dnsruby 1.55 → 1.56.0

data/lib/{Dnsruby → dnsruby}/dnssec.rb

@@ -1,74 +1,74 @@
-#--
-#Copyright 2007 Nominet UK
-#
-#Licensed under the Apache License, Version 2.0 (the "License");
-#you may not use this file except in compliance with the License. 
-#You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0 
-#
-#Unless required by applicable law or agreed to in writing, software 
-#distributed under the License is distributed on an "AS IS" BASIS, 
-#WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
-#See the License f181or the specific language governing permissions and 
-#limitations under the License.
-#++
+# --
+# Copyright 2007 Nominet UK
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License f181or the specific language governing permissions and
+# limitations under the License.
+# ++
 require 'digest/sha2'
 require 'net/ftp'
-require 'Dnsruby/key_cache'
-require 'Dnsruby/single_verifier'
+require 'dnsruby/key_cache'
+require 'dnsruby/single_verifier'
 module Dnsruby
 
-  # RFC4033, section 7
-  #   "There is one more step that a security-aware stub resolver can take
-  #   if, for whatever reason, it is not able to establish a useful trust
-  #   relationship with the recursive name servers that it uses: it can
-  #   perform its own signature validation by setting the Checking Disabled
-  #   (CD) bit in its query messages.  A validating stub resolver is thus
-  #   able to treat the DNSSEC signatures as trust relationships between
-  #   the zone administrators and the stub resolver itself. "
-  #
-  # Dnsruby is configured to validate responses by default. However, it is not
-  # configured with any trusted keys by default. Applications may use the
-  # verify() method to perform verification with of RRSets of Messages with
-  # given keys. Alternatively, trusted keys may be added to this class (either
-  # directly, or by loading the IANA TAR or the DLV ISC ZSK). Validation will then
-  # be performed from these keys (or the DLV registry, if configured). Negative
-  # and positive responses are validation.
-  #
-  # Messages are tagged with the current security_level (Message::SecurityLevel).
-  # UNCHECKED means Dnsruby has not attempted to validate the response.
-  # BOGUS means the response has been checked, and is bogus.
-  # INSECURE means the response has been validated to be insecure (e.g. in an unsigned zone)
-  # SECURE means that the response has been verfied to be correct.
-  #
-  # Several validators are provided, with each maintaining its own cache of trusted keys.
-  # If validators are added or removed, the caches of the other validators are not affected.
+  #  RFC4033, section 7
+  #    "There is one more step that a security-aware stub resolver can take
+  #    if, for whatever reason, it is not able to establish a useful trust
+  #    relationship with the recursive name servers that it uses: it can
+  #    perform its own signature validation by setting the Checking Disabled
+  #    (CD) bit in its query messages.  A validating stub resolver is thus
+  #    able to treat the DNSSEC signatures as trust relationships between
+  #    the zone administrators and the stub resolver itself. "
+  # 
+  #  Dnsruby is configured to validate responses by default. However, it is not
+  #  configured with any trusted keys by default. Applications may use the
+  #  verify() method to perform verification with of RRSets of Messages with
+  #  given keys. Alternatively, trusted keys may be added to this class (either
+  #  directly, or by loading the IANA TAR or the DLV ISC ZSK). Validation will then
+  #  be performed from these keys (or the DLV registry, if configured). Negative
+  #  and positive responses are validation.
+  # 
+  #  Messages are tagged with the current security_level (Message::SecurityLevel).
+  #  UNCHECKED means Dnsruby has not attempted to validate the response.
+  #  BOGUS means the response has been checked, and is bogus.
+  #  INSECURE means the response has been validated to be insecure (e.g. in an unsigned zone)
+  #  SECURE means that the response has been verfied to be correct.
+  # 
+  #  Several validators are provided, with each maintaining its own cache of trusted keys.
+  #  If validators are added or removed, the caches of the other validators are not affected.
   class Dnssec
-    # A class to cache trusted keys
+    #  A class to cache trusted keys
 
 
     class ValidationPolicy
-      # @TODO@ Could do this by getting client to add verifiers in the order they
-      # want them to be used. Could then dispense with all this logic
-      # Note that any DLV registries which have been configured will only be tried
-      # after both the root and any local trust anchors (RFC 5074 section 5)
-      
-      #* Always use the root and ignore local trust anchors.
+      #  @TODO@ Could do this by getting client to add verifiers in the order they
+      #  want them to be used. Could then dispense with all this logic
+      #  Note that any DLV registries which have been configured will only be tried
+      #  after both the root and any local trust anchors (RFC 5074 section 5)
+
+      # * Always use the root and ignore local trust anchors.
       ALWAYS_ROOT_ONLY = 1
-      #* Use the root if successful, otherwise try local anchors.
+      # * Use the root if successful, otherwise try local anchors.
       ROOT_THEN_LOCAL_ANCHORS = 2
-      #* Use local trust anchors if available, otherwise use root.
+      # * Use local trust anchors if available, otherwise use root.
       LOCAL_ANCHORS_THEN_ROOT = 3
-      #* Always use local trust anchors and ignore the root.
+      # * Always use local trust anchors and ignore the root.
       ALWAYS_LOCAL_ANCHORS_ONLY = 4
     end
     @@validation_policy = ValidationPolicy::LOCAL_ANCHORS_THEN_ROOT
-    
+
     def Dnssec.validation_policy=(p)
       if ((p >= ALWAYS_ROOT_ONY) && (p <= ALWAYS_LOCAL_ANCHORS))
         @@validation_policy = p
-        # @TODO@ Should we be clearing the trusted keys now?
+        #  @TODO@ Should we be clearing the trusted keys now?
       end
     end
     def Dnssec.validation_policy
@@ -77,40 +77,40 @@ module Dnsruby
 
     @@root_verifier = SingleVerifier.new(SingleVerifier::VerifierType::ROOT)
 
-    # #NOTE# You may wish to import these via a secure channel yourself, if
-    # using Dnsruby for validation.
+    #  #NOTE# You may wish to import these via a secure channel yourself, if
+    #  using Dnsruby for validation.
     @@root_key = RR.create(". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5")
     @@root_verifier.add_root_ds(@@root_key)
 
     @@dlv_verifier = SingleVerifier.new(SingleVerifier::VerifierType::DLV)
 
-    # @TODO@ Could add a new one of these for each anchor.
+    #  @TODO@ Could add a new one of these for each anchor.
     @@anchor_verifier = SingleVerifier.new(SingleVerifier::VerifierType::ANCHOR)
 
 
-    # Add a trusted Key Signing Key for the ISC DLV registry.
+    #  Add a trusted Key Signing Key for the ISC DLV registry.
     def Dnssec.add_dlv_key(dlv_key)
       @@dlv_verifier.add_dlv_key(dlv_key)
     end
-    # Add a new trust anchor
+    #  Add a new trust anchor
     def Dnssec.add_trust_anchor(t)
-      # @TODO@ Create a new verifier?
+      #  @TODO@ Create a new verifier?
       @@anchor_verifier.add_trust_anchor(t)
     end
-    # Add the trusted key with the given expiration time
+    #  Add the trusted key with the given expiration time
     def self.add_trust_anchor_with_expiration(k, expiration)
-      # Create a new verifier?
+      #  Create a new verifier?
       @@anchor_verifier.add_trust_anchor_with_expiration(k, expiration)
     end
-    # Remove the trusted key
+    #  Remove the trusted key
     def Dnssec.remove_trust_anchor(t)
       @@anchor_verifier.remove_trust_anchor(t)
     end
-    # Wipes the cache of trusted keys
+    #  Wipes the cache of trusted keys
     def self.clear_trust_anchors
       @@anchor_verifier.clear_trust_anchors
     end
-    
+
     def self.trust_anchors
       return @@anchor_verifier.trust_anchors
     end
@@ -128,7 +128,7 @@ module Dnsruby
 
       @@dlv_verifier = SingleVerifier.new(SingleVerifier::VerifierType::DLV)
 
-      # @TODO@ Could add a new one of these for each anchor.
+      #  @TODO@ Could add a new one of these for each anchor.
       @@anchor_verifier = SingleVerifier.new(SingleVerifier::VerifierType::ANCHOR)
       @@do_validation_with_recursor = true # Many nameservers don't handle DNSSEC correctly yet
       @@default_resolver = Resolver.new
@@ -152,20 +152,20 @@ module Dnsruby
 
     @@do_validation_with_recursor = true # Many nameservers don't handle DNSSEC correctly yet
     @@default_resolver = Resolver.new
-    # This method defines the choice of Resolver or Recursor, when the validator
-    # is checking responses.
-    # If set to true, then a Recursor will be used to query for the DNSSEC records.
-    # Otherwise, the default system resolver will be used.
+    #  This method defines the choice of Resolver or Recursor, when the validator
+    #  is checking responses.
+    #  If set to true, then a Recursor will be used to query for the DNSSEC records.
+    #  Otherwise, the default system resolver will be used.
     def self.do_validation_with_recursor(on)
       @@do_validation_with_recursor = on
     end
     def self.do_validation_with_recursor?
       return @@do_validation_with_recursor
     end
-    # This method overrides the system default resolver configuration for validation
-    # If default_resolver is set, then it will be used to follow the chain of trust.
-    # If it is not, then the default system resolver will be used (unless do_validation_with_recursor
-    # is set.
+    #  This method overrides the system default resolver configuration for validation
+    #  If default_resolver is set, then it will be used to follow the chain of trust.
+    #  If it is not, then the default system resolver will be used (unless do_validation_with_recursor
+    #  is set.
     def self.default_resolver=(res)
       @@default_resolver = res
     end
@@ -173,22 +173,22 @@ module Dnsruby
       return @@default_resolver
     end
 
-    # Returns true for secure/insecure, false otherwise
-    # This method will set the security_level on msg to the appropriate value.
-    # Could be : secure, insecure, bogus or indeterminate
-    # If an error is encountered during verification, then the thrown exception
-    # will define the error.
+    #  Returns true for secure/insecure, false otherwise
+    #  This method will set the security_level on msg to the appropriate value.
+    #  Could be : secure, insecure, bogus or indeterminate
+    #  If an error is encountered during verification, then the thrown exception
+    #  will define the error.
     def self.validate(msg)
       query = Message.new()
       query.header.cd=true
       return self.validate_with_query(query, msg)
     end
-    
+
     def self.validate_with_query(query, msg)
       if (!msg)
         return false
       end
-      # First, just check there is something to validate!
+      #  First, just check there is something to validate!
       found_sigs = false
       msg.each_resource {|rr|
         if (rr.type == Types::RRSIG)
@@ -206,16 +206,16 @@ module Dnsruby
         end
       end
 
-      # SHOULD ALWAYS VERIFY DNSSEC-SIGNED RESPONSES?
-      # Yes - if a trust anchor is configured. Otherwise, act on CD bit (in query)
+      #  SHOULD ALWAYS VERIFY DNSSEC-SIGNED RESPONSES?
+      #  Yes - if a trust anchor is configured. Otherwise, act on CD bit (in query)
       TheLog.debug("Checking whether to validate, query.cd = #{query.header.cd}")
       if (((@@validation_policy > ValidationPolicy::ALWAYS_ROOT_ONLY) && (self.trust_anchors().length > 0)) ||
-            # Check query here, and validate if CD is true
+            #  Check query here, and validate if CD is true
           ((query.header.cd == true))) # && (query.do_validation)))
         TheLog.debug("Starting validation")
 
-        # Validate!
-        # Need to think about trapping/storing exceptions and security_levels here
+        #  Validate!
+        #  Need to think about trapping/storing exceptions and security_levels here
         last_error = ""
         last_level = Message::SecurityLevel.BOGUS
         last_error_level = Message::SecurityLevel.BOGUS
@@ -226,7 +226,7 @@ module Dnsruby
           last_level, last_error, last_error_level = try_validation(last_level, last_error, last_error_level,
             Proc.new{|m, q| validate_with_root(m, q)}, msg, query)
         elsif (@@validation_policy == ValidationPolicy::LOCAL_ANCHORS_THEN_ROOT)
-          last_level, last_error, last_error_level = try_validation(last_level, last_error, last_error_level, 
+          last_level, last_error, last_error_level = try_validation(last_level, last_error, last_error_level,
             Proc.new{|m, q| validate_with_anchors(m, q)}, msg, query)
           if (last_level != Message::SecurityLevel.SECURE)
             last_level, last_error, last_error_level = try_validation(last_level, last_error, last_error_level,
@@ -241,10 +241,10 @@ module Dnsruby
           end
         end
         if (last_level != Message::SecurityLevel.SECURE)
-          last_level, last_error, last_error_level = try_validation(last_level, last_error, last_error_level, 
+          last_level, last_error, last_error_level = try_validation(last_level, last_error, last_error_level,
             Proc.new{|m, q| validate_with_dlv(m, q)}, msg, query)
         end
-        # Set the message security level!
+        #  Set the message security level!
         msg.security_level = last_level
         msg.security_error = last_error
         raise VerifyError.new(last_error) if (last_level < 0)
@@ -266,7 +266,7 @@ module Dnsruby
       end
       return last_level, last_error, last_error_level
     end
-        
+
     def self.validate_with_anchors(msg, query)
       return @@anchor_verifier.validate(msg, query)
     end
@@ -310,4 +310,4 @@ module Dnsruby
             @@dlv_verifier.verify_rrset(rrset, keys)))
     end
   end
-end
+end

data/lib/{Dnsruby/Hosts.rb → dnsruby/hosts.rb}

@@ -1,126 +1,126 @@
-#--
-#Copyright 2007 Nominet UK
-#
-#Licensed under the Apache License, Version 2.0 (the "License");
-#you may not use this file except in compliance with the License. 
-#You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0 
-#
-#Unless required by applicable law or agreed to in writing, software 
-#distributed under the License is distributed on an "AS IS" BASIS, 
-#WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
-#See the License for the specific language governing permissions and 
-#limitations under the License.
-#++
-module Dnsruby
-#== Dnsruby::Hosts class
-#Dnsruby::Hosts is a hostname resolver that uses the system hosts file
-#
-#=== class methods
-#* Dnsruby::Hosts.new(hosts='/etc/hosts')
-#
-#=== methods
-#* Dnsruby::Hosts#getaddress(name)
-#* Dnsruby::Hosts#getaddresses(name)
-#* Dnsruby::Hosts#each_address(name) {|address| ...}
-#    address lookup methods.
-#
-#* Dnsruby::Hosts#getname(address)
-#* Dnsruby::Hosts#getnames(address)
-#* Dnsruby::Hosts#each_name(address) {|name| ...}
-#    hostnames lookup methods.
-#
-  class Hosts
-    if /mswin32|cygwin|mingw|bccwin/ =~ RUBY_PLATFORM
-      require 'win32/resolv'
-      DefaultFileName = Win32::Resolv.get_hosts_path
-    else
-      DefaultFileName = '/etc/hosts'
-    end
-    
-    #Creates a new Dnsruby::Hosts using +filename+ for its data source
-    def initialize(filename = DefaultFileName)
-      @filename = filename
-      @mutex = Mutex.new
-      @initialized = nil
-    end
-    
-    def lazy_initialize# :nodoc:
-      @mutex.synchronize {
-        unless @initialized
-          @name2addr = {}
-          @addr2name = {}
-          begin
-            open(@filename) {|f|
-              f.each {|line|
-                line.sub!(/#.*/, '')
-                addr, hostname, *aliases = line.split(/\s+/)
-                next unless addr
-                addr.untaint
-                hostname.untaint
-                @addr2name[addr] = [] unless @addr2name.include? addr
-                @addr2name[addr] << hostname
-                @addr2name[addr] += aliases
-                @name2addr[hostname] = [] unless @name2addr.include? hostname
-                @name2addr[hostname] << addr
-                aliases.each {|n|
-                  n.untaint
-                  @name2addr[n] = [] unless @name2addr.include? n
-                  @name2addr[n] << addr
-                }
-              }
-            }
-          rescue Exception
-            # Java won't find this file if running on Windows
-          end
-          @name2addr.each {|name, arr| arr.reverse!}
-          @initialized = true
-        end
-      }
-      self
-    end
-    
-    #Gets the first IP address for +name+ from the hosts file
-    def getaddress(name)
-      each_address(name) {|address| return address}
-      raise ResolvError.new("#{@filename} has no name: #{name}")
-    end
-    
-    #Gets all IP addresses for +name+ from the hosts file
-    def getaddresses(name)
-      ret = []
-      each_address(name) {|address| ret << address}
-      return ret
-    end
-    
-    #Iterates over all IP addresses for +name+ retrieved from the hosts file
-    def each_address(name, &proc)
-      lazy_initialize
-      if @name2addr.include?(name)
-        @name2addr[name].each(&proc)
-      end
-    end
-    
-    #Gets the first hostname of +address+ from the hosts file
-    def getname(address)
-      each_name(address) {|name| return name}
-      raise ResolvError.new("#{@filename} has no address: #{address}")
-    end
-    
-    #Gets all hostnames for +address+ from the hosts file
-    def getnames(address)
-      ret = []
-      each_name(address) {|name| ret << name}
-      return ret
-    end
-    
-    #Iterates over all hostnames for +address+ retrieved from the hosts file
-    def each_name(address, &proc)
-      lazy_initialize
-      if @addr2name.include?(address)
-        @addr2name[address].each(&proc)
-      end
-    end
-  end
+# --
+# Copyright 2007 Nominet UK
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ++
+module Dnsruby
+# == Dnsruby::Hosts class
+# Dnsruby::Hosts is a hostname resolver that uses the system hosts file
+# 
+# === class methods
+# * Dnsruby::Hosts.new(hosts='/etc/hosts')
+# 
+# === methods
+# * Dnsruby::Hosts#getaddress(name)
+# * Dnsruby::Hosts#getaddresses(name)
+# * Dnsruby::Hosts#each_address(name) {|address| ...}
+#    address lookup methods.
+# 
+# * Dnsruby::Hosts#getname(address)
+# * Dnsruby::Hosts#getnames(address)
+# * Dnsruby::Hosts#each_name(address) {|name| ...}
+#    hostnames lookup methods.
+# 
+  class Hosts
+    if /mswin32|cygwin|mingw|bccwin/ =~ RUBY_PLATFORM
+      require 'win32/resolv'
+      DefaultFileName = Win32::Resolv.get_hosts_path
+    else
+      DefaultFileName = '/etc/hosts'
+    end
+
+    # Creates a new Dnsruby::Hosts using +filename+ for its data source
+    def initialize(filename = DefaultFileName)
+      @filename = filename
+      @mutex = Mutex.new
+      @initialized = nil
+    end
+
+    def lazy_initialize# :nodoc:
+      @mutex.synchronize {
+        unless @initialized
+          @name2addr = {}
+          @addr2name = {}
+          begin
+            open(@filename) {|f|
+              f.each {|line|
+                line.sub!(/#.*/, '')
+                addr, hostname, *aliases = line.split(/\s+/)
+                next unless addr
+                addr.untaint
+                hostname.untaint
+                @addr2name[addr] = [] unless @addr2name.include? addr
+                @addr2name[addr] << hostname
+                @addr2name[addr] += aliases
+                @name2addr[hostname] = [] unless @name2addr.include? hostname
+                @name2addr[hostname] << addr
+                aliases.each {|n|
+                  n.untaint
+                  @name2addr[n] = [] unless @name2addr.include? n
+                  @name2addr[n] << addr
+                }
+              }
+            }
+          rescue Exception
+            #  Java won't find this file if running on Windows
+          end
+          @name2addr.each {|name, arr| arr.reverse!}
+          @initialized = true
+        end
+      }
+      self
+    end
+
+    # Gets the first IP address for +name+ from the hosts file
+    def getaddress(name)
+      each_address(name) {|address| return address}
+      raise ResolvError.new("#{@filename} has no name: #{name}")
+    end
+
+    # Gets all IP addresses for +name+ from the hosts file
+    def getaddresses(name)
+      ret = []
+      each_address(name) {|address| ret << address}
+      return ret
+    end
+
+    # Iterates over all IP addresses for +name+ retrieved from the hosts file
+    def each_address(name, &proc)
+      lazy_initialize
+      if @name2addr.include?(name)
+        @name2addr[name].each(&proc)
+      end
+    end
+
+    # Gets the first hostname of +address+ from the hosts file
+    def getname(address)
+      each_name(address) {|name| return name}
+      raise ResolvError.new("#{@filename} has no address: #{address}")
+    end
+
+    # Gets all hostnames for +address+ from the hosts file
+    def getnames(address)
+      ret = []
+      each_name(address) {|name| ret << name}
+      return ret
+    end
+
+    # Iterates over all hostnames for +address+ retrieved from the hosts file
+    def each_name(address, &proc)
+      lazy_initialize
+      if @addr2name.include?(address)
+        @addr2name[address].each(&proc)
+      end
+    end
+  end
 end