1 /* dirmngr.h - Common definitions for the dirmngr
2 * Copyright (C) 2002 Klarälvdalens Datakonsult AB
3 * Copyright (C) 2004, 2015 g10 Code GmbH
4 * Copyright (C) 2014 Werner Koch
6 * This file is part of GnuPG.
8 * GnuPG is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
13 * GnuPG is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <https://www.gnu.org/licenses/>.
21 * SPDX-License-Identifier: GPL-3.0+
27 #include "./dirmngr-err.h"
28 #define map_assuan_err(a) \
29 map_assuan_err_with_source (GPG_ERR_SOURCE_DEFAULT, (a))
34 #include "../common/util.h"
35 #include "../common/membuf.h"
36 #include "../common/sysutils.h" /* (gnupg_fd_t) */
37 #include "../common/asshelp.h" /* (assuan_context_t) */
38 #include "../common/i18n.h"
39 #include "../common/name-value.h"
40 #include "dirmngr-status.h"
41 #include "http.h" /* (parsed_uri_t) */
43 /* This objects keeps information about a particular LDAP server and
44 is used as item of a single linked list of servers. */
47 struct ldap_server_s* next;
54 unsigned int starttls:1; /* Use STARTTLS. */
55 unsigned int ldap_over_tls:1; /* Use LDAP over an TLS tunnel */
56 unsigned int ntds:1; /* Use Active Directory authentication. */
57 unsigned int areconly:1; /* Set LDAP_OPT_AREC_EXCLUSIVE. */
59 typedef struct ldap_server_s *ldap_server_t;
62 /* This objects is used to build a list of URI consisting of the
63 original and the parsed URI. */
66 struct uri_item_s *next;
67 parsed_uri_t parsed_uri; /* The broken down URI. */
68 char uri[1]; /* The original URI. */
70 typedef struct uri_item_s *uri_item_t;
73 /* A list of fingerprints. */
74 struct fingerprint_list_s;
75 typedef struct fingerprint_list_s *fingerprint_list_t;
76 struct fingerprint_list_s
78 fingerprint_list_t next;
79 char binlen; /* If this is not 0 hexfpr actually carries a binary fpr. */
84 /* A large struct named "opt" to keep global flags. */
85 EXTERN_UNLESS_MAIN_MODULE
88 unsigned int debug; /* debug flags (DBG_foo_VALUE) */
89 int verbose; /* verbosity level */
90 int quiet; /* be as quiet as possible */
91 int dry_run; /* don't change any persistent data */
92 int batch; /* batch mode */
93 const char *homedir_cache; /* Dir for cache files (/var/cache/dirmngr). */
95 char *config_filename; /* Name of a config file, which will be
96 reread on a HUP if it is not NULL. */
98 char *ldap_wrapper_program; /* Override value for the LDAP wrapper
100 char *http_wrapper_program; /* Override value for the HTTP wrapper
103 int running_detached; /* We are running in detached mode. */
104 int allow_version_check; /* --allow-version-check is active. */
106 int force; /* Force loading outdated CRLs. */
108 char *fake_crl; /* Name of a file with faked CRL entries. */
110 unsigned int connect_timeout; /* Timeout for connect. */
111 unsigned int connect_quick_timeout; /* Shorter timeout for connect. */
113 int disable_http; /* Do not use HTTP at all. */
114 int disable_ldap; /* Do not use LDAP at all. */
115 int disable_ipv4; /* Do not use legacy IP addresses. */
116 int disable_ipv6; /* Do not use standard IP addresses. */
117 int honor_http_proxy; /* Honor the http_proxy env variable. */
118 const char *http_proxy; /* The default HTTP proxy. */
119 const char *ldap_proxy; /* Use given LDAP proxy. */
120 int only_ldap_proxy; /* Only use the LDAP proxy; no fallback. */
121 int ignore_http_dp; /* Ignore HTTP CRL distribution points. */
122 int ignore_ldap_dp; /* Ignore LDAP CRL distribution points. */
123 int ignore_ocsp_service_url; /* Ignore OCSP service URLs as given in
126 /* A list of fingerprints of certififcates we should completely
127 * ignore. These are all stored in binary format. */
128 fingerprint_list_t ignored_certs;
130 /* A list of certificate extension OIDs which are ignored so that
131 one can claim that a critical extension has been handled. One
133 strlist_t ignored_cert_extensions;
135 /* A list of CRL extension OIDs which are ignored so that one can
136 * claim that a critical extension has been handled. One OID per
138 strlist_t ignored_crl_extensions;
140 /* Allow expired certificates in the cache. */
141 int debug_cache_expired_certs;
143 int allow_ocsp; /* Allow using OCSP. */
146 unsigned int ldaptimeout;
148 ldap_server_t ldapservers;
149 int add_new_ldapservers;
151 const char *ocsp_responder; /* Standard OCSP responder's URL. */
152 fingerprint_list_t ocsp_signer; /* The list of fingerprints with allowed
153 standard OCSP signer certificates. */
155 unsigned int ocsp_max_clock_skew; /* Allowed seconds of clocks skew. */
156 unsigned int ocsp_max_period; /* Seconds a response is at maximum
157 considered valid after thisUpdate. */
158 unsigned int ocsp_current_period; /* Seconds a response is considered
159 current after nextUpdate. */
161 strlist_t keyserver; /* List of default keyservers. */
163 /* Compatibility flags (COMPAT_FLAG_xxxx). */
164 unsigned int compat_flags;
168 #define DBG_X509_VALUE 1 /* debug x.509 parsing */
169 #define DBG_CRYPTO_VALUE 4 /* debug low level crypto */
170 #define DBG_DNS_VALUE 16 /* debug DNS calls. */
171 #define DBG_MEMORY_VALUE 32 /* debug memory allocation stuff */
172 #define DBG_CACHE_VALUE 64 /* debug the caching */
173 #define DBG_MEMSTAT_VALUE 128 /* show memory statistics */
174 #define DBG_HASHING_VALUE 512 /* debug hashing operations */
175 #define DBG_IPC_VALUE 1024 /* debug assuan communication */
176 #define DBG_NETWORK_VALUE 2048 /* debug network I/O. */
177 #define DBG_LOOKUP_VALUE 8192 /* debug lookup details */
178 #define DBG_EXTPROG_VALUE 16384 /* debug external program calls */
179 #define DBG_KEEPTMP_VALUE 32768 /* keep some temporary files */
181 #define DBG_X509 (opt.debug & DBG_X509_VALUE)
182 #define DBG_CRYPTO (opt.debug & DBG_CRYPTO_VALUE)
183 #define DBG_DNS (opt.debug & DBG_DNS_VALUE)
184 #define DBG_MEMORY (opt.debug & DBG_MEMORY_VALUE)
185 #define DBG_CACHE (opt.debug & DBG_CACHE_VALUE)
186 #define DBG_HASHING (opt.debug & DBG_HASHING_VALUE)
187 #define DBG_IPC (opt.debug & DBG_IPC_VALUE)
188 #define DBG_NETWORK (opt.debug & DBG_NETWORK_VALUE)
189 #define DBG_LOOKUP (opt.debug & DBG_LOOKUP_VALUE)
190 #define DBG_EXTPROG (opt.debug & DBG_EXTPROG_VALUE)
191 #define DBG_KEEPTMP (opt.debug & DBG_KEEPTMP_VALUE)
193 /* Compatibility flags */
195 /* Since version 2.2.12 dirmngr restricted HTTP redirection in an
196 * attempt to mitigate certain CSRF attacks. It turned out that this
197 * breaks too many WKD deployments and that the attack scenario is not
198 * due to gnupg's redirecting but due to insecure configured systems.
199 * Thus from 2.4.3 on we disable this restriction but allow to use the
200 * old behaviour by using this compatibility flag. For details see
201 * https://dev.gnupg.org/T6477. */
202 #define COMPAT_RESTRICT_HTTP_REDIR 1
205 /* A simple list of certificate references. FIXME: Better use
206 certlist_t also for references (Store NULL at .cert) */
209 struct cert_ref_s *next;
210 unsigned char fpr[20];
212 typedef struct cert_ref_s *cert_ref_t;
214 /* Forward reference; access only via ks-engine-ldap.c. */
215 struct ks_engine_ldap_local_s;
217 /* Forward reference; access only through server.c. */
218 struct server_local_s;
220 #if SIZEOF_UNSIGNED_LONG == 8
221 # define SERVER_CONTROL_MAGIC 0x6469726d6e677220
223 # define SERVER_CONTROL_MAGIC 0x6469726d
226 /* Connection control structure. */
227 struct server_control_s
229 unsigned long magic;/* Always has SERVER_CONTROL_MAGIC. */
230 int refcount; /* Count additional references to this object. */
231 int no_server; /* We are not running under server control. */
232 int status_fd; /* Only for non-server mode. */
233 struct server_local_s *server_local;
234 struct ks_engine_ldap_local_s *ks_get_state;
235 int force_crl_refresh; /* Always load a fresh CRL. */
237 int check_revocations_nest_level; /* Internal to check_revovations. */
238 cert_ref_t ocsp_certs; /* Certificates from the current OCSP
241 int audit_events; /* Send audit events to client. */
242 char *http_proxy; /* The used http_proxy or NULL. */
244 nvc_t rootdse; /* Container wit the rootDSE properties. */
246 unsigned int timeout; /* Timeout for connect calls in ms. */
248 unsigned int http_no_crl:1; /* Do not check CRLs for https. */
249 unsigned int rootdse_tried:1;/* Already tried to get the rootDSE. */
254 void dirmngr_exit( int ); /* Wrapper for exit() */
255 void dirmngr_init_default_ctrl (ctrl_t ctrl);
256 void dirmngr_deinit_default_ctrl (ctrl_t ctrl);
257 void dirmngr_sighup_action (void);
258 const char* dirmngr_get_current_socket_name (void);
259 int dirmngr_use_tor (void);
260 int dirmngr_never_use_tor_p (void);
262 /*-- Various housekeeping functions. --*/
263 void ks_hkp_housekeeping (time_t curtime);
264 void ks_hkp_reload (void);
265 void ks_hkp_init (void);
268 void release_uri_item_list (uri_item_t list);
270 ldap_server_t get_ldapservers_from_ctrl (ctrl_t ctrl);
271 ksba_cert_t get_cert_local (ctrl_t ctrl, const char *issuer);
272 ksba_cert_t get_issuing_cert_local (ctrl_t ctrl, const char *issuer);
273 ksba_cert_t get_cert_local_ski (ctrl_t ctrl,
274 const char *name, ksba_sexp_t keyid);
275 gpg_error_t get_istrusted_from_client (ctrl_t ctrl, const char *hexfpr);
276 int dirmngr_assuan_log_monitor (assuan_context_t ctx, unsigned int cat,
278 void start_command_handler (gnupg_fd_t fd, unsigned int session_id);
279 gpg_error_t dirmngr_tick (ctrl_t ctrl);
281 /*-- http-ntbtls.c --*/
282 /* Note that we don't use a callback for gnutls. */
284 gpg_error_t gnupg_http_tls_verify_cb (void *opaque,
286 http_session_t session,
292 gpg_error_t dirmngr_load_swdb (ctrl_t ctrl, int force);
295 /*-- domaininfo.c --*/
296 void domaininfo_print_stats (ctrl_t ctrl);
297 int domaininfo_is_wkd_not_supported (const char *domain);
298 void domaininfo_set_no_name (const char *domain);
299 void domaininfo_set_wkd_supported (const char *domain);
300 void domaininfo_set_wkd_not_supported (const char *domain);
301 void domaininfo_set_wkd_not_found (const char *domain);
303 /*-- workqueue.c --*/
304 typedef const char *(*wqtask_t)(ctrl_t ctrl, const char *args);
306 void workqueue_dump_queue (ctrl_t ctrl);
307 gpg_error_t workqueue_add_task (wqtask_t func, const char *args,
308 unsigned int session_id, int need_network);
309 void workqueue_run_global_tasks (ctrl_t ctrl, int with_network);
310 void workqueue_run_post_session_tasks (unsigned int session_id);