1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-23 10:29:58 +01:00

570 Commits

Author SHA1 Message Date
Werner Koch
9e8d299e18
Merge branch 'wk/stable-2.2-global-options' into STABLE-BRANCH-2-2
--
2020-12-18 11:23:01 +01:00
Werner Koch
9b886adba4
dirmngr: Fix backport of the new option parser from 2.3
* dirmngr/dirmngr.c (main) <aGPGConfList>: Re-introduce
gpgconf-dirmngr.conf.
--

Fixes-commit: a028f24136a062f55408a5fec84c6d31201b2143
2020-12-18 11:21:18 +01:00
Werner Koch
559efd23e9
gpg: New AKL method "ntds"
* dirmngr/ks-engine-ldap.c (keyspec_to_ldap_filter): Change the new
support for KEYDB_SEARCH_MODE_MAIL.
(ks_ldap_get): Add a debug.
* g10/options.h (AKL_NTDS): New.
* g10/keyserver.c (keyserver_import_ntds): New.
(keyserver_get_chunk): Allow KEYDB_SEARCH_MODE_MAIL.
* g10/getkey.c (parse_auto_key_locate): Support "ntds".
(get_pubkey_byname): Ditto.
2020-12-17 18:19:01 +01:00
Werner Koch
776bef74c7
dirmngr: Support "ldap:///" for the current AD user.
* dirmngr/http.h (struct parsed_uri_s): Add field ad_current.
* dirmngr/ldap-parse-uri.c (ldap_parse_uri): Set it.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Take care of ad_current.
2020-12-17 16:09:31 +01:00
Werner Koch
c75fd75532
dirmngr: Allow LDAP searches via fingerprint.
* dirmngr/ks-engine-ldap.c (keyspec_to_ldap_filter): Add arg
serverinfo and allow searching by fingerprint.
(ks_ldap_get, ks_ldap_search): First connect then create teh filter.
--

With the new schema we can finally search by fingerprint.
2020-12-17 11:19:22 +01:00
Werner Koch
c28cb5282b
dirmngr: Store all version 2 schema attributes.
* g10/call-dirmngr.c (ks_put_inq_cb): Emit "fpr" records.
* dirmngr/ks-engine-ldap.c (extract_attributes): Add args
extract-state and schemav2.  Add data for the new schema version.
remove the legacy code to handle UIDs in the "pub" line.
(ks_ldap_put): Set new attributes for NTDS use the fingerprint as CN.

Signed-off-by: Werner Koch <wk@gnupg.org>

This is a backport from 2.3
2020-12-17 11:08:31 +01:00
Werner Koch
ac8ece9266
dirmngr: Support the new Active Directory schema
* dirmngr/ks-engine-ldap.c (SERVERINFO_): New constants.
(my_ldap_connect): Relace args pgpkeyattrp and real_ldapp by a new
serverinfo arg.  Set the new info flags.
(ks_ldap_get): Adjust for change.
(ks_ldap_search): Ditto.
(ks_ldap_put): Ditto.  Replace xmalloc by xtrymalloc.  Change the DN
for use with NTDS (aka Active Directory).
--

This is a first take on better Active Directory support.  The main
change for NTDS in the code is that the an top-RDN of CN is used
instead of the old pgpCertID.  More changes to come; for example using
and storing the fingerprint.

Signed-off-by: Werner Koch <wk@gnupg.org>

This is a backport from 2.3 without the new schema samples - they can
be found in the repo.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-12-17 11:05:46 +01:00
Werner Koch
0e88c73bc9
dirmngr: Do not store the useless pgpSignerID in the LDAP.
* dirmngr/ks-engine-ldap.c (extract_attributes): Do not store the
pgpSignerID.
* g10/call-dirmngr.c (ks_put_inq_cb): Do not emit sig records.
--

The pgpSignerID has no use in the LDAP and thus don't store it.
David's idea back in 2004 was
              /* This bit is really for the benefit of people who
                 store their keys in LDAP servers.  It makes it easy
                 to do queries for things like "all keys signed by
                 Isabella".  */
See-commit: 3ddd4410aef928827e1c8d4fb02c1ccd3f8eaea5

I consider this dangerous because such a query is not able to validate
the signature, does not get revocation signatures, and also has no
information about the validity of the signatures.  Further many keys
are spammed tehse days with faked signatures and it does not make
sense to blow up the LDAP with such garbage.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-12-17 11:02:49 +01:00
Werner Koch
e47de85382
dirmngr: Fix adding keys to an LDAP server.
* dirmngr/ks-engine-ldap.c (ks_ldap_put): Extract attribites into
addlist.
--

The code used the wrong list which resulting in adding attributes
marked for deletion.  In particular Active Directory does not accept
such an data and rejects them.  The bug was introduced into 2.1 while
porting the code from the old keyserver helpers to dirmngr.

Fixes-commit: 51341badb623927f2a358588c725a356fc77dbe7
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-12-17 10:23:46 +01:00
Werner Koch
a028f24136
Backport of the new option parser from 2.3
* configure.ac (GPGRT_ENABLE_ARGPARSE_MACROS): Define.
* common/argparse.c, common/argparse.h: Rewrite.
* tests/gpgscm/main.c: Switch to the new option parser.

* g10/gpg.c: Switch to the new option parser and enable a global conf
file.
* g10/gpgv.c: Ditto.
* agent/gpg-agent.c: Ditto.
* agent/preset-passphrase.c: Ditto.
* agent/protect-tool.c: Ditto.
* scd/scdaemon.c: Ditto.
* dirmngr/dirmngr.c: Ditto.
* dirmngr/dirmngr_ldap.c: Ditto
* dirmngr/dirmngr-client.c: Ditto.
* kbx/kbxutil.c: Ditto.
* tools/gpg-card.c: Ditto.
* tools/gpg-check-pattern.c: Ditto.
* tools/gpg-connect-agent.c: Ditto.
* tools/gpg-pair-tool.c: Ditto.
* tools/gpg-wks-client.c: Ditto.
* tools/gpg-wks-server.c: Ditto.
* tools/gpgconf.c: Ditto.
* tools/gpgsplit.c: Ditto.
* tools/gpgtar.c: Ditto.
* g13/g13.c: Ditto.
* g13/g13-syshelp.c: Ditto.  Do not force verbose mode.
* sm/gpgsm.c: Ditto. Add option --no-options.
--

This is backport from master

commit cdbe10b762f38449b86da69076209324b0c99982
commit ba463128ce65a0f347643f7246a8e097c5be19f1
commit 3bc004decd289810bc1b6ad6fb8f47e45c770ce6
commit 2c823bd878fcdbcc4f6c34993e1d0539d9a6b237
commit 0e8f6e2aa98c212442001036fb5178cd6cd8af59

but without changing all functions names to gpgrt.  Instead we use
wrapper functions which, when building against old Libgpg-error
versions, are implemented in argparse.c using code from the current
libgpg-error.  This allows to keep the dependency requirement at
libgpg-error 1.27 to support older distributions.  Tested builds
against 1.27 and 1.40-beta.

Note that g13-syshelp does not anymore default to --verbose because
that can now be enabled in /etc/gnupg/g13-syshelp.conf.

GnuPG-bug-id: 4788
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-12-04 12:12:20 +01:00
Werner Koch
6594dc31f5
gpgconf: Also print revision of libksba.
* dirmngr/dirmngr.c (get_revision_from_blurb): Fix detection of empty
string.
(gpgconf_versions): Print ksba revision.
--

The latest Libksba version support retrieving of the revision (commit)
id.  We now use that or print a question mark.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 4070f302e4decc8d54d1305cbd30f6dab052ef7e)
2020-11-19 09:12:04 +01:00
Werner Koch
163e4ff195
w32: Support Unicode also for config files etc.
* common/sysutils.c (gnupg_fopen) [W32]: Use _wfopen if needed.   Use
new function in most places where fopen is used.
--

The config files in 2.2 are still read using fopen - we need to change
this to allow Unicode directory names.  There is also one case where
files are written using the old fopen.  The new option parser in 2.3
does not have this problem but at some places fopen is also still used.

GnuPG-bug-id: 5098
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-11-10 12:09:11 +01:00
Werner Koch
5f8123df78
common: New functions gnupg_opendir et al.
* common/sysutils.h (struct gnupg_dirent_s): New.
* common/sysutils.c: Include dirent.h.
(struct gnupg_dir_s): New.
(gnupg_opendir, gnupg_readdir, gnupg_closedir): New.  Change all
callers of opendir, readdir, and closedir to use these functions.
--

GnuPG-bug-id: 5098
Backported-from-master: 7e22e08e2ab09cd3c2317f5e80e8ee47d46eff4b
2020-10-23 11:24:09 +02:00
Werner Koch
157030271f
Replace all calls to stat by gnupg_stat.
* common/sysutils.c (gnupg_stat): New.
* common/sysutils.h: Include sys/stat.h.
--

Yet another wrapper for Unicode support on Windows.

GnuPG-bug-id: 5098
Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 18e5dd7b03ced51611c9ba1345cf498a0aaf14a6)
2020-10-23 11:15:59 +02:00
Werner Koch
86e52e3c33
Replace most calls to open by a new wrapper.
* common/sysutils.c (any8bitchar) [W32]: New.
(gnupg_open): New.  Replace most calls to open by this.
* common/iobuf.c (any8bitchar) [W32]: New.
(direct_open) [W32]: Use CreateFileW if needed.
--

This is yet another step for full Unicode support on Windows.

GnuPG-bug-id: 5098
(cherry picked from commit 4dcef0e17836e8725c31a3b76f2bf7144345c808)
2020-10-23 10:02:25 +02:00
Werner Koch
dd5fd4a760
Replace all calls to access by gnupg_access
* common/sysutils.c (gnupg_access): New.  Replace all calls to access
by this wrapper.
* common/homedir.c (w32_shgetfolderpath): Change to return UTF-8
directory name.
(standard_homedir): Adjust for change.
(w32_commondir, gnupg_cachedir): Ditto.
--

Also use SHGetFolderPathW instead of SHGetFolderPathA on Windows.

This is required to correctly handle non-ascii filenames on Windows.

GnuPG-bug-id: 5098
(cherry picked from commit c94ee1386e0d5cdac51086c4d5b92de59c09c9b5)
2020-10-21 20:49:18 +02:00
Werner Koch
ffbef54d36
dirmngr: Minor cleanup for better readability.
* dirmngr/ldap.c (start_default_fetch_ldap): Rename to
start_cacert_fetch_ldap and remove arg attr.  Instead use
"cACertificate" directly.
* dirmngr/crlfetch.c (ca_cert_fetch): Change the only caller.
(start_cert_fetch_ldap): Rename arg for clarity.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-10-05 17:21:55 +02:00
Werner Koch
c81f02c959
w32: Add manifest files to most binaries
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-10-02 17:04:12 +02:00
Werner Koch
a298ba02ee
gpgconf: New option --show-versions.
* tools/gpgconf.c: Include exechelp.h.  New option --show-versions.
(get_revision_from_blurb): New.
(show_version_gnupg): New.
(show_version_libgcrypt): New.
(show_version_gpgrt): New.
(show_versions_via_dirmngr): New.
(show_versions): New.
* dirmngr/dirmngr.c (main): New internal option --gpgconf-versions.
(get_revision_from_blurb): New.
(gpgconf_versions): New.
--

This option should be helpful to gather information for debugging.

Signed-off-by: Werner Koch <wk@gnupg.org>

Backported-from-master: 357ad9ae29677c1676b56d2b81282e2f78ec8040
2020-10-02 12:45:52 +02:00
Werner Koch
a084924d07
gpg-connect-agent: Catch signals so that SIGPIPE is ignored.
* dirmngr/server.c (cmd_killdirmngr): Return 0.
* tools/gpg-connect-agent.c (main): Catch signals.
--

And we also print nicer diagnostics.  The reason we need this is that
for example "gpgconf --kill dirmngr" uses gpg-connect-agent to send a
command to dirmngr.  This may results in a SIGPIPE which in turn leads
to an annoying error message from gpgconf.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-09-10 11:05:37 +02:00
Werner Koch
72e04b03b1
dirmngr: Fix the pool keyserver case for a single host in the pool.
* dirmngr/ks-engine-hkp.c (map_host): Set R_HOSTNAME also for
localhost and if there is no pool.
2020-09-10 11:04:46 +02:00
Werner Koch
e4f3b74c91
dirmngr: Align the gnutls use of CAs with the ntbtls code.
* dirmngr/http.c (http_session_new) <gnutls>: Use only the special
pool certificate for the default keyserver.
--

The gnutls version uses a different strategy than the ntbtls version
on when to use the special SKS pool certificate.  This patch aligns it
so that we don't need to wonder about different kind of bug reports.
In short the special cert is now the only cert use with the default
keyserver.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-09-10 11:04:15 +02:00
Werner Koch
45499b2ca3
dirmngr: Print the last alert message returned by NTBTLS.
* dirmngr/http.c (send_request): Print the last TLS alert.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-08-27 09:03:27 +02:00
Werner Koch
829bc3bc60
build: New configure option --disable-tests
* configure.ac: Add option --disable-tests.  Print warnings in the
summary.
(DISABLE_TESTS): New am_conditional.
--
GnuPG-bug-id: 4960
2020-08-20 10:58:52 +02:00
NIIBE Yutaka
f95d923090 w32: Add link to $(NETLIB) for -lws2_32.
* dirmngr/Makefile.am (dirmngr_LDADD): Add $(NETLIBS).
* sm/Makefile.am (gpgsm_LDADD): Ditto.
* tools/Makefile.am (gpg_wks_client_LDADD): Ditto.

--

Cherry-picked master commit of:
	d69f5570ee5e1b099e39fdf64e18add23ff5c815

GnuPG-bug-id: 4994
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-07-30 15:10:15 +09:00
NIIBE Yutaka
ce793fc2f8 dirmngr: Handle EAFNOSUPPORT at connect_server.
* dirmngr/http.c (connect_server): Skip server with EAFNOSUPPORT.

--

Cherry-pick from master commit of:
	109d16e8f644da97ed9c00e6f9010a53097f587a

GnuPG-bug-id: 4977
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-07-13 10:04:12 +09:00
Werner Koch
daca1a011b
dirmngr: Silence annoying warning for missing default ldap server file.
* dirmngr/dirmngr.c (parse_ldapserver_file): Add arg ignore_enoent.
(main): Use that arg for the default file.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-07-02 16:22:29 +02:00
Werner Koch
0795ab1c8f
dirmngr: Fix case handling of "ldapi" scheme.
* dirmngr/ldap-parse-uri.c (ldap_uri_p): s/'i'/'I'.
--

GnuPG-bug-id: 4758
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-07-02 16:05:40 +02:00
NIIBE Yutaka
ab724d3206 dirmngr: dns: Fix allocation of string buffer in stack.
* dirmngr/dns.h (dns_strsection, dns_strclass)
(dns_strtype): Change APIs.
* dirmngr/dns.c (dns_p_lines): Use __dst for dns_strsection.
(dns_rr_print): Use __dst for dns_strclass and dns_strtype.
(dns_trace_dump): Likewise.
(dns_ai_print): Use __dst for dns_strtype.
(dns_strsection): Add an argument __dst for storage.
(dns_strclass, dns_strtype): Likewise.
(parse_packet): Use __dst for dns_strsection.
(send_query): Use __dst for dns_strtype.
(isection): Use __dst for dns_strsection.
(iclass): Use __dst for dns_strclass.
(itype): Use __dst for dns_strtype.

--

Backport master commit of:
	30eef28bc0f5deaa1b4b7f04293a6527524280a9

GnuPG-bug-id: 4934
Reported-by: Tomas Mraz
Fixes-commit: ff7d01fc6d396fc3b8d37baa9bd4cdebc8853648
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-05-21 14:37:03 +09:00
Werner Koch
c6324ee07a
common: Change argument order of log_printhex.
* common/logging.c (log_printhex): Chnage order of args.  Make it
printf alike.  Change all callers.
* configure.ac: Add -Wno-format-zero-length
--

This makes it consistent with modern libgpgrt logging and thus eases
back porting from newer GnuPG versions which use libgpgrt logging.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-05-12 18:51:47 +02:00
Werner Koch
3b27c26241
dirmngr: Allow http URLs with "LOOKUP --url"
* dirmngr/crlfetch.c (read_cert_via_http): New.
(fetch_cert_by_url): Implement http scheme.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-16 18:05:41 +02:00
Werner Koch
ddc74f50d4
sm,dirmngr: Restrict allowed parameters used with rsaPSS.
* sm/certcheck.c (extract_pss_params): Check the used PSS params.
* dirmngr/crlcache.c (finish_sig_check): Ditto.
* dirmngr/validate.c (check_cert_sig): Ditto.
--

GnuPG-bug-id: 4538

# ------------------------ >8 ------------------------
See
https://www.metzdowd.com/pipermail/cryptography/2019-November/035449.html

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-15 15:45:58 +02:00
Werner Koch
24d563749f
sm: Support rsaPSS verification also for CMS signatures.
* sm/certcheck.c (gpgsm_check_cert_sig): Factor PSS parsing out to ...
(extract_pss_params): new.
(gpgsm_check_cms_signature): Implement PSS.
--

GnuPG-bug-id: 4538
2020-04-15 15:45:34 +02:00
Werner Koch
8bf17eb94d
dirmngr: Support rsaPSS also in the general validate module.
* dirmngr/validate.c (hash_algo_from_buffer): New.
(uint_from_buffer): New.
(check_cert_sig): Support rsaPSS.
* sm/certcheck.c (gpgsm_check_cert_sig): Fix small memory leak on
error.
--

Yes, I know that there is a lot of code duplication.  In fact some of
the code is ugly and it would be better if we enhance Libgcrypt to
guarantee that returned memory buffers via gcry_sexp_extract_param are
allways Nul terminated and we should also enhance that function to
directly extract into an unsigned int or char *.

GnuPG-bug-id: 4538
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-15 15:44:37 +02:00
Werner Koch
0626cc8fed
sm,dirmngr: Support rsaPSS signature verification.
* sm/certcheck.c (hash_algo_from_buffer): New.
(uint_from_buffer): New.
(gpgsm_check_cert_sig): Handle PSS.
* dirmngr/crlcache.c (hash_algo_from_buffer): New.
(uint_from_buffer): New.
(start_sig_check): Detect PSS and extract hash algo.  New arg to
return a PSS flag.
(finish_sig_check): New arg use_pss.  Extract PSS args and use them.
(crl_parse_insert): Pass use_pss flag along.
--

GnuPG-bug-id: 4538
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-15 15:43:06 +02:00
Werner Koch
25dc0e5b1e
dirmngr: Improve finding OCSP cert.
* dirmngr/certcache.c (find_cert_bysubject): Add better debug output
and try to locate by keyid.
--

This change was suggested in T4536
but we do not have any test cases for this.

GnuPG-bug-id: 4536
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 4699e294cc9e59f35262adca26ca291927acca9e)

The bug report meanwhile has a test description but I have not done
the testing yet.  I port this back to 2.2 anyway given that no
regression have been reported for master in nearly a year.
2020-03-18 14:14:00 +01:00
Werner Koch
21d9bd8b87
build: Always use EXTERN_UNLESS_MAIN_MODULE pattern.
* common/util.h (EXTERN_UNLESS_MAIN_MODULE): Add the definion only
here but now without the Norcroft-C.  Change all other places where it
gets defined.
* common/iobuf.h (iobuf_debug_mode): Declare unconditionally as
extern.
* common/iobuf.c (iobuf_debug_mode): Define it here.
* agent/gpg-agent.c (INCLUDED_BY_MAIN_MODULE): Define here and also in
all main modules of all other programs.

* g10/main.h: Put util.h before the local header files.
--

This change is required for use with gcc/ld's LTO feature which does
not allow common blocks.  Further gcc 10 will make -fno-common the
default and thus this chnage is always needed.  What a pitty.

Co-authored-by: Tomáš Mráz
GnuPG-bug-id: 4831
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-02-10 16:37:34 +01:00
Werner Koch
438a1ec297
dirmngr: Tell gpg about WKD lookups resulting from a cache.
* dirmngr/server.c (proc_wkd_get): Print new NOTE status
"wkd_cached_result".
* g10/call-dirmngr.c (ks_status_cb): Detect this and print a not ein
verbose mode.
--

This little patch is helpful to see why a WKD change still does not
work after it has been updated on the server.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-12-07 11:41:51 +01:00
Werner Koch
3efc94f1eb
dirmngr,gpg: Better diagnostic in case of bad TLS certificates.
* doc/DETAILS: Specify new status code "NOTE".
* dirmngr/ks-engine-http.c (ks_http_fetch): Print a NOTE status for a
bad TLS certificate.
* g10/call-dirmngr.c (ks_status_cb): Detect this status.
--

For example a

  gpg -v --locate-external-keys dd9jn@posteo.net

now yields

  gpg: Note: server uses an invalid certificate
  gpg: (further info: bad cert for 'posteo.net': \
                      Hostname does not match the certificate)
  gpg: error retrieving 'dd9jn@posteo.net' via WKD: Wrong name
  gpg: error reading key: Wrong name

(without -v the "further info" line is not shown).  Note that even
after years Posteo is not able to provide a valid certificate for
their .net addresses.  Anyway, this help to show the feature.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-11-18 18:44:36 +01:00
Werner Koch
4dd5099125
dirmngr: Forward http redirect warnings to gpg.
* dirmngr/http.c: Include dirmngr-status.h
(http_prepare_redirect): Emit WARNING status lines for redirection
problems.
* dirmngr/http.h: Include fwddecl.h.
(struct http_redir_info_s): Add field ctrl.
* dirmngr/ks-engine-hkp.c (send_request): Set it.
* dirmngr/ks-engine-http.c (ks_http_fetch): Set it.
* g10/call-dirmngr.c (ks_status_cb): Detect the two new warnings.
--

This should make it easier to diagnose problems with bad WKD servers.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-11-18 18:44:33 +01:00
Werner Koch
466bdf7c07
dirmngr: Factor some prototypes out to dirmngr-status.h.
* dirmngr/dirmngr-status.h: New.
* dirmngr/dirmngr.h: Include dirmngr-status.h and move some prototypes
to that file.
* dirmngr/t-support.c: New.
* dirmngr/Makefile.am (t_common_src): Add new file.
--

This helps to backport changes from master.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-11-18 18:44:30 +01:00
Werner Koch
0f37727fca
dirmngr: Fixed typo in recently added diagnostic.
--
2019-11-18 18:44:28 +01:00
Werner Koch
392e068e9f
dirmngr: Use IPv4 or IPv6 interface only if available.
* dirmngr/dns-stuff.c (cached_inet_support): New variable.
(dns_stuff_housekeeping): New.
(check_inet_support): New.
* dirmngr/http.c (connect_server): Use only detected interfaces.
* dirmngr/dirmngr.c (housekeeping_thread): Flush the new cache.
--

This currently works only for Windows but that is where users really
ran into problems.  The old workaround was to configure disable-ipv4
or disable-ipv6.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-11-12 20:31:34 +01:00
NIIBE Yutaka
58e234fbeb dirmngr: Don't add system CAs for SKS HKPS pool.
* dirmngr/http.c [HTTP_USE_GNUTLS] (http_session_new): Clear
add_system_cas.

--

Cherry-picking the master commit of:
	75e0ec65170b7053743406e3f3b605febcf7312a

GnuPG-bug-id: 4594
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-07-16 10:13:47 +09:00
Daniel Kahn Gillmor
efb6e08ea2
dirmngr: fix handling of HTTPS redirections during HKP
* dirmngr/ks-engine-hkp.c (send_request): Reinitialize HTTP session when
following a HTTP redirection.

--
inspired by patch from Damien Goutte-Gattat <dgouttegattat@incenp.org>

GnuPG-Bug_id: 4566
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-07-04 16:31:56 +02:00
Werner Koch
d2e8d71251
dirmngr: Avoid endless loop in case of HTTP error 503.
* dirmngr/ks-engine-hkp.c (SEND_REQUEST_EXTRA_RETRIES): New.
(handle_send_request_error): Use it for 503 and 504.
(ks_hkp_search, ks_hkp_get, ks_hkp_put): Pass a new var for
extra_tries.
--

This is a pretty stupid fix but one which works without much risk of
regressions.  We could have used the existing TRIES but in that case
the fallback to other host would have been too limited.  With the used
value we can have several fallbacks to other hosts.  Note that the
TRIES is still cumulative and not per host.

GnuPG-bug-id: 4600
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 8b113bb148f273524682252233b3c65954e1419e)
2019-07-03 17:40:49 +02:00
Werner Koch
c9b133a54e
dirmngr: Do not rewrite the redirection for the "openpgpkey" subdomain.
* dirmngr/http.c (same_host_p): Consider certain subdomains to be the
same.
--

GnuPG-bug-id: 4603
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 37f0c55c7be3fc4912237f2bc72466aef6f8aa36)
2019-07-03 16:21:45 +02:00
Werner Koch
2c6d94702a
dirmngr: Fix previous commit
--
Ooops, forgot to commit the actual backport part.

GnuPG-bug-id: 4590
Fixes-commit: 458973f502b9a43ecf29e804a2c0c86e78f5927a
2019-07-03 15:43:47 +02:00
Werner Koch
458973f502
dirmngr: Support the new WKD draft with the openpgpkey subdomain.
* dirmngr/server.c (proc_wkd_get): Implement new openpgpkey subdomain
method.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 914fa3be22bf8848a97a7dd405a040d6ef31e2fd)
2019-07-03 15:33:13 +02:00
Werner Koch
5281ecbe3a
dirmngr: Allow for other hash algorithms than SHA-1 in OCSP.
* dirmngr/ocsp.c (do_ocsp_request): Remove arg md.  Add args r_sigval,
r_produced_at, and r_md.  Get the hash algo from the signature and
create the context here.
(check_signature): Allow any hash algo.  Print a diagnostic if the
signature does not verify.
--

GnuPG-bug-id: 3966
Signed-off-by: Werner Koch <wk@gnupg.org>
2019-05-28 12:31:41 +02:00