Keyserver search with gnupg 2.1 fails with "System error w/o errno"
Closed, ResolvedPublic

Description

I've installed gnupg 2.1.0 with the speedo build system on an Ubuntu 14.4 into
/opt/gnupg and set my LD_LIBRARY_PATH / PATH accordingly.

Everything works fine; I can sign / encrypt / verify, but the lookup of OpenPGP
keys fails with: "error searching keyserver: System error w/o errno"

I guess it has to be something with my environment but if I can figure out the
problem maybe the error message could be improved for that case.

To rule out some environmental causes I ran the following test:

pkill gpg-agent
pkill dirmngr
unset GPG_AGENT_INFO
gpg2 --keyserver hkp://75.75.183.132 --homedir "$(mktemp -d)" -v -v -v --search aheinecke@intevation.de

Output:
gpg: using character set 'utf-8'
gpg: keybox '/tmp/tmp.GICwwzmCUz/pubring.kbx' created
gpg: no running Dirmngr - starting '/opt/gnupg/bin/dirmngr'
gpg: waiting for the dirmngr to come up ... (5s)
gpg: connection to the dirmngr established
gpg: error searching keyserver: System error w/o errno
gpg: keyserver search failed: System error w/o errno

If I run the same command with gpg 1.4.16 everything is ok:

gpg --keyserver hkp://75.75.183.132 --homedir "$(mktemp -d)" -v -v -v --search aheinecke@intevation.de
gpg: using character set `utf-8'
gpg: keyring `/tmp/tmp.79u9D4HS5L/secring.gpg' created
gpg: keyring `/tmp/tmp.79u9D4HS5L/pubring.gpg' created
gpg: searching for "aheinecke@intevation.de" from hkp server 75.75.183.132
(1) Andre Heinecke <andre@heinecke.or.at>
    Andre Heinecke <aheinecke@intevation.de>
    Andre Heinecke <andre.heinecke@intevation.de>
      384 bit unknown key 58BD45EC, created: 2014-11-18, expires: 2019-11-17
(2) Andre Heinecke <aheinecke@intevation.de>
    Andre Heinecke <andre.heinecke@intevation.de>
      1024 bit DSA key C97822F5, created: 2009-11-23, expires: 2015-12-31

Keys 1-2 of 2 for "aheinecke@intevation.de". Enter number(s), N)ext, or Q)uit >
gpg: Interrupt caught ... exiting

Details

Version
2.1.0

Event Timeline

The problem was with that specific keyserver. If I use another keyserver it
works. The keyserver was the first one returned to me by using the
keys.gnupg.net pool, and gpg 1 works with it.

I've debugged the issue.

The test case is now reduced to:
gpg2 --keyserver hkp://127.0.0.1 --search foobar

Dirmngr logs:

2014-11-26 20:35:55 dirmngr[5892.1] getnameinfo returned for '127.0.0.1': 'localhost'
2014-11-26 20:35:55 dirmngr[5892.1] can't connect to '127.0.0.1': Success
2014-11-26 20:35:55 dirmngr[5892.1] error connecting to 'http://127.0.0.1:11371': System error w/o errno
2014-11-26 20:35:55 dirmngr[5892.1] command 'KS_SEARCH' failed: System error w/o errno

In my case this is because common/http.c (connect_server) ~ line 2200

  ai->ai_family == AF_INET && (flags & HTTP_FLAG_IGNORE_IPv4)

returns true for 127.0.0.1 (same for 75.75.183.132, which also explains why it
works with gnupg). The address is skipped, but it is the only one -> loop
finishes with no errno set.

It is set in dirmngr/ks-engine-hkp.c, which looks to me like: "If it is not
indicated that a host uses either IPv4 or IPv6, ignore it." Which I find kind of
harsh. At least a debug output like:

      if (!hi->v4 && !hi->v6)
        log_debug("Ignoring host\n");

should be added there, and of course connect_server should return an appropriate
error in case it never actually tried to connect to a server.

While debugging this I think I found another issue. You are using errno after
my_connect calls. If this expands to npth_connect the actual calls are

  enter_npth()
    sem_post()   // modifies errno
  connect()      // modifies errno
  leave_npth()
    sem_wait()   // modifies errno

Afaik enter / leave in npth should save errno. I could not confirm that this is
really an issue with a test but I think it is.

aheinecke added a project: Info Needed.

I had another go at this bug this evening. I had a keyserver with reproducible
failures (while I still could use it in gpg1). And suddenly during debugging it
all changed and worked flawlessly. I was down to npth_connect, and after I had
added debug output in there it began to work (and kept working after removing
the debug output again, hrmpf).

With regards to the test case from T1773 (aheinecke on Nov 26 2014, 10:35 PM / Roundup). This now (after e8c0ed7) returns a
dead host.

Btw. I think the error message could be improved for dead hosts.

gpg2 --keyserver hkp://127.0.0.1 --search foobar
gpg: no keyserver known (use option --keyserver)
gpg: keyserver search failed: No keyserver available

Should be something like "No reachable keyserver found"

Assigned this bug to me to at least provide a clearer example.

Thanks for fixing the 127.0.0.1 lookup error :)

This was straight 2.1.0, right? Please try again with 2.1.1; there are just too
many bug fixes that it is not worth looking at 2.1.0. If it is still the case I
can look at it (although you assigned it to yourself ;-)

No, this was on "the master of the day".

And with the dead server detection the case for "localhost lookup" already got
better.

But you could look at npth src/npth.c
I am pretty sure that npth_enter and npth_leave modify errno and that this
causes at least npth_connect not to set errno as expected.

The sem_post in enter_pth can't set ERRNO because we assert the return value
later. However, the sem_wait in leave_npth has the usual EINTR protection and
thus changes ERRNO. Needs to be fixed.
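
The errno clobbering discussed in this thread, as an added example that is not npth's code and does not reproduce the fix shipped in npth-1.2. The fake_* functions are constructed stand-ins for sem_wait() and connect(), and saving and restoring errno around the leave step is shown as one common way to preserve it.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for sem_wait(): interrupted once (EINTR), then succeeds. */
static int wait_calls;
static int fake_sem_wait(void)
{
    if (wait_calls++ == 0) { errno = EINTR; return -1; }
    return 0;
}

/* Stand-in for a connect() that fails with ECONNREFUSED. */
static int fake_connect(void) { errno = ECONNREFUSED; return -1; }

/* Leave step with only the EINTR retry loop: errno is left at EINTR
   even though the wait finally succeeds. */
static void leave_plain(void)
{
    while (fake_sem_wait() == -1 && errno == EINTR)
        ;
}

/* Same leave step, but errno is saved and restored around it. */
static void leave_saving_errno(void)
{
    int saved = errno;
    leave_plain();
    errno = saved;
}

/* Wrapper in the shape of npth_connect (enter step omitted): returns the
   errno value the caller would read after a failed connect. */
static int errno_after_connect(void (*leave)(void))
{
    wait_calls = 0;
    errno = 0;
    int rc = fake_connect();
    leave();
    return rc == -1 ? errno : 0;
}

int main(void)
{
    printf("plain:  %s\n", strerror(errno_after_connect(leave_plain)));
    printf("saving: %s\n", strerror(errno_after_connect(leave_saving_errno)));
    return 0;
}
```
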

Haven't seen this problem for months and npth-1.2 contains the fix.

-> Resolved.