security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00
Code Activity

dirmngr: Implement CERT record lookup via libdns.

Browse Source 
* dirmngr/dns-stuff.c (get_dns_cert_libdns): New.
(get_dns_cert_standard): Fix URL malloc checking.

Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2016-12-14 14:11:33 +01:00
parent 4c13e4e3de
commit 3c2a7918ea
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
1 changed files with 188 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

190
dirmngr/dns-stuff.c
View File

@ -719,7 +719,193 @@ get_dns_cert_libdns (const char *name, int want_certtype,
void **r_key, size_t *r_keylen,
unsigned char **r_fpr, size_t *r_fprlen, char **r_url)
{
return gpg_error (GPG_ERR_NOT_IMPLEMENTED);
gpg_error_t err;
struct dns_resolver *res = NULL;
struct dns_packet *ans = NULL;
struct dns_rr rr;
struct dns_rr_i rri;
char host[DNS_D_MAXNAME + 1];
int derr;
int srvcount = 0;
int qtype;
/* Gte the query type from WANT_CERTTYPE (which in general indicates
* the subtype we want). */
qtype = (want_certtype < DNS_CERTTYPE_RRBASE
? T_CERT
: (want_certtype - DNS_CERTTYPE_RRBASE));
err = libdns_init ();
if (err)
goto leave;
res = dns_res_open (libdns.resolv_conf, libdns.hosts, libdns.hints, NULL,
dns_opts (/*.socks_host=&libdns.socks_host*/), &derr);
if (!res)
{
err = libdns_error_to_gpg_error (derr);
goto leave;
}
if (dns_d_anchor (host, sizeof host, name, strlen (name)) >= sizeof host)
{
err = gpg_error (GPG_ERR_ENAMETOOLONG);
goto leave;
}
err = libdns_error_to_gpg_error (dns_res_submit (res, name, qtype, DNS_C_IN));
if (err)
goto leave;
/* Loop until we found a record. */
while ((err = libdns_error_to_gpg_error (dns_res_check (res))))
{
if (gpg_err_code (err) == GPG_ERR_EAGAIN)
{
if (dns_res_elapsed (res) > 30)
{
err = gpg_error (GPG_ERR_DNS_TIMEOUT);
goto leave;
}
my_unprotect ();
dns_res_poll (res, 1);
my_protect ();
}
else if (err)
goto leave;
}
ans = dns_res_fetch (res, &derr);
if (!ans)
{
err = libdns_error_to_gpg_error (derr);
goto leave;
}
/* Check the rcode. */
switch (dns_p_rcode (ans))
{
case DNS_RC_NOERROR: break;
case DNS_RC_NXDOMAIN: err = gpg_error (GPG_ERR_NO_NAME); break;
default: err = GPG_ERR_SERVER_FAILED; break;
}
if (err)
goto leave;
memset (&rri, 0, sizeof rri);
dns_rr_i_init (&rri, ans);
rri.section = DNS_S_ALL & ~DNS_S_QD;
rri.name = host;
rri.type = qtype;
err = gpg_error (GPG_ERR_NOT_FOUND);
while (dns_rr_grep (&rr, 1, &rri, ans, &derr))
{
unsigned char *rp = ans->data + rr.rd.p;
unsigned short len = rr.rd.len;
u16 subtype;
if (!len)
{
/* Definitely too short - skip. */
}
else if (want_certtype >= DNS_CERTTYPE_RRBASE
&& rr.type == (want_certtype - DNS_CERTTYPE_RRBASE)
&& r_key)
{
*r_key = xtrymalloc (len);
if (!*r_key)
err = gpg_error_from_syserror ();
else
{
memcpy (*r_key, rp, len);
*r_keylen = len;
err = 0;
}
goto leave;
}
else if (want_certtype >= DNS_CERTTYPE_RRBASE)
{
/* We did not found the requested RR - skip. */
}
else if (rr.type == T_CERT && len > 5)
{
/* We got a CERT type. */
subtype = buf16_to_u16 (rp);
rp += 2; len -= 2;
/* Skip the CERT key tag and algo which we don't need. */
rp += 3; len -= 3;
if (want_certtype && want_certtype != subtype)
; /* Not the requested subtype - skip. */
else if (subtype == DNS_CERTTYPE_PGP && len && r_key && r_keylen)
{
/* PGP subtype */
*r_key = xtrymalloc (len);
if (!*r_key)
err = gpg_error_from_syserror ();
else
{
memcpy (*r_key, rp, len);
*r_keylen = len;
err = 0;
}
goto leave;
}
else if (subtype == DNS_CERTTYPE_IPGP
&& len && len < 1023 && len >= rp[0] + 1)
{
/* IPGP type */
*r_fprlen = rp[0];
if (*r_fprlen)
{
*r_fpr = xtrymalloc (*r_fprlen);
if (!*r_fpr)
{
err = gpg_error_from_syserror ();
goto leave;
}
memcpy (*r_fpr, rp+1, *r_fprlen);
}
else
*r_fpr = NULL;
if (len > *r_fprlen + 1)
{
*r_url = xtrymalloc (len - (*r_fprlen + 1) + 1);
if (!*r_url)
{
err = gpg_error_from_syserror ();
xfree (*r_fpr);
*r_fpr = NULL;
goto leave;
}
memcpy (*r_url, rp + *r_fprlen + 1, len - (*r_fprlen + 1));
(*r_url)[len - (*r_fprlen + 1)] = 0;
}
else
*r_url = NULL;
err = 0;
goto leave;
}
else
{
/* Unknown subtype or record too short - skip. */
}
}
else
{
/* Not a requested type - skip. */
}
}
leave:
dns_free (ans);
dns_res_close (res);
return err;
}
@ -878,7 +1064,7 @@ get_dns_cert_standard (const char *name, int want_certtype,
if (dlen > *r_fprlen + 1)
{
*r_url = xtrymalloc (dlen - (*r_fprlen + 1) + 1);
if (!*r_fpr)
if (!*r_url)
{
err = gpg_error_from_syserror ();
xfree (*r_fpr);