* doc/DETAILS: Specify new status code "NOTE".
* dirmngr/ks-engine-http.c (ks_http_fetch): Print a NOTE status for a
bad TLS certificate.
* g10/call-dirmngr.c (ks_status_cb): Detect this status.
--
For example a
gpg -v --locate-external-keys dd9jn@posteo.net
now yields
gpg: Note: server uses an invalid certificate
gpg: (further info: bad cert for 'posteo.net': \
Hostname does not match the certificate)
gpg: error retrieving 'dd9jn@posteo.net' via WKD: Wrong name
gpg: error reading key: Wrong name
(without -v the "further info" line is not shown). Note that even
after years Posteo is not able to provide a valid certificate for
their .net addresses. Anyway, this help to show the feature.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/http.c: Include dirmngr-status.h
(http_prepare_redirect): Emit WARNING status lines for redirection
problems.
* dirmngr/http.h: Include fwddecl.h.
(struct http_redir_info_s): Add field ctrl.
* dirmngr/ks-engine-hkp.c (send_request): Set it.
* dirmngr/ks-engine-http.c (ks_http_fetch): Set it.
* g10/call-dirmngr.c (ks_status_cb): Detect the two new warnings.
--
This should make it easier to diagnose problems with bad WKD servers.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/ks-engine-hkp.c (send_request): New case for 413.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
* dirmngr/ocsp.c (do_ocsp_request): Ditto.
--
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/http.h (parsed_uri_s): Add fields off_host and off_path.
(http_redir_info_t): New.
* dirmngr/http.c (do_parse_uri): Set new fields.
(same_host_p): New.
(http_prepare_redirect): New.
* dirmngr/t-http-basic.c: New test.
* dirmngr/ks-engine-hkp.c (send_request): Use http_prepare_redirect
instead of the open code.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
--
With this change a http query will not follow a redirect unless the
Location header gives the same host. If the host is different only
the host and port is taken from the Location header and the original
path and query parts are kept.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/dirmngr-status.h: New.
* dirmngr/dirmngr.h: Include dirmngr-status.h and move some prototypes
to that file.
* dirmngr/t-support.c: New.
* dirmngr/Makefile.am (dirmngr_SOURCES): Add dirmngr-status.h.
(t_common_src): Add t-support.c.
* dirmngr/server.c (dirmngr_status_printf): Bypass if CTRL is NULL.
* dirmngr/dns-stuff.c: Include dirmngr-status.h.
(libdns_init): Print WARNING status line. Change call callers to take
and pass a CTRL argument.
* g10/call-dirmngr.c (ks_status_cb): Print info for new WARNING
status.
--
To test this you can change RESOLV_CONF_NAME in dns-stuff.c and run
gpg --recv-key -v SOMETHING.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/ks-engine.h (KS_HTTP_FETCH_NOCACHE): New flag.
(KS_HTTP_FETCH_TRUST_CFG): Ditto.
(KS_HTTP_FETCH_NO_CRL): Ditto.
(KS_HTTP_FETCH_ALLOW_DOWNGRADE): Ditto.
* dirmngr/ks-engine-http.c (ks_http_fetch): Replace args send_no_cache
and extra_http_trust_flags by a new flags arg. Allow redirectiong
from https to http it KS_HTTP_FETCH_ALLOW_DOWNGRADE is set.
* dirmngr/loadswdb.c (fetch_file): Call with KS_HTTP_FETCH_NOCACHE.
* dirmngr/ks-action.c (ks_action_get): Ditto.
(ks_action_fetch): Ditto.
* dirmngr/crlfetch.c (crl_fetch): Call with the appropriate flags.
--
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/http.h (HTTP_FLAG_TRUST_CFG): New flag.
* dirmngr/http.c (http_register_cfg_ca): New.
(http_session_new) [HTTP_USE_GNUTLS]: Implement new trust flag.
* dirmngr/certcache.c (load_certs_from_dir): Call new function.
(cert_cache_deinit): Ditto.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Ditto.
* dirmngr/ks-engine-http.c (ks_http_fetch): Add new args
'send_no_cache' and 'extra_http_trust_flags'. Change all callers to
provide the default value.
* dirmngr/crlfetch.c (crl_fetch): Rewrite to make use of
ks_http_fetch.
--
The old code simply did not use https for downloading of CRLS.
Instead it rewrote https to http under the assumption that the CRL
service was also available without encryption. Note that a CRL is
self-standing and thus it does not need to have extra authenticity as
provided by TLS. These days we should not use any unencrypted content
and thus this patch.
Be aware that cacert.org give a https CRL DP but that currently
redirects to to http! This is a downgrade attack which we detect and
don't allow. The outcome is that it is right now not possible to use
CAcert certificates.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/ks-engine-http.c (ks_http_fetch): Forbid redirects from
a https URI to a http URI.
--
GnuPG-bug-id: 3436
Signed-off-by: Damien Goutte-Gattat <dgouttegattat@incenp.org>
* dirmngr/dirmngr.c (oConnectTimeout, oConnectQuickTimeout): New
enums.
(opts): New options --connect-timeout and --connect-quick-timeout.
(DEFAULT_CONNECT_TIMEOUT): New.
(DEFAULT_CONNECT_QUICK_TIMEOUT): New.
(parse_rereadable_options): Handle new options.
(post_option_parsing): New. Use instead of direct calls to
set_debug() and set_tor_mode ().
(main): Setup default timeouts.
(dirmngr_init_default_ctrl): Set standard connect timeout.
* dirmngr/dirmngr.h (opt): New fields connect_timeout and
connect_quick_timeout.
(server_control_s): New field timeout.
* dirmngr/ks-engine-finger.c (ks_finger_fetch): Pass timeout to
http_raw_connect.
* dirmngr/ks-engine-hkp.c (send_request): Call
http_session_set_timeout.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
* dirmngr/server.c (cmd_wkd_get, cmd_ks_search, cmd_ks_get)
(cmd_ks_fetch): Implement --quick option.
--
The standard connect timeouts are way to long so we add a timeout to
the connect calls. Also implement the --quick option which is already
used by gpg for non-important requests (e.g. looking up a key for
verification).
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/dirmngr.h (struct opt): Add field 'disable_ipv6'.
* dirmngr/dirmngr.c (oDisableIPv6): New const.
(opts): New option --disable-ipv6.
(parse_rereadable_options): Set that option.
* dirmngr/dns-stuff.c (opt_disable_ipv6): New var.
(set_dns_disable_ipv6): New.
(resolve_name_standard): Make use of it.
* dirmngr/ks-engine-finger.c (ks_finger_fetch): Take care of
OPT.DISABLE_IPV6.
* dirmngr/ks-engine-hkp.c (map_host): Ditto.
(send_request): Ditto.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
* dirmngr/ocsp.c (do_ocsp_request): Ditto.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/dirmngr.h (server_control_s): New flag 'http_no_crl'.
* dirmngr/dirmngr.c (dirmngr_init_default_ctrl): Set this flag.
* dirmngr/server.c (option_handler): New option "http-crl"
* dirmngr/http.h (HTTP_FLAG_NO_CRL): New flag.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Consult this flag.
* dirmngr/ks-engine-hkp.c (send_request): Set flag depending on CTRL.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
* dirmngr/t-http.c (main): New option --no-crl.
--
This new option can be used to enable CRL checks on a per session
base. The default is not to use CRLs for https connections.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/http-ntbtls.c: New.
* dirmngr/Makefile.am (dirmngr_SOURCES): Add file.
* dirmngr/dirmngr.h (SERVER_CONTROL_MAGIC): New.
(server_conrol_s): Add field 'magic',
* dirmngr/dirmngr.c (dirmngr_init_default_ctrl): Set MAGIC.
(dirmngr_deinit_default_ctrl): Set MAGIC to deadbeef.
* dirmngr/http.c (my_ntbtls_verify_cb): New.
(http_session_new) [HTTP_USE_NTBTLS]: Remove all CA setting code.
(send_request) [HTTP_USE_NTBTLS]: Set the verify callback. Do not call
the verify callback after the handshake.
* dirmngr/ks-engine-hkp.c (send_request): Pass
gnupg_http_tls_verify_cb to http_session_new.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
* dirmngr/t-http.c (my_http_tls_verify_cb): New.
(main): Rename option --gnutls-debug to --tls-debug.
(main) [HTTP_USE_NTBTLS]: Create a session.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/dns-stuff.c (disable_dns_tormode): New.
* dirmngr/dirmngr.c (oNoUseTor): New const.
(opts): New option --no-use-tor.
(tor_mode): New var.
(parse_rereadable_options): Change to use TOR_MODE.
(dirmngr_use_tor): New.
(set_tor_mode): Call disable_dns_tormode. Implement oNoUseTor.
* dirmngr/dirmngr.h (opt): Remove field 'use_tor'. Replace all
references by a call to dirmngr_use_tor().
* dirmngr/server.c (cmd_getinfo): Distinguish between default and
enforced TOR_MODE.
--
This patch replaces the global variable opt.use_tar by a function
testing a file local mode flag. This patch prepares for a
use-tor-if-available mode.
GnuPG-bug-id: 2935
Signed-off-by: Werner Koch <wk@gnupg.org>
* common/logging.c (do_logv): Remove extra parentheses in comparison.
* dirmngr/dns-stuff.c (resolve_addr_libdns): Init RES so that
dns_res_close is given a defined value in the error case.
* dirmngr/http.c (cookie_read, cookie_write) [HTTP_USE_NTBTLS]: Fix
format string char.
* dirmngr/ks-engine-hkp.c (ks_hkp_help): Remove duplicate "const".
* dirmngr/ks-engine-http.c (ks_http_help): Ditto.
* dirmngr/ks-engine-kdns.c (ks_kdns_help): Ditto.
* dirmngr/ks-engine-ldap.c (ks_ldap_help): Ditto.
* scd/app-p15.c (send_keypairinfo, do_getattr): Fix format string
char.
* tools/gpgconf-comp.c (gpg_agent_runtime_change): Init PID for the
error case.
(scdaemon_runtime_change): Ditto.
(dirmngr_runtime_change): Ditto.
* tools/gpgconf.c (query_swdb): Init VALUE_SIZE_UL.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/ks-engine-http.c (ks_http_fetch): Reinitialize HTTP session
when following a HTTP redirection.
Signed-off-by: Damien Goutte-Gattat <dgouttegattat@incenp.org>
* dirmngr/http.h (HTTP_FLAG_TRUST_DEF, HTTP_FLAG_TRUST_SYS): New.
* dirmngr/http.c (http_session_new): Add arg "flags".
* dirmngr/ks-engine-hkp.c (send_request): Use new flag
HTTP_FLAG_TRUST_DEF for the new arg of http_session_new.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
* dirmngr/t-http.c (main): Ditto.
--
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/ks-engine-http.c (ks_hkp_help): Only print https if tls
is supported.
--
Wrong reporting was pointed out by K_F. Check is the same as
in ks-engine-hkp.c
* dirmngr/Makefile.am (dist_pkgdata_DATA): Add sks-keyservers.netCA.pem.
* dirmngr/http.c (http_session_new): Add optional arg
intended_hostname and set a default cert.
* dirmngr/ks-engine-hkp.c (send_request): Pass httphost to
http_session_new.
--
Ship the certificate for the sks-keyservers hkps pool. If the user
has specified that they want to use
hkps://hkps.pool.sks-keyservers.net, and they have not specified any
hkp-cacert explicitly, then initialize the trust path with this
specific trust anchor.
Co-authored-by: wk@gnupg.org
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/dirmngr.h (opt): Add field "use_tor".
* dirmngr/dirmngr.c (oUseTor): New.
(opts): Add --use-tor.
(parse_rereadable_options): Set option.
(main): Tell gpgconf about that option.
* dirmngr/crlfetch.c (crl_fetch): Pass TOR flag to the http module and
return an error if LDAP is used in TOR mode.
(ca_cert_fetch): Return an error in TOR mode.
(start_cert_fetch): Ditto.
* dirmngr/ks-engine-finger.c (ks_finger_fetch): Pass TOR flag to the
http module.
* dirmngr/ks-engine-hkp.c (send_request): Ditto.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
* dirmngr/ks-engine-ldap.c (ks_ldap_get): Return an error in TOR mode.
(ks_ldap_search): Ditto.
(ks_ldap_put): Ditto.
* dirmngr/ocsp.c (do_ocsp_request): Ditto. Also pass TOR flag to the
http module.
* dirmngr/server.c (option_handler): Add "honor-keyserver-url-used".
(cmd_dns_cert): Return an error in TOR mode.
(cmd_getinfo): Add subcommand "tor"
* tools/gpgconf-comp.c (gc_options_dirmngr): Add TOR group.
--
More work is required to actually make --use-tor useful. For now it
returns an error for almost all network access but as soon as we have
added the TOR feature to the http module some parts will start to
work.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/ks-engine-hkp.c (cert_log_cb): Move to ...
* dirmngr/misc.c (cert_log_cb): here.
* dirmngr/ks-engine-http.c (ks_http_fetch): Support 307-redirection
and https.
--
Note that this requires that the root certificates are registered using
the --hkp-cacert option. Eventually we may introduce a separate
option to allow using different CAs for KS_FETCH and keyserver based
requests.
* common/http.c (http_open): Add arg httphost.
(http_open_document): Pass NULL for httphost.
(send_request): Add arg httphost. If given, use HTTPHOST instead of
SERVER. Use https with a proxy if requested.
(http_verify_server_credentials): Do not stop at the first error
message.
* dirmngr/ocsp.c (do_ocsp_request): Adjust call to http_open.
* keyserver/curl-shim.c (curl_easy_perform): Ditto.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
* dirmngr/ks-engine-hkp.c (ks_hkp_help): Ditto.
The asymmetric quotes used by GNU in the past (`...') don't render
nicely on modern systems. We now use two \x27 characters ('...').
The proper solution would be to use the correct Unicode symmetric
quotes here. However this has the disadvantage that the system
requires Unicode support. We don't want that today. If Unicode is
available a generated po file can be used to output proper quotes. A
simple sed script like the one used for en@quote is sufficient to
change them.
The changes have been done by applying
sed -i "s/\`\([^'\`]*\)'/'\1'/g"
to most files and fixing obvious problems by hand. The msgid strings in
the po files were fixed with a similar command.
We had some debug code here which prevented it from working.
The host selection code still needs a review!
* ks-engine-http.c (ks_http_help): Do not print help for hkp.
* ks-engine-hkp.c (ks_hkp_help): Print help only for hkp.
(send_request): Remove test code.
(map_host): Use xtrymalloc.
* certcache.c (classify_pattern): Remove unused variable and make
explicit substring search work.
Werner Koch