https://bugs.gentoo.org/924606
https://dev.gnupg.org/T6997
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=04cbc3074aa98660b513a80f623a7e9f0702c7c9
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=848546b05ab0ff6abd47724ecfab73bf32dd4c01
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2810b934647edd483996bee1f5f9256a162b2705

From 6236978d78886cbb476ed9fbc49ff99c7582b2d7 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Thu, 15 Feb 2024 15:38:34 +0900
Subject: [PATCH 1/3] dirmngr: Fix proxy with TLS.

* dirmngr/http.c (proxy_get_token, run_proxy_connect): Always
available regardless of USE_TLS.
(run_proxy_connect): Use log_debug_string.
(send_request): Remove USE_TLS.

--

Since the commit of

	1009e4e5f71347a1fe194e59a9d88c8034a67016

Building with TLS library is mandatory.

GnuPG-bug-id: 6997
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
 dirmngr/http.c | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/dirmngr/http.c b/dirmngr/http.c
index 4899a5d55..10eecfdb0 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -2362,7 +2362,6 @@ run_gnutls_handshake (http_t hd, const char *server)
  * NULL, decode the string and use this as input from teh server.  On
  * success the final output token is stored at PROXY->OUTTOKEN and
  * OUTTOKLEN.  IF the authentication succeeded OUTTOKLEN is zero. */
-#ifdef USE_TLS
 static gpg_error_t
 proxy_get_token (proxy_info_t proxy, const char *inputstring)
 {
@@ -2530,11 +2529,9 @@ proxy_get_token (proxy_info_t proxy, const char *inputstring)
 
 #endif /*!HAVE_W32_SYSTEM*/
 }
-#endif /*USE_TLS*/
 
 
 /* Use the CONNECT method to proxy our TLS stream.  */
-#ifdef USE_TLS
 static gpg_error_t
 run_proxy_connect (http_t hd, proxy_info_t proxy,
                    const char *httphost, const char *server,
@@ -2586,7 +2583,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
   hd->keep_alive = !auth_basic; /* We may need to send more requests.  */
 
   if (opt_debug || (hd->flags & HTTP_FLAG_LOG_RESP))
-    log_debug_with_string (request, "http.c:proxy:request:");
+    log_debug_string (request, "http.c:proxy:request:");
 
   if (!hd->fp_write)
     {
@@ -2743,7 +2740,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
   xfree (tmpstr);
   return err;
 }
-#endif /*USE_TLS*/
 
 
 /* Make a request string using a standard proxy.  On success the
@@ -2903,7 +2899,6 @@ send_request (ctrl_t ctrl,
       goto leave;
     }
 
-#if USE_TLS
   if (use_http_proxy && hd->uri->use_tls)
     {
       err = run_proxy_connect (hd, proxy, httphost, server, port);
@@ -2915,7 +2910,6 @@ send_request (ctrl_t ctrl,
        * clear the flag to indicate this.  */
       use_http_proxy = 0;
     }
-#endif	/* USE_TLS */
 
 #if HTTP_USE_NTBTLS
   err = run_ntbtls_handshake (hd);
-- 
2.43.2

From 68650eb6999e674fd2f1c78f47b68d3cd1d37ff0 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Fri, 16 Feb 2024 11:31:37 +0900
Subject: [PATCH 2/3] dirmngr: Fix the regression of use of proxy for TLS
 connection.

* dirmngr/http.c (run_proxy_connect): Don't set keep_alive, since it
causes resource leak of FP_WRITE.
Don't try to read response body to fix the hang.

--

GnuPG-bug-id: 6997
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
 dirmngr/http.c | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)

diff --git a/dirmngr/http.c b/dirmngr/http.c
index 10eecfdb0..7ce01bacd 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -2553,6 +2553,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
    * RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication
    */
   auth_basic = !!proxy->uri->auth;
+  hd->keep_alive = 0;
 
   /* For basic authentication we need to send just one request.  */
   if (auth_basic
@@ -2574,13 +2575,12 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
                          httphost ? httphost : server,
                          port,
                          authhdr ? authhdr : "",
-                         auth_basic? "" : "Connection: keep-alive\r\n");
+                         hd->keep_alive? "Connection: keep-alive\r\n" : "");
   if (!request)
     {
       err = gpg_error_from_syserror ();
       goto leave;
     }
-  hd->keep_alive = !auth_basic; /* We may need to send more requests.  */
 
   if (opt_debug || (hd->flags & HTTP_FLAG_LOG_RESP))
     log_debug_string (request, "http.c:proxy:request:");
@@ -2607,16 +2607,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
   if (err)
     goto leave;
 
-  {
-    unsigned long count = 0;
-
-    while (es_getc (hd->fp_read) != EOF)
-      count++;
-    if (opt_debug)
-      log_debug ("http.c:proxy_connect: skipped %lu bytes of response-body\n",
-                 count);
-  }
-
   /* Reset state.  */
   es_clearerr (hd->fp_read);
   ((cookie_t)(hd->read_cookie))->up_to_empty_line = 1;
-- 
2.43.2

From 7c7cbd94549d08780fc3767d6de8336b3f44e7d7 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Fri, 16 Feb 2024 16:24:26 +0900
Subject: [PATCH 3/3] dirmngr: Fix keep-alive flag handling.

* dirmngr/http.c (run_proxy_connect): Set KEEP_ALIVE if not Basic
Authentication.  Fix resource leak of FP_WRITE.

--

GnuPG-bug-id: 6997
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
 dirmngr/http.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/dirmngr/http.c b/dirmngr/http.c
index 7ce01bacd..da0c89ae5 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -2553,7 +2553,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
    * RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication
    */
   auth_basic = !!proxy->uri->auth;
-  hd->keep_alive = 0;
+  hd->keep_alive = !auth_basic; /* We may need to send more requests.  */
 
   /* For basic authentication we need to send just one request.  */
   if (auth_basic
@@ -2717,6 +2717,14 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
     }
 
  leave:
+  if (hd->keep_alive)
+    {
+      es_fclose (hd->fp_write);
+      hd->fp_write = NULL;
+      /* The close has released the cookie and thus we better set it
+       * to NULL.  */
+      hd->write_cookie = NULL;
+    }
   /* Restore flags, destroy stream, reset state.  */
   hd->flags = saved_flags;
   es_fclose (hd->fp_read);
-- 
2.43.2