Require Libgcrypt 1.9

* configure.ac: Require at least Libgcrypt 1.9.0. Remove all GCRYPT_VERSION_NUMBER dependent code. -- Only Libgcrypt 1.9 implements EAX which is a mandatory algorithm in RFC4880bis. Signed-off-by: Werner Koch <wk@gnupg.org>
2024-12-22 10:19:57 +01:00 · 2021-01-19 10:33:03 +01:00 · 2021-01-19 10:33:03 +01:00 · 9500432b7a
commit 9500432b7a
parent 93d5d7ea2a
11 changed files with 24 additions and 63 deletions
--- a/agent/command.c
+++ b/agent/command.c
@ -3530,7 +3530,6 @@ cmd_getinfo (assuan_context_t ctx, char *line)
    }
  else if (!strcmp (line, "jent_active"))
    {
-#if GCRYPT_VERSION_NUMBER >= 0x010800
      char *buf;
      const char *fields[5];

@ -3542,9 +3541,6 @@ cmd_getinfo (assuan_context_t ctx, char *line)
      else
        rc = gpg_error (GPG_ERR_FALSE);
      gcry_free (buf);
-#else
-      rc = gpg_error (GPG_ERR_FALSE);
-#endif
    }
  else if (!strcmp (line, "s2k_count_cal"))
    {
--- a/agent/gpg-agent.c
+++ b/agent/gpg-agent.c
@ -1007,9 +1007,7 @@ thread_init_once (void)
   * has already been initialized but at that point nPth was not
   * initialized and thus Libgcrypt could not set its system call
   * clamp.  */
-#if GCRYPT_VERSION_NUMBER >= 0x010800 /* 1.8.0 */
  gcry_control (GCRYCTL_REINIT_SYSCALL_CLAMP, 0, 0);
-#endif
 }


@ -1817,23 +1815,6 @@ agent_libgcrypt_progress_cb (void *data, const char *what, int printchar,
      break;
  if (dispatch && dispatch->cb)
    dispatch->cb (dispatch->ctrl, what, printchar, current, total);
-
-  /* Libgcrypt < 1.8 does not know about nPth and thus when it reads
-   * from /dev/random this will block the process.  To mitigate this
-   * problem we yield the thread when Libgcrypt tells us that it needs
-   * more entropy.  This way other threads have chance to run.  */
-#if GCRYPT_VERSION_NUMBER < 0x010800 /* 1.8.0 */
-  if (what && !strcmp (what, "need_entropy"))
-    {
-#if GPGRT_VERSION_NUMBER < 0x011900 /* 1.25 */
-      /* In older gpg-error versions gpgrt_yield is buggy for use with
-       * nPth and thus we need to resort to a sleep call.  */
-      npth_usleep (1000); /* 1ms */
-#else
-      gpgrt_yield ();
-#endif
-    }
-#endif
 }


--- a/agent/pksign.c
+++ b/agent/pksign.c
@ -513,12 +513,6 @@ agent_pksign_do (ctrl_t ctrl, const char *cache_nonce,
      if (err)
        goto leave;

-      if (algo == GCRY_PK_RSA && GCRYPT_VERSION_NUMBER < 0x010700)
-        {
-          /* It's RSA and Libgcrypt < 1.7 */
-          check_signature = 1;
-        }
-
      if (DBG_CRYPTO)
        {
          gcry_log_debugsxp ("skey", s_skey);
--- a/common/compliance.c
+++ b/common/compliance.c
@ -499,7 +499,6 @@ gnupg_rng_is_compliant (enum gnupg_compliance_mode compliance)
      /* In DE_VS mode under Windows we require that the JENT RNG
       * is active.  */
 #ifdef HAVE_W32_SYSTEM
-# if GCRYPT_VERSION_NUMBER >= 0x010800
      char *buf;
      const char *fields[5];

@ -511,9 +510,6 @@ gnupg_rng_is_compliant (enum gnupg_compliance_mode compliance)
      else
        result = 0;
      gcry_free (buf);
-# else
-      result = 0;  /* No JENT - can't be compliant.  */
-# endif
 #else /*!HAVE_W32_SYSTEM*/
      result = 1;  /* Not Windows - RNG is good.  */
 #endif /*!HAVE_W32_SYSTEM*/
--- a/common/sexputil.c
+++ b/common/sexputil.c
@ -871,9 +871,7 @@ hash_algo_to_string (int algo)
       { "md4",       GCRY_MD_MD4 },
       { "tiger",     GCRY_MD_TIGER },
       { "haval",     GCRY_MD_HAVAL },
-#if GCRYPT_VERSION_NUMBER >= 0x010900
       { "sm3",       GCRY_MD_SM3 },
-#endif
       { "md5",       GCRY_MD_MD5 }
      };
  int i;
--- a/configure.ac
+++ b/configure.ac
@ -56,7 +56,7 @@ AC_DEFINE_UNQUOTED(GNUPG_SWDB_TAG, "gnupg24", [swdb tag for this branch])
 NEED_GPG_ERROR_VERSION=1.38

 NEED_LIBGCRYPT_API=1
-NEED_LIBGCRYPT_VERSION=1.8.0
+NEED_LIBGCRYPT_VERSION=1.9.0

 NEED_LIBASSUAN_API=2
 NEED_LIBASSUAN_VERSION=2.5.0
--- a/dirmngr/dns-stuff.c
+++ b/dirmngr/dns-stuff.c
@ -2461,15 +2461,27 @@ check_inet_support (int *r_v4, int *r_v6)
                  log_debug ("%s:     addr: %s\n", __func__, buffer);
              }
          }
+      }
+
+    for (ai = aibuf; ai; ai = ai->ai_next)
+      {
+        if (ai->ai_family == AF_INET)
+          *r_v4 = 1;
+      }
+    for (ai = aibuf; ai; ai = ai->ai_next)
+      {
        if (ai->ai_family == AF_INET6)
          {
            struct sockaddr_in6 *v6addr = (struct sockaddr_in6 *)ai->ai_addr;
-            if (!IN6_IS_ADDR_LINKLOCAL (&v6addr->sin6_addr))
-              *r_v6 = 1;
-          }
-        else if (ai->ai_family == AF_INET)
-          {
-            *r_v4 = 1;
+            if (!IN6_IS_ADDR_LINKLOCAL (&v6addr->sin6_addr)
+                && (!*r_v4 || !IN6_IS_ADDR_LOOPBACK (&v6addr->sin6_addr)))
+              {
+                /* We only assume v6 if we do not have a v4 address or
+                 * if the address is not ::1.  Linklocal never
+                 * indicates v6 support.  */
+                *r_v6 = 1;
+                break;
+              }
          }
      }

--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@ -232,6 +232,9 @@ select_random_host (hostinfo_t hi)
  size_t tblsize;
  int pidx, idx;

+  /* CHECKTHIS();  See */
+  /*                 https://sources.debian.org/patches/gnupg2/2.2.20-1/dirmngr-idling/dirmngr-hkp-Avoid-potential-race-condition-when-some.patch/ */
+
  /* We create a new table so that we randomly select only from
     currently alive hosts.  */
  for (idx = 0, tblsize = 0;
--- a/g10/misc.c
+++ b/g10/misc.c
@ -620,20 +620,14 @@ openpgp_aead_test_algo (aead_algo_t algo)
  /* FIXME: We currently have no easy way to test whether libgcrypt
   * implements a mode.  The only way we can do this is to open a
   * cipher context with that mode and close it immediately.  That is
-   * a bit costly.  So we look at the libgcrypt version and assume
-   * nothing has been patched out.  */
+   * a bit costly.  Thus in case we add another algo we need to look
+   * at the libgcrypt version and assume nothing has been patched out.  */
  switch (algo)
    {
    case AEAD_ALGO_NONE:
      break;

    case AEAD_ALGO_EAX:
-#if GCRYPT_VERSION_NUMBER < 0x010900
-      break;
-#else
-      return 0;
-#endif
-
    case AEAD_ALGO_OCB:
      return 0;
    }
--- a/sm/certdump.c
+++ b/sm/certdump.c
@ -103,11 +103,7 @@ gpgsm_print_serial_decimal (estream_t fp, ksba_const_sexp_t sn)
  unsigned long n, i;
  char *endp;
  gcry_mpi_t a, r, ten;
-#if GCRYPT_VERSION_NUMBER >= 0x010900 /* >= 1.9.0 */
  unsigned int dd;
-#else
-  unsigned char numbuf[10];
-#endif

  if (!p)
    es_fputs (_("none"), fp);
@ -134,15 +130,8 @@ gpgsm_print_serial_decimal (estream_t fp, ksba_const_sexp_t sn)
          do
            {
              gcry_mpi_div (a, r, a, ten, 0);
-#if GCRYPT_VERSION_NUMBER >= 0x010900 /* >= 1.9.0 */
              gcry_mpi_get_ui (&dd, r);
              put_membuf_printf (&mb, "%u", dd);
-#else
-              *numbuf = 0;  /* Need to clear because USB format prints
-                             * an empty string for a value of 0.  */
-              gcry_mpi_print (GCRYMPI_FMT_USG, numbuf, 10, NULL, r);
-              put_membuf_printf (&mb, "%u", (unsigned int)*numbuf);
-#endif
            }
          while (gcry_mpi_cmp_ui (a, 0));

--- a/tools/gpgconf.c
+++ b/tools/gpgconf.c
@ -1040,11 +1040,9 @@ show_version_libgcrypt (estream_t fp)
  s = get_revision_from_blurb (gcry_check_version ("\x01\x01"), &n);
  es_fprintf (fp, "* Libgcrypt %s (%.*s)\n",
              gcry_check_version (NULL), n, s);
-#if GCRYPT_VERSION_NUMBER >= 0x010800
  s = gcry_get_config (0, NULL);
  if (s)
    es_fputs (s, fp);
-#endif
 }