aboutsummaryrefslogtreecommitdiffstats
path: root/dirmngr/http.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* dirmngr: Fix for Windows.NIIBE Yutaka2022-05-101-4/+38
| | | | | | | | | | | | | * dirmngr/http.c (EHOSTUNREACH, EAFNOSUPPORT): Define when not available. [HTTP_USE_GNUTLS] (my_gnutls_read): Use recv for Windows. [HTTP_USE_GNUTLS] (my_gnutls_write): Use send for Windows. -- Reported-by: Eli Zaretskii GnuPG-bug-id: 5899 Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: Fix for SOCK.NIIBE Yutaka2022-03-301-1/+1
| | | | | | | | | | * dirmngr/http.c (connect_with_timeout): Use FD2INT to unwrap SOCK. -- GnuPG-bug-id: 5899 Reported-by: Eli Zaretskii Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: Change the default keyserver.Werner Koch2021-08-241-26/+29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | * configure.ac (DIRMNGR_DEFAULT_KEYSERVER): Change to keyserver.ubuntu.com. * dirmngr/certcache.c (cert_cache_init): Disable default pool cert. * dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Ditto. * dirmngr/http.c (http_session_new): Ditto. * dirmngr/server.c (make_keyserver_item): Use a different mapping for the gnupg.net names. -- Due to the unfortunate shutdown of the keyserver pool, the long term defaults won't work anymore. Thus it is better to change them. For https access keyserver.ubuntu.com is now used because it can be expected that this server can stand the load from newer gnupg LTS versions. For http based access the Dutch Surfnet keyserver is used. However due to a non-standard TLS certificate this server can not easily be made the default for https. Note: that the default server will be changed again as soon as a new connected keyserver infrastructure has been established. (cherry picked from commit 47c4e3e00a7ef55f954c14b3c237496e54a853c1)
* dirmngr: Support pseudo URI scheme "opaque".Werner Koch2021-06-161-11/+26
| | | | | | | | | | | | | | | * dirmngr/http.h (HTTP_PARSE_NO_SCHEME_CHECK): New. * dirmngr/http.c (http_parse_uri): Use this flag. Change all callers to use the new macro for better readability. (do_parse_uri): Add pseudo scheme "opaque". (uri_query_value): New. -- This scheme can be used to convey arbitrary strings in a parsed_uri_t object. Signed-off-by: Werner Koch <[email protected]> (cherry picked from commit 72124fadafde153f8ac89a70202006d831829d06)
* dirmgr: Avoid double freeJakub Jelen2021-05-201-2/+0
| | | | | | | | | | * dirmgr/http.c (http_prepare_redirect): Avoid double free * dirmgr/ocsp.c (check_signature): Initialize pointer -- Signed-off-by: Jakub Jelen <[email protected]> GnuPG-bug-id: 5393
* dirmgr: clean up memory on error code pathsJakub Jelen2021-05-201-1/+5
| | | | | | | | | | | | * dirmgr/crlcache.c (finish_sig_check): goto leave instead of return * dirmgr/http.c (send_request): free authstr and proxy_authstr * dirmgr/ldap.c (start_cert_fetch_ldap): free proxy * dirmgr/ocsp.c (check_signature): release s_hash -- Signed-off-by: Jakub Jelen <[email protected]> GnuPG-bug-id: 5393
* Replace all calls to access by gnupg_accessWerner Koch2020-10-201-6/+6
| | | | | | | | | | | | | | | | * common/sysutils.c (gnupg_access): New. Replace all calls to access by this wrapper. * common/homedir.c (w32_shgetfolderpath): Change to return UTF-8 directory name. (standard_homedir): Adjust for change. (w32_commondir, gnupg_cachedir): Ditto. -- Also use SHGetFolderPathW instead of SHGetFolderPathA on Windows. This is required to correctly handle non-ascii filenames on Windows. GnuPG-bug-id: 5098
* dirmngr: Align the gnutls use of CAs with the ntbtls code.Werner Koch2020-09-101-8/+11
| | | | | | | | | | | | | | * dirmngr/http.c (http_session_new) <gnutls>: Use only the special pool certificate for the default keyserver. -- The gnutls version uses a different strategy than the ntbtls version on when to use the special SKS pool certificate. This patch aligns it so that we don't need to wonder about different kind of bug reports. In short the special cert is now the only cert use with the default keyserver. Signed-off-by: Werner Koch <[email protected]>
* dirmngr: Print the last alert message returned by NTBTLS.Werner Koch2020-08-271-0/+8
| | | | | | * dirmngr/http.c (send_request): Print the last TLS alert. Signed-off-by: Werner Koch <[email protected]>
* dirmngr: Handle EAFNOSUPPORT at connect_server.NIIBE Yutaka2020-07-131-0/+9
| | | | | | | | | * dirmngr/http.c (connect_server): Skip server with EAFNOSUPPORT. -- GnuPG-bug-id: 4977 Signed-off-by: NIIBE Yutaka <[email protected]>
* Spelling cleanup.Daniel Kahn Gillmor2020-02-181-1/+1
| | | | | | | | | | | | | | | | No functional changes, just fixing minor spelling issues. --- Most of these were identified from the command line by running: codespell \ --ignore-words-list fpr,stati,keyserver,keyservers,asign,cas,iff,ifset \ --skip '*.po,ChangeLog*,help.*.txt,*.jpg,*.eps,*.pdf,*.png,*.gpg,*.asc' \ doc g13 g10 kbx agent artwork scd tests tools am common dirmngr sm \ NEWS README README.maint TODO Signed-off-by: Daniel Kahn Gillmor <[email protected]>
* dirmngr: Rework of the LDAP code, part 1.Werner Koch2019-11-261-4/+22
| | | | | | | | | | | | | | | | | | | | | | | * dirmngr/http.h (struct parsed_uri_s): Add flag is_ldap. * dirmngr/http.c (do_parse_uri): Set flag. Do not error out for a missing slashes in an http scheme if NO_SCHEME_CHECK is active. * dirmngr/t-http.c (main): Print new flag. * dirmngr/ks-engine-ldap.c (ks_ldap_help): Use flag instead of checking the scheme. * dirmngr/ldap-parse-uri.c (ldap_uri_p): Re-implement using http_parse_uri. * dirmngr/t-ldap-parse-uri.c (main): Add option --verbose. -- This patch merely remove the separate parser for checking for an LDAP scheme. It is better to let our generic URI parser handle this. Also fixes this bug || url[4] == 'i' || url[4] == 'i') to make the rarely used ldapi scheme case-insensitive. More changes to the LDAP code are planned. Signed-off-by: Werner Koch <[email protected]>
* dirmngr: Make building with a TLS library mandatoryWerner Koch2019-11-261-57/+34
| | | | | | | * configure.ac: Do not build dirmngr if no TLS is available. * dirmngr/http.c: Remove all uses of the USE_TLS macro. Signed-off-by: Werner Koch <[email protected]>
* dirmngr: Forward http redirect warnings to gpg.Werner Koch2019-11-181-1/+16
| | | | | | | | | | | | | | | | * dirmngr/http.c: Include dirmngr-status.h (http_prepare_redirect): Emit WARNING status lines for redirection problems. * dirmngr/http.h: Include fwddecl.h. (struct http_redir_info_s): Add field ctrl. * dirmngr/ks-engine-hkp.c (send_request): Set it. * dirmngr/ks-engine-http.c (ks_http_fetch): Set it. * g10/call-dirmngr.c (ks_status_cb): Detect the two new warnings. -- This should make it easier to diagnose problems with bad WKD servers. Signed-off-by: Werner Koch <[email protected]>
* dirmngr: Use IPv4 or IPv6 interface only if available.Werner Koch2019-11-121-3/+7
| | | | | | | | | | | | | | | * dirmngr/dns-stuff.c (cached_inet_support): New variable. (dns_stuff_housekeeping): New. (check_inet_support): New. * dirmngr/http.c (connect_server): Use only detected interfaces. * dirmngr/dirmngr.c (housekeeping_thread): Flush the new cache. -- This currently works only for Windows but that is where users really ran into problems. The old workaround was to configure disable-ipv4 or disable-ipv6. Signed-off-by: Werner Koch <[email protected]>
* dirmngr: Don't add system CAs for SKS HKPS pool.NIIBE Yutaka2019-07-161-0/+2
| | | | | | | | * dirmngr/http.c [HTTP_USE_GNUTLS] (http_session_new): Clear add_system_cas. GnuPG-bug-id: 4594 Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: Do not rewrite the redirection for the "openpgpkey" subdomain.Werner Koch2019-07-031-0/+20
| | | | | | | | | * dirmngr/http.c (same_host_p): Consider certain subdomains to be the same. -- GnuPG-bug-id: 4603 Signed-off-by: Werner Koch <[email protected]>
* dirmngr: Add a CSRF expection for pm.meWerner Koch2019-05-091-1/+2
| | | | | | -- Also comment typo fix.
* dirmngr: Add CSRF protection exception for protonmail.Werner Koch2019-03-071-5/+40
| | | | | | | | | | * dirmngr/http.c (same_host_p): Add exception table. -- Please: Adding entries to this table shall be an exception and not the rule. Signed-off-by: Werner Koch <[email protected]>
* dirmngr: New function http_status2string.Werner Koch2018-12-111-0/+24
| | | | | | | | | * dirmngr/http.c (http_status2string): New. -- Right now only the standard 5xx codes. Signed-off-by: Werner Koch <[email protected]>
* dirmngr: Avoid possible CSRF attacks via http redirects.Werner Koch2018-11-221-2/+169
| | | | | | | | | | | | | | | | | | | | * dirmngr/http.h (parsed_uri_s): Add fields off_host and off_path. (http_redir_info_t): New. * dirmngr/http.c (do_parse_uri): Set new fields. (same_host_p): New. (http_prepare_redirect): New. * dirmngr/t-http-basic.c: New test. * dirmngr/ks-engine-hkp.c (send_request): Use http_prepare_redirect instead of the open code. * dirmngr/ks-engine-http.c (ks_http_fetch): Ditto. -- With this change a http query will not follow a redirect unless the Location header gives the same host. If the host is different only the host and port is taken from the Location header and the original path and query parts are kept. Signed-off-by: Werner Koch <[email protected]>
* dirmngr: Print a WARNING status for DNS config problems.Werner Koch2018-07-251-15/+21
| | | | | | | | | | | | | | | | | | | | | * dirmngr/dirmngr-status.h: New. * dirmngr/dirmngr.h: Include dirmngr-status.h and move some prototypes to that file. * dirmngr/t-support.c: New. * dirmngr/Makefile.am (dirmngr_SOURCES): Add dirmngr-status.h. (t_common_src): Add t-support.c. * dirmngr/server.c (dirmngr_status_printf): Bypass if CTRL is NULL. * dirmngr/dns-stuff.c: Include dirmngr-status.h. (libdns_init): Print WARNING status line. Change call callers to take and pass a CTRL argument. * g10/call-dirmngr.c (ks_status_cb): Print info for new WARNING status. -- To test this you can change RESOLV_CONF_NAME in dns-stuff.c and run gpg --recv-key -v SOMETHING. Signed-off-by: Werner Koch <[email protected]>
* Merge branch 'STABLE-BRANCH-2-2' into masterWerner Koch2018-05-131-1/+59
|\ | | | | | | | | | | | | | | | | | | -- Resolved Conflicts: NEWS - removed configure.ac - removed Signed-off-by: Werner Koch <[email protected]>
| * dirmngr: Add the used TLS library to the debug output.Werner Koch2018-04-251-1/+11
| | | | | | | | | | | | | | | | | | | | | | * dirmngr/http.c (send_request): Print the used TLS library in debug mode. -- We allow two different TLS libararies and thus it is useful to see that in the debug output of bug reports. Signed-off-by: Werner Koch <[email protected]>
| * dirmngr: Implement CRL fetching via https.Werner Koch2018-04-251-0/+48
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * dirmngr/http.h (HTTP_FLAG_TRUST_CFG): New flag. * dirmngr/http.c (http_register_cfg_ca): New. (http_session_new) [HTTP_USE_GNUTLS]: Implement new trust flag. * dirmngr/certcache.c (load_certs_from_dir): Call new function. (cert_cache_deinit): Ditto. * dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Ditto. * dirmngr/ks-engine-http.c (ks_http_fetch): Add new args 'send_no_cache' and 'extra_http_trust_flags'. Change all callers to provide the default value. * dirmngr/crlfetch.c (crl_fetch): Rewrite to make use of ks_http_fetch. -- The old code simply did not use https for downloading of CRLS. Instead it rewrote https to http under the assumption that the CRL service was also available without encryption. Note that a CRL is self-standing and thus it does not need to have extra authenticity as provided by TLS. These days we should not use any unencrypted content and thus this patch. Be aware that cacert.org give a https CRL DP but that currently redirects to to http! This is a downgrade attack which we detect and don't allow. The outcome is that it is right now not possible to use CAcert certificates. Signed-off-by: Werner Koch <[email protected]>
* | Use the gpgrt log functions if possible.Werner Koch2017-11-271-5/+5
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | * common/logging.c: Do not build any code if we can use the gpgrt_log functions. (log_logv_with_prefix): Rename to log_logv_prefix and change order of args so that this function matches its printf like counterpart gpgrt_logv_prefix. Change all callers. (log_debug_with_string): Rename to log_debug_string. Change all callers. (log_printhex): Move first arg to end so that this function matches its printf like counterpart gpgrt_log_printhex. Change all callers. * common/logging.h: Divert to gpgrt/libgpg-error if we can use the gpgrt_log functions. (bug_at): Add inline versions if we can use the gpgrt_log functions. * configure.ac (GPGRT_ENABLE_LOG_MACROS): Add to AH_BOTTOM. (mycflags): Add -Wno-format-zero-length. -- This patch enables the use of the log function from libgpgrt (aka libgpg-error). Instead of checking a version number, we enable them depending on macros set by recent gpg-error versions. Eventually the whole divert stuff can be removed. The -Wno-format-zero-length is required because log_printhex can be called with an empty format string. Note that this is fully specified standard C behaviour. Signed-off-by: Werner Koch <[email protected]>
* dirmngr,w32: Fix http connection timeout problem.Werner Koch2017-07-311-1/+5
| | | | | | | | * dirmngr/http.c (connect_with_timeout) [W32]: Take care of EAGAIN. -- GnuPG-bug-id: 3319 Signed-off-by: Werner Koch <[email protected]>
* dirmngr: Do not use a blocking connect in Tor mode.Werner Koch2017-07-261-0/+8
| | | | | | | * dirmngr/http.c (http_raw_connect): Disable the timeout in Tor mode. (send_request): Ditto. Signed-off-by: Werner Koch <[email protected]>
* dirmngr: More minor fix.NIIBE Yutaka2017-07-241-0/+4
| | | | | | * dirmngr/http.c (send_request): Care the case of !USE_TLS. Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: More minor fixes.NIIBE Yutaka2017-07-241-1/+1
| | | | | | | * dirmngr/http.c (http_verify_server_credentials): Duplicated const. * dirmngr/ldap.c (parse_one_pattern): Add comment. Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: Minor fix for Windows.NIIBE Yutaka2017-07-241-1/+1
| | | | | | * dirmngr/http.c (connect_with_timeout): Use FD2INT. Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: Implement TLS over http proxies.Justus Winter2017-07-191-1/+90
| | | | | | | | | * dirmngr/http.c (send_request): If a http proxy is to be used, and we want to use TLS, try to use the CONNECT method to get a connection to the target server. GnuPG-bug-id: 2940 Signed-off-by: Justus Winter <[email protected]>
* dirmngr: Log http response in debug mode.Justus Winter2017-07-191-2/+2
| | | | | | * dirmngr/http.c (parse_response): Log http response in debug mode. Signed-off-by: Justus Winter <[email protected]>
* dirmngr: Amend TLS handling.Justus Winter2017-07-191-1/+3
| | | | | | | * dirmngr/http.c (http_wait_response): Get the 'use_tls' flag from the write cookie, not from the URI. Signed-off-by: Justus Winter <[email protected]>
* dirmngr: Fix connecting to http proxies.Justus Winter2017-07-191-1/+1
| | | | | | | * dirmngr/http.c (send_request): Do not use the 'srvtag' intended for the target host to connect to the http proxy. Signed-off-by: Justus Winter <[email protected]>
* dirmngr: Fix handling of proxy URIs.Justus Winter2017-07-191-2/+3
| | | | | | * dirmngr/http.c (send_request): We do not support socks4. Signed-off-by: Justus Winter <[email protected]>
* dirmngr: Honor http keyserver URLs.Justus Winter2017-07-181-1/+3
| | | | | | | | | | | | | | | * dirmngr/http.c (parse_uri): Keep an unmodified copy of the URI. * dirmngr/http.h (struct parsed_uri_s): New field 'original'. * dirmngr/ks-action.c (ks_action_get): Properly handle http and https URLs. -- If a key has a http or https URL as preferred keyserver, fetch the key from there. Previously, dirmngr unconditionally interpreted these URLs as hkp servers. GnuPG-bug-id: 2924 Signed-off-by: Justus Winter <[email protected]>
* dirmngr: Fix memory leak.Justus Winter2017-07-181-1/+1
| | | | | | * dirmngr/http.c (parse_uri): Properly free partial results. Signed-off-by: Justus Winter <[email protected]>
* dirmngr: Fix memory leak.Justus Winter2017-07-181-0/+5
| | | | | | * dirmngr/http.c (http_release_parsed_uri): Free 'params'. Signed-off-by: Justus Winter <[email protected]>
* dirmngr: Allow a timeout for HTTP and other TCP connects.Werner Koch2017-06-081-16/+183
| | | | | | | | | | | | | | | | | | | | | | | * dirmngr/http.c: Include fcntl.h. (http_session_s): Add field 'connect_timeout'. (http_session_new): Clear that. (http_session_set_timeout): New function. (my_wsagetlasterror) [W32]: New. (connect_with_timeout): New function. (connect_server): Add arg 'timeout' and call connect_with_timeout. (send_request): Add arg 'timeout' and pass it to connect_server. (http_raw_connect): Add arg 'timeout'. (http_open): Pass TIMEOUT from the session to connect_server. -- Note that the non-blocking connect we implement is traditional a pretty non-portable thing due to slighly different semantics. The code uses the strategy W. Richard Stevens suggested in 1998. Hopefully current OS versions got it all right. The code has not been tested on Windows. Signed-off-by: Werner Koch <[email protected]>
* Spelling fixes in docs and comments.NIIBE Yutaka2017-04-281-4/+4
| | | | | | | | | | -- In addition, fix trailing spaces in tests/inittests. GnuPG-bug-id: 3121 Reported-by: ka7 (klemens) Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: Fix API difference for Windows.NIIBE Yutaka2017-04-181-9/+10
| | | | | | | | | * dirmngr/http.c (read_server, write_server): Use assuan_fd_t. (http_wait_response): Use FD2INT to get unsigned integer fd. (read_server, write_server): Likewise. (simple_cookie_read, simple_cookie_write): Use assuan_fd_t. Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: More fix for Windows.NIIBE Yutaka2017-04-131-6/+6
| | | | | | | | | * dirmngr/http.c (simple_cookie_read, simple_cookie_write): Only valid with HTTP_USE_NTBTLS. (_my_socket_new): Simply cast to int since it's for debug. (_my_socket_ref, _my_socket_unref): Likewise. Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: Fix http.c for sockaddr_storage.NIIBE Yutaka2017-04-131-6/+7
| | | | | | | dirmngr/http.c (use_socks): Use sockaddr_storage. (my_sock_new_for_addr, connect_server): Likewise. Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: Fix type of sock.NIIBE Yutaka2017-04-121-1/+1
| | | | | | * dirmngr/http.c (send_request): Use assuan_fd_t for SOCK. Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: Ignore warning alerts in the GNUTLS handshake.Werner Koch2017-03-171-1/+7
| | | | | | | | | * dirmngr/http.c (send_request) [GNUTLS]: Don't bail out on warning alerts. -- GnuPG-bug-id: 2833 Signed-off-by: Werner Koch <[email protected]>
* Remove -I option to common.NIIBE Yutaka2017-03-071-2/+2
| | | | | | | | | | | | | * dirmngr/Makefile.am (AM_CPPFLAGS): Remove -I$(top_srcdir)/common. * g10/Makefile.am (AM_CPPFLAGS): Ditto. * g13/Makefile.am (AM_CPPFLAGS): Ditto. * kbx/Makefile.am (AM_CPPFLAGS): Ditto. * scd/Makefile.am (AM_CPPFLAGS): Ditto. * sm/Makefile.am (AM_CPPFLAGS): Ditto. * tools/Makefile.am (AM_CPPFLAGS): Ditto. * Throughout: Follow the change. Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: Rearrange files to fix de6d831.Werner Koch2017-03-021-1/+1
| | | | | | | | | | | | | | * dirmngr/http-common.c: New. * dirmngr/http-common.h: New. * dirmngr/Makefile.am (dirmngr_SOURCES): Add them. (t_http_SOURCES): Add them. (t_ldap_parse_uri_SOURCES): Add them. * dirmngr/misc.c (get_default_keyserver): Move to ... * dirmngr/http-common.c: here. * dirmngr/http.c: Include http-common.h instead of misc.h. * dirmngr/http-ntbtls.c: Ditto. Signed-off-by: Werner Koch <[email protected]>
* dirmngr: Let --gpgconf-list return the default keyserver.Werner Koch2017-03-021-1/+2
| | | | | | | | | | | * dirmngr/misc.c (get_default_keyserver): New. * dirmngr/http.c: Include misc.h (http_session_new): Use get_default_keyserver instead of hardwired "hkps.pool.sks-keyservers.net". * dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Ditto. * dirmngr/dirmngr.c (main) <aGPGCongList>: Return default keyserver. Signed-off-by: Werner Koch <[email protected]>
* dirmngr: Add new debug flag "extprog"Werner Koch2017-02-231-3/+3
| | | | | | | | | * dirmngr/dirmngr.h (DBG_EXTPROG_VALUE, DBG_EXTPROG): New macros. * dirmngr/dirmngr.c (debug_flags): Add flag "extprog". (handle_connections): Use a macro instead of -1 for an invalid socket. * dirmngr/loadswdb.c (verify_status_cb): Debug the gpgv call. Signed-off-by: Werner Koch <[email protected]>
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-12 06:43:09 +0000