[git] GnuPG - branch, master, updated. gnupg-2.1.2-14-g2fc27c8
by Werner Koch
cvs at cvs.gnupg.org
Wed Feb 25 16:37:53 CET 2015
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU Privacy Guard".
The branch, master has been updated
via 2fc27c8696f5cf2ddf3212397ea49bff115d617b (commit)
via af60152a4632ef26ca950a424429b15b6c69038d (commit)
via 9913253610bac69e9503800e85696491e018e327 (commit)
from e2d93402801a2cb822c723e891fd98233fdb3fd5 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 2fc27c8696f5cf2ddf3212397ea49bff115d617b
Author: Werner Koch <wk at gnupg.org>
Date: Wed Feb 25 16:34:19 2015 +0100
gpg: Switch to a hash and CERT record based PKA system.
* common/dns-cert.c (get_dns_cert): Make r_key optional.
* common/pka.c: Rewrite for the new hash based lookup.
* common/t-pka.c: New.
* configure.ac: Remove option --disable-dns-pka.
(USE_DNS_PKA): Remove ac_define.
* g10/getkey.c (parse_auto_key_locate): Always include PKA.
--
Note that although PKA is now always build, it will only work if
support for looking up via DNS has not been disabled.
The new PKA only works with the IPGP DNS certtype and shall be used
only to retrieve the fingerprint and optional the key for the first
time. Due to the security problems with DNSSEC the former assumption
to validate the key using DNSSEC is not anymore justified. Instead an
additional layer (e.g. Trust-On-First-Use) needs to be implemented to
track change to the key. Having a solid way of getting a key matching
a mail address is however a must have.
More work needs to go into a redefinition of the --verify-options
pka-lookups and pka-trust-increase. The auto-key-locate mechanism
should also be able to continue key fetching with another methods once
the fingerprint has been retrieved with PKA.
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/common/Makefile.am b/common/Makefile.am
index df2dafe..2ba6dc0 100644
--- a/common/Makefile.am
+++ b/common/Makefile.am
@@ -178,7 +178,7 @@ jnlib_tests += t-w32-reg
endif
module_tests = t-convert t-percent t-gettime t-sysutils t-sexputil \
t-session-env t-openpgp-oid t-ssh-utils t-dns-cert \
- t-mapstrings t-zb32 t-mbox-util
+ t-pka t-mapstrings t-zb32 t-mbox-util
if !HAVE_W32CE_SYSTEM
module_tests += t-exechelp
endif
@@ -222,6 +222,7 @@ t_session_env_LDADD = $(t_common_ldadd)
t_openpgp_oid_LDADD = $(t_common_ldadd)
t_ssh_utils_LDADD = $(t_common_ldadd)
t_dns_cert_LDADD = $(t_common_ldadd) $(DNSLIBS)
+t_pka_LDADD = $(t_common_ldadd) $(DNSLIBS)
t_mapstrings_LDADD = $(t_common_ldadd)
t_zb32_LDADD = $(t_common_ldadd)
t_mbox_util_LDADD = $(t_common_ldadd)
diff --git a/common/dns-cert.c b/common/dns-cert.c
index e7be275..405ca29 100644
--- a/common/dns-cert.c
+++ b/common/dns-cert.c
@@ -70,7 +70,7 @@
returns the first CERT found with a supported type; it is expected
that only one CERT record is used. If WANT_CERTTYPE is one of the
supported certtypes only records wih this certtype are considered
- and the first found is returned. */
+ and the first found is returned. R_KEY is optional. */
gpg_error_t
get_dns_cert (const char *name, int want_certtype,
estream_t *r_key,
@@ -84,7 +84,8 @@ get_dns_cert (const char *name, int want_certtype,
unsigned int ctype;
int count;
- *r_key = NULL;
+ if (r_key)
+ *r_key = NULL;
*r_fpr = NULL;
*r_fprlen = 0;
*r_url = NULL;
@@ -129,7 +130,7 @@ get_dns_cert (const char *name, int want_certtype,
if (want_certtype && want_certtype != ctype)
; /* Not of the requested certtype. */
- else if (ctype == DNS_CERTTYPE_PGP && datalen >= 11)
+ else if (ctype == DNS_CERTTYPE_PGP && datalen >= 11 && r_key)
{
/* CERT type is PGP. Gpg checks for a minimum length of 11,
thus we do the same. */
@@ -197,7 +198,8 @@ get_dns_cert (const char *name, int want_certtype,
int r;
u16 count;
- *r_key = NULL;
+ if (r_key)
+ *r_key = NULL;
*r_fpr = NULL;
*r_fprlen = 0;
*r_url = NULL;
@@ -292,7 +294,7 @@ get_dns_cert (const char *name, int want_certtype,
/* 15 bytes takes us to here */
if (want_certtype && want_certtype != ctype)
; /* Not of the requested certtype. */
- else if (ctype == DNS_CERTTYPE_PGP && dlen)
+ else if (ctype == DNS_CERTTYPE_PGP && dlen && r_key)
{
/* PGP type */
*r_key = es_fopenmem_init (0, "rwb", pt, dlen);
@@ -355,7 +357,8 @@ get_dns_cert (const char *name, int want_certtype,
#endif /*!USE_ADNS */
#else /* !USE_DNS_CERT */
(void)name;
- *r_key = NULL;
+ if (r_key)
+ *r_key = NULL;
*r_fpr = NULL;
*r_fprlen = 0;
*r_url = NULL;
diff --git a/common/pka.c b/common/pka.c
index 4ead97f..c3c68b5 100644
--- a/common/pka.c
+++ b/common/pka.c
@@ -33,307 +33,76 @@
#include <stdlib.h>
#include <string.h>
-#ifdef USE_DNS_PKA
-#include <sys/types.h>
-#ifdef _WIN32
-# ifdef HAVE_WINSOCK2_H
-# include <winsock2.h>
-# endif
-# include <windows.h>
-#else
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#endif
-#endif /* USE_DNS_PKA */
-#ifdef USE_ADNS
-# include <adns.h>
-#endif
-
#include "util.h"
-#include "host2net.h"
+#include "mbox-util.h"
+#include "dns-cert.h"
#include "pka.h"
-#ifdef USE_DNS_PKA
-/* Parse the TXT resource record. Format is:
-
- v=pka1;fpr=a4d94e92b0986ab5ee9dcd755de249965b0358a2;uri=string
-
- For simplicity white spaces are not allowed. Because we expect to
- use a new RRTYPE for this in the future we define the TXT really
- strict for simplicity: No white spaces, case sensitivity of the
- names, order must be as given above. Only URI is optional.
-
- This function modifies BUFFER. On success 0 is returned, the 20
- byte fingerprint stored at FPR and BUFFER contains the URI or an
- empty string.
-*/
-static int
-parse_txt_record (char *buffer, unsigned char *fpr)
-{
- char *p, *pend;
- int i;
-
- p = buffer;
- pend = strchr (p, ';');
- if (!pend)
- return -1;
- *pend++ = 0;
- if (strcmp (p, "v=pka1"))
- return -1; /* Wrong or missing version. */
-
- p = pend;
- pend = strchr (p, ';');
- if (pend)
- *pend++ = 0;
- if (strncmp (p, "fpr=", 4))
- return -1; /* Missing fingerprint part. */
- p += 4;
- for (i=0; i < 20 && hexdigitp (p) && hexdigitp (p+1); i++, p += 2)
- fpr[i] = xtoi_2 (p);
- if (i != 20)
- return -1; /* Fingerprint consists not of exactly 40 hexbytes. */
-
- p = pend;
- if (!p || !*p)
- {
- *buffer = 0;
- return 0; /* Success (no URI given). */
- }
- if (strncmp (p, "uri=", 4))
- return -1; /* Unknown part. */
- p += 4;
- /* There is an URI, copy it to the start of the buffer. */
- while (*p)
- *buffer++ = *p++;
- *buffer = 0;
- return 0;
-}
-
/* For the given email ADDRESS lookup the PKA information in the DNS.
- On success the 20 byte SHA-1 fingerprint is stored at FPR and the
- URI will be returned in an allocated buffer. Note that the URI
- might be an zero length string as this information is optional.
- Caller must xfree the returned string.
+ On success the fingerprint is stored at FPRBUF and the URI will be
+ returned in an allocated buffer. Note that the URI might be a zero
+ length string as this information is optional. Caller must xfree
+ the returned string. FPRBUFLEN gives the size of the expected
+ fingerprint (usually 20).
- On error NULL is returned and the 20 bytes at FPR are not
- defined. */
+ On error NULL is returned and the FPRBUF is not defined. */
char *
-get_pka_info (const char *address, unsigned char *fpr)
+get_pka_info (const char *address, void *fprbuf, size_t fprbuflen)
{
-#ifdef USE_ADNS
- int rc;
- adns_state state;
- const char *domain;
- char *name;
- adns_answer *answer = NULL;
- char *buffer = NULL;
-
- domain = strrchr (address, '@');
- if (!domain || domain == address || !domain[1])
- return NULL; /* Invalid mail address given. */
- name = xtrymalloc (strlen (address) + 5 + 1);
+ char *result = NULL;
+ char *mbox;
+ char *domain; /* Points to mbox. */
+ char hashbuf[20];
+ char *hash = NULL;
+ char *name = NULL;
+ unsigned char *fpr = NULL;
+ size_t fpr_len;
+ char *url = NULL;
+ gpg_error_t err;
+
+ mbox = mailbox_from_userid (address);
+ if (!mbox)
+ goto leave;
+ domain = strchr (mbox, '@');
+ if (!domain)
+ goto leave;
+ *domain++ = 0;
+
+ gcry_md_hash_buffer (GCRY_MD_SHA1, hashbuf, mbox, strlen (mbox));
+ hash = zb32_encode (hashbuf, 8*20);
+ if (!hash)
+ goto leave;
+ name = strconcat (hash, "._pka.", domain, NULL);
if (!name)
- return NULL;
- memcpy (name, address, domain - address);
- strcpy (stpcpy (name + (domain-address), "._pka."), domain+1);
-
- rc = adns_init (&state, adns_if_noerrprint, NULL);
- if (rc)
- {
- log_error ("error initializing adns: %s\n", strerror (errno));
- xfree (name);
- return NULL;
- }
+ goto leave;
- rc = adns_synchronous (state, name, adns_r_txt, adns_qf_quoteok_query,
- &answer);
- xfree (name);
- if (rc)
- {
- log_error ("DNS query failed: %s\n", strerror (errno));
- adns_finish (state);
- return NULL;
- }
- if (answer->status != adns_s_ok
- || answer->type != adns_r_txt || !answer->nrrs)
- {
- log_error ("DNS query returned an error: %s (%s)\n",
- adns_strerror (answer->status),
- adns_errabbrev (answer->status));
- adns_free (answer);
- adns_finish (state);
- return NULL;
- }
+ if (get_dns_cert (name, DNS_CERTTYPE_IPGP, NULL, &fpr, &fpr_len, &url))
+ goto leave;
+ if (!fpr)
+ goto leave;
- /* We use a PKA records iff there is exactly one record. */
- if (answer->nrrs == 1 && answer->rrs.manyistr[0]->i != -1)
+ /* Return the fingerprint. */
+ if (fpr_len != fprbuflen)
{
- buffer = xtrystrdup (answer->rrs.manyistr[0]->str);
- if (parse_txt_record (buffer, fpr))
- {
- xfree (buffer);
- buffer = NULL; /* Not a valid gpg trustdns RR. */
- }
+ /* fprintf (stderr, "get_dns_cert failed: fprlen (%zu/%zu)\n", */
+ /* fpr_len, fprbuflen); */
+ goto leave;
}
+ memcpy (fprbuf, fpr, fpr_len);
- adns_free (answer);
- adns_finish (state);
- return buffer;
-
-#else /*!USE_ADNS*/
- unsigned char answer[PACKETSZ];
- int anslen;
- int qdcount, ancount;
- int rc;
- unsigned char *p, *pend;
- const char *domain;
- char *name;
- HEADER header;
-
- domain = strrchr (address, '@');
- if (!domain || domain == address || !domain[1])
- return NULL; /* invalid mail address given. */
+ /* We return the URL or an empty string. */
+ if (!url)
+ url = xtrycalloc (1, 1);
+ result = url;
+ url = NULL;
- name = xtrymalloc (strlen (address) + 5 + 1);
- if (!name)
- return NULL;
- memcpy (name, address, domain - address);
- strcpy (stpcpy (name + (domain-address), "._pka."), domain+1);
-
- anslen = res_query (name, C_IN, T_TXT, answer, PACKETSZ);
+ leave:
+ xfree (fpr);
+ xfree (url);
xfree (name);
- if (anslen < sizeof(HEADER))
- return NULL; /* DNS resolver returned a too short answer. */
-
- /* Don't despair: A good compiler should optimize this away, as
- header is just 32 byte and constant at compile time. It's
- one way to comply with strict aliasing rules. */
- memcpy (&header, answer, sizeof (header));
-
- if ( (rc=header.rcode) != NOERROR )
- return NULL; /* DNS resolver returned an error. */
-
- /* We assume that PACKETSZ is large enough and don't do dynmically
- expansion of the buffer. */
- if (anslen > PACKETSZ)
- return NULL; /* DNS resolver returned a too long answer */
-
- qdcount = ntohs (header.qdcount);
- ancount = ntohs (header.ancount);
-
- if (!ancount)
- return NULL; /* Got no answer. */
-
- p = answer + sizeof (HEADER);
- pend = answer + anslen; /* Actually points directly behind the buffer. */
-
- while (qdcount-- && p < pend)
- {
- rc = dn_skipname (p, pend);
- if (rc == -1)
- return NULL;
- p += rc + QFIXEDSZ;
- }
-
- if (ancount > 1)
- return NULL; /* more than one possible gpg trustdns record - none used. */
-
- while (ancount-- && p <= pend)
- {
- unsigned int type, class, txtlen, n;
- char *buffer, *bufp;
-
- rc = dn_skipname (p, pend);
- if (rc == -1)
- return NULL;
- p += rc;
- if (p >= pend - 10)
- return NULL; /* RR too short. */
-
- type = buf16_to_uint (p);
- p += 2;
- class = buf16_to_uint (p);
- p += 2;
- p += 4;
- txtlen = buf16_to_uint (p);
- p += 2;
-
- if (type != T_TXT || class != C_IN)
- return NULL; /* Answer does not match the query. */
-
- buffer = bufp = xmalloc (txtlen + 1);
- while (txtlen && p < pend)
- {
- for (n = *p++, txtlen--; txtlen && n && p < pend; txtlen--, n--)
- *bufp++ = *p++;
- }
- *bufp = 0;
- if (parse_txt_record (buffer, fpr))
- {
- xfree (buffer);
- return NULL; /* Not a valid gpg trustdns RR. */
- }
- return buffer;
- }
-
- return NULL;
-#endif /*!USE_ADNS*/
+ xfree (hash);
+ xfree (mbox);
+ return result;
}
-
-#else /* !USE_DNS_PKA */
-
-/* Dummy version of the function if we can't use the resolver
- functions. */
-char *
-get_pka_info (const char *address, unsigned char *fpr)
-{
- (void)address;
- (void)fpr;
- return NULL;
-}
-#endif /* !USE_DNS_PKA */
-
-
-#ifdef TEST
-int
-main(int argc,char *argv[])
-{
- unsigned char fpr[20];
- char *uri;
- int i;
-
- if (argc < 2)
- {
- fprintf (stderr, "usage: pka mail-addresses\n");
- return 1;
- }
- argc--;
- argv++;
-
- for (; argc; argc--, argv++)
- {
- uri = get_pka_info ( *argv, fpr );
- printf ("%s", *argv);
- if (uri)
- {
- putchar (' ');
- for (i=0; i < 20; i++)
- printf ("%02X", fpr[i]);
- if (*uri)
- printf (" %s", uri);
- xfree (uri);
- }
- putchar ('\n');
- }
- return 0;
-}
-#endif /* TEST */
-
-/*
-Local Variables:
-compile-command: "cc -DUSE_DNS_PKA -DTEST -I.. -I../include -Wall -g -o pka pka.c -lresolv ../tools/no-libgcrypt.o ../jnlib/libjnlib.a"
-End:
-*/
diff --git a/common/pka.h b/common/pka.h
index 68b4c2e..93a4eb3 100644
--- a/common/pka.h
+++ b/common/pka.h
@@ -29,7 +29,7 @@
#ifndef GNUPG_COMMON_PKA_H
#define GNUPG_COMMON_PKA_H
-char *get_pka_info (const char *address, unsigned char *fpr);
+char *get_pka_info (const char *address, void *fprbuf, size_t fprbuflen);
#endif /*GNUPG_COMMON_PKA_H*/
diff --git a/common/t-pka.c b/common/t-pka.c
new file mode 100644
index 0000000..7c4d7c3
--- /dev/null
+++ b/common/t-pka.c
@@ -0,0 +1,72 @@
+/* t-pak.c - Module test for pka.c
+ * Copyright (C) 2015 Werner Koch
+ *
+ * This file is part of GnuPG.
+ *
+ * GnuPG is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuPG is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <assert.h>
+
+#include "util.h"
+#include "pka.h"
+
+
+int
+main (int argc, char **argv)
+{
+ unsigned char fpr[20];
+ char *url;
+ char const *name;
+ int i;
+
+ if (argc)
+ {
+ argc--;
+ argv++;
+ }
+
+ if (!argc)
+ name = "wk at gnupg.org";
+ else if (argc == 1)
+ name = *argv;
+ else
+ {
+ fputs ("usage: t-pka [userid]\n", stderr);
+ return 1;
+ }
+
+ printf ("User id ...: %s\n", name);
+
+ url = get_pka_info (name, fpr, sizeof fpr);
+ printf ("Fingerprint: ");
+ if (url)
+ {
+ for (i = 0; i < sizeof fpr; i++)
+ printf ("%02X", fpr[i]);
+ }
+ else
+ printf ("[not found]");
+
+ putchar ('\n');
+
+ printf ("URL .......: %s\n", (url && *url)? url : "[none]");
+
+ xfree (url);
+
+ return 0;
+}
diff --git a/configure.ac b/configure.ac
index 0d18f19..34fffb2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -920,18 +920,12 @@ AC_ARG_ENABLE(dns-srv,
[disable the use of DNS SRV in HKP and HTTP]),
use_dns_srv=$enableval,use_dns_srv=yes)
-AC_ARG_ENABLE(dns-pka,
- AC_HELP_STRING([--disable-dns-pka],
- [disable the use of PKA records in DNS]),
- use_dns_pka=$enableval,use_dns_pka=yes)
-
AC_ARG_ENABLE(dns-cert,
AC_HELP_STRING([--disable-dns-cert],
[disable the use of CERT records in DNS]),
use_dns_cert=$enableval,use_dns_cert=yes)
-if test x"$use_dns_pka" = xyes || test x"$use_dns_srv" = xyes \
- || test x"$use_dns_cert" = xyes; then
+if test x"$use_dns_srv" = xyes || test x"$use_dns_cert" = xyes; then
_dns_save_libs=$LIBS
LIBS=""
# the double underscore thing is a glibc-ism?
@@ -988,10 +982,6 @@ if test x"$use_dns_pka" = xyes || test x"$use_dns_srv" = xyes \
AC_DEFINE(USE_DNS_SRV,1,[define to use DNS SRV])
fi
- if test x"$use_dns_pka" = xyes ; then
- AC_DEFINE(USE_DNS_PKA,1,[define to use our experimental DNS PKA])
- fi
-
if test x"$use_dns_cert" = xyes ; then
AC_DEFINE(USE_DNS_CERT,1,[define to use DNS CERT])
fi
@@ -1010,16 +1000,11 @@ if test x"$use_dns_pka" = xyes || test x"$use_dns_srv" = xyes \
AC_DEFINE(USE_DNS_SRV,1)
fi
- if test x"$use_dns_pka" = xyes ; then
- AC_DEFINE(USE_DNS_PKA,1)
- fi
-
if test x"$use_dns_cert" = xyes ; then
AC_DEFINE(USE_DNS_CERT,1,[define to use DNS CERT])
fi
else
use_dns_srv=no
- use_dns_pka=no
use_dns_cert=no
fi
fi
diff --git a/g10/getkey.c b/g10/getkey.c
index 2a24484..d54bd57 100644
--- a/g10/getkey.c
+++ b/g10/getkey.c
@@ -2971,10 +2971,8 @@ parse_auto_key_locate (char *options)
else if (ascii_strcasecmp (tok, "cert") == 0)
akl->type = AKL_CERT;
#endif
-#ifdef USE_DNS_PKA
else if (ascii_strcasecmp (tok, "pka") == 0)
akl->type = AKL_PKA;
-#endif
else if ((akl->spec = parse_keyserver_uri (tok, 1)))
akl->type = AKL_SPEC;
else
diff --git a/g10/keyserver.c b/g10/keyserver.c
index ffcc1bf..477ff17 100644
--- a/g10/keyserver.c
+++ b/g10/keyserver.c
@@ -1980,7 +1980,7 @@ keyserver_import_pka (ctrl_t ctrl,
*fpr = xmalloc (20);
*fpr_len = 20;
- uri = get_pka_info (name, *fpr);
+ uri = get_pka_info (name, *fpr, 20);
if (uri && *uri)
{
/* An URI is available. Lookup the key. */
diff --git a/g10/mainproc.c b/g10/mainproc.c
index 753fdbe..0ae9168 100644
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
@@ -1498,7 +1498,8 @@ pka_uri_from_sig (PKT_signature *sig)
{
char *uri;
- uri = get_pka_info (sig->pka_info->email, sig->pka_info->fpr);
+ uri = get_pka_info (sig->pka_info->email,
+ sig->pka_info->fpr, sizeof sig->pka_info->fpr);
if (uri)
{
sig->pka_info->valid = 1;
commit af60152a4632ef26ca950a424429b15b6c69038d
Author: Werner Koch <wk at gnupg.org>
Date: Wed Feb 25 12:03:21 2015 +0100
common: Allow requesting a specific certtype with get_dns_cert()
* common/dns-cert.c (get_dns_cert): Add arg want_certtype. Change all
callers.
(CERTTYPE_): Move constants to ...
* common/dns-cert.h: here as DNS_CERTTYPE_.
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/common/dns-cert.c b/common/dns-cert.c
index e743308..e7be275 100644
--- a/common/dns-cert.c
+++ b/common/dns-cert.c
@@ -60,29 +60,20 @@
#define my_adns_r_cert 37
-/* Certificate types according to RFC-4398. */
-#define CERTTYPE_PKIX 1 /* X.509 as per PKIX. */
-#define CERTTYPE_SPKI 2 /* SPKI certificate. */
-#define CERTTYPE_PGP 3 /* OpenPGP packet. */
-#define CERTTYPE_IPKIX 4 /* The URL of an X.509 data object. */
-#define CERTTYPE_ISPKI 5 /* The URL of an SPKI certificate. */
-#define CERTTYPE_IPGP 6 /* The fingerprint and URL of an OpenPGP packet.*/
-#define CERTTYPE_ACPKIX 7 /* Attribute Certificate. */
-#define CERTTYPE_IACPKIX 8 /* The URL of an Attribute Certificate. */
-#define CERTTYPE_URI 253 /* URI private. */
-#define CERTTYPE_OID 254 /* OID private. */
-
/* Returns 0 on success or an error code. If a PGP CERT record was
found, a new estream with that key will be returned at R_KEY and
the other return parameters are set to NULL/0. If an IPGP CERT
record was found the fingerprint is stored as an allocated block at
R_FPR and its length at R_FPRLEN; an URL is is allocated as a
- string and returned at R_URL. Note that this function returns the
- first CERT found with a supported type; it is expected that only
- one CERT record is used. */
+ string and returned at R_URL. If WANT_CERTTYPE is 0 this function
+ returns the first CERT found with a supported type; it is expected
+ that only one CERT record is used. If WANT_CERTTYPE is one of the
+ supported certtypes only records wih this certtype are considered
+ and the first found is returned. */
gpg_error_t
-get_dns_cert (const char *name, estream_t *r_key,
+get_dns_cert (const char *name, int want_certtype,
+ estream_t *r_key,
unsigned char **r_fpr, size_t *r_fprlen, char **r_url)
{
#ifdef USE_DNS_CERT
@@ -136,7 +127,9 @@ get_dns_cert (const char *name, estream_t *r_key,
data += 5;
datalen -= 5;
- if (ctype == CERTTYPE_PGP && datalen >= 11)
+ if (want_certtype && want_certtype != ctype)
+ ; /* Not of the requested certtype. */
+ else if (ctype == DNS_CERTTYPE_PGP && datalen >= 11)
{
/* CERT type is PGP. Gpg checks for a minimum length of 11,
thus we do the same. */
@@ -148,7 +141,7 @@ get_dns_cert (const char *name, estream_t *r_key,
err = 0;
goto leave;
}
- else if (ctype == CERTTYPE_IPGP && datalen && datalen < 1023
+ else if (ctype == DNS_CERTTYPE_IPGP && datalen && datalen < 1023
&& datalen >= data[0] + 1 && r_fpr && r_fprlen && r_url)
{
/* CERT type is IPGP. We made sure that the data is
@@ -297,8 +290,9 @@ get_dns_cert (const char *name, estream_t *r_key,
dlen -= 5;
/* 15 bytes takes us to here */
-
- if (ctype == CERTTYPE_PGP && dlen)
+ if (want_certtype && want_certtype != ctype)
+ ; /* Not of the requested certtype. */
+ else if (ctype == DNS_CERTTYPE_PGP && dlen)
{
/* PGP type */
*r_key = es_fopenmem_init (0, "rwb", pt, dlen);
@@ -309,7 +303,7 @@ get_dns_cert (const char *name, estream_t *r_key,
err = 0;
goto leave;
}
- else if (ctype == CERTTYPE_IPGP
+ else if (ctype == DNS_CERTTYPE_IPGP
&& dlen && dlen < 1023 && dlen >= pt[0] + 1)
{
/* IPGP type */
diff --git a/common/dns-cert.h b/common/dns-cert.h
index ae38caa..4b49efc 100644
--- a/common/dns-cert.h
+++ b/common/dns-cert.h
@@ -29,7 +29,24 @@
#ifndef GNUPG_COMMON_DNS_CERT_H
#define GNUPG_COMMON_DNS_CERT_H
-gpg_error_t get_dns_cert (const char *name, estream_t *r_key,
+
+#define DNS_CERTTYPE_ANY 0 /* Internal catch all type. */
+/* Certificate types according to RFC-4398: */
+#define DNS_CERTTYPE_PKIX 1 /* X.509 as per PKIX. */
+#define DNS_CERTTYPE_SPKI 2 /* SPKI certificate. */
+#define DNS_CERTTYPE_PGP 3 /* OpenPGP packet. */
+#define DNS_CERTTYPE_IPKIX 4 /* The URL of an X.509 data object. */
+#define DNS_CERTTYPE_ISPKI 5 /* The URL of an SPKI certificate. */
+#define DNS_CERTTYPE_IPGP 6 /* The fingerprint
+ and URL of an OpenPGP packet. */
+#define DNS_CERTTYPE_ACPKIX 7 /* Attribute Certificate. */
+#define DNS_CERTTYPE_IACPKIX 8 /* The URL of an Attribute Certificate. */
+#define DNS_CERTTYPE_URI 253 /* URI private. */
+#define DNS_CERTTYPE_OID 254 /* OID private. */
+
+
+gpg_error_t get_dns_cert (const char *name, int want_certtype,
+ estream_t *r_key,
unsigned char **r_fpr, size_t *r_fprlen,
char **r_url);
diff --git a/common/t-dns-cert.c b/common/t-dns-cert.c
index 71c7a9c..a170ffb 100644
--- a/common/t-dns-cert.c
+++ b/common/t-dns-cert.c
@@ -54,7 +54,7 @@ main (int argc, char **argv)
printf ("CERT lookup on '%s'\n", name);
- err = get_dns_cert (name, &key, &fpr, &fpr_len, &url);
+ err = get_dns_cert (name, DNS_CERTTYPE_ANY, &key, &fpr, &fpr_len, &url);
if (err)
printf ("get_dns_cert failed: %s <%s>\n",
gpg_strerror (err), gpg_strsource (err));
diff --git a/g10/keyserver.c b/g10/keyserver.c
index 8bcb827..ffcc1bf 100644
--- a/g10/keyserver.c
+++ b/g10/keyserver.c
@@ -1910,7 +1910,7 @@ keyserver_import_cert (ctrl_t ctrl,
if(domain)
*domain='.';
- err = get_dns_cert (look, &key, fpr, fpr_len, &url);
+ err = get_dns_cert (look, DNS_CERTTYPE_ANY, &key, fpr, fpr_len, &url);
if (err)
;
else if (key)
commit 9913253610bac69e9503800e85696491e018e327
Author: Werner Koch <wk at gnupg.org>
Date: Wed Feb 25 11:43:50 2015 +0100
Move new mailbox.c source file to common/.
* g10/mailbox.c: Move to ...
* common/mbox-util.c: new file.
* common/mbox-util.h: New. Include where needed.
* g10/t-mailbox.c: Move to ...
* common/t-mbox-util.c: new file.
--
This will make it easier to use the code by other modules in common/.
diff --git a/common/Makefile.am b/common/Makefile.am
index 6b41062..df2dafe 100644
--- a/common/Makefile.am
+++ b/common/Makefile.am
@@ -75,6 +75,7 @@ common_sources = \
b64enc.c b64dec.c zb32.c \
convert.c \
percent.c \
+ mbox-util.c mbox-util.h \
miscellaneous.c \
xasprintf.c \
xreadline.c \
@@ -177,7 +178,7 @@ jnlib_tests += t-w32-reg
endif
module_tests = t-convert t-percent t-gettime t-sysutils t-sexputil \
t-session-env t-openpgp-oid t-ssh-utils t-dns-cert \
- t-mapstrings t-zb32
+ t-mapstrings t-zb32 t-mbox-util
if !HAVE_W32CE_SYSTEM
module_tests += t-exechelp
endif
@@ -223,6 +224,7 @@ t_ssh_utils_LDADD = $(t_common_ldadd)
t_dns_cert_LDADD = $(t_common_ldadd) $(DNSLIBS)
t_mapstrings_LDADD = $(t_common_ldadd)
t_zb32_LDADD = $(t_common_ldadd)
+t_mbox_util_LDADD = $(t_common_ldadd)
# http tests
t_http_SOURCES = t-http.c
diff --git a/g10/mailbox.c b/common/mbox-util.c
similarity index 87%
rename from g10/mailbox.c
rename to common/mbox-util.c
index 64b818f..332f62f 100644
--- a/g10/mailbox.c
+++ b/common/mbox-util.c
@@ -1,15 +1,25 @@
-/* mailbox.c - Mail address helper functions
+/* mbox-util.c - Mail address helper functions
* Copyright (C) 1998-2010 Free Software Foundation, Inc.
- * Copyright (C) 2014-2015 Werner Koch
+ * Copyright (C) 1998-2015 Werner Koch
*
* This file is part of GnuPG.
*
- * GnuPG is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
+ * This file is free software; you can redistribute it and/or modify
+ * it under the terms of either
*
- * GnuPG is distributed in the hope that it will be useful,
+ * - the GNU Lesser General Public License as published by the Free
+ * Software Foundation; either version 3 of the License, or (at
+ * your option) any later version.
+ *
+ * or
+ *
+ * - the GNU General Public License as published by the Free
+ * Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * or both in parallel, as here.
+ *
+ * This file is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
@@ -25,9 +35,8 @@
#include <unistd.h>
#include <errno.h>
-#include "gpg.h"
#include "util.h"
-#include "main.h"
+#include "mbox-util.h"
static int
diff --git a/common/mbox-util.h b/common/mbox-util.h
new file mode 100644
index 0000000..b9a3bda
--- /dev/null
+++ b/common/mbox-util.h
@@ -0,0 +1,38 @@
+/* mbox-util.h - Defs for mail address helper functions
+ * Copyright (C) 2015 Werner Koch
+ *
+ * This file is part of GnuPG.
+ *
+ * This file is free software; you can redistribute it and/or modify
+ * it under the terms of either
+ *
+ * - the GNU Lesser General Public License as published by the Free
+ * Software Foundation; either version 3 of the License, or (at
+ * your option) any later version.
+ *
+ * or
+ *
+ * - the GNU General Public License as published by the Free
+ * Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * or both in parallel, as here.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+#ifndef GNUPG_COMMON_MBOX_UTIL_H
+#define GNUPG_COMMON_MBOX_UTIL_H
+
+int has_invalid_email_chars (const char *s);
+int is_valid_mailbox (const char *name);
+char *mailbox_from_userid (const char *userid);
+int is_valid_user_id (const char *uid);
+
+
+#endif /*GNUPG_COMMON_MBOX_UTIL_H*/
diff --git a/g10/t-mailbox.c b/common/t-mbox-util.c
similarity index 91%
rename from g10/t-mailbox.c
rename to common/t-mbox-util.c
index aa7cf33..dfa4ada 100644
--- a/g10/t-mailbox.c
+++ b/common/t-mbox-util.c
@@ -1,4 +1,4 @@
-/* t-mailbox.c - Module test for mailbox.c
+/* t-mbox-util.c - Module test for mbox-util.c
* Copyright (C) 2015 Werner Koch
*
* This file is part of GnuPG.
@@ -22,9 +22,8 @@
#include <stdlib.h>
#include <string.h>
-#include "gpg.h"
#include "util.h"
-#include "main.h"
+#include "mbox-util.h"
#define pass() do { ; } while(0)
#define fail(a) do { fprintf (stderr, "%s:%d: test %d failed\n",\
@@ -33,29 +32,6 @@
} while(0)
-void *
-gcry_malloc (size_t n)
-{
- return malloc (n);
-}
-
-
-char *
-gcry_strdup (const char *string)
-{
- return strdup (string);
-}
-
-
-void
-gcry_free (void *a)
-{
- if (a)
- free (a);
-}
-
-
-
static void
run_test (void)
{
diff --git a/g10/Makefile.am b/g10/Makefile.am
index 0704924..0a02119 100644
--- a/g10/Makefile.am
+++ b/g10/Makefile.am
@@ -83,7 +83,6 @@ common_source = \
textfilter.c \
progress.c \
misc.c \
- mailbox.c \
rmd160.c rmd160.h \
options.h \
openfile.c \
@@ -155,11 +154,9 @@ gpgv2_LDADD = $(LDADD) $(LIBGCRYPT_LIBS) \
gpgv2_LDFLAGS = $(extra_bin_ldflags)
t_common_ldadd =
-module_tests = t-rmd160 t-mailbox
+module_tests = t-rmd160
t_rmd160_SOURCES = t-rmd160.c rmd160.c
t_rmd160_LDADD = $(t_common_ldadd)
-t_mailbox_SOURCES = t-mailbox.c mailbox.c
-t_mailbox_LDADD = $(t_common_ldadd)
$(PROGRAMS): $(needed_libs) ../common/libgpgrl.a
diff --git a/g10/getkey.c b/g10/getkey.c
index 116753c..2a24484 100644
--- a/g10/getkey.c
+++ b/g10/getkey.c
@@ -37,7 +37,7 @@
#include "keyserver-internal.h"
#include "call-agent.h"
#include "host2net.h"
-
+#include "mbox-util.h"
#define MAX_PK_CACHE_ENTRIES PK_UID_CACHE_SIZE
#define MAX_UID_CACHE_ENTRIES PK_UID_CACHE_SIZE
diff --git a/g10/keygen.c b/g10/keygen.c
index 11bfbd4..769e193 100644
--- a/g10/keygen.c
+++ b/g10/keygen.c
@@ -44,6 +44,7 @@
#include "pkglue.h"
#include "../common/shareddefs.h"
#include "host2net.h"
+#include "mbox-util.h"
/* The default algorithms. If you change them remember to change them
diff --git a/g10/keylist.c b/g10/keylist.c
index 881ffa4..7f13d8b 100644
--- a/g10/keylist.c
+++ b/g10/keylist.c
@@ -42,6 +42,8 @@
#include "i18n.h"
#include "status.h"
#include "call-agent.h"
+#include "mbox-util.h"
+
static void list_all (int, int);
static void list_one (strlist_t names, int secret, int mark_secret);
diff --git a/g10/main.h b/g10/main.h
index 8c326f6..39a1feb 100644
--- a/g10/main.h
+++ b/g10/main.h
@@ -176,13 +176,6 @@ int mpi_print (estream_t stream, gcry_mpi_t a, int mode);
unsigned int ecdsa_qbits_from_Q (unsigned int qbits);
-/*-- mailbox.c --*/
-int has_invalid_email_chars (const char *s);
-int is_valid_mailbox (const char *name);
-char *mailbox_from_userid (const char *userid);
-int is_valid_user_id (const char *uid);
-
-
/*-- status.c --*/
void set_status_fd ( int fd );
int is_status_enabled ( void );
diff --git a/g10/mainproc.c b/g10/mainproc.c
index e0dba13..753fdbe 100644
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
@@ -39,6 +39,7 @@
#include "keyserver-internal.h"
#include "photoid.h"
#include "pka.h"
+#include "mbox-util.h"
/* Put an upper limit on nested packets. The 32 is an arbitrary
-----------------------------------------------------------------------
Summary of changes:
common/Makefile.am | 5 +-
common/dns-cert.c | 45 ++---
common/dns-cert.h | 19 +-
g10/mailbox.c => common/mbox-util.c | 27 ++-
common/{dns-cert.h => mbox-util.h} | 18 +-
common/pka.c | 341 ++++++--------------------------
common/pka.h | 2 +-
common/t-dns-cert.c | 2 +-
g10/t-mailbox.c => common/t-mbox-util.c | 28 +--
common/{t-dns-cert.c => t-pka.c} | 55 ++----
configure.ac | 17 +-
g10/Makefile.am | 5 +-
g10/getkey.c | 4 +-
g10/keygen.c | 1 +
g10/keylist.c | 2 +
g10/keyserver.c | 4 +-
g10/main.h | 7 -
g10/mainproc.c | 4 +-
18 files changed, 156 insertions(+), 430 deletions(-)
rename g10/mailbox.c => common/mbox-util.c (87%)
copy common/{dns-cert.h => mbox-util.h} (71%)
rename g10/t-mailbox.c => common/t-mbox-util.c (91%)
copy common/{t-dns-cert.c => t-pka.c} (51%)
hooks/post-receive
--
The GNU Privacy Guard
http://git.gnupg.org
More information about the Gnupg-commits
mailing list