From 5055b617a94587580bc16a56bb82333077b05693 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Wed, 21 Oct 2015 10:29:02 +0200 Subject: dirmngr: Rename file dns-cert.c. * dirmngr/dns-cert.c: Rename to dirmngr/dns-stuff.c. * dirmngr/dns-cert.h: Rename to dirmngr/dns-stuff.h and change includers. * dirmngr/t-dns-cert.c: Rename to dirmngr/t-dns-stuff.c. * dirmngr/Makefile.am: Adjust. Signed-off-by: Werner Koch --- dirmngr/Makefile.am | 8 +- dirmngr/dns-cert.c | 450 ------------------------------------------------- dirmngr/dns-cert.h | 58 ------- dirmngr/dns-stuff.c | 451 ++++++++++++++++++++++++++++++++++++++++++++++++++ dirmngr/dns-stuff.h | 63 +++++++ dirmngr/server.c | 2 +- dirmngr/t-dns-cert.c | 93 ----------- dirmngr/t-dns-stuff.c | 94 +++++++++++ 8 files changed, 613 insertions(+), 606 deletions(-) delete mode 100644 dirmngr/dns-cert.c delete mode 100644 dirmngr/dns-cert.h create mode 100644 dirmngr/dns-stuff.c create mode 100644 dirmngr/dns-stuff.h delete mode 100644 dirmngr/t-dns-cert.c create mode 100644 dirmngr/t-dns-stuff.c diff --git a/dirmngr/Makefile.am b/dirmngr/Makefile.am index ae16660e7..8cb1bb761 100644 --- a/dirmngr/Makefile.am +++ b/dirmngr/Makefile.am @@ -61,7 +61,7 @@ dirmngr_SOURCES = dirmngr.c dirmngr.h server.c crlcache.c crlfetch.c \ certcache.c certcache.h \ cdb.h cdblib.c misc.c dirmngr-err.h \ ocsp.c ocsp.h validate.c validate.h \ - dns-cert.c dns-cert.h \ + dns-stuff.c dns-stuff.h \ http.c http.h \ ks-action.c ks-action.h ks-engine.h \ ks-engine-hkp.c ks-engine-http.c ks-engine-finger.c ks-engine-kdns.c @@ -114,7 +114,7 @@ t_common_ldadd = $(libcommon) no-libgcrypt.o $(LIBASSUAN_LIBS) \ $(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) \ $(DNSLIBS) $(LIBINTL) $(LIBICONV) -module_tests = t-dns-cert +module_tests = t-dns-stuff if USE_LDAP module_tests += t-ldap-parse-uri @@ -141,7 +141,7 @@ t_ldap_parse_uri_SOURCES = \ t_ldap_parse_uri_CFLAGS = -DWITHOUT_NPTH=1 t_ldap_parse_uri_LDADD = $(ldaplibs) $(t_common_ldadd) -t_dns_cert_SOURCES = t-dns-cert.c dns-cert.c -t_dns_cert_LDADD = $(t_common_ldadd) +t_dns_stuff_SOURCES = t-dns-stuff.c dns-stuff.c +t_dns_stuff_LDADD = $(t_common_ldadd) $(PROGRAMS) : $(libcommon) $(libcommonpth) diff --git a/dirmngr/dns-cert.c b/dirmngr/dns-cert.c deleted file mode 100644 index 712dfc017..000000000 --- a/dirmngr/dns-cert.c +++ /dev/null @@ -1,450 +0,0 @@ -/* dns-cert.c - DNS CERT code (rfc-4398) - * Copyright (C) 2005, 2006, 2009 Free Software Foundation, Inc. - * - * This file is part of GNUPG. - * - * This file is free software; you can redistribute it and/or modify - * it under the terms of either - * - * - the GNU Lesser General Public License as published by the Free - * Software Foundation; either version 3 of the License, or (at - * your option) any later version. - * - * or - * - * - the GNU General Public License as published by the Free - * Software Foundation; either version 2 of the License, or (at - * your option) any later version. - * - * or both in parallel, as here. - * - * This file is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, see . - */ - -#include -#include -#ifdef USE_DNS_CERT -# ifdef HAVE_W32_SYSTEM -# ifdef HAVE_WINSOCK2_H -# include -# endif -# include -# else -# include -# include -# include -# endif -# include -#endif -#ifdef USE_ADNS -# include -#endif - -#include "util.h" -#include "host2net.h" -#include "dns-cert.h" - -/* Not every installation has gotten around to supporting CERTs - yet... */ -#ifndef T_CERT -# define T_CERT 37 -#endif - -/* ADNS has no support for CERT yet. */ -#define my_adns_r_cert 37 - -/* If set Tor mode shall be used. */ -static int tor_mode; - -/* Sets the module in TOR mode. Returns 0 is this is possible or an - error code. */ -gpg_error_t -enable_dns_tormode (void) -{ -#if defined(USE_DNS_CERT) && defined(USE_ADNS) -# if HAVE_ADNS_IF_TORMODE - tor_mode = 1; - return 0; -# endif -#endif - return gpg_error (GPG_ERR_NOT_IMPLEMENTED); -} - -/* Returns 0 on success or an error code. If a PGP CERT record was - found, the malloced data is returned at (R_KEY, R_KEYLEN) and - the other return parameters are set to NULL/0. If an IPGP CERT - record was found the fingerprint is stored as an allocated block at - R_FPR and its length at R_FPRLEN; an URL is is allocated as a - string and returned at R_URL. If WANT_CERTTYPE is 0 this function - returns the first CERT found with a supported type; it is expected - that only one CERT record is used. If WANT_CERTTYPE is one of the - supported certtypes only records with this certtype are considered - and the first found is returned. (R_KEY,R_KEYLEN) are optional. */ -gpg_error_t -get_dns_cert (const char *name, int want_certtype, - void **r_key, size_t *r_keylen, - unsigned char **r_fpr, size_t *r_fprlen, char **r_url) -{ -#ifdef USE_DNS_CERT -#ifdef USE_ADNS - gpg_error_t err; - adns_state state; - adns_answer *answer = NULL; - unsigned int ctype; - int count; - - if (r_key) - *r_key = NULL; - if (r_keylen) - *r_keylen = 0; - *r_fpr = NULL; - *r_fprlen = 0; - *r_url = NULL; - - if (tor_mode? adns_init_strcfg (&state, adns_if_noerrprint|adns_if_tormode, - NULL, "nameserver 8.8.8.8") - /* */: adns_init (&state, adns_if_noerrprint, NULL)) - { - err = gpg_err_make (default_errsource, gpg_err_code_from_syserror ()); - log_error ("error initializing adns: %s\n", strerror (errno)); - return err; - } - - if (adns_synchronous (state, name, - (adns_r_unknown - | (want_certtype < DNS_CERTTYPE_RRBASE - ? my_adns_r_cert - : (want_certtype - DNS_CERTTYPE_RRBASE))), - adns_qf_quoteok_query, &answer)) - { - err = gpg_err_make (default_errsource, gpg_err_code_from_syserror ()); - /* log_error ("DNS query failed: %s\n", strerror (errno)); */ - adns_finish (state); - return err; - } - if (answer->status != adns_s_ok) - { - /* log_error ("DNS query returned an error: %s (%s)\n", */ - /* adns_strerror (answer->status), */ - /* adns_errabbrev (answer->status)); */ - err = gpg_err_make (default_errsource, GPG_ERR_NOT_FOUND); - goto leave; - } - - err = gpg_err_make (default_errsource, GPG_ERR_NOT_FOUND); - for (count = 0; count < answer->nrrs; count++) - { - int datalen = answer->rrs.byteblock[count].len; - const unsigned char *data = answer->rrs.byteblock[count].data; - - /* First check for our generic RR hack. */ - if (datalen - && want_certtype >= DNS_CERTTYPE_RRBASE - && ((want_certtype - DNS_CERTTYPE_RRBASE) - == (answer->type & ~adns_r_unknown))) - { - /* Found the requested record - return it. */ - *r_key = xtrymalloc (datalen); - if (!*r_key) - err = gpg_err_make (default_errsource, - gpg_err_code_from_syserror ()); - else - { - memcpy (*r_key, data, datalen); - *r_keylen = datalen; - err = 0; - } - goto leave; - } - - if (datalen < 5) - continue; /* Truncated CERT record - skip. */ - - ctype = buf16_to_uint (data); - /* (key tag and algorithm fields are not required.) */ - data += 5; - datalen -= 5; - - if (want_certtype && want_certtype != ctype) - ; /* Not of the requested certtype. */ - else if (ctype == DNS_CERTTYPE_PGP && datalen >= 11 && r_key && r_keylen) - { - /* CERT type is PGP. Gpg checks for a minimum length of 11, - thus we do the same. */ - *r_key = xtrymalloc (datalen); - if (!*r_key) - err = gpg_err_make (default_errsource, - gpg_err_code_from_syserror ()); - else - { - memcpy (*r_key, data, datalen); - *r_keylen = datalen; - err = 0; - } - goto leave; - } - else if (ctype == DNS_CERTTYPE_IPGP && datalen && datalen < 1023 - && datalen >= data[0] + 1 && r_fpr && r_fprlen && r_url) - { - /* CERT type is IPGP. We made sure that the data is - plausible and that the caller requested this - information. */ - *r_fprlen = data[0]; - if (*r_fprlen) - { - *r_fpr = xtrymalloc (*r_fprlen); - if (!*r_fpr) - { - err = gpg_err_make (default_errsource, - gpg_err_code_from_syserror ()); - goto leave; - } - memcpy (*r_fpr, data + 1, *r_fprlen); - } - else - *r_fpr = NULL; - - if (datalen > *r_fprlen + 1) - { - *r_url = xtrymalloc (datalen - (*r_fprlen + 1) + 1); - if (!*r_url) - { - err = gpg_err_make (default_errsource, - gpg_err_code_from_syserror ()); - xfree (*r_fpr); - *r_fpr = NULL; - goto leave; - } - memcpy (*r_url, - data + (*r_fprlen + 1), datalen - (*r_fprlen + 1)); - (*r_url)[datalen - (*r_fprlen + 1)] = '\0'; - } - else - *r_url = NULL; - - err = 0; - goto leave; - } - } - - leave: - adns_free (answer); - adns_finish (state); - return err; - -#else /*!USE_ADNS*/ - - gpg_error_t err; - unsigned char *answer; - int r; - u16 count; - - if (r_key) - *r_key = NULL; - if (r_keylen) - *r_keylen = 0; - *r_fpr = NULL; - *r_fprlen = 0; - *r_url = NULL; - - /* Allocate a 64k buffer which is the limit for an DNS response. */ - answer = xtrymalloc (65536); - if (!answer) - return gpg_err_make (default_errsource, gpg_err_code_from_syserror ()); - - err = gpg_err_make (default_errsource, GPG_ERR_NOT_FOUND); - - r = res_query (name, C_IN, - (want_certtype < DNS_CERTTYPE_RRBASE - ? T_CERT - : (want_certtype - DNS_CERTTYPE_RRBASE)), - answer, 65536); - /* Not too big, not too small, no errors and at least 1 answer. */ - if (r >= sizeof (HEADER) && r <= 65536 - && (((HEADER *) answer)->rcode) == NOERROR - && (count = ntohs (((HEADER *) answer)->ancount))) - { - int rc; - unsigned char *pt, *emsg; - - emsg = &answer[r]; - - pt = &answer[sizeof (HEADER)]; - - /* Skip over the query */ - - rc = dn_skipname (pt, emsg); - if (rc == -1) - { - err = gpg_err_make (default_errsource, GPG_ERR_INV_OBJ); - goto leave; - } - pt += rc + QFIXEDSZ; - - /* There are several possible response types for a CERT request. - We're interested in the PGP (a key) and IPGP (a URI) types. - Skip all others. TODO: A key is better than a URI since - we've gone through all this bother to fetch it, so favor that - if we have both PGP and IPGP? */ - - while (count-- > 0 && pt < emsg) - { - u16 type, class, dlen, ctype; - - rc = dn_skipname (pt, emsg); /* the name we just queried for */ - if (rc == -1) - { - err = gpg_err_make (default_errsource, GPG_ERR_INV_OBJ); - goto leave; - } - - pt += rc; - - /* Truncated message? 15 bytes takes us to the point where - we start looking at the ctype. */ - if ((emsg - pt) < 15) - break; - - type = buf16_to_u16 (pt); - pt += 2; - - class = buf16_to_u16 (pt); - pt += 2; - - if (class != C_IN) - break; - - /* ttl */ - pt += 4; - - /* data length */ - dlen = buf16_to_u16 (pt); - pt += 2; - - /* Check the type and parse. */ - if (want_certtype >= DNS_CERTTYPE_RRBASE - && type == (want_certtype - DNS_CERTTYPE_RRBASE) - && r_key) - { - *r_key = xtrymalloc (dlen); - if (!*r_key) - err = gpg_err_make (default_errsource, - gpg_err_code_from_syserror ()); - else - { - memcpy (*r_key, pt, dlen); - *r_keylen = dlen; - err = 0; - } - goto leave; - } - else if (want_certtype >= DNS_CERTTYPE_RRBASE) - { - /* We did not found the requested RR. */ - pt += dlen; - } - else if (type == T_CERT) - { - /* We got a CERT type. */ - ctype = buf16_to_u16 (pt); - pt += 2; - - /* Skip the CERT key tag and algo which we don't need. */ - pt += 3; - - dlen -= 5; - - /* 15 bytes takes us to here */ - if (want_certtype && want_certtype != ctype) - ; /* Not of the requested certtype. */ - else if (ctype == DNS_CERTTYPE_PGP && dlen && r_key && r_keylen) - { - /* PGP type */ - *r_key = xtrymalloc (dlen); - if (!*r_key) - err = gpg_err_make (default_errsource, - gpg_err_code_from_syserror ()); - else - { - memcpy (*r_key, pt, dlen); - *r_keylen = dlen; - err = 0; - } - goto leave; - } - else if (ctype == DNS_CERTTYPE_IPGP - && dlen && dlen < 1023 && dlen >= pt[0] + 1) - { - /* IPGP type */ - *r_fprlen = pt[0]; - if (*r_fprlen) - { - *r_fpr = xtrymalloc (*r_fprlen); - if (!*r_fpr) - { - err = gpg_err_make (default_errsource, - gpg_err_code_from_syserror ()); - goto leave; - } - memcpy (*r_fpr, &pt[1], *r_fprlen); - } - else - *r_fpr = NULL; - - if (dlen > *r_fprlen + 1) - { - *r_url = xtrymalloc (dlen - (*r_fprlen + 1) + 1); - if (!*r_fpr) - { - err = gpg_err_make (default_errsource, - gpg_err_code_from_syserror ()); - xfree (*r_fpr); - *r_fpr = NULL; - goto leave; - } - memcpy (*r_url, &pt[*r_fprlen + 1], - dlen - (*r_fprlen + 1)); - (*r_url)[dlen - (*r_fprlen + 1)] = '\0'; - } - else - *r_url = NULL; - - err = 0; - goto leave; - } - - /* No subtype matches, so continue with the next answer. */ - pt += dlen; - } - else - { - /* Not a requested type - might be a CNAME. Try next item. */ - pt += dlen; - } - } - } - - leave: - xfree (answer); - return err; - -#endif /*!USE_ADNS */ -#else /* !USE_DNS_CERT */ - (void)name; - if (r_key) - *r_key = NULL; - if (r_keylen) - *r_keylen = NULL; - *r_fpr = NULL; - *r_fprlen = 0; - *r_url = NULL; - - return gpg_err_make (default_errsource, GPG_ERR_NOT_SUPPORTED); -#endif -} diff --git a/dirmngr/dns-cert.h b/dirmngr/dns-cert.h deleted file mode 100644 index e5cd4eb84..000000000 --- a/dirmngr/dns-cert.h +++ /dev/null @@ -1,58 +0,0 @@ -/* dns-cert.h - DNS CERT definition - * Copyright (C) 2006 Free Software Foundation, Inc. - * - * This file is part of GnuPG. - * - * This file is free software; you can redistribute it and/or modify - * it under the terms of either - * - * - the GNU Lesser General Public License as published by the Free - * Software Foundation; either version 3 of the License, or (at - * your option) any later version. - * - * or - * - * - the GNU General Public License as published by the Free - * Software Foundation; either version 2 of the License, or (at - * your option) any later version. - * - * or both in parallel, as here. - * - * This file is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, see . - */ -#ifndef GNUPG_DIRMNGR_DNS_CERT_H -#define GNUPG_DIRMNGR_DNS_CERT_H - - -#define DNS_CERTTYPE_ANY 0 /* Internal catch all type. */ -/* Certificate types according to RFC-4398: */ -#define DNS_CERTTYPE_PKIX 1 /* X.509 as per PKIX. */ -#define DNS_CERTTYPE_SPKI 2 /* SPKI certificate. */ -#define DNS_CERTTYPE_PGP 3 /* OpenPGP packet. */ -#define DNS_CERTTYPE_IPKIX 4 /* The URL of an X.509 data object. */ -#define DNS_CERTTYPE_ISPKI 5 /* The URL of an SPKI certificate. */ -#define DNS_CERTTYPE_IPGP 6 /* The fingerprint - and URL of an OpenPGP packet. */ -#define DNS_CERTTYPE_ACPKIX 7 /* Attribute Certificate. */ -#define DNS_CERTTYPE_IACPKIX 8 /* The URL of an Attribute Certificate. */ -#define DNS_CERTTYPE_URI 253 /* URI private. */ -#define DNS_CERTTYPE_OID 254 /* OID private. */ -/* Hacks for our implementation. */ -#define DNS_CERTTYPE_RRBASE 1024 /* Base of special constants. */ -#define DNS_CERTTYPE_RR61 (DNS_CERTTYPE_RRBASE + 61) - -gpg_error_t enable_dns_tormode (void); -gpg_error_t get_dns_cert (const char *name, int want_certtype, - void **r_key, size_t *r_keylen, - unsigned char **r_fpr, size_t *r_fprlen, - char **r_url); - - - -#endif /*GNUPG_DIRMNGR_DNS_CERT_H*/ diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c new file mode 100644 index 000000000..c2d40c9ad --- /dev/null +++ b/dirmngr/dns-stuff.c @@ -0,0 +1,451 @@ +/* dns-stuff.c - DNS related code including CERT RR (rfc-4398) + * Copyright (C) 2005, 2006, 2009 Free Software Foundation, Inc. + * Copyright (C) 2005, 2006, 2009, 2015 Werner Koch + * + * This file is part of GnuPG. + * + * This file is free software; you can redistribute it and/or modify + * it under the terms of either + * + * - the GNU Lesser General Public License as published by the Free + * Software Foundation; either version 3 of the License, or (at + * your option) any later version. + * + * or + * + * - the GNU General Public License as published by the Free + * Software Foundation; either version 2 of the License, or (at + * your option) any later version. + * + * or both in parallel, as here. + * + * This file is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see . + */ + +#include +#include +#ifdef USE_DNS_CERT +# ifdef HAVE_W32_SYSTEM +# ifdef HAVE_WINSOCK2_H +# include +# endif +# include +# else +# include +# include +# include +# endif +# include +#endif +#ifdef USE_ADNS +# include +#endif + +#include "util.h" +#include "host2net.h" +#include "dns-stuff.h" + +/* Not every installation has gotten around to supporting CERTs + yet... */ +#ifndef T_CERT +# define T_CERT 37 +#endif + +/* ADNS has no support for CERT yet. */ +#define my_adns_r_cert 37 + +/* If set Tor mode shall be used. */ +static int tor_mode; + +/* Sets the module in TOR mode. Returns 0 is this is possible or an + error code. */ +gpg_error_t +enable_dns_tormode (void) +{ +#if defined(USE_DNS_CERT) && defined(USE_ADNS) +# if HAVE_ADNS_IF_TORMODE + tor_mode = 1; + return 0; +# endif +#endif + return gpg_error (GPG_ERR_NOT_IMPLEMENTED); +} + +/* Returns 0 on success or an error code. If a PGP CERT record was + found, the malloced data is returned at (R_KEY, R_KEYLEN) and + the other return parameters are set to NULL/0. If an IPGP CERT + record was found the fingerprint is stored as an allocated block at + R_FPR and its length at R_FPRLEN; an URL is is allocated as a + string and returned at R_URL. If WANT_CERTTYPE is 0 this function + returns the first CERT found with a supported type; it is expected + that only one CERT record is used. If WANT_CERTTYPE is one of the + supported certtypes only records with this certtype are considered + and the first found is returned. (R_KEY,R_KEYLEN) are optional. */ +gpg_error_t +get_dns_cert (const char *name, int want_certtype, + void **r_key, size_t *r_keylen, + unsigned char **r_fpr, size_t *r_fprlen, char **r_url) +{ +#ifdef USE_DNS_CERT +#ifdef USE_ADNS + gpg_error_t err; + adns_state state; + adns_answer *answer = NULL; + unsigned int ctype; + int count; + + if (r_key) + *r_key = NULL; + if (r_keylen) + *r_keylen = 0; + *r_fpr = NULL; + *r_fprlen = 0; + *r_url = NULL; + + if (tor_mode? adns_init_strcfg (&state, adns_if_noerrprint|adns_if_tormode, + NULL, "nameserver 8.8.8.8") + /* */: adns_init (&state, adns_if_noerrprint, NULL)) + { + err = gpg_err_make (default_errsource, gpg_err_code_from_syserror ()); + log_error ("error initializing adns: %s\n", strerror (errno)); + return err; + } + + if (adns_synchronous (state, name, + (adns_r_unknown + | (want_certtype < DNS_CERTTYPE_RRBASE + ? my_adns_r_cert + : (want_certtype - DNS_CERTTYPE_RRBASE))), + adns_qf_quoteok_query, &answer)) + { + err = gpg_err_make (default_errsource, gpg_err_code_from_syserror ()); + /* log_error ("DNS query failed: %s\n", strerror (errno)); */ + adns_finish (state); + return err; + } + if (answer->status != adns_s_ok) + { + /* log_error ("DNS query returned an error: %s (%s)\n", */ + /* adns_strerror (answer->status), */ + /* adns_errabbrev (answer->status)); */ + err = gpg_err_make (default_errsource, GPG_ERR_NOT_FOUND); + goto leave; + } + + err = gpg_err_make (default_errsource, GPG_ERR_NOT_FOUND); + for (count = 0; count < answer->nrrs; count++) + { + int datalen = answer->rrs.byteblock[count].len; + const unsigned char *data = answer->rrs.byteblock[count].data; + + /* First check for our generic RR hack. */ + if (datalen + && want_certtype >= DNS_CERTTYPE_RRBASE + && ((want_certtype - DNS_CERTTYPE_RRBASE) + == (answer->type & ~adns_r_unknown))) + { + /* Found the requested record - return it. */ + *r_key = xtrymalloc (datalen); + if (!*r_key) + err = gpg_err_make (default_errsource, + gpg_err_code_from_syserror ()); + else + { + memcpy (*r_key, data, datalen); + *r_keylen = datalen; + err = 0; + } + goto leave; + } + + if (datalen < 5) + continue; /* Truncated CERT record - skip. */ + + ctype = buf16_to_uint (data); + /* (key tag and algorithm fields are not required.) */ + data += 5; + datalen -= 5; + + if (want_certtype && want_certtype != ctype) + ; /* Not of the requested certtype. */ + else if (ctype == DNS_CERTTYPE_PGP && datalen >= 11 && r_key && r_keylen) + { + /* CERT type is PGP. Gpg checks for a minimum length of 11, + thus we do the same. */ + *r_key = xtrymalloc (datalen); + if (!*r_key) + err = gpg_err_make (default_errsource, + gpg_err_code_from_syserror ()); + else + { + memcpy (*r_key, data, datalen); + *r_keylen = datalen; + err = 0; + } + goto leave; + } + else if (ctype == DNS_CERTTYPE_IPGP && datalen && datalen < 1023 + && datalen >= data[0] + 1 && r_fpr && r_fprlen && r_url) + { + /* CERT type is IPGP. We made sure that the data is + plausible and that the caller requested this + information. */ + *r_fprlen = data[0]; + if (*r_fprlen) + { + *r_fpr = xtrymalloc (*r_fprlen); + if (!*r_fpr) + { + err = gpg_err_make (default_errsource, + gpg_err_code_from_syserror ()); + goto leave; + } + memcpy (*r_fpr, data + 1, *r_fprlen); + } + else + *r_fpr = NULL; + + if (datalen > *r_fprlen + 1) + { + *r_url = xtrymalloc (datalen - (*r_fprlen + 1) + 1); + if (!*r_url) + { + err = gpg_err_make (default_errsource, + gpg_err_code_from_syserror ()); + xfree (*r_fpr); + *r_fpr = NULL; + goto leave; + } + memcpy (*r_url, + data + (*r_fprlen + 1), datalen - (*r_fprlen + 1)); + (*r_url)[datalen - (*r_fprlen + 1)] = '\0'; + } + else + *r_url = NULL; + + err = 0; + goto leave; + } + } + + leave: + adns_free (answer); + adns_finish (state); + return err; + +#else /*!USE_ADNS*/ + + gpg_error_t err; + unsigned char *answer; + int r; + u16 count; + + if (r_key) + *r_key = NULL; + if (r_keylen) + *r_keylen = 0; + *r_fpr = NULL; + *r_fprlen = 0; + *r_url = NULL; + + /* Allocate a 64k buffer which is the limit for an DNS response. */ + answer = xtrymalloc (65536); + if (!answer) + return gpg_err_make (default_errsource, gpg_err_code_from_syserror ()); + + err = gpg_err_make (default_errsource, GPG_ERR_NOT_FOUND); + + r = res_query (name, C_IN, + (want_certtype < DNS_CERTTYPE_RRBASE + ? T_CERT + : (want_certtype - DNS_CERTTYPE_RRBASE)), + answer, 65536); + /* Not too big, not too small, no errors and at least 1 answer. */ + if (r >= sizeof (HEADER) && r <= 65536 + && (((HEADER *) answer)->rcode) == NOERROR + && (count = ntohs (((HEADER *) answer)->ancount))) + { + int rc; + unsigned char *pt, *emsg; + + emsg = &answer[r]; + + pt = &answer[sizeof (HEADER)]; + + /* Skip over the query */ + + rc = dn_skipname (pt, emsg); + if (rc == -1) + { + err = gpg_err_make (default_errsource, GPG_ERR_INV_OBJ); + goto leave; + } + pt += rc + QFIXEDSZ; + + /* There are several possible response types for a CERT request. + We're interested in the PGP (a key) and IPGP (a URI) types. + Skip all others. TODO: A key is better than a URI since + we've gone through all this bother to fetch it, so favor that + if we have both PGP and IPGP? */ + + while (count-- > 0 && pt < emsg) + { + u16 type, class, dlen, ctype; + + rc = dn_skipname (pt, emsg); /* the name we just queried for */ + if (rc == -1) + { + err = gpg_err_make (default_errsource, GPG_ERR_INV_OBJ); + goto leave; + } + + pt += rc; + + /* Truncated message? 15 bytes takes us to the point where + we start looking at the ctype. */ + if ((emsg - pt) < 15) + break; + + type = buf16_to_u16 (pt); + pt += 2; + + class = buf16_to_u16 (pt); + pt += 2; + + if (class != C_IN) + break; + + /* ttl */ + pt += 4; + + /* data length */ + dlen = buf16_to_u16 (pt); + pt += 2; + + /* Check the type and parse. */ + if (want_certtype >= DNS_CERTTYPE_RRBASE + && type == (want_certtype - DNS_CERTTYPE_RRBASE) + && r_key) + { + *r_key = xtrymalloc (dlen); + if (!*r_key) + err = gpg_err_make (default_errsource, + gpg_err_code_from_syserror ()); + else + { + memcpy (*r_key, pt, dlen); + *r_keylen = dlen; + err = 0; + } + goto leave; + } + else if (want_certtype >= DNS_CERTTYPE_RRBASE) + { + /* We did not found the requested RR. */ + pt += dlen; + } + else if (type == T_CERT) + { + /* We got a CERT type. */ + ctype = buf16_to_u16 (pt); + pt += 2; + + /* Skip the CERT key tag and algo which we don't need. */ + pt += 3; + + dlen -= 5; + + /* 15 bytes takes us to here */ + if (want_certtype && want_certtype != ctype) + ; /* Not of the requested certtype. */ + else if (ctype == DNS_CERTTYPE_PGP && dlen && r_key && r_keylen) + { + /* PGP type */ + *r_key = xtrymalloc (dlen); + if (!*r_key) + err = gpg_err_make (default_errsource, + gpg_err_code_from_syserror ()); + else + { + memcpy (*r_key, pt, dlen); + *r_keylen = dlen; + err = 0; + } + goto leave; + } + else if (ctype == DNS_CERTTYPE_IPGP + && dlen && dlen < 1023 && dlen >= pt[0] + 1) + { + /* IPGP type */ + *r_fprlen = pt[0]; + if (*r_fprlen) + { + *r_fpr = xtrymalloc (*r_fprlen); + if (!*r_fpr) + { + err = gpg_err_make (default_errsource, + gpg_err_code_from_syserror ()); + goto leave; + } + memcpy (*r_fpr, &pt[1], *r_fprlen); + } + else + *r_fpr = NULL; + + if (dlen > *r_fprlen + 1) + { + *r_url = xtrymalloc (dlen - (*r_fprlen + 1) + 1); + if (!*r_fpr) + { + err = gpg_err_make (default_errsource, + gpg_err_code_from_syserror ()); + xfree (*r_fpr); + *r_fpr = NULL; + goto leave; + } + memcpy (*r_url, &pt[*r_fprlen + 1], + dlen - (*r_fprlen + 1)); + (*r_url)[dlen - (*r_fprlen + 1)] = '\0'; + } + else + *r_url = NULL; + + err = 0; + goto leave; + } + + /* No subtype matches, so continue with the next answer. */ + pt += dlen; + } + else + { + /* Not a requested type - might be a CNAME. Try next item. */ + pt += dlen; + } + } + } + + leave: + xfree (answer); + return err; + +#endif /*!USE_ADNS */ +#else /* !USE_DNS_CERT */ + (void)name; + if (r_key) + *r_key = NULL; + if (r_keylen) + *r_keylen = NULL; + *r_fpr = NULL; + *r_fprlen = 0; + *r_url = NULL; + + return gpg_err_make (default_errsource, GPG_ERR_NOT_SUPPORTED); +#endif +} diff --git a/dirmngr/dns-stuff.h b/dirmngr/dns-stuff.h new file mode 100644 index 000000000..aea0e69f6 --- /dev/null +++ b/dirmngr/dns-stuff.h @@ -0,0 +1,63 @@ +/* dns-stuff.c - DNS related code including CERT RR (rfc-4398) + * Copyright (C) 2006 Free Software Foundation, Inc. + * Copyright (C) 2006, 2015 Werner Koch + * + * This file is part of GnuPG. + * + * This file is free software; you can redistribute it and/or modify + * it under the terms of either + * + * - the GNU Lesser General Public License as published by the Free + * Software Foundation; either version 3 of the License, or (at + * your option) any later version. + * + * or + * + * - the GNU General Public License as published by the Free + * Software Foundation; either version 2 of the License, or (at + * your option) any later version. + * + * or both in parallel, as here. + * + * This file is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see . + */ +#ifndef GNUPG_DIRMNGR_DNS_STUFF_H +#define GNUPG_DIRMNGR_DNS_STUFF_H + + +#define DNS_CERTTYPE_ANY 0 /* Internal catch all type. */ +/* Certificate types according to RFC-4398: */ +#define DNS_CERTTYPE_PKIX 1 /* X.509 as per PKIX. */ +#define DNS_CERTTYPE_SPKI 2 /* SPKI certificate. */ +#define DNS_CERTTYPE_PGP 3 /* OpenPGP packet. */ +#define DNS_CERTTYPE_IPKIX 4 /* The URL of an X.509 data object. */ +#define DNS_CERTTYPE_ISPKI 5 /* The URL of an SPKI certificate. */ +#define DNS_CERTTYPE_IPGP 6 /* The fingerprint + and URL of an OpenPGP packet. */ +#define DNS_CERTTYPE_ACPKIX 7 /* Attribute Certificate. */ +#define DNS_CERTTYPE_IACPKIX 8 /* The URL of an Attribute Certificate. */ +#define DNS_CERTTYPE_URI 253 /* URI private. */ +#define DNS_CERTTYPE_OID 254 /* OID private. */ +/* Hacks for our implementation. */ +#define DNS_CERTTYPE_RRBASE 1024 /* Base of special constants. */ +#define DNS_CERTTYPE_RR61 (DNS_CERTTYPE_RRBASE + 61) + +/* Calling this function switches the DNS code into Tor mode if + possibe. Return 0 on success. */ +gpg_error_t enable_dns_tormode (void); + +/* Return a CERT record or an arbitray RR. */ +gpg_error_t get_dns_cert (const char *name, int want_certtype, + void **r_key, size_t *r_keylen, + unsigned char **r_fpr, size_t *r_fprlen, + char **r_url); + + + +#endif /*GNUPG_DIRMNGR_DNS_STUFF_H*/ diff --git a/dirmngr/server.c b/dirmngr/server.c index f6225d438..23ecdd8b9 100644 --- a/dirmngr/server.c +++ b/dirmngr/server.c @@ -50,7 +50,7 @@ #if USE_LDAP # include "ldap-parse-uri.h" #endif -#include "dns-cert.h" +#include "dns-stuff.h" #include "mbox-util.h" /* To avoid DoS attacks we limit the size of a certificate to diff --git a/dirmngr/t-dns-cert.c b/dirmngr/t-dns-cert.c deleted file mode 100644 index 61536c566..000000000 --- a/dirmngr/t-dns-cert.c +++ /dev/null @@ -1,93 +0,0 @@ -/* t-dns-cert.c - Module test for dns-cert.c - * Copyright (C) 2011 Free Software Foundation, Inc. - * - * This file is part of GnuPG. - * - * GnuPG is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * GnuPG is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, see . - */ - -#include -#include -#include -#include - -#include "util.h" -#include "dns-cert.h" - - -int -main (int argc, char **argv) -{ - gpg_error_t err; - unsigned char *fpr; - size_t fpr_len; - char *url; - void *key; - size_t keylen; - char const *name; - - if (argc) - { - argc--; - argv++; - } - - if (!argc) - name = "simon.josefsson.org"; - else if (argc == 1) - name = *argv; - else - { - fputs ("usage: t-dns-cert [name]\n", stderr); - return 1; - } - - printf ("CERT lookup on '%s'\n", name); - - err = get_dns_cert (name, DNS_CERTTYPE_ANY, &key, &keylen, - &fpr, &fpr_len, &url); - if (err) - printf ("get_dns_cert failed: %s <%s>\n", - gpg_strerror (err), gpg_strsource (err)); - else if (key) - { - printf ("Key found (%u bytes)\n", (unsigned int)keylen); - } - else - { - if (fpr) - { - int i; - - printf ("Fingerprint found (%d bytes): ", (int)fpr_len); - for (i = 0; i < fpr_len; i++) - printf ("%02X", fpr[i]); - putchar ('\n'); - } - else - printf ("No fingerprint found\n"); - - if (url) - printf ("URL found: %s\n", url); - else - printf ("No URL found\n"); - - } - - xfree (key); - xfree (fpr); - xfree (url); - - return 0; -} diff --git a/dirmngr/t-dns-stuff.c b/dirmngr/t-dns-stuff.c new file mode 100644 index 000000000..e34f80971 --- /dev/null +++ b/dirmngr/t-dns-stuff.c @@ -0,0 +1,94 @@ +/* t-dns-cert.c - Module test for dns-stuff.c + * Copyright (C) 2011 Free Software Foundation, Inc. + * Copyright (C) 2011, 2015 Werner Koch + * + * This file is part of GnuPG. + * + * GnuPG is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuPG is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see . + */ + +#include +#include +#include +#include + +#include "util.h" +#include "dns-stuff.h" + + +int +main (int argc, char **argv) +{ + gpg_error_t err; + unsigned char *fpr; + size_t fpr_len; + char *url; + void *key; + size_t keylen; + char const *name; + + if (argc) + { + argc--; + argv++; + } + + if (!argc) + name = "simon.josefsson.org"; + else if (argc == 1) + name = *argv; + else + { + fputs ("usage: t-dns-stuff [name]\n", stderr); + return 1; + } + + printf ("CERT lookup on '%s'\n", name); + + err = get_dns_cert (name, DNS_CERTTYPE_ANY, &key, &keylen, + &fpr, &fpr_len, &url); + if (err) + printf ("get_dns_cert failed: %s <%s>\n", + gpg_strerror (err), gpg_strsource (err)); + else if (key) + { + printf ("Key found (%u bytes)\n", (unsigned int)keylen); + } + else + { + if (fpr) + { + int i; + + printf ("Fingerprint found (%d bytes): ", (int)fpr_len); + for (i = 0; i < fpr_len; i++) + printf ("%02X", fpr[i]); + putchar ('\n'); + } + else + printf ("No fingerprint found\n"); + + if (url) + printf ("URL found: %s\n", url); + else + printf ("No URL found\n"); + + } + + xfree (key); + xfree (fpr); + xfree (url); + + return 0; +} -- cgit v1.2.3