[git] GnuPG - branch, master, updated. gnupg-2.1.8-76-g264a81d
by Werner Koch
cvs at cvs.gnupg.org
Tue Oct 6 20:03:46 CEST 2015
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU Privacy Guard".
The branch, master has been updated
via 264a81d82737369ee8beef771cf2bd2cd874320a (commit)
via 211b8084ee4391baec35e8c5bd75a9ecbcb889a7 (commit)
via 6cf80dc77ec5df3722924301ff4be2475966937b (commit)
from 7faf45effcd47d2d04d35090a1e01a1dbb99ec70 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 264a81d82737369ee8beef771cf2bd2cd874320a
Author: Werner Koch <wk at gnupg.org>
Date: Tue Oct 6 19:59:56 2015 +0200
dirmngr: Addlow fetching keys using OpenPGP DANE
* dirmngr/server.c (cmd_dns_cert): Add option --dane.
--
This implements draft-ietf-dane-openpgpkey-05.txt
To test this use
$ gpg-connect-agent --dirmngr
> /hex
> dns_cert --dane wk at gnupg.org
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/dirmngr/server.c b/dirmngr/server.c
index 63a5cd8..bfcdd57 100644
--- a/dirmngr/server.c
+++ b/dirmngr/server.c
@@ -643,6 +643,7 @@ option_handler (assuan_context_t ctx, const char *key, const char *value)
static const char hlp_dns_cert[] =
"DNS_CERT <subtype> <name>\n"
"DNS_CERT --pka <user_id>\n"
+ "DNS_CERT --dane <user_id>\n"
"\n"
"Return the CERT record for <name>. <subtype> is one of\n"
" * Return the first record of any supported subtype\n"
@@ -650,13 +651,14 @@ static const char hlp_dns_cert[] =
" IPGP Return the first record of subtype IPGP (6)\n"
"If the content of a certifciate is available (PGP) it is returned\n"
"by data lines. Fingerprints and URLs are returned via status lines.\n"
- "In --pka mode the fingerprint and if available an URL is returned.";
+ "In --pka mode the fingerprint and if available an URL is returned.\n"
+ "In --dane mode the key is returned from RR type 61";
static gpg_error_t
cmd_dns_cert (assuan_context_t ctx, char *line)
{
/* ctrl_t ctrl = assuan_get_pointer (ctx); */
gpg_error_t err = 0;
- int pka_mode;
+ int pka_mode, dane_mode;
char *mbox = NULL;
char *namebuf = NULL;
char *encodedhash = NULL;
@@ -670,8 +672,16 @@ cmd_dns_cert (assuan_context_t ctx, char *line)
char *url = NULL;
pka_mode = has_option (line, "--pka");
+ dane_mode = has_option (line, "--dane");
line = skip_options (line);
- if (pka_mode)
+
+ if (pka_mode && dane_mode)
+ {
+ err = PARM_ERROR ("either --pka or --dane may be given");
+ goto leave;
+ }
+
+ if (pka_mode || dane_mode)
; /* No need to parse here - we do this later. */
else
{
@@ -709,11 +719,14 @@ cmd_dns_cert (assuan_context_t ctx, char *line)
goto leave;
}
- if (pka_mode)
+ if (pka_mode || dane_mode)
{
- char *domain; /* Points to mbox. */
- char hashbuf[20];
+ char *domain; /* Points to mbox. */
+ char hashbuf[32]; /* For SHA-1 and SHA-256. */
+ /* We lowercase ascii characters but the DANE I-D does not allow
+ this. FIXME: Check after the release of the RFC whether to
+ change this. */
mbox = mailbox_from_userid (line);
if (!mbox || !(domain = strchr (mbox, '@')))
{
@@ -722,21 +735,45 @@ cmd_dns_cert (assuan_context_t ctx, char *line)
}
*domain++ = 0;
- gcry_md_hash_buffer (GCRY_MD_SHA1, hashbuf, mbox, strlen (mbox));
- encodedhash = zb32_encode (hashbuf, 8*20);
- if (!encodedhash)
+ if (pka_mode)
{
- err = gpg_error_from_syserror ();
- goto leave;
+ gcry_md_hash_buffer (GCRY_MD_SHA1, hashbuf, mbox, strlen (mbox));
+ encodedhash = zb32_encode (hashbuf, 8*20);
+ if (!encodedhash)
+ {
+ err = gpg_error_from_syserror ();
+ goto leave;
+ }
+ namebuf = strconcat (encodedhash, "._pka.", domain, NULL);
+ if (!namebuf)
+ {
+ err = gpg_error_from_syserror ();
+ goto leave;
+ }
+ name = namebuf;
+ certtype = DNS_CERTTYPE_IPGP;
}
- namebuf = strconcat (encodedhash, "._pka.", domain, NULL);
- if (!namebuf)
+ else
{
- err = gpg_error_from_syserror ();
- goto leave;
+ /* Note: The hash is truncated to 28 bytes and we lowercase
+ the result only for aesthetic reasons. */
+ gcry_md_hash_buffer (GCRY_MD_SHA256, hashbuf, mbox, strlen (mbox));
+ encodedhash = bin2hex (hashbuf, 28, NULL);
+ if (!encodedhash)
+ {
+ err = gpg_error_from_syserror ();
+ goto leave;
+ }
+ ascii_strlwr (encodedhash);
+ namebuf = strconcat (encodedhash, "._openpgpkey.", domain, NULL);
+ if (!namebuf)
+ {
+ err = gpg_error_from_syserror ();
+ goto leave;
+ }
+ name = namebuf;
+ certtype = DNS_CERTTYPE_RR61;
}
- name = namebuf;
- certtype = DNS_CERTTYPE_IPGP;
}
else
name = line;
commit 211b8084ee4391baec35e8c5bd75a9ecbcb889a7
Author: Werner Koch <wk at gnupg.org>
Date: Tue Oct 6 19:57:00 2015 +0200
dirmngr: Improve DNS code to retrieve arbitrary records.
* dirmngr/dns-cert.c (get_dns_cert): Add hack to retrieve arbitrary
resource records.
* dirmngr/dns-cert.h (DNS_CERTTYPE_RRBASE): New.
(DNS_CERTTYPE_RR61): New.
--
This has been tested with ADNS on Unix and with the standard
resolver. Because ADNS works it should also work on Windows.
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/dirmngr/dns-cert.c b/dirmngr/dns-cert.c
index 03c1de1..3845a4b 100644
--- a/dirmngr/dns-cert.c
+++ b/dirmngr/dns-cert.c
@@ -99,7 +99,11 @@ get_dns_cert (const char *name, int want_certtype,
return err;
}
- if (adns_synchronous (state, name, (adns_r_unknown | my_adns_r_cert),
+ if (adns_synchronous (state, name,
+ (adns_r_unknown
+ | (want_certtype < DNS_CERTTYPE_RRBASE
+ ? my_adns_r_cert
+ : (want_certtype - DNS_CERTTYPE_RRBASE))),
adns_qf_quoteok_query, &answer))
{
err = gpg_err_make (default_errsource, gpg_err_code_from_syserror ());
@@ -122,6 +126,26 @@ get_dns_cert (const char *name, int want_certtype,
int datalen = answer->rrs.byteblock[count].len;
const unsigned char *data = answer->rrs.byteblock[count].data;
+ /* First check for our generic RR hack. */
+ if (datalen
+ && want_certtype >= DNS_CERTTYPE_RRBASE
+ && ((want_certtype - DNS_CERTTYPE_RRBASE)
+ == (answer->type & ~adns_r_unknown)))
+ {
+ /* Found the requested record - return it. */
+ *r_key = xtrymalloc (datalen);
+ if (!*r_key)
+ err = gpg_err_make (default_errsource,
+ gpg_err_code_from_syserror ());
+ else
+ {
+ memcpy (*r_key, data, datalen);
+ *r_keylen = datalen;
+ err = 0;
+ }
+ goto leave;
+ }
+
if (datalen < 5)
continue; /* Truncated CERT record - skip. */
@@ -219,7 +243,11 @@ get_dns_cert (const char *name, int want_certtype,
err = gpg_err_make (default_errsource, GPG_ERR_NOT_FOUND);
- r = res_query (name, C_IN, T_CERT, answer, 65536);
+ r = res_query (name, C_IN,
+ (want_certtype < DNS_CERTTYPE_RRBASE
+ ? T_CERT
+ : (want_certtype - DNS_CERTTYPE_RRBASE)),
+ answer, 65536);
/* Not too big, not too small, no errors and at least 1 answer. */
if (r >= sizeof (HEADER) && r <= 65536
&& (((HEADER *) answer)->rcode) == NOERROR
@@ -283,7 +311,28 @@ get_dns_cert (const char *name, int want_certtype,
pt += 2;
/* Check the type and parse. */
- if (type == T_CERT)
+ if (want_certtype >= DNS_CERTTYPE_RRBASE
+ && type == (want_certtype - DNS_CERTTYPE_RRBASE)
+ && r_key)
+ {
+ *r_key = xtrymalloc (dlen);
+ if (!*r_key)
+ err = gpg_err_make (default_errsource,
+ gpg_err_code_from_syserror ());
+ else
+ {
+ memcpy (*r_key, pt, dlen);
+ *r_keylen = dlen;
+ err = 0;
+ }
+ goto leave;
+ }
+ else if (want_certtype >= DNS_CERTTYPE_RRBASE)
+ {
+ /* We did not found the requested RR. */
+ pt += dlen;
+ }
+ else if (type == T_CERT)
{
/* We got a CERT type. */
ctype = buf16_to_u16 (pt);
diff --git a/dirmngr/dns-cert.h b/dirmngr/dns-cert.h
index 5a579ec..9dbc58c 100644
--- a/dirmngr/dns-cert.h
+++ b/dirmngr/dns-cert.h
@@ -43,7 +43,9 @@
#define DNS_CERTTYPE_IACPKIX 8 /* The URL of an Attribute Certificate. */
#define DNS_CERTTYPE_URI 253 /* URI private. */
#define DNS_CERTTYPE_OID 254 /* OID private. */
-
+/* Hacks for our implementation. */
+#define DNS_CERTTYPE_RRBASE 1024 /* Base of special constants. */
+#define DNS_CERTTYPE_RR61 (DNS_CERTTYPE_RRBASE + 61)
gpg_error_t get_dns_cert (const char *name, int want_certtype,
void **r_key, size_t *r_keylen,
commit 6cf80dc77ec5df3722924301ff4be2475966937b
Author: Werner Koch <wk at gnupg.org>
Date: Tue Oct 6 17:34:13 2015 +0200
dirmngr: Change DNS code to make additions easier.
* dirmngr/dns-cert.c (get_dns_cert) [!USE_ADNS]: Change loop to allow
adding more resource types.
diff --git a/dirmngr/dns-cert.c b/dirmngr/dns-cert.c
index de523b5..03c1de1 100644
--- a/dirmngr/dns-cert.c
+++ b/dirmngr/dns-cert.c
@@ -53,7 +53,7 @@
/* Not every installation has gotten around to supporting CERTs
yet... */
#ifndef T_CERT
-#define T_CERT 37
+# define T_CERT 37
#endif
/* ADNS has no support for CERT yet. */
@@ -69,7 +69,7 @@
string and returned at R_URL. If WANT_CERTTYPE is 0 this function
returns the first CERT found with a supported type; it is expected
that only one CERT record is used. If WANT_CERTTYPE is one of the
- supported certtypes only records wih this certtype are considered
+ supported certtypes only records with this certtype are considered
and the first found is returned. (R_KEY,R_KEYLEN) are optional. */
gpg_error_t
get_dns_cert (const char *name, int want_certtype,
@@ -282,83 +282,85 @@ get_dns_cert (const char *name, int want_certtype,
dlen = buf16_to_u16 (pt);
pt += 2;
- /* We asked for CERT and got something else - might be a
- CNAME, so loop around again. */
- if (type != T_CERT)
+ /* Check the type and parse. */
+ if (type == T_CERT)
{
- pt += dlen;
- continue;
- }
-
- /* The CERT type */
- ctype = buf16_to_u16 (pt);
- pt += 2;
+ /* We got a CERT type. */
+ ctype = buf16_to_u16 (pt);
+ pt += 2;
- /* Skip the CERT key tag and algo which we don't need. */
- pt += 3;
+ /* Skip the CERT key tag and algo which we don't need. */
+ pt += 3;
- dlen -= 5;
+ dlen -= 5;
- /* 15 bytes takes us to here */
- if (want_certtype && want_certtype != ctype)
- ; /* Not of the requested certtype. */
- else if (ctype == DNS_CERTTYPE_PGP && dlen && r_key && r_keylen)
- {
- /* PGP type */
- *r_key = xtrymalloc (dlen);
- if (!*r_key)
- err = gpg_err_make (default_errsource,
- gpg_err_code_from_syserror ());
- else
+ /* 15 bytes takes us to here */
+ if (want_certtype && want_certtype != ctype)
+ ; /* Not of the requested certtype. */
+ else if (ctype == DNS_CERTTYPE_PGP && dlen && r_key && r_keylen)
{
- memcpy (*r_key, pt, dlen);
- *r_keylen = dlen;
- err = 0;
+ /* PGP type */
+ *r_key = xtrymalloc (dlen);
+ if (!*r_key)
+ err = gpg_err_make (default_errsource,
+ gpg_err_code_from_syserror ());
+ else
+ {
+ memcpy (*r_key, pt, dlen);
+ *r_keylen = dlen;
+ err = 0;
+ }
+ goto leave;
}
- goto leave;
- }
- else if (ctype == DNS_CERTTYPE_IPGP
- && dlen && dlen < 1023 && dlen >= pt[0] + 1)
- {
- /* IPGP type */
- *r_fprlen = pt[0];
- if (*r_fprlen)
+ else if (ctype == DNS_CERTTYPE_IPGP
+ && dlen && dlen < 1023 && dlen >= pt[0] + 1)
{
- *r_fpr = xtrymalloc (*r_fprlen);
- if (!*r_fpr)
+ /* IPGP type */
+ *r_fprlen = pt[0];
+ if (*r_fprlen)
{
- err = gpg_err_make (default_errsource,
- gpg_err_code_from_syserror ());
- goto leave;
+ *r_fpr = xtrymalloc (*r_fprlen);
+ if (!*r_fpr)
+ {
+ err = gpg_err_make (default_errsource,
+ gpg_err_code_from_syserror ());
+ goto leave;
+ }
+ memcpy (*r_fpr, &pt[1], *r_fprlen);
}
- memcpy (*r_fpr, &pt[1], *r_fprlen);
- }
- else
- *r_fpr = NULL;
+ else
+ *r_fpr = NULL;
- if (dlen > *r_fprlen + 1)
- {
- *r_url = xtrymalloc (dlen - (*r_fprlen + 1) + 1);
- if (!*r_fpr)
+ if (dlen > *r_fprlen + 1)
{
- err = gpg_err_make (default_errsource,
- gpg_err_code_from_syserror ());
- xfree (*r_fpr);
- *r_fpr = NULL;
- goto leave;
+ *r_url = xtrymalloc (dlen - (*r_fprlen + 1) + 1);
+ if (!*r_fpr)
+ {
+ err = gpg_err_make (default_errsource,
+ gpg_err_code_from_syserror ());
+ xfree (*r_fpr);
+ *r_fpr = NULL;
+ goto leave;
+ }
+ memcpy (*r_url, &pt[*r_fprlen + 1],
+ dlen - (*r_fprlen + 1));
+ (*r_url)[dlen - (*r_fprlen + 1)] = '\0';
}
- memcpy (*r_url, &pt[*r_fprlen + 1], dlen - (*r_fprlen + 1));
- (*r_url)[dlen - (*r_fprlen + 1)] = '\0';
+ else
+ *r_url = NULL;
+
+ err = 0;
+ goto leave;
}
- else
- *r_url = NULL;
- err = 0;
- goto leave;
+ /* No subtype matches, so continue with the next answer. */
+ pt += dlen;
+ }
+ else
+ {
+ /* Not a requested type - might be a CNAME. Try next item. */
+ pt += dlen;
}
-
- /* Neither type matches, so go around to the next answer. */
- pt += dlen;
}
}
-----------------------------------------------------------------------
Summary of changes:
dirmngr/dns-cert.c | 165 +++++++++++++++++++++++++++++++++++------------------
dirmngr/dns-cert.h | 4 +-
dirmngr/server.c | 71 +++++++++++++++++------
3 files changed, 165 insertions(+), 75 deletions(-)
hooks/post-receive
--
The GNU Privacy Guard
http://git.gnupg.org
More information about the Gnupg-commits
mailing list