[git] GnuPG - branch, master, updated. gnupg-2.1.9-126-ga3b26d6

by Werner Koch cvs at cvs.gnupg.org
Thu Nov 12 13:37:11 CET 2015



The branch, master has been updated
       via  a3b26d6c0839ec18d1dc226bb537d5067c86d574 (commit)
       via  a2cc1d57552ccac7b2f9a0c6423b171b2a168b2a (commit)
      from  7546e818791988c00b8635dab5b899265d8d9f42 (commit)


- Log -----------------------------------------------------------------
commit a3b26d6c0839ec18d1dc226bb537d5067c86d574
Author: Werner Koch <wk at gnupg.org>
Date:   Thu Nov 12 13:31:59 2015 +0100

    dirmngr: Do not block during ADNS calls.
    
    * dirmngr/dns-stuff.c: Include npth.h
    (my_unprotect, my_protect): New wrapper.
    (resolve_name_adns): Put unprotect/protect around adns calls.
    (get_dns_cert): Ditto.
    (getsrv): Ditto.
    (get_dns_cname): Ditto.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/dirmngr/Makefile.am b/dirmngr/Makefile.am
index 009802a..c3bce0d 100644
--- a/dirmngr/Makefile.am
+++ b/dirmngr/Makefile.am
@@ -142,6 +142,7 @@ t_ldap_parse_uri_SOURCES = \
 t_ldap_parse_uri_CFLAGS = -DWITHOUT_NPTH=1
 t_ldap_parse_uri_LDADD = $(ldaplibs) $(t_common_ldadd) $(DNSLIBS)
 
+t_dns_stuff_CFLAGS = -DWITHOUT_NPTH=1
 t_dns_stuff_SOURCES = t-dns-stuff.c dns-stuff.c
 t_dns_stuff_LDADD   = $(t_common_ldadd) $(DNSLIBS)
 
diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
index 6f3ce39..200e1e2 100644
--- a/dirmngr/dns-stuff.c
+++ b/dirmngr/dns-stuff.c
@@ -51,10 +51,25 @@
 # error Either getaddrinfo or the ADNS libary is required.
 #endif
 
+#ifdef WITHOUT_NPTH /* Give the Makefile a chance to build without Pth.  */
+# undef USE_NPTH
+#endif
+#ifdef USE_NPTH
+# include <npth.h>
+#endif
+
 #include "util.h"
 #include "host2net.h"
 #include "dns-stuff.h"
 
+#ifdef USE_NPTH
+# define my_unprotect()        npth_unprotect ()
+# define my_protect()          npth_protect ()
+#else
+# define my_unprotect()        do { } while(0)
+# define my_protect()          do { } while(0)
+#endif
+
 /* We allow the use of 0 instead of AF_UNSPEC - check this assumption.  */
 #if AF_UNSPEC != 0
 # error AF_UNSPEC does not have the value 0
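Review bot: The `my_unprotect`/`my_protect` wrappers carry no comment stating what a caller may and may not do inside the window they open, which is the one thing every future user of them needs to know. Between the two calls the nPth global lock is released, so other dirmngr threads run concurrently; the file-scope state in this module (tor credentials, and the nameserver string added by the sibling commit) must therefore not be read or written there, only the call's own arguments. I would put above the `#ifdef USE_NPTH` at the macro definitions: `/* Wrap a blocking library call: my_unprotect() releases the nPth lock so other threads may run, my_protect() takes it back.  Touch no shared state between the two.  */`. The `/* Give the Makefile a chance to build without Pth.  */` comment should also say nPth, since that is the library being excluded.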
@@ -231,6 +246,7 @@ resolve_name_adns (const char *name, unsigned short port,
                    dns_addrinfo_t *r_dai, char **r_canonname)
 {
   gpg_error_t err = 0;
+  int ret;
   dns_addrinfo_t daihead = NULL;
   dns_addrinfo_t dai;
   adns_state state;
@@ -251,8 +267,11 @@ resolve_name_adns (const char *name, unsigned short port,
   if (err)
     return err;
 
-  if (adns_synchronous (state, name, adns_r_addr,
-                        adns_qf_quoteok_query, &answer))
+  my_unprotect ();
+  ret = adns_synchronous (state, name, adns_r_addr,
+                          adns_qf_quoteok_query, &answer);
+  my_protect ();
+  if (ret)
     {
       err = gpg_error_from_syserror ();
       log_error ("DNS query failed: %s\n", gpg_strerror (err));
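Review bot: `err = gpg_error_from_syserror ();` in the failure branch still reads errno, but with this change `my_protect ()` now runs between the adns call and that read, so the reported error depends on npth_protect() leaving errno untouched. The adns return code is already captured in `ret` (adns documents it as an errno value, as far as I can tell), so `err = gpg_error_from_errno (ret);` removes the dependency and matches how my_adns_init converts adns results. resolve_name_adns continues outside the hunk.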
@@ -629,6 +648,7 @@ get_dns_cert (const char *name, int want_certtype,
 #ifdef USE_DNS_CERT
 #ifdef USE_ADNS
   gpg_error_t err;
+  int ret;
   adns_state state;
   adns_answer *answer = NULL;
   unsigned int ctype;
@@ -646,12 +666,15 @@ get_dns_cert (const char *name, int want_certtype,
   if (err)
     return err;
 
-  if (adns_synchronous (state, name,
-                        (adns_r_unknown
-                         | (want_certtype < DNS_CERTTYPE_RRBASE
-                            ? my_adns_r_cert
-                            : (want_certtype - DNS_CERTTYPE_RRBASE))),
-                        adns_qf_quoteok_query, &answer))
+  my_unprotect ();
+  ret = adns_synchronous (state, name,
+                          (adns_r_unknown
+                           | (want_certtype < DNS_CERTTYPE_RRBASE
+                              ? my_adns_r_cert
+                              : (want_certtype - DNS_CERTTYPE_RRBASE))),
+                          adns_qf_quoteok_query, &answer);
+  my_protect ();
+  if (ret)
     {
       err = gpg_error_from_syserror ();
       /* log_error ("DNS query failed: %s\n", strerror (errno)); */
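Review bot: `err = gpg_error_from_syserror ();` reads errno only after `my_protect ()` has run, so the error code this function returns in Tor mode now relies on npth_protect() preserving errno across its lock acquisition. Since the adns status is held in `ret`, `err = gpg_error_from_errno (ret);` reports the actual adns failure without that assumption. The commented-out `log_error` on the following line is also now the only place the failure would have been visible; either restore it or drop the dead line. get_dns_cert's body continues outside the hunk.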
@@ -1001,8 +1024,10 @@ getsrv (const char *name,struct srventry **list)
     if (my_adns_init (&state))
       return -1;
 
+    my_unprotect ();
     rc = adns_synchronous (state, name, adns_r_srv, adns_qf_quoteok_query,
                            &answer);
+    my_protect ();
     if (rc)
       {
         log_error ("DNS query failed: %s\n", strerror (errno));
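Review bot: `log_error ("DNS query failed: %s\n", strerror (errno));` now executes after `my_protect ()`, so the message describes whatever errno holds after the re-lock rather than the adns failure unless npth_protect() preserves it. The adns return code is in `rc`, so `strerror (rc)` reports the right thing directly; note that on the non-ADNS path this function returns -1 without a gpg error code, so the log line is the only diagnostic a user gets. getsrv continues outside the hunk.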
@@ -1241,8 +1266,10 @@ get_dns_cname (const char *name, char **r_cname)
     if (my_adns_init (&state))
       return gpg_error (GPG_ERR_GENERAL);
 
+    my_unprotect ();
     rc = adns_synchronous (state, name, adns_r_cname, adns_qf_quoteok_query,
                            &answer);
+    my_protect ();
     if (rc)
       {
         err = gpg_error_from_syserror ();
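Review bot: `err = gpg_error_from_syserror ();` is evaluated after `my_protect ()`, so the error returned to the caller depends on errno surviving the re-acquisition of the nPth lock. With the adns return value already in `rc`, `err = gpg_error_from_errno (rc);` gives the same result independent of what npth_protect() does to errno. get_dns_cname continues outside the hunk.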

commit a2cc1d57552ccac7b2f9a0c6423b171b2a168b2a
Author: Werner Koch <wk at gnupg.org>
Date:   Thu Nov 12 13:20:18 2015 +0100

    dirmngr: New option --nameserver.
    
    * dirmngr/dirmngr.c (oNameServer): New.
    (opts): Add --nameserver.
    (parse_rereadable_options): Act upon oNameServer.
    * dirmngr/dns-stuff.c (DEFAULT_NAMESERVER): New.
    (tor_nameserver): New.
    (set_dns_nameserver): New.
    (my_adns_init): Make name server configurable.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
index d6c1670..8789d81 100644
--- a/dirmngr/dirmngr.c
+++ b/dirmngr/dirmngr.c
@@ -68,6 +68,7 @@
 #endif
 #include "../common/init.h"
 #include "gc-opt-flags.h"
+#include "dns-stuff.h"
 
 /* The plain Windows version uses the windows service system.  For
    example to start the service you may use "sc start dirmngr".
@@ -142,6 +143,7 @@ enum cmd_and_opt_values {
   oIgnoreCertExtension,
   oUseTor,
   oKeyServer,
+  oNameServer,
   aTest
 };
 
@@ -214,6 +216,7 @@ static ARGPARSE_OPTS opts[] = {
   ARGPARSE_s_i (oMaxReplies, "max-replies",
                 N_("|N|do not return more than N items in one query")),
 
+  ARGPARSE_s_s (oNameServer, "nameserver", "@"),
   ARGPARSE_s_s (oKeyServer, "keyserver", "@"),
   ARGPARSE_s_s (oHkpCaCert, "hkp-cacert",
                 N_("|FILE|use the CA certificates in FILE for HKP over TLS")),
@@ -623,6 +626,10 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
       opt.keyserver = *pargs->r.ret_str? xtrystrdup (pargs->r.ret_str) : NULL;
       break;
 
+    case oNameServer:
+      set_dns_nameserver (pargs->r.ret_str);
+      break;
+
     default:
       return 0; /* Not handled. */
     }
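Review bot: `set_dns_nameserver (pargs->r.ret_str);` hands the option value over without any check, and dns-stuff.c formats that string into the adns configuration text `"nameserver %s\n" "options adns_tormode ..."`, so a value containing a newline becomes additional adns configuration directives and a non-numeric value only fails much later inside adns_init_strcfg at the first Tor-mode query. The texi change says no error checking is done, so this is a known trade-off, and the value originates from the config file or command line rather than the network; still, rejecting an empty value or one containing whitespace at parse time gives the user an error at the point they can fix it. On reread, a config without the option also leaves the previously set address in place, which may or may not be intended.

```c
    case oNameServer:
      if (!*pargs->r.ret_str || strpbrk (pargs->r.ret_str, " \t\r\n"))
        log_error (_("invalid nameserver address '%s'\n"), pargs->r.ret_str);
      else
        set_dns_nameserver (pargs->r.ret_str);
      break;
```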
diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
index 6bf36a5..6f3ce39 100644
--- a/dirmngr/dns-stuff.c
+++ b/dirmngr/dns-stuff.c
@@ -82,9 +82,18 @@
 /* ADNS has no support for CERT yet. */
 #define my_adns_r_cert 37
 
+
+/* The default nameserver used with ADNS in Tor mode.  */
+#define DEFAULT_NAMESERVER "8.8.8.8"
+
+
 /* If set Tor mode shall be used.  */
 static int tor_mode;
 
+/* A string with the nameserver IP address used with Tor.
+  (40 should be sufficient for v6 but we add some extra for a scope.) */
+static char tor_nameserver[40+20];
+
 /* A string to hold the credentials presented to Tor.  */
 #ifdef USE_ADNS
 static char tor_credentials[50];
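Review bot: The comment on `tor_nameserver` says `(40 should be sufficient for v6 but we add some extra for a scope.)`, but the longest textual IPv6 address, the IPv4-mapped form `::ffff:255.255.255.255`, is 45 characters, so 40 alone would not be sufficient; the 60-byte array still fits it plus a scope id, so only the comment is wrong. I would write `/* Room for the longest textual IPv6 address (45 chars) plus a scope id; filled on demand by set_dns_nameserver.  */`. It is also worth stating next to `DEFAULT_NAMESERVER` that this resolver sees every name dirmngr looks up in Tor mode, since the texi text makes that point but the code does not.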
@@ -114,6 +123,19 @@ enable_dns_tormode (int new_circuit)
   return gpg_error (GPG_ERR_NOT_IMPLEMENTED);
 }
 
+
+/* Change the default IP address of the nameserver to IPADDR.  The
+   address needs to be a numerical IP address and will be used for the
+   next DNS query.  Note that this is only used in Tor mode.  */
+void
+set_dns_nameserver (const char *ipaddr)
+{
+  strncpy (tor_nameserver, ipaddr? ipaddr : DEFAULT_NAMESERVER,
+           sizeof tor_nameserver -1);
+  tor_nameserver[sizeof tor_nameserver -1] = 0;
+}
+
+
 /* Free an addressinfo linked list as returned by resolve_dns_name.  */
 void
 free_dns_addrinfo (dns_addrinfo_t ai)
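Review bot: `strncpy (tor_nameserver, ..., sizeof tor_nameserver -1);` followed by manual termination is correct but silently truncates an over-long value into a different address string that then fails, or worse resolves against the wrong host, only when adns is initialised. `snprintf (tor_nameserver, sizeof tor_nameserver, "%s", ipaddr? ipaddr : DEFAULT_NAMESERVER);` is the clearer idiom and its return value, compared against `sizeof tor_nameserver`, lets the function at least `log_error` on truncation instead of proceeding. The header comment should also mention that NULL restores the built-in default, which the body does but the prose above it does not say.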
@@ -167,14 +189,17 @@ my_adns_init (adns_state *r_state)
     {
       char *cfgstr;
 
+      if (!*tor_nameserver)
+        set_dns_nameserver (NULL);
+
       cfgstr = xtryasprintf ("nameserver %s\n"
                              "options adns_tormode adns_sockscred:%s",
-                             "8.8.8.8", tor_credentials);
+                             tor_nameserver, tor_credentials);
       if (!cfgstr)
         err = gpg_error_from_syserror ();
       else
         {
-          ret = adns_init_strcfg (r_state, adns_if_noerrprint, NULL, cfgstr);
+          ret = adns_init_strcfg (r_state, adns_if_debug /*adns_if_noerrprint*/, NULL, cfgstr);
           if (ret)
             err = gpg_error_from_errno (ret);
           xfree (cfgstr);
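Review bot: `ret = adns_init_strcfg (r_state, adns_if_debug /*adns_if_noerrprint*/, NULL, cfgstr);` swaps the quiet flag for adns's debug flag with the old value left in a comment, which reads like a debugging aid that was not reverted rather than part of the "make name server configurable" change described in the commit message. As far as I recall adns's debug mode writes its trace, including the names being queried, to stderr, which is exactly the information Tor mode is meant to keep off the local system's logs and terminals. I would restore `adns_if_noerrprint` here, or select `adns_if_debug` only under an explicit dirmngr debug flag, and drop the commented-out flag either way. my_adns_init begins outside the hunk, so I cannot see whether such a flag is already available to it.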
diff --git a/dirmngr/dns-stuff.h b/dirmngr/dns-stuff.h
index 69637d6..ee5132d 100644
--- a/dirmngr/dns-stuff.h
+++ b/dirmngr/dns-stuff.h
@@ -96,6 +96,12 @@ struct srventry
    possibe.  Return 0 on success.  */
 gpg_error_t enable_dns_tormode (int new_circuit);
 
+/* Change the default IP address of the nameserver to IPADDR.  The
+   address needs to be a numerical IP address and will be used for the
+   next DNS query.  Note that this is only used in Tor mode.  */
+void set_dns_nameserver (const char *ipaddr);
+
+
 void free_dns_addrinfo (dns_addrinfo_t ai);
 
 /* Function similar to getaddrinfo.  */
diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
index 06da87e..e453e8a 100644
--- a/doc/dirmngr.texi
+++ b/doc/dirmngr.texi
@@ -244,11 +244,11 @@ this still leaks the DNS queries; e.g. to lookup the hosts in a
 keyserver pool.  Certain other features are disabled if this mode is
 active.
 
- at item --keyserver @code{name}
+ at item --keyserver @var{name}
 @opindex keyserver
-Use @code{name} as your keyserver.  This is the server that @command{gpg}
+Use @var{name} as your keyserver.  This is the server that @command{gpg}
 communicates with to receive keys, send keys, and search for
-keys.  The format of the @code{name} is a URI:
+keys.  The format of the @var{name} is a URI:
 `scheme:[//]keyservername[:port]' The scheme is the type of keyserver:
 "hkp" for the HTTP (or compatible) keyservers, "ldap" for the LDAP
 keyservers, or "mailto" for the Graff email keyserver. Note that your
@@ -263,6 +263,16 @@ need to send keys to more than one server. The keyserver
 @code{hkp://keys.gnupg.net} uses round robin DNS to give a different
 keyserver each time you use it.
 
+
+ at item --nameserver @var{ipaddr}
+ at opindex nameserver
+In ``Tor mode'' Dirmngr uses a public resolver via Tor to resolve DNS
+names.  If the default public resolver, which is @code{8.8.8.8}, shall
+not be used a different one can be given using this option.  Note that
+a numerical IP address must be given (IPv6 or IPv4) and that no error
+checking is done for @var{ipaddr}.  DNS queries in Tor mode do only
+work if GnuPG as been build with ADNS support.
+
 @item --disable-ldap
 @opindex disable-ldap
 Entirely disables the use of LDAP.

-----------------------------------------------------------------------

Summary of changes:
 dirmngr/Makefile.am |  1 +
 dirmngr/dirmngr.c   |  7 ++++++
 dirmngr/dns-stuff.c | 72 +++++++++++++++++++++++++++++++++++++++++++++--------
 dirmngr/dns-stuff.h |  6 +++++
 doc/dirmngr.texi    | 16 +++++++++---
 5 files changed, 89 insertions(+), 13 deletions(-)

