--- Begin Message ---
Package: gnupg
Version: 1.4.9-5
Severity: wishlist
Tags: patch
Hello,
There is a move towards providing keyserver queries over an encrypted
transport for the purposes of stopping the leakage of key query
information that could be used for transactional surveillance
purposes. There are keyservers now in the global pool that are setup
to provide encrypted transport, with more on their way.
The SKS keyserver develoopers are actively discussing how to add TLS
wrapped keyserver queries natively in the keyserver code[0]. Until
then people are setting up front-end SSL proxies, using things like
nginx. In fact, along with some other folks, I am running one which
supports this in the SKS pool[1] zimmerman.mayfirst.org.
The gnupg developers have introduced a patch to the upstream stable
branch of gnupg 1.4[2] which provides a simple mechanism for
performing secure hkps queries to keyservers, and according to the
original author, this will be in gpg2 in the next round of patch
integration[3]. The PGP developers are also implementing this in their
code. Also, the IETF seem to have also come to a similar position
recently[4].
It would be very much appreciated if debian adopted the attached patch
so more people could have convenient access to this feature. When
upstream's STABLE-1.4 branch is released, then it could be simply
dropped. I've built and tested this and it works flawlessly, its a
relatively small patch and upstream has already adopted it, so it
seems like a win all around.
Micah
0. thread starts at:
http://lists.gnu.org/archive/html/sks-devel/2009-03/msg00025.html
1. https://zimmerman.mayfirst.org or if you have installed the patch:
hkps://zimmerman.mayfirst.org
2.
http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/branches/STABLE-BRANCH-1-4/keyserver/gpgkeys_hkp.c?root=GnuPG&rev=4924&r1=4878&r2=4924
3. http://lists.gnu.org/archive/html/sks-devel/2009-03/msg00036.html
4. http://www.imc.org/ietf-openpgp/mail-archive/msg30930.html
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-vserver-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages gnupg depends on:
ii gpgv 1.4.9-4 GNU privacy guard - signature veri
ii libbz2-1.0 1.0.5-1 high-quality block-sorting file co
ii libc6 2.9-4 GNU C Library: Shared libraries
ii libcurl3-gnutls 7.18.2-8 Multi-protocol file transfer libra
ii libreadline5 5.2-4 GNU readline and history libraries
ii libusb-0.1-4 2:0.1.12-13 userspace USB programming library
ii zlib1g 1:1.2.3.3.dfsg-13 compression library - runtime
Versions of packages gnupg recommends:
ii libldap-2.4-2 2.4.15-1 OpenLDAP libraries
Versions of packages gnupg suggests:
pn gnupg-doc <none> (no description available)
ii imagemagick 7:6.3.7.9.dfsg1-3 image manipulation programs
ii libpcsclite1 1.5.2-1 Middleware to access a smart card
-- no debconf information
diff --new-file -u -r gnupg-1.4.9/debian/changelog gnupg-1.4.9_hks/debian/changelog
--- gnupg-1.4.9/debian/changelog 2009-03-09 11:26:36.000000000 -0400
+++ gnupg-1.4.9_hks/debian/changelog 2009-03-09 10:48:14.000000000 -0400
@@ -1,3 +1,13 @@
+gnupg (1.4.9-5) unstable; urgency=low
+
+ * Added upstream patch r4924 and r4753 to gpgkeys_hkp.c
+ and r4743 to gpgkeys_curl.c to support SSLized HKP (hkps) requests
+ * Add a symlink to debian/gnupg.links for gpgkeys_hkps -> gpgkeys_hkp
+ * Added Build-Depends on libcurl4-gnutls-dev to get https transport
+ support for hkps queries
+
+ -- Micah Anderson <[email protected]> Sat, 07 Mar 2009 21:46:08 -0500
+
gnupg (1.4.9-4) unstable; urgency=low
[ Daniel Leidert (dale) ]
diff --new-file -u -r gnupg-1.4.9/debian/control gnupg-1.4.9_hks/debian/control
--- gnupg-1.4.9/debian/control 2009-03-09 11:26:36.000000000 -0400
+++ gnupg-1.4.9_hks/debian/control 2009-03-09 10:47:31.000000000 -0400
@@ -8,7 +8,7 @@
Standards-Version: 3.8.0
Build-Depends: debhelper (>> 5), libz-dev, libldap2-dev, libbz2-dev,
libusb-dev [!hurd-i386],
- libreadline5-dev, file, gettext, dpatch
+ libreadline5-dev, file, gettext, dpatch, libcurl4-gnutls-dev
Homepage: http://www.gnupg.org
Vcs-Browser: http://svn.debian.org/wsvn/pkg-gnupg/gnupg/
Vcs-Svn: svn://svn.debian.org/svn/pkg-gnupg/gnupg/trunk/
diff --new-file -u -r gnupg-1.4.9/debian/gnupg.links gnupg-1.4.9_hks/debian/gnupg.links
--- gnupg-1.4.9/debian/gnupg.links 2009-03-09 11:26:36.000000000 -0400
+++ gnupg-1.4.9_hks/debian/gnupg.links 2009-03-09 10:47:43.000000000 -0400
@@ -1 +1,2 @@
usr/share/doc/gnupg/changelog.g10.gz usr/share/doc/gnupg/changelog.gz
+usr/lib/gnupg/gpgkeys_hkp usr/lib/gnupg/gpgkeys_hkps
diff --new-file -u -r gnupg-1.4.9/debian/patches/00list gnupg-1.4.9_hks/debian/patches/00list
--- gnupg-1.4.9/debian/patches/00list 2009-03-09 11:26:36.000000000 -0400
+++ gnupg-1.4.9_hks/debian/patches/00list 2009-03-09 10:47:16.000000000 -0400
@@ -3,3 +3,4 @@
25_it.po_fixes
25_fr.po_fixes
99_yat2m_fix_samp_handling
+99_support_hkps
diff --new-file -u -r gnupg-1.4.9/debian/patches/99_support_hkps.dpatch gnupg-1.4.9_hks/debian/patches/99_support_hkps.dpatch
--- gnupg-1.4.9/debian/patches/99_support_hkps.dpatch 1969-12-31 19:00:00.000000000 -0500
+++ gnupg-1.4.9_hks/debian/patches/99_support_hkps.dpatch 2009-03-09 10:47:01.000000000 -0400
@@ -0,0 +1,308 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 99_support_hkps.dpatch by Micah Anderson <Micah Anderson <[email protected]>>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Add support for hkps queries for secure keyserver queries
+## DP:
+## DP: <URL:http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/branches/STABLE-BRANCH-1-4/keyserver/gpgkeys_hkp.c?root=GnuPG&rev=4924&r1=4878&r2=4924>
+
+...@dpatch@
+diff -urNad gnupg-1.4.9~/keyserver/gpgkeys_curl.c gnupg-1.4.9/keyserver/gpgkeys_curl.c
+--- gnupg-1.4.9~/keyserver/gpgkeys_curl.c 2007-10-23 05:59:12.000000000 -0400
++++ gnupg-1.4.9/keyserver/gpgkeys_curl.c 2009-03-09 10:42:15.000000000 -0400
+@@ -1,5 +1,5 @@
+ /* gpgkeys_curl.c - fetch a key via libcurl
+- * Copyright (C) 2004, 2005, 2006, 2007 Free Software Foundation, Inc.
++ * Copyright (C) 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+ *
+ * This file is part of GnuPG.
+ *
+@@ -286,7 +286,7 @@
+
+ if(follow_redirects)
+ {
+- curl_easy_setopt(curl,CURLOPT_FOLLOWLOCATION,1);
++ curl_easy_setopt(curl,CURLOPT_FOLLOWLOCATION,1L);
+ if(follow_redirects>0)
+ curl_easy_setopt(curl,CURLOPT_MAXREDIRS,follow_redirects);
+ }
+@@ -298,10 +298,10 @@
+ {
+ fprintf(console,"gpgkeys: curl version = %s\n",curl_version());
+ curl_easy_setopt(curl,CURLOPT_STDERR,console);
+- curl_easy_setopt(curl,CURLOPT_VERBOSE,1);
++ curl_easy_setopt(curl,CURLOPT_VERBOSE,1L);
+ }
+
+- curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,opt->flags.check_cert);
++ curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,(long)opt->flags.check_cert);
+ curl_easy_setopt(curl,CURLOPT_CAINFO,opt->ca_cert_file);
+
+ if(proxy)
+diff -urNad gnupg-1.4.9~/keyserver/gpgkeys_hkp.c gnupg-1.4.9/keyserver/gpgkeys_hkp.c
+--- gnupg-1.4.9~/keyserver/gpgkeys_hkp.c 2007-10-23 05:59:12.000000000 -0400
++++ gnupg-1.4.9/keyserver/gpgkeys_hkp.c 2009-03-09 10:42:15.000000000 -0400
+@@ -1,6 +1,6 @@
+ /* gpgkeys_hkp.c - talk to an HKP keyserver
+- * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006,
+- * 2007 Free Software Foundation, Inc.
++ * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008,
++ * 2009 Free Software Foundation, Inc.
+ *
+ * This file is part of GnuPG.
+ *
+@@ -54,6 +54,7 @@
+ static CURL *curl;
+ static struct ks_options *opt;
+ static char errorbuffer[CURL_ERROR_SIZE];
++static char *proto,*port;
+
+ static size_t
+ curl_mrindex_writer(const void *ptr,size_t size,size_t nmemb,void *stream)
+@@ -186,13 +187,10 @@
+ strcpy(key,"keytext=");
+ strcat(key,encoded_key);
+
+- strcpy(request,"http://");
++ strcpy(request,proto);
+ strcat(request,opt->host);
+ strcat(request,":");
+- if(opt->port)
+- strcat(request,opt->port);
+- else
+- strcat(request,"11371");
++ strcat(request,port);
+ strcat(request,opt->path);
+ /* request is MAX_URL+15 bytes long - MAX_URL covers the whole URL,
+ including any supplied path. The 15 covers /pks/add. */
+@@ -202,9 +200,9 @@
+ fprintf(console,"gpgkeys: HTTP URL is `%s'\n",request);
+
+ curl_easy_setopt(curl,CURLOPT_URL,request);
+- curl_easy_setopt(curl,CURLOPT_POST,1);
++ curl_easy_setopt(curl,CURLOPT_POST,1L);
+ curl_easy_setopt(curl,CURLOPT_POSTFIELDS,key);
+- curl_easy_setopt(curl,CURLOPT_FAILONERROR,1);
++ curl_easy_setopt(curl,CURLOPT_FAILONERROR,1L);
+
+ res=curl_easy_perform(curl);
+ if(res!=0)
+@@ -253,13 +251,10 @@
+ return KEYSERVER_NOT_SUPPORTED;
+ }
+
+- strcpy(request,"http://");
++ strcpy(request,proto);
+ strcat(request,opt->host);
+ strcat(request,":");
+- if(opt->port)
+- strcat(request,opt->port);
+- else
+- strcat(request,"11371");
++ strcat(request,port);
+ strcat(request,opt->path);
+ /* request is MAX_URL+55 bytes long - MAX_URL covers the whole URL,
+ including any supplied path. The 60 overcovers this /pks/... etc
+@@ -334,13 +329,10 @@
+
+ fprintf(output,"NAME %s BEGIN\n",getkey);
+
+- strcpy(request,"http://");
++ strcpy(request,proto);
+ strcat(request,opt->host);
+ strcat(request,":");
+- if(opt->port)
+- strcat(request,opt->port);
+- else
+- strcat(request,"11371");
++ strcat(request,port);
+ strcat(request,opt->path);
+ append_path(request,"/pks/lookup?op=get&options=mr&search=");
+ strcat(request,searchkey_encoded);
+@@ -420,13 +412,10 @@
+
+ fprintf(output,"SEARCH %s BEGIN\n",searchkey);
+
+- strcpy(request,"http://");
++ strcpy(request,proto);
+ strcat(request,opt->host);
+ strcat(request,":");
+- if(opt->port)
+- strcat(request,opt->port);
+- else
+- strcat(request,"11371");
++ strcat(request,port);
+ strcat(request,opt->path);
+ append_path(request,"/pks/lookup?op=index&options=mr&search=");
+
+@@ -631,6 +620,28 @@
+ }
+ }
+
++
++ if(!opt->scheme)
++ {
++ fprintf(console,"gpgkeys: no scheme supplied!\n");
++ ret=KEYSERVER_SCHEME_NOT_FOUND;
++ goto fail;
++ }
++
++ if(ascii_strcasecmp(opt->scheme,"hkps")==0)
++ {
++ proto="https://";
++ port="11372";
++ }
++ else
++ {
++ proto="http://";
++ port="11371";
++ }
++
++ if(opt->port)
++ port=opt->port;
++
+ if(!opt->host)
+ {
+ fprintf(console,"gpgkeys: no keyserver host provided\n");
+@@ -661,9 +672,12 @@
+ {
+ fprintf(console,"gpgkeys: curl version = %s\n",curl_version());
+ curl_easy_setopt(curl,CURLOPT_STDERR,console);
+- curl_easy_setopt(curl,CURLOPT_VERBOSE,1);
++ curl_easy_setopt(curl,CURLOPT_VERBOSE,1L);
+ }
+
++ curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,(long)opt->flags.check_cert);
++ curl_easy_setopt(curl,CURLOPT_CAINFO,opt->ca_cert_file);
++
+ if(proxy)
+ curl_easy_setopt(curl,CURLOPT_PROXY,proxy);
+
+diff -urNad gnupg-1.4.9~/keyserver/gpgkeys_hkp.diff gnupg-1.4.9/keyserver/gpgkeys_hkp.diff
+--- gnupg-1.4.9~/keyserver/gpgkeys_hkp.diff 1969-12-31 19:00:00.000000000 -0500
++++ gnupg-1.4.9/keyserver/gpgkeys_hkp.diff 2009-03-09 10:42:15.000000000 -0400
+@@ -0,0 +1,124 @@
++Index: gpgkeys_hkp.c
++===================================================================
++--- gpgkeys_hkp.c (revision 4923)
+++++ gpgkeys_hkp.c (revision 4924)
++@@ -1,6 +1,6 @@
++ /* gpgkeys_hkp.c - talk to an HKP keyserver
++- * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006, 2007,
++- * 2008 Free Software Foundation, Inc.
+++ * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008,
+++ * 2009 Free Software Foundation, Inc.
++ *
++ * This file is part of GnuPG.
++ *
++@@ -54,6 +54,7 @@
++ static CURL *curl;
++ static struct ks_options *opt;
++ static char errorbuffer[CURL_ERROR_SIZE];
+++static char *proto,*port;
++
++ static size_t
++ curl_mrindex_writer(const void *ptr,size_t size,size_t nmemb,void *stream)
++@@ -186,13 +187,10 @@
++ strcpy(key,"keytext=");
++ strcat(key,encoded_key);
++
++- strcpy(request,"http://");
+++ strcpy(request,proto);
++ strcat(request,opt->host);
++ strcat(request,":");
++- if(opt->port)
++- strcat(request,opt->port);
++- else
++- strcat(request,"11371");
+++ strcat(request,port);
++ strcat(request,opt->path);
++ /* request is MAX_URL+15 bytes long - MAX_URL covers the whole URL,
++ including any supplied path. The 15 covers /pks/add. */
++@@ -253,13 +251,10 @@
++ return KEYSERVER_NOT_SUPPORTED;
++ }
++
++- strcpy(request,"http://");
+++ strcpy(request,proto);
++ strcat(request,opt->host);
++ strcat(request,":");
++- if(opt->port)
++- strcat(request,opt->port);
++- else
++- strcat(request,"11371");
+++ strcat(request,port);
++ strcat(request,opt->path);
++ /* request is MAX_URL+55 bytes long - MAX_URL covers the whole URL,
++ including any supplied path. The 60 overcovers this /pks/... etc
++@@ -334,13 +329,10 @@
++
++ fprintf(output,"NAME %s BEGIN\n",getkey);
++
++- strcpy(request,"http://");
+++ strcpy(request,proto);
++ strcat(request,opt->host);
++ strcat(request,":");
++- if(opt->port)
++- strcat(request,opt->port);
++- else
++- strcat(request,"11371");
+++ strcat(request,port);
++ strcat(request,opt->path);
++ append_path(request,"/pks/lookup?op=get&options=mr&search=");
++ strcat(request,searchkey_encoded);
++@@ -420,13 +412,10 @@
++
++ fprintf(output,"SEARCH %s BEGIN\n",searchkey);
++
++- strcpy(request,"http://");
+++ strcpy(request,proto);
++ strcat(request,opt->host);
++ strcat(request,":");
++- if(opt->port)
++- strcat(request,opt->port);
++- else
++- strcat(request,"11371");
+++ strcat(request,port);
++ strcat(request,opt->path);
++ append_path(request,"/pks/lookup?op=index&options=mr&search=");
++
++@@ -633,6 +622,28 @@
++ }
++ }
++
+++
+++ if(!opt->scheme)
+++ {
+++ fprintf(console,"gpgkeys: no scheme supplied!\n");
+++ ret=KEYSERVER_SCHEME_NOT_FOUND;
+++ goto fail;
+++ }
+++
+++ if(ascii_strcasecmp(opt->scheme,"hkps")==0)
+++ {
+++ proto="https://";
+++ port="11372";
+++ }
+++ else
+++ {
+++ proto="http://";
+++ port="11371";
+++ }
+++
+++ if(opt->port)
+++ port=opt->port;
+++
++ if(!opt->host)
++ {
++ fprintf(console,"gpgkeys: no keyserver host provided\n");
++@@ -666,6 +677,9 @@
++ curl_easy_setopt(curl,CURLOPT_VERBOSE,1L);
++ }
++
+++ curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,(long)opt->flags.check_cert);
+++ curl_easy_setopt(curl,CURLOPT_CAINFO,opt->ca_cert_file);
+++
++ if(proxy)
++ curl_easy_setopt(curl,CURLOPT_PROXY,proxy);
++
--- End Message ---