Sunday, November 20, 2011

Fetching the TLSA record with libunbound

Here's the modified code that fetches a TLSA record and prints the bytes in hex:

#include
#include
#include
#include
#include

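int main(void)
{
    struct ub_ctx *ctx = NULL;
    struct ub_result *result = NULL;
    int retval;
    int rc = 1; /* exit status; becomes 0 only when every step succeeded */

    /* create context */
    ctx = ub_ctx_create();
    if (!ctx) {
        printf("error: could not create unbound context\n");
        return 1;
    }
    /* read /etc/resolv.conf for DNS proxy settings (from DHCP) */
    if ((retval = ub_ctx_resolvconf(ctx, "/etc/resolv.conf")) != 0) {
        int saved_errno = errno; /* save before ub_strerror() can clobber it */
        printf("error reading resolv.conf: %s. errno says: %s\n",
               ub_strerror(retval), strerror(saved_errno));
        goto out;
    }
    /* read /etc/hosts for locally supplied host addresses */
    if ((retval = ub_ctx_hosts(ctx, "/etc/hosts")) != 0) {
        int saved_errno = errno;
        printf("error reading hosts: %s. errno says: %s\n",
               ub_strerror(retval), strerror(saved_errno));
        goto out;
    }

    /* read public keys for DNSSEC verification.
     * The "secure" verdict below is only as trustworthy as the trust
     * anchors in this file, so it must hold the genuine root key(s). */
    if ((retval = ub_ctx_add_ta_file(ctx, "keys")) != 0) {
        printf("error adding keys: %s\n", ub_strerror(retval));
        goto out;
    }

    /* query for the webserver's TLSA record.
     * 65468 is the private-use RR type number this example uses for TLSA;
     * it is not TYPE A. */
    retval = ub_resolve(ctx, "_443._tcp.www.example.com",
                        65468 /* TLSA (private-use type number) */,
                        1 /* CLASS IN (internet) */, &result);
    if (retval != 0) {
        printf("resolve error: %s\n", ub_strerror(retval));
        goto out;
    }

    /* show first result as hex, two zero-padded digits per byte */
    if (result->havedata) {
        const unsigned char *buf = (const unsigned char *)result->data[0];
        int len = result->len[0];
        int i;
        printf("The record length is %d\n", len);
        for (i = 0; i < len; i++) {
            printf("%02X", buf[i]);
        }
        printf("\n");
    }
    /* show security status.
     * Only a "secure" answer has been DNSSEC-validated; a bogus or insecure
     * TLSA record gives no assurance and must not be used to pin a
     * certificate. */
    if (result->secure) {
        printf("Result is secure\n");
    } else if (result->bogus) {
        printf("Result is bogus: %s\n", result->why_bogus);
    } else {
        printf("Result is insecure\n");
    }

    rc = 0;
out:
    /* release the answer (if any) and the context on every exit path */
    if (result) {
        ub_resolve_free(result);
    }
    ub_ctx_delete(ctx);
    return rc;
}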

To compile and run:
$ gcc -o unb_secure_resolve unb_secure_resolve.c -I/usr/local/include -L/usr/local/lib -lunbound
$ ./unb_secure_resolve
The record length is 699
1 03082 2B53082 21E 2 9 087DEC83E4049FDBD30 D 6 92A864886F7 D 1 1 5 5 030819E31 B30 9 6 355 4 613 2555331133011 6 355 4 8 C A43616C69666F726E696131163014 6 355 4 7 C D4D6F756E7461696E2056696577311C301A 6 355 4 A C1344656661756C7420436F6D70616E79204C746431183016 6 355 4 3 C F7777772E6578616D706C652E636F6D312A3028 6 92A864886F7 D 1 9 1161B6D6174686961732E73616D75656C736F6E40676D61696C2E636F6D301E17 D3131313131333232333633395A17 D3132313131323232333633395A30819E31 B30 9 6 355 4 613 2555331133011 6 355 4 8 C A43616C69666F726E696131163014 6 355 4 7 C D4D6F756E7461696E2056696577311C301A 6 355 4 A C1344656661756C7420436F6D70616E79204C746431183016 6 355 4 3 C F7777772E6578616D706C652E636F6D312A3028 6 92A864886F7 D 1 9 1161B6D6174686961732E73616D75656C736F6E40676D61696C2E636F6D30819F30 D 6 92A864886F7 D 1 1 1 5 0 3818D 0308189 28181 0A8148A 27BB0DA5613 5963ABF7092741E443543AA16DEE369ED4E9542298BEF3DFCB16A2D 1C38EC6A89E8CD6 58889BC6E8BBD659F84726AA5E9F2A459BD40 1169AF91479 99CA34747 B75A5D3FC5FE1AF8823D4FC4B 9D7FD92A48244457911B466652E8AC69458E8EA4EA9896A D5AE76A6D 32F5DEB961B24AC61D331 2 3 1 0 130 D 6 92A864886F7 D 1 1 5 5 0 38181 08C2ACCCB27885E42DB35724E3BCE6CD58DA5671CE5AD7B8EC0B5C52421C4AA84BD 3 28D5CFF 19A853DE74ED7 471D3F610489C7FC232522B13623AA4F4B38A 82F28 51016917CE588DA8326156629CF70FFB2663C8A63CE 860CA81E7815F82A4FB3BF7DD385F 38696F5 04254C5BC39451DA220FE24D0578483464F6D58
Result is insecure

Obviously the output leaves something to be desired (the `%2X` format pads each byte with a space instead of a leading zero, which is why the dump above is full of gaps), but that's not the point. The next post will show the equivalent output from OpenSSL.
