1 From: Werner Koch <wk@gnupg.org>
2 Date: Mon, 3 Apr 2017 20:56:12 +0200
3 Subject: dirmngr: New option --disable-ipv6
5 * dirmngr/dirmngr.h (struct opt): Add field 'disable_ipv6'.
6 * dirmngr/dirmngr.c (oDisableIPv6): New const.
7 (opts): New option --disable-ipv6.
8 (parse_rereadable_options): Set that option.
9 * dirmngr/dns-stuff.c (opt_disable_ipv6): New var.
10 (set_dns_disable_ipv6): New.
11 (resolve_name_standard): Make use of it.
12 * dirmngr/ks-engine-finger.c (ks_finger_fetch): Take care of
14 * dirmngr/ks-engine-hkp.c (map_host): Ditto.
15 (send_request): Ditto.
16 * dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
17 * dirmngr/ocsp.c (do_ocsp_request): Ditto.
19 Signed-off-by: Werner Koch <wk@gnupg.org>
20 (cherry picked from commit 3533b854408fa93734742b2ee12b62aa0d55ff28)
22 dirmngr/crlfetch.c | 1 +
23 dirmngr/dirmngr.c | 4 ++++
24 dirmngr/dirmngr.h | 3 ++-
25 dirmngr/dns-stuff.c | 15 +++++++++++++++
26 dirmngr/dns-stuff.h | 4 ++++
27 dirmngr/ks-engine-finger.c | 3 ++-
28 dirmngr/ks-engine-hkp.c | 7 +++++--
29 dirmngr/ks-engine-http.c | 3 ++-
30 dirmngr/ocsp.c | 3 ++-
31 doc/dirmngr.texi | 5 +++--
32 10 files changed, 40 insertions(+), 8 deletions(-)
34 diff --git a/dirmngr/crlfetch.c b/dirmngr/crlfetch.c
35 index 337fe6e..2700cf9 100644
36 --- a/dirmngr/crlfetch.c
37 +++ b/dirmngr/crlfetch.c
38 @@ -200,6 +200,7 @@ crl_fetch (ctrl_t ctrl, const char *url, ksba_reader_t *reader)
39 |(DBG_LOOKUP? HTTP_FLAG_LOG_RESP:0)
40 |(dirmngr_use_tor()? HTTP_FLAG_FORCE_TOR:0)
41 |(opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4:0)
42 + |(opt.disable_ipv6? HTTP_FLAG_IGNORE_IPv6:0)
44 ctrl->http_proxy, NULL, NULL, NULL);
46 diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
47 index 43e9cbd..31d3ca2 100644
48 --- a/dirmngr/dirmngr.c
49 +++ b/dirmngr/dirmngr.c
50 @@ -112,6 +112,7 @@ enum cmd_and_opt_values {
58 @@ -228,6 +229,7 @@ static ARGPARSE_OPTS opts[] = {
59 ARGPARSE_s_n (oNoUseTor, "no-use-tor", "@"),
61 ARGPARSE_s_n (oDisableIPv4, "disable-ipv4", "@"),
62 + ARGPARSE_s_n (oDisableIPv6, "disable-ipv6", "@"),
64 ARGPARSE_s_s (oSocketName, "socket-name", "@"), /* Only for debugging. */
66 @@ -624,6 +626,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
67 case oDisableHTTP: opt.disable_http = 1; break;
68 case oDisableLDAP: opt.disable_ldap = 1; break;
69 case oDisableIPv4: opt.disable_ipv4 = 1; break;
70 + case oDisableIPv6: opt.disable_ipv6 = 1; break;
71 case oHonorHTTPProxy: opt.honor_http_proxy = 1; break;
72 case oHTTPProxy: opt.http_proxy = pargs->r.ret_str; break;
73 case oLDAPProxy: opt.ldap_proxy = pargs->r.ret_str; break;
74 @@ -690,6 +693,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
75 set_dns_verbose (opt.verbose, !!DBG_DNS);
76 http_set_verbose (opt.verbose, !!DBG_NETWORK);
77 set_dns_disable_ipv4 (opt.disable_ipv4);
78 + set_dns_disable_ipv6 (opt.disable_ipv6);
80 return 1; /* Handled. */
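Review bot: Nothing in parse_rereadable_options rejects or warns about --disable-ipv4 and --disable-ipv6 being set together, which leaves no address family usable and only surfaces later as resolver or connect failures with no hint at the cause. After the new `set_dns_disable_ipv6 (opt.disable_ipv6);` line a diagnostic such as `if (opt.disable_ipv4 && opt.disable_ipv6) log_info ("both --disable-ipv4 and --disable-ipv6 given; no address family is usable\n");` would make the misconfiguration visible in the log, ideally emitted only once. If final option validation happens in main() after all options are read, that is the better place for the check, but it is outside this hunk. The body of parse_rereadable_options also continues outside the hunk.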
82 diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h
83 index 6a4fd00..4cc2be0 100644
84 --- a/dirmngr/dirmngr.h
85 +++ b/dirmngr/dirmngr.h
86 @@ -97,7 +97,8 @@ struct
88 int disable_http; /* Do not use HTTP at all. */
89 int disable_ldap; /* Do not use LDAP at all. */
90 - int disable_ipv4; /* Do not use leagacy IP addresses. */
91 + int disable_ipv4; /* Do not use legacy IP addresses. */
92 + int disable_ipv6; /* Do not use standard IP addresses. */
93 int honor_http_proxy; /* Honor the http_proxy env variable. */
94 const char *http_proxy; /* The default HTTP proxy. */
95 const char *ldap_proxy; /* Use given LDAP proxy. */
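Review bot: The new field comment `/* Do not use standard IP addresses. */` on disable_ipv6 is ambiguous to a reader who does not already know that "legacy" and "standard" are being used as shorthand for IPv4 and IPv6; the comment should name the family it disables. `int disable_ipv6;   /* Do not use IPv6 addresses. */` says it directly, and the sibling disable_ipv4 line would read better the same way. The struct continues outside the hunk.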
96 diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
97 index 150237e..ed77742 100644
98 --- a/dirmngr/dns-stuff.c
99 +++ b/dirmngr/dns-stuff.c
100 @@ -123,6 +123,10 @@ static int opt_timeout;
101 * returned A records. */
102 static int opt_disable_ipv4;
104 +/* The flag to disable IPv6 access - right now this only skips
105 + * returned AAAA records. */
106 +static int opt_disable_ipv6;
108 /* If set force the use of the standard resolver. */
109 static int standard_resolver;
111 @@ -248,6 +252,15 @@ set_dns_disable_ipv4 (int yes)
115 +/* Set the Disable-IPv6 flag so that the name resolver does not return
116 + * AAAA addresses. */
118 +set_dns_disable_ipv6 (int yes)
120 + opt_disable_ipv6 = !!yes;
124 /* Set the timeout for libdns requests to SECONDS. A value of 0 sets
125 * the default timeout and values are capped at 10 minutes. */
127 @@ -934,6 +947,8 @@ resolve_name_standard (const char *name, unsigned short port,
129 if (opt_disable_ipv4 && ai->ai_family == AF_INET)
131 + if (opt_disable_ipv6 && ai->ai_family == AF_INET6)
134 dai = xtrymalloc (sizeof *dai + ai->ai_addrlen - 1);
135 dai->family = ai->ai_family;
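Review bot: --disable-ipv6 is only honoured by the post-filter on getaddrinfo() results in resolve_name_standard, as the comment added on opt_disable_ipv6 also states; if dns-stuff.c has a libdns-based resolver path as well (no hunk in this file touches one), the option would silently have no effect for names resolved that way, so the same AF_INET6 check belongs there or the limitation should be documented on set_dns_disable_ipv6. If the function already fills a hints struct for getaddrinfo(), setting `hints.ai_family` to the remaining family when exactly one of the two flags is set would avoid issuing the unwanted AAAA or A query instead of discarding its answers. Separately, the context lines show `dai = xtrymalloc (sizeof *dai + ai->ai_addrlen - 1);` followed directly by `dai->family = ai->ai_family;` with no NULL check, so an allocation failure dereferences NULL; that is pre-existing but worth a follow-up. resolve_name_standard continues outside the hunk on both sides.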
136 diff --git a/dirmngr/dns-stuff.h b/dirmngr/dns-stuff.h
137 index 9b8303c..71605b7 100644
138 --- a/dirmngr/dns-stuff.h
139 +++ b/dirmngr/dns-stuff.h
140 @@ -99,6 +99,10 @@ void set_dns_verbose (int verbose, int debug);
142 void set_dns_disable_ipv4 (int yes);
144 +/* Set the Disable-IPv6 flag so that the name resolver does not return
145 + * AAAA addresses. */
146 +void set_dns_disable_ipv6 (int yes);
148 /* Set the timeout for libdns requests to SECONDS. */
149 void set_dns_timeout (int seconds);
151 diff --git a/dirmngr/ks-engine-finger.c b/dirmngr/ks-engine-finger.c
152 index 811b72d..8a21c9f 100644
153 --- a/dirmngr/ks-engine-finger.c
154 +++ b/dirmngr/ks-engine-finger.c
155 @@ -84,7 +84,8 @@ ks_finger_fetch (ctrl_t ctrl, parsed_uri_t uri, estream_t *r_fp)
157 err = http_raw_connect (&http, server, 79,
158 ((dirmngr_use_tor ()? HTTP_FLAG_FORCE_TOR : 0)
159 - | (opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)),
160 + | (opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)
161 + | (opt.disable_ipv6? HTTP_FLAG_IGNORE_IPv6 : 0)),
165 diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
166 index 66350a7..7c91b6a 100644
167 --- a/dirmngr/ks-engine-hkp.c
168 +++ b/dirmngr/ks-engine-hkp.c
169 @@ -568,6 +568,8 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
171 if (opt.disable_ipv4 && ai->family == AF_INET)
173 + if (opt.disable_ipv6 && ai->family == AF_INET6)
177 add_host (name, is_pool, ai, 0, reftbl, reftblsize, &refidx);
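Review bot: The address-family filter added here, `if (opt.disable_ipv6 && ai->family == AF_INET6)` beside the existing AF_INET check, is now spelled out separately in this loop and again in the second map_host loop in the hunk at -649,7; a small file-local helper such as `static int family_disabled (int family) { return (opt.disable_ipv4 && family == AF_INET) || (opt.disable_ipv6 && family == AF_INET6); }` would keep both loops in sync when the condition changes. The statement controlled by the new if is not shown in the hunk, so I assume it mirrors the skip of the IPv4 case. map_host's body continues outside the hunk.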
178 @@ -649,7 +651,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
180 for (ai = aibuf; ai; ai = ai->next)
182 - if (ai->family == AF_INET6
183 + if ((!opt.disable_ipv6 && ai->family == AF_INET6)
184 || (!opt.disable_ipv4 && ai->family == AF_INET))
186 err = resolve_dns_addr (ai->addr, ai->addrlen, 0, &host);
187 @@ -1102,7 +1104,8 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
189 |(opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0)
190 |(dirmngr_use_tor ()? HTTP_FLAG_FORCE_TOR:0)
191 - |(opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)),
192 + |(opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)
193 + |(opt.disable_ipv6? HTTP_FLAG_IGNORE_IPv6 : 0)),
197 diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c
198 index 69642ff..6de0616 100644
199 --- a/dirmngr/ks-engine-http.c
200 +++ b/dirmngr/ks-engine-http.c
201 @@ -89,7 +89,8 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
202 /* fixme: AUTH */ NULL,
203 ((opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0)
204 | (dirmngr_use_tor ()? HTTP_FLAG_FORCE_TOR:0)
205 - | (opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)),
206 + | (opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)
207 + | (opt.disable_ipv6? HTTP_FLAG_IGNORE_IPv6 : 0)),
211 diff --git a/dirmngr/ocsp.c b/dirmngr/ocsp.c
212 index aff8e32..22391c3 100644
215 @@ -175,7 +175,8 @@ do_ocsp_request (ctrl_t ctrl, ksba_ocsp_t ocsp, gcry_md_hd_t md,
216 err = http_open (&http, HTTP_REQ_POST, url, NULL, NULL,
217 ((opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0)
218 | (dirmngr_use_tor ()? HTTP_FLAG_FORCE_TOR:0)
219 - | (opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)),
220 + | (opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)
221 + | (opt.disable_ipv6? HTTP_FLAG_IGNORE_IPv6 : 0)),
222 ctrl->http_proxy, NULL, NULL, NULL);
225 diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
226 index b00c2d3..9a7238f 100644
227 --- a/doc/dirmngr.texi
228 +++ b/doc/dirmngr.texi
229 @@ -313,9 +313,10 @@ a numerical IP address must be given (IPv6 or IPv4) and that no error
230 checking is done for @var{ipaddr}.
233 +@item --disable-ipv6
234 @opindex disable-ipv4
235 -Disable the use of all IPv4 addresses. This option is mainly useful
237 +@opindex disable-ipv6
238 +Disable the use of all IPv4 or IPv6 addresses.
241 @opindex disable-ldap