[git] GnuPG - branch, STABLE-BRANCH-2-0, updated. gnupg-2.0.19-48-g6b1f710

by David Shaw cvs at cvs.gnupg.org
Tue Dec 18 05:55:05 CET 2012


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU Privacy Guard".

The branch, STABLE-BRANCH-2-0 has been updated
       via  6b1f71055ebab36989e2089cfde319d2ba40ada7 (commit)
      from  cbe98b2cb1e40ba253300e604996681ae191e363 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 6b1f71055ebab36989e2089cfde319d2ba40ada7
Author: David Shaw <dshaw at jabberwocky.com>
Date:   Mon Dec 17 23:52:15 2012 -0500

    Issue 1447: Pass proper Host header and SNI when SRV is used with curl.
    
    * configure.ac: Check for inet_ntop.
    
    * m4/libcurl.m4: Provide a #define for the version of the curl
      library.
    
    * keyserver/gpgkeys_hkp.c (main, srv_replace): Call getaddrinfo() on
      each target.  Once we find one that resolves to an address (whether
      IPv4 or IPv6), pass it into libcurl via CURLOPT_RESOLVE using the
      SRV name as the "host".  Force the HTTP Host header to be the same.

diff --git a/configure.ac b/configure.ac
index 6c65798..b1946a3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1107,7 +1107,7 @@ AC_FUNC_VPRINTF
 AC_FUNC_FORK
 AC_CHECK_FUNCS([strerror strlwr tcgetattr mmap])
 AC_CHECK_FUNCS([strcasecmp strncasecmp ctermid times gmtime_r])
-AC_CHECK_FUNCS([unsetenv fcntl ftruncate])
+AC_CHECK_FUNCS([unsetenv fcntl ftruncate inet_ntop])
 AC_CHECK_FUNCS([gettimeofday getrusage getrlimit setrlimit clock_gettime])
 AC_CHECK_FUNCS([atexit raise getpagesize strftime nl_langinfo setlocale])
 AC_CHECK_FUNCS([waitpid wait4 sigaction sigprocmask pipe stat getaddrinfo])
diff --git a/keyserver/gpgkeys_hkp.c b/keyserver/gpgkeys_hkp.c
index 42113b4..8e35783 100644
--- a/keyserver/gpgkeys_hkp.c
+++ b/keyserver/gpgkeys_hkp.c
@@ -40,6 +40,19 @@
 #endif
 #ifdef HAVE_LIBCURL
 #include <curl/curl.h>
+/* This #define rigamarole is to enable a hack to fake DNS SRV using
+   libcurl.  It only works if we have getaddrinfo(), inet_ntop(), and
+   a modern enough version of libcurl (7.21.3) so we can use
+   CURLOPT_RESOLVE to feed the resolver from the outside to force
+   libcurl to pass the right SNI. */
+#if defined(HAVE_GETADDRINFO) && defined(HAVE_INET_NTOP) && LIBCURL_VERNUM >= 0x071503
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netdb.h>
+#include <arpa/inet.h>
+#else
+#undef USE_DNS_SRV
+#endif
 #else
 #include "curl-shim.h"
 #endif
@@ -499,19 +512,29 @@ fail_all(struct keylist *keylist,int err)
       }
 }
 
-#ifdef HAVE_LIBCURL
+#if defined(HAVE_LIBCURL) && defined(USE_DNS_SRV)
 /* If there is a SRV record, take the highest ranked possibility.
-   This is a hack, as we don't proceed downwards. */
+   This is a hack, as we don't proceed downwards if we can't
+   connect(), but only if we can't getaddinfo().  All this should
+   ideally be replaced by actual SRV support in libcurl someday! */
+
+#define HOST_HEADER "Host:"
+
 static void
-srv_replace(const char *srvtag)
+srv_replace(const char *srvtag,
+	    struct curl_slist **headers,struct curl_slist **resolve)
 {
-#ifdef USE_DNS_SRV
   struct srventry *srvlist=NULL;
-  int srvcount;
+  int srvcount, srvindex;
+  char *portstr;
 
   if(!srvtag)
     return;
 
+  portstr=malloc (MAX_PORT);
+  if(!portstr)
+    return;
+
   if(1+strlen(srvtag)+6+strlen(opt->host)+1<=MAXDNAME)
     {
       char srvname[MAXDNAME];
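Review bot: `int srvcount, srvindex;` leaves srvcount uninitialized, and it is only assigned inside the `if(1+strlen(srvtag)+6+strlen(opt->host)+1<=MAXDNAME)` block; when the SRV name would not fit, the loop in the next hunk (`for(srvindex=0 ; srvindex<srvcount && portstr ; srvindex++)`) reads an indeterminate count and then indexes `srvlist`, which is still NULL. The removed `if(srvlist)` used to guard exactly this case. Initialize the count, `int srvcount=0, srvindex;`, so the loop body is skipped when no lookup was done. srv_replace's body continues into the following hunk.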
@@ -523,27 +546,74 @@ srv_replace(const char *srvtag)
       srvcount=getsrv(srvname,&srvlist);
     }
 
-  if(srvlist)
+  for(srvindex=0 ; srvindex<srvcount && portstr ; srvindex++)
     {
-      char *newname,*newport;
+      struct addrinfo hints, *res;
+
+      sprintf (portstr, "%hu", srvlist[srvindex].port);
+      memset (&hints, 0, sizeof (hints));
+      hints.ai_socktype = SOCK_STREAM;
 
-      newname=strdup(srvlist->target);
-      newport=malloc(MAX_PORT);
-      if(newname && newport)
+      if (getaddrinfo (srvlist[srvindex].target, portstr, &hints, &res) == 0)
 	{
-	  free(opt->host);
-	  free(opt->port);
-	  opt->host=newname;
-	  snprintf(newport,MAX_PORT,"%u",srvlist->port);
-	  opt->port=newport;
+	  /* Very safe */
+	  char ipaddr[INET_ADDRSTRLEN+INET6_ADDRSTRLEN];
+
+	  if((res->ai_family==AF_INET
+	      && inet_ntop (res->ai_family,
+			    &((struct sockaddr_in *)res->ai_addr)->sin_addr,
+			    ipaddr,sizeof(ipaddr)))
+	     || (res->ai_family==AF_INET6
+		 && inet_ntop (res->ai_family,
+			       &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr,
+			       ipaddr,sizeof(ipaddr))))
+	    {
+	      char *entry,*host;
+
+	      entry=malloc (strlen(opt->host)+1
+			    +strlen(portstr)+1+strlen(ipaddr)+1);
+
+	      host=malloc (strlen(HOST_HEADER)+1+strlen(opt->host)+1);
+
+	      if(entry && host)
+		{
+		  sprintf (entry, "%s:%s:%s", opt->host, portstr, ipaddr);
+		  sprintf (host, "%s %s", HOST_HEADER, opt->host);
+
+		  *resolve=curl_slist_append (*resolve,entry);
+		  *headers=curl_slist_append (*headers,host);
+
+		  if(*resolve && *headers)
+		    {
+		      if(curl_easy_setopt (curl,
+					   CURLOPT_RESOLVE,*resolve)==CURLE_OK)
+			{
+			  if(opt->debug)
+			    fprintf (console, "gpgkeys: Faking %s SRV from"
+				     " %s to %s:%u\n",
+				     srvtag, opt->host,
+				     srvlist[srvindex].target,
+				     srvlist[srvindex].port);
+
+			  free (opt->port);
+			  opt->port=portstr;
+			  portstr=NULL;
+			}
+		    }
+		}
+
+	      free (entry);
+	      free (host);
+	    }
+
+	  freeaddrinfo (res);
 	}
       else
-	{
-	  free(newname);
-	  free(newport);
-	}
+	continue; /* Not found */
     }
-#endif
+
+  free (srvlist);
+  free (portstr);
 }
 #endif
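Review bot: The `Host:` line is appended at `*headers=curl_slist_append (*headers,host);` before `curl_easy_setopt (curl, CURLOPT_RESOLVE,*resolve)` is known to have succeeded, and the loop keeps going to the next SRV target when that call fails or when only one of the two appends succeeds, so a later successful iteration adds a second `Host:` header and libcurl presumably sends both. Append the header only inside the `==CURLE_OK` branch, next to the `opt->port=portstr;` takeover, or `break` once a failure has been seen. The port is also formatted with `sprintf (portstr, "%hu", ...)` into the MAX_PORT buffer where the removed code used `snprintf(newport,MAX_PORT,"%u",...)`; keeping the bounded form costs nothing. The trailing `else continue; /* Not found */` is a no-op at the end of the loop body and can be dropped.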
 
@@ -564,7 +634,7 @@ main(int argc,char *argv[])
   int failed=0;
   struct keylist *keylist=NULL,*keyptr=NULL;
   char *proxy=NULL;
-  struct curl_slist *headers=NULL;
+  struct curl_slist *headers=NULL,*resolve=NULL;
 
   console=stderr;
 
@@ -726,6 +796,13 @@ main(int argc,char *argv[])
       goto fail;
     }
 
+  if(opt->debug)
+    {
+      fprintf(console,"gpgkeys: curl version = %s\n",curl_version());
+      curl_easy_setopt(curl,CURLOPT_STDERR,console);
+      curl_easy_setopt(curl,CURLOPT_VERBOSE,1L);
+    }
+
   /* Only use SRV if the user does not provide a :port.  The semantics
      of a specified port and SRV do not play well together. */
   if(!opt->port && try_srv)
@@ -744,8 +821,12 @@ main(int argc,char *argv[])
 	 This isn't as good as true SRV support, as we do not try all
 	 possible targets at one particular level and work our way
 	 down the list, but it's better than nothing. */      
-      srv_replace(srvtag);
+#ifdef USE_DNS_SRV
+      srv_replace(srvtag,&headers,&resolve);
 #else
+      fprintf(console,"gpgkeys: try-dns-srv was requested, but not SRV capable\n");
+#endif
+#else /* !HAVE_LIBCURL */
       /* We're using our internal curl shim, so we can use its (true)
 	 SRV support.  Obviously, CURLOPT_SRVTAG_GPG_HACK isn't a real
 	 libcurl option.  It's specific to our shim. */
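Review bot: The fallback message `gpgkeys: try-dns-srv was requested, but not SRV capable` does not say which prerequisite is missing, although the include block in this file decides it (getaddrinfo, inet_ntop, or libcurl older than 7.21.3 via LIBCURL_VERNUM), so a user seeing it cannot tell what to fix; consider `"gpgkeys: try-dns-srv was requested, but this build lacks getaddrinfo/inet_ntop or libcurl >= 7.21.3\n"`. The enclosing `#ifdef HAVE_LIBCURL` and the body of main() both start outside this hunk.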
@@ -763,13 +844,6 @@ main(int argc,char *argv[])
   if(opt->auth)
     curl_easy_setopt(curl,CURLOPT_USERPWD,opt->auth);
 
-  if(opt->debug)
-    {
-      fprintf(console,"gpgkeys: curl version = %s\n",curl_version());
-      curl_easy_setopt(curl,CURLOPT_STDERR,console);
-      curl_easy_setopt(curl,CURLOPT_VERBOSE,1L);
-    }
-
   curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,(long)opt->flags.check_cert);
   curl_easy_setopt(curl,CURLOPT_CAINFO,opt->ca_cert_file);
 
@@ -971,6 +1045,7 @@ main(int argc,char *argv[])
   free_ks_options(opt);
 
   curl_slist_free_all(headers);
+  curl_slist_free_all(resolve);
 
   if(curl)
     curl_easy_cleanup(curl);
diff --git a/m4/libcurl.m4 b/m4/libcurl.m4
index 7d1dbd3..fe9809e 100644
--- a/m4/libcurl.m4
+++ b/m4/libcurl.m4
@@ -65,6 +65,10 @@ AC_DEFUN([LIBCURL_CHECK_CONFIG],
      AC_PROG_AWK
 
      _libcurl_version_parse="eval $AWK '{split(\$NF,A,\".\"); X=256*256*A[[1]]+256*A[[2]]+A[[3]]; print X;}'"
+     # More recent versions of curl-config have a direct --vernum
+     # option, but we'd like this code to work with older versions as
+     # well, so just convert --version.
+     _libcurl_vernum_parse="eval $AWK '{printf \"0x%06X\",\$NF}'"
 
      _libcurl_try_link=yes
 
@@ -184,6 +188,10 @@ x=CURLOPT_VERBOSE;
            AC_SUBST(LIBCURL_CPPFLAGS)
            AC_SUBST(LIBCURL)
 
+	   _libcurl_vernum=`echo $_libcurl_version | $_libcurl_vernum_parse`
+
+	   AC_DEFINE_UNQUOTED(LIBCURL_VERNUM,$_libcurl_vernum,[The version of the libcurl library in packed hex form])
+
            for _libcurl_feature in $_libcurl_features ; do
 	      AC_DEFINE_UNQUOTED(AS_TR_CPP(libcurl_feature_$_libcurl_feature),[1])
 	      eval AS_TR_SH(libcurl_feature_$_libcurl_feature)=yes
@@ -224,6 +232,7 @@ x=CURLOPT_VERBOSE;
      unset _libcurl_protocol
      unset _libcurl_protocols
      unset _libcurl_version
+     unset _libcurl_vernum
      unset _libcurl_ldflags
   fi
 

-----------------------------------------------------------------------

Summary of changes:
 configure.ac            |    2 +-
 keyserver/gpgkeys_hkp.c |  133 ++++++++++++++++++++++++++++++++++++----------
 m4/libcurl.m4           |    9 +++
 3 files changed, 114 insertions(+), 30 deletions(-)


hooks/post-receive
-- 
The GNU Privacy Guard
http://git.gnupg.org



