1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

114 Commits

Author SHA1 Message Date
Werner Koch
387ee7dcbd
Merge branch 'STABLE-BRANCH-2-4'
* common/b64dec.c (b64decode): Move to ...
* common/miscellaneous.c: here.

* common/t-b64.c: Re-inroduce and keep only the b64decode test code.
2023-11-07 20:38:27 +01:00
Werner Koch
d7a1577a25
dirmngr: Add code to support the negotiation auth method.
* dirmngr/http.c (enum auth_negotiate_states): New.
(struct proxy_info_s): Add new fields.
(release_proxy_info): Free Windows stuff.
(proxy_get_token): New. Implemented only for Windows for now.
(run_proxy_connect): Add support for auth method Negotiation.
(store_header): Keep some header lines separate.
--

The code does something but I have not yet been able to test it due
to problems setting up Squid with AD authentication.  As of now it
will respond with a failure but that should not be worse than not to
implement Negotiation.

Supporting Negotiation using GSS for Unix should eventually also be
done.

GnuPG-bug-id: 6719
2023-10-02 13:10:13 +02:00
Werner Koch
53bdb7440c
dirmngr: Extended the http_get_header function.
* dirmngr/http.c (send_request): Add arg 'skip'.  Adjust all callers.
--

GnuPG-bug-id: 6719
2023-10-02 13:05:49 +02:00
Werner Koch
a5e33618f4
dirmngr: Fix handling of the HTTP Content-Length
* dirmngr/http.c (cookie_s): Add fields pending, up_to_empty_line,
last_was_lf, and last_was_lfcr.
(http_context_s): Add field keep-alive.
(http_wait_response): Set up_to_empty_line.  Take care of keep_alive
flag.
(coookie_read): Implement detection of empty lines.
(cookie_write): Free the pending buffer.
--

The problem we fix here is that we already buffered stuff beyond the
empty line which marks the start of the content-length counting.  Thus
we tried to wait for more bytes despite that everything had already
been read.  This bug might have showed up more often in the real world
since the we changed the BUFSIZ on Windows from 512 byte to 8k.  It
also depends on the length of the headers and whether the server
closed the connection so that we ignored the Content-Length.

The bug was introduced earlier than 2010 and could have the effect
that a connection got stuck until the network layer timed out.

Note that the keep-alive parts of the patch are not yet used.
2023-09-26 14:19:26 +02:00
Werner Koch
3054016db9
dirmngr: Require gnutls 3.2
* dirmngr/http.c: Remove gnutls version specific code.
(send_request): Factor some code out to ...
(run_proxy_connect): new.
(mk_proxy_request): new.
(mk_std_request): new.
* configure.ac (NEED_GNUTLS_VERSION): Require 3.2.
--

This patch is to factor out some code and also to remove support for
legacy gnutls versions.  Note that gnutls 3.2 was released 10 years
ago.
2023-09-26 14:13:51 +02:00
Werner Koch
1e120f5a8d
dirmngr: Implement automatic proxy detection on Windows.
* dirmngr/http.c [W32]: Include winhttp.h
(w32_get_internet_session): New.
(w32_get_proxy): New.
(get_proxy_for_url): Implement automatic proxy detection and fix error
in last patch.
(http_reinitialize): New.
* dirmngr/dirmngr.c (dirmngr_sighup_action): Call reinitialize.
* dirmngr/Makefile.am (NETLIBS) [W32]: Link with winhttp.
--

GnuPG-bug-id: 5768
2023-09-26 14:10:13 +02:00
Werner Koch
fed33baed1
dirmngr: Further simplify the http code and improve a message.
* dirmngr/http.c (make_fp_write, make_fp_read): New.
(http_raw_connect): Use new functions.
(http_wait_response): Ditto.
(send_request): Ditto.  Change proxy error diagnostic.
(connect_server): Improve error message for host not found.
--

GnuPG-bug-id: 5768
2023-09-26 14:06:47 +02:00
Werner Koch
845d5e61d8
dirmngr: Cleanup the http module.
* configure.ac (NEED_NTBTLS_VERSION): Require at least 0.2.0 so that
we can remove a conditional compilation.

* dirmngr/http.c (struct proxy_info_s): New.
(release_proxy_info): New to keep proxy information in one object.
(send_request): Factor some code out to ...
(get_proxy_for_url): this,
(send_request_basic_checks): this,
(send_request_set_sni): this,
(run_ntbtls_handshake): this,
(run_gnutls_handshake): and this.
--

Note that this also removes some never used code.  For example the
NTBTLS handshake has code taken from GNUTLS which was never used due
to the different ways on how the certificates are checked.

The proxy code has been factored out to make to prepare further
authentication methods.  The proxy_info_t was introduced for the same
reason.

Tested against gnutls and ntbtls builds.  No proxy tests yet done,
because we need more sophisticated tests anyway.

GnuPG-bug-id: 5768
2023-09-26 13:58:31 +02:00
NIIBE Yutaka
ea1935252e
commond: Introduce FD2NUM to express conversion to number of fds.
* common/sysutils.h (FD2NUM): New.
* agent/call-pinentry.c (watch_sock): Use FD2NUM.
* agent/gpg-agent.c (handle_connections): Likewise.
* dirmngr/dirmngr.c (handle_connections): Likewise.
* dirmngr/http.c (connect_with_timeout): Likewise.
* kbx/keyboxd.c (handle_connections): Likewise.
* scd/scdaemon.c (handle_connections): Likewise.
* tpm2d/tpm2daemon.c (handle_connections): Likewise.

--

GnuPG-bug-id: 6598
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-07-18 14:43:36 +09:00
NIIBE Yutaka
81055baf5c
dirmngr,kbk,tools: Fix type casting.
* dirmngr/http.c (send_request): Remove cast which is not needed.
* kbx/kbx-client-util.c (prepare_data_pipe): Cast to HANDLE.
* tools/gpg-connect-agent.c (do_open): Ditto.

--

GnuPG-bug-id: 6508
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-07-18 12:07:25 +09:00
NIIBE Yutaka
b849c930e9
common: Introduce FD_DBG to display gnupg_fd_t value.
* common/sysutils.h (FD_DBG): New.
* agent/gpg-agent.c (check_nonce): Use FD_DBG.
(do_start_connection_thread, start_connection_thread_ssh): Likewise.
* common/iobuf.c (fd_cache_close, file_filter, do_open): Likewise.
(do_iobuf_fdopen): Likewise.
* dirmngr/dirmngr.c (check_nonce, start_connection_thread)
(handle_connections): Likewise.
* dirmngr/http.c (_my_socket_new, _my_socket_ref): Likewise.
(_my_socket_unref): Likewise.
* g10/decrypt.c (decrypt_message_fd): Likewise.
* g10/encrypt.c (encrypt_crypt): Likewise.
* g10/openfile.c (open_outfile): Likewise.
* g10/plaintext.c (get_output_file, hash_datafile_by_fd): Likewise.
* g10/verify.c (gpg_verify): Likewise.
* kbx/keyboxd.c (check_nonce, do_start_connection_thread): Likewise.
* scd/scdaemon.c (start_connection_thread): Likewise.
(handle_connections): Likewise.
* sm/gpgsm.c (open_es_fread, open_es_fwrite): Likewise.
* tpm2d/tpm2daemon.c (start_connection_thread): Likewise.
(handle_connections): Likewise.

--

GnuPG-bug-id: 6597
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-07-18 11:54:16 +09:00
Werner Koch
0a63afc79a
dirmngr: Disable the HTTP redirect rewriting.
* dirmngr/http.h (struct http_redir_info_s): Add restrict_redir.
* dirmngr/ks-engine-hkp.c (send_request): Set it depending on flags.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
* dirmngr/t-http-basic.c (test_http_prepare_redirect): Always set it.
* dirmngr/http.c (http_prepare_redirect): Remove location rewriting
unless the flag is set.
--

GnuPG-bug-id: 6477
2023-06-15 15:06:21 +02:00
NIIBE Yutaka
0fe99d69f0
dirmngr: Fix API of functions wrt their error type.
* dirmngr/crlcache.h (fakecrl_isvalid): Fix return type.
* dirmngr/http.c (parse_response): Fix return type to gpg_error_t,
modifying the function implementation.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-05-01 11:39:24 +09:00
NIIBE Yutaka
14068dfc74 dirmngr: Fix for Windows.
* dirmngr/http.c (EHOSTUNREACH, EAFNOSUPPORT): Define when not
available.
[HTTP_USE_GNUTLS] (my_gnutls_read): Use recv for Windows.
[HTTP_USE_GNUTLS] (my_gnutls_write): Use send for Windows.

--

Reported-by: Eli Zaretskii
GnuPG-bug-id: 5899
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-05-10 14:54:40 +09:00
NIIBE Yutaka
01ade6945d dirmngr: Fix for SOCK.
* dirmngr/http.c (connect_with_timeout): Use FD2INT to unwrap SOCK.

--

GnuPG-bug-id: 5899
Reported-by: Eli Zaretskii
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-03-30 13:05:41 +09:00
Werner Koch
55b5928099
dirmngr: Change the default keyserver.
* configure.ac (DIRMNGR_DEFAULT_KEYSERVER): Change to
keyserver.ubuntu.com.

* dirmngr/certcache.c (cert_cache_init): Disable default pool cert.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Ditto.
* dirmngr/http.c (http_session_new): Ditto.

* dirmngr/server.c (make_keyserver_item): Use a different mapping for
the gnupg.net names.
--

Due to the unfortunate shutdown of the keyserver pool, the long term
defaults won't work anymore.  Thus it is better to change them.

For https access keyserver.ubuntu.com is now used because it can be
expected that this server can stand the load from newer gnupg LTS
versions.

For http based access the Dutch Surfnet keyserver is used.  However
due to a non-standard TLS certificate this server can not easily be
made the default for https.

Note: that the default server will be changed again as soon as a new
connected keyserver infrastructure has been established.

(cherry picked from commit 47c4e3e00a7ef55f954c14b3c237496e54a853c1)
2021-08-24 18:09:56 +02:00
Werner Koch
1c96f4d663
dirmngr: Support pseudo URI scheme "opaque".
* dirmngr/http.h (HTTP_PARSE_NO_SCHEME_CHECK): New.
* dirmngr/http.c (http_parse_uri): Use this flag.  Change all callers
to use the new macro for better readability.
(do_parse_uri): Add pseudo scheme "opaque".
(uri_query_value): New.
--

This scheme can be used to convey arbitrary strings in a parsed_uri_t
object.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 72124fadafde153f8ac89a70202006d831829d06)
2021-06-16 11:54:47 +02:00
Jakub Jelen
25aa353bf8
dirmgr: Avoid double free
* dirmgr/http.c (http_prepare_redirect): Avoid double free
* dirmgr/ocsp.c (check_signature): Initialize pointer

--

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
GnuPG-bug-id: 5393
2021-05-20 14:33:35 +02:00
Jakub Jelen
0d2c1e9046
dirmgr: clean up memory on error code paths
* dirmgr/crlcache.c (finish_sig_check): goto leave instead of return
* dirmgr/http.c (send_request): free authstr and proxy_authstr
* dirmgr/ldap.c (start_cert_fetch_ldap): free proxy
* dirmgr/ocsp.c (check_signature): release s_hash

--

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
GnuPG-bug-id: 5393
2021-05-20 13:38:24 +02:00
Werner Koch
c94ee1386e
Replace all calls to access by gnupg_access
* common/sysutils.c (gnupg_access): New.  Replace all calls to access
by this wrapper.
* common/homedir.c (w32_shgetfolderpath): Change to return UTF-8
directory name.
(standard_homedir): Adjust for change.
(w32_commondir, gnupg_cachedir): Ditto.
--

Also use SHGetFolderPathW instead of SHGetFolderPathA on Windows.

This is required to correctly handle non-ascii filenames on Windows.

GnuPG-bug-id: 5098
2020-10-20 12:15:55 +02:00
Werner Koch
faabc49797
dirmngr: Align the gnutls use of CAs with the ntbtls code.
* dirmngr/http.c (http_session_new) <gnutls>: Use only the special
pool certificate for the default keyserver.
--

The gnutls version uses a different strategy than the ntbtls version
on when to use the special SKS pool certificate.  This patch aligns it
so that we don't need to wonder about different kind of bug reports.
In short the special cert is now the only cert use with the default
keyserver.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-09-10 10:50:39 +02:00
Werner Koch
05358d7384
dirmngr: Print the last alert message returned by NTBTLS.
* dirmngr/http.c (send_request): Print the last TLS alert.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-08-27 09:02:21 +02:00
NIIBE Yutaka
109d16e8f6 dirmngr: Handle EAFNOSUPPORT at connect_server.
* dirmngr/http.c (connect_server): Skip server with EAFNOSUPPORT.

--

GnuPG-bug-id: 4977
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-07-13 10:03:09 +09:00
Daniel Kahn Gillmor
0904b8ef34 Spelling cleanup.
No functional changes, just fixing minor spelling issues.

---

Most of these were identified from the command line by running:

  codespell \
    --ignore-words-list fpr,stati,keyserver,keyservers,asign,cas,iff,ifset \
    --skip '*.po,ChangeLog*,help.*.txt,*.jpg,*.eps,*.pdf,*.png,*.gpg,*.asc' \
    doc g13 g10 kbx agent artwork scd tests tools am common dirmngr sm \
    NEWS README README.maint TODO

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-02-18 18:07:46 -05:00
Werner Koch
264c15c72f
dirmngr: Rework of the LDAP code, part 1.
* dirmngr/http.h (struct parsed_uri_s): Add flag is_ldap.
* dirmngr/http.c (do_parse_uri): Set flag.  Do not error out for a
missing slashes in an http scheme if NO_SCHEME_CHECK is active.
* dirmngr/t-http.c (main): Print new flag.
* dirmngr/ks-engine-ldap.c (ks_ldap_help): Use flag instead of
checking the scheme.
* dirmngr/ldap-parse-uri.c (ldap_uri_p): Re-implement using
http_parse_uri.
* dirmngr/t-ldap-parse-uri.c (main): Add option --verbose.
--

This patch merely remove the separate parser for checking for an LDAP
scheme.  It is better to let our generic URI parser handle this.  Also
fixes this bug
       || url[4] == 'i' || url[4] == 'i')
to make the rarely used ldapi scheme case-insensitive.

More changes to the LDAP code are planned.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-11-26 13:09:35 +01:00
Werner Koch
1009e4e5f7
dirmngr: Make building with a TLS library mandatory
* configure.ac: Do not build dirmngr if no TLS is available.
* dirmngr/http.c: Remove all uses of the USE_TLS macro.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-11-26 12:02:27 +01:00
Werner Koch
ae9acb8745
dirmngr: Forward http redirect warnings to gpg.
* dirmngr/http.c: Include dirmngr-status.h
(http_prepare_redirect): Emit WARNING status lines for redirection
problems.
* dirmngr/http.h: Include fwddecl.h.
(struct http_redir_info_s): Add field ctrl.
* dirmngr/ks-engine-hkp.c (send_request): Set it.
* dirmngr/ks-engine-http.c (ks_http_fetch): Set it.
* g10/call-dirmngr.c (ks_status_cb): Detect the two new warnings.
--

This should make it easier to diagnose problems with bad WKD servers.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-11-18 18:24:02 +01:00
Werner Koch
12def3a84e
dirmngr: Use IPv4 or IPv6 interface only if available.
* dirmngr/dns-stuff.c (cached_inet_support): New variable.
(dns_stuff_housekeeping): New.
(check_inet_support): New.
* dirmngr/http.c (connect_server): Use only detected interfaces.
* dirmngr/dirmngr.c (housekeeping_thread): Flush the new cache.
--

This currently works only for Windows but that is where users really
ran into problems.  The old workaround was to configure disable-ipv4
or disable-ipv6.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-11-12 20:35:12 +01:00
NIIBE Yutaka
75e0ec6517 dirmngr: Don't add system CAs for SKS HKPS pool.
* dirmngr/http.c [HTTP_USE_GNUTLS] (http_session_new): Clear
add_system_cas.

GnuPG-bug-id: 4594
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-07-16 10:10:52 +09:00
Werner Koch
37f0c55c7b
dirmngr: Do not rewrite the redirection for the "openpgpkey" subdomain.
* dirmngr/http.c (same_host_p): Consider certain subdomains to be the
same.
--

GnuPG-bug-id: 4603
Signed-off-by: Werner Koch <wk@gnupg.org>
2019-07-03 16:20:00 +02:00
Werner Koch
7098e4ce19
dirmngr: Add a CSRF expection for pm.me
--

Also comment typo fix.
2019-05-09 14:50:41 +02:00
Werner Koch
134c3c1652
dirmngr: Add CSRF protection exception for protonmail.
* dirmngr/http.c (same_host_p): Add exception table.
--

Please: Adding entries to this table shall be an exception and not the
rule.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-03-07 11:34:19 +01:00
Werner Koch
dc61f4ecea
dirmngr: New function http_status2string.
* dirmngr/http.c (http_status2string): New.
--

Right now only the standard 5xx codes.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-12-11 13:24:31 +01:00
Werner Koch
fa1b1eaa42
dirmngr: Avoid possible CSRF attacks via http redirects.
* dirmngr/http.h (parsed_uri_s): Add fields off_host and off_path.
(http_redir_info_t): New.
* dirmngr/http.c (do_parse_uri): Set new fields.
(same_host_p): New.
(http_prepare_redirect): New.
* dirmngr/t-http-basic.c: New test.
* dirmngr/ks-engine-hkp.c (send_request): Use http_prepare_redirect
instead of the open code.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
--

With this change a http query will not follow a redirect unless the
Location header gives the same host.  If the host is different only
the host and port is taken from the Location header and the original
path and query parts are kept.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-11-22 22:36:07 +01:00
Werner Koch
bd4048c533
dirmngr: Print a WARNING status for DNS config problems.
* dirmngr/dirmngr-status.h: New.
* dirmngr/dirmngr.h: Include dirmngr-status.h and move some prototypes
to that file.
* dirmngr/t-support.c: New.
* dirmngr/Makefile.am (dirmngr_SOURCES): Add dirmngr-status.h.
(t_common_src): Add t-support.c.
* dirmngr/server.c (dirmngr_status_printf): Bypass if CTRL is NULL.
* dirmngr/dns-stuff.c: Include dirmngr-status.h.
(libdns_init): Print WARNING status line.  Change call callers to take
and pass a CTRL argument.
* g10/call-dirmngr.c (ks_status_cb): Print info for new WARNING
status.
--

To test this you can change RESOLV_CONF_NAME in dns-stuff.c and run
gpg --recv-key -v SOMETHING.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-07-25 14:35:04 +02:00
Werner Koch
7b7576637d
Merge branch 'STABLE-BRANCH-2-2' into master
--

Resolved Conflicts:
	NEWS  - removed
	configure.ac - removed

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-05-13 13:29:40 +02:00
Werner Koch
bb8894760f
dirmngr: Add the used TLS library to the debug output.
* dirmngr/http.c (send_request): Print the used TLS library in debug
mode.
--

We allow two different TLS libararies and thus it is useful to see
that in the debug output of bug reports.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-04-25 15:25:26 +02:00
Werner Koch
705d8e9cf0
dirmngr: Implement CRL fetching via https.
* dirmngr/http.h (HTTP_FLAG_TRUST_CFG): New flag.
* dirmngr/http.c (http_register_cfg_ca): New.
(http_session_new) [HTTP_USE_GNUTLS]: Implement new trust flag.
* dirmngr/certcache.c (load_certs_from_dir): Call new function.
(cert_cache_deinit): Ditto.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Ditto.
* dirmngr/ks-engine-http.c (ks_http_fetch): Add new args
'send_no_cache' and 'extra_http_trust_flags'.  Change all callers to
provide the default value.
* dirmngr/crlfetch.c (crl_fetch): Rewrite to make use of
ks_http_fetch.
--

The old code simply did not use https for downloading of CRLS.
Instead it rewrote https to http under the assumption that the CRL
service was also available without encryption.  Note that a CRL is
self-standing and thus it does not need to have extra authenticity as
provided by TLS.  These days we should not use any unencrypted content
and thus this patch.

Be aware that cacert.org give a https CRL DP but that currently
redirects to to http!  This is a downgrade attack which we detect and
don't allow.  The outcome is that it is right now not possible to use
CAcert certificates.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-04-25 12:38:04 +02:00
Werner Koch
b56dfdfc18
Use the gpgrt log functions if possible.
* common/logging.c: Do not build any code if we can use the gpgrt_log
functions.
(log_logv_with_prefix): Rename to log_logv_prefix and change order of
args so that this function matches its printf like counterpart
gpgrt_logv_prefix.  Change all callers.
(log_debug_with_string): Rename to log_debug_string. Change all
callers.
(log_printhex): Move first arg to end so that this function matches
its printf like counterpart gpgrt_log_printhex.  Change all callers.
* common/logging.h: Divert to gpgrt/libgpg-error if we can use the
gpgrt_log functions.
(bug_at): Add inline versions if we can use the gpgrt_log functions.
* configure.ac (GPGRT_ENABLE_LOG_MACROS): Add to AH_BOTTOM.
(mycflags): Add -Wno-format-zero-length.
--

This patch enables the use of the log function from libgpgrt (aka
libgpg-error).  Instead of checking a version number, we enable them
depending on macros set by recent gpg-error versions.  Eventually the
whole divert stuff can be removed.

The -Wno-format-zero-length is required because log_printhex can be
called with an empty format string.  Note that this is fully specified
standard C behaviour.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-11-27 15:00:25 +01:00
Werner Koch
482fd5758c
dirmngr,w32: Fix http connection timeout problem.
* dirmngr/http.c (connect_with_timeout) [W32]: Take care of EAGAIN.
--

GnuPG-bug-id: 3319
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-31 13:12:37 +02:00
Werner Koch
c5e5748480
dirmngr: Do not use a blocking connect in Tor mode.
* dirmngr/http.c (http_raw_connect): Disable the timeout in Tor mode.
(send_request): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-26 13:48:27 +02:00
NIIBE Yutaka
ade4b2744c dirmngr: More minor fix.
* dirmngr/http.c (send_request): Care the case of !USE_TLS.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-07-24 16:09:11 +09:00
NIIBE Yutaka
789401e955 dirmngr: More minor fixes.
* dirmngr/http.c (http_verify_server_credentials): Duplicated const.
* dirmngr/ldap.c (parse_one_pattern): Add comment.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-07-24 15:35:34 +09:00
NIIBE Yutaka
274602820c dirmngr: Minor fix for Windows.
* dirmngr/http.c (connect_with_timeout): Use FD2INT.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-07-24 15:30:56 +09:00
Justus Winter
da91d2106a
dirmngr: Implement TLS over http proxies.
* dirmngr/http.c (send_request): If a http proxy is to be used, and we
want to use TLS, try to use the CONNECT method to get a connection to
the target server.

GnuPG-bug-id: 2940
Signed-off-by: Justus Winter <justus@g10code.com>
2017-07-19 12:14:30 +02:00
Justus Winter
e7eabe66b6
dirmngr: Log http response in debug mode.
* dirmngr/http.c (parse_response): Log http response in debug mode.

Signed-off-by: Justus Winter <justus@g10code.com>
2017-07-19 12:14:28 +02:00
Justus Winter
1ba220e681
dirmngr: Amend TLS handling.
* dirmngr/http.c (http_wait_response): Get the 'use_tls' flag from the
write cookie, not from the URI.

Signed-off-by: Justus Winter <justus@g10code.com>
2017-07-19 12:14:27 +02:00
Justus Winter
46a4a0c0e7
dirmngr: Fix connecting to http proxies.
* dirmngr/http.c (send_request): Do not use the 'srvtag' intended for
the target host to connect to the http proxy.

Signed-off-by: Justus Winter <justus@g10code.com>
2017-07-19 12:14:25 +02:00
Justus Winter
73d4781e45
dirmngr: Fix handling of proxy URIs.
* dirmngr/http.c (send_request): We do not support socks4.

Signed-off-by: Justus Winter <justus@g10code.com>
2017-07-19 11:18:39 +02:00
Justus Winter
b231959728
dirmngr: Honor http keyserver URLs.
* dirmngr/http.c (parse_uri): Keep an unmodified copy of the URI.
* dirmngr/http.h (struct parsed_uri_s): New field 'original'.
* dirmngr/ks-action.c (ks_action_get): Properly handle http and https
URLs.
--

If a key has a http or https URL as preferred keyserver, fetch the key
from there.  Previously, dirmngr unconditionally interpreted these
URLs as hkp servers.

GnuPG-bug-id: 2924
Signed-off-by: Justus Winter <justus@g10code.com>
2017-07-18 13:56:33 +02:00