      1 /*	$NetBSD: dnssec.c,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
      2 
      3 /*	$KAME: dnssec.c,v 1.2 2001/08/05 18:46:07 itojun Exp $	*/
      4 
      5 /*
      6  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
      7  * All rights reserved.
      8  *
      9  * Redistribution and use in source and binary forms, with or without
     10  * modification, are permitted provided that the following conditions
     11  * are met:
     12  * 1. Redistributions of source code must retain the above copyright
     13  *    notice, this list of conditions and the following disclaimer.
     14  * 2. Redistributions in binary form must reproduce the above copyright
     15  *    notice, this list of conditions and the following disclaimer in the
     16  *    documentation and/or other materials provided with the distribution.
     17  * 3. Neither the name of the project nor the names of its contributors
     18  *    may be used to endorse or promote products derived from this software
     19  *    without specific prior written permission.
     20  *
     21  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
     22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
     25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     31  * SUCH DAMAGE.
     32  */
     33 
     34 #include "config.h"
     35 
     36 #include <sys/types.h>
     37 #include <sys/param.h>
     38 #include <stdlib.h>
     39 #include <string.h>
     40 
     41 #include "var.h"
     42 #include "vmbuf.h"
     43 #include "misc.h"
     44 #include "plog.h"
     45 #include "debug.h"
     46 
     47 #include "isakmp_var.h"
     48 #include "isakmp.h"
     49 #include "ipsec_doi.h"
     50 #include "oakley.h"
     51 #include "netdb_dnssec.h"
     52 #include "strnames.h"
     53 #include "dnssec.h"
     54 #include "gcmalloc.h"
     55 
/*
 * Resolver error indicator.  Nothing in the code shown in this file reads
 * it; the declaration is presumably kept for the DNSSEC resolver helpers
 * behind netdb_dnssec.h.
 * NOTE(review): on libcs where <netdb.h> defines h_errno as a macro this
 * plain extern may not compile cleanly -- confirm it is still needed.
 */
extern int h_errno;
     57 
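/*
 * Build an ISAKMP CERT payload for the peer named by an IPsec DOI ID
 * payload, by looking the name up as a CERT RR through getcertsbyname().
 *
 * id: body of the ID payload -- a struct ipsecdoi_id_b header followed by
 *     the identifier bytes.  Only IPSECDOI_ID_FQDN is handled; address
 *     IDs are rejected (no PTR lookup is attempted).
 *
 * Returns a freshly allocated cert_t whose pl holds the CERT payload body
 * (one encoding byte, ISAKMP_CERT_X509SIGN, followed by the raw
 * certificate) and whose cert member points into pl just past that byte.
 * Returns NULL on a malformed ID, lookup failure, unsupported RR type or
 * allocation failure.  The caller owns the result (oakley_delcert()).
 *
 * Only the first CERT RR of the answer is used; additional RRs are
 * reported with a warning and ignored.
 *
 * NOTE(review): the certificate is accepted exactly as getcertsbyname()
 * returns it.  Whether the answer was DNSSEC-validated is decided inside
 * that helper, not here -- confirm the resolver rejects unsigned answers
 * before relying on this path for peer authentication.
 */
cert_t *
dnssec_getcert(vchar_t *id)
{
	cert_t *cert = NULL;
	struct certinfo *res = NULL;
	struct ipsecdoi_id_b *id_b;
	int type;
	char *name = NULL;
	size_t namelen;
	int error;

	/*
	 * The ID payload comes from the peer.  Refuse anything shorter than
	 * the fixed header: without this check the subtraction below wraps
	 * and a bogus length reaches racoon_malloc()/memcpy().
	 */
	if (id == NULL || id->v == NULL || id->l < sizeof(*id_b)) {
		plog(LLV_ERROR, LOCATION, NULL,
			"ID payload too short for getcert method dnssec.\n");
		return NULL;
	}
	id_b = (struct ipsecdoi_id_b *)id->v;
	namelen = id->l - sizeof(*id_b);

	/*
	 * Take a NUL-terminated private copy: the identifier bytes in the
	 * payload are not a C string.
	 */
	name = racoon_malloc(namelen + 1);
	if (name == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to get buffer.\n");
		return NULL;
	}
	memcpy(name, id_b + 1, namelen);
	name[namelen] = '\0';

	switch (id_b->type) {
	case IPSECDOI_ID_FQDN:
		error = getcertsbyname(name, &res);
		if (error != 0) {
			plog(LLV_ERROR, LOCATION, NULL,
				"getcertsbyname(\"%s\") failed.\n", name);
			goto err;
		}
		/* Success without a record would dereference NULL below. */
		if (res == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"getcertsbyname(\"%s\") returned no CERT RR.\n",
				name);
			goto err;
		}
		break;
	case IPSECDOI_ID_IPV4_ADDR:
	case IPSECDOI_ID_IPV6_ADDR:
		/* XXX should be processed to query PTR ? */
		/* FALLTHROUGH */
	default:
		plog(LLV_ERROR, LOCATION, NULL,
			"inpropper ID type passed %s "
			"though getcert method is dnssec.\n",
			s_ipsecdoi_ident(id_b->type));
		goto err;
	}

	/* check response: only the first RR is consumed */
	if (res->ci_next != NULL) {
		plog(LLV_WARNING, LOCATION, NULL,
			"not supported multiple CERT RR.\n");
	}
	switch (res->ci_type) {
	case DNSSEC_TYPE_PKIX:
		/* XXX is it enough condition to set this type ? */
		type = ISAKMP_CERT_X509SIGN;
		break;
	default:
		plog(LLV_ERROR, LOCATION, NULL,
			"not supported CERT RR type %d.\n", res->ci_type);
		goto err;
	}

	/* create cert holder */
	cert = oakley_newcert();
	if (cert == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to get cert buffer.\n");
		goto err;
	}
	/* One extra leading byte carries the ISAKMP certificate encoding. */
	cert->pl = vmalloc(res->ci_certlen + 1);
	if (cert->pl == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to get cert buffer.\n");
		goto err;
	}
	cert->pl->v[0] = type;
	memcpy(cert->pl->v + 1, res->ci_cert, res->ci_certlen);
	/* cert aliases pl; it is not a separate allocation. */
	cert->cert.v = cert->pl->v + 1;
	cert->cert.l = cert->pl->l - 1;

	plog(LLV_DEBUG, LOCATION, NULL, "created CERT payload:\n");
	plogdump(LLV_DEBUG, cert->pl->v, cert->pl->l);

end:
	/*
	 * name is released on every exit here; previously it was freed only
	 * on the error path and leaked on success.
	 */
	if (name)
		racoon_free(name);
	if (res)
		freecertinfo(res);

	return cert;

err:
	if (cert) {
		oakley_delcert(cert);
		cert = NULL;
	}

	goto end;
}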