Pull up following revision(s) (requested by manu in ticket #887):
lib/libc/nameser/ns_samedomain.c		1.7-1.8
lib/libresolv/Makefile				1.12
lib/libresolv/dst_api.c				1.1-1.3
lib/libresolv/dst_internal.h			1.1-1.2
lib/libresolv/hmac_link.c			1.1-1.2
lib/libresolv/ns_date.c				1.1
lib/libresolv/ns_sign.c				1.1
lib/libresolv/ns_verify.c			1.1-1.2
lib/libresolv/res_findzonecut.c			1.1
lib/libresolv/res_mkupdate.c			1.1-1.2
lib/libresolv/res_mkupdate.h			1.1
lib/libresolv/res_private.h			1.1
lib/libresolv/res_sendsigned.c			1.1
lib/libresolv/res_update.c			1.1
lib/libresolv/support.c				1.1
lib/libresolv/shlib_version			1.7
include/res_update.h				1.8
distrib/sets/lists/base/ad.mips64eb		1.102
distrib/sets/lists/base/ad.mips64el		1.101
distrib/sets/lists/base/md.amd64		1.178
distrib/sets/lists/base/md.sparc64		1.167
distrib/sets/lists/base/shl.mi			1.639
distrib/sets/lists/comp/ad.mips64eb		1.91
distrib/sets/lists/comp/ad.mips64el		1.93
distrib/sets/lists/comp/md.amd64		1.181
distrib/sets/lists/comp/md.sparc64		1.159
distrib/sets/lists/comp/shl.mi			1.238

 Bring libresolv to its latest version which restore missing bits such
as DNS update.


(msaitoh)

/*	$NetBSD: dst_api.c,v 1.3.10.2 2013/06/13 04:20:30 msaitoh Exp $	*/

/*
 * Portions Copyright (c) 1995-1998 by Trusted Information Systems, Inc.
 *
 * Permission to use, copy modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND TRUSTED INFORMATION SYSTEMS
 * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL
 * TRUSTED INFORMATION SYSTEMS BE LIABLE FOR ANY SPECIAL, DIRECT,
 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
 * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
 * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 * WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
 */
/*
 * This file contains the interface between the DST API and the crypto API.
 * This is the only file that needs to be changed if the crypto system is
 * changed.  Exported functions are:
 * void dst_init()	 Initialize the toolkit
 * int  dst_check_algorithm()   Function to determines if alg is suppored.
 * int  dst_compare_keys()      Function to compare two keys for equality.
 * int  dst_sign_data()         Incremental signing routine.
 * int  dst_verify_data()       Incremental verify routine.
 * int  dst_generate_key()      Function to generate new KEY
 * DST_KEY *dst_read_key()      Function to retrieve private/public KEY.
 * void dst_write_key()         Function to write out a key.
 * DST_KEY *dst_dnskey_to_key() Function to convert DNS KEY RR to a DST
 *				KEY structure.
 * int dst_key_to_dnskey() 	Function to return a public key in DNS 
 *				format binary
 * DST_KEY *dst_buffer_to_key() Converst a data in buffer to KEY
 * int *dst_key_to_buffer()	Writes out DST_KEY key matterial in buffer
 * void dst_free_key()       	Releases all memory referenced by key structure
 */
#include <sys/cdefs.h>
#if 0
static const char rcsid[] = "Header: /proj/cvs/prod/libbind/dst/dst_api.c,v 1.17 2007/09/24 17:18:25 each Exp ";
#else
__RCSID("$NetBSD: dst_api.c,v 1.3.10.2 2013/06/13 04:20:30 msaitoh Exp $");
#endif


#include "port_before.h"
#include <stdio.h>
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <memory.h>
#include <ctype.h>
#include <time.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>

#include "dst_internal.h"
#include "port_after.h"

/* static variables */
static int done_init = 0;
dst_func *dst_t_func[DST_MAX_ALGS];
const char *dst_path = "";

/* internal I/O functions */
static DST_KEY *dst_s_read_public_key(const char *in_name, 
				      const u_int16_t in_id, int in_alg);
static int dst_s_read_private_key_file(char *name, DST_KEY *pk_key,
				       u_int16_t in_id, int in_alg);
static int dst_s_write_public_key(const DST_KEY *key);
static int dst_s_write_private_key(const DST_KEY *key);

/* internal function to set up data structure */
static DST_KEY *dst_s_get_key_struct(const char *name, const int alg,
				     const int flags, const int protocol,
				     const int bits);

/*%
 *  dst_init
 *	This function initializes the Digital Signature Toolkit.
 *	Right now, it just checks the DSTKEYPATH environment variable.
 *  Parameters
 *	none
 *  Returns
 *	none
 */
void
dst_init(void)
{
	char *s;
	size_t len;

	if (done_init != 0)
		return;
	done_init = 1;

	s = getenv("DSTKEYPATH");
	len = 0;
	if (s) {
		struct stat statbuf;

		len = strlen(s);
		if (len > PATH_MAX) {
			EREPORT(("%s: %s is longer than %d characters,"
			    " ignoring\n", __func__, s, PATH_MAX));
		} else if (stat(s, &statbuf) != 0 ||
		    !S_ISDIR(statbuf.st_mode)) {
			EREPORT(("%s: %s is not a valid directory\n",
			    __func__, s));
		} else {
			char *tmp;
			tmp = (char *) malloc(len + 2);
			memcpy(tmp, s, len + 1);
			if (tmp[strlen(tmp) - 1] != '/') {
				tmp[strlen(tmp) + 1] = 0;
				tmp[strlen(tmp)] = '/';
			}
			dst_path = tmp;
		}
	}
	memset(dst_t_func, 0, sizeof(dst_t_func));
	/* first one is selected */
	dst_hmac_md5_init();
}

/*%
 *  dst_check_algorithm
 *	This function determines if the crypto system for the specified
 *	algorithm is present.
 *  Parameters
 *	alg     1       KEY_RSA
 *		3       KEY_DSA
 *	      157     KEY_HMAC_MD5
 *		      future algorithms TBD and registered with IANA.
 *  Returns
 *	1 - The algorithm is available.
 *	0 - The algorithm is not available.
 */
int
dst_check_algorithm(const int alg)
{
	return (dst_t_func[alg] != NULL);
}

/*%
 * dst_s_get_key_struct 
 *	This function allocates key structure and fills in some of the 
 *	fields of the structure. 
 * Parameters: 
 *	name:     the name of the key 
 *	alg:      the algorithm number 
 *	flags:    the dns flags of the key
 *	protocol: the dns protocol of the key
 *	bits:     the size of the key
 * Returns:
 *       NULL if error
 *       valid pointer otherwise
 */
static DST_KEY *
dst_s_get_key_struct(const char *name, const int alg, const int flags,
		     const int protocol, const int bits)
{
	DST_KEY *new_key = NULL; 

	if (dst_check_algorithm(alg)) /*%< make sure alg is available */
		new_key = (DST_KEY *) malloc(sizeof(*new_key));
	if (new_key == NULL)
		return (NULL);

	memset(new_key, 0, sizeof(*new_key));
	new_key->dk_key_name = strdup(name);
	if (new_key->dk_key_name == NULL) {
		free(new_key);
		return (NULL);
	}
	new_key->dk_alg = alg;
	new_key->dk_flags = flags;
	new_key->dk_proto = protocol;
	new_key->dk_KEY_struct = NULL;
	new_key->dk_key_size = bits;
	new_key->dk_func = dst_t_func[alg];
	return (new_key);
}

/*%
 *  dst_compare_keys
 *	Compares two keys for equality.
 *  Parameters
 *	key1, key2      Two keys to be compared.
 *  Returns
 *	0	       The keys are equal.
 *	non-zero	The keys are not equal.
 */

int
dst_compare_keys(const DST_KEY *key1, const DST_KEY *key2)
{
	if (key1 == key2)
		return (0);
	if (key1 == NULL || key2 == NULL)
		return (4);
	if (key1->dk_alg != key2->dk_alg)
		return (1);
	if (key1->dk_key_size != key2->dk_key_size)
		return (2);
	if (key1->dk_id != key2->dk_id)
		return (3);
	return (key1->dk_func->compare(key1, key2));
}

/*%
 * dst_sign_data
 *	An incremental signing function.  Data is signed in steps.
 *	First the context must be initialized (SIG_MODE_INIT).
 *	Then data is hashed (SIG_MODE_UPDATE).  Finally the signature
 *	itself is created (SIG_MODE_FINAL).  This function can be called
 *	once with INIT, UPDATE and FINAL modes all set, or it can be
 *	called separately with a different mode set for each step.  The
 *	UPDATE step can be repeated.
 * Parameters
 *	mode    A bit mask used to specify operation(s) to be performed.
 *		  SIG_MODE_INIT	   1   Initialize digest
 *		  SIG_MODE_UPDATE	 2   Add data to digest
 *		  SIG_MODE_FINAL	  4   Generate signature
 *					      from signature
 *		  SIG_MODE_ALL (SIG_MODE_INIT,SIG_MODE_UPDATE,SIG_MODE_FINAL
 *	data    Data to be signed.
 *	len     The length in bytes of data to be signed.
 *	in_key  Contains a private key to sign with.
 *		  KEY structures should be handled (created, converted,
 *		  compared, stored, freed) by the DST.
 *	signature
 *	      The location to which the signature will be written.
 *	sig_len Length of the signature field in bytes.
 * Return
 *	 0      Successfull INIT or Update operation
 *	&gt;0      success FINAL (sign) operation
 *	&lt;0      failure
 */

int
dst_sign_data(const int mode, DST_KEY *in_key, void **context, 
	      const u_char *data, const int len,
	      u_char *signature, const int sig_len)
{
	DUMP(data, mode, len, "dst_sign_data()");

	if (mode & SIG_MODE_FINAL &&
	    (in_key->dk_KEY_struct == NULL || signature == NULL))
		return (MISSING_KEY_OR_SIGNATURE);

	if (in_key->dk_func && in_key->dk_func->sign)
		return (in_key->dk_func->sign(mode, in_key, context, data, len,
					      signature, sig_len));
	return (UNKNOWN_KEYALG);
}

/*%
 *  dst_verify_data
 *	An incremental verify function.  Data is verified in steps.
 *	First the context must be initialized (SIG_MODE_INIT).
 *	Then data is hashed (SIG_MODE_UPDATE).  Finally the signature
 *	is verified (SIG_MODE_FINAL).  This function can be called
 *	once with INIT, UPDATE and FINAL modes all set, or it can be
 *	called separately with a different mode set for each step.  The
 *	UPDATE step can be repeated.
 *  Parameters
 *	mode	Operations to perform this time.
 *		      SIG_MODE_INIT       1   Initialize digest
 *		      SIG_MODE_UPDATE     2   add data to digest
 *		      SIG_MODE_FINAL      4   verify signature
 *		      SIG_MODE_ALL
 *			  (SIG_MODE_INIT,SIG_MODE_UPDATE,SIG_MODE_FINAL)
 *	data	Data to pass through the hash function.
 *	len	 Length of the data in bytes.
 *	in_key      Key for verification.
 *	signature   Location of signature.
 *	sig_len     Length of the signature in bytes.
 *  Returns
 *	0	   Verify success
 *	Non-Zero    Verify Failure
 */

int
dst_verify_data(const int mode, DST_KEY *in_key, void **context, 
		const u_char *data, const int len,
		const u_char *signature, const int sig_len)
{
	DUMP(data, mode, len, "dst_verify_data()");
	if (mode & SIG_MODE_FINAL &&
	    (in_key->dk_KEY_struct == NULL || signature == NULL))
		return (MISSING_KEY_OR_SIGNATURE);

	if (in_key->dk_func == NULL || in_key->dk_func->verify == NULL)
		return (UNSUPPORTED_KEYALG);
	return (in_key->dk_func->verify(mode, in_key, context, data, len,
					signature, sig_len));
}

/*%
 *  dst_read_private_key
 *	Access a private key.  First the list of private keys that have
 *	already been read in is searched, then the key accessed on disk.
 *	If the private key can be found, it is returned.  If the key cannot
 *	be found, a null pointer is returned.  The options specify required
 *	key characteristics.  If the private key requested does not have
 *	these characteristics, it will not be read.
 *  Parameters
 *	in_keyname  The private key name.
 *	in_id	    The id of the private key.
 *	options     DST_FORCE_READ  Read from disk - don't use a previously
 *				      read key.
 *		  DST_CAN_SIGN    The key must be useable for signing.
 *		  DST_NO_AUTHEN   The key must be useable for authentication.
 *		  DST_STANDARD    Return any key 
 *  Returns
 *	NULL	If there is no key found in the current directory or
 *		      this key has not been loaded before.
 *	!NULL       Success - KEY structure returned.
 */

DST_KEY *
dst_read_key(const char *in_keyname, const u_int16_t in_id, 
	     const int in_alg, const int type)
{
	char keyname[PATH_MAX];
	DST_KEY *dg_key = NULL, *pubkey = NULL;

	if (!dst_check_algorithm(in_alg)) { /*%< make sure alg is available */
		EREPORT(("%s: Algorithm %d not suppored\n", __func__, in_alg));
		return (NULL);
	}
	if ((type & (DST_PUBLIC | DST_PRIVATE)) == 0) 
		return (NULL);
	if (in_keyname == NULL) {
		EREPORT(("%s: Null key name passed in\n", __func__));
		return (NULL);
	} else if (strlen(in_keyname) >= sizeof(keyname)) {
		EREPORT(("%s: keyname too big\n", __func__));
		return (NULL);
	} else 
		strcpy(keyname, in_keyname);

	/* before I read in the public key, check if it is allowed to sign */
	if ((pubkey = dst_s_read_public_key(keyname, in_id, in_alg)) == NULL)
		return (NULL);

	if (type == DST_PUBLIC) 
		return pubkey; 

	if (!(dg_key = dst_s_get_key_struct(keyname, pubkey->dk_alg,
					    (int)pubkey->dk_flags,
					    pubkey->dk_proto, 0)))
		return (dg_key);
	/* Fill in private key and some fields in the general key structure */
	if (dst_s_read_private_key_file(keyname, dg_key, pubkey->dk_id,
					pubkey->dk_alg) == 0)
		dg_key = dst_free_key(dg_key);

	(void)dst_free_key(pubkey);
	return (dg_key);
}

int 
dst_write_key(const DST_KEY *key, const int type)
{
	int pub = 0, priv = 0;

	if (key == NULL) 
		return (0);
	if (!dst_check_algorithm(key->dk_alg)) { /*%< make sure alg is available */
		EREPORT(("%s: Algorithm %d not suppored\n", __func__,
		    key->dk_alg));
		return (UNSUPPORTED_KEYALG);
	}
	if ((type & (DST_PRIVATE|DST_PUBLIC)) == 0)
		return (0);

	if (type & DST_PUBLIC) 
		if ((pub = dst_s_write_public_key(key)) < 0)
			return (pub);
	if (type & DST_PRIVATE)
		if ((priv = dst_s_write_private_key(key)) < 0)
			return (priv);
	return (priv+pub);
}

/*%
 *  dst_write_private_key
 *	Write a private key to disk.  The filename will be of the form:
 *	K&lt;key-&gt;dk_name&gt;+&lt;key-&gt;dk_alg+&gt;&lt;key-d&gt;k_id.&gt;&lt;private key suffix&gt;.
 *	If there is already a file with this name, an error is returned.
 *
 *  Parameters
 *	key     A DST managed key structure that contains
 *	      all information needed about a key.
 *  Return
 *	&gt;= 0    Correct behavior.  Returns length of encoded key value
 *		  written to disk.
 *	&lt;  0    error.
 */

static int
dst_s_write_private_key(const DST_KEY *key)
{
	u_char encoded_block[RAW_KEY_SIZE];
	char file[PATH_MAX];
	int len;
	FILE *fp;

	/* First encode the key into the portable key format */
	if (key == NULL)
		return (-1);
	if (key->dk_KEY_struct == NULL)
		return (0);	/*%< null key has no private key */
	if (key->dk_func == NULL || key->dk_func->to_file_fmt == NULL) {
		EREPORT(("%s: Unsupported operation %d\n", __func__,
		    key->dk_alg));
		return (-5);
	} else if ((len = key->dk_func->to_file_fmt(key, (char *)encoded_block,
					 (int)sizeof(encoded_block))) <= 0) {
		EREPORT(("%s: Failed encoding private RSA bsafe key %d\n",
		    __func__, len));
		return (-8);
	}
	/* Now I can create the file I want to use */
	dst_s_build_filename(file, key->dk_key_name, key->dk_id, key->dk_alg,
			     PRIVATE_KEY, PATH_MAX);

	/* Do not overwrite an existing file */
	if ((fp = dst_s_fopen(file, "w", 0600)) != NULL) {
		ssize_t nn;
		nn = fwrite(encoded_block, 1, len, fp);
		if (nn != len) {
			EREPORT(("%s: Write failure on %s %d != %zd"
			    " errno=%d\n", __func__, file, len, nn, errno));

			fclose(fp);
			return (-5);
		}
		fclose(fp);
	} else {
		EREPORT(("%s: Can not create file %s\n", __func__,
		    file));
		return (-6);
	}
	memset(encoded_block, 0, len);
	return (len);
}

/*%
*
 *  dst_read_public_key
 *	Read a public key from disk and store in a DST key structure.
 *  Parameters
 *	in_name	 K&lt;in_name&gt;&lt;in_id&gt;.&lt;public key suffix&gt; is the
 *		      filename of the key file to be read.
 *  Returns
 *	NULL	    If the key does not exist or no name is supplied.
 *	NON-NULL	Initialized key structure if the key exists.
 */

static DST_KEY *
dst_s_read_public_key(const char *in_name, const u_int16_t in_id, int in_alg)
{
	int flags, proto, alg, dlen;
	size_t len;
	int c;
	char name[PATH_MAX], enckey[RAW_KEY_SIZE], *notspace;
	u_char deckey[RAW_KEY_SIZE];
	FILE *fp;

	if (in_name == NULL) {
		EREPORT(("%s: No key name given\n", __func__));
		return (NULL);
	}
	if (dst_s_build_filename(name, in_name, in_id, in_alg, PUBLIC_KEY,
				 PATH_MAX) == -1) {
		EREPORT(("%s: Cannot make filename from %s, %d, and %s\n",
		    __func__, in_name, in_id, PUBLIC_KEY));
		return (NULL);
	}
	/*
	 * Open the file and read it's formatted contents up to key
	 * File format:
	 *    domain.name [ttl] [IN] KEY  &lt;flags&gt; &lt;protocol&gt; &lt;algorithm&gt; &lt;key&gt;
	 * flags, proto, alg stored as decimal (or hex numbers FIXME).
	 * (FIXME: handle parentheses for line continuation.)
	 */
	if ((fp = dst_s_fopen(name, "r", 0)) == NULL) {
		EREPORT(("%s: Public Key not found %s\n", __func__, name));
		return (NULL);
	}
	/* Skip domain name, which ends at first blank */
	while ((c = getc(fp)) != EOF)
		if (isspace(c))
			break;
	/* Skip blank to get to next field */
	while ((c = getc(fp)) != EOF)
		if (!isspace(c))
			break;

	/* Skip optional TTL -- if initial digit, skip whole word. */
	if (isdigit(c)) {
		while ((c = getc(fp)) != EOF)
			if (isspace(c))
				break;
		while ((c = getc(fp)) != EOF)
			if (!isspace(c))
				break;
	}
	/* Skip optional "IN" */
	if (c == 'I' || c == 'i') {
		while ((c = getc(fp)) != EOF)
			if (isspace(c))
				break;
		while ((c = getc(fp)) != EOF)
			if (!isspace(c))
				break;
	}
	/* Locate and skip "KEY" */
	if (c != 'K' && c != 'k') {
		EREPORT(("%s: \"KEY\" doesn't appear in file: %s", __func__,
		    name));
		return NULL;
	}
	while ((c = getc(fp)) != EOF)
		if (isspace(c))
			break;
	while ((c = getc(fp)) != EOF)
		if (!isspace(c))
			break;
	ungetc(c, fp);		/*%< return the charcter to the input field */
	/* Handle hex!! FIXME.  */

	if (fscanf(fp, "%d %d %d", &flags, &proto, &alg) != 3) {
		EREPORT(("%s: Can not read flag/proto/alg field from %s\n",
		    __func__, name));
		return (NULL);
	}
	/* read in the key string */
	fgets(enckey, (int)sizeof(enckey), fp);

	/* If we aren't at end-of-file, something is wrong.  */
	while ((c = getc(fp)) != EOF)
		if (!isspace(c))
			break;
	if (!feof(fp)) {
		EREPORT(("%s: Key too long in file: %s", __func__, name));
		return NULL;
	}
	fclose(fp);

	if ((len = strlen(enckey)) == 0)
		return (NULL);

	/* discard \n */
	enckey[--len] = '\0';

	/* remove leading spaces */
	for (notspace = (char *) enckey; isspace((*notspace)&0xff); len--)
		notspace++;

	dlen = b64_pton(notspace, deckey, sizeof(deckey));
	if (dlen < 0) {
		EREPORT(("%s: bad return from b64_pton = %d", __func__, dlen));
		return (NULL);
	}
	/* store key and info in a key structure that is returned */
/*	return dst_store_public_key(in_name, alg, proto, 666, flags, deckey,
				    dlen);*/
	return dst_buffer_to_key(in_name, alg, flags, proto, deckey, dlen);
}

/*%
 *  dst_write_public_key
 *	Write a key to disk in DNS format.
 *  Parameters
 *	key     Pointer to a DST key structure.
 *  Returns
 *	0       Failure
 *	1       Success
 */

static int
dst_s_write_public_key(const DST_KEY *key)
{
	FILE *fp;
	char filename[PATH_MAX];
	u_char out_key[RAW_KEY_SIZE];
	char enc_key[RAW_KEY_SIZE];
	int len = 0;
	int mode;

	memset(out_key, 0, sizeof(out_key));
	if (key == NULL) {
		EREPORT(("%s: No key specified \n", __func__));
		return (0);
	} else if ((len = dst_key_to_dnskey(key, out_key,
	    (int)sizeof(out_key)))< 0)
		return (0);

	/* Make the filename */
	if (dst_s_build_filename(filename, key->dk_key_name, key->dk_id,
				 key->dk_alg, PUBLIC_KEY, PATH_MAX) == -1) {
		EREPORT(("%s: Cannot make filename from %s, %d, and %s\n",
		    __func__, key->dk_key_name, key->dk_id, PUBLIC_KEY));
		return (0);
	}
	/* XXX in general this should be a check for symmetric keys */
	mode = (key->dk_alg == KEY_HMAC_MD5) ? 0600 : 0644;
	/* create public key file */
	if ((fp = dst_s_fopen(filename, "w+", mode)) == NULL) {
		EREPORT(("%s: open of file:%s failed (errno=%d)\n",
		    __func__, filename, errno));
		return (0);
	}
	/*write out key first base64 the key data */
	if (key->dk_flags & DST_EXTEND_FLAG)
		b64_ntop(&out_key[6], len - 6, enc_key, sizeof(enc_key));
	else
		b64_ntop(&out_key[4], len - 4, enc_key, sizeof(enc_key));
	fprintf(fp, "%s IN KEY %d %d %d %s\n",
		key->dk_key_name,
		key->dk_flags, key->dk_proto, key->dk_alg, enc_key);
	fclose(fp);
	return (1);
}

/*%
 *  dst_dnskey_to_public_key
 *	This function converts the contents of a DNS KEY RR into a DST
 *	key structure.
 *  Paramters
 *	len	 Length of the RDATA of the KEY RR RDATA
 *	rdata	 A pointer to the the KEY RR RDATA.
 *	in_name     Key name to be stored in key structure.
 *  Returns
 *	NULL	    Failure
 *	NON-NULL	Success.  Pointer to key structure.
 *			Caller's responsibility to free() it.
 */

DST_KEY *
dst_dnskey_to_key(const char *in_name, const u_char *rdata, const int len)
{
	DST_KEY *key_st;
	int alg ;
	int start = DST_KEY_START;

	if (rdata == NULL || len <= DST_KEY_ALG) /*%< no data */
		return (NULL);
	alg = (u_int8_t) rdata[DST_KEY_ALG];
	if (!dst_check_algorithm(alg)) { /*%< make sure alg is available */
		EREPORT(("%s: Algorithm %d not suppored\n", __func__,
		    alg));
		return (NULL);
	}

	if (in_name == NULL)
		return (NULL);

	if ((key_st = dst_s_get_key_struct(in_name, alg, 0, 0, 0)) == NULL)
		return (NULL);

	key_st->dk_id = dst_s_dns_key_id(rdata, len);
	key_st->dk_flags = dst_s_get_int16(rdata);
	key_st->dk_proto = (u_int16_t) rdata[DST_KEY_PROT];
	if (key_st->dk_flags & DST_EXTEND_FLAG) {
		u_int32_t ext_flags;
		ext_flags = (u_int32_t) dst_s_get_int16(&rdata[DST_EXT_FLAG]);
		key_st->dk_flags = key_st->dk_flags | (ext_flags << 16);
		start += 2;
	}
	/*
	 * now point to the begining of the data representing the encoding
	 * of the key
	 */
	if (key_st->dk_func && key_st->dk_func->from_dns_key) {
		if (key_st->dk_func->from_dns_key(key_st, &rdata[start],
						  len - start) > 0)
			return (key_st);
	} else
		EREPORT(("%s: unsuppored alg %d\n", __func__,
			 alg));

	SAFE_FREE(key_st);
	return (NULL);
}

/*%
 *  dst_public_key_to_dnskey
 *	Function to encode a public key into DNS KEY wire format 
 *  Parameters
 *	key	     Key structure to encode.
 *	out_storage     Location to write the encoded key to.
 *	out_len	 Size of the output array.
 *  Returns
 *	<0      Failure
 *	>=0     Number of bytes written to out_storage
 */

int
dst_key_to_dnskey(const DST_KEY *key, u_char *out_storage,
			 const int out_len)
{
	u_int16_t val;
	int loc = 0;
	int enc_len = 0;
	if (key == NULL)
		return (-1);

	if (!dst_check_algorithm(key->dk_alg)) { /*%< make sure alg is available */
		EREPORT(("%s: Algorithm %d not suppored\n", __func__,
		    key->dk_alg));
		return (UNSUPPORTED_KEYALG);
	}
	memset(out_storage, 0, out_len);
	val = (u_int16_t)(key->dk_flags & 0xffff);
	dst_s_put_int16(out_storage, val);
	loc += 2;

	out_storage[loc++] = (u_char) key->dk_proto;
	out_storage[loc++] = (u_char) key->dk_alg;

	if (key->dk_flags > 0xffff) {	/*%< Extended flags */
		val = (u_int16_t)((key->dk_flags >> 16) & 0xffff);
		dst_s_put_int16(&out_storage[loc], val);
		loc += 2;
	}
	if (key->dk_KEY_struct == NULL)
		return (loc);
	if (key->dk_func && key->dk_func->to_dns_key) {
		enc_len = key->dk_func->to_dns_key(key,
						 (u_char *) &out_storage[loc],
						   out_len - loc);
		if (enc_len > 0)
			return (enc_len + loc);
		else
			return (-1);
	} else
		EREPORT(("%s: Unsupported ALG %d\n", __func__, key->dk_alg));
	return (-1);
}

/*%
 *  dst_buffer_to_key
 *	Function to encode a string of raw data into a DST key
 *  Parameters
 *	alg		The algorithm (HMAC only)
 *	key		A pointer to the data
 *	keylen		The length of the data
 *  Returns
 *	NULL	    an error occurred
 *	NON-NULL	the DST key
 */
DST_KEY *
dst_buffer_to_key(const char *key_name,		/*!< name of the key  */
		  const int alg,		/*!< algorithm  */
		  const int flags,		/*!< dns flags  */
		  const int protocol,		/*!< dns protocol  */
		  const u_char *key_buf,	/*!< key in dns wire fmt  */
		  const int key_len)		/*!< size of key  */
{
	
	DST_KEY *dkey = NULL; 
	int dnslen;
	u_char dns[2048];

	if (!dst_check_algorithm(alg)) { /*%< make sure alg is available */
		EREPORT(("%s: Algorithm %d not suppored\n", __func__, alg));
		return (NULL);
	}

	dkey = dst_s_get_key_struct(key_name, alg, flags, protocol, -1);

	if (dkey == NULL || dkey->dk_func == NULL ||
	    dkey->dk_func->from_dns_key == NULL) 
		return (dst_free_key(dkey));

	if (dkey->dk_func->from_dns_key(dkey, key_buf, key_len) < 0) {
		EREPORT(("%s: dst_buffer_to_hmac failed\n", __func__));
		return (dst_free_key(dkey));
	}

	dnslen = dst_key_to_dnskey(dkey, dns, (int)sizeof(dns));
	dkey->dk_id = dst_s_dns_key_id(dns, dnslen);
	return (dkey);
}

int 
dst_key_to_buffer(DST_KEY *key, u_char *out_buff, int buf_len)
{
	int len;
  /* this function will extrac the secret of HMAC into a buffer */
	if (key == NULL) 
		return (0);
	if (key->dk_func != NULL && key->dk_func->to_dns_key != NULL) {
		len = key->dk_func->to_dns_key(key, out_buff, buf_len);
		if (len < 0)
			return (0);
		return (len);
	}
	return (0);
}

/*%
 * dst_s_read_private_key_file
 *     Function reads in private key from a file.
 *     Fills out the KEY structure.
 * Parameters
 *     name    Name of the key to be read.
 *     pk_key  Structure that the key is returned in.
 *     in_id   Key identifier (tag)
 * Return
 *     1 if everthing works
 *     0 if there is any problem
 */

static int
dst_s_read_private_key_file(char *name, DST_KEY *pk_key, u_int16_t in_id,
			    int in_alg)
{
	int alg, major, minor, file_major, file_minor;
	ssize_t cnt;
	size_t len;
	int ret, id;
	char filename[PATH_MAX];
	u_char in_buff[RAW_KEY_SIZE], *p;
	FILE *fp;
	int dnslen;
	u_char dns[2048];

	if (name == NULL || pk_key == NULL) {
		EREPORT(("%s: No key name given\n", __func__));
		return (0);
	}
	/* Make the filename */
	if (dst_s_build_filename(filename, name, in_id, in_alg, PRIVATE_KEY,
				 PATH_MAX) == -1) {
		EREPORT(("%s: Cannot make filename from %s, %d, and %s\n",
		    __func__, name, in_id, PRIVATE_KEY));
		return (0);
	}
	/* first check if we can find the key file */
	if ((fp = dst_s_fopen(filename, "r", 0)) == NULL) {
		EREPORT(("%s: Could not open file %s in directory %s\n",
		    __func__, filename, dst_path[0] ? dst_path :
		    getcwd(NULL, PATH_MAX - 1)));
		return (0);
	}
	/* now read the header info from the file */
	if ((cnt = fread(in_buff, 1, sizeof(in_buff), fp)) < 5) {
		fclose(fp);
		EREPORT(("%s: error reading file %s (empty file)\n",
		    __func__, filename));
		return (0);
	}
	len = cnt;
	/* decrypt key */
	fclose(fp);
	if (memcmp(in_buff, "Private-key-format: v", 20) != 0)
		goto fail;
	p = in_buff;

	if (!dst_s_verify_str((const char **) (void *)&p,
			       "Private-key-format: v")) {
		EREPORT(("%s: Not a Key file/Decrypt failed %s\n", __func__,
		    name));
		goto fail;
	}
	/* read in file format */
	sscanf((char *)p, "%d.%d", &file_major, &file_minor);
	sscanf(KEY_FILE_FORMAT, "%d.%d", &major, &minor);
	if (file_major < 1) {
		EREPORT(("%s: Unknown keyfile %d.%d version for %s\n",
		    __func__, file_major, file_minor, name));
		goto fail;
	} else if (file_major > major || file_minor > minor)
		EREPORT(("%s: Keyfile %s version higher than mine %d.%d MAY"
		    " FAIL\n", __func__, name, file_major, file_minor));

	while (*p++ != '\n') ;	/*%< skip to end of line */

	if (!dst_s_verify_str((const char **) (void *)&p, "Algorithm: "))
		goto fail;

	if (sscanf((char *)p, "%d", &alg) != 1)
		goto fail;
	while (*p++ != '\n') ;	/*%< skip to end of line */

	if (pk_key->dk_key_name && !strcmp(pk_key->dk_key_name, name))
		SAFE_FREE2(pk_key->dk_key_name, strlen(pk_key->dk_key_name));
	pk_key->dk_key_name = strdup(name);

	/* allocate and fill in key structure */
	if (pk_key->dk_func == NULL || pk_key->dk_func->from_file_fmt == NULL)
		goto fail;

	ret = pk_key->dk_func->from_file_fmt(pk_key, (char *)p,
	    (int)(&in_buff[len] - p));
	if (ret < 0)
		goto fail;

	dnslen = dst_key_to_dnskey(pk_key, dns, (int)sizeof(dns));
	id = dst_s_dns_key_id(dns, dnslen);

	/* Make sure the actual key tag matches the input tag used in the
	 * filename */
	if (id != in_id) {
		EREPORT(("%s: actual tag of key read %d != input tag used to"
		    "build filename %d.\n", __func__, id, in_id));
		goto fail;
	}
	pk_key->dk_id = (u_int16_t) id;
	pk_key->dk_alg = alg;
	memset(in_buff, 0, len);
	return (1);

 fail:
	memset(in_buff, 0, len);
	return (0);
}

/*%
 *	Generate and store a public/private keypair.
 *	Keys will be stored in formatted files.
 *
 *  Parameters
 &
 *\par	name    Name of the new key.  Used to create key files
 *\li		  K&lt;name&gt;+&lt;alg&gt;+&lt;id&gt;.public and K&lt;name&gt;+&lt;alg&gt;+&lt;id&gt;.private.
 *\par	bits    Size of the new key in bits.
 *\par	exp     What exponent to use:
 *\li		  0	   use exponent 3
 *\li		  non-zero    use Fermant4
 *\par	flags   The default value of the DNS Key flags.
 *\li		  The DNS Key RR Flag field is defined in RFC2065,
 *		  section 3.3.  The field has 16 bits.
 *\par	protocol
 *\li	      Default value of the DNS Key protocol field.
 *\li		  The DNS Key protocol field is defined in RFC2065,
 *		  section 3.4.  The field has 8 bits.
 *\par	alg     What algorithm to use.  Currently defined:
 *\li		  KEY_RSA       1
 *\li		  KEY_DSA       3
 *\li		  KEY_HMAC    157
 *\par	out_id The key tag is returned.
 *
 *  Return
 *\li	NULL		Failure
 *\li	non-NULL 	the generated key pair
 *			Caller frees the result, and its dk_name pointer.
 */
DST_KEY *
dst_generate_key(const char *name, const int bits, const int exp,
		 const int flags, const int protocol, const int alg)
{
	DST_KEY *new_key = NULL;
	int dnslen;
	u_char dns[2048];

	if (name == NULL)
		return (NULL);

	if (!dst_check_algorithm(alg)) { /*%< make sure alg is available */
		EREPORT(("%s: Algorithm %d not suppored\n", __func__, alg));
		return (NULL);
	}

	new_key = dst_s_get_key_struct(name, alg, flags, protocol, bits);
	if (new_key == NULL)
		return (NULL);
	if (bits == 0) /*%< null key we are done */
		return (new_key);
	if (new_key->dk_func == NULL || new_key->dk_func->generate == NULL) {
		EREPORT(("%s: Unsupported algorithm %d\n", __func__, alg));
		return (dst_free_key(new_key));
	}
	if (new_key->dk_func->generate(new_key, exp) <= 0) {
		EREPORT(("%s: Key generation failure %s %d %d %d\n", __func__,
		    new_key->dk_key_name, new_key->dk_alg,
		    new_key->dk_key_size, exp));
		return (dst_free_key(new_key));
	}

	dnslen = dst_key_to_dnskey(new_key, dns, (int)sizeof(dns));
	if (dnslen != UNSUPPORTED_KEYALG)
		new_key->dk_id = dst_s_dns_key_id(dns, dnslen);
	else
		new_key->dk_id = 0;

	return (new_key);
}

/*%
 *	Release all data structures pointed to by a key structure.
 *
 *  Parameters
 *\li	f_key   Key structure to be freed.
 */

DST_KEY *
dst_free_key(DST_KEY *f_key)
{

	if (f_key == NULL)
		return (f_key);
	if (f_key->dk_func && f_key->dk_func->destroy)
		f_key->dk_KEY_struct =
			f_key->dk_func->destroy(f_key->dk_KEY_struct);
	else {
		EREPORT(("%s: Unknown key alg %d\n", __func__, f_key->dk_alg));
	}
	if (f_key->dk_KEY_struct) {
		free(f_key->dk_KEY_struct);
		f_key->dk_KEY_struct = NULL;
	}
	if (f_key->dk_key_name)
		SAFE_FREE(f_key->dk_key_name);
	SAFE_FREE(f_key);
	return (NULL);
}

/*%
 *	Return the maximim size of signature from the key specified in bytes
 *
 * Parameters
 *\li      key 
 *
 * Returns
 *  \li   bytes
 */
int
dst_sig_size(DST_KEY *key) {
	switch (key->dk_alg) {
	    case KEY_HMAC_MD5:
		return (16);
	    case KEY_HMAC_SHA1:
		return (20);
	    case KEY_RSA:
		return (key->dk_key_size + 7) / 8;
	    case KEY_DSA:
		return (40);
	    default:
		EREPORT(("%s: Unknown key alg %d\n", __func__, key->dk_alg));
		return -1;
	}
}

/*! \file */

/*	$NetBSD: dst_internal.h,v 1.2.10.2 2013/06/13 04:20:30 msaitoh Exp $	*/

#ifndef DST_INTERNAL_H
#define DST_INTERNAL_H

/*
 * Portions Copyright (c) 1995-1998 by Trusted Information Systems, Inc.
 *
 * Permission to use, copy modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND TRUSTED INFORMATION SYSTEMS
 * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL
 * TRUSTED INFORMATION SYSTEMS BE LIABLE FOR ANY SPECIAL, DIRECT,
 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
 * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
 * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 * WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
 */
#include <limits.h>
#include <sys/param.h>
#if (!defined(BSD)) || (BSD < 199306)
# include <sys/bitypes.h>
#else
# include <sys/types.h>
#endif

#ifndef PATH_MAX
# ifdef POSIX_PATH_MAX
#  define PATH_MAX POSIX_PATH_MAX
# else
#  define PATH_MAX 255 /*%< this is the value of POSIX_PATH_MAX */
# endif
#endif 

typedef struct dst_key {
	char	*dk_key_name;   /*%< name of the key */
	int	dk_key_size;    /*%< this is the size of the key in bits */
	int	dk_proto;       /*%< what protocols this key can be used for */
	int	dk_alg;         /*%< algorithm number from key record */
	u_int32_t dk_flags;     /*%< and the flags of the public key */
	u_int16_t dk_id;        /*%< identifier of the key */
	void	*dk_KEY_struct; /*%< pointer to key in crypto pkg fmt */
	struct dst_func *dk_func; /*%< point to cryptto pgk specific function table */
} DST_KEY;
#define HAS_DST_KEY 

#include <isc/dst.h>
/* 
 * define what crypto systems are supported for RSA, 
 * BSAFE is prefered over RSAREF; only one can be set at any time
 */
#if defined(BSAFE) && defined(RSAREF)
# error "Cannot have both BSAFE and RSAREF defined"
#endif

/* Declare dst_lib specific constants */
#define KEY_FILE_FORMAT "1.2"

/* suffixes for key file names */
#define PRIVATE_KEY		"private"
#define PUBLIC_KEY		"key"

/* error handling */
#ifdef DEBUG
#define EREPORT(str)		printf str
#else
#define EREPORT(str)		do {} while (/*CONSTCOND*/0)
#endif

/* use our own special macro to FRRE memory */

#ifndef SAFE_FREE2
#define SAFE_FREE2(a, s) do { \
	if ((a) != NULL) { \
		memset((a), 0, (s)); \
		free((a)); \
		(a) = NULL; \
	} \
} while (/*CONSTCOND*/0)
#endif

#ifndef SAFE_FREE
#define SAFE_FREE(a) SAFE_FREE2((a), sizeof(*(a)))
#endif

typedef struct dst_func {
	int (*sign)(const int mode, DST_KEY *key, void **context,
		     const u_int8_t *data, const int len,
		     u_int8_t *signature, const int sig_len);
	int (*verify)(const int mode, DST_KEY *key, void **context,
		       const u_int8_t *data, const int len,
		       const u_int8_t *signature, const int sig_len);
	int (*compare)(const DST_KEY *key1, const DST_KEY *key2);
	int (*generate)(DST_KEY *key, int parms);
	void *(*destroy)(void *key);
	/* conversion functions */
	int (*to_dns_key)(const DST_KEY *key, u_int8_t *out,
			   const int out_len);
	int (*from_dns_key)(DST_KEY *key, const u_int8_t *str,
			     const int str_len);
	int (*to_file_fmt)(const DST_KEY *key, char *out,
			    const int out_len);
	int (*from_file_fmt)(DST_KEY *key, const char *out,
			      const int out_len);

} dst_func;

extern dst_func *dst_t_func[DST_MAX_ALGS];
extern const char *key_file_fmt_str;
extern const char *dst_path;

#ifndef DST_HASH_SIZE
#define DST_HASH_SIZE 20	/*%< RIPEMD160 and SHA-1 are 20 bytes MD5 is 16 */
#endif

int dst_bsafe_init(void);

int dst_rsaref_init(void);

int dst_hmac_md5_init(void);

int dst_cylink_init(void);

int dst_eay_dss_init(void);

/* from higher level support routines */
int       dst_s_calculate_bits( const u_int8_t *str, const int max_bits); 
int       dst_s_verify_str( const char **buf, const char *str);


/* conversion between dns names and key file names */
size_t    dst_s_filename_length( const char *name, const char *suffix); 
int       dst_s_build_filename(  char *filename, const char *name, 
			         u_int16_t id, int alg, const char *suffix, 
			         size_t filename_length);

FILE      *dst_s_fopen (const char *filename, const char *mode, int perm);

/*%
 * read and write network byte order into u_int?_t  
 *  all of these should be retired
 */
u_int16_t dst_s_get_int16( const u_int8_t *buf);
void      dst_s_put_int16( u_int8_t *buf, const u_int16_t val);

u_int32_t dst_s_get_int32( const u_int8_t *buf);
void      dst_s_put_int32( u_int8_t *buf, const u_int32_t val);

#ifdef DUMP
# undef DUMP
# define DUMP(a,b,c,d) dst_s_dump(a,b,c,d)
#else
# define DUMP(a,b,c,d)
#endif
void
dst_s_dump(const int mode, const u_char *data, const int size,
            const char *msg);

#define  KEY_FILE_FMT_STR "Private-key-format: v%s\nAlgorithm: %d (%s)\n"


#endif /* DST_INTERNAL_H */
/*! \file */

/*	$NetBSD: hmac_link.c,v 1.2.10.2 2013/06/13 04:20:30 msaitoh Exp $	*/

/*
 * Portions Copyright (c) 1995-1998 by Trusted Information Systems, Inc.
 *
 * Permission to use, copy modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND TRUSTED INFORMATION SYSTEMS
 * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL
 * TRUSTED INFORMATION SYSTEMS BE LIABLE FOR ANY SPECIAL, DIRECT,
 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
 * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
 * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 * WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
 */
#include <sys/cdefs.h>
#if 0
static const char rcsid[] = "Header: /proj/cvs/prod/libbind/dst/hmac_link.c,v 1.8 2007/09/24 17:18:25 each Exp ";
#else
__RCSID("$NetBSD: hmac_link.c,v 1.2.10.2 2013/06/13 04:20:30 msaitoh Exp $");
#endif

/*%
 * This file contains an implementation of the HMAC-MD5 algorithm.
 */
#include "port_before.h"

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <memory.h>
#include <sys/param.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>

#include "dst_internal.h"

#include <md5.h>
#include "port_after.h"


#define HMAC_LEN	64
#define HMAC_IPAD	0x36
#define HMAC_OPAD	0x5c
#define MD5_LEN		16


typedef struct hmackey {
	u_char hk_ipad[64], hk_opad[64];
} HMAC_Key;


/************************************************************************** 
 * dst_hmac_md5_sign
 *     Call HMAC signing functions to sign a block of data.
 *     There are three steps to signing, INIT (initialize structures), 
 *     UPDATE (hash (more) data), FINAL (generate a signature).  This
 *     routine performs one or more of these steps.
 * Parameters
 *     mode	SIG_MODE_INIT, SIG_MODE_UPDATE and/or SIG_MODE_FINAL.
 *     priv_key    key to use for signing.
 *     context   the context to be used in this digest
 *     data	data to be signed.
 *     len	 length in bytes of data.
 *     signature   location to store signature.
 *     sig_len     size of the signature location
 * returns 
 *	N  Success on SIG_MODE_FINAL = returns signature length in bytes
 *	0  Success on SIG_MODE_INIT  and UPDATE
 *	 <0  Failure
 */

static int
dst_hmac_md5_sign(const int mode, DST_KEY *d_key, void **context, 
		  const u_char *data, const int len, 
		  u_char *signature, const int sig_len)
{
	HMAC_Key *key;
	int sign_len = 0;
	MD5_CTX *ctx = NULL;

	if (d_key == NULL || d_key->dk_KEY_struct == NULL)
		return (-1);

	if (mode & SIG_MODE_INIT) 
		ctx = (MD5_CTX *) malloc(sizeof(*ctx));
	else if (context)
		ctx = (MD5_CTX *) *context;
	if (ctx == NULL) 
		return (-1);

	key = (HMAC_Key *) d_key->dk_KEY_struct;

	if (mode & SIG_MODE_INIT) {
		MD5Init(ctx);
		MD5Update(ctx, key->hk_ipad, HMAC_LEN);
	}

	if ((mode & SIG_MODE_UPDATE) && (data && len > 0))
		MD5Update(ctx, data, (unsigned int)len);

	if (mode & SIG_MODE_FINAL) {
		if (signature == NULL || sig_len < MD5_LEN)
			return (SIGN_FINAL_FAILURE);
		MD5Final(signature, ctx);

		/* perform outer MD5 */
		MD5Init(ctx);
		MD5Update(ctx, key->hk_opad, HMAC_LEN);
		MD5Update(ctx, signature, MD5_LEN);
		MD5Final(signature, ctx);
		sign_len = MD5_LEN;
		SAFE_FREE(ctx);
	}
	else { 
		if (context == NULL) 
			return (-1);
		*context = (void *) ctx;
	}		
	return (sign_len);
}


/************************************************************************** 
 * dst_hmac_md5_verify() 
 *     Calls HMAC verification routines.  There are three steps to 
 *     verification, INIT (initialize structures), UPDATE (hash (more) data), 
 *     FINAL (generate a signature).  This routine performs one or more of 
 *     these steps.
 * Parameters
 *     mode	SIG_MODE_INIT, SIG_MODE_UPDATE and/or SIG_MODE_FINAL.
 *     dkey	key to use for verify.
 *     data	data signed.
 *     len	 length in bytes of data.
 *     signature   signature.
 *     sig_len     length in bytes of signature.
 * returns 
 *     0  Success 
 *    <0  Failure
 */

static int
dst_hmac_md5_verify(const int mode, DST_KEY *d_key, void **context,
		const u_char *data, const int len,
		const u_char *signature, const int sig_len)
{
	HMAC_Key *key;
	MD5_CTX *ctx = NULL;

	if (d_key == NULL || d_key->dk_KEY_struct == NULL)
		return (-1);

	if (mode & SIG_MODE_INIT) 
		ctx = (MD5_CTX *) malloc(sizeof(*ctx));
	else if (context)
		ctx = (MD5_CTX *) *context;
	if (ctx == NULL) 
		return (-1);

	key = (HMAC_Key *) d_key->dk_KEY_struct;
	if (mode & SIG_MODE_INIT) {
		MD5Init(ctx);
		MD5Update(ctx, key->hk_ipad, HMAC_LEN);
	}
	if ((mode & SIG_MODE_UPDATE) && (data && len > 0))
		MD5Update(ctx, data, (unsigned int)len);

	if (mode & SIG_MODE_FINAL) {
		u_char digest[MD5_LEN];
		if (signature == NULL || key == NULL || sig_len != MD5_LEN)
			return (VERIFY_FINAL_FAILURE);
		MD5Final(digest, ctx);

		/* perform outer MD5 */
		MD5Init(ctx);
		MD5Update(ctx, key->hk_opad, HMAC_LEN);
		MD5Update(ctx, digest, MD5_LEN);
		MD5Final(digest, ctx);

		SAFE_FREE(ctx);
		if (memcmp(digest, signature, MD5_LEN) != 0)
			return (VERIFY_FINAL_FAILURE);
	}
	else { 
		if (context == NULL) 
			return (-1);
		*context = (void *) ctx;
	}		
	return (0);
}


/************************************************************************** 
 * dst_buffer_to_hmac_md5
 *     Converts key from raw data to an HMAC Key
 *     This function gets in a pointer to the data
 * Parameters
 *     hkey	the HMAC key to be filled in
 *     key	the key in raw format
 *     keylen	the length of the key
 * Return
 *	0	Success
 *	<0	Failure
 */
static int
dst_buffer_to_hmac_md5(DST_KEY *dkey, const u_char *key, const int keylen)
{
	int i;
	HMAC_Key *hkey = NULL;
	MD5_CTX ctx;
	int local_keylen = keylen;
	u_char tk[MD5_LEN];

	if (dkey == NULL || key == NULL || keylen < 0)
		return (-1);

	if ((hkey = (HMAC_Key *) malloc(sizeof(HMAC_Key))) == NULL)
		  return (-2);

	memset(hkey->hk_ipad, 0, sizeof(hkey->hk_ipad));
	memset(hkey->hk_opad, 0, sizeof(hkey->hk_opad));

	/* if key is longer than HMAC_LEN bytes reset it to key=MD5(key) */
	if (keylen > HMAC_LEN) {
		MD5Init(&ctx);
		MD5Update(&ctx, key, (unsigned int)keylen);
		MD5Final(tk, &ctx);
		memset((void *) &ctx, 0, sizeof(ctx));
		key = tk;
		local_keylen = MD5_LEN;
	}
	/* start out by storing key in pads */
	memcpy(hkey->hk_ipad, key, local_keylen);
	memcpy(hkey->hk_opad, key, local_keylen);

	/* XOR key with hk_ipad and opad values */
	for (i = 0; i < HMAC_LEN; i++) {
		hkey->hk_ipad[i] ^= HMAC_IPAD;
		hkey->hk_opad[i] ^= HMAC_OPAD;
	}
	dkey->dk_key_size = local_keylen;
	dkey->dk_KEY_struct = (void *) hkey;
	return (1);
}


/************************************************************************** 
 *  dst_hmac_md5_key_to_file_format
 *	Encodes an HMAC Key into the portable file format.
 *  Parameters 
 *	hkey      HMAC KEY structure 
 *	buff      output buffer
 *	buff_len  size of output buffer 
 *  Return
 *	0  Failure - null input hkey
 *     -1  Failure - not enough space in output area
 *	N  Success - Length of data returned in buff
 */

static int
dst_hmac_md5_key_to_file_format(const DST_KEY *dkey, char *buff,
			        const int buff_len)
{
	char *bp;
	int len, i, key_len;
	u_char key[HMAC_LEN];
	HMAC_Key *hkey;

	if (dkey == NULL || dkey->dk_KEY_struct == NULL) 
		return (0);
	/*
	 * Using snprintf() would be so much simpler here.
	 */
	if (buff == NULL ||
	    buff_len <= (int)(strlen(KEY_FILE_FMT_STR) +
			      strlen(KEY_FILE_FORMAT) + 4))
		return (-1);	/*%< no OR not enough space in output area */
	hkey = (HMAC_Key *) dkey->dk_KEY_struct;
	memset(buff, 0, buff_len);	/*%< just in case */
	/* write file header */
	snprintf(buff, buff_len, KEY_FILE_FMT_STR, KEY_FILE_FORMAT,
	    KEY_HMAC_MD5, "HMAC");

	bp = buff + strlen(buff);

	memset(key, 0, HMAC_LEN);
	for (i = 0; i < HMAC_LEN; i++)
		key[i] = hkey->hk_ipad[i] ^ HMAC_IPAD;
	for (i = HMAC_LEN - 1; i >= 0; i--)
		if (key[i] != 0)
			break;
	key_len = i + 1;

	if (buff_len - (bp - buff) < 6)
		return (-1);
	strcat(bp, "Key: ");
	bp += strlen("Key: ");

	len = b64_ntop(key, key_len, bp, (size_t)(buff_len - (bp - buff)));
	if (len < 0) 
		return (-1);
	bp += len;
	if (buff_len - (bp - buff) < 2)
		return (-1);
	*(bp++) = '\n';
	*bp = '\0';

	return (int)(bp - buff);
}


/************************************************************************** 
 * dst_hmac_md5_key_from_file_format
 *     Converts contents of a key file into an HMAC key. 
 * Parameters 
 *     hkey    structure to put key into 
 *     buff       buffer containing the encoded key 
 *     buff_len   the length of the buffer
 * Return
 *     n >= 0 Foot print of the key converted 
 *     n <  0 Error in conversion 
 */

static int
dst_hmac_md5_key_from_file_format(DST_KEY *dkey, const char *buff,
			      const int buff_len)
{
	const char *p = buff, *eol;
	u_char key[HMAC_LEN+1];	/* b64_pton needs more than 64 bytes do decode
				 * it should probably be fixed rather than doing
				 * this
				 */
	u_char *tmp;
	int key_len, len;

	if (dkey == NULL)
		return (-2);
	if (buff == NULL || buff_len < 0)
		return (-1);

	memset(key, 0, sizeof(key));

	if (!dst_s_verify_str(&p, "Key: "))
		return (-3);

	eol = strchr(p, '\n');
	if (eol == NULL)
		return (-4);
	len = (int)(eol - p);
	tmp = malloc(len + 2);
	if (tmp == NULL)
		return (-5);
	memcpy(tmp, p, len);
	*(tmp + len) = 0x0;
	key_len = b64_pton((char *)tmp, key, HMAC_LEN+1);	/*%< see above */
	SAFE_FREE2(tmp, len + 2);

	if (dst_buffer_to_hmac_md5(dkey, key, key_len) < 0) {
		return (-6);
	}
	return (0);
}

/*%
 * dst_hmac_md5_to_dns_key() 
 *         function to extract hmac key from DST_KEY structure 
 * intput: 
 *      in_key:  HMAC-MD5 key 
 * output: 
 *	out_str: buffer to write ot
 *      out_len: size of output buffer 
 * returns:
 *      number of bytes written to output buffer 
 */
static int
dst_hmac_md5_to_dns_key(const DST_KEY *in_key, u_char *out_str,
			const int out_len)
{

	HMAC_Key *hkey;
	int i;
	
	if (in_key == NULL || in_key->dk_KEY_struct == NULL ||
	    out_len <= in_key->dk_key_size || out_str == NULL)
		return (-1);

	hkey = (HMAC_Key *) in_key->dk_KEY_struct;
	for (i = 0; i < in_key->dk_key_size; i++)
		out_str[i] = hkey->hk_ipad[i] ^ HMAC_IPAD;
	return (i);
}

/************************************************************************** 
 *  dst_hmac_md5_compare_keys
 *	Compare two keys for equality.
 *  Return
 *	0	  The keys are equal
 *	NON-ZERO   The keys are not equal
 */

static int
dst_hmac_md5_compare_keys(const DST_KEY *key1, const DST_KEY *key2)
{
	HMAC_Key *hkey1 = (HMAC_Key *) key1->dk_KEY_struct;
	HMAC_Key *hkey2 = (HMAC_Key *) key2->dk_KEY_struct;
	return memcmp(hkey1->hk_ipad, hkey2->hk_ipad, HMAC_LEN);
}

/************************************************************************** 
 * dst_hmac_md5_free_key_structure
 *     Frees all (none) dynamically allocated structures in hkey
 */

static void *
dst_hmac_md5_free_key_structure(void *key)
{
	HMAC_Key *hkey = key;
	SAFE_FREE(hkey);
	return (NULL);
}


/*************************************************************************** 
 * dst_hmac_md5_generate_key
 *     Creates a HMAC key of size size with a maximum size of 63 bytes
 *     generating a HMAC key larger than 63 bytes makes no sense as that key 
 *     is digested before use. 
 */

static int
/*ARGSUSED*/
dst_hmac_md5_generate_key(DST_KEY *key, const int nothing)
{
	return (-1);
}

/*%
 * dst_hmac_md5_init()  Function to answer set up function pointers for HMAC
 *	   related functions 
 */
int
#ifdef	SUNW_LIBMD5
dst_md5_hmac_init(void)
#else
dst_hmac_md5_init(void)
#endif
{
	if (dst_t_func[KEY_HMAC_MD5] != NULL)
		return (1);
	dst_t_func[KEY_HMAC_MD5] = malloc(sizeof(struct dst_func));
	if (dst_t_func[KEY_HMAC_MD5] == NULL)
		return (0);
	memset(dst_t_func[KEY_HMAC_MD5], 0, sizeof(struct dst_func));
	dst_t_func[KEY_HMAC_MD5]->sign = dst_hmac_md5_sign;
	dst_t_func[KEY_HMAC_MD5]->verify = dst_hmac_md5_verify;
	dst_t_func[KEY_HMAC_MD5]->compare = dst_hmac_md5_compare_keys;
	dst_t_func[KEY_HMAC_MD5]->generate = dst_hmac_md5_generate_key;
	dst_t_func[KEY_HMAC_MD5]->destroy = dst_hmac_md5_free_key_structure;
	dst_t_func[KEY_HMAC_MD5]->to_dns_key = dst_hmac_md5_to_dns_key;
	dst_t_func[KEY_HMAC_MD5]->from_dns_key = dst_buffer_to_hmac_md5;
	dst_t_func[KEY_HMAC_MD5]->to_file_fmt = dst_hmac_md5_key_to_file_format;
	dst_t_func[KEY_HMAC_MD5]->from_file_fmt = dst_hmac_md5_key_from_file_format;
	return (1);
}

/*! \file */

/*	$NetBSD: ns_verify.c,v 1.2.10.2 2013/06/13 04:20:30 msaitoh Exp $	*/

/*
 * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
 * Copyright (c) 1999 by Internet Software Consortium, Inc.
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#ifndef lint
static const char rcsid[] = "Id: ns_verify.c,v 1.5 2006/03/09 23:57:56 marka Exp ";
#endif

/* Import. */

#include "port_before.h"
#include "fd_setsize.h"

#include <sys/types.h>
#include <sys/param.h>

#include <netinet/in.h>
#include <arpa/nameser.h>
#include <arpa/inet.h>

#include <errno.h>
#include <netdb.h>
#include <resolv.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

#include <isc/dst.h>

#include "port_after.h"

/* Private. */

#define BOUNDS_CHECK(ptr, count) \
	do { \
		if ((ptr) + (count) > eom) { \
			return (NS_TSIG_ERROR_FORMERR); \
		} \
	} while (/*CONSTCOND*/0)

/* Public. */

u_char *
ns_find_tsig(u_char *msg, u_char *eom) {
	HEADER *hp = (void *)msg;
	int n, type;
	u_char *cp = msg, *start;

	if (msg == NULL || eom == NULL || msg > eom)
		return (NULL);

	if (cp + HFIXEDSZ >= eom)
		return (NULL);

	if (hp->arcount == 0)
		return (NULL);

	cp += HFIXEDSZ;

	n = ns_skiprr(cp, eom, ns_s_qd, ntohs(hp->qdcount));
	if (n < 0)
		return (NULL);
	cp += n;

	n = ns_skiprr(cp, eom, ns_s_an, ntohs(hp->ancount));
	if (n < 0)
		return (NULL);
	cp += n;

	n = ns_skiprr(cp, eom, ns_s_ns, ntohs(hp->nscount));
	if (n < 0)
		return (NULL);
	cp += n;

	n = ns_skiprr(cp, eom, ns_s_ar, ntohs(hp->arcount) - 1);
	if (n < 0)
		return (NULL);
	cp += n;

	start = cp;
	n = dn_skipname(cp, eom);
	if (n < 0)
		return (NULL);
	cp += n;
	if (cp + INT16SZ >= eom)
		return (NULL);

	GETSHORT(type, cp);
	if (type != ns_t_tsig)
		return (NULL);
	return (start);
}

/* ns_verify
 *
 * Parameters:
 *\li	statp		res stuff
 *\li	msg		received message
 *\li	msglen		length of message
 *\li	key		tsig key used for verifying.
 *\li	querysig	(response), the signature in the query
 *\li	querysiglen	(response), the length of the signature in the query
 *\li	sig		(query), a buffer to hold the signature
 *\li	siglen		(query), input - length of signature buffer
 *				 output - length of signature
 *
 * Errors:
 *\li	- bad input (-1)
 *\li	- invalid dns message (NS_TSIG_ERROR_FORMERR)
 *\li	- TSIG is not present (NS_TSIG_ERROR_NO_TSIG)
 *\li	- key doesn't match (-ns_r_badkey)
 *\li	- TSIG verification fails with BADKEY (-ns_r_badkey)
 *\li	- TSIG verification fails with BADSIG (-ns_r_badsig)
 *\li	- TSIG verification fails with BADTIME (-ns_r_badtime)
 *\li	- TSIG verification succeeds, error set to BAKEY (ns_r_badkey)
 *\li	- TSIG verification succeeds, error set to BADSIG (ns_r_badsig)
 *\li	- TSIG verification succeeds, error set to BADTIME (ns_r_badtime)
 */
int
ns_verify(u_char *msg, int *msglen, void *k,
	  const u_char *querysig, int querysiglen, u_char *sig, int *siglen,
	  time_t *timesigned, int nostrip)
{
	HEADER *hp = (void *)msg;
	DST_KEY *key = (DST_KEY *)k;
	u_char *cp = msg, *eom;
	char name[MAXDNAME], alg[MAXDNAME];
	u_char *recstart, *rdatastart;
	u_char *sigstart, *otherstart;
	int n;
	int error;
	u_int16_t type, length;
	u_int16_t fudge, sigfieldlen, otherfieldlen;

	dst_init();
	if (msg == NULL || msglen == NULL || *msglen < 0)
		return (-1);

	eom = msg + *msglen;

	recstart = ns_find_tsig(msg, eom);
	if (recstart == NULL)
		return (NS_TSIG_ERROR_NO_TSIG);

	cp = recstart;

	/* Read the key name. */
	n = dn_expand(msg, eom, cp, name, MAXDNAME);
	if (n < 0)
		return (NS_TSIG_ERROR_FORMERR);
	cp += n;

	/* Read the type. */
	BOUNDS_CHECK(cp, 2*INT16SZ + INT32SZ + INT16SZ);
	GETSHORT(type, cp);
	if (type != ns_t_tsig)
		return (NS_TSIG_ERROR_NO_TSIG);

	/* Skip the class and TTL, save the length. */
	cp += INT16SZ + INT32SZ;
	GETSHORT(length, cp);
	if (eom - cp != length)
		return (NS_TSIG_ERROR_FORMERR);

	/* Read the algorithm name. */
	rdatastart = cp;
	n = dn_expand(msg, eom, cp, alg, MAXDNAME);
	if (n < 0)
		return (NS_TSIG_ERROR_FORMERR);
	if (ns_samename(alg, NS_TSIG_ALG_HMAC_MD5) != 1)
		return (-ns_r_badkey);
	cp += n;

	/* Read the time signed and fudge. */
	BOUNDS_CHECK(cp, INT16SZ + INT32SZ + INT16SZ);
	cp += INT16SZ;
	GETLONG((*timesigned), cp);
	GETSHORT(fudge, cp);

	/* Read the signature. */
	BOUNDS_CHECK(cp, INT16SZ);
	GETSHORT(sigfieldlen, cp);
	BOUNDS_CHECK(cp, sigfieldlen);
	sigstart = cp;
	cp += sigfieldlen;

	/* Skip id and read error. */
	BOUNDS_CHECK(cp, 2*INT16SZ);
	cp += INT16SZ;
	GETSHORT(error, cp);

	/* Parse the other data. */
	BOUNDS_CHECK(cp, INT16SZ);
	GETSHORT(otherfieldlen, cp);
	BOUNDS_CHECK(cp, otherfieldlen);
	otherstart = cp;
	cp += otherfieldlen;

	if (cp != eom)
		return (NS_TSIG_ERROR_FORMERR);

	/* Verify that the key used is OK. */
	if (key != NULL) {
		if (key->dk_alg != KEY_HMAC_MD5)
			return (-ns_r_badkey);
		if (error != ns_r_badsig && error != ns_r_badkey) {
			if (ns_samename(key->dk_key_name, name) != 1)
				return (-ns_r_badkey);
		}
	}

	hp->arcount = htons(ntohs(hp->arcount) - 1);

	/*
	 * Do the verification.
	 */

	if (key != NULL && error != ns_r_badsig && error != ns_r_badkey) {
		void *ctx;
		u_char buf[MAXDNAME];
		u_char buf2[MAXDNAME];

		/* Digest the query signature, if this is a response. */
		dst_verify_data(SIG_MODE_INIT, key, &ctx, NULL, 0, NULL, 0);
		if (querysiglen > 0 && querysig != NULL) {
			u_int16_t len_n = htons(querysiglen);
			dst_verify_data(SIG_MODE_UPDATE, key, &ctx,
					(void *)&len_n, INT16SZ, NULL, 0);
			dst_verify_data(SIG_MODE_UPDATE, key, &ctx,
					querysig, querysiglen, NULL, 0);
		}
		
 		/* Digest the message. */
		dst_verify_data(SIG_MODE_UPDATE, key, &ctx, msg,
		    (int)(recstart - msg), NULL, 0);

		/* Digest the key name. */
		n = ns_name_pton(name, buf2, sizeof(buf2));
		if (n < 0)
			return (-1);
		n = ns_name_ntol(buf2, buf, sizeof(buf));
		if (n < 0)
			return (-1);
		dst_verify_data(SIG_MODE_UPDATE, key, &ctx, buf, n, NULL, 0);

		/* Digest the class and TTL. */
		dst_verify_data(SIG_MODE_UPDATE, key, &ctx,
				recstart + dn_skipname(recstart, eom) + INT16SZ,
				INT16SZ + INT32SZ, NULL, 0);

		/* Digest the algorithm. */
		n = ns_name_pton(alg, buf2, sizeof(buf2));
		if (n < 0)
			return (-1);
		n = ns_name_ntol(buf2, buf, sizeof(buf));
		if (n < 0)
			return (-1);
		dst_verify_data(SIG_MODE_UPDATE, key, &ctx, buf, n, NULL, 0);

		/* Digest the time signed and fudge. */
		dst_verify_data(SIG_MODE_UPDATE, key, &ctx,
				rdatastart + dn_skipname(rdatastart, eom),
				INT16SZ + INT32SZ + INT16SZ, NULL, 0);

		/* Digest the error and other data. */
		dst_verify_data(SIG_MODE_UPDATE, key, &ctx,
				otherstart - INT16SZ - INT16SZ,
				otherfieldlen + INT16SZ + INT16SZ, NULL, 0);

		n = dst_verify_data(SIG_MODE_FINAL, key, &ctx, NULL, 0,
				    sigstart, sigfieldlen);

		if (n < 0)
			return (-ns_r_badsig);

		if (sig != NULL && siglen != NULL) {
			if (*siglen < sigfieldlen)
				return (NS_TSIG_ERROR_NO_SPACE);
			memcpy(sig, sigstart, sigfieldlen);
			*siglen = sigfieldlen;
		}
	} else {
		if (sigfieldlen > 0)
			return (NS_TSIG_ERROR_FORMERR);
		if (sig != NULL && siglen != NULL)
			*siglen = 0;
	}

	/* Reset the counter, since we still need to check for badtime. */
	hp->arcount = htons(ntohs(hp->arcount) + 1);

	/* Verify the time. */
	if (abs((int)((*timesigned) - time(NULL))) > fudge)
		return (-ns_r_badtime);

	if (nostrip == 0) {
		*msglen = (int)(recstart - msg);
		hp->arcount = htons(ntohs(hp->arcount) - 1);
	}

	if (error != NOERROR)
		return (error);

	return (0);
}

int
ns_verify_tcp_init(void *k, const u_char *querysig, int querysiglen,
		   ns_tcp_tsig_state *state)
{
	dst_init();
	if (state == NULL || k == NULL || querysig == NULL || querysiglen < 0)
		return (-1);
	state->counter = -1;
	state->key = k;
	if (state->key->dk_alg != KEY_HMAC_MD5)
		return (-ns_r_badkey);
	if (querysiglen > (int)sizeof(state->sig))
		return (-1);
	memcpy(state->sig, querysig, querysiglen);
	state->siglen = querysiglen;
	return (0);
}

int
ns_verify_tcp(u_char *msg, int *msglen, ns_tcp_tsig_state *state,
	      int required)
{
	HEADER *hp = (void *)msg;
	u_char *recstart, *sigstart;
	unsigned int sigfieldlen, otherfieldlen;
	u_char *cp, *eom, *cp2;
	char name[MAXDNAME], alg[MAXDNAME];
	u_char buf[MAXDNAME];
	int n, type, length, fudge, error;
	time_t timesigned;

	if (msg == NULL || msglen == NULL || state == NULL)
		return (-1);

	eom = msg + *msglen;

	state->counter++;
	if (state->counter == 0)
		return (ns_verify(msg, msglen, state->key,
				  state->sig, state->siglen,
				  state->sig, &state->siglen, &timesigned, 0));

	if (state->siglen > 0) {
		u_int16_t siglen_n = htons(state->siglen);

		dst_verify_data(SIG_MODE_INIT, state->key, &state->ctx,
				NULL, 0, NULL, 0);
		dst_verify_data(SIG_MODE_UPDATE, state->key, &state->ctx,
				(void *)&siglen_n, INT16SZ, NULL, 0);
		dst_verify_data(SIG_MODE_UPDATE, state->key, &state->ctx,
				state->sig, state->siglen, NULL, 0);
		state->siglen = 0;
	}

	cp = recstart = ns_find_tsig(msg, eom);

	if (recstart == NULL) {
		if (required)
			return (NS_TSIG_ERROR_NO_TSIG);
		dst_verify_data(SIG_MODE_UPDATE, state->key, &state->ctx,
				msg, *msglen, NULL, 0);
		return (0);
	}

	hp->arcount = htons(ntohs(hp->arcount) - 1);
	dst_verify_data(SIG_MODE_UPDATE, state->key, &state->ctx,
			msg, (int)(recstart - msg), NULL, 0);
	
	/* Read the key name. */
	n = dn_expand(msg, eom, cp, name, MAXDNAME);
	if (n < 0)
		return (NS_TSIG_ERROR_FORMERR);
	cp += n;

	/* Read the type. */
	BOUNDS_CHECK(cp, 2*INT16SZ + INT32SZ + INT16SZ);
	GETSHORT(type, cp);
	if (type != ns_t_tsig)
		return (NS_TSIG_ERROR_NO_TSIG);

	/* Skip the class and TTL, save the length. */
	cp += INT16SZ + INT32SZ;
	GETSHORT(length, cp);
	if (eom - cp != length)
		return (NS_TSIG_ERROR_FORMERR);

	/* Read the algorithm name. */
	n = dn_expand(msg, eom, cp, alg, MAXDNAME);
	if (n < 0)
		return (NS_TSIG_ERROR_FORMERR);
	if (ns_samename(alg, NS_TSIG_ALG_HMAC_MD5) != 1)
		return (-ns_r_badkey);
	cp += n;

	/* Verify that the key used is OK. */
	if ((ns_samename(state->key->dk_key_name, name) != 1 ||
	     state->key->dk_alg != KEY_HMAC_MD5))
		return (-ns_r_badkey);

	/* Read the time signed and fudge. */
	BOUNDS_CHECK(cp, INT16SZ + INT32SZ + INT16SZ);
	cp += INT16SZ;
	GETLONG(timesigned, cp);
	GETSHORT(fudge, cp);

	/* Read the signature. */
	BOUNDS_CHECK(cp, INT16SZ);
	GETSHORT(sigfieldlen, cp);
	BOUNDS_CHECK(cp, sigfieldlen);
	sigstart = cp;
	cp += sigfieldlen;

	/* Skip id and read error. */
	BOUNDS_CHECK(cp, 2*INT16SZ);
	cp += INT16SZ;
	GETSHORT(error, cp);

	/* Parse the other data. */
	BOUNDS_CHECK(cp, INT16SZ);
	GETSHORT(otherfieldlen, cp);
	BOUNDS_CHECK(cp, otherfieldlen);
	cp += otherfieldlen;

	if (cp != eom)
		return (NS_TSIG_ERROR_FORMERR);

	/*
	 * Do the verification.
	 */

	/* Digest the time signed and fudge. */
	cp2 = buf;
	PUTSHORT(0, cp2);       /*%< Top 16 bits of time. */
	PUTLONG(timesigned, cp2);
	PUTSHORT(NS_TSIG_FUDGE, cp2);

	dst_verify_data(SIG_MODE_UPDATE, state->key, &state->ctx,
			buf, (int)(cp2 - buf), NULL, 0);

	n = dst_verify_data(SIG_MODE_FINAL, state->key, &state->ctx, NULL, 0,
			    sigstart, (int)sigfieldlen);
	if (n < 0)
		return (-ns_r_badsig);

	if (sigfieldlen > sizeof(state->sig))
		return (NS_TSIG_ERROR_NO_SPACE);

	memcpy(state->sig, sigstart, sigfieldlen);
	state->siglen = sigfieldlen;

	/* Verify the time. */
	if (abs((int)(timesigned - time(NULL))) > fudge)
		return (-ns_r_badtime);

	*msglen = (int)(recstart - msg);

	if (error != NOERROR)
		return (error);

	return (0);
}

/*! \file */

/*	$NetBSD: ns_date.c,v 1.1.10.2 2013/06/13 04:20:30 msaitoh Exp $	*/

/*
 * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
 * Copyright (c) 1999 by Internet Software Consortium.
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <sys/cdefs.h>
#if 0
static const char rcsid[] = "Id: ns_date.c,v 1.6 2005/04/27 04:56:39 sra Exp ";
#else
__RCSID("$NetBSD: ns_date.c,v 1.1.10.2 2013/06/13 04:20:30 msaitoh Exp $");
#endif

/* Import. */

#include "port_before.h"

#include <arpa/nameser.h>

#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#include "port_after.h"

#ifdef SPRINTF_CHAR
# define SPRINTF(x) strlen(sprintf/**/x)
#else
# define SPRINTF(x) ((size_t)sprintf x)
#endif

/* Forward. */

static int	datepart(const char *, int, int, int, int *);

/* Public. */

/*%
 * Convert a date in ASCII into the number of seconds since
 * 1 January 1970 (GMT assumed).  Format is yyyymmddhhmmss, all
 * digits required, no spaces allowed.
 */

u_int32_t
ns_datetosecs(const char *cp, int *errp) {
	struct tm tim;
	u_int32_t result;
	int mdays, i;
	static const int days_per_month[12] =
		{31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};

	if (strlen(cp) != 14U) {
		*errp = 1;
		return (0);
	}
	*errp = 0;

	memset(&tim, 0, sizeof tim);
	tim.tm_year  = datepart(cp +  0, 4, 1990, 9999, errp) - 1900;
	tim.tm_mon   = datepart(cp +  4, 2,   01,   12, errp) - 1;
	tim.tm_mday  = datepart(cp +  6, 2,   01,   31, errp);
	tim.tm_hour  = datepart(cp +  8, 2,   00,   23, errp);
	tim.tm_min   = datepart(cp + 10, 2,   00,   59, errp);
	tim.tm_sec   = datepart(cp + 12, 2,   00,   59, errp);
	if (*errp)		/*%< Any parse errors? */
		return (0);

	/* 
	 * OK, now because timegm() is not available in all environments,
	 * we will do it by hand.  Roll up sleeves, curse the gods, begin!
	 */

#define SECS_PER_DAY    ((u_int32_t)24*60*60)
#define isleap(y) ((((y) % 4) == 0 && ((y) % 100) != 0) || ((y) % 400) == 0)

	result  = tim.tm_sec;				/*%< Seconds */
	result += tim.tm_min * 60;			/*%< Minutes */
	result += tim.tm_hour * (60*60);		/*%< Hours */
	result += (tim.tm_mday - 1) * SECS_PER_DAY;	/*%< Days */
	/* Months are trickier.  Look without leaping, then leap */
	mdays = 0;
	for (i = 0; i < tim.tm_mon; i++)
		mdays += days_per_month[i];
	result += mdays * SECS_PER_DAY;			/*%< Months */
	if (tim.tm_mon > 1 && isleap(1900+tim.tm_year))
		result += SECS_PER_DAY;		/*%< Add leapday for this year */
	/* First figure years without leapdays, then add them in.  */
	/* The loop is slow, FIXME, but simple and accurate.  */
	result += (tim.tm_year - 70) * (SECS_PER_DAY*365); /*%< Years */
	for (i = 70; i < tim.tm_year; i++)
		if (isleap(1900+i))
			result += SECS_PER_DAY; /*%< Add leapday for prev year */
	return (result);
}

/* Private. */

/*%
 * Parse part of a date.  Set error flag if any error.
 * Don't reset the flag if there is no error.
 */
static int
datepart(const char *buf, int size, int min, int max, int *errp) {
	int result = 0;
	int i;

	for (i = 0; i < size; i++) {
		if (!isdigit((unsigned char)(buf[i])))
			*errp = 1;
		result = (result * 10) + buf[i] - '0';
	}
	if (result < min)
		*errp = 1;
	if (result > max)
		*errp = 1;
	return (result);
}

/*! \file */

/*	$NetBSD: ns_sign.c,v 1.1.10.2 2013/06/13 04:20:30 msaitoh Exp $	*/

/*
 * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
 * Copyright (c) 1999 by Internet Software Consortium, Inc.
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
#include <sys/cdefs.h>
#if 0
static const char rcsid[] = "Id: ns_sign.c,v 1.6 2006/03/09 23:57:56 marka Exp ";
#else
__RCSID("$NetBSD: ns_sign.c,v 1.1.10.2 2013/06/13 04:20:30 msaitoh Exp $");
#endif

/* Import. */

#include "port_before.h"
#include "fd_setsize.h"

#include <sys/types.h>
#include <sys/param.h>

#include <netinet/in.h>
#include <arpa/nameser.h>
#include <arpa/inet.h>

#include <errno.h>
#include <netdb.h>
#include <resolv.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

#include <isc/dst.h>
#include <isc/assertions.h>

#include "port_after.h"

#define BOUNDS_CHECK(ptr, count) \
	do { \
		if ((ptr) + (count) > eob) { \
			errno = EMSGSIZE; \
			return(NS_TSIG_ERROR_NO_SPACE); \
		} \
	} while (/*CONSTCOND*/0)

/*%
 *  ns_sign
 *
 * Parameters:
 *\li	msg		message to be sent
 *\li	msglen		input - length of message
 *			output - length of signed message
 *\li	msgsize		length of buffer containing message
 *\li	error		value to put in the error field
 *\li	key		tsig key used for signing
 *\li	querysig	(response), the signature in the query
 *\li	querysiglen	(response), the length of the signature in the query
 *\li	sig		a buffer to hold the generated signature
 *\li	siglen		input - length of signature buffer
 *			output - length of signature
 *
 * Errors:
 *\li	- bad input data (-1)
 *\li	- bad key / sign failed (-BADKEY)
 *\li	- not enough space (NS_TSIG_ERROR_NO_SPACE)
 */
int
ns_sign(u_char *msg, int *msglen, int msgsize, int error, void *k,
	const u_char *querysig, int querysiglen, u_char *sig, int *siglen,
	time_t in_timesigned)
{
	return(ns_sign2(msg, msglen, msgsize, error, k,
			querysig, querysiglen, sig, siglen,
			in_timesigned, NULL, NULL));
}

int
ns_sign2(u_char *msg, int *msglen, int msgsize, int error, void *k,
	 const u_char *querysig, int querysiglen, u_char *sig, int *siglen,
	 time_t in_timesigned, u_char **dnptrs, u_char **lastdnptr)
{
	HEADER *hp = (void *)msg;
	DST_KEY *key = (DST_KEY *)k;
	u_char *cp, *eob;
	u_char *lenp;
	u_char *alg;
	int n;
	time_t timesigned;
        u_char name[NS_MAXCDNAME];

	dst_init();
	if (msg == NULL || msglen == NULL || sig == NULL || siglen == NULL)
		return (-1);

	cp = msg + *msglen;
	eob = msg + msgsize;

	/* Name. */
	if (key != NULL && error != ns_r_badsig && error != ns_r_badkey) {
		n = ns_name_pton(key->dk_key_name, name, sizeof name);
		if (n != -1)
			n = ns_name_pack(name, cp, (int)(eob - cp),
					 (void *)dnptrs,
					 (void *)lastdnptr);

	} else {
		n = ns_name_pton("", name, sizeof name);
		if (n != -1)
			n = ns_name_pack(name, cp, (int)(eob - cp), NULL, NULL);
	}
	if (n < 0)
		return (NS_TSIG_ERROR_NO_SPACE);
	cp += n;

	/* Type, class, ttl, length (not filled in yet). */
	BOUNDS_CHECK(cp, INT16SZ + INT16SZ + INT32SZ + INT16SZ);
	PUTSHORT(ns_t_tsig, cp);
	PUTSHORT(ns_c_any, cp);
	PUTLONG(0, cp);		/*%< TTL */
	lenp = cp;
	cp += 2;

	/* Alg. */
	if (key != NULL && error != ns_r_badsig && error != ns_r_badkey) {
		if (key->dk_alg != KEY_HMAC_MD5)
			return (-ns_r_badkey);
		n = dn_comp(NS_TSIG_ALG_HMAC_MD5, cp, (int)(eob - cp), NULL,
		    NULL);
	}
	else
		n = dn_comp("", cp, (int)(eob - cp), NULL, NULL);
	if (n < 0)
		return (NS_TSIG_ERROR_NO_SPACE);
	alg = cp;
	cp += n;
	
	/* Time. */
	BOUNDS_CHECK(cp, INT16SZ + INT32SZ + INT16SZ);
	PUTSHORT(0, cp);
	timesigned = time(NULL);
	if (error != ns_r_badtime)
		PUTLONG(timesigned, cp);
	else
		PUTLONG(in_timesigned, cp);
	PUTSHORT(NS_TSIG_FUDGE, cp);

	/* Compute the signature. */
	if (key != NULL && error != ns_r_badsig && error != ns_r_badkey) {
		void *ctx;
		u_char buf[NS_MAXCDNAME], *cp2;
		int nn;

		dst_sign_data(SIG_MODE_INIT, key, &ctx, NULL, 0, NULL, 0);

		/* Digest the query signature, if this is a response. */
		if (querysiglen > 0 && querysig != NULL) {
			u_int16_t len_n = htons(querysiglen);
			dst_sign_data(SIG_MODE_UPDATE, key, &ctx,
				      (void *)&len_n, INT16SZ, NULL, 0);
			dst_sign_data(SIG_MODE_UPDATE, key, &ctx,
				      querysig, querysiglen, NULL, 0);
		}

		/* Digest the message. */
		dst_sign_data(SIG_MODE_UPDATE, key, &ctx, msg, *msglen,
			      NULL, 0);

		/* Digest the key name. */
		nn = ns_name_ntol(name, buf, sizeof(buf));
		INSIST(nn > 0);
		dst_sign_data(SIG_MODE_UPDATE, key, &ctx, buf, nn, NULL, 0);

		/* Digest the class and TTL. */
		cp2 = buf;
		PUTSHORT(ns_c_any, cp2);
		PUTLONG(0, cp2);
		dst_sign_data(SIG_MODE_UPDATE, key, &ctx, buf, (int)(cp2 - buf),
			      NULL, 0);

		/* Digest the algorithm. */
		nn = ns_name_ntol(alg, buf, sizeof(buf));
		INSIST(nn > 0);
		dst_sign_data(SIG_MODE_UPDATE, key, &ctx, buf, nn, NULL, 0);

		/* Digest the time signed, fudge, error, and other data */
		cp2 = buf;
		PUTSHORT(0, cp2);	/*%< Top 16 bits of time */
		if (error != ns_r_badtime)
			PUTLONG(timesigned, cp2);
		else
			PUTLONG(in_timesigned, cp2);
		PUTSHORT(NS_TSIG_FUDGE, cp2);
		PUTSHORT(error, cp2);	/*%< Error */
		if (error != ns_r_badtime)
			PUTSHORT(0, cp2);	/*%< Other data length */
		else {
			PUTSHORT(INT16SZ+INT32SZ, cp2);	/*%< Other data length */
			PUTSHORT(0, cp2);	/*%< Top 16 bits of time */
			PUTLONG(timesigned, cp2);
		}
		dst_sign_data(SIG_MODE_UPDATE, key, &ctx, buf, (int)(cp2 - buf),
			      NULL, 0);

		nn = dst_sign_data(SIG_MODE_FINAL, key, &ctx, NULL, 0,
				  sig, *siglen);
		if (nn < 0)
			return (-ns_r_badkey);
		*siglen = nn;
	} else
		*siglen = 0;

	/* Add the signature. */
	BOUNDS_CHECK(cp, INT16SZ + (*siglen));
	PUTSHORT(*siglen, cp);
	memcpy(cp, sig, *siglen);
	cp += (*siglen);

	/* The original message ID & error. */
	BOUNDS_CHECK(cp, INT16SZ + INT16SZ);
	PUTSHORT(ntohs(hp->id), cp);	/*%< already in network order */
	PUTSHORT(error, cp);

	/* Other data. */
	BOUNDS_CHECK(cp, INT16SZ);
	if (error != ns_r_badtime)
		PUTSHORT(0, cp);	/*%< Other data length */
	else {
		PUTSHORT(INT16SZ+INT32SZ, cp);	/*%< Other data length */
		BOUNDS_CHECK(cp, INT32SZ+INT16SZ);
		PUTSHORT(0, cp);	/*%< Top 16 bits of time */
		PUTLONG(timesigned, cp);
	}

	/* Go back and fill in the length. */
	PUTSHORT(cp - lenp - INT16SZ, lenp);

	hp->arcount = htons(ntohs(hp->arcount) + 1);
	*msglen = (int)(cp - msg);
	return (0);
}

int
ns_sign_tcp_init(void *k, const u_char *querysig, int querysiglen,
		 ns_tcp_tsig_state *state)
{
	dst_init();
	if (state == NULL || k == NULL || querysig == NULL || querysiglen < 0)
		return (-1);
	state->counter = -1;
	state->key = k;
	if (state->key->dk_alg != KEY_HMAC_MD5)
		return (-ns_r_badkey);
	if (querysiglen > (int)sizeof(state->sig))
		return (-1);
	memcpy(state->sig, querysig, querysiglen);
	state->siglen = querysiglen;
	return (0);
}

int
ns_sign_tcp(u_char *msg, int *msglen, int msgsize, int error,
	    ns_tcp_tsig_state *state, int done)
{
	return (ns_sign_tcp2(msg, msglen, msgsize, error, state,
			     done, NULL, NULL));
}

int
ns_sign_tcp2(u_char *msg, int *msglen, int msgsize, int error,
	     ns_tcp_tsig_state *state, int done,
	     u_char **dnptrs, u_char **lastdnptr)
{
	u_char *cp, *eob, *lenp;
	u_char buf[MAXDNAME], *cp2;
	HEADER *hp = (void *)msg;
	time_t timesigned;
	int n;

	if (msg == NULL || msglen == NULL || state == NULL)
		return (-1);

	state->counter++;
	if (state->counter == 0)
		return (ns_sign2(msg, msglen, msgsize, error, state->key,
				 state->sig, state->siglen,
				 state->sig, &state->siglen, 0,
				 dnptrs, lastdnptr));

	if (state->siglen > 0) {
		u_int16_t siglen_n = htons(state->siglen);
		dst_sign_data(SIG_MODE_INIT, state->key, &state->ctx,
			      NULL, 0, NULL, 0);
		dst_sign_data(SIG_MODE_UPDATE, state->key, &state->ctx,
			      (void *)&siglen_n, INT16SZ, NULL, 0);
		dst_sign_data(SIG_MODE_UPDATE, state->key, &state->ctx,
			      state->sig, state->siglen, NULL, 0);
		state->siglen = 0;
	}

	dst_sign_data(SIG_MODE_UPDATE, state->key, &state->ctx, msg, *msglen,
		      NULL, 0);

	if (done == 0 && (state->counter % 100 != 0))
		return (0);

	cp = msg + *msglen;
	eob = msg + msgsize;

	/* Name. */
	n = dn_comp(state->key->dk_key_name, cp, (int)(eob - cp), dnptrs,
	    lastdnptr);
	if (n < 0)
		return (NS_TSIG_ERROR_NO_SPACE);
	cp += n;

	/* Type, class, ttl, length (not filled in yet). */
	BOUNDS_CHECK(cp, INT16SZ + INT16SZ + INT32SZ + INT16SZ);
	PUTSHORT(ns_t_tsig, cp);
	PUTSHORT(ns_c_any, cp);
	PUTLONG(0, cp);		/*%< TTL */
	lenp = cp;
	cp += 2;

	/* Alg. */
	n = dn_comp(NS_TSIG_ALG_HMAC_MD5, cp, (int)(eob - cp), NULL, NULL);
	if (n < 0)
		return (NS_TSIG_ERROR_NO_SPACE);
	cp += n;
	
	/* Time. */
	BOUNDS_CHECK(cp, INT16SZ + INT32SZ + INT16SZ);
	PUTSHORT(0, cp);
	timesigned = time(NULL);
	PUTLONG(timesigned, cp);
	PUTSHORT(NS_TSIG_FUDGE, cp);

	/*
	 * Compute the signature.
	 */

	/* Digest the time signed and fudge. */
	cp2 = buf;
	PUTSHORT(0, cp2);	/*%< Top 16 bits of time */
	PUTLONG(timesigned, cp2);
	PUTSHORT(NS_TSIG_FUDGE, cp2);

	dst_sign_data(SIG_MODE_UPDATE, state->key, &state->ctx,
		      buf, (int)(cp2 - buf), NULL, 0);

	n = dst_sign_data(SIG_MODE_FINAL, state->key, &state->ctx, NULL, 0,
			  state->sig, (int)sizeof(state->sig));
	if (n < 0)
		return (-ns_r_badkey);
	state->siglen = n;

	/* Add the signature. */
	BOUNDS_CHECK(cp, INT16SZ + state->siglen);
	PUTSHORT(state->siglen, cp);
	memcpy(cp, state->sig, state->siglen);
	cp += state->siglen;

	/* The original message ID & error. */
	BOUNDS_CHECK(cp, INT16SZ + INT16SZ);
	PUTSHORT(ntohs(hp->id), cp);	/*%< already in network order */
	PUTSHORT(error, cp);

	/* Other data. */
	BOUNDS_CHECK(cp, INT16SZ);
	PUTSHORT(0, cp);

	/* Go back and fill in the length. */
	PUTSHORT(cp - lenp - INT16SZ, lenp);

	hp->arcount = htons(ntohs(hp->arcount) + 1);
	*msglen = (int)(cp - msg);
	return (0);
}

/*! \file */

/*	$NetBSD: res_findzonecut.c,v 1.1.10.2 2013/06/13 04:20:30 msaitoh Exp $	*/

/*
 * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
 * Copyright (c) 1999 by Internet Software Consortium.
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
#include <sys/cdefs.h>
#if 0
static const char rcsid[] = "Id: res_findzonecut.c,v 1.10 2005/10/11 00:10:16 marka Exp ";
#else
__RCSID("$NetBSD: res_findzonecut.c,v 1.1.10.2 2013/06/13 04:20:30 msaitoh Exp $");
#endif


/* Import. */

#include "port_before.h"

#include <sys/param.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/queue.h>

#include <netinet/in.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>

#include <errno.h>
#include <limits.h>
#include <netdb.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include "port_after.h"

#include <resolv.h>

/* Data structures. */

typedef struct rr_a {
	TAILQ_ENTRY(rr_a)	link;
	union res_sockaddr_union addr;
} rr_a;
typedef TAILQ_HEAD(rrset_a, rr_a) rrset_a;

typedef struct rr_ns {
	TAILQ_ENTRY(rr_ns)	link;
	const char *		name;
	unsigned int		flags;
	rrset_a			addrs;
} rr_ns;
typedef TAILQ_HEAD(rrset_ns, rr_ns) rrset_ns;

#define	RR_NS_HAVE_V4		0x01
#define	RR_NS_HAVE_V6		0x02

/* Forward. */

static int	satisfy(res_state, const char *, rrset_ns *,
			union res_sockaddr_union *, int);
static int	add_addrs(res_state, rr_ns *,
			  union res_sockaddr_union *, int);
static int	get_soa(res_state, const char *, ns_class, int,
			char *, size_t, char *, size_t,
			rrset_ns *);
static int	get_ns(res_state, const char *, ns_class, int, rrset_ns *);
static int	get_glue(res_state, ns_class, int, rrset_ns *);
static int	save_ns(res_state, ns_msg *, ns_sect,
			const char *, ns_class, int, rrset_ns *);
static int	save_a(res_state, ns_msg *, ns_sect,
		       const char *, ns_class, int, rr_ns *);
static void	free_nsrrset(rrset_ns *);
static void	free_nsrr(rrset_ns *, rr_ns *);
static rr_ns *	find_ns(rrset_ns *, const char *);
static int	do_query(res_state, const char *, ns_class, ns_type,
			 u_char *, ns_msg *);
static void	res_dprintf(const char *, ...) ISC_FORMAT_PRINTF(1, 2);

/* Macros. */

#define DPRINTF(x) do {\
		int save_errno = errno; \
		if ((statp->options & RES_DEBUG) != 0U) res_dprintf x; \
		errno = save_errno; \
	} while (/*CONSTCOND*/0)

/* Public. */

/*%
 *	find enclosing zone for a <dname,class>, and some server addresses
 *
 * parameters:
 *\li	res - resolver context to work within (is modified)
 *\li	dname - domain name whose enclosing zone is desired
 *\li	class - class of dname (and its enclosing zone)
 *\li	zname - found zone name
 *\li	zsize - allocated size of zname
 *\li	addrs - found server addresses
 *\li	naddrs - max number of addrs
 *
 * return values:
 *\li	< 0 - an error occurred (check errno)
 *\li	= 0 - zname is now valid, but addrs[] wasn't changed
 *\li	> 0 - zname is now valid, and return value is number of addrs[] found
 *
 * notes:
 *\li	this function calls res_nsend() which means it depends on correctly
 *	functioning recursive nameservers (usually defined in /etc/resolv.conf
 *	or its local equivilent).
 *
 *\li	we start by asking for an SOA<dname,class>.  if we get one as an
 *	answer, that just means <dname,class> is a zone top, which is fine.
 *	more than likely we'll be told to go pound sand, in the form of a
 *	negative answer.
 *
 *\li	note that we are not prepared to deal with referrals since that would
 *	only come from authority servers and our correctly functioning local
 *	recursive server would have followed the referral and got us something
 *	more definite.
 *
 *\li	if the authority section contains an SOA, this SOA should also be the
 *	closest enclosing zone, since any intermediary zone cuts would've been
 *	returned as referrals and dealt with by our correctly functioning local
 *	recursive name server.  but an SOA in the authority section should NOT
 *	match our dname (since that would have been returned in the answer
 *	section).  an authority section SOA has to be "above" our dname.
 *
 *\li	however, since authority section SOA's were once optional, it's
 *	possible that we'll have to go hunting for the enclosing SOA by
 *	ripping labels off the front of our dname -- this is known as "doing
 *	it the hard way."
 *
 *\li	ultimately we want some server addresses, which are ideally the ones
 *	pertaining to the SOA.MNAME, but only if there is a matching NS RR.
 *	so the second phase (after we find an SOA) is to go looking for the
 *	NS RRset for that SOA's zone.
 *
 *\li	no answer section processed by this code is allowed to contain CNAME
 *	or DNAME RR's.  for the SOA query this means we strip a label and
 *	keep going.  for the NS and A queries this means we just give up.
 */

int
res_findzonecut(res_state statp, const char *dname, ns_class class, int opts,
		char *zname, size_t zsize, struct in_addr *addrs, int naddrs)
{
	int result, i;
	union res_sockaddr_union *u;

	
	opts |= RES_IPV4ONLY;
	opts &= ~RES_IPV6ONLY;

	u = calloc(naddrs, sizeof(*u));
	if (u == NULL)
		return(-1);

	result = res_findzonecut2(statp, dname, class, opts, zname, zsize,
				  u, naddrs);

	for (i = 0; i < result; i++) {
		addrs[i] = u[i].sin.sin_addr;
	}
	free(u);
	return (result);
}

int
res_findzonecut2(res_state statp, const char *dname, ns_class class, int opts,
		 char *zname, size_t zsize, union res_sockaddr_union *addrs,
		 int naddrs)
{
	char mname[NS_MAXDNAME];
	u_long save_pfcode;
	rrset_ns nsrrs;
	int n;

	DPRINTF(("START dname='%s' class=%s, zsize=%ld, naddrs=%d",
		 dname, p_class(class), (long)zsize, naddrs));
	save_pfcode = statp->pfcode;
	statp->pfcode |= RES_PRF_HEAD2 | RES_PRF_HEAD1 | RES_PRF_HEADX |
			 RES_PRF_QUES | RES_PRF_ANS |
			 RES_PRF_AUTH | RES_PRF_ADD;
	TAILQ_INIT(&nsrrs);

	DPRINTF(("get the soa, and see if it has enough glue"));
	if ((n = get_soa(statp, dname, class, opts, zname, zsize,
			 mname, sizeof mname, &nsrrs)) < 0 ||
	    ((opts & RES_EXHAUSTIVE) == 0 &&
	     (n = satisfy(statp, mname, &nsrrs, addrs, naddrs)) > 0))
		goto done;

	DPRINTF(("get the ns rrset and see if it has enough glue"));
	if ((n = get_ns(statp, zname, class, opts, &nsrrs)) < 0 ||
	    ((opts & RES_EXHAUSTIVE) == 0 &&
	     (n = satisfy(statp, mname, &nsrrs, addrs, naddrs)) > 0))
		goto done;

	DPRINTF(("get the missing glue and see if it's finally enough"));
	if ((n = get_glue(statp, class, opts, &nsrrs)) >= 0)
		n = satisfy(statp, mname, &nsrrs, addrs, naddrs);

 done:
	DPRINTF(("FINISH n=%d (%s)", n, (n < 0) ? strerror(errno) : "OK"));
	free_nsrrset(&nsrrs);
	statp->pfcode = save_pfcode;
	return (n);
}

/* Private. */

static int
satisfy(res_state statp, const char *mname, rrset_ns *nsrrsp,
	union res_sockaddr_union *addrs, int naddrs)
{
	rr_ns *nsrr;
	int n, x;

	n = 0;
	nsrr = find_ns(nsrrsp, mname);
	if (nsrr != NULL) {
		x = add_addrs(statp, nsrr, addrs, naddrs);
		addrs += x;
		naddrs -= x;
		n += x;
	}
	TAILQ_FOREACH(nsrr, nsrrsp, link) {
		if (naddrs <= 0)
			break;
		if (ns_samename(nsrr->name, mname) != 1) {
			x = add_addrs(statp, nsrr, addrs, naddrs);
			addrs += x;
			naddrs -= x;
			n += x;
		}
	}
	DPRINTF(("satisfy(%s): %d", mname, n));
	return (n);
}

static int
add_addrs(res_state statp, rr_ns *nsrr,
	  union res_sockaddr_union *addrs, int naddrs)
{
	rr_a *arr;
	int n = 0;

	TAILQ_FOREACH(arr, &nsrr->addrs, link) {
		if (naddrs <= 0)
			return (0);
		*addrs++ = arr->addr;
		naddrs--;
		n++;
	}
	DPRINTF(("add_addrs: %d", n));
	return (n);
}

static int
get_soa(res_state statp, const char *dname, ns_class class, int opts,
	char *zname, size_t zsize, char *mname, size_t msize,
	rrset_ns *nsrrsp)
{
	char tname[NS_MAXDNAME];
	u_char *resp = NULL;
	int n, i, ancount, nscount;
	ns_sect sect;
	ns_msg msg;
	u_int rcode;

	/*
	 * Find closest enclosing SOA, even if it's for the root zone.
	 */

	/* First canonicalize dname (exactly one unescaped trailing "."). */
	if (ns_makecanon(dname, tname, sizeof tname) < 0)
		goto cleanup;
	dname = tname;

	resp = malloc(NS_MAXMSG);
	if (resp == NULL)
		goto cleanup;

	/* Now grovel the subdomains, hunting for an SOA answer or auth. */
	for (;;) {
		/* Leading or inter-label '.' are skipped here. */
		while (*dname == '.')
			dname++;

		/* Is there an SOA? */
		n = do_query(statp, dname, class, ns_t_soa, resp, &msg);
		if (n < 0) {
			DPRINTF(("get_soa: do_query('%s', %s) failed (%d)",
				 dname, p_class(class), n));
			goto cleanup;
		}
		if (n > 0) {
			DPRINTF(("get_soa: CNAME or DNAME found"));
			sect = ns_s_max, n = 0;
		} else {
			rcode = ns_msg_getflag(msg, ns_f_rcode);
			ancount = ns_msg_count(msg, ns_s_an);
			nscount = ns_msg_count(msg, ns_s_ns);
			if (ancount > 0 && rcode == ns_r_noerror)
				sect = ns_s_an, n = ancount;
			else if (nscount > 0)
				sect = ns_s_ns, n = nscount;
			else
				sect = ns_s_max, n = 0;
		}
		for (i = 0; i < n; i++) {
			const char *t;
			const u_char *rdata;
			ns_rr rr;

			if (ns_parserr(&msg, sect, i, &rr) < 0) {
				DPRINTF(("get_soa: ns_parserr(%s, %d) failed",
					 p_section(sect, ns_o_query), i));
				goto cleanup;
			}
			if (ns_rr_type(rr) == ns_t_cname ||
			    ns_rr_type(rr) == ns_t_dname)
				break;
			if (ns_rr_type(rr) != ns_t_soa ||
			    ns_rr_class(rr) != class)
				continue;
			t = ns_rr_name(rr);
			switch (sect) {
			case ns_s_an:
				if (ns_samedomain(dname, t) == 0) {
					DPRINTF(
				    ("get_soa: ns_samedomain('%s', '%s') == 0",
						dname, t)
						);
					errno = EPROTOTYPE;
					goto cleanup;
				}
				break;
			case ns_s_ns:
				if (ns_samename(dname, t) == 1 ||
				    ns_samedomain(dname, t) == 0) {
					DPRINTF(
		       ("get_soa: ns_samename() || !ns_samedomain('%s', '%s')",
						dname, t)
						);
					errno = EPROTOTYPE;
					goto cleanup;
				}
				break;
			default:
				abort();
			}
			if (strlen(t) + 1 > zsize) {
				DPRINTF(("get_soa: zname(%lu) too small (%lu)",
					 (unsigned long)zsize,
					 (unsigned long)strlen(t) + 1));
				errno = EMSGSIZE;
				goto cleanup;
			}
			strcpy(zname, t);
			rdata = ns_rr_rdata(rr);
			if (ns_name_uncompress(resp, ns_msg_end(msg), rdata,
					       mname, msize) < 0) {
				DPRINTF(("get_soa: ns_name_uncompress failed")
					);
				goto cleanup;
			}
			if (save_ns(statp, &msg, ns_s_ns,
				    zname, class, opts, nsrrsp) < 0) {
				DPRINTF(("get_soa: save_ns failed"));
				goto cleanup;
			}
			free(resp);
			return (0);
		}

		/* If we're out of labels, then not even "." has an SOA! */
		if (*dname == '\0')
			break;

		/* Find label-terminating "."; top of loop will skip it. */
		while (*dname != '.') {
			if (*dname == '\\')
				if (*++dname == '\0') {
					errno = EMSGSIZE;
					goto cleanup;
				}
			dname++;
		}
	}
	DPRINTF(("get_soa: out of labels"));
	errno = EDESTADDRREQ;
 cleanup:
	if (resp != NULL)
		free(resp);
	return (-1);
}

static int
get_ns(res_state statp, const char *zname, ns_class class, int opts,
      rrset_ns *nsrrsp)
{
	u_char *resp;
	ns_msg msg;
	int n;

	resp = malloc(NS_MAXMSG);
	if (resp == NULL)
		return (-1);

	/* Go and get the NS RRs for this zone. */
	n = do_query(statp, zname, class, ns_t_ns, resp, &msg);
	if (n != 0) {
		DPRINTF(("get_ns: do_query('%s', %s) failed (%d)",
			 zname, p_class(class), n));
		free(resp);
		return (-1);
	}

	/* Remember the NS RRs and associated A RRs that came back. */
	if (save_ns(statp, &msg, ns_s_an, zname, class, opts, nsrrsp) < 0) {
		DPRINTF(("get_ns save_ns('%s', %s) failed",
			 zname, p_class(class)));
		free(resp);
		return (-1);
	}

	free(resp);
	return (0);
}

static int
get_glue(res_state statp, ns_class class, int opts, rrset_ns *nsrrsp) {
	rr_ns *nsrr, *nsrr_n;
	u_char *resp;

	resp = malloc(NS_MAXMSG);
	if (resp == NULL)
		return(-1);

	/* Go and get the A RRs for each empty NS RR on our list. */
	TAILQ_FOREACH_SAFE(nsrr, nsrrsp, link, nsrr_n) {
		ns_msg msg;
		int n;

		if ((nsrr->flags & RR_NS_HAVE_V4) == 0) {
			n = do_query(statp, nsrr->name, class, ns_t_a,
				     resp, &msg);
			if (n < 0) {
				DPRINTF(
				       ("get_glue: do_query('%s', %s') failed",
					nsrr->name, p_class(class)));
				goto cleanup;
			}
			if (n > 0) {
				DPRINTF((
			"get_glue: do_query('%s', %s') CNAME or DNAME found",
					 nsrr->name, p_class(class)));
			}
			if (save_a(statp, &msg, ns_s_an, nsrr->name, class,
				   opts, nsrr) < 0) {
				DPRINTF(("get_glue: save_r('%s', %s) failed",
					 nsrr->name, p_class(class)));
				goto cleanup;
			}
		}

		if ((nsrr->flags & RR_NS_HAVE_V6) == 0) {
			n = do_query(statp, nsrr->name, class, ns_t_aaaa,
				     resp, &msg);
			if (n < 0) {
				DPRINTF(
				       ("get_glue: do_query('%s', %s') failed",
					nsrr->name, p_class(class)));
				goto cleanup;
			}
			if (n > 0) {
				DPRINTF((
			"get_glue: do_query('%s', %s') CNAME or DNAME found",
					 nsrr->name, p_class(class)));
			}
			if (save_a(statp, &msg, ns_s_an, nsrr->name, class,
				   opts, nsrr) < 0) {
				DPRINTF(("get_glue: save_r('%s', %s) failed",
					 nsrr->name, p_class(class)));
				goto cleanup;
			}
		}

		/* If it's still empty, it's just chaff. */
		if (TAILQ_EMPTY(&nsrr->addrs)) {
			DPRINTF(("get_glue: removing empty '%s' NS",
				 nsrr->name));
			free_nsrr(nsrrsp, nsrr);
		}
	}
	free(resp);
	return (0);

 cleanup:
	free(resp);
	return (-1);
}

static int
save_ns(res_state statp, ns_msg *msg, ns_sect sect,
	const char *owner, ns_class class, int opts,
	rrset_ns *nsrrsp)
{
	int i;

	for (i = 0; i < ns_msg_count(*msg, sect); i++) {
		char tname[MAXDNAME];
		const u_char *rdata;
		rr_ns *nsrr;
		ns_rr rr;

		if (ns_parserr(msg, sect, i, &rr) < 0) {
			DPRINTF(("save_ns: ns_parserr(%s, %d) failed",
				 p_section(sect, ns_o_query), i));
			return (-1);
		}
		if (ns_rr_type(rr) != ns_t_ns ||
		    ns_rr_class(rr) != class ||
		    ns_samename(ns_rr_name(rr), owner) != 1)
			continue;
		nsrr = find_ns(nsrrsp, ns_rr_name(rr));
		if (nsrr == NULL) {
			nsrr = malloc(sizeof *nsrr);
			if (nsrr == NULL) {
				DPRINTF(("save_ns: malloc failed"));
				return (-1);
			}
			rdata = ns_rr_rdata(rr);
			if (ns_name_uncompress(ns_msg_base(*msg),
					       ns_msg_end(*msg), rdata,
					       tname, sizeof tname) < 0) {
				DPRINTF(("save_ns: ns_name_uncompress failed")
					);
				free(nsrr);
				return (-1);
			}
			nsrr->name = strdup(tname);
			if (nsrr->name == NULL) {
				DPRINTF(("save_ns: strdup failed"));
				free(nsrr);
				return (-1);
			}
			TAILQ_INIT(&nsrr->addrs);
			nsrr->flags = 0;
			TAILQ_INSERT_TAIL(nsrrsp, nsrr, link);
		}
		if (save_a(statp, msg, ns_s_ar,
			   nsrr->name, class, opts, nsrr) < 0) {
			DPRINTF(("save_ns: save_r('%s', %s) failed",
				 nsrr->name, p_class(class)));
			return (-1);
		}
	}
	return (0);
}

static int
save_a(res_state statp, ns_msg *msg, ns_sect sect,
       const char *owner, ns_class class, int opts,
       rr_ns *nsrr)
{
	int i;

	for (i = 0; i < ns_msg_count(*msg, sect); i++) {
		ns_rr rr;
		rr_a *arr;

		if (ns_parserr(msg, sect, i, &rr) < 0) {
			DPRINTF(("save_a: ns_parserr(%s, %d) failed",
				 p_section(sect, ns_o_query), i));
			return (-1);
		}
		if ((ns_rr_type(rr) != ns_t_a &&
		     ns_rr_type(rr) != ns_t_aaaa) ||
		    ns_rr_class(rr) != class ||
		    ns_samename(ns_rr_name(rr), owner) != 1 ||
		    ns_rr_rdlen(rr) != NS_INADDRSZ)
			continue;
		if ((opts & RES_IPV6ONLY) != 0 && ns_rr_type(rr) != ns_t_aaaa)
			continue;
		if ((opts & RES_IPV4ONLY) != 0 && ns_rr_type(rr) != ns_t_a)
			continue;
		arr = malloc(sizeof *arr);
		if (arr == NULL) {
			DPRINTF(("save_a: malloc failed"));
			return (-1);
		}
		memset(&arr->addr, 0, sizeof(arr->addr));
		switch (ns_rr_type(rr)) {
		case ns_t_a:
			arr->addr.sin.sin_family = AF_INET;
#ifdef HAVE_SA_LEN
			arr->addr.sin.sin_len = sizeof(arr->addr.sin);
#endif
			memcpy(&arr->addr.sin.sin_addr, ns_rr_rdata(rr),
			       NS_INADDRSZ);
			arr->addr.sin.sin_port = htons(NAMESERVER_PORT);
			nsrr->flags |= RR_NS_HAVE_V4;
			break;
		case ns_t_aaaa:
			arr->addr.sin6.sin6_family = AF_INET6;
#ifdef HAVE_SA_LEN
			arr->addr.sin6.sin6_len = sizeof(arr->addr.sin6);
#endif
			memcpy(&arr->addr.sin6.sin6_addr, ns_rr_rdata(rr), 16);
			arr->addr.sin.sin_port = htons(NAMESERVER_PORT);
			nsrr->flags |= RR_NS_HAVE_V6;
			break;
		default:
			abort();
		}
		TAILQ_INSERT_TAIL(&nsrr->addrs, arr, link);
	}
	return (0);
}

static void
free_nsrrset(rrset_ns *nsrrsp) {
	rr_ns *nsrr, *tmp;

	TAILQ_FOREACH_SAFE(nsrr, nsrrsp, link, tmp)
		free_nsrr(nsrrsp, nsrr);
}

static void
free_nsrr(rrset_ns *nsrrsp, rr_ns *nsrr) {
	rr_a *arr, *n_arr;
	char *tmp;

	TAILQ_FOREACH_SAFE(arr, &nsrr->addrs, link, n_arr) {
		TAILQ_REMOVE(&nsrr->addrs, arr, link);
		free(arr);
	}
	DE_CONST(nsrr->name, tmp);
	free(tmp);
	TAILQ_REMOVE(nsrrsp, nsrr, link);
	free(nsrr);
}

static rr_ns *
find_ns(rrset_ns *nsrrsp, const char *dname) {
	rr_ns *nsrr;

	TAILQ_FOREACH(nsrr, nsrrsp, link)
		if (ns_samename(nsrr->name, dname) == 1)
			return (nsrr);
	return (NULL);
}

static int
do_query(res_state statp, const char *dname, ns_class class, ns_type qtype,
	 u_char *resp, ns_msg *msg)
{
	u_char req[NS_PACKETSZ];
	int i, n;

	n = res_nmkquery(statp, ns_o_query, dname, class, qtype,
			 NULL, 0, NULL, req, NS_PACKETSZ);
	if (n < 0) {
		DPRINTF(("do_query: res_nmkquery failed"));
		return (-1);
	}
	n = res_nsend(statp, req, n, resp, NS_MAXMSG);
	if (n < 0) {
		DPRINTF(("do_query: res_nsend failed"));
		return (-1);
	}
	if (n == 0) {
		DPRINTF(("do_query: res_nsend returned 0"));
		errno = EMSGSIZE;
		return (-1);
	}
	if (ns_initparse(resp, n, msg) < 0) {
		DPRINTF(("do_query: ns_initparse failed"));
		return (-1);
	}
	n = 0;
	for (i = 0; i < ns_msg_count(*msg, ns_s_an); i++) {
		ns_rr rr;

		if (ns_parserr(msg, ns_s_an, i, &rr) < 0) {
			DPRINTF(("do_query: ns_parserr failed"));
			return (-1);
		}
		n += (ns_rr_class(rr) == class &&
		      (ns_rr_type(rr) == ns_t_cname ||
		       ns_rr_type(rr) == ns_t_dname));
	}
	return (n);
}

static void
res_dprintf(const char *fmt, ...) {
	va_list ap;

	va_start(ap, fmt);
	fputs(";; res_findzonecut: ", stderr);
	vfprintf(stderr, fmt, ap);
	fputc('\n', stderr);
	va_end(ap);
}

/*! \file */

/*	$NetBSD: res_mkupdate.h,v 1.1.10.2 2013/06/13 04:20:30 msaitoh Exp $	*/

/*
 * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
 * Copyright (c) 1998,1999 by Internet Software Consortium.
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#ifndef _RES_MKUPDATE_H_
#define _RES_MKUPDATE_H_

__BEGIN_DECLS
__END_DECLS

#endif /* _RES_MKUPDATE_H_ */ 
/*! \file */

/*	$NetBSD: res_private.h,v 1.1.10.2 2013/06/13 04:20:30 msaitoh Exp $	*/

#ifndef res_private_h
#define res_private_h

struct __res_state_ext {
	union res_sockaddr_union nsaddrs[MAXNS];
	struct sort_list {
		int     af;
		union {
			struct in_addr  ina;
			struct in6_addr in6a;
		} addr, mask;
	} sort_list[MAXRESOLVSORT];
	char nsuffix[64];
	char nsuffix2[64];
};

extern int
res_ourserver_p(const res_state statp, const struct sockaddr *sa);

#endif

/*! \file */

/*	$NetBSD: res_sendsigned.c,v 1.1.10.2 2013/06/13 04:20:30 msaitoh Exp $	*/
#include <sys/cdefs.h>
__RCSID("$NetBSD: res_sendsigned.c,v 1.1.10.2 2013/06/13 04:20:30 msaitoh Exp $");

#include "port_before.h"
#include "fd_setsize.h"

#include <sys/types.h>
#include <sys/param.h>

#include <netinet/in.h>
#include <arpa/nameser.h>
#include <arpa/inet.h>

#include <isc/dst.h>

#include <errno.h>
#include <netdb.h>
#include <resolv.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include "port_after.h"

#include "res_debug.h"


/*% res_nsendsigned */
int
res_nsendsigned(res_state statp, const u_char *msg, int msglen,
		ns_tsig_key *key, u_char *answer, int anslen)
{
	res_state nstatp;
	DST_KEY *dstkey;
	int usingTCP = 0;
	u_char *newmsg;
	int newmsglen, bufsize, siglen;
	u_char sig[64];
	HEADER *hp;
	time_t tsig_time;
	int ret;
	int len;

	dst_init();

	nstatp = (res_state) malloc(sizeof(*statp));
	if (nstatp == NULL) {
		errno = ENOMEM;
		return (-1);
	}
	memcpy(nstatp, statp, sizeof(*statp));

	bufsize = msglen + 1024;
	newmsg = (u_char *) malloc(bufsize);
	if (newmsg == NULL) {
		free(nstatp);
		errno = ENOMEM;
		return (-1);
	}
	memcpy(newmsg, msg, msglen);
	newmsglen = msglen;

	if (ns_samename(key->alg, NS_TSIG_ALG_HMAC_MD5) != 1)
		dstkey = NULL;
	else
		dstkey = dst_buffer_to_key(key->name, KEY_HMAC_MD5,
					   NS_KEY_TYPE_AUTH_ONLY,
					   NS_KEY_PROT_ANY,
					   key->data, key->len);
	if (dstkey == NULL) {
		errno = EINVAL;
		free(nstatp);
		free(newmsg);
		return (-1);
	}

	nstatp->nscount = 1;
	siglen = sizeof(sig);
	ret = ns_sign(newmsg, &newmsglen, bufsize, NOERROR, dstkey, NULL, 0,
		      sig, &siglen, 0);
	if (ret < 0) {
		free (nstatp);
		free (newmsg);
		dst_free_key(dstkey);
		if (ret == NS_TSIG_ERROR_NO_SPACE)
			errno  = EMSGSIZE;
		else if (ret == -1)
			errno  = EINVAL;
		return (ret);
	}

	if (newmsglen > PACKETSZ || nstatp->options & RES_USEVC)
		usingTCP = 1;
	if (usingTCP == 0)
		nstatp->options |= RES_IGNTC;
	else
		nstatp->options |= RES_USEVC;
	/*
	 * Stop res_send printing the answer.
	 */
	nstatp->options &= ~RES_DEBUG;
	nstatp->pfcode &= ~RES_PRF_REPLY;

retry:

	len = res_nsend(nstatp, newmsg, newmsglen, answer, anslen);
	if (len < 0) {
		free (nstatp);
		free (newmsg);
		dst_free_key(dstkey);
		return (len);
	}

	ret = ns_verify(answer, &len, dstkey, sig, siglen,
	    NULL, NULL, &tsig_time, (nstatp->options & RES_KEEPTSIG) != 0);
	if (ret != 0) {
		Dprint((statp->options & RES_DEBUG) ||
		       ((statp->pfcode & RES_PRF_REPLY) &&
			(statp->pfcode & RES_PRF_HEAD1)),
		       (stdout, ";; got answer:\n"));

		DprintQ((statp->options & RES_DEBUG) ||
			(statp->pfcode & RES_PRF_REPLY),
			(stdout, "%s", ""),
			answer, (anslen > len) ? len : anslen);

		if (ret > 0) {
			Dprint(statp->pfcode & RES_PRF_REPLY,
			       (stdout, ";; server rejected TSIG (%s)\n",
				p_rcode(ret)));
		} else {
			Dprint(statp->pfcode & RES_PRF_REPLY,
			       (stdout, ";; TSIG invalid (%s)\n",
				p_rcode(-ret)));
		}

		free (nstatp);
		free (newmsg);
		dst_free_key(dstkey);
		if (ret == -1)
			errno = EINVAL;
		else
			errno = ENOTTY;
		return (-1);
	}

	hp = (HEADER *)(void *)answer;
	if (hp->tc && !usingTCP && (statp->options & RES_IGNTC) == 0U) {
		nstatp->options &= ~RES_IGNTC;
		usingTCP = 1;
		goto retry;
	}
	Dprint((statp->options & RES_DEBUG) ||
	       ((statp->pfcode & RES_PRF_REPLY) &&
		(statp->pfcode & RES_PRF_HEAD1)),
	       (stdout, ";; got answer:\n"));

	DprintQ((statp->options & RES_DEBUG) ||
		(statp->pfcode & RES_PRF_REPLY),
		(stdout, "%s", ""),
		answer, (anslen > len) ? len : anslen);

	Dprint(statp->pfcode & RES_PRF_REPLY, (stdout, ";; TSIG ok\n"));

	free (nstatp);
	free (newmsg);
	dst_free_key(dstkey);
	return (len);
}

/*! \file */

/*	$NetBSD: res_update.c,v 1.1.10.2 2013/06/13 04:20:30 msaitoh Exp $	*/

/*
 * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
 * Copyright (c) 1996-1999 by Internet Software Consortium.
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/*! \file
 * \brief
 * Based on the Dynamic DNS reference implementation by Viraj Bais
 * <viraj_bais@ccm.fm.intel.com>
 */
#include <sys/cdefs.h>
#if 0
static const char rcsid[] = "Id: res_update.c,v 1.13 2005/04/27 04:56:43 sra Exp ";
#else
__RCSID("$NetBSD: res_update.c,v 1.1.10.2 2013/06/13 04:20:30 msaitoh Exp $");
#endif


#include "port_before.h"

#include <sys/param.h>
#include <sys/socket.h>
#include <sys/time.h>

#include <netinet/in.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>

#include <errno.h>
#include <limits.h>
#include <netdb.h>
#include <res_update.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <isc/list.h>
#include <resolv.h>

#include "port_after.h"
#include "res_private.h"

/*%
 * Separate a linked list of records into groups so that all records
 * in a group will belong to a single zone on the nameserver.
 * Create a dynamic update packet for each zone and send it to the
 * nameservers for that zone, and await answer.
 * Abort if error occurs in updating any zone.
 * Return the number of zones updated on success, < 0 on error.
 *
 * On error, caller must deal with the unsynchronized zones
 * eg. an A record might have been successfully added to the forward
 * zone but the corresponding PTR record would be missing if error
 * was encountered while updating the reverse zone.
 */

struct zonegrp {
	char			z_origin[MAXDNAME];
	ns_class		z_class;
	union res_sockaddr_union z_nsaddrs[MAXNS];
	int			z_nscount;
	int			z_flags;
	TAILQ_HEAD(, ns_updrec)	z_rrlist;
	TAILQ_ENTRY(zonegrp)	z_link;
};

#define ZG_F_ZONESECTADDED	0x0001

/* Forward. */

static void	res_dprintf(const char *, ...) ISC_FORMAT_PRINTF(1, 2);

/* Macros. */

#define DPRINTF(x) do {\
		int save_errno = errno; \
		if ((statp->options & RES_DEBUG) != 0U) res_dprintf x; \
		errno = save_errno; \
	} while (/*CONSTCOND*/0)

/* Public. */

int
res_nupdate(res_state statp, ns_updrec *rrecp_in, ns_tsig_key *key) {
	ns_updrec *rrecp;
	u_char answer[PACKETSZ];
	u_char *packet;
	struct zonegrp *zptr, tgrp;
	TAILQ_HEAD(, zonegrp) zgrps;
	int nzones = 0, nscount = 0, n;
	union res_sockaddr_union nsaddrs[MAXNS];

	packet = malloc(NS_MAXMSG);
	if (packet == NULL) {
		DPRINTF(("malloc failed"));
		return (0);
	}
	/* Thread all of the updates onto a list of groups. */
	TAILQ_INIT(&zgrps);
	memset(&tgrp, 0, sizeof (tgrp));
	for (rrecp = rrecp_in; rrecp; rrecp = TAILQ_NEXT(rrecp, r_link)) {
		int nscnt;
		/* Find the origin for it if there is one. */
		tgrp.z_class = rrecp->r_class;
		nscnt = res_findzonecut2(statp, rrecp->r_dname, tgrp.z_class,
					 RES_EXHAUSTIVE, tgrp.z_origin,
					 sizeof tgrp.z_origin, 
					 tgrp.z_nsaddrs, MAXNS);
		if (nscnt <= 0) {
			DPRINTF(("res_findzonecut failed (%d)", nscnt));
			goto done;
		}
		tgrp.z_nscount = nscnt;
		/* Find the group for it if there is one. */
		TAILQ_FOREACH(zptr, &zgrps, z_link)
			if (ns_samename(tgrp.z_origin, zptr->z_origin) == 1 &&
			    tgrp.z_class == zptr->z_class)
				break;
		/* Make a group for it if there isn't one. */
		if (zptr == NULL) {
			zptr = malloc(sizeof *zptr);
			if (zptr == NULL) {
				DPRINTF(("malloc failed"));
				goto done;
			}
			*zptr = tgrp;
			zptr->z_flags = 0;
			TAILQ_INIT(&zptr->z_rrlist);
			TAILQ_INSERT_TAIL(&zgrps, zptr, z_link);
		}
		/* Thread this rrecp onto the right group. */
		TAILQ_INSERT_TAIL(&zptr->z_rrlist, rrecp, r_glink);
	}

	TAILQ_FOREACH(zptr, &zgrps, z_link) {
		HEADER h;
		/* Construct zone section and prepend it. */
		rrecp = res_mkupdrec(ns_s_zn, zptr->z_origin,
				     (u_int)zptr->z_class, ns_t_soa, 0);
		if (rrecp == NULL) {
			DPRINTF(("res_mkupdrec failed"));
			goto done;
		}
		TAILQ_INSERT_HEAD(&zptr->z_rrlist, rrecp, r_glink);
		zptr->z_flags |= ZG_F_ZONESECTADDED;

		/* Marshall the update message. */
		n = res_nmkupdate(statp, TAILQ_FIRST(&zptr->z_rrlist),
				  packet, NS_MAXMSG);
		DPRINTF(("res_mkupdate -> %d", n));
		if (n < 0)
			goto done;

		/* Temporarily replace the resolver's nameserver set. */
		nscount = res_getservers(statp, nsaddrs, MAXNS);
		res_setservers(statp, zptr->z_nsaddrs, zptr->z_nscount);

		/* Send the update and remember the result. */
		if (key != NULL)
			n = res_nsendsigned(statp, packet, n, key,
					    answer, (int)sizeof answer);
		else
			n = res_nsend(statp, packet, n, answer,
				      (int)sizeof answer);
		if (n < 0) {
			DPRINTF(("res_nsend: send error, n=%d (%s)\n",
				 n, strerror(errno)));
			goto done;
		}
		memcpy(&h, answer, sizeof(h));
		if (h.rcode == NOERROR)
			nzones++;

		/* Restore resolver's nameserver set. */
		res_setservers(statp, nsaddrs, nscount);
		nscount = 0;
	}
 done:
	while (!TAILQ_EMPTY(&zgrps)) {
		zptr = TAILQ_FIRST(&zgrps);
		if ((zptr->z_flags & ZG_F_ZONESECTADDED) != 0)
			res_freeupdrec(TAILQ_FIRST(&zptr->z_rrlist));
		TAILQ_REMOVE(&zgrps, zptr, z_link);
		free(zptr);
	}
	if (nscount != 0)
		res_setservers(statp, nsaddrs, nscount);

	free(packet);
	return (nzones);
}

/* Private. */

static void
res_dprintf(const char *fmt, ...) {
	va_list ap;

	va_start(ap, fmt);
	fputs(";; res_nupdate: ", stderr);
	vfprintf(stderr, fmt, ap);
	fputc('\n', stderr);
	va_end(ap);
}

/*	$NetBSD: support.c,v 1.1.10.2 2013/06/13 04:20:30 msaitoh Exp $	*/

/*
 * Portions Copyright (c) 1995-1998 by Trusted Information Systems, Inc.
 *
 * Permission to use, copy modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND TRUSTED INFORMATION SYSTEMS
 * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL
 * TRUSTED INFORMATION SYSTEMS BE LIABLE FOR ANY SPECIAL, DIRECT,
 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
 * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
 * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 * WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
 */
#include <sys/cdefs.h>
#if 0
static const char rcsid[] = "Header: /proj/cvs/prod/libbind/dst/support.c,v 1.6 2005/10/11 00:10:13 marka Exp ";
#else
__RCSID("$NetBSD: support.c,v 1.1.10.2 2013/06/13 04:20:30 msaitoh Exp $");
#endif

#include "port_before.h"

#include <stdio.h>
#include <unistd.h>
#include <memory.h>
#include <string.h>
#include <errno.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>

#include "dst_internal.h"

#include "port_after.h"

/*%
 * dst_s_verify_str()
 *     Validate that the input string(*str) is at the head of the input
 *     buffer(**buf).  If so, move the buffer head pointer (*buf) to
 *     the first byte of data following the string(*str).
 * Parameters
 *     buf     Input buffer.
 *     str     Input string.
 * Return
 *	0       *str is not the head of **buff
 *	1       *str is the head of **buff, *buf is is advanced to
 *	the tail of **buf.
 */

int
dst_s_verify_str(const char **buf, const char *str)
{
	size_t b, s;
	if (*buf == NULL)	/*%< error checks */
		return (0);
	if (str == NULL || *str == '\0')
		return (1);

	b = strlen(*buf);	/*%< get length of strings */
	s = strlen(str);
	if (s > b || strncmp(*buf, str, s))	/*%< check if same */
		return (0);	/*%< not a match */
	(*buf) += s;		/*%< advance pointer */
	return (1);
}

/*%
 * dst_s_calculate_bits
 *     Given a binary number represented in a u_char[], determine
 *     the number of significant bits used.
 * Parameters
 *     str       An input character string containing a binary number.
 *     max_bits The maximum possible significant bits.
 * Return
 *     N       The number of significant bits in str.
 */

int
dst_s_calculate_bits(const u_char *str, const int max_bits)
{
	const u_char *p = str;
	u_char i, j = 0x80;
	int bits;
	for (bits = max_bits; *p == 0x00 && bits > 0; p++)
		bits -= 8;
	for (i = *p; (i & j) != j; j >>= 1)
		bits--;
	return (bits);
}

/*%
 * calculates a checksum used in dst for an id.
 * takes an array of bytes and a length.
 * returns a 16  bit checksum.
 */
u_int16_t
dst_s_id_calc(const u_char *key, const int keysize)
{
	u_int32_t ac;
	const u_char *kp = key;
	int size = keysize;

	if (!key || (keysize <= 0))
		return (0xffffU);
 
	for (ac = 0; size > 1; size -= 2, kp += 2)
		ac += ((*kp) << 8) + *(kp + 1);

	if (size > 0)
		ac += ((*kp) << 8);
	ac += (ac >> 16) & 0xffff;

	return (ac & 0xffff);
}

/*%
 * dst_s_dns_key_id() Function to calculate DNSSEC footprint from KEY record
 *   rdata
 * Input:
 *	dns_key_rdata: the raw data in wire format 
 *      rdata_len: the size of the input data 
 * Output:
 *      the key footprint/id calculated from the key data 
 */ 
u_int16_t
dst_s_dns_key_id(const u_char *dns_key_rdata, const int rdata_len)
{
	if (!dns_key_rdata)
		return 0;

	/* compute id */
	if (dns_key_rdata[3] == KEY_RSA)	/*%< Algorithm RSA */
		return dst_s_get_int16((const u_char *)
				       &dns_key_rdata[rdata_len - 3]);
	else if (dns_key_rdata[3] == KEY_HMAC_MD5)
		/* compatibility */
		return 0;
	else
		/* compute a checksum on the key part of the key rr */
		return dst_s_id_calc(dns_key_rdata, rdata_len);
}

/*%
 * dst_s_get_int16
 *     This routine extracts a 16 bit integer from a two byte character
 *     string.  The character string is assumed to be in network byte
 *     order and may be unaligned.  The number returned is in host order.
 * Parameter
 *     buf     A two byte character string.
 * Return
 *     The converted integer value.
 */

u_int16_t
dst_s_get_int16(const u_char *buf)
{
	register u_int16_t a = 0;
	a = ((u_int16_t)(buf[0] << 8)) | ((u_int16_t)(buf[1]));
	return (a);
}

/*%
 * dst_s_get_int32
 *     This routine extracts a 32 bit integer from a four byte character
 *     string.  The character string is assumed to be in network byte
 *     order and may be unaligned.  The number returned is in host order.
 * Parameter
 *     buf     A four byte character string.
 * Return
 *     The converted integer value.
 */

u_int32_t
dst_s_get_int32(const u_char *buf)
{
	register u_int32_t a = 0;
	a = ((u_int32_t)(buf[0] << 24)) | ((u_int32_t)(buf[1] << 16)) |
		((u_int32_t)(buf[2] << 8)) | ((u_int32_t)(buf[3]));
	return (a);
}

/*%
 * dst_s_put_int16
 *     Take a 16 bit integer and store the value in a two byte
 *     character string.  The integer is assumed to be in network
 *     order and the string is returned in host order.
 *
 * Parameters
 *     buf     Storage for a two byte character string.
 *     val     16 bit integer.
 */

void
dst_s_put_int16(u_int8_t *buf, const u_int16_t val)
{
	buf[0] = (u_int8_t)((uint32_t)val >> 8);
	buf[1] = (u_int8_t)(val);
}

/*%
 * dst_s_put_int32
 *     Take a 32 bit integer and store the value in a four byte
 *     character string.  The integer is assumed to be in network
 *     order and the string is returned in host order.
 *
 * Parameters
 *     buf     Storage for a four byte character string.
 *     val     32 bit integer.
 */

void
dst_s_put_int32(u_int8_t *buf, const u_int32_t val)
{
	buf[0] = (u_int8_t)(val >> 24);
	buf[1] = (u_int8_t)(val >> 16);
	buf[2] = (u_int8_t)(val >> 8);
	buf[3] = (u_int8_t)(val);
}

/*%
 *  dst_s_filename_length
 *
 *	This function returns the number of bytes needed to hold the
 *	filename for a key file.  '/', '\' and ':' are not allowed.
 *	form:  K&lt;keyname&gt;+&lt;alg&gt;+&lt;id&gt;.&lt;suffix&gt;
 *
 *	Returns 0 if the filename would contain either '\', '/' or ':'
 */
size_t
dst_s_filename_length(const char *name, const char *suffix)
{
	if (name == NULL)
		return (0);
	if (strrchr(name, '\\'))
		return (0);
	if (strrchr(name, '/'))
		return (0);
	if (strrchr(name, ':'))
		return (0);
	if (suffix == NULL)
		return (0);
	if (strrchr(suffix, '\\'))
		return (0);
	if (strrchr(suffix, '/'))
		return (0);
	if (strrchr(suffix, ':'))
		return (0);
	return (1 + strlen(name) + 6 + strlen(suffix));
}

/*%
 *  dst_s_build_filename ()
 *	Builds a key filename from the key name, it's id, and a
 *	suffix.  '\', '/' and ':' are not allowed. fA filename is of the
 *	form:  K&lt;keyname&gt;&lt;id&gt;.&lt;suffix&gt;
 *	form: K&lt;keyname&gt;+&lt;alg&gt;+&lt;id&gt;.&lt;suffix&gt;
 *
 *	Returns -1 if the conversion fails:
 *	  if the filename would be too long for space allotted
 *	  if the filename would contain a '\', '/' or ':'
 *	Returns 0 on success
 */

int
dst_s_build_filename(char *filename, const char *name, u_int16_t id,
		     int alg, const char *suffix, size_t filename_length)
{
	u_int32_t my_id;
	if (filename == NULL)
		return (-1);
	memset(filename, 0, filename_length);
	if (name == NULL)
		return (-1);
	if (suffix == NULL)
		return (-1);
	if (filename_length < 1 + strlen(name) + 4 + 6 + 1 + strlen(suffix))
		return (-1);
	my_id = id;
	sprintf(filename, "K%s+%03d+%05d.%s", name, alg, my_id,
		(const char *) suffix);
	if (strrchr(filename, '/'))
		return (-1);
	if (strrchr(filename, '\\'))
		return (-1);
	if (strrchr(filename, ':'))
		return (-1);
	return (0);
}

/*%
 *  dst_s_fopen ()
 *     Open a file in the dst_path directory.  If perm is specified, the
 *     file is checked for existence first, and not opened if it exists.
 *  Parameters
 *     filename  File to open
 *     mode       Mode to open the file (passed directly to fopen)
 *     perm       File permission, if creating a new file.
 *  Returns
 *     NULL       Failure
 *     NON-NULL  (FILE *) of opened file.
 */
FILE *
dst_s_fopen(const char *filename, const char *mode, int perm)
{
	FILE *fp;
	char pathname[PATH_MAX];

	if (strlen(filename) + strlen(dst_path) >= sizeof(pathname))
		return (NULL);

	if (*dst_path != '\0') {
		strcpy(pathname, dst_path);
		strcat(pathname, filename);
	} else
		strcpy(pathname, filename);
	
	fp = fopen(pathname, mode);
	if (perm)
		chmod(pathname, (mode_t)perm);
	return (fp);
}

void
dst_s_dump(const int mode, const u_char *data, const int size, 
	    const char *msg)
{
	UNUSED(data);

	if (size > 0) {
#ifdef LONG_TEST
		static u_char scratch[1000];
		int n ;
		n = b64_ntop(data, scratch, size, sizeof(scratch));
		printf("%s: %x %d %s\n", msg, mode, n, scratch);
#else
		printf("%s,%x %d\n", msg, mode, size);
#endif
	}
}

/*! \file */

/*	$NetBSD: res_mkupdate.c,v 1.2.8.2 2013/06/13 04:20:30 msaitoh Exp $	*/

/*
 * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
 * Copyright (c) 1996-1999 by Internet Software Consortium.
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/*! \file
 * \brief
 * Based on the Dynamic DNS reference implementation by Viraj Bais
 * <viraj_bais@ccm.fm.intel.com>
 */
#include <sys/cdefs.h>
#if 0
static const char rcsid[] = "Id: res_mkupdate.c,v 1.10 2008/12/11 09:59:00 marka Exp ";
#else
__RCSID("$NetBSD: res_mkupdate.c,v 1.2.8.2 2013/06/13 04:20:30 msaitoh Exp $");
#endif

#include "port_before.h"

#include <sys/types.h>
#include <sys/param.h>

#include <netinet/in.h>
#include <arpa/nameser.h>
#include <arpa/inet.h>

#include <errno.h>
#include <limits.h>
#include <netdb.h>
#include <resolv.h>
#include <res_update.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <ctype.h>

#include "port_after.h"

/* Options.  Leave them on. */
#define MAXPORT 1024

static int getnum_str(u_char **, u_char *);
static int gethexnum_str(u_char **, u_char *);
static int getword_str(char *, size_t, u_char **, u_char *);
static int getstr_str(char *, size_t, u_char **, u_char *);

#define ShrinkBuffer(x)  if ((buflen -= x) < 0) return (-2);

/* Forward. */

int res_protocolnumber(const char *);
int res_servicenumber(const char *);

/*%
 * Form update packets.
 * Returns the size of the resulting packet if no error
 *
 * On error,
 *	returns 
 *\li              -1 if error in reading a word/number in rdata
 *		   portion for update packets
 *\li		-2 if length of buffer passed is insufficient
 *\li		-3 if zone section is not the first section in
 *		   the linked list, or section order has a problem
 *\li		-4 on a number overflow
 *\li		-5 unknown operation or no records
 */
int
res_nmkupdate(res_state statp, ns_updrec *rrecp_in, u_char *buf, int buflen) {
	ns_updrec *rrecp_start = rrecp_in;
	HEADER *hp;
	u_char *cp, *sp2, *startp, *endp;
	int n, i, soanum, multiline;
	ns_updrec *rrecp;
	struct in_addr ina;
	struct in6_addr in6a;
        char buf2[MAXDNAME];
	u_char buf3[MAXDNAME];
	int section, numrrs = 0, counts[ns_s_max];
	u_int16_t rtype, rclass;
	u_int32_t n1, rttl;
	u_char *dnptrs[20], **dpp, **lastdnptr;
	int siglen, keylen, certlen;

	/*
	 * Initialize header fields.
	 */
	if ((buf == NULL) || (buflen < HFIXEDSZ))
		return (-1);
	memset(buf, 0, HFIXEDSZ);
	hp = (void *)buf;
	statp->id = res_nrandomid(statp);
	hp->id = htons(statp->id);
	hp->opcode = ns_o_update;
	hp->rcode = NOERROR;
	cp = buf + HFIXEDSZ;
	buflen -= HFIXEDSZ;
	dpp = dnptrs;
	*dpp++ = buf;
	*dpp++ = NULL;
	lastdnptr = dnptrs + sizeof dnptrs / sizeof dnptrs[0];

	if (rrecp_start == NULL)
		return (-5);
	else if (rrecp_start->r_section != S_ZONE)
		return (-3);

	memset(counts, 0, sizeof counts);
	for (rrecp = rrecp_start; rrecp; rrecp = TAILQ_NEXT(rrecp, r_glink)) {
		numrrs++;
                section = rrecp->r_section;
		if (section < 0 || section >= ns_s_max)
			return (-1);
		counts[section]++;
		for (i = section + 1; i < ns_s_max; i++)
			if (counts[i])
				return (-3);
		rtype = rrecp->r_type;
		rclass = rrecp->r_class;
		rttl = rrecp->r_ttl;
		/* overload class and type */
		if (section == S_PREREQ) {
			rttl = 0;
			switch (rrecp->r_opcode) {
			case YXDOMAIN:
				rclass = C_ANY;
				rtype = T_ANY;
				rrecp->r_size = 0;
				break;
			case NXDOMAIN:
				rclass = C_NONE;
				rtype = T_ANY;
				rrecp->r_size = 0;
				break;
			case NXRRSET:
				rclass = C_NONE;
				rrecp->r_size = 0;
				break;
			case YXRRSET:
				if (rrecp->r_size == 0)
					rclass = C_ANY;
				break;
			default:
				fprintf(stderr,
					"res_mkupdate: incorrect opcode: %d\n",
					rrecp->r_opcode);
				fflush(stderr);
				return (-1);
			}
		} else if (section == S_UPDATE) {
			switch (rrecp->r_opcode) {
			case DELETE:
				rclass = rrecp->r_size == 0 ? C_ANY : C_NONE;
				break;
			case ADD:
				break;
			default:
				fprintf(stderr,
					"res_mkupdate: incorrect opcode: %d\n",
					rrecp->r_opcode);
				fflush(stderr);
				return (-1);
			}
		}

		/*
		 * XXX	appending default domain to owner name is omitted,
		 *	fqdn must be provided
		 */
		if ((n = dn_comp(rrecp->r_dname, cp, buflen, dnptrs,
				 lastdnptr)) < 0)
			return (-1);
		cp += n;
		ShrinkBuffer(n + 2*INT16SZ);
		PUTSHORT(rtype, cp);
		PUTSHORT(rclass, cp);
		if (section == S_ZONE) {
			if (numrrs != 1 || rrecp->r_type != T_SOA)
				return (-3);
			continue;
		}
		ShrinkBuffer(INT32SZ + INT16SZ);
		PUTLONG(rttl, cp);
		sp2 = cp;  /*%< save pointer to length byte */
		cp += INT16SZ;
		if (rrecp->r_size == 0) {
			if (section == S_UPDATE && rclass != C_ANY)
				return (-1);
			else {
				PUTSHORT(0, sp2);
				continue;
			}
		}
		startp = rrecp->r_data;
		endp = startp + rrecp->r_size - 1;
		/* XXX this should be done centrally. */
		switch (rrecp->r_type) {
		case T_A:
			if (!getword_str(buf2, sizeof buf2, &startp, endp))
				return (-1);
			if (!inet_aton(buf2, &ina))
				return (-1);
			n1 = ntohl(ina.s_addr);
			ShrinkBuffer(INT32SZ);
			PUTLONG(n1, cp);
			break;
		case T_CNAME:
		case T_MB:
		case T_MG:
		case T_MR:
		case T_NS:
		case T_PTR:
		case ns_t_dname:
			if (!getword_str(buf2, sizeof buf2, &startp, endp))
				return (-1);
			n = dn_comp(buf2, cp, buflen, dnptrs, lastdnptr);
			if (n < 0)
				return (-1);
			cp += n;
			ShrinkBuffer(n);
			break;
		case T_MINFO:
		case T_SOA:
		case T_RP:
			for (i = 0; i < 2; i++) {
				if (!getword_str(buf2, sizeof buf2, &startp,
						 endp))
				return (-1);
				n = dn_comp(buf2, cp, buflen,
					    dnptrs, lastdnptr);
				if (n < 0)
					return (-1);
				cp += n;
				ShrinkBuffer(n);
			}
			if (rrecp->r_type == T_SOA) {
				ShrinkBuffer(5 * INT32SZ);
				while (isspace(*startp) || !*startp)
					startp++;
				if (*startp == '(') {
					multiline = 1;
					startp++;
				} else
					multiline = 0;
				/* serial, refresh, retry, expire, minimum */
				for (i = 0; i < 5; i++) {
					soanum = getnum_str(&startp, endp);
					if (soanum < 0)
						return (-1);
					PUTLONG(soanum, cp);
				}
				if (multiline) {
					while (isspace(*startp) || !*startp)
						startp++;
					if (*startp != ')')
						return (-1);
				}
			}
			break;
		case T_MX:
		case T_AFSDB:
		case T_RT:
			n = getnum_str(&startp, endp);
			if (n < 0)
				return (-1);
			ShrinkBuffer(INT16SZ);
			PUTSHORT(n, cp);
			if (!getword_str(buf2, sizeof buf2, &startp, endp))
				return (-1);
			n = dn_comp(buf2, cp, buflen, dnptrs, lastdnptr);
			if (n < 0)
				return (-1);
			cp += n;
			ShrinkBuffer(n);
			break;
		case T_SRV:
			n = getnum_str(&startp, endp);
			if (n < 0)
				return (-1);
			ShrinkBuffer(INT16SZ);
			PUTSHORT(n, cp);

			n = getnum_str(&startp, endp);
			if (n < 0)
				return (-1);
			ShrinkBuffer(INT16SZ);
			PUTSHORT(n, cp);

			n = getnum_str(&startp, endp);
			if (n < 0)
				return (-1);
			ShrinkBuffer(INT16SZ);
			PUTSHORT(n, cp);

			if (!getword_str(buf2, sizeof buf2, &startp, endp))
				return (-1);
			n = dn_comp(buf2, cp, buflen, NULL, NULL);
			if (n < 0)
				return (-1);
			cp += n;
			ShrinkBuffer(n);
			break;
		case T_PX:
			n = getnum_str(&startp, endp);
			if (n < 0)
				return (-1);
			PUTSHORT(n, cp);
			ShrinkBuffer(INT16SZ);
			for (i = 0; i < 2; i++) {
				if (!getword_str(buf2, sizeof buf2, &startp,
						 endp))
					return (-1);
				n = dn_comp(buf2, cp, buflen, dnptrs,
					    lastdnptr);
				if (n < 0)
					return (-1);
				cp += n;
				ShrinkBuffer(n);
			}
			break;
		case T_WKS: {
			char bm[MAXPORT/8];
			unsigned int maxbm = 0;

			if (!getword_str(buf2, sizeof buf2, &startp, endp))
				return (-1);
			if (!inet_aton(buf2, &ina))
				return (-1);
			n1 = ntohl(ina.s_addr);
			ShrinkBuffer(INT32SZ);
			PUTLONG(n1, cp);

			if (!getword_str(buf2, sizeof buf2, &startp, endp))
				return (-1);
			if ((i = res_protocolnumber(buf2)) < 0)
				return (-1);
			ShrinkBuffer(1);
			*cp++ = i & 0xff;
			 
			for (i = 0; i < MAXPORT/8 ; i++)
				bm[i] = 0;

			while (getword_str(buf2, sizeof buf2, &startp, endp)) {
				if ((n = res_servicenumber(buf2)) <= 0)
					return (-1);

				if (n < MAXPORT) {
					bm[n/8] |= (0x80>>(n%8));
					if ((unsigned)n > maxbm)
						maxbm = n;
				} else
					return (-1);
			}
			maxbm = maxbm/8 + 1;
			ShrinkBuffer(maxbm);
			memcpy(cp, bm, maxbm);
			cp += maxbm;
			break;
		}
		case T_HINFO:
			for (i = 0; i < 2; i++) {
				if ((n = getstr_str(buf2, sizeof buf2,
						&startp, endp)) < 0)
					return (-1);
				if (n > 255)
					return (-1);
				ShrinkBuffer(n+1);
				*cp++ = n;
				memcpy(cp, buf2, n);
				cp += n;
			}
			break;
		case T_TXT:
			for (;;) {
				if ((n = getstr_str(buf2, sizeof buf2,
						&startp, endp)) < 0) {
					if (cp != (sp2 + INT16SZ))
						break;
					return (-1);
				}
				if (n > 255)
					return (-1);
				ShrinkBuffer(n+1);
				*cp++ = n;
				memcpy(cp, buf2, n);
				cp += n;
			}
			break;
		case T_X25:
			/* RFC1183 */
			if ((n = getstr_str(buf2, sizeof buf2, &startp,
					 endp)) < 0)
				return (-1);
			if (n > 255)
				return (-1);
			ShrinkBuffer(n+1);
			*cp++ = n;
			memcpy(cp, buf2, n);
			cp += n;
			break;
		case T_ISDN:
			/* RFC1183 */
			if ((n = getstr_str(buf2, sizeof buf2, &startp,
					 endp)) < 0)
				return (-1);
			if ((n > 255) || (n == 0))
				return (-1);
			ShrinkBuffer(n+1);
			*cp++ = n;
			memcpy(cp, buf2, n);
			cp += n;
			if ((n = getstr_str(buf2, sizeof buf2, &startp,
					 endp)) < 0)
				n = 0;
			if (n > 255)
				return (-1);
			ShrinkBuffer(n+1);
			*cp++ = n;
			memcpy(cp, buf2, n);
			cp += n;
			break;
		case T_NSAP:
			if ((n = inet_nsap_addr((char *)startp, (u_char *)buf2,
						(int)sizeof(buf2))) != 0) {
				ShrinkBuffer(n);
				memcpy(cp, buf2, n);
				cp += n;
			} else {
				return (-1);
			}
			break;
		case T_LOC:
			if ((n = loc_aton((char *)startp, (u_char *)buf2)) != 0) {
				ShrinkBuffer(n);
				memcpy(cp, buf2, n);
				cp += n;
			} else
				return (-1);
			break;
		case ns_t_sig:
		    {
			int sig_type, success, dateerror;
			u_int32_t exptime, timesigned;

			/* type */
			if ((n = getword_str(buf2, sizeof buf2,
					     &startp, endp)) < 0)
				return (-1);
			sig_type = sym_ston(__p_type_syms, buf2, &success);
			if (!success || sig_type == ns_t_any)
				return (-1);
			ShrinkBuffer(INT16SZ);
			PUTSHORT(sig_type, cp);
			/* alg */
			n = getnum_str(&startp, endp);
			if (n < 0)
				return (-1);
			ShrinkBuffer(1);
			*cp++ = n;
			/* labels */
			n = getnum_str(&startp, endp);
			if (n <= 0 || n > 255)
				return (-1);
			ShrinkBuffer(1);
			*cp++ = n;
			/* ottl  & expire */
			if (!getword_str(buf2, sizeof buf2, &startp, endp))
				return (-1);
			exptime = ns_datetosecs(buf2, &dateerror);
			if (!dateerror) {
				ShrinkBuffer(INT32SZ);
				PUTLONG(rttl, cp);
			}
			else {
				char *ulendp;
				u_int32_t ottl;
				unsigned long ul;

				errno = 0;
				ul = strtoul(buf2, &ulendp, 10);
				if (ul > 0xffffffffU)
					errno = ERANGE;
				ottl = (u_int32_t)ul;
				if (errno != 0 ||
				    (ulendp != NULL && *ulendp != '\0'))
					return (-1);
				ShrinkBuffer(INT32SZ);
				PUTLONG(ottl, cp);
				if (!getword_str(buf2, sizeof buf2, &startp,
						 endp))
					return (-1);
				exptime = ns_datetosecs(buf2, &dateerror);
				if (dateerror)
					return (-1);
			}
			/* expire */
			ShrinkBuffer(INT32SZ);
			PUTLONG(exptime, cp);
			/* timesigned */
			if (!getword_str(buf2, sizeof buf2, &startp, endp))
				return (-1);
			timesigned = ns_datetosecs(buf2, &dateerror);
			if (!dateerror) {
				ShrinkBuffer(INT32SZ);
				PUTLONG(timesigned, cp);
			}
			else
				return (-1);
			/* footprint */
			n = getnum_str(&startp, endp);
			if (n < 0)
				return (-1);
			ShrinkBuffer(INT16SZ);
			PUTSHORT(n, cp);
			/* signer name */
			if (!getword_str(buf2, sizeof buf2, &startp, endp))
				return (-1);
			n = dn_comp(buf2, cp, buflen, dnptrs, lastdnptr);
			if (n < 0)
				return (-1);
			cp += n;
			ShrinkBuffer(n);
			/* sig */
			if ((n = getword_str(buf2, sizeof buf2,
					     &startp, endp)) < 0)
				return (-1);
			siglen = b64_pton(buf2, buf3, sizeof(buf3));
			if (siglen < 0)
				return (-1);
			ShrinkBuffer(siglen);
			memcpy(cp, buf3, siglen);
			cp += siglen;
			break;
		    }
		case ns_t_key:
			/* flags */
			n = gethexnum_str(&startp, endp);
			if (n < 0)
				return (-1);
			ShrinkBuffer(INT16SZ);
			PUTSHORT(n, cp);
			/* proto */
			n = getnum_str(&startp, endp);
			if (n < 0)
				return (-1);
			ShrinkBuffer(1);
			*cp++ = n;
			/* alg */
			n = getnum_str(&startp, endp);
			if (n < 0)
				return (-1);
			ShrinkBuffer(1);
			*cp++ = n;
			/* key */
			if ((n = getword_str(buf2, sizeof buf2,
					     &startp, endp)) < 0)
				return (-1);
			keylen = b64_pton(buf2, buf3, sizeof(buf3));
			if (keylen < 0)
				return (-1);
			ShrinkBuffer(keylen);
			memcpy(cp, buf3, keylen);
			cp += keylen;
			break;
		case ns_t_nxt:
		    {
			int success, nxt_type;
			u_char data[32];
			int maxtype;

			/* next name */
			if (!getword_str(buf2, sizeof buf2, &startp, endp))
				return (-1);
			n = dn_comp(buf2, cp, buflen, NULL, NULL);
			if (n < 0)
				return (-1);
			cp += n;
			ShrinkBuffer(n);
			maxtype = 0;
			memset(data, 0, sizeof data);
			for (;;) {
				if (!getword_str(buf2, sizeof buf2, &startp,
						 endp))
					break;
				nxt_type = sym_ston(__p_type_syms, buf2,
						    &success);
				if (!success || !ns_t_rr_p(nxt_type))
					return (-1);
				NS_NXT_BIT_SET(nxt_type, data);
				if (nxt_type > maxtype)
					maxtype = nxt_type;
			}
			n = maxtype/NS_NXT_BITS+1;
			ShrinkBuffer(n);
			memcpy(cp, data, n);
			cp += n;
			break;
		    }
		case ns_t_cert:
			/* type */
			n = getnum_str(&startp, endp);
			if (n < 0)
				return (-1);
			ShrinkBuffer(INT16SZ);
			PUTSHORT(n, cp);
			/* key tag */
			n = getnum_str(&startp, endp);
			if (n < 0)
				return (-1);
			ShrinkBuffer(INT16SZ);
			PUTSHORT(n, cp);
			/* alg */
			n = getnum_str(&startp, endp);
			if (n < 0)
				return (-1);
			ShrinkBuffer(1);
			*cp++ = n;
			/* cert */
			if ((n = getword_str(buf2, sizeof buf2,
					     &startp, endp)) < 0)
				return (-1);
			certlen = b64_pton(buf2, buf3, sizeof(buf3));
			if (certlen < 0)
				return (-1);
			ShrinkBuffer(certlen);
			memcpy(cp, buf3, certlen);
			cp += certlen;
			break;
		case ns_t_aaaa:
			if (!getword_str(buf2, sizeof buf2, &startp, endp))
				return (-1);
			if (inet_pton(AF_INET6, buf2, &in6a) <= 0)
				return (-1);
			ShrinkBuffer(NS_IN6ADDRSZ);
			memcpy(cp, &in6a, NS_IN6ADDRSZ);
			cp += NS_IN6ADDRSZ;
			break;
		case ns_t_naptr:
			/* Order Preference Flags Service Replacement Regexp */
			/* Order */
			n = getnum_str(&startp, endp);
			if (n < 0 || n > 65535)
				return (-1);
			ShrinkBuffer(INT16SZ);
			PUTSHORT(n, cp);
			/* Preference */
			n = getnum_str(&startp, endp);
			if (n < 0 || n > 65535)
				return (-1);
			ShrinkBuffer(INT16SZ);
			PUTSHORT(n, cp);
			/* Flags */
			if ((n = getstr_str(buf2, sizeof buf2,
					&startp, endp)) < 0) {
				return (-1);
			}
			if (n > 255)
				return (-1);
			ShrinkBuffer(n+1);
			*cp++ = n;
			memcpy(cp, buf2, n);
			cp += n;
			/* Service Classes */
			if ((n = getstr_str(buf2, sizeof buf2,
					&startp, endp)) < 0) {
				return (-1);
			}
			if (n > 255)
				return (-1);
			ShrinkBuffer(n+1);
			*cp++ = n;
			memcpy(cp, buf2, n);
			cp += n;
			/* Pattern */
			if ((n = getstr_str(buf2, sizeof buf2,
					&startp, endp)) < 0) {
				return (-1);
			}
			if (n > 255)
				return (-1);
			ShrinkBuffer(n+1);
			*cp++ = n;
			memcpy(cp, buf2, n);
			cp += n;
			/* Replacement */
			if (!getword_str(buf2, sizeof buf2, &startp, endp))
				return (-1);
			n = dn_comp(buf2, cp, buflen, NULL, NULL);
			if (n < 0)
				return (-1);
			cp += n;
			ShrinkBuffer(n);
			break;
		default:
			return (-1);
		} /*switch*/
		n = (u_int16_t)((cp - sp2) - INT16SZ);
		PUTSHORT(n, sp2);
	} /*for*/
		
	hp->qdcount = htons(counts[0]);
	hp->ancount = htons(counts[1]);
	hp->nscount = htons(counts[2]);
	hp->arcount = htons(counts[3]);
	return (int)(cp - buf);
}

/*%
 * Get a whitespace delimited word from a string (not file)
 * into buf. modify the start pointer to point after the
 * word in the string.
 */
static int
getword_str(char *buf, size_t size, u_char **startpp, u_char *endp) {
        char *cp;
        int c;
 
        for (cp = buf; *startpp <= endp; ) {
                c = **startpp;
                if (isspace(c) || c == '\0') {
                        if (cp != buf) /*%< trailing whitespace */
                                break;
                        else { /*%< leading whitespace */
                                (*startpp)++;
                                continue;
                        }
                }
                (*startpp)++;
                if (cp >= buf+size-1)
                        break;
                *cp++ = (u_char)c;
        }
        *cp = '\0';
        return (cp != buf);
}

/*%
 * get a white spae delimited string from memory.  Process quoted strings
 * and \\DDD escapes.  Return length or -1 on error.  Returned string may
 * contain nulls.
 */
static char digits[] = "0123456789";
static int
getstr_str(char *buf, size_t size, u_char **startpp, u_char *endp) {
        char *cp;
        int c, c1 = 0;
	int inquote = 0;
	int seen_quote = 0;
	int escape = 0;
	int dig = 0;
 
	for (cp = buf; *startpp <= endp; ) {
                if ((c = **startpp) == '\0')
			break;
		/* leading white space */
		if ((cp == buf) && !seen_quote && isspace(c)) {
			(*startpp)++;
			continue;
		}

		switch (c) {
		case '\\':
			if (!escape)  {
				escape = 1;
				dig = 0;
				c1 = 0;
				(*startpp)++;
				continue;
			} 
			goto do_escape;
		case '"':
			if (!escape) {
				inquote = !inquote;
				seen_quote = 1;
				(*startpp)++;
				continue;
			}
			/*FALLTHROUGH*/
		default:
		do_escape:
			if (escape) {
				switch (c) {
				case '0':
				case '1':
				case '2':
				case '3':
				case '4':
				case '5':
				case '6':
				case '7':
				case '8':
				case '9':
					c1 = c1 * 10 + 
					    (int)(strchr(digits, c) - digits);

					if (++dig == 3) {
						c = c1 &0xff;
						break;
					}
					(*startpp)++;
					continue;
				}
				escape = 0;
			} else if (!inquote && isspace(c))
				goto done;
			if (cp >= buf+size-1)
				goto done;
			*cp++ = (u_char)c;
			(*startpp)++;
		}
	}
 done:
	*cp = '\0';
	return ((cp == buf)?  (seen_quote? 0: -1): (int)(cp - buf));
}

/*%
 * Get a whitespace delimited base 16 number from a string (not file) into buf
 * update the start pointer to point after the number in the string.
 */
static int
gethexnum_str(u_char **startpp, u_char *endp) {
        int c, n;
        int seendigit = 0;
        int m = 0;

	if (*startpp + 2 >= endp || strncasecmp((char *)*startpp, "0x", 2) != 0)
		return getnum_str(startpp, endp);
	(*startpp)+=2;
        for (n = 0; *startpp <= endp; ) {
                c = **startpp;
                if (isspace(c) || c == '\0') {
                        if (seendigit) /*%< trailing whitespace */
                                break;
                        else { /*%< leading whitespace */
                                (*startpp)++;
                                continue;
                        }
                }
                if (c == ';') {
                        while ((*startpp <= endp) &&
			       ((c = **startpp) != '\n'))
					(*startpp)++;
                        if (seendigit)
                                break;
                        continue;
                }
                if (!isxdigit(c)) {
                        if (c == ')' && seendigit) {
                                (*startpp)--;
                                break;
                        }
			return (-1);
                }        
                (*startpp)++;
		if (isdigit(c))
	                n = n * 16 + (c - '0');
		else
			n = n * 16 + (tolower(c) - 'a' + 10);
                seendigit = 1;
        }
        return (n + m);
}

/*%
 * Get a whitespace delimited base 10 number from a string (not file) into buf
 * update the start pointer to point after the number in the string.
 */
static int
getnum_str(u_char **startpp, u_char *endp) {
        int c, n;
        int seendigit = 0;
        int m = 0;

        for (n = 0; *startpp <= endp; ) {
                c = **startpp;
                if (isspace(c) || c == '\0') {
                        if (seendigit) /*%< trailing whitespace */
                                break;
                        else { /*%< leading whitespace */
                                (*startpp)++;
                                continue;
                        }
                }
                if (c == ';') {
                        while ((*startpp <= endp) &&
			       ((c = **startpp) != '\n'))
					(*startpp)++;
                        if (seendigit)
                                break;
                        continue;
                }
                if (!isdigit(c)) {
                        if (c == ')' && seendigit) {
                                (*startpp)--;
                                break;
                        }
			return (-1);
                }        
                (*startpp)++;
                n = n * 10 + (c - '0');
                seendigit = 1;
        }
        return (n + m);
}

/*%
 * Allocate a resource record buffer & save rr info.
 */
ns_updrec *
res_mkupdrec(int section, const char *dname,
	     u_int class, u_int type, u_long ttl) {
	ns_updrec *rrecp = (ns_updrec *)calloc(1, sizeof(ns_updrec));

	if (!rrecp || !(rrecp->r_dname = strdup(dname))) {
		if (rrecp)
			free(rrecp);
		return (NULL);
	}
 	rrecp->r_class = (ns_class)class;
	rrecp->r_type = (ns_type)type;
	rrecp->r_ttl = (u_int)ttl;
	rrecp->r_section = (ns_sect)section;
	return (rrecp);
}

/*%
 * Free a resource record buffer created by res_mkupdrec.
 */
void
res_freeupdrec(ns_updrec *rrecp) {
	/* Note: freeing r_dp is the caller's responsibility. */
	if (rrecp->r_dname != NULL)
		free(rrecp->r_dname);
	free(rrecp);
}

struct valuelist {
	struct valuelist *	next;
	struct valuelist *	prev;
	char *			name;
	char *			proto;
	int			port;
};
static struct valuelist *servicelist, *protolist;

static void
res_buildservicelist(void) {
	struct servent *sp;
	struct valuelist *slp;

#ifdef MAYBE_HESIOD
	setservent(0);
#else
	setservent(1);
#endif
	while ((sp = getservent()) != NULL) {
		slp = (struct valuelist *)malloc(sizeof(struct valuelist));
		if (!slp)
			break;
		slp->name = strdup(sp->s_name);
		slp->proto = strdup(sp->s_proto);
		if ((slp->name == NULL) || (slp->proto == NULL)) {
			if (slp->name) free(slp->name);
			if (slp->proto) free(slp->proto);
			free(slp);
			break;
		}
		slp->port = ntohs((u_int16_t)sp->s_port);  /*%< host byt order */
		slp->next = servicelist;
		slp->prev = NULL;
		if (servicelist)
			servicelist->prev = slp;
		servicelist = slp;
	}
	endservent();
}

void
res_destroyservicelist(void) {
	struct valuelist *slp, *slp_next;

	for (slp = servicelist; slp != NULL; slp = slp_next) {
		slp_next = slp->next;
		free(slp->name);
		free(slp->proto);
		free(slp);
	}
	servicelist = (struct valuelist *)0;
}

void
res_buildprotolist(void) {
	struct protoent *pp;
	struct valuelist *slp;

#ifdef MAYBE_HESIOD
	setprotoent(0);
#else
	setprotoent(1);
#endif
	while ((pp = getprotoent()) != NULL) {
		slp = (struct valuelist *)malloc(sizeof(struct valuelist));
		if (!slp)
			break;
		slp->name = strdup(pp->p_name);
		if (slp->name == NULL) {
			free(slp);
			break;
		}
		slp->port = pp->p_proto;	/*%< host byte order */
		slp->next = protolist;
		slp->prev = NULL;
		if (protolist)
			protolist->prev = slp;
		protolist = slp;
	}
	endprotoent();
}

void
res_destroyprotolist(void) {
	struct valuelist *plp, *plp_next;

	for (plp = protolist; plp != NULL; plp = plp_next) {
		plp_next = plp->next;
		free(plp->name);
		free(plp);
	}
	protolist = (struct valuelist *)0;
}

static int
findservice(const char *s, struct valuelist **list) {
	struct valuelist *lp = *list;
	int n;

	for (; lp != NULL; lp = lp->next)
		if (strcasecmp(lp->name, s) == 0) {
			if (lp != *list) {
				lp->prev->next = lp->next;
				if (lp->next)
					lp->next->prev = lp->prev;
				(*list)->prev = lp;
				lp->next = *list;
				*list = lp;
			}
			return (lp->port);	/*%< host byte order */
		}
	if (sscanf(s, "%d", &n) != 1 || n <= 0)
		n = -1;
	return (n);
}

/*%
 * Convert service name or (ascii) number to int.
 */
int
res_servicenumber(const char *p) {
	if (servicelist == (struct valuelist *)0)
		res_buildservicelist();
	return (findservice(p, &servicelist));
}

/*%
 * Convert protocol name or (ascii) number to int.
 */
int
res_protocolnumber(const char *p) {
	if (protolist == (struct valuelist *)0)
		res_buildprotolist();
	return (findservice(p, &protolist));
}

static struct servent *
cgetservbyport(u_int16_t port, const char *proto) {	/*%< Host byte order. */
	struct valuelist **list = &servicelist;
	struct valuelist *lp = *list;
	static struct servent serv;

	port = ntohs(port);
	for (; lp != NULL; lp = lp->next) {
		if (port != (u_int16_t)lp->port)	/*%< Host byte order. */
			continue;
		if (strcasecmp(lp->proto, proto) == 0) {
			if (lp != *list) {
				lp->prev->next = lp->next;
				if (lp->next)
					lp->next->prev = lp->prev;
				(*list)->prev = lp;
				lp->next = *list;
				*list = lp;
			}
			serv.s_name = lp->name;
			serv.s_port = htons((u_int16_t)lp->port);
			serv.s_proto = lp->proto;
			return (&serv);
		}
	}
	return (0);
}

static struct protoent *
cgetprotobynumber(int proto) {				/*%< Host byte order. */
	struct valuelist **list = &protolist;
	struct valuelist *lp = *list;
	static struct protoent prot;

	for (; lp != NULL; lp = lp->next)
		if (lp->port == proto) {		/*%< Host byte order. */
			if (lp != *list) {
				lp->prev->next = lp->next;
				if (lp->next)
					lp->next->prev = lp->prev;
				(*list)->prev = lp;
				lp->next = *list;
				*list = lp;
			}
			prot.p_name = lp->name;
			prot.p_proto = lp->port;	/*%< Host byte order. */
			return (&prot);
		}
	return (0);
}

const char *
res_protocolname(int num) {
	static char number[8];
	struct protoent *pp;

	if (protolist == (struct valuelist *)0)
		res_buildprotolist();
	pp = cgetprotobynumber(num);
	if (pp == 0)  {
		(void) sprintf(number, "%d", num);
		return (number);
	}
	return (pp->p_name);
}

const char *
res_servicename(u_int16_t port, const char *proto) {	/*%< Host byte order. */
	static char number[8];
	struct servent *ss;

	if (servicelist == (struct valuelist *)0)
		res_buildservicelist();
	ss = cgetservbyport(htons(port), proto);
	if (ss == 0)  {
		(void) sprintf(number, "%d", port);
		return (number);
	}
	return (ss->s_name);
}