From 8cbde0b30d77b656503a8e47deb68a6776dbcad9 Mon Sep 17 00:00:00 2001 From: "Steinar H. Gunderson" Date: Fri, 21 Jun 2013 00:59:17 +0200 Subject: [PATCH] Switch to libunbound as the resolver, primarily to get DNSSEC support. --- itkacl-2.1/Makefile | 5 ++- itkacl-2.1/debian/changelog | 1 + itkacl-2.1/debian/control | 2 +- itkacl-2.1/itkacl.c | 78 +++++++++++++++++++++++-------------- 4 files changed, 54 insertions(+), 32 deletions(-) diff --git a/itkacl-2.1/Makefile b/itkacl-2.1/Makefile index 05801b6..99ef295 100644 --- a/itkacl-2.1/Makefile +++ b/itkacl-2.1/Makefile @@ -1,6 +1,7 @@ CC=gcc CFLAGS=-O2 -Wall CPPFLAGS= +LDLIBS=-lunbound RANLIB=ranlib PREFIX=/usr/local @@ -12,7 +13,7 @@ clean: $(RM) itkacl.o itkacl.PIC.o itkacl-test.o itkacl-test libitkacl.a libitkacl.so.2.0.0 itkacl-test: itkacl.o itkacl-test.o - $(CC) -o itkacl-test itkacl.o itkacl-test.o + $(CC) -o itkacl-test itkacl.o itkacl-test.o $(LDLIBS) itkacl.o: itkacl.c $(CC) $(CPPFLAGS) $(CFLAGS) -c itkacl.c -o itkacl.o @@ -25,7 +26,7 @@ libitkacl.a: itkacl.o $(AR) rc $@ $< $(RANLIB) $@ $(LIBNAME): itkacl.PIC.o - $(CC) -shared -Wl,-soname,$(SONAME) -o $@ $< + $(CC) -shared -Wl,-soname,$(SONAME) -o $@ $< $(LDLIBS) install: cp libitkacl.a $(DESTDIR)$(PREFIX)/lib/ diff --git a/itkacl-2.1/debian/changelog b/itkacl-2.1/debian/changelog index e553dcc..e3b3837 100644 --- a/itkacl-2.1/debian/changelog +++ b/itkacl-2.1/debian/changelog @@ -2,6 +2,7 @@ itkacl (2.1) UNRELEASED; urgency=low * Make the core library support a configuration file (/etc/itkacl.conf), reading the DNS zone name from there instead of hard-coded it in. + * Switch to libunbound as the resolver, primarily to get DNSSEC support. -- Steinar H. Gunderson Fri, 21 Jun 2013 00:17:34 +0200 diff --git a/itkacl-2.1/debian/control b/itkacl-2.1/debian/control index 7eb1516..2e0da0c 100644 --- a/itkacl-2.1/debian/control +++ b/itkacl-2.1/debian/control 
@@ -1,7 +1,7 @@ Source: itkacl Priority: extra Maintainer: Steinar H. Gunderson -Build-Depends: debhelper (>= 7.0.50~) +Build-Depends: debhelper (>= 7.0.50~), libunbound-dev Standards-Version: 3.9.1 Section: libs diff --git a/itkacl-2.1/itkacl.c b/itkacl-2.1/itkacl.c index c50654c..f1cc09a 100644 --- a/itkacl-2.1/itkacl.c +++ b/itkacl-2.1/itkacl.c @@ -11,7 +11,7 @@ #include #include #include -#include +#include struct itkacl_config { char nszone[256]; @@ -94,11 +94,12 @@ int itkacl_check(const char * const realm, const char * const user, char *errmsg, size_t errmsg_size) { struct itkacl_config config; - struct hostent he, *he_ptr; - int ret, host_errno; + int ret, nxdomain; const char *ptr; char nszone[256]; - char temp[256], ns_temp[1024]; + char temp[256]; + struct ub_ctx* ctx; + struct ub_result* result; if (itkacl_read_config(CONFIG_FILENAME, &config, errmsg, errmsg_size) != 0) { return -1; 
@@ -173,34 +174,53 @@ int itkacl_check(const char * const realm, const char * const user, strcpy(temp, nszone); sprintf(nszone, "%s.%s", user, temp); - ret = gethostbyname_r(nszone, &he, ns_temp, 1024, &he_ptr, &host_errno); + /* Create the DNS resolver context. */ + ctx = ub_ctx_create(); + if (ctx == NULL) { + if (errmsg) + snprintf(errmsg, errmsg_size, "Host name lookup failure: Could not create DNS context"); + return -1; + } - /* - * The man page for gethostbyname_r() specifies ret != 0 on failure, but - * that seemingly does not include HOST_NOT_FOUND failure. - */ - if (he_ptr == NULL) { - // Not found => no access, but no error either. - if (host_errno == HOST_NOT_FOUND) { - return 1; - } + ret = ub_ctx_resolvconf(ctx, "/etc/resolv.conf"); + if (ret != 0) { + if (errmsg) + snprintf(errmsg, errmsg_size, + "Host name lookup failure: Could not read /etc/resolv.conf " + "(resolver error: %s) (system error: %s)", + ub_strerror(ret), strerror(errno)); + ub_ctx_delete(ctx); + return -1; + } - switch (host_errno) { - case TRY_AGAIN: - snprintf(errmsg, errmsg_size, "Host name lookup failure"); - break; - case NO_RECOVERY: - snprintf(errmsg, errmsg_size, "Unknown server error"); - break; - case NO_ADDRESS: - snprintf(errmsg, errmsg_size, "No address associated with name"); - break; - default: - snprintf(errmsg, errmsg_size, "Unknown DNS error %d", host_errno); - } + ret = ub_ctx_hosts(ctx, "/etc/hosts"); + if (ret != 0) { + if (errmsg) + snprintf(errmsg, errmsg_size, + "Host name lookup failure: Could not read /etc/hosts " + "(resolver error: %s) (system error: %s)", + ub_strerror(ret), strerror(errno)); + ub_ctx_delete(ctx); return -1; } - // The lookup succeeded, so we're good. - return 0; + /* Do the actual DNS lookup (TYPE A, CLASS IN). 
*/ + ret = ub_resolve(ctx, nszone, 1, 1, &result); + if (ret != 0) { + if (errmsg) + snprintf(errmsg, errmsg_size, "Host name lookup failure: %s", + ub_strerror(ret)); + ub_ctx_delete(ctx); + return -1; + } + + nxdomain = result->nxdomain; + + ub_resolve_free(result); + ub_ctx_delete(ctx); + + if (nxdomain) + return 1; + else + return 0; } -- 2.39.2
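Review bot: The lookup now fails open: as far as libunbound's API goes, ub_resolve() returning 0 only means the query completed, so a SERVFAIL, a DNSSEC-bogus answer or a NODATA answer all leave result->nxdomain at 0 and the tail `if (nxdomain) return 1; else return 0;` grants access, where the old gethostbyname_r() path returned -1 for TRY_AGAIN and NO_ADDRESS. Nothing in the hunk loads a trust anchor (ub_ctx_add_ta_file() or similar) or consults result->secure / result->bogus, so despite the commit message a forged positive answer is accepted exactly as before; for an access-control decision the validation outcome has to be checked, and ideally result->secure required, before returning 0. The tail should be rewritten to treat bogus, a non-NOERROR rcode and !havedata as errors, as below. Separately, the unchanged context line `sprintf(nszone, "%s.%s", user, temp);` writes a caller-supplied user name into a 256-byte buffer without a bound, which is pre-existing but worth turning into `snprintf(nszone, sizeof nszone, "%s.%s", user, temp);` while here. itkacl_check() starts before this hunk.
```c
	ret = ub_resolve(ctx, nszone, 1, 1, &result);
	/* … unchanged: ub_resolve() error path (ret != 0) … */

	/* A completed query is not a successful one: a DNSSEC-bogus answer,
	 * a SERVFAIL/other non-NOERROR rcode or an empty (NODATA) answer must
	 * all fail closed; only NXDOMAIN means "no ACL entry". */
	if (result->bogus) {
		if (errmsg)
			snprintf(errmsg, errmsg_size,
			         "Host name lookup failure: DNSSEC validation failed");
		ub_resolve_free(result);
		ub_ctx_delete(ctx);
		return -1;
	}
	if (result->nxdomain) {
		ub_resolve_free(result);
		ub_ctx_delete(ctx);
		return 1;
	}
	if (result->rcode != 0 || !result->havedata) {
		if (errmsg)
			snprintf(errmsg, errmsg_size,
			         "Host name lookup failure: rcode %d, havedata %d",
			         result->rcode, result->havedata);
		ub_resolve_free(result);
		ub_ctx_delete(ctx);
		return -1;
	}
	/* TODO: once a trust anchor is loaded via ub_ctx_add_ta_file(), also
	 * require result->secure here before granting access. */
	ub_resolve_free(result);
	ub_ctx_delete(ctx);
	return 0;
```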