[git] GnuPG - branch, master, updated. gnupg-2.1.3-14-gc4d9873

by Werner Koch cvs at cvs.gnupg.org
Tue Apr 21 19:30:54 CEST 2015



The branch, master has been updated
       via  c4d98734c5df39f57a71f0ec1c0c80e82ff08508 (commit)
       via  54e55149f2af96eff08bfd6f70ef13d007fb58c7 (commit)
       via  a0dead5edce07838cf5ff3ec7205a3bff2a6ef70 (commit)
       via  727fe4f8d7d5fc3eac0b0aa6fafa4a314686d7dc (commit)
       via  ae0d65f86413a82a40cf68e08aaeca405eee8c78 (commit)
       via  da1990bac71f6447d8ebd169c3b3b186e9f287d9 (commit)
      from  62b2cee85f15ee083896efdb44d10208ef1212a7 (commit)


- Log -----------------------------------------------------------------
commit c4d98734c5df39f57a71f0ec1c0c80e82ff08508
Author: Werner Koch <wk at gnupg.org>
Date:   Tue Apr 21 19:29:53 2015 +0200

    gpg: Make keyserver-option http_proxy work.
    
    * g10/options.h (opt): Add field keyserver_options.http_proxy.
    * g10/keyserver.c (warn_kshelper_option): Add arg noisy.
    (parse_keyserver_options): Parse into new http_proxy field.
    * g10/call-dirmngr.c (create_context): Send the http-proxy option.

diff --git a/g10/call-dirmngr.c b/g10/call-dirmngr.c
index 26955ab..bb571b2 100644
--- a/g10/call-dirmngr.c
+++ b/g10/call-dirmngr.c
@@ -148,9 +148,24 @@ create_context (ctrl_t ctrl, assuan_context_t *r_ctx)
     }
   else if (!err)
     {
+      char *line;
+
       /* Tell the dirmngr that we want to collect audit event. */
       /* err = assuan_transact (agent_ctx, "OPTION audit-events=1", */
       /*                        NULL, NULL, NULL, NULL, NULL, NULL); */
+      if (opt.keyserver_options.http_proxy)
+        {
+          line = xtryasprintf ("OPTION http-proxy=%s",
+                               opt.keyserver_options.http_proxy);
+          if (!line)
+            err = gpg_error_from_syserror ();
+          else
+            {
+              err = assuan_transact (ctx, line, NULL, NULL, NULL,
+                                     NULL, NULL, NULL);
+              xfree (line);
+            }
+        }
     }
 
   if (err)
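Review bot: The new `char *line;` is declared at the top of the else-block but used only inside the `if (opt.keyserver_options.http_proxy)` branch, and it now separates the "collect audit event" comment from the commented-out transact it describes, so that comment reads as if it introduced the proxy code. Move the declaration into the branch and give the branch its own comment, e.g. `/* Pass the keyserver-option http-proxy on to dirmngr; it replaces the proxy configured there for this session.  */`. The value is copied into the Assuan line unchecked, so a malformed proxy string appears to be diagnosed only when dirmngr first tries to use it (see the send_request change in this series), not at option parsing time. create_context continues outside the hunk.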
diff --git a/g10/keyserver.c b/g10/keyserver.c
index 674eb81..abe4bde 100644
--- a/g10/keyserver.c
+++ b/g10/keyserver.c
@@ -92,11 +92,11 @@ static struct parse_options keyserver_opts[]=
     /* some of these options are not real - just for the help
        message */
     {"max-cert-size",0,NULL,NULL},  /* MUST be the first in this array! */
+    {"http-proxy", KEYSERVER_HTTP_PROXY, NULL, /* MUST be the second!  */
+     N_("override proxy options set for dirmngr")},
 
     {"include-revoked",0,NULL,N_("include revoked keys in search results")},
     {"include-subkeys",0,NULL,N_("include subkeys when searching by key ID")},
-    {"http-proxy", KEYSERVER_HTTP_PROXY, NULL,
-     N_("override proxy options set for dirmngr")},
     {"timeout", KEYSERVER_TIMEOUT, NULL,
      N_("override timeout options set for dirmngr")},
     {"refresh-add-fake-v3-keyids",KEYSERVER_ADD_FAKE_V3,NULL,
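Review bot: The `/* MUST be the second!  */` comment ties `http-proxy` to array index 1, which parse_keyserver_options then depends on through `keyserver_opts[1].value=&opt.keyserver_options.http_proxy;` in a later hunk of this file; two entries pinned by comments at both ends are easy to break on the next reorder of the table. A named index used in both places, e.g. `enum { KSOPT_IDX_MAX_CERT_SIZE = 0, KSOPT_IDX_HTTP_PROXY = 1 };` (constructed name), or a small lookup of the entry by its option name, would make the coupling explicit and checkable. The keyserver_opts initializer begins before this hunk.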
@@ -124,8 +124,9 @@ static gpg_error_t keyserver_put (ctrl_t ctrl, strlist_t keyspecs,
 
 static size_t max_cert_size=DEFAULT_MAX_CERT_SIZE;
 
+
 static void
-warn_kshelper_option(char *option)
+warn_kshelper_option(char *option, int noisy)
 {
   char *p;
 
@@ -139,9 +140,12 @@ warn_kshelper_option(char *option)
   else if (!strcmp (option, "check-cert")
            || !strcmp (option, "broken-http-proxy"))
     log_info ("keyserver option '%s' is obsolete\n", option);
+  else if (noisy || opt.verbose)
+    log_info ("keyserver option '%s' is unknown\n", option);
 }
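Review bot: The new `noisy` argument of warn_kshelper_option is undocumented, and its effect is only visible from the last branch where unknown options are reported when `noisy || opt.verbose`. Suggest a comment above the function: `/* Warn about OPTION, an option meant for the old keyserver helpers.  With NOISY set an unknown option is always reported, otherwise only in verbose mode.  */`. The function's signature is in the previous hunk and the start of the if-chain lies between the two hunks.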
 
 
+/* Called from main to parse the args for --keyserver-options.  */
 int
 parse_keyserver_options(char *options)
 {
@@ -150,6 +154,7 @@ parse_keyserver_options(char *options)
   char *max_cert=NULL;
 
   keyserver_opts[0].value=&max_cert;
+  keyserver_opts[1].value=&opt.keyserver_options.http_proxy;
 
   while((tok=optsep(&options)))
     {
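Review bot: `keyserver_opts[1].value=&opt.keyserver_options.http_proxy;` hands parse_options a pointer to a `char *` that may already hold a string when --keyserver-options is given more than once or the function is called again; whether the earlier value is freed or just overwritten depends on parse_options, which is not in this hunk, so either confirm that or release the old string before parsing. A short comment at this line stating the ownership, e.g. `/* Malloced by parse_options; freed there on reassignment — confirm.  */`, would record the answer. parse_keyserver_options starts and ends outside this hunk.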
@@ -166,7 +171,7 @@ parse_keyserver_options(char *options)
 	{
 	  /* All of the standard options have failed, so the option was
 	     destined for a keyserver plugin as used by GnuPG < 2.1 */
-	  warn_kshelper_option (tok);
+	  warn_kshelper_option (tok, 1);
 	}
     }
 
@@ -259,7 +264,7 @@ parse_keyserver_uri (const char *string,int require_scheme)
       options++;
 
       while((tok=optsep(&options)))
-	warn_kshelper_option (tok);
+	warn_kshelper_option (tok, 0);
     }
 
   /* Get the scheme */
diff --git a/g10/options.h b/g10/options.h
index 75032a5..465c5b2 100644
--- a/g10/options.h
+++ b/g10/options.h
@@ -148,6 +148,7 @@ struct
     unsigned int options;
     unsigned int import_options;
     unsigned int export_options;
+    char *http_proxy;
   } keyserver_options;
   int exec_disable;
   int exec_path_set;
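Review bot: The new `http_proxy` member has no comment saying where it comes from or whether the struct owns the string, although the series frees the corresponding dirmngr field in a deinit function; suggest `char *http_proxy;  /* Value of keyserver-option http-proxy, or NULL.  Malloced.  */`, adjusting "Malloced" once the ownership is confirmed against parse_options. The enclosing struct begins before this hunk.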

commit 54e55149f2af96eff08bfd6f70ef13d007fb58c7
Author: Werner Koch <wk at gnupg.org>
Date:   Tue Apr 21 19:27:22 2015 +0200

    common: Make proper use of http proxy parameter.
    
    * common/http.c (is_hostname_port): New.
    (send_request): Fix proxy name parsing.
    --
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/common/http.c b/common/http.c
index 118e3b0..c2cac16 100644
--- a/common/http.c
+++ b/common/http.c
@@ -2,7 +2,7 @@
  * Copyright (C) 1999, 2001, 2002, 2003, 2004, 2006, 2009, 2010,
  *               2011 Free Software Foundation, Inc.
  * Copyright (C) 2014 Werner Koch
- * Copyright (C) 2015  g10 Code GmbH
+ * Copyright (C) 2015 g10 Code GmbH
  *
  * This file is part of GnuPG.
  *
@@ -1394,6 +1394,33 @@ parse_tuple (char *string)
 }
 
 
+/* Return true if STRING is likely "hostname:port" or only "hostname".  */
+static int
+is_hostname_port (const char *string)
+{
+  int colons = 0;
+
+  if (!string || !*string)
+    return 0;
+  for (; *string; string++)
+    {
+      if (*string == ':')
+        {
+          if (colons)
+            return 0;
+          if (!string[1])
+            return 0;
+          colons++;
+        }
+      else if (!colons && strchr (" \t\f\n\v_@[]/", *string))
+        return 0; /* Invalid characters in hostname. */
+      else if (colons && !digitp (string))
+        return 0; /* Not a digit in the port.  */
+    }
+  return 1;
+}
+
+
 /*
  * Send a HTTP request to the server
  * Returns 0 if the request was successful
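Review bot: A leading colon passes is_hostname_port: for `:8080` the first character is a colon, `colons` is still 0 so `if (colons)` does not fire, `string[1]` is non-empty, and the remaining characters are digits, so the function returns 1 and send_request retries with `http://:8080`. Remember the start of the string and reject an empty host: `const char *start = string;` before the loop and `if (colons || string == start || !string[1]) return 0;` in place of the two separate tests in the colon branch. The port digits are not range-checked here either; that may be acceptable if parse_uri rejects values above 65535, which is not visible in this hunk.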
@@ -1474,8 +1501,26 @@ send_request (http_t hd, const char *httphost, const char *auth,
       if (proxy)
 	http_proxy = proxy;
 
-      err = parse_uri (&uri, http_proxy, 0,
-                       !!(hd->flags & HTTP_FLAG_FORCE_TLS));
+      err = parse_uri (&uri, http_proxy, 1, 0);
+      if (gpg_err_code (err) == GPG_ERR_INV_URI
+          && is_hostname_port (http_proxy))
+        {
+          /* Retry assuming a "hostname:port" string.  */
+          char *tmpname = strconcat ("http://", http_proxy, NULL);
+          if (tmpname && !parse_uri (&uri, tmpname, 0, 0))
+            err = 0;
+          xfree (tmpname);
+        }
+
+      if (err)
+        ;
+      else if (!strcmp (uri->scheme, "http") || !strcmp (uri->scheme, "socks4"))
+        ;
+      else if (!strcmp (uri->scheme, "socks5h"))
+        err = gpg_err_make (default_errsource, GPG_ERR_NOT_IMPLEMENTED);
+      else
+        err = gpg_err_make (default_errsource, GPG_ERR_INV_URI);
+
       if (err)
 	{
 	  log_error ("invalid HTTP proxy (%s): %s\n",
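Review bot: When `strconcat` returns NULL in the retry branch, `err` keeps the earlier GPG_ERR_INV_URI and the user is told the proxy is invalid instead of being told memory ran out; write `if (!tmpname) err = gpg_error_from_syserror (); else if (!parse_uri (&uri, tmpname, 0, 0)) err = 0;`. The failed first `parse_uri (&uri, ...)` and the retry both write `uri`; if parse_uri leaves anything allocated in `uri` on failure the retry leaks it, which is worth confirming against parse_uri. The allow-list of `http` and `socks4` with an explicit GPG_ERR_NOT_IMPLEMENTED for `socks5h` is clearer than the old path; send_request continues outside the hunk.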

commit a0dead5edce07838cf5ff3ec7205a3bff2a6ef70
Author: Werner Koch <wk at gnupg.org>
Date:   Tue Apr 21 17:14:53 2015 +0200

    dirmngr: Add http proxy support for keyservers.
    
    * dirmngr/dirmngr.h (server_control_s): Add field http_proxy.
    * dirmngr/dirmngr.c (dirmngr_init_default_ctrl): Copy http_proxy value
    from OPT.
    (dirmngr_deinit_default_ctrl): New.
    (main): Call dirmngr_deinit_default_ctrl.
    * dirmngr/server.c (start_command_handler): Ditto.
    (option_handler): Add option "http-proxy".
    * dirmngr/crlfetch.c (crl_fetch): Take http_proxy from CTRL.
    * dirmngr/ocsp.c (do_ocsp_request): Ditto.
    * dirmngr/ks-engine-hkp.c (send_request): Add proxy support.
    * dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/dirmngr/crlfetch.c b/dirmngr/crlfetch.c
index 2c4a247..3b3916a 100644
--- a/dirmngr/crlfetch.c
+++ b/dirmngr/crlfetch.c
@@ -157,10 +157,6 @@ crl_fetch (ctrl_t ctrl, const char *url, ksba_reader_t *reader)
   char *free_this = NULL;
   int redirects_left = 2; /* We allow for 2 redirect levels.  */
 
-#ifndef USE_LDAP
-  (void)ctrl;
-#endif
-
   *reader = NULL;
 
   if (!url)
@@ -202,7 +198,7 @@ crl_fetch (ctrl_t ctrl, const char *url, ksba_reader_t *reader)
         err = http_open_document (&hd, url, NULL,
                                   (opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0)
                                   |(DBG_LOOKUP? HTTP_FLAG_LOG_RESP:0),
-                                  opt.http_proxy, NULL, NULL, NULL);
+                                  ctrl->http_proxy, NULL, NULL, NULL);
 
       switch ( err? 99999 : http_get_status_code (hd) )
         {
diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
index 4c17c8c..437c6eb 100644
--- a/dirmngr/dirmngr.c
+++ b/dirmngr/dirmngr.c
@@ -1277,6 +1277,7 @@ main (int argc, char **argv)
           for (; !rc && argc; argc--, argv++)
             rc = crl_cache_load (&ctrlbuf, *argv);
         }
+      dirmngr_deinit_default_ctrl (&ctrlbuf);
     }
   else if (cmd == aFetchCRL)
     {
@@ -1306,6 +1307,7 @@ main (int argc, char **argv)
                        argv[0], gpg_strerror (rc));
           crl_close_reader (reader);
         }
+      dirmngr_deinit_default_ctrl (&ctrlbuf);
     }
   else if (cmd == aFlush)
     {
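Review bot: `dirmngr_deinit_default_ctrl (&ctrlbuf)` is added to the two command branches shown in this and the previous hunk, but main's other branches that set up `ctrlbuf` are outside the diff; any of them that also calls dirmngr_init_default_ctrl now leaks the copied `http_proxy` string unless it gets the matching call. A single deinit after the whole command if/else chain would remove the need to pair the calls per branch. main starts and ends outside these hunks.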
@@ -1465,9 +1467,18 @@ dirmngr_exit (int rc)
 void
 dirmngr_init_default_ctrl (ctrl_t ctrl)
 {
-  (void)ctrl;
+  if (opt.http_proxy)
+    ctrl->http_proxy = xstrdup (opt.http_proxy);
+}
+
 
-  /* Nothing for now. */
+void
+dirmngr_deinit_default_ctrl (ctrl_t ctrl)
+{
+  if (!ctrl)
+    return;
+  xfree (ctrl->http_proxy);
+  ctrl->http_proxy = NULL;
 }
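Review bot: dirmngr_init_default_ctrl assigns `ctrl->http_proxy` only when `opt.http_proxy` is set, so it relies on the caller having zeroed CTRL and leaks the previous string if called twice on the same CTRL, and neither precondition is written down. Suggest a comment above it, `/* Initialise CTRL, which must be zero-initialised, from the global options.  Pair with dirmngr_deinit_default_ctrl.  */`, and an unconditional assignment `ctrl->http_proxy = opt.http_proxy? xstrdup (opt.http_proxy) : NULL;` so the field is defined regardless of the caller. Resetting the pointer to NULL after xfree in dirmngr_deinit_default_ctrl is the right pattern and makes a second deinit harmless.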
 
 
diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h
index 56abc86..4f037e7 100644
--- a/dirmngr/dirmngr.h
+++ b/dirmngr/dirmngr.h
@@ -99,7 +99,7 @@ struct
   int disable_http;       /* Do not use HTTP at all.  */
   int disable_ldap;       /* Do not use LDAP at all.  */
   int honor_http_proxy;   /* Honor the http_proxy env variable. */
-  const char *http_proxy; /* Use given HTTP proxy.  */
+  const char *http_proxy; /* The default HTTP proxy.  */
   const char *ldap_proxy; /* Use given LDAP proxy.  */
   int only_ldap_proxy;    /* Only use the LDAP proxy; no fallback.  */
   int ignore_http_dp;     /* Ignore HTTP CRL distribution points.  */
@@ -174,12 +174,14 @@ struct server_control_s
                             response. */
 
   int audit_events;  /* Send audit events to client.  */
+  char *http_proxy;  /* The used http_proxy or NULL.  */
 };
 
 
 /*-- dirmngr.c --*/
 void dirmngr_exit( int );  /* Wrapper for exit() */
 void dirmngr_init_default_ctrl (ctrl_t ctrl);
+void dirmngr_deinit_default_ctrl (ctrl_t ctrl);
 void dirmngr_sighup_action (void);
 
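Review bot: The comment on the new server_control_s member, `/* The used http_proxy or NULL.  */`, does not say that the string is owned by the struct, which is exactly what distinguishes it from `opt.http_proxy` above, a `const char *` that is not freed. Suggest `char *http_proxy;  /* Malloced proxy string used for this session, or NULL.  Released by dirmngr_deinit_default_ctrl.  */`. The struct begins before this hunk.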
 
diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index fcdd71e..a010411 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -965,8 +965,8 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
                    request,
                    httphost,
                    /* fixme: AUTH */ NULL,
-                   httpflags,
-                   /* fixme: proxy*/ NULL,
+                   (httpflags | (opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0)),
+                   ctrl->http_proxy,
                    session,
                    NULL,
                    /*FIXME curl->srvtag*/NULL);
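Review bot: The pair `(httpflags | (opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0))` plus `ctrl->http_proxy` is now spelled out at four call sites in this series — here, in ks_http_fetch, crl_fetch and do_ocsp_request — so a future change to the proxy policy has to be made in four places. A one-line helper declared next to the ctrl functions, e.g. `static inline unsigned int dirmngr_proxy_flags (void) { return opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY : 0; }` (constructed name), would keep the policy in one spot. The http_open call and send_request start and end outside this hunk.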
diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c
index e4c2b78..13e51c6 100644
--- a/dirmngr/ks-engine-http.c
+++ b/dirmngr/ks-engine-http.c
@@ -77,8 +77,8 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
                    url,
                    /* httphost */ NULL,
                    /* fixme: AUTH */ NULL,
-                   0,
-                   /* fixme: proxy*/ NULL,
+                   (opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0),
+                   ctrl->http_proxy,
                    session,
                    NULL,
                    /*FIXME curl->srvtag*/NULL);
diff --git a/dirmngr/ocsp.c b/dirmngr/ocsp.c
index f8c437d..8971b9f 100644
--- a/dirmngr/ocsp.c
+++ b/dirmngr/ocsp.c
@@ -166,7 +166,7 @@ do_ocsp_request (ctrl_t ctrl, ksba_ocsp_t ocsp, gcry_md_hd_t md,
  once_more:
   err = http_open (&http, HTTP_REQ_POST, url, NULL, NULL,
                    (opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0),
-                   opt.http_proxy, NULL, NULL, NULL);
+                   ctrl->http_proxy, NULL, NULL, NULL);
   if (err)
     {
       log_error (_("error connecting to '%s': %s\n"), url, gpg_strerror (err));
diff --git a/dirmngr/server.c b/dirmngr/server.c
index 3e6d99d..c0f63ac 100644
--- a/dirmngr/server.c
+++ b/dirmngr/server.c
@@ -582,6 +582,7 @@ static gpg_error_t
 option_handler (assuan_context_t ctx, const char *key, const char *value)
 {
   ctrl_t ctrl = assuan_get_pointer (ctx);
+  gpg_error_t err = 0;
 
   if (!strcmp (key, "force-crl-refresh"))
     {
@@ -593,12 +594,21 @@ option_handler (assuan_context_t ctx, const char *key, const char *value)
       int i = *value? atoi (value) : 0;
       ctrl->audit_events = i;
     }
+  else if (!strcmp (key, "http-proxy"))
+    {
+      xfree (ctrl->http_proxy);
+      if (!*value || !strcmp (value, "none"))
+        ctrl->http_proxy = NULL;
+      else if (!(ctrl->http_proxy = xtrystrdup (value)))
+        err = gpg_error_from_syserror ();
+    }
   else
-    return gpg_error (GPG_ERR_UNKNOWN_OPTION);
+    err = gpg_error (GPG_ERR_UNKNOWN_OPTION);
 
-  return 0;
+  return err;
 }
 
+
 static const char hlp_ldapserver[] =
   "LDAPSERVER <data>\n"
   "\n"
@@ -1633,7 +1643,7 @@ static const char hlp_ks_get[] =
   "\n"
   "Get the keys matching PATTERN from the configured OpenPGP keyservers\n"
   "(see command KEYSERVER).  Each pattern should be a keyid, a fingerprint,\n"
-  "or an exact name indicastes by the '=' prefix.";
+  "or an exact name indicated by the '=' prefix.";
 static gpg_error_t
 cmd_ks_get (assuan_context_t ctx, char *line)
 {
@@ -2096,6 +2106,7 @@ start_command_handler (assuan_fd_t fd)
     {
       release_ctrl_ocsp_certs (ctrl);
       xfree (ctrl->server_local);
+      dirmngr_deinit_default_ctrl (ctrl);
       xfree (ctrl);
     }
 }

commit 727fe4f8d7d5fc3eac0b0aa6fafa4a314686d7dc
Author: Werner Koch <wk at gnupg.org>
Date:   Tue Apr 21 15:46:13 2015 +0200

    gpg: Do not use honor-keyserver-url sub-option by default.

diff --git a/doc/gpg.texi b/doc/gpg.texi
index 899c6b8..2e72309 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -1586,12 +1586,14 @@ are available for all keyserver types, some common options are:
   keyserver URL, then use that preferred keyserver to refresh the key
   from. In addition, if auto-key-retrieve is set, and the signature
   being verified has a preferred keyserver URL, then use that preferred
-  keyserver to fetch the key from. Defaults to yes.
+  keyserver to fetch the key from. Note that this option introduces a
+  "web bug": The creator of the key can see when the keys is
+  refreshed.  Thus this option is not enabled by default.
 
   @item honor-pka-record
   If auto-key-retrieve is set, and the signature being verified has a
   PKA record, then use the PKA information to fetch the key. Defaults
-  to yes.
+  to "yes".
 
   @item include-subkeys
   When receiving a key, include subkeys as potential targets. Note that
diff --git a/g10/gpg.c b/g10/gpg.c
index aec6e80..13d6884 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -2128,8 +2128,7 @@ main (int argc, char **argv)
     opt.export_options = EXPORT_ATTRIBUTES;
     opt.keyserver_options.import_options = IMPORT_REPAIR_PKS_SUBKEY_BUG;
     opt.keyserver_options.export_options = EXPORT_ATTRIBUTES;
-    opt.keyserver_options.options = (KEYSERVER_HONOR_KEYSERVER_URL
-                                     | KEYSERVER_HONOR_PKA_RECORD );
+    opt.keyserver_options.options = KEYSERVER_HONOR_PKA_RECORD;
     opt.verify_options = (LIST_SHOW_UID_VALIDITY
                           | VERIFY_SHOW_POLICY_URLS
                           | VERIFY_SHOW_STD_NOTATIONS
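Review bot: The reason for dropping KEYSERVER_HONOR_KEYSERVER_URL from the default lives only in the commit message and gpg.texi; a comment at the assignment would keep it with the code, e.g. `/* HONOR_KEYSERVER_URL is off by default: a key's preferred keyserver lets the key's creator observe when it is refreshed (see gpg.texi).  */`. main starts and ends outside this hunk.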

commit ae0d65f86413a82a40cf68e08aaeca405eee8c78
Author: Werner Koch <wk at gnupg.org>
Date:   Tue Apr 21 15:36:30 2015 +0200

    gpg: Make preferred keyservers work.
    
    * g10/call-dirmngr.c (dirmngr_local_s): Add field set_keyservers_done.
    (create_context): Move keyserver setting to ...
    (open_context): here.
    (clear_context_flags): New.
    (gpg_dirmngr_ks_get): Add arg override_keyserver.
    * g10/keyserver.c (keyserver_refresh): Improve diagnostics.
    (keyserver_get_chunk): Ditto.  Pass OVERRIDE_KEYSERVER to ks_get.
    --
    
    It used to ignore the given server but showed a diagnostic saying that
    it would be used.

diff --git a/g10/call-dirmngr.c b/g10/call-dirmngr.c
index ef4ca76..26955ab 100644
--- a/g10/call-dirmngr.c
+++ b/g10/call-dirmngr.c
@@ -94,6 +94,9 @@ struct dirmngr_local_s
   /* The active Assuan context. */
   assuan_context_t ctx;
 
+  /* Flag set when the keyserver names have been send.  */
+  int set_keyservers_done;
+
   /* Flag set to true while an operation is running on CTX.  */
   int is_active;
 };
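Review bot: The new flag's comment `/* Flag set when the keyserver names have been send.  */` should read "sent", and it would help to say who resets it: `/* Set once the configured keyservers have been sent to this session; cleared by clear_context_flags after an override keyserver was used.  */`. The struct begins before this hunk.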
@@ -145,32 +148,9 @@ create_context (ctrl_t ctrl, assuan_context_t *r_ctx)
     }
   else if (!err)
     {
-      keyserver_spec_t ksi;
-
       /* Tell the dirmngr that we want to collect audit event. */
       /* err = assuan_transact (agent_ctx, "OPTION audit-events=1", */
       /*                        NULL, NULL, NULL, NULL, NULL, NULL); */
-
-      /* Set all configured keyservers.  We clear existing keyservers
-         so that any keyserver configured in GPG overrides keyservers
-         possibly still configured in Dirmngr for the session (Note
-         that the keyserver list of a session in Dirmngr survives a
-         RESET. */
-      for (ksi = opt.keyserver; !err && ksi; ksi = ksi->next)
-        {
-          char *line;
-
-          line = xtryasprintf ("KEYSERVER%s %s",
-                               ksi == opt.keyserver? " --clear":"", ksi->uri);
-          if (!line)
-            err = gpg_error_from_syserror ();
-          else
-            {
-              err = assuan_transact (ctx, line,
-                                     NULL, NULL, NULL, NULL, NULL, NULL);
-              xfree (line);
-            }
-        }
     }
 
   if (err)
@@ -205,7 +185,42 @@ open_context (ctrl_t ctrl, assuan_context_t *r_ctx)
         {
           /* Found an inactive local session - return that.  */
           assert (!dml->is_active);
+
+          /* But first do the per session init if not yet done.  */
+          if (!dml->set_keyservers_done)
+            {
+              keyserver_spec_t ksi;
+
+              /* Set all configured keyservers.  We clear existing
+                 keyservers so that any keyserver configured in GPG
+                 overrides keyservers possibly still configured in Dirmngr
+                 for the session (Note that the keyserver list of a
+                 session in Dirmngr survives a RESET. */
+              for (ksi = opt.keyserver; ksi; ksi = ksi->next)
+                {
+                  char *line;
+
+                  line = xtryasprintf
+                    ("KEYSERVER%s %s",
+                     ksi == opt.keyserver? " --clear":"", ksi->uri);
+                  if (!line)
+                    err = gpg_error_from_syserror ();
+                  else
+                    {
+                      err = assuan_transact (dml->ctx, line, NULL, NULL, NULL,
+                                             NULL, NULL, NULL);
+                      xfree (line);
+                    }
+
+                  if (err)
+                    return err;
+                }
+
+              dml->set_keyservers_done = 1;
+            }
+
           dml->is_active = 1;
+
           *r_ctx = dml->ctx;
           return 0;
         }
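Review bot: When `opt.keyserver` is NULL the loop sends nothing but `set_keyservers_done` is still set, so a `KEYSERVER --clear <uri>` sent earlier by gpg_dirmngr_ks_get for an override keyserver appears to stay configured in the dirmngr session and to be reused by later operations that did not ask for it. If dirmngr accepts `KEYSERVER --clear` without a URI, sending that when the list is empty would reset the session; otherwise set the flag only after at least one keyserver was actually sent. Returning `err` mid-loop leaves the flag clear so the next open_context restarts from `--clear`, which is fine. The comment `(Note that the keyserver list of a session in Dirmngr survives a RESET.` lacks its closing parenthesis; open_context starts and ends outside this hunk.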
@@ -219,6 +234,7 @@ open_context (ctrl_t ctrl, assuan_context_t *r_ctx)
           xfree (dml);
           return err;
         }
+
       /* To be on the nPth thread safe site we need to add it to a
          list; this is far easier than to have a lock for this
          function.  It should not happen anyway but the code is free
@@ -253,6 +269,29 @@ close_context (ctrl_t ctrl, assuan_context_t ctx)
 }
 
 
+/* Clear the set_keyservers_done flag on context CTX.  */
+static void
+clear_context_flags (ctrl_t ctrl, assuan_context_t ctx)
+{
+  dirmngr_local_t dml;
+
+  if (!ctx)
+    return;
+
+  for (dml = ctrl->dirmngr_local; dml; dml = dml->next)
+    {
+      if (dml->ctx == ctx)
+        {
+          if (!dml->is_active)
+            log_fatal ("clear_context_flags on inactive dirmngr ctx %p\n", ctx);
+          dml->set_keyservers_done = 0;
+          return;
+        }
+    }
+  log_fatal ("clear_context_flags on unknown dirmngr ctx %p\n", ctx);
+}
+
+
 

 /* Status callback for ks_get and ks_search.  */
 static gpg_error_t
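Review bot: The comment on clear_context_flags says only that the flag is cleared, while the body calls log_fatal when CTX is not the active context of CTRL, so that precondition should be part of the contract: `/* Clear the set_keyservers_done flag on context CTX, which must be an active context of CTRL; anything else is a programming error and aborts.  */`. The `if (!ctx) return;` early-out is the one exception and could be mentioned in the same comment.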
@@ -453,6 +492,7 @@ ks_get_data_cb (void *opaque, const void *data, size_t datalen)
    are able to ask for (1000-10-1)/(2+8+1) = 90 keys at once.  */
 gpg_error_t
 gpg_dirmngr_ks_get (ctrl_t ctrl, char **pattern,
+                    keyserver_spec_t override_keyserver,
                     estream_t *r_fp, char **r_source)
 {
   gpg_error_t err;
@@ -475,6 +515,27 @@ gpg_dirmngr_ks_get (ctrl_t ctrl, char **pattern,
   if (err)
     return err;
 
+  /* If we have an override keyserver we first indicate that the next
+     user of the context needs to again setup the global keyservers and
+     them we send the override keyserver.  */
+  if (override_keyserver)
+    {
+      clear_context_flags (ctrl, ctx);
+      line = xtryasprintf ("KEYSERVER --clear %s", override_keyserver->uri);
+      if (!line)
+        {
+          err = gpg_error_from_syserror ();
+          goto leave;
+        }
+      err = assuan_transact (ctx, line, NULL, NULL, NULL,
+                             NULL, NULL, NULL);
+      if (err)
+        goto leave;
+
+      xfree (line);
+      line = NULL;
+    }
+
   /* Lump all patterns into one string.  */
   init_membuf (&mb, 1024);
   put_membuf_str (&mb, "KS_GET --");
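Review bot: `override_keyserver->uri` is copied unchanged into the `KEYSERVER --clear %s` Assuan line, and as far as this series shows the override can come from a key's preferred-keyserver URL (keyserver_refresh takes it from `desc[i].skipfncvalue`), i.e. from data chosen by the key's creator rather than by the local user. Whether that URI was already checked for embedded whitespace or control characters depends on parse_keyserver_uri, which is not in this hunk; if it was not, the check belongs before the string is sent so that a bad URI is rejected with a clear error rather than producing a malformed command. `clear_context_flags` runs before the transact, so on xtryasprintf failure the flag is cleared without anything having been sent, which only costs a re-send on the next open. The `goto leave` paths rely on `leave:` freeing `line`; gpg_dirmngr_ks_get continues outside the hunk.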
diff --git a/g10/call-dirmngr.h b/g10/call-dirmngr.h
index 481b948..bae1123 100644
--- a/g10/call-dirmngr.h
+++ b/g10/call-dirmngr.h
@@ -25,6 +25,7 @@ gpg_error_t gpg_dirmngr_ks_search (ctrl_t ctrl, const char *searchstr,
                                    gpg_error_t (*cb)(void*, int, char *),
                                    void *cb_value);
 gpg_error_t gpg_dirmngr_ks_get (ctrl_t ctrl, char *pattern[],
+                                keyserver_spec_t override_keyserver,
                                 estream_t *r_fp, char **r_source);
 gpg_error_t gpg_dirmngr_ks_fetch (ctrl_t ctrl,
                                   const char *url, estream_t *r_fp);
diff --git a/g10/keyserver.c b/g10/keyserver.c
index 3aed54b..674eb81 100644
--- a/g10/keyserver.c
+++ b/g10/keyserver.c
@@ -112,7 +112,7 @@ static struct parse_options keyserver_opts[]=
 
 static gpg_error_t keyserver_get (ctrl_t ctrl,
                                   KEYDB_SEARCH_DESC *desc, int ndesc,
-                                  struct keyserver_spec *keyserver,
+                                  struct keyserver_spec *override_keyserver,
                                   unsigned char **r_fpr, size_t *r_fprlen);
 static gpg_error_t keyserver_put (ctrl_t ctrl, strlist_t keyspecs,
                                   struct keyserver_spec *keyserver);
@@ -1394,6 +1394,9 @@ keyserver_refresh (ctrl_t ctrl, strlist_t users)
 	    {
 	      struct keyserver_spec *keyserver=desc[i].skipfncvalue;
 
+              if (!opt.quiet)
+                log_info (_("refreshing 1 key from %s\n"), keyserver->uri);
+
 	      /* We use the keyserver structure we parsed out before.
 		 Note that a preferred keyserver without a scheme://
 		 will be interpreted as hkp:// */
@@ -1418,7 +1421,7 @@ keyserver_refresh (ctrl_t ctrl, strlist_t users)
 
   if(count>0)
     {
-      if(opt.keyserver)
+      if(opt.keyserver && !opt.quiet)
 	{
 	  if(count==1)
 	    log_info(_("refreshing 1 key from %s\n"),opt.keyserver->uri);
@@ -1556,7 +1559,7 @@ static gpg_error_t
 keyserver_get_chunk (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
                      int *r_ndesc_used,
                      void *stats_handle,
-                     struct keyserver_spec *keyserver,
+                     struct keyserver_spec *override_keyserver,
                      unsigned char **r_fpr, size_t *r_fprlen)
 
 {
@@ -1672,15 +1675,15 @@ keyserver_get_chunk (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
           return err;
         }
 
-      if (!quiet && keyserver)
+      if (!quiet && override_keyserver)
         {
-          if (keyserver->host)
+          if (override_keyserver->host)
             log_info (_("requesting key %s from %s server %s\n"),
                       keystr_from_desc (&desc[idx]),
-                      keyserver->scheme, keyserver->host);
+                      override_keyserver->scheme, override_keyserver->host);
           else
             log_info (_("requesting key %s from %s\n"),
-                      keystr_from_desc (&desc[idx]), keyserver->uri);
+                      keystr_from_desc (&desc[idx]), override_keyserver->uri);
         }
     }
 
@@ -1688,7 +1691,8 @@ keyserver_get_chunk (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
      this is different from NPAT.  */
   *r_ndesc_used = idx;
 
-  err = gpg_dirmngr_ks_get (ctrl, pattern, &datastream, &source);
+  err = gpg_dirmngr_ks_get (ctrl, pattern, override_keyserver,
+                            &datastream, &source);
   for (idx=0; idx < npat; idx++)
     xfree (pattern[idx]);
   xfree (pattern);
@@ -1728,12 +1732,12 @@ keyserver_get_chunk (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
 
 /* Retrieve a key from a keyserver.  The search pattern are in
    (DESC,NDESC).  Allowed search modes are keyid, fingerprint, and
-   exact searches.  KEYSERVER gives an optional override keyserver. If
-   (R_FPR,R_FPRLEN) are not NULL, they may return the fingerprint of a
-   single imported key.  */
+   exact searches.  OVERRIDE_KEYSERVER gives an optional override
+   keyserver. If (R_FPR,R_FPRLEN) are not NULL, they may return the
+   fingerprint of a single imported key.  */
 static gpg_error_t
 keyserver_get (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
-               struct keyserver_spec *keyserver,
+               struct keyserver_spec *override_keyserver,
                unsigned char **r_fpr, size_t *r_fprlen)
 {
   gpg_error_t err;
@@ -1746,7 +1750,7 @@ keyserver_get (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
   for (;;)
     {
       err = keyserver_get_chunk (ctrl, desc, ndesc, &ndesc_used, stats_handle,
-                                 keyserver, r_fpr, r_fprlen);
+                                 override_keyserver, r_fpr, r_fprlen);
       if (!err)
         any_good = 1;
       if (err || ndesc_used >= ndesc)

commit da1990bac71f6447d8ebd169c3b3b186e9f287d9
Author: Werner Koch <wk at gnupg.org>
Date:   Tue Apr 21 10:15:04 2015 +0200

    gpg: Update sub-options of --keyserver-options
    
    * g10/options.h (KEYSERVER_HTTP_PROXY): New.
    (KEYSERVER_USE_TEMP_FILES, KEYSERVER_KEEP_TEMP_FILES): Remove.
    (KEYSERVER_TIMEOUT): New.
    * common/keyserver.h (KEYSERVER_TIMEOUT): Remove.
    * g10/keyserver.c (keyserver_opts): Remove obsolete "use-temp-files"
    and "keep-temp-files". Add "http-proxy" and "timeout".
    (parse_keyserver_options): Remove 1.2 compatibility option
    "honor-http_proxy".  Remove "use-temp-files" and "keep-temp-files"
    code.
    --
    
    Note that many of these options were implicitly used by passing any
    unknown option down to the former keyserver helpers.  They don't exist
    anymore thus we need to make them explicit.  Another patch will convey
    them to dirmngr.  Temp files are not anymore used thus they can be
    removed and will be ignored when used.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/common/keyserver.h b/common/keyserver.h
index d286f7d..d56b4f4 100644
--- a/common/keyserver.h
+++ b/common/keyserver.h
@@ -34,7 +34,6 @@
 #define KEYSERVER_KEY_EXISTS       7 /* key already exists */
 #define KEYSERVER_KEY_INCOMPLETE   8 /* key incomplete (EOF) */
 #define KEYSERVER_UNREACHABLE      9 /* unable to contact keyserver */
-#define KEYSERVER_TIMEOUT         10 /* timeout while accessing keyserver */
 
 /* Must be 127 due to shell internal magic. */
 #define KEYSERVER_SCHEME_NOT_FOUND 127
diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
index 6c413de..cf35c47 100644
--- a/doc/dirmngr.texi
+++ b/doc/dirmngr.texi
@@ -269,7 +269,7 @@ value to access HTTP servers.
 @item --http-proxy @var{host}[:@var{port}]
 @opindex http-proxy
 Use @var{host} and @var{port} to access HTTP servers.  The use of this
-options overrides the environment variable @env{http_proxy} regardless
+option overrides the environment variable @env{http_proxy} regardless
 whether @option{--honor-http-proxy} has been set.
 
 
diff --git a/doc/gpg.texi b/doc/gpg.texi
index 393cf24..899c6b8 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -1545,7 +1545,7 @@ need to send keys to more than one server. The keyserver
 @code{hkp://keys.gnupg.net} uses round robin DNS to give a different
 keyserver each time you use it.
 
- at item --keyserver-options @code{name=value1 }
+ at item --keyserver-options @code{name=value}
 @opindex keyserver-options
 This is a space or comma delimited string that gives options for the
 keyserver. Options can be prefixed with a `no-' to give the opposite
@@ -1598,20 +1598,20 @@ are available for all keyserver types, some common options are:
   this option is not used with HKP keyservers, as they do not support
   retrieving keys by subkey id.
 
+ at ifclear gpgtwoone
   @item use-temp-files
   On most Unix-like platforms, GnuPG communicates with the keyserver
   helper program via pipes, which is the most efficient method. This
   option forces GnuPG to use temporary files to communicate. On some
   platforms (such as Win32 and RISC OS), this option is always enabled.
+ at end ifclear
 
+ at ifclear gpgtwoone
   @item keep-temp-files
   If using `use-temp-files', do not delete the temp files after using
   them. This option is useful to learn the keyserver communication
   protocol by reading the temporary files.
-
-  @item verbose
-  Tell the keyserver helper program to be more verbose. This option can
-  be repeated multiple times to increase the verbosity level.
+ at end ifclear
 
   @item timeout
   Tell the keyserver helper program how long (in seconds) to try and
@@ -1622,9 +1622,13 @@ are available for all keyserver types, some common options are:
   @option{--recv-keys} command as a whole. Defaults to 30 seconds.
 
   @item http-proxy=@code{value}
-  Set the proxy to use for HTTP and HKP keyservers.  This overrides the
-  "http_proxy" environment variable, if any.
-
+  Set the proxy to use for HTTP and HKP keyservers.
+ at ifset gpgtwoone
+This overrides any proxy defined in @file{dirmngr.conf}.
+ at end ifset
+ at ifclear gpgtwoone
+This overrides the "http_proxy" environment variable, if any.
+ at end ifclear
 
 @ifclear gpgtwoone
   @item max-cert-size
@@ -1632,26 +1636,42 @@ are available for all keyserver types, some common options are:
   Defaults to 16384 bytes.
 @end ifclear
 
+  @item verbose
+ at ifset gpgtwoone
+This option has no more function since GnuPG 2.1.  Use the
+ at code{dirmngr} configuration options instead.
+ at end ifset
+ at ifclear gpgtwoone
+Tell the keyserver helper program to be more verbose. This option can
+be repeated multiple times to increase the verbosity level.
+ at end ifclear
+
   @item debug
-  Turn on debug output in the keyserver helper program.  Note that the
-  details of debug output depends on which keyserver helper program is
-  being used, and in turn, on any libraries that the keyserver helper
-  program uses internally (libcurl, openldap, etc).
+ at ifset gpgtwoone
+This option has no more function since GnuPG 2.1.  Use the
+ at code{dirmngr} configuration options instead.
+ at end ifset
+ at ifclear gpgtwoone
+Turn on debug output in the keyserver helper program.  Note that the
+details of debug output depends on which keyserver helper program is
+being used, and in turn, on any libraries that the keyserver helper
+program uses internally (libcurl, openldap, etc).
+ at end ifclear
 
   @item check-cert
 @ifset gpgtwoone
-  This option has no more function since GnuPG 2.1.  Use the
-  @code{dirmngr} configuration options instead.
+This option has no more function since GnuPG 2.1.  Use the
+ at code{dirmngr} configuration options instead.
 @end ifset
 @ifclear gpgtwoone
-  Enable certificate checking if the keyserver presents one (for hkps or
-  ldaps).  Defaults to on.
+Enable certificate checking if the keyserver presents one (for hkps or
+ldaps).  Defaults to on.
 @end ifclear
 
   @item ca-cert-file
 @ifset gpgtwoone
-  This option has no more function since GnuPG 2.1.  Use the
-  @code{dirmngr} configuration options instead.
+This option has no more function since GnuPG 2.1.  Use the
+ at code{dirmngr} configuration options instead.
 @end ifset
 @ifclear gpgtwoone
   Provide a certificate store to override the system default.  Only
diff --git a/g10/keyserver.c b/g10/keyserver.c
index 7cac55e..3aed54b 100644
--- a/g10/keyserver.c
+++ b/g10/keyserver.c
@@ -91,13 +91,14 @@ static struct parse_options keyserver_opts[]=
   {
     /* some of these options are not real - just for the help
        message */
-    {"max-cert-size",0,NULL,NULL},
+    {"max-cert-size",0,NULL,NULL},  /* MUST be the first in this array! */
+
     {"include-revoked",0,NULL,N_("include revoked keys in search results")},
     {"include-subkeys",0,NULL,N_("include subkeys when searching by key ID")},
-    {"use-temp-files",0,NULL,
-     N_("use temporary files to pass data to keyserver helpers")},
-    {"keep-temp-files",KEYSERVER_KEEP_TEMP_FILES,NULL,
-     N_("do not delete temporary files after using them")},
+    {"http-proxy", KEYSERVER_HTTP_PROXY, NULL,
+     N_("override proxy options set for dirmngr")},
+    {"timeout", KEYSERVER_TIMEOUT, NULL,
+     N_("override timeout options set for dirmngr")},
     {"refresh-add-fake-v3-keyids",KEYSERVER_ADD_FAKE_V3,NULL,
      NULL},
     {"auto-key-retrieve",KEYSERVER_AUTO_KEY_RETRIEVE,NULL,
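Review bot: The new `http-proxy` and `timeout` entries take an `=value` argument (the gpg.texi hunk above documents `http-proxy=value`), yet their value pointer is NULL here, so this table by itself only records the KEYSERVER_HTTP_PROXY / KEYSERVER_TIMEOUT bit and drops the value. Presumably parse_keyserver_options (outside this hunk) wires the pointers in before calling parse_options; if it does so by array index, these two entries carry the same positional constraint that the new `MUST be the first in this array!` comment states for max-cert-size, and should be marked the same way, e.g. `{"http-proxy", KEYSERVER_HTTP_PROXY, NULL,  /* position is relied upon by parse_keyserver_options */`. Better still, the max-cert-size comment should say why the order matters rather than only that it does, so the next person adding an entry does not break it.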
@@ -155,37 +156,13 @@ parse_keyserver_options(char *options)
       if(tok[0]=='\0')
 	continue;
 
-      /* For backwards compatibility.  1.2.x used honor-http-proxy and
-	 there are a good number of documents published that recommend
-	 it. */
-      if(ascii_strcasecmp(tok,"honor-http-proxy")==0)
-	tok="http-proxy";
-      else if(ascii_strcasecmp(tok,"no-honor-http-proxy")==0)
-	tok="no-http-proxy";
-
       /* We accept quite a few possible options here - some options to
 	 handle specially, the keyserver_options list, and import and
-	 export options that pertain to keyserver operations.  Note
-	 that you must use strncasecmp here as there might be an
-	 =argument attached which will foil the use of strcasecmp. */
-
-#ifdef EXEC_TEMPFILE_ONLY
-      if(ascii_strncasecmp(tok,"use-temp-files",14)==0 ||
-	      ascii_strncasecmp(tok,"no-use-temp-files",17)==0)
-	log_info(_("WARNING: keyserver option '%s' is not used"
-		   " on this platform\n"),tok);
-#else
-      if(ascii_strncasecmp(tok,"use-temp-files",14)==0)
-	opt.keyserver_options.options|=KEYSERVER_USE_TEMP_FILES;
-      else if(ascii_strncasecmp(tok,"no-use-temp-files",17)==0)
-	opt.keyserver_options.options&=~KEYSERVER_USE_TEMP_FILES;
-#endif
-      else if(!parse_options(tok,&opt.keyserver_options.options,
-			     keyserver_opts,0)
-	 && !parse_import_options(tok,
-				  &opt.keyserver_options.import_options,0)
-	 && !parse_export_options(tok,
-				  &opt.keyserver_options.export_options,0))
+	 export options that pertain to keyserver operations.  */
+
+      if (!parse_options (tok,&opt.keyserver_options.options, keyserver_opts,0)
+          && !parse_import_options(tok,&opt.keyserver_options.import_options,0)
+          && !parse_export_options(tok,&opt.keyserver_options.export_options,0))
 	{
 	  /* All of the standard options have failed, so the option was
 	     destined for a keyserver plugin as used by GnuPG < 2.1 */
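Review bot: The `honor-http-proxy` / `no-honor-http-proxy` aliases removed at the top of this hunk were kept specifically for the widely published 1.2.x-era configurations, and after this change those tokens fall through to the "destined for a keyserver plugin" branch like any other unknown option, so a gpg.conf that still carries `honor-http-proxy` loses its intent with at most a generic warning (what that branch does is below the hunk). Since the gpg.texi hunk now says the proxy is governed by dirmngr.conf, that is probably deliberate, but the fall-through comment should say so, e.g. `/* This also catches the pre-2.1 "honor-http-proxy" alias; proxy handling is now done by dirmngr.  */`. Minor style: the rewritten condition mixes `parse_options (tok,&opt` with `parse_import_options(tok,&opt` spacing. parse_keyserver_options starts before this hunk and its return is in the next one.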
@@ -204,6 +181,7 @@ parse_keyserver_options(char *options)
   return ret;
 }
 
+
 void
 free_keyserver_spec(struct keyserver_spec *keyserver)
 {
diff --git a/g10/options.h b/g10/options.h
index 6c96d18..75032a5 100644
--- a/g10/options.h
+++ b/g10/options.h
@@ -361,8 +361,8 @@ EXTERN_UNLESS_MAIN_MODULE int memory_stat_debug_mode;
 #define VERIFY_PKA_TRUST_INCREASE        (1<<8)
 #define VERIFY_SHOW_PRIMARY_UID_ONLY     (1<<9)
 
-#define KEYSERVER_USE_TEMP_FILES         (1<<0)
-#define KEYSERVER_KEEP_TEMP_FILES        (1<<1)
+#define KEYSERVER_HTTP_PROXY             (1<<0)
+#define KEYSERVER_TIMEOUT                (1<<1)
 #define KEYSERVER_ADD_FAKE_V3            (1<<2)
 #define KEYSERVER_AUTO_KEY_RETRIEVE      (1<<3)
 #define KEYSERVER_HONOR_KEYSERVER_URL    (1<<4)
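Review bot: KEYSERVER_HTTP_PROXY and KEYSERVER_TIMEOUT reuse the bit positions of the deleted temp-file flags, and nothing here says that these bits only record that the option was given while the value itself (http-proxy takes `=value` per the gpg.texi hunk) is stored in a separate field, presumably the new opt.keyserver_options.http_proxy. A short comment on the two lines, `/* Only marks that the option was given; the value is kept in a separate field.  */`, would stop a reader from expecting the proxy string behind the bit. Reusing the bit values is fine for in-memory flags, but if any code elsewhere initialises the default option mask from a numeric literal rather than these names, that code would not fail to compile and should be checked.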

-----------------------------------------------------------------------

Summary of changes:
 common/http.c            |  51 +++++++++++++++++++++--
 common/keyserver.h       |   1 -
 dirmngr/crlfetch.c       |   6 +--
 dirmngr/dirmngr.c        |  15 ++++++-
 dirmngr/dirmngr.h        |   4 +-
 dirmngr/ks-engine-hkp.c  |   4 +-
 dirmngr/ks-engine-http.c |   4 +-
 dirmngr/ocsp.c           |   2 +-
 dirmngr/server.c         |  17 ++++++--
 doc/dirmngr.texi         |   2 +-
 doc/gpg.texi             |  62 +++++++++++++++++++---------
 g10/call-dirmngr.c       | 104 ++++++++++++++++++++++++++++++++++++++++-------
 g10/call-dirmngr.h       |   1 +
 g10/gpg.c                |   3 +-
 g10/keyserver.c          |  87 +++++++++++++++++----------------------
 g10/options.h            |   5 ++-
 16 files changed, 259 insertions(+), 109 deletions(-)

