ipsec-tools/racoon/dnssec.c

   1 /*      $NetBSD: dnssec.c,v 1.4 2006/09/09 16:22:09 manu Exp $  */
   2
   3 /*      $KAME: dnssec.c,v 1.2 2001/08/05 18:46:07 itojun Exp $  */
   4
   5 /*
   6  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
   7  * All rights reserved.
   8  *
   9  * Redistribution and use in source and binary forms, with or without
  10  * modification, are permitted provided that the following conditions
  11  * are met:
  12  * 1. Redistributions of source code must retain the above copyright
  13  *    notice, this list of conditions and the following disclaimer.
  14  * 2. Redistributions in binary form must reproduce the above copyright
  15  *    notice, this list of conditions and the following disclaimer in the
  16  *    documentation and/or other materials provided with the distribution.
  17  * 3. Neither the name of the project nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33
  34 #include "config.h"
  35
  36 #if ENABLE_DNSSEC_CERTS
  37
  38 #include <sys/types.h>
  39 #include <sys/param.h>
  40 #include <stdlib.h>
  41 #include <string.h>
  42
  43 #include "var.h"
  44 #include "vmbuf.h"
  45 #include "misc.h"
  46 #include "plog.h"
  47 #include "debug.h"
  48
  49 #include "isakmp_var.h"
  50 #include "isakmp.h"
  51 #include "ipsec_doi.h"
  52 #include "oakley.h"
  53 #include "netdb_dnssec.h"
  54 #include "strnames.h"
  55 #include "dnssec.h"
  56 #include "gcmalloc.h"
  57
  58 extern int h_errno;
  59
  60 cert_t *
  61 dnssec_getcert(id)
  62         vchar_t *id;
  63 {
  64         cert_t *cert = NULL;
  65         struct certinfo *res = NULL;
  66         struct ipsecdoi_id_b *id_b;
  67         int type;
  68         char *name = NULL;
  69         int namelen;
  70         int error;
  71
  72         id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)id->v;
  73
  74         namelen = id->l - sizeof(*id_b);
  75         name = racoon_malloc(namelen + 1);
  76         if (!name) {
  77                 plog(ASL_LEVEL_ERR,
  78                         "failed to get buffer.\n");
  79                 return NULL;
  80         }
  81         memcpy(name, id_b + 1, namelen);
  82         name[namelen] = '\0';
  83
  84         switch (id_b->type) {
  85         case IPSECDOI_ID_FQDN:
  86                 error = getcertsbyname(name, &res);
  87                 if (error != 0) {
  88                         plog(ASL_LEVEL_ERR,
  89                                 "getcertsbyname(\"%s\") failed.\n", name);
  90                         goto err;
  91                 }
  92                 break;
  93         case IPSECDOI_ID_IPV4_ADDR:
  94         case IPSECDOI_ID_IPV6_ADDR:
  95                 /* XXX should be processed to query PTR ? */
  96         default:
  97                 plog(ASL_LEVEL_ERR,
  98                         "impropper ID type passed %s "
  99                         "though getcert method is dnssec.\n",
 100                         s_ipsecdoi_ident(id_b->type));
 101                 goto err;
 102         }
 103
 104         /* check response */
 105         if (res->ci_next != NULL) {
 106                 plog(ASL_LEVEL_WARNING,
 107                         "not supported multiple CERT RR.\n");
 108         }
 109         switch (res->ci_type) {
 110         case DNSSEC_TYPE_PKIX:
 111                 /* XXX is it enough condition to set this type ? */
 112                 type = ISAKMP_CERT_X509SIGN;
 113                 break;
 114         default:
 115                 plog(ASL_LEVEL_ERR,
 116                         "not supported CERT RR type %d.\n", res->ci_type);
 117                 goto err;
 118         }
 119
 120         /* create cert holder */
 121         cert = oakley_newcert();
 122         if (cert == NULL) {
 123                 plog(ASL_LEVEL_ERR,
 124                         "failed to get cert buffer.\n");
 125                 goto err;
 126         }
 127         cert->pl = vmalloc(res->ci_certlen + 1);
 128         if (cert->pl == NULL) {
 129                 plog(ASL_LEVEL_ERR,
 130                         "failed to get cert buffer.\n");
 131                 goto err;
 132         }
 133         memcpy(cert->pl->v + 1, res->ci_cert, res->ci_certlen);
 134         cert->pl->v[0] = type;
 135         cert->cert.v = cert->pl->v + 1;
 136         cert->cert.l = cert->pl->l - 1;
 137
 138         plog(ASL_LEVEL_DEBUG, "created CERT payload:\n");
 139
 140 end:
 141         if (res)
 142                 freecertinfo(res);
 143
 144         return cert;
 145
 146 err:
 147         if (name)
 148                 racoon_free(name);
 149         if (cert) {
 150                 oakley_delcert(cert);
 151                 cert = NULL;
 152         }
 153
 154         goto end;
 155 }
 156
 157 #endif /* ENABLE_DNSSEC_CERTS */