authorDongHun Kwak <dh0128.kwak@samsung.com>2021-02-09 16:00:08 +0900
committerDongHun Kwak <dh0128.kwak@samsung.com>2021-02-09 16:00:08 +0900
commit158ef6d574d6bd975c94e86476cb1631e775a40c (patch)
treeb8b35f4bd31490137410f2b795b252f23ea5ee3e /dirmngr
parent723cf5853fa655cec32478e13cd74b5b483fae7f (diff)
Imported Upstream version 2.1.11upstream/2.1.11
Diffstat (limited to 'dirmngr')
-rw-r--r--dirmngr/Makefile.am1
-rw-r--r--dirmngr/crlcache.c7
-rw-r--r--dirmngr/dns-stuff.c2
-rw-r--r--dirmngr/http.c31
-rw-r--r--dirmngr/http.h3
-rw-r--r--dirmngr/ks-action.c19
-rw-r--r--dirmngr/ks-engine-hkp.c30
-rw-r--r--dirmngr/ks-engine-http.c2
-rw-r--r--dirmngr/ks-engine.h2
-rw-r--r--dirmngr/misc.c16
-rw-r--r--dirmngr/misc.h2
-rw-r--r--dirmngr/t-dns-stuff.c6
-rw-r--r--dirmngr/t-http.c2
13 files changed, 95 insertions, 28 deletions
diff --git a/dirmngr/Makefile.am b/dirmngr/Makefile.am
index c3bce0d..1c74d10 100644
--- a/dirmngr/Makefile.am
+++ b/dirmngr/Makefile.am
@@ -20,6 +20,7 @@
## Process this file with automake to produce Makefile.in
EXTRA_DIST = OAUTHORS ONEWS ChangeLog-2011 tls-ca.pem
+dist_pkgdata_DATA = sks-keyservers.netCA.pem
bin_PROGRAMS = dirmngr dirmngr-client
diff --git a/dirmngr/crlcache.c b/dirmngr/crlcache.c
index 13d8a26..25ce7a6 100644
--- a/dirmngr/crlcache.c
+++ b/dirmngr/crlcache.c
@@ -1345,12 +1345,13 @@ cache_isvalid (ctrl_t ctrl, const char *issuer_hash,
if (n != 16)
{
log_error (_("WARNING: invalid cache record length for S/N "));
+ log_printf ("0x");
log_printhex ("", sn, snlen);
}
else if (opt.verbose)
{
unsigned char record[16];
- char *tmp = hexify_data (sn, snlen);
+ char *tmp = hexify_data (sn, snlen, 1);
if (cdb_read (cdb, record, n, cdb_datapos (cdb)))
log_error (_("problem reading cache record for S/N %s: %s\n"),
@@ -1366,7 +1367,7 @@ cache_isvalid (ctrl_t ctrl, const char *issuer_hash,
{
if (opt.verbose)
{
- char *serialno = hexify_data (sn, snlen);
+ char *serialno = hexify_data (sn, snlen, 1);
log_info (_("S/N %s is valid, it is not listed in the CRL\n"),
serialno );
xfree (serialno);
@@ -2095,7 +2096,7 @@ crl_cache_insert (ctrl_t ctrl, const char *url, ksba_reader_t reader)
err = gpg_error (GPG_ERR_CHECKSUM);
goto leave;
}
- checksum = hexify_data (md5buf, 16);
+ checksum = hexify_data (md5buf, 16, 0);
}
diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
index 1bf6cfc..63dfc8d 100644
--- a/dirmngr/dns-stuff.c
+++ b/dirmngr/dns-stuff.c
@@ -119,6 +119,8 @@ static char tor_credentials[50];
gpg_error_t
enable_dns_tormode (int new_circuit)
{
+ (void) new_circuit;
+
#if defined(USE_DNS_CERT) && defined(USE_ADNS)
# if HAVE_ADNS_IF_TORMODE
if (!*tor_credentials || new_circuit)
diff --git a/dirmngr/http.c b/dirmngr/http.c
index 74b6911..aa33917 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -562,7 +562,8 @@ http_session_release (http_session_t sess)
/* Create a new session object which is currently used to enable TLS
support. It may eventually allow reusing existing connections. */
gpg_error_t
-http_session_new (http_session_t *r_session, const char *tls_priority)
+http_session_new (http_session_t *r_session, const char *tls_priority,
+ const char *intended_hostname)
{
gpg_error_t err;
http_session_t sess;
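Review bot: The comment above `http_session_new` still describes only the session object and says nothing about the new INTENDED_HOSTNAME parameter; the matching prototype in http.h (hunk `@@ -98,7 +98,8 @@`) also gains it without any comment, so readers of either file cannot tell what it controls or whether NULL is allowed. Suggest extending the comment with `INTENDED_HOSTNAME may be NULL; it is only compared against the hkps pool name to decide whether a bundled CA file is loaded when no CA list has been configured.` The function body continues outside the hunk.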
@@ -600,6 +601,34 @@ http_session_new (http_session_t *r_session, const char *tls_priority)
goto leave;
}
+ /* If the user has not specified a CA list, and they are looking
+ * for the hkps pool from sks-keyservers.net, then default to
+ * Kristian's certificate authority: */
+ if (!tls_ca_certlist
+ && intended_hostname
+ && !ascii_strcasecmp (intended_hostname,
+ "hkps.pool.sks-keyservers.net"))
+ {
+ char *pemname = make_filename_try (gnupg_datadir (),
+ "sks-keyservers.netCA.pem", NULL);
+ if (!pemname)
+ {
+ err = gpg_error_from_syserror ();
+ log_error ("setting CA from file '%s' failed: %s\n",
+ pemname, gpg_strerror (err));
+ }
+ else
+ {
+ rc = gnutls_certificate_set_x509_trust_file
+ (sess->certcred, pemname, GNUTLS_X509_FMT_PEM);
+ if (rc < 0)
+ log_info ("setting CA from file '%s' failed: %s\n",
+ pemname, gnutls_strerror (rc));
+ xfree (pemname);
+ }
+ }
+
+ /* Add configured certificates to the session. */
for (sl = tls_ca_certlist; sl; sl = sl->next)
{
rc = gnutls_certificate_set_x509_trust_file
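Review bot: In the `!pemname` branch the `log_error` call passes `pemname` for `%s` while it is known to be NULL, which is undefined behaviour in standard C (glibc prints "(null)", other libcs may crash); that branch also sets `err` without jumping to `leave`, so the function carries on installing trust files and whether the caller ever sees the failure depends on code after the hunk. Suggest `log_error ("setting CA from file '%s' failed: %s\n", "sks-keyservers.netCA.pem", gpg_strerror (err));` followed by `goto leave;` (the label is already used two lines above the hunk). The `rc < 0` path only logging at info level is presumably deliberate so that a missing bundled file does not break sessions, but a one-line comment saying so would help the next reader.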
diff --git a/dirmngr/http.h b/dirmngr/http.h
index 64f55e1..58b8c1a 100644
--- a/dirmngr/http.h
+++ b/dirmngr/http.h
@@ -98,7 +98,8 @@ void http_register_tls_callback (gpg_error_t (*cb)(http_t,http_session_t,int));
void http_register_tls_ca (const char *fname);
gpg_error_t http_session_new (http_session_t *r_session,
- const char *tls_priority);
+ const char *tls_priority,
+ const char *intended_hostname);
http_session_t http_session_ref (http_session_t sess);
void http_session_release (http_session_t sess);
diff --git a/dirmngr/ks-action.c b/dirmngr/ks-action.c
index dd4516a..21aa646 100644
--- a/dirmngr/ks-action.c
+++ b/dirmngr/ks-action.c
@@ -144,6 +144,7 @@ ks_action_search (ctrl_t ctrl, uri_item_t keyservers,
{
gpg_error_t err = 0;
int any_server = 0;
+ int any_results = 0;
uri_item_t uri;
estream_t infp;
@@ -155,11 +156,13 @@ ks_action_search (ctrl_t ctrl, uri_item_t keyservers,
parallel and merge them. We also need to decide what to do with
errors - it might not be the best idea to ignore an error from
one server and silently continue with another server. For now we
- stop at the first error. */
+ stop at the first error, unless the server responds with '404 Not
+ Found', in which case we try the next server. */
for (uri = keyservers; !err && uri; uri = uri->next)
{
int is_http = uri->parsed_uri->is_http;
int is_ldap = 0;
+ unsigned int http_status = 0;
#if USE_LDAP
is_ldap = (strcmp (uri->parsed_uri->scheme, "ldap") == 0
|| strcmp (uri->parsed_uri->scheme, "ldaps") == 0
@@ -174,13 +177,23 @@ ks_action_search (ctrl_t ctrl, uri_item_t keyservers,
else
#endif
{
- err = ks_hkp_search (ctrl, uri->parsed_uri, patterns->d, &infp);
+ err = ks_hkp_search (ctrl, uri->parsed_uri, patterns->d,
+ &infp, &http_status);
}
+ if (err == gpg_error (GPG_ERR_NO_DATA)
+ && http_status == 404 /* not found */)
+ {
+ /* No record found. Clear error and try next server. */
+ err = 0;
+ continue;
+ }
+
if (!err)
{
err = copy_stream (infp, outfp);
es_fclose (infp);
+ any_results = 1;
break;
}
}
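Review bot: The 404 check compares the full error value, `err == gpg_error (GPG_ERR_NO_DATA)`, which only matches when ks_hkp_search created the error with the same error source; the idiomatic and robust form is `if (gpg_err_code (err) == GPG_ERR_NO_DATA && http_status == 404)`. The test also relies on `http_status` being reset to 0 at the top of every iteration, because send_request only writes it once a response has been read; that works as written, but a short comment on the declaration (`/* 0 until send_request has read a response. */`) would make the dependency explicit. ks_action_search's body starts and ends outside the hunk.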
@@ -188,6 +201,8 @@ ks_action_search (ctrl_t ctrl, uri_item_t keyservers,
if (!any_server)
err = gpg_error (GPG_ERR_NO_KEYSERVER);
+ else if (err == 0 && !any_results)
+ err = gpg_error (GPG_ERR_NO_DATA);
return err;
}
diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index e458899..eca02f0 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -545,9 +545,9 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect,
if (hi->pool)
{
/* Deal with the pool name before selecting a host. */
- if (r_poolname && hi->cname)
+ if (r_poolname)
{
- *r_poolname = xtrystrdup (hi->cname);
+ *r_poolname = xtrystrdup (hi->cname? hi->cname : hi->name);
if (!*r_poolname)
return gpg_error_from_syserror ();
}
@@ -974,12 +974,13 @@ ks_hkp_housekeeping (time_t curtime)
R_FP. HOSTPORTSTR is only used for diagnostics. If HTTPHOST is
not NULL it will be used as HTTP "Host" header. If POST_CB is not
NULL a post request is used and that callback is called to allow
- writing the post data. */
+ writing the post data. If R_HTTP_STATUS is not NULL, the http
+ status code will be stored there. */
static gpg_error_t
send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
const char *httphost, unsigned int httpflags,
gpg_error_t (*post_cb)(void *, http_t), void *post_cb_value,
- estream_t *r_fp)
+ estream_t *r_fp, unsigned int *r_http_status)
{
gpg_error_t err;
http_session_t session = NULL;
@@ -990,7 +991,7 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
*r_fp = NULL;
- err = http_session_new (&session, NULL);
+ err = http_session_new (&session, NULL, httphost);
if (err)
goto leave;
http_session_set_log_cb (session, cert_log_cb);
@@ -1050,6 +1051,9 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
httpflags |= HTTP_FLAG_FORCE_TLS;
}
+ if (r_http_status)
+ *r_http_status = http_get_status_code (http);
+
switch (http_get_status_code (http))
{
case 200:
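Review bot: `*r_http_status` is only written after a response has been read, so on any earlier failure path that jumps to `leave` the caller's variable keeps whatever it held before the call; the function already normalises `*r_fp = NULL` at entry (hunk `@@ -990,7 +991,7 @@`), and doing the same with `if (r_http_status) *r_http_status = 0;` would make the out-parameter contract independent of the caller's initialisation. As a minor style point, `http_get_status_code (http)` is now called twice in a row; caching it in a local `unsigned int status` and using that for both the store and the `switch` would avoid the repetition. send_request's body continues outside the hunk.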
@@ -1083,6 +1087,10 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
}
goto leave;
+ case 501:
+ err = gpg_error (GPG_ERR_NOT_IMPLEMENTED);
+ goto leave;
+
default:
log_error (_("error accessing '%s': http status %u\n"),
request, http_get_status_code (http));
@@ -1154,10 +1162,12 @@ handle_send_request_error (gpg_error_t err, const char *request,
/* Search the keyserver identified by URI for keys matching PATTERN.
- On success R_FP has an open stream to read the data. */
+ On success R_FP has an open stream to read the data. If
+ R_HTTP_STATUS is not NULL, the http status code will be stored
+ there. */
gpg_error_t
ks_hkp_search (ctrl_t ctrl, parsed_uri_t uri, const char *pattern,
- estream_t *r_fp)
+ estream_t *r_fp, unsigned int *r_http_status)
{
gpg_error_t err;
KEYDB_SEARCH_DESC desc;
@@ -1244,7 +1254,7 @@ ks_hkp_search (ctrl_t ctrl, parsed_uri_t uri, const char *pattern,
/* Send the request. */
err = send_request (ctrl, request, hostport, httphost, httpflags,
- NULL, NULL, &fp);
+ NULL, NULL, &fp, r_http_status);
if (handle_send_request_error (err, request, &tries))
{
reselect = 1;
@@ -1377,7 +1387,7 @@ ks_hkp_get (ctrl_t ctrl, parsed_uri_t uri, const char *keyspec, estream_t *r_fp)
/* Send the request. */
err = send_request (ctrl, request, hostport, httphost, httpflags,
- NULL, NULL, &fp);
+ NULL, NULL, &fp, NULL);
if (handle_send_request_error (err, request, &tries))
{
reselect = 1;
@@ -1485,7 +1495,7 @@ ks_hkp_put (ctrl_t ctrl, parsed_uri_t uri, const void *data, size_t datalen)
/* Send the request. */
err = send_request (ctrl, request, hostport, httphost, 0,
- put_post_cb, &parm, &fp);
+ put_post_cb, &parm, &fp, NULL);
if (handle_send_request_error (err, request, &tries))
{
reselect = 1;
diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c
index ae128ee..c51c0ce 100644
--- a/dirmngr/ks-engine-http.c
+++ b/dirmngr/ks-engine-http.c
@@ -65,7 +65,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
estream_t fp = NULL;
char *request_buffer = NULL;
- err = http_session_new (&session, NULL);
+ err = http_session_new (&session, NULL, NULL);
if (err)
goto leave;
http_session_set_log_cb (session, cert_log_cb);
diff --git a/dirmngr/ks-engine.h b/dirmngr/ks-engine.h
index 6684a12..cb48f7f 100644
--- a/dirmngr/ks-engine.h
+++ b/dirmngr/ks-engine.h
@@ -34,7 +34,7 @@ gpg_error_t ks_hkp_mark_host (ctrl_t ctrl, const char *name, int alive);
gpg_error_t ks_hkp_print_hosttable (ctrl_t ctrl);
gpg_error_t ks_hkp_help (ctrl_t ctrl, parsed_uri_t uri);
gpg_error_t ks_hkp_search (ctrl_t ctrl, parsed_uri_t uri, const char *pattern,
- estream_t *r_fp);
+ estream_t *r_fp, unsigned int *r_http_status);
gpg_error_t ks_hkp_get (ctrl_t ctrl, parsed_uri_t uri,
const char *keyspec, estream_t *r_fp);
gpg_error_t ks_hkp_put (ctrl_t ctrl, parsed_uri_t uri,
diff --git a/dirmngr/misc.c b/dirmngr/misc.c
index c2c5af1..ac3856e 100644
--- a/dirmngr/misc.c
+++ b/dirmngr/misc.c
@@ -59,17 +59,23 @@ hashify_data( const char* data, size_t len )
{
unsigned char buf[20];
gcry_md_hash_buffer (GCRY_MD_SHA1, buf, data, len);
- return hexify_data( buf, 20 );
+ return hexify_data (buf, 20, 0);
}
char*
-hexify_data( const unsigned char* data, size_t len )
+hexify_data (const unsigned char* data, size_t len, int with_prefix)
{
int i;
- char* result = xmalloc( sizeof( char ) * (2*len+1));
+ char *result = xmalloc (2*len + (with_prefix?2:0) + 1);
+ char *p;
+
+ if (with_prefix)
+ p = stpcpy (result, "0x");
+ else
+ p = result;
- for( i = 0; i < 2*len; i+=2 )
- sprintf( result+i, "%02X", *data++);
+ for (i = 0; i < 2*len; i+=2 )
+ snprintf (p+i, 3, "%02X", *data++);
return result;
}
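Review bot: In the rewritten `hexify_data` the loop index `i` is still an `int` while it is compared against `2*len`, a `size_t`; this mixes signed and unsigned arithmetic (`-Wsign-compare`) and misbehaves for very large inputs, so declare `size_t i;` instead. The `snprintf (p+i, 3, ...)` bound is correct as written, since each iteration writes two hex digits plus the terminator and the allocation accounts for the optional `0x` prefix and the final NUL. Note that a `len` near `SIZE_MAX/2` would overflow `2*len` before reaching xmalloc, although the callers visible in this diff pass fixed small lengths.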
diff --git a/dirmngr/misc.h b/dirmngr/misc.h
index d8c53d3..be4049e 100644
--- a/dirmngr/misc.h
+++ b/dirmngr/misc.h
@@ -28,7 +28,7 @@ size_t unhexify (unsigned char *result, const char *string);
char* hashify_data( const char* data, size_t len );
/* Returns data as a hex string. */
-char* hexify_data( const unsigned char* data, size_t len );
+char* hexify_data (const unsigned char* data, size_t len, int with_prefix);
/* Returns the serial number as a hex string. */
char* serial_hex ( ksba_sexp_t serial );
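Review bot: The comment on `hexify_data` still reads "Returns data as a hex string." and does not describe the new WITH_PREFIX argument or who owns the result. Suggest replacing it with `/* Returns DATA as an upper-case hex string, prefixed with "0x" if WITH_PREFIX is true.  The caller must xfree the result. */`.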
diff --git a/dirmngr/t-dns-stuff.c b/dirmngr/t-dns-stuff.c
index 3030277..05b39a0 100644
--- a/dirmngr/t-dns-stuff.c
+++ b/dirmngr/t-dns-stuff.c
@@ -155,7 +155,8 @@ main (int argc, char **argv)
void *key;
size_t keylen;
- printf ("CERT lookup on '%s'\n", name);
+ if (verbose || any_options)
+ printf ("CERT lookup on '%s'\n", name);
err = get_dns_cert (name, DNS_CERTTYPE_ANY, &key, &keylen,
&fpr, &fpr_len, &url);
@@ -164,7 +165,8 @@ main (int argc, char **argv)
gpg_strerror (err), gpg_strsource (err));
else if (key)
{
- printf ("Key found (%u bytes)\n", (unsigned int)keylen);
+ if (verbose || any_options)
+ printf ("Key found (%u bytes)\n", (unsigned int)keylen);
}
else
{
diff --git a/dirmngr/t-http.c b/dirmngr/t-http.c
index 63662a2..9d5ea5f 100644
--- a/dirmngr/t-http.c
+++ b/dirmngr/t-http.c
@@ -262,7 +262,7 @@ main (int argc, char **argv)
http_register_tls_callback (verify_callback);
http_register_tls_ca (cafile);
- err = http_session_new (&session, NULL);
+ err = http_session_new (&session, NULL, NULL);
if (err)
log_error ("http_session_new failed: %s\n", gpg_strerror (err));