1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-23 10:29:58 +01:00

636 Commits

Author SHA1 Message Date
NIIBE Yutaka
51dc05c308
build: Update for newer autoconf.
* configure.ac (AC_PREREQ): Use >= 2.69.
(AC_CONFIG_HEADERS): Use it, instead of AC_CONFIG_HEADER.
(AC_HEADER_STDC, AC_HEADER_TIME): Remove obsolete macros.
(sys/time.h): Add the check of the header.
(time_t): Don't use TIME_WITH_SYS_TIME.
* acinclude.m4 (AC_HEADER_TIME): Don't require.
Don't use TIME_WITH_SYS_TIME.
* dirmngr/dns.c: Don't use TIME_WITH_SYS_TIME.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 6b4441a7de9d7090bb3b1570a12e1e8bce0554cb)
2023-08-31 10:25:45 +02:00
Werner Koch
8dd30e27e2
dirmngr: Extend the AD_QUERY command.
* dirmngr/server.c (cmd_ad_query): Add options --help and --subst.
(cmd_getinfo): Add sub-command "sid".
* dirmngr/ks-engine.h (KS_GET_FLAG_SUBST): New.
* dirmngr/ks-engine-ldap.c (ks_ldap_help_variables): New.
(getval_for_filter): New.
(map_rid_to_dn): New.
(ks_ldap_query): Support variables.
--

The new variables features makes it easier to write AD queries without
requiring domain specific expressions.

(cherry picked from commit 207c99567ced260aab04c471c77f179943d492f4)
2023-08-25 14:50:17 +02:00
Werner Koch
159fb5cdbb
dirmngr: Fix LDAP time parser.
* dirmngr/ldap-misc.c (rfc4517toisotime): Correct index.
--

Obviously the parser assumes the standard ISO format with the 'T'
before the hour.  That is not correct here.  We need this parser for
the modifyTimestamp thingy.
2023-08-25 14:35:56 +02:00
Werner Koch
bdc69f73a4
dirmngr: Return modifyTimestamp and add server option --newer.
* dirmngr/server.c (cmd_ks_get): Add option --newer.
(cmd_ad_query): Ditto.
* dirmngr/ldap-misc.c (isotime2rfc4517): New.
(rfc4517toisotime): New.
* dirmngr/ks-action.c (ks_action_get): Add arg newer and pass on.
(ks_action_query): Ditto.
* dirmngr/ks-engine-ldap.c (extract_keys): Print new "chg" record.
(ks_ldap_get): Add arg newer.  Modify filter with newer arg.
(ks_ldap_search): Print the modifyTimestamp.
(ks_ldap_query): Add arg newer.  Modify filter with newer arg.
--

Note that the modifyTimestamp is also available on Windows, where its
value is more commonly known as whenChanged.  Both are constructed
attributes.

Note that the --newer option is a bit of a misnomer because LDAP has
only a greater-or-equal and no greater-than operator.

(cherry picked from commit 56d309133f0e54ac5e2f95871fb74f8cb97e2636)
2023-08-25 14:34:33 +02:00
Werner Koch
2a3bad5985
dirmngr: New command AD_QUERY.
* dirmngr/dirmngr.h: Include name-value.h
(struct server_control_s): Add rootdse and rootdse_tried.
* dirmngr/dirmngr.c (dirmngr_deinit_default_ctrl): Release them.
* dirmngr/ks-engine.h (KS_GET_FLAG_ROOTDSE): Add two new flags.
* dirmngr/ks-engine-ldap.c: Include ks-action.h
(SERVERINFO_GENERIC): New.
(struct ks_engine_ldap_local_s): Add scope.
(ks_ldap_new_state): Set a default scope.
(ks_ldap_clear_state): Ditto.
(my_ldap_connect): Add flag generic.
(return_all_attributes): New.
(fetch_rootdse): New.
(basedn_from_rootdse): New.
(ks_ldap_get): Move some code out to ...
(ks_ldap_prepare_my_state): New.
(ks_ldap_query): New.
* dirmngr/ks-action.c (ks_action_parse_uri): Factored out from server.c
(ks_action_query): New.
* dirmngr/server.c (make_keyserver_item): Factored most code out to
ks_action_parse_uri.
(cmd_ad_query): New.

* dirmngr/ks-engine-ldap.c (no_ldap_due_to_tor): New common error
printing.  Now also with status line.
--

This command allows to query the Windows Active directory.

(cherry picked from commit 625aeb65b0e75192a414fdca5383cb67c996adee)

no_ldap_due_to_tor has been backported from 2.4
2023-08-25 14:23:39 +02:00
Werner Koch
ed92b45c47
dirmngr: New option --ignore-crl-extensions.
* dirmngr/dirmngr.c (oIgnoreCRLExtension): New.
(opts): Add --ignore-crl-extension.
(parse_rereadable_options): Add to list/
* dirmngr/dirmngr.h (opt): Add ignored_crl_extensions.
* dirmngr/crlcache.c (crl_cache_insert): Implement option.
--

This option is is useful for debugging problems with new CRL
extensions.  It is similar to --ignore-cert-extension.

GnuPG-bug-id: 6545
2023-07-05 12:12:18 +02:00
Werner Koch
24a9c77f36
gpgsm: Support SENDCERT_SKI for --call-dirmngr
* sm/call-dirmngr.c (run_command_inq_cb): Support SENDCERT_SKI.

* dirmngr/crlcache.c (crl_cache_insert): Print the CRL name along with
the unknown OID nortice.
2023-07-05 12:11:03 +02:00
Werner Koch
ff81ded48d
dirmngr: New dummy option --compatibility-flags.
* dirmngr/dirmngr.c (oCompatibilityFlags): New.
(opts): Add option --compatibility-flags.
(compatibility_flags): New.
(parse_rereadable_options): Parse them.
2023-07-05 12:10:29 +02:00
zhangguangzhi
96e3579f6d
delete redundant characters
--

GnuPG-bug-id: 6482
Signed-off-by: zhangguangzhi <zhangguangzhi3@huawei.com>
2023-06-20 09:06:30 +09:00
Werner Koch
625fb54899
w32: Add missing manifests and set a requestedExecutionLevel.
* agent/gpg-agent.w32-manifest.in: New.
* dirmngr/dirmngr-client-w32info.rc: New.
* dirmngr/dirmngr-client.w32-manifest.in: New.
* dirmngr/dirmngr-w32info.rc: New.
* dirmngr/dirmngr.w32-manifest.in: New.
* dirmngr/dirmngr_ldap-w32info.rc: New.
* dirmngr/dirmngr_ldap.w32-manifest.in: New.
* g10/gpgv-w32info.rc: New.
* g10/gpgv.w32-manifest.in: New.
* kbx/keyboxd.w32-manifest.in: New.
* scd/scdaemon.w32-manifest.in: New.
* sm/gpgsm.w32-manifest.in: New.
--

This avoids the use of the VirtualStore uner Windows.

GnuPG-bug-id: 6503

Backported from 2.4; some manifest files already existed in 2.2 but
not in 2.4
2023-05-25 11:10:21 +02:00
Werner Koch
818051432c
dirmngr: Do not check for Tor for --gpgconf-* options
* dirmngr/dirmngr.c (post_option_parsing): Add arg CMD.
(main): Pass the current command.
2023-01-11 11:13:15 +01:00
Werner Koch
cce5ecece1
dirmngr: Silence debug diagnostics in OCSP
* dirmngr/ocsp.c (check_signature_core): Print them only in debug
mode.
2022-11-17 17:14:15 +01:00
Werner Koch
1307081dc0
dirmngr: Fix verification of ECDSA signed CRLs.
* dirmngr/crlcache.c (finish_sig_check): Use raw value for the data.
--

This had the usual signed/unsigned problem.  By using the modern form
we enforce Libgcrypt internal parsing as unsigned integer.

(cherry picked from commit 868dabb4027a03f4ce39be3c143b480bccde1a63)
2022-11-15 10:47:33 +01:00
Werner Koch
afaed3c122
dirmngr: Support ECDSA for OCSP.
* dirmngr/validate.c (pk_algo_from_sexp): Make public.  Support ECC.
* dirmngr/ocsp.c (check_signature): Remove hash preparation out to ...
(check_signature_core): here.  This changes the arg s_hash to md.
Support ECDSA.
--

The test was done with my qualified signature certificate from the
Telesec and their responder http://tqrca1.ocsp.telesec.de/ocspr .
See also libksba commit rK24992a4a7a61d93759e1dbd104b845903d4589bf

(cherry picked from commit 890e9849b58e91fb7e0ad8d3b11d19363fca2d8a)
2022-11-15 10:47:32 +01:00
Werner Koch
502d43ac30
dirmngr: Support ECDSA for CRLs
* dirmngr/crlcache.c (finish_sig_check): Support ECDSA.
* dirmngr/validate.c (check_cert_sig): Ditto.  Remove the never
used support for DSA.

(cherry picked from commit de87c8e1ead72ea67789ffa4375f9dd3e4f9e2fa)
2022-11-15 10:47:31 +01:00
NIIBE Yutaka
a5c3821664
dirmngr: Fix build with no LDAP support.
* dirmngr/server.c [USE_LDAP] (start_command_handler): Conditionalize.

--

Cherry-pick master commit of:
	7011286ce6e1fb56c2989fdafbd11b931c489faa

GnuPG-bug-id: 6239
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-10-18 10:16:11 +09:00
Werner Koch
a70a3204c2
dirmngr: Support paged LDAP mode for KS_GET
* dirmngr/ks-engine-ldap.c (PAGE_SIZE): New.
(struct ks_engine_ldap_local_s): Add several new fields.
(ks_ldap_clear_state): Release them.
(search_and_parse): Factored out from ks_ldap_get and extended to
support the paged mode.
(ks_ldap_get):  Implement the pages mode for --first and --next.
* dirmngr/server.c (cmd_ks_get): Provide a dummy passphrase in --first
mode.
* dirmngr/Makefile.am (dirmngr_LDADD): Add LBER_LIBS.
--

The paged mode allows to retrieve more items than the servers usually
limit (e.g. 1000 for an LDS).  This patch also allows to use --first
without a patter to retrieve all keyblocks (except for disabled and
revoked keys).

GnuPG-bug-id: 6224
Backported-from-master: 7a01e806eac4cd7a65eaf3e17dcd2f117ec2d327
2022-10-07 13:54:34 +02:00
Werner Koch
20cb9319d9
dirmngr: New options --first and --next for KS_GET.
* dirmngr/server.c (cmd_ks_get): Add option --first and --next.
(start_command_handler): Free that new ldap state.
* dirmngr/ks-engine-ldap.c (struct ks_engine_ldap_local_s): New.
(ks_ldap_new_state, ks_ldap_clear_state): New.
(ks_ldap_free_state): New.
(return_one_keyblock): New.  Mostly factored out from ....
(ks_ldap_get): here.  Implement --first/--next feature.

* dirmngr/ks-action.c (ks_action_get): Rename arg ldap_only to
ks_get_flags.
* dirmngr/ks-engine.h (KS_GET_FLAG_ONLY_LDAP): New.
(KS_GET_FLAG_FIRST): New.
(KS_GET_FLAG_NEXT): New.

* dirmngr/dirmngr.h (struct server_control_s): Add member
ks_get_state.
(struct ks_engine_ldap_local_s): New forward reference.
--

This feature allows to fetch keyblock by keyblock from an LDAP server.
This way tools can process and maybe filter each keyblock in a more
flexible way.  Here is an example where two keyblocks for one mail
address are returned:

  $ gpg-connect-agent --dirmngr
  > ks_get --ldap --first  <foo@example.org>
  [... First keyblock is returned ]
  OK
  > ks_get --next
  [ ... Next keyblock is returned ]
  OK
  > ks_get --next
  ERR 167772218 No data <Dirmngr>

GnuPG_bug_id: 6224
Backported-from-master: 4de98d4468f37bfb8352426830d5d5642ded7536
2022-10-07 13:49:55 +02:00
Werner Koch
4cf8dc2d96
dirmngr: Minor fix for baseDN fallback.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Avoid passing data
behind the EOS.
(interrogate_ldap_dn): Stylistic change.
--

This also updates the my_ldap_connect description.

GnuPG-bug-id: 6047
(cherry picked from commit 11aa5a93a754fe978d0f35d7fbeb4767b6b6df05)
2022-10-07 13:35:21 +02:00
NIIBE Yutaka
73cc5e073c
dirnmgr: Fix the function prototype.
* dirmngr/ldap-wrapper.c (ldap_wrapper_wait_connections): It's with
no arguments.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 530d709607e54465ce47c1fc7d2554ea3b0bea6b)
2022-10-07 13:22:03 +02:00
NIIBE Yutaka
98fbac6141
dirmngr: Change interrogate_ldap_dn for better memory semantics.
* dirmngr/ks-engine-ldap.c (interrogate_ldap_dn): Return BASEDN found,
memory allocated.
(my_ldap_connect): Follow the change, removing needless allocation.

--

GnuPG-bug-id: 6047
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 4b2066afb4988c32a030330acf51b7b0dc190041)
2022-10-07 13:21:37 +02:00
Joey Berkovitz
5516f92224
dirmngr: Interrogate LDAP server when base DN specified.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): interrogate LDAP
server when basedn specified.

--

GnuPG-bug-id: 6047
Signed-off-by: Joey Berkovitz <joeyberkovitz@gmail.com>
(cherry picked from commit 3257385378bb3f19ebf089538f0efe2154487989)
2022-10-07 13:21:20 +02:00
Werner Koch
615c9717c1
dirmngr: Support gpgMailbox for mode MAILSUB and MAILEND.
* dirmngr/ks-engine-ldap.c (keyspec_to_ldap_filter): Use gpgMailbox if
server supports this.
2022-10-07 13:19:10 +02:00
Werner Koch
44960e702e
dirmngr: Factor out interrogate_ldap_dn function.
* dirmngr/ks-engine-ldap.c (interrogate_ldap_dn): New.
--

GnuPG-bug-id: 6047
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Backported-from-master: 993820c315216584e23d36299920007abfeb3a32
2022-10-07 13:16:57 +02:00
Werner Koch
d7a0df4478
doc: Typo fix in a comment.
--
2022-09-28 15:41:16 +02:00
Werner Koch
32ce7ac0c6
dirmngr: Fix lost flags during LDAP upload
* dirmngr/ldapserver.c (ldapserver_parse_one): Turn LINE into a const.
Use strtokenize instead of strtok style parsing.
--

This fixes a problem with resulted in a General Error for the second
key to be uploaded in the same session.  But only if the colon format
to specify a keyserver with flags was used.
2022-09-28 15:40:22 +02:00
Werner Koch
6300035ba1
dirmngr: New server flag "areconly" (A-record-only)
* dirmngr/dirmngr.h (struct ldap_server_s): Add field areconly.
* dirmngr/ldapserver.c (ldapserver_parse_one): Parse "areconly"
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Implement this flag.
* dirmngr/dirmngr_ldap.c: Add option --areconly
(connect_ldap): Implement option.
* dirmngr/ldap.c (run_ldap_wrapper): Add and pass that option.
--

This flag is used to pass the Windows specific option
LDAP_OPT_AREC_EXCLUSIVE.  It is ignored on other systems.

Signed-off-by: Werner Koch <wk@gnupg.org>
2022-09-28 09:43:25 +02:00
Werner Koch
289fbc550d
dirmngr: Fix CRL DP error fallback to other schemes.
* dirmngr/crlcache.c (crl_cache_reload_crl): Rework the double loop.
Remove the unused issuername_uri stuff.
--

It is quite common that LDAP servers are blocked and thuis the HTTP
access point should be used instead.  This worked well for
certificates where the DP are given in this form:

        crlDP: ldap://x500.bund.de/[...]
               http://x500.bund.de/[...]
               issuer: none

but it failed for this form

        crlDP: ldap://x500.bund.de/[...]
               issuer: none
        crlDP: http://x500.bund.de/[...]
               issuer: none

because the LAST_ERR thing terminated the outer loop.  This pacth
fixes this and also cleans up the code to be more robust.

Note that the common workaround of using --ignore-ldap-dp will now
only be needed if the firewall uses packet dropping instead of proper
ICMP rejects.
2022-09-16 16:54:39 +02:00
Werner Koch
ea34325c54
dirmngr: New option --debug-cache-expired-certs.
* dirmngr/dirmngr.h (opt): Add debug_cache_expired_certs:
* dirmngr/dirmngr.c (oDebugCacheExpiredCerts): New.
(opts): Add option.
(parse_rereadable_options): Set option.
* dirmngr/certcache.c (put_cert): Handle the option.
2022-08-31 18:13:25 +02:00
NIIBE Yutaka
14ccabe7f8
dirmngr: Reject certificate which is not valid into cache.
* dirmngr/certcache.c (put_cert): When PERMANENT, reject the
certificate which is obviously invalid.

--

With this change, invalid certificates from system won't be registered
into cache.  Then, an intermediate certificate which is issued by an
entity certified by such an invalid certificate will be also rejected
with GPG_ERR_INV_CERT_OBJ.  With less invalid certificates in cache,
it helps the validate_cert_chain function work better.

GnuPG-bug-id: 6142
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-08-31 13:47:51 +02:00
Werner Koch
94908857e1
dirmngr: Fix failed malloc error message.
* dirmngr/ocsp.c (check_signature): Fix error printing of xtrymalloc.
2022-08-03 11:12:13 +02:00
Ingo Klöcker
22e8dc7927
dirmngr: Ask keyservers to provide the key fingerprints
* dirmngr/ks-engine-hkp.c (ks_hkp_search): Add "fingerprint=on" to
request URL.
--

Some keyservers, e.g. keyserver.ubuntu.com (Hockeypuck), do not
provide the key fingerprints by default. Therefore, we ask for the
fingerprints explicitly.

GnuPG-bug-id: 5741
(cherry picked from commit c7fa4c7f8bf375e3739ef8361f38b6b31113b8bf)
2022-07-26 09:46:15 +02:00
Werner Koch
cc1d475f98
dirmngr,w32: Silence compiler warnings for the LDAP API.
--
2022-06-03 15:36:58 +02:00
Werner Koch
3b251c8366
dirmngr: Escape more characters in WKD requests.
* dirmngr/server.c (proc_wkd_get): Also escape '#' and '+'
--
GnuPG-bug-id: 5902
2022-03-28 16:13:52 +02:00
Werner Koch
6d30fb6940
dirmngr: Make WKD_GET work even for servers not handling SRV RRs.
* dirmngr/server.c (proc_wkd_get): Take care of DNS server failures
--

Unfortunately there are resolver setups which don't handle SRV records
but return a server error.  We let a not found error pass, because
that merely means the domain does not exists.

GnuPG-bug-id: 4729
2022-03-21 22:41:09 +01:00
Werner Koch
3c79ff34c4
dirmngr: Changes to the linking order.
* dirmngr/Makefile.am: Tweak library order.
2022-02-07 20:24:22 +01:00
Werner Koch
137590fd86
dirmngr: Allow building with non-standard ntbtls location.
* dirmngr/Makefile.am: Add missing -L and -I
--
2022-02-03 21:54:09 +01:00
Werner Koch
0b76ef48e1
dirmngr: Simplify --gpgconf-list output
* dirmngr/dirmngr.c (main): Keep only values with the default flag.
--

This is not anymore required abnd brings us in sync with 2.3.
2022-02-03 18:28:25 +01:00
Werner Koch
dde88897e2
dirmngr: Avoid initial delay on the first keyserver access.
* dirmngr/dirmngr.c (dirmngr_never_use_tor_p): New.
* dirmngr/server.c (ensure_keyserver): Don't even test for the Tor
proxy in never-use-tor Mode.

* tools/gpgtar-create.c: Include unistd.h to avoid a warning on
Windows.
--

This delay of 2 or 3 seconds is in particular annoying on Windows.
This is now suppressed, as it should be, if --no-use-tor is used.

The second patch is unrelated
2022-02-01 16:02:20 +01:00
Werner Koch
bf284fdf22
dirmngr: Re-group the options in the --help output.
--

This looks better and is also required for further simplifications of
gpgconf.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 4c43fabbb0124bacbbaad2521a3085709e7f8249)
2021-12-30 09:23:45 +01:00
Werner Koch
5f890f417f
gpgconf: Support reading global options (part 2).
* tools/gpgconf-comp.c: Remove all regular option descriptions.  They
are now read in from the component.  Also remove a few meanwhile
obsolete options.
* agent/gpg-agent.c: Add option description which were only set in
gpgconf-comp.c.
* dirmngr/dirmngr.c: Ditto.
* scd/scdaemon.c: Ditto.
* sm/gpgsm.c: Ditto.
* g10/gpg.c: Ditto.
--

This second part removes all regular option descriptions because they
can be read from the components.  A few were missing in the components
and thus moved to there.

Signed-off-by: Werner Koch <wk@gnupg.org>

This is a backport from master (2.3).
2021-12-29 09:42:45 +01:00
Ingo Klöcker
027e34235b
build: Fix several "include file not found" problems
* dirmngr/Makefile.am (t_ldap_parse_uri_CFLAGS): Add KSBA_CFLAGS.
* kbx/Makefile.am (libkeybox_a_CFLAGS, libkeybox509_a_CFLAGS): Add
NPTH_CFLAGS.
* tools/Makefile.am (gpgtar_CFLAGS, gpg_wks_server_CFLAGS,
gpg_wks_client_CFLAGS, gpg_pair_tool_CFLAGS): Add LIBGCRYPT_CFLAGS.
--

The tools include gcrypt.h via common/util.h.

GnuPG-bug-id: 5592
2021-11-14 18:18:41 +01:00
Werner Koch
6507c6ab10
agent,dirmngr: New option --steal-socket
* agent/gpg-agent.c (oStealSocket): New.
(opts): Add option.
(steal_socket): New file global var.
(main): Set option.
(create_server_socket): Implement option.

* dirmngr/dirmngr.c (oStealSocket): New.
(opts): Add option.
(steal_socket): New file global var.
(main): Set option.  Add comment to eventually implement it.
--

Note that --steal-socket has currently no effect on dirmngr because
dirmngr does this anway.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-11-13 15:07:35 +01:00
NIIBE Yutaka
152f028155
dns: Make reading resolv.conf more robust.
* dirmngr/dns.c (dns_resconf_loadfile): Skip "search" which
begins with '.'.

--

GnuPG-bug-id: 5657
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-11-02 20:49:51 +01:00
Werner Koch
323a20399d
dirmngr: New option --ignore-cert
* dirmngr/dirmngr.h (struct fingerprint_list_s): Add field binlen.
(opt): Add field ignored_certs.
* dirmngr/dirmngr.c: Add option --ignore-cert
(parse_rereadable_options): Handle that option.
(parse_ocsp_signer): Rename to ...
(parse_fingerprint_item): this and add two args.
* dirmngr/certcache.c (put_cert): Ignore all to be igored certs.
Change callers to handle the new error return.
--

This option is useful as a workaround in case we ill run into other
chain validation errors like what we fixed in
GnuPG-bug-id: 5639
Backported-from-master: 4b3e9a44b58e74b3eb4a59f88ee017fe7483a17d
2021-10-06 11:06:01 +02:00
Werner Koch
341ab0123a
dirmngr: Fix Let's Encrypt certificate chain validation.
* dirmngr/certcache.c (find_cert_bysubject): Return the first trusted
certififcate if any.
--

This is basically the same as using OpenSSL with ist
X509_V_FLAG_TRUSTED_FIRST flag. See
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

GnuPG-bug-id: 5639
2021-10-06 10:56:43 +02:00
Werner Koch
47c4e3e00a
dirmngr: Change the default keyserver.
* configure.ac (DIRMNGR_DEFAULT_KEYSERVER): Change to
keyserver.ubuntu.com.

* dirmngr/certcache.c (cert_cache_init): Disable default pool cert.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Ditto.
* dirmngr/http.c (http_session_new): Ditto.

* dirmngr/server.c (make_keyserver_item): Use a different mapping for
the gnupg.net names.
--

Due to the unfortunate shutdown of the keyserver pool, the long term
defaults won't work anymore.  Thus it is better to change them.

For https access keyserver.ubuntu.com is now used because it can be
expected that this server can stand the load from newer gnupg LTS
versions.

For http based access the Dutch Surfnet keyserver is used.  However
due to a non-standard TLS certificate this server can not easily be
made the default for https.

Note: that the default server will be changed again as soon as a new
connected keyserver infrastructure has been established.
2021-06-25 19:15:24 +02:00
Werner Koch
adf7bfba5d
dirmngr: Fix regression in KS_GET for mail address pattern.
* dirmngr/ks-engine-hkp.c (ks_hkp_search): Munge mail address pattern.
(ks_hkp_get): Allow for mail addresses.
-

Before the keyserver changes in 2.2.28 gpg passed dirmngr a pail
address as an exact pattern (e.g. "=foo@example.org").  Since 2.2.28
the mail address is detected gpg gpg and we see for example
"<foo@example.org>".  This patch fixes this to turn a mail address
into an exact match again.

GnuPG-bug-id: 5497
Signed-off-by: Werner Koch <wk@gnupg.org>
2021-06-21 09:22:17 +02:00
NIIBE Yutaka
c8b2162c0e dirmngir: Fix build with --disable-ldap.
* dirmngr/dirmngr.c (parse_rereadable_options) [USE_LDAP]:
Conditionalize.

--

Reported-by: Phil Pennock
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-11 10:30:02 +09:00
NIIBE Yutaka
8ee4c8d1e0 dirmngr: Remove use of USE_LDAPWRAPPER.
* configure.ac (USE_LDAPWRAPPER): Remove.
* dirmngr/Makefile.am: Use USE_LDAP instead of USE_LDAPWRAPPER.
* dirmngr/ldap-wrapper-ce.c: Remove.
* dirmngr/ldap-wrapper.h, dirmngr/ldap-wrapper.c: Remove
USE_LDAPWRAPPER things.

--

Backported-from-master: 4c295646ba0e175743e6be13457308c1e6d21dd3
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-11 10:06:24 +09:00