authorWerner Koch <wk@gnupg.org>2021-01-19 10:33:03 +0100
committerWerner Koch <wk@gnupg.org>2021-01-19 10:33:03 +0100
commit9500432b7ae10d98b30c58de4357e2ffb93bf795 (patch)
tree63ebc784ad1b417a75df15ccda1d2b335add61c9
parent93d5d7ea2a8b110b3ad88be25f2f67d706361e44 (diff)
Require Libgcrypt 1.9
* configure.ac: Require at least Libgcrypt 1.9.0. Remove all GCRYPT_VERSION_NUMBER dependent code. -- Only Libgcrypt 1.9 implements EAX which is a mandatory algorithm in RFC4880bis. Signed-off-by: Werner Koch <wk@gnupg.org>
-rw-r--r--agent/command.c4
-rw-r--r--agent/gpg-agent.c19
-rw-r--r--agent/pksign.c6
-rw-r--r--common/compliance.c4
-rw-r--r--common/sexputil.c2
-rw-r--r--configure.ac2
-rw-r--r--dirmngr/dns-stuff.c24
-rw-r--r--dirmngr/ks-engine-hkp.c3
-rw-r--r--g10/misc.c10
-rw-r--r--sm/certdump.c11
-rw-r--r--tools/gpgconf.c2
11 files changed, 24 insertions, 63 deletions
diff --git a/agent/command.c b/agent/command.c
index 9c5f7b03b..8384560cd 100644
--- a/agent/command.c
+++ b/agent/command.c
@@ -3530,7 +3530,6 @@ cmd_getinfo (assuan_context_t ctx, char *line)
}
else if (!strcmp (line, "jent_active"))
{
-#if GCRYPT_VERSION_NUMBER >= 0x010800
char *buf;
const char *fields[5];
@@ -3542,9 +3541,6 @@ cmd_getinfo (assuan_context_t ctx, char *line)
else
rc = gpg_error (GPG_ERR_FALSE);
gcry_free (buf);
-#else
- rc = gpg_error (GPG_ERR_FALSE);
-#endif
}
else if (!strcmp (line, "s2k_count_cal"))
{
diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
index 546af81a0..b3a0c230c 100644
--- a/agent/gpg-agent.c
+++ b/agent/gpg-agent.c
@@ -1007,9 +1007,7 @@ thread_init_once (void)
* has already been initialized but at that point nPth was not
* initialized and thus Libgcrypt could not set its system call
* clamp. */
-#if GCRYPT_VERSION_NUMBER >= 0x010800 /* 1.8.0 */
gcry_control (GCRYCTL_REINIT_SYSCALL_CLAMP, 0, 0);
-#endif
}
@@ -1817,23 +1815,6 @@ agent_libgcrypt_progress_cb (void *data, const char *what, int printchar,
break;
if (dispatch && dispatch->cb)
dispatch->cb (dispatch->ctrl, what, printchar, current, total);
-
- /* Libgcrypt < 1.8 does not know about nPth and thus when it reads
- * from /dev/random this will block the process. To mitigate this
- * problem we yield the thread when Libgcrypt tells us that it needs
- * more entropy. This way other threads have chance to run. */
-#if GCRYPT_VERSION_NUMBER < 0x010800 /* 1.8.0 */
- if (what && !strcmp (what, "need_entropy"))
- {
-#if GPGRT_VERSION_NUMBER < 0x011900 /* 1.25 */
- /* In older gpg-error versions gpgrt_yield is buggy for use with
- * nPth and thus we need to resort to a sleep call. */
- npth_usleep (1000); /* 1ms */
-#else
- gpgrt_yield ();
-#endif
- }
-#endif
}
diff --git a/agent/pksign.c b/agent/pksign.c
index d9ffe6019..ca9a35292 100644
--- a/agent/pksign.c
+++ b/agent/pksign.c
@@ -513,12 +513,6 @@ agent_pksign_do (ctrl_t ctrl, const char *cache_nonce,
if (err)
goto leave;
- if (algo == GCRY_PK_RSA && GCRYPT_VERSION_NUMBER < 0x010700)
- {
- /* It's RSA and Libgcrypt < 1.7 */
- check_signature = 1;
- }
-
if (DBG_CRYPTO)
{
gcry_log_debugsxp ("skey", s_skey);
diff --git a/common/compliance.c b/common/compliance.c
index 849e0bfc6..0c785799e 100644
--- a/common/compliance.c
+++ b/common/compliance.c
@@ -499,7 +499,6 @@ gnupg_rng_is_compliant (enum gnupg_compliance_mode compliance)
/* In DE_VS mode under Windows we require that the JENT RNG
* is active. */
#ifdef HAVE_W32_SYSTEM
-# if GCRYPT_VERSION_NUMBER >= 0x010800
char *buf;
const char *fields[5];
@@ -511,9 +510,6 @@ gnupg_rng_is_compliant (enum gnupg_compliance_mode compliance)
else
result = 0;
gcry_free (buf);
-# else
- result = 0; /* No JENT - can't be compliant. */
-# endif
#else /*!HAVE_W32_SYSTEM*/
result = 1; /* Not Windows - RNG is good. */
#endif /*!HAVE_W32_SYSTEM*/
diff --git a/common/sexputil.c b/common/sexputil.c
index 9bb1d6bdc..1fb00776f 100644
--- a/common/sexputil.c
+++ b/common/sexputil.c
@@ -871,9 +871,7 @@ hash_algo_to_string (int algo)
{ "md4", GCRY_MD_MD4 },
{ "tiger", GCRY_MD_TIGER },
{ "haval", GCRY_MD_HAVAL },
-#if GCRYPT_VERSION_NUMBER >= 0x010900
{ "sm3", GCRY_MD_SM3 },
-#endif
{ "md5", GCRY_MD_MD5 }
};
int i;
diff --git a/configure.ac b/configure.ac
index b6b8d1e01..ea64ce19a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -56,7 +56,7 @@ AC_DEFINE_UNQUOTED(GNUPG_SWDB_TAG, "gnupg24", [swdb tag for this branch])
NEED_GPG_ERROR_VERSION=1.38
NEED_LIBGCRYPT_API=1
-NEED_LIBGCRYPT_VERSION=1.8.0
+NEED_LIBGCRYPT_VERSION=1.9.0
NEED_LIBASSUAN_API=2
NEED_LIBASSUAN_VERSION=2.5.0
diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
index cdda86d63..0edbc0442 100644
--- a/dirmngr/dns-stuff.c
+++ b/dirmngr/dns-stuff.c
@@ -2461,15 +2461,27 @@ check_inet_support (int *r_v4, int *r_v6)
log_debug ("%s: addr: %s\n", __func__, buffer);
}
}
+ }
+
+ for (ai = aibuf; ai; ai = ai->ai_next)
+ {
+ if (ai->ai_family == AF_INET)
+ *r_v4 = 1;
+ }
+ for (ai = aibuf; ai; ai = ai->ai_next)
+ {
if (ai->ai_family == AF_INET6)
{
struct sockaddr_in6 *v6addr = (struct sockaddr_in6 *)ai->ai_addr;
- if (!IN6_IS_ADDR_LINKLOCAL (&v6addr->sin6_addr))
- *r_v6 = 1;
- }
- else if (ai->ai_family == AF_INET)
- {
- *r_v4 = 1;
+ if (!IN6_IS_ADDR_LINKLOCAL (&v6addr->sin6_addr)
+ && (!*r_v4 || !IN6_IS_ADDR_LOOPBACK (&v6addr->sin6_addr)))
+ {
+ /* We only assume v6 if we do not have a v4 address or
+ * if the address is not ::1. Linklocal never
+ * indicates v6 support. */
+ *r_v6 = 1;
+ break;
+ }
}
}
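Review bot: The second loop's decision reads `*r_v4`, so the v6 result depends on `*r_v4` having been cleared before the first loop runs; that initialisation is not visible in this hunk (check_inet_support begins above it) and should be confirmed. As written, any AF_INET entry, including a loopback one, counts as v4 support, while `::1` is discounted only when v4 was found, so a host that has only `::1` still reports v6. If that asymmetry is intended, a comment above the two loops should say so, for example `/* Pass 1 must complete first: the ::1 test in pass 2 depends on the final value of *r_v4. */`. This behavioural change is also not mentioned in the commit description, which covers only the Libgcrypt requirement.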
diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index b31557b60..93c676b6a 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -232,6 +232,9 @@ select_random_host (hostinfo_t hi)
size_t tblsize;
int pidx, idx;
+ /* CHECKTHIS(); See */
+ /* https://sources.debian.org/patches/gnupg2/2.2.20-1/dirmngr-idling/dirmngr-hkp-Avoid-potential-race-condition-when-some.patch/ */
+
/* We create a new table so that we randomly select only from
currently alive hosts. */
for (idx = 0, tblsize = 0;
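Review bot: The comment added at the top of select_random_host is an open `CHECKTHIS` marker that only links to an external Debian patch and does not say what has to be checked or by whom. Judging by the patch file name it concerns a potential race condition in this host selection code, and that concern should be stated in the source so it stays tracked even if the URL stops resolving. Something like `/* FIXME: Review for the potential race condition addressed by Debian's dirmngr-hkp-Avoid-potential-race-condition-when-some.patch (gnupg2 2.2.20-1). */` would do. The marker is unrelated to the Libgcrypt requirement named in the commit description, and the function body continues outside the hunk.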
diff --git a/g10/misc.c b/g10/misc.c
index 147592827..cd5c1bd7a 100644
--- a/g10/misc.c
+++ b/g10/misc.c
@@ -620,20 +620,14 @@ openpgp_aead_test_algo (aead_algo_t algo)
/* FIXME: We currently have no easy way to test whether libgcrypt
* implements a mode. The only way we can do this is to open a
* cipher context with that mode and close it immediately. That is
- * a bit costly. So we look at the libgcrypt version and assume
- * nothing has been patched out. */
+ * a bit costly. Thus in case we add another algo we need to look
+ * at the libgcrypt version and assume nothing has been patched out. */
switch (algo)
{
case AEAD_ALGO_NONE:
break;
case AEAD_ALGO_EAX:
-#if GCRYPT_VERSION_NUMBER < 0x010900
- break;
-#else
- return 0;
-#endif
-
case AEAD_ALGO_OCB:
return 0;
}
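Review bot: With the version guard removed, `case AEAD_ALGO_EAX:` now reports the algorithm as usable unconditionally, so its correctness rests solely on `NEED_LIBGCRYPT_VERSION=1.9.0` in configure.ac, and the rewritten FIXME does not record that dependency. A one-line comment on the case, e.g. `/* EAX is guaranteed by the Libgcrypt 1.9.0 minimum set in configure.ac. */`, would tell whoever next changes the minimum to revisit this switch. Whether the version of the library actually loaded is also verified at run time is not visible here. If it is not, an older or reduced build would only be noticed when the cipher context is opened. The function starts and ends outside the hunk.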
diff --git a/sm/certdump.c b/sm/certdump.c
index fec2412fd..5c9f8a96b 100644
--- a/sm/certdump.c
+++ b/sm/certdump.c
@@ -103,11 +103,7 @@ gpgsm_print_serial_decimal (estream_t fp, ksba_const_sexp_t sn)
unsigned long n, i;
char *endp;
gcry_mpi_t a, r, ten;
-#if GCRYPT_VERSION_NUMBER >= 0x010900 /* >= 1.9.0 */
unsigned int dd;
-#else
- unsigned char numbuf[10];
-#endif
if (!p)
es_fputs (_("none"), fp);
@@ -134,15 +130,8 @@ gpgsm_print_serial_decimal (estream_t fp, ksba_const_sexp_t sn)
do
{
gcry_mpi_div (a, r, a, ten, 0);
-#if GCRYPT_VERSION_NUMBER >= 0x010900 /* >= 1.9.0 */
gcry_mpi_get_ui (&dd, r);
put_membuf_printf (&mb, "%u", dd);
-#else
- *numbuf = 0; /* Need to clear because USB format prints
- * an empty string for a value of 0. */
- gcry_mpi_print (GCRYMPI_FMT_USG, numbuf, 10, NULL, r);
- put_membuf_printf (&mb, "%u", (unsigned int)*numbuf);
-#endif
}
while (gcry_mpi_cmp_ui (a, 0));
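Review bot: The result of `gcry_mpi_get_ui (&dd, r)` is ignored and `dd` is declared without an initializer in the previous hunk of this file, so if the call ever returned an error, `put_membuf_printf` would format an indeterminate value into the displayed certificate serial number. A remainder of a division by ten should always fit, so this is defensive, but it is now the only code path. At minimum declare `unsigned int dd = 0;`; better, test the return value and take the function's existing failure handling, which lies outside the hunk.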
diff --git a/tools/gpgconf.c b/tools/gpgconf.c
index 181109f9a..13170e452 100644
--- a/tools/gpgconf.c
+++ b/tools/gpgconf.c
@@ -1040,11 +1040,9 @@ show_version_libgcrypt (estream_t fp)
s = get_revision_from_blurb (gcry_check_version ("\x01\x01"), &n);
es_fprintf (fp, "* Libgcrypt %s (%.*s)\n",
gcry_check_version (NULL), n, s);
-#if GCRYPT_VERSION_NUMBER >= 0x010800
s = gcry_get_config (0, NULL);
if (s)
es_fputs (s, fp);
-#endif
}