1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

393 Commits

Author SHA1 Message Date
Daniel Kahn Gillmor
f5782e11a5 dirmngr: Avoid warnings during non-ntbtls build.
* dirmngr/t-http.c (my_http_tls_verify_cb): Avoid warnings when not
using ntbtls.

--

Without this patch, when building without ntbtls, we see the following
warnings during "make check":

t-http.c: In function ‘my_http_tls_verify_cb’:
t-http.c:141:16: warning: implicit declaration of function
      ‘ntbtls_x509_get_peer_cert’ [-Wimplicit-function-declaration]
        (cert = ntbtls_x509_get_peer_cert (tls_context, idx)); idx++)
                ^~~~~~~~~~~~~~~~~~~~~~~~~
t-http.c:141:14: warning: assignment makes pointer from integer
       without a cast  -Wint-conversion]
        (cert = ntbtls_x509_get_peer_cert (tls_context, idx)); idx++)
              ^
At top level:
t-http.c:123:1: warning: ‘my_http_tls_verify_cb’ defined but not
      used [-Wunused-function]
 my_http_tls_verify_cb (void *opaque,
 ^~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-02-25 22:54:47 -08:00
Werner Koch
22b69b9edf
dirmngr: Add new debug flag "extprog"
* dirmngr/dirmngr.h (DBG_EXTPROG_VALUE, DBG_EXTPROG): New macros.
* dirmngr/dirmngr.c (debug_flags): Add flag "extprog".
(handle_connections): Use a macro instead of -1 for an invalid socket.
* dirmngr/loadswdb.c (verify_status_cb): Debug the gpgv call.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-23 20:14:16 +01:00
Werner Koch
a42bf00b4e
dirmngr,w32: Make https with ntbtls work.
* dirmngr/http.c (simple_cookie_functions): New.
(send_request) [HTTP_USE_NTBTLS, W32]: Use es_fopencookie.
(cookie_read): Factor some code out to ...
(read_server): new.
(simple_cookie_read, simple_cookie_write) [W32]: New.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-23 10:30:58 +01:00
Daniel Kahn Gillmor
ccb420380b Fix spelling.
--

Clean up several other misspellings noticed while reviewing Yuri's
de-duplication patch.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-02-21 13:11:46 -05:00
Yuri Chornoivan
24cf0606b4 Clean up word replication.
--

This fixes extra word repetitions (like "the the" or "is is") in the
code and docs.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-02-21 13:11:46 -05:00
Werner Koch
831d014550
dirmngr: Add special treatment for the standard hkps pool to ntbtls.
* dirmngr/validate.h (VALIDATE_FLAG_SYSTRUST): Remove
(VALIDATE_FLAG_EXTRATRUST): Remove
(VALIDATE_FLAG_TRUST_SYSTEM): New.
(VALIDATE_FLAG_TRUST_CONFIG): New.
(VALIDATE_FLAG_TRUST_HKP): New.
(VALIDATE_FLAG_TRUST_HKPSPOOL): New.
(VALIDATE_FLAG_MASK_TRUST): New.
* dirmngr/validate.c (check_header_constants): New.
(validate_cert_chain): Call new function.  Simplify call to
is_trusted_cert.
* dirmngr/crlcache.c (crl_parse_insert): Pass
VALIDATE_FLAG_TRUST_CONFIG to validate_cert_chain
* dirmngr/server.c (cmd_validate): Use VALDIATE_FLAG_TRUST_SYSTEM and
VALIDATE_FLAG_TRUST_CONFIG.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Check provided TLS
context.  Set trustclass flags using the new VALIDATE_FLAG_TRUST
values.

* dirmngr/certcache.c (cert_cache_init): Load the standard pool
certificate prior to the --hkp-cacerts.
--

Note that this changes the way the standard cert is used: We require
that it is installed at /usr/share/gnupg and we do not allow to change
it.  If this is not desired, the the standard cert can be removed or
replaced by a newer one.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-21 14:55:04 +01:00
Werner Koch
d1625a9a82
dirmngr: Load --hkp-cacert values into the certificate cache.
* dirmngr/dirmngr.c (hkp_cacert_filenames): New var.
(parse_rereadable_options): Store filenames from --hkp-cacert in the
new var.
(main, dirmngr_sighup_action): Pass that var to cert_cache_init.
* dirmngr/certcache.c (cert_cache_init): Add arg 'hkp_cacert' and load
those certs.
(load_certs_from_file): Use autodetect so that PEM and DER encodings
are possible.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-21 13:57:24 +01:00
Werner Koch
9741aa24d9
dirmngr: Load "sks-keyservers.netCA.pem" into the cache.
* dirmngr/certcache.c (load_certs_from_file): Always build this
function.  Add args 'trustclasses' and 'no_error'.  Pass TRUSTCLASSES
to put_cert.
(load_certs_from_system): Pass CERTTRUST_CLASS_SYSTEM to
load_certs_from_file.
(cert_cache_init): Try to load "sks-keyservers.netCA.pem".  Don't make
function fail in an out-of-core condition.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-21 12:42:34 +01:00
Werner Koch
50b9828eac
dirmngr: Implement trust classes for the cert cache.
* dirmngr/certcache.h (CERTTRUST_CLASS_SYSTEM): New.
(CERTTRUST_CLASS_CONFIG): New.
(CERTTRUST_CLASS_HKP): New.
(CERTTRUST_CLASS_HKPSPOOL): New.
* dirmngr/certcache.c (MAX_EXTRA_CACHED_CERTS): Rename to ...
(MAX_NONPERM_CACHED_CERTS): this.
(total_extra_certificates): Rename to ...
(total_nonperm_certificates): this.
(total_config_certificates): Remove.
(total_trusted_certificates): Remove.
(total_system_trusted_certificates): Remove.
(cert_item_s): Remove field 'flags'.  Add fields 'permanent' and
'trustclasses'.
(clean_cache_slot): Clear new fields.
(put_cert): Change for new cert_item_t structure.
(load_certs_from_dir): Rename arg 'are_trusted' to 'trustclass'
(load_certs_from_file): Use CERTTRUST_CLASS_ value for put_cert.
(load_certs_from_w32_store): Ditto.
(cert_cache_init): Ditto.
(cert_cache_print_stats): Rewrite.
(is_trusted_cert): Replace arg 'with_systrust' by 'trustclasses'.
Chnage the test.
* dirmngr/validate.c (allowed_ca): Pass CERTTRUST_CLASS_CONFIG to
is_trusted_cert.
(validate_cert_chain): Pass CERTTRUST_CLASS_ values to
is_trusted_cert.
--

These trust classes make it easier to select certain sets of root
certificates.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-21 12:23:20 +01:00
Werner Koch
493c142e58
dirmngr: New Assuan option "http-crl".
* dirmngr/dirmngr.h (server_control_s): New flag 'http_no_crl'.
* dirmngr/dirmngr.c (dirmngr_init_default_ctrl): Set this flag.
* dirmngr/server.c (option_handler): New option "http-crl"
* dirmngr/http.h (HTTP_FLAG_NO_CRL): New flag.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Consult this flag.
* dirmngr/ks-engine-hkp.c (send_request): Set flag depending on CTRL.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.

* dirmngr/t-http.c (main): New option --no-crl.
--

This new option can be used to enable CRL checks on a per session
base.  The default is not to use CRLs for https connections.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-21 09:37:07 +01:00
Werner Koch
39c7450381
dirmngr: Add a magic field to the http structs.
* dirmngr/http.c (HTTP_SESSION_MAGIC): New.
(http_session_s): New field 'magic'.
(HTTP_CONTEXT_MAGIC): New.
(http_context_s): New field 'magic'.
(my_ntbtls_verify_cb): Assert MAGIC.
(fp_onclose_notification): Ditto.
(session_unref): Ditto.  Reset MAGIC.
(http_session_new): Set MAGIC.
(http_open): Ditto.
(http_raw_connect): Ditto.
(http_close): Assert MAGIC.  Reset MAGIC.

* dirmngr/t-http.c (my_http_tls_verify_cb): MArk HTTP_FLAGS unused.
--

We pass those handles through opaque pointers.  The magic numbers will
help to detect wrong use.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-21 09:13:02 +01:00
Werner Koch
a022baa4a4
dirmngr: Setup a log handler for ntbtls.
* dirmngr/dirmngr.c (my_ntbtls_log_handler) [HTTP_USE_NTBTLS]: New.
(main) [HTTP_USE_NTBTLS]: Register log handler.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-20 17:24:00 +01:00
Werner Koch
e174893262
dirmngr.c: Make http.c build without any TLS support.
* dirmngr/http.c (http_session_new): Remove used of tls_prority.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-20 10:02:25 +01:00
Werner Koch
81ea24b863
dirmngr: Make t-http.c work again with gnutls - second try
* dirmngr/t-http.c: Always include ksba.h.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-20 09:53:31 +01:00
Werner Koch
f923873863
dirmngr: Make t-http.c work again with gnutls.
* dirmngr/Makefile.am (t_http_CFLAGS, t_http_LDADD): Add KSBA flags
and libs.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-20 09:48:37 +01:00
Werner Koch
64fffd0ce2
dirmngr: First take on ntbtls cert verification.
* dirmngr/http-ntbtls.c: New.
* dirmngr/Makefile.am (dirmngr_SOURCES): Add file.
* dirmngr/dirmngr.h (SERVER_CONTROL_MAGIC): New.
(server_conrol_s): Add field 'magic',
* dirmngr/dirmngr.c (dirmngr_init_default_ctrl): Set MAGIC.
(dirmngr_deinit_default_ctrl): Set MAGIC to deadbeef.
* dirmngr/http.c (my_ntbtls_verify_cb): New.
(http_session_new) [HTTP_USE_NTBTLS]: Remove all CA setting code.
(send_request) [HTTP_USE_NTBTLS]: Set the verify callback.  Do not call
the verify callback after the handshake.
* dirmngr/ks-engine-hkp.c (send_request): Pass
gnupg_http_tls_verify_cb to http_session_new.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.

* dirmngr/t-http.c (my_http_tls_verify_cb): New.
(main): Rename option --gnutls-debug to --tls-debug.
(main) [HTTP_USE_NTBTLS]: Create a session.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-19 10:36:43 +01:00
Werner Koch
a74902cccd
dirmngr: Add per-session verify callback to http.c
* dirmngr/http.h (http_verify_cb_t): New type.
* dirmngr/http.c (http_session_s): Add fields flags, verify_cb, and
verify_cb_value.
(http_session_new): Remove arg tls_priority.  Add args verify_cb and
verify-cb_value.  Store them in the session object.
(send_request): Use per-session verify callback.
(http_verify_server_credentials) [HTTP_USE_NTBTLS]: Return
GPG_ERR_NOT_IMPLEMENTED.
* dirmngr/ks-engine-hkp.c (send_request): Adjust for changed
http_session_new.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
* dirmngr/t-http.c (main): Ditto.

* dirmngr/server.c (do_get_cert_local): Replace xmalloc by malloc.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-18 16:39:02 +01:00
Werner Koch
cd32ebd152
dirmngr: Strip the default https port from the Host: header.
* dirmngr/http.c (send_request): Strip the default https port.

--

GnuPG-bug-id: 2965
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-17 21:59:45 +01:00
Werner Koch
f07811ee2c
dirmngr: Add option --no-crl to the VALIDATE cmd.
* dirmngr/validate.h: Remove enums VALIDATE_MODE_*.
(VALIDATE_FLAG_SYSTRUST, VALIDATE_FLAG_EXTRATRUST)
(VALIDATE_FLAG_CRL, VALIDATE_FLAG_RECURSIVE)
(VALIDATE_FLAG_OCSP, VALIDATE_FLAG_TLS)
(VALIDATE_FLAG_NOCRLCHECK): New constants.
* dirmngr/validate.c (validate_cert_chain): Change arg 'mode' to
'flags'.  Change code accordingly.  Remove NO-CRL in TLS mode kludge.
* dirmngr/crlcache.c (crl_parse_insert): Change to use flag values for
the validate_cert_chain call.
* dirmngr/server.c (cmd_validate): Ditto.  Add new option --no-crl.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-17 21:31:33 +01:00
Werner Koch
070211eb99
dirmngr: Add options --tls and --systrust to the VALIDATE cmd.
* dirmngr/certcache.h (certlist_s, certlist_t): New.
* dirmngr/certcache.c (read_certlist_from_stream): New.
(release_certlist): New.
* dirmngr/server.c (MAX_CERTLIST_LENGTH): New.
(cmd_validate): Add options --tls and --systrust.  Implement them
using a kludge for now.
* dirmngr/validate.c (validate_cert_chain): Support systrust
checking.  Add kludge to disable the CRL checking for tls mode.
--

This can now be used to test a list of certificates as returned by
TLS.  Put the certs PEM encoded into a a file certlist.pem with the
target certificate being the first.  Then run

  gpg-connect-agent --dirmngr \
    '/definqfile CERTLIST wiki-gnupg-chain.pem' \
    'validate --systrust --tls' /bye

CRLS check has been disabled becuase we can't yet pass the systrust
flag to the CRL checking code.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-17 16:41:02 +01:00
Werner Koch
ed99af030d
dirmngr: Remove use of hardcoded numbers in validate.
* dirmngr/validate.c (enum cert_usage_modes): New.
(cert_usage_p): Change type of arg MODE.  Use enums instead of
hardwired values.  Use a switch instead of tricky bit tests.
(cert_use_cert_p, cert_use_ocsp_p, cert_use_crl_p): Adjust.

* dirmngr/validate.c (cert_usage_p): Rename to check_cert_usage.
(cert_use_cert_p): Rename to check_cert_use_cert.
(cert_use_ocsp_p): Rename to check_cert_use_ocsp.
(cert_use_crl_p): Rename to check_cert_use_crl.

* dirmngr/validate.h (VALIDATE_MODE_CERT_SYSTRUST): New.
(VALIDATE_MODE_TLS, VALIDATE_MODE_TLS_SYSTRUST): New.

--

A function with a "_p" suffix return 0 for a True just looks weird.
We now use names which better indicate that an error code is returned.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-17 16:41:02 +01:00
Werner Koch
7006352da7
dirmngr,w32: Load all system provided certificates.
* dirmngr/certcache.c (CERTOPENSYSTEMSTORE) [W32]: New type.
(CERTENUMCERTIFICATESINSTORE) [W32]: New type.
(CERTCLOSESTORE) [W32]: New type.
(load_certs_from_file) [W32]: Do not build.
(load_certs_from_w32_store) [W32]: New.
(load_certs_from_system) [W32]: Call new function.
--

GnuTLS loads the system certificates from the "ROOT" and "CA" store;
thus we do the same.  On a Visa box you may for example see 21 from
"ROOT" and 6 from "CA".

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-16 21:25:58 +01:00
Werner Koch
9a1a5ca0bc
dirmngr: Load all system provided certificates.
* configure.ac: Add option --default-trust-store.
(DEFAULT_TRUST_STORE_FILE): New ac_define.
* dirmngr/certcache.c: Include ksba-io-support.h.
(total_trusted_certificates, total_system_trusted_certificates): New.
(put_cert): Manage the new counters.
(cert_cache_deinit): Reset them.
(cert_cache_print_stats): Print them.
(is_trusted_cert): Add arg WITH_SYSTRUST.  Change all callers to pass
false.
(load_certs_from_file): New.
(load_certs_from_system): New.
(cert_cache_init): Load system certificates.
--

Note that this code does not yet allow to load the system certificates
on Windows.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-16 18:58:27 +01:00
Werner Koch
5c4e67afd6
dirmngr: Prepare certcache for forthcoming changes.
* dirmngr/certcache.c (cert_item_s): Rename 'flags.loaded' to
'flags.config'.  Add 'flags.systrust'.
(total_loaded_certificates): Rename to total_config_certificates.
(put_cert): Rename args for clarity.  Set SYSTRUST flag.
(load_certs_from_dir): Make sure put_cert does not set the SYSTRUST
flag.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-16 11:51:57 +01:00
Werner Koch
1af733f37b
indent: Reformat and extend some comments in dirmngr.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-16 11:01:19 +01:00
Werner Koch
aef60abe6a
dirmngr: Replace stpcpy chains by strconcat.
* dirmngr/certcache.c (find_cert_bysn): Use strconcat.
(find_cert_bysubject): Ditto.
* dirmngr/http.c (store_header): Ditto.
* dirmngr/ldap.c (make_url): Ditto.
* dirmngr/server.c (get_cert_local_ski): Ditto.
(do_get_cert_local): Use xstrconcat.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-16 10:33:26 +01:00
Werner Koch
a3509e12b6
libdns: Workaround for bracketed numerical addresses.
* dirmngr/dns-stuff.c (resolve_name_libdns): Work around an
incompatibility between the glibc resolver and libdns.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-15 19:20:33 +01:00
Werner Koch
a75325faf1
dirmngr: Do PTR lookups only for 'keyserver --hosttable'.
* dirmngr/ks-engine-hkp.c (hostinfo_s): Remove fields v4addr and
v5addr and add fields iporname and iporname_valid.
(create_new_hostinfo): Clear them.
(add_host): Remove the code to set the v4addr and v6addr fields.
(ks_hkp_print_hosttable): Remove printing of the fields.  Compute the
iporname field and display it.
(ks_hkp_reload): Force re-computing of the iporname field in
ks_hkp_print_hosttable.
--

GnuPG-bug-id: 2928
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-15 19:20:33 +01:00
Werner Koch
da2ba20868
dirmngr: Avoid PTR lookup for hosts in a pool
* dirmngr/ks-engine-hkp.c (add_host): Don't to a PTR lookup for hosts
in a pool.
--

GnuPG-bug-id: 2928
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-15 19:20:33 +01:00
Werner Koch
dee026d761
dirmngr: Do a DNS lookup even if it is missing from nsswitch.conf.
* dirmngr/dns-stuff.c (libdns_init): Do not print error message for a
missing nsswitch.conf.  Make sure that tehre is a DNS entry.
--

GnuPG-bug-id: 2948
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-13 20:13:05 +01:00
Werner Koch
7440119e72
dirmngr: New option --no-use-tor and internal changes.
* dirmngr/dns-stuff.c (disable_dns_tormode): New.
* dirmngr/dirmngr.c (oNoUseTor): New const.
(opts): New option --no-use-tor.
(tor_mode): New var.
(parse_rereadable_options): Change to use TOR_MODE.
(dirmngr_use_tor): New.
(set_tor_mode): Call disable_dns_tormode.  Implement oNoUseTor.
* dirmngr/dirmngr.h (opt): Remove field 'use_tor'.  Replace all
references by a call to dirmngr_use_tor().
* dirmngr/server.c (cmd_getinfo): Distinguish between default and
enforced TOR_MODE.
--

This patch replaces the global variable opt.use_tar by a function
testing a file local mode flag.  This patch prepares for a
use-tor-if-available mode.

GnuPG-bug-id: 2935
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-01 17:54:14 +01:00
Werner Koch
f518196ca6
Fix explanation of commit e175152ef7515921635bf1e00383e812668d13fc.
--
2017-02-01 08:18:44 +01:00
Werner Koch
b0e8376e19
dirmngr: Require --allow-version-check even if --use-tor is used.
* dirmngr/dirmngr.c (housekeeping_thread): Load swdb only if the
option is set.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-31 13:24:24 +01:00
Werner Koch
770b75a746
gpg: Print a warning on Tor problems.
* dirmngr/ks-engine-hkp.c (tor_not_running_p): New.
(map_host): Call that to print a warning.
(handle_send_request_error): Ditto and avoid marking the host dead.
Also print a tor_config_problem warning.  Add arg CTRL; adjust callers
to pass that new arg.
* g10/call-dirmngr.c (ks_status_cb): Detect and print the new
warnings.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-24 20:52:24 +01:00
Werner Koch
51e5a5e5a4
dirmngr: Simplify error returning inside http.c.
* dirmngr/http.c (connect_server): Change to return an gpg_error_t
and to store socket at the passed address.
(http_raw_connect, send_request): Adjust accordingly.
--

This change removes cruft from the code and allows to return the error
code from the name lookup.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-24 20:52:24 +01:00
Werner Koch
72736af86a
dirmngr: New option --disable-ipv4.
* dirmngr/dirmngr.c (oDisableIPv4): New const.
(opts): New option --disable-ipv4.
(parse_rereadable_options): Set that option.
* dirmngr/dirmngr.h (opt): New field 'disable_ipv4'.
* dirmngr/dns-stuff.c (opt_disable_ipv4): bew var.
(set_dns_disable_ipv4): New.
(resolve_name_standard): Skip v4 addresses when OPT_DISABLE_IPV4 is
set.
* dirmngr/ks-engine-hkp.c (map_host): Ditto.
(send_request): Pass HTTP_FLAG_IGNORE_IPv4 if opt.disable_v4 is set.
* dirmngr/crlfetch.c (crl_fetch): Ditto.
* dirmngr/ks-engine-finger.c (ks_finger_fetch): Ditto.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
* dirmngr/ocsp.c (do_ocsp_request): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-24 20:52:24 +01:00
Werner Koch
af5979a42b
Fix format string errors and some missing error case initialization.
* common/logging.c (do_logv): Remove extra parentheses in comparison.

* dirmngr/dns-stuff.c (resolve_addr_libdns): Init RES so that
dns_res_close is given a defined value in the error case.

* dirmngr/http.c (cookie_read, cookie_write) [HTTP_USE_NTBTLS]: Fix
format string char.

* dirmngr/ks-engine-hkp.c (ks_hkp_help): Remove duplicate "const".
* dirmngr/ks-engine-http.c (ks_http_help): Ditto.
* dirmngr/ks-engine-kdns.c (ks_kdns_help): Ditto.
* dirmngr/ks-engine-ldap.c (ks_ldap_help): Ditto.

* scd/app-p15.c (send_keypairinfo, do_getattr): Fix format string
char.
* tools/gpgconf-comp.c (gpg_agent_runtime_change): Init PID for the
error case.
(scdaemon_runtime_change): Ditto.
(dirmngr_runtime_change): Ditto.

* tools/gpgconf.c (query_swdb): Init VALUE_SIZE_UL.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-23 16:33:01 +01:00
Werner Koch
3ca3da8fc4
dirmngr: On SIGHUP mark all keyservers alive.
* dirmngr/ks-engine-hkp.c (ks_hkp_reload): New.
* dirmngr/dirmngr.c (dirmngr_sighup_action): Call it.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-23 13:07:54 +01:00
Gaetan Bisson
d4c0187dd9
libdns: Hack to skip negation term.
* dirmngr/dns.c (dns_nssconf_loadfile): Skip negation terms in
nsswitch.conf parser.
--

This small patch was submitted along with this comment:

  We've been having issues over at Arch Linux with the new libdns
  code.  Our /etc/nsswitch.conf contains the following line:

    hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname

  And it turns out dirmngr fails to parse the negation statement (the
  bang in !UNAVAIL). This results in gnupg not being able to resolve
  any name.

  Looking at dirmngr/dns.c it was unclear to me how to properly handle
  such negations. The dns_anyconf_scan calls used in
  dns_nssconf_loadfile do not allow to store a negation bit easily...

  In the meantime, I wrote the attached patch which ignores those
  statements altogether. It makes libdns work as expected for us.

Commit log written by wk
2017-01-23 12:46:35 +01:00
Werner Koch
9ae0b81e4f
dirmngr: Print debug message only with --debug.
* dirmngr/dns-stuff.c (libdns_init): Call log_debug only if opt_debug
is set.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-23 11:39:20 +01:00
Phil Pennock
88ade475c5
dirmngr: Handle missing nsswitch.conf.
* dirmngr/dns-stuff.c (libdns_init): Fallback to files,dns.

--

Signed-off-by: Phil Pennock <phil@pennock-tech.com>

ChangeLog entry by wk.

This fixed the problem:

  Short version: macOS doesn't include /etc/nsswitch.conf and GnuPG's
  dirmngr is hard-erroring when that file is missing, such that no DNS
  operations succeed and --recv-key returns ENOENT type errors to the
  caller.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-23 11:02:41 +01:00
NIIBE Yutaka
367349b4dc dirmngr: Add setup of CA for NTBTLS.
* dirmngr/http.c [HTTP_USE_NTBTLS] (http_session_new): Add CA by
ntbtls_set_ca_chain.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-01-19 15:39:55 +09:00
Werner Koch
e6aebfe3d0
dirmngr: Implement hkps lookups using literal addresses.
* dirmngr/ks-engine-hkp.c (map_host): For literal addresses do a
reverse lookup.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-16 19:12:03 +01:00
Werner Koch
9850124c7b
dirmngr: Allow reverse DNS lookups in Tor-mode.
* dirmngr/dns-stuff.c (resolve_dns_name): Move up in the file.
(resolve_addr_libdns): New.
(resolve_dns_addr): Divert to resolve_dns_addr.
--

In the old code reverse lookups where disabled in Tor mode.  By
implementing the reverse lookups via libdns it is now possible to do
them also in Tor mode.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-16 19:12:03 +01:00
Werner Koch
daae97bc14
dirmngr: Avoid network queries for literal IP addresses.
* dirmngr/dns-stuff.c (resolve_name_libdns): USe flags AI_NUMERICHOST
for literal IP addresses.
(resolve_name_standard): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-16 19:12:03 +01:00
Werner Koch
82646bbf1a
dirmngr: Fix URL creation for literal IPv6 addresses in HKP.
* dirmngr/dns-stuff.c (is_ip_address): Make the return value depend on
the address family.
* dirmngr/ks-engine-hkp.c (map_host): Rename arg R_POOLNAME to
R_HTTPHOST because that is its purpose.  Note that the former
behaviour of storing a NULL to indicate that it is not a pool has not
been used.
(make_host_part): Ditto.
(make_host_part): Make sure that literal v6 addresses are correclty
marked in the constructed URL.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-16 19:12:03 +01:00
Werner Koch
97372b39cd
libdns: Silence -Wstrict-prototypes on some function ptrs.
* dirmngr/dns.c (dns_rrtype): Ignore -Wstrict-prototypes warning.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-12 09:22:14 +01:00
Werner Koch
0fadff9cdd
libdns: Provide replacement for EPROTO.
* dirmngr/dns.c (EPROTO) ![EPROTO]: Define to EPROTONOSUPPORT.
--

This is the same replacement we use in Libassuan
(commit 8ab3b9273524bd344bdb90dd5d3bc8e5f53ead6e) to make it work on
OpenBSD and may other BSD based OSes.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-12 09:20:49 +01:00
Werner Koch
20dfcfe08c
dirmngr: After a connection failure log a hint if Tor is not running.
* dirmngr/ks-engine-hkp.c (handle_send_request_error): Check whether
Tor is running.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-11 17:09:16 +01:00
Werner Koch
76fb2febde
dirmngr: Mark hosts dead on ENETDOWN.
* dirmngr/ks-engine-hkp.c (handle_send_request_error): Take care of
ENETDOWN.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-11 16:43:30 +01:00