Page MenuHome GnuPG
Files F35313485

No OneTemporary
Actions

View Options

diff --git a/dirmngr/ChangeLog b/dirmngr/ChangeLog
index 757eb78ac..ac71bdd6c 100644
--- a/dirmngr/ChangeLog
+++ b/dirmngr/ChangeLog
@@ -1,1545 +1,1555 @@
2011-02-09 Werner Koch <wk@g10code.com>
+ * ks-engine-kdns.c: New. Based on the former gpgkeys_kdns.
+
+ * server.c (cmd_keyserver): Add option --help.
+ (dirmngr_status_help): New.
+ * ks-action.c (ks_print_help): New.
+ (ks_action_help): New.
+ * ks-engine-finger.c (ks_finger_help): New.
+ * ks-engine-http.c (ks_http_help): New.
+ * ks-engine-hkp.c (ks_hkp_help): New.
+
* ks-action.c (ks_action_fetch): Support http URLs.
* ks-engine-http.c: New.
* ks-engine-finger.c (ks_finger_get): Rename to ks_finger_fetch.
Change caller.
2011-02-08 Werner Koch <wk@g10code.com>
* server.c (cmd_ks_fetch): New.
* ks-action.c (ks_action_fetch): New.
* ks-engine-finger.c: New.
2011-02-03 Werner Koch <wk@g10code.com>
* Makefile.am (dirmngr_LDADD): Remove -llber.
2011-01-25 Werner Koch <wk@g10code.com>
* dirmngr.c (handle_connections): Rewrite loop to use pth-select
so to sync timeouts to the full second.
(pth_thread_id): New.
(main) [W32CE]: Fix setting of default homedir.
* ldap-wrapper.c (ldap_wrapper_thread): Sync to the full second.
Increate pth_wait timeout from 1 to 2 seconds.
2011-01-20 Werner Koch <wk@g10code.com>
* server.c (release_ctrl_keyservers): New.
(cmd_keyserver, cmd_ks_seach, cmd_ks_get, cmd_ks_put): New.
* dirmngr.h (uri_item_t): New.
(struct server_control_s): Add field KEYSERVERS.
* ks-engine-hkp.c: New.
* ks-engine.h: New.
* ks-action.c, ks-action.h: New.
* server.c: Include ks-action.h.
(cmd_ks_search): New.
* Makefile.am (dirmngr_SOURCES): Add new files.
2011-01-19 Werner Koch <wk@g10code.com>
* dirmngr.c (main): Use es_printf for --gpgconf-list.
2010-12-14 Werner Koch <wk@g10code.com>
* cdb.h (struct cdb) [W32]: Add field CDB_MAPPING.
* cdblib.c (cdb_init) [W32]: Save mapping handle.
(cdb_free) [W32]: Don't leak the mapping handle from cdb_init by
using the saved one.
* crlcache.c (crl_cache_insert): Close unused matching files.
* dirmngr.c (main) [W32CE]: Change homedir in daemon mode to /gnupg.
2010-12-07 Werner Koch <wk@g10code.com>
* dirmngr.c (TIMERTICK_INTERVAL) [W32CE]: Change to 60s.
2010-11-23 Werner Koch <wk@g10code.com>
* Makefile.am (dirmngr_LDFLAGS): Add extra_bin_ldflags.
(dirmngr_client_LDFLAGS): Ditto.
2010-10-21 Werner Koch <wk@g10code.com>
* dirmngr.c (main): Changed faked system time warning
2010-10-15 Werner Koch <wk@g10code.com>
* Makefile.am (CLEANFILES): Add no-libgcrypt.c.
2010-09-16 Werner Koch <wk@g10code.com>
* validate.c (validate_cert_chain): Use GPG_ERR_MISSING_ISSUER_CERT.
2010-08-13 Werner Koch <wk@g10code.com>
* Makefile.am (dirmngr_SOURCES): Add w32-ldap-help.h.
* dirmngr_ldap.c (fetch_ldap): Call ldap_unbind.
* w32-ldap-help.h: New.
* dirmngr_ldap.c [W32CE]: Include w32-ldap-help.h and use the
mapped ldap functions.
2010-08-12 Werner Koch <wk@g10code.com>
* crlcache.c (update_dir, crl_cache_insert): s/unlink/gnupg_remove/.
* dirmngr.c (dirmngr_sighup_action): New.
* server.c (cmd_killdirmngr, cmd_reloaddirmngr): New.
(struct server_local_s): Add field STOPME.
(start_command_handler): Act on STOPME.
2010-08-06 Werner Koch <wk@g10code.com>
* dirmngr.c (JNLIB_NEED_AFLOCAL): Define macro.
(main): Use SUN_LEN macro.
(main) [W32]: Allow EEXIST in addition to EADDRINUSE.
2010-08-05 Werner Koch <wk@g10code.com>
* server.c (set_error, leave_cmd): New.
(cmd_validate, cmd_ldapserver, cmd_isvalid, cmd_checkcrl)
(cmd_checkocsp, cmd_lookup, cmd_listcrls, cmd_cachecert): Use
leave_cmd.
(cmd_getinfo): New.
(data_line_cookie_write, data_line_cookie_close): New.
(cmd_listcrls): Replace assuan_get_data_fp by es_fopencookie.
* misc.c (create_estream_ksba_reader, my_estream_ksba_reader_cb): New.
* certcache.c (load_certs_from_dir): Use create_estream_ksba_reader.
* crlcache.c (crl_cache_load): Ditto.
2010-08-03 Werner Koch <wk@g10code.com>
* dirmngr_ldap.c (pth_enter, pth_leave) [USE_LDAPWRAPPER]: Turn
into functions for use in a 'for' control stmt.
2010-07-26 Werner Koch <wk@g10code.com>
* dirmngr_ldap.c (print_ldap_entries): Remove special fwrite case
for W32 because that is now handles by estream.
2010-07-25 Werner Koch <wk@g10code.com>
* Makefile.am (dirmngr_SOURCES) [!USE_LDAPWRAPPER]: Build
ldap-wrapper-ce.
* ldap-wrapper-ce.c: New.
* dirmngr_ldap.c (opt): Remove global variable ...
(my_opt_t): ... and declare a type instead.
(main): Define a MY_OPT variable and change all references to OPT
to this.
(set_timeout, print_ldap_entries, fetch_ldap, process_url): Pass
MYOPT arg.
2010-07-24 Werner Koch <wk@g10code.com>
* dirmngr_ldap.c (main): Init common subsystems. Call
es_set_binary.
2010-07-19 Werner Koch <wk@g10code.com>
* dirmngr.c: Include ldap-wrapper.h.
(launch_reaper_thread): Move code to ...
* ldap-wrapper.c (ldap_wrapper_launch_thread): .. here. Change
callers.
(ldap_wrapper_thread): Rename to ...
(wrapper_thread): this and make local.
* ldap.c (destroy_wrapper, print_log_line)
(read_log_data, ldap_wrapper_thread)
(ldap_wrapper_wait_connections, ldap_wrapper_release_context)
(ldap_wrapper_connection_cleanup, reader_callback, ldap_wrapper):
Factor code out to ...
* ldap-wrapper.c: new.
(ldap_wrapper): Make public.
(read_buffer): Copy from ldap.c.
* ldap-wrapper.h: New.
* Makefile.am (dirmngr_SOURCES): Add new files.
2010-07-16 Werner Koch <wk@g10code.com>
* http.c, http.h: Remove.
* dirmngr-err.h: New.
* dirmngr.h: Include dirmngr-err.h instead of gpg-error.h
* cdblib.c: Replace assignments to ERRNO by a call to
gpg_err_set_errno. Include dirmngr-err.h.
(cdb_free) [__MINGW32CE__]: Do not use get_osfhandle.
* dirmngr.c [!HAVE_SIGNAL_H]: Don't include signal.h.
(USE_W32_SERVICE): New. Use this to control the use of the W32
service system.
2010-07-06 Werner Koch <wk@g10code.com>
* dirmngr.c (main): Print note on directory name changes.
Replace almost all uses of stdio by estream.
* b64dec.c, b64enc.c: Remove. They are duplicated in ../common/.
2010-06-28 Werner Koch <wk@g10code.com>
* dirmngr_ldap.c (my_i18n_init): Remove.
(main): Call i18n_init instead of above function.
* dirmngr-client.c (my_i18n_init): Remove.
(main): Call i18n_init instead of above function.
* Makefile.am (dirmngr_LDADD): Add ../gl/libgnu.
(dirmngr_ldap_LDADD, dirmngr_client_LDADD): Ditto.
2010-06-09 Werner Koch <wk@g10code.com>
* i18n.h: Remove.
* Makefile.am (no-libgcrypt.c): New rule.
* exechelp.h: Remove.
* exechelp.c: Remove.
(dirmngr_release_process): Change callers to use the gnupg func.
(dirmngr_wait_process): Likewise.
(dirmngr_kill_process): Likewise. This actually implements it for
W32.
* ldap.c (ldap_wrapper): s/get_dirmngr_ldap_path/gnupg_module_name/.
(ldap_wrapper_thread): Use gnupg_wait_process and adjust for
changed semantics.
(ldap_wrapper): Replace xcalloc by xtrycalloc. Replace spawn
mechanism.
* server.c (start_command_handler): Remove assuan_set_log_stream.
* validate.c: Remove gcrypt.h and ksba.h.
* ldapserver.c: s/util.h/dirmngr.h/.
* dirmngr.c (sleep) [W32]: Remove macro.
(main): s/sleep/gnupg_sleep/.
(pid_suffix_callback): Change arg type.
(my_gcry_logger): Remove.
(fixed_gcry_pth_init): New.
(main): Use it.
(FD2INT): Remove.
2010-06-08 Werner Koch <wk@g10code.com>
* misc.h (copy_time): Remove and replace by gnupg_copy_time which
allows to set a null date.
* misc.c (dump_isotime, get_time, get_isotime, set_time)
(check_isotime, add_isotime): Remove and replace all calls by the
versions from common/gettime.c.
* crlcache.c, misc.c, misc.h: s/dirmngr_isotime_t/gnupg_isotime_t/.
* server.c, ldap.c: Reorder include directives.
* crlcache.h, misc.h: Remove all include directives.
* certcache.c (cmp_simple_canon_sexp): Remove.
(compare_serialno): Rewrite using cmp_simple_canon_sexp from
common/sexputil.c
* error.h: Remove.
* dirmngr.c: Remove transitional option "--ignore-ocsp-servic-url".
(opts): Use ARGPARSE macros.
(i18n_init): Remove.
(main): Use GnuPG init functions.
* dirmngr.h: Remove duplicated stuff now taken from ../common.
* get-path.c, util.h: Remove.
* Makefile.am: Adjust to GnuPG system.
* estream.c, estream.h, estream-printf.c, estream-printf.h: Remove.
2010-06-07 Werner Koch <wk@g10code.com>
* OAUTHORS, ONEWS, ChangeLog.1: New.
* ChangeLog, Makefile.am, b64dec.c, b64enc.c, cdb.h, cdblib.c
* certcache.c, certcache.h, crlcache.c, crlcache.h, crlfetch.c
* crlfetch.h, dirmngr-client.c, dirmngr.c, dirmngr.h
* dirmngr_ldap.c, error.h, estream-printf.c, estream-printf.h
* estream.c, estream.h, exechelp.c, exechelp.h, get-path.c, http.c
* http.h, i18n.h, ldap-url.c, ldap-url.h, ldap.c, ldapserver.c
* ldapserver.h, misc.c, misc.h, ocsp.c, ocsp.h, server.c, util.h
* validate.c, validate.h: Imported from the current SVN of the
dirmngr package (only src/).
2010-03-13 Werner Koch <wk@g10code.com>
* dirmngr.c (int_and_ptr_u): New.
(pid_suffix_callback): Trick out compiler.
(start_connection_thread): Ditto.
(handle_connections): Ditto.
2010-03-09 Werner Koch <wk@g10code.com>
* dirmngr.c (set_debug): Allow numerical values.
2009-12-15 Werner Koch <wk@g10code.com>
* dirmngr.c: Add option --ignore-cert-extension.
(parse_rereadable_options): Implement.
* dirmngr.h (opt): Add IGNORED_CERT_EXTENSIONS.
* validate.c (unknown_criticals): Handle ignored extensions.
2009-12-08 Marcus Brinkmann <marcus@g10code.de>
* dirmngr-client.c (start_dirmngr): Convert posix FDs to assuan fds.
2009-11-25 Marcus Brinkmann <marcus@g10code.de>
* server.c (start_command_handler): Use assuan_fd_t and
assuan_fdopen on fds.
2009-11-05 Marcus Brinkmann <marcus@g10code.de>
* server.c (start_command_handler): Update use of
assuan_init_socket_server.
* dirmngr-client.c (start_dirmngr): Update use of
assuan_pipe_connect and assuan_socket_connect.
2009-11-04 Werner Koch <wk@g10code.com>
* server.c (register_commands): Add help arg to
assuan_register_command. Change all command comments to strings.
2009-11-02 Marcus Brinkmann <marcus@g10code.de>
* server.c (reset_notify): Take LINE argument, return gpg_error_t.
2009-10-16 Marcus Brinkmann <marcus@g10code.com>
* Makefile.am: (dirmngr_LDADD): Link to $(LIBASSUAN_LIBS) instead
of $(LIBASSUAN_PTH_LIBS).
* dirmngr.c: Invoke ASSUAN_SYSTEM_PTH_IMPL.
(main): Call assuan_set_system_hooks and assuan_sock_init.
2009-09-22 Marcus Brinkmann <marcus@g10code.de>
* dirmngr.c (main): Update to new Assuan interface.
* server.c (option_handler, cmd_ldapserver, cmd_isvalid)
(cmd_checkcrl, cmd_checkocsp, cmd_lookup, cmd_loadcrl)
(cmd_listcrls, cmd_cachecert, cmd_validate): Return gpg_error_t
instead int.
(register_commands): Likewise for member HANDLER.
(start_command_handler): Allocate context with assuan_new before
starting server. Release on error.
* dirmngr-client.c (main): Update to new Assuan interface.
(start_dirmngr): Allocate context with assuan_new before
connecting to server. Release on error.
2009-08-12 Werner Koch <wk@g10code.com>
* dirmngr-client.c (squid_loop_body): Flush stdout. Suggested by
Philip Shin.
2009-08-07 Werner Koch <wk@g10code.com>
* crlfetch.c (my_es_read): Add explicit check for EOF.
* http.c (struct http_context_s): Turn IN_DATA and IS_HTTP_0_9 to
bit fields.
(struct cookie_s): Add CONTENT_LENGTH_VALID and CONTENT_LENGTH.
(parse_response): Parse the Content-Length header.
(cookie_read): Handle content length.
(http_open): Make NEED_HEADER the semi-default.
* http.h (HTTP_FLAG_IGNORE_CL): New.
2009-08-04 Werner Koch <wk@g10code.com>
* ldap.c (ldap_wrapper_thread): Factor some code out to ...
(read_log_data): ... new. Close the log fd on error.
(ldap_wrapper_thread): Delay cleanup until the log fd is closed.
(SAFE_PTH_CLOSE): New. Use it instead of pth_close.
2009-07-31 Werner Koch <wk@g10code.com>
* server.c (cmd_loadcrl): Add option --url.
* dirmngr-client.c (do_loadcrl): Make use of --url.
* crlfetch.c (crl_fetch): Remove HTTP_FLAG_NO_SHUTDOWN. Add
flag HTTP_FLAG_LOG_RESP with active DBG_LOOKUP.
* http.c: Require estream. Remove P_ES macro.
(write_server): Remove.
(my_read_line): Remove. Replace all callers by es_read_line.
(send_request): Use es_asprintf. Always store the cookie.
(http_wait_response): Remove the need to dup the socket. USe new
shutdown flag.
* http.h (HTTP_FLAG_NO_SHUTDOWN): Rename to HTTP_FLAG_SHUTDOWN.
* estream.c, estream.h, estream-printf.c, estream-printf.h: Update
from current libestream. This is provide es_asprintf.
2009-07-20 Werner Koch <wk@g10code.com>
* dirmngr.c (pid_suffix_callback): New.
(main): Use log_set_pid_suffix_cb.
(start_connection_thread): Put the fd into the tls.
* ldap.c (ldap_wrapper_thread): Print ldap worker stati.
(ldap_wrapper_release_context): Print a debug info.
(end_cert_fetch_ldap): Release the reader. Might fix bug#999.
2009-06-17 Werner Koch <wk@g10code.com>
* util.h: Remove unused dotlock.h.
2009-05-26 Werner Koch <wk@g10code.com>
* ldap.c (ldap_wrapper): Show reader object in diagnostics.
* crlcache.c (crl_cache_reload_crl): Ditto. Change debug messages
to regular diagnostics.
* dirmngr_ldap.c (print_ldap_entries): Add extra diagnostics.
2009-04-03 Werner Koch <wk@g10code.com>
* dirmngr.h (struct server_local_s): Move back to ...
* server.c (struct server_local_s): ... here.
(get_ldapservers_from_ctrl): New.
* ldapserver.h (ldapserver_iter_begin): Use it.
2008-10-29 Marcus Brinkmann <marcus@g10code.de>
* estream.c (es_getline): Add explicit cast to silence gcc -W
warning.
* crlcache.c (finish_sig_check): Likewise.
* dirmngr.c (opts): Add missing initializer to silence gcc
-W warning.
* server.c (register_commands): Likewise.
* dirmngr-client.c (opts): Likewise.
* dirmngr_ldap.c (opts): Likewise.
* dirmngr-client.c (status_cb, inq_cert, data_cb): Change return
type to gpg_error_t to silence gcc warning.
2008-10-21 Werner Koch <wk@g10code.com>
* certcache.c (load_certs_from_dir): Accept ".der" files.
* server.c (get_istrusted_from_client): New.
* validate.c (validate_cert_chain): Add new optional arg
R_TRUST_ANCHOR. Adjust all callers
* crlcache.c (crl_cache_entry_s): Add fields USER_TRUST_REQ
and CHECK_TRUST_ANCHOR.
(release_one_cache_entry): Release CHECK_TRUST_ANCHOR.
(list_one_crl_entry): Print info about the new fields.
(open_dir, write_dir_line_crl): Support the new U-flag.
(crl_parse_insert): Add arg R_TRUST_ANCHOR and set it accordingly.
(crl_cache_insert): Store trust anchor in entry object.
(cache_isvalid): Ask client for trust is needed.
* crlcache.c (open_dir): Replace xcalloc by xtrycalloc.
(next_line_from_file): Ditt. Add arg to return the gpg error.
Change all callers.
(update_dir): Replace sprintf and malloc by estream_asprintf.
(crl_cache_insert): Ditto.
(crl_cache_isvalid): Replace xmalloc by xtrymalloc.
(get_auth_key_id): Ditto.
(crl_cache_insert): Ditto.
* crlcache.c (start_sig_check): Remove HAVE_GCRY_MD_DEBUG test.
* validate.c (check_cert_sig): Ditto. Remove workaround for bug
in libgcrypt 1.2.
* estream.c, estream.h, estream-printf.c, estream-printf.h: Update
from current libestream (svn rev 61).
2008-09-30 Marcus Brinkmann <marcus@g10code.com>
* get-path.c (get_dirmngr_ldap_path): Revert last change.
Instead, use dirmngr_libexecdir().
(find_program_at_standard_place): Don't define for now.
2008-09-30 Marcus Brinkmann <marcus@g10code.com>
* get-path.c (dirmngr_cachedir): Make COMP a pointer to const to
silence gcc warning.
(get_dirmngr_ldap_path): Look for dirmngr_ldap in the installation
directory.
2008-08-06 Marcus Brinkmann <marcus@g10code.com>
* dirmngr.c (main): Mark the ldapserverlist-file option as
read-only.
2008-07-31 Werner Koch <wk@g10code.com>
* crlcache.c (start_sig_check) [!HAVE_GCRY_MD_DEBUG]: Use
gcry_md_start_debug
2008-06-16 Werner Koch <wk@g10code.com>
* get-path.c (w32_commondir): New.
(dirmngr_sysconfdir): Use it here.
(dirmngr_datadir): Ditto.
2008-06-12 Marcus Brinkmann <marcus@g10code.de>
* Makefile.am (dirmngr_SOURCES): Add ldapserver.h and ldapserver.c.
* ldapserver.h, ldapserver.c: New files.
* ldap.c: Include "ldapserver.h".
(url_fetch_ldap): Use iterator to get session servers as well.
(attr_fetch_ldap, start_default_fetch_ldap): Likewise.
* dirmngr.c: Include "ldapserver.h".
(free_ldapservers_list): Removed. Change callers to
ldapserver_list_free.
(parse_ldapserver_file): Use ldapserver_parse_one.
* server.c: Include "ldapserver.h".
(cmd_ldapserver): New command.
(register_commands): Add new command LDAPSERVER.
(reset_notify): New function.
(start_command_handler): Register reset notify handler.
Deallocate session server list.
(lookup_cert_by_pattern): Use iterator to get session servers as well.
(struct server_local_s): Move to ...
* dirmngr.h (struct server_local_s): ... here. Add new member
ldapservers.
2008-06-10 Werner Koch <wk@g10code.com>
Support PEM encoded CRLs. Fixes bug#927.
* crlfetch.c (struct reader_cb_context_s): New.
(struct file_reader_map_s): Replace FP by new context.
(register_file_reader, get_file_reader): Adjust accordingly.
(my_es_read): Detect Base64 encoded CRL and decode if needed.
(crl_fetch): Pass new context to the callback.
(crl_close_reader): Cleanup the new context.
* b64dec.c: New. Taken from GnuPG.
* util.h (struct b64state): Add new fields STOP_SEEN and
INVALID_ENCODING.
2008-05-26 Marcus Brinkmann <marcus@g10code.com>
* dirmngr.c (main) [HAVE_W32_SYSTEM]: Switch to system
configuration on gpgconf related commands, and make all options
unchangeable.
2008-03-25 Marcus Brinkmann <marcus@g10code.de>
* dirmngr_ldap.c (print_ldap_entries): Add code alternative for
W32 console stdout (unused at this point).
2008-03-21 Marcus Brinkmann <marcus@g10code.de>
* estream.c (ESTREAM_MUTEX_DESTROY): New macro.
(es_create, es_destroy): Use it.
2008-02-21 Werner Koch <wk@g10code.com>
* validate.c (check_cert_sig) [HAVE_GCRY_MD_DEBUG]: Use new debug
function if available.
* crlcache.c (abort_sig_check): Mark unused arg.
* exechelp.c (dirmngr_release_process) [!W32]: Mark unsed arg.
* validate.c (is_root_cert): New. Taken from GnuPG.
(validate_cert_chain): Use it in place of the simple DN compare.
2008-02-15 Marcus Brinkmann <marcus@g10code.de>
* dirmngr.c (main): Reinitialize assuan log stream if necessary.
* crlcache.c (update_dir) [HAVE_W32_SYSTEM]: Remove destination
file before rename.
(crl_cache_insert) [HAVE_W32_SYSTEM]: Remove destination file
before rename.
2008-02-14 Marcus Brinkmann <marcus@g10code.de>
* validate.c (check_cert_policy): Use ksba_free instead of xfree.
(validate_cert_chain): Likewise. Free SUBJECT on error.
(cert_usage_p): Likewise.
* crlcache.c (finish_sig_check): Undo last change.
(finish_sig_check): Close md.
(abort_sig_check): New function.
(crl_parse_insert): Use abort_sig_check to clean up.
* crlcache.c (crl_cache_insert): Clean up CDB on error.
2008-02-13 Marcus Brinkmann <marcus@g10code.de>
* crlcache.c (finish_sig_check): Call gcry_md_stop_debug.
* exechelp.h (dirmngr_release_process): New prototype.
* exechelp.c (dirmngr_release_process): New function.
* ldap.c (ldap_wrapper_thread): Release pid.
(destroy_wrapper): Likewise.
* dirmngr.c (launch_reaper_thread): Destroy tattr.
(handle_connections): Likewise.
2008-02-12 Marcus Brinkmann <marcus@g10code.de>
* ldap.c (pth_close) [! HAVE_W32_SYSTEM]: New macro.
(struct wrapper_context_s): New member log_ev.
(destroy_wrapper): Check FDs for != -1 rather than != 0. Use
pth_close instead of close. Free CTX->log_ev.
(ldap_wrapper_thread): Rewritten to use pth_wait instead of
select. Also use pth_read instead of read and pth_close instead
of close.
(ldap_wrapper): Initialize CTX->log_ev.
(reader_callback): Use pth_close instead of close.
* exechelp.c (create_inheritable_pipe) [HAVE_W32_SYSTEM]: Removed.
(dirmngr_spawn_process) [HAVE_W32_SYSTEM]: Use pth_pipe instead.
* dirmngr_ldap.c [HAVE_W32_SYSTEM]: Include <fcntl.h>.
(main) [HAVE_W32_SYSTEM]: Set mode of stdout to binary.
2008-02-01 Werner Koch <wk@g10code.com>
* ldap.c: Remove all ldap headers as they are unused.
* dirmngr_ldap.c (LDAP_DEPRECATED): New, to have OpenLDAP use the
old standard API.
2008-01-10 Werner Koch <wk@g10code.com>
* dirmngr-client.c: New option --local.
(do_lookup): Use it.
* server.c (lookup_cert_by_pattern): Implement local lookup.
(return_one_cert): New.
* certcache.c (hexsn_to_sexp): New.
(classify_pattern, get_certs_bypattern): New.
* misc.c (unhexify): Allow passing NULL for RESULT.
(cert_log_subject): Do not call ksba_free on an unused variable.
2008-01-02 Marcus Brinkmann <marcus@g10code.de>
* Makefile.am (dirmngr_LDADD, dirmngr_ldap_LDADD)
(dirmngr_client_LDADD): Add $(LIBICONV). Reported by Michael
Nottebrock.
2007-12-11 Werner Koch <wk@g10code.com>
* server.c (option_handler): New option audit-events.
* dirmngr.h (struct server_control_s): Add member AUDIT_EVENTS.
2007-11-26 Marcus Brinkmann <marcus@g10code.de>
* get-path.c (dirmngr_cachedir): Create intermediate directories.
(default_socket_name): Use CSIDL_WINDOWS.
2007-11-21 Werner Koch <wk@g10code.com>
* server.c (lookup_cert_by_pattern): Add args SINGLE and CACHE_ONLY.
(cmd_lookup): Add options --single and --cache-only.
2007-11-16 Werner Koch <wk@g10code.com>
* certcache.c (load_certs_from_dir): Also log the subject DN.
* misc.c (cert_log_subject): New.
2007-11-14 Werner Koch <wk@g10code.com>
* dirmngr-client.c: Replace --lookup-url by --url.
(main): Remove extra code for --lookup-url.
(do_lookup): Remove LOOKUP_URL arg and use the
global option OPT.URL.
* server.c (has_leading_option): New.
(cmd_lookup): Use it.
* crlfetch.c (fetch_cert_by_url): Use GPG_ERR_INV_CERT_OBJ.
(fetch_cert_by_url): Use gpg_error_from_syserror.
2007-11-14 Moritz <moritz@gnu.org> (wk)
* dirmngr-client.c: New command: --lookup-url <URL>.
(do_lookup): New parameter: lookup_url. If TRUE, include "--url"
switch in LOOKUP transaction.
(enum): New entry: oLookupUrl.
(opts): Likewise.
(main): Handle oLookupUrl. New variable: cmd_lookup_url, set
during option parsing, pass to do_lookup() and substitute some
occurences of "cmd_lookup" with "cmd_lookup OR cmd_lookup_url".
* crlfetch.c (fetch_cert_by_url): New function, uses
url_fetch_ldap() to create a reader object and libksba functions
to read a single cert from that reader.
* server.c (lookup_cert_by_url, lookup_cert_by_pattern): New
functions.
(cmd_lookup): Moved almost complete code ...
(lookup_cert_by_pattern): ... here.
(cmd_lookup): Support new optional argument: --url. Depending on
the presence of that switch, call lookup_cert_by_url() or
lookup_cert_by_pattern().
(lookup_cert_by_url): Heavily stripped down version of
lookup_cert_by_pattern(), using fetch_cert_by_url.
2007-10-24 Marcus Brinkmann <marcus@g10code.de>
* exechelp.c (dirmngr_spawn_process): Fix child handles.
2007-10-05 Marcus Brinkmann <marcus@g10code.de>
* dirmngr.h: Include assuan.h.
(start_command_handler): Change type of FD to assuan_fd_t.
* dirmngr.c: Do not include w32-afunix.h.
(socket_nonce): New global variable.
(create_server_socket): Use assuan socket wrappers. Remove W32
specific stuff. Save the server nonce.
(check_nonce): New function.
(start_connection_thread): Call it.
(handle_connections): Change args to assuan_fd_t.
* server.c (start_command_handler): Change type of FD to assuan_fd_t.
2007-09-12 Marcus Brinkmann <marcus@g10code.de>
* dirmngr.c (main): Percent escape pathnames in --gpgconf-list output.
2007-08-27 Moritz Schulte <moritz@g10code.com>
* src/Makefile.am (AM_CPPFLAGS): Define DIRMNGR_SOCKETDIR based on
$(localstatedir).
* src/get-path.c (default_socket_name): Use DIRMNGR_SOCKETDIR
instead of hard-coded "/var/run/dirmngr".
2007-08-16 Werner Koch <wk@g10code.com>
* get-path.c (get_dirmngr_ldap_path): Make PATHNAME const.
* dirmngr.c (my_ksba_hash_buffer): Mark unused arg.
(dirmngr_init_default_ctrl): Ditto.
(my_gcry_logger): Ditto.
* dirmngr-client.c (status_cb): Ditto.
* dirmngr_ldap.c (catch_alarm): Ditto.
* estream-printf.c (pr_bytes_so_far): Ditto.
* estream.c (es_func_fd_create): Ditto.
(es_func_fp_create): Ditto.
(es_write_hexstring): Ditto.
* server.c (cmd_listcrls): Ditto.
(cmd_cachecert): Ditto.
* crlcache.c (cache_isvalid): Ditto.
* ocsp.c (do_ocsp_request): Ditto.
* ldap.c (ldap_wrapper_thread): Ditto.
* http.c (http_register_tls_callback): Ditto.
(connect_server): Ditto.
(write_server) [!HTTP_USE_ESTREAM]: Don't build.
2007-08-14 Werner Koch <wk@g10code.com>
* get-path.c (dirmngr_cachedir) [W32]: Use CSIDL_LOCAL_APPDATA.
2007-08-13 Werner Koch <wk@g10code.com>
* dirmngr.c (handle_connections): Use a timeout in the accept
function. Block signals while creating a new thread.
(shutdown_pending): Needs to be volatile as also accessed bt the
service function.
(w32_service_control): Do not use the regular log fucntions here.
(handle_tick): New.
(main): With system_service in effect use aDaemon as default
command.
(main) [W32]: Only temporary redefine main for the sake of Emacs's
"C-x 4 a".
* dirmngr-client.c (main) [W32]: Initialize sockets.
(start_dirmngr): Use default_socket_name instead of a constant.
* Makefile.am (dirmngr_client_SOURCES): Add get-path.c
2007-08-09 Werner Koch <wk@g10code.com>
* dirmngr.c (parse_ocsp_signer): New.
(parse_rereadable_options): Set opt.ocsp_signer to this.
* dirmngr.h (fingerprint_list_t): New.
* ocsp.c (ocsp_isvalid, check_signature, validate_responder_cert):
Allow for several default ocscp signers.
(ocsp_isvalid): Return GPG_ERR_NO_DATA for an unknwon status.
* dirmngr-client.c: New option --force-default-responder.
* server.c (has_option, skip_options): New.
(cmd_checkocsp): Add option --force-default-responder.
(cmd_isvalid): Ditto. Also add option --only-ocsp.
* ocsp.c (ocsp_isvalid): New arg FORCE_DEFAULT_RESPONDER.
* dirmngr.c: New option --ocsp-max-period.
* ocsp.c (ocsp_isvalid): Implement it and take care that a missing
next_update is to be ignored.
* crlfetch.c (my_es_read): New. Use it instead of es_read.
* estream.h, estream.c, estream-printf.c: Updated from current
libestream SVN.
2007-08-08 Werner Koch <wk@g10code.com>
* crlcache.c (crl_parse_insert): Hack to allow for a missing
nextUpdate.
* dirmngr_ldap.c (print_ldap_entries): Strip the extension from
the want_attr.
* exechelp.c (dirmngr_wait_process): Reworked for clear error
semantics.
* ldap.c (ldap_wrapper_thread): Adjust for new
dirmngr_wait_process semantics.
2007-08-07 Werner Koch <wk@g10code.com>
* get-path.c (default_socket_name) [!W32]: Fixed syntax error.
* ldap.c (X509CACERT, make_url, fetch_next_cert_ldap): Support
x509caCert as used by the Bundesnetzagentur.
(ldap_wrapper): Do not pass the prgtram name as the first
argument. dirmngr_spawn_process takes care of that.
2007-08-04 Marcus Brinkmann <marcus@g10code.de>
* dirmngr.h (opt): Add member system_service.
* dirmngr.c (opts) [HAVE_W32_SYSTEM]: New entry for option
--service.
(DEFAULT_SOCKET_NAME): Removed.
(service_handle, service_status,
w32_service_control) [HAVE_W32_SYSTEM]: New symbols.
(main) [HAVE_W32_SYSTEM]: New entry point for --service. Rename
old function to ...
(real_main) [HAVE_W32_SYSTEM]: ... this. Use default_socket_name
instead of DEFAULT_SOCKET_NAME, and similar for other paths.
Allow colons in Windows socket path name, and implement --service
option.
* util.h (dirmngr_sysconfdir, dirmngr_libexecdir, dirmngr_datadir,
dirmngr_cachedir, default_socket_name): New prototypes.
* get-path.c (dirmngr_sysconfdir, dirmngr_libexecdir)
(dirmngr_datadir, dirmngr_cachedir, default_socket_name): New
functions.
(DIRSEP_C, DIRSEP_S): New macros.
2007-08-03 Marcus Brinkmann <marcus@g10code.de>
* get-path.c: Really add the file this time.
2007-07-31 Marcus Brinkmann <marcus@g10code.de>
* crlfetch.c: Include "estream.h".
(crl_fetch): Use es_read callback instead a file handle.
(crl_close_reader): Use es_fclose instead of fclose.
(struct file_reader_map_s): Change type of FP to estream_t.
(register_file_reader, crl_fetch, crl_close_reader): Likewise.
* ocsp.c: Include "estream.h".
(read_response): Change type of FP to estream_t.
(read_response, do_ocsp_request): Use es_* variants of I/O
functions.
* http.c: Include <pth.h>.
(http_wait_response) [HAVE_W32_SYSTEM]: Use DuplicateHandle.
(cookie_read): Use pth_read instead read.
(cookie_write): Use pth_write instead write.
2007-07-30 Marcus Brinkmann <marcus@g10code.de>
* ldap-url.c (ldap_str2charray): Fix buglet in ldap_utf8_strchr
invocation.
2007-07-27 Marcus Brinkmann <marcus@g10code.de>
* estream.h, estream.c: Update from recent GnuPG.
* get-path.c: New file.
* Makefile.am (dirmngr_SOURCES): Add get-path.c.
* util.h (default_homedir, get_dirmngr_ldap_path): New prototypes.
* dirmngr.c (main): Use default_homedir().
* ldap-url.h: Remove japanese white space (sorry!).
2007-07-26 Marcus Brinkmann <marcus@g10code.de>
* ldap.c (pth_yield): Remove macro.
* ldap.c (pth_yield) [HAVE_W32_SYSTEM]: Define to Sleep(0).
* dirmngr_ldap.c [HAVE_W32_SYSTEM]: Do not include <ldap.h>, but
<winsock2.h>, <winldap.h> and "ldap-url.h".
* ldap.c [HAVE_W32_SYSTEM]: Do not include <ldap.h>, but
<winsock2.h> and <winldap.h>.
* ldap-url.c: Do not include <ldap.h>, but <winsock2.h>,
<winldap.h> and "ldap-url.h".
(LDAP_P): New macro.
* ldap-url.h: New file.
* Makefile.am (ldap_url): Add ldap-url.h.
* Makefile.am (ldap_url): New variable.
(dirmngr_ldap_SOURCES): Add $(ldap_url).
(dirmngr_ldap_LDADD): Add $(LIBOBJS).
* ldap-url.c: New file, excerpted from OpenLDAP.
* dirmngr.c (main) [HAVE_W32_SYSTEM]: Avoid the daemonization.
* dirmngr_ldap.c: Include "util.h".
(main) [HAVE_W32_SYSTEM]: Don't set up alarm.
(set_timeout) [HAVE_W32_SYSTEM]: Likewise.
* ldap.c [HAVE_W32_SYSTEM]: Add macros for setenv and pth_yield.
* no-libgcrypt.h (NO_LIBGCRYPT): Define.
* util.h [NO_LIBGCRYPT]: Don't include <gcrypt.h>.
2007-07-23 Marcus Brinkmann <marcus@g10code.de>
* Makefile.am (dirmngr_SOURCES): Add exechelp.h and exechelp.c.
* exechelp.h, exechelp.c: New files.
* ldap.c: Don't include <sys/wait.h> but "exechelp.h".
(destroy_wrapper, ldap_wrapper_thread,
ldap_wrapper_connection_cleanup): Use dirmngr_kill_process instead
of kill.
(ldap_wrapper_thread): Use dirmngr_wait_process instead of
waitpid.
(ldap_wrapper): Use dirmngr_spawn_process.
2007-07-20 Marcus Brinkmann <marcus@g10code.de>
* certcache.c (cert_cache_lock): Do not initialize statically.
(init_cache_lock): New function.
(cert_cache_init): Call init_cache_lock.
* estream.h, estream.c, estream-printf.h, estream-printf.c: New
files.
* Makefile.am (dirmngr_SOURCES): Add estream.c, estream.h,
estream-printf.c, estream-printf.h.
* http.c: Update to latest version from GnuPG.
* Makefile.am (cdb_sources)
* cdblib.c: Port to windows (backport from tinycdb 0.76).
* crlcache.c [HAVE_W32_SYSTEM]: Don't include sys/utsname.h.
[MKDIR_TAKES_ONE_ARG]: Define mkdir as a macro for such systems.
(update_dir, crl_cache_insert) [HAVE_W32_SYSTEM]: Don't get uname.
* server.c (start_command_handler) [HAVE_W32_SYSTEM]: Don't log
peer credentials.
* dirmngr.c [HAVE_W32_SYSTEM]: Do not include sys/socket.h or
sys/un.h, but ../jnlib/w32-afunix.h.
(sleep) [HAVE_W32_SYSTEM]: New macro.
(main) [HAVE_W32_SYSTEM]: Don't mess with SIGPIPE. Use W32 socket
API.
(handle_signal) [HAVE_W32_SYSTEM]: Deactivate the bunch of the
code.
(handle_connections) [HAVE_W32_SYSTEM]: don't handle signals.
2006-11-29 Werner Koch <wk@g10code.com>
* dirmngr.c (my_strusage): Use macro for the bug report address
and the copyright line.
* dirmngr-client.c (my_strusage): Ditto.
* dirmngr_ldap.c (my_strusage): Ditto.
* Makefile.am: Do not link against LIBICONV.
2006-11-19 Werner Koch <wk@g10code.com>
* dirmngr.c: Include i18n.h.
2006-11-17 Werner Koch <wk@g10code.com>
* Makefile.am (dirmngr_LDADD): Use LIBASSUAN_PTH_LIBS.
2006-11-16 Werner Koch <wk@g10code.com>
* server.c (start_command_handler): Replaced
assuan_init_connected_socket_server by assuan_init_socket_server_ext.
* crlcache.c (update_dir): Put a diagnostic into DIR.txt.
(open_dir): Detect invalid and duplicate entries.
(update_dir): Fixed search for second field.
2006-10-23 Werner Koch <wk@g10code.com>
* dirmngr.c (main): New command --gpgconf-test.
2006-09-14 Werner Koch <wk@g10code.com>
* server.c (start_command_handler): In vebose mode print
information about the peer. This may later be used to restrict
certain commands.
2006-09-12 Werner Koch <wk@g10code.com>
* server.c (start_command_handler): Print a more informative hello
line.
* dirmngr.c: Moved config_filename into the opt struct.
2006-09-11 Werner Koch <wk@g10code.com>
Changed everything to use Assuan with gpg-error codes.
* maperror.c: Removed.
* server.c (map_to_assuan_status): Removed.
* dirmngr.c (main): Set assuan error source.
* dirmngr-client.c (main): Ditto.
2006-09-04 Werner Koch <wk@g10code.com>
* crlfetch.c (crl_fetch): Implement HTTP redirection.
* ocsp.c (do_ocsp_request): Ditto.
New HTTP code version taken from gnupg svn release 4236.
* http.c (http_get_header): New.
(capitalize_header_name, store_header): New.
(parse_response): Store headers away.
(send_request): Return GPG_ERR_NOT_FOUND if connect_server failed.
* http.h: New flag HTTP_FLAG_NEED_HEADER.
2006-09-01 Werner Koch <wk@g10code.com>
* crlfetch.c (register_file_reader, get_file_reader): New.
(crl_fetch): Register the file pointer for HTTP.
(crl_close_reader): And release it.
* http.c, http.h: Updated from GnuPG SVN trunk. Changed all users
to adopt the new API.
* dirmngr.h: Moved inclusion of jnlib header to ...
* util.h: .. here. This is required becuase http.c includes only
a file util.h but makes use of log_foo. Include gcrypt.h so that
gcry_malloc et al are declared.
2006-08-31 Werner Koch <wk@g10code.com>
* ocsp.c (check_signature): Make use of the responder id.
2006-08-30 Werner Koch <wk@g10code.com>
* validate.c (check_cert_sig): Workaround for rimemd160.
(allowed_ca): Always allow trusted CAs.
* dirmngr.h (cert_ref_t): New.
(struct server_control_s): Add field OCSP_CERTS.
* server.c (start_command_handler): Release new field
* ocsp.c (release_ctrl_ocsp_certs): New.
(check_signature): Store certificates in OCSP_CERTS.
* certcache.c (find_issuing_cert): Reset error if cert was found
by subject.
(put_cert): Add new arg FPR_BUFFER. Changed callers.
(cache_cert_silent): New.
* dirmngr.c (parse_rereadable_options): New options
--ocsp-max-clock-skew and --ocsp-current-period.
* ocsp.c (ocsp_isvalid): Use them here.
* ocsp.c (validate_responder_cert): New optional arg signer_cert.
(check_signature_core): Ditto.
(check_signature): Use the default signer certificate here.
2006-06-27 Werner Koch <wk@g10code.com>
* dirmngr-client.c (inq_cert): Take care of SENDCERT_SKI.
2006-06-26 Werner Koch <wk@g10code.com>
* crlcache.c (lock_db_file): Count open files when needed.
(find_entry): Fixed deleted case.
2006-06-23 Werner Koch <wk@g10code.com>
* misc.c (cert_log_name): New.
* certcache.c (load_certs_from_dir): Also print certificate name.
(find_cert_bysn): Release ISSDN.
* validate.h: New VALIDATE_MODE_CERT.
* server.c (cmd_validate): Use it here so that no policy checks
are done. Try to validated a cached copy of the target.
* validate.c (validate_cert_chain): Implement a validation cache.
(check_revocations): Print more diagnostics. Actually use the
loop variable and not the head of the list.
(validate_cert_chain): Do not check revocations of CRL issuer
certificates in plain CRL check mode.
* ocsp.c (ocsp_isvalid): Make sure it is reset for a status of
revoked.
2006-06-22 Werner Koch <wk@g10code.com>
* validate.c (cert_use_crl_p): New.
(cert_usage_p): Add a mode 6 for CRL signing.
(validate_cert_chain): Check that the certificate may be used for
CRL signing. Print a note when not running as system daemon.
(validate_cert_chain): Reduce the maximum depth from 50 to 10.
* certcache.c (find_cert_bysn): Minor restructuring
(find_cert_bysubject): Ditto. Use get_cert_local when called
without KEYID.
* crlcache.c (get_crlissuer_cert_bysn): Removed.
(get_crlissuer_cert): Removed.
(crl_parse_insert): Use find_cert_bysubject and find_cert_bysn
instead of the removed functions.
2006-06-19 Werner Koch <wk@g10code.com>
* certcache.c (compare_serialno): Silly me. Using 0 as true is
that hard; tsss. Fixed call cases except for the only working one
which are both numbers of the same length.
2006-05-15 Werner Koch <wk@g10code.com>
* crlfetch.c (crl_fetch): Use no-shutdown flag for HTTP. This
seems to be required for "IBM_HTTP_Server/2.0.47.1 Apache/2.0.47
(Unix)".
* http.c (parse_tuple): Set flag to to indicate no value.
(build_rel_path): Take care of it.
* crlcache.c (crl_cache_reload_crl): Also iterate over all names
within a DP.
2005-09-28 Marcus Brinkmann <marcus@g10code.de>
* Makefile.am (dirmngr_LDADD): Add @LIBINTL@ and @LIBICONV@.
(dirmngr_ldap_LDADD): Likewise.
(dirmngr_client_LDADD): Likewise.
2005-09-12 Werner Koch <wk@g10code.com>
* dirmngr.c: Fixed description to match the one in gpgconf.
2005-06-15 Werner Koch <wk@g10code.com>
* server.c (cmd_lookup): Take care of NO_DATA which might get
returned also by start_cert_fetch().
2005-04-20 Werner Koch <wk@g10code.com>
* ldap.c (ldap_wrapper_wait_connections): Set a shutdown flag.
(ldap_wrapper_thread): Handle shutdown in a special way.
2005-04-19 Werner Koch <wk@g10code.com>
* server.c (get_cert_local, get_issuing_cert_local)
(get_cert_local_ski): Bail out if called without a local context.
2005-04-18 Werner Koch <wk@g10code.com>
* certcache.c (find_issuing_cert): Fixed last resort method which
should be finding by subject and not by issuer. Try to locate it
also using the keyIdentifier method. Improve error reporting.
(cmp_simple_canon_sexp): New.
(find_cert_bysubject): New.
(find_cert_bysn): Ask back to the caller before trying an extarnl
lookup.
* server.c (get_cert_local_ski): New.
* crlcache.c (crl_parse_insert): Also try to locate issuer
certificate using the keyIdentifier. Improved error reporting.
2005-04-14 Werner Koch <wk@g10code.com>
* ldap.c (start_cert_fetch_ldap): Really return ERR.
2005-03-17 Werner Koch <wk@g10code.com>
* http.c (parse_response): Changed MAXLEN and LEN to size_t to
match the requirement of read_line.
* http.h (http_context_s): Ditto for BUFFER_SIZE.
2005-03-15 Werner Koch <wk@g10code.com>
* ldap.c: Included time.h. Reported by Bernhard Herzog.
2005-03-09 Werner Koch <wk@g10code.com>
* dirmngr.c: Add a note to the help listing check the man page for
other options.
2005-02-01 Werner Koch <wk@g10code.com>
* crlcache.c (crl_parse_insert): Renamed a few variables and
changed diagnostic strings for clarity.
(get_issuer_cert): Renamed to get_crlissuer_cert. Try to locate
the certificate from the cache using the subject name. Use new
fetch function.
(get_crlissuer_cert_bysn): New.
(crl_parse_insert): Use it here.
* crlfetch.c (ca_cert_fetch): Changed interface.
(fetch_next_ksba_cert): New.
* ldap.c (run_ldap_wrapper): Add arg MULTI_MODE. Changed all
callers.
(start_default_fetch_ldap): New
* certcache.c (get_cert_bysubject): New.
(clean_cache_slot, put_cert): Store the subject DN if available.
(MAX_EXTRA_CACHED_CERTS): Increase limit of cachable certificates
to 1000.
(find_cert_bysn): Loop until a certificate with a matching S/N has
been found.
* dirmngr.c (main): Add honor-http-proxy to the gpgconf list.
2005-01-31 Werner Koch <wk@g10code.com>
* ldap.c: Started to work on support for userSMIMECertificates.
* dirmngr.c (main): Make sure to always pass a server control
structure to the caching functions. Reported by Neil Dunbar.
2005-01-05 Werner Koch <wk@g10code.com>
* dirmngr-client.c (read_pem_certificate): Skip trailing percent
escaped linefeeds.
2005-01-03 Werner Koch <wk@g10code.com>
* dirmngr-client.c (read_pem_certificate): New.
(read_certificate): Divert to it depending on pem option.
(squid_loop_body): New.
(main): New options --pem and --squid-mode.
2004-12-17 Werner Koch <wk@g10code.com>
* dirmngr.c (launch_ripper_thread): Renamed to launch_reaper_thread.
(shutdown_reaper): New. Use it for --server and --daemon.
* ldap.c (ldap_wrapper_wait_connections): New.
2004-12-17 Werner Koch <wk@g10code.com>
* Makefile.am (dirmngr_ldap_LDADD): Adjusted for new LDAP checks.
2004-12-16 Werner Koch <wk@g10code.com>
* ldap.c (ldap_wrapper): Peek on the output to detect empty output
early.
2004-12-15 Werner Koch <wk@g10code.com>
* ldap.c (ldap_wrapper): Print a diagnostic after forking for the
ldap wrapper.
* certcache.h (find_cert_bysn): Add this prototype.
* crlcache.c (start_sig_check): Write CRL hash debug file.
(finish_sig_check): Dump the signer's certificate.
(crl_parse_insert): Try to get the issuing cert by authKeyId.
Moved certificate retrieval after item processing.
2004-12-13 Werner Koch <wk@g10code.com>
* dirmngr_ldap.c (catch_alarm, set_timeout): new.
(main): Install alarm handler. Add new option --only-search-timeout.
(print_ldap_entries, fetch_ldap): Use set_timeout ();
* dirmngr.h: Make LDAPTIMEOUT a simple unsigned int. Change all
initializations.
* ldap.c (start_cert_fetch_ldap, run_ldap_wrapper): Pass timeout
option to the wrapper.
(INACTIVITY_TIMEOUT): Depend on LDAPTIMEOUT.
(run_ldap_wrapper): Add arg IGNORE_TIMEOUT.
(ldap_wrapper_thread): Check for special timeout exit code.
* dirmngr.c: Workaround a typo in gpgconf for
ignore-ocsp-service-url.
2004-12-10 Werner Koch <wk@g10code.com>
* ldap.c (url_fetch_ldap): Use TMP and not a HOST which is always
NULL.
* misc.c (host_and_port_from_url): Fixed bad encoding detection.
2004-12-03 Werner Koch <wk@g10code.com>
* crlcache.c (crl_cache_load): Re-implement it.
* dirmngr-client.c: New command --load-crl
(do_loadcrl): New.
* dirmngr.c (parse_rereadable_options, main): Make --allow-ocsp,
--ocsp-responder, --ocsp-signer and --max-replies re-readable.
* ocsp.c (check_signature): try to get the cert from the cache
first.
(ocsp_isvalid): Print the next and this update times on time
conflict.
* certcache.c (load_certs_from_dir): Print the fingerprint for
trusted certificates.
(get_cert_byhexfpr): New.
* misc.c (get_fingerprint_hexstring_colon): New.
2004-12-01 Werner Koch <wk@g10code.com>
* Makefile.am (dirmngr_LDADD): Don't use LDAP_LIBS.
* validate.c (validate_cert_chain): Fixed test; as written in the
comment we want to do this only in daemon mode. For clarity
reworked by using a linked list of certificates and include root
and tragte certificate.
(check_revocations): Likewise. Introduced a recursion sentinel.
2004-11-30 Werner Koch <wk@g10code.com>
* crlfetch.c (ca_cert_fetch, crl_fetch_default): Do not use the
binary prefix as this will be handled in the driver.
* dirmngr_ldap.c: New option --log-with-pid.
(fetch_ldap): Handle LDAP_NO_SUCH_OBJECT.
* ldap.c (run_ldap_wrapper, start_cert_fetch_ldap): Use new log
option.
2004-11-25 Werner Koch <wk@g10code.com>
* Makefile.am (dirmngr_ldap_CFLAGS): Added GPG_ERROR_CFLAGS.
Noted by Bernhard Herzog.
2004-11-24 Werner Koch <wk@g10code.com>
* ldap.c (ldap_wrapper): Fixed default name of the ldap wrapper.
* b64enc.c (b64enc_start, b64enc_finish): Use standard strdup/free
to manage memory.
* dirmngr.c: New options --ignore-http-dp, --ignore-ldap-dp and
--ignore-ocsp-service-url.
* crlcache.c (crl_cache_reload_crl): Implement them.
* ocsp.c (ocsp_isvalid): Ditto.
2004-11-23 Werner Koch <wk@g10code.com>
* ldap.c (ldap_wrapper_thread, reader_callback, ldap_wrapper):
Keep a timestamp and terminate the wrapper after some time of
inactivity.
* dirmngr-client.c (do_lookup): New.
(main): New option --lookup.
(data_cb): New.
* b64enc.c: New. Taken from GnuPG 1.9.
* no-libgcrypt.c (gcry_strdup): Added.
* ocsp.c (ocsp_isvalid): New arg CERT and lookup the issuer
certificate using the standard methods.
* server.c (cmd_lookup): Truncation is now also an indication for
error.
(cmd_checkocsp): Implemented.
* dirmngr_ldap.c (fetch_ldap): Write an error marker for a
truncated search.
* ldap.c (add_server_to_servers): Reactivated.
(url_fetch_ldap): Call it here and try all configured servers in
case of a a failed lookup.
(fetch_next_cert_ldap): Detect the truncation error flag.
* misc.c (host_and_port_from_url, remove_percent_escapes): New.
2004-11-22 Werner Koch <wk@g10code.com>
* dirmngr_ldap.c (main): New option --proxy.
* ocsp.c (do_ocsp_request): Take care of opt.disable_http.
* crlfetch.c (crl_fetch): Honor the --honor-http-proxy variable.
(crl_fetch): Take care of opt.disable_http and disable_ldap.
(crl_fetch_default, ca_cert_fetch, start_cert_fetch):
* ldap.c (run_ldap_wrapper): New arg PROXY.
(url_fetch_ldap, attr_fetch_ldap, start_cert_fetch_ldap): Pass it.
* http.c (http_open_document): Add arg PROXY.
(http_open): Ditto.
(send_request): Ditto and implement it as an override.
* ocsp.c (validate_responder_cert): Use validate_cert_chain.
* Makefile.am (AM_CPPFLAGS): Add macros for a few system
directories.
* dirmngr.h (opt): New members homedir_data, homedir_cache,
ldap_wrapper_program, system_daemon, honor_http_proxy, http_proxy,
ldap_proxy, only_ldap_proxy, disable_ldap, disable_http.
* dirmngr.c (main): Initialize new opt members HOMEDIR_DATA and
HOMEDIR_CACHE.
(parse_rereadable_options): New options --ldap-wrapper-program,
--http-wrapper-program, --disable-ldap, --disable-http,
--honor-http-proxy, --http-proxy, --ldap-proxy, --only-ldap-proxy.
(reread_configuration): New.
* ldap.c (ldap_wrapper): Use the correct name for the wrapper.
* crlcache.c (DBDIR_D): Make it depend on opt.SYSTEM_DAEMON.
(cleanup_cache_dir, open_dir, update_dir, make_db_file_name)
(crl_cache_insert, create_directory_if_needed): Use opt.HOMEDIR_CACHE
* validate.c (check_revocations): New.
* crlcache.c (crl_cache_isvalid): Factored most code out to
(cache_isvalid): .. new.
(crl_cache_cert_isvalid): New.
* server.c (cmd_checkcrl): Cleaned up by using this new function.
(reload_crl): Moved to ..
* crlcache.c (crl_cache_reload_crl): .. here and made global.
* certcache.c (cert_compute_fpr): Renamed from computer_fpr and
made global.
(find_cert_bysn): Try to lookup missing certs.
(cert_cache_init): Intialize using opt.HOMEDIR_DATA.
2004-11-19 Werner Koch <wk@g10code.com>
* dirmngr-client.c (status_cb): New. Use it in very verbose mode.
* server.c (start_command_handler): Malloc the control structure
and properly release it. Removed the primary_connection
hack. Cleanup running wrappers.
(dirmngr_status): Return an error code.
(dirmngr_tick): Return an error code and detect a
cancellation. Use wall time and not CPU time.
* validate.c (validate_cert_chain): Add CTRL arg and changed callers.
* crlcache.c (crl_cache_isvalid):
* crlfetch.c (ca_cert_fetch, start_cert_fetch, crl_fetch_default)
(crl_fetch): Ditto.
* ldap.c (ldap_wrapper, run_ldap_wrapper, url_fetch_ldap)
(attr_fetch_ldap, start_cert_fetch_ldap): Ditto.
(ldap_wrapper_release_context): Reset the stored CTRL.
(reader_callback): Periodically call dirmngr_tick.
(ldap_wrapper_release_context): Print an error message for read
errors.
(ldap_wrapper_connection_cleanup): New.
2004-11-18 Werner Koch <wk@g10code.com>
* dirmngr.c (main): Do not cd / if not running detached.
* dirmngr-client.c: New options --cache-cert and --validate.
(do_cache, do_validate): New.
* server.c (cmd_cachecert, cmd_validate): New.
* crlcache.c (get_issuer_cert): Make use of the certificate cache.
(crl_parse_insert): Validate the issuer certificate.
* dirmngr.c (handle_signal): Reinitialize the certificate cache on
a HUP.
(struct opts): Add --homedir to enable the already implemented code.
(handle_signal): Print stats on SIGUSR1.
* certcache.c (clean_cache_slot, cert_cache_init)
(cert_cache_deinit): New.
(acquire_cache_read_lock, acquire_cache_write_lock)
(release_cache_lock): New. Use them where needed.
(put_cert): Renamed from put_loaded_cert.
(cache_cert): New.
(cert_cache_print_stats): New.
(compare_serialno): Fixed.
2004-11-16 Werner Koch <wk@g10code.com>
* Makefile.am (AM_CPPFLAGS): Define DIRMNGR_SYSCONFDIR and
DIRMNGR_LIBEXECDIR.
* misc.c (dump_isotime, dump_string, dump_cert): New. Taken from
gnupg 1.9.
(dump_serial): New.
2004-11-15 Werner Koch <wk@g10code.com>
* validate.c: New. Based on gnupg's certchain.c
* ldap.c (get_cert_ldap): Removed.
(read_buffer): New.
(start_cert_fetch_ldap, fetch_next_cert_ldap)
(end_cert_fetch_ldap): Rewritten to make use of the ldap wrapper.
2004-11-12 Werner Koch <wk@g10code.com>
* http.c (insert_escapes): Print the percent sign too.
* dirmngr-client.c (inq_cert): Ignore "SENDCERT" and
"SENDISSUERCERT".
* server.c (do_get_cert_local): Limit the length of a retruned
certificate. Return NULL without an error if an empry value has
been received.
* crlfetch.c (ca_cert_fetch): Use the ksba_reader_object.
(setup_funopen, fun_reader, fun_closer): Removed.
* crlcache.c (get_issuer_cert): Adjust accordingly.
* ldap.c (attr_fetch_ldap_internal, attr_fetch_fun_closer)
(attr_fetch_fun_reader, url_fetch_ldap_internal)
(get_attr_from_result_ldap): Removed.
(destroy_wrapper, print_log_line, ldap_wrapper_thread)
(ldap_wrapper_release_context, reader_callback, ldap_wrapper)
(run_ldap_wrapper): New.
(url_fetch_ldap): Make use of the new ldap wrapper and return a
ksba reader object instead of a stdio stream.
(attr_fetch_ldap): Ditto.
(make_url, escape4url): New.
2004-11-11 Werner Koch <wk@g10code.com>
* dirmngr.c (launch_ripper_thread): New.
(main): Start it wheere appropriate. Always ignore SIGPIPE.
(start_connection_thread): Maintain a connection count.
(handle_signal, handle_connections): Use it here instead of the
thread count.
* crlcache.c (crl_cache_insert): Changed to use ksba reader
object. Changed all callers to pass this argument.
2004-11-08 Werner Koch <wk@g10code.com>
* dirmngr_ldap.c: New.
* crlcache.c (crl_cache_init): Don't return a cache object but
keep it module local. We only need one.
(crl_cache_deinit): Don't take cache object but work on existing
one.
(get_current_cache): New.
(crl_cache_insert, crl_cache_list, crl_cache_load): Use the global
cache object and removed the cache arg. Changed all callers.
* dirmngr-client.c: New option --ping.
* dirmngr.c (main): New option --daemon. Initialize PTH.
(handle_connections, start_connection_thread): New.
(handle_signal): New.
(parse_rereadable_options): New. Changed main to make use of it.
(set_debug): Don't bail out on invalid debug levels.
(main): Init the crl_chache for server and daemon mode.
* server.c (start_command_handler): New arg FD. Changed callers.
2004-11-06 Werner Koch <wk@g10code.com>
* server.c (map_assuan_err): Factored out to ..
* maperror.c: .. new file.
* util.h: Add prototype
2004-11-05 Werner Koch <wk@g10code.com>
* no-libgcrypt.c: New, used as helper for dirmngr-client which
does not need libgcrypt proper but jnlib references the memory
functions. Taken from gnupg 1.9.12.
* dirmngr.h: Factored i18n and xmalloc code out to ..
* i18n.h, util.h: .. New.
* dirmngr-client.c: New. Some code taken from gnupg 1.9.12.
* Makefile.am (bin_PROGRAMS) Add dirmngr-client.
2004-11-04 Werner Koch <wk@g10code.com>
* src/server.c (get_fingerprint_from_line, cmd_checkcrl)
(cmd_checkocsp): New.
(register_commands): Register new commands.
(inquire_cert_and_load_crl): Factored most code out to ..
(reload_crl): .. new function.
* src/certcache.h, src/certcache.c: New.
* src/Makefile.am (dirmngr_SOURCES): Add new files.
2004-11-04 Werner Koch <wk@g10code.com>
Please note that earlier entries are found in the top level
ChangeLog.
[Update after merge with GnuPG: see ./ChangeLog.1]
Copyright 2004, 2005, 2006, 2007, 2008, 2009, 2010,
2011 Free Software Foundation, Inc.
This file is free software; as a special exception the author gives
unlimited permission to copy and/or distribute it, with or without
modifications, as long as this notice is preserved.
This file is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
diff --git a/dirmngr/Makefile.am b/dirmngr/Makefile.am
index 6b27c7abc..6bdb5985e 100644
--- a/dirmngr/Makefile.am
+++ b/dirmngr/Makefile.am
@@ -1,87 +1,87 @@
# Makefile.am - dirmngr
# Copyright (C) 2002 Klarälvdalens Datakonsult AB
# Copyright (C) 2004, 2007, 2010 g10 Code GmbH
#
# This file is part of GnuPG.
#
# GnuPG is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# GnuPG is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see <http://www.gnu.org/licenses/>.
## Process this file with automake to produce Makefile.in
EXTRA_DIST = OAUTHORS ONEWS ChangeLog.1
bin_PROGRAMS = dirmngr dirmngr-client
if USE_LDAPWRAPPER
libexec_PROGRAMS = dirmngr_ldap
endif
AM_CPPFLAGS = -I$(top_srcdir)/gl -I$(top_srcdir)/intl -I$(top_srcdir)/common
include $(top_srcdir)/am/cmacros.am
AM_CFLAGS = $(LIBGCRYPT_CFLAGS) $(KSBA_CFLAGS) \
$(LIBASSUAN_CFLAGS) $(GPG_ERROR_CFLAGS) $(PTH_CFLAGS)
BUILT_SOURCES = no-libgcrypt.c
CLEANFILES = no-libgcrypt.c
if HAVE_W32_SYSTEM
ldap_url = ldap-url.h ldap-url.c
else
ldap_url =
endif
noinst_HEADERS = dirmngr.h crlcache.h crlfetch.h misc.h
dirmngr_SOURCES = dirmngr.c dirmngr.h server.c crlcache.c crlfetch.c \
ldapserver.h ldapserver.c certcache.c certcache.h \
cdb.h cdblib.c ldap.c misc.c dirmngr-err.h w32-ldap-help.h \
ocsp.c ocsp.h validate.c validate.h ldap-wrapper.h $(ldap_url) \
ks-action.c ks-action.h ks-engine.h \
- ks-engine-hkp.c ks-engine-http.c ks-engine-finger.c
+ ks-engine-hkp.c ks-engine-http.c ks-engine-finger.c ks-engine-kdns.c
if USE_LDAPWRAPPER
dirmngr_SOURCES += ldap-wrapper.c
else
dirmngr_SOURCES += ldap-wrapper-ce.c dirmngr_ldap.c
endif
dirmngr_LDADD = $(libcommonpth) ../gl/libgnu.a $(DNSLIBS) $(LIBASSUAN_LIBS) \
$(LIBGCRYPT_LIBS) $(KSBA_LIBS) $(PTH_LIBS) $(LIBINTL) $(LIBICONV)
if !USE_LDAPWRAPPER
dirmngr_LDADD += $(LDAPLIBS)
endif
dirmngr_LDFLAGS = $(extra_bin_ldflags)
if USE_LDAPWRAPPER
dirmngr_ldap_SOURCES = dirmngr_ldap.c $(ldap_url)
dirmngr_ldap_CFLAGS = $(GPG_ERROR_CFLAGS)
dirmngr_ldap_LDFLAGS =
dirmngr_ldap_LDADD = $(libcommon) no-libgcrypt.o ../gl/libgnu.a $(DNSLIBS) \
$(GPG_ERROR_LIBS) $(LDAPLIBS) $(LIBINTL) $(LIBICONV)
endif
dirmngr_client_SOURCES = dirmngr-client.c
dirmngr_client_LDADD = $(libcommon) no-libgcrypt.o \
../gl/libgnu.a $(LIBASSUAN_LIBS) \
$(GPG_ERROR_LIBS) $(LIBINTL) \
$(LIBICONV)
dirmngr_client_LDFLAGS = $(extra_bin_ldflags)
no-libgcrypt.c : $(top_srcdir)/tools/no-libgcrypt.c
cat $(top_srcdir)/tools/no-libgcrypt.c > no-libgcrypt.c
diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h
index de243ee25..4f5cbd1d7 100644
--- a/dirmngr/dirmngr.h
+++ b/dirmngr/dirmngr.h
@@ -1,198 +1,199 @@
/* dirmngr.h - Common definitions for the dirmngr
* Copyright (C) 2002 Klarälvdalens Datakonsult AB
* Copyright (C) 2004 g10 Code GmbH
*
* This file is part of DirMngr.
*
* DirMngr is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* DirMngr is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
#ifndef DIRMNGR_H
#define DIRMNGR_H
#include "./dirmngr-err.h"
#define map_assuan_err(a) \
map_assuan_err_with_source (GPG_ERR_SOURCE_DEFAULT, (a))
#include <errno.h>
#include <gcrypt.h>
#include <ksba.h>
#include "../common/util.h"
#include "../common/membuf.h"
#include "../common/sysutils.h" /* (gnupg_fd_t) */
#include "../common/i18n.h"
#include "../common/http.h" /* (parsed_uri_t) */
/* This objects keeps information about a particular LDAP server and
is used as item of a single linked list of servers. */
struct ldap_server_s
{
struct ldap_server_s* next;
char *host;
int port;
char *user;
char *pass;
char *base;
};
typedef struct ldap_server_s *ldap_server_t;
/* This objects is used to build a list of URI consisting of the
original and the parsed URI. */
struct uri_item_s
{
struct uri_item_s *next;
parsed_uri_t parsed_uri; /* The broken down URI. */
char uri[1]; /* The original URI. */
};
typedef struct uri_item_s *uri_item_t;
/* A list of fingerprints. */
struct fingerprint_list_s;
typedef struct fingerprint_list_s *fingerprint_list_t;
struct fingerprint_list_s
{
fingerprint_list_t next;
char hexfpr[20+20+1];
};
/* A large struct named "opt" to keep global flags. */
struct
{
unsigned int debug; /* debug flags (DBG_foo_VALUE) */
int verbose; /* verbosity level */
int quiet; /* be as quiet as possible */
int dry_run; /* don't change any persistent data */
int batch; /* batch mode */
const char *homedir; /* Configuration directory name */
const char *homedir_data; /* Ditto for data files (/usr/share/dirmngr). */
const char *homedir_cache; /* Ditto for cache files (/var/cache/dirmngr). */
char *config_filename; /* Name of a config file, which will be
reread on a HUP if it is not NULL. */
char *ldap_wrapper_program; /* Override value for the LDAP wrapper
program. */
char *http_wrapper_program; /* Override value for the HTTP wrapper
program. */
int system_service; /* We are running as W32 service (implies daemon). */
int system_daemon; /* We are running in system daemon mode. */
int running_detached; /* We are running in detached mode. */
int force; /* Force loading outdated CRLs. */
int disable_http; /* Do not use HTTP at all. */
int disable_ldap; /* Do not use LDAP at all. */
int honor_http_proxy; /* Honor the http_proxy env variable. */
const char *http_proxy; /* Use given HTTP proxy. */
const char *ldap_proxy; /* Use given LDAP proxy. */
int only_ldap_proxy; /* Only use the LDAP proxy; no fallback. */
int ignore_http_dp; /* Ignore HTTP CRL distribution points. */
int ignore_ldap_dp; /* Ignore LDAP CRL distribution points. */
int ignore_ocsp_service_url; /* Ignore OCSP service URLs as given in
the certificate. */
/* A list of certificate extension OIDs which are ignored so that
one can claim that a critical extension has been handled. One
OID per string. */
strlist_t ignored_cert_extensions;
int allow_ocsp; /* Allow using OCSP. */
int max_replies;
unsigned int ldaptimeout;
ldap_server_t ldapservers;
int add_new_ldapservers;
const char *ocsp_responder; /* Standard OCSP responder's URL. */
fingerprint_list_t ocsp_signer; /* The list of fingerprints with allowed
standard OCSP signer certificates. */
unsigned int ocsp_max_clock_skew; /* Allowed seconds of clocks skew. */
unsigned int ocsp_max_period; /* Seconds a response is at maximum
considered valid after thisUpdate. */
unsigned int ocsp_current_period; /* Seconds a response is considered
current after nextUpdate. */
} opt;
#define DBG_X509_VALUE 1 /* debug x.509 parsing */
#define DBG_LOOKUP_VALUE 2 /* debug lookup details */
#define DBG_CRYPTO_VALUE 4 /* debug low level crypto */
#define DBG_MEMORY_VALUE 32 /* debug memory allocation stuff */
#define DBG_CACHE_VALUE 64 /* debug the caching */
#define DBG_MEMSTAT_VALUE 128 /* show memory statistics */
#define DBG_HASHING_VALUE 512 /* debug hashing operations */
#define DBG_ASSUAN_VALUE 1024 /* debug assuan communication */
#define DBG_X509 (opt.debug & DBG_X509_VALUE)
#define DBG_LOOKUP (opt.debug & DBG_LOOKUP_VALUE)
#define DBG_CRYPTO (opt.debug & DBG_CRYPTO_VALUE)
#define DBG_MEMORY (opt.debug & DBG_MEMORY_VALUE)
#define DBG_CACHE (opt.debug & DBG_CACHE_VALUE)
#define DBG_HASHING (opt.debug & DBG_HASHING_VALUE)
#define DBG_ASSUAN (opt.debug & DBG_ASSUAN_VALUE)
/* A simple list of certificate references. */
struct cert_ref_s
{
struct cert_ref_s *next;
unsigned char fpr[20];
};
typedef struct cert_ref_s *cert_ref_t;
/* Forward references; access only through server.c. */
struct server_local_s;
/* Connection control structure. */
struct server_control_s
{
int refcount; /* Count additional references to this object. */
int no_server; /* We are not running under server control. */
int status_fd; /* Only for non-server mode. */
struct server_local_s *server_local;
int force_crl_refresh; /* Always load a fresh CRL. */
int check_revocations_nest_level; /* Internal to check_revovations. */
cert_ref_t ocsp_certs; /* Certificates from the current OCSP
response. */
int audit_events; /* Send audit events to client. */
uri_item_t keyservers; /* List of keyservers. */
};
/*-- dirmngr.c --*/
void dirmngr_exit( int ); /* Wrapper for exit() */
void dirmngr_init_default_ctrl (ctrl_t ctrl);
void dirmngr_sighup_action (void);
/*-- server.c --*/
ldap_server_t get_ldapservers_from_ctrl (ctrl_t ctrl);
ksba_cert_t get_cert_local (ctrl_t ctrl, const char *issuer);
ksba_cert_t get_issuing_cert_local (ctrl_t ctrl, const char *issuer);
ksba_cert_t get_cert_local_ski (ctrl_t ctrl,
const char *name, ksba_sexp_t keyid);
gpg_error_t get_istrusted_from_client (ctrl_t ctrl, const char *hexfpr);
void start_command_handler (gnupg_fd_t fd);
gpg_error_t dirmngr_status (ctrl_t ctrl, const char *keyword, ...);
+gpg_error_t dirmngr_status_help (ctrl_t ctrl, const char *text);
gpg_error_t dirmngr_tick (ctrl_t ctrl);
#endif /*DIRMNGR_H*/
diff --git a/dirmngr/ks-action.c b/dirmngr/ks-action.c
index ec691fe2a..1f876d07b 100644
--- a/dirmngr/ks-action.c
+++ b/dirmngr/ks-action.c
@@ -1,228 +1,281 @@
/* ks-action.c - OpenPGP keyserver actions
* Copyright (C) 2011 Free Software Foundation, Inc.
*
* This file is part of GnuPG.
*
* GnuPG is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* GnuPG is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
#include <config.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <assert.h>
#include "dirmngr.h"
#include "misc.h"
#include "ks-engine.h"
#include "ks-action.h"
/* Copy all data from IN to OUT. */
static gpg_error_t
copy_stream (estream_t in, estream_t out)
{
char buffer[512];
size_t nread;
while (!es_read (in, buffer, sizeof buffer, &nread))
{
if (!nread)
return 0; /* EOF */
if (es_write (out, buffer, nread, NULL))
break;
}
return gpg_error_from_syserror ();
}
+/* Called by the engine's help functions to print the actual help. */
+gpg_error_t
+ks_print_help (ctrl_t ctrl, const char *text)
+{
+ return dirmngr_status_help (ctrl, text);
+}
+
+
+/* Run the help command for the engine responsible for URI. */
+gpg_error_t
+ks_action_help (ctrl_t ctrl, const char *url)
+{
+ gpg_error_t err;
+ parsed_uri_t parsed_uri; /* The broken down URI. */
+
+ if (!url || !*url)
+ {
+ ks_print_help (ctrl, "Known schemata:\n");
+ parsed_uri = NULL;
+ }
+ else
+ {
+ err = http_parse_uri (&parsed_uri, url, 1);
+ if (err)
+ return err;
+ }
+
+ /* Call all engines to geive them a chance to print a help sting. */
+ err = ks_hkp_help (ctrl, parsed_uri);
+ if (!err)
+ err = ks_http_help (ctrl, parsed_uri);
+ if (!err)
+ err = ks_finger_help (ctrl, parsed_uri);
+ if (!err)
+ err = ks_kdns_help (ctrl, parsed_uri);
+
+ if (!parsed_uri)
+ ks_print_help (ctrl,
+ "(Use the schema followed by a colon for specific help.)");
+ else
+ http_release_parsed_uri (parsed_uri);
+ return err;
+}
+
/* Search all configured keyservers for keys matching PATTERNS and
write the result to the provided output stream. */
gpg_error_t
ks_action_search (ctrl_t ctrl, strlist_t patterns, estream_t outfp)
{
gpg_error_t err = 0;
int any = 0;
uri_item_t uri;
estream_t infp;
if (!patterns)
return gpg_error (GPG_ERR_NO_USER_ID);
/* FIXME: We only take care of the first pattern. To fully support
multiple patterns we might either want to run several queries in
parallel and merge them. We also need to decide what to do with
errors - it might not be the best idea to ignore an error from
one server and silently continue with another server. For now we
stop at the first error. */
for (uri = ctrl->keyservers; !err && uri; uri = uri->next)
{
if (uri->parsed_uri->is_http)
{
any = 1;
err = ks_hkp_search (ctrl, uri->parsed_uri, patterns->d, &infp);
if (!err)
{
err = copy_stream (infp, outfp);
es_fclose (infp);
break;
}
}
}
if (!any)
err = gpg_error (GPG_ERR_NO_KEYSERVER);
return err;
}
/* Get the requested keys (matching PATTERNS) using all configured
keyservers and write the result to the provided output stream. */
gpg_error_t
ks_action_get (ctrl_t ctrl, strlist_t patterns, estream_t outfp)
{
gpg_error_t err = 0;
gpg_error_t first_err = 0;
int any = 0;
strlist_t sl;
uri_item_t uri;
estream_t infp;
if (!patterns)
return gpg_error (GPG_ERR_NO_USER_ID);
/* FIXME: We only take care of the first keyserver. To fully
support multiple keyservers we need to track the result for each
pattern and use the next keyserver if one key was not found. The
keyservers might not all be fully synced thus it is not clear
whether the first keyserver has the freshest copy of the key.
Need to think about a better strategy. */
for (uri = ctrl->keyservers; !err && uri; uri = uri->next)
{
if (uri->parsed_uri->is_http)
{
any = 1;
for (sl = patterns; !err && sl; sl = sl->next)
{
err = ks_hkp_get (ctrl, uri->parsed_uri, sl->d, &infp);
if (err)
{
/* It is possible that a server does not carry a
key, thus we only save the error and continue
with the next pattern. FIXME: It is an open
question how to return such an error condition to
the caller. */
first_err = err;
err = 0;
}
else
{
err = copy_stream (infp, outfp);
/* Reading from the keyserver should never fail, thus
return this error. */
es_fclose (infp);
infp = NULL;
}
}
}
}
if (!any)
err = gpg_error (GPG_ERR_NO_KEYSERVER);
else if (!err && first_err)
err = first_err; /* fixme: Do we really want to do that? */
return err;
}
/* Retrive keys from URL and write the result to the provided output
stream OUTFP. */
gpg_error_t
ks_action_fetch (ctrl_t ctrl, const char *url, estream_t outfp)
{
gpg_error_t err = 0;
estream_t infp;
parsed_uri_t parsed_uri; /* The broken down URI. */
if (!url)
return gpg_error (GPG_ERR_INV_URI);
err = http_parse_uri (&parsed_uri, url, 1);
if (err)
return err;
if (parsed_uri->is_http)
{
err = ks_http_fetch (ctrl, url, &infp);
if (!err)
{
err = copy_stream (infp, outfp);
es_fclose (infp);
}
}
else if (!parsed_uri->opaque)
{
err = gpg_error (GPG_ERR_INV_URI);
}
else if (!strcmp (parsed_uri->scheme, "finger"))
{
err = ks_finger_fetch (ctrl, parsed_uri, &infp);
if (!err)
{
err = copy_stream (infp, outfp);
es_fclose (infp);
}
}
+ else if (!strcmp (parsed_uri->scheme, "kdns"))
+ {
+ err = ks_kdns_fetch (ctrl, parsed_uri, &infp);
+ if (!err)
+ {
+ err = copy_stream (infp, outfp);
+ es_fclose (infp);
+ }
+ }
else
err = gpg_error (GPG_ERR_INV_URI);
http_release_parsed_uri (parsed_uri);
return err;
}
/* Send an OpenPGP key to all keyservers. The key in {DATA,DATALEN}
is expected in OpenPGP binary transport format. */
gpg_error_t
ks_action_put (ctrl_t ctrl, const void *data, size_t datalen)
{
gpg_error_t err = 0;
gpg_error_t first_err = 0;
int any = 0;
uri_item_t uri;
for (uri = ctrl->keyservers; !err && uri; uri = uri->next)
{
if (uri->parsed_uri->is_http)
{
any = 1;
err = ks_hkp_put (ctrl, uri->parsed_uri, data, datalen);
if (err)
{
first_err = err;
err = 0;
}
}
}
if (!any)
err = gpg_error (GPG_ERR_NO_KEYSERVER);
else if (!err && first_err)
err = first_err; /* fixme: Do we really want to do that? */
return err;
}
diff --git a/dirmngr/ks-action.h b/dirmngr/ks-action.h
index bba53bc04..3dca90f16 100644
--- a/dirmngr/ks-action.h
+++ b/dirmngr/ks-action.h
@@ -1,29 +1,30 @@
/* ks-action.h - OpenPGP keyserver actions definitions
* Copyright (C) 2011 Free Software Foundation, Inc.
*
* This file is part of GnuPG.
*
* GnuPG is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* GnuPG is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
#ifndef DIRMNGR_KS_ACTION_H
#define DIRMNGR_KS_ACTION_H 1
+gpg_error_t ks_action_help (ctrl_t ctrl, const char *url);
gpg_error_t ks_action_search (ctrl_t ctrl, strlist_t patterns, estream_t outfp);
gpg_error_t ks_action_get (ctrl_t ctrl, strlist_t patterns, estream_t outfp);
gpg_error_t ks_action_fetch (ctrl_t ctrl, const char *url, estream_t outfp);
gpg_error_t ks_action_put (ctrl_t ctrl, const void *data, size_t datalen);
#endif /*DIRMNGR_KS_ACTION_H*/
diff --git a/dirmngr/ks-engine-finger.c b/dirmngr/ks-engine-finger.c
index c9e897f84..57dd340e8 100644
--- a/dirmngr/ks-engine-finger.c
+++ b/dirmngr/ks-engine-finger.c
@@ -1,101 +1,123 @@
/* ks-engine-finger.c - Finger OpenPGP key access
* Copyright (C) 2011 Free Software Foundation, Inc.
*
* This file is part of GnuPG.
*
* GnuPG is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* GnuPG is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
#include <config.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <assert.h>
#include "dirmngr.h"
#include "misc.h"
#include "userids.h"
#include "ks-engine.h"
+/* Print a help output for the schemata supported by this module. */
+gpg_error_t
+ks_finger_help (ctrl_t ctrl, parsed_uri_t uri)
+{
+ char const data[] =
+ "Handler for FINGER:\n"
+ " finger:<user>@<host>\n"
+ "Supported methods: fetch\n"
+ "Example:\n"
+ " finger:joe@example.org\n";
+ gpg_error_t err;
+
+ if (!uri)
+ err = ks_print_help (ctrl, " finger");
+ else if (!strcmp (uri->scheme, "finger"))
+ err = ks_print_help (ctrl, data);
+ else
+ err = 0;
+
+ return err;
+}
+
/* Get the key from URI which is expected to specify a finger scheme.
On success R_FP has an open stream to read the data. */
gpg_error_t
ks_finger_fetch (ctrl_t ctrl, parsed_uri_t uri, estream_t *r_fp)
{
gpg_error_t err;
estream_t fp;
char *server;
char *name;
http_t http;
(void)ctrl;
*r_fp = NULL;
if (strcmp (uri->scheme, "finger") || !uri->opaque || !uri->path)
return gpg_error (GPG_ERR_INV_ARG);
name = xtrystrdup (uri->path);
if (!name)
return gpg_error_from_syserror ();
server = strchr (name, '@');
if (!server)
{
err = gpg_error (GPG_ERR_INV_URI);
xfree (name);
return err;
}
*server++ = 0;
err = http_raw_connect (&http, server, 79, 0, NULL);
if (err)
{
xfree (name);
return err;
}
fp = http_get_write_ptr (http);
if (!fp)
{
err = gpg_error (GPG_ERR_INTERNAL);
http_close (http, 0);
xfree (name);
return err;
}
if (es_fputs (name, fp) || es_fputs ("\r\n", fp) || es_fflush (fp))
{
err = gpg_error_from_syserror ();
http_close (http, 0);
xfree (name);
return err;
}
xfree (name);
es_fclose (fp);
fp = http_get_read_ptr (http);
if (!fp)
{
err = gpg_error (GPG_ERR_INTERNAL);
http_close (http, 0);
return err;
}
http_close (http, 1 /* Keep read ptr. */);
*r_fp = fp;
return 0;
}
diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index 3467a6df3..5ad61fd4d 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -1,558 +1,578 @@
/* ks-engine-hkp.c - HKP keyserver engine
* Copyright (C) 2011 Free Software Foundation, Inc.
*
* This file is part of GnuPG.
*
* GnuPG is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* GnuPG is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
#include <config.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <assert.h>
#include "dirmngr.h"
#include "misc.h"
#include "userids.h"
#include "ks-engine.h"
/* To match the behaviour of our old gpgkeys helper code we escape
more characters than actually needed. */
#define EXTRA_ESCAPE_CHARS "@!\"#$%&'()*+,-./:;<=>?[\\]^_{|}~"
/* How many redirections do we allow. */
#define MAX_REDIRECTS 2
+/* Print a help output for the schemata supported by this module. */
+gpg_error_t
+ks_hkp_help (ctrl_t ctrl, parsed_uri_t uri)
+{
+ const char const data[] =
+ "Handler for HKP URLs:\n"
+ " hkp://\n"
+ "Supported methods: search, get, put\n";
+ gpg_error_t err;
+
+ if (!uri)
+ err = ks_print_help (ctrl, " hkp");
+ else if (uri->is_http)
+ err = ks_print_help (ctrl, data);
+ else
+ err = 0;
+
+ return err;
+}
+
/* Send an HTTP request. On success returns an estream object at
R_FP. HOSTPORTSTR is only used for diagnostics. If POST_CB is not
NULL a post request is used and that callback is called to allow
writing the post data. */
static gpg_error_t
send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
gpg_error_t (*post_cb)(void *, http_t), void *post_cb_value,
estream_t *r_fp)
{
gpg_error_t err;
http_t http = NULL;
int redirects_left = MAX_REDIRECTS;
estream_t fp = NULL;
char *request_buffer = NULL;
*r_fp = NULL;
once_more:
err = http_open (&http,
post_cb? HTTP_REQ_POST : HTTP_REQ_GET,
request,
/* fixme: AUTH */ NULL,
0,
/* fixme: proxy*/ NULL,
NULL, NULL,
/*FIXME curl->srvtag*/NULL);
if (!err)
{
fp = http_get_write_ptr (http);
/* Avoid caches to get the most recent copy of the key. We set
both the Pragma and Cache-Control versions of the header, so
we're good with both HTTP 1.0 and 1.1. */
es_fputs ("Pragma: no-cache\r\n"
"Cache-Control: no-cache\r\n", fp);
if (post_cb)
err = post_cb (post_cb_value, http);
if (!err)
{
http_start_data (http);
if (es_ferror (fp))
err = gpg_error_from_syserror ();
}
}
if (err)
{
/* Fixme: After a redirection we show the old host name. */
log_error (_("error connecting to `%s': %s\n"),
hostportstr, gpg_strerror (err));
goto leave;
}
/* Wait for the response. */
dirmngr_tick (ctrl);
err = http_wait_response (http);
if (err)
{
log_error (_("error reading HTTP response for `%s': %s\n"),
hostportstr, gpg_strerror (err));
goto leave;
}
switch (http_get_status_code (http))
{
case 200:
err = 0;
break; /* Success. */
case 301:
case 302:
{
const char *s = http_get_header (http, "Location");
log_info (_("URL `%s' redirected to `%s' (%u)\n"),
request, s?s:"[none]", http_get_status_code (http));
if (s && *s && redirects_left-- )
{
xfree (request_buffer);
request_buffer = xtrystrdup (s);
if (request_buffer)
{
request = request_buffer;
http_close (http, 0);
http = NULL;
goto once_more;
}
err = gpg_error_from_syserror ();
}
else
err = gpg_error (GPG_ERR_NO_DATA);
log_error (_("too many redirections\n"));
}
goto leave;
default:
log_error (_("error accessing `%s': http status %u\n"),
request, http_get_status_code (http));
err = gpg_error (GPG_ERR_NO_DATA);
goto leave;
}
fp = http_get_read_ptr (http);
if (!fp)
{
err = gpg_error (GPG_ERR_BUG);
goto leave;
}
/* Return the read stream and close the HTTP context. */
*r_fp = fp;
http_close (http, 1);
http = NULL;
leave:
http_close (http, 0);
xfree (request_buffer);
return err;
}
static gpg_error_t
armor_data (char **r_string, const void *data, size_t datalen)
{
gpg_error_t err;
struct b64state b64state;
estream_t fp;
long length;
char *buffer;
size_t nread;
*r_string = NULL;
fp = es_fopenmem (0, "rw");
if (!fp)
return gpg_error_from_syserror ();
if ((err=b64enc_start_es (&b64state, fp, "PGP PUBLIC KEY BLOCK"))
|| (err=b64enc_write (&b64state, data, datalen))
|| (err = b64enc_finish (&b64state)))
{
es_fclose (fp);
return err;
}
/* FIXME: To avoid the extra buffer allocation estream should
provide a function to snatch the internal allocated memory from
such a memory stream. */
length = es_ftell (fp);
if (length < 0)
{
err = gpg_error_from_syserror ();
es_fclose (fp);
return err;
}
buffer = xtrymalloc (length+1);
if (!buffer)
{
err = gpg_error_from_syserror ();
es_fclose (fp);
return err;
}
es_rewind (fp);
if (es_read (fp, buffer, length, &nread))
{
err = gpg_error_from_syserror ();
es_fclose (fp);
return err;
}
buffer[nread] = 0;
es_fclose (fp);
*r_string = buffer;
return 0;
}
/* Search the keyserver identified by URI for keys matching PATTERN.
On success R_FP has an open stream to read the data. */
gpg_error_t
ks_hkp_search (ctrl_t ctrl, parsed_uri_t uri, const char *pattern,
estream_t *r_fp)
{
gpg_error_t err;
KEYDB_SEARCH_DESC desc;
char fprbuf[2+40+1];
const char *scheme;
char portstr[10];
char *hostport = NULL;
char *request = NULL;
estream_t fp = NULL;
*r_fp = NULL;
/* Remove search type indicator and adjust PATTERN accordingly.
Note that HKP keyservers like the 0x to be present when searching
by keyid. We need to re-format the fingerprint and keyids so to
remove the gpg specific force-use-of-this-key flag ("!"). */
err = classify_user_id (pattern, &desc);
if (err)
return err;
switch (desc.mode)
{
case KEYDB_SEARCH_MODE_EXACT:
case KEYDB_SEARCH_MODE_SUBSTR:
case KEYDB_SEARCH_MODE_MAIL:
case KEYDB_SEARCH_MODE_MAILSUB:
pattern = desc.u.name;
break;
case KEYDB_SEARCH_MODE_SHORT_KID:
snprintf (fprbuf, sizeof fprbuf, "0x%08lX", (ulong)desc.u.kid[1]);
pattern = fprbuf;
break;
case KEYDB_SEARCH_MODE_LONG_KID:
snprintf (fprbuf, sizeof fprbuf, "0x%08lX%08lX",
(ulong)desc.u.kid[0], (ulong)desc.u.kid[1]);
pattern = fprbuf;
break;
case KEYDB_SEARCH_MODE_FPR16:
bin2hex (desc.u.fpr, 16, fprbuf);
pattern = fprbuf;
break;
case KEYDB_SEARCH_MODE_FPR20:
case KEYDB_SEARCH_MODE_FPR:
bin2hex (desc.u.fpr, 20, fprbuf);
pattern = fprbuf;
break;
default:
return gpg_error (GPG_ERR_INV_USER_ID);
}
/* Map scheme and port. */
if (!strcmp (uri->scheme,"hkps") || !strcmp (uri->scheme,"https"))
{
scheme = "https";
strcpy (portstr, "443");
}
else /* HKP or HTTP. */
{
scheme = "http";
strcpy (portstr, "11371");
}
if (uri->port)
snprintf (portstr, sizeof portstr, "%hu", uri->port);
else
{} /*fixme_do_srv_lookup ()*/
/* Build the request string. */
{
char *searchkey;
hostport = strconcat (scheme, "://",
*uri->host? uri->host: "localhost",
":", portstr, NULL);
if (!hostport)
{
err = gpg_error_from_syserror ();
goto leave;
}
searchkey = http_escape_string (pattern, EXTRA_ESCAPE_CHARS);
if (!searchkey)
{
err = gpg_error_from_syserror ();
goto leave;
}
request = strconcat (hostport,
"/pks/lookup?op=index&options=mr&search=",
searchkey,
NULL);
xfree (searchkey);
if (!request)
{
err = gpg_error_from_syserror ();
goto leave;
}
}
/* Send the request. */
err = send_request (ctrl, request, hostport, NULL, NULL, &fp);
if (err)
goto leave;
/* Start reading the response. */
{
int c = es_getc (fp);
if (c == -1)
{
err = es_ferror (fp)?gpg_error_from_syserror ():gpg_error (GPG_ERR_EOF);
log_error ("error reading response: %s\n", gpg_strerror (err));
goto leave;
}
if (c == '<')
{
/* The document begins with a '<', assume it's a HTML
response, which we don't support. */
err = gpg_error (GPG_ERR_UNSUPPORTED_ENCODING);
goto leave;
}
es_ungetc (c, fp);
}
/* Return the read stream. */
*r_fp = fp;
fp = NULL;
leave:
es_fclose (fp);
xfree (request);
xfree (hostport);
return err;
}
/* Get the key described key the KEYSPEC string from the keyserver
identified by URI. On success R_FP has an open stream to read the
data. */
gpg_error_t
ks_hkp_get (ctrl_t ctrl, parsed_uri_t uri, const char *keyspec, estream_t *r_fp)
{
gpg_error_t err;
KEYDB_SEARCH_DESC desc;
char kidbuf[8+1];
const char *scheme;
char portstr[10];
char *hostport = NULL;
char *request = NULL;
estream_t fp = NULL;
*r_fp = NULL;
/* Remove search type indicator and adjust PATTERN accordingly.
Note that HKP keyservers like the 0x to be present when searching
by keyid. We need to re-format the fingerprint and keyids so to
remove the gpg specific force-use-of-this-key flag ("!"). */
err = classify_user_id (keyspec, &desc);
if (err)
return err;
switch (desc.mode)
{
case KEYDB_SEARCH_MODE_SHORT_KID:
case KEYDB_SEARCH_MODE_LONG_KID:
snprintf (kidbuf, sizeof kidbuf, "%08lX", (ulong)desc.u.kid[1]);
break;
case KEYDB_SEARCH_MODE_FPR20:
case KEYDB_SEARCH_MODE_FPR:
/* This is a v4 fingerprint. Take the last 8 hex digits from
the fingerprint which is the expected short keyid. */
bin2hex (desc.u.fpr+16, 4, kidbuf);
break;
case KEYDB_SEARCH_MODE_FPR16:
log_error ("HKP keyserver do not support v3 fingerprints\n");
default:
return gpg_error (GPG_ERR_INV_USER_ID);
}
/* Map scheme and port. */
if (!strcmp (uri->scheme,"hkps") || !strcmp (uri->scheme,"https"))
{
scheme = "https";
strcpy (portstr, "443");
}
else /* HKP or HTTP. */
{
scheme = "http";
strcpy (portstr, "11371");
}
if (uri->port)
snprintf (portstr, sizeof portstr, "%hu", uri->port);
else
{} /*fixme_do_srv_lookup ()*/
/* Build the request string. */
{
hostport = strconcat (scheme, "://",
*uri->host? uri->host: "localhost",
":", portstr, NULL);
if (!hostport)
{
err = gpg_error_from_syserror ();
goto leave;
}
request = strconcat (hostport,
"/pks/lookup?op=get&options=mr&search=0x",
kidbuf,
NULL);
if (!request)
{
err = gpg_error_from_syserror ();
goto leave;
}
}
/* Send the request. */
err = send_request (ctrl, request, hostport, NULL, NULL, &fp);
if (err)
goto leave;
/* Return the read stream and close the HTTP context. */
*r_fp = fp;
fp = NULL;
leave:
es_fclose (fp);
xfree (request);
xfree (hostport);
return err;
}
/* Callback parameters for put_post_cb. */
struct put_post_parm_s
{
char *datastring;
};
/* Helper for ks_hkp_put. */
static gpg_error_t
put_post_cb (void *opaque, http_t http)
{
struct put_post_parm_s *parm = opaque;
gpg_error_t err = 0;
estream_t fp;
size_t len;
fp = http_get_write_ptr (http);
len = strlen (parm->datastring);
es_fprintf (fp,
"Content-Type: application/x-www-form-urlencoded\r\n"
"Content-Length: %zu\r\n", len+8 /* 8 is for "keytext" */);
http_start_data (http);
if (es_fputs ("keytext=", fp) || es_write (fp, parm->datastring, len, NULL))
err = gpg_error_from_syserror ();
return err;
}
/* Send the key in {DATA,DATALEN} to the keyserver identified by URI. */
gpg_error_t
ks_hkp_put (ctrl_t ctrl, parsed_uri_t uri, const void *data, size_t datalen)
{
gpg_error_t err;
const char *scheme;
char portstr[10];
char *hostport = NULL;
char *request = NULL;
estream_t fp = NULL;
struct put_post_parm_s parm;
char *armored = NULL;
parm.datastring = NULL;
/* Map scheme and port. */
if (!strcmp (uri->scheme,"hkps") || !strcmp (uri->scheme,"https"))
{
scheme = "https";
strcpy (portstr, "443");
}
else /* HKP or HTTP. */
{
scheme = "http";
strcpy (portstr, "11371");
}
if (uri->port)
snprintf (portstr, sizeof portstr, "%hu", uri->port);
else
{} /*fixme_do_srv_lookup ()*/
err = armor_data (&armored, data, datalen);
if (err)
goto leave;
parm.datastring = http_escape_string (armored, EXTRA_ESCAPE_CHARS);
if (!parm.datastring)
{
err = gpg_error_from_syserror ();
goto leave;
}
xfree (armored);
armored = NULL;
/* Build the request string. */
hostport = strconcat (scheme, "://",
*uri->host? uri->host: "localhost",
":", portstr, NULL);
if (!hostport)
{
err = gpg_error_from_syserror ();
goto leave;
}
request = strconcat (hostport, "/pks/add", NULL);
if (!request)
{
err = gpg_error_from_syserror ();
goto leave;
}
/* Send the request. */
err = send_request (ctrl, request, hostport, put_post_cb, &parm, &fp);
if (err)
goto leave;
leave:
es_fclose (fp);
xfree (parm.datastring);
xfree (armored);
xfree (request);
xfree (hostport);
return err;
}
diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c
index 304e793f7..2ce1b19a1 100644
--- a/dirmngr/ks-engine-http.c
+++ b/dirmngr/ks-engine-http.c
@@ -1,141 +1,161 @@
/* ks-engine-http.c - HTTP OpenPGP key access
* Copyright (C) 2011 Free Software Foundation, Inc.
*
* This file is part of GnuPG.
*
* GnuPG is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* GnuPG is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
#include <config.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <assert.h>
#include "dirmngr.h"
#include "misc.h"
#include "ks-engine.h"
/* How many redirections do we allow. */
#define MAX_REDIRECTS 2
+/* Print a help output for the schemata supported by this module. */
+gpg_error_t
+ks_http_help (ctrl_t ctrl, parsed_uri_t uri)
+{
+ const char const data[] =
+ "Handler for HTTP URLs:\n"
+ " http://\n"
+ "Supported methods: fetch\n";
+ gpg_error_t err;
+
+ if (!uri)
+ err = ks_print_help (ctrl, " http");
+ else if (uri->is_http)
+ err = ks_print_help (ctrl, data);
+ else
+ err = 0;
+
+ return err;
+}
+
/* Get the key from URL which is expected to specify a http style
scheme. On success R_FP has an open stream to read the data. */
gpg_error_t
ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
{
gpg_error_t err;
http_t http = NULL;
int redirects_left = MAX_REDIRECTS;
estream_t fp = NULL;
char *request_buffer = NULL;
*r_fp = NULL;
once_more:
err = http_open (&http,
HTTP_REQ_GET,
url,
/* fixme: AUTH */ NULL,
0,
/* fixme: proxy*/ NULL,
NULL, NULL,
/*FIXME curl->srvtag*/NULL);
if (!err)
{
fp = http_get_write_ptr (http);
/* Avoid caches to get the most recent copy of the key. We set
both the Pragma and Cache-Control versions of the header, so
we're good with both HTTP 1.0 and 1.1. */
es_fputs ("Pragma: no-cache\r\n"
"Cache-Control: no-cache\r\n", fp);
http_start_data (http);
if (es_ferror (fp))
err = gpg_error_from_syserror ();
}
if (err)
{
/* Fixme: After a redirection we show the old host name. */
log_error (_("error connecting to `%s': %s\n"),
url, gpg_strerror (err));
goto leave;
}
/* Wait for the response. */
dirmngr_tick (ctrl);
err = http_wait_response (http);
if (err)
{
log_error (_("error reading HTTP response for `%s': %s\n"),
url, gpg_strerror (err));
goto leave;
}
switch (http_get_status_code (http))
{
case 200:
err = 0;
break; /* Success. */
case 301:
case 302:
{
const char *s = http_get_header (http, "Location");
log_info (_("URL `%s' redirected to `%s' (%u)\n"),
url, s?s:"[none]", http_get_status_code (http));
if (s && *s && redirects_left-- )
{
xfree (request_buffer);
request_buffer = xtrystrdup (s);
if (request_buffer)
{
url = request_buffer;
http_close (http, 0);
http = NULL;
goto once_more;
}
err = gpg_error_from_syserror ();
}
else
err = gpg_error (GPG_ERR_NO_DATA);
log_error (_("too many redirections\n"));
}
goto leave;
default:
log_error (_("error accessing `%s': http status %u\n"),
url, http_get_status_code (http));
err = gpg_error (GPG_ERR_NO_DATA);
goto leave;
}
fp = http_get_read_ptr (http);
if (!fp)
{
err = gpg_error (GPG_ERR_BUG);
goto leave;
}
/* Return the read stream and close the HTTP context. */
*r_fp = fp;
http_close (http, 1);
http = NULL;
leave:
http_close (http, 0);
xfree (request_buffer);
return err;
}
diff --git a/dirmngr/ks-engine.h b/dirmngr/ks-engine.h
index 9d2afdf85..8b5514473 100644
--- a/dirmngr/ks-engine.h
+++ b/dirmngr/ks-engine.h
@@ -1,43 +1,53 @@
/* ks-engine.h - Keyserver engines definitions
* Copyright (C) 2011 Free Software Foundation, Inc.
*
* This file is part of GnuPG.
*
* GnuPG is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* GnuPG is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
#ifndef DIRMNGR_KS_ENGINE_H
#define DIRMNGR_KS_ENGINE_H 1
#include "../common/estream.h"
#include "../common/http.h"
+/*-- ks-action.c --*/
+gpg_error_t ks_print_help (ctrl_t ctrl, const char *text);
+
/*-- ks-engine-hkp.c --*/
+gpg_error_t ks_hkp_help (ctrl_t ctrl, parsed_uri_t uri);
gpg_error_t ks_hkp_search (ctrl_t ctrl, parsed_uri_t uri, const char *pattern,
estream_t *r_fp);
gpg_error_t ks_hkp_get (ctrl_t ctrl, parsed_uri_t uri,
const char *keyspec, estream_t *r_fp);
gpg_error_t ks_hkp_put (ctrl_t ctrl, parsed_uri_t uri,
const void *data, size_t datalen);
/*-- ks-engine-http.c --*/
+gpg_error_t ks_http_help (ctrl_t ctrl, parsed_uri_t uri);
gpg_error_t ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp);
/*-- ks-engine-finger.c --*/
+gpg_error_t ks_finger_help (ctrl_t ctrl, parsed_uri_t uri);
gpg_error_t ks_finger_fetch (ctrl_t ctrl, parsed_uri_t uri, estream_t *r_fp);
+/*-- ks-engine-kdns.c --*/
+gpg_error_t ks_kdns_help (ctrl_t ctrl, parsed_uri_t uri);
+gpg_error_t ks_kdns_fetch (ctrl_t ctrl, parsed_uri_t uri, estream_t *r_fp);
+
#endif /*DIRMNGR_KS_ENGINE_H*/
diff --git a/dirmngr/server.c b/dirmngr/server.c
index 403a13692..1a244c896 100644
--- a/dirmngr/server.c
+++ b/dirmngr/server.c
@@ -1,2017 +1,2054 @@
/* dirmngr.c - LDAP access
* Copyright (C) 2002 Klarälvdalens Datakonsult AB
* Copyright (C) 2003, 2004, 2005, 2007, 2008, 2009, 2011 g10 Code GmbH
*
* This file is part of DirMngr.
*
* DirMngr is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* DirMngr is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
#include <config.h>
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
#include <string.h>
#include <assert.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <errno.h>
#define JNLIB_NEED_LOG_LOGV
#include "dirmngr.h"
#include <assuan.h>
#include "crlcache.h"
#include "crlfetch.h"
#include "ldapserver.h"
#include "ocsp.h"
#include "certcache.h"
#include "validate.h"
#include "misc.h"
#include "ldap-wrapper.h"
#include "ks-action.h"
/* To avoid DoS attacks we limit the size of a certificate to
something reasonable. */
#define MAX_CERT_LENGTH (8*1024)
/* The same goes for OpenPGP keyblocks, but here we need to allow for
much longer blocks; a 200k keyblock is not too unusual for keys
with a lot of signatures (e.g. 0x5b0358a2). */
#define MAX_KEYBLOCK_LENGTH (512*1024)
#define PARM_ERROR(t) assuan_set_error (ctx, \
gpg_error (GPG_ERR_ASS_PARAMETER), (t))
#define set_error(e,t) assuan_set_error (ctx, gpg_error (e), (t))
/* Control structure per connection. */
struct server_local_s
{
/* Data used to associate an Assuan context with local server data */
assuan_context_t assuan_ctx;
/* Per-session LDAP servers. */
ldap_server_t ldapservers;
/* If this flag is set to true this dirmngr process will be
terminated after the end of this session. */
int stopme;
};
/* Cookie definition for assuan data line output. */
static ssize_t data_line_cookie_write (void *cookie,
const void *buffer, size_t size);
static int data_line_cookie_close (void *cookie);
static es_cookie_io_functions_t data_line_cookie_functions =
{
NULL,
data_line_cookie_write,
NULL,
data_line_cookie_close
};
/* Accessor for the local ldapservers variable. */
ldap_server_t
get_ldapservers_from_ctrl (ctrl_t ctrl)
{
if (ctrl && ctrl->server_local)
return ctrl->server_local->ldapservers;
else
return NULL;
}
/* Release all configured keyserver info from CTRL. */
void
release_ctrl_keyservers (ctrl_t ctrl)
{
while (ctrl->keyservers)
{
uri_item_t tmp = ctrl->keyservers->next;
http_release_parsed_uri (ctrl->keyservers->parsed_uri);
xfree (ctrl->keyservers);
ctrl->keyservers = tmp;
}
}
/* Helper to print a message while leaving a command. */
static gpg_error_t
leave_cmd (assuan_context_t ctx, gpg_error_t err)
{
if (err)
{
const char *name = assuan_get_command_name (ctx);
if (!name)
name = "?";
if (gpg_err_source (err) == GPG_ERR_SOURCE_DEFAULT)
log_error ("command '%s' failed: %s\n", name,
gpg_strerror (err));
else
log_error ("command '%s' failed: %s <%s>\n", name,
gpg_strerror (err), gpg_strsource (err));
}
return err;
}
/* A write handler used by es_fopencookie to write assuan data
lines. */
static ssize_t
data_line_cookie_write (void *cookie, const void *buffer, size_t size)
{
assuan_context_t ctx = cookie;
if (assuan_send_data (ctx, buffer, size))
{
gpg_err_set_errno (EIO);
return -1;
}
return size;
}
static int
data_line_cookie_close (void *cookie)
{
assuan_context_t ctx = cookie;
if (assuan_send_data (ctx, NULL, 0))
{
gpg_err_set_errno (EIO);
return -1;
}
return 0;
}
/* Copy the % and + escaped string S into the buffer D and replace the
escape sequences. Note, that it is sufficient to allocate the
target string D as long as the source string S, i.e.: strlen(s)+1.
Note further that if S contains an escaped binary Nul the resulting
string D will contain the 0 as well as all other characters but it
will be impossible to know whether this is the original EOS or a
copied Nul. */
static void
strcpy_escaped_plus (char *d, const unsigned char *s)
{
while (*s)
{
if (*s == '%' && s[1] && s[2])
{
s++;
*d++ = xtoi_2 ( s);
s += 2;
}
else if (*s == '+')
*d++ = ' ', s++;
else
*d++ = *s++;
}
*d = 0;
}
/* Check whether the option NAME appears in LINE */
static int
has_option (const char *line, const char *name)
{
const char *s;
int n = strlen (name);
s = strstr (line, name);
return (s && (s == line || spacep (s-1)) && (!s[n] || spacep (s+n)));
}
/* Same as has_option but only considers options at the begin of the
line. This is useful for commands which allow arbitrary strings on
the line. */
static int
has_leading_option (const char *line, const char *name)
{
const char *s;
int n;
if (name[0] != '-' || name[1] != '-' || !name[2] || spacep (name+2))
return 0;
n = strlen (name);
while ( *line == '-' && line[1] == '-' )
{
s = line;
while (*line && !spacep (line))
line++;
if (n == (line - s) && !strncmp (s, name, n))
return 1;
while (spacep (line))
line++;
}
return 0;
}
/* Same as has_option but does only test for the name of the option
and ignores an argument, i.e. with NAME being "--hash" it would
return a pointer for "--hash" as well as for "--hash=foo". If
thhere is no such option NULL is returned. The pointer returned
points right behind the option name, this may be an equal sign, Nul
or a space. */
/* static const char * */
/* has_option_name (const char *line, const char *name) */
/* { */
/* const char *s; */
/* int n = strlen (name); */
/* s = strstr (line, name); */
/* return (s && (s == line || spacep (s-1)) */
/* && (!s[n] || spacep (s+n) || s[n] == '=')) ? (s+n) : NULL; */
/* } */
/* Skip over options. It is assumed that leading spaces have been
removed (this is the case for lines passed to a handler from
assuan). Blanks after the options are also removed. */
static char *
skip_options (char *line)
{
while ( *line == '-' && line[1] == '-' )
{
while (*line && !spacep (line))
line++;
while (spacep (line))
line++;
}
return line;
}
/* Common code for get_cert_local and get_issuer_cert_local. */
static ksba_cert_t
do_get_cert_local (ctrl_t ctrl, const char *name, const char *command)
{
unsigned char *value;
size_t valuelen;
int rc;
char *buf;
ksba_cert_t cert;
if (name)
{
buf = xmalloc ( strlen (command) + 1 + strlen(name) + 1);
strcpy (stpcpy (stpcpy (buf, command), " "), name);
}
else
buf = xstrdup (command);
rc = assuan_inquire (ctrl->server_local->assuan_ctx, buf,
&value, &valuelen, MAX_CERT_LENGTH);
xfree (buf);
if (rc)
{
log_error (_("assuan_inquire(%s) failed: %s\n"),
command, gpg_strerror (rc));
return NULL;
}
if (!valuelen)
{
xfree (value);
return NULL;
}
rc = ksba_cert_new (&cert);
if (!rc)
{
rc = ksba_cert_init_from_mem (cert, value, valuelen);
if (rc)
{
ksba_cert_release (cert);
cert = NULL;
}
}
xfree (value);
return cert;
}
/* Ask back to return a certificate for name, given as a regular
gpgsm certificate indentificates (e.g. fingerprint or one of the
other methods). Alternatively, NULL may be used for NAME to
return the current target certificate. Either return the certificate
in a KSBA object or NULL if it is not available.
*/
ksba_cert_t
get_cert_local (ctrl_t ctrl, const char *name)
{
if (!ctrl || !ctrl->server_local || !ctrl->server_local->assuan_ctx)
{
if (opt.debug)
log_debug ("get_cert_local called w/o context\n");
return NULL;
}
return do_get_cert_local (ctrl, name, "SENDCERT");
}
/* Ask back to return the issuing certificate for name, given as a
regular gpgsm certificate indentificates (e.g. fingerprint or one
of the other methods). Alternatively, NULL may be used for NAME to
return thecurrent target certificate. Either return the certificate
in a KSBA object or NULL if it is not available.
*/
ksba_cert_t
get_issuing_cert_local (ctrl_t ctrl, const char *name)
{
if (!ctrl || !ctrl->server_local || !ctrl->server_local->assuan_ctx)
{
if (opt.debug)
log_debug ("get_issuing_cert_local called w/o context\n");
return NULL;
}
return do_get_cert_local (ctrl, name, "SENDISSUERCERT");
}
/* Ask back to return a certificate with subject NAME and a
subjectKeyIdentifier of KEYID. */
ksba_cert_t
get_cert_local_ski (ctrl_t ctrl, const char *name, ksba_sexp_t keyid)
{
unsigned char *value;
size_t valuelen;
int rc;
char *buf;
ksba_cert_t cert;
char *hexkeyid;
if (!ctrl || !ctrl->server_local || !ctrl->server_local->assuan_ctx)
{
if (opt.debug)
log_debug ("get_cert_local_ski called w/o context\n");
return NULL;
}
if (!name || !keyid)
{
log_debug ("get_cert_local_ski called with insufficient arguments\n");
return NULL;
}
hexkeyid = serial_hex (keyid);
if (!hexkeyid)
{
log_debug ("serial_hex() failed\n");
return NULL;
}
buf = xtrymalloc (15 + strlen (hexkeyid) + 2 + strlen(name) + 1);
if (!buf)
{
log_error ("can't allocate enough memory: %s\n", strerror (errno));
xfree (hexkeyid);
return NULL;
}
strcpy (stpcpy (stpcpy (stpcpy (buf, "SENDCERT_SKI "), hexkeyid)," /"),name);
xfree (hexkeyid);
rc = assuan_inquire (ctrl->server_local->assuan_ctx, buf,
&value, &valuelen, MAX_CERT_LENGTH);
xfree (buf);
if (rc)
{
log_error (_("assuan_inquire(%s) failed: %s\n"), "SENDCERT_SKI",
gpg_strerror (rc));
return NULL;
}
if (!valuelen)
{
xfree (value);
return NULL;
}
rc = ksba_cert_new (&cert);
if (!rc)
{
rc = ksba_cert_init_from_mem (cert, value, valuelen);
if (rc)
{
ksba_cert_release (cert);
cert = NULL;
}
}
xfree (value);
return cert;
}
/* Ask the client via an inquiry to check the istrusted status of the
certificate specified by the hexified fingerprint HEXFPR. Returns
0 if the certificate is trusted by the client or an error code. */
gpg_error_t
get_istrusted_from_client (ctrl_t ctrl, const char *hexfpr)
{
unsigned char *value;
size_t valuelen;
int rc;
char request[100];
if (!ctrl || !ctrl->server_local || !ctrl->server_local->assuan_ctx
|| !hexfpr)
return gpg_error (GPG_ERR_INV_ARG);
snprintf (request, sizeof request, "ISTRUSTED %s", hexfpr);
rc = assuan_inquire (ctrl->server_local->assuan_ctx, request,
&value, &valuelen, 100);
if (rc)
{
log_error (_("assuan_inquire(%s) failed: %s\n"),
request, gpg_strerror (rc));
return rc;
}
/* The expected data is: "1" or "1 cruft" (not a C-string). */
if (valuelen && *value == '1' && (valuelen == 1 || spacep (value+1)))
rc = 0;
else
rc = gpg_error (GPG_ERR_NOT_TRUSTED);
xfree (value);
return rc;
}
/* Ask the client to return the certificate associated with the
current command. This is sometimes needed because the client usually
sends us just the cert ID, assuming that the request can be
satisfied from the cache, where the cert ID is used as key. */
static int
inquire_cert_and_load_crl (assuan_context_t ctx)
{
ctrl_t ctrl = assuan_get_pointer (ctx);
gpg_error_t err;
unsigned char *value = NULL;
size_t valuelen;
ksba_cert_t cert = NULL;
err = assuan_inquire( ctx, "SENDCERT", &value, &valuelen, 0);
if (err)
return err;
/* { */
/* FILE *fp = fopen ("foo.der", "r"); */
/* value = xmalloc (2000); */
/* valuelen = fread (value, 1, 2000, fp); */
/* fclose (fp); */
/* } */
if (!valuelen) /* No data returned; return a comprehensible error. */
return gpg_error (GPG_ERR_MISSING_CERT);
err = ksba_cert_new (&cert);
if (err)
goto leave;
err = ksba_cert_init_from_mem (cert, value, valuelen);
if(err)
goto leave;
xfree (value); value = NULL;
err = crl_cache_reload_crl (ctrl, cert);
leave:
ksba_cert_release (cert);
xfree (value);
return err;
}
/* Handle OPTION commands. */
static gpg_error_t
option_handler (assuan_context_t ctx, const char *key, const char *value)
{
ctrl_t ctrl = assuan_get_pointer (ctx);
if (!strcmp (key, "force-crl-refresh"))
{
int i = *value? atoi (value) : 0;
ctrl->force_crl_refresh = i;
}
else if (!strcmp (key, "audit-events"))
{
int i = *value? atoi (value) : 0;
ctrl->audit_events = i;
}
else
return gpg_error (GPG_ERR_UNKNOWN_OPTION);
return 0;
}
static const char hlp_ldapserver[] =
"LDAPSERVER <data>\n"
"\n"
"Add a new LDAP server to the list of configured LDAP servers.\n"
"DATA is in the same format as expected in the configure file.";
static gpg_error_t
cmd_ldapserver (assuan_context_t ctx, char *line)
{
ctrl_t ctrl = assuan_get_pointer (ctx);
ldap_server_t server;
ldap_server_t *last_next_p;
while (spacep (line))
line++;
if (*line == '\0')
return leave_cmd (ctx, PARM_ERROR (_("ldapserver missing")));
server = ldapserver_parse_one (line, "", 0);
if (! server)
return leave_cmd (ctx, gpg_error (GPG_ERR_INV_ARG));
last_next_p = &ctrl->server_local->ldapservers;
while (*last_next_p)
last_next_p = &(*last_next_p)->next;
*last_next_p = server;
return leave_cmd (ctx, 0);
}
static const char hlp_isvalid[] =
"ISVALID [--only-ocsp] [--force-default-responder]"
" <certificate_id>|<certificate_fpr>\n"
"\n"
"This command checks whether the certificate identified by the\n"
"certificate_id is valid. This is done by consulting CRLs or\n"
"whatever has been configured. Note, that the returned error codes\n"
"are from gpg-error.h. The command may callback using the inquire\n"
"function. See the manual for details.\n"
"\n"
"The CERTIFICATE_ID is a hex encoded string consisting of two parts,\n"
"delimited by a single dot. The first part is the SHA-1 hash of the\n"
"issuer name and the second part the serial number.\n"
"\n"
"Alternatively the certificate's fingerprint may be given in which\n"
"case an OCSP request is done before consulting the CRL.\n"
"\n"
"If the option --only-ocsp is given, no fallback to a CRL check will\n"
"be used.\n"
"\n"
"If the option --force-default-responder is given, only the default\n"
"OCSP responder will be used and any other methods of obtaining an\n"
"OCSP responder URL won't be used.";
static gpg_error_t
cmd_isvalid (assuan_context_t ctx, char *line)
{
ctrl_t ctrl = assuan_get_pointer (ctx);
char *issuerhash, *serialno;
gpg_error_t err;
int did_inquire = 0;
int ocsp_mode = 0;
int only_ocsp;
int force_default_responder;
only_ocsp = has_option (line, "--only-ocsp");
force_default_responder = has_option (line, "--force-default-responder");
line = skip_options (line);
issuerhash = xstrdup (line); /* We need to work on a copy of the
line because that same Assuan
context may be used for an inquiry.
That is because Assuan reuses its
line buffer.
*/
serialno = strchr (issuerhash, '.');
if (serialno)
*serialno++ = 0;
else
{
char *endp = strchr (issuerhash, ' ');
if (endp)
*endp = 0;
if (strlen (issuerhash) != 40)
{
xfree (issuerhash);
return leave_cmd (ctx, PARM_ERROR (_("serialno missing in cert ID")));
}
ocsp_mode = 1;
}
again:
if (ocsp_mode)
{
/* Note, that we ignore the given issuer hash and instead rely
on the current certificate semantics used with this
command. */
if (!opt.allow_ocsp)
err = gpg_error (GPG_ERR_NOT_SUPPORTED);
else
err = ocsp_isvalid (ctrl, NULL, NULL, force_default_responder);
/* Fixme: If we got no ocsp response and --only-ocsp is not used
we should fall back to CRL mode. Thus we need to clear
OCSP_MODE, get the issuerhash and the serialno from the
current certificate and jump to again. */
}
else if (only_ocsp)
err = gpg_error (GPG_ERR_NO_CRL_KNOWN);
else
{
switch (crl_cache_isvalid (ctrl,
issuerhash, serialno,
ctrl->force_crl_refresh))
{
case CRL_CACHE_VALID:
err = 0;
break;
case CRL_CACHE_INVALID:
err = gpg_error (GPG_ERR_CERT_REVOKED);
break;
case CRL_CACHE_DONTKNOW:
if (did_inquire)
err = gpg_error (GPG_ERR_NO_CRL_KNOWN);
else if (!(err = inquire_cert_and_load_crl (ctx)))
{
did_inquire = 1;
goto again;
}
break;
case CRL_CACHE_CANTUSE:
err = gpg_error (GPG_ERR_NO_CRL_KNOWN);
break;
default:
log_fatal ("crl_cache_isvalid returned invalid code\n");
}
}
xfree (issuerhash);
return leave_cmd (ctx, err);
}
/* If the line contains a SHA-1 fingerprint as the first argument,
return the FPR vuffer on success. The function checks that the
fingerprint consists of valid characters and prints and error
message if it does not and returns NULL. Fingerprints are
considered optional and thus no explicit error is returned. NULL is
also returned if there is no fingerprint at all available.
FPR must be a caller provided buffer of at least 20 bytes.
Note that colons within the fingerprint are allowed to separate 2
hex digits; this allows for easier cutting and pasting using the
usual fingerprint rendering.
*/
static unsigned char *
get_fingerprint_from_line (const char *line, unsigned char *fpr)
{
const char *s;
int i;
for (s=line, i=0; *s && *s != ' '; s++ )
{
if ( hexdigitp (s) && hexdigitp (s+1) )
{
if ( i >= 20 )
return NULL; /* Fingerprint too long. */
fpr[i++] = xtoi_2 (s);
s++;
}
else if ( *s != ':' )
return NULL; /* Invalid. */
}
if ( i != 20 )
return NULL; /* Fingerprint to short. */
return fpr;
}
static const char hlp_checkcrl[] =
"CHECKCRL [<fingerprint>]\n"
"\n"
"Check whether the certificate with FINGERPRINT (SHA-1 hash of the\n"
"entire X.509 certificate blob) is valid or not by consulting the\n"
"CRL responsible for this certificate. If the fingerprint has not\n"
"been given or the certificate is not known, the function \n"
"inquires the certificate using an\n"
"\n"
" INQUIRE TARGETCERT\n"
"\n"
"and the caller is expected to return the certificate for the\n"
"request (which should match FINGERPRINT) as a binary blob.\n"
"Processing then takes place without further interaction; in\n"
"particular dirmngr tries to locate other required certificate by\n"
"its own mechanism which includes a local certificate store as well\n"
"as a list of trusted root certificates.\n"
"\n"
"The return value is the usual gpg-error code or 0 for ducesss;\n"
"i.e. the certificate validity has been confirmed by a valid CRL.";
static gpg_error_t
cmd_checkcrl (assuan_context_t ctx, char *line)
{
ctrl_t ctrl = assuan_get_pointer (ctx);
gpg_error_t err;
unsigned char fprbuffer[20], *fpr;
ksba_cert_t cert;
fpr = get_fingerprint_from_line (line, fprbuffer);
cert = fpr? get_cert_byfpr (fpr) : NULL;
if (!cert)
{
/* We do not have this certificate yet or the fingerprint has
not been given. Inquire it from the client. */
unsigned char *value = NULL;
size_t valuelen;
err = assuan_inquire (ctrl->server_local->assuan_ctx, "TARGETCERT",
&value, &valuelen, MAX_CERT_LENGTH);
if (err)
{
log_error (_("assuan_inquire failed: %s\n"), gpg_strerror (err));
goto leave;
}
if (!valuelen) /* No data returned; return a comprehensible error. */
err = gpg_error (GPG_ERR_MISSING_CERT);
else
{
err = ksba_cert_new (&cert);
if (!err)
err = ksba_cert_init_from_mem (cert, value, valuelen);
}
xfree (value);
if(err)
goto leave;
}
assert (cert);
err = crl_cache_cert_isvalid (ctrl, cert, ctrl->force_crl_refresh);
if (gpg_err_code (err) == GPG_ERR_NO_CRL_KNOWN)
{
err = crl_cache_reload_crl (ctrl, cert);
if (!err)
err = crl_cache_cert_isvalid (ctrl, cert, 0);
}
leave:
ksba_cert_release (cert);
return leave_cmd (ctx, err);
}
static const char hlp_checkocsp[] =
"CHECKOCSP [--force-default-responder] [<fingerprint>]\n"
"\n"
"Check whether the certificate with FINGERPRINT (SHA-1 hash of the\n"
"entire X.509 certificate blob) is valid or not by asking an OCSP\n"
"responder responsible for this certificate. The optional\n"
"fingerprint may be used for a quick check in case an OCSP check has\n"
"been done for this certificate recently (we always cache OCSP\n"
"responses for a couple of minutes). If the fingerprint has not been\n"
"given or there is no cached result, the function inquires the\n"
"certificate using an\n"
"\n"
" INQUIRE TARGETCERT\n"
"\n"
"and the caller is expected to return the certificate for the\n"
"request (which should match FINGERPRINT) as a binary blob.\n"
"Processing then takes place without further interaction; in\n"
"particular dirmngr tries to locate other required certificates by\n"
"its own mechanism which includes a local certificate store as well\n"
"as a list of trusted root certifciates.\n"
"\n"
"If the option --force-default-responder is given, only the default\n"
"OCSP responder will be used and any other methods of obtaining an\n"
"OCSP responder URL won't be used.\n"
"\n"
"The return value is the usual gpg-error code or 0 for ducesss;\n"
"i.e. the certificate validity has been confirmed by a valid CRL.";
static gpg_error_t
cmd_checkocsp (assuan_context_t ctx, char *line)
{
ctrl_t ctrl = assuan_get_pointer (ctx);
gpg_error_t err;
unsigned char fprbuffer[20], *fpr;
ksba_cert_t cert;
int force_default_responder;
force_default_responder = has_option (line, "--force-default-responder");
line = skip_options (line);
fpr = get_fingerprint_from_line (line, fprbuffer);
cert = fpr? get_cert_byfpr (fpr) : NULL;
if (!cert)
{
/* We do not have this certificate yet or the fingerprint has
not been given. Inquire it from the client. */
unsigned char *value = NULL;
size_t valuelen;
err = assuan_inquire (ctrl->server_local->assuan_ctx, "TARGETCERT",
&value, &valuelen, MAX_CERT_LENGTH);
if (err)
{
log_error (_("assuan_inquire failed: %s\n"), gpg_strerror (err));
goto leave;
}
if (!valuelen) /* No data returned; return a comprehensible error. */
err = gpg_error (GPG_ERR_MISSING_CERT);
else
{
err = ksba_cert_new (&cert);
if (!err)
err = ksba_cert_init_from_mem (cert, value, valuelen);
}
xfree (value);
if(err)
goto leave;
}
assert (cert);
if (!opt.allow_ocsp)
err = gpg_error (GPG_ERR_NOT_SUPPORTED);
else
err = ocsp_isvalid (ctrl, cert, NULL, force_default_responder);
leave:
ksba_cert_release (cert);
return leave_cmd (ctx, err);
}
static int
lookup_cert_by_url (assuan_context_t ctx, const char *url)
{
ctrl_t ctrl = assuan_get_pointer (ctx);
gpg_error_t err = 0;
unsigned char *value = NULL;
size_t valuelen;
/* Fetch single certificate given it's URL. */
err = fetch_cert_by_url (ctrl, url, &value, &valuelen);
if (err)
{
log_error (_("fetch_cert_by_url failed: %s\n"), gpg_strerror (err));
goto leave;
}
/* Send the data, flush the buffer and then send an END. */
err = assuan_send_data (ctx, value, valuelen);
if (!err)
err = assuan_send_data (ctx, NULL, 0);
if (!err)
err = assuan_write_line (ctx, "END");
if (err)
{
log_error (_("error sending data: %s\n"), gpg_strerror (err));
goto leave;
}
leave:
return err;
}
/* Send the certificate, flush the buffer and then send an END. */
static gpg_error_t
return_one_cert (void *opaque, ksba_cert_t cert)
{
assuan_context_t ctx = opaque;
gpg_error_t err;
const unsigned char *der;
size_t derlen;
der = ksba_cert_get_image (cert, &derlen);
if (!der)
err = gpg_error (GPG_ERR_INV_CERT_OBJ);
else
{
err = assuan_send_data (ctx, der, derlen);
if (!err)
err = assuan_send_data (ctx, NULL, 0);
if (!err)
err = assuan_write_line (ctx, "END");
}
if (err)
log_error (_("error sending data: %s\n"), gpg_strerror (err));
return err;
}
/* Lookup certificates from the internal cache or using the ldap
servers. */
static int
lookup_cert_by_pattern (assuan_context_t ctx, char *line,
int single, int cache_only)
{
ctrl_t ctrl = assuan_get_pointer (ctx);
gpg_error_t err = 0;
char *p;
strlist_t sl, list = NULL;
int truncated = 0, truncation_forced = 0;
int count = 0;
int local_count = 0;
unsigned char *value = NULL;
size_t valuelen;
struct ldapserver_iter ldapserver_iter;
cert_fetch_context_t fetch_context;
int any_no_data = 0;
/* Break the line down into an STRLIST */
for (p=line; *p; line = p)
{
while (*p && *p != ' ')
p++;
if (*p)
*p++ = 0;
if (*line)
{
sl = xtrymalloc (sizeof *sl + strlen (line));
if (!sl)
{
err = gpg_error_from_errno (errno);
goto leave;
}
memset (sl, 0, sizeof *sl);
strcpy_escaped_plus (sl->d, line);
sl->next = list;
list = sl;
}
}
/* First look through the internal cache. The certifcates retruned
here are not counted towards the truncation limit. */
if (single && !cache_only)
; /* Do not read from the local cache in this case. */
else
{
for (sl=list; sl; sl = sl->next)
{
err = get_certs_bypattern (sl->d, return_one_cert, ctx);
if (!err)
local_count++;
if (!err && single)
goto ready;
if (gpg_err_code (err) == GPG_ERR_NO_DATA)
{
err = 0;
if (cache_only)
any_no_data = 1;
}
else if (gpg_err_code (err) == GPG_ERR_INV_NAME && !cache_only)
{
/* No real fault because the internal pattern lookup
can't yet cope with all types of pattern. */
err = 0;
}
if (err)
goto ready;
}
}
/* Loop over all configured servers unless we want only the
certificates from the cache. */
for (ldapserver_iter_begin (&ldapserver_iter, ctrl);
!cache_only && !ldapserver_iter_end_p (&ldapserver_iter)
&& ldapserver_iter.server->host && !truncation_forced;
ldapserver_iter_next (&ldapserver_iter))
{
ldap_server_t ldapserver = ldapserver_iter.server;
if (DBG_LOOKUP)
log_debug ("cmd_lookup: trying %s:%d base=%s\n",
ldapserver->host, ldapserver->port,
ldapserver->base?ldapserver->base : "[default]");
/* Fetch certificates matching pattern */
err = start_cert_fetch (ctrl, &fetch_context, list, ldapserver);
if ( gpg_err_code (err) == GPG_ERR_NO_DATA )
{
if (DBG_LOOKUP)
log_debug ("cmd_lookup: no data\n");
err = 0;
any_no_data = 1;
continue;
}
if (err)
{
log_error (_("start_cert_fetch failed: %s\n"), gpg_strerror (err));
goto leave;
}
/* Fetch the certificates for this query. */
while (!truncation_forced)
{
xfree (value); value = NULL;
err = fetch_next_cert (fetch_context, &value, &valuelen);
if (gpg_err_code (err) == GPG_ERR_NO_DATA )
{
err = 0;
any_no_data = 1;
break; /* Ready. */
}
if (gpg_err_code (err) == GPG_ERR_TRUNCATED)
{
truncated = 1;
err = 0;
break; /* Ready. */
}
if (gpg_err_code (err) == GPG_ERR_EOF)
{
err = 0;
break; /* Ready. */
}
if (!err && !value)
{
err = gpg_error (GPG_ERR_BUG);
goto leave;
}
if (err)
{
log_error (_("fetch_next_cert failed: %s\n"),
gpg_strerror (err));
end_cert_fetch (fetch_context);
goto leave;
}
if (DBG_LOOKUP)
log_debug ("cmd_lookup: returning one cert%s\n",
truncated? " (truncated)":"");
/* Send the data, flush the buffer and then send an END line
as a certificate delimiter. */
err = assuan_send_data (ctx, value, valuelen);
if (!err)
err = assuan_send_data (ctx, NULL, 0);
if (!err)
err = assuan_write_line (ctx, "END");
if (err)
{
log_error (_("error sending data: %s\n"), gpg_strerror (err));
end_cert_fetch (fetch_context);
goto leave;
}
if (++count >= opt.max_replies )
{
truncation_forced = 1;
log_info (_("max_replies %d exceeded\n"), opt.max_replies );
}
if (single)
break;
}
end_cert_fetch (fetch_context);
}
ready:
if (truncated || truncation_forced)
{
char str[50];
sprintf (str, "%d", count);
assuan_write_status (ctx, "TRUNCATED", str);
}
if (!err && !count && !local_count && any_no_data)
err = gpg_error (GPG_ERR_NO_DATA);
leave:
free_strlist (list);
return err;
}
static const char hlp_lookup[] =
"LOOKUP [--url] [--single] [--cache-only] <pattern>\n"
"\n"
"Lookup certificates matching PATTERN. With --url the pattern is\n"
"expected to be one URL.\n"
"\n"
"If --url is not given: To allow for multiple patterns (which are ORed)\n"
"quoting is required: Spaces are translated to \"+\" or \"%20\";\n"
"obviously this requires that the usual escape quoting rules are applied.\n"
"\n"
"If --url is given no special escaping is required because URLs are\n"
"already escaped this way.\n"
"\n"
"If --single is given the first and only the first match will be\n"
"returned. If --cache-only is _not_ given, no local query will be\n"
"done.\n"
"\n"
"If --cache-only is given no external lookup is done so that only\n"
"certificates from the cache may get returned.";
static gpg_error_t
cmd_lookup (assuan_context_t ctx, char *line)
{
gpg_error_t err;
int lookup_url, single, cache_only;
lookup_url = has_leading_option (line, "--url");
single = has_leading_option (line, "--single");
cache_only = has_leading_option (line, "--cache-only");
line = skip_options (line);
if (lookup_url && cache_only)
err = gpg_error (GPG_ERR_NOT_FOUND);
else if (lookup_url && single)
err = gpg_error (GPG_ERR_NOT_IMPLEMENTED);
else if (lookup_url)
err = lookup_cert_by_url (ctx, line);
else
err = lookup_cert_by_pattern (ctx, line, single, cache_only);
return leave_cmd (ctx, err);
}
static const char hlp_loadcrl[] =
"LOADCRL [--url] <filename|url>\n"
"\n"
"Load the CRL in the file with name FILENAME into our cache. Note\n"
"that FILENAME should be given with an absolute path because\n"
"Dirmngrs cwd is not known. With --url the CRL is directly loaded\n"
"from the given URL.\n"
"\n"
"This command is usually used by gpgsm using the invocation \"gpgsm\n"
"--call-dirmngr loadcrl <filename>\". A direct invocation of Dirmngr\n"
"is not useful because gpgsm might need to callback gpgsm to ask for\n"
"the CA's certificate.";
static gpg_error_t
cmd_loadcrl (assuan_context_t ctx, char *line)
{
ctrl_t ctrl = assuan_get_pointer (ctx);
gpg_error_t err = 0;
int use_url = has_leading_option (line, "--url");
line = skip_options (line);
if (use_url)
{
ksba_reader_t reader;
err = crl_fetch (ctrl, line, &reader);
if (err)
log_error (_("fetching CRL from `%s' failed: %s\n"),
line, gpg_strerror (err));
else
{
err = crl_cache_insert (ctrl, line, reader);
if (err)
log_error (_("processing CRL from `%s' failed: %s\n"),
line, gpg_strerror (err));
crl_close_reader (reader);
}
}
else
{
char *buf;
buf = xtrymalloc (strlen (line)+1);
if (!buf)
err = gpg_error_from_syserror ();
else
{
strcpy_escaped_plus (buf, line);
err = crl_cache_load (ctrl, buf);
xfree (buf);
}
}
return leave_cmd (ctx, err);
}
static const char hlp_listcrls[] =
"LISTCRLS\n"
"\n"
"List the content of all CRLs in a readable format. This command is\n"
"usually used by gpgsm using the invocation \"gpgsm --call-dirmngr\n"
"listcrls\". It may also be used directly using \"dirmngr\n"
"--list-crls\".";
static gpg_error_t
cmd_listcrls (assuan_context_t ctx, char *line)
{
gpg_error_t err;
estream_t fp;
(void)line;
fp = es_fopencookie (ctx, "w", data_line_cookie_functions);
if (!fp)
err = set_error (GPG_ERR_ASS_GENERAL, "error setting up a data stream");
else
{
err = crl_cache_list (fp);
es_fclose (fp);
}
return leave_cmd (ctx, err);
}
static const char hlp_cachecert[] =
"CACHECERT\n"
"\n"
"Put a certificate into the internal cache. This command might be\n"
"useful if a client knows in advance certificates required for a\n"
"test and wants to make sure they get added to the internal cache.\n"
"It is also helpful for debugging. To get the actual certificate,\n"
"this command immediately inquires it using\n"
"\n"
" INQUIRE TARGETCERT\n"
"\n"
"and the caller is expected to return the certificate for the\n"
"request as a binary blob.";
static gpg_error_t
cmd_cachecert (assuan_context_t ctx, char *line)
{
ctrl_t ctrl = assuan_get_pointer (ctx);
gpg_error_t err;
ksba_cert_t cert = NULL;
unsigned char *value = NULL;
size_t valuelen;
(void)line;
err = assuan_inquire (ctrl->server_local->assuan_ctx, "TARGETCERT",
&value, &valuelen, MAX_CERT_LENGTH);
if (err)
{
log_error (_("assuan_inquire failed: %s\n"), gpg_strerror (err));
goto leave;
}
if (!valuelen) /* No data returned; return a comprehensible error. */
err = gpg_error (GPG_ERR_MISSING_CERT);
else
{
err = ksba_cert_new (&cert);
if (!err)
err = ksba_cert_init_from_mem (cert, value, valuelen);
}
xfree (value);
if(err)
goto leave;
err = cache_cert (cert);
leave:
ksba_cert_release (cert);
return leave_cmd (ctx, err);
}
static const char hlp_validate[] =
"VALIDATE\n"
"\n"
"Validate a certificate using the certificate validation function\n"
"used internally by dirmngr. This command is only useful for\n"
"debugging. To get the actual certificate, this command immediately\n"
"inquires it using\n"
"\n"
" INQUIRE TARGETCERT\n"
"\n"
"and the caller is expected to return the certificate for the\n"
"request as a binary blob.";
static gpg_error_t
cmd_validate (assuan_context_t ctx, char *line)
{
ctrl_t ctrl = assuan_get_pointer (ctx);
gpg_error_t err;
ksba_cert_t cert = NULL;
unsigned char *value = NULL;
size_t valuelen;
(void)line;
err = assuan_inquire (ctrl->server_local->assuan_ctx, "TARGETCERT",
&value, &valuelen, MAX_CERT_LENGTH);
if (err)
{
log_error (_("assuan_inquire failed: %s\n"), gpg_strerror (err));
goto leave;
}
if (!valuelen) /* No data returned; return a comprehensible error. */
err = gpg_error (GPG_ERR_MISSING_CERT);
else
{
err = ksba_cert_new (&cert);
if (!err)
err = ksba_cert_init_from_mem (cert, value, valuelen);
}
xfree (value);
if(err)
goto leave;
/* If we have this certificate already in our cache, use the cached
version for validation because this will take care of any cached
results. */
{
unsigned char fpr[20];
ksba_cert_t tmpcert;
cert_compute_fpr (cert, fpr);
tmpcert = get_cert_byfpr (fpr);
if (tmpcert)
{
ksba_cert_release (cert);
cert = tmpcert;
}
}
err = validate_cert_chain (ctrl, cert, NULL, VALIDATE_MODE_CERT, NULL);
leave:
ksba_cert_release (cert);
return leave_cmd (ctx, err);
}
static const char hlp_keyserver[] =
- "KEYSERVER [--clear] [<uri>]\n"
+ "KEYSERVER [--clear|--help] [<uri>]\n"
"\n"
"If called without arguments list all configured keyserver URLs.\n"
"If called with option \"--clear\" remove all configured keyservers\n"
"If called with an URI add this as keyserver. Note that keyservers\n"
"are configured on a per-session base. A default keyserver may already be\n"
"present, thus the \"--clear\" option must be used to get full control.\n"
"If \"--clear\" and an URI are used together the clear command is\n"
"obviously executed first. A RESET command does not change the list\n"
"of configured keyservers.";
static gpg_error_t
cmd_keyserver (assuan_context_t ctx, char *line)
{
ctrl_t ctrl = assuan_get_pointer (ctx);
gpg_error_t err;
- int clear_flag, add_flag;
+ int clear_flag, add_flag, help_flag;
uri_item_t item = NULL; /* gcc 4.4.5 is not able to detect that it
is always initialized. */
clear_flag = has_option (line, "--clear");
+ help_flag = has_option (line, "--help");
line = skip_options (line);
add_flag = !!*line;
+ if (help_flag)
+ {
+ err = ks_action_help (ctrl, line);
+ goto leave;
+ }
+
if (add_flag)
{
item = xtrymalloc (sizeof *item + strlen (line));
if (!item)
{
err = gpg_error_from_syserror ();
goto leave;
}
item->next = NULL;
item->parsed_uri = NULL;
strcpy (item->uri, line);
err = http_parse_uri (&item->parsed_uri, line, 1);
if (err)
{
xfree (item);
goto leave;
}
}
if (clear_flag)
release_ctrl_keyservers (ctrl);
if (add_flag)
{
item->next = ctrl->keyservers;
ctrl->keyservers = item;
}
- if (!add_flag && !clear_flag) /* List configured keyservers. */
+ if (!add_flag && !clear_flag && !help_flag) /* List configured keyservers. */
{
uri_item_t u;
for (u=ctrl->keyservers; u; u = u->next)
dirmngr_status (ctrl, "KEYSERVER", u->uri, NULL);
}
err = 0;
leave:
return leave_cmd (ctx, err);
}
static const char hlp_ks_search[] =
"KS_SEARCH {<pattern>}\n"
"\n"
"Search the configured OpenPGP keyservers (see command KEYSERVER)\n"
"for keys matching PATTERN";
static gpg_error_t
cmd_ks_search (assuan_context_t ctx, char *line)
{
ctrl_t ctrl = assuan_get_pointer (ctx);
gpg_error_t err;
strlist_t list, sl;
char *p;
estream_t outfp;
/* No options for now. */
line = skip_options (line);
/* Break the line down into an strlist. Each pattern is
percent-plus escaped. */
list = NULL;
for (p=line; *p; line = p)
{
while (*p && *p != ' ')
p++;
if (*p)
*p++ = 0;
if (*line)
{
sl = xtrymalloc (sizeof *sl + strlen (line));
if (!sl)
{
err = gpg_error_from_syserror ();
free_strlist (list);
goto leave;
}
sl->flags = 0;
strcpy_escaped_plus (sl->d, line);
sl->next = list;
list = sl;
}
}
/* Setup an output stream and perform the search. */
outfp = es_fopencookie (ctx, "w", data_line_cookie_functions);
if (!outfp)
err = set_error (GPG_ERR_ASS_GENERAL, "error setting up a data stream");
else
{
err = ks_action_search (ctrl, list, outfp);
es_fclose (outfp);
}
leave:
return leave_cmd (ctx, err);
}
static const char hlp_ks_get[] =
"KS_GET {<pattern>}\n"
"\n"
"Get the keys matching PATTERN from the configured OpenPGP keyservers\n"
"(see command KEYSERVER). Each pattern should be a keyid or a fingerprint";
static gpg_error_t
cmd_ks_get (assuan_context_t ctx, char *line)
{
ctrl_t ctrl = assuan_get_pointer (ctx);
gpg_error_t err;
strlist_t list, sl;
char *p;
estream_t outfp;
/* No options for now. */
line = skip_options (line);
/* Break the line down into an strlist. Each pattern is by
definition percent-plus escaped. However we only support keyids
and fingerprints and thus the client has no need to apply the
escaping. */
list = NULL;
for (p=line; *p; line = p)
{
while (*p && *p != ' ')
p++;
if (*p)
*p++ = 0;
if (*line)
{
sl = xtrymalloc (sizeof *sl + strlen (line));
if (!sl)
{
err = gpg_error_from_syserror ();
free_strlist (list);
goto leave;
}
sl->flags = 0;
strcpy_escaped_plus (sl->d, line);
sl->next = list;
list = sl;
}
}
/* Setup an output stream and perform the get. */
outfp = es_fopencookie (ctx, "w", data_line_cookie_functions);
if (!outfp)
err = set_error (GPG_ERR_ASS_GENERAL, "error setting up a data stream");
else
{
err = ks_action_get (ctrl, list, outfp);
es_fclose (outfp);
}
leave:
return leave_cmd (ctx, err);
}
static const char hlp_ks_fetch[] =
"KS_FETCH <URL>\n"
"\n"
"Get the key(s) from URL.";
static gpg_error_t
cmd_ks_fetch (assuan_context_t ctx, char *line)
{
ctrl_t ctrl = assuan_get_pointer (ctx);
gpg_error_t err;
estream_t outfp;
/* No options for now. */
line = skip_options (line);
/* Setup an output stream and perform the get. */
outfp = es_fopencookie (ctx, "w", data_line_cookie_functions);
if (!outfp)
err = set_error (GPG_ERR_ASS_GENERAL, "error setting up a data stream");
else
{
err = ks_action_fetch (ctrl, line, outfp);
es_fclose (outfp);
}
return leave_cmd (ctx, err);
}
static const char hlp_ks_put[] =
"KS_PUT\n"
"\n"
"Send a key to the configured OpenPGP keyservers. The actual key material\n"
"is then requested by Dirmngr using\n"
"\n"
" INQUIRE KEYBLOCK\n"
"\n"
"The client shall respond with a binary version of the keyblock. For LDAP\n"
"keyservers Dirmngr may ask for meta information of the provided keyblock\n"
"using:\n"
"\n"
" INQUIRE KEYBLOCK_INFO\n"
"\n"
"The client shall respond with a colon delimited info lines";
static gpg_error_t
cmd_ks_put (assuan_context_t ctx, char *line)
{
ctrl_t ctrl = assuan_get_pointer (ctx);
gpg_error_t err;
unsigned char *value = NULL;
size_t valuelen;
unsigned char *info = NULL;
size_t infolen;
/* No options for now. */
line = skip_options (line);
/* Ask for the key material. */
err = assuan_inquire (ctx, "KEYBLOCK",
&value, &valuelen, MAX_KEYBLOCK_LENGTH);
if (err)
{
log_error (_("assuan_inquire failed: %s\n"), gpg_strerror (err));
goto leave;
}
if (!valuelen) /* No data returned; return a comprehensible error. */
{
err = gpg_error (GPG_ERR_MISSING_CERT);
goto leave;
}
/* Ask for the key meta data. Not actually needed for HKP servers
but we do it anyway test the client implementaion. */
err = assuan_inquire (ctx, "KEYBLOCK_INFO",
&info, &infolen, MAX_KEYBLOCK_LENGTH);
if (err)
{
log_error (_("assuan_inquire failed: %s\n"), gpg_strerror (err));
goto leave;
}
/* Send the key. */
err = ks_action_put (ctrl, value, valuelen);
leave:
xfree (info);
xfree (value);
return leave_cmd (ctx, err);
}
static const char hlp_getinfo[] =
"GETINFO <what>\n"
"\n"
"Multi purpose command to return certain information. \n"
"Supported values of WHAT are:\n"
"\n"
"version - Return the version of the program.\n"
"pid - Return the process id of the server.\n"
"\n"
"socket_name - Return the name of the socket.\n";
static gpg_error_t
cmd_getinfo (assuan_context_t ctx, char *line)
{
gpg_error_t err;
if (!strcmp (line, "version"))
{
const char *s = VERSION;
err = assuan_send_data (ctx, s, strlen (s));
}
else if (!strcmp (line, "pid"))
{
char numbuf[50];
snprintf (numbuf, sizeof numbuf, "%lu", (unsigned long)getpid ());
err = assuan_send_data (ctx, numbuf, strlen (numbuf));
}
else if (!strcmp (line, "socket_name"))
{
const char *s = dirmngr_socket_name ();
if (s)
err = assuan_send_data (ctx, s, strlen (s));
else
err = gpg_error (GPG_ERR_NO_DATA);
}
else
err = set_error (GPG_ERR_ASS_PARAMETER, "unknown value for WHAT");
return leave_cmd (ctx, err);
}
static const char hlp_killdirmngr[] =
"KILLDIRMNGR\n"
"\n"
"This command allows a user - given sufficient permissions -\n"
"to kill this dirmngr process.\n";
static gpg_error_t
cmd_killdirmngr (assuan_context_t ctx, char *line)
{
ctrl_t ctrl = assuan_get_pointer (ctx);
(void)line;
if (opt.system_daemon)
{
if (opt.system_service)
return set_error (GPG_ERR_NOT_SUPPORTED,
"can't do that whilst running as system service");
#ifndef HAVE_W32_SYSTEM
{
gpg_err_code_t ec;
assuan_peercred_t cred;
ec = gpg_err_code (assuan_get_peercred (ctx, &cred));
if (!ec && cred->uid)
ec = GPG_ERR_EPERM; /* Only root may terminate. */
if (ec)
return set_error (ec, "no permission to kill this process");
}
#endif
}
ctrl->server_local->stopme = 1;
return gpg_error (GPG_ERR_EOF);
}
static const char hlp_reloaddirmngr[] =
"RELOADDIRMNGR\n"
"\n"
"This command is an alternative to SIGHUP\n"
"to reload the configuration.";
static gpg_error_t
cmd_reloaddirmngr (assuan_context_t ctx, char *line)
{
(void)ctx;
(void)line;
if (opt.system_daemon)
{
#ifndef HAVE_W32_SYSTEM
{
gpg_err_code_t ec;
assuan_peercred_t cred;
ec = gpg_err_code (assuan_get_peercred (ctx, &cred));
if (!ec && cred->uid)
ec = GPG_ERR_EPERM; /* Only root may terminate. */
if (ec)
return set_error (ec, "no permission to reload this process");
}
#endif
}
dirmngr_sighup_action ();
return 0;
}
/* Tell the assuan library about our commands. */
static int
register_commands (assuan_context_t ctx)
{
static struct {
const char *name;
assuan_handler_t handler;
const char * const help;
} table[] = {
{ "LDAPSERVER", cmd_ldapserver, hlp_ldapserver },
{ "ISVALID", cmd_isvalid, hlp_isvalid },
{ "CHECKCRL", cmd_checkcrl, hlp_checkcrl },
{ "CHECKOCSP", cmd_checkocsp, hlp_checkocsp },
{ "LOOKUP", cmd_lookup, hlp_lookup },
{ "LOADCRL", cmd_loadcrl, hlp_loadcrl },
{ "LISTCRLS", cmd_listcrls, hlp_listcrls },
{ "CACHECERT", cmd_cachecert, hlp_cachecert },
{ "VALIDATE", cmd_validate, hlp_validate },
{ "KEYSERVER", cmd_keyserver, hlp_keyserver },
{ "KS_SEARCH", cmd_ks_search, hlp_ks_search },
{ "KS_GET", cmd_ks_get, hlp_ks_get },
{ "KS_FETCH", cmd_ks_fetch, hlp_ks_fetch },
{ "KS_PUT", cmd_ks_put, hlp_ks_put },
{ "GETINFO", cmd_getinfo, hlp_getinfo },
{ "KILLDIRMNGR",cmd_killdirmngr,hlp_killdirmngr },
{ "RELOADDIRMNGR",cmd_reloaddirmngr,hlp_reloaddirmngr },
{ NULL, NULL }
};
int i, j, rc;
for (i=j=0; table[i].name; i++)
{
rc = assuan_register_command (ctx, table[i].name, table[i].handler,
table[i].help);
if (rc)
return rc;
}
return 0;
}
/* Note that we do not reset the list of configured keyservers. */
static gpg_error_t
reset_notify (assuan_context_t ctx, char *line)
{
ctrl_t ctrl = assuan_get_pointer (ctx);
(void)line;
ldapserver_list_free (ctrl->server_local->ldapservers);
ctrl->server_local->ldapservers = NULL;
return 0;
}
/* Startup the server and run the main command loop. With FD = -1
used stdin/stdout. */
void
start_command_handler (assuan_fd_t fd)
{
static const char hello[] = "Dirmngr " VERSION " at your service";
static char *hello_line;
int rc;
assuan_context_t ctx;
ctrl_t ctrl;
ctrl = xtrycalloc (1, sizeof *ctrl);
if (ctrl)
ctrl->server_local = xtrycalloc (1, sizeof *ctrl->server_local);
if (!ctrl || !ctrl->server_local)
{
log_error (_("can't allocate control structure: %s\n"),
strerror (errno));
xfree (ctrl);
return;
}
dirmngr_init_default_ctrl (ctrl);
rc = assuan_new (&ctx);
if (rc)
{
log_error (_("failed to allocate assuan context: %s\n"),
gpg_strerror (rc));
dirmngr_exit (2);
}
if (fd == ASSUAN_INVALID_FD)
{
assuan_fd_t filedes[2];
filedes[0] = assuan_fdopen (0);
filedes[1] = assuan_fdopen (1);
rc = assuan_init_pipe_server (ctx, filedes);
}
else
{
rc = assuan_init_socket_server (ctx, fd, ASSUAN_SOCKET_SERVER_ACCEPTED);
}
if (rc)
{
assuan_release (ctx);
log_error (_("failed to initialize the server: %s\n"),
gpg_strerror(rc));
dirmngr_exit (2);
}
rc = register_commands (ctx);
if (rc)
{
log_error (_("failed to the register commands with Assuan: %s\n"),
gpg_strerror(rc));
dirmngr_exit (2);
}
if (!hello_line)
{
size_t n;
const char *cfgname;
cfgname = opt.config_filename? opt.config_filename : "[none]";
n = (30 + strlen (opt.homedir) + strlen (cfgname)
+ strlen (hello) + 1);
hello_line = xmalloc (n+1);
snprintf (hello_line, n,
"Home: %s\n"
"Config: %s\n"
"%s",
opt.homedir,
cfgname,
hello);
hello_line[n] = 0;
}
ctrl->server_local->assuan_ctx = ctx;
assuan_set_pointer (ctx, ctrl);
assuan_set_hello_line (ctx, hello_line);
assuan_register_option_handler (ctx, option_handler);
assuan_register_reset_notify (ctx, reset_notify);
for (;;)
{
rc = assuan_accept (ctx);
if (rc == -1)
break;
if (rc)
{
log_info (_("Assuan accept problem: %s\n"), gpg_strerror (rc));
break;
}
#ifndef HAVE_W32_SYSTEM
if (opt.verbose)
{
assuan_peercred_t peercred;
if (!assuan_get_peercred (ctx, &peercred))
log_info ("connection from process %ld (%ld:%ld)\n",
(long)peercred->pid, (long)peercred->uid,
(long)peercred->gid);
}
#endif
rc = assuan_process (ctx);
if (rc)
{
log_info (_("Assuan processing failed: %s\n"), gpg_strerror (rc));
continue;
}
}
ldap_wrapper_connection_cleanup (ctrl);
ldapserver_list_free (ctrl->server_local->ldapservers);
ctrl->server_local->ldapservers = NULL;
ctrl->server_local->assuan_ctx = NULL;
assuan_release (ctx);
if (ctrl->server_local->stopme)
dirmngr_exit (0);
if (ctrl->refcount)
log_error ("oops: connection control structure still referenced (%d)\n",
ctrl->refcount);
else
{
release_ctrl_ocsp_certs (ctrl);
xfree (ctrl->server_local);
xfree (ctrl);
}
}
/* Send a status line back to the client. KEYWORD is the status
- keyword, the optioal string argumenst are blank separated added to
+ keyword, the optional string arguments are blank separated added to
the line, the last argument must be a NULL. */
gpg_error_t
dirmngr_status (ctrl_t ctrl, const char *keyword, ...)
{
gpg_error_t err = 0;
va_list arg_ptr;
const char *text;
va_start (arg_ptr, keyword);
if (ctrl->server_local)
{
assuan_context_t ctx = ctrl->server_local->assuan_ctx;
char buf[950], *p;
size_t n;
p = buf;
n = 0;
while ( (text = va_arg (arg_ptr, const char *)) )
{
if (n)
{
*p++ = ' ';
n++;
}
for ( ; *text && n < DIM (buf)-2; n++)
*p++ = *text++;
}
*p = 0;
err = assuan_write_status (ctx, keyword, buf);
}
va_end (arg_ptr);
return err;
}
+/* Print a help status line. TEXTLEN gives the length of the text
+ from TEXT to be printed. The function splits text at LFs. */
+gpg_error_t
+dirmngr_status_help (ctrl_t ctrl, const char *text)
+{
+ gpg_error_t err = 0;
+
+ if (ctrl->server_local)
+ {
+ assuan_context_t ctx = ctrl->server_local->assuan_ctx;
+ char buf[950], *p;
+ size_t n;
+
+ do
+ {
+ p = buf;
+ n = 0;
+ for ( ; *text && *text != '\n' && n < DIM (buf)-2; n++)
+ *p++ = *text++;
+ if (*text == '\n')
+ text++;
+ *p = 0;
+ err = assuan_write_status (ctx, "#", buf);
+ }
+ while (!err && *text);
+ }
+
+ return err;
+}
+
/* Send a tick progress indicator back. Fixme: This is only does for
the currently active channel. */
gpg_error_t
dirmngr_tick (ctrl_t ctrl)
{
static time_t next_tick = 0;
gpg_error_t err = 0;
time_t now = time (NULL);
if (!next_tick)
{
next_tick = now + 1;
}
else if ( now > next_tick )
{
if (ctrl)
{
err = dirmngr_status (ctrl, "PROGRESS", "tick", "? 0 0", NULL);
if (err)
{
/* Take this as in indication for a cancel request. */
err = gpg_error (GPG_ERR_CANCELED);
}
now = time (NULL);
}
next_tick = now + 1;
}
return err;
}

File Metadata

Mime Type
text/x-diff
Expires
Thu, Feb 5, 9:43 PM (1 d, 13 h)
Storage Engine
local-disk
Storage Format
Raw Data
Storage Handle
bf/24/1c49603c9536fe16e2bf5909ae7e

Event Timeline