else if (!(ctrl->http_proxy = xtrystrdup (value)))
err = gpg_error_from_syserror ();
}
+ else if (!strcmp (key, "honor-keyserver-url-used"))
+ {
+ /* Return an error if we are running in TOR mode. */
+ if (opt.use_tor)
+ err = gpg_error (GPG_ERR_FORBIDDEN);
+ }
else
err = gpg_error (GPG_ERR_UNKNOWN_OPTION);
static const char hlp_dns_cert[] =
"DNS_CERT <subtype> <name>\n"
"DNS_CERT --pka <user_id>\n"
+ "DNS_CERT --dane <user_id>\n"
"\n"
"Return the CERT record for <name>. <subtype> is one of\n"
" * Return the first record of any supported subtype\n"
" IPGP Return the first record of subtype IPGP (6)\n"
"If the content of a certifciate is available (PGP) it is returned\n"
"by data lines. Fingerprints and URLs are returned via status lines.\n"
- "In --pka mode the fingerprint and if available an URL is returned.";
+ "In --pka mode the fingerprint and if available an URL is returned.\n"
+ "In --dane mode the key is returned from RR type 61";
static gpg_error_t
cmd_dns_cert (assuan_context_t ctx, char *line)
{
/* ctrl_t ctrl = assuan_get_pointer (ctx); */
gpg_error_t err = 0;
- int pka_mode;
+ int pka_mode, dane_mode;
char *mbox = NULL;
char *namebuf = NULL;
char *encodedhash = NULL;
char *url = NULL;
pka_mode = has_option (line, "--pka");
+ dane_mode = has_option (line, "--dane");
line = skip_options (line);
- if (pka_mode)
+
+ if (pka_mode && dane_mode)
+ {
+ err = PARM_ERROR ("either --pka or --dane may be given");
+ goto leave;
+ }
+
+ if (pka_mode || dane_mode)
; /* No need to parse here - we do this later. */
else
{
}
}
- if (pka_mode)
+ if (opt.use_tor)
+ {
+ err = gpg_error (GPG_ERR_FORBIDDEN);
+ goto leave;
+ }
+
+ if (pka_mode || dane_mode)
{
- char *domain; /* Points to mbox. */
- char hashbuf[20];
+ char *domain; /* Points to mbox. */
+ char hashbuf[32]; /* For SHA-1 and SHA-256. */
+ /* We lowercase ascii characters but the DANE I-D does not allow
+ this. FIXME: Check after the release of the RFC whether to
+ change this. */
mbox = mailbox_from_userid (line);
if (!mbox || !(domain = strchr (mbox, '@')))
{
}
*domain++ = 0;
- gcry_md_hash_buffer (GCRY_MD_SHA1, hashbuf, mbox, strlen (mbox));
- encodedhash = zb32_encode (hashbuf, 8*20);
- if (!encodedhash)
+ if (pka_mode)
{
- err = gpg_error_from_syserror ();
- goto leave;
+ gcry_md_hash_buffer (GCRY_MD_SHA1, hashbuf, mbox, strlen (mbox));
+ encodedhash = zb32_encode (hashbuf, 8*20);
+ if (!encodedhash)
+ {
+ err = gpg_error_from_syserror ();
+ goto leave;
+ }
+ namebuf = strconcat (encodedhash, "._pka.", domain, NULL);
+ if (!namebuf)
+ {
+ err = gpg_error_from_syserror ();
+ goto leave;
+ }
+ name = namebuf;
+ certtype = DNS_CERTTYPE_IPGP;
}
- namebuf = strconcat (encodedhash, "._pka.", domain, NULL);
- if (!namebuf)
+ else
{
- err = gpg_error_from_syserror ();
- goto leave;
+ /* Note: The hash is truncated to 28 bytes and we lowercase
+ the result only for aesthetic reasons. */
+ gcry_md_hash_buffer (GCRY_MD_SHA256, hashbuf, mbox, strlen (mbox));
+ encodedhash = bin2hex (hashbuf, 28, NULL);
+ if (!encodedhash)
+ {
+ err = gpg_error_from_syserror ();
+ goto leave;
+ }
+ ascii_strlwr (encodedhash);
+ namebuf = strconcat (encodedhash, "._openpgpkey.", domain, NULL);
+ if (!namebuf)
+ {
+ err = gpg_error_from_syserror ();
+ goto leave;
+ }
+ name = namebuf;
+ certtype = DNS_CERTTYPE_RR61;
}
- name = namebuf;
- certtype = DNS_CERTTYPE_IPGP;
}
else
name = line;
return leave_cmd (ctx, err);
}
+
\f
+/* Parse an keyserver URI and store it in a new uri item which is
+ returned at R_ITEM. On error return an error code. */
+static gpg_error_t
+make_keyserver_item (const char *uri, uri_item_t *r_item)
+{
+ gpg_error_t err;
+ uri_item_t item;
+
+ *r_item = NULL;
+ item = xtrymalloc (sizeof *item + strlen (uri));
+ if (!item)
+ return gpg_error_from_syserror ();
+
+ item->next = NULL;
+ item->parsed_uri = NULL;
+ strcpy (item->uri, uri);
+
+#if USE_LDAP
+ if (ldap_uri_p (item->uri))
+ err = ldap_parse_uri (&item->parsed_uri, uri);
+ else
+#endif
+ {
+ err = http_parse_uri (&item->parsed_uri, uri, 1);
+ }
+
+ if (err)
+ xfree (item);
+ else
+ *r_item = item;
+ return err;
+}
+
+
+/* If no keyserver is stored in CTRL but a global keyserver has been
+ set, put that global keyserver into CTRL. We need use this
+ function to help migrate from the old gpg based keyserver
+ configuration to the new dirmngr based configuration. */
+static gpg_error_t
+ensure_keyserver (ctrl_t ctrl)
+{
+ gpg_error_t err;
+ uri_item_t item;
+
+ if (ctrl->server_local->keyservers)
+ return 0; /* Already set for this session. */
+ if (!opt.keyserver)
+ return 0; /* No global option set. */
+
+ err = make_keyserver_item (opt.keyserver, &item);
+ if (!err)
+ ctrl->server_local->keyservers = item;
+
+ return err;
+}
+
+
static const char hlp_keyserver[] =
"KEYSERVER [<options>] [<uri>|<host>]\n"
"Options are:\n"
if (resolve_flag)
{
- err = ks_action_resolve (ctrl, ctrl->server_local->keyservers);
+ err = ensure_keyserver (ctrl);
+ if (!err)
+ err = ks_action_resolve (ctrl, ctrl->server_local->keyservers);
if (err)
goto leave;
}
if (add_flag)
{
- item = xtrymalloc (sizeof *item + strlen (line));
- if (!item)
- {
- err = gpg_error_from_syserror ();
- goto leave;
- }
- item->next = NULL;
- item->parsed_uri = NULL;
- strcpy (item->uri, line);
-
-#if USE_LDAP
- if (ldap_uri_p (item->uri))
- err = ldap_parse_uri (&item->parsed_uri, line);
- else
-#endif
- {
- err = http_parse_uri (&item->parsed_uri, line, 1);
- }
+ err = make_keyserver_item (line, &item);
if (err)
- {
- xfree (item);
- goto leave;
- }
+ goto leave;
}
if (clear_flag)
release_ctrl_keyservers (ctrl);
ctrl->server_local->keyservers = item;
}
- if (!add_flag && !clear_flag && !help_flag) /* List configured keyservers. */
+ if (!add_flag && !clear_flag && !help_flag)
{
+ /* List configured keyservers. However, we first add a global
+ keyserver. */
uri_item_t u;
+ err = ensure_keyserver (ctrl);
+ if (err)
+ {
+ assuan_set_error (ctx, err,
+ "Bad keyserver configuration in dirmngr.conf");
+ goto leave;
+ }
+
for (u=ctrl->server_local->keyservers; u; u = u->next)
dirmngr_status (ctrl, "KEYSERVER", u->uri, NULL);
}
}
}
+ err = ensure_keyserver (ctrl);
+ if (err)
+ goto leave;
+
/* Setup an output stream and perform the search. */
outfp = es_fopencookie (ctx, "w", data_line_cookie_functions);
if (!outfp)
}
}
+ err = ensure_keyserver (ctrl);
+ if (err)
+ goto leave;
+
/* Setup an output stream and perform the get. */
outfp = es_fopencookie (ctx, "w", data_line_cookie_functions);
if (!outfp)
/* No options for now. */
line = skip_options (line);
+ err = ensure_keyserver (ctrl);
+ if (err)
+ goto leave;
+
/* Setup an output stream and perform the get. */
outfp = es_fopencookie (ctx, "w", data_line_cookie_functions);
if (!outfp)
es_fclose (outfp);
}
+ leave:
return leave_cmd (ctx, err);
}
/* No options for now. */
line = skip_options (line);
+ err = ensure_keyserver (ctrl);
+ if (err)
+ goto leave;
+
/* Ask for the key material. */
err = assuan_inquire (ctx, "KEYBLOCK",
&value, &valuelen, MAX_KEYBLOCK_LENGTH);
"\n"
"version - Return the version of the program.\n"
"pid - Return the process id of the server.\n"
- "\n"
+ "tor - Return OK if running in TOR mode\n"
"socket_name - Return the name of the socket.\n";
static gpg_error_t
cmd_getinfo (assuan_context_t ctx, char *line)
else
err = gpg_error (GPG_ERR_NO_DATA);
}
+ else if (!strcmp (line, "tor"))
+ {
+ err = opt.use_tor? 0:set_error (GPG_ERR_GENERAL, "TOR mode not enabled");
+ }
else
err = set_error (GPG_ERR_ASS_PARAMETER, "unknown value for WHAT");
if (!err)
{
ctrl->server_local->stopme = 1;
+ assuan_set_flag (ctx, ASSUAN_FORCE_CLOSE, 1);
err = gpg_error (GPG_ERR_EOF);
}
return err;
{
#ifndef HAVE_W32_SYSTEM
{
- gpg_err_code_t ec;
- assuan_peercred_t cred;
-
- ec = gpg_err_code (assuan_get_peercred (ctx, &cred));
- if (!ec && cred->uid)
- ec = GPG_ERR_EPERM; /* Only root may terminate. */
- if (ec)
- return set_error (ec, "no permission to reload this process");
+ gpg_error_t err;
+
+ err = check_owner_permission (ctx,
+ "no permission to reload this process");
+ if (err)
+ return err;
}
#endif
}