GpgOL finnished Logo

Contact information available at the g10 Code main pages. +href="https://www.g10code.com">g10 Code main pages.

Copyright (C) 2006 g10 Code GmbH, Erkrath-Hochdahl.
Verbatim copying and distribution of this entire article is diff --git a/misc/bugs.gnupg.org/roundup-topics.html b/misc/bugs.gnupg.org/roundup-topics.html index 208707d..d78cf28 100644 --- a/misc/bugs.gnupg.org/roundup-topics.html +++ b/misc/bugs.gnupg.org/roundup-topics.html @@ -60,7 +60,7 @@ clear. This list shall help to make sensible use of the keywords. asm Problem with low-level assembler code cross Bug pertaining to cross-compiling - osx Mac OS/X specific problem + macos MacOS specific problem w32 MS Windows specific problem w64 MS Windows 64 bit specific problem @@ -74,6 +74,8 @@ clear. This list shall help to make sensible use of the keywords. faq This should be made an entry into the FAQ or is already answered there. + gpg22 To be fixed for GnuPG 2.2. + gpg23 Will be addressed in GnuPG 2.2. patch Patch included noinfo Not enough information given notdup Problem duplicating the bug @@ -84,6 +86,8 @@ clear. This list shall help to make sensible use of the keywords. Note that there is also a category of the same name. + rc Release critical report + sillyUB Silly interpretation of undefined behaviour by a compiler. Needs fix so that gcc et al do not break the @@ -101,7 +105,7 @@ clear. This list shall help to make sensible use of the keywords.

Contact information available at the g10 Code main pages. +href="https://www.g10code.com">g10 Code main pages.

Copyright (C) 2006 g10 Code GmbH, Erkrath-Hochdahl.
Verbatim copying and distribution of this entire article is ----------------------------------------------------------------------- Summary of changes: misc/bugs.gnupg.org/index.html | 2 +- misc/bugs.gnupg.org/roundup-topics.html | 8 ++++++-- 2 files changed, 7 insertions(+), 3 deletions(-) hooks/post-receive -- The GnuPG website and other docs http://git.gnupg.org From cvs at cvs.gnupg.org Sun Jan 8 18:45:54 2017 From: cvs at cvs.gnupg.org (by Werner Koch) Date: Sun, 08 Jan 2017 18:45:54 +0100 Subject: [git] GnuPG - branch, master, updated. gnupg-2.1.17-47-g88dc3af Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU Privacy Guard". The branch, master has been updated via 88dc3af3d4ae1afe1d5e136bc4c38bc4e7d4cd10 (commit) via 714faea4fa7f30d42e9986358214a99aa8fa57b3 (commit) via 16078f3deea5b82ea26e2f01dbd3ef3a5ce25410 (commit) via 9fa94aa10778bbd680315e93b23175423e338c40 (commit) from 8d774904c8066d8c0f19cfffe2d568979bb8c470 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 88dc3af3d4ae1afe1d5e136bc4c38bc4e7d4cd10 Author: Werner Koch Date: Sun Jan 8 18:42:50 2017 +0100 dirmngr: Implement experimental SRV record lookup for WKD. * dirmngr/server.c (cmd_wkd_get): Support SRV records. -- This patch changes the way a WKD query is done. Now we first look for a SRV record for service "openpgpkey" and port "tcp" under the to-be-queried domain. If such a record was found and the target host matches the to-be-queried domain or is a suffix to that domain, that target host is used instead of the domain name. The SRV record also allows to change the port and obviously can be used for load-balancing. For example a query for the submission address of example.org with the SRV record specification _openpgpkey._tcp IN SRV 0 0 0 wkd.foo.org. IN SRV 0 0 0 wkd.example.net. IN SRV 0 0 4711 wkd.example.org. (queried using the name "_openpgpkey._tcp.example.org") would fetch from this URL: https://wkd.example.org:4711/.well-known/openpgpkey/submission-address Note that the first two SRV records won't be used because foo.org and example.net do not match example.org. We require that the target host is identical to the domain or be a subdomain of it. This is so that an attacker modifying the SRV records needs to setup a server in a sub-domain of the actual domain and can't use an arbitrary domain. Whether this is a sufficient requirement is not clear and needs further discussion. Signed-off-by: Werner Koch diff --git a/dirmngr/server.c b/dirmngr/server.c index 28c2cd4..c9c4ad4 100644 --- a/dirmngr/server.c +++ b/dirmngr/server.c @@ -826,13 +826,15 @@ cmd_wkd_get (assuan_context_t ctx, char *line) ctrl_t ctrl = assuan_get_pointer (ctx); gpg_error_t err = 0; char *mbox = NULL; - char *domain; /* Points to mbox. */ + char *domainbuf = NULL; + char *domain; /* Points to mbox or domainbuf. */ char sha1buf[20]; char *uri = NULL; char *encodedhash = NULL; int opt_submission_addr; int opt_policy_flags; int no_log = 0; + char portstr[20] = { 0 }; opt_submission_addr = has_option (line, "--submission-address"); opt_policy_flags = has_option (line, "--policy-flags"); @@ -846,6 +848,50 @@ cmd_wkd_get (assuan_context_t ctx, char *line) } *domain++ = 0; + /* Check for SRV records. */ + if (1) + { + struct srventry *srvs; + unsigned int srvscount; + size_t domainlen, targetlen; + int i; + + err = get_dns_srv (domain, "openpgpkey", NULL, &srvs, &srvscount); + if (err) + goto leave; + + /* Find the first target which also ends in DOMAIN or is equal + * to DOMAIN. */ + domainlen = strlen (domain); + for (i = 0; i < srvscount; i++) + { + log_debug ("srv: trying '%s:%hu'\n", srvs[i].target, srvs[i].port); + targetlen = strlen (srvs[i].target); + if ((targetlen > domainlen + 1 + && srvs[i].target[targetlen - domainlen - 1] == '.' + && !ascii_strcasecmp (srvs[i].target + targetlen - domainlen, + domain)) + || (targetlen == domainlen + && !ascii_strcasecmp (srvs[i].target, domain))) + { + /* found. */ + domainbuf = xtrystrdup (srvs[i].target); + if (!domainbuf) + { + err = gpg_error_from_syserror (); + xfree (srvs); + goto leave; + } + domain = domainbuf; + if (srvs[i].port) + snprintf (portstr, sizeof portstr, ":%hu", srvs[i].port); + break; + } + } + xfree (srvs); + log_debug ("srv: got '%s%s'\n", domain, portstr); + } + gcry_md_hash_buffer (GCRY_MD_SHA1, sha1buf, mbox, strlen (mbox)); encodedhash = zb32_encode (sha1buf, 8*20); if (!encodedhash) @@ -858,6 +904,7 @@ cmd_wkd_get (assuan_context_t ctx, char *line) { uri = strconcat ("https://", domain, + portstr, "/.well-known/openpgpkey/submission-address", NULL); } @@ -865,6 +912,7 @@ cmd_wkd_get (assuan_context_t ctx, char *line) { uri = strconcat ("https://", domain, + portstr, "/.well-known/openpgpkey/policy", NULL); } @@ -872,6 +920,7 @@ cmd_wkd_get (assuan_context_t ctx, char *line) { uri = strconcat ("https://", domain, + portstr, "/.well-known/openpgpkey/hu/", encodedhash, NULL); @@ -907,6 +956,7 @@ cmd_wkd_get (assuan_context_t ctx, char *line) xfree (uri); xfree (encodedhash); xfree (mbox); + xfree (domainbuf); return leave_cmd (ctx, err); } commit 714faea4fa7f30d42e9986358214a99aa8fa57b3 Author: Werner Koch Date: Sun Jan 8 18:07:18 2017 +0100 dirmngr: Improve debug output for TLS. * dirmngr/misc.c (dump_cert): Also print SubjectAltNames. Signed-off-by: Werner Koch diff --git a/dirmngr/misc.c b/dirmngr/misc.c index ac3856e..2ee6d82 100644 --- a/dirmngr/misc.c +++ b/dirmngr/misc.c @@ -296,6 +296,7 @@ dump_cert (const char *text, ksba_cert_t cert) ksba_sexp_t sexp; char *p; ksba_isotime_t t; + int idx; log_debug ("BEGIN Certificate '%s':\n", text? text:""); if (cert) @@ -326,6 +327,13 @@ dump_cert (const char *text, ksba_cert_t cert) dump_string (p); ksba_free (p); log_printf ("\n"); + for (idx=1; (p = ksba_cert_get_subject (cert, idx)); idx++) + { + log_debug (" aka: "); + dump_string (p); + ksba_free (p); + log_printf ("\n"); + } log_debug (" hash algo: %s\n", ksba_cert_get_digest_algo (cert)); commit 16078f3deea5b82ea26e2f01dbd3ef3a5ce25410 Author: Werner Koch Date: Sun Jan 8 18:04:59 2017 +0100 dirmngr: Change internal SRV lookup API. * dirmngr/dns-stuff.c (get_dns_srv): Add args SERVICE and PROTO. * dirmngr/http.c (connect_server): Simplify SRV lookup. * dirmngr/ks-engine-hkp.c (map_host): Ditto. * dirmngr/t-dns-stuff.c (main): Adjust for changed get_dns_srv. -- This new API is more convenient because it includes commonly used code. Note that right now http.c's SRV record code is not used. Signed-off-by: Werner Koch diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c index 028b065..a8713eb 100644 --- a/dirmngr/dns-stuff.c +++ b/dirmngr/dns-stuff.c @@ -1740,17 +1740,37 @@ getsrv_standard (const char *name, } -/* Note that we do not return NONAME but simply store 0 at R_COUNT. */ +/* Query a SRV record for SERVICE and PROTO for NAME. If SERVICE is + * NULL, NAME is expected to contain the full query name. Note that + * we do not return NONAME but simply store 0 at R_COUNT. On error an + * error code is returned and 0 stored at R_COUNT. */ gpg_error_t -get_dns_srv (const char *name, struct srventry **list, unsigned int *r_count) +get_dns_srv (const char *name, const char *service, const char *proto, + struct srventry **list, unsigned int *r_count) { gpg_error_t err; + char *namebuffer = NULL; unsigned int srvcount; int i; *list = NULL; *r_count = 0; srvcount = 0; + + /* If SERVICE is given construct the query from it and PROTO. */ + if (service) + { + namebuffer = xtryasprintf ("_%s._%s.%s", + service, proto? proto:"tcp", name); + if (!namebuffer) + { + err = gpg_error_from_syserror (); + goto leave; + } + name = namebuffer; + } + + #ifdef USE_LIBDNS if (!standard_resolver) { @@ -1852,6 +1872,7 @@ get_dns_srv (const char *name, struct srventry **list, unsigned int *r_count) } if (!err) *r_count = srvcount; + xfree (namebuffer); return err; } diff --git a/dirmngr/dns-stuff.h b/dirmngr/dns-stuff.h index eb7fe72..d68dd17 100644 --- a/dirmngr/dns-stuff.h +++ b/dirmngr/dns-stuff.h @@ -153,6 +153,7 @@ gpg_error_t get_dns_cert (const char *name, int want_certtype, /* Return an array of SRV records. */ gpg_error_t get_dns_srv (const char *name, + const char *service, const char *proto, struct srventry **list, unsigned int *r_count); diff --git a/dirmngr/http.c b/dirmngr/http.c index 14d60df..7a02804 100644 --- a/dirmngr/http.c +++ b/dirmngr/http.c @@ -2362,29 +2362,11 @@ connect_server (const char *server, unsigned short port, /* Do the SRV thing */ if (srvtag) { - /* We're using SRV, so append the tags. */ - if (1 + strlen (srvtag) + 6 + strlen (server) + 1 - <= DIMof (struct srventry, target)) - { - char *srvname = xtrymalloc (DIMof (struct srventry, target)); - - if (!srvname) /* Out of core */ - { - serverlist = NULL; - srvcount = 0; - } - else - { - stpcpy (stpcpy (stpcpy (stpcpy (srvname,"_"), srvtag), - "._tcp."), server); - err = get_dns_srv (srvname, &serverlist, &srvcount); - if (err) - log_info ("getting SRV '%s' failed: %s\n", - srvname, gpg_strerror (err)); - xfree (srvname); - /* Note that on error SRVCOUNT is zero. */ - } - } + err = get_dns_srv (server, srvtag, NULL, &serverlist, &srvcount); + if (err) + log_info ("getting '%s' SRV for '%s' failed: %s\n", + srvtag, server, gpg_strerror (err)); + /* Note that on error SRVCOUNT is zero. */ } if (!serverlist) diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c index a6c22f8..283e805 100644 --- a/dirmngr/ks-engine-hkp.c +++ b/dirmngr/ks-engine-hkp.c @@ -426,7 +426,6 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect, int refidx; int is_pool = 0; char *cname; - char *srvrecord; struct srventry *srvs; unsigned int srvscount; @@ -448,16 +447,7 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect, if (!is_ip_address (name)) { /* Check for SRV records. */ - srvrecord = xtryasprintf ("_hkp._tcp.%s", name); - if (srvrecord == NULL) - { - err = gpg_error_from_syserror (); - xfree (reftbl); - return err; - } - - err = get_dns_srv (srvrecord, &srvs, &srvscount); - xfree (srvrecord); + err = get_dns_srv (name, "hkp", NULL, &srvs, &srvscount); if (err) { xfree (reftbl); diff --git a/dirmngr/t-dns-stuff.c b/dirmngr/t-dns-stuff.c index bc4ca9a..23c0c6a 100644 --- a/dirmngr/t-dns-stuff.c +++ b/dirmngr/t-dns-stuff.c @@ -235,7 +235,7 @@ main (int argc, char **argv) int i; err = get_dns_srv (name? name : "_hkp._tcp.wwwkeys.pgp.net", - &srv, &count); + NULL, NULL, &srv, &count); if (err) printf ("get_dns_srv failed: %s <%s>\n", gpg_strerror (err), gpg_strsource (err)); commit 9fa94aa10778bbd680315e93b23175423e338c40 Author: Werner Koch Date: Sun Jan 8 18:00:38 2017 +0100 dirmngr: Strip root zone suffix from libdns SRV results. * dirmngr/dns-stuff.c (getsrv_libdns): Strip trailing dot from the target. -- See-also: b200e636ab20d2aa93d9f71f3789db5a04af0a56 Signed-off-by: Werner Koch diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c index e32e1e3..028b065 100644 --- a/dirmngr/dns-stuff.c +++ b/dirmngr/dns-stuff.c @@ -1591,6 +1591,10 @@ getsrv_libdns (const char *name, struct srventry **list, unsigned int *r_count) srv->weight = dsrv.weight; srv->port = dsrv.port; mem2str (srv->target, dsrv.target, sizeof srv->target); + /* Libdns appends the root zone part which is problematic for + * most other functions - strip it. */ + if (*srv->target && (srv->target)[strlen (srv->target)-1] == '.') + (srv->target)[strlen (srv->target)-1] = 0; } *r_count = srvcount; ----------------------------------------------------------------------- Summary of changes: dirmngr/dns-stuff.c | 29 +++++++++++++++++++++++++-- dirmngr/dns-stuff.h | 1 + dirmngr/http.c | 28 +++++--------------------- dirmngr/ks-engine-hkp.c | 12 +----------- dirmngr/misc.c | 8 ++++++++ dirmngr/server.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++- dirmngr/t-dns-stuff.c | 2 +- 7 files changed, 94 insertions(+), 38 deletions(-) hooks/post-receive -- The GNU Privacy Guard http://git.gnupg.org From cvs at cvs.gnupg.org Mon Jan 9 08:57:05 2017 From: cvs at cvs.gnupg.org (by Werner Koch) Date: Mon, 09 Jan 2017 08:57:05 +0100 Subject: [git] GnuPG - branch, master, updated. gnupg-2.1.17-48-g2baba11 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU Privacy Guard". The branch, master has been updated via 2baba11fad6dd680a992260d161dffa1eeae0e42 (commit) from 88dc3af3d4ae1afe1d5e136bc4c38bc4e7d4cd10 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 2baba11fad6dd680a992260d161dffa1eeae0e42 Author: Werner Koch Date: Mon Jan 9 08:54:45 2017 +0100 doc: Update man page for watchgnupg -- Signed-off-by: Werner Koch diff --git a/doc/tools.texi b/doc/tools.texi index d321b69..f0e6fe7 100644 --- a/doc/tools.texi +++ b/doc/tools.texi @@ -54,13 +54,14 @@ other utilities. This tool is not available for Windows. @command{watchgnupg} is commonly invoked as @example -watchgnupg --force ~/.gnupg/S.log +watchgnupg --force $(gpgconf --list-dirs socketdir)/S.log @end example @manpause @noindent -This starts it on the current terminal for listening on the socket - at file{~/.gnupg/S.log}. +This starts it on the current terminal for listening on the standard +logging socket (which is either @file{~/.gnupg/S.log} or + at file{/var/run/user/UID/gnupg/S.log}). @mansect options @noindent @@ -77,6 +78,10 @@ Delete an already existing socket file. Instead of reading from a local socket, listen for connects on TCP port @var{n}. + at item --time-only + at opindex time-only +Do not print the date part of the timestamp. + @item --verbose @opindex verbose Enable extra informational output. @@ -96,21 +101,22 @@ Display a brief help page and exit. @chapheading Examples @example -$ watchgnupg --force /home/foo/.gnupg/S.log +$ watchgnupg --force --time-only $(gpgconf --list-dirs socketdir)/S.log @end example This waits for connections on the local socket - at file{/home/foo/.gnupg/S.log} and shows all log entries. To make this -work the option @option{log-file} needs to be used with all modules -which logs are to be shown. The value for that option must be given -with a special prefix (e.g. in the conf files): +(e.g. @file{/home/foo/.gnupg/S.log}) and shows all log entries. To +make this work the option @option{log-file} needs to be used with all +modules which logs are to be shown. The suggested entry for the +configuration files is: @example -log-file socket:///home/foo/.gnupg/S.log +log-file socket:// @end example -If only @code{socket://} is used a default socket file named - at file{S.log} in the standard socket directory is used. +If the default socket as given above and returned by "echo $(gpgconf +--list-dirs socketdir)/S.log" is not desired an arbitrary socket name +can be specified, for example @file{socket:///home/foo/bar/mysocket}. For debugging purposes it is also possible to do remote logging. Take care if you use this feature because the information is send in the clear over the network. Use this syntax in the conf files: @@ -119,13 +125,14 @@ clear over the network. Use this syntax in the conf files: log-file tcp://192.168.1.1:4711 @end example -You may use any port and not just 4711 as shown above; only IP addresses -are supported (v4 and v6) and no host names. You need to start - at command{watchgnupg} with the @option{tcp} option. Note that under -Windows the registry entry @var{HKCU\Software\GNU\GnuPG:DefaultLogFile} -can be used to change the default log output from @code{stderr} to -whatever is given by that entry. However the only useful entry is a TCP -name for remote debugging. +You may use any port and not just 4711 as shown above; only IP +addresses are supported (v4 and v6) and no host names. You need to +start @command{watchgnupg} with the @option{tcp} option. Note that +under Windows the registry entry + at var{HKCU\Software\GNU\GnuPG:DefaultLogFile} can be used to change the +default log output from @code{stderr} to whatever is given by that +entry. However the only useful entry is a TCP name for remote +debugging. @mansect see also ----------------------------------------------------------------------- Summary of changes: doc/tools.texi | 43 +++++++++++++++++++++++++------------------ 1 file changed, 25 insertions(+), 18 deletions(-) hooks/post-receive -- The GNU Privacy Guard http://git.gnupg.org From cvs at cvs.gnupg.org Mon Jan 9 10:54:46 2017 From: cvs at cvs.gnupg.org (by Werner Koch) Date: Mon, 09 Jan 2017 10:54:46 +0100 Subject: [git] GnuPG - branch, master, updated. gnupg-2.1.17-50-g0cc975d Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU Privacy Guard". The branch, master has been updated via 0cc975d8a1cd54115938202432e43263b8893ea4 (commit) via c2cbe2f87c480c62239dc4c2cbb352acd98cd267 (commit) from 2baba11fad6dd680a992260d161dffa1eeae0e42 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 0cc975d8a1cd54115938202432e43263b8893ea4 Author: Werner Koch Date: Mon Jan 9 10:42:30 2017 +0100 dirmngr: Use "pgpkey-hkps" and "pgpkey-hkp" for SRV record lookups. * dirmngr/ks-engine-hkp.c (map_host): Chnage arg NO_SRV to SRVTAG. (make_host_part): Rewrite. -- This fixes a regression from 2.0 and 1.4 where these tags have been in used since 2009. For whatever reason this was not ported to 2.1 and "hkp" was always used. GnuPG-bug-id: 2451 Signed-off-by: Werner Koch diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c index 9b757a3..5f6e5f4 100644 --- a/dirmngr/ks-engine-hkp.c +++ b/dirmngr/ks-engine-hkp.c @@ -378,16 +378,17 @@ add_host (const char *name, int is_pool, * to choose one of the hosts. For example we skip those hosts which * failed for some time and we stick to one host for a time * independent of DNS retry times. If FORCE_RESELECT is true a new - * host is always selected. If NO_SRV is set no service record lookup - * will be done. The selected host is stored as a malloced string at - * R_HOST; on error NULL is stored. If we know the port used by the - * selected host from a service record, a string representation is - * written to R_PORTSTR, otherwise it is left untouched. If - * R_HTTPFLAGS is not NULL it will receive flags which are to be - * passed to http_open. If R_POOLNAME is not NULL a malloced name of - * the pool is stored or NULL if it is not a pool. */ + * host is always selected. If SRVTAG is NULL no service record + * lookup will be done, if it is set that service name is used. The + * selected host is stored as a malloced string at R_HOST; on error + * NULL is stored. If we know the port used by the selected host from + * a service record, a string representation is written to R_PORTSTR, + * otherwise it is left untouched. If R_HTTPFLAGS is not NULL it will + * receive flags which are to be passed to http_open. If R_POOLNAME + * is not NULL a malloced name of the pool is stored or NULL if it is + * not a pool. */ static gpg_error_t -map_host (ctrl_t ctrl, const char *name, int force_reselect, int no_srv, +map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect, char **r_host, char *r_portstr, unsigned int *r_httpflags, char **r_poolname) { @@ -445,10 +446,10 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect, int no_srv, } hi = hosttable[idx]; - if (!no_srv && !is_ip_address (name)) + if (srvtag && !is_ip_address (name)) { /* Check for SRV records. */ - err = get_dns_srv (name, "hkp", NULL, &srvs, &srvscount); + err = get_dns_srv (name, srvtag, NULL, &srvs, &srvscount); if (err) { xfree (reftbl); @@ -859,38 +860,42 @@ make_host_part (ctrl_t ctrl, char **r_hostport, unsigned int *r_httpflags, char **r_poolname) { gpg_error_t err; + const char *srvtag; char portstr[10]; char *hostname; *r_hostport = NULL; - portstr[0] = 0; - err = map_host (ctrl, host, force_reselect, no_srv, - &hostname, portstr, r_httpflags, r_poolname); - if (err) - return err; - - /* If map_host did not return a port (from a SRV record) but a port - * has been specified (implicitly or explicitly) then use that port. - * Only in the case that a port was not specified (which might be a - * bug in https.c) we will later make sure that it has been set. */ - if (!*portstr && port) - snprintf (portstr, sizeof portstr, "%hu", port); - - /* Map scheme and port. */ if (!strcmp (scheme, "hkps") || !strcmp (scheme,"https")) { scheme = "https"; - if (! *portstr) - strcpy (portstr, "443"); + srvtag = no_srv? NULL : "pgpkey-https"; } else /* HKP or HTTP. */ { scheme = "http"; - if (! *portstr) - strcpy (portstr, "11371"); + srvtag = no_srv? NULL : "pgpkey-http"; } + portstr[0] = 0; + err = map_host (ctrl, host, srvtag, force_reselect, + &hostname, portstr, r_httpflags, r_poolname); + if (err) + return err; + + /* If map_host did not return a port (from a SRV record) but a port + * has been specified (implicitly or explicitly) then use that port. + * In the case that a port was not specified (which is probably a + * bug in https.c) we will set up defaults. */ + if (*portstr) + ; + else if (!*portstr && port) + snprintf (portstr, sizeof portstr, "%hu", port); + else if (!strcmp (scheme,"https")) + strcpy (portstr, "443"); + else + strcpy (portstr, "11371"); + *r_hostport = strconcat (scheme, "://", hostname, ":", portstr, NULL); xfree (hostname); if (!*r_hostport) commit c2cbe2f87c480c62239dc4c2cbb352acd98cd267 Author: Werner Koch Date: Mon Jan 9 10:11:20 2017 +0100 dirmngr: Do not use a SRV record for HKP if a port was specified. * dirmngr/http.h (parsed_uri_s): Add field EXPLICIT_PORT. * dirmngr/http.c (do_parse_uri): That it. * dirmngr/ks-engine-hkp.c (map_host): Add arg NO_SRV. (make_host_part): Ditto. (ks_hkp_resolve): Set NO_SRV from EXPLICIT_PORT. (ks_hkp_search): Ditto. (ks_hkp_get): Ditto. (ks_hkp_put): Ditto. -- This implements the behaviour of the keyserver helpers from 1.4 and 2.0. Signed-off-by: Werner Koch diff --git a/dirmngr/http.c b/dirmngr/http.c index 7a02804..0a47d9f 100644 --- a/dirmngr/http.c +++ b/dirmngr/http.c @@ -1169,6 +1169,7 @@ do_parse_uri (parsed_uri_t uri, int only_local_part, uri->opaque = 0; uri->v6lit = 0; uri->onion = 0; + uri->explicit_port = 0; /* A quick validity check. */ if (strspn (p, VALID_URI_CHARS) != n) @@ -1241,6 +1242,7 @@ do_parse_uri (parsed_uri_t uri, int only_local_part, { *p3++ = '\0'; uri->port = atoi (p3); + uri->explicit_port = 1; } if ((n = remove_escapes (uri->host)) < 0) diff --git a/dirmngr/http.h b/dirmngr/http.h index 2a36fda..32556a4 100644 --- a/dirmngr/http.h +++ b/dirmngr/http.h @@ -53,6 +53,7 @@ struct parsed_uri_s unsigned int opaque:1;/* Unknown scheme; PATH has the rest. */ unsigned int v6lit:1; /* Host was given as a literal v6 address. */ unsigned int onion:1; /* .onion address given. */ + unsigned int explicit_port :1; /* The port was explicitly specified. */ char *auth; /* username/password for basic auth. */ char *host; /* Host (converted to lowercase). */ unsigned short port; /* Port (always set if the host is set). */ diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c index 283e805..9b757a3 100644 --- a/dirmngr/ks-engine-hkp.c +++ b/dirmngr/ks-engine-hkp.c @@ -374,19 +374,20 @@ add_host (const char *name, int is_pool, /* Map the host name NAME to the actual to be used host name. This - allows us to manage round robin DNS names. We use our own strategy - to choose one of the hosts. For example we skip those hosts which - failed for some time and we stick to one host for a time - independent of DNS retry times. If FORCE_RESELECT is true a new - host is always selected. The selected host is stored as a malloced - string at R_HOST; on error NULL is stored. If we know the port - used by the selected host, a string representation is written to - R_PORTSTR, otherwise it is left untouched. If R_HTTPFLAGS is not - NULL it will receive flags which are to be passed to http_open. If - R_POOLNAME is not NULL a malloced name of the pool is stored or - NULL if it is not a pool. */ + * allows us to manage round robin DNS names. We use our own strategy + * to choose one of the hosts. For example we skip those hosts which + * failed for some time and we stick to one host for a time + * independent of DNS retry times. If FORCE_RESELECT is true a new + * host is always selected. If NO_SRV is set no service record lookup + * will be done. The selected host is stored as a malloced string at + * R_HOST; on error NULL is stored. If we know the port used by the + * selected host from a service record, a string representation is + * written to R_PORTSTR, otherwise it is left untouched. If + * R_HTTPFLAGS is not NULL it will receive flags which are to be + * passed to http_open. If R_POOLNAME is not NULL a malloced name of + * the pool is stored or NULL if it is not a pool. */ static gpg_error_t -map_host (ctrl_t ctrl, const char *name, int force_reselect, +map_host (ctrl_t ctrl, const char *name, int force_reselect, int no_srv, char **r_host, char *r_portstr, unsigned int *r_httpflags, char **r_poolname) { @@ -444,7 +445,7 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect, } hi = hosttable[idx]; - if (!is_ip_address (name)) + if (!no_srv && !is_ip_address (name)) { /* Check for SRV records. */ err = get_dns_srv (name, "hkp", NULL, &srvs, &srvscount); @@ -848,13 +849,13 @@ ks_hkp_help (ctrl_t ctrl, parsed_uri_t uri) /* Build the remote part of the URL from SCHEME, HOST and an optional - PORT. Returns an allocated string at R_HOSTPORT or NULL on failure - If R_POOLNAME is not NULL it receives a malloced string with the - poolname. */ + * PORT. If NO_SRV is set no SRV record lookup will be done. Returns + * an allocated string at R_HOSTPORT or NULL on failure If R_POOLNAME + * is not NULL it receives a malloced string with the poolname. */ static gpg_error_t make_host_part (ctrl_t ctrl, const char *scheme, const char *host, unsigned short port, - int force_reselect, + int force_reselect, int no_srv, char **r_hostport, unsigned int *r_httpflags, char **r_poolname) { gpg_error_t err; @@ -864,11 +865,18 @@ make_host_part (ctrl_t ctrl, *r_hostport = NULL; portstr[0] = 0; - err = map_host (ctrl, host, force_reselect, + err = map_host (ctrl, host, force_reselect, no_srv, &hostname, portstr, r_httpflags, r_poolname); if (err) return err; + /* If map_host did not return a port (from a SRV record) but a port + * has been specified (implicitly or explicitly) then use that port. + * Only in the case that a port was not specified (which might be a + * bug in https.c) we will later make sure that it has been set. */ + if (!*portstr && port) + snprintf (portstr, sizeof portstr, "%hu", port); + /* Map scheme and port. */ if (!strcmp (scheme, "hkps") || !strcmp (scheme,"https")) { @@ -882,12 +890,6 @@ make_host_part (ctrl_t ctrl, if (! *portstr) strcpy (portstr, "11371"); } - if (port) - snprintf (portstr, sizeof portstr, "%hu", port); - else - { - /*fixme_do_srv_lookup ()*/ - } *r_hostport = strconcat (scheme, "://", hostname, ":", portstr, NULL); xfree (hostname); @@ -913,7 +915,11 @@ ks_hkp_resolve (ctrl_t ctrl, parsed_uri_t uri) gpg_error_t err; char *hostport = NULL; - err = make_host_part (ctrl, uri->scheme, uri->host, uri->port, 1, + /* NB: With an explicitly given port we do not want to consult a + * service record because that might be in conflict with the port + * from such a service record. */ + err = make_host_part (ctrl, uri->scheme, uri->host, uri->port, + 1, uri->explicit_port, &hostport, NULL, NULL); if (err) { @@ -1219,7 +1225,8 @@ ks_hkp_search (ctrl_t ctrl, parsed_uri_t uri, const char *pattern, xfree (hostport); hostport = NULL; xfree (httphost); httphost = NULL; - err = make_host_part (ctrl, uri->scheme, uri->host, uri->port, reselect, + err = make_host_part (ctrl, uri->scheme, uri->host, uri->port, + reselect, uri->explicit_port, &hostport, &httpflags, &httphost); if (err) goto leave; @@ -1360,7 +1367,8 @@ ks_hkp_get (ctrl_t ctrl, parsed_uri_t uri, const char *keyspec, estream_t *r_fp) /* Build the request string. */ xfree (hostport); hostport = NULL; xfree (httphost); httphost = NULL; - err = make_host_part (ctrl, uri->scheme, uri->host, uri->port, reselect, + err = make_host_part (ctrl, uri->scheme, uri->host, uri->port, + reselect, uri->explicit_port, &hostport, &httpflags, &httphost); if (err) goto leave; @@ -1472,7 +1480,8 @@ ks_hkp_put (ctrl_t ctrl, parsed_uri_t uri, const void *data, size_t datalen) again: xfree (hostport); hostport = NULL; xfree (httphost); httphost = NULL; - err = make_host_part (ctrl, uri->scheme, uri->host, uri->port, reselect, + err = make_host_part (ctrl, uri->scheme, uri->host, uri->port, + reselect, uri->explicit_port, &hostport, &httpflags, &httphost); if (err) goto leave; ----------------------------------------------------------------------- Summary of changes: dirmngr/http.c | 2 ++ dirmngr/http.h | 1 + dirmngr/ks-engine-hkp.c | 88 ++++++++++++++++++++++++++++--------------------- 3 files changed, 54 insertions(+), 37 deletions(-) hooks/post-receive -- The GNU Privacy Guard http://git.gnupg.org From cvs at cvs.gnupg.org Mon Jan 9 13:15:08 2017 From: cvs at cvs.gnupg.org (by Andre Heinecke) Date: Mon, 09 Jan 2017 13:15:08 +0100 Subject: [git] GpgOL - branch, master, updated. gpgol-1.4.0-244-g54c973f Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "GnuPG extension for MS Outlook". The branch, master has been updated via 54c973fd2e45ee71664a89c500b00d5088107081 (commit) via 24832b5f163822e471e468234972bc2f2a2e68b6 (commit) via 03ae7589f175b6f4d4ecf1b7f4605e78a1932814 (commit) via 352c06b528804aa4754a91a653a8546607592512 (commit) via b9ef5502c572eae0db0dc4ed10013d888edaf9a8 (commit) via cce2a22442aefb9e65b5cc10fed0db4e5d9e11b8 (commit) from abaca16b9019781359c105944ea22adf3f6fa4c8 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 54c973fd2e45ee71664a89c500b00d5088107081 Author: Andre Heinecke Date: Mon Jan 9 13:13:43 2017 +0100 Treat marginal in WoT as lvel 2 * src/mail.cpp (Mail::update_sigstate): Set marginal trust as level 2. -- This is what we did before and also what kleopatra did. Marginal trust is shown as trusted certificate and "green". Only with tofu trust model we do marginal later because it can be automatically reached and any seen key is marginal in tofu. diff --git a/src/mail.cpp b/src/mail.cpp index 2604a86..dd6562c 100644 --- a/src/mail.cpp +++ b/src/mail.cpp @@ -1334,12 +1334,12 @@ Mail::update_sigstate () if (sig.validity() == Signature::Validity::Marginal) { const auto tofu = m_uid.tofuInfo(); - if (tofu.isNull() || + if (!tofu.isNull() && (tofu.validity() != TofuInfo::Validity::BasicHistory && tofu.validity() != TofuInfo::Validity::LargeHistory)) { - /* Marginal is not good enough without tofu. - We also wait for basic trust. */ + /* Marginal is only good enough without tofu. + Otherwise we wait for basic trust. */ log_debug ("%s:%s: Discarding marginal signature." "With too little history.", SRCNAME, __func__); @@ -1692,16 +1692,14 @@ Mail::get_crypto_details() message = buf; xfree (buf); } + else if (level == 2 && m_uid.tofuInfo ().isNull ()) + { + /* Marginal trust through pgp only */ + message = _("Some trusted people " + "have certified the senders identity."); + } else if (level == 2) { - /* Only reachable through TOFU Trust. */ - if (m_uid.tofuInfo ().isNull ()) - { - log_error ("%s:%s:%i BUG: Invalid sigstate.", - SRCNAME, __func__, __LINE__); - return message; - } - unsigned long first_contact = std::max (m_uid.tofuInfo().signFirst(), m_uid.tofuInfo().encrFirst()); char *time = format_date_from_gpgme (first_contact); @@ -1739,12 +1737,6 @@ Mail::get_crypto_details() message = buf; xfree (buf); } - else - { - /* Marginal trust through pgp */ - message = _("Not enough trusted people or yourself " - "have certified the senders identity."); - } } else { commit 24832b5f163822e471e468234972bc2f2a2e68b6 Author: Andre Heinecke Date: Mon Jan 9 13:12:42 2017 +0100 Release attachments object earlier * src/mail.cpp (Mail::check_attachments): Release attachments object earlier. diff --git a/src/mail.cpp b/src/mail.cpp index 6b6a5ca..2604a86 100644 --- a/src/mail.cpp +++ b/src/mail.cpp @@ -325,6 +325,7 @@ Mail::check_attachments () const VariantClear (&var); gpgol_release (oom_attach); } + gpgol_release (attachments); if (foundOne) { message += "\n"; @@ -337,7 +338,6 @@ Mail::check_attachments () const xfree (wmsg); xfree (wtitle); } - gpgol_release (attachments); return 0; } commit 03ae7589f175b6f4d4ecf1b7f4605e78a1932814 Author: Andre Heinecke Date: Mon Jan 9 13:11:45 2017 +0100 Deactive Outlook Window during encryption * src/mail.cpp (encrypt_sign): Deactivate Outlook Window. -- Not optimal but this at least allows to move the outlook window during encryption. Kleopatra must do some work to really become modal. diff --git a/src/mail.cpp b/src/mail.cpp index 5fed0f6..6b6a5ca 100644 --- a/src/mail.cpp +++ b/src/mail.cpp @@ -848,6 +848,8 @@ Mail::encrypt_sign () return err; } flags = get_gpgol_draft_info_flags (message); + + EnableWindow (get_active_hwnd(), FALSE); if (flags == 3) { log_debug ("%s:%s: Sign / Encrypting message", @@ -872,6 +874,7 @@ Mail::encrypt_sign () } log_debug ("%s:%s: Status: %i", SRCNAME, __func__, err); + EnableWindow (get_active_hwnd(), TRUE); gpgol_release (message); m_crypt_successful = !err; return err; commit 352c06b528804aa4754a91a653a8546607592512 Author: Andre Heinecke Date: Mon Jan 9 13:09:27 2017 +0100 Disable button and fix msgs if no mail selected * src/gpgoladdin.cpp (GpgolRibbonExtender::GetIDsOfNames) (GpgolRibbonExtender::Invoke, GetCustomUI_MIME): Update for get_is_details_enabled. * src/ribbon-callbacks.cpp (get_is_details_enabled): New. (get_mail_from_control): Extend with selection state. diff --git a/src/gpgoladdin.cpp b/src/gpgoladdin.cpp index 15ba34d..9eda8c2 100644 --- a/src/gpgoladdin.cpp +++ b/src/gpgoladdin.cpp @@ -646,7 +646,7 @@ GpgolRibbonExtender::GetIDsOfNames (REFIID riid, LPOLESTR *rgszNames, ID_MAPPER (L"getSigSTip", ID_GET_SIG_STIP) ID_MAPPER (L"getSigTip", ID_GET_SIG_TTIP) ID_MAPPER (L"launchDetails", ID_LAUNCH_CERT_DETAILS) - ID_MAPPER (L"getIsCrypto", ID_GET_IS_CRYPTO) + ID_MAPPER (L"getIsDetailsEnabled", ID_GET_IS_DETAILS_ENABLED) } if (cNames > 1) @@ -741,8 +741,8 @@ GpgolRibbonExtender::Invoke (DISPID dispid, REFIID riid, LCID lcid, return get_sig_label (parms->rgvarg[0].pdispVal, result); case ID_LAUNCH_CERT_DETAILS: return launch_cert_details (parms->rgvarg[0].pdispVal); - case ID_GET_IS_CRYPTO: - return get_is_crypto (parms->rgvarg[0].pdispVal, result); + case ID_GET_IS_DETAILS_ENABLED: + return get_is_details_enabled (parms->rgvarg[0].pdispVal, result); case ID_ON_LOAD: { @@ -925,8 +925,8 @@ GetCustomUI_MIME (BSTR RibbonID, BSTR * RibbonXml) " getLabel=\"getSigLabel\"" " getScreentip=\"getSigTip\"" " getSupertip=\"getSigSTip\"" - " onAction=\"launchDetails\"/>" - /* " getEnabled=\"getIsCrypto\"/>" */ + " onAction=\"launchDetails\"" + " getEnabled=\"getIsDetailsEnabled\"/>" " " "