Skip to content
Browse files

improved getcertsbyname(). it will use lwres_getrrsetbyname() for get…

…ting

CERT RR if HAVE_LWRES is defined.
XXX the response in my test environment cannot be valid,
XXX so it is need more improvement.
  • Loading branch information...
1 parent 4e80bec commit 7113c5c66c2a300f7cadfe7340c9da348139083d sakane committed
Showing with 127 additions and 18 deletions.
  1. +125 −17 kame/kame/racoon/getcertsbyname.c
  2. +2 −1 kame/kame/racoon/netdb_dnssec.h
View
142 kame/kame/racoon/getcertsbyname.c
@@ -1,4 +1,4 @@
-/* $KAME: getcertsbyname.c,v 1.1 2001/04/11 06:11:55 sakane Exp $ */
+/* $KAME: getcertsbyname.c,v 1.2 2001/04/11 09:51:59 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -34,7 +34,12 @@
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>
+#ifdef HAVE_LWRES
+#include <lwres/netdb.h>
+#include <lwres/lwres.h>
+#else
#include <netdb.h>
+#endif
#include <stdlib.h>
#include <errno.h>
@@ -48,6 +53,35 @@
/* XXX should it use ci_errno to hold errno instead of h_errno ? */
extern int h_errno;
+static struct certinfo *getnewci __P((int, int, int, int, int, char *));
+
+static struct certinfo *
+getnewci(qtype, keytag, algorithm, flags, certlen, cert)
+ int qtype, keytag, algorithm, flags, certlen;
+ char *cert;
+{
+ struct certinfo *res;
+
+ res = malloc(sizeof(*res));
+ if (!res)
+ return NULL;
+
+ memset(res, 0, sizeof(*res));
+ res->ci_type = qtype;
+ res->ci_keytag = keytag;
+ res->ci_algorithm = algorithm;
+ res->ci_flags = flags;
+ res->ci_certlen = certlen;
+ res->ci_cert = malloc(certlen);
+ if (!res->ci_cert) {
+ free(res);
+ return NULL;
+ }
+ memcpy(res->ci_cert, cert, certlen);
+
+ return res;
+}
+
void
freecertinfo(ci)
struct certinfo *ci;
@@ -66,6 +100,90 @@ freecertinfo(ci)
/*
* get CERT RR by FQDN and create certinfo structure chain.
*/
+#ifdef HAVE_LWRES
+int
+getcertsbyname(name, res)
+ char *name;
+ struct certinfo **res;
+{
+ int rdlength;
+ char *cp;
+ int type, keytag, algorithm;
+ struct certinfo head, *cur;
+ struct rrsetinfo *rr = NULL;
+ int i;
+ int error = -1;
+
+ /* initialize res */
+ *res = NULL;
+
+ memset(&head, 0, sizeof(head));
+ cur = &head;
+
+ error = lwres_getrrsetbyname(name, C_IN, T_CERT, 0, &rr);
+ if (error) {
+#ifdef DNSSEC_DEBUG
+ printf("lwres_getrrsetbyname: %s\n", lwres_hstrerror(error));
+#endif
+ h_errno = NO_RECOVERY;
+ goto end;
+ }
+
+ if (rr->rri_rdclass != C_IN
+ || rr->rri_rdtype != T_CERT
+ || rr->rri_nrdatas == 0) {
+#ifdef DNSSEC_DEBUG
+ printf("lwres_getrrsetbyname: %s", lwres_hstrerror(error));
+#endif
+ h_errno = NO_RECOVERY;
+ goto end;
+ }
+#ifdef DNSSEC_DEBUG
+ if (!(rr->rri_flags & LWRDATA_VALIDATED))
+ printf("rr is not valid");
+#endif
+
+ for (i = 0; i < rr->rri_nrdatas; i++) {
+ rdlength = rr->rri_rdatas[i].rdi_length;
+ cp = rr->rri_rdatas[i].rdi_data;
+
+ GETSHORT(type, cp); /* type */
+ rdlength -= INT16SZ;
+ GETSHORT(keytag, cp); /* key tag */
+ rdlength -= INT16SZ;
+ algorithm = *cp++; /* algorithm */
+ rdlength -= 1;
+
+#ifdef DNSSEC_DEBUG
+ printf("type=%d keytag=%d alg=%d len=%d\n",
+ type, keytag, algorithm, rdlength);
+#endif
+
+ /* create new certinfo */
+ cur->ci_next = getnewci(type, keytag, algorithm,
+ rr->rri_flags, rdlength, cp);
+ if (!cur->ci_next) {
+#ifdef DNSSEC_DEBUG
+ printf("getnewci: %s", strerror(errno));
+#endif
+ h_errno = NO_RECOVERY;
+ goto end;
+ }
+ cur = cur->ci_next;
+ }
+
+ *res = head.ci_next;
+ error = 0;
+
+end:
+ if (rr)
+ lwres_freerrset(rr);
+ if (error && head.ci_next)
+ freecertinfo(head.ci_next);
+
+ return error;
+}
+#else /*!HAVE_LWRES*/
int
getcertsbyname(name, res)
char *name;
@@ -181,29 +299,17 @@ getcertsbyname(name, res)
#endif
/* create new certinfo */
- cur->ci_next = malloc(sizeof(*cur));
+ cur->ci_next = getnewci(qtype, keytag, algorithm,
+ 0, rdlength, cp);
if (!cur->ci_next) {
#ifdef DNSSEC_DEBUG
- printf("malloc(certinfo): %s", strerror(errno));
+ printf("getnewci: %s", strerror(errno));
#endif
h_errno = NO_RECOVERY;
goto end;
}
cur = cur->ci_next;
- memset(cur, 0, sizeof(*cur));
- cur->ci_type = qtype;
- cur->ci_keytag = keytag;
- cur->ci_algorithm = algorithm;
- cur->ci_certlen = rdlength;
- cur->ci_cert = malloc(rdlength);
- if (!cur->ci_cert) {
-#ifdef DNSSEC_DEBUG
- printf("malloc(cert): %s", strerror(errno));
-#endif
- h_errno = NO_RECOVERY;
- goto end;
- }
- memcpy(cur->ci_cert, cp, rdlength);
+
cp += rdlength;
}
@@ -218,6 +324,7 @@ getcertsbyname(name, res)
return error;
}
+#endif
#ifdef DNSSEC_DEBUG
int
@@ -280,6 +387,7 @@ main(ac, av)
printf("\tci_type=%d\n", p->ci_type);
printf("\tci_keytag=%d\n", p->ci_keytag);
printf("\tci_algorithm=%d\n", p->ci_algorithm);
+ printf("\tci_flags=%d\n", p->ci_flags);
printf("\tci_certlen=%d\n", p->ci_certlen);
printf("\tci_cert: ");
b64encode(p->ci_cert, p->ci_certlen);
View
3 kame/kame/racoon/netdb_dnssec.h
@@ -1,4 +1,4 @@
-/* $KAME: netdb_dnssec.h,v 1.1 2001/04/11 06:11:55 sakane Exp $ */
+/* $KAME: netdb_dnssec.h,v 1.2 2001/04/11 09:52:00 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -57,6 +57,7 @@ struct certinfo {
int ci_type; /* certificate type */
int ci_keytag; /* keytag */
int ci_algorithm; /* algorithm */
+ int ci_flags; /* currently, 1:valid or 0:uncertain */
size_t ci_certlen; /* length of certificate */
char *ci_cert; /* certificate */
struct certinfo *ci_next; /* next structure */

0 comments on commit 7113c5c

Please sign in to comment.
Something went wrong with that request. Please try again.