1 From: Werner Koch <wk@gnupg.org>
2 Date: Tue, 24 Jan 2017 16:36:28 +0100
3 Subject: dirmngr: New option --disable-ipv4.
5 * dirmngr/dirmngr.c (oDisableIPv4): New const.
6 (opts): New option --disable-ipv4.
7 (parse_rereadable_options): Set that option.
8 * dirmngr/dirmngr.h (opt): New field 'disable_ipv4'.
9 * dirmngr/dns-stuff.c (opt_disable_ipv4): bew var.
10 (set_dns_disable_ipv4): New.
11 (resolve_name_standard): Skip v4 addresses when OPT_DISABLE_IPV4 is
13 * dirmngr/ks-engine-hkp.c (map_host): Ditto.
14 (send_request): Pass HTTP_FLAG_IGNORE_IPv4 if opt.disable_v4 is set.
15 * dirmngr/crlfetch.c (crl_fetch): Ditto.
16 * dirmngr/ks-engine-finger.c (ks_finger_fetch): Ditto.
17 * dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
18 * dirmngr/ocsp.c (do_ocsp_request): Ditto.
20 Signed-off-by: Werner Koch <wk@gnupg.org>
21 (cherry picked from commit 72736af86a501592d974d46ff754a63959e183bd)
23 dirmngr/crlfetch.c | 4 +++-
24 dirmngr/dirmngr.c | 5 +++++
25 dirmngr/dirmngr.h | 1 +
26 dirmngr/dns-stuff.c | 15 +++++++++++++++
27 dirmngr/dns-stuff.h | 4 ++++
28 dirmngr/ks-engine-finger.c | 4 +++-
29 dirmngr/ks-engine-hkp.c | 8 ++++++--
30 dirmngr/ks-engine-http.c | 3 ++-
31 dirmngr/ocsp.c | 3 ++-
32 doc/dirmngr.texi | 5 +++++
33 10 files changed, 46 insertions(+), 6 deletions(-)
35 diff --git a/dirmngr/crlfetch.c b/dirmngr/crlfetch.c
36 index 8fe6e0b1b..aa82137f7 100644
37 --- a/dirmngr/crlfetch.c
38 +++ b/dirmngr/crlfetch.c
39 @@ -198,7 +198,9 @@ crl_fetch (ctrl_t ctrl, const char *url, ksba_reader_t *reader)
40 err = http_open_document (&hd, url, NULL,
41 ((opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0)
42 |(DBG_LOOKUP? HTTP_FLAG_LOG_RESP:0)
43 - |(opt.use_tor? HTTP_FLAG_FORCE_TOR:0)),
44 + |(opt.use_tor? HTTP_FLAG_FORCE_TOR:0)
45 + |(opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4:0)
47 ctrl->http_proxy, NULL, NULL, NULL);
49 switch ( err? 99999 : http_get_status_code (hd) )
50 diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
51 index 8d9de9e5a..83356c94c 100644
52 --- a/dirmngr/dirmngr.c
53 +++ b/dirmngr/dirmngr.c
54 @@ -111,6 +111,7 @@ enum cmd_and_opt_values {
62 @@ -224,6 +225,8 @@ static ARGPARSE_OPTS opts[] = {
64 ARGPARSE_s_n (oUseTor, "use-tor", N_("route all network traffic via Tor")),
66 + ARGPARSE_s_n (oDisableIPv4, "disable-ipv4", "@"),
68 ARGPARSE_s_s (oSocketName, "socket-name", "@"), /* Only for debugging. */
70 ARGPARSE_s_u (oFakedSystemTime, "faked-system-time", "@"), /*(epoch time)*/
71 @@ -586,6 +589,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
73 case oDisableHTTP: opt.disable_http = 1; break;
74 case oDisableLDAP: opt.disable_ldap = 1; break;
75 + case oDisableIPv4: opt.disable_ipv4 = 1; break;
76 case oHonorHTTPProxy: opt.honor_http_proxy = 1; break;
77 case oHTTPProxy: opt.http_proxy = pargs->r.ret_str; break;
78 case oLDAPProxy: opt.ldap_proxy = pargs->r.ret_str; break;
79 @@ -645,6 +649,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
81 set_dns_verbose (opt.verbose, !!DBG_DNS);
82 http_set_verbose (opt.verbose, !!DBG_NETWORK);
83 + set_dns_disable_ipv4 (opt.disable_ipv4);
85 return 1; /* Handled. */
87 diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h
88 index acd4c636d..fd80d7237 100644
89 --- a/dirmngr/dirmngr.h
90 +++ b/dirmngr/dirmngr.h
91 @@ -98,6 +98,7 @@ struct
93 int disable_http; /* Do not use HTTP at all. */
94 int disable_ldap; /* Do not use LDAP at all. */
95 + int disable_ipv4; /* Do not use leagacy IP addresses. */
96 int honor_http_proxy; /* Honor the http_proxy env variable. */
97 const char *http_proxy; /* The default HTTP proxy. */
98 const char *ldap_proxy; /* Use given LDAP proxy. */
99 diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
100 index 9347196b3..ad19fc2ce 100644
101 --- a/dirmngr/dns-stuff.c
102 +++ b/dirmngr/dns-stuff.c
103 @@ -119,6 +119,10 @@ static int opt_debug;
104 /* The timeout in seconds for libdns requests. */
105 static int opt_timeout;
107 +/* The flag to disable IPv4 access - right now this only skips
108 + * returned A records. */
109 +static int opt_disable_ipv4;
111 /* If set force the use of the standard resolver. */
112 static int standard_resolver;
114 @@ -227,6 +231,15 @@ set_dns_verbose (int verbose, int debug)
118 +/* Set the Disable-IPv4 flag so that the name resolver does not return
121 +set_dns_disable_ipv4 (int yes)
123 + opt_disable_ipv4 = !!yes;
127 /* Set the timeout for libdns requests to SECONDS. A value of 0 sets
128 * the default timeout and values are capped at 10 minutes. */
130 @@ -873,6 +886,8 @@ resolve_name_standard (const char *name, unsigned short port,
132 if (ai->ai_family != AF_INET6 && ai->ai_family != AF_INET)
134 + if (opt_disable_ipv4 && ai->ai_family == AF_INET)
137 dai = xtrymalloc (sizeof *dai + ai->ai_addrlen - 1);
138 dai->family = ai->ai_family;
139 diff --git a/dirmngr/dns-stuff.h b/dirmngr/dns-stuff.h
140 index d68dd1728..9eb97fd6a 100644
141 --- a/dirmngr/dns-stuff.h
142 +++ b/dirmngr/dns-stuff.h
143 @@ -95,6 +95,10 @@ struct srventry
144 /* Set verbosity and debug mode for this module. */
145 void set_dns_verbose (int verbose, int debug);
147 +/* Set the Disable-IPv4 flag so that the name resolver does not return
149 +void set_dns_disable_ipv4 (int yes);
151 /* Set the timeout for libdns requests to SECONDS. */
152 void set_dns_timeout (int seconds);
154 diff --git a/dirmngr/ks-engine-finger.c b/dirmngr/ks-engine-finger.c
155 index b1f02ad7d..114f2e9ac 100644
156 --- a/dirmngr/ks-engine-finger.c
157 +++ b/dirmngr/ks-engine-finger.c
158 @@ -83,7 +83,9 @@ ks_finger_fetch (ctrl_t ctrl, parsed_uri_t uri, estream_t *r_fp)
161 err = http_raw_connect (&http, server, 79,
162 - (opt.use_tor? HTTP_FLAG_FORCE_TOR : 0), NULL);
163 + ((opt.use_tor? HTTP_FLAG_FORCE_TOR : 0)
164 + | (opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)),
169 diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
170 index 2b90441e2..dad83efcd 100644
171 --- a/dirmngr/ks-engine-hkp.c
172 +++ b/dirmngr/ks-engine-hkp.c
173 @@ -526,6 +526,8 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
175 if (ai->family != AF_INET && ai->family != AF_INET6)
177 + if (opt.disable_ipv4 && ai->family == AF_INET)
181 add_host (name, is_pool, ai, 0, reftbl, reftblsize, &refidx);
182 @@ -607,7 +609,8 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
184 for (ai = aibuf; ai; ai = ai->next)
186 - if (ai->family == AF_INET6 || ai->family == AF_INET)
187 + if (ai->family == AF_INET6
188 + || (!opt.disable_ipv4 && ai->family == AF_INET))
190 err = resolve_dns_addr (ai->addr, ai->addrlen, 0, &host);
192 @@ -1058,7 +1061,8 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
193 /* fixme: AUTH */ NULL,
195 |(opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0)
196 - |(opt.use_tor? HTTP_FLAG_FORCE_TOR:0)),
197 + |(opt.use_tor? HTTP_FLAG_FORCE_TOR:0)
198 + |(opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)),
202 diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c
203 index 858c943ea..dbbf4bb79 100644
204 --- a/dirmngr/ks-engine-http.c
205 +++ b/dirmngr/ks-engine-http.c
206 @@ -88,7 +88,8 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
208 /* fixme: AUTH */ NULL,
209 ((opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0)
210 - | (opt.use_tor? HTTP_FLAG_FORCE_TOR:0)),
211 + | (opt.use_tor? HTTP_FLAG_FORCE_TOR:0)
212 + | (opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)),
216 diff --git a/dirmngr/ocsp.c b/dirmngr/ocsp.c
217 index 9127cf754..b46c78567 100644
220 @@ -174,7 +174,8 @@ do_ocsp_request (ctrl_t ctrl, ksba_ocsp_t ocsp, gcry_md_hd_t md,
222 err = http_open (&http, HTTP_REQ_POST, url, NULL, NULL,
223 ((opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0)
224 - | (opt.use_tor? HTTP_FLAG_FORCE_TOR:0)),
225 + | (opt.use_tor? HTTP_FLAG_FORCE_TOR:0)
226 + | (opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)),
227 ctrl->http_proxy, NULL, NULL, NULL);
230 diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
231 index dd104273d..b00c2d377 100644
232 --- a/doc/dirmngr.texi
233 +++ b/doc/dirmngr.texi
234 @@ -312,6 +312,11 @@ not be used a different one can be given using this option. Note that
235 a numerical IP address must be given (IPv6 or IPv4) and that no error
236 checking is done for @var{ipaddr}.
238 +@item --disable-ipv4
239 +@opindex disable-ipv4
240 +Disable the use of all IPv4 addresses. This option is mainly useful
244 @opindex disable-ldap
245 Entirely disables the use of LDAP.