| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
| |
* dirmngr/ks-engine-ldap.c (interrogate_ldap_dn): New.
--
GnuPG-bug-id: 6047
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/crlcache.c (crl_cache_reload_crl): Rework the double loop.
Remove the unused issuername_uri stuff.
--
It is quite common that LDAP servers are blocked and thuis the HTTP
access point should be used instead. This worked well for
certificates where the DP are given in this form:
crlDP: ldap://x500.bund.de/[...]
http://x500.bund.de/[...]
issuer: none
but it failed for this form
crlDP: ldap://x500.bund.de/[...]
issuer: none
crlDP: http://x500.bund.de/[...]
issuer: none
because the LAST_ERR thing terminated the outer loop. This pacth
fixes this and also cleans up the code to be more robust.
Note that the common workaround of using --ignore-ldap-dp will now
only be needed if the firewall uses packet dropping instead of proper
ICMP rejects.
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/dns.c: Use __noreturn__.
* doc/yat2m.c: Likewise.
* g10/main.h: Likewise.
--
GnuPG-bug-id: 4002
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/ks-action.c [USE_LDAP] (ks_action_help): Recover variables.
* dirmngr/server.c [USE_LDAP] (dirmngr/server.c): Likewise.
--
Fixes-commit: 3d7dbf16618db4d0dc602daadbde098d4a14b528
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/dns.c (dns_a_parse0, dns_a_push0, dns_a_cmp0): New.
(dns_a_print0, dns_aaaa_parse0, dns_aaaa_cmp0): New.
(dns_aaaa_print0, dns_mx_parse0, dns_mx_push0, dns_mx_cmp0): New.
(dns_mx_print0, dns_mx_cname0, dns_ns_parse0, dns_ns_push0): New.
(dns_ns_cmp0, dns_ns_print0, dns_ns_cname0, dns_cname_parse0): New.
(dns_cname_push0, dns_cname_cmp0, dns_cname_print0): New.
(dns_cname_cname0, dns_soa_parse0, dns_soa_push0): New.
(dns_soa_cmp0, dns_soa_print0, dns_srv_parse0, dns_srv_push0): New.
(dns_srv_cmp0, dns_srv_print0, dns_srv_cname0, dns_opt_parse0): New.
(dns_opt_push0, dns_opt_cmp0, dns_opt_print0, dns_ptr_parse0): New.
(dns_ptr_push0, dns_ptr_cmp0, dns_ptr_print0, dns_ptr_cname0): New.
(dns_sshfp_parse0, dns_sshfp_push0, dns_sshfp_cmp0): New.
(dns_sshfp_print0, dns_txt_parse0, dns_txt_push0, dns_txt_cmp0): New.
(struct dns_rrtype): Add function prototypes.
(dns_rrtypes): Use "0" variant of functions.
(DNS_PRAGMA_PUSH, DNS_PRAGMA_POP): Remove.
--
Original code was pretty badly written ignoring the type system of C,
but modern compiler encourages use of the type system. No
architectural changes, but only things mechanically possible.
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* agent/protect.c (agent_get_shadow_info_type): It's a write only
variable, useful for debugging.
* g10/key-check.c (key_check_all_keysigs): Likewise.
* g10/keyedit.c (show_basic_key_info, menu_expire): Likewise.
* scd/app-sc-hsm.c (read_ef_prkd): Likewise.
* dirmngr/crlfetch.c (fetch_next_ksba_cert): Initialize the vars.
* dirmngr/ks-action.c (ks_action_help): Remove unused variables.
* dirmngr/server.c (make_keyserver_item): Likewise.
* dirmngr/validate.c (check_cert_sig): Initialize the variable.
* scd/app-p15.c (select_and_read_record): Likewise.
* tests/gpgscm/scheme.c (scheme_init_new): A function with no args.
--
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
|
|
|
|
|
|
| |
* dirmngr/dirmngr.h (opt): Add debug_cache_expired_certs:
* dirmngr/dirmngr.c (oDebugCacheExpiredCerts): New.
(opts): Add option.
(parse_rereadable_options): Set option.
* dirmngr/certcache.c (put_cert): Handle the option.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/certcache.c (put_cert): When PERMANENT, reject the
certificate which is obviously invalid.
--
With this change, invalid certificates from system won't be registered
into cache. Then, an intermediate certificate which is issued by an
entity certified by such an invalid certificate will be also rejected
with GPG_ERR_INV_CERT_OBJ. With less invalid certificates in cache,
it helps the validate_cert_chain function work better.
GnuPG-bug-id: 6142
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
|
|
|
|
|
|
| |
* dirmngr/Makefile.am (t_ldap_parse_uri_CFLAGS): Add NTBTLS.
--
This fixes the build in case every lib is installed into its
own prefix.
|
|
|
|
| |
* dirmngr/ocsp.c (check_signature): Fix error printing of xtrymalloc.
|
|
|
|
|
|
|
| |
--
validate.c:1103:13: warning: ‘saltlen’ may be used uninitialized
in this function [-Wmaybe-uninitialized]
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/http.c (EHOSTUNREACH, EAFNOSUPPORT): Define when not
available.
[HTTP_USE_GNUTLS] (my_gnutls_read): Use recv for Windows.
[HTTP_USE_GNUTLS] (my_gnutls_write): Use send for Windows.
--
Reported-by: Eli Zaretskii
GnuPG-bug-id: 5899
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
|
|
|
|
|
|
| |
* dirmngr/dirmngr.c (main): Declaration before a statement.
--
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
|
|
|
|
|
|
| |
* agent/gpg-agent.c (main): Mark --supervised as deprecated.
* dirmngr/dirmngr.c (main): Ditto.
--
The supervised thing causes more trouble than it pretends to solve.
|
|
|
|
|
| |
--
Fixes-commit: 89dc9f1e6916ebd123852534b8cada2fc3555688
|
|
|
|
|
|
| |
* dirmngr/Makefile.am: Tweak library order.
--
(cherry picked from commit 3c79ff34c417bfc392008eca1970b86bec54d6c3)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/crlfetch.c (crl_fetch, crl_fetch_default)
(ca_cert_fetch, start_cert_fetch): Factor Tor error out to ...
(no_crl_due_to_tor): new. Print status note.
* dirmngr/ks-engine-ldap.c (ks_ldap_get)
(ks_ldap_search, ks_ldap_put): Factor Tor error out to ...
(no_ldap_due_to_tor): new. Print status note.
* dirmngr/ocsp.c (do_ocsp_request): Print status note.
* sm/misc.c (gpgsm_print_further_info): New.
* sm/call-dirmngr.c (warning_and_note_printer): New.
(isvalid_status_cb): Call it.
(lookup_status_cb): Ditto.
(run_command_status_cb): Ditto.
* common/asshelp2.c (vprint_assuan_status): Strip a possible trailing
LF.
--
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/http.c (connect_with_timeout): Use FD2INT to unwrap SOCK.
--
GnuPG-bug-id: 5899
Reported-by: Eli Zaretskii
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/Makefile.am (dirmngr_SOURCES): Remove w32-ldap-help.h.
* dirmngr/cdblib.c (cdb_init): Remove for __MINGW32CE__.
* dirmngr/w32-ldap-help.h: Remove.
--
Fixes-commit: 4c295646ba0e175743e6be13457308c1e6d21dd3
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
|
|
|
|
| |
* dirmngr/server.c (proc_wkd_get): Also escape '#' and '+'
--
GnuPG-bug-id: 5902
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/ldap.c (url_fetch_ldap): Detect and replace.
--
The actual URL causing this is
ldap://ldap.dgnservice.de:389/CN=CRL-1,O=DGN%20Service%20GmbH,\
C=DE?certificateRevocationList?base?objectClass=cRLDistributionPoint
It is actually not very helpful because I had problems finding the
issuer cert:
CN=dgnservice CRL2101 13:PN,O=DGN Deutsches Gesundheitsnetz \
Service GmbH,C=DE
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/dirmngr-client.c (read_pem_certificate): Add NO_ERRMSG
argument to suppress the error message.
(read_certificate, squid_loop_body): Follow the change.
--
GnuPG-bug-id: 5531
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/dirmngr-client.c (read_certificate): Call
log_get_errorcount.
--
GnuPG-bug-id: 5531
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/server.c (proc_wkd_get): Take care of DNS server failures
--
Unfortunately there are resolver setups which don't handle SRV records
but return a server error. We let a not found error pass, because
that merely means the domain does not exists.
GnuPG-bug-id: 4729
|
|
|
|
| |
* dirmngr/validate.c (validate_cert_chain): Comment out that code.
|
|
|
|
|
|
| |
* dirmngr/crlcache.c (finish_sig_check): Support ECDSA.
* dirmngr/validate.c (check_cert_sig): Ditto. Remove the never
used support for DSA.
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/validate.c (pk_algo_from_sexp): Make public. Support ECC.
* dirmngr/ocsp.c (check_signature): Remove hash preparation out to ...
(check_signature_core): here. This changes the arg s_hash to md.
Support ECDSA.
--
The test was done with my qualified signature certificate from the
Telesec and their responder http://tqrca1.ocsp.telesec.de/ocspr .
See also libksba commit rK24992a4a7a61d93759e1dbd104b845903d4589bf
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/dirmngr.c (dirmngr_never_use_tor_p): New.
* dirmngr/server.c (ensure_keyserver): Don't even test for the Tor
proxy in never-use-tor Mode.
* tools/gpgtar-create.c: Include unistd.h to avoid a warning on
Windows.
--
This delay of 2 or 3 seconds is in particular annoying on Windows.
This is now suppressed, as it should be, if --no-use-tor is used.
The second patch is unrelated
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/dirmngr.c: Reorder two option groups.
* tools/gpgconf-comp.c (known_options_gpgsm): Rename "keyserver" to
"ldapserver" and set level to invisible.
(known_options_dirmngr): Add "ldapserver" at the basic level.
* sm/gpgsm.c (opts): No more help text for "ldapserver".
--
GnuPG-bug-id: 5800
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/server.c (make_keyserver_item): Change mapping.
--
It turned out that having the old surfnet keyserver for unencrypted
connections is problematic because that server does not sync with the
Ubuntu server.
GnuPG-bug-id: 5751
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* configure.ac (AC_PREREQ): Use >= 2.69.
(AC_CONFIG_HEADERS): Use it, instead of AC_CONFIG_HEADER.
(AC_HEADER_STDC, AC_HEADER_TIME): Remove obsolete macros.
(sys/time.h): Add the check of the header.
(time_t): Don't use TIME_WITH_SYS_TIME.
* acinclude.m4 (AC_HEADER_TIME): Don't require.
Don't use TIME_WITH_SYS_TIME.
* dirmngr/dns.c: Don't use TIME_WITH_SYS_TIME.
--
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/ks-engine-hkp.c (ks_hkp_search): Add "fingerprint=on" to
request URL.
--
Some keyservers, e.g. keyserver.ubuntu.com (Hockeypuck), do not
provide the key fingerprints by default. Therefore, we ask for the
fingerprints explicitly.
GnuPG-bug-id: 5741
|
|
|
|
|
|
|
|
|
| |
* dirmngr/ldap-url.c (ldap_charray2str): Use memcpy instead of strncpy
when length is computed by strlen beforhand.
--
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
|
|
|
|
|
|
|
| |
* dirmngr/ldap-misc.c (ldap_parse_extfilter): Avoid direct return
without freeing resources on errors.
--
GnuPG-bug-id: 5393
Signed-off-by: Jakub Jelen <[email protected]>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* agent/gpg-agent.c (oStealSocket): New.
(opts): Add option.
(steal_socket): New file global var.
(main): Set option.
(create_server_socket): Implement option.
* dirmngr/dirmngr.c (oStealSocket): New.
(opts): Add option.
(steal_socket): New file global var.
(main): Set option. Add comment to eventually implement it.
--
Note that --steal-socket has currently no effect on dirmngr because
dirmngr does this anway.
Signed-off-by: Werner Koch <[email protected]>
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/dns.c (dns_resconf_loadfile): Skip "search" which
begins with '.'.
--
GnuPG-bug-id: 5657
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/dirmngr.h (struct fingerprint_list_s): Add field binlen.
(opt): Add field ignored_certs.
* dirmngr/dirmngr.c: Add option --ignore-cert
(parse_rereadable_options): Handle that option.
(parse_ocsp_signer): Rename to ...
(parse_fingerprint_item): this and add two args.
* dirmngr/certcache.c (put_cert): Ignore all to be igored certs.
Change callers to handle the new error return.
--
This option is useful as a workaround in case we ill run into other
chain validation errors like what we fixed in
GnuPG-bug-id: 5639
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/certcache.c (find_cert_bysubject): Return the first trusted
certififcate if any.
--
This is basically the same as using OpenSSL with ist
X509_V_FLAG_TRUSTED_FIRST flag. See
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
GnuPG-bug-id: 5639
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* agent/findkey.c (unprotect): Use gnupg_sleep.
* agent/gpg-agent.c (handle_connections): Likewise.
* dirmngr/crlfetch.c (handle_connections): Likewise.
* kbx/keyboxd.c (handle_connections): Likewise.
* tpm2d/tpm3daemon.c (handle_connections): Likewise.
* scd/scdaemon.c (handle_connections): Likewise.
* scd/command.c (cmd_lock): Likewise.
* dirmngr/ldap-wrapper.c (ldap_reaper_thread): Likewise.
(ldap_wrapper_wait_connections): Use gnupg_usleep.
--
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/Makefile.am (t_ldap_parse_uri_CFLAGS): Add KSBA_CFLAGS.
* kbx/Makefile.am (libkeybox_a_CFLAGS, libkeybox509_a_CFLAGS): Add
NPTH_CFLAGS.
* tools/Makefile.am (gpgtar_CFLAGS, gpg_wks_server_CFLAGS,
gpg_wks_client_CFLAGS, gpg_pair_tool_CFLAGS): Add LIBGCRYPT_CFLAGS.
--
The tools include gcrypt.h via common/util.h.
GnuPG-bug-id: 5592
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* configure.ac (DIRMNGR_DEFAULT_KEYSERVER): Change to
keyserver.ubuntu.com.
* dirmngr/certcache.c (cert_cache_init): Disable default pool cert.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Ditto.
* dirmngr/http.c (http_session_new): Ditto.
* dirmngr/server.c (make_keyserver_item): Use a different mapping for
the gnupg.net names.
--
Due to the unfortunate shutdown of the keyserver pool, the long term
defaults won't work anymore. Thus it is better to change them.
For https access keyserver.ubuntu.com is now used because it can be
expected that this server can stand the load from newer gnupg LTS
versions.
For http based access the Dutch Surfnet keyserver is used. However
due to a non-standard TLS certificate this server can not easily be
made the default for https.
Note: that the default server will be changed again as soon as a new
connected keyserver infrastructure has been established.
(cherry picked from commit 47c4e3e00a7ef55f954c14b3c237496e54a853c1)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* configure.ac (AC_CHECK_HEADERS): Remove string.h and getopt.h.
* dirmngr/ks-engine-ldap.c: Remove including getopt.h.
* tools/make-dns-cert.c: Likewise.
--
Checking string.h is supported by AC_HEADER_STDC. Use of getopt.h
is only needed for getopt_long of GNU extention.
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/ks-engine-hkp.c (ks_hkp_search): Munge mail address pattern.
(ks_hkp_get): Allow for mail addresses.
-
Before the keyserver changes in 2.2.28 gpg passed dirmngr a pail
address as an exact pattern (e.g. "[email protected]"). Since 2.2.28
the mail address is detected gpg gpg and we see for example
"<[email protected]>". This patch fixes this to turn a mail address
into an exact match again.
GnuPG-bug-id: 5497
Signed-off-by: Werner Koch <[email protected]>
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/dirmngr.c (parse_rereadable_options) [USE_LDAP]:
Conditionalize.
--
Reported-by: Phil Pennock
Signed-off-by: NIIBE Yutaka <[email protected]>
(cherry picked from commit c8b2162c0e7eb42b74811b7ed225fa0f56be4083)
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/dirmngr_ldap.c (main): Handle no args case.
--
This is required for example for CRLs. The old code did not require
this because the hos was taken from the URL given has arg.
Signed-off-by: Werner Koch <[email protected]>
(cherry picked from commit f6e45671aa26f3e7abb968a876de7bbdb4fca3f1)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/ldap-misc.c: New.
* dirmngr/ldap-misc.h: New.
* dirmngr/ks-engine-ldap.c: Include ldap-misc.h.
(ldap_err_to_gpg_err, ldap_to_gpg_err): Move to ldap-misc.c.
* dirmngr/ldap-wrapper.c (ldap_wrapper): Print list of args in debug
mode.
* dirmngr/server.c (lookup_cert_by_pattern): Handle GPG_ERR_NOT_FOUND
the saqme as GPG_ERR_NO_DATA.
* dirmngr/ldap.c (run_ldap_wrapper): Add args tls_mode and ntds.
Remove arg url. Adjust for changes in dirmngr_ldap.
(url_fetch_ldap): Remove args host and port. Parse the URL and use
these values to call run_ldap_wrapper.
(attr_fetch_ldap): Pass tls flags to run_ldap_wrapper.
(rfc2254_need_escape, rfc2254_escape): New.
(extfilt_need_escape, extfilt_escape): New.
(parse_one_pattern): Rename to ...
(make_one_filter): this. Change for new dirmngr_ldap calling
convention. Make issuer DN searching partly work.
(escape4url, make_url): Remove.
(start_cert_fetch_ldap): Change for new dirmngr_ldap calling
convention.
* dirmngr/dirmngr_ldap.c: Major rewrite.
* dirmngr/t-ldap-misc.c: New.
* dirmngr/t-support.h (DIM, DIMof): New.
* dirmngr/Makefile.am (dirmngr_ldap_SOURCES): Add ldap-misc.c
(module_tests) [USE_LDAP]: Add t-ldap-misc.
(t_ldap_parse_uri_SOURCES): Ditto.
(t_ldap_misc_SOURCES): New.
--
This rewrite allows to properly handle TLS and avoids some code
duplication.
Signed-off-by: Werner Koch <[email protected]>
(cherry picked from commit 39815c023f0371dea01f7c51469b19c06ad18718)
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Remove the
password_param thing because we set the password directly without an
intermediate var.
--
Reported-by: Ingo Kloecker
(cherry picked from commit 8bd5172539e1399b407aa2a9d56fa51b8e040ae3)
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/server.c (make_keyserver_item): Fix default port for ldaps.
Move a tmpstr out of the blocks.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Improve diagnostics.
--
Signed-off-by: Werner Koch <[email protected]>
(cherry picked from commit 8de9d54ac83fa20cb52b847b643311841be4d6dc)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Use LDAP_OPT_TIMEOUT.
* dirmngr/dirmngr.c (main): Move --ldaptimeout setting to ...
(parse_rereadable_options): here.
--
Note that this has not yet been tested. In fact a test with OpenLDAP
using a modified route got stuck in the connection attempt. Maybe it
works on Windows - will be tested later.
Signed-off-by: Werner Koch <[email protected]>
(cherry picked from commit 317d5947b84ae2707e46b89fb0d8318c07174e13)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/dirmngr.c (opts): Add option --ldapserver.
(ldapserver_list_needs_reset): New var.
(parse_rereadable_options): Implement option.
(main): Ignore dirmngr_ldapservers.conf if no --ldapserver is used.
* dirmngr/server.c (cmd_ldapserver): Add option --clear and list
configured servers if none are given.
--
This option allows to specify LDAP keyserver in dirmngr instead of
using gpgsm.conf.
Signed-off-by: Werner Koch <[email protected]>
(cherry picked from commit ff17aee5d10c8c5ab902253fb4332001c3fc3701)
|