aboutsummaryrefslogtreecommitdiffstats
path: root/dirmngr (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* doc: Comment typo fixWerner Koch2022-11-291-2/+2
| | | | --
* dirmngr: Silence ocsp debug output.Werner Koch2022-11-251-2/+5
| | | | | | | * dirmngr/ocsp.c (check_signature_core): No debug output -- Also typo and doc fixes.
* dirmngr: Fix verification of ECDSA signed CRLs.Werner Koch2022-11-152-3/+4
| | | | | | | | * dirmngr/crlcache.c (finish_sig_check): Use raw value for the data. -- This had the usual signed/unsigned problem. By using the modern form we enforce Libgcrypt internal parsing as unsigned integer.
* agent,common,dirmngr,tests,tools: Remove spawn PREEXEC argument.NIIBE Yutaka2022-10-201-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | * common/exechelp-posix.c (do_exec): Remove PREEXEC argument. (gnupg_spawn_process): Likewise. (gnupg_spawn_process_fd): Follow the change of do_exec. (gnupg_spawn_process_detached): Likewise. * common/exechelp-w32.c (gnupg_spawn_process): Remove PREEXEC. * common/exechelp.h (gnupg_spawn_process): Remove PREEXEC. * agent/genkey.c (do_check_passphrase_pattern): Follow the change. * common/exectool.c (gnupg_exec_tool_stream): Likewise. * dirmngr/ldap-wrapper.c (ldap_wrapper): Likewise. * tests/gpgscm/ffi.c (do_spawn_process): Likewise. * tools/gpgconf-comp.c (gc_component_check_options): Likewise. (retrieve_options_from_program): Likewise. * tools/gpgconf.c (show_versions_via_dirmngr): Likewise. * tools/gpgtar-create.c (gpgtar_create): Likewise. * tools/gpgtar-extract.c (gpgtar_extract): Likewise. * tools/gpgtar-list.c (gpgtar_list): Likewise. -- PREEXEC is not portable feature and it's not used. GnuPG-bug-id: 6249 Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: Fix build with no LDAP support.NIIBE Yutaka2022-10-141-0/+2
| | | | | | | | | * dirmngr/server.c [USE_LDAP] (start_command_handler): Conditionalize. -- GnuPG-bug-id: 6239 Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: Support paged LDAP mode for KS_GETWerner Koch2022-10-053-37/+214
| | | | | | | | | | | | | | | | | | | | * dirmngr/ks-engine-ldap.c (PAGE_SIZE): New. (struct ks_engine_ldap_local_s): Add several new fields. (ks_ldap_clear_state): Release them. (search_and_parse): Factored out from ks_ldap_get and extended to support the paged mode. (ks_ldap_get): Implement the pages mode for --first and --next. * dirmngr/server.c (cmd_ks_get): Provide a dummy passphrase in --first mode. * dirmngr/Makefile.am (dirmngr_LDADD): Add LBER_LIBS. -- The paged mode allows to retrieve more items than the servers usually limit (e.g. 1000 for an LDS). This patch also allows to use --first without a patter to retrieve all keyblocks (except for disabled and revoked keys). GnuPG-bug-id: 6224
* dirmngr: New options --first and --next for KS_GET.Werner Koch2022-10-046-133/+345
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * dirmngr/server.c (cmd_ks_get): Add option --first and --next. (start_command_handler): Free that new ldap state. * dirmngr/ks-engine-ldap.c (struct ks_engine_ldap_local_s): New. (ks_ldap_new_state, ks_ldap_clear_state): New. (ks_ldap_free_state): New. (return_one_keyblock): New. Mostly factored out from .... (ks_ldap_get): here. Implement --first/--next feature. * dirmngr/ks-action.c (ks_action_get): Rename arg ldap_only to ks_get_flags. * dirmngr/ks-engine.h (KS_GET_FLAG_ONLY_LDAP): New. (KS_GET_FLAG_FIRST): New. (KS_GET_FLAG_NEXT): New. * dirmngr/dirmngr.h (struct server_control_s): Add member ks_get_state. (struct ks_engine_ldap_local_s): New forward reference. -- This feature allows to fetch keyblock by keyblock from an LDAP server. This way tools can process and maybe filter each keyblock in a more flexible way. Here is an example where two keyblocks for one mail address are returned: $ gpg-connect-agent --dirmngr > ks_get --ldap --first <[email protected]> [... First keyblock is returned ] OK > ks_get --next [ ... Next keyblock is returned ] OK > ks_get --next ERR 167772218 No data <Dirmngr> GnuPG_bug_id: 6224
* dirmngr: Minor fix for baseDN fallback.Werner Koch2022-09-291-37/+22
| | | | | | | | | | | * dirmngr/ks-engine-ldap.c (my_ldap_connect): Avoid passing data behind the EOS. (interrogate_ldap_dn): Stylistic change. -- This also updates the my_ldap_connect description. GnuPG-bug-id: 6047
* dirnmgr: Fix the function prototype.NIIBE Yutaka2022-09-291-1/+1
| | | | | | | | | * dirmngr/ldap-wrapper.c (ldap_wrapper_wait_connections): It's with no arguments. -- Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: Change interrogate_ldap_dn for better memory semantics.NIIBE Yutaka2022-09-291-28/+12
| | | | | | | | | | | * dirmngr/ks-engine-ldap.c (interrogate_ldap_dn): Return BASEDN found, memory allocated. (my_ldap_connect): Follow the change, removing needless allocation. -- GnuPG-bug-id: 6047 Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: Interrogate LDAP server when base DN specified.Joey Berkovitz2022-09-291-7/+26
| | | | | | | | | | * dirmngr/ks-engine-ldap.c (my_ldap_connect): interrogate LDAP server when basedn specified. -- GnuPG-bug-id: 6047 Signed-off-by: Joey Berkovitz <[email protected]>
* dirmngr: Fix lost flags during LDAP uploadWerner Koch2022-09-282-15/+18
| | | | | | | | | | * dirmngr/ldapserver.c (ldapserver_parse_one): Turn LINE into a const. Use strtokenize instead of strtok style parsing. -- This fixes a problem with resulted in a General Error for the second key to be uploaded in the same session. But only if the colon format to specify a keyserver with flags was used.
* dirmngr: New server flag "areconly" (A-record-only)Werner Koch2022-09-285-3/+48
| | | | | | | | | | | | | | | * dirmngr/dirmngr.h (struct ldap_server_s): Add field areconly. * dirmngr/ldapserver.c (ldapserver_parse_one): Parse "areconly" * dirmngr/ks-engine-ldap.c (my_ldap_connect): Implement this flag. * dirmngr/dirmngr_ldap.c: Add option --areconly (connect_ldap): Implement option. * dirmngr/ldap.c (run_ldap_wrapper): Add and pass that option. -- This flag is used to pass the Windows specific option LDAP_OPT_AREC_EXCLUSIVE. It is ignored on other systems. Signed-off-by: Werner Koch <[email protected]>
* dirmngr: Support gpgMailbox for mode MAILSUB and MAILEND.Werner Koch2022-09-261-2/+8
| | | | | * dirmngr/ks-engine-ldap.c (keyspec_to_ldap_filter): Use gpgMailbox if server supports this.
* dirmngr: Factor out interrogate_ldap_dn function.NIIBE Yutaka2022-09-261-66/+69
| | | | | | | | | * dirmngr/ks-engine-ldap.c (interrogate_ldap_dn): New. -- GnuPG-bug-id: 6047 Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: Fix CRL DP error fallback to other schemes.Werner Koch2022-09-161-28/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | * dirmngr/crlcache.c (crl_cache_reload_crl): Rework the double loop. Remove the unused issuername_uri stuff. -- It is quite common that LDAP servers are blocked and thuis the HTTP access point should be used instead. This worked well for certificates where the DP are given in this form: crlDP: ldap://x500.bund.de/[...] http://x500.bund.de/[...] issuer: none but it failed for this form crlDP: ldap://x500.bund.de/[...] issuer: none crlDP: http://x500.bund.de/[...] issuer: none because the LAST_ERR thing terminated the outer loop. This pacth fixes this and also cleans up the code to be more robust. Note that the common workaround of using --ignore-ldap-dp will now only be needed if the firewall uses packet dropping instead of proper ICMP rejects.
* dirmngr:dns,doc,gpg: Fix for noreturn for C11.NIIBE Yutaka2022-09-161-1/+1
| | | | | | | | | | | * dirmngr/dns.c: Use __noreturn__. * doc/yat2m.c: Likewise. * g10/main.h: Likewise. -- GnuPG-bug-id: 4002 Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: Fix for USE_LDAP.NIIBE Yutaka2022-09-142-0/+7
| | | | | | | | | | * dirmngr/ks-action.c [USE_LDAP] (ks_action_help): Recover variables. * dirmngr/server.c [USE_LDAP] (dirmngr/server.c): Likewise. -- Fixes-commit: 3d7dbf16618db4d0dc602daadbde098d4a14b528 Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr:dns: Fixes for function prototypes.NIIBE Yutaka2022-09-141-59/+164
| | | | | | | | | | | | | | | | | | | | | | | | | | | * dirmngr/dns.c (dns_a_parse0, dns_a_push0, dns_a_cmp0): New. (dns_a_print0, dns_aaaa_parse0, dns_aaaa_cmp0): New. (dns_aaaa_print0, dns_mx_parse0, dns_mx_push0, dns_mx_cmp0): New. (dns_mx_print0, dns_mx_cname0, dns_ns_parse0, dns_ns_push0): New. (dns_ns_cmp0, dns_ns_print0, dns_ns_cname0, dns_cname_parse0): New. (dns_cname_push0, dns_cname_cmp0, dns_cname_print0): New. (dns_cname_cname0, dns_soa_parse0, dns_soa_push0): New. (dns_soa_cmp0, dns_soa_print0, dns_srv_parse0, dns_srv_push0): New. (dns_srv_cmp0, dns_srv_print0, dns_srv_cname0, dns_opt_parse0): New. (dns_opt_push0, dns_opt_cmp0, dns_opt_print0, dns_ptr_parse0): New. (dns_ptr_push0, dns_ptr_cmp0, dns_ptr_print0, dns_ptr_cname0): New. (dns_sshfp_parse0, dns_sshfp_push0, dns_sshfp_cmp0): New. (dns_sshfp_print0, dns_txt_parse0, dns_txt_push0, dns_txt_cmp0): New. (struct dns_rrtype): Add function prototypes. (dns_rrtypes): Use "0" variant of functions. (DNS_PRAGMA_PUSH, DNS_PRAGMA_POP): Remove. -- Original code was pretty badly written ignoring the type system of C, but modern compiler encourages use of the type system. No architectural changes, but only things mechanically possible. Signed-off-by: NIIBE Yutaka <[email protected]>
* agent,dirmngr,gpg,scd: Clean up for modern compiler.NIIBE Yutaka2022-09-144-6/+4
| | | | | | | | | | | | | | | | | | * agent/protect.c (agent_get_shadow_info_type): It's a write only variable, useful for debugging. * g10/key-check.c (key_check_all_keysigs): Likewise. * g10/keyedit.c (show_basic_key_info, menu_expire): Likewise. * scd/app-sc-hsm.c (read_ef_prkd): Likewise. * dirmngr/crlfetch.c (fetch_next_ksba_cert): Initialize the vars. * dirmngr/ks-action.c (ks_action_help): Remove unused variables. * dirmngr/server.c (make_keyserver_item): Likewise. * dirmngr/validate.c (check_cert_sig): Initialize the variable. * scd/app-p15.c (select_and_read_record): Likewise. * tests/gpgscm/scheme.c (scheme_init_new): A function with no args. -- Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: New option --debug-cache-expired-certs.Werner Koch2022-08-313-3/+14
| | | | | | | | * dirmngr/dirmngr.h (opt): Add debug_cache_expired_certs: * dirmngr/dirmngr.c (oDebugCacheExpiredCerts): New. (opts): Add option. (parse_rereadable_options): Set option. * dirmngr/certcache.c (put_cert): Handle the option.
* dirmngr: Reject certificate which is not valid into cache.NIIBE Yutaka2022-08-261-0/+14
| | | | | | | | | | | | | | | | * dirmngr/certcache.c (put_cert): When PERMANENT, reject the certificate which is obviously invalid. -- With this change, invalid certificates from system won't be registered into cache. Then, an intermediate certificate which is issued by an entity certified by such an invalid certificate will be also rejected with GPG_ERR_INV_CERT_OBJ. With less invalid certificates in cache, it helps the validate_cert_chain function work better. GnuPG-bug-id: 6142 Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: Fix NTBTLS include for testAndre Heinecke2022-08-161-1/+2
| | | | | | | | * dirmngr/Makefile.am (t_ldap_parse_uri_CFLAGS): Add NTBTLS. -- This fixes the build in case every lib is installed into its own prefix.
* dirmngr: Fix failed malloc error message.Werner Koch2022-08-031-2/+5
| | | | * dirmngr/ocsp.c (check_signature): Fix error printing of xtrymalloc.
* dirmngr: Fix a wrong compiler warning.Werner Koch2022-06-131-1/+1
| | | | | | | -- validate.c:1103:13: warning: ‘saltlen’ may be used uninitialized in this function [-Wmaybe-uninitialized]
* dirmngr: Fix for Windows.NIIBE Yutaka2022-05-101-4/+38
| | | | | | | | | | | | | * dirmngr/http.c (EHOSTUNREACH, EAFNOSUPPORT): Define when not available. [HTTP_USE_GNUTLS] (my_gnutls_read): Use recv for Windows. [HTTP_USE_GNUTLS] (my_gnutls_write): Use send for Windows. -- Reported-by: Eli Zaretskii GnuPG-bug-id: 5899 Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: Fix for C90 compiler.NIIBE Yutaka2022-04-261-1/+2
| | | | | | | | * dirmngr/dirmngr.c (main): Declaration before a statement. -- Signed-off-by: NIIBE Yutaka <[email protected]>
* Deprecate the --supervised options.Werner Koch2022-04-251-1/+4
| | | | | | | | * agent/gpg-agent.c (main): Mark --supervised as deprecated. * dirmngr/dirmngr.c (main): Ditto. -- The supervised thing causes more trouble than it pretends to solve.
* dirmngr: Fix MakefileWerner Koch2022-04-211-1/+1
| | | | | -- Fixes-commit: 89dc9f1e6916ebd123852534b8cada2fc3555688
* dirmngr: Changes to the linking order.Werner Koch2022-04-201-11/+15
| | | | | | * dirmngr/Makefile.am: Tweak library order. -- (cherry picked from commit 3c79ff34c417bfc392008eca1970b86bec54d6c3)
* sm: Print diagnostic about CRL problems due to Tor mode.Werner Koch2022-04-113-23/+39
| | | | | | | | | | | | | | | | | | | | | | * dirmngr/crlfetch.c (crl_fetch, crl_fetch_default) (ca_cert_fetch, start_cert_fetch): Factor Tor error out to ... (no_crl_due_to_tor): new. Print status note. * dirmngr/ks-engine-ldap.c (ks_ldap_get) (ks_ldap_search, ks_ldap_put): Factor Tor error out to ... (no_ldap_due_to_tor): new. Print status note. * dirmngr/ocsp.c (do_ocsp_request): Print status note. * sm/misc.c (gpgsm_print_further_info): New. * sm/call-dirmngr.c (warning_and_note_printer): New. (isvalid_status_cb): Call it. (lookup_status_cb): Ditto. (run_command_status_cb): Ditto. * common/asshelp2.c (vprint_assuan_status): Strip a possible trailing LF. --
* dirmngr: Fix for SOCK.NIIBE Yutaka2022-03-301-1/+1
| | | | | | | | | | * dirmngr/http.c (connect_with_timeout): Use FD2INT to unwrap SOCK. -- GnuPG-bug-id: 5899 Reported-by: Eli Zaretskii Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: Clean up for not supporting WindowsCE.NIIBE Yutaka2022-03-293-174/+1
| | | | | | | | | | | * dirmngr/Makefile.am (dirmngr_SOURCES): Remove w32-ldap-help.h. * dirmngr/cdblib.c (cdb_init): Remove for __MINGW32CE__. * dirmngr/w32-ldap-help.h: Remove. -- Fixes-commit: 4c295646ba0e175743e6be13457308c1e6d21dd3 Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: Escape more characters in WKD requests.Werner Koch2022-03-281-1/+1
| | | | | | * dirmngr/server.c (proc_wkd_get): Also escape '#' and '+' -- GnuPG-bug-id: 5902
* dirmngr: Workaround for a certain broken LDAP URLWerner Koch2022-03-251-3/+19
| | | | | | | | | | | | | | | | * dirmngr/ldap.c (url_fetch_ldap): Detect and replace. -- The actual URL causing this is ldap://ldap.dgnservice.de:389/CN=CRL-1,O=DGN%20Service%20GmbH,\ C=DE?certificateRevocationList?base?objectClass=cRLDistributionPoint It is actually not very helpful because I had problems finding the issuer cert: CN=dgnservice CRL2101 13:PN,O=DGN Deutsches Gesundheitsnetz \ Service GmbH,C=DE
* dirmngr: Suppress error message on trial reading as PEM format.NIIBE Yutaka2022-03-241-5/+7
| | | | | | | | | | | * dirmngr/dirmngr-client.c (read_pem_certificate): Add NO_ERRMSG argument to suppress the error message. (read_certificate, squid_loop_body): Follow the change. -- GnuPG-bug-id: 5531 Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: Clear the error count to try certificate as binary.NIIBE Yutaka2022-03-241-0/+2
| | | | | | | | | | * dirmngr/dirmngr-client.c (read_certificate): Call log_get_errorcount. -- GnuPG-bug-id: 5531 Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: Make WKD_GET work even for servers not handling SRV RRs.Werner Koch2022-03-211-1/+8
| | | | | | | | | | | * dirmngr/server.c (proc_wkd_get): Take care of DNS server failures -- Unfortunately there are resolver setups which don't handle SRV records but return a server error. We let a not found error pass, because that merely means the domain does not exists. GnuPG-bug-id: 4729
* dimngr: Do not check the self-signature of a root CA cert.Werner Koch2022-02-271-8/+8
| | | | * dirmngr/validate.c (validate_cert_chain): Comment out that code.
* dirmngr: Support ECDSA for CRLsWerner Koch2022-02-272-12/+92
| | | | | | * dirmngr/crlcache.c (finish_sig_check): Support ECDSA. * dirmngr/validate.c (check_cert_sig): Ditto. Remove the never used support for DSA.
* dirmngr: Support ECDSA for OCSP.Werner Koch2022-02-273-50/+106
| | | | | | | | | | | | * dirmngr/validate.c (pk_algo_from_sexp): Make public. Support ECC. * dirmngr/ocsp.c (check_signature): Remove hash preparation out to ... (check_signature_core): here. This changes the arg s_hash to md. Support ECDSA. -- The test was done with my qualified signature certificate from the Telesec and their responder http://tqrca1.ocsp.telesec.de/ocspr . See also libksba commit rK24992a4a7a61d93759e1dbd104b845903d4589bf
* dirmngr: Avoid initial delay on the first keyserver access.Werner Koch2022-02-013-2/+12
| | | | | | | | | | | | | | | * dirmngr/dirmngr.c (dirmngr_never_use_tor_p): New. * dirmngr/server.c (ensure_keyserver): Don't even test for the Tor proxy in never-use-tor Mode. * tools/gpgtar-create.c: Include unistd.h to avoid a warning on Windows. -- This delay of 2 or 3 seconds is in particular annoying on Windows. This is now suppressed, as it should be, if --no-use-tor is used. The second patch is unrelated
* gpgconf: Return --ldapserver and --keyserver from dirmngr.Werner Koch2022-01-251-8/+7
| | | | | | | | | | | * dirmngr/dirmngr.c: Reorder two option groups. * tools/gpgconf-comp.c (known_options_gpgsm): Rename "keyserver" to "ldapserver" and set level to invisible. (known_options_dirmngr): Add "ldapserver" at the basic level. * sm/gpgsm.c (opts): No more help text for "ldapserver". -- GnuPG-bug-id: 5800
* dirmngr: Map all gnupg.net addresses to the Ubuntu keyserver.Werner Koch2022-01-101-4/+4
| | | | | | | | | | | * dirmngr/server.c (make_keyserver_item): Change mapping. -- It turned out that having the old surfnet keyserver for unencrypted connections is problematic because that server does not sync with the Ubuntu server. GnuPG-bug-id: 5751
* build: Update for newer autoconf.NIIBE Yutaka2021-12-221-1/+1
| | | | | | | | | | | | | | | * configure.ac (AC_PREREQ): Use >= 2.69. (AC_CONFIG_HEADERS): Use it, instead of AC_CONFIG_HEADER. (AC_HEADER_STDC, AC_HEADER_TIME): Remove obsolete macros. (sys/time.h): Add the check of the header. (time_t): Don't use TIME_WITH_SYS_TIME. * acinclude.m4 (AC_HEADER_TIME): Don't require. Don't use TIME_WITH_SYS_TIME. * dirmngr/dns.c: Don't use TIME_WITH_SYS_TIME. -- Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: Ask keyservers to provide the key fingerprintsIngo Klöcker2021-12-201-1/+1
| | | | | | | | | | | | * dirmngr/ks-engine-hkp.c (ks_hkp_search): Add "fingerprint=on" to request URL. -- Some keyservers, e.g. keyserver.ubuntu.com (Hockeypuck), do not provide the key fingerprints by default. Therefore, we ask for the fingerprints explicitly. GnuPG-bug-id: 5741
* dirmngr: Fix ldap-url.c.NIIBE Yutaka2021-12-171-2/+2
| | | | | | | | | * dirmngr/ldap-url.c (ldap_charray2str): Use memcpy instead of strncpy when length is computed by strlen beforhand. -- Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: Avoid memory leaks on errorsJakub Jelen2021-11-241-2/+4
| | | | | | | | | * dirmngr/ldap-misc.c (ldap_parse_extfilter): Avoid direct return without freeing resources on errors. -- GnuPG-bug-id: 5393 Signed-off-by: Jakub Jelen <[email protected]>
* agent,dirmngr: New option --steal-socketWerner Koch2021-11-131-1/+12
| | | | | | | | | | | | | | | | | | | * agent/gpg-agent.c (oStealSocket): New. (opts): Add option. (steal_socket): New file global var. (main): Set option. (create_server_socket): Implement option. * dirmngr/dirmngr.c (oStealSocket): New. (opts): Add option. (steal_socket): New file global var. (main): Set option. Add comment to eventually implement it. -- Note that --steal-socket has currently no effect on dirmngr because dirmngr does this anway. Signed-off-by: Werner Koch <[email protected]>
* dns: Make reading resolv.conf more robust.NIIBE Yutaka2021-10-151-1/+6
| | | | | | | | | | * dirmngr/dns.c (dns_resconf_loadfile): Skip "search" which begins with '.'. -- GnuPG-bug-id: 5657 Signed-off-by: NIIBE Yutaka <[email protected]>
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-09 11:23:13 +0000