security-and-privacy/gnupg
security-and-privacy
/
gnupg
mirror of git://git.gnupg.org/gnupg.git
1
0
Fork 0
Code Releases Activity

dirmngr,build: Remove support for ADNS. 

* autogen.rc: Remove '--with-adns' argument.
* configure.ac: Remove check for ADNS.
* dirmngr/dns-stuff.c: Remove all code that uses ADNS.
* dirmngr/server.c (cmd_getinfo): Update status line.
* doc/dirmngr.texi: Do not mention ADNS.
--

We used ADNS to support queries over Tor.  However, our patch to ADNS
that adds Tor support was never accepted upstream.  Furthermore, there
are other shortcomings that let us to consider alternatives.

Signed-off-by: Justus Winter <justus@g10code.com>
This commit is contained in:
Justus Winter 2016-12-08 12:51:52 +01:00 committed by Werner Koch
parent 57aa42ce9b
commit 2e734a3ce1
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
5 changed files with 26 additions and 534 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
autogen.rc
View File

@ -22,7 +22,6 @@ case "$myhost" in
--with-zlib=@SYSROOT@
--with-regex=@SYSROOT@
--with-npth-prefix=@SYSROOT@
--with-adns=@SYSROOT@
--disable-g13
"
;;

42
configure.ac
View File

@ -102,7 +102,6 @@ have_gnutls=no
have_sqlite=no
have_npth=no
have_libusb=no
have_adns=no
have_system_resolver=no
gnupg_have_ldap="n/a"
@ -995,44 +994,6 @@ AC_CHECK_FUNC(setsockopt, , AC_CHECK_LIB(socket, setsockopt,
[NETLIBS="-lsocket $NETLIBS"]))
#
# Check for ADNS.
#
_cppflags="${CPPFLAGS}"
_ldflags="${LDFLAGS}"
AC_ARG_WITH(adns,
AC_HELP_STRING([--with-adns=DIR],
[look for the adns library in DIR]),
[if test -d "$withval"; then
CPPFLAGS="${CPPFLAGS} -I$withval/include"
LDFLAGS="${LDFLAGS} -L$withval/lib"
fi])
if test "$with_adns" != "no"; then
AC_CHECK_HEADERS(adns.h,AC_CHECK_LIB(adns, adns_init_strcfg,[have_adns=yes]))
AC_CHECK_FUNCS(adns_free)
AC_MSG_CHECKING([if adns supports adns_if_tormode])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <adns.h>
adns_initflags flags = adns_if_tormode;
]],[])],[adns_if_tormode=yes],[adns_if_tormode=no])
AC_MSG_RESULT($adns_if_tormode)
if test x"$adns_if_tormode" = xyes; then
AC_DEFINE(HAVE_ADNS_IF_TORMODE,1,[define if adns_if_tormode is available])
if test "$show_tor_support" != "no"; then
show_tor_support=yes
fi
fi
fi
CPPFLAGS=${_cppflags}
LDFLAGS=${_ldflags}
if test "$have_adns" = "yes"; then
DNSLIBS="-ladns"
AC_DEFINE(USE_ADNS,1,[Use ADNS as resolver library.])
else
DNSLIBS=""
fi
#
# Check standard resolver functions.
#
@ -1063,8 +1024,7 @@ if test "$build_dirmngr" = "yes"; then
# Make sure that the BIND 4 resolver interface is workable before
# enabling any code that calls it. At some point I'll rewrite the
# code to use the BIND 8 resolver API.
# We might also want to use adns instead. Problem with ADNS is that
# it does not support v6.
# We might also want to use libdns instead.
AC_MSG_CHECKING([whether the resolver is usable])
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <sys/types.h>

508
dirmngr/dns-stuff.c
View File

@ -45,13 +45,6 @@
#endif
#include <string.h>
#include <unistd.h>
#ifdef USE_ADNS
# include <adns.h>
#endif
#if !defined(HAVE_GETADDRINFO) && !defined(USE_ADNS)
# error Either getaddrinfo or the ADNS library is required.
#endif
#ifdef WITHOUT_NPTH /* Give the Makefile a chance to build without Pth. */
# undef USE_NPTH
@ -82,11 +75,6 @@
# define AI_ADDRCONFIG 0
#endif
/* Provide a replacement function for older ADNS versions. */
#ifndef HAVE_ADNS_FREE
# define adns_free(a) free ((a))
#endif
/* Not every installation has gotten around to supporting SRVs or
CERTs yet... */
#ifndef T_SRV
@ -96,11 +84,8 @@
# define T_CERT 37
#endif
/* ADNS has no support for CERT yet. */
#define my_adns_r_cert 37
/* The default nameserver used with ADNS in Tor mode. */
/* The default nameserver used in Tor mode. */
#define DEFAULT_NAMESERVER "8.8.8.8"
/* If set force the use of the standard resolver. */
@ -114,9 +99,7 @@ static int tor_mode;
static char tor_nameserver[40+20];
/* A string to hold the credentials presented to Tor. */
#ifdef USE_ADNS
static char tor_credentials[50];
#endif
/* Calling this function with YES set to True forces the use of the
@ -142,25 +125,17 @@ standard_resolver_p (void)
gpg_error_t
enable_dns_tormode (int new_circuit)
{
(void) new_circuit;
if (!*tor_credentials || new_circuit)
{
static unsigned int counter;
#ifdef USE_ADNS
# if HAVE_ADNS_IF_TORMODE
if (!*tor_credentials || new_circuit)
{
static unsigned int counter;
gpgrt_snprintf (tor_credentials, sizeof tor_credentials,
"dirmngr-%lu:p%u",
(unsigned long)getpid (), counter);
counter++;
}
tor_mode = 1;
return 0;
# endif
#endif
return gpg_error (GPG_ERR_NOT_IMPLEMENTED);
gpgrt_snprintf (tor_credentials, sizeof tor_credentials,
"dirmngr-%lu:p%u",
(unsigned long)getpid (), counter);
counter++;
}
tor_mode = 1;
return 0;
}
@ -218,177 +193,6 @@ map_eai_to_gpg_error (int ec)
return err;
}
#ifdef USE_ADNS
static gpg_error_t
map_adns_status_to_gpg_error (adns_status status)
{
gpg_err_code_t ec;
switch (status)
{
/* case adns_s_netunreach: ec = GPG_ERR_ENETUNREACH; break; */
default: ec = GPG_ERR_GENERAL; break;
}
return gpg_error (ec);
}
#endif /*USE_ADNS*/
#ifdef USE_ADNS
/* Init ADNS and store the new state at R_STATE. Returns 0 on
success; prints an error message and returns an error code on
failure. */
static gpg_error_t
my_adns_init (adns_state *r_state)
{
gpg_error_t err = 0;
int ret;
if (tor_mode)
{
char *cfgstr;
if (!*tor_nameserver)
set_dns_nameserver (NULL);
cfgstr = xtryasprintf ("nameserver %s\n"
"options adns_tormode adns_sockscred:%s",
tor_nameserver, tor_credentials);
if (!cfgstr)
err = gpg_error_from_syserror ();
else
{
ret = adns_init_strcfg (r_state, adns_if_debug /*adns_if_noerrprint*/, NULL, cfgstr);
if (ret)
err = gpg_error_from_errno (ret);
xfree (cfgstr);
}
}
else
{
ret = adns_init (r_state, adns_if_noerrprint, NULL);
if (ret)
err = gpg_error_from_errno (ret);
}
if (err)
{
log_error ("error initializing adns: %s\n", gpg_strerror (err));
return err;
}
return 0;
}
#endif /*USE_ADNS*/
#ifdef USE_ADNS
/* Resolve a name using the ADNS library. See resolve_dns_name for
the description. */
static gpg_error_t
resolve_name_adns (const char *name, unsigned short port,
int want_family, int want_socktype,
dns_addrinfo_t *r_dai, char **r_canonname)
{
gpg_error_t err = 0;
int ret;
dns_addrinfo_t daihead = NULL;
dns_addrinfo_t dai;
adns_state state;
adns_answer *answer = NULL;
int count;
(void)want_family;
*r_dai = NULL;
if (r_canonname)
*r_canonname = NULL;
if (want_socktype != SOCK_STREAM && want_socktype != SOCK_DGRAM)
return gpg_error (GPG_ERR_ESOCKTNOSUPPORT);
err = my_adns_init (&state);
if (err)
return err;
my_unprotect ();
ret = adns_synchronous (state, name, adns_r_addr,
adns_qf_quoteok_query, &answer);
my_protect ();
if (ret)
{
err = gpg_error (gpg_err_code_from_errno (ret));
log_error ("DNS query failed: %s\n", gpg_strerror (err));
goto leave;
}
err = gpg_error (GPG_ERR_NOT_FOUND);
if (answer->status != adns_s_ok || answer->type != adns_r_addr)
{
err = map_adns_status_to_gpg_error (answer->status);
if (gpg_err_code (err) == GPG_ERR_GENERAL)
err = gpg_error (GPG_ERR_NOT_FOUND);
log_error ("DNS query returned an error: %s (%s)\n",
adns_strerror (answer->status),
adns_errabbrev (answer->status));
goto leave;
}
if (r_canonname && answer->cname)
{
*r_canonname = xtrystrdup (answer->cname);
if (!*r_canonname)
{
err = gpg_error_from_syserror ();
goto leave;
}
}
for (count = 0; count < answer->nrrs; count++)
{
int len;
adns_rr_addr *addr;
len = answer->rrs.addr[count].len;
addr = &answer->rrs.addr[count];
if (addr->addr.sa.sa_family != AF_INET6
&& addr->addr.sa.sa_family != AF_INET)
continue;
dai = xtrymalloc (sizeof *dai + len - 1);
if (!dai)
{
err = gpg_error_from_syserror ();
goto leave;
}
dai->family = addr->addr.sa.sa_family;
dai->socktype = want_socktype == SOCK_STREAM? SOCK_STREAM : SOCK_DGRAM;
dai->protocol = want_socktype == SOCK_STREAM? IPPROTO_TCP : IPPROTO_UDP;
dai->addrlen = len;
memcpy (dai->addr, &addr->addr.sa, len);
((struct sockaddr_in *) dai->addr)->sin_port = htons (port);
dai->next = daihead;
daihead = dai;
err = 0;
}
leave:
adns_free (answer);
adns_finish (state);
if (err)
{
if (r_canonname)
{
xfree (*r_canonname);
*r_canonname = NULL;
}
free_dns_addrinfo (daihead);
}
else
*r_dai = daihead;
return err;
}
#endif /*USE_ADNS*/
/* Resolve a name using the standard system function. */
static gpg_error_t
@ -572,10 +376,10 @@ resolve_dns_name (const char *name, unsigned short port,
int want_family, int want_socktype,
dns_addrinfo_t *r_ai, char **r_canonname)
{
#ifdef USE_ADNS
#ifdef NOTYET
if (!standard_resolver)
return resolve_name_adns (name, port, want_family, want_socktype,
r_ai, r_canonname);
return resolve_name_libdns (name, port, want_family, want_socktype,
r_ai, r_canonname);
#endif
return resolve_name_standard (name, port, want_family, want_socktype,
r_ai, r_canonname);
@ -671,150 +475,6 @@ is_onion_address (const char *name)
}
#ifdef USE_ADNS
/* ADNS version of get_dns_cert. */
static gpg_error_t
get_dns_cert_adns (const char *name, int want_certtype,
void **r_key, size_t *r_keylen,
unsigned char **r_fpr, size_t *r_fprlen, char **r_url)
{
gpg_error_t err;
int ret;
adns_state state;
adns_answer *answer = NULL;
unsigned int ctype;
int count;
err = my_adns_init (&state);
if (err)
return err;
my_unprotect ();
ret = adns_synchronous (state, name,
(adns_r_unknown
| (want_certtype < DNS_CERTTYPE_RRBASE
? my_adns_r_cert
: (want_certtype - DNS_CERTTYPE_RRBASE))),
adns_qf_quoteok_query, &answer);
my_protect ();
if (ret)
{
err = gpg_error (gpg_err_code_from_errno (ret));
/* log_error ("DNS query failed: %s\n", gpg_strerror (err)); */
adns_finish (state);
return err;
}
if (answer->status != adns_s_ok)
{
/* log_error ("DNS query returned an error: %s (%s)\n", */
/* adns_strerror (answer->status), */
/* adns_errabbrev (answer->status)); */
err = map_adns_status_to_gpg_error (answer->status);
if (gpg_err_code (err) == GPG_ERR_GENERAL)
err = gpg_error (GPG_ERR_NOT_FOUND);
goto leave;
}
err = gpg_error (GPG_ERR_NOT_FOUND);
for (count = 0; count < answer->nrrs; count++)
{
int datalen = answer->rrs.byteblock[count].len;
const unsigned char *data = answer->rrs.byteblock[count].data;
/* First check for our generic RR hack. */
if (datalen
&& want_certtype >= DNS_CERTTYPE_RRBASE
&& ((want_certtype - DNS_CERTTYPE_RRBASE)
== (answer->type & ~adns_r_unknown)))
{
/* Found the requested record - return it. */
*r_key = xtrymalloc (datalen);
if (!*r_key)
err = gpg_error_from_syserror ();
else
{
memcpy (*r_key, data, datalen);
*r_keylen = datalen;
err = 0;
}
goto leave;
}
if (datalen < 5)
continue; /* Truncated CERT record - skip. */
ctype = buf16_to_uint (data);
/* (key tag and algorithm fields are not required.) */
data += 5;
datalen -= 5;
if (want_certtype && want_certtype != ctype)
; /* Not of the requested certtype. */
else if (ctype == DNS_CERTTYPE_PGP && datalen >= 11 && r_key && r_keylen)
{
/* CERT type is PGP. Gpg checks for a minimum length of 11,
thus we do the same. */
*r_key = xtrymalloc (datalen);
if (!*r_key)
err = gpg_error_from_syserror ();
else
{
memcpy (*r_key, data, datalen);
*r_keylen = datalen;
err = 0;
}
goto leave;
}
else if (ctype == DNS_CERTTYPE_IPGP && datalen && datalen < 1023
&& datalen >= data[0] + 1 && r_fpr && r_fprlen && r_url)
{
/* CERT type is IPGP. We made sure that the data is
plausible and that the caller requested this
information. */
*r_fprlen = data[0];
if (*r_fprlen)
{
*r_fpr = xtrymalloc (*r_fprlen);
if (!*r_fpr)
{
err = gpg_error_from_syserror ();
goto leave;
}
memcpy (*r_fpr, data + 1, *r_fprlen);
}
else
*r_fpr = NULL;
if (datalen > *r_fprlen + 1)
{
*r_url = xtrymalloc (datalen - (*r_fprlen + 1) + 1);
if (!*r_url)
{
err = gpg_error_from_syserror ();
xfree (*r_fpr);
*r_fpr = NULL;
goto leave;
}
memcpy (*r_url,
data + (*r_fprlen + 1), datalen - (*r_fprlen + 1));
(*r_url)[datalen - (*r_fprlen + 1)] = '\0';
}
else
*r_url = NULL;
err = 0;
goto leave;
}
}
leave:
adns_free (answer);
adns_finish (state);
return err;
}
#endif /*!USE_ADNS */
/* Standard resolver version of get_dns_cert. */
static gpg_error_t
get_dns_cert_standard (const char *name, int want_certtype,
@ -1041,11 +701,11 @@ get_dns_cert (const char *name, int want_certtype,
*r_fprlen = 0;
*r_url = NULL;
#ifdef USE_ADNS
#ifdef NOTYET
if (!standard_resolver)
return get_dns_cert_adns (name, want_certtype, r_key, r_keylen,
r_fpr, r_fprlen, r_url);
#endif /*!USE_ADNS */
return get_dns_cert_libdns (name, want_certtype, r_key, r_keylen,
r_fpr, r_fprlen, r_url);
#endif
return get_dns_cert_standard (name, want_certtype, r_key, r_keylen,
r_fpr, r_fprlen, r_url);
}
@ -1064,78 +724,6 @@ priosort(const void *a,const void *b)
}
#ifdef USE_ADNS
/* ADNS based helper for getsrv. */
static int
getsrv_adns (const char *name, struct srventry **list)
{
int srvcount = 0;
u16 count;
int rc;
adns_state state;
adns_answer *answer = NULL;
if (my_adns_init (&state))
return -1;
my_unprotect ();
rc = adns_synchronous (state, name, adns_r_srv, adns_qf_quoteok_query,
&answer);
my_protect ();
if (rc)
{
log_error ("DNS query failed: %s\n", strerror (rc));
adns_finish (state);
return -1;
}
if (answer->status != adns_s_ok
|| answer->type != adns_r_srv || !answer->nrrs)
{
log_error ("DNS query returned an error or no records: %s (%s)\n",
adns_strerror (answer->status),
adns_errabbrev (answer->status));
adns_free (answer);
adns_finish (state);
return 0;
}
for (count = 0; count < answer->nrrs; count++)
{
struct srventry *srv = NULL;
struct srventry *newlist;
if (strlen (answer->rrs.srvha[count].ha.host) >= sizeof srv->target)
{
log_info ("hostname in SRV record too long - skipped\n");
continue;
}
newlist = xtryrealloc (*list, (srvcount+1)*sizeof(struct srventry));
if (!newlist)
{
xfree (*list);
*list = NULL;
return -1;
}
*list = newlist;
memset (&(*list)[srvcount], 0, sizeof(struct srventry));
srv = &(*list)[srvcount];
srvcount++;
srv->priority = answer->rrs.srvha[count].priority;
srv->weight = answer->rrs.srvha[count].weight;
srv->port = answer->rrs.srvha[count].port;
strcpy (srv->target, answer->rrs.srvha[count].ha.host);
}
adns_free (answer);
adns_finish (state);
return srvcount;
}
#endif /*USE_ADNS*/
/* Standard resolver based helper for getsrv. */
static int
getsrv_standard (const char *name, struct srventry **list)
@ -1264,10 +852,10 @@ getsrv (const char *name, struct srventry **list)
if (0)
;
#ifdef USE_ADNS
#ifdef NOTYET
else if (!standard_resolver)
srvcount = getsrv_adns (name, list);
#endif /*!USE_ADNS*/
srvcount = getsrv_libdns (name, list);
#endif
else
srvcount = getsrv_standard (name, list);
@ -1351,54 +939,6 @@ getsrv (const char *name, struct srventry **list)
}
#ifdef USE_ADNS
/* ADNS version of get_dns_cname. */
gpg_error_t
get_dns_cname_adns (const char *name, char **r_cname)
{
gpg_error_t err;
int rc;
adns_state state;
adns_answer *answer = NULL;
if (my_adns_init (&state))
return gpg_error (GPG_ERR_GENERAL);
my_unprotect ();
rc = adns_synchronous (state, name, adns_r_cname, adns_qf_quoteok_query,
&answer);
my_protect ();
if (rc)
{
err = gpg_error (gpg_err_code_from_errno (rc));
log_error ("DNS query failed: %s\n", gpg_strerror (err));
adns_finish (state);
return err;
}
if (answer->status != adns_s_ok
|| answer->type != adns_r_cname || answer->nrrs != 1)
{
err = map_adns_status_to_gpg_error (answer->status);
log_error ("DNS query returned an error or no records: %s (%s)\n",
adns_strerror (answer->status),
adns_errabbrev (answer->status));
adns_free (answer);
adns_finish (state);
return err;
}
*r_cname = xtrystrdup (answer->rrs.str[0]);
if (!*r_cname)
err = gpg_error_from_syserror ();
else
err = 0;
adns_free (answer);
adns_finish (state);
return err;
}
#endif /*USE_ADNS*/
/* Standard resolver version of get_dns_cname. */
gpg_error_t
get_dns_cname_standard (const char *name, char **r_cname)
@ -1482,10 +1022,10 @@ get_dns_cname (const char *name, char **r_cname)
{
*r_cname = NULL;
#ifdef USE_ADNS
#ifdef NOTYET
if (!standard_resolver)
return get_dns_cname_adns (name, r_cname);
#endif /*!USE_ADNS*/
return get_dns_cname_libdns (name, r_cname);
#endif
return get_dns_cname_standard (name, r_cname);
}

6
dirmngr/server.c
View File

@ -2314,13 +2314,7 @@ cmd_getinfo (assuan_context_t ctx, char *line)
(ctx, "- Forced use of System resolver (w/o Tor support)");
else
{
#if USE_ADNS && HAVE_ADNS_IF_TORMODE
assuan_set_okay_line (ctx, "- ADNS with Tor support");
#elif USE_ADNS
assuan_set_okay_line (ctx, "- ADNS w/o Tor support");
#else
assuan_set_okay_line (ctx, "- System resolver (w/o Tor support)");
#endif
}
err = 0;
}

3
doc/dirmngr.texi
View File

@ -293,8 +293,7 @@ In ``Tor mode'' Dirmngr uses a public resolver via Tor to resolve DNS
names. If the default public resolver, which is @code{8.8.8.8}, shall
not be used a different one can be given using this option. Note that
a numerical IP address must be given (IPv6 or IPv4) and that no error
checking is done for @var{ipaddr}. DNS queries in Tor mode do only
work if GnuPG as been build with ADNS support.
checking is done for @var{ipaddr}.
@item --disable-ldap
@opindex disable-ldap