From 3fbe10172f0a0d9fddad19c1e04a4f7870c88fbe Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Wed, 24 May 2023 12:06:37 +0200 Subject: w32: Add missing manifests and set a requestedExecutionLevel. * agent/gpg-agent.w32-manifest.in: New. * dirmngr/dirmngr-client-w32info.rc: New. * dirmngr/dirmngr-client.w32-manifest.in: New. * dirmngr/dirmngr-w32info.rc: New. * dirmngr/dirmngr.w32-manifest.in: New. * dirmngr/dirmngr_ldap-w32info.rc: New. * dirmngr/dirmngr_ldap.w32-manifest.in: New. * g10/gpgv-w32info.rc: New. * g10/gpgv.w32-manifest.in: New. * kbx/keyboxd.w32-manifest.in: New. * scd/scdaemon.w32-manifest.in: New. * sm/gpgsm.w32-manifest.in: New. -- This avoids the use of the VirtualStore uner Windows. GnuPG-bug-id: 6503 --- dirmngr/Makefile.am | 30 +++++++++++++++++--- dirmngr/dirmngr-client-w32info.rc | 52 ++++++++++++++++++++++++++++++++++ dirmngr/dirmngr-client.w32-manifest.in | 25 ++++++++++++++++ dirmngr/dirmngr-w32info.rc | 52 ++++++++++++++++++++++++++++++++++ dirmngr/dirmngr.w32-manifest.in | 25 ++++++++++++++++ dirmngr/dirmngr_ldap-w32info.rc | 52 ++++++++++++++++++++++++++++++++++ dirmngr/dirmngr_ldap.w32-manifest.in | 25 ++++++++++++++++ 7 files changed, 257 insertions(+), 4 deletions(-) create mode 100644 dirmngr/dirmngr-client-w32info.rc create mode 100644 dirmngr/dirmngr-client.w32-manifest.in create mode 100644 dirmngr/dirmngr-w32info.rc create mode 100644 dirmngr/dirmngr.w32-manifest.in create mode 100644 dirmngr/dirmngr_ldap-w32info.rc create mode 100644 dirmngr/dirmngr_ldap.w32-manifest.in (limited to 'dirmngr') diff --git a/dirmngr/Makefile.am b/dirmngr/Makefile.am index feee2f5c8..3846fdf35 100644 --- a/dirmngr/Makefile.am +++ b/dirmngr/Makefile.am @@ -21,7 +21,14 @@ ## Process this file with automake to produce Makefile.in -EXTRA_DIST = OAUTHORS ONEWS ChangeLog-2011 tls-ca.pem +EXTRA_DIST = OAUTHORS ONEWS ChangeLog-2011 tls-ca.pem \ + dirmngr-w32info.rc dirmngr.w32-manifest.in \ + dirmngr_ldap-w32info.rc dirmngr_ldap.w32-manifest.in \ + dirmngr-client-w32info.rc dirmngr-client.w32-manifest.in + + + + dist_pkgdata_DATA = sks-keyservers.netCA.pem bin_PROGRAMS = dirmngr dirmngr-client @@ -43,6 +50,16 @@ AM_CPPFLAGS = include $(top_srcdir)/am/cmacros.am +if HAVE_W32_SYSTEM +dirmngr_rc_objs = dirmngr-w32info.o +dirmngr_ldap_rc_objs = dirmngr_ldap-w32info.o +dirmngr_client_rc_objs = dirmngr-client-w32info.o + +dirmngr-w32info.o : dirmngr.w32-manifest ../common/w32info-rc.h +dirmngr_ldap-w32info.o : dirmngr_ldap.w32-manifest ../common/w32info-rc.h +dirmngr-client-w32info.o : dirmngr-client.w32-manifest ../common/w32info-rc.h +endif + AM_CFLAGS = $(USE_C99_CFLAGS) \ $(LIBGCRYPT_CFLAGS) $(KSBA_CFLAGS) $(LIBASSUAN_CFLAGS) \ $(GPG_ERROR_CFLAGS) $(NPTH_CFLAGS) $(NTBTLS_CFLAGS) \ @@ -89,12 +106,13 @@ dirmngr_LDADD = $(libcommonpth) \ $(DNSLIBS) $(LIBASSUAN_LIBS) \ $(KSBA_LIBS) $(NPTH_LIBS) $(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) \ $(LIBGCRYPT_LIBS) $(GPG_ERROR_LIBS) $(LIBINTL) $(LIBICONV) \ - $(NETLIBS) + $(NETLIBS) $(dirmngr_rc_objs) if USE_LDAP dirmngr_LDADD += $(ldaplibs) $(LBER_LIBS) endif dirmngr_LDFLAGS = +dirmngr_DEPENDENCIES = $(dirmngr_rc_objs) if USE_LDAP dirmngr_ldap_SOURCES = dirmngr_ldap.c ldap-misc.c ldap-misc.h $(ldap_url) @@ -102,14 +120,18 @@ dirmngr_ldap_CFLAGS = $(GPG_ERROR_CFLAGS) $(LIBGCRYPT_CFLAGS) dirmngr_ldap_LDFLAGS = dirmngr_ldap_LDADD = $(libcommon) \ $(GPG_ERROR_LIBS) $(LIBGCRYPT_LIBS) $(LDAPLIBS) \ - $(LBER_LIBS) $(LIBINTL) $(LIBICONV) $(NETLIBS) + $(LBER_LIBS) $(LIBINTL) $(LIBICONV) $(NETLIBS) \ + $(dirmngr_ldap_rc_objs) +dirmngr_ldap_DEPENDENCIES = $(dirmngr_ldap_rc_objs) endif dirmngr_client_SOURCES = dirmngr-client.c dirmngr_client_LDADD = $(libcommon) \ $(LIBASSUAN_LIBS) $(GPG_ERROR_LIBS) \ - $(LIBGCRYPT_LIBS) $(NETLIBS) $(LIBINTL) $(LIBICONV) + $(LIBGCRYPT_LIBS) $(NETLIBS) $(LIBINTL) $(LIBICONV) \ + $(dirmngr_client_rc_objs) dirmngr_client_LDFLAGS = +dirmngr_client_DEPENDENCIES = $(dirmngr_client_rc_objs) t_common_src = t-support.h t-support.c diff --git a/dirmngr/dirmngr-client-w32info.rc b/dirmngr/dirmngr-client-w32info.rc new file mode 100644 index 000000000..020447bca --- /dev/null +++ b/dirmngr/dirmngr-client-w32info.rc @@ -0,0 +1,52 @@ +/* dirmngr-client-w32info.rc -*- c -*- + * Copyright (C) 2023 g10 Code GmbH + * + * This file is free software; as a special exception the author gives + * unlimited permission to copy and/or distribute it, with or without + * modifications, as long as this notice is preserved. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY, to the extent permitted by law; without even the + * implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + */ + +#include "afxres.h" +#include "../common/w32info-rc.h" + +1 ICON "../common/gnupg.ico" + +1 VERSIONINFO + FILEVERSION W32INFO_VI_FILEVERSION + PRODUCTVERSION W32INFO_VI_PRODUCTVERSION + FILEFLAGSMASK 0x3fL +#ifdef _DEBUG + FILEFLAGS 0x01L /* VS_FF_DEBUG (0x1)*/ +#else + FILEFLAGS 0x00L +#endif + FILEOS 0x40004L /* VOS_NT (0x40000) | VOS__WINDOWS32 (0x4) */ + FILETYPE 0x1L /* VFT_APP (0x1) */ + FILESUBTYPE 0x0L /* VFT2_UNKNOWN */ + BEGIN + BLOCK "StringFileInfo" + BEGIN + BLOCK "040904b0" /* US English (0409), Unicode (04b0) */ + BEGIN + VALUE "FileDescription", L"GnuPG\x2019s dirmngr client\0" + VALUE "InternalName", "dirmngr-client\0" + VALUE "OriginalFilename", "dirmngr-client.exe\0" + VALUE "ProductName", W32INFO_PRODUCTNAME + VALUE "ProductVersion", W32INFO_PRODUCTVERSION + VALUE "CompanyName", W32INFO_COMPANYNAME + VALUE "FileVersion", W32INFO_FILEVERSION + VALUE "LegalCopyright", W32INFO_LEGALCOPYRIGHT + VALUE "Comments", W32INFO_COMMENTS + END + END + BLOCK "VarFileInfo" + BEGIN + VALUE "Translation", 0x409, 0x4b0 + END + END + +1 RT_MANIFEST "dirmngr-client.w32-manifest" diff --git a/dirmngr/dirmngr-client.w32-manifest.in b/dirmngr/dirmngr-client.w32-manifest.in new file mode 100644 index 000000000..1d46d19ff --- /dev/null +++ b/dirmngr/dirmngr-client.w32-manifest.in @@ -0,0 +1,25 @@ + + +GNU Privacy Guard (Dirmngr Client) + + + + + + + + + + + + + + + + + + diff --git a/dirmngr/dirmngr-w32info.rc b/dirmngr/dirmngr-w32info.rc new file mode 100644 index 000000000..cc1475b8e --- /dev/null +++ b/dirmngr/dirmngr-w32info.rc @@ -0,0 +1,52 @@ +/* dirmngr-w32info.rc -*- c -*- + * Copyright (C) 2023 g10 Code GmbH + * + * This file is free software; as a special exception the author gives + * unlimited permission to copy and/or distribute it, with or without + * modifications, as long as this notice is preserved. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY, to the extent permitted by law; without even the + * implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + */ + +#include "afxres.h" +#include "../common/w32info-rc.h" + +1 ICON "../common/gnupg.ico" + +1 VERSIONINFO + FILEVERSION W32INFO_VI_FILEVERSION + PRODUCTVERSION W32INFO_VI_PRODUCTVERSION + FILEFLAGSMASK 0x3fL +#ifdef _DEBUG + FILEFLAGS 0x01L /* VS_FF_DEBUG (0x1)*/ +#else + FILEFLAGS 0x00L +#endif + FILEOS 0x40004L /* VOS_NT (0x40000) | VOS__WINDOWS32 (0x4) */ + FILETYPE 0x1L /* VFT_APP (0x1) */ + FILESUBTYPE 0x0L /* VFT2_UNKNOWN */ + BEGIN + BLOCK "StringFileInfo" + BEGIN + BLOCK "040904b0" /* US English (0409), Unicode (04b0) */ + BEGIN + VALUE "FileDescription", L"GnuPG\x2019s network access daemon\0" + VALUE "InternalName", "dirmngr\0" + VALUE "OriginalFilename", "dirmngr.exe\0" + VALUE "ProductName", W32INFO_PRODUCTNAME + VALUE "ProductVersion", W32INFO_PRODUCTVERSION + VALUE "CompanyName", W32INFO_COMPANYNAME + VALUE "FileVersion", W32INFO_FILEVERSION + VALUE "LegalCopyright", W32INFO_LEGALCOPYRIGHT + VALUE "Comments", W32INFO_COMMENTS + END + END + BLOCK "VarFileInfo" + BEGIN + VALUE "Translation", 0x409, 0x4b0 + END + END + +1 RT_MANIFEST "dirmngr.w32-manifest" diff --git a/dirmngr/dirmngr.w32-manifest.in b/dirmngr/dirmngr.w32-manifest.in new file mode 100644 index 000000000..115548b5c --- /dev/null +++ b/dirmngr/dirmngr.w32-manifest.in @@ -0,0 +1,25 @@ + + +GNU Privacy Guard (Archive tool) + + + + + + + + + + + + + + + + + + diff --git a/dirmngr/dirmngr_ldap-w32info.rc b/dirmngr/dirmngr_ldap-w32info.rc new file mode 100644 index 000000000..779d85837 --- /dev/null +++ b/dirmngr/dirmngr_ldap-w32info.rc @@ -0,0 +1,52 @@ +/* dirmngr_ldap-w32info.rc -*- c -*- + * Copyright (C) 2023 g10 Code GmbH + * + * This file is free software; as a special exception the author gives + * unlimited permission to copy and/or distribute it, with or without + * modifications, as long as this notice is preserved. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY, to the extent permitted by law; without even the + * implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + */ + +#include "afxres.h" +#include "../common/w32info-rc.h" + +1 ICON "../common/gnupg.ico" + +1 VERSIONINFO + FILEVERSION W32INFO_VI_FILEVERSION + PRODUCTVERSION W32INFO_VI_PRODUCTVERSION + FILEFLAGSMASK 0x3fL +#ifdef _DEBUG + FILEFLAGS 0x01L /* VS_FF_DEBUG (0x1)*/ +#else + FILEFLAGS 0x00L +#endif + FILEOS 0x40004L /* VOS_NT (0x40000) | VOS__WINDOWS32 (0x4) */ + FILETYPE 0x1L /* VFT_APP (0x1) */ + FILESUBTYPE 0x0L /* VFT2_UNKNOWN */ + BEGIN + BLOCK "StringFileInfo" + BEGIN + BLOCK "040904b0" /* US English (0409), Unicode (04b0) */ + BEGIN + VALUE "FileDescription", L"GnuPG\x2019s LDAP helper\0" + VALUE "InternalName", "dirmngr_ldap\0" + VALUE "OriginalFilename", "dirmngr_ldap.exe\0" + VALUE "ProductName", W32INFO_PRODUCTNAME + VALUE "ProductVersion", W32INFO_PRODUCTVERSION + VALUE "CompanyName", W32INFO_COMPANYNAME + VALUE "FileVersion", W32INFO_FILEVERSION + VALUE "LegalCopyright", W32INFO_LEGALCOPYRIGHT + VALUE "Comments", W32INFO_COMMENTS + END + END + BLOCK "VarFileInfo" + BEGIN + VALUE "Translation", 0x409, 0x4b0 + END + END + +1 RT_MANIFEST "dirmngr_ldap.w32-manifest" diff --git a/dirmngr/dirmngr_ldap.w32-manifest.in b/dirmngr/dirmngr_ldap.w32-manifest.in new file mode 100644 index 000000000..67db0841c --- /dev/null +++ b/dirmngr/dirmngr_ldap.w32-manifest.in @@ -0,0 +1,25 @@ + + +GNU Privacy Guard (LDAP Helper) + + + + + + + + + + + + + + + + + + -- cgit v1.2.3 From 6657230f9ee40ca0cfcfd16c12b3288a975944b0 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Wed, 24 May 2023 14:16:10 +0200 Subject: w32: Add missing supportedOS Ids for Windows-10 -- --- dirmngr/dirmngr-client.w32-manifest.in | 2 +- dirmngr/dirmngr_ldap.w32-manifest.in | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'dirmngr') diff --git a/dirmngr/dirmngr-client.w32-manifest.in b/dirmngr/dirmngr-client.w32-manifest.in index 1d46d19ff..670bb60f1 100644 --- a/dirmngr/dirmngr-client.w32-manifest.in +++ b/dirmngr/dirmngr-client.w32-manifest.in @@ -3,7 +3,7 @@ GNU Privacy Guard (Dirmngr Client) diff --git a/dirmngr/dirmngr_ldap.w32-manifest.in b/dirmngr/dirmngr_ldap.w32-manifest.in index 67db0841c..509b5e0d1 100644 --- a/dirmngr/dirmngr_ldap.w32-manifest.in +++ b/dirmngr/dirmngr_ldap.w32-manifest.in @@ -3,7 +3,7 @@ GNU Privacy Guard (LDAP Helper) -- cgit v1.2.3 From 207c99567ced260aab04c471c77f179943d492f4 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Wed, 7 Jun 2023 10:03:48 +0200 Subject: dirmngr: Extend the AD_QUERY command. * dirmngr/server.c (cmd_ad_query): Add options --help and --subst. (cmd_getinfo): Add sub-command "sid". * dirmngr/ks-engine.h (KS_GET_FLAG_SUBST): New. * dirmngr/ks-engine-ldap.c (ks_ldap_help_variables): New. (getval_for_filter): New. (map_rid_to_dn): New. (ks_ldap_query): Support variables. -- The new variables features makes it easier to write AD queries without requiring domain specific expressions. --- dirmngr/ks-engine-ldap.c | 191 +++++++++++++++++++++++++++++++++++++++++++++++ dirmngr/ks-engine.h | 2 + dirmngr/server.c | 66 ++++++++++++++-- 3 files changed, 251 insertions(+), 8 deletions(-) (limited to 'dirmngr') diff --git a/dirmngr/ks-engine-ldap.c b/dirmngr/ks-engine-ldap.c index 1ffd30ecb..c2a210542 100644 --- a/dirmngr/ks-engine-ldap.c +++ b/dirmngr/ks-engine-ldap.c @@ -26,6 +26,13 @@ #include #include #include +#ifdef HAVE_W32_SYSTEM +# ifndef WINVER +# define WINVER 0x0500 /* Same as in common/sysutils.c */ +# endif +# include +# include +#endif #include "dirmngr.h" @@ -73,6 +80,9 @@ struct ks_engine_ldap_local_s int more_pages; /* More pages announced by server. */ }; +/*-- prototypes --*/ +static char *map_rid_to_dn (ctrl_t ctrl, const char *rid); +static char *basedn_from_rootdse (ctrl_t ctrl, parsed_uri_t uri); @@ -150,6 +160,114 @@ my_ldap_value_free (char **vals) } +/* Print a description of supported variables. */ +void +ks_ldap_help_variables (ctrl_t ctrl) +{ + const char data[] = + "Supported variables in LDAP filter expressions:\n" + "\n" + "domain - The defaultNamingContext.\n" + "domain_admins - Group of domain admins.\n" + "domain_users - Group with all user accounts.\n" + "domain_guests - Group with the builtin gues account.\n" + "domain_computers - Group with all clients and servers.\n" + "cert_publishers - Group with all cert issuing computers.\n" + "protected_users - Group of users with extra protection.\n" + "key_admins - Group for delegated access to msdsKeyCredentialLink.\n" + "enterprise_key_admins - Similar to key_admins.\n" + "domain_domain_controllers - Group with all domain controllers.\n" + "sid_domain - SubAuthority numbers.\n"; + + ks_print_help (ctrl, data); +} + + +/* Helper function for substitute_vars. */ +static const char * +getval_for_filter (void *cookie, const char *name) +{ + ctrl_t ctrl = cookie; + const char *result = NULL; + + if (!strcmp (name, "sid_domain")) + { +#ifdef HAVE_W32_SYSTEM + PSID mysid; + static char *sidstr; + char *s, *s0; + int i; + + if (!sidstr) + { + mysid = w32_get_user_sid (); + if (!mysid) + { + gpg_err_set_errno (ENOENT); + goto leave; + } + + if (!ConvertSidToStringSid (mysid, &sidstr)) + { + gpg_err_set_errno (EINVAL); + goto leave; + } + /* Example for SIDSTR: + * S-1-5-21-3636969917-2569447256-918939550-1127 */ + for (s0=NULL,s=sidstr,i=0; (s=strchr (s, '-')); i++) + { + s++; + if (i == 3) + s0 = s; + else if (i==6) + { + s[-1] = 0; + break; + } + } + if (!s0) + { + log_error ("oops: invalid SID received from OS"); + gpg_err_set_errno (EINVAL); + LocalFree (sidstr); + goto leave; + } + sidstr = s0; /* (We never release SIDSTR thus no memmove.) */ + } + result = sidstr; +#else + gpg_err_set_errno (ENOSYS); + goto leave; +#endif + } + else if (!strcmp (name, "domain")) + result = basedn_from_rootdse (ctrl, NULL); + else if (!strcmp (name, "domain_admins")) + result = map_rid_to_dn (ctrl, "512"); + else if (!strcmp (name, "domain_users")) + result = map_rid_to_dn (ctrl, "513"); + else if (!strcmp (name, "domain_guests")) + result = map_rid_to_dn (ctrl, "514"); + else if (!strcmp (name, "domain_computers")) + result = map_rid_to_dn (ctrl, "515"); + else if (!strcmp (name, "domain_domain_controllers")) + result = map_rid_to_dn (ctrl, "516"); + else if (!strcmp (name, "cert_publishers")) + result = map_rid_to_dn (ctrl, "517"); + else if (!strcmp (name, "protected_users")) + result = map_rid_to_dn (ctrl, "525"); + else if (!strcmp (name, "key_admins")) + result = map_rid_to_dn (ctrl, "526"); + else if (!strcmp (name, "enterprise_key_admins")) + result = map_rid_to_dn (ctrl, "527"); + else + result = ""; /* Unknown variables are empty. */ + + leave: + return result; +} + + /* Print a help output for the schemata supported by this module. */ gpg_error_t @@ -1396,6 +1514,63 @@ fetch_rootdse (ctrl_t ctrl, parsed_uri_t uri) } +/* Return the DN for the given RID. This is used with the Active + * Directory. */ +static char * +map_rid_to_dn (ctrl_t ctrl, const char *rid) +{ + gpg_error_t err; + char *result = NULL; + estream_t infp = NULL; + uri_item_t puri; /* The broken down URI. */ + nvc_t nvc = NULL; + char *filter = NULL; + const char *s; + char *attr[2] = {"dn", NULL}; + + err = ks_action_parse_uri ("ldap:///", &puri); + if (err) + return NULL; + + filter = strconcat ("(objectSid=S-1-5-21-$sid_domain-", rid, ")", NULL); + if (!filter) + goto leave; + + err = ks_ldap_query (ctrl, puri->parsed_uri, KS_GET_FLAG_SUBST, + filter, attr, NULL, &infp); + if (err) + { + log_error ("ldap: AD query '%s' failed: %s\n", filter,gpg_strerror (err)); + goto leave; + } + if ((err = nvc_parse (&nvc, NULL, infp))) + { + log_error ("ldap: parsing the result failed: %s\n",gpg_strerror (err)); + goto leave; + } + if (!(s = nvc_get_string (nvc, "Dn:"))) + { + err = gpg_error (GPG_ERR_NOT_FOUND); + log_error ("ldap: mapping rid '%s'failed: %s\n", rid, gpg_strerror (err)); + goto leave; + } + result = xtrystrdup (s); + if (!result) + { + err = gpg_error_from_syserror (); + log_error ("ldap: strdup failed: %s\n", gpg_strerror (err)); + goto leave; + } + + leave: + es_fclose (infp); + release_uri_item_list (puri); + xfree (filter); + nvc_release (nvc); + return result; +} + + /* Return the baseDN for URI which might have already been cached for * this session. */ static char * @@ -2824,6 +2999,7 @@ ks_ldap_query (ctrl_t ctrl, parsed_uri_t uri, unsigned int ks_get_flags, LDAP *ldap_conn = NULL; char *basedn = NULL; estream_t fp = NULL; + char *filter_arg_buffer = NULL; char *filter = NULL; int scope = LDAP_SCOPE_SUBTREE; LDAPMessage *message = NULL; @@ -2839,6 +3015,20 @@ ks_ldap_query (ctrl_t ctrl, parsed_uri_t uri, unsigned int ks_get_flags, if ((!filter_arg || !*filter_arg) && (ks_get_flags & KS_GET_FLAG_ROOTDSE)) filter_arg = "^&base&(objectclass=*)"; + if ((ks_get_flags & KS_GET_FLAG_SUBST) + && filter_arg && strchr (filter_arg, '$')) + { + filter_arg_buffer = substitute_vars (filter_arg, getval_for_filter, ctrl); + if (!filter_arg_buffer) + { + err = gpg_error_from_syserror (); + log_error ("substituting filter variables failed: %s\n", + gpg_strerror (err)); + goto leave; + } + filter_arg = filter_arg_buffer; + } + err = ks_ldap_prepare_my_state (ctrl, ks_get_flags, &first_mode, &next_mode); if (err) goto leave; @@ -3048,6 +3238,7 @@ ks_ldap_query (ctrl_t ctrl, parsed_uri_t uri, unsigned int ks_get_flags, ldap_unbind (ldap_conn); xfree (filter); + xfree (filter_arg_buffer); return err; } diff --git a/dirmngr/ks-engine.h b/dirmngr/ks-engine.h index 03588a4d3..6de77ccb2 100644 --- a/dirmngr/ks-engine.h +++ b/dirmngr/ks-engine.h @@ -29,6 +29,7 @@ #define KS_GET_FLAG_NEXT 4 #define KS_GET_FLAG_ONLY_AD 8 /* Do this only if we have an AD. */ #define KS_GET_FLAG_ROOTDSE 16 /* Get the rootDSE. */ +#define KS_GET_FLAG_SUBST 32 /* Substiture variables. */ /*-- ks-action.c --*/ @@ -70,6 +71,7 @@ gpg_error_t ks_kdns_help (ctrl_t ctrl, parsed_uri_t uri); gpg_error_t ks_kdns_fetch (ctrl_t ctrl, parsed_uri_t uri, estream_t *r_fp); /*-- ks-engine-ldap.c --*/ +void ks_ldap_help_variables (ctrl_t ctrl); gpg_error_t ks_ldap_help (ctrl_t ctrl, parsed_uri_t uri); void ks_ldap_free_state (struct ks_engine_ldap_local_s *state); gpg_error_t ks_ldap_search (ctrl_t ctrl, parsed_uri_t uri, const char *pattern, diff --git a/dirmngr/server.c b/dirmngr/server.c index 2c5a41b07..51a149cb2 100644 --- a/dirmngr/server.c +++ b/dirmngr/server.c @@ -32,6 +32,13 @@ #include #include #include +#ifdef HAVE_W32_SYSTEM +# ifndef WINVER +# define WINVER 0x0500 /* Same as in common/sysutils.c */ +# endif +# include +# include +#endif #include "dirmngr.h" #include @@ -2701,15 +2708,21 @@ cmd_ks_put (assuan_context_t ctx, char *line) static const char hlp_ad_query[] = - "AD_QUERY [--first|--next] [--] \n" + "AD_QUERY [--first|--next] [--] \n" "\n" "Query properties from a Windows Active Directory.\n" - "Our extended filter syntax may be used for the filter\n" - "expression; see gnupg/dirmngr/ldap-misc.c. There are\n" - "a couple of other options available:\n\n" - " --rootdse - Query the root using serverless binding,\n" + "Options:\n" + "\n" + " --rootdse - Query the root using serverless binding,\n" + " --subst - Substitute variables in the filter\n" " --attr= - Comma delimited list of attributes\n" " to return.\n" + " --help - List supported variables\n" + "\n" + "Extended filter syntax is allowed:\n" + " ^[][&]&[]\n" + "Usual escaping rules apply. An ampersand in must\n" + "doubled. may be \"base\", \"one\", or \"sub\"." ; static gpg_error_t cmd_ad_query (assuan_context_t ctx, char *line) @@ -2723,6 +2736,7 @@ cmd_ad_query (assuan_context_t ctx, char *line) char **opt_attr = NULL; const char *s; gnupg_isotime_t opt_newer; + int opt_help = 0; *opt_newer = 0; @@ -2733,6 +2747,10 @@ cmd_ad_query (assuan_context_t ctx, char *line) flags |= KS_GET_FLAG_NEXT; if (has_option (line, "--rootdse")) flags |= KS_GET_FLAG_ROOTDSE; + if (has_option (line, "--subst")) + flags |= KS_GET_FLAG_SUBST; + if (has_option (line, "--help")) + opt_help = 1; if ((s = option_value (line, "--newer")) && !string2isotime (opt_newer, s)) { @@ -2756,6 +2774,13 @@ cmd_ad_query (assuan_context_t ctx, char *line) line = skip_options (line); filter = line; + if (opt_help) + { + ks_ldap_help_variables (ctrl); + err = 0; + goto leave; + } + if ((flags & KS_GET_FLAG_NEXT)) { if (*filter || (flags & ~KS_GET_FLAG_NEXT)) @@ -2907,14 +2932,39 @@ cmd_getinfo (assuan_context_t ctx, char *line) { const char *s = getenv (line); if (!s) - err = set_error (GPG_ERR_NOT_FOUND, "No such envvar"); - else - err = assuan_send_data (ctx, s, strlen (s)); + { + err = set_error (GPG_ERR_NOT_FOUND, "No such envvar"); + goto leave; + } + err = assuan_send_data (ctx, s, strlen (s)); } } +#ifdef HAVE_W32_SYSTEM + else if (!strcmp (line, "sid")) + { + PSID mysid; + char *sidstr; + + mysid = w32_get_user_sid (); + if (!mysid) + { + err = set_error (GPG_ERR_NOT_FOUND, "Error getting my SID"); + goto leave; + } + + if (!ConvertSidToStringSid (mysid, &sidstr)) + { + err = set_error (GPG_ERR_BUG, "Error converting SID to a string"); + goto leave; + } + err = assuan_send_data (ctx, sidstr, strlen (sidstr)); + LocalFree (sidstr); + } +#endif /*HAVE_W32_SYSTEM*/ else err = set_error (GPG_ERR_ASS_PARAMETER, "unknown value for WHAT"); + leave: return leave_cmd (ctx, err); } -- cgit v1.2.3 From bf04b07327a5d2a7197df36daaa764b8ad5706e4 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 15 Jun 2023 15:00:28 +0200 Subject: dirmngr: New option --compatibility-flags. * dirmngr/dirmngr.c (oCompatibilityFlags): NEw. (opts): Add option --compatibility-flags. (compatibility_flags): New. (parse_rereadable_options): Parse them. --- dirmngr/dirmngr.c | 20 ++++++++++++++++++++ dirmngr/dirmngr.h | 15 +++++++++++++++ 2 files changed, 35 insertions(+) (limited to 'dirmngr') diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c index bb54f4edd..46521085f 100644 --- a/dirmngr/dirmngr.c +++ b/dirmngr/dirmngr.c @@ -159,6 +159,7 @@ enum cmd_and_opt_values { oConnectQuickTimeout, oListenBacklog, oFakeCRL, + oCompatibilityFlags, aTest }; @@ -297,6 +298,7 @@ static gpgrt_opt_t opts[] = { ARGPARSE_s_s (oSocketName, "socket-name", "@"), /* Only for debugging. */ ARGPARSE_s_n (oDebugCacheExpiredCerts, "debug-cache-expired-certs", "@"), + ARGPARSE_s_s (oCompatibilityFlags, "compatibility-flags", "@"), ARGPARSE_header (NULL, ""), /* Stop the header group. */ @@ -329,6 +331,14 @@ static struct debug_flags_s debug_flags [] = { 77, NULL } /* 77 := Do not exit on "help" or "?". */ }; +/* The list of compatibility flags. */ +static struct compatibility_flags_s compatibility_flags [] = + { + { COMPAT_RESTRICT_HTTP_REDIR, "restrict-http-redir" }, + { 0, NULL } + }; + + #define DEFAULT_MAX_REPLIES 10 #define DEFAULT_LDAP_TIMEOUT 15 /* seconds */ @@ -712,6 +722,7 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread) opt.debug_cache_expired_certs = 0; xfree (opt.fake_crl); opt.fake_crl = NULL; + opt.compat_flags = 0; return 1; } @@ -879,6 +890,15 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread) opt.fake_crl = *pargs->r.ret_str? xstrdup (pargs->r.ret_str) : NULL; break; + case oCompatibilityFlags: + if (parse_compatibility_flags (pargs->r.ret_str, &opt.compat_flags, + compatibility_flags)) + { + pargs->r_opt = ARGPARSE_INVALID_ARG; + pargs->err = ARGPARSE_PRINT_WARNING; + } + break; + default: return 0; /* Not handled. */ } diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h index 1128e118b..5571d6181 100644 --- a/dirmngr/dirmngr.h +++ b/dirmngr/dirmngr.h @@ -154,6 +154,9 @@ struct current after nextUpdate. */ strlist_t keyserver; /* List of default keyservers. */ + + /* Compatibility flags (COMPAT_FLAG_xxxx). */ + unsigned int compat_flags; } opt; @@ -182,6 +185,18 @@ struct #define DBG_EXTPROG (opt.debug & DBG_EXTPROG_VALUE) #define DBG_KEEPTMP (opt.debug & DBG_KEEPTMP_VALUE) +/* Compatibility flags */ + +/* Since version 2.2.12 dirmngr restricted HTTP redirection in an + * attempt to mitigate certain CSRF attacks. It turned out that this + * breaks too many WKD deployments and that the attack scenario is not + * due to gnupg's redirecting but due to insecure configured systems. + * Thus from 2.4.3 on we disable this restriction but allow to use the + * old behaviour by using this compatibility flag. For details see + * https://dev.gnupg.org/T6477. */ +#define COMPAT_RESTRICT_HTTP_REDIR 1 + + /* A simple list of certificate references. FIXME: Better use certlist_t also for references (Store NULL at .cert) */ struct cert_ref_s -- cgit v1.2.3 From 0a63afc79a0466a0554870d5e8aa6c3d8a048b3d Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 15 Jun 2023 15:06:21 +0200 Subject: dirmngr: Disable the HTTP redirect rewriting. * dirmngr/http.h (struct http_redir_info_s): Add restrict_redir. * dirmngr/ks-engine-hkp.c (send_request): Set it depending on flags. * dirmngr/ks-engine-http.c (ks_http_fetch): Ditto. * dirmngr/t-http-basic.c (test_http_prepare_redirect): Always set it. * dirmngr/http.c (http_prepare_redirect): Remove location rewriting unless the flag is set. -- GnuPG-bug-id: 6477 --- dirmngr/http.c | 9 +++++---- dirmngr/http.h | 1 + dirmngr/ks-engine-hkp.c | 5 +++-- dirmngr/ks-engine-http.c | 1 + dirmngr/t-http-basic.c | 1 + 5 files changed, 11 insertions(+), 6 deletions(-) (limited to 'dirmngr') diff --git a/dirmngr/http.c b/dirmngr/http.c index b4c501736..8153fcef4 100644 --- a/dirmngr/http.c +++ b/dirmngr/http.c @@ -3741,10 +3741,11 @@ http_prepare_redirect (http_redir_info_t *info, unsigned int status_code, http_release_parsed_uri (locuri); return err; } - else if (same_host_p (origuri, locuri)) + else if (!info->restrict_redir || same_host_p (origuri, locuri)) { - /* The host is the same or on an exception list and thus we can - * take the location verbatim. */ + /* Take the syntactically correct location or if restrict_redir + * is set the host is the same or on an exception list and thus + * we can take the location verbatim. */ http_release_parsed_uri (origuri); http_release_parsed_uri (locuri); newurl = xtrystrdup (location); @@ -3754,7 +3755,7 @@ http_prepare_redirect (http_redir_info_t *info, unsigned int status_code, return err; } } - else + else /* Strictly rectricted redirection which we used in the past. */ { /* We take only the host and port from the URL given in the * Location. This limits the effects of redirection attacks by diff --git a/dirmngr/http.h b/dirmngr/http.h index 18420c925..e60212761 100644 --- a/dirmngr/http.h +++ b/dirmngr/http.h @@ -117,6 +117,7 @@ struct http_redir_info_s unsigned int silent:1; /* No diagnostics. */ unsigned int allow_downgrade:1;/* Allow a downgrade from https to http. */ unsigned int trust_location:1; /* Trust the received Location header. */ + unsigned int restrict_redir:1; /* Use legacy restricted redirection. */ }; typedef struct http_redir_info_s http_redir_info_t; diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c index 5292da844..66291bc02 100644 --- a/dirmngr/ks-engine-hkp.c +++ b/dirmngr/ks-engine-hkp.c @@ -1242,8 +1242,9 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr, redirinfo.orig_url = request; redirinfo.orig_onion = uri->onion; redirinfo.allow_downgrade = 1; - /* FIXME: I am not sure whey we allow a downgrade for hkp requests. - * Needs at least an explanation here.. */ + /* FIXME: I am not sure why we allow a downgrade for hkp requests. + * Needs at least an explanation here. */ + redirinfo.restrict_redir = !!(opt.compat_flags & COMPAT_RESTRICT_HTTP_REDIR); once_more: err = http_session_new (&session, httphost, diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c index f55a25774..3dca80ee6 100644 --- a/dirmngr/ks-engine-http.c +++ b/dirmngr/ks-engine-http.c @@ -88,6 +88,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, unsigned int flags, redirinfo.orig_onion = uri->onion; redirinfo.orig_https = uri->use_tls; redirinfo.allow_downgrade = !!(flags & KS_HTTP_FETCH_ALLOW_DOWNGRADE); + redirinfo.restrict_redir = !!(opt.compat_flags & COMPAT_RESTRICT_HTTP_REDIR); /* By default we only use the system provided certificates with this * fetch command. */ diff --git a/dirmngr/t-http-basic.c b/dirmngr/t-http-basic.c index edf82efb9..ba3d07a8c 100644 --- a/dirmngr/t-http-basic.c +++ b/dirmngr/t-http-basic.c @@ -165,6 +165,7 @@ test_http_prepare_redirect (void) ri.silent = 1; ri.redirects_left = 1; ri.orig_url = tests[tidx].url; + ri.restrict_redir = 1; /* This is what we used to test here. */ err = http_prepare_redirect (&ri, 301, tests[tidx].location, &newurl); if (err && newurl) -- cgit v1.2.3 From 701a8b30f0be24552772fc2818ad07402eb14478 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Mon, 19 Jun 2023 14:05:22 +0200 Subject: gpgsm: Support SENDCERT_SKI for --call-dirmngr * sm/call-dirmngr.c (run_command_inq_cb): Support SENDCERT_SKI. * dirmngr/crlcache.c (crl_cache_insert): Print the CRL name along with the unknown OID nortice. --- dirmngr/crlcache.c | 1 + 1 file changed, 1 insertion(+) (limited to 'dirmngr') diff --git a/dirmngr/crlcache.c b/dirmngr/crlcache.c index 9f0b910f3..64f4de97f 100644 --- a/dirmngr/crlcache.c +++ b/dirmngr/crlcache.c @@ -2361,6 +2361,7 @@ crl_cache_insert (ctrl_t ctrl, const char *url, ksba_reader_t reader) || !strcmp (oid, oidstr_crlNumber) ) continue; log_error (_("unknown critical CRL extension %s\n"), oid); + log_info ("(CRL='%s')\n", url); if (!err2) err2 = gpg_error (GPG_ERR_INV_CRL); invalidate_crl |= INVCRL_UNKNOWN_EXTN; -- cgit v1.2.3 From b1ecc8353ae37e48b586a315a228bce964253ffe Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Mon, 19 Jun 2023 14:25:47 +0200 Subject: dirmngr: New option --ignore-crl-extensions. * dirmngr/dirmngr.c (oIgnoreCRLExtension): New. (opts): Add --ignore-crl-extension. (parse_rereadable_options): Add to list/ * dirmngr/dirmngr.h (opt): Add ignored_crl_extensions. * dirmngr/crlcache.c (crl_cache_insert): Implement option. -- This option is is useful for debugging problems with new CRL extensions. It is similar to --ignore-cert-extension. GnuPG-bug-id: 6545 --- dirmngr/crlcache.c | 9 +++++++++ dirmngr/dirmngr.c | 7 +++++++ dirmngr/dirmngr.h | 5 +++++ 3 files changed, 21 insertions(+) (limited to 'dirmngr') diff --git a/dirmngr/crlcache.c b/dirmngr/crlcache.c index 64f4de97f..ac673a8d5 100644 --- a/dirmngr/crlcache.c +++ b/dirmngr/crlcache.c @@ -2356,10 +2356,19 @@ crl_cache_insert (ctrl_t ctrl, const char *url, ksba_reader_t reader) for (idx=0; !(err=ksba_crl_get_extension (crl, idx, &oid, &critical, NULL, NULL)); idx++) { + strlist_t sl; + if (!critical || !strcmp (oid, oidstr_authorityKeyIdentifier) || !strcmp (oid, oidstr_crlNumber) ) continue; + + for (sl=opt.ignored_crl_extensions; + sl && strcmp (sl->d, oid); sl = sl->next) + ; + if (sl) + continue; /* Is in ignored list. */ + log_error (_("unknown critical CRL extension %s\n"), oid); log_info ("(CRL='%s')\n", url); if (!err2) diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c index 46521085f..b460ed3b3 100644 --- a/dirmngr/dirmngr.c +++ b/dirmngr/dirmngr.c @@ -147,6 +147,7 @@ enum cmd_and_opt_values { oHTTPWrapperProgram, oIgnoreCert, oIgnoreCertExtension, + oIgnoreCRLExtension, oUseTor, oNoUseTor, oKeyServer, @@ -224,6 +225,7 @@ static gpgrt_opt_t opts[] = { ARGPARSE_s_n (oDisableCheckOwnSocket, "disable-check-own-socket", "@"), ARGPARSE_s_s (oIgnoreCert,"ignore-cert", "@"), ARGPARSE_s_s (oIgnoreCertExtension,"ignore-cert-extension", "@"), + ARGPARSE_s_s (oIgnoreCRLExtension,"ignore-crl-extension", "@"), ARGPARSE_header ("Network", N_("Network related options")), @@ -706,6 +708,7 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread) opt.ignored_certs = tmp; } FREE_STRLIST (opt.ignored_cert_extensions); + FREE_STRLIST (opt.ignored_crl_extensions); http_register_tls_ca (NULL); FREE_STRLIST (hkp_cacert_filenames); FREE_STRLIST (opt.keyserver); @@ -819,6 +822,10 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread) add_to_strlist (&opt.ignored_cert_extensions, pargs->r.ret_str); break; + case oIgnoreCRLExtension: + add_to_strlist (&opt.ignored_crl_extensions, pargs->r.ret_str); + break; + case oUseTor: tor_mode = TOR_MODE_FORCE; break; diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h index 5571d6181..50c97f140 100644 --- a/dirmngr/dirmngr.h +++ b/dirmngr/dirmngr.h @@ -132,6 +132,11 @@ struct OID per string. */ strlist_t ignored_cert_extensions; + /* A list of CRL extension OIDs which are ignored so that one can + * claim that a critical extension has been handled. One OID per + * string. */ + strlist_t ignored_crl_extensions; + /* Allow expired certificates in the cache. */ int debug_cache_expired_certs; -- cgit v1.2.3 From 40090dbbf9ead365cb9350828da8b5ebad426f5e Mon Sep 17 00:00:00 2001 From: zhangguangzhi Date: Thu, 11 May 2023 16:34:23 +0800 Subject: delete redundant characters -- GnuPG-bug-id: 6482 Signed-off-by: zhangguangzhi --- dirmngr/ChangeLog-2011 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'dirmngr') diff --git a/dirmngr/ChangeLog-2011 b/dirmngr/ChangeLog-2011 index 243f2b56f..30e026ff8 100644 --- a/dirmngr/ChangeLog-2011 +++ b/dirmngr/ChangeLog-2011 @@ -1373,7 +1373,7 @@ truncated search. * ldap.c (add_server_to_servers): Reactivated. (url_fetch_ldap): Call it here and try all configured servers in - case of a a failed lookup. + case of a failed lookup. (fetch_next_cert_ldap): Detect the truncation error flag. * misc.c (host_and_port_from_url, remove_percent_escapes): New. -- cgit v1.2.3