* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
- * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ * along with this program; if not, see <https://www.gnu.org/licenses/>.
*/
#include <config.h>
#include "dirmngr.h"
#include "misc.h"
-#include "userids.h"
+#include "../common/userids.h"
+#include "dns-stuff.h"
#include "ks-engine.h"
/* Substitutes for missing Mingw macro. The EAI_SYSTEM mechanism
/* Number of retries done for a dead host etc. */
#define SEND_REQUEST_RETRIES 3
+enum ks_protocol { KS_PROTOCOL_HKP, KS_PROTOCOL_HKPS, KS_PROTOCOL_MAX };
+
/* Objects used to maintain information about hosts. */
struct hostinfo_s;
typedef struct hostinfo_s *hostinfo_t;
{
time_t lastfail; /* Time we tried to connect and failed. */
time_t lastused; /* Time of last use. */
- int *pool; /* A -1 terminated array with indices into
- HOSTTABLE or NULL if NAME is not a pool
- name. */
+ int *pool; /* An array with indices into HOSTTABLE or NULL
+ if NAME is not a pool name. */
+ size_t pool_len; /* Length of POOL. */
+ size_t pool_size; /* Allocated size of POOL. */
+#define MAX_POOL_SIZE 128
int poolidx; /* Index into POOL with the used host. -1 if not set. */
unsigned int v4:1; /* Host supports AF_INET. */
unsigned int v6:1; /* Host supports AF_INET6. */
+ unsigned int onion:1;/* NAME is an onion (Tor HS) address. */
unsigned int dead:1; /* Host is currently unresponsive. */
+ unsigned int iporname_valid:1; /* The field IPORNAME below is valid */
+ /* (but may be NULL) */
+ unsigned int did_a_lookup:1; /* Have we done an A lookup yet? */
+ unsigned int did_srv_lookup:2; /* One bit per protocol indicating
+ whether we already did a SRV
+ lookup. */
time_t died_at; /* The time the host was marked dead. If this is
0 the host has been manually marked dead. */
char *cname; /* Canonical name of the host. Only set if this
- is a pool. */
- char *v4addr; /* A string with the v4 IP address of the host.
- NULL if NAME has a numeric IP address or no v4
- address is available. */
- char *v6addr; /* A string with the v6 IP address of the host.
- NULL if NAME has a numeric IP address or no v4
- address is available. */
+ is a pool or NAME has a numerical IP address. */
+ char *iporname; /* Numeric IP address or name for printing. */
+ unsigned short port[KS_PROTOCOL_MAX];
+ /* The port used by the host for all protocols, 0
+ if unknown. */
char name[1]; /* The hostname. */
};
static hostinfo_t *hosttable;
static int hosttable_size;
-/* The number of host slots we initally allocate for HOSTTABLE. */
+/* The number of host slots we initially allocate for HOSTTABLE. */
#define INITIAL_HOSTTABLE_SIZE 10
return -1;
strcpy (hi->name, name);
hi->pool = NULL;
+ hi->pool_len = 0;
+ hi->pool_size = 0;
hi->poolidx = -1;
hi->lastused = (time_t)(-1);
hi->lastfail = (time_t)(-1);
hi->v4 = 0;
hi->v6 = 0;
+ hi->onion = 0;
hi->dead = 0;
+ hi->did_a_lookup = 0;
+ hi->did_srv_lookup = 0;
+ hi->iporname_valid = 0;
hi->died_at = 0;
hi->cname = NULL;
- hi->v4addr = NULL;
- hi->v6addr = NULL;
+ hi->iporname = NULL;
+ hi->port[KS_PROTOCOL_HKP] = 0;
+ hi->port[KS_PROTOCOL_HKPS] = 0;
/* Add it to the hosttable. */
for (idx=0; idx < hosttable_size; idx++)
}
-/* Return true if the host with the hosttable index TBLIDX is in POOL. */
+/* Return true if the host with the hosttable index TBLIDX is in HI->pool. */
static int
-host_in_pool_p (int *pool, int tblidx)
+host_in_pool_p (hostinfo_t hi, int tblidx)
{
int i, pidx;
- for (i=0; (pidx = pool[i]) != -1; i++)
+ for (i = 0; i < hi->pool_len && (pidx = hi->pool[i]) != -1; i++)
if (pidx == tblidx && hosttable[pidx])
return 1;
return 0;
}
-/* Select a random host. Consult TABLE which indices into the global
- hosttable. Returns index into TABLE or -1 if no host could be
+/* Select a random host. Consult HI->pool which indices into the global
+ hosttable. Returns index into HI->pool or -1 if no host could be
selected. */
static int
-select_random_host (int *table)
+select_random_host (hostinfo_t hi)
{
int *tbl;
size_t tblsize;
/* We create a new table so that we randomly select only from
currently alive hosts. */
- for (idx=0, tblsize=0; (pidx = table[idx]) != -1; idx++)
+ for (idx = 0, tblsize = 0;
+ idx < hi->pool_len && (pidx = hi->pool[idx]) != -1;
+ idx++)
if (hosttable[pidx] && !hosttable[pidx]->dead)
tblsize++;
if (!tblsize)
tbl = xtrymalloc (tblsize * sizeof *tbl);
if (!tbl)
return -1;
- for (idx=0, tblsize=0; (pidx = table[idx]) != -1; idx++)
+ for (idx = 0, tblsize = 0;
+ idx < hi->pool_len && (pidx = hi->pool[idx]) != -1;
+ idx++)
if (hosttable[pidx] && !hosttable[pidx]->dead)
tbl[tblsize++] = pidx;
}
-/* Simplified version of getnameinfo which also returns a numeric
- hostname inside of brackets. The caller should provide a buffer
- for HOST which is 2 bytes larger than the largest hostname. If
- NUMERIC is true the returned value is numeric IP address. Returns
- 0 on success or an EAI error code. True is stored at R_ISNUMERIC
- if HOST has a numeric IP address. */
+/* Figure out if a set of DNS records looks like a pool. */
static int
-my_getnameinfo (struct addrinfo *ai, char *host, size_t hostlen,
- int numeric, int *r_isnumeric)
+arecords_is_pool (dns_addrinfo_t aibuf)
{
- int ec;
- char *p;
+ dns_addrinfo_t ai;
+ int n_v6, n_v4;
- *r_isnumeric = 0;
+ n_v6 = n_v4 = 0;
+ for (ai = aibuf; ai; ai = ai->next)
+ {
+ if (ai->family == AF_INET6)
+ n_v6++;
+ else if (ai->family == AF_INET)
+ n_v4++;
+ }
- if (hostlen < 5)
- return EAI_OVERFLOW;
+ return n_v6 > 1 || n_v4 > 1;
+}
- if (numeric)
- ec = EAI_NONAME;
- else
- ec = getnameinfo (ai->ai_addr, ai->ai_addrlen,
- host, hostlen, NULL, 0, NI_NAMEREQD);
- if (!ec && *host == '[')
- ec = EAI_FAIL; /* A name may never start with a bracket. */
- else if (ec == EAI_NONAME)
- {
- p = host;
- if (ai->ai_family == AF_INET6)
- {
- *p++ = '[';
- hostlen -= 2;
- }
- ec = getnameinfo (ai->ai_addr, ai->ai_addrlen,
- p, hostlen, NULL, 0, NI_NUMERICHOST);
- if (!ec && ai->ai_family == AF_INET6)
- strcat (host, "]");
+/* Print a warning iff Tor is not running but Tor has been requested.
+ * Also return true if it is not running. */
+static int
+tor_not_running_p (ctrl_t ctrl)
+{
+ assuan_fd_t sock;
+
+ if (!dirmngr_use_tor ())
+ return 0;
- *r_isnumeric = 1;
+ sock = assuan_sock_connect_byname (NULL, 0, 0, NULL, ASSUAN_SOCK_TOR);
+ if (sock != ASSUAN_INVALID_FD)
+ {
+ assuan_sock_close (sock);
+ return 0;
}
- return ec;
+ log_info ("(it seems Tor is not running)\n");
+ dirmngr_status (ctrl, "WARNING", "tor_not_running 0",
+ "Tor is enabled but the local Tor daemon"
+ " seems to be down", NULL);
+ return 1;
}
-/* Check whether NAME is an IP address. */
-static int
-is_ip_address (const char *name)
+/* Add the host AI under the NAME into the HOSTTABLE. If PORT is not
+ zero, it specifies which port to use to talk to the host for
+ PROTOCOL. If NAME specifies a pool (as indicated by IS_POOL),
+ update the given reference table accordingly. */
+static void
+add_host (const char *name, int is_pool,
+ const dns_addrinfo_t ai,
+ enum ks_protocol protocol, unsigned short port)
{
- int ndots, n;
-
- if (*name == '[')
- return 1;
- /* Check whether it is legacy IP address. */
- if (*name == '.')
- return 0; /* No. */
- ndots = n = 0;
- for (; *name; name++)
+ gpg_error_t tmperr;
+ char *tmphost;
+ int idx, tmpidx;
+ hostinfo_t host;
+ int i;
+
+ idx = find_hostinfo (name);
+ host = hosttable[idx];
+
+ if (is_pool)
+ {
+ /* For a pool immediately convert the address to a string. */
+ tmperr = resolve_dns_addr (ai->addr, ai->addrlen,
+ (DNS_NUMERICHOST | DNS_WITHBRACKET), &tmphost);
+ }
+ else if (!is_ip_address (name))
+ {
+ /* This is a hostname. Use the name as given without going
+ * through resolve_dns_addr. */
+ tmphost = xtrystrdup (name);
+ if (!tmphost)
+ tmperr = gpg_error_from_syserror ();
+ else
+ tmperr = 0;
+ }
+ else
{
- if (*name == '.')
+ /* Do a PTR lookup on AI. If a name was not found the function
+ * returns the numeric address (with brackets). */
+ tmperr = resolve_dns_addr (ai->addr, ai->addrlen,
+ DNS_WITHBRACKET, &tmphost);
+ }
+
+ if (tmperr)
+ {
+ log_info ("resolve_dns_addr failed while checking '%s': %s\n",
+ name, gpg_strerror (tmperr));
+ }
+ else if (host->pool_len + 1 >= MAX_POOL_SIZE)
+ {
+ log_error ("resolve_dns_addr for '%s': '%s'"
+ " [index table full - ignored]\n", name, tmphost);
+ }
+ else
+ {
+ if (!is_pool && is_ip_address (name))
+ /* Update the original entry. */
+ tmpidx = idx;
+ else
+ tmpidx = find_hostinfo (tmphost);
+ log_info ("resolve_dns_addr for '%s': '%s'%s\n",
+ name, tmphost,
+ tmpidx == -1? "" : " [already known]");
+
+ if (tmpidx == -1) /* Create a new entry. */
+ tmpidx = create_new_hostinfo (tmphost);
+
+ if (tmpidx == -1)
{
- if (name[1] == '.')
- return 0; /* No. */
- if (atoi (name+1) > 255)
- return 0; /* Value too large. */
- ndots++;
- n = 0;
+ log_error ("map_host for '%s' problem: %s - '%s' [ignored]\n",
+ name, strerror (errno), tmphost);
+ }
+ else /* Set or update the entry. */
+ {
+ if (port)
+ hosttable[tmpidx]->port[protocol] = port;
+
+ if (ai->family == AF_INET6)
+ {
+ hosttable[tmpidx]->v6 = 1;
+ }
+ else if (ai->family == AF_INET)
+ {
+ hosttable[tmpidx]->v4 = 1;
+ }
+ else
+ BUG ();
+
+ /* If we updated the main entry, we're done. */
+ if (idx == tmpidx)
+ goto leave;
+
+ /* If we updated an existing entry, we're done. */
+ for (i = 0; i < host->pool_len; i++)
+ if (host->pool[i] == tmpidx)
+ goto leave;
+
+ /* Otherwise, we need to add it to the pool. Check if there
+ is space. */
+ if (host->pool_len + 1 > host->pool_size)
+ {
+ int *new_pool;
+ size_t new_size;
+
+ if (host->pool_size == 0)
+ new_size = 4;
+ else
+ new_size = host->pool_size * 2;
+
+ new_pool = xtryrealloc (host->pool,
+ new_size * sizeof *new_pool);
+
+ if (new_pool == NULL)
+ goto leave;
+
+ host->pool = new_pool;
+ host->pool_size = new_size;
+ }
+
+ /* Finally, add it. */
+ log_assert (host->pool_len < host->pool_size);
+ host->pool[host->pool_len++] = tmpidx;
}
- else if (!strchr ("012345678", *name))
- return 0; /* Not a digit. */
- else if (++n > 3)
- return 0; /* More than 3 digits. */
}
- return !!(ndots == 3);
+ leave:
+ xfree (tmphost);
}
+/* Sort the pool of the given hostinfo HI. */
+static void
+hostinfo_sort_pool (hostinfo_t hi)
+{
+ qsort (hi->pool, hi->pool_len, sizeof *hi->pool, sort_hostpool);
+}
+
/* Map the host name NAME to the actual to be used host name. This
- allows us to manage round robin DNS names. We use our own strategy
- to choose one of the hosts. For example we skip those hosts which
- failed for some time and we stick to one host for a time
- independent of DNS retry times. If FORCE_RESELECT is true a new
- host is always selected. The selected host is stored as a malloced
- string at R_HOST; on error NULL is stored. If R_HTTPFLAGS is not
- NULL it will receive flags which are to be passed to http_open. If
- R_POOLNAME is not NULL a malloced name of the pool is stored or
- NULL if it is not a pool. */
+ * allows us to manage round robin DNS names. We use our own strategy
+ * to choose one of the hosts. For example we skip those hosts which
+ * failed for some time and we stick to one host for a time
+ * independent of DNS retry times. If FORCE_RESELECT is true a new
+ * host is always selected. If SRVTAG is NULL no service record
+ * lookup will be done, if it is set that service name is used. The
+ * selected host is stored as a malloced string at R_HOST; on error
+ * NULL is stored. If we know the port used by the selected host from
+ * a service record, a string representation is written to R_PORTSTR,
+ * otherwise it is left untouched. If R_HTTPFLAGS is not NULL it will
+ * receive flags which are to be passed to http_open. If R_HTTPHOST
+ * is not NULL a malloced name of the host is stored there; this might
+ * be different from R_HOST in case it has been selected from a
+ * pool. */
static gpg_error_t
-map_host (ctrl_t ctrl, const char *name, int force_reselect,
- char **r_host, unsigned int *r_httpflags, char **r_poolname)
+map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
+ enum ks_protocol protocol, char **r_host, char *r_portstr,
+ unsigned int *r_httpflags, char **r_httphost)
{
gpg_error_t err = 0;
hostinfo_t hi;
int idx;
+ dns_addrinfo_t aibuf, ai;
+ int is_pool;
+ int new_hosts = 0;
+ char *cname;
*r_host = NULL;
if (r_httpflags)
*r_httpflags = 0;
- if (r_poolname)
- *r_poolname = NULL;
+ if (r_httphost)
+ *r_httphost = NULL;
/* No hostname means localhost. */
if (!name || !*name)
idx = find_hostinfo (name);
if (idx == -1)
{
- /* We never saw this host. Allocate a new entry. */
- struct addrinfo hints, *aibuf, *ai;
- int *reftbl;
- size_t reftblsize;
- int refidx;
- int is_pool = 0;
-
- reftblsize = 100;
- reftbl = xtrymalloc (reftblsize * sizeof *reftbl);
- if (!reftbl)
- return gpg_error_from_syserror ();
- refidx = 0;
-
idx = create_new_hostinfo (name);
if (idx == -1)
+ return gpg_error_from_syserror ();
+ hi = hosttable[idx];
+ hi->onion = is_onion_address (name);
+ }
+ else
+ hi = hosttable[idx];
+
+ is_pool = hi->pool != NULL;
+
+ if (srvtag && !is_ip_address (name)
+ && ! hi->onion
+ && ! (hi->did_srv_lookup & 1 << protocol))
+ {
+ struct srventry *srvs;
+ unsigned int srvscount;
+
+ /* Check for SRV records. */
+ err = get_dns_srv (name, srvtag, NULL, &srvs, &srvscount);
+ if (err)
{
- err = gpg_error_from_syserror ();
- xfree (reftbl);
+ if (gpg_err_code (err) == GPG_ERR_ECONNREFUSED)
+ tor_not_running_p (ctrl);
return err;
}
- hi = hosttable[idx];
+ if (srvscount > 0)
+ {
+ int i;
+ if (! is_pool)
+ is_pool = srvscount > 1;
+
+ for (i = 0; i < srvscount; i++)
+ {
+ err = resolve_dns_name (srvs[i].target, 0,
+ AF_UNSPEC, SOCK_STREAM,
+ &ai, &cname);
+ if (err)
+ continue;
+ dirmngr_tick (ctrl);
+ add_host (name, is_pool, ai, protocol, srvs[i].port);
+ new_hosts = 1;
+ }
+
+ xfree (srvs);
+ }
+
+ hi->did_srv_lookup |= 1 << protocol;
+ }
+
+ if (! hi->did_a_lookup
+ && ! hi->onion)
+ {
/* Find all A records for this entry and put them into the pool
list - if any. */
- memset (&hints, 0, sizeof (hints));
- hints.ai_family = AF_UNSPEC;
- hints.ai_socktype = SOCK_STREAM;
- hints.ai_flags = AI_CANONNAME;
- /* We can't use the the AI_IDN flag because that does the
- conversion using the current locale. However, GnuPG always
- used UTF-8. To support IDN we would need to make use of the
- libidn API. */
- if (!getaddrinfo (name, NULL, &hints, &aibuf))
+ err = resolve_dns_name (name, 0, 0, SOCK_STREAM, &aibuf, &cname);
+ if (err)
+ {
+ log_error ("resolving '%s' failed: %s\n", name, gpg_strerror (err));
+ err = 0;
+ }
+ else
{
- int n_v6, n_v4;
-
/* First figure out whether this is a pool. For a pool we
- use a different strategy than for a plains erver: We use
+ use a different strategy than for a plain server: We use
the canonical name of the pool as the virtual host along
with the IP addresses. If it is not a pool, we use the
specified name. */
- n_v6 = n_v4 = 0;
- for (ai = aibuf; ai; ai = ai->ai_next)
+ if (! is_pool)
+ is_pool = arecords_is_pool (aibuf);
+ if (is_pool && cname)
{
- if (ai->ai_family != AF_INET6)
- n_v6++;
- else if (ai->ai_family != AF_INET)
- n_v4++;
+ hi->cname = cname;
+ cname = NULL;
}
- if (n_v6 > 1 || n_v4 > 1)
- is_pool = 1;
- if (is_pool && aibuf->ai_canonname)
- hi->cname = xtrystrdup (aibuf->ai_canonname);
- for (ai = aibuf; ai; ai = ai->ai_next)
+ for (ai = aibuf; ai; ai = ai->next)
{
- char tmphost[NI_MAXHOST + 2];
- int tmpidx;
- int is_numeric;
- int ec;
- int i;
-
- if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
+ if (ai->family != AF_INET && ai->family != AF_INET6)
+ continue;
+ if (opt.disable_ipv4 && ai->family == AF_INET)
+ continue;
+ if (opt.disable_ipv6 && ai->family == AF_INET6)
continue;
-
dirmngr_tick (ctrl);
- if (!is_pool && !is_ip_address (name))
- {
- /* This is a hostname but not a pool. Use the name
- as given without going through getnameinfo. */
- if (strlen (name)+1 > sizeof tmphost)
- {
- ec = EAI_SYSTEM;
- gpg_err_set_errno (EINVAL);
- }
- else
- {
- ec = 0;
- strcpy (tmphost, name);
- }
- is_numeric = 0;
- }
- else
- ec = my_getnameinfo (ai, tmphost, sizeof tmphost,
- 0, &is_numeric);
-
- if (ec)
- {
- log_info ("getnameinfo failed while checking '%s': %s\n",
- name, gai_strerror (ec));
- }
- else if (refidx+1 >= reftblsize)
- {
- log_error ("getnameinfo returned for '%s': '%s'"
- " [index table full - ignored]\n", name, tmphost);
- }
- else
- {
- tmpidx = find_hostinfo (tmphost);
- log_info ("getnameinfo returned for '%s': '%s'%s\n",
- name, tmphost,
- tmpidx == -1? "" : " [already known]");
-
- if (tmpidx == -1) /* Create a new entry. */
- tmpidx = create_new_hostinfo (tmphost);
-
- if (tmpidx == -1)
- {
- log_error ("map_host for '%s' problem: %s - '%s'"
- " [ignored]\n",
- name, strerror (errno), tmphost);
- }
- else /* Set or update the entry. */
- {
- char *ipaddr = NULL;
-
- if (!is_numeric)
- {
- ec = my_getnameinfo (ai, tmphost, sizeof tmphost,
- 1, &is_numeric);
- if (!ec && !(ipaddr = xtrystrdup (tmphost)))
- ec = EAI_SYSTEM;
- if (ec)
- log_info ("getnameinfo failed: %s\n",
- gai_strerror (ec));
- }
-
- if (ai->ai_family == AF_INET6)
- {
- hosttable[tmpidx]->v6 = 1;
- xfree (hosttable[tmpidx]->v6addr);
- hosttable[tmpidx]->v6addr = ipaddr;
- }
- else if (ai->ai_family == AF_INET)
- {
- hosttable[tmpidx]->v4 = 1;
- xfree (hosttable[tmpidx]->v4addr);
- hosttable[tmpidx]->v4addr = ipaddr;
- }
- else
- BUG ();
-
- for (i=0; i < refidx; i++)
- if (reftbl[i] == tmpidx)
- break;
- if (!(i < refidx) && tmpidx != idx)
- reftbl[refidx++] = tmpidx;
- }
- }
+ add_host (name, is_pool, ai, 0, 0);
+ new_hosts = 1;
}
- freeaddrinfo (aibuf);
- }
- reftbl[refidx] = -1;
- if (refidx && is_pool)
- {
- assert (!hi->pool);
- hi->pool = xtryrealloc (reftbl, (refidx+1) * sizeof *reftbl);
- if (!hi->pool)
- {
- err = gpg_error_from_syserror ();
- log_error ("shrinking index table in map_host failed: %s\n",
- gpg_strerror (err));
- xfree (reftbl);
- return err;
- }
- qsort (reftbl, refidx, sizeof *reftbl, sort_hostpool);
+
+ hi->did_a_lookup = 1;
}
- else
- xfree (reftbl);
+ xfree (cname);
+ free_dns_addrinfo (aibuf);
}
+ if (new_hosts)
+ hostinfo_sort_pool (hi);
- hi = hosttable[idx];
if (hi->pool)
{
/* Deal with the pool name before selecting a host. */
- if (r_poolname && hi->cname)
+ if (r_httphost)
{
- *r_poolname = xtrystrdup (hi->cname);
- if (!*r_poolname)
+ *r_httphost = xtrystrdup (hi->cname? hi->cname : hi->name);
+ if (!*r_httphost)
return gpg_error_from_syserror ();
}
/* Select a host if needed. */
if (hi->poolidx == -1)
{
- hi->poolidx = select_random_host (hi->pool);
+ hi->poolidx = select_random_host (hi);
if (hi->poolidx == -1)
{
log_error ("no alive host found in pool '%s'\n", name);
- if (r_poolname)
+ if (r_httphost)
{
- xfree (*r_poolname);
- *r_poolname = NULL;
+ xfree (*r_httphost);
+ *r_httphost = NULL;
}
return gpg_error (GPG_ERR_NO_KEYSERVER);
}
hi = hosttable[hi->poolidx];
assert (hi);
}
+ else if (r_httphost && is_ip_address (hi->name))
+ {
+ /* This is a numerical IP address and not a pool. We want to
+ * find the canonical name so that it can be used in the HTTP
+ * Host header. Fixme: We should store that name in the
+ * hosttable. */
+ char *host;
+
+ err = resolve_dns_name (hi->name, 0, 0, SOCK_STREAM, &aibuf, NULL);
+ if (!err)
+ {
+ for (ai = aibuf; ai; ai = ai->next)
+ {
+ if ((!opt.disable_ipv6 && ai->family == AF_INET6)
+ || (!opt.disable_ipv4 && ai->family == AF_INET))
+ {
+ err = resolve_dns_addr (ai->addr, ai->addrlen, 0, &host);
+ if (!err)
+ {
+ /* Okay, we return the first found name. */
+ *r_httphost = host;
+ break;
+ }
+ }
+ }
+ }
+ free_dns_addrinfo (aibuf);
+ }
if (hi->dead)
{
log_error ("host '%s' marked as dead\n", hi->name);
- if (r_poolname)
+ if (r_httphost)
{
- xfree (*r_poolname);
- *r_poolname = NULL;
+ xfree (*r_httphost);
+ *r_httphost = NULL;
}
return gpg_error (GPG_ERR_NO_KEYSERVER);
}
*r_httpflags |= HTTP_FLAG_IGNORE_IPv4;
if (!hi->v6)
*r_httpflags |= HTTP_FLAG_IGNORE_IPv6;
+
+ /* Note that we do not set the HTTP_FLAG_FORCE_TOR for onion
+ addresses because the http module detects this itself. This
+ also allows us to use an onion address without Tor mode being
+ enabled. */
}
*r_host = xtrystrdup (hi->name);
if (!*r_host)
{
err = gpg_error_from_syserror ();
- if (r_poolname)
+ if (r_httphost)
{
- xfree (*r_poolname);
- *r_poolname = NULL;
+ xfree (*r_httphost);
+ *r_httphost = NULL;
}
return err;
}
+ if (hi->port[protocol])
+ snprintf (r_portstr, 6 /* five digits and the sentinel */,
+ "%hu", hi->port[protocol]);
return 0;
}
/* If the host is a pool mark all member hosts. */
if (!err && hi->pool)
{
- for (idx2=0; !err && (n=hi->pool[idx2]) != -1; idx2++)
+ for (idx2 = 0;
+ !err && idx2 < hi->pool_len && (n = hi->pool[idx2]) != -1;
+ idx2++)
{
assert (n >= 0 && n < hosttable_size);
if (hosttable[idx3]
&& hosttable[idx3]->pool
&& idx3 != idx
- && host_in_pool_p (hosttable[idx3]->pool, n))
+ && host_in_pool_p (hosttable[idx3], n))
break;
}
if (idx3 < hosttable_size)
if (err)
return err;
+ /* FIXME: We need a lock for the hosttable. */
curtime = gnupg_get_time ();
for (idx=0; idx < hosttable_size; idx++)
if ((hi=hosttable[idx]))
}
else
diedstr = died = NULL;
- err = ks_printf_help (ctrl, "%3d %s %s %s %s%s%s%s%s%s%s%s\n",
- idx, hi->v6? "6":" ", hi->v4? "4":" ",
+
+ if (!hi->iporname_valid)
+ {
+ char *canon = NULL;
+
+ xfree (hi->iporname);
+ hi->iporname = NULL;
+
+ /* Do a lookup just for the display purpose. */
+ if (hi->onion || hi->pool)
+ ;
+ else if (is_ip_address (hi->name))
+ {
+ dns_addrinfo_t aibuf, ai;
+
+ /* Turn the numerical IP address string into an AI and
+ * then do a DNS PTR lookup. */
+ if (!resolve_dns_name (hi->name, 0, 0,
+ SOCK_STREAM,
+ &aibuf, &canon))
+ {
+ if (canon && is_ip_address (canon))
+ {
+ xfree (canon);
+ canon = NULL;
+ }
+ for (ai = aibuf; !canon && ai; ai = ai->next)
+ {
+ resolve_dns_addr (ai->addr, ai->addrlen,
+ DNS_WITHBRACKET, &canon);
+ if (canon && is_ip_address (canon))
+ {
+ /* We already have the numeric IP - no need to
+ * display it a second time. */
+ xfree (canon);
+ canon = NULL;
+ }
+ }
+ }
+ free_dns_addrinfo (aibuf);
+ }
+ else
+ {
+ dns_addrinfo_t aibuf, ai;
+
+ /* Get the IP address as a string from a name. Note
+ * that resolve_dns_addr allocates CANON on success
+ * and thus terminates the loop. */
+ if (!resolve_dns_name (hi->name, 0,
+ hi->v6? AF_INET6 : AF_INET,
+ SOCK_STREAM,
+ &aibuf, NULL))
+ {
+ for (ai = aibuf; !canon && ai; ai = ai->next)
+ {
+ resolve_dns_addr (ai->addr, ai->addrlen,
+ DNS_NUMERICHOST|DNS_WITHBRACKET,
+ &canon);
+ }
+ }
+ free_dns_addrinfo (aibuf);
+ }
+
+ hi->iporname = canon;
+ hi->iporname_valid = 1;
+ }
+
+ err = ks_printf_help (ctrl, "%3d %s %s %s %s%s%s%s%s%s%s\n",
+ idx,
+ hi->onion? "O" : hi->v6? "6":" ",
+ hi->v4? "4":" ",
hi->dead? "d":" ",
hi->name,
- hi->v6addr? " v6=":"",
- hi->v6addr? hi->v6addr:"",
- hi->v4addr? " v4=":"",
- hi->v4addr? hi->v4addr:"",
+ hi->iporname? " (":"",
+ hi->iporname? hi->iporname : "",
+ hi->iporname? ")":"",
diedstr? " (":"",
diedstr? diedstr:"",
diedstr? ")":"" );
{
init_membuf (&mb, 256);
put_membuf_printf (&mb, " . -->");
- for (idx2=0; hi->pool[idx2] != -1; idx2++)
+ for (idx2 = 0; idx2 < hi->pool_len && hi->pool[idx2] != -1; idx2++)
{
put_membuf_printf (&mb, " %d", hi->pool[idx2]);
if (hi->poolidx == hi->pool[idx2])
gpg_error_t
ks_hkp_help (ctrl_t ctrl, parsed_uri_t uri)
{
- const char const data[] =
+ const char data[] =
"Handler for HKP URLs:\n"
" hkp://\n"
#if HTTP_USE_GNUTLS || HTTP_USE_NTBTLS
/* Build the remote part of the URL from SCHEME, HOST and an optional
- PORT. Returns an allocated string at R_HOSTPORT or NULL on failure
- If R_POOLNAME is not NULL it receives a malloced string with the
- poolname. */
+ * PORT. If NO_SRV is set no SRV record lookup will be done. Returns
+ * an allocated string at R_HOSTPORT or NULL on failure. If
+ * R_HTTPHOST is not NULL it receives a malloced string with the
+ * hostname; this may be different from HOST if HOST is selected from
+ * a pool. */
static gpg_error_t
make_host_part (ctrl_t ctrl,
const char *scheme, const char *host, unsigned short port,
- int force_reselect,
- char **r_hostport, unsigned int *r_httpflags, char **r_poolname)
+ int force_reselect, int no_srv,
+ char **r_hostport, unsigned int *r_httpflags, char **r_httphost)
{
gpg_error_t err;
+ const char *srvtag;
char portstr[10];
char *hostname;
+ enum ks_protocol protocol;
*r_hostport = NULL;
- /* Map scheme and port. */
if (!strcmp (scheme, "hkps") || !strcmp (scheme,"https"))
{
scheme = "https";
- strcpy (portstr, "443");
+ srvtag = no_srv? NULL : "pgpkey-https";
+ protocol = KS_PROTOCOL_HKPS;
}
else /* HKP or HTTP. */
{
scheme = "http";
- strcpy (portstr, "11371");
- }
- if (port)
- snprintf (portstr, sizeof portstr, "%hu", port);
- else
- {
- /*fixme_do_srv_lookup ()*/
+ srvtag = no_srv? NULL : "pgpkey-http";
+ protocol = KS_PROTOCOL_HKP;
}
- err = map_host (ctrl, host, force_reselect,
- &hostname, r_httpflags, r_poolname);
+ portstr[0] = 0;
+ err = map_host (ctrl, host, srvtag, force_reselect, protocol,
+ &hostname, portstr, r_httpflags, r_httphost);
if (err)
return err;
- *r_hostport = strconcat (scheme, "://", hostname, ":", portstr, NULL);
+ /* If map_host did not return a port (from a SRV record) but a port
+ * has been specified (implicitly or explicitly) then use that port.
+ * In the case that a port was not specified (which is probably a
+ * bug in https.c) we will set up defaults. */
+ if (*portstr)
+ ;
+ else if (!*portstr && port)
+ snprintf (portstr, sizeof portstr, "%hu", port);
+ else if (!strcmp (scheme,"https"))
+ strcpy (portstr, "443");
+ else
+ strcpy (portstr, "11371");
+
+ if (*hostname != '[' && is_ip_address (hostname) == 6)
+ *r_hostport = strconcat (scheme, "://[", hostname, "]:", portstr, NULL);
+ else
+ *r_hostport = strconcat (scheme, "://", hostname, ":", portstr, NULL);
xfree (hostname);
if (!*r_hostport)
{
- if (r_poolname)
+ if (r_httphost)
{
- xfree (*r_poolname);
- *r_poolname = NULL;
+ xfree (*r_httphost);
+ *r_httphost = NULL;
}
return gpg_error_from_syserror ();
}
gpg_error_t err;
char *hostport = NULL;
- err = make_host_part (ctrl, uri->scheme, uri->host, uri->port, 1,
+ /* NB: With an explicitly given port we do not want to consult a
+ * service record because that might be in conflict with the port
+ * from such a service record. */
+ err = make_host_part (ctrl, uri->scheme, uri->host, uri->port,
+ 1, uri->explicit_port,
&hostport, NULL, NULL);
if (err)
{
}
+/* Reload (SIGHUP) action for this module. We mark all host alive
+ * even those which have been manually shot. */
+void
+ks_hkp_reload (void)
+{
+ int idx, count;
+ hostinfo_t hi;
+
+ for (idx=count=0; idx < hosttable_size; idx++)
+ {
+ hi = hosttable[idx];
+ if (!hi)
+ continue;
+ hi->iporname_valid = 0;
+ if (!hi->dead)
+ continue;
+ hi->dead = 0;
+ count++;
+ }
+ if (count)
+ log_info ("number of resurrected hosts: %d", count);
+}
+
+
/* Send an HTTP request. On success returns an estream object at
R_FP. HOSTPORTSTR is only used for diagnostics. If HTTPHOST is
not NULL it will be used as HTTP "Host" header. If POST_CB is not
NULL a post request is used and that callback is called to allow
- writing the post data. */
+ writing the post data. If R_HTTP_STATUS is not NULL, the http
+ status code will be stored there. */
static gpg_error_t
send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
const char *httphost, unsigned int httpflags,
gpg_error_t (*post_cb)(void *, http_t), void *post_cb_value,
- estream_t *r_fp)
+ estream_t *r_fp, unsigned int *r_http_status)
{
gpg_error_t err;
http_session_t session = NULL;
int redirects_left = MAX_REDIRECTS;
estream_t fp = NULL;
char *request_buffer = NULL;
+ parsed_uri_t uri = NULL;
+ int is_onion;
*r_fp = NULL;
- err = http_session_new (&session, NULL);
+ err = http_parse_uri (&uri, request, 0);
+ if (err)
+ goto leave;
+ is_onion = uri->onion;
+
+ err = http_session_new (&session, httphost,
+ ((ctrl->http_no_crl? HTTP_FLAG_NO_CRL : 0)
+ | HTTP_FLAG_TRUST_DEF),
+ gnupg_http_tls_verify_cb, ctrl);
if (err)
goto leave;
http_session_set_log_cb (session, cert_log_cb);
+ http_session_set_timeout (session, ctrl->timeout);
once_more:
err = http_open (&http,
request,
httphost,
/* fixme: AUTH */ NULL,
- (httpflags | (opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0)),
+ (httpflags
+ |(opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0)
+ |(dirmngr_use_tor ()? HTTP_FLAG_FORCE_TOR:0)
+ |(opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)
+ |(opt.disable_ipv6? HTTP_FLAG_IGNORE_IPv6 : 0)),
ctrl->http_proxy,
session,
NULL,
httpflags |= HTTP_FLAG_FORCE_TLS;
}
+ if (r_http_status)
+ *r_http_status = http_get_status_code (http);
+
switch (http_get_status_code (http))
{
case 200:
request, s?s:"[none]", http_get_status_code (http));
if (s && *s && redirects_left-- )
{
+ if (is_onion)
+ {
+ /* Make sure that an onion address only redirects to
+ * another onion address. */
+ http_release_parsed_uri (uri);
+ uri = NULL;
+ err = http_parse_uri (&uri, s, 0);
+ if (err)
+ goto leave;
+
+ if (! uri->onion)
+ {
+ err = gpg_error (GPG_ERR_FORBIDDEN);
+ goto leave;
+ }
+ }
+
xfree (request_buffer);
request_buffer = xtrystrdup (s);
if (request_buffer)
}
goto leave;
+ case 501:
+ err = gpg_error (GPG_ERR_NOT_IMPLEMENTED);
+ goto leave;
+
default:
log_error (_("error accessing '%s': http status %u\n"),
request, http_get_status_code (http));
http_close (http, 0);
http_session_release (session);
xfree (request_buffer);
+ http_release_parsed_uri (uri);
return err;
}
-/* Helper to evaluate the error code ERR form a send_request() call
+/* Helper to evaluate the error code ERR from a send_request() call
with REQUEST. The function returns true if the caller shall try
again. TRIES_LEFT points to a variable to track the number of
retries; this function decrements it and won't return true if it is
down to zero. */
static int
-handle_send_request_error (gpg_error_t err, const char *request,
+handle_send_request_error (ctrl_t ctrl, gpg_error_t err, const char *request,
unsigned int *tries_left)
{
int retry = 0;
+ /* Fixme: Should we disable all hosts of a protocol family if a
+ * request for an address of that familiy returned ENETDOWN? */
+
switch (gpg_err_code (err))
{
case GPG_ERR_ECONNREFUSED:
+ if (tor_not_running_p (ctrl))
+ break; /* A retry does not make sense. */
+ /* Okay: Tor is up or --use-tor is not used. */
+ /*FALLTHRU*/
case GPG_ERR_ENETUNREACH:
+ case GPG_ERR_ENETDOWN:
case GPG_ERR_UNKNOWN_HOST:
case GPG_ERR_NETWORK:
+ case GPG_ERR_EIO: /* Sometimes used by estream cookie functions. */
+ case GPG_ERR_EADDRNOTAVAIL: /* e.g. when IPv6 is disabled */
+ case GPG_ERR_EAFNOSUPPORT: /* e.g. when IPv6 is not compiled in */
if (mark_host_dead (request) && *tries_left)
retry = 1;
break;
log_info ("selecting a different host due to a timeout\n");
retry = 1;
}
+ break;
+
+ case GPG_ERR_EACCES:
+ if (dirmngr_use_tor ())
+ {
+ log_info ("(Tor configuration problem)\n");
+ dirmngr_status (ctrl, "WARNING", "tor_config_problem 0",
+ "Please check that the \"SocksPort\" flag "
+ "\"IPv6Traffic\" is set in torrc", NULL);
+ }
+ break;
default:
break;
\f
/* Search the keyserver identified by URI for keys matching PATTERN.
- On success R_FP has an open stream to read the data. */
+ On success R_FP has an open stream to read the data. If
+ R_HTTP_STATUS is not NULL, the http status code will be stored
+ there. */
gpg_error_t
ks_hkp_search (ctrl_t ctrl, parsed_uri_t uri, const char *pattern,
- estream_t *r_fp)
+ estream_t *r_fp, unsigned int *r_http_status)
{
gpg_error_t err;
KEYDB_SEARCH_DESC desc;
pattern = fprbuf;
break;
case KEYDB_SEARCH_MODE_FPR16:
- bin2hex (desc.u.fpr, 16, fprbuf);
+ fprbuf[0] = '0';
+ fprbuf[1] = 'x';
+ bin2hex (desc.u.fpr, 16, fprbuf+2);
pattern = fprbuf;
break;
case KEYDB_SEARCH_MODE_FPR20:
case KEYDB_SEARCH_MODE_FPR:
- bin2hex (desc.u.fpr, 20, fprbuf);
+ fprbuf[0] = '0';
+ fprbuf[1] = 'x';
+ bin2hex (desc.u.fpr, 20, fprbuf+2);
pattern = fprbuf;
break;
default:
xfree (hostport); hostport = NULL;
xfree (httphost); httphost = NULL;
- err = make_host_part (ctrl, uri->scheme, uri->host, uri->port, reselect,
+ err = make_host_part (ctrl, uri->scheme, uri->host, uri->port,
+ reselect, uri->explicit_port,
&hostport, &httpflags, &httphost);
if (err)
goto leave;
/* Send the request. */
err = send_request (ctrl, request, hostport, httphost, httpflags,
- NULL, NULL, &fp);
- if (handle_send_request_error (err, request, &tries))
+ NULL, NULL, &fp, r_http_status);
+ if (handle_send_request_error (ctrl, err, request, &tries))
{
reselect = 1;
goto again;
case KEYDB_SEARCH_MODE_FPR16:
log_error ("HKP keyservers do not support v3 fingerprints\n");
+ /* fall through */
default:
return gpg_error (GPG_ERR_INV_USER_ID);
}
/* Build the request string. */
xfree (hostport); hostport = NULL;
xfree (httphost); httphost = NULL;
- err = make_host_part (ctrl, uri->scheme, uri->host, uri->port, reselect,
+ err = make_host_part (ctrl, uri->scheme, uri->host, uri->port,
+ reselect, uri->explicit_port,
&hostport, &httpflags, &httphost);
if (err)
goto leave;
/* Send the request. */
err = send_request (ctrl, request, hostport, httphost, httpflags,
- NULL, NULL, &fp);
- if (handle_send_request_error (err, request, &tries))
+ NULL, NULL, &fp, NULL);
+ if (handle_send_request_error (ctrl, err, request, &tries))
{
reselect = 1;
goto again;
again:
xfree (hostport); hostport = NULL;
xfree (httphost); httphost = NULL;
- err = make_host_part (ctrl, uri->scheme, uri->host, uri->port, reselect,
+ err = make_host_part (ctrl, uri->scheme, uri->host, uri->port,
+ reselect, uri->explicit_port,
&hostport, &httpflags, &httphost);
if (err)
goto leave;
/* Send the request. */
err = send_request (ctrl, request, hostport, httphost, 0,
- put_post_cb, &parm, &fp);
- if (handle_send_request_error (err, request, &tries))
+ put_post_cb, &parm, &fp, NULL);
+ if (handle_send_request_error (ctrl, err, request, &tries))
{
reselect = 1;
goto again;