scripts/gitlog-to-changelog: New script. Taken from gnulib.
* scripts/git-log-fix: New file.
* scripts/git-log-footer: New file.
* doc/HACKING: Describe the ChangeLog policy
* ChangeLog: New file.
* Makefile.am (EXTRA_DIST): Add new files.
(gen-ChangeLog): New.
(dist-hook): Run gen-ChangeLog.
Rename all ChangeLog files to ChangeLog-2011.
The basic network code from http.c is used for finger. This keeps the
network related code at one place and we are able to use the somewhat
matured code form http.c. Unfortunately I had to enhance the http
code for more robustness and probably introduced new bugs.
Test this code using
gpg --fetch-key finger:wk@g10code.com
(I might be the last user of finger ;-)
We better do this once and for all instead of cluttering all future
commits with diffs of trailing white spaces. In the majority of cases
blank or single lines are affected and thus this change won't disturb
a git blame too much. For future commits the pre-commit scripts
checks that this won't happen again.
Changed order of some conditional to make to put the special case into
the true branch. Indentation changes. Minor other changes to make the
ECC code more similar to the rest of our code.
It builds but many sefltests still fail. Need to fix that before
using it with an ECDH enabled libgcrypt.
[/]
2011-01-21 Werner Koch <wk@g10code.com>
* configure.ac: Need Libgcrypt 1.4.6 due to AESWRAP.
(HAVE_GCRY_PK_ECDH): Add new test.
[agent/]
2011-01-21 Werner Koch <wk@g10code.com>
* cvt-openpgp.c (GCRY_PK_ECDH) [!HAVE_GCRY_PK_ECDH]: New.
[include/]
2011-01-21 Werner Koch <wk@g10code.com>
* cipher.h (GCRY_PK_USAGE_CERT): Remove compatibility macros
because we now require libgcrypt 1.4.6.
(GCRY_PK_ECDH): Add replacement.
The following works:
gpg2 --gen-key (ECC)
gpg2 --list-keys
gpg2 --list-packets ~/.gnupg/pubring.gpg
gpg2 --list-packets <private key from http://sites.google.com/site/brainhub/pgpecckeys>
ECDH doesn't work yet as the code must be re-written to adjust for gpg-agent refactoring.
Werner Koch