authorWerner Koch <[email protected]>2024-03-12 15:00:55 +0000
committerWerner Koch <[email protected]>2024-03-12 15:00:55 +0000
commit4485930f9fd9ff02ca5c8472cf6aed3fdb1280cf (patch)
tree683140a4a33b0f3accf5b1f2455274d251581970 /dirmngr
parentgpg: Fix a possible segv due to an uninitialized gcrypt context. (diff)
parentPost release updates (diff)
Merge branch 'STABLE-BRANCH-2-4'
-- Resolved conflicts: NEWS common/exechelp-w32.c configure.ac
Diffstat (limited to 'dirmngr')
-rw-r--r--dirmngr/crlcache.c1
-rw-r--r--dirmngr/dirmngr_ldap.c2
-rw-r--r--dirmngr/http.c34
-rw-r--r--dirmngr/ks-engine-ldap.c2
-rw-r--r--dirmngr/server.c2
5 files changed, 17 insertions, 24 deletions
diff --git a/dirmngr/crlcache.c b/dirmngr/crlcache.c
index ac673a8d5..d3fe5c272 100644
--- a/dirmngr/crlcache.c
+++ b/dirmngr/crlcache.c
@@ -2086,6 +2086,7 @@ crl_parse_insert (ctrl_t ctrl, ksba_crl_t crl,
err = validate_cert_chain (ctrl, crlissuer_cert, NULL,
(VALIDATE_FLAG_TRUST_CONFIG
+ | VALIDATE_FLAG_TRUST_SYSTEM
| VALIDATE_FLAG_CRL
| VALIDATE_FLAG_RECURSIVE),
r_trust_anchor);
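Review bot: The added `VALIDATE_FLAG_TRUST_SYSTEM` in this `validate_cert_chain` call carries no comment explaining why a CRL issuer chain may now end at a system-provided root as well as a configured one. Judging by the flag name, this widens the set of trust anchors that can vouch for a CRL signer, which is a policy change worth recording at the call site. A comment such as `/* Also accept system trust anchors for the CRL issuer because <reason>. */` would do, with the reason supplied by the author. crl_parse_insert starts and ends outside this hunk.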
diff --git a/dirmngr/dirmngr_ldap.c b/dirmngr/dirmngr_ldap.c
index 412d0ad1f..d999ee87e 100644
--- a/dirmngr/dirmngr_ldap.c
+++ b/dirmngr/dirmngr_ldap.c
@@ -107,7 +107,7 @@ static gpgrt_opt_t opts[] = {
" a record oriented format"},
{ oProxy, "proxy", 2,
"|NAME|ignore host part and connect through NAME"},
- { oStartTLS, "starttls", 0, "use STARTLS for the conenction"},
+ { oStartTLS, "starttls", 0, "use STARTLS for the connection"},
{ oLdapTLS, "ldaptls", 0, "use a TLS for the connection"},
{ oNtds, "ntds", 0, "authenticate using AD"},
{ oARecOnly, "areconly", 0, "do only an A record lookup"},
diff --git a/dirmngr/http.c b/dirmngr/http.c
index ea9b0365b..6ae9029be 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -2362,7 +2362,6 @@ run_gnutls_handshake (http_t hd, const char *server)
* NULL, decode the string and use this as input from teh server. On
* success the final output token is stored at PROXY->OUTTOKEN and
* OUTTOKLEN. IF the authentication succeeded OUTTOKLEN is zero. */
-#ifdef USE_TLS
static gpg_error_t
proxy_get_token (proxy_info_t proxy, const char *inputstring)
{
@@ -2530,11 +2529,9 @@ proxy_get_token (proxy_info_t proxy, const char *inputstring)
#endif /*!HAVE_W32_SYSTEM*/
}
-#endif /*USE_TLS*/
/* Use the CONNECT method to proxy our TLS stream. */
-#ifdef USE_TLS
static gpg_error_t
run_proxy_connect (http_t hd, proxy_info_t proxy,
const char *httphost, const char *server,
@@ -2556,6 +2553,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
* RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication
*/
auth_basic = !!proxy->uri->auth;
+ hd->keep_alive = !auth_basic; /* We may need to send more requests. */
/* For basic authentication we need to send just one request. */
if (auth_basic
@@ -2577,16 +2575,15 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
httphost ? httphost : server,
port,
authhdr ? authhdr : "",
- auth_basic? "" : "Connection: keep-alive\r\n");
+ hd->keep_alive? "Connection: keep-alive\r\n" : "");
if (!request)
{
err = gpg_error_from_syserror ();
goto leave;
}
- hd->keep_alive = !auth_basic; /* We may need to send more requests. */
if (opt_debug || (hd->flags & HTTP_FLAG_LOG_RESP))
- log_debug_with_string (request, "http.c:proxy:request:");
+ log_debug_string (request, "http.c:proxy:request:");
if (!hd->fp_write)
{
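Review bot: The `log_debug_string (request, "http.c:proxy:request:")` call writes the complete CONNECT request to the debug log, and that string has just been formatted with `authhdr`. If `authhdr` holds the proxy authorization line (it is built outside this hunk), the Basic credential or negotiate token ends up in the log whenever `opt_debug` or `HTTP_FLAG_LOG_RESP` is set. Consider logging a copy with the header value masked, or at least mark the spot with `/* REQUEST may contain the proxy credentials; treat this output as sensitive. */`. run_proxy_connect starts and ends outside this hunk.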
@@ -2610,16 +2607,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
if (err)
goto leave;
- {
- unsigned long count = 0;
-
- while (es_getc (hd->fp_read) != EOF)
- count++;
- if (opt_debug)
- log_debug ("http.c:proxy_connect: skipped %lu bytes of response-body\n",
- count);
- }
-
/* Reset state. */
es_clearerr (hd->fp_read);
((cookie_t)(hd->read_cookie))->up_to_empty_line = 1;
@@ -2730,6 +2717,14 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
}
leave:
+ if (hd->keep_alive)
+ {
+ es_fclose (hd->fp_write);
+ hd->fp_write = NULL;
+ /* The close has released the cookie and thus we better set it
+ * to NULL. */
+ hd->write_cookie = NULL;
+ }
/* Restore flags, destroy stream, reset state. */
hd->flags = saved_flags;
es_fclose (hd->fp_read);
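Review bot: The new block at `leave:` ignores the result of `es_fclose (hd->fp_write)` and runs on every exit path once `hd->keep_alive` is set. That includes the `goto leave` after a failed request allocation, which comes before the `if (!hd->fp_write)` creation branch, so the block appears to rely on `es_fclose` accepting NULL. A comment stating the intent would help, e.g. `/* In keep-alive mode the write stream was left open for further requests; close it on all paths (FP_WRITE may still be NULL). */`. If a flush failure matters on the success path, it could be folded in with `if (es_fclose (hd->fp_write) && !err) err = gpg_error_from_syserror ();`. The cleanup section continues outside this hunk.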
@@ -2743,7 +2738,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
xfree (tmpstr);
return err;
}
-#endif /*USE_TLS*/
/* Make a request string using a standard proxy. On success the
@@ -2882,7 +2876,7 @@ send_request (ctrl_t ctrl,
if (proxy && proxy->is_http_proxy)
{
- use_http_proxy = 1; /* We want to use a proxy for the conenction. */
+ use_http_proxy = 1; /* We want to use a proxy for the connection. */
err = connect_server (ctrl,
*proxy->uri->host ? proxy->uri->host : "localhost",
proxy->uri->port ? proxy->uri->port : 80,
@@ -2903,7 +2897,6 @@ send_request (ctrl_t ctrl,
goto leave;
}
-#if USE_TLS
if (use_http_proxy && hd->uri->use_tls)
{
err = run_proxy_connect (hd, proxy, httphost, server, port);
@@ -2915,7 +2908,6 @@ send_request (ctrl_t ctrl,
* clear the flag to indicate this. */
use_http_proxy = 0;
}
-#endif /* USE_TLS */
#if HTTP_USE_NTBTLS
err = run_ntbtls_handshake (hd);
@@ -4411,7 +4403,7 @@ same_host_p (parsed_uri_t a, parsed_uri_t b)
}
/* Also consider hosts the same if they differ only in a subdomain;
- * in both direction. This allows to have redirection between the
+ * in both direction. This allows one to have redirection between the
* WKD advanced and direct lookup methods. */
for (i=0; i < DIM (subdomains); i++)
{
diff --git a/dirmngr/ks-engine-ldap.c b/dirmngr/ks-engine-ldap.c
index d404a04ac..688972a89 100644
--- a/dirmngr/ks-engine-ldap.c
+++ b/dirmngr/ks-engine-ldap.c
@@ -607,7 +607,7 @@ interrogate_ldap_dn (LDAP *ldap_conn, const char *basedn_search,
* including whether to use TLS and the username and password (see
* ldap_parse_uri for a description of the various fields). Be
* default a PGP keyserver is assumed; if GENERIC is true a generic
- * ldap conenction is instead established.
+ * ldap connection is instead established.
*
* Returns: The ldap connection handle in *LDAP_CONNP, R_BASEDN is set
* to the base DN for the PGP key space, several flags will be stored
diff --git a/dirmngr/server.c b/dirmngr/server.c
index 1dbc87878..32c85d07b 100644
--- a/dirmngr/server.c
+++ b/dirmngr/server.c
@@ -3325,7 +3325,7 @@ dirmngr_status_help (ctrl_t ctrl, const char *text)
/* Print a help status line using a printf like format. The function
- * splits text at LFs. With CTRL beeing NULL, the function behaves
+ * splits text at LFs. With CTRL being NULL, the function behaves
* like log_info. */
gpg_error_t
dirmngr_status_helpf (ctrl_t ctrl, const char *format, ...)