1 /* dns-stuff.c - DNS related code including CERT RR (rfc-4398)
2 * Copyright (C) 2003, 2005, 2006, 2009 Free Software Foundation, Inc.
3 * Copyright (C) 2005, 2006, 2009, 2015. 2016 Werner Koch
5 * This file is part of GnuPG.
7 * This file is free software; you can redistribute it and/or modify
8 * it under the terms of either
10 * - the GNU Lesser General Public License as published by the Free
11 * Software Foundation; either version 3 of the License, or (at
12 * your option) any later version.
16 * - the GNU General Public License as published by the Free
17 * Software Foundation; either version 2 of the License, or (at
18 * your option) any later version.
20 * or both in parallel, as here.
22 * This file is distributed in the hope that it will be useful,
23 * but WITHOUT ANY WARRANTY; without even the implied warranty of
24 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25 * GNU General Public License for more details.
27 * You should have received a copy of the GNU General Public License
28 * along with this program; if not, see <https://www.gnu.org/licenses/>.
32 #include <sys/types.h>
33 #ifdef HAVE_W32_SYSTEM
34 # define WIN32_LEAN_AND_MEAN
35 # ifdef HAVE_WINSOCK2_H
36 # include <winsock2.h>
39 # include <iphlpapi.h>
41 # if HAVE_SYSTEM_RESOLVER
42 # include <netinet/in.h>
43 # include <arpa/nameser.h>
52 /* William Ahern's DNS library, included as a source copy. */
57 /* dns.c has a dns_p_free but it is not exported. We use our own
58 * wrapper here so that we do not accidentally use xfree which would
59 * be wrong for dns.c allocated data. */
60 #define dns_free(a) free ((a))
63 #ifdef WITHOUT_NPTH /* Give the Makefile a chance to build without Pth. */
70 #include "./dirmngr-err.h"
73 #include "dns-stuff.h"
76 # define my_unprotect() npth_unprotect ()
77 # define my_protect() npth_protect ()
79 # define my_unprotect() do { } while(0)
80 # define my_protect() do { } while(0)
83 /* We allow the use of 0 instead of AF_UNSPEC - check this assumption. */
85 # error AF_UNSPEC does not have the value 0
88 /* Windows does not support the AI_ADDRCONFIG flag - use zero instead. */
90 # define AI_ADDRCONFIG 0
93 /* Not every installation has gotten around to supporting SRVs or
102 /* The standard SOCKS and TOR ports. */
103 #define SOCKS_PORT 1080
104 #define TOR_PORT 9050
105 #define TOR_PORT2 9150 /* (Used by the Tor browser) */
108 /* The default nameserver used in Tor mode. */
109 #define DEFAULT_NAMESERVER "8.8.8.8"
111 /* The default timeout in seconds for libdns requests. */
112 #define DEFAULT_TIMEOUT 30
115 /* Two flags to enable verbose and debug mode. */
116 static int opt_verbose;
117 static int opt_debug;
119 /* The timeout in seconds for libdns requests. */
120 static int opt_timeout;
122 /* If set force the use of the standard resolver. */
123 static int standard_resolver;
125 /* If set use recursive resolver when available. */
126 static int recursive_resolver;
128 /* If set Tor mode shall be used. */
131 /* A string with the nameserver IP address used with Tor.
132 (40 should be sufficient for v6 but we add some extra for a scope.) */
133 static char tor_nameserver[40+20];
135 /* Two strings to hold the credentials presented to Tor. */
136 static char tor_socks_user[30];
137 static char tor_socks_password[20];
141 /* Libdns gobal data. */
144 struct dns_resolv_conf *resolv_conf;
145 struct dns_hosts *hosts;
146 struct dns_hints *hints;
148 struct sockaddr_storage socks_host;
151 /* If this flag is set, libdns shall be reinited for the next use. */
152 static int libdns_reinit_pending;
154 /* The Tor port to be used. */
155 static int libdns_tor_port;
157 #endif /*USE_LIBDNS*/
160 /* Calling this function with YES set to True forces the use of the
161 * standard resolver even if dirmngr has been built with support for
162 * an alternative resolver. */
164 enable_standard_resolver (int yes)
166 standard_resolver = yes;
170 /* Return true if the standard resolver is used. */
172 standard_resolver_p (void)
174 return standard_resolver;
178 /* Calling this function with YES switches libdns into recursive mode.
179 * It has no effect on the standard resolver. */
181 enable_recursive_resolver (int yes)
183 recursive_resolver = yes;
185 libdns_reinit_pending = 1;
190 /* Return true iff the recursive resolver is used. */
192 recursive_resolver_p (void)
195 return !standard_resolver && recursive_resolver;
202 /* Sets the module in Tor mode. Returns 0 is this is possible or an
205 enable_dns_tormode (int new_circuit)
207 if (!*tor_socks_user || new_circuit)
209 static unsigned int counter;
211 gpgrt_snprintf (tor_socks_user, sizeof tor_socks_user,
212 "dirmngr-%lu", (unsigned long)getpid ());
213 gpgrt_snprintf (tor_socks_password, sizeof tor_socks_password,
222 /* Set verbosity and debug mode for this module. */
224 set_dns_verbose (int verbose, int debug)
226 opt_verbose = verbose;
231 /* Set the timeout for libdns requests to SECONDS. A value of 0 sets
232 * the default timeout and values are capped at 10 minutes. */
234 set_dns_timeout (int seconds)
237 seconds = DEFAULT_TIMEOUT;
238 else if (seconds < 1)
240 else if (seconds > 600)
243 opt_timeout = seconds;
247 /* Change the default IP address of the nameserver to IPADDR. The
248 address needs to be a numerical IP address and will be used for the
249 next DNS query. Note that this is only used in Tor mode. */
251 set_dns_nameserver (const char *ipaddr)
253 strncpy (tor_nameserver, ipaddr? ipaddr : DEFAULT_NAMESERVER,
254 sizeof tor_nameserver -1);
255 tor_nameserver[sizeof tor_nameserver -1] = 0;
257 libdns_reinit_pending = 1;
258 libdns_tor_port = 0; /* Start again with the default port. */
263 /* Free an addressinfo linked list as returned by resolve_dns_name. */
265 free_dns_addrinfo (dns_addrinfo_t ai)
269 dns_addrinfo_t next = ai->next;
276 #ifndef HAVE_W32_SYSTEM
277 /* Return H_ERRNO mapped to a gpg-error code. Will never return 0. */
279 get_h_errno_as_gpg_error (void)
285 case HOST_NOT_FOUND: ec = GPG_ERR_NO_NAME; break;
286 case TRY_AGAIN: ec = GPG_ERR_TRY_LATER; break;
287 case NO_RECOVERY: ec = GPG_ERR_SERVER_FAILED; break;
288 case NO_DATA: ec = GPG_ERR_NO_DATA; break;
289 default: ec = GPG_ERR_UNKNOWN_ERRNO; break;
291 return gpg_error (ec);
293 #endif /*!HAVE_W32_SYSTEM*/
296 map_eai_to_gpg_error (int ec)
302 case EAI_AGAIN: err = gpg_error (GPG_ERR_EAGAIN); break;
303 case EAI_BADFLAGS: err = gpg_error (GPG_ERR_INV_FLAG); break;
304 case EAI_FAIL: err = gpg_error (GPG_ERR_SERVER_FAILED); break;
305 case EAI_MEMORY: err = gpg_error (GPG_ERR_ENOMEM); break;
307 case EAI_NODATA: err = gpg_error (GPG_ERR_NO_DATA); break;
309 case EAI_NONAME: err = gpg_error (GPG_ERR_NO_NAME); break;
310 case EAI_SERVICE: err = gpg_error (GPG_ERR_NOT_SUPPORTED); break;
311 case EAI_FAMILY: err = gpg_error (GPG_ERR_EAFNOSUPPORT); break;
312 case EAI_SOCKTYPE: err = gpg_error (GPG_ERR_ESOCKTNOSUPPORT); break;
313 #ifndef HAVE_W32_SYSTEM
314 # ifdef EAI_ADDRFAMILY
315 case EAI_ADDRFAMILY:err = gpg_error (GPG_ERR_EADDRNOTAVAIL); break;
317 case EAI_SYSTEM: err = gpg_error_from_syserror (); break;
319 default: err = gpg_error (GPG_ERR_UNKNOWN_ERRNO); break;
327 libdns_error_to_gpg_error (int serr)
333 case 0: ec = 0; break;
335 case DNS_ENOBUFS: ec = GPG_ERR_BUFFER_TOO_SHORT; break;
336 case DNS_EILLEGAL: ec = GPG_ERR_INV_OBJ; break;
337 case DNS_EORDER: ec = GPG_ERR_INV_ORDER; break;
338 case DNS_ESECTION: ec = GPG_ERR_DNS_SECTION; break;
339 case DNS_EUNKNOWN: ec = GPG_ERR_DNS_UNKNOWN; break;
340 case DNS_EADDRESS: ec = GPG_ERR_DNS_ADDRESS; break;
341 case DNS_ENOQUERY: ec = GPG_ERR_DNS_NO_QUERY; break;
342 case DNS_ENOANSWER:ec = GPG_ERR_DNS_NO_ANSWER; break;
343 case DNS_EFETCHED: ec = GPG_ERR_ALREADY_FETCHED; break;
344 case DNS_ESERVICE: ec = GPG_ERR_NOT_SUPPORTED; break;
345 case DNS_ENONAME: ec = GPG_ERR_NO_NAME; break;
346 case DNS_EFAIL: ec = GPG_ERR_SERVER_FAILED; break;
347 case DNS_ECONNFIN: ec = GPG_ERR_DNS_CLOSED; break;
348 case DNS_EVERIFY: ec = GPG_ERR_DNS_VERIFY; break;
352 ec = gpg_err_code_from_errno (serr);
354 ec = GPG_ERR_DNS_UNKNOWN;
357 return gpg_error (ec);
359 #endif /*USE_LIBDNS*/
363 /* Initialize libdns. Returns 0 on success; prints a diagnostic and
364 * returns an error code on failure. */
373 if (libdns.resolv_conf)
374 return 0; /* Already initialized. */
376 memset (&ld, 0, sizeof ld);
378 ld.resolv_conf = dns_resconf_open (&derr);
381 err = libdns_error_to_gpg_error (derr);
382 log_error ("failed to allocate DNS resconf object: %s\n",
389 if (!*tor_nameserver)
390 set_dns_nameserver (NULL);
392 if (!libdns_tor_port)
393 libdns_tor_port = TOR_PORT;
395 cfgstr = xtryasprintf ("[%s]:53", tor_nameserver);
397 err = gpg_error_from_syserror ();
399 err = libdns_error_to_gpg_error
400 (dns_resconf_pton (&ld.resolv_conf->nameserver[0], cfgstr));
402 log_error ("failed to set nameserver '%s': %s\n",
403 cfgstr, gpg_strerror (err));
407 ld.resolv_conf->options.tcp = DNS_RESCONF_TCP_SOCKS;
410 cfgstr = xtryasprintf ("[%s]:%d", "127.0.0.1", libdns_tor_port);
412 err = gpg_error_from_syserror ();
414 err = libdns_error_to_gpg_error
415 (dns_resconf_pton (&ld.socks_host, cfgstr));
418 log_error ("failed to set socks server '%s': %s\n",
419 cfgstr, gpg_strerror (err));
425 #ifdef HAVE_W32_SYSTEM
432 ninfo = xtrymalloc (ninfo_len);
435 err = gpg_error_from_syserror ();
439 if (GetNetworkParams (ninfo, &ninfo_len))
441 log_error ("GetNetworkParms failed: %s\n", w32_strerror (-1));
442 err = gpg_error (GPG_ERR_GENERAL);
447 for (idx=0, pip = &(ninfo->DnsServerList);
448 pip && idx < DIM (ld.resolv_conf->nameserver);
452 log_debug ("dns: dnsserver[%d] '%s'\n", idx, pip->IpAddress.String);
453 err = libdns_error_to_gpg_error
454 (dns_resconf_pton (&ld.resolv_conf->nameserver[idx],
455 pip->IpAddress.String));
457 log_error ("failed to set nameserver[%d] '%s': %s\n",
458 idx, pip->IpAddress.String, gpg_strerror (err));
467 fname = "/etc/resolv.conf";
468 err = libdns_error_to_gpg_error
469 (dns_resconf_loadpath (ld.resolv_conf, fname));
472 log_error ("failed to load '%s': %s\n", fname, gpg_strerror (err));
476 fname = "/etc/nsswitch.conf";
477 err = libdns_error_to_gpg_error
478 (dns_nssconf_loadpath (ld.resolv_conf, fname));
481 log_error ("failed to load '%s': %s\n", fname, gpg_strerror (err));
488 ld.hosts = dns_hosts_open (&derr);
491 log_error ("failed to load hosts file: %s\n", gpg_strerror (err));
492 err = libdns_error_to_gpg_error (derr);
496 /* dns_hints_local for stub mode, dns_hints_root for recursive. */
497 ld.hints = (recursive_resolver
498 ? dns_hints_root (ld.resolv_conf, &derr)
499 : dns_hints_local (ld.resolv_conf, &derr));
502 log_error ("failed to load DNS hints: %s\n", gpg_strerror (err));
503 err = libdns_error_to_gpg_error (derr);
507 /* All fine. Make the data global. */
514 #endif /*USE_LIBDNS*/
518 /* Deinitialize libdns. */
524 if (!libdns.resolv_conf)
525 return; /* Not initialized. */
528 memset (&libdns, 0, sizeof libdns);
529 dns_hints_close (ld.hints);
530 dns_hosts_close (ld.hosts);
531 dns_resconf_close (ld.resolv_conf);
533 #endif /*USE_LIBDNS*/
536 /* SIGHUP action handler for this module. With FORCE set objects are
537 * all immediately released. */
539 reload_dns_stuff (int force)
545 libdns_reinit_pending = 0;
548 libdns_reinit_pending = 1;
557 * Initialize libdns if needed and open a dns_resolver context.
558 * Returns 0 on success and stores the new context at R_RES. On
559 * failure an error code is returned and NULL stored at R_RES.
562 libdns_res_open (struct dns_resolver **r_res)
565 struct dns_resolver *res;
570 if (libdns_reinit_pending)
572 libdns_reinit_pending = 0;
576 err = libdns_init ();
583 res = dns_res_open (libdns.resolv_conf, libdns.hosts, libdns.hints, NULL,
584 dns_opts (.socks_host = &libdns.socks_host,
585 .socks_user = tor_socks_user,
586 .socks_password = tor_socks_password ),
589 return libdns_error_to_gpg_error (derr);
594 #endif /*USE_LIBDNS*/
598 /* Helper to test whether we need totry again after having swicthed
601 libdns_switch_port_p (gpg_error_t err)
603 if (tor_mode && gpg_err_code (err) == GPG_ERR_ECONNREFUSED
604 && libdns_tor_port == TOR_PORT)
606 /* Switch port and try again. */
608 log_debug ("dns: switching from SOCKS port %d to %d\n",
609 TOR_PORT, TOR_PORT2);
610 libdns_tor_port = TOR_PORT2;
611 libdns_reinit_pending = 1;
616 #endif /*USE_LIBDNS*/
620 /* Wrapper around dns_res_submit. */
622 libdns_res_submit (struct dns_resolver *res, const char *qname,
623 enum dns_type qtype, enum dns_class qclass)
625 return libdns_error_to_gpg_error (dns_res_submit (res, qname, qtype, qclass));
627 #endif /*USE_LIBDNS*/
631 /* Standard event handling loop. */
633 libdns_res_wait (struct dns_resolver *res)
637 while ((err = libdns_error_to_gpg_error (dns_res_check (res)))
638 && gpg_err_code (err) == GPG_ERR_EAGAIN)
640 if (dns_res_elapsed (res) > opt_timeout)
642 err = gpg_error (GPG_ERR_DNS_TIMEOUT);
647 dns_res_poll (res, 1);
653 #endif /*USE_LIBDNS*/
658 resolve_name_libdns (const char *name, unsigned short port,
659 int want_family, int want_socktype,
660 dns_addrinfo_t *r_dai, char **r_canonname)
663 dns_addrinfo_t daihead = NULL;
665 struct dns_resolver *res = NULL;
666 struct dns_addrinfo *ai = NULL;
667 struct addrinfo hints;
668 struct addrinfo *ent;
670 char *portstr = NULL;
677 memset (&hints, 0, sizeof hints);
678 hints.ai_family = want_family;
679 hints.ai_socktype = want_socktype;
680 hints.ai_flags = AI_ADDRCONFIG;
682 hints.ai_flags |= AI_CANONNAME;
686 snprintf (portstr_, sizeof portstr_, "%hu", port);
690 err = libdns_res_open (&res);
694 ai = dns_ai_open (name, portstr, 0, &hints, res, &derr);
697 err = libdns_error_to_gpg_error (derr);
701 /* Loop over all records. */
704 err = libdns_error_to_gpg_error (dns_ai_nextent (&ent, ai));
705 if (gpg_err_code (err) == GPG_ERR_ENOENT)
708 err = 0; /* We got some results, we're good. */
711 if (gpg_err_code (err) == GPG_ERR_EAGAIN)
713 if (dns_ai_elapsed (ai) > opt_timeout)
715 err = gpg_error (GPG_ERR_DNS_TIMEOUT);
727 if (r_canonname && ! *r_canonname && ent && ent->ai_canonname)
729 *r_canonname = xtrystrdup (ent->ai_canonname);
732 err = gpg_error_from_syserror ();
735 /* Libdns appends the root zone part which is problematic
736 * for most other functions - strip it. */
737 if (**r_canonname && (*r_canonname)[strlen (*r_canonname)-1] == '.')
738 (*r_canonname)[strlen (*r_canonname)-1] = 0;
741 dai = xtrymalloc (sizeof *dai + ent->ai_addrlen -1);
744 err = gpg_error_from_syserror ();
748 dai->family = ent->ai_family;
749 dai->socktype = ent->ai_socktype;
750 dai->protocol = ent->ai_protocol;
751 dai->addrlen = ent->ai_addrlen;
752 memcpy (dai->addr, ent->ai_addr, ent->ai_addrlen);
767 xfree (*r_canonname);
770 free_dns_addrinfo (daihead);
777 #endif /*USE_LIBDNS*/
780 /* Resolve a name using the standard system function. */
782 resolve_name_standard (const char *name, unsigned short port,
783 int want_family, int want_socktype,
784 dns_addrinfo_t *r_dai, char **r_canonname)
787 dns_addrinfo_t daihead = NULL;
789 struct addrinfo *aibuf = NULL;
790 struct addrinfo hints, *ai;
798 memset (&hints, 0, sizeof hints);
799 hints.ai_family = want_family;
800 hints.ai_socktype = want_socktype;
801 hints.ai_flags = AI_ADDRCONFIG;
803 hints.ai_flags |= AI_CANONNAME;
806 snprintf (portstr, sizeof portstr, "%hu", port);
810 /* We can't use the the AI_IDN flag because that does the conversion
811 using the current locale. However, GnuPG always used UTF-8. To
812 support IDN we would need to make use of the libidn API. */
813 ret = getaddrinfo (name, *portstr? portstr : NULL, &hints, &aibuf);
817 err = map_eai_to_gpg_error (ret);
818 if (gpg_err_code (err) == GPG_ERR_NO_NAME)
820 /* There seems to be a bug in the glibc getaddrinfo function
821 if the CNAME points to a long list of A and AAAA records
822 in which case the function return NO_NAME. Let's do the
823 CNAME redirection again. */
826 if (get_dns_cname (name, &cname))
827 goto leave; /* Still no success. */
829 ret = getaddrinfo (cname, *portstr? portstr : NULL, &hints, &aibuf);
834 err = map_eai_to_gpg_error (ret);
837 err = 0; /* Yep, now it worked. */
843 if (r_canonname && aibuf && aibuf->ai_canonname)
845 *r_canonname = xtrystrdup (aibuf->ai_canonname);
848 err = gpg_error_from_syserror ();
853 for (ai = aibuf; ai; ai = ai->ai_next)
855 if (ai->ai_family != AF_INET6 && ai->ai_family != AF_INET)
858 dai = xtrymalloc (sizeof *dai + ai->ai_addrlen - 1);
859 dai->family = ai->ai_family;
860 dai->socktype = ai->ai_socktype;
861 dai->protocol = ai->ai_protocol;
862 dai->addrlen = ai->ai_addrlen;
863 memcpy (dai->addr, ai->ai_addr, ai->ai_addrlen);
870 freeaddrinfo (aibuf);
875 xfree (*r_canonname);
878 free_dns_addrinfo (daihead);
886 /* Resolve an address using the standard system function. */
888 resolve_addr_standard (const struct sockaddr *addr, int addrlen,
889 unsigned int flags, char **r_name)
899 buffer = xtrymalloc (buflen + 2 + 1);
901 return gpg_error_from_syserror ();
903 if ((flags & DNS_NUMERICHOST) || tor_mode)
906 ec = getnameinfo (addr, addrlen, buffer, buflen, NULL, 0, NI_NAMEREQD);
908 if (!ec && *buffer == '[')
909 ec = EAI_FAIL; /* A name may never start with a bracket. */
910 else if (ec == EAI_NONAME)
913 if (addr->sa_family == AF_INET6 && (flags & DNS_WITHBRACKET))
918 ec = getnameinfo (addr, addrlen, p, buflen, NULL, 0, NI_NUMERICHOST);
919 if (!ec && addr->sa_family == AF_INET6 && (flags & DNS_WITHBRACKET))
920 strcat (buffer, "]");
924 err = map_eai_to_gpg_error (ec);
927 p = xtryrealloc (buffer, strlen (buffer)+1);
929 err = gpg_error_from_syserror ();
946 /* This a wrapper around getaddrinfo with slightly different semantics.
947 NAME is the name to resolve.
948 PORT is the requested port or 0.
949 WANT_FAMILY is either 0 (AF_UNSPEC), AF_INET6, or AF_INET4.
950 WANT_SOCKETTYPE is either SOCK_STREAM or SOCK_DGRAM.
952 On success the result is stored in a linked list with the head
953 stored at the address R_AI; the caller must call gpg_addrinfo_free
954 on this. If R_CANONNAME is not NULL the official name of the host
955 is stored there as a malloced string; if that name is not available
958 resolve_dns_name (const char *name, unsigned short port,
959 int want_family, int want_socktype,
960 dns_addrinfo_t *r_ai, char **r_canonname)
965 if (!standard_resolver)
967 err = resolve_name_libdns (name, port, want_family, want_socktype,
969 if (err && libdns_switch_port_p (err))
970 err = resolve_name_libdns (name, port, want_family, want_socktype,
974 #endif /*USE_LIBDNS*/
975 err = resolve_name_standard (name, port, want_family, want_socktype,
978 log_debug ("dns: resolve_dns_name(%s): %s\n", name, gpg_strerror (err));
984 resolve_dns_addr (const struct sockaddr *addr, int addrlen,
985 unsigned int flags, char **r_name)
987 return resolve_addr_standard (addr, addrlen, flags, r_name);
991 /* Check whether NAME is an IP address. Returns true if it is either
992 an IPv6 or IPv4 numerical address. */
994 is_ip_address (const char *name)
997 int ndots, dblcol, n;
1000 return 1; /* yes: A legal DNS name may not contain this character;
1001 this mut be bracketed v6 address. */
1003 return 0; /* No. A leading dot is not a valid IP address. */
1005 /* Check whether this is a v6 address. */
1006 ndots = n = dblcol = 0;
1007 for (s=name; *s; s++)
1016 return 0; /* No: Only one "::" allowed. */
1025 else if (!strchr ("0123456789abcdefABCDEF", *s))
1026 return 0; /* No: Not a hex digit. */
1028 return 0; /* To many digits in a group. */
1031 return 0; /* No: Too many colons. */
1033 return 1; /* Yes: At least 2 colons indicate an v6 address. */
1036 /* Check whether it is legacy IP address. */
1038 for (s=name; *s; s++)
1043 return 0; /* No: Douple dot. */
1044 if (atoi (s+1) > 255)
1045 return 0; /* No: Ipv4 byte value too large. */
1049 else if (!strchr ("0123456789", *s))
1050 return 0; /* No: Not a digit. */
1052 return 0; /* No: More than 3 digits. */
1054 return !!(ndots == 3);
1058 /* Return true if NAME is an onion address. */
1060 is_onion_address (const char *name)
1064 len = name? strlen (name) : 0;
1065 if (len < 8 || strcmp (name + len - 6, ".onion"))
1067 /* Note that we require at least 2 characters before the suffix. */
1068 return 1; /* Yes. */
1072 /* libdns version of get_dns_cert. */
1075 get_dns_cert_libdns (const char *name, int want_certtype,
1076 void **r_key, size_t *r_keylen,
1077 unsigned char **r_fpr, size_t *r_fprlen, char **r_url)
1080 struct dns_resolver *res = NULL;
1081 struct dns_packet *ans = NULL;
1083 struct dns_rr_i rri;
1084 char host[DNS_D_MAXNAME + 1];
1088 /* Gte the query type from WANT_CERTTYPE (which in general indicates
1089 * the subtype we want). */
1090 qtype = (want_certtype < DNS_CERTTYPE_RRBASE
1092 : (want_certtype - DNS_CERTTYPE_RRBASE));
1095 err = libdns_res_open (&res);
1099 if (dns_d_anchor (host, sizeof host, name, strlen (name)) >= sizeof host)
1101 err = gpg_error (GPG_ERR_ENAMETOOLONG);
1105 err = libdns_res_submit (res, name, qtype, DNS_C_IN);
1109 err = libdns_res_wait (res);
1113 ans = dns_res_fetch (res, &derr);
1116 err = libdns_error_to_gpg_error (derr);
1120 /* Check the rcode. */
1121 switch (dns_p_rcode (ans))
1123 case DNS_RC_NOERROR: break;
1124 case DNS_RC_NXDOMAIN: err = gpg_error (GPG_ERR_NO_NAME); break;
1125 default: err = GPG_ERR_SERVER_FAILED; break;
1130 memset (&rri, 0, sizeof rri);
1131 dns_rr_i_init (&rri, ans);
1132 rri.section = DNS_S_ALL & ~DNS_S_QD;
1136 err = gpg_error (GPG_ERR_NOT_FOUND);
1137 while (dns_rr_grep (&rr, 1, &rri, ans, &derr))
1139 unsigned char *rp = ans->data + rr.rd.p;
1140 unsigned short len = rr.rd.len;
1145 /* Definitely too short - skip. */
1147 else if (want_certtype >= DNS_CERTTYPE_RRBASE
1148 && rr.type == (want_certtype - DNS_CERTTYPE_RRBASE)
1151 *r_key = xtrymalloc (len);
1153 err = gpg_error_from_syserror ();
1156 memcpy (*r_key, rp, len);
1162 else if (want_certtype >= DNS_CERTTYPE_RRBASE)
1164 /* We did not found the requested RR - skip. */
1166 else if (rr.type == T_CERT && len > 5)
1168 /* We got a CERT type. */
1169 subtype = buf16_to_u16 (rp);
1172 /* Skip the CERT key tag and algo which we don't need. */
1175 if (want_certtype && want_certtype != subtype)
1176 ; /* Not the requested subtype - skip. */
1177 else if (subtype == DNS_CERTTYPE_PGP && len && r_key && r_keylen)
1180 *r_key = xtrymalloc (len);
1182 err = gpg_error_from_syserror ();
1185 memcpy (*r_key, rp, len);
1191 else if (subtype == DNS_CERTTYPE_IPGP
1192 && len && len < 1023 && len >= rp[0] + 1)
1198 *r_fpr = xtrymalloc (*r_fprlen);
1201 err = gpg_error_from_syserror ();
1204 memcpy (*r_fpr, rp+1, *r_fprlen);
1209 if (len > *r_fprlen + 1)
1211 *r_url = xtrymalloc (len - (*r_fprlen + 1) + 1);
1214 err = gpg_error_from_syserror ();
1219 memcpy (*r_url, rp + *r_fprlen + 1, len - (*r_fprlen + 1));
1220 (*r_url)[len - (*r_fprlen + 1)] = 0;
1230 /* Unknown subtype or record too short - skip. */
1235 /* Not a requested type - skip. */
1241 dns_res_close (res);
1244 #endif /*USE_LIBDNS*/
1247 /* Standard resolver version of get_dns_cert. */
1249 get_dns_cert_standard (const char *name, int want_certtype,
1250 void **r_key, size_t *r_keylen,
1251 unsigned char **r_fpr, size_t *r_fprlen, char **r_url)
1253 #ifdef HAVE_SYSTEM_RESOLVER
1255 unsigned char *answer;
1259 /* Allocate a 64k buffer which is the limit for an DNS response. */
1260 answer = xtrymalloc (65536);
1262 return gpg_error_from_syserror ();
1264 err = gpg_error (GPG_ERR_NOT_FOUND);
1265 r = res_query (name, C_IN,
1266 (want_certtype < DNS_CERTTYPE_RRBASE
1268 : (want_certtype - DNS_CERTTYPE_RRBASE)),
1270 /* Not too big, not too small, no errors and at least 1 answer. */
1271 if (r >= sizeof (HEADER) && r <= 65536
1272 && (((HEADER *)(void *) answer)->rcode) == NOERROR
1273 && (count = ntohs (((HEADER *)(void *) answer)->ancount)))
1276 unsigned char *pt, *emsg;
1280 pt = &answer[sizeof (HEADER)];
1282 /* Skip over the query */
1284 rc = dn_skipname (pt, emsg);
1287 err = gpg_error (GPG_ERR_INV_OBJ);
1290 pt += rc + QFIXEDSZ;
1292 /* There are several possible response types for a CERT request.
1293 We're interested in the PGP (a key) and IPGP (a URI) types.
1294 Skip all others. TODO: A key is better than a URI since
1295 we've gone through all this bother to fetch it, so favor that
1296 if we have both PGP and IPGP? */
1298 while (count-- > 0 && pt < emsg)
1300 u16 type, class, dlen, ctype;
1302 rc = dn_skipname (pt, emsg); /* the name we just queried for */
1305 err = gpg_error (GPG_ERR_INV_OBJ);
1311 /* Truncated message? 15 bytes takes us to the point where
1312 we start looking at the ctype. */
1313 if ((emsg - pt) < 15)
1316 type = buf16_to_u16 (pt);
1319 class = buf16_to_u16 (pt);
1329 dlen = buf16_to_u16 (pt);
1332 /* Check the type and parse. */
1333 if (want_certtype >= DNS_CERTTYPE_RRBASE
1334 && type == (want_certtype - DNS_CERTTYPE_RRBASE)
1337 *r_key = xtrymalloc (dlen);
1339 err = gpg_error_from_syserror ();
1342 memcpy (*r_key, pt, dlen);
1348 else if (want_certtype >= DNS_CERTTYPE_RRBASE)
1350 /* We did not found the requested RR. */
1353 else if (type == T_CERT)
1355 /* We got a CERT type. */
1356 ctype = buf16_to_u16 (pt);
1359 /* Skip the CERT key tag and algo which we don't need. */
1364 /* 15 bytes takes us to here */
1365 if (want_certtype && want_certtype != ctype)
1366 ; /* Not of the requested certtype. */
1367 else if (ctype == DNS_CERTTYPE_PGP && dlen && r_key && r_keylen)
1370 *r_key = xtrymalloc (dlen);
1372 err = gpg_error_from_syserror ();
1375 memcpy (*r_key, pt, dlen);
1381 else if (ctype == DNS_CERTTYPE_IPGP
1382 && dlen && dlen < 1023 && dlen >= pt[0] + 1)
1388 *r_fpr = xtrymalloc (*r_fprlen);
1391 err = gpg_error_from_syserror ();
1394 memcpy (*r_fpr, &pt[1], *r_fprlen);
1399 if (dlen > *r_fprlen + 1)
1401 *r_url = xtrymalloc (dlen - (*r_fprlen + 1) + 1);
1404 err = gpg_error_from_syserror ();
1409 memcpy (*r_url, &pt[*r_fprlen + 1],
1410 dlen - (*r_fprlen + 1));
1411 (*r_url)[dlen - (*r_fprlen + 1)] = '\0';
1420 /* No subtype matches, so continue with the next answer. */
1425 /* Not a requested type - might be a CNAME. Try next item. */
1435 #else /*!HAVE_SYSTEM_RESOLVER*/
1438 (void)want_certtype;
1444 return gpg_error (GPG_ERR_NOT_SUPPORTED);
1446 #endif /*!HAVE_SYSTEM_RESOLVER*/
1450 /* Returns 0 on success or an error code. If a PGP CERT record was
1451 found, the malloced data is returned at (R_KEY, R_KEYLEN) and
1452 the other return parameters are set to NULL/0. If an IPGP CERT
1453 record was found the fingerprint is stored as an allocated block at
1454 R_FPR and its length at R_FPRLEN; an URL is is allocated as a
1455 string and returned at R_URL. If WANT_CERTTYPE is 0 this function
1456 returns the first CERT found with a supported type; it is expected
1457 that only one CERT record is used. If WANT_CERTTYPE is one of the
1458 supported certtypes only records with this certtype are considered
1459 and the first found is returned. (R_KEY,R_KEYLEN) are optional. */
1461 get_dns_cert (const char *name, int want_certtype,
1462 void **r_key, size_t *r_keylen,
1463 unsigned char **r_fpr, size_t *r_fprlen, char **r_url)
1476 if (!standard_resolver)
1478 err = get_dns_cert_libdns (name, want_certtype, r_key, r_keylen,
1479 r_fpr, r_fprlen, r_url);
1480 if (err && libdns_switch_port_p (err))
1481 err = get_dns_cert_libdns (name, want_certtype, r_key, r_keylen,
1482 r_fpr, r_fprlen, r_url);
1485 #endif /*USE_LIBDNS*/
1486 err = get_dns_cert_standard (name, want_certtype, r_key, r_keylen,
1487 r_fpr, r_fprlen, r_url);
1490 log_debug ("dns: get_dns_cert(%s): %s\n", name, gpg_strerror (err));
1496 priosort(const void *a,const void *b)
1498 const struct srventry *sa=a,*sb=b;
1499 if(sa->priority>sb->priority)
1501 else if(sa->priority<sb->priority)
1508 /* Libdns based helper for getsrv. Note that it is expected that NULL
1509 * is stored at the address of LIST and 0 is stored at the address of
1513 getsrv_libdns (const char *name, struct srventry **list, unsigned int *r_count)
1516 struct dns_resolver *res = NULL;
1517 struct dns_packet *ans = NULL;
1519 struct dns_rr_i rri;
1520 char host[DNS_D_MAXNAME + 1];
1522 unsigned int srvcount = 0;
1524 err = libdns_res_open (&res);
1528 if (dns_d_anchor (host, sizeof host, name, strlen (name)) >= sizeof host)
1530 err = gpg_error (GPG_ERR_ENAMETOOLONG);
1534 err = libdns_res_submit (res, name, DNS_T_SRV, DNS_C_IN);
1538 err = libdns_res_wait (res);
1542 ans = dns_res_fetch (res, &derr);
1545 err = libdns_error_to_gpg_error (derr);
1549 /* Check the rcode. */
1550 switch (dns_p_rcode (ans))
1552 case DNS_RC_NOERROR: break;
1553 case DNS_RC_NXDOMAIN: err = gpg_error (GPG_ERR_NO_NAME); break;
1554 default: err = GPG_ERR_SERVER_FAILED; break;
1559 memset (&rri, 0, sizeof rri);
1560 dns_rr_i_init (&rri, ans);
1561 rri.section = DNS_S_ALL & ~DNS_S_QD;
1563 rri.type = DNS_T_SRV;
1565 while (dns_rr_grep (&rr, 1, &rri, ans, &derr))
1567 struct dns_srv dsrv;
1568 struct srventry *srv;
1569 struct srventry *newlist;
1571 err = libdns_error_to_gpg_error (dns_srv_parse(&dsrv, &rr, ans));
1575 newlist = xtryrealloc (*list, (srvcount+1)*sizeof(struct srventry));
1578 err = gpg_error_from_syserror ();
1582 memset (&(*list)[srvcount], 0, sizeof(struct srventry));
1583 srv = &(*list)[srvcount];
1585 srv->priority = dsrv.priority;
1586 srv->weight = dsrv.weight;
1587 srv->port = dsrv.port;
1588 mem2str (srv->target, dsrv.target, sizeof srv->target);
1591 *r_count = srvcount;
1600 dns_res_close (res);
1603 #endif /*USE_LIBDNS*/
1606 /* Standard resolver based helper for getsrv. Note that it is
1607 * expected that NULL is stored at the address of LIST and 0 is stored
1608 * at the address of R_COUNT. */
1610 getsrv_standard (const char *name,
1611 struct srventry **list, unsigned int *r_count)
1613 #ifdef HAVE_SYSTEM_RESOLVER
1615 unsigned char ans[2048];
1618 unsigned char *answer = res.ans;
1619 HEADER *header = res.header;
1620 unsigned char *pt, *emsg;
1623 unsigned int srvcount = 0;
1626 /* Do not allow a query using the standard resolver in Tor mode. */
1628 return gpg_error (GPG_ERR_NOT_ENABLED);
1631 r = res_query (name, C_IN, T_SRV, answer, sizeof res.ans);
1634 return get_h_errno_as_gpg_error ();
1635 if (r < sizeof (HEADER))
1636 return gpg_error (GPG_ERR_SERVER_FAILED);
1637 if (r > sizeof res.ans)
1638 return gpg_error (GPG_ERR_SYSTEM_BUG);
1639 if (header->rcode != NOERROR || !(count=ntohs (header->ancount)))
1640 return gpg_error (GPG_ERR_NO_NAME); /* Error or no record found. */
1643 pt = &answer[sizeof(HEADER)];
1645 /* Skip over the query */
1646 rc = dn_skipname (pt, emsg);
1650 pt += rc + QFIXEDSZ;
1652 while (count-- > 0 && pt < emsg)
1654 struct srventry *srv;
1656 struct srventry *newlist;
1658 newlist = xtryrealloc (*list, (srvcount+1)*sizeof(struct srventry));
1662 memset (&(*list)[srvcount], 0, sizeof(struct srventry));
1663 srv = &(*list)[srvcount];
1666 rc = dn_skipname (pt, emsg); /* The name we just queried for. */
1671 /* Truncated message? */
1675 type = buf16_to_u16 (pt);
1677 /* We asked for SRV and got something else !? */
1681 class = buf16_to_u16 (pt);
1683 /* We asked for IN and got something else !? */
1688 dlen = buf16_to_u16 (pt);
1691 srv->priority = buf16_to_ushort (pt);
1693 srv->weight = buf16_to_ushort (pt);
1695 srv->port = buf16_to_ushort (pt);
1698 /* Get the name. 2782 doesn't allow name compression, but
1699 * dn_expand still works to pull the name out of the packet. */
1700 rc = dn_expand (answer, emsg, pt, srv->target, sizeof srv->target);
1701 if (rc == 1 && srv->target[0] == 0) /* "." */
1710 /* Corrupt packet? */
1715 *r_count = srvcount;
1721 return gpg_error (GPG_ERR_GENERAL);
1723 #else /*!HAVE_SYSTEM_RESOLVER*/
1728 return gpg_error (GPG_ERR_NOT_SUPPORTED);
1730 #endif /*!HAVE_SYSTEM_RESOLVER*/
1734 /* Note that we do not return NONAME but simply store 0 at R_COUNT. */
1736 get_dns_srv (const char *name, struct srventry **list, unsigned int *r_count)
1739 unsigned int srvcount;
1746 if (!standard_resolver)
1748 err = getsrv_libdns (name, list, &srvcount);
1749 if (err && libdns_switch_port_p (err))
1750 err = getsrv_libdns (name, list, &srvcount);
1753 #endif /*USE_LIBDNS*/
1754 err = getsrv_standard (name, list, &srvcount);
1758 if (gpg_err_code (err) == GPG_ERR_NO_NAME)
1763 /* Now we have an array of all the srv records. */
1765 /* Order by priority */
1766 qsort(*list,srvcount,sizeof(struct srventry),priosort);
1768 /* For each priority, move the zero-weighted items first. */
1769 for (i=0; i < srvcount; i++)
1773 for (j=i;j < srvcount && (*list)[i].priority == (*list)[j].priority; j++)
1775 if((*list)[j].weight==0)
1780 struct srventry temp;
1782 memcpy (&temp,&(*list)[j],sizeof(struct srventry));
1783 memcpy (&(*list)[j],&(*list)[i],sizeof(struct srventry));
1784 memcpy (&(*list)[i],&temp,sizeof(struct srventry));
1792 /* Run the RFC-2782 weighting algorithm. We don't need very high
1793 quality randomness for this, so regular libc srand/rand is
1801 srand (time (NULL)*getpid());
1805 for (i=0; i < srvcount; i++)
1808 float prio_count=0,chose;
1810 for (j=i; j < srvcount && (*list)[i].priority == (*list)[j].priority; j++)
1812 prio_count+=(*list)[j].weight;
1813 (*list)[j].run_count=prio_count;
1816 chose=prio_count*rand()/RAND_MAX;
1818 for (j=i;j<srvcount && (*list)[i].priority==(*list)[j].priority;j++)
1820 if (chose<=(*list)[j].run_count)
1825 struct srventry temp;
1827 memcpy(&temp,&(*list)[j],sizeof(struct srventry));
1828 memcpy(&(*list)[j],&(*list)[i],sizeof(struct srventry));
1829 memcpy(&(*list)[i],&temp,sizeof(struct srventry));
1840 log_debug ("dns: getsrv(%s): %s\n", name, gpg_strerror (err));
1842 log_debug ("dns: getsrv(%s) -> %u records\n", name, srvcount);
1845 *r_count = srvcount;
1852 /* libdns version of get_dns_cname. */
1854 get_dns_cname_libdns (const char *name, char **r_cname)
1857 struct dns_resolver *res;
1858 struct dns_packet *ans = NULL;
1859 struct dns_cname cname;
1862 err = libdns_res_open (&res);
1866 err = libdns_res_submit (res, name, DNS_T_CNAME, DNS_C_IN);
1870 err = libdns_res_wait (res);
1874 ans = dns_res_fetch (res, &derr);
1877 err = libdns_error_to_gpg_error (derr);
1881 /* Check the rcode. */
1882 switch (dns_p_rcode (ans))
1884 case DNS_RC_NOERROR: break;
1885 case DNS_RC_NXDOMAIN: err = gpg_error (GPG_ERR_NO_NAME); break;
1886 default: err = GPG_ERR_SERVER_FAILED; break;
1891 /* Parse the result into CNAME. */
1892 err = libdns_error_to_gpg_error (dns_p_study (ans));
1896 if (!dns_d_cname (&cname, sizeof cname, name, strlen (name), ans, &derr))
1898 err = libdns_error_to_gpg_error (derr);
1903 *r_cname = xtrystrdup (cname.host);
1905 err = gpg_error_from_syserror ();
1908 /* Libdns appends the root zone part which is problematic
1909 * for most other functions - strip it. */
1910 if (**r_cname && (*r_cname)[strlen (*r_cname)-1] == '.')
1911 (*r_cname)[strlen (*r_cname)-1] = 0;
1916 dns_res_close (res);
1919 #endif /*USE_LIBDNS*/
1922 /* Standard resolver version of get_dns_cname. */
1924 get_dns_cname_standard (const char *name, char **r_cname)
1926 #ifdef HAVE_SYSTEM_RESOLVER
1930 unsigned char ans[2048];
1933 unsigned char *answer = res.ans;
1934 HEADER *header = res.header;
1935 unsigned char *pt, *emsg;
1938 int cnamesize = 1025;
1941 /* Do not allow a query using the standard resolver in Tor mode. */
1946 r = res_query (name, C_IN, T_CERT, answer, sizeof res.ans);
1949 return get_h_errno_as_gpg_error ();
1950 if (r < sizeof (HEADER))
1951 return gpg_error (GPG_ERR_SERVER_FAILED);
1952 if (r > sizeof res.ans)
1953 return gpg_error (GPG_ERR_SYSTEM_BUG);
1954 if (header->rcode != NOERROR || !(count=ntohs (header->ancount)))
1955 return gpg_error (GPG_ERR_NO_NAME); /* Error or no record found. */
1957 return gpg_error (GPG_ERR_SERVER_FAILED);
1960 pt = &answer[sizeof(HEADER)];
1961 rc = dn_skipname (pt, emsg);
1963 return gpg_error (GPG_ERR_SERVER_FAILED);
1965 pt += rc + QFIXEDSZ;
1967 return gpg_error (GPG_ERR_SERVER_FAILED);
1969 rc = dn_skipname (pt, emsg);
1971 return gpg_error (GPG_ERR_SERVER_FAILED);
1972 pt += rc + 2 + 2 + 4;
1974 return gpg_error (GPG_ERR_SERVER_FAILED);
1975 pt += 2; /* Skip rdlen */
1977 cname = xtrymalloc (cnamesize);
1979 return gpg_error_from_syserror ();
1981 rc = dn_expand (answer, emsg, pt, cname, cnamesize -1);
1985 return gpg_error (GPG_ERR_SERVER_FAILED);
1987 *r_cname = xtryrealloc (cname, strlen (cname)+1);
1990 err = gpg_error_from_syserror ();
1996 #else /*!HAVE_SYSTEM_RESOLVER*/
2000 return gpg_error (GPG_ERR_NOT_IMPLEMENTED);
2002 #endif /*!HAVE_SYSTEM_RESOLVER*/
2007 get_dns_cname (const char *name, char **r_cname)
2014 if (!standard_resolver)
2016 err = get_dns_cname_libdns (name, r_cname);
2017 if (err && libdns_switch_port_p (err))
2018 err = get_dns_cname_libdns (name, r_cname);
2021 #endif /*USE_LIBDNS*/
2023 err = get_dns_cname_standard (name, r_cname);
2025 log_debug ("get_dns_cname(%s)%s%s\n", name,
2026 err ? ": " : " -> ",
2027 err ? gpg_strerror (err) : *r_cname);