1. 23 Jan, 2017 5 commits
    • Fix format string errors and some missing error case initialization. · af5979a4
      Werner Koch authored
      * common/logging.c (do_logv): Remove extra parentheses in comparison.
      * dirmngr/dns-stuff.c (resolve_addr_libdns): Init RES so that
      dns_res_close is given a defined value in the error case.
      * dirmngr/http.c (cookie_read, cookie_write) [HTTP_USE_NTBTLS]: Fix
      format string char.
      * dirmngr/ks-engine-hkp.c (ks_hkp_help): Remove duplicate "const".
      * dirmngr/ks-engine-http.c (ks_http_help): Ditto.
      * dirmngr/ks-engine-kdns.c (ks_kdns_help): Ditto.
      * dirmngr/ks-engine-ldap.c (ks_ldap_help): Ditto.
      * scd/app-p15.c (send_keypairinfo, do_getattr): Fix format string
      * tools/gpgconf-comp.c (gpg_agent_runtime_change): Init PID for the
      error case.
      (scdaemon_runtime_change): Ditto.
      (dirmngr_runtime_change): Ditto.
      * tools/gpgconf.c (query_swdb): Init VALUE_SIZE_UL.
      Signed-off-by: Werner Koch <wk@gnupg.org>
    • dirmngr: On SIGHUP mark all keyservers alive. · 3ca3da8f
      Werner Koch authored
      * dirmngr/ks-engine-hkp.c (ks_hkp_reload): New.
      * dirmngr/dirmngr.c (dirmngr_sighup_action): Call it.
      Signed-off-by: Werner Koch <wk@gnupg.org>
    • libdns: Hack to skip negation term. · d4c0187d
      Gaetan Bisson authored
      * dirmngr/dns.c (dns_nssconf_loadfile): Skip negation terms in
      nsswitch.conf parser.
      This small patch was submitted along with this comment:
        We've been having issues over at Arch Linux with the new libdns
        code.  Our /etc/nsswitch.conf contains the following line:
          hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname
        And it turns out dirmngr fails to parse the negation statement (the
        bang in !UNAVAIL). This results in gnupg not being able to resolve
        any name.
        Looking at dirmngr/dns.c it was unclear to me how to properly handle
        such negations. The dns_anyconf_scan calls used in
        dns_nssconf_loadfile do not allow to store a negation bit easily...
        In the meantime, I wrote the attached patch which ignores those
        statements altogether. It makes libdns work as expected for us.
      Commit log written by wk
    • dirmngr: Print debug message only with --debug. · 9ae0b81e
      Werner Koch authored
      * dirmngr/dns-stuff.c (libdns_init): Call log_debug only if opt_debug
      is set.
      Signed-off-by: Werner Koch <wk@gnupg.org>
    • dirmngr: Handle missing nsswitch.conf. · 88ade475
      Phil Pennock authored
      * dirmngr/dns-stuff.c (libdns_init): Fallback to files,dns.
      Signed-off-by: Phil Pennock <phil@pennock-tech.com>
      ChangeLog entry by wk.
      This fixed the problem:
        Short version: macOS doesn't include /etc/nsswitch.conf and GnuPG's
        dirmngr is hard-erroring when that file is missing, such that no DNS
        operations succeed and --recv-key returns ENOENT type errors to the
      Signed-off-by: Werner Koch <wk@gnupg.org>
  2. 19 Jan, 2017 1 commit
  3. 16 Jan, 2017 4 commits
  4. 12 Jan, 2017 2 commits
  5. 11 Jan, 2017 6 commits
  6. 09 Jan, 2017 2 commits
  7. 08 Jan, 2017 4 commits
    • dirmngr: Implement experimental SRV record lookup for WKD. · 88dc3af3
      Werner Koch authored
      * dirmngr/server.c (cmd_wkd_get): Support SRV records.
      This patch changes the way a WKD query is done.  Now we first look for
      a SRV record for service "openpgpkey" and port "tcp" under the
      to-be-queried domain.  If such a record was found and the target host
      matches the to-be-queried domain or is a suffix to that domain, that
      target host is used instead of the domain name.  The SRV record also
      allows to change the port and obviously can be used for
      For example a query for the submission address of example.org with the
      SRV record specification
      _openpgpkey._tcp        IN     SRV   0 0  0    wkd.foo.org.
                              IN     SRV   0 0  0    wkd.example.net.
                              IN     SRV   0 0  4711 wkd.example.org.
      (queried using the name "_openpgpkey._tcp.example.org") would fetch
      from this URL:
      Note that the first two SRV records won't be used because foo.org and
      example.net do not match example.org.  We require that the target host
      is identical to the domain or be a subdomain of it.  This is so that
      an attacker modifying the SRV records needs to set up a server in a
      sub-domain of the actual domain and can't use an arbitrary domain.
      Whether this is a sufficient requirement is not clear and needs
      further discussion.
      Signed-off-by: Werner Koch <wk@gnupg.org>
    • dirmngr: Improve debug output for TLS. · 714faea4
      Werner Koch authored
      * dirmngr/misc.c (dump_cert): Also print SubjectAltNames.
      Signed-off-by: Werner Koch <wk@gnupg.org>
    • dirmngr: Change internal SRV lookup API. · 16078f3d
      Werner Koch authored
      * dirmngr/dns-stuff.c (get_dns_srv): Add args SERVICE and PROTO.
      * dirmngr/http.c (connect_server): Simplify SRV lookup.
      * dirmngr/ks-engine-hkp.c (map_host): Ditto.
      * dirmngr/t-dns-stuff.c (main): Adjust for changed get_dns_srv.
      This new API is more convenient because it includes commonly used
      code.  Note that right now http.c's SRV record code is not used.
      Signed-off-by: Werner Koch <wk@gnupg.org>
    • dirmngr: Strip root zone suffix from libdns SRV results. · 9fa94aa1
      Werner Koch authored
      * dirmngr/dns-stuff.c (getsrv_libdns): Strip trailing dot from the
      See-also: b200e636
      Signed-off-by: Werner Koch <wk@gnupg.org>
  8. 03 Jan, 2017 2 commits
    • dirmngr: Make sure Tor mode is also set for DNS on SIGHUP. · 96951240
      Werner Koch authored
      * dirmngr/dns-stuff.c (enable_dns_tormode): Always succeed.
      (reload_dns_stuff): Reset tor port.
      * dirmngr/dirmngr.c (set_tor_mode): Also enable Tor mode for DNS.
      (main): Remove warning that Tor mode may not fully work.
      * dirmngr/server.c (cmd_dns_cert): Remove explicit Tor for DNS
      * dirmngr/t-dns-stuff.c (main): Remove option --new-circuit and error
      checking for enable_dns_tormode.
      This patch also resets the port on SIGHUP so that after starting Tor
      SIGHUP is sufficient to use Tor.  Without the SIGHUP and when not
      using the Tor browser Dirmngr would keep on trying the Tor browser
      Signed-off-by: Werner Koch <wk@gnupg.org>
    • dirmngr: New debug message on correctly initialized libdns. · 0004d52b
      Werner Koch authored
      * dirmngr/dns-stuff.c (libdns_init): Add debug level diagnostic on
      This output may help to avoid questions when evaluating an Assuan log.
      Signed-off-by: Werner Koch <wk@gnupg.org>
  9. 02 Jan, 2017 1 commit
  10. 23 Dec, 2016 1 commit
    • dirmngr: Fix for --disable-libdns usage. · d26c5182
      NIIBE Yutaka authored
      * dirmngr/dns-stuff.c (enable_recursive_resolver, set_dns_nameserver)
      (reload_dns_stuff): Conditionalize with USE_LIBDNS.
      (get_h_errno_as_gpg_error): Map HOST_NOT_FOUND to GPG_ERR_NO_NAME.
      get_dns_srv assumes error code of GPG_ERR_NO_NAME when no SRV record
      Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
      GnuPG-bug-id: 2889
  11. 20 Dec, 2016 1 commit
    • dirmngr: New option --resolver-timeout. · 81c01278
      Werner Koch authored
      * dirmngr/dns-stuff.c (DEFAULT_TIMEOUT): New.
      (opt_timeout): New var.
      (set_dns_timeout): New.
      (libdns_res_open): Set the default timeout.
      (libdns_res_wait): Use configurable timeout.
      (resolve_name_libdns): Ditto.
      * dirmngr/dirmngr.c (oResolverTimeout): New const.
      (opts): New option --resolver-timeout.
      (parse_rereadable_options): Set that option.
      (main) <aGPGConfList>: Add --nameserver and --resolver-timeout.
      * tools/gpgconf-comp.c (gc_options_dirmngr): Add --resolver-timeout
      and --nameserver.
      * dirmngr/http.c (connect_server): Fix yesterday introduced bug in
      error diagnostic.
      This timeout is a pretty crude thing because libdns has a few other
      internal timeouts as well.
      Signed-off-by: Werner Koch <wk@gnupg.org>
  12. 19 Dec, 2016 3 commits
    • dirmngr: Fix problems with the getsrv function. · af8b68fa
      Werner Koch authored
      * dirmngr/dns-stuff.c (opt_debug, opt_verbose): New vars.
      (set_dns_verbose): New func.
      (libdns_switch_port_p): Add debug output.
      (resolve_dns_name): Ditto.
      (get_dns_cert): Ditto.
      (get_dns_cname): Ditto.
      (getsrv_libdns, getsrv_standard): Change SRVCOUNT to an unsigned int.
      (getsrv): Rename to ...
      (get_dns_srv): this.  Add arg R_COUNT and return an error.  Add debug
      * dirmngr/http.c: Adjust for changed getsrv().
      * dirmngr/ks-engine-hkp.c (map_host): Ditto.
      * dirmngr/t-dns-stuff.c (main): Ditto.  Call set_dns_verbose.
      * dirmngr/dirmngr.c (parse_rereadable_options): Call set_dns_verbose.
      Due to our switch to Libdns getsrv didn't work correctly because it
      returned -1 for an NXDOMAIN.  However, it is perfectly okay to have no
      SRV record and thus we change the way this function is called to be
      aligned with the other functions and also map NXDOMAIN to a zero SRV
      record count.
      Signed-off-by: Werner Koch <wk@gnupg.org>
    • dirmngr,w32: Hack around a select problem. · d51499fd
      Werner Koch authored
      * dirmngr/dns.c (FD_SETSIZE): Bump up to 1024.
      (dns_poll): Return an error instead of hitting an assertion failure.
      For unknown reasons socket() returns fds with values 244, 252, 268.  The
      latter is above the FD_SETSIZE of 256.  It seems that select has been
      built with a higher FD_SETSIZE limit.  Bump up to a reasonably large
      A better solution would be to grab some code from npth_eselect to
      replace select.  We could also use npth_eselect directly in
      dns-stuff.c instead of using dns_res_poll.
      Signed-off-by: Werner Koch <wk@gnupg.org>
    • Remove unused debug flags and add "dns" and "network". · e384405b
      Werner Koch authored
      * g10/options.h (DBG_CARD_IO_VALUE, DBG_CARD_IO): Remove.
      * g10/gpg.c (debug_flags): Remove "cardio".
      * agent/agent.h (DBG_COMMAND_VALUE, DBG_COMMAND): Remove.
      * agent/gpg-agent.c (debug_flags): Remove "command".
      * scd/scdaemon.h (DBG_COMMAND_VALUE, DBG_COMMAND): Remove.
      * scd/scdaemon.c (debug_flags): Remove "command".
      * dirmngr/dirmngr.h (DBG_DNS_VALUE, DBG_DNS): New.
      * dirmngr/dirmngr.c (debug_flags): Add "dns" and "network".
      Note that "dns" and "network" are not yet used but will soon be added
      to dirmngr.
      Signed-off-by: Werner Koch <wk@gnupg.org>
  13. 17 Dec, 2016 1 commit
    • dirmngr: Fix setup of libdns for W32. · e77b924f
      Werner Koch authored
      * configure.ac (DNSLIB) [W32]: Add -liphlpapi.
      * dirmngr/dns-stuff.c [W32]: Include iphlpapi.h and define
      (libdns_init) [W32]: Use GetNetworkParams to get the nameserver.
      * dirmngr/t-dns-stuff.c (init_sockets): New.
      (main): Call it.
      Signed-off-by: Werner Koch <wk@gnupg.org>
  14. 16 Dec, 2016 4 commits
    • dirmngr: Auto-switch from Tor port to Torbrowser port. · 024dbd71
      Werner Koch authored
      * dirmngr/dns-stuff.c (libdns_tor_port): New var.
      (set_dns_nameserver): Clear that var.
      (libdns_init): Init var to the default port.
      (libdns_switch_port_p): New func.
      (resolve_dns_name): Use function to switch the port
      (get_dns_cert): Ditto.
      (getsrv): Ditto.
      (get_dns_cname): Ditto.
      Signed-off-by: Werner Koch <wk@gnupg.org>
    • dirmngr: Use one context for all libdns queries. · c4e8a319
      Werner Koch authored
      * dirmngr/dns-stuff.c (libdns_reinit_pending): New var.
      (enable_recursive_resolver): Set var.
      (set_dns_nameserver): Ditto.
      (libdns_init): Avoid double initialization.
      (libdns_deinit): New.
      (reload_dns_stuff): New.
      (libdns_res_open): Act upon LIBDNS_REINIT_PENDING.
      * dirmngr/t-dns-stuff.c (main): Call reload_dns_stuff to release
      * dirmngr/dirmngr.c (cleanup): Ditto.
      (dirmngr_sighup_action): Call reload_dns_stuff to set
      Signed-off-by: Werner Koch <wk@gnupg.org>
    • dirmngr: Pass Tor credentials to libdns. · ddb48086
      Werner Koch authored
      * dirmngr/dns-stuff.c (tor_credentials): Replace by ...
      (tor_socks_user, tor_socks_password): new vars.
      (enable_dns_tormode): Set these new vars.
      (libdns_res_open): Tell libdns the socks credentials.
      Signed-off-by: Werner Koch <wk@gnupg.org>
    • dirmngr: Factor common libdns code out. · 59d3c3e4
      Werner Koch authored
      * dirmngr/dns-stuff.c (libdns_res_open): New.  Replace all libdns_init
      and dns_res_open by a call to this func.
      (libdns_res_submit): New wrapper.  Replace all dns_res_submit calls.
      (libdns_res_wait): New function.
      (resolve_name_libdns): Replace loop by libdns_res_wait.
      (get_dns_cert_libdns): Ditto.
      (getsrv_libdns): Ditto.
      Signed-off-by: Werner Koch <wk@gnupg.org>
  15. 15 Dec, 2016 1 commit
    • dirmngr: First patch to re-enable Tor support. · 2d1760ff
      Werner Koch authored
      * dirmngr/dns-stuff.c (SOCKS_PORT, TOR_PORT, TOR_PORT2): New
      (libdns_init): Start adding tor support.
      (resolve_name_libdns): Pass socks hosts to dns_res_open.
      (get_dns_cert_libdns): Ditto.
      (getsrv_libdns): Ditto.
      (get_dns_cname_libdns): Ditto.
      Signed-off-by: Werner Koch <wk@gnupg.org>
  16. 14 Dec, 2016 2 commits
    • dirmngr: New configure option --disable-libdns. · d34a2bb4
      Werner Koch authored
      * configure.ac: Add option --disable-libdns
      (USE_LIBDNS): New ac_subst and am_conditional.
      (USE_C99_CFLAGS): Set only if libdns is used.
      * dirmngr/Makefile.am (dirmngr_SOURCES): Move dns.c and dns.h to ...
      (dirmngr_SOURCES) [USE_LIBDNS]: here.
      (t_common_src): Ditto.
      * dirmngr/dirmngr.c (oRecursiveResolver): New constant.
      (opts): New option "--recursive-resolver".
      (parse_rereadable_options): Set option.
      * dirmngr/t-dns-stuff.c (main): Add option --recursive-resolver.
      * dirmngr/server.c (cmd_getinfo): Depend output of "dnsinfo" on the
      new variables.
      * dirmngr/dns-stuff.c: Include dns.h only if USE_DNSLIB is defined.
      Also build and call dnslib functions only if USE_DNSLIB is defined.
      (recursive_resolver): New var.
      (enable_recursive_resolver): New func.
      (recursive_resolver_p): New func.
      In case users run into problems building GnuPG, the configure option
      allows to disable that support and continue w/o Tor support using the
      system resolver.
      --recursive-resolver was easy enough to implement and may be useful in
      some situation.  It does not fully work, though.
      Signed-off-by: Werner Koch <wk@gnupg.org>
    • dirmngr: Implement CERT record lookup via libdns. · 3c2a7918
      Werner Koch authored
      * dirmngr/dns-stuff.c (get_dns_cert_libdns): New.
      (get_dns_cert_standard): Fix URL malloc checking.
      Signed-off-by: Werner Koch <wk@gnupg.org>