From 3533b854408fa93734742b2ee12b62aa0d55ff28 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Mon, 3 Apr 2017 20:56:12 +0200
Subject: [PATCH] dirmngr: New option --disable-ipv6

* dirmngr/dirmngr.h (struct opt): Add field 'disable_ipv6'.
* dirmngr/dirmngr.c (oDisableIPv6): New const.
(opts): New option --disable-ipv6.
(parse_rereadable_options): Set that option.
* dirmngr/dns-stuff.c (opt_disable_ipv6): New var.
(set_dns_disable_ipv6): New.
(resolve_name_standard): Make use of it.
* dirmngr/ks-engine-finger.c (ks_finger_fetch): Take care of
OPT.DISABLE_IPV6.
* dirmngr/ks-engine-hkp.c (map_host): Ditto.
(send_request): Ditto.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
* dirmngr/ocsp.c (do_ocsp_request): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
---
 dirmngr/crlfetch.c         |  1 +
 dirmngr/dirmngr.c          |  4 ++++
 dirmngr/dirmngr.h          |  3 ++-
 dirmngr/dns-stuff.c        | 15 +++++++++++++++
 dirmngr/dns-stuff.h        |  4 ++++
 dirmngr/ks-engine-finger.c |  3 ++-
 dirmngr/ks-engine-hkp.c    |  7 +++++--
 dirmngr/ks-engine-http.c   |  3 ++-
 dirmngr/ocsp.c             |  3 ++-
 doc/dirmngr.texi           |  5 +++--
 10 files changed, 40 insertions(+), 8 deletions(-)

diff --git a/dirmngr/crlfetch.c b/dirmngr/crlfetch.c
index f7a23ffed..0892421e9 100644
--- a/dirmngr/crlfetch.c
+++ b/dirmngr/crlfetch.c
@@ -201,6 +201,7 @@ crl_fetch (ctrl_t ctrl, const char *url, ksba_reader_t *reader)
                                    |(DBG_LOOKUP? HTTP_FLAG_LOG_RESP:0)
                                    |(dirmngr_use_tor()? HTTP_FLAG_FORCE_TOR:0)
                                    |(opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4:0)
+                                   |(opt.disable_ipv6? HTTP_FLAG_IGNORE_IPv6:0)
                                    ),
                                   ctrl->http_proxy, NULL, NULL, NULL);
 
diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
index e3e02fe6b..07b3b913f 100644
--- a/dirmngr/dirmngr.c
+++ b/dirmngr/dirmngr.c
@@ -113,6 +113,7 @@ enum cmd_and_opt_values {
   oDisableHTTP,
   oDisableLDAP,
   oDisableIPv4,
+  oDisableIPv6,
   oIgnoreLDAPDP,
   oIgnoreHTTPDP,
   oIgnoreOCSPSvcUrl,
@@ -229,6 +230,7 @@ static ARGPARSE_OPTS opts[] = {
   ARGPARSE_s_n (oNoUseTor, "no-use-tor", "@"),
 
   ARGPARSE_s_n (oDisableIPv4, "disable-ipv4", "@"),
+  ARGPARSE_s_n (oDisableIPv6, "disable-ipv6", "@"),
 
   ARGPARSE_s_s (oSocketName, "socket-name", "@"),  /* Only for debugging.  */
 
@@ -638,6 +640,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
     case oDisableHTTP: opt.disable_http = 1; break;
     case oDisableLDAP: opt.disable_ldap = 1; break;
     case oDisableIPv4: opt.disable_ipv4 = 1; break;
+    case oDisableIPv6: opt.disable_ipv6 = 1; break;
     case oHonorHTTPProxy: opt.honor_http_proxy = 1; break;
     case oHTTPProxy: opt.http_proxy = pargs->r.ret_str; break;
     case oLDAPProxy: opt.ldap_proxy = pargs->r.ret_str; break;
@@ -707,6 +710,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
   set_dns_verbose (opt.verbose, !!DBG_DNS);
   http_set_verbose (opt.verbose, !!DBG_NETWORK);
   set_dns_disable_ipv4 (opt.disable_ipv4);
+  set_dns_disable_ipv6 (opt.disable_ipv6);
 
   return 1; /* Handled. */
 }
diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h
index b269865a8..e10de09c1 100644
--- a/dirmngr/dirmngr.h
+++ b/dirmngr/dirmngr.h
@@ -97,7 +97,8 @@ struct
 
   int disable_http;       /* Do not use HTTP at all.  */
   int disable_ldap;       /* Do not use LDAP at all.  */
-  int disable_ipv4;       /* Do not use leagacy IP addresses.  */
+  int disable_ipv4;       /* Do not use legacy IP addresses.  */
+  int disable_ipv6;       /* Do not use standard IP addresses.  */
   int honor_http_proxy;   /* Honor the http_proxy env variable. */
   const char *http_proxy; /* The default HTTP proxy.  */
   const char *ldap_proxy; /* Use given LDAP proxy.  */
diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
index c9ce40a2c..728f662ae 100644
--- a/dirmngr/dns-stuff.c
+++ b/dirmngr/dns-stuff.c
@@ -123,6 +123,10 @@ static int opt_timeout;
  * returned A records.  */
 static int opt_disable_ipv4;
 
+/* The flag to disable IPv6 access - right now this only skips
+ * returned AAAA records.  */
+static int opt_disable_ipv6;
+
 /* If set force the use of the standard resolver.  */
 static int standard_resolver;
 
@@ -248,6 +252,15 @@ set_dns_disable_ipv4 (int yes)
 }
 
 
+/* Set the Disable-IPv6 flag so that the name resolver does not return
+ * AAAA addresses.  */
+void
+set_dns_disable_ipv6 (int yes)
+{
+  opt_disable_ipv6 = !!yes;
+}
+
+
 /* Set the timeout for libdns requests to SECONDS.  A value of 0 sets
  * the default timeout and values are capped at 10 minutes.  */
 void
@@ -953,6 +966,8 @@ resolve_name_standard (const char *name, unsigned short port,
         continue;
       if (opt_disable_ipv4 && ai->ai_family == AF_INET)
         continue;
+      if (opt_disable_ipv6 && ai->ai_family == AF_INET6)
+        continue;
 
       dai = xtrymalloc (sizeof *dai + ai->ai_addrlen - 1);
       dai->family = ai->ai_family;
diff --git a/dirmngr/dns-stuff.h b/dirmngr/dns-stuff.h
index 9b8303c3b..71605b741 100644
--- a/dirmngr/dns-stuff.h
+++ b/dirmngr/dns-stuff.h
@@ -99,6 +99,10 @@ void set_dns_verbose (int verbose, int debug);
  * A addresses.  */
 void set_dns_disable_ipv4 (int yes);
 
+/* Set the Disable-IPv6 flag so that the name resolver does not return
+ * AAAA addresses.  */
+void set_dns_disable_ipv6 (int yes);
+
 /* Set the timeout for libdns requests to SECONDS.  */
 void set_dns_timeout (int seconds);
 
diff --git a/dirmngr/ks-engine-finger.c b/dirmngr/ks-engine-finger.c
index 82ef7a500..f56a9ff8e 100644
--- a/dirmngr/ks-engine-finger.c
+++ b/dirmngr/ks-engine-finger.c
@@ -84,7 +84,8 @@ ks_finger_fetch (ctrl_t ctrl, parsed_uri_t uri, estream_t *r_fp)
 
   err = http_raw_connect (&http, server, 79,
                           ((dirmngr_use_tor ()? HTTP_FLAG_FORCE_TOR : 0)
-                           | (opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)),
+                           | (opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)
+                           | (opt.disable_ipv6? HTTP_FLAG_IGNORE_IPv6 : 0)),
                           NULL);
   if (err)
     {
diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index 4428c1266..1592fab34 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -512,6 +512,8 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
                 continue;
               if (opt.disable_ipv4 && ai->family == AF_INET)
                 continue;
+              if (opt.disable_ipv6 && ai->family == AF_INET6)
+                continue;
               dirmngr_tick (ctrl);
 
               add_host (name, is_pool, ai, 0, reftbl, reftblsize, &refidx);
@@ -592,7 +594,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
         {
           for (ai = aibuf; ai; ai = ai->next)
             {
-              if (ai->family == AF_INET6
+              if ((!opt.disable_ipv6 && ai->family == AF_INET6)
                   || (!opt.disable_ipv4 && ai->family == AF_INET))
                 {
                   err = resolve_dns_addr (ai->addr, ai->addrlen, 0, &host);
@@ -1140,7 +1142,8 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
                    (httpflags
                     |(opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0)
                     |(dirmngr_use_tor ()? HTTP_FLAG_FORCE_TOR:0)
-                    |(opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)),
+                    |(opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)
+                    |(opt.disable_ipv6? HTTP_FLAG_IGNORE_IPv6 : 0)),
                    ctrl->http_proxy,
                    session,
                    NULL,
diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c
index d4a6c8a63..02269da6e 100644
--- a/dirmngr/ks-engine-http.c
+++ b/dirmngr/ks-engine-http.c
@@ -92,7 +92,8 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
                    /* fixme: AUTH */ NULL,
                    ((opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0)
                     | (dirmngr_use_tor ()? HTTP_FLAG_FORCE_TOR:0)
-                    | (opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)),
+                    | (opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)
+                    | (opt.disable_ipv6? HTTP_FLAG_IGNORE_IPv6 : 0)),
                    ctrl->http_proxy,
                    session,
                    NULL,
diff --git a/dirmngr/ocsp.c b/dirmngr/ocsp.c
index aff8e3288..22391c32d 100644
--- a/dirmngr/ocsp.c
+++ b/dirmngr/ocsp.c
@@ -175,7 +175,8 @@ do_ocsp_request (ctrl_t ctrl, ksba_ocsp_t ocsp, gcry_md_hd_t md,
   err = http_open (&http, HTTP_REQ_POST, url, NULL, NULL,
                    ((opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0)
                     | (dirmngr_use_tor ()? HTTP_FLAG_FORCE_TOR:0)
-                    | (opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)),
+                    | (opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)
+                    | (opt.disable_ipv6? HTTP_FLAG_IGNORE_IPv6 : 0)),
                    ctrl->http_proxy, NULL, NULL, NULL);
   if (err)
     {
diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
index 7a6ba47b4..027bb949d 100644
--- a/doc/dirmngr.texi
+++ b/doc/dirmngr.texi
@@ -314,9 +314,10 @@ a numerical IP address must be given (IPv6 or IPv4) and that no error
 checking is done for @var{ipaddr}.
 
 @item --disable-ipv4
+@item --disable-ipv6
 @opindex disable-ipv4
-Disable the use of all IPv4 addresses.  This option is mainly useful
-for debugging.
+@opindex disable-ipv6
+Disable the use of all IPv4 or IPv6 addresses.
 
 @item --disable-ldap
 @opindex disable-ldap