From 4dc09bc5e7f349948a0bb68bdacfdbbc221a2b45 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Fri, 26 Jan 2024 13:14:14 +0100 Subject: dirmngr: For CRL issuer verification trust the system's root CA. * dirmngr/crlcache.c (crl_parse_insert): Add VALIDATE_FLAG_TRUST_SYSTEM. -- GnuPG-bug-id: 6963 --- dirmngr/crlcache.c | 1 + 1 file changed, 1 insertion(+) (limited to 'dirmngr') diff --git a/dirmngr/crlcache.c b/dirmngr/crlcache.c index ac673a8d5..d3fe5c272 100644 --- a/dirmngr/crlcache.c +++ b/dirmngr/crlcache.c @@ -2086,6 +2086,7 @@ crl_parse_insert (ctrl_t ctrl, ksba_crl_t crl, err = validate_cert_chain (ctrl, crlissuer_cert, NULL, (VALIDATE_FLAG_TRUST_CONFIG + | VALIDATE_FLAG_TRUST_SYSTEM | VALIDATE_FLAG_CRL | VALIDATE_FLAG_RECURSIVE), r_trust_anchor); -- cgit v1.2.3 From 2ed1f68b48db7b5503045386de0500fddf70077e Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Mon, 29 Jan 2024 09:16:21 +0100 Subject: doc: Fix spelling errors found by lintian. -- Reported-by: Andreas Metzler --- dirmngr/dirmngr_ldap.c | 2 +- dirmngr/http.c | 4 ++-- dirmngr/ks-engine-ldap.c | 2 +- dirmngr/server.c | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) (limited to 'dirmngr') diff --git a/dirmngr/dirmngr_ldap.c b/dirmngr/dirmngr_ldap.c index 412d0ad1f..d999ee87e 100644 --- a/dirmngr/dirmngr_ldap.c +++ b/dirmngr/dirmngr_ldap.c @@ -107,7 +107,7 @@ static gpgrt_opt_t opts[] = { " a record oriented format"}, { oProxy, "proxy", 2, "|NAME|ignore host part and connect through NAME"}, - { oStartTLS, "starttls", 0, "use STARTLS for the conenction"}, + { oStartTLS, "starttls", 0, "use STARTLS for the connection"}, { oLdapTLS, "ldaptls", 0, "use a TLS for the connection"}, { oNtds, "ntds", 0, "authenticate using AD"}, { oARecOnly, "areconly", 0, "do only an A record lookup"}, diff --git a/dirmngr/http.c b/dirmngr/http.c index 4899a5d55..a6892479e 100644 --- a/dirmngr/http.c +++ b/dirmngr/http.c 
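Review bot: Adding `VALIDATE_FLAG_TRUST_SYSTEM` to the validate_cert_chain call widens the anchors that may terminate the CRL issuer's chain from the configured trust list to every root in the system CA store, and nothing at the call site says why that is acceptable for CRL signers (the bug reference is only in the commit message). A CRL whose signer chains to any system root now passes this step, so the check that the CRL issuer is actually entitled to issue CRLs for the certificate's issuer has to live elsewhere in crl_parse_insert; that part is outside the hunk and I cannot confirm it here. I would add above the call `/* Also accept the system's root CAs as trust anchors for the CRL issuer's chain (GnuPG-bug-id 6963). */`, and note that the anchor returned through r_trust_anchor may now be a system root, which matters to any caller that distinguishes configured from system anchors. crl_parse_insert begins and ends outside the hunk.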
@@ -2882,7 +2882,7 @@ send_request (ctrl_t ctrl, if (proxy && proxy->is_http_proxy) { - use_http_proxy = 1; /* We want to use a proxy for the conenction. */ + use_http_proxy = 1; /* We want to use a proxy for the connection. */ err = connect_server (ctrl, *proxy->uri->host ? proxy->uri->host : "localhost", proxy->uri->port ? proxy->uri->port : 80, @@ -4411,7 +4411,7 @@ same_host_p (parsed_uri_t a, parsed_uri_t b) } /* Also consider hosts the same if they differ only in a subdomain; - * in both direction. This allows to have redirection between the + * in both direction. This allows one to have redirection between the * WKD advanced and direct lookup methods. */ for (i=0; i < DIM (subdomains); i++) { diff --git a/dirmngr/ks-engine-ldap.c b/dirmngr/ks-engine-ldap.c index c2a210542..749c0de09 100644 --- a/dirmngr/ks-engine-ldap.c +++ b/dirmngr/ks-engine-ldap.c @@ -605,7 +605,7 @@ interrogate_ldap_dn (LDAP *ldap_conn, const char *basedn_search, * including whether to use TLS and the username and password (see * ldap_parse_uri for a description of the various fields). Be * default a PGP keyserver is assumed; if GENERIC is true a generic - * ldap conenction is instead established. + * ldap connection is instead established. * * Returns: The ldap connection handle in *LDAP_CONNP, R_BASEDN is set * to the base DN for the PGP key space, several flags will be stored diff --git a/dirmngr/server.c b/dirmngr/server.c index 1dbc87878..32c85d07b 100644 --- a/dirmngr/server.c +++ b/dirmngr/server.c @@ -3325,7 +3325,7 @@ dirmngr_status_help (ctrl_t ctrl, const char *text) /* Print a help status line using a printf like format. The function - * splits text at LFs. With CTRL beeing NULL, the function behaves + * splits text at LFs. With CTRL being NULL, the function behaves * like log_info. */ gpg_error_t dirmngr_status_helpf (ctrl_t ctrl, const char *format, ...) -- cgit v1.2.3 From 04cbc3074aa98660b513a80f623a7e9f0702c7c9 Mon Sep 17 00:00:00 2001 
From: NIIBE Yutaka Date: Thu, 15 Feb 2024 15:38:34 +0900 Subject: dirmngr: Fix proxy with TLS. * dirmngr/http.c (proxy_get_token, run_proxy_connect): Always available regardless of USE_TLS. (run_proxy_connect): Use log_debug_string. (send_request): Remove USE_TLS. -- Since the commit of 1009e4e5f71347a1fe194e59a9d88c8034a67016 Building with TLS library is mandatory. GnuPG-bug-id: 6997 Signed-off-by: NIIBE Yutaka --- dirmngr/http.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) (limited to 'dirmngr') diff --git a/dirmngr/http.c b/dirmngr/http.c index a6892479e..084f65ed8 100644 --- a/dirmngr/http.c +++ b/dirmngr/http.c @@ -2362,7 +2362,6 @@ run_gnutls_handshake (http_t hd, const char *server) * NULL, decode the string and use this as input from teh server. On * success the final output token is stored at PROXY->OUTTOKEN and * OUTTOKLEN. IF the authentication succeeded OUTTOKLEN is zero. */ -#ifdef USE_TLS static gpg_error_t proxy_get_token (proxy_info_t proxy, const char *inputstring) { @@ -2530,11 +2529,9 @@ proxy_get_token (proxy_info_t proxy, const char *inputstring) #endif /*!HAVE_W32_SYSTEM*/ } -#endif /*USE_TLS*/ /* Use the CONNECT method to proxy our TLS stream. */ -#ifdef USE_TLS static gpg_error_t run_proxy_connect (http_t hd, proxy_info_t proxy, const char *httphost, const char *server, @@ -2586,7 +2583,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, hd->keep_alive = !auth_basic; /* We may need to send more requests. */ if (opt_debug || (hd->flags & HTTP_FLAG_LOG_RESP)) - log_debug_with_string (request, "http.c:proxy:request:"); + log_debug_string (request, "http.c:proxy:request:"); if (!hd->fp_write) { @@ -2743,7 +2740,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, xfree (tmpstr); return err; } -#endif /*USE_TLS*/ /* Make a request string using a standard proxy. On success the 
@@ -2903,7 +2899,6 @@ send_request (ctrl_t ctrl, goto leave; } -#if USE_TLS if (use_http_proxy && hd->uri->use_tls) { err = run_proxy_connect (hd, proxy, httphost, server, port); @@ -2915,7 +2910,6 @@ send_request (ctrl_t ctrl, * clear the flag to indicate this. */ use_http_proxy = 0; } -#endif /* USE_TLS */ #if HTTP_USE_NTBTLS err = run_ntbtls_handshake (hd); -- cgit v1.2.3 From 848546b05ab0ff6abd47724ecfab73bf32dd4c01 Mon Sep 17 00:00:00 2001 From: NIIBE Yutaka Date: Fri, 16 Feb 2024 11:31:37 +0900 Subject: dirmngr: Fix the regression of use of proxy for TLS connection. * dirmngr/http.c (run_proxy_connect): Don't set keep_alive, since it causes resource leak of FP_WRITE. Don't try to read response body to fix the hang. -- GnuPG-bug-id: 6997 Signed-off-by: NIIBE Yutaka --- dirmngr/http.c | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) (limited to 'dirmngr') diff --git a/dirmngr/http.c b/dirmngr/http.c index 084f65ed8..ac7e13241 100644 --- a/dirmngr/http.c +++ b/dirmngr/http.c @@ -2553,6 +2553,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, * RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication */ auth_basic = !!proxy->uri->auth; + hd->keep_alive = 0; /* For basic authentication we need to send just one request. */ if (auth_basic @@ -2574,13 +2575,12 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, httphost ? httphost : server, port, authhdr ? authhdr : "", - auth_basic? "" : "Connection: keep-alive\r\n"); + hd->keep_alive? "Connection: keep-alive\r\n" : ""); if (!request) { err = gpg_error_from_syserror (); goto leave; } - hd->keep_alive = !auth_basic; /* We may need to send more requests. */ if (opt_debug || (hd->flags & HTTP_FLAG_LOG_RESP)) log_debug_string (request, "http.c:proxy:request:"); 
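Review bot: The request that `log_debug_string (request, "http.c:proxy:request:")` writes at the end of the hunk is built a few lines earlier with `authhdr ? authhdr : ""`, so with opt_debug or HTTP_FLAG_LOG_RESP the proxy authorization header is logged verbatim; if authhdr is the Proxy-Authorization header its name suggests, in the Basic case that is the base64 of the user:password taken from proxy->uri->auth. Debug logs are routinely pasted into bug reports, so the credential should be masked: build the logged copy with a second es_bsprintf that substitutes "" (or a placeholder line) for authhdr, and log that instead of request. The rest of run_proxy_connect, including where authhdr is filled, lies outside the hunk.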
@@ -2607,16 +2607,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, if (err) goto leave; - { - unsigned long count = 0; - - while (es_getc (hd->fp_read) != EOF) - count++; - if (opt_debug) - log_debug ("http.c:proxy_connect: skipped %lu bytes of response-body\n", - count); - } - /* Reset state. */ es_clearerr (hd->fp_read); ((cookie_t)(hd->read_cookie))->up_to_empty_line = 1; -- cgit v1.2.3 From 2810b934647edd483996bee1f5f9256a162b2705 Mon Sep 17 00:00:00 2001 From: NIIBE Yutaka Date: Fri, 16 Feb 2024 16:24:26 +0900 Subject: dirmngr: Fix keep-alive flag handling. * dirmngr/http.c (run_proxy_connect): Set KEEP_ALIVE if not Basic Authentication. Fix resource leak of FP_WRITE. -- GnuPG-bug-id: 6997 Signed-off-by: NIIBE Yutaka --- dirmngr/http.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'dirmngr') diff --git a/dirmngr/http.c b/dirmngr/http.c index ac7e13241..e4c719348 100644 --- a/dirmngr/http.c +++ b/dirmngr/http.c @@ -2553,7 +2553,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, * RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication */ auth_basic = !!proxy->uri->auth; - hd->keep_alive = 0; + hd->keep_alive = !auth_basic; /* We may need to send more requests. */ /* For basic authentication we need to send just one request. */ if (auth_basic @@ -2717,6 +2717,14 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, } leave: + if (hd->keep_alive) + { + es_fclose (hd->fp_write); + hd->fp_write = NULL; + /* The close has released the cookie and thus we better set it + * to NULL. */ + hd->write_cookie = NULL; + } /* Restore flags, destroy stream, reset state. */ hd->flags = saved_flags; es_fclose (hd->fp_read); -- cgit v1.2.3
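Review bot: Dropping the drain loop after `if (err) goto leave;` is right for a 2xx answer to CONNECT, which has no body and is followed directly by the tunnel, but it also drops the drain for non-2xx answers such as a 407 challenge, which may carry a body; when the connection is reused for a further request (the state reset below keeps fp_read for exactly that), unread body bytes would be parsed as the next response's headers. This revision forces keep_alive to 0 so reuse does not happen yet, but the following commit re-enables keep-alive for the non-Basic case, so I would keep a drain gated on the status instead of deleting it: `if (<status>/100 != 2) while (es_getc (hd->fp_read) != EOF) ;` using whatever field holds the parsed status code. Reading to EOF is only safe if the read cookie bounds the body by Content-Length on a kept-alive connection; if it does not, the loop needs that bound, or the original hang comes back for a misbehaving proxy. run_proxy_connect's body begins before the hunk.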
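Review bot: The `if (hd->keep_alive)` block at leave: closes fp_write only on the keep-alive path, which reads as a leak for the Basic-auth path unless that path releases fp_write elsewhere, presumably when the response is read with keep_alive off; the asymmetry deserves a comment such as `/* Without keep-alive the response reader releases fp_write; with keep-alive we must close it here. */`, adjusted to whoever the actual owner is. The block also runs on every error path, which is fine provided closing the stream's cookie does not shut the socket the caller goes on to use for the TLS handshake — the existing comment implies it only releases the cookie, but that is worth confirming against the cookie's close function, which is outside the hunk. The es_fclose return value is ignored; for a write stream that is only harmless if nothing is left buffered at this point.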