You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
203 lines
6.2 KiB
203 lines
6.2 KiB
https://bugs.gentoo.org/924606
|
|
https://dev.gnupg.org/T6997
|
|
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=04cbc3074aa98660b513a80f623a7e9f0702c7c9
|
|
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=848546b05ab0ff6abd47724ecfab73bf32dd4c01
|
|
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2810b934647edd483996bee1f5f9256a162b2705
|
|
|
|
From 6236978d78886cbb476ed9fbc49ff99c7582b2d7 Mon Sep 17 00:00:00 2001
|
|
From: NIIBE Yutaka <gniibe@fsij.org>
|
|
Date: Thu, 15 Feb 2024 15:38:34 +0900
|
|
Subject: [PATCH 1/3] dirmngr: Fix proxy with TLS.
|
|
|
|
* dirmngr/http.c (proxy_get_token, run_proxy_connect): Always
|
|
available regardless of USE_TLS.
|
|
(run_proxy_connect): Use log_debug_string.
|
|
(send_request): Remove USE_TLS.
|
|
|
|
--
|
|
|
|
Since the commit of
|
|
|
|
1009e4e5f71347a1fe194e59a9d88c8034a67016
|
|
|
|
Building with TLS library is mandatory.
|
|
|
|
GnuPG-bug-id: 6997
|
|
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
|
---
|
|
dirmngr/http.c | 8 +-------
|
|
1 file changed, 1 insertion(+), 7 deletions(-)
|
|
|
|
diff --git a/dirmngr/http.c b/dirmngr/http.c
|
|
index 4899a5d55..10eecfdb0 100644
|
|
--- a/dirmngr/http.c
|
|
+++ b/dirmngr/http.c
|
|
@@ -2362,7 +2362,6 @@ run_gnutls_handshake (http_t hd, const char *server)
|
|
* NULL, decode the string and use this as input from teh server. On
|
|
* success the final output token is stored at PROXY->OUTTOKEN and
|
|
* OUTTOKLEN. IF the authentication succeeded OUTTOKLEN is zero. */
|
|
-#ifdef USE_TLS
|
|
static gpg_error_t
|
|
proxy_get_token (proxy_info_t proxy, const char *inputstring)
|
|
{
|
|
@@ -2530,11 +2529,9 @@ proxy_get_token (proxy_info_t proxy, const char *inputstring)
|
|
|
|
#endif /*!HAVE_W32_SYSTEM*/
|
|
}
|
|
-#endif /*USE_TLS*/
|
|
|
|
|
|
/* Use the CONNECT method to proxy our TLS stream. */
|
|
-#ifdef USE_TLS
|
|
static gpg_error_t
|
|
run_proxy_connect (http_t hd, proxy_info_t proxy,
|
|
const char *httphost, const char *server,
|
|
@@ -2586,7 +2583,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
|
|
hd->keep_alive = !auth_basic; /* We may need to send more requests. */
|
|
|
|
if (opt_debug || (hd->flags & HTTP_FLAG_LOG_RESP))
|
|
- log_debug_with_string (request, "http.c:proxy:request:");
|
|
+ log_debug_string (request, "http.c:proxy:request:");
|
|
|
|
if (!hd->fp_write)
|
|
{
|
|
@@ -2743,7 +2740,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
|
|
xfree (tmpstr);
|
|
return err;
|
|
}
|
|
-#endif /*USE_TLS*/
|
|
|
|
|
|
/* Make a request string using a standard proxy. On success the
|
|
@@ -2903,7 +2899,6 @@ send_request (ctrl_t ctrl,
|
|
goto leave;
|
|
}
|
|
|
|
-#if USE_TLS
|
|
if (use_http_proxy && hd->uri->use_tls)
|
|
{
|
|
err = run_proxy_connect (hd, proxy, httphost, server, port);
|
|
@@ -2915,7 +2910,6 @@ send_request (ctrl_t ctrl,
|
|
* clear the flag to indicate this. */
|
|
use_http_proxy = 0;
|
|
}
|
|
-#endif /* USE_TLS */
|
|
|
|
#if HTTP_USE_NTBTLS
|
|
err = run_ntbtls_handshake (hd);
|
|
--
|
|
2.43.2
|
|
|
|
From 68650eb6999e674fd2f1c78f47b68d3cd1d37ff0 Mon Sep 17 00:00:00 2001
|
|
From: NIIBE Yutaka <gniibe@fsij.org>
|
|
Date: Fri, 16 Feb 2024 11:31:37 +0900
|
|
Subject: [PATCH 2/3] dirmngr: Fix the regression of use of proxy for TLS
|
|
connection.
|
|
|
|
* dirmngr/http.c (run_proxy_connect): Don't set keep_alive, since it
|
|
causes resource leak of FP_WRITE.
|
|
Don't try to read response body to fix the hang.
|
|
|
|
--
|
|
|
|
GnuPG-bug-id: 6997
|
|
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
|
---
|
|
dirmngr/http.c | 14 ++------------
|
|
1 file changed, 2 insertions(+), 12 deletions(-)
|
|
|
|
diff --git a/dirmngr/http.c b/dirmngr/http.c
|
|
index 10eecfdb0..7ce01bacd 100644
|
|
--- a/dirmngr/http.c
|
|
+++ b/dirmngr/http.c
|
|
@@ -2553,6 +2553,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
|
|
* RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication
|
|
*/
|
|
auth_basic = !!proxy->uri->auth;
|
|
+ hd->keep_alive = 0;
|
|
|
|
/* For basic authentication we need to send just one request. */
|
|
if (auth_basic
|
|
@@ -2574,13 +2575,12 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
|
|
httphost ? httphost : server,
|
|
port,
|
|
authhdr ? authhdr : "",
|
|
- auth_basic? "" : "Connection: keep-alive\r\n");
|
|
+ hd->keep_alive? "Connection: keep-alive\r\n" : "");
|
|
if (!request)
|
|
{
|
|
err = gpg_error_from_syserror ();
|
|
goto leave;
|
|
}
|
|
- hd->keep_alive = !auth_basic; /* We may need to send more requests. */
|
|
|
|
if (opt_debug || (hd->flags & HTTP_FLAG_LOG_RESP))
|
|
log_debug_string (request, "http.c:proxy:request:");
|
|
@@ -2607,16 +2607,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
|
|
if (err)
|
|
goto leave;
|
|
|
|
- {
|
|
- unsigned long count = 0;
|
|
-
|
|
- while (es_getc (hd->fp_read) != EOF)
|
|
- count++;
|
|
- if (opt_debug)
|
|
- log_debug ("http.c:proxy_connect: skipped %lu bytes of response-body\n",
|
|
- count);
|
|
- }
|
|
-
|
|
/* Reset state. */
|
|
es_clearerr (hd->fp_read);
|
|
((cookie_t)(hd->read_cookie))->up_to_empty_line = 1;
|
|
--
|
|
2.43.2
|
|
|
|
From 7c7cbd94549d08780fc3767d6de8336b3f44e7d7 Mon Sep 17 00:00:00 2001
|
|
From: NIIBE Yutaka <gniibe@fsij.org>
|
|
Date: Fri, 16 Feb 2024 16:24:26 +0900
|
|
Subject: [PATCH 3/3] dirmngr: Fix keep-alive flag handling.
|
|
|
|
* dirmngr/http.c (run_proxy_connect): Set KEEP_ALIVE if not Basic
|
|
Authentication. Fix resource leak of FP_WRITE.
|
|
|
|
--
|
|
|
|
GnuPG-bug-id: 6997
|
|
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
|
---
|
|
dirmngr/http.c | 10 +++++++++-
|
|
1 file changed, 9 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/dirmngr/http.c b/dirmngr/http.c
|
|
index 7ce01bacd..da0c89ae5 100644
|
|
--- a/dirmngr/http.c
|
|
+++ b/dirmngr/http.c
|
|
@@ -2553,7 +2553,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
|
|
* RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication
|
|
*/
|
|
auth_basic = !!proxy->uri->auth;
|
|
- hd->keep_alive = 0;
|
|
+ hd->keep_alive = !auth_basic; /* We may need to send more requests. */
|
|
|
|
/* For basic authentication we need to send just one request. */
|
|
if (auth_basic
|
|
@@ -2717,6 +2717,14 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
|
|
}
|
|
|
|
leave:
|
|
+ if (hd->keep_alive)
|
|
+ {
|
|
+ es_fclose (hd->fp_write);
|
|
+ hd->fp_write = NULL;
|
|
+ /* The close has released the cookie and thus we better set it
|
|
+ * to NULL. */
|
|
+ hd->write_cookie = NULL;
|
|
+ }
|
|
/* Restore flags, destroy stream, reset state. */
|
|
hd->flags = saved_flags;
|
|
es_fclose (hd->fp_read);
|
|
--
|
|
2.43.2
|
|
|