Page MenuHome GnuPG
Create Task
Maniphest T6997

gnupg-2.4.4 breaks dirmngr fetching keys via hkps:// from behind a proxy
Testing, NormalPublic
Actions

Description

When behind a proxy with:

# echo $http_proxy | sed 's/[0-9]/N/g'
http://NNN.NNN.NNN.NNN:NNNN/

# cat ~/.gnupg/dirmngr.conf 
honor-http-proxy

gnupg-2.4.3 can recv-keys fine:

# killall dirmngr 2>/dev/null ; gpg --version | head -n1 ; gpg --keyserver hkps://keys.gentoo.org --recv-keys 39EA32FE8222EEEC
gpg (GnuPG) 2.4.3
gpg: key 39EA32FE8222EEEC: "Ulrich Müller <ulm@gentoo.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

gnupg 2.4.4 fails:

# killall dirmngr 2>/dev/null ; gpg --version | head -n1 ; gpg --keyserver hkps://keys.gentoo.org --recv-keys 39EA32FE8222EEEC
gpg (GnuPG) 2.4.4
gpg: keyserver receive failed: No keyserver available

When I watch the proxy, it is not that 2.4.4 makes no attempt to connect. It's that it doesn't send CONNECT, instead something the proxy server doesn't like:

NNN.NNN.NNN.NNN - - [14/Feb/2024:16:36:19 -0500] "- error:invalid-request HTTP/1.1" 400 3585 397 - "-" "-" NONE_NONE:HIER_NONE

When I sniff this, it's binary goo as soon as the 3WHS completes.

There's mentions of proxy handling changes in the 2.4.4 release notes, but they only talk about Windows systems; this is on Linux.

This might only impact hkps://. I'm having trouble finding an hkp:// server that's still alive, but when I attempt one, I see the client issuing a well-formed GET through the proxy, which of course then times out.

Details

Version
2.4.4

Revisions and Commits

rG GnuPG
rG41c022072599 dirmngr: Fix keep-alive flag handling.
rGc33c4fdf10b7 dirmngr: Fix the regression of use of proxy for TLS connection.
rGd6c428699db7 dirmngr: Fix proxy with TLS.
rG2810b934647e dirmngr: Fix keep-alive flag handling.
rG848546b05ab0 dirmngr: Fix the regression of use of proxy for TLS connection.
Concern RaisedrG04cbc3074aa9 dirmngr: Fix proxy with TLS.

Related Objects

Event Timeline

hlein created this task.Feb 14 2024, 10:45 PM
thesamesam added a subscriber: thesamesam.Feb 14 2024, 10:50 PM
gniibe added a commit: rG04cbc3074aa9: dirmngr: Fix proxy with TLS..Feb 15 2024, 7:42 AM
gniibe changed the task status from Open to Testing.Feb 15 2024, 7:44 AM
gniibe claimed this task.
gniibe triaged this task as Normal priority.
gniibe added a project: gnupg24.
gniibe added a subscriber: gniibe.

Thank you for the report. There was a problem in: rG845d5e61d8e1: dirmngr: Cleanup the http module.
Pushed the fix in: rG04cbc3074aa9: dirmngr: Fix proxy with TLS.

ebo moved this task from Backlog to WiP on the gnupg24 board.Feb 15 2024, 8:26 AM
thesamesam added a comment.Feb 15 2024, 10:43 PM

Per https://dev.gnupg.org/rG04cbc3074aa98660b513a80f623a7e9f0702c7c9#83517, it looks like the fix might be incomplete?

gniibe added a commit: rG848546b05ab0: dirmngr: Fix the regression of use of proxy for TLS connection..Feb 16 2024, 3:39 AM
gniibe added a project: gnupg22.Feb 16 2024, 3:40 AM

Right. I was wrong assuming the code in 2.2 branch is stable (that is: well tested).

Another fix is pushed: rG848546b05ab0: dirmngr: Fix the regression of use of proxy for TLS connection.

We need to fix 2.2 branch too.

gniibe reassigned this task from gniibe to werner.Feb 16 2024, 3:44 AM
gniibe moved this task from Backlog to WiP on the gnupg22 board.
gniibe moved this task from WiP to QA on the gnupg24 board.Feb 16 2024, 3:50 AM
gniibe added a comment.EditedFeb 16 2024, 5:17 AM

IIUC, the code for keep_alive is for negotiation of proxy. If so, something like this is the fix:

diff --git a/dirmngr/http.c b/dirmngr/http.c
index ac7e13241..7b206c23a 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -2553,7 +2553,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
    * RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication
    */
   auth_basic = !!proxy->uri->auth;
-  hd->keep_alive = 0;
+  hd->keep_alive = !!proxy->outtoken;
 
   /* For basic authentication we need to send just one request.  */
   if (auth_basic
@@ -2717,6 +2717,14 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
     }
 
  leave:
+  if (hd->keep_alive)
+    {
+      es_fclose (hd->fp_write);
+      hd->fp_write = NULL;
+      /* The close has released the cookie and thus we better set it
+       * to NULL.  */
+      hd->write_cookie = NULL;
+    }
   /* Restore flags, destroy stream, reset state.  */
   hd->flags = saved_flags;
   es_fclose (hd->fp_read);
hlein added a comment.Feb 16 2024, 5:22 AM

Thank you @gniibe! Applied the rG848546b05ab0: dirmngr: Fix the regression of use of proxy for TLS connection. changes here, and 2.4.4 works here now.

I did not try your extra keep_alive fix.

gniibe added a comment.Feb 16 2024, 8:14 AM

@hlein Thanks a lot for quick testing.

Please note that keep_alive fix is for Windows.

gniibe added a commit: rG2810b934647e: dirmngr: Fix keep-alive flag handling..Feb 16 2024, 8:27 AM
gniibe added a comment.Feb 16 2024, 8:28 AM

I was wrong for the semantics of proxy->outtoken. It is zero when run_proxy_connect is called and enabled during the negotiation.

I fix this in: rG2810b934647e: dirmngr: Fix keep-alive flag handling.

werner added a commit: rGd6c428699db7: dirmngr: Fix proxy with TLS..Feb 21 2024, 3:13 PM
werner added a commit: rGc33c4fdf10b7: dirmngr: Fix the regression of use of proxy for TLS connection..
werner added a commit: rG41c022072599: dirmngr: Fix keep-alive flag handling..
werner added a comment.Feb 21 2024, 3:13 PM

Okay, backported to 2.2.

werner mentioned this in T6960: Release GnuPG 2.4.5.Mar 7 2024, 3:23 PM
werner moved this task from QA to gnupg-2.4.5 on the gnupg24 board.Mar 7 2024, 3:26 PM
werner edited projects, added gnupg24 (gnupg-2.4.5); removed gnupg24.
werner moved this task from WiP to QA on the gnupg22 board.Mar 18 2024, 4:22 PM
werner mentioned this in T6849: Release GnuPG 2.2.43.Tue, Apr 16, 9:47 AM