[git] GnuPG - branch, STABLE-BRANCH-2-2, updated. gnupg-2.2.6-30-gcc66108
by Werner Koch
cvs at cvs.gnupg.org
Thu Apr 26 12:40:54 CEST 2018
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU Privacy Guard".
The branch, STABLE-BRANCH-2-2 has been updated
via cc66108253c58583d6bad3d1e2da2b004701d0f0 (commit)
via bb8894760fe87cf46a42599f11eab7e7c7a8eb71 (commit)
from 1de4462974113ac18cf98f903e97cd1127fa842f (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit cc66108253c58583d6bad3d1e2da2b004701d0f0
Author: Werner Koch <wk at gnupg.org>
Date: Thu Apr 26 12:28:53 2018 +0200
dirmngr: Fix handling of CNAMEed keyserver pools.
* dirmngr/ks-engine-hkp.c (map_host): Don't use the cname for HTTPHOST.
* dirmngr/server.c (make_keyserver_item): Map keys.gnupg.net.
--
For a description of the problem see the comment in
make_keyserver_item.
GnuPG-bug-id: 3755
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/NEWS b/NEWS
index 7547b2a..ca84e20 100644
--- a/NEWS
+++ b/NEWS
@@ -19,6 +19,9 @@ Noteworthy changes in version 2.2.7 (unreleased)
* dirmngr: Fix a regression since 2.1.16 which caused corrupted CRL
caches under Windows. [#2448,#3923]
+ * dirmngr: Fix a CNAME problem with pools and TLS. Also use a fixed
+ mapping of keys.gnupg.net to sks-keyservers.net. [#3755]
+
Noteworthy changes in version 2.2.6 (2018-04-09)
------------------------------------------------
diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index a9bb936..eba7a1a 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -583,7 +583,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
/* Deal with the pool name before selecting a host. */
if (r_httphost)
{
- *r_httphost = xtrystrdup (hi->cname? hi->cname : hi->name);
+ *r_httphost = xtrystrdup (hi->name);
if (!*r_httphost)
return gpg_error_from_syserror ();
}
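Review bot: The line that now copies `hi->name` carries no explanation of why the CNAME is deliberately ignored, and the existing comment above it ("Deal with the pool name before selecting a host") does not cover it, so a later cleanup could easily reintroduce `hi->cname` here. The rationale in this commit lives only in the server.c comment, so it is worth repeating at the point of use, e.g. `/* Use the name the user configured, not its CNAME: TLS verifies the certificate against that name and a CNAME RR from unauthenticated DNS must not replace it.  */`. map_host begins and ends outside the hunk, so whether hi->cname is still consulted elsewhere in it cannot be seen here.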
diff --git a/dirmngr/server.c b/dirmngr/server.c
index 8a0b940..b7cdb24 100644
--- a/dirmngr/server.c
+++ b/dirmngr/server.c
@@ -1997,6 +1997,38 @@ make_keyserver_item (const char *uri, uri_item_t *r_item)
uri_item_t item;
*r_item = NULL;
+
+ /* We used to have DNS CNAME redirection from the URLs below to
+ * sks-keyserver. pools. The idea was to allow for a quick way to
+ * switch to a different set of pools. The problem with that
+ * approach is that TLS needs to verify the hostname and - because
+ * DNS is not secured - it can only check the user supplied hostname
+ * and not a hostname from a CNAME RR. Thus the final server all
+ * need to have certificates with the actual pool name as well as
+ * for keys.gnupg.net - that would render the advantage of
+ * keys.gnupg.net useless and so we better give up on this. Because
+ * the keys.gnupg.net URL are still in widespread use we do a static
+ * mapping here.
+ */
+ if (!strcmp (uri, "hkps://keys.gnupg.net")
+ || !strcmp (uri, "keys.gnupg.net"))
+ uri = "hkps://hkps.pool.sks-keyservers.net";
+ else if (!strcmp (uri, "https://keys.gnupg.net"))
+ uri = "https://hkps.pool.sks-keyservers.net";
+ else if (!strcmp (uri, "hkp://keys.gnupg.net"))
+ uri = "hkp://hkps.pool.sks-keyservers.net";
+ else if (!strcmp (uri, "http://keys.gnupg.net"))
+ uri = "http://hkps.pool.sks-keyservers.net";
+ else if (!strcmp (uri, "hkps://http-keys.gnupg.net")
+ || !strcmp (uri, "http-keys.gnupg.net"))
+ uri = "hkps://ha.pool.sks-keyservers.net";
+ else if (!strcmp (uri, "https://http-keys.gnupg.net"))
+ uri = "https://ha.pool.sks-keyservers.net";
+ else if (!strcmp (uri, "hkp://http-keys.gnupg.net"))
+ uri = "hkp://ha.pool.sks-keyservers.net";
+ else if (!strcmp (uri, "http://http-keys.gnupg.net"))
+ uri = "http://ha.pool.sks-keyservers.net";
+
item = xtrymalloc (sizeof *item + strlen (uri));
if (!item)
return gpg_error_from_syserror ();
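Review bot: The static mapping matches the URI only by exact `strcmp`, so other spellings of the same keyserver such as `hkps://keys.gnupg.net/`, `keys.gnupg.net:443` or an upper-case host fall through unchanged and still run into the CNAME/TLS problem the block comment describes; unless callers normalise the URI before reaching make_keyserver_item (not visible here), a scheme-plus-host comparison that tolerates a trailing slash, an explicit port and host-name case would close that gap. The `hkp://` and `http://` forms are mapped onto the `hkps.pool` host, which is presumably intended because that pool serves plain HKP as well, but a one-line comment such as `/* The hkps pool also serves plain hkp, so map both to it.  */` would stop a reader from treating it as a typo. The comment text has a stray period in `sks-keyserver. pools` and `the keys.gnupg.net URL are` should read `URLs are`. make_keyserver_item continues outside the hunk.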
commit bb8894760fe87cf46a42599f11eab7e7c7a8eb71
Author: Werner Koch <wk at gnupg.org>
Date: Wed Apr 25 15:25:14 2018 +0200
dirmngr: Add the used TLS library to the debug output.
* dirmngr/http.c (send_request): Print the used TLS library in debug
mode.
--
We allow two different TLS libraries and thus it is useful to see
that in the debug output of bug reports.
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/dirmngr/http.c b/dirmngr/http.c
index 4624d5f..6846107 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -1736,9 +1736,19 @@ send_request (http_t hd, const char *httphost, const char *auth,
#ifdef USE_TLS
if (hd->uri->use_tls && !hd->session->tls_session)
{
- log_error ("TLS requested but no GNUTLS context available\n");
+ log_error ("TLS requested but no TLS context available\n");
return gpg_err_make (default_errsource, GPG_ERR_INTERNAL);
}
+ if (opt_debug)
+ log_debug ("Using TLS library: %s %s\n",
+# if HTTP_USE_NTBTLS
+ "NTBTLS", ntbtls_check_version (NULL)
+# elif HTTP_USE_GNUTLS
+ "GNUTLS", gnutls_check_version (NULL)
+# else
+ "?", "?"
+# endif /*HTTP_USE_*TLS*/
+ );
#endif /*USE_TLS*/
if ((hd->flags & HTTP_FLAG_FORCE_TOR))
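Review bot: The new `log_debug` call interleaves three preprocessor branches inside its argument list, which is hard to read and fragile: anyone adding a format argument later has to edit every branch, and a missing comma in one branch only shows up in the build that selects it. Hoisting the library name and version into two locals chosen once under the same `#if` chain leaves the call as a plain `log_debug ("Using TLS library: %s %s\n", tlslib, tlsver);`, as in the excerpt below. The `# else` branch printing `"?" "?"` is only reachable if USE_TLS is defined without either backend; if that configuration is not supported, a `# error` there would be clearer than a silent placeholder. send_request begins and ends outside the hunk.
```c
  if (opt_debug)
    {
# if HTTP_USE_NTBTLS
      const char *tlslib = "NTBTLS";
      const char *tlsver = ntbtls_check_version (NULL);
# elif HTTP_USE_GNUTLS
      const char *tlslib = "GNUTLS";
      const char *tlsver = gnutls_check_version (NULL);
# else
      const char *tlslib = "?";
      const char *tlsver = "?";
# endif /*HTTP_USE_*TLS*/
      log_debug ("Using TLS library: %s %s\n", tlslib, tlsver);
    }
#endif /*USE_TLS*/
  /* ... unchanged: HTTP_FLAG_FORCE_TOR handling ... */
```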
diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
index 800955c..76be528 100644
--- a/doc/dirmngr.texi
+++ b/doc/dirmngr.texi
@@ -208,9 +208,10 @@ flag names. To get a list of all supported flags the single word
@opindex debug-all
Same as @code{--debug=0xffffffff}
- at item --gnutls-debug @var{level}
- at opindex gnutls-debug
-Enable debugging of GNUTLS at @var{level}.
+ at item --tls-debug @var{level}
+ at opindex tls-debug
+Enable debugging of the TLS layer at @var{level}. The details of the
+debug level depend on the used TLS library and are not set in stone.
@item --debug-wait @var{n}
@opindex debug-wait
-----------------------------------------------------------------------
Summary of changes:
NEWS | 3 +++
dirmngr/http.c | 12 +++++++++++-
dirmngr/ks-engine-hkp.c | 2 +-
dirmngr/server.c | 32 ++++++++++++++++++++++++++++++++
doc/dirmngr.texi | 7 ++++---
5 files changed, 51 insertions(+), 5 deletions(-)
hooks/post-receive
--
The GNU Privacy Guard
http://git.gnupg.org