diff options
Diffstat (limited to 'common')
| -rw-r--r-- | common/Makefile.am | 8 | ||||
| -rw-r--r-- | common/dns-cert.c | 368 | ||||
| -rw-r--r-- | common/dns-cert.h | 55 | ||||
| -rw-r--r-- | common/pka.c | 107 | ||||
| -rw-r--r-- | common/pka.h | 35 | ||||
| -rw-r--r-- | common/t-dns-cert.c | 95 | ||||
| -rw-r--r-- | common/t-pka.c | 72 |
7 files changed, 2 insertions, 738 deletions
diff --git a/common/Makefile.am b/common/Makefile.am index 4493ae7c5..d137df871 100644 --- a/common/Makefile.am +++ b/common/Makefile.am @@ -87,8 +87,6 @@ common_sources = \ signal.c \ audit.c audit.h \ srv.h \ - dns-cert.c dns-cert.h \ - pka.c pka.h \ localename.c \ session-env.c session-env.h \ userids.c userids.h \ @@ -177,8 +175,8 @@ if HAVE_W32_SYSTEM jnlib_tests += t-w32-reg endif module_tests = t-convert t-percent t-gettime t-sysutils t-sexputil \ - t-session-env t-openpgp-oid t-ssh-utils t-dns-cert \ - t-pka t-mapstrings t-zb32 t-mbox-util + t-session-env t-openpgp-oid t-ssh-utils \ + t-mapstrings t-zb32 t-mbox-util if !HAVE_W32CE_SYSTEM module_tests += t-exechelp endif @@ -221,8 +219,6 @@ t_exechelp_LDADD = $(t_common_ldadd) t_session_env_LDADD = $(t_common_ldadd) t_openpgp_oid_LDADD = $(t_common_ldadd) t_ssh_utils_LDADD = $(t_common_ldadd) -t_dns_cert_LDADD = $(t_common_ldadd) $(DNSLIBS) -t_pka_LDADD = $(t_common_ldadd) $(DNSLIBS) t_mapstrings_LDADD = $(t_common_ldadd) t_zb32_LDADD = $(t_common_ldadd) t_mbox_util_LDADD = $(t_common_ldadd) diff --git a/common/dns-cert.c b/common/dns-cert.c deleted file mode 100644 index 405ca293e..000000000 --- a/common/dns-cert.c +++ /dev/null @@ -1,368 +0,0 @@ -/* dns-cert.c - DNS CERT code (rfc-4398) - * Copyright (C) 2005, 2006, 2009 Free Software Foundation, Inc. - * - * This file is part of GNUPG. - * - * This file is free software; you can redistribute it and/or modify - * it under the terms of either - * - * - the GNU Lesser General Public License as published by the Free - * Software Foundation; either version 3 of the License, or (at - * your option) any later version. - * - * or - * - * - the GNU General Public License as published by the Free - * Software Foundation; either version 2 of the License, or (at - * your option) any later version. - * - * or both in parallel, as here. - * - * This file is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, see <http://www.gnu.org/licenses/>. - */ - -#include <config.h> -#include <sys/types.h> -#ifdef USE_DNS_CERT -# ifdef HAVE_W32_SYSTEM -# ifdef HAVE_WINSOCK2_H -# include <winsock2.h> -# endif -# include <windows.h> -# else -# include <netinet/in.h> -# include <arpa/nameser.h> -# include <resolv.h> -# endif -# include <string.h> -#endif -#ifdef USE_ADNS -# include <adns.h> -#endif - -#include "util.h" -#include "host2net.h" -#include "dns-cert.h" - -/* Not every installation has gotten around to supporting CERTs - yet... */ -#ifndef T_CERT -#define T_CERT 37 -#endif - -/* ADNS has no support for CERT yet. */ -#define my_adns_r_cert 37 - - - -/* Returns 0 on success or an error code. If a PGP CERT record was - found, a new estream with that key will be returned at R_KEY and - the other return parameters are set to NULL/0. If an IPGP CERT - record was found the fingerprint is stored as an allocated block at - R_FPR and its length at R_FPRLEN; an URL is is allocated as a - string and returned at R_URL. If WANT_CERTTYPE is 0 this function - returns the first CERT found with a supported type; it is expected - that only one CERT record is used. If WANT_CERTTYPE is one of the - supported certtypes only records wih this certtype are considered - and the first found is returned. R_KEY is optional. */ -gpg_error_t -get_dns_cert (const char *name, int want_certtype, - estream_t *r_key, - unsigned char **r_fpr, size_t *r_fprlen, char **r_url) -{ -#ifdef USE_DNS_CERT -#ifdef USE_ADNS - gpg_error_t err; - adns_state state; - adns_answer *answer = NULL; - unsigned int ctype; - int count; - - if (r_key) - *r_key = NULL; - *r_fpr = NULL; - *r_fprlen = 0; - *r_url = NULL; - - if (adns_init (&state, adns_if_noerrprint, NULL)) - { - err = gpg_err_make (default_errsource, gpg_err_code_from_syserror ()); - log_error ("error initializing adns: %s\n", strerror (errno)); - return err; - } - - if (adns_synchronous (state, name, (adns_r_unknown | my_adns_r_cert), - adns_qf_quoteok_query, &answer)) - { - err = gpg_err_make (default_errsource, gpg_err_code_from_syserror ()); - /* log_error ("DNS query failed: %s\n", strerror (errno)); */ - adns_finish (state); - return err; - } - if (answer->status != adns_s_ok) - { - /* log_error ("DNS query returned an error: %s (%s)\n", */ - /* adns_strerror (answer->status), */ - /* adns_errabbrev (answer->status)); */ - err = gpg_err_make (default_errsource, GPG_ERR_NOT_FOUND); - goto leave; - } - - err = gpg_err_make (default_errsource, GPG_ERR_NOT_FOUND); - for (count = 0; count < answer->nrrs; count++) - { - int datalen = answer->rrs.byteblock[count].len; - const unsigned char *data = answer->rrs.byteblock[count].data; - - if (datalen < 5) - continue; /* Truncated CERT record - skip. */ - - ctype = buf16_to_uint (data); - /* (key tag and algorithm fields are not required.) */ - data += 5; - datalen -= 5; - - if (want_certtype && want_certtype != ctype) - ; /* Not of the requested certtype. */ - else if (ctype == DNS_CERTTYPE_PGP && datalen >= 11 && r_key) - { - /* CERT type is PGP. Gpg checks for a minimum length of 11, - thus we do the same. */ - *r_key = es_fopenmem_init (0, "rwb", data, datalen); - if (!*r_key) - err = gpg_err_make (default_errsource, - gpg_err_code_from_syserror ()); - else - err = 0; - goto leave; - } - else if (ctype == DNS_CERTTYPE_IPGP && datalen && datalen < 1023 - && datalen >= data[0] + 1 && r_fpr && r_fprlen && r_url) - { - /* CERT type is IPGP. We made sure that the data is - plausible and that the caller requested this - information. */ - *r_fprlen = data[0]; - if (*r_fprlen) - { - *r_fpr = xtrymalloc (*r_fprlen); - if (!*r_fpr) - { - err = gpg_err_make (default_errsource, - gpg_err_code_from_syserror ()); - goto leave; - } - memcpy (*r_fpr, data + 1, *r_fprlen); - } - else - *r_fpr = NULL; - - if (datalen > *r_fprlen + 1) - { - *r_url = xtrymalloc (datalen - (*r_fprlen + 1) + 1); - if (!*r_url) - { - err = gpg_err_make (default_errsource, - gpg_err_code_from_syserror ()); - xfree (*r_fpr); - *r_fpr = NULL; - goto leave; - } - memcpy (*r_url, - data + (*r_fprlen + 1), datalen - (*r_fprlen + 1)); - (*r_url)[datalen - (*r_fprlen + 1)] = '\0'; - } - else - *r_url = NULL; - - err = 0; - goto leave; - } - } - - leave: - adns_free (answer); - adns_finish (state); - return err; - -#else /*!USE_ADNS*/ - - gpg_error_t err; - unsigned char *answer; - int r; - u16 count; - - if (r_key) - *r_key = NULL; - *r_fpr = NULL; - *r_fprlen = 0; - *r_url = NULL; - - /* Allocate a 64k buffer which is the limit for an DNS response. */ - answer = xtrymalloc (65536); - if (!answer) - return gpg_err_make (default_errsource, gpg_err_code_from_syserror ()); - - err = gpg_err_make (default_errsource, GPG_ERR_NOT_FOUND); - - r = res_query (name, C_IN, T_CERT, answer, 65536); - /* Not too big, not too small, no errors and at least 1 answer. */ - if (r >= sizeof (HEADER) && r <= 65536 - && (((HEADER *) answer)->rcode) == NOERROR - && (count = ntohs (((HEADER *) answer)->ancount))) - { - int rc; - unsigned char *pt, *emsg; - - emsg = &answer[r]; - - pt = &answer[sizeof (HEADER)]; - - /* Skip over the query */ - - rc = dn_skipname (pt, emsg); - if (rc == -1) - { - err = gpg_err_make (default_errsource, GPG_ERR_INV_OBJ); - goto leave; - } - pt += rc + QFIXEDSZ; - - /* There are several possible response types for a CERT request. - We're interested in the PGP (a key) and IPGP (a URI) types. - Skip all others. TODO: A key is better than a URI since - we've gone through all this bother to fetch it, so favor that - if we have both PGP and IPGP? */ - - while (count-- > 0 && pt < emsg) - { - u16 type, class, dlen, ctype; - - rc = dn_skipname (pt, emsg); /* the name we just queried for */ - if (rc == -1) - { - err = gpg_err_make (default_errsource, GPG_ERR_INV_OBJ); - goto leave; - } - - pt += rc; - - /* Truncated message? 15 bytes takes us to the point where - we start looking at the ctype. */ - if ((emsg - pt) < 15) - break; - - type = buf16_to_u16 (pt); - pt += 2; - - class = buf16_to_u16 (pt); - pt += 2; - - if (class != C_IN) - break; - - /* ttl */ - pt += 4; - - /* data length */ - dlen = buf16_to_u16 (pt); - pt += 2; - - /* We asked for CERT and got something else - might be a - CNAME, so loop around again. */ - if (type != T_CERT) - { - pt += dlen; - continue; - } - - /* The CERT type */ - ctype = buf16_to_u16 (pt); - pt += 2; - - /* Skip the CERT key tag and algo which we don't need. */ - pt += 3; - - dlen -= 5; - - /* 15 bytes takes us to here */ - if (want_certtype && want_certtype != ctype) - ; /* Not of the requested certtype. */ - else if (ctype == DNS_CERTTYPE_PGP && dlen && r_key) - { - /* PGP type */ - *r_key = es_fopenmem_init (0, "rwb", pt, dlen); - if (!*r_key) - err = gpg_err_make (default_errsource, - gpg_err_code_from_syserror ()); - else - err = 0; - goto leave; - } - else if (ctype == DNS_CERTTYPE_IPGP - && dlen && dlen < 1023 && dlen >= pt[0] + 1) - { - /* IPGP type */ - *r_fprlen = pt[0]; - if (*r_fprlen) - { - *r_fpr = xtrymalloc (*r_fprlen); - if (!*r_fpr) - { - err = gpg_err_make (default_errsource, - gpg_err_code_from_syserror ()); - goto leave; - } - memcpy (*r_fpr, &pt[1], *r_fprlen); - } - else - *r_fpr = NULL; - - if (dlen > *r_fprlen + 1) - { - *r_url = xtrymalloc (dlen - (*r_fprlen + 1) + 1); - if (!*r_fpr) - { - err = gpg_err_make (default_errsource, - gpg_err_code_from_syserror ()); - xfree (*r_fpr); - *r_fpr = NULL; - goto leave; - } - memcpy (*r_url, &pt[*r_fprlen + 1], dlen - (*r_fprlen + 1)); - (*r_url)[dlen - (*r_fprlen + 1)] = '\0'; - } - else - *r_url = NULL; - - err = 0; - goto leave; - } - - /* Neither type matches, so go around to the next answer. */ - pt += dlen; - } - } - - leave: - xfree (answer); - return err; - -#endif /*!USE_ADNS */ -#else /* !USE_DNS_CERT */ - (void)name; - if (r_key) - *r_key = NULL; - *r_fpr = NULL; - *r_fprlen = 0; - *r_url = NULL; - - return gpg_err_make (default_errsource, GPG_ERR_NOT_SUPPORTED); -#endif -} diff --git a/common/dns-cert.h b/common/dns-cert.h deleted file mode 100644 index 4b49efc1c..000000000 --- a/common/dns-cert.h +++ /dev/null @@ -1,55 +0,0 @@ -/* dns-cert.h - DNS CERT definition - * Copyright (C) 2006 Free Software Foundation, Inc. - * - * This file is part of GnuPG. - * - * This file is free software; you can redistribute it and/or modify - * it under the terms of either - * - * - the GNU Lesser General Public License as published by the Free - * Software Foundation; either version 3 of the License, or (at - * your option) any later version. - * - * or - * - * - the GNU General Public License as published by the Free - * Software Foundation; either version 2 of the License, or (at - * your option) any later version. - * - * or both in parallel, as here. - * - * This file is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, see <http://www.gnu.org/licenses/>. - */ -#ifndef GNUPG_COMMON_DNS_CERT_H -#define GNUPG_COMMON_DNS_CERT_H - - -#define DNS_CERTTYPE_ANY 0 /* Internal catch all type. */ -/* Certificate types according to RFC-4398: */ -#define DNS_CERTTYPE_PKIX 1 /* X.509 as per PKIX. */ -#define DNS_CERTTYPE_SPKI 2 /* SPKI certificate. */ -#define DNS_CERTTYPE_PGP 3 /* OpenPGP packet. */ -#define DNS_CERTTYPE_IPKIX 4 /* The URL of an X.509 data object. */ -#define DNS_CERTTYPE_ISPKI 5 /* The URL of an SPKI certificate. */ -#define DNS_CERTTYPE_IPGP 6 /* The fingerprint - and URL of an OpenPGP packet. */ -#define DNS_CERTTYPE_ACPKIX 7 /* Attribute Certificate. */ -#define DNS_CERTTYPE_IACPKIX 8 /* The URL of an Attribute Certificate. */ -#define DNS_CERTTYPE_URI 253 /* URI private. */ -#define DNS_CERTTYPE_OID 254 /* OID private. */ - - -gpg_error_t get_dns_cert (const char *name, int want_certtype, - estream_t *r_key, - unsigned char **r_fpr, size_t *r_fprlen, - char **r_url); - - - -#endif /*GNUPG_COMMON_DNS_CERT_H*/ diff --git a/common/pka.c b/common/pka.c deleted file mode 100644 index 1aa5b3343..000000000 --- a/common/pka.c +++ /dev/null @@ -1,107 +0,0 @@ -/* pka.c - DNS Public Key Association RR access - * Copyright (C) 2005, 2009 Free Software Foundation, Inc. - * - * This file is part of GnuPG. - * - * This file is free software; you can redistribute it and/or modify - * it under the terms of either - * - * - the GNU Lesser General Public License as published by the Free - * Software Foundation; either version 3 of the License, or (at - * your option) any later version. - * - * or - * - * - the GNU General Public License as published by the Free - * Software Foundation; either version 2 of the License, or (at - * your option) any later version. - * - * or both in parallel, as here. - * - * This file is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, see <http://www.gnu.org/licenses/>. - */ - -#include <config.h> - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -#include "util.h" -#include "mbox-util.h" -#include "dns-cert.h" -#include "pka.h" - - -/* For the given email ADDRESS lookup the PKA information in the DNS. - - On success the fingerprint is stored at FPRBUF and the URI will be - returned in an allocated buffer. Note that the URI might be a zero - length string as this information is optional. Caller must xfree - the returned string. FPRBUFLEN gives the size of the expected - fingerprint (usually 20). - - On error NULL is returned and the FPRBUF is not defined. */ -char * -get_pka_info (const char *address, void *fprbuf, size_t fprbuflen) -{ - char *result = NULL; - char *mbox; - char *domain; /* Points to mbox. */ - char hashbuf[20]; - char *hash = NULL; - char *name = NULL; - unsigned char *fpr = NULL; - size_t fpr_len; - char *url = NULL; - - mbox = mailbox_from_userid (address); - if (!mbox) - goto leave; - domain = strchr (mbox, '@'); - if (!domain) - goto leave; - *domain++ = 0; - - gcry_md_hash_buffer (GCRY_MD_SHA1, hashbuf, mbox, strlen (mbox)); - hash = zb32_encode (hashbuf, 8*20); - if (!hash) - goto leave; - name = strconcat (hash, "._pka.", domain, NULL); - if (!name) - goto leave; - - if (get_dns_cert (name, DNS_CERTTYPE_IPGP, NULL, &fpr, &fpr_len, &url)) - goto leave; - if (!fpr) - goto leave; - - /* Return the fingerprint. */ - if (fpr_len != fprbuflen) - { - /* fprintf (stderr, "get_dns_cert failed: fprlen (%zu/%zu)\n", */ - /* fpr_len, fprbuflen); */ - goto leave; - } - memcpy (fprbuf, fpr, fpr_len); - - /* We return the URL or an empty string. */ - if (!url) - url = xtrycalloc (1, 1); - result = url; - url = NULL; - - leave: - xfree (fpr); - xfree (url); - xfree (name); - xfree (hash); - xfree (mbox); - return result; -} diff --git a/common/pka.h b/common/pka.h deleted file mode 100644 index 93a4eb3ee..000000000 --- a/common/pka.h +++ /dev/null @@ -1,35 +0,0 @@ -/* pka.h - DNS Public Key Association RR access definitions - * Copyright (C) 2006 Free Software Foundation, Inc. - * - * This file is part of GnuPG. - * - * This file is free software; you can redistribute it and/or modify - * it under the terms of either - * - * - the GNU Lesser General Public License as published by the Free - * Software Foundation; either version 3 of the License, or (at - * your option) any later version. - * - * or - * - * - the GNU General Public License as published by the Free - * Software Foundation; either version 2 of the License, or (at - * your option) any later version. - * - * or both in parallel, as here. - * - * This file is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, see <http://www.gnu.org/licenses/>. - */ -#ifndef GNUPG_COMMON_PKA_H -#define GNUPG_COMMON_PKA_H - -char *get_pka_info (const char *address, void *fprbuf, size_t fprbuflen); - - -#endif /*GNUPG_COMMON_PKA_H*/ diff --git a/common/t-dns-cert.c b/common/t-dns-cert.c deleted file mode 100644 index a170ffb2d..000000000 --- a/common/t-dns-cert.c +++ /dev/null @@ -1,95 +0,0 @@ -/* t-dns-cert.c - Module test for dns-cert.c - * Copyright (C) 2011 Free Software Foundation, Inc. - * - * This file is part of GnuPG. - * - * GnuPG is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * GnuPG is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, see <http://www.gnu.org/licenses/>. - */ - -#include <config.h> -#include <stdio.h> -#include <stdlib.h> -#include <assert.h> - -#include "util.h" -#include "dns-cert.h" - - -int -main (int argc, char **argv) -{ - gpg_error_t err; - unsigned char *fpr; - size_t fpr_len; - char *url; - estream_t key; - char const *name; - - if (argc) - { - argc--; - argv++; - } - - if (!argc) - name = "simon.josefsson.org"; - else if (argc == 1) - name = *argv; - else - { - fputs ("usage: t-dns-cert [name]\n", stderr); - return 1; - } - - printf ("CERT lookup on '%s'\n", name); - - err = get_dns_cert (name, DNS_CERTTYPE_ANY, &key, &fpr, &fpr_len, &url); - if (err) - printf ("get_dns_cert failed: %s <%s>\n", - gpg_strerror (err), gpg_strsource (err)); - else if (key) - { - int count = 0; - - while (es_getc (key) != EOF) - count++; - printf ("Key found (%d bytes)\n", count); - } - else - { - if (fpr) - { - int i; - - printf ("Fingerprint found (%d bytes): ", (int)fpr_len); - for (i = 0; i < fpr_len; i++) - printf ("%02X", fpr[i]); - putchar ('\n'); - } - else - printf ("No fingerprint found\n"); - - if (url) - printf ("URL found: %s\n", url); - else - printf ("No URL found\n"); - - } - - es_fclose (key); - xfree (fpr); - xfree (url); - - return 0; -} diff --git a/common/t-pka.c b/common/t-pka.c deleted file mode 100644 index 7c4d7c306..000000000 --- a/common/t-pka.c +++ /dev/null @@ -1,72 +0,0 @@ -/* t-pak.c - Module test for pka.c - * Copyright (C) 2015 Werner Koch - * - * This file is part of GnuPG. - * - * GnuPG is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * GnuPG is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, see <http://www.gnu.org/licenses/>. - */ - -#include <config.h> -#include <stdio.h> -#include <stdlib.h> -#include <assert.h> - -#include "util.h" -#include "pka.h" - - -int -main (int argc, char **argv) -{ - unsigned char fpr[20]; - char *url; - char const *name; - int i; - - if (argc) - { - argc--; - argv++; - } - - if (!argc) - name = "[email protected]"; - else if (argc == 1) - name = *argv; - else - { - fputs ("usage: t-pka [userid]\n", stderr); - return 1; - } - - printf ("User id ...: %s\n", name); - - url = get_pka_info (name, fpr, sizeof fpr); - printf ("Fingerprint: "); - if (url) - { - for (i = 0; i < sizeof fpr; i++) - printf ("%02X", fpr[i]); - } - else - printf ("[not found]"); - - putchar ('\n'); - - printf ("URL .......: %s\n", (url && *url)? url : "[none]"); - - xfree (url); - - return 0; -} |