1 /* dns-cert.c - DNS CERT code (rfc-4398)
2 * Copyright (C) 2005, 2006, 2009 Free Software Foundation, Inc.
4 * This file is part of GNUPG.
6 * This file is free software; you can redistribute it and/or modify
7 * it under the terms of either
9 * - the GNU Lesser General Public License as published by the Free
10 * Software Foundation; either version 3 of the License, or (at
11 * your option) any later version.
15 * - the GNU General Public License as published by the Free
16 * Software Foundation; either version 2 of the License, or (at
17 * your option) any later version.
19 * or both in parallel, as here.
21 * This file is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, see <http://www.gnu.org/licenses/>.
31 #include <sys/types.h>
33 # ifdef HAVE_W32_SYSTEM
34 # ifdef HAVE_WINSOCK2_H
35 # include <winsock2.h>
39 # include <netinet/in.h>
40 # include <arpa/nameser.h>
53 /* Not every installation has gotten around to supporting CERTs
59 /* ADNS has no support for CERT yet. */
60 #define my_adns_r_cert 37
64 /* Returns 0 on success or an error code. If a PGP CERT record was
65 found, the malloced data is returned at (R_KEY, R_KEYLEN) and
66 the other return parameters are set to NULL/0. If an IPGP CERT
67 record was found the fingerprint is stored as an allocated block at
68 R_FPR and its length at R_FPRLEN; an URL is is allocated as a
69 string and returned at R_URL. If WANT_CERTTYPE is 0 this function
70 returns the first CERT found with a supported type; it is expected
71 that only one CERT record is used. If WANT_CERTTYPE is one of the
72 supported certtypes only records wih this certtype are considered
73 and the first found is returned. (R_KEY,R_KEYLEN) are optional. */
75 get_dns_cert (const char *name, int want_certtype,
76 void **r_key, size_t *r_keylen,
77 unsigned char **r_fpr, size_t *r_fprlen, char **r_url)
83 adns_answer *answer = NULL;
95 if (adns_init (&state, adns_if_noerrprint, NULL))
97 err = gpg_err_make (default_errsource, gpg_err_code_from_syserror ());
98 log_error ("error initializing adns: %s\n", strerror (errno));
102 if (adns_synchronous (state, name, (adns_r_unknown | my_adns_r_cert),
103 adns_qf_quoteok_query, &answer))
105 err = gpg_err_make (default_errsource, gpg_err_code_from_syserror ());
106 /* log_error ("DNS query failed: %s\n", strerror (errno)); */
110 if (answer->status != adns_s_ok)
112 /* log_error ("DNS query returned an error: %s (%s)\n", */
113 /* adns_strerror (answer->status), */
114 /* adns_errabbrev (answer->status)); */
115 err = gpg_err_make (default_errsource, GPG_ERR_NOT_FOUND);
119 err = gpg_err_make (default_errsource, GPG_ERR_NOT_FOUND);
120 for (count = 0; count < answer->nrrs; count++)
122 int datalen = answer->rrs.byteblock[count].len;
123 const unsigned char *data = answer->rrs.byteblock[count].data;
126 continue; /* Truncated CERT record - skip. */
128 ctype = buf16_to_uint (data);
129 /* (key tag and algorithm fields are not required.) */
133 if (want_certtype && want_certtype != ctype)
134 ; /* Not of the requested certtype. */
135 else if (ctype == DNS_CERTTYPE_PGP && datalen >= 11 && r_key && r_keylen)
137 /* CERT type is PGP. Gpg checks for a minimum length of 11,
138 thus we do the same. */
139 *r_key = xtrymalloc (datalen);
141 err = gpg_err_make (default_errsource,
142 gpg_err_code_from_syserror ());
145 memcpy (*r_key, data, datalen);
151 else if (ctype == DNS_CERTTYPE_IPGP && datalen && datalen < 1023
152 && datalen >= data[0] + 1 && r_fpr && r_fprlen && r_url)
154 /* CERT type is IPGP. We made sure that the data is
155 plausible and that the caller requested this
160 *r_fpr = xtrymalloc (*r_fprlen);
163 err = gpg_err_make (default_errsource,
164 gpg_err_code_from_syserror ());
167 memcpy (*r_fpr, data + 1, *r_fprlen);
172 if (datalen > *r_fprlen + 1)
174 *r_url = xtrymalloc (datalen - (*r_fprlen + 1) + 1);
177 err = gpg_err_make (default_errsource,
178 gpg_err_code_from_syserror ());
184 data + (*r_fprlen + 1), datalen - (*r_fprlen + 1));
185 (*r_url)[datalen - (*r_fprlen + 1)] = '\0';
203 unsigned char *answer;
215 /* Allocate a 64k buffer which is the limit for an DNS response. */
216 answer = xtrymalloc (65536);
218 return gpg_err_make (default_errsource, gpg_err_code_from_syserror ());
220 err = gpg_err_make (default_errsource, GPG_ERR_NOT_FOUND);
222 r = res_query (name, C_IN, T_CERT, answer, 65536);
223 /* Not too big, not too small, no errors and at least 1 answer. */
224 if (r >= sizeof (HEADER) && r <= 65536
225 && (((HEADER *) answer)->rcode) == NOERROR
226 && (count = ntohs (((HEADER *) answer)->ancount)))
229 unsigned char *pt, *emsg;
233 pt = &answer[sizeof (HEADER)];
235 /* Skip over the query */
237 rc = dn_skipname (pt, emsg);
240 err = gpg_err_make (default_errsource, GPG_ERR_INV_OBJ);
245 /* There are several possible response types for a CERT request.
246 We're interested in the PGP (a key) and IPGP (a URI) types.
247 Skip all others. TODO: A key is better than a URI since
248 we've gone through all this bother to fetch it, so favor that
249 if we have both PGP and IPGP? */
251 while (count-- > 0 && pt < emsg)
253 u16 type, class, dlen, ctype;
255 rc = dn_skipname (pt, emsg); /* the name we just queried for */
258 err = gpg_err_make (default_errsource, GPG_ERR_INV_OBJ);
264 /* Truncated message? 15 bytes takes us to the point where
265 we start looking at the ctype. */
266 if ((emsg - pt) < 15)
269 type = buf16_to_u16 (pt);
272 class = buf16_to_u16 (pt);
282 dlen = buf16_to_u16 (pt);
285 /* We asked for CERT and got something else - might be a
286 CNAME, so loop around again. */
294 ctype = buf16_to_u16 (pt);
297 /* Skip the CERT key tag and algo which we don't need. */
302 /* 15 bytes takes us to here */
303 if (want_certtype && want_certtype != ctype)
304 ; /* Not of the requested certtype. */
305 else if (ctype == DNS_CERTTYPE_PGP && dlen && r_key && r_keylen)
308 *r_key = xtrymalloc (dlen);
310 err = gpg_err_make (default_errsource,
311 gpg_err_code_from_syserror ());
314 memcpy (*r_key, pt, dlen);
320 else if (ctype == DNS_CERTTYPE_IPGP
321 && dlen && dlen < 1023 && dlen >= pt[0] + 1)
327 *r_fpr = xtrymalloc (*r_fprlen);
330 err = gpg_err_make (default_errsource,
331 gpg_err_code_from_syserror ());
334 memcpy (*r_fpr, &pt[1], *r_fprlen);
339 if (dlen > *r_fprlen + 1)
341 *r_url = xtrymalloc (dlen - (*r_fprlen + 1) + 1);
344 err = gpg_err_make (default_errsource,
345 gpg_err_code_from_syserror ());
350 memcpy (*r_url, &pt[*r_fprlen + 1], dlen - (*r_fprlen + 1));
351 (*r_url)[dlen - (*r_fprlen + 1)] = '\0';
360 /* Neither type matches, so go around to the next answer. */
369 #endif /*!USE_ADNS */
370 #else /* !USE_DNS_CERT */
380 return gpg_err_make (default_errsource, GPG_ERR_NOT_SUPPORTED);