1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-11-01 20:18:44 +01:00
gnupg/common/dns-cert.c

293 lines
7.5 KiB
C
Raw Normal View History

2006-06-16 13:49:27 +02:00
/* dns-cert.c - DNS CERT code
* Copyright (C) 2005, 2006, 2009 Free Software Foundation, Inc.
2006-06-16 13:49:27 +02:00
*
* This file is part of GNUPG.
*
* GNUPG is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
2007-07-04 21:49:40 +02:00
* the Free Software Foundation; either version 3 of the License, or
2006-06-16 13:49:27 +02:00
* (at your option) any later version.
*
* GNUPG is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
2007-07-04 21:49:40 +02:00
* along with this program; if not, see <http://www.gnu.org/licenses/>.
2006-06-16 13:49:27 +02:00
*/
#include <config.h>
#include <sys/types.h>
#ifdef USE_DNS_CERT
# ifdef HAVE_W32_SYSTEM
2009-12-08 13:20:11 +01:00
# include <windows.h>
2006-06-16 13:49:27 +02:00
# else
2009-12-08 13:20:11 +01:00
# include <netinet/in.h>
# include <arpa/nameser.h>
# include <resolv.h>
# endif
# include <string.h>
#endif
#ifdef USE_ADNS
# include <adns.h>
# ifndef HAVE_ADNS_FREE
# define adns_free free
2006-06-16 13:49:27 +02:00
# endif
#endif
#include "util.h"
#include "iobuf.h"
#include "dns-cert.h"
/* Not every installation has gotten around to supporting CERTs
yet... */
#ifndef T_CERT
#define T_CERT 37
#endif
/* ADNS has no support for CERT yet. */
2009-12-08 13:20:11 +01:00
#define my_adns_r_cert 37
2006-06-16 13:49:27 +02:00
/* Returns -1 on error, 0 for no answer, 1 for PGP provided and 2 for
IPGP provided. Note that this function retruns the first CERT
2009-12-08 13:20:11 +01:00
found with a supported type; it is expected that only one CERT
record is used. */
2006-06-16 13:49:27 +02:00
int
2011-11-28 18:35:19 +01:00
get_dns_cert (const char *name, size_t max_size, IOBUF * iobuf,
unsigned char **fpr, size_t * fpr_len, char **url)
2006-06-16 13:49:27 +02:00
{
#ifdef USE_DNS_CERT
2009-12-08 13:20:11 +01:00
#ifdef USE_ADNS
adns_state state;
adns_answer *answer = NULL;
int rc;
unsigned int ctype;
int count;
rc = adns_init (&state, adns_if_noerrprint, NULL);
if (rc)
{
log_error ("error initializing adns: %s\n", strerror (errno));
return -1;
}
rc = adns_synchronous (state, name, (adns_r_unknown | my_adns_r_cert),
adns_qf_quoteok_query, &answer);
if (rc)
{
/* log_error ("DNS query failed: %s\n", strerror (errno)); */
adns_finish (state);
return -1;
}
if (answer->status != adns_s_ok)
2009-12-08 13:20:11 +01:00
{
/* log_error ("DNS query returned an error: %s (%s)\n", */
/* adns_strerror (answer->status), */
/* adns_errabbrev (answer->status)); */
adns_free (answer);
adns_finish (state);
return 0;
}
2011-11-28 18:35:19 +01:00
for (rc = 0, count = 0; !rc && count < answer->nrrs; count++)
2009-12-08 13:20:11 +01:00
{
int datalen = answer->rrs.byteblock[count].len;
const unsigned char *data = answer->rrs.byteblock[count].data;
if (datalen < 5)
continue; /* Truncated CERT record - skip. */
2011-11-28 18:35:19 +01:00
ctype = ((data[0] << 8) | data[1]);
2009-12-08 13:20:11 +01:00
/* (key tag and algorithm fields are not required.) */
data += 5;
datalen -= 5;
if (ctype == 3 && datalen >= 11)
{
/* CERT type is PGP. Gpg checks for a minimum length of 11,
thus we do the same. */
2011-11-28 18:35:19 +01:00
*iobuf = iobuf_temp_with_content ((char *)data, datalen);
2009-12-08 13:20:11 +01:00
rc = 1;
}
else if (ctype == 6 && datalen && datalen < 1023
2011-11-28 18:35:19 +01:00
&& datalen >= data[0] + 1 && fpr && fpr_len && url)
2009-12-08 13:20:11 +01:00
{
/* CERT type is IPGP. We made sure tha the data is
plausible and that the caller requested the
information. */
*fpr_len = data[0];
if (*fpr_len)
{
*fpr = xmalloc (*fpr_len);
2011-11-28 18:35:19 +01:00
memcpy (*fpr, data + 1, *fpr_len);
2009-12-08 13:20:11 +01:00
}
else
*fpr = NULL;
2009-12-08 13:20:11 +01:00
if (datalen > *fpr_len + 1)
{
2011-11-28 18:35:19 +01:00
*url = xmalloc (datalen - (*fpr_len + 1) + 1);
memcpy (*url, data + (*fpr_len + 1), datalen - (*fpr_len + 1));
(*url)[datalen - (*fpr_len + 1)] = '\0';
2009-12-08 13:20:11 +01:00
}
else
*url = NULL;
2009-12-08 13:20:11 +01:00
rc = 2;
}
}
2009-12-08 13:20:11 +01:00
adns_free (answer);
adns_finish (state);
return rc;
#else /*!USE_ADNS*/
2006-06-16 13:49:27 +02:00
unsigned char *answer;
2011-11-28 18:35:19 +01:00
int ret = -1;
int r;
2006-06-16 13:49:27 +02:00
u16 count;
2011-11-28 18:35:19 +01:00
if (fpr)
*fpr = NULL;
2006-06-16 13:49:27 +02:00
2011-11-28 18:35:19 +01:00
if (url)
*url = NULL;
2006-06-16 13:49:27 +02:00
2011-11-28 18:35:19 +01:00
answer = xmalloc (max_size);
2006-06-16 13:49:27 +02:00
2011-11-28 18:35:19 +01:00
r = res_query (name, C_IN, T_CERT, answer, max_size);
2006-06-16 13:49:27 +02:00
/* Not too big, not too small, no errors and at least 1 answer. */
2011-11-28 18:35:19 +01:00
if (r >= sizeof (HEADER) && r <= max_size
&& (((HEADER *) answer)->rcode) == NOERROR
&& (count = ntohs (((HEADER *) answer)->ancount)))
2006-06-16 13:49:27 +02:00
{
int rc;
2011-11-28 18:35:19 +01:00
unsigned char *pt, *emsg;
2006-06-16 13:49:27 +02:00
2011-11-28 18:35:19 +01:00
emsg = &answer[r];
2006-06-16 13:49:27 +02:00
2011-11-28 18:35:19 +01:00
pt = &answer[sizeof (HEADER)];
2006-06-16 13:49:27 +02:00
/* Skip over the query */
2011-11-28 18:35:19 +01:00
rc = dn_skipname (pt, emsg);
if (rc == -1)
goto fail;
2006-06-16 13:49:27 +02:00
2011-11-28 18:35:19 +01:00
pt += rc + QFIXEDSZ;
2006-06-16 13:49:27 +02:00
/* There are several possible response types for a CERT request.
2011-11-28 18:35:19 +01:00
We're interested in the PGP (a key) and IPGP (a URI) types.
Skip all others. TODO: A key is better than a URI since
we've gone through all this bother to fetch it, so favor that
if we have both PGP and IPGP? */
while (count-- > 0 && pt < emsg)
{
u16 type, class, dlen, ctype;
rc = dn_skipname (pt, emsg); /* the name we just queried for */
if (rc == -1)
break;
pt += rc;
/* Truncated message? 15 bytes takes us to the point where
we start looking at the ctype. */
if ((emsg - pt) < 15)
break;
type = *pt++ << 8;
type |= *pt++;
class = *pt++ << 8;
class |= *pt++;
/* We asked for IN and got something else !? */
if (class != C_IN)
break;
/* ttl */
pt += 4;
/* data length */
dlen = *pt++ << 8;
dlen |= *pt++;
/* We asked for CERT and got something else - might be a
CNAME, so loop around again. */
if (type != T_CERT)
{
pt += dlen;
continue;
}
/* The CERT type */
ctype = *pt++ << 8;
ctype |= *pt++;
/* Skip the CERT key tag and algo which we don't need. */
pt += 3;
dlen -= 5;
/* 15 bytes takes us to here */
if (ctype == 3 && iobuf && dlen)
{
/* PGP type */
*iobuf = iobuf_temp_with_content ((char *) pt, dlen);
ret = 1;
break;
}
else if (ctype == 6 && dlen && dlen < 1023 && dlen >= pt[0] + 1
&& fpr && fpr_len && url)
{
/* IPGP type */
*fpr_len = pt[0];
if (*fpr_len)
{
*fpr = xmalloc (*fpr_len);
memcpy (*fpr, &pt[1], *fpr_len);
}
else
*fpr = NULL;
if (dlen > *fpr_len + 1)
{
*url = xmalloc (dlen - (*fpr_len + 1) + 1);
memcpy (*url, &pt[*fpr_len + 1], dlen - (*fpr_len + 1));
(*url)[dlen - (*fpr_len + 1)] = '\0';
}
else
*url = NULL;
ret = 2;
break;
}
/* Neither type matches, so go around to the next answer. */
pt += dlen;
}
2006-06-16 13:49:27 +02:00
}
fail:
2011-11-28 18:35:19 +01:00
xfree (answer);
2006-06-16 13:49:27 +02:00
return ret;
2011-11-28 18:35:19 +01:00
#endif /*!USE_ADNS */
2006-06-16 13:49:27 +02:00
#else /* !USE_DNS_CERT */
(void)name;
(void)max_size;
(void)iobuf;
(void)fpr;
(void)fpr_len;
(void)url;
2006-06-16 13:49:27 +02:00
return -1;
#endif
}