commit:     08da6f87e95c43a1441569981eee1afe4da24997
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Sun Feb 18 10:11:22 2024 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sun Feb 18 10:12:32 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=08da6f87

app-crypt/gnupg: use final version of dirmngr proxy fixes

Export the patches from STABLE-BRANCH-2-4 so it's easier to compare with
any future fixes as things kept changing here. Hopefully it's all OK now.

(Contents are the same though, really.)

Bug: https://bugs.gentoo.org/924606
Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../gnupg/files/gnupg-2.4.4-dirmngr-proxy.patch    | 179 +++++++++++++++++----
 1 file changed, 145 insertions(+), 34 deletions(-)

diff --git a/app-crypt/gnupg/files/gnupg-2.4.4-dirmngr-proxy.patch 
b/app-crypt/gnupg/files/gnupg-2.4.4-dirmngr-proxy.patch
index ebfaddb78e03..686a3aadc8dd 100644
--- a/app-crypt/gnupg/files/gnupg-2.4.4-dirmngr-proxy.patch
+++ b/app-crypt/gnupg/files/gnupg-2.4.4-dirmngr-proxy.patch
@@ -1,7 +1,38 @@
-diff -urP gnupg-2.4.4.orig/dirmngr/http.c gnupg-2.4.4/dirmngr/http.c
---- gnupg-2.4.4.orig/dirmngr/http.c    2024-01-25 03:06:42.000000000 -0700
-+++ gnupg-2.4.4/dirmngr/http.c 2024-02-15 21:10:28.849074727 -0700
-@@ -2362,7 +2362,6 @@
+https://bugs.gentoo.org/924606
+https://dev.gnupg.org/T6997
+https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=04cbc3074aa98660b513a80f623a7e9f0702c7c9
+https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=848546b05ab0ff6abd47724ecfab73bf32dd4c01
+https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2810b934647edd483996bee1f5f9256a162b2705
+
+From 6236978d78886cbb476ed9fbc49ff99c7582b2d7 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gni...@fsij.org>
+Date: Thu, 15 Feb 2024 15:38:34 +0900
+Subject: [PATCH 1/3] dirmngr: Fix proxy with TLS.
+
+* dirmngr/http.c (proxy_get_token, run_proxy_connect): Always
+available regardless of USE_TLS.
+(run_proxy_connect): Use log_debug_string.
+(send_request): Remove USE_TLS.
+
+--
+
+Since the commit of
+
+       1009e4e5f71347a1fe194e59a9d88c8034a67016
+
+Building with TLS library is mandatory.
+
+GnuPG-bug-id: 6997
+Signed-off-by: NIIBE Yutaka <gni...@fsij.org>
+---
+ dirmngr/http.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/dirmngr/http.c b/dirmngr/http.c
+index 4899a5d55..10eecfdb0 100644
+--- a/dirmngr/http.c
++++ b/dirmngr/http.c
+@@ -2362,7 +2362,6 @@ run_gnutls_handshake (http_t hd, const char *server)
   * NULL, decode the string and use this as input from teh server.  On
   * success the final output token is stored at PROXY->OUTTOKEN and
   * OUTTOKLEN.  IF the authentication succeeded OUTTOKLEN is zero. */
@@ -9,7 +40,7 @@ diff -urP gnupg-2.4.4.orig/dirmngr/http.c 
gnupg-2.4.4/dirmngr/http.c
  static gpg_error_t
  proxy_get_token (proxy_info_t proxy, const char *inputstring)
  {
-@@ -2530,11 +2529,9 @@
+@@ -2530,11 +2529,9 @@ proxy_get_token (proxy_info_t proxy, const char 
*inputstring)
  
  #endif /*!HAVE_W32_SYSTEM*/
  }
@@ -21,7 +52,65 @@ diff -urP gnupg-2.4.4.orig/dirmngr/http.c 
gnupg-2.4.4/dirmngr/http.c
  static gpg_error_t
  run_proxy_connect (http_t hd, proxy_info_t proxy,
                     const char *httphost, const char *server,
-@@ -2556,6 +2553,7 @@
+@@ -2586,7 +2583,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
+   hd->keep_alive = !auth_basic; /* We may need to send more requests.  */
+ 
+   if (opt_debug || (hd->flags & HTTP_FLAG_LOG_RESP))
+-    log_debug_with_string (request, "http.c:proxy:request:");
++    log_debug_string (request, "http.c:proxy:request:");
+ 
+   if (!hd->fp_write)
+     {
+@@ -2743,7 +2740,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
+   xfree (tmpstr);
+   return err;
+ }
+-#endif /*USE_TLS*/
+ 
+ 
+ /* Make a request string using a standard proxy.  On success the
+@@ -2903,7 +2899,6 @@ send_request (ctrl_t ctrl,
+       goto leave;
+     }
+ 
+-#if USE_TLS
+   if (use_http_proxy && hd->uri->use_tls)
+     {
+       err = run_proxy_connect (hd, proxy, httphost, server, port);
+@@ -2915,7 +2910,6 @@ send_request (ctrl_t ctrl,
+        * clear the flag to indicate this.  */
+       use_http_proxy = 0;
+     }
+-#endif        /* USE_TLS */
+ 
+ #if HTTP_USE_NTBTLS
+   err = run_ntbtls_handshake (hd);
+-- 
+2.43.2
+
+From 68650eb6999e674fd2f1c78f47b68d3cd1d37ff0 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gni...@fsij.org>
+Date: Fri, 16 Feb 2024 11:31:37 +0900
+Subject: [PATCH 2/3] dirmngr: Fix the regression of use of proxy for TLS
+ connection.
+
+* dirmngr/http.c (run_proxy_connect): Don't set keep_alive, since it
+causes resource leak of FP_WRITE.
+Don't try to read response body to fix the hang.
+
+--
+
+GnuPG-bug-id: 6997
+Signed-off-by: NIIBE Yutaka <gni...@fsij.org>
+---
+ dirmngr/http.c | 14 ++------------
+ 1 file changed, 2 insertions(+), 12 deletions(-)
+
+diff --git a/dirmngr/http.c b/dirmngr/http.c
+index 10eecfdb0..7ce01bacd 100644
+--- a/dirmngr/http.c
++++ b/dirmngr/http.c
+@@ -2553,6 +2553,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
     * RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication
     */
    auth_basic = !!proxy->uri->auth;
@@ -29,7 +118,7 @@ diff -urP gnupg-2.4.4.orig/dirmngr/http.c 
gnupg-2.4.4/dirmngr/http.c
  
    /* For basic authentication we need to send just one request.  */
    if (auth_basic
-@@ -2577,16 +2575,15 @@
+@@ -2574,13 +2575,12 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
                           httphost ? httphost : server,
                           port,
                           authhdr ? authhdr : "",
@@ -43,12 +132,8 @@ diff -urP gnupg-2.4.4.orig/dirmngr/http.c 
gnupg-2.4.4/dirmngr/http.c
 -  hd->keep_alive = !auth_basic; /* We may need to send more requests.  */
  
    if (opt_debug || (hd->flags & HTTP_FLAG_LOG_RESP))
--    log_debug_with_string (request, "http.c:proxy:request:");
-+    log_debug_string (request, "http.c:proxy:request:");
- 
-   if (!hd->fp_write)
-     {
-@@ -2610,16 +2607,6 @@
+     log_debug_string (request, "http.c:proxy:request:");
+@@ -2607,16 +2607,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
    if (err)
      goto leave;
  
@@ -65,27 +150,53 @@ diff -urP gnupg-2.4.4.orig/dirmngr/http.c 
gnupg-2.4.4/dirmngr/http.c
    /* Reset state.  */
    es_clearerr (hd->fp_read);
    ((cookie_t)(hd->read_cookie))->up_to_empty_line = 1;
-@@ -2743,7 +2730,6 @@
-   xfree (tmpstr);
-   return err;
- }
--#endif /*USE_TLS*/
- 
- 
- /* Make a request string using a standard proxy.  On success the
-@@ -2903,7 +2889,6 @@
-       goto leave;
-     }
+-- 
+2.43.2
+
+From 7c7cbd94549d08780fc3767d6de8336b3f44e7d7 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gni...@fsij.org>
+Date: Fri, 16 Feb 2024 16:24:26 +0900
+Subject: [PATCH 3/3] dirmngr: Fix keep-alive flag handling.
+
+* dirmngr/http.c (run_proxy_connect): Set KEEP_ALIVE if not Basic
+Authentication.  Fix resource leak of FP_WRITE.
+
+--
+
+GnuPG-bug-id: 6997
+Signed-off-by: NIIBE Yutaka <gni...@fsij.org>
+---
+ dirmngr/http.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/dirmngr/http.c b/dirmngr/http.c
+index 7ce01bacd..da0c89ae5 100644
+--- a/dirmngr/http.c
++++ b/dirmngr/http.c
+@@ -2553,7 +2553,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
+    * RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication
+    */
+   auth_basic = !!proxy->uri->auth;
+-  hd->keep_alive = 0;
++  hd->keep_alive = !auth_basic; /* We may need to send more requests.  */
  
--#if USE_TLS
-   if (use_http_proxy && hd->uri->use_tls)
-     {
-       err = run_proxy_connect (hd, proxy, httphost, server, port);
-@@ -2915,7 +2900,6 @@
-        * clear the flag to indicate this.  */
-       use_http_proxy = 0;
+   /* For basic authentication we need to send just one request.  */
+   if (auth_basic
+@@ -2717,6 +2717,14 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
      }
--#endif        /* USE_TLS */
  
- #if HTTP_USE_NTBTLS
-   err = run_ntbtls_handshake (hd);
+  leave:
++  if (hd->keep_alive)
++    {
++      es_fclose (hd->fp_write);
++      hd->fp_write = NULL;
++      /* The close has released the cookie and thus we better set it
++       * to NULL.  */
++      hd->write_cookie = NULL;
++    }
+   /* Restore flags, destroy stream, reset state.  */
+   hd->flags = saved_flags;
+   es_fclose (hd->fp_read);
+-- 
+2.43.2
+
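Review bot: The description's claim that the contents are the same as the previous version does not hold for the `leave:` cleanup in patch 3/3: the new hunk `@@ -2717,6 +2717,14 @@` closes `hd->fp_write` and resets `hd->write_cookie` to NULL when `hd->keep_alive` is set, while none of the removed hunk headers (2556, 2577, 2610, 2743, 2903, 2915) touched that region, so the earlier patch file still left FP_WRITE leaking on the non-Basic-auth path that patch 2/3 and 3/3 describe. That difference is worth stating in the commit message, e.g. `Patch 3/3 additionally closes fp_write at leave: when keep_alive is set (the FP_WRITE leak from T6997).` The enclosing `run_proxy_connect` body starts and ends outside the hunk, so whether `hd->fp_write` is always open by the time `leave:` is reached cannot be confirmed from here; if es_fclose does not tolerate NULL, an early `goto leave` before the stream is created would need a guard.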
