[svn] GnuPG - r5219 - in branches/STABLE-BRANCH-2-0: . common

svn author wk cvs at cvs.gnupg.org
Tue Dec 8 13:43:27 CET 2009 

Author: wk
Date: 2009-12-08 13:43:27 +0100 (Tue, 08 Dec 2009)
New Revision: 5219

Modified:
   branches/STABLE-BRANCH-2-0/ChangeLog
   branches/STABLE-BRANCH-2-0/NEWS
   branches/STABLE-BRANCH-2-0/common/ChangeLog
   branches/STABLE-BRANCH-2-0/common/dns-cert.c
   branches/STABLE-BRANCH-2-0/configure.ac
Log:
Support DNS CERT lookups via ADNS


Modified: branches/STABLE-BRANCH-2-0/ChangeLog
===================================================================
--- branches/STABLE-BRANCH-2-0/ChangeLog	2009-12-08 12:20:11 UTC (rev 5218)
+++ branches/STABLE-BRANCH-2-0/ChangeLog	2009-12-08 12:43:27 UTC (rev 5219)
@@ -1,3 +1,7 @@
+2009-12-08  Werner Koch  <wk at g10code.com>
+
+	* configure.ac (USE_DNS_CERT): Support via ADNS.
+
 2009-12-07  Werner Koch  <wk at g10code.com>
 
 	* configure.ac: Check for ADNS before checking for the BIND

Modified: branches/STABLE-BRANCH-2-0/common/ChangeLog
===================================================================
--- branches/STABLE-BRANCH-2-0/common/ChangeLog	2009-12-08 12:20:11 UTC (rev 5218)
+++ branches/STABLE-BRANCH-2-0/common/ChangeLog	2009-12-08 12:43:27 UTC (rev 5219)
@@ -1,3 +1,7 @@
+2009-12-08  Werner Koch  <wk at g10code.com>
+
+	* dns-cert.c: Add support for ADNS.
+
 2009-12-07  Werner Koch  <wk at g10code.com>
 
 	* pka.c (get_pka_info): Add support for ADNS.

Modified: branches/STABLE-BRANCH-2-0/NEWS
===================================================================
--- branches/STABLE-BRANCH-2-0/NEWS	2009-12-08 12:20:11 UTC (rev 5218)
+++ branches/STABLE-BRANCH-2-0/NEWS	2009-12-08 12:43:27 UTC (rev 5219)
@@ -9,7 +9,9 @@
 
  * The GPGSM --audit-log feature is now more complete.
 
+ * Support DNS lookups for SRV, PKA and CERT on W32.
 
+
 Noteworthy changes in version 2.0.13 (2009-09-04)
 -------------------------------------------------
 

Modified: branches/STABLE-BRANCH-2-0/common/dns-cert.c
===================================================================
--- branches/STABLE-BRANCH-2-0/common/dns-cert.c	2009-12-08 12:20:11 UTC (rev 5218)
+++ branches/STABLE-BRANCH-2-0/common/dns-cert.c	2009-12-08 12:43:27 UTC (rev 5219)
@@ -1,5 +1,5 @@
 /* dns-cert.c - DNS CERT code
- * Copyright (C) 2005, 2006 Free Software Foundation, Inc.
+ * Copyright (C) 2005, 2006, 2009 Free Software Foundation, Inc.
  *
  * This file is part of GNUPG.
  *
@@ -21,14 +21,20 @@
 #include <sys/types.h>
 #ifdef USE_DNS_CERT
 # ifdef HAVE_W32_SYSTEM
-# include <windows.h>
+#  include <windows.h>
 # else
-# include <netinet/in.h>
-# include <arpa/nameser.h>
-# include <resolv.h>
+#  include <netinet/in.h>
+#  include <arpa/nameser.h>
+#  include <resolv.h>
 # endif
-#include <string.h>
+# include <string.h>
 #endif
+#ifdef USE_ADNS
+# include <adns.h>
+# ifndef HAVE_ADNS_FREE
+#  define adns_free free
+# endif
+#endif
 
 #include "util.h"
 #include "iobuf.h"
@@ -40,14 +46,106 @@
 #define T_CERT 37
 #endif
 
+/* ADNS has no support for CERT yes. */
+#define my_adns_r_cert 37
 
+
+
 /* Returns -1 on error, 0 for no answer, 1 for PGP provided and 2 for
-   IPGP provided. */
+   IPGP provided.  Note that this fucntion retruns the first CERT
+   found with a supported type; it is expected that only one CERT
+   record is used. */
 int
-get_dns_cert (const char *name,size_t max_size,IOBUF *iobuf,
-              unsigned char **fpr,size_t *fpr_len,char **url)
+get_dns_cert (const char *name, size_t max_size, IOBUF *iobuf,
+              unsigned char **fpr, size_t *fpr_len, char **url)
 {
 #ifdef USE_DNS_CERT
+#ifdef USE_ADNS
+  adns_state state;
+  adns_answer *answer = NULL;
+  int rc;
+  unsigned int ctype;
+  int count;
+
+  rc = adns_init (&state, adns_if_noerrprint, NULL);
+  if (rc)
+    {
+      log_error ("error initializing adns: %s\n", strerror (errno));
+      return -1;
+    }
+
+  rc = adns_synchronous (state, name, (adns_r_unknown | my_adns_r_cert),
+                         adns_qf_quoteok_query, &answer);
+  if (rc)
+    {
+      /* log_error ("DNS query failed: %s\n", strerror (errno)); */
+      adns_finish (state);
+      return -1;
+    }
+  if (answer->status != adns_s_ok) 
+    {
+      /* log_error ("DNS query returned an error: %s (%s)\n", */
+      /*            adns_strerror (answer->status), */
+      /*            adns_errabbrev (answer->status)); */
+      adns_free (answer);
+      adns_finish (state);
+      return 0;
+    }
+
+  for (rc = 0, count=0; !rc && count < answer->nrrs; count++)
+    {
+      int datalen = answer->rrs.byteblock[count].len;
+      const unsigned char *data = answer->rrs.byteblock[count].data;
+
+      if (datalen < 5)
+        continue;  /* Truncated CERT record - skip.  */
+
+      ctype = ((data[0]<<8)|data[1]);
+      /* (key tag and algorithm fields are not required.) */
+      data += 5;
+      datalen -= 5;
+
+      if (ctype == 3 && datalen >= 11)
+        {
+          /* CERT type is PGP.  Gpg checks for a minimum length of 11,
+             thus we do the same.  */
+          *iobuf = iobuf_temp_with_content ((char*)data, datalen);
+          rc = 1;
+        }
+      else if (ctype == 6 && datalen && datalen < 1023 
+               && datalen >= data[0]+1 && fpr && fpr_len && url)
+        {
+          /* CERT type is IPGP.  We made sure tha the data is
+             plausible and that the caller requested the
+             information.  */
+          *fpr_len = data[0];
+          if (*fpr_len)
+            {
+              *fpr = xmalloc (*fpr_len);
+              memcpy (*fpr, data+1, *fpr_len);
+            }
+          else
+            *fpr = NULL;
+              
+          if (datalen > *fpr_len + 1)
+            {
+              *url = xmalloc (datalen - (*fpr_len+1) + 1);
+              memcpy (*url, data + (*fpr_len+1), datalen - (*fpr_len+1));
+              (*url)[datalen - (*fpr_len+1)] = '\0';
+            }
+          else
+            *url = NULL;
+          
+          rc = 2;
+        }
+    }
+  
+  adns_free (answer);
+  adns_finish (state);
+  return rc;
+
+#else /*!USE_ADNS*/
+
   unsigned char *answer;
   int r,ret=-1;
   u16 count;
@@ -178,8 +276,8 @@
 
  fail:
   xfree(answer);
-
   return ret;
+#endif /*!USE_ADNS*/
 #else /* !USE_DNS_CERT */
   return -1;
 #endif

Modified: branches/STABLE-BRANCH-2-0/configure.ac
===================================================================
--- branches/STABLE-BRANCH-2-0/configure.ac	2009-12-08 12:20:11 UTC (rev 5218)
+++ branches/STABLE-BRANCH-2-0/configure.ac	2009-12-08 12:43:27 UTC (rev 5219)
@@ -826,7 +826,6 @@
   else
      # If we have no resolver library but ADNS (e.g. under W32) enable the
      # code parts which can be used with ADNS.
-     use_dns_cert=no
      if test x"$have_adns" = xyes ; then
         DNSLIBS="$ADNSLIBS"
         AC_DEFINE(USE_ADNS,1,[Use ADNS as resolver library.])
@@ -838,9 +837,14 @@
         if test x"$use_dns_pka" = xyes ; then
            AC_DEFINE(USE_DNS_PKA,1)
         fi
+
+        if test x"$use_dns_cert" = xyes ; then
+           AC_DEFINE(USE_DNS_CERT,1,[define to use DNS CERT])
+        fi
      else
         use_dns_srv=no
         use_dns_pka=no
+        use_dns_cert=no
      fi
   fi

More information about the Gnupg-commits mailing list