diff options
| author | Dag-Erling Smørgrav <des@FreeBSD.org> | 2014-05-14 18:44:22 +0000 |
|---|---|---|
| committer | Dag-Erling Smørgrav <des@FreeBSD.org> | 2014-05-14 18:44:22 +0000 |
| commit | 79dd93c19fd35899133800562b0db20f1a4c0f56 (patch) | |
| tree | 86c1332d2843f4c80ae64365c16ba04306b6f542 /validator | |
| parent | f61d78fb42d2662643e7f0dbdcb97adbc2589dbc (diff) | |
| download | src-test-79dd93c19fd35899133800562b0db20f1a4c0f56.tar.gz src-test-79dd93c19fd35899133800562b0db20f1a4c0f56.zip | |
Notes
Diffstat (limited to 'validator')
| -rw-r--r-- | validator/autotrust.c | 826 | ||||
| -rw-r--r-- | validator/autotrust.h | 27 | ||||
| -rw-r--r-- | validator/val_anchor.c | 237 | ||||
| -rw-r--r-- | validator/val_anchor.h | 23 | ||||
| -rw-r--r-- | validator/val_kcache.c | 20 | ||||
| -rw-r--r-- | validator/val_kcache.h | 20 | ||||
| -rw-r--r-- | validator/val_kentry.c | 25 | ||||
| -rw-r--r-- | validator/val_kentry.h | 20 | ||||
| -rw-r--r-- | validator/val_neg.c | 28 | ||||
| -rw-r--r-- | validator/val_neg.h | 23 | ||||
| -rw-r--r-- | validator/val_nsec.c | 21 | ||||
| -rw-r--r-- | validator/val_nsec.h | 20 | ||||
| -rw-r--r-- | validator/val_nsec3.c | 121 | ||||
| -rw-r--r-- | validator/val_nsec3.h | 34 | ||||
| -rw-r--r-- | validator/val_secalgo.c | 64 | ||||
| -rw-r--r-- | validator/val_secalgo.h | 23 | ||||
| -rw-r--r-- | validator/val_sigcrypt.c | 151 | ||||
| -rw-r--r-- | validator/val_sigcrypt.h | 34 | ||||
| -rw-r--r-- | validator/val_utils.c | 20 | ||||
| -rw-r--r-- | validator/val_utils.h | 20 | ||||
| -rw-r--r-- | validator/validator.c | 63 | ||||
| -rw-r--r-- | validator/validator.h | 20 |
22 files changed, 1059 insertions, 781 deletions
diff --git a/validator/autotrust.c b/validator/autotrust.c index 3d22637b8c2e1..a597633828f54 100644 --- a/validator/autotrust.c +++ b/validator/autotrust.c @@ -21,16 +21,16 @@ * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /** @@ -41,7 +41,6 @@ * It was modified to fit into unbound. The state table process is the same. */ #include "config.h" -#include <ldns/ldns.h> #include "validator/autotrust.h" #include "validator/val_anchor.h" #include "validator/val_utils.h" @@ -58,6 +57,13 @@ #include "services/mesh.h" #include "services/cache/rrset.h" #include "validator/val_kcache.h" +#include "ldns/sbuffer.h" +#include "ldns/wire2str.h" +#include "ldns/str2wire.h" +#include "ldns/keyraw.h" +#include "ldns/rrdef.h" +#include <stdarg.h> +#include <ctype.h> /** number of times a key must be seen before it can become valid */ #define MIN_PENDINGCOUNT 2 @@ -138,8 +144,11 @@ verbose_key(struct autr_ta* ta, enum verbosity_value level, va_list args; va_start(args, format); if(verbosity >= level) { - char* str = ldns_rdf2str(ldns_rr_owner(ta->rr)); - int keytag = (int)ldns_calc_keytag(ta->rr); + char* str = sldns_wire2str_dname(ta->rr, ta->dname_len); + int keytag = (int)sldns_calc_keytag_raw(sldns_wirerr_get_rdata( + ta->rr, ta->rr_len, ta->dname_len), + sldns_wirerr_get_rdatalen(ta->rr, ta->rr_len, + ta->dname_len)); char msg[MAXSYSLOGMSGLEN]; vsnprintf(msg, sizeof(msg), format, args); verbose(level, "%s key %d %s", str?str:"??", keytag, msg); @@ -262,55 +271,76 @@ str_contains_data(char* str, char comment) return 0; } -/** Get DNSKEY flags */ +/** Get DNSKEY flags + * rdata without rdatalen in front of it. */ static int -dnskey_flags(ldns_rr* rr) +dnskey_flags(uint16_t t, uint8_t* rdata, size_t len) { - if(ldns_rr_get_type(rr) != LDNS_RR_TYPE_DNSKEY) + uint16_t f; + if(t != LDNS_RR_TYPE_DNSKEY) return 0; - return (int)ldns_read_uint16(ldns_rdf_data(ldns_rr_dnskey_flags(rr))); + if(len < 2) + return 0; + memmove(&f, rdata, 2); + f = ntohs(f); + return (int)f; } +/** Check if KSK DNSKEY. + * pass rdata without rdatalen in front of it */ +static int +rr_is_dnskey_sep(uint16_t t, uint8_t* rdata, size_t len) +{ + return (dnskey_flags(t, rdata, len)&DNSKEY_BIT_SEP); +} -/** Check if KSK DNSKEY */ +/** Check if TA is KSK DNSKEY */ static int -rr_is_dnskey_sep(ldns_rr* rr) +ta_is_dnskey_sep(struct autr_ta* ta) { - return (dnskey_flags(rr)&DNSKEY_BIT_SEP); + return (dnskey_flags( + sldns_wirerr_get_type(ta->rr, ta->rr_len, ta->dname_len), + sldns_wirerr_get_rdata(ta->rr, ta->rr_len, ta->dname_len), + sldns_wirerr_get_rdatalen(ta->rr, ta->rr_len, ta->dname_len) + ) & DNSKEY_BIT_SEP); } -/** Check if REVOKED DNSKEY */ +/** Check if REVOKED DNSKEY + * pass rdata without rdatalen in front of it */ static int -rr_is_dnskey_revoked(ldns_rr* rr) +rr_is_dnskey_revoked(uint16_t t, uint8_t* rdata, size_t len) { - return (dnskey_flags(rr)&LDNS_KEY_REVOKE_KEY); + return (dnskey_flags(t, rdata, len)&LDNS_KEY_REVOKE_KEY); } /** create ta */ static struct autr_ta* -autr_ta_create(ldns_rr* rr) +autr_ta_create(uint8_t* rr, size_t rr_len, size_t dname_len) { struct autr_ta* ta = (struct autr_ta*)calloc(1, sizeof(*ta)); if(!ta) { - ldns_rr_free(rr); + free(rr); return NULL; } ta->rr = rr; + ta->rr_len = rr_len; + ta->dname_len = dname_len; return ta; } /** create tp */ static struct trust_anchor* -autr_tp_create(struct val_anchors* anchors, ldns_rdf* own, uint16_t dc) +autr_tp_create(struct val_anchors* anchors, uint8_t* own, size_t own_len, + uint16_t dc) { struct trust_anchor* tp = (struct trust_anchor*)calloc(1, sizeof(*tp)); if(!tp) return NULL; - tp->name = memdup(ldns_rdf_data(own), ldns_rdf_size(own)); + tp->name = memdup(own, own_len); if(!tp->name) { free(tp); return NULL; } - tp->namelen = ldns_rdf_size(own); + tp->namelen = own_len; tp->namelabs = dname_count_labels(tp->name); tp->node.key = tp; tp->dclass = dc; @@ -371,7 +401,7 @@ void autr_point_delete(struct trust_anchor* tp) struct autr_ta* p = tp->autr->keys, *np; while(p) { np = p->next; - ldns_rr_free(p->rr); + free(p->rr); free(p); p = np; } @@ -384,13 +414,12 @@ void autr_point_delete(struct trust_anchor* tp) /** find or add a new trust point for autotrust */ static struct trust_anchor* -find_add_tp(struct val_anchors* anchors, ldns_rr* rr) +find_add_tp(struct val_anchors* anchors, uint8_t* rr, size_t rr_len, + size_t dname_len) { struct trust_anchor* tp; - ldns_rdf* own = ldns_rr_owner(rr); - tp = anchor_find(anchors, ldns_rdf_data(own), - dname_count_labels(ldns_rdf_data(own)), - ldns_rdf_size(own), ldns_rr_get_class(rr)); + tp = anchor_find(anchors, rr, dname_count_labels(rr), dname_len, + sldns_wirerr_get_class(rr, rr_len, dname_len)); if(tp) { if(!tp->autr) { log_err("anchor cannot be with and without autotrust"); @@ -399,22 +428,23 @@ find_add_tp(struct val_anchors* anchors, ldns_rr* rr) } return tp; } - tp = autr_tp_create(anchors, ldns_rr_owner(rr), ldns_rr_get_class(rr)); + tp = autr_tp_create(anchors, rr, dname_len, sldns_wirerr_get_class(rr, + rr_len, dname_len)); lock_basic_lock(&tp->lock); return tp; } /** Add trust anchor from RR */ static struct autr_ta* -add_trustanchor_frm_rr(struct val_anchors* anchors, ldns_rr* rr, - struct trust_anchor** tp) +add_trustanchor_frm_rr(struct val_anchors* anchors, uint8_t* rr, size_t rr_len, + size_t dname_len, struct trust_anchor** tp) { - struct autr_ta* ta = autr_ta_create(rr); + struct autr_ta* ta = autr_ta_create(rr, rr_len, dname_len); if(!ta) return NULL; - *tp = find_add_tp(anchors, rr); + *tp = find_add_tp(anchors, rr, rr_len, dname_len); if(!*tp) { - ldns_rr_free(ta->rr); + free(ta->rr); free(ta); return NULL; } @@ -431,34 +461,51 @@ add_trustanchor_frm_rr(struct val_anchors* anchors, ldns_rr* rr, * @param str: string with anchor and comments, if any comments. * @param tp: trust point returned. * @param origin: what to use for @ + * @param origin_len: length of origin * @param prev: previous rr name + * @param prev_len: length of prev * @param skip: if true, the result is NULL, but not an error, skip it. * @return new key in trust point. */ static struct autr_ta* add_trustanchor_frm_str(struct val_anchors* anchors, char* str, - struct trust_anchor** tp, ldns_rdf* origin, ldns_rdf** prev, int* skip) + struct trust_anchor** tp, uint8_t* origin, size_t origin_len, + uint8_t** prev, size_t* prev_len, int* skip) { - ldns_rr* rr; - ldns_status lstatus; + uint8_t rr[LDNS_RR_BUF_SIZE]; + size_t rr_len = sizeof(rr), dname_len; + uint8_t* drr; + int lstatus; if (!str_contains_data(str, ';')) { *skip = 1; return NULL; /* empty line */ } - if (LDNS_STATUS_OK != - (lstatus = ldns_rr_new_frm_str(&rr, str, 0, origin, prev))) - { - log_err("ldns error while converting string to RR: %s", - ldns_get_errorstr_by_id(lstatus)); - return NULL; - } - if(ldns_rr_get_type(rr) != LDNS_RR_TYPE_DNSKEY && - ldns_rr_get_type(rr) != LDNS_RR_TYPE_DS) { - ldns_rr_free(rr); + if(0 != (lstatus = sldns_str2wire_rr_buf(str, rr, &rr_len, &dname_len, + 0, origin, origin_len, *prev, *prev_len))) + { + log_err("ldns error while converting string to RR at%d: %s: %s", + LDNS_WIREPARSE_OFFSET(lstatus), + sldns_get_errorstr_parse(lstatus), str); + return NULL; + } + free(*prev); + *prev = memdup(rr, dname_len); + *prev_len = dname_len; + if(!*prev) { + log_err("malloc failure in add_trustanchor"); + return NULL; + } + if(sldns_wirerr_get_type(rr, rr_len, dname_len)!=LDNS_RR_TYPE_DNSKEY && + sldns_wirerr_get_type(rr, rr_len, dname_len)!=LDNS_RR_TYPE_DS) { *skip = 1; return NULL; /* only DS and DNSKEY allowed */ } - return add_trustanchor_frm_rr(anchors, rr, tp); + drr = memdup(rr, rr_len); + if(!drr) { + log_err("malloc failure in add trustanchor"); + return NULL; + } + return add_trustanchor_frm_rr(anchors, drr, rr_len, dname_len, tp); } /** @@ -467,18 +514,22 @@ add_trustanchor_frm_str(struct val_anchors* anchors, char* str, * @param str: comments line * @param fname: filename * @param origin: the $ORIGIN. + * @param origin_len: length of origin * @param prev: passed to ldns. + * @param prev_len: length of prev * @param skip: if true, the result is NULL, but not an error, skip it. * @return false on failure, otherwise the tp read. */ static struct trust_anchor* load_trustanchor(struct val_anchors* anchors, char* str, const char* fname, - ldns_rdf* origin, ldns_rdf** prev, int* skip) + uint8_t* origin, size_t origin_len, uint8_t** prev, size_t* prev_len, + int* skip) { - struct autr_ta* ta = NULL; - struct trust_anchor* tp = NULL; + struct autr_ta* ta = NULL; + struct trust_anchor* tp = NULL; - ta = add_trustanchor_frm_str(anchors, str, &tp, origin, prev, skip); + ta = add_trustanchor_frm_str(anchors, str, &tp, origin, origin_len, + prev, prev_len, skip); if(!ta) return NULL; lock_basic_lock(&tp->lock); @@ -498,70 +549,228 @@ load_trustanchor(struct val_anchors* anchors, char* str, const char* fname, return tp; } +/** iterator for DSes from keylist. return true if a next element exists */ +static int +assemble_iterate_ds(struct autr_ta** list, uint8_t** rr, size_t* rr_len, + size_t* dname_len) +{ + while(*list) { + if(sldns_wirerr_get_type((*list)->rr, (*list)->rr_len, + (*list)->dname_len) == LDNS_RR_TYPE_DS) { + *rr = (*list)->rr; + *rr_len = (*list)->rr_len; + *dname_len = (*list)->dname_len; + *list = (*list)->next; + return 1; + } + *list = (*list)->next; + } + return 0; +} + +/** iterator for DNSKEYs from keylist. return true if a next element exists */ +static int +assemble_iterate_dnskey(struct autr_ta** list, uint8_t** rr, size_t* rr_len, + size_t* dname_len) +{ + while(*list) { + if(sldns_wirerr_get_type((*list)->rr, (*list)->rr_len, + (*list)->dname_len) != LDNS_RR_TYPE_DS && + ((*list)->s == AUTR_STATE_VALID || + (*list)->s == AUTR_STATE_MISSING)) { + *rr = (*list)->rr; + *rr_len = (*list)->rr_len; + *dname_len = (*list)->dname_len; + *list = (*list)->next; + return 1; + } + *list = (*list)->next; + } + return 0; +} + +/** see if iterator-list has any elements in it, or it is empty */ +static int +assemble_iterate_hasfirst(int iter(struct autr_ta**, uint8_t**, size_t*, + size_t*), struct autr_ta* list) +{ + uint8_t* rr = NULL; + size_t rr_len = 0, dname_len = 0; + return iter(&list, &rr, &rr_len, &dname_len); +} + +/** number of elements in iterator list */ +static size_t +assemble_iterate_count(int iter(struct autr_ta**, uint8_t**, size_t*, + size_t*), struct autr_ta* list) +{ + uint8_t* rr = NULL; + size_t i = 0, rr_len = 0, dname_len = 0; + while(iter(&list, &rr, &rr_len, &dname_len)) { + i++; + } + return i; +} + +/** + * Create a ub_packed_rrset_key allocated on the heap. + * It therefore does not have the correct ID value, and cannot be used + * inside the cache. It can be used in storage outside of the cache. + * Keys for the cache have to be obtained from alloc.h . + * @param iter: iterator over the elements in the list. It filters elements. + * @param list: the list. + * @return key allocated or NULL on failure. + */ +static struct ub_packed_rrset_key* +ub_packed_rrset_heap_key(int iter(struct autr_ta**, uint8_t**, size_t*, + size_t*), struct autr_ta* list) +{ + uint8_t* rr = NULL; + size_t rr_len = 0, dname_len = 0; + struct ub_packed_rrset_key* k; + if(!iter(&list, &rr, &rr_len, &dname_len)) + return NULL; + k = (struct ub_packed_rrset_key*)calloc(1, sizeof(*k)); + if(!k) + return NULL; + k->rk.type = htons(sldns_wirerr_get_type(rr, rr_len, dname_len)); + k->rk.rrset_class = htons(sldns_wirerr_get_class(rr, rr_len, dname_len)); + k->rk.dname_len = dname_len; + k->rk.dname = memdup(rr, dname_len); + if(!k->rk.dname) { + free(k); + return NULL; + } + return k; +} + +/** + * Create packed_rrset data on the heap. + * @param iter: iterator over the elements in the list. It filters elements. + * @param list: the list. + * @return data allocated or NULL on failure. + */ +static struct packed_rrset_data* +packed_rrset_heap_data(int iter(struct autr_ta**, uint8_t**, size_t*, + size_t*), struct autr_ta* list) +{ + uint8_t* rr = NULL; + size_t rr_len = 0, dname_len = 0; + struct packed_rrset_data* data; + size_t count=0, rrsig_count=0, len=0, i, total; + uint8_t* nextrdata; + struct autr_ta* list_i; + time_t ttl = 0; + + list_i = list; + while(iter(&list_i, &rr, &rr_len, &dname_len)) { + if(sldns_wirerr_get_type(rr, rr_len, dname_len) == + LDNS_RR_TYPE_RRSIG) + rrsig_count++; + else count++; + /* sizeof the rdlength + rdatalen */ + len += 2 + sldns_wirerr_get_rdatalen(rr, rr_len, dname_len); + ttl = (time_t)sldns_wirerr_get_ttl(rr, rr_len, dname_len); + } + if(count == 0 && rrsig_count == 0) + return NULL; + + /* allocate */ + total = count + rrsig_count; + len += sizeof(*data) + total*(sizeof(size_t) + sizeof(time_t) + + sizeof(uint8_t*)); + data = (struct packed_rrset_data*)calloc(1, len); + if(!data) + return NULL; + + /* fill it */ + data->ttl = ttl; + data->count = count; + data->rrsig_count = rrsig_count; + data->rr_len = (size_t*)((uint8_t*)data + + sizeof(struct packed_rrset_data)); + data->rr_data = (uint8_t**)&(data->rr_len[total]); + data->rr_ttl = (time_t*)&(data->rr_data[total]); + nextrdata = (uint8_t*)&(data->rr_ttl[total]); + + /* fill out len, ttl, fields */ + list_i = list; + i = 0; + while(iter(&list_i, &rr, &rr_len, &dname_len)) { + data->rr_ttl[i] = (time_t)sldns_wirerr_get_ttl(rr, rr_len, + dname_len); + if(data->rr_ttl[i] < data->ttl) + data->ttl = data->rr_ttl[i]; + data->rr_len[i] = 2 /* the rdlength */ + + sldns_wirerr_get_rdatalen(rr, rr_len, dname_len); + i++; + } + + /* fixup rest of ptrs */ + for(i=0; i<total; i++) { + data->rr_data[i] = nextrdata; + nextrdata += data->rr_len[i]; + } + + /* copy data in there */ + list_i = list; + i = 0; + while(iter(&list_i, &rr, &rr_len, &dname_len)) { + memmove(data->rr_data[i], + sldns_wirerr_get_rdatawl(rr, rr_len, dname_len), + data->rr_len[i]); + i++; + } + + if(data->rrsig_count && data->count == 0) { + data->count = data->rrsig_count; /* rrset type is RRSIG */ + data->rrsig_count = 0; + } + return data; +} + /** * Assemble the trust anchors into DS and DNSKEY packed rrsets. * Uses only VALID and MISSING DNSKEYs. - * Read the ldns_rrs and builds packed rrsets + * Read the sldns_rrs and builds packed rrsets * @param tp: the trust point. Must be locked. * @return false on malloc failure. */ static int autr_assemble(struct trust_anchor* tp) { - ldns_rr_list* ds, *dnskey; - struct autr_ta* ta; struct ub_packed_rrset_key* ubds=NULL, *ubdnskey=NULL; - ds = ldns_rr_list_new(); - dnskey = ldns_rr_list_new(); - if(!ds || !dnskey) { - ldns_rr_list_free(ds); - ldns_rr_list_free(dnskey); - return 0; - } - for(ta = tp->autr->keys; ta; ta = ta->next) { - if(ldns_rr_get_type(ta->rr) == LDNS_RR_TYPE_DS) { - if(!ldns_rr_list_push_rr(ds, ta->rr)) { - ldns_rr_list_free(ds); - ldns_rr_list_free(dnskey); - return 0; - } - } else if(ta->s == AUTR_STATE_VALID || - ta->s == AUTR_STATE_MISSING) { - if(!ldns_rr_list_push_rr(dnskey, ta->rr)) { - ldns_rr_list_free(ds); - ldns_rr_list_free(dnskey); - return 0; - } - } - } - /* make packed rrset keys - malloced with no ID number, they * are not in the cache */ /* make packed rrset data (if there is a key) */ - - if(ldns_rr_list_rr_count(ds) > 0) { - ubds = ub_packed_rrset_heap_key(ds); - if(!ubds) + if(assemble_iterate_hasfirst(assemble_iterate_ds, tp->autr->keys)) { + ubds = ub_packed_rrset_heap_key( + assemble_iterate_ds, tp->autr->keys); + if(!ubds) goto error_cleanup; - ubds->entry.data = packed_rrset_heap_data(ds); + ubds->entry.data = packed_rrset_heap_data( + assemble_iterate_ds, tp->autr->keys); if(!ubds->entry.data) goto error_cleanup; } - if(ldns_rr_list_rr_count(dnskey) > 0) { - ubdnskey = ub_packed_rrset_heap_key(dnskey); + + /* make packed DNSKEY data */ + if(assemble_iterate_hasfirst(assemble_iterate_dnskey, tp->autr->keys)) { + ubdnskey = ub_packed_rrset_heap_key( + assemble_iterate_dnskey, tp->autr->keys); if(!ubdnskey) goto error_cleanup; - ubdnskey->entry.data = packed_rrset_heap_data(dnskey); + ubdnskey->entry.data = packed_rrset_heap_data( + assemble_iterate_dnskey, tp->autr->keys); if(!ubdnskey->entry.data) { error_cleanup: autr_rrset_delete(ubds); autr_rrset_delete(ubdnskey); - ldns_rr_list_free(ds); - ldns_rr_list_free(dnskey); return 0; } } + /* we have prepared the new keys so nothing can go wrong any more. * And we are sure we cannot be left without trustanchor after * any errors. Put in the new keys and remove old ones. */ @@ -573,11 +782,10 @@ autr_assemble(struct trust_anchor* tp) /* assign the data to replace the old */ tp->ds_rrset = ubds; tp->dnskey_rrset = ubdnskey; - tp->numDS = ldns_rr_list_rr_count(ds); - tp->numDNSKEY = ldns_rr_list_rr_count(dnskey); - - ldns_rr_list_free(ds); - ldns_rr_list_free(dnskey); + tp->numDS = assemble_iterate_count(assemble_iterate_ds, + tp->autr->keys); + tp->numDNSKEY = assemble_iterate_count(assemble_iterate_dnskey, + tp->autr->keys); return 1; } @@ -601,27 +809,28 @@ parse_id(struct val_anchors* anchors, char* line) { struct trust_anchor *tp; int r; - ldns_rdf* rdf; uint16_t dclass; + uint8_t* dname; + size_t dname_len; /* read the owner name */ char* next = strchr(line, ' '); if(!next) return NULL; next[0] = 0; - rdf = ldns_dname_new_frm_str(line); - if(!rdf) + dname = sldns_str2wire_dname(line, &dname_len); + if(!dname) return NULL; /* read the class */ dclass = parse_int(next+1, &r); if(r == -1) { - ldns_rdf_deep_free(rdf); + free(dname); return NULL; } /* find the trust point */ - tp = autr_tp_create(anchors, rdf, dclass); - ldns_rdf_deep_free(rdf); + tp = autr_tp_create(anchors, dname, dname_len, dclass); + free(dname); return tp; } @@ -690,17 +899,19 @@ parse_var_line(char* line, struct val_anchors* anchors, /** handle origin lines */ static int -handle_origin(char* line, ldns_rdf** origin) +handle_origin(char* line, uint8_t** origin, size_t* origin_len) { + size_t len = 0; while(isspace((int)*line)) line++; if(strncmp(line, "$ORIGIN", 7) != 0) return 0; - ldns_rdf_deep_free(*origin); + free(*origin); line += 7; while(isspace((int)*line)) line++; - *origin = ldns_dname_new_frm_str(line); + *origin = sldns_str2wire_dname(line, &len); + *origin_len = len; if(!*origin) log_warn("malloc failure or parse error in $ORIGIN"); return 1; @@ -781,7 +992,8 @@ int autr_read_file(struct val_anchors* anchors, const char* nm) struct trust_anchor *tp = NULL, *tp2; int r; /* for $ORIGIN parsing */ - ldns_rdf *origin=NULL, *prev=NULL; + uint8_t *origin=NULL, *prev=NULL; + size_t origin_len=0, prev_len=0; if (!(fd = fopen(nm, "r"))) { log_err("unable to open %s for reading: %s", @@ -794,25 +1006,25 @@ int autr_read_file(struct val_anchors* anchors, const char* nm) log_err("could not parse auto-trust-anchor-file " "%s line %d", nm, line_nr); fclose(fd); - ldns_rdf_deep_free(origin); - ldns_rdf_deep_free(prev); + free(origin); + free(prev); return 0; } else if(r == 1) { continue; } else if(r == 2) { log_warn("trust anchor %s has been revoked", nm); fclose(fd); - ldns_rdf_deep_free(origin); - ldns_rdf_deep_free(prev); + free(origin); + free(prev); return 1; } if (!str_contains_data(line, ';')) continue; /* empty lines allowed */ - if(handle_origin(line, &origin)) + if(handle_origin(line, &origin, &origin_len)) continue; r = 0; - if(!(tp2=load_trustanchor(anchors, line, nm, origin, &prev, - &r))) { + if(!(tp2=load_trustanchor(anchors, line, nm, origin, + origin_len, &prev, &prev_len, &r))) { if(!r) log_err("failed to load trust anchor from %s " "at line %i, skipping", nm, line_nr); /* try to do the rest */ @@ -823,15 +1035,15 @@ int autr_read_file(struct val_anchors* anchors, const char* nm) "the file may only contain keys for one name, " "remove keys for other domain names", nm); fclose(fd); - ldns_rdf_deep_free(origin); - ldns_rdf_deep_free(prev); + free(origin); + free(prev); return 0; } tp = tp2; } fclose(fd); - ldns_rdf_deep_free(origin); - ldns_rdf_deep_free(prev); + free(origin); + free(prev); if(!tp) { log_err("failed to read %s", nm); return 0; @@ -865,41 +1077,24 @@ trustanchor_state2str(autr_state_t s) /** print ID to file */ static int -print_id(FILE* out, char* fname, struct module_env* env, - uint8_t* nm, size_t nmlen, uint16_t dclass) +print_id(FILE* out, char* fname, uint8_t* nm, size_t nmlen, uint16_t dclass) { - ldns_rdf rdf; -#ifdef UNBOUND_DEBUG - ldns_status s; -#endif - - memset(&rdf, 0, sizeof(rdf)); - ldns_rdf_set_data(&rdf, nm); - ldns_rdf_set_size(&rdf, nmlen); - ldns_rdf_set_type(&rdf, LDNS_RDF_TYPE_DNAME); - - ldns_buffer_clear(env->scratch_buffer); -#ifdef UNBOUND_DEBUG - s = -#else - (void) -#endif - ldns_rdf2buffer_str_dname(env->scratch_buffer, &rdf); - log_assert(s == LDNS_STATUS_OK); - ldns_buffer_write_u8(env->scratch_buffer, 0); - ldns_buffer_flip(env->scratch_buffer); - if(fprintf(out, ";;id: %s %d\n", - (char*)ldns_buffer_begin(env->scratch_buffer), - (int)dclass) < 0) { + char* s = sldns_wire2str_dname(nm, nmlen); + if(!s) { + log_err("malloc failure in write to %s", fname); + return 0; + } + if(fprintf(out, ";;id: %s %d\n", s, (int)dclass) < 0) { log_err("could not write to %s: %s", fname, strerror(errno)); + free(s); return 0; } + free(s); return 1; } static int -autr_write_contents(FILE* out, char* fn, struct module_env* env, - struct trust_anchor* tp) +autr_write_contents(FILE* out, char* fn, struct trust_anchor* tp) { char tmi[32]; struct autr_ta* ta; @@ -921,7 +1116,7 @@ autr_write_contents(FILE* out, char* fn, struct module_env* env, return 0; } } - if(!print_id(out, fn, env, tp->name, tp->namelen, tp->dclass)) { + if(!print_id(out, fn, tp->name, tp->namelen, tp->dclass)) { return 0; } if(fprintf(out, ";;last_queried: %u ;;%s", @@ -949,9 +1144,10 @@ autr_write_contents(FILE* out, char* fn, struct module_env* env, if(ta->s == AUTR_STATE_REMOVED) continue; /* only store keys */ - if(ldns_rr_get_type(ta->rr) != LDNS_RR_TYPE_DNSKEY) + if(sldns_wirerr_get_type(ta->rr, ta->rr_len, ta->dname_len) + != LDNS_RR_TYPE_DNSKEY) continue; - str = ldns_rr2str(ta->rr); + str = sldns_wire2str_rr(ta->rr, ta->rr_len); if(!str || !str[0]) { free(str); log_err("malloc failure writing %s", fn); @@ -992,15 +1188,20 @@ void autr_write_file(struct module_env* env, struct trust_anchor* tp) tempf, strerror(errno)); return; } - if(!autr_write_contents(out, tempf, env, tp)) { + if(!autr_write_contents(out, tempf, tp)) { /* failed to write contents (completely) */ fclose(out); unlink(tempf); log_err("could not completely write: %s", fname); return; } + if(fclose(out) != 0) { + log_err("could not complete write: %s: %s", + fname, strerror(errno)); + unlink(tempf); + return; + } /* success; overwrite actual file */ - fclose(out); verbose(VERB_ALGO, "autotrust: replaced %s", fname); #ifdef UB_ON_WINDOWS (void)unlink(fname); /* windows does not replace file with rename() */ @@ -1036,19 +1237,25 @@ verify_dnskey(struct module_env* env, struct val_env* ve, return sec == sec_status_secure; } +static int32_t +rrsig_get_expiry(uint8_t* d, size_t len) +{ + /* rrsig: 2(rdlen), 2(type) 1(alg) 1(v) 4(origttl), then 4(expi), (4)incep) */ + if(len < 2+8+4) + return 0; + return sldns_read_uint32(d+2+8); +} + /** Find minimum expiration interval from signatures */ static time_t -min_expiry(struct module_env* env, ldns_rr_list* rrset) +min_expiry(struct module_env* env, struct packed_rrset_data* dd) { size_t i; int32_t t, r = 15 * 24 * 3600; /* 15 days max */ - for(i=0; i<ldns_rr_list_rr_count(rrset); i++) { - ldns_rr* rr = ldns_rr_list_rr(rrset, i); - if(ldns_rr_get_type(rr) != LDNS_RR_TYPE_RRSIG) - continue; - t = ldns_rdf2native_int32(ldns_rr_rrsig_expiration(rr)); + for(i=dd->count; i<dd->count+dd->rrsig_count; i++) { + t = rrsig_get_expiry(dd->rr_data[i], dd->rr_len[i]); if((int32_t)t - (int32_t)*env->now > 0) { - t -= *env->now; + t -= (int32_t)*env->now; if(t < r) r = t; } @@ -1092,131 +1299,92 @@ seen_revoked_trustanchor(struct autr_ta* ta, uint8_t revoked) static void revoke_dnskey(struct autr_ta* ta, int off) { - ldns_rdf* rdf; - uint16_t flags; - log_assert(ta && ta->rr); - if(ldns_rr_get_type(ta->rr) != LDNS_RR_TYPE_DNSKEY) + uint16_t flags; + uint8_t* data; + if(sldns_wirerr_get_type(ta->rr, ta->rr_len, ta->dname_len) != + LDNS_RR_TYPE_DNSKEY) return; - rdf = ldns_rr_dnskey_flags(ta->rr); - flags = ldns_read_uint16(ldns_rdf_data(rdf)); - + if(sldns_wirerr_get_rdatalen(ta->rr, ta->rr_len, ta->dname_len) < 2) + return; + data = sldns_wirerr_get_rdata(ta->rr, ta->rr_len, ta->dname_len); + flags = sldns_read_uint16(data); if (off && (flags&LDNS_KEY_REVOKE_KEY)) flags ^= LDNS_KEY_REVOKE_KEY; /* flip */ else flags |= LDNS_KEY_REVOKE_KEY; - ldns_write_uint16(ldns_rdf_data(rdf), flags); + sldns_write_uint16(data, flags); } -/** Compare two RR buffers skipping the REVOKED bit */ +/** Compare two RRs skipping the REVOKED bit. Pass rdata(no len) */ static int -ldns_rr_compare_wire_skip_revbit(ldns_buffer* rr1_buf, ldns_buffer* rr2_buf) -{ - size_t rr1_len, rr2_len, min_len, i, offset; - rr1_len = ldns_buffer_capacity(rr1_buf); - rr2_len = ldns_buffer_capacity(rr2_buf); - /* jump past dname (checked in earlier part) and especially past TTL */ - offset = 0; - while (offset < rr1_len && *ldns_buffer_at(rr1_buf, offset) != 0) - offset += *ldns_buffer_at(rr1_buf, offset) + 1; - /* jump to rdata section (PAST the rdata length field) */ - offset += 11; /* 0-dname-end + type + class + ttl + rdatalen */ - min_len = (rr1_len < rr2_len) ? rr1_len : rr2_len; +dnskey_compare_skip_revbit(uint8_t* a, size_t a_len, uint8_t* b, size_t b_len) +{ + size_t i; + if(a_len != b_len) + return -1; /* compare RRs RDATA byte for byte. */ - for(i = offset; i < min_len; i++) + for(i = 0; i < a_len; i++) { - uint8_t *rdf1, *rdf2; - rdf1 = ldns_buffer_at(rr1_buf, i); - rdf2 = ldns_buffer_at(rr2_buf, i); - if (i==(offset+1)) - { + uint8_t rdf1, rdf2; + rdf1 = a[i]; + rdf2 = b[i]; + if(i==1) { /* this is the second part of the flags field */ - *rdf1 = *rdf1 | LDNS_KEY_REVOKE_KEY; - *rdf2 = *rdf2 | LDNS_KEY_REVOKE_KEY; + rdf1 |= LDNS_KEY_REVOKE_KEY; + rdf2 |= LDNS_KEY_REVOKE_KEY; } - if (*rdf1 < *rdf2) return -1; - else if (*rdf1 > *rdf2) return 1; + if (rdf1 < rdf2) return -1; + else if (rdf1 > rdf2) return 1; } return 0; } -/** Compare two RRs skipping the REVOKED bit */ -static int -ldns_rr_compare_skip_revbit(const ldns_rr* rr1, const ldns_rr* rr2, int* result) -{ - size_t rr1_len, rr2_len; - ldns_buffer* rr1_buf; - ldns_buffer* rr2_buf; - *result = ldns_rr_compare_no_rdata(rr1, rr2); - if (*result == 0) - { - rr1_len = ldns_rr_uncompressed_size(rr1); - rr2_len = ldns_rr_uncompressed_size(rr2); - rr1_buf = ldns_buffer_new(rr1_len); - rr2_buf = ldns_buffer_new(rr2_len); - if(!rr1_buf || !rr2_buf) { - ldns_buffer_free(rr1_buf); - ldns_buffer_free(rr2_buf); - return 0; - } - if (ldns_rr2buffer_wire_canonical(rr1_buf, rr1, - LDNS_SECTION_ANY) != LDNS_STATUS_OK) - { - ldns_buffer_free(rr1_buf); - ldns_buffer_free(rr2_buf); - return 0; - } - if (ldns_rr2buffer_wire_canonical(rr2_buf, rr2, - LDNS_SECTION_ANY) != LDNS_STATUS_OK) { - ldns_buffer_free(rr1_buf); - ldns_buffer_free(rr2_buf); - return 0; - } - *result = ldns_rr_compare_wire_skip_revbit(rr1_buf, rr2_buf); - ldns_buffer_free(rr1_buf); - ldns_buffer_free(rr2_buf); - } - return 1; -} - - -/** compare two trust anchors */ +/** compare trust anchor with rdata, 0 if equal. Pass rdata(no len) */ static int -ta_compare(ldns_rr* a, ldns_rr* b, int* result) -{ - if (!a && !b) *result = 0; - else if (!a) *result = -1; - else if (!b) *result = 1; - else if (ldns_rr_get_type(a) != ldns_rr_get_type(b)) - *result = (int)ldns_rr_get_type(a) - (int)ldns_rr_get_type(b); - else if (ldns_rr_get_type(a) == LDNS_RR_TYPE_DNSKEY) { - if(!ldns_rr_compare_skip_revbit(a, b, result)) - return 0; +ta_compare(struct autr_ta* a, uint16_t t, uint8_t* b, size_t b_len) +{ + if(!a) return -1; + else if(!b) return -1; + else if(sldns_wirerr_get_type(a->rr, a->rr_len, a->dname_len) != t) + return (int)sldns_wirerr_get_type(a->rr, a->rr_len, + a->dname_len) - (int)t; + else if(t == LDNS_RR_TYPE_DNSKEY) { + return dnskey_compare_skip_revbit( + sldns_wirerr_get_rdata(a->rr, a->rr_len, a->dname_len), + sldns_wirerr_get_rdatalen(a->rr, a->rr_len, + a->dname_len), b, b_len); + } + else if(t == LDNS_RR_TYPE_DS) { + if(sldns_wirerr_get_rdatalen(a->rr, a->rr_len, a->dname_len) != + b_len) + return -1; + return memcmp(sldns_wirerr_get_rdata(a->rr, + a->rr_len, a->dname_len), b, b_len); } - else if (ldns_rr_get_type(a) == LDNS_RR_TYPE_DS) - *result = ldns_rr_compare(a, b); - else *result = -1; - return 1; + return -1; } /** * Find key * @param tp: to search in - * @param rr: to look for + * @param t: rr type of the rdata. + * @param rdata: to look for (no rdatalen in it) + * @param rdata_len: length of rdata * @param result: returns NULL or the ta key looked for. * @return false on malloc failure during search. if true examine result. */ static int -find_key(struct trust_anchor* tp, ldns_rr* rr, struct autr_ta** result) +find_key(struct trust_anchor* tp, uint16_t t, uint8_t* rdata, size_t rdata_len, + struct autr_ta** result) { struct autr_ta* ta; - int ret; - if(!tp || !rr) + if(!tp || !rdata) { + *result = NULL; return 0; + } for(ta=tp->autr->keys; ta; ta=ta->next) { - if(!ta_compare(ta->rr, rr, &ret)) - return 0; - if(ret == 0) { + if(ta_compare(ta, t, rdata, rdata_len) == 0) { *result = ta; return 1; } @@ -1225,17 +1393,30 @@ find_key(struct trust_anchor* tp, ldns_rr* rr, struct autr_ta** result) return 1; } -/** add key and clone RR and tp already locked */ +/** add key and clone RR and tp already locked. rdata without rdlen. */ static struct autr_ta* -add_key(struct trust_anchor* tp, ldns_rr* rr) +add_key(struct trust_anchor* tp, uint32_t ttl, uint8_t* rdata, size_t rdata_len) { - ldns_rr* c; struct autr_ta* ta; - c = ldns_rr_clone(rr); - if(!c) return NULL; - ta = autr_ta_create(c); + uint8_t* rr; + size_t rr_len, dname_len; + uint16_t rrtype = htons(LDNS_RR_TYPE_DNSKEY); + uint16_t rrclass = htons(LDNS_RR_CLASS_IN); + uint16_t rdlen = htons(rdata_len); + dname_len = tp->namelen; + ttl = htonl(ttl); + rr_len = dname_len + 10 /* type,class,ttl,rdatalen */ + rdata_len; + rr = (uint8_t*)malloc(rr_len); + if(!rr) return NULL; + memmove(rr, tp->name, tp->namelen); + memmove(rr+dname_len, &rrtype, 2); + memmove(rr+dname_len+2, &rrclass, 2); + memmove(rr+dname_len+4, &ttl, 4); + memmove(rr+dname_len+8, &rdlen, 2); + memmove(rr+dname_len+10, rdata, rdata_len); + ta = autr_ta_create(rr, rr_len, dname_len); if(!ta) { - ldns_rr_free(c); + /* rr freed in autr_ta_create */ return NULL; } /* link in, tp already locked */ @@ -1308,21 +1489,19 @@ check_contains_revoked(struct module_env* env, struct val_env* ve, struct trust_anchor* tp, struct ub_packed_rrset_key* dnskey_rrset, int* changed) { - ldns_rr_list* r = packed_rrset_to_rr_list(dnskey_rrset, - env->scratch_buffer); + struct packed_rrset_data* dd = (struct packed_rrset_data*) + dnskey_rrset->entry.data; size_t i; - if(!r) { - log_err("malloc failure"); - return; - } - for(i=0; i<ldns_rr_list_rr_count(r); i++) { - ldns_rr* rr = ldns_rr_list_rr(r, i); + log_assert(ntohs(dnskey_rrset->rk.type) == LDNS_RR_TYPE_DNSKEY); + for(i=0; i<dd->count; i++) { struct autr_ta* ta = NULL; - if(ldns_rr_get_type(rr) != LDNS_RR_TYPE_DNSKEY) - continue; - if(!rr_is_dnskey_sep(rr) || !rr_is_dnskey_revoked(rr)) + if(!rr_is_dnskey_sep(ntohs(dnskey_rrset->rk.type), + dd->rr_data[i]+2, dd->rr_len[i]-2) || + !rr_is_dnskey_revoked(ntohs(dnskey_rrset->rk.type), + dd->rr_data[i]+2, dd->rr_len[i]-2)) continue; /* not a revoked KSK */ - if(!find_key(tp, rr, &ta)) { + if(!find_key(tp, ntohs(dnskey_rrset->rk.type), + dd->rr_data[i]+2, dd->rr_len[i]-2, &ta)) { log_err("malloc failure"); continue; /* malloc fail in compare*/ } @@ -1330,8 +1509,18 @@ check_contains_revoked(struct module_env* env, struct val_env* ve, continue; /* key not found */ if(rr_is_selfsigned_revoked(env, ve, dnskey_rrset, i)) { /* checked if there is an rrsig signed by this key. */ - log_assert(dnskey_calc_keytag(dnskey_rrset, i) == - ldns_calc_keytag(rr)); /* checks conversion*/ + /* same keytag, but stored can be revoked already, so + * compare keytags, with +0 or +128(REVOKE flag) */ + log_assert(dnskey_calc_keytag(dnskey_rrset, i)-128 == + sldns_calc_keytag_raw(sldns_wirerr_get_rdata( + ta->rr, ta->rr_len, ta->dname_len), + sldns_wirerr_get_rdatalen(ta->rr, ta->rr_len, + ta->dname_len)) || + dnskey_calc_keytag(dnskey_rrset, i) == + sldns_calc_keytag_raw(sldns_wirerr_get_rdata( + ta->rr, ta->rr_len, ta->dname_len), + sldns_wirerr_get_rdatalen(ta->rr, ta->rr_len, + ta->dname_len))); /* checks conversion*/ verbose_key(ta, VERB_ALGO, "is self-signed revoked"); if(!ta->revoked) *changed = 1; @@ -1339,7 +1528,6 @@ check_contains_revoked(struct module_env* env, struct val_env* ve, do_revoked(env, ta, changed); } } - ldns_rr_list_deep_free(r); } /** See if a DNSKEY is verified by one of the DSes */ @@ -1386,20 +1574,18 @@ update_events(struct module_env* env, struct val_env* ve, struct trust_anchor* tp, struct ub_packed_rrset_key* dnskey_rrset, int* changed) { - ldns_rr_list* r = packed_rrset_to_rr_list(dnskey_rrset, - env->scratch_buffer); + struct packed_rrset_data* dd = (struct packed_rrset_data*) + dnskey_rrset->entry.data; size_t i; - if(!r) - return 0; + log_assert(ntohs(dnskey_rrset->rk.type) == LDNS_RR_TYPE_DNSKEY); init_events(tp); - for(i=0; i<ldns_rr_list_rr_count(r); i++) { - ldns_rr* rr = ldns_rr_list_rr(r, i); + for(i=0; i<dd->count; i++) { struct autr_ta* ta = NULL; - if(ldns_rr_get_type(rr) != LDNS_RR_TYPE_DNSKEY) - continue; - if(!rr_is_dnskey_sep(rr)) + if(!rr_is_dnskey_sep(ntohs(dnskey_rrset->rk.type), + dd->rr_data[i]+2, dd->rr_len[i]-2)) continue; - if(rr_is_dnskey_revoked(rr)) { + if(rr_is_dnskey_revoked(ntohs(dnskey_rrset->rk.type), + dd->rr_data[i]+2, dd->rr_len[i]-2)) { /* self-signed revoked keys already detected before, * other revoked keys are not 'added' again */ continue; @@ -1415,12 +1601,13 @@ update_events(struct module_env* env, struct val_env* ve, } /* is it new? if revocation bit set, find the unrevoked key */ - if(!find_key(tp, rr, &ta)) { - ldns_rr_list_deep_free(r); /* malloc fail in compare*/ + if(!find_key(tp, ntohs(dnskey_rrset->rk.type), + dd->rr_data[i]+2, dd->rr_len[i]-2, &ta)) { return 0; } if(!ta) { - ta = add_key(tp, rr); + ta = add_key(tp, (uint32_t)dd->rr_ttl[i], + dd->rr_data[i]+2, dd->rr_len[i]-2); *changed = 1; /* first time seen, do we have DSes? if match: VALID */ if(ta && tp->ds_rrset && key_matches_a_ds(env, ve, @@ -1430,14 +1617,12 @@ update_events(struct module_env* env, struct val_env* ve, } } if(!ta) { - ldns_rr_list_deep_free(r); return 0; } seen_trustanchor(ta, 1); verbose_key(ta, VERB_ALGO, "in DNS response"); } - set_tp_times(tp, min_expiry(env, r), key_ttl(dnskey_rrset), changed); - ldns_rr_list_deep_free(r); + set_tp_times(tp, min_expiry(env, dd), key_ttl(dnskey_rrset), changed); return 1; } @@ -1463,7 +1648,7 @@ check_holddown(struct module_env* env, struct autr_ta* ta, if (elapsed > (time_t)holddown) { return elapsed-(time_t)holddown; } - verbose_key(ta, VERB_ALGO, "holddown time %lld seconds to go", + verbose_key(ta, VERB_ALGO, "holddown time " ARG_LL "d seconds to go", (long long) ((time_t)holddown-elapsed)); return 0; } @@ -1507,7 +1692,7 @@ do_addtime(struct module_env* env, struct autr_ta* anchor, int* c) time_t exceeded = check_holddown(env, anchor, env->cfg->add_holddown); if (exceeded && anchor->s == AUTR_STATE_ADDPEND) { verbose_key(anchor, VERB_ALGO, "add-holddown time exceeded " - "%lld seconds ago, and pending-count %d", + ARG_LL "d seconds ago, and pending-count %d", (long long)exceeded, anchor->pending_count); if(anchor->pending_count >= MIN_PENDINGCOUNT) { set_trustanchor_state(env, anchor, c, AUTR_STATE_VALID); @@ -1526,7 +1711,7 @@ do_remtime(struct module_env* env, struct autr_ta* anchor, int* c) time_t exceeded = check_holddown(env, anchor, env->cfg->del_holddown); if(exceeded && anchor->s == AUTR_STATE_REVOKED) { verbose_key(anchor, VERB_ALGO, "del-holddown time exceeded " - "%lld seconds ago", (long long)exceeded); + ARG_LL "d seconds ago", (long long)exceeded); set_trustanchor_state(env, anchor, c, AUTR_STATE_REMOVED); } } @@ -1628,16 +1813,17 @@ init_zsk_to_ksk(struct module_env* env, struct trust_anchor* tp, int* changed) int validksk = 0; for(anchor = tp->autr->keys; anchor; anchor = anchor->next) { /* last_change test makes sure it was manually configured */ - if (ldns_rr_get_type(anchor->rr) == LDNS_RR_TYPE_DNSKEY && + if(sldns_wirerr_get_type(anchor->rr, anchor->rr_len, + anchor->dname_len) == LDNS_RR_TYPE_DNSKEY && anchor->last_change == 0 && - !rr_is_dnskey_sep(anchor->rr) && + !ta_is_dnskey_sep(anchor) && anchor->s == AUTR_STATE_VALID) validzsk++; } if(validzsk == 0) return 0; for(anchor = tp->autr->keys; anchor; anchor = anchor->next) { - if (rr_is_dnskey_sep(anchor->rr) && + if (ta_is_dnskey_sep(anchor) && anchor->s == AUTR_STATE_ADDPEND) { verbose_key(anchor, VERB_ALGO, "trust KSK from " "ZSK(config)"); @@ -1660,7 +1846,7 @@ remove_missing_trustanchors(struct module_env* env, struct trust_anchor* tp, /* see if we have anchors that are valid */ for(anchor = tp->autr->keys; anchor; anchor = anchor->next) { /* Only do KSKs */ - if (!rr_is_dnskey_sep(anchor->rr)) + if (!ta_is_dnskey_sep(anchor)) continue; if (anchor->s == AUTR_STATE_VALID) valid++; @@ -1683,7 +1869,7 @@ remove_missing_trustanchors(struct module_env* env, struct trust_anchor* tp, if(anchor->s == AUTR_STATE_START) continue; /* remove ZSKs if a KSK is present */ - if (!rr_is_dnskey_sep(anchor->rr)) { + if (!ta_is_dnskey_sep(anchor)) { if(valid > 0) { verbose_key(anchor, VERB_ALGO, "remove ZSK " "[%d key(s) VALID]", valid); @@ -1703,7 +1889,7 @@ remove_missing_trustanchors(struct module_env* env, struct trust_anchor* tp, * one valid KSK: remove missing trust anchor */ if (exceeded && valid > 0) { verbose_key(anchor, VERB_ALGO, "keep-missing time " - "exceeded %lld seconds ago, [%d key(s) VALID]", + "exceeded " ARG_LL "d seconds ago, [%d key(s) VALID]", (long long)exceeded, valid); set_trustanchor_state(env, anchor, changed, AUTR_STATE_REMOVED); @@ -1718,7 +1904,7 @@ do_statetable(struct module_env* env, struct trust_anchor* tp, int* changed) struct autr_ta* anchor; for(anchor = tp->autr->keys; anchor; anchor = anchor->next) { /* Only do KSKs */ - if(!rr_is_dnskey_sep(anchor->rr)) + if(!ta_is_dnskey_sep(anchor)) continue; anchor_state_update(env, anchor, changed); } @@ -1732,7 +1918,7 @@ autr_holddown_exceed(struct module_env* env, struct trust_anchor* tp, int* c) { struct autr_ta* anchor; for(anchor = tp->autr->keys; anchor; anchor = anchor->next) { - if(rr_is_dnskey_sep(anchor->rr) && + if(ta_is_dnskey_sep(anchor) && anchor->s == AUTR_STATE_ADDPEND) do_addtime(env, anchor, c); } @@ -1748,10 +1934,11 @@ autr_cleanup_keys(struct trust_anchor* tp) while(p) { /* do we want to remove this key? */ if(p->s == AUTR_STATE_START || p->s == AUTR_STATE_REMOVED || - ldns_rr_get_type(p->rr) != LDNS_RR_TYPE_DNSKEY) { + sldns_wirerr_get_type(p->rr, p->rr_len, p->dname_len) + != LDNS_RR_TYPE_DNSKEY) { struct autr_ta* np = p->next; /* remove */ - ldns_rr_free(p->rr); + free(p->rr); free(p); /* snip and go to next item */ *prevp = np; @@ -1806,7 +1993,7 @@ reset_worker_timer(struct module_env* env) #endif tv.tv_usec = 0; comm_timer_set(env->probe_timer, &tv); - verbose(VERB_ALGO, "scheduled next probe in %lld sec", (long long)tv.tv_sec); + verbose(VERB_ALGO, "scheduled next probe in " ARG_LL "d sec", (long long)tv.tv_sec); } /** set next probe for trust anchor */ @@ -2023,7 +2210,7 @@ static void autr_debug_print_ta(struct autr_ta* ta) { char buf[32]; - char* str = ldns_rr2str(ta->rr); + char* str = sldns_wire2str_rr(ta->rr, ta->rr_len); if(!str) { log_info("out of memory in debug_print_ta"); return; @@ -2049,20 +2236,11 @@ autr_debug_print_tp(struct trust_anchor* tp) log_info("trust point %s : %d", buf, (int)tp->dclass); log_info("assembled %d DS and %d DNSKEYs", (int)tp->numDS, (int)tp->numDNSKEY); - if(0) { /* turned off because it prints to stderr */ - ldns_buffer* bf = ldns_buffer_new(70000); - ldns_rr_list* list; - if(tp->ds_rrset) { - list = packed_rrset_to_rr_list(tp->ds_rrset, bf); - ldns_rr_list_print(stderr, list); - ldns_rr_list_deep_free(list); - } - if(tp->dnskey_rrset) { - list = packed_rrset_to_rr_list(tp->dnskey_rrset, bf); - ldns_rr_list_print(stderr, list); - ldns_rr_list_deep_free(list); - } - ldns_buffer_free(bf); + if(tp->ds_rrset) { + log_packed_rrset(0, "DS:", tp->ds_rrset); + } + if(tp->dnskey_rrset) { + log_packed_rrset(0, "DNSKEY:", tp->dnskey_rrset); } log_info("file %s", tp->autr->file); ctime_r(&tp->autr->last_queried, buf); @@ -2098,7 +2276,7 @@ autr_debug_print(struct val_anchors* anchors) } void probe_answer_cb(void* arg, int ATTR_UNUSED(rcode), - ldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(sec), + sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus)) { /* retry was set before the query was done, @@ -2123,7 +2301,7 @@ probe_anchor(struct module_env* env, struct trust_anchor* tp) struct query_info qinfo; uint16_t qflags = BIT_RD; struct edns_data edns; - ldns_buffer* buf = env->scratch_buffer; + sldns_buffer* buf = env->scratch_buffer; qinfo.qname = regional_alloc_init(env->scratch, tp->name, tp->namelen); if(!qinfo.qname) { log_err("out of memory making 5011 probe"); @@ -2139,8 +2317,8 @@ probe_anchor(struct module_env* env, struct trust_anchor* tp) edns.ext_rcode = 0; edns.edns_version = 0; edns.bits = EDNS_DO; - if(ldns_buffer_capacity(buf) < 65535) - edns.udp_size = (uint16_t)ldns_buffer_capacity(buf); + if(sldns_buffer_capacity(buf) < 65535) + edns.udp_size = (uint16_t)sldns_buffer_capacity(buf); else edns.udp_size = 65535; /* can't hold the lock while mesh_run is processing */ diff --git a/validator/autotrust.h b/validator/autotrust.h index 193135cb66e68..ae61f8a872b4f 100644 --- a/validator/autotrust.h +++ b/validator/autotrust.h @@ -21,16 +21,16 @@ * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /** @@ -48,6 +48,7 @@ struct trust_anchor; struct ub_packed_rrset_key; struct module_env; struct val_env; +struct sldns_buffer; /** Autotrust anchor states */ typedef enum { @@ -66,7 +67,9 @@ struct autr_ta { /** next key */ struct autr_ta* next; /** the RR */ - ldns_rr* rr; + uint8_t* rr; + /** length of rr */ + size_t rr_len, dname_len; /** last update of key state (new pending count keeps date the same) */ time_t last_change; /** 5011 state */ @@ -199,7 +202,7 @@ int autr_process_prime(struct module_env* env, struct val_env* ve, void autr_debug_print(struct val_anchors* anchors); /** callback for query answer to 5011 probe */ -void probe_answer_cb(void* arg, int rcode, ldns_buffer* buf, +void probe_answer_cb(void* arg, int rcode, struct sldns_buffer* buf, enum sec_status sec, char* errinf); #endif /* VALIDATOR_AUTOTRUST_H */ diff --git a/validator/val_anchor.c b/validator/val_anchor.c index e710f2f24083a..a4adfe2d9ddee 100644 --- a/validator/val_anchor.c +++ b/validator/val_anchor.c @@ -21,16 +21,16 @@ * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /** @@ -40,8 +40,6 @@ */ #include "config.h" #include <ctype.h> -#include <ldns/dname.h> -#include <ldns/host2wire.h> #include "validator/val_anchor.h" #include "validator/val_sigcrypt.h" #include "validator/autotrust.h" @@ -50,6 +48,9 @@ #include "util/log.h" #include "util/net_help.h" #include "util/config_file.h" +#include "ldns/sbuffer.h" +#include "ldns/rrdef.h" +#include "ldns/str2wire.h" #ifdef HAVE_GLOB_H #include <glob.h> #endif @@ -346,36 +347,26 @@ anchor_store_new_key(struct val_anchors* anchors, uint8_t* name, uint16_t type, /** * Add new RR. It converts ldns RR to wire format. * @param anchors: anchor storage. - * @param buffer: parsing buffer. - * @param rr: the rr (allocated by caller). + * @param rr: the wirerr. + * @param rl: length of rr. + * @param dl: length of dname. * @return NULL on error, else the trust anchor. */ static struct trust_anchor* -anchor_store_new_rr(struct val_anchors* anchors, ldns_buffer* buffer, - ldns_rr* rr) +anchor_store_new_rr(struct val_anchors* anchors, uint8_t* rr, size_t rl, + size_t dl) { struct trust_anchor* ta; - ldns_rdf* owner = ldns_rr_owner(rr); - ldns_status status; - ldns_buffer_clear(buffer); - ldns_buffer_skip(buffer, 2); /* skip rdatalen */ - status = ldns_rr_rdata2buffer_wire(buffer, rr); - if(status != LDNS_STATUS_OK) { - log_err("error converting trustanchor to wireformat: %s", - ldns_get_errorstr_by_id(status)); - return NULL; - } - ldns_buffer_flip(buffer); - ldns_buffer_write_u16_at(buffer, 0, ldns_buffer_limit(buffer) - 2); - - if(!(ta=anchor_store_new_key(anchors, ldns_rdf_data(owner), - ldns_rr_get_type(rr), ldns_rr_get_class(rr), - ldns_buffer_begin(buffer), ldns_buffer_limit(buffer)))) { + if(!(ta=anchor_store_new_key(anchors, rr, + sldns_wirerr_get_type(rr, rl, dl), + sldns_wirerr_get_class(rr, rl, dl), + sldns_wirerr_get_rdatawl(rr, rl, dl), + sldns_wirerr_get_rdatalen(rr, rl, dl)+2))) { return NULL; } log_nametypeclass(VERB_QUERY, "adding trusted key", - ldns_rdf_data(owner), - ldns_rr_get_type(rr), ldns_rr_get_class(rr)); + rr, sldns_wirerr_get_type(rr, rl, dl), + sldns_wirerr_get_class(rr, rl, dl)); return ta; } @@ -389,36 +380,37 @@ static struct trust_anchor* anchor_insert_insecure(struct val_anchors* anchors, const char* str) { struct trust_anchor* ta; - ldns_rdf* nm = ldns_dname_new_frm_str(str); + size_t dname_len = 0; + uint8_t* nm = sldns_str2wire_dname(str, &dname_len); if(!nm) { log_err("parse error in domain name '%s'", str); return NULL; } - ta = anchor_store_new_key(anchors, ldns_rdf_data(nm), LDNS_RR_TYPE_DS, + ta = anchor_store_new_key(anchors, nm, LDNS_RR_TYPE_DS, LDNS_RR_CLASS_IN, NULL, 0); - ldns_rdf_deep_free(nm); + free(nm); return ta; } struct trust_anchor* -anchor_store_str(struct val_anchors* anchors, ldns_buffer* buffer, +anchor_store_str(struct val_anchors* anchors, sldns_buffer* buffer, const char* str) { struct trust_anchor* ta; - ldns_rr* rr = NULL; - ldns_status status = ldns_rr_new_frm_str(&rr, str, 0, NULL, NULL); - if(status != LDNS_STATUS_OK) { - log_err("error parsing trust anchor: %s", - ldns_get_errorstr_by_id(status)); - ldns_rr_free(rr); + uint8_t* rr = sldns_buffer_begin(buffer); + size_t len = sldns_buffer_capacity(buffer), dname_len = 0; + int status = sldns_str2wire_rr_buf(str, rr, &len, &dname_len, + 0, NULL, 0, NULL, 0); + if(status != 0) { + log_err("error parsing trust anchor %s: at %d: %s", + str, LDNS_WIREPARSE_OFFSET(status), + sldns_get_errorstr_parse(status)); return NULL; } - if(!(ta=anchor_store_new_rr(anchors, buffer, rr))) { + if(!(ta=anchor_store_new_rr(anchors, rr, len, dname_len))) { log_err("out of memory"); - ldns_rr_free(rr); return NULL; } - ldns_rr_free(rr); return ta; } @@ -431,44 +423,43 @@ anchor_store_str(struct val_anchors* anchors, ldns_buffer* buffer, * @return NULL on error. Else last trust-anchor point. */ static struct trust_anchor* -anchor_read_file(struct val_anchors* anchors, ldns_buffer* buffer, +anchor_read_file(struct val_anchors* anchors, sldns_buffer* buffer, const char* fname, int onlyone) { struct trust_anchor* ta = NULL, *tanew; - uint32_t default_ttl = 3600; - ldns_rdf* origin = NULL, *prev = NULL; - int line_nr = 1; - ldns_status status; - ldns_rr* rr; + struct sldns_file_parse_state pst; + int status; + size_t len, dname_len; + uint8_t* rr = sldns_buffer_begin(buffer); int ok = 1; FILE* in = fopen(fname, "r"); if(!in) { log_err("error opening file %s: %s", fname, strerror(errno)); return 0; } + memset(&pst, 0, sizeof(pst)); + pst.default_ttl = 3600; + pst.lineno = 1; while(!feof(in)) { - rr = NULL; - status = ldns_rr_new_frm_fp_l(&rr, in, &default_ttl, &origin, - &prev, &line_nr); - if(status == LDNS_STATUS_SYNTAX_EMPTY /* empty line */ - || status == LDNS_STATUS_SYNTAX_TTL /* $TTL */ - || status == LDNS_STATUS_SYNTAX_ORIGIN /* $ORIGIN */) + len = sldns_buffer_capacity(buffer); + dname_len = 0; + status = sldns_fp2wire_rr_buf(in, rr, &len, &dname_len, &pst); + if(len == 0) /* empty, $TTL, $ORIGIN */ continue; - if(status != LDNS_STATUS_OK) { - log_err("parse error in %s:%d : %s", fname, line_nr, - ldns_get_errorstr_by_id(status)); - ldns_rr_free(rr); + if(status != 0) { + log_err("parse error in %s:%d:%d : %s", fname, + pst.lineno, LDNS_WIREPARSE_OFFSET(status), + sldns_get_errorstr_parse(status)); ok = 0; break; } - if(ldns_rr_get_type(rr) != LDNS_RR_TYPE_DS && - ldns_rr_get_type(rr) != LDNS_RR_TYPE_DNSKEY) { - ldns_rr_free(rr); + if(sldns_wirerr_get_type(rr, len, dname_len) != + LDNS_RR_TYPE_DS && sldns_wirerr_get_type(rr, len, + dname_len) != LDNS_RR_TYPE_DNSKEY) { continue; } - if(!(tanew=anchor_store_new_rr(anchors, buffer, rr))) { - log_err("error at %s line %d", fname, line_nr); - ldns_rr_free(rr); + if(!(tanew=anchor_store_new_rr(anchors, rr, len, dname_len))) { + log_err("mem error at %s line %d", fname, pst.lineno); ok = 0; break; } @@ -476,16 +467,12 @@ anchor_read_file(struct val_anchors* anchors, ldns_buffer* buffer, log_err("error at %s line %d: no multiple anchor " "domains allowed (you can have multiple " "keys, but they must have the same name).", - fname, line_nr); - ldns_rr_free(rr); + fname, pst.lineno); ok = 0; break; } ta = tanew; - ldns_rr_free(rr); } - ldns_rdf_deep_free(origin); - ldns_rdf_deep_free(prev); fclose(in); if(!ok) return NULL; /* empty file is OK when multiple anchors are allowed */ @@ -540,7 +527,7 @@ is_bind_special(int c) * 0 on end of file. */ static int -readkeyword_bindfile(FILE* in, ldns_buffer* buf, int* line, int comments) +readkeyword_bindfile(FILE* in, sldns_buffer* buf, int* line, int comments) { int c; int numdone = 0; @@ -550,17 +537,17 @@ readkeyword_bindfile(FILE* in, ldns_buffer* buf, int* line, int comments) (*line)++; continue; } else if(comments && c=='/' && numdone>0 && /* /_/ bla*/ - ldns_buffer_read_u8_at(buf, - ldns_buffer_position(buf)-1) == '/') { - ldns_buffer_skip(buf, -1); + sldns_buffer_read_u8_at(buf, + sldns_buffer_position(buf)-1) == '/') { + sldns_buffer_skip(buf, -1); numdone--; skip_to_eol(in); (*line)++; continue; } else if(comments && c=='*' && numdone>0 && /* /_* bla *_/ */ - ldns_buffer_read_u8_at(buf, - ldns_buffer_position(buf)-1) == '/') { - ldns_buffer_skip(buf, -1); + sldns_buffer_read_u8_at(buf, + sldns_buffer_position(buf)-1) == '/') { + sldns_buffer_skip(buf, -1); numdone--; /* skip to end of comment */ while(c != EOF && (c=getc(in)) != EOF ) { @@ -590,10 +577,10 @@ readkeyword_bindfile(FILE* in, ldns_buffer* buf, int* line, int comments) (*line)++; } /* space for 1 char + 0 string terminator */ - if(ldns_buffer_remaining(buf) < 2) { + if(sldns_buffer_remaining(buf) < 2) { fatal_exit("trusted-keys, %d, string too long", *line); } - ldns_buffer_write_u8(buf, (uint8_t)c); + sldns_buffer_write_u8(buf, (uint8_t)c); numdone++; if(isspace(c)) { /* collate whitespace into ' ' */ @@ -615,17 +602,17 @@ readkeyword_bindfile(FILE* in, ldns_buffer* buf, int* line, int comments) /** skip through file to { or ; */ static int -skip_to_special(FILE* in, ldns_buffer* buf, int* line, int spec) +skip_to_special(FILE* in, sldns_buffer* buf, int* line, int spec) { int rdlen; - ldns_buffer_clear(buf); + sldns_buffer_clear(buf); while((rdlen=readkeyword_bindfile(in, buf, line, 1))) { - if(rdlen == 1 && isspace((int)*ldns_buffer_begin(buf))) { - ldns_buffer_clear(buf); + if(rdlen == 1 && isspace((int)*sldns_buffer_begin(buf))) { + sldns_buffer_clear(buf); continue; } - if(rdlen != 1 || *ldns_buffer_begin(buf) != (uint8_t)spec) { - ldns_buffer_write_u8(buf, 0); + if(rdlen != 1 || *sldns_buffer_begin(buf) != (uint8_t)spec) { + sldns_buffer_write_u8(buf, 0); log_err("trusted-keys, line %d, expected %c", *line, spec); return 0; @@ -645,7 +632,7 @@ skip_to_special(FILE* in, ldns_buffer* buf, int* line, int spec) * @return 0 on error. */ static int -process_bind_contents(struct val_anchors* anchors, ldns_buffer* buf, +process_bind_contents(struct val_anchors* anchors, sldns_buffer* buf, int* line, FILE* in) { /* loop over contents, collate strings before ; */ @@ -658,41 +645,41 @@ process_bind_contents(struct val_anchors* anchors, ldns_buffer* buf, int comments = 1; int rdlen; char* str = 0; - ldns_buffer_clear(buf); + sldns_buffer_clear(buf); while((rdlen=readkeyword_bindfile(in, buf, line, comments))) { - if(rdlen == 1 && ldns_buffer_position(buf) == 1 - && isspace((int)*ldns_buffer_begin(buf))) { + if(rdlen == 1 && sldns_buffer_position(buf) == 1 + && isspace((int)*sldns_buffer_begin(buf))) { /* starting whitespace is removed */ - ldns_buffer_clear(buf); + sldns_buffer_clear(buf); continue; - } else if(rdlen == 1 && ldns_buffer_current(buf)[-1] == '"') { + } else if(rdlen == 1 && sldns_buffer_current(buf)[-1] == '"') { /* remove " from the string */ if(contnum == 0) { quoted = 1; comments = 0; } - ldns_buffer_skip(buf, -1); + sldns_buffer_skip(buf, -1); if(contnum > 0 && quoted) { - if(ldns_buffer_remaining(buf) < 8+1) { + if(sldns_buffer_remaining(buf) < 8+1) { log_err("line %d, too long", *line); return 0; } - ldns_buffer_write(buf, " DNSKEY ", 8); + sldns_buffer_write(buf, " DNSKEY ", 8); quoted = 0; comments = 1; } else if(contnum > 0) comments = !comments; continue; - } else if(rdlen == 1 && ldns_buffer_current(buf)[-1] == ';') { + } else if(rdlen == 1 && sldns_buffer_current(buf)[-1] == ';') { if(contnum < 5) { - ldns_buffer_write_u8(buf, 0); + sldns_buffer_write_u8(buf, 0); log_err("line %d, bad key", *line); return 0; } - ldns_buffer_skip(buf, -1); - ldns_buffer_write_u8(buf, 0); - str = strdup((char*)ldns_buffer_begin(buf)); + sldns_buffer_skip(buf, -1); + sldns_buffer_write_u8(buf, 0); + str = strdup((char*)sldns_buffer_begin(buf)); if(!str) { log_err("line %d, allocation failure", *line); return 0; @@ -703,30 +690,30 @@ process_bind_contents(struct val_anchors* anchors, ldns_buffer* buf, return 0; } free(str); - ldns_buffer_clear(buf); + sldns_buffer_clear(buf); contnum = 0; quoted = 0; comments = 1; continue; - } else if(rdlen == 1 && ldns_buffer_current(buf)[-1] == '}') { + } else if(rdlen == 1 && sldns_buffer_current(buf)[-1] == '}') { if(contnum > 0) { - ldns_buffer_write_u8(buf, 0); + sldns_buffer_write_u8(buf, 0); log_err("line %d, bad key before }", *line); return 0; } return 1; } else if(rdlen == 1 && - isspace((int)ldns_buffer_current(buf)[-1])) { + isspace((int)sldns_buffer_current(buf)[-1])) { /* leave whitespace here */ } else { /* not space or whatnot, so actual content */ contnum ++; if(contnum == 1 && !quoted) { - if(ldns_buffer_remaining(buf) < 8+1) { + if(sldns_buffer_remaining(buf) < 8+1) { log_err("line %d, too long", *line); return 0; } - ldns_buffer_write(buf, " DNSKEY ", 8); + sldns_buffer_write(buf, " DNSKEY ", 8); } } } @@ -743,7 +730,7 @@ process_bind_contents(struct val_anchors* anchors, ldns_buffer* buf, * @return false on error. */ static int -anchor_read_bind_file(struct val_anchors* anchors, ldns_buffer* buffer, +anchor_read_bind_file(struct val_anchors* anchors, sldns_buffer* buffer, const char* fname) { int line_nr = 1; @@ -755,11 +742,11 @@ anchor_read_bind_file(struct val_anchors* anchors, ldns_buffer* buffer, } verbose(VERB_QUERY, "reading in bind-compat-mode: '%s'", fname); /* scan for trusted-keys keyword, ignore everything else */ - ldns_buffer_clear(buffer); + sldns_buffer_clear(buffer); while((rdlen=readkeyword_bindfile(in, buffer, &line_nr, 1)) != 0) { - if(rdlen != 12 || strncmp((char*)ldns_buffer_begin(buffer), + if(rdlen != 12 || strncmp((char*)sldns_buffer_begin(buffer), "trusted-keys", 12) != 0) { - ldns_buffer_clear(buffer); + sldns_buffer_clear(buffer); /* ignore everything but trusted-keys */ continue; } @@ -779,7 +766,7 @@ anchor_read_bind_file(struct val_anchors* anchors, ldns_buffer* buffer, fclose(in); return 0; } - ldns_buffer_clear(buffer); + sldns_buffer_clear(buffer); } fclose(in); return 1; @@ -794,7 +781,7 @@ anchor_read_bind_file(struct val_anchors* anchors, ldns_buffer* buffer, * @return false on error. */ static int -anchor_read_bind_file_wild(struct val_anchors* anchors, ldns_buffer* buffer, +anchor_read_bind_file_wild(struct val_anchors* anchors, sldns_buffer* buffer, const char* pat) { #ifdef HAVE_GLOB @@ -1052,13 +1039,13 @@ anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg) { struct config_strlist* f; char* nm; - ldns_buffer* parsebuf = ldns_buffer_new(65535); + sldns_buffer* parsebuf = sldns_buffer_new(65535); for(f = cfg->domain_insecure; f; f = f->next) { if(!f->str || f->str[0] == 0) /* empty "" */ continue; if(!anchor_insert_insecure(anchors, f->str)) { log_err("error in domain-insecure: %s", f->str); - ldns_buffer_free(parsebuf); + sldns_buffer_free(parsebuf); return 0; } } @@ -1071,7 +1058,7 @@ anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg) nm += strlen(cfg->chrootdir); if(!anchor_read_file(anchors, parsebuf, nm, 0)) { log_err("error reading trust-anchor-file: %s", f->str); - ldns_buffer_free(parsebuf); + sldns_buffer_free(parsebuf); return 0; } } @@ -1084,7 +1071,7 @@ anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg) nm += strlen(cfg->chrootdir); if(!anchor_read_bind_file_wild(anchors, parsebuf, nm)) { log_err("error reading trusted-keys-file: %s", f->str); - ldns_buffer_free(parsebuf); + sldns_buffer_free(parsebuf); return 0; } } @@ -1093,7 +1080,7 @@ anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg) continue; if(!anchor_store_str(anchors, parsebuf, f->str)) { log_err("error in trust-anchor: \"%s\"", f->str); - ldns_buffer_free(parsebuf); + sldns_buffer_free(parsebuf); return 0; } } @@ -1107,7 +1094,7 @@ anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg) nm, 1))) { log_err("error reading dlv-anchor-file: %s", cfg->dlv_anchor_file); - ldns_buffer_free(parsebuf); + sldns_buffer_free(parsebuf); return 0; } lock_basic_lock(&anchors->lock); @@ -1121,7 +1108,7 @@ anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg) if(!(dlva = anchor_store_str( anchors, parsebuf, f->str))) { log_err("error in dlv-anchor: \"%s\"", f->str); - ldns_buffer_free(parsebuf); + sldns_buffer_free(parsebuf); return 0; } lock_basic_lock(&anchors->lock); @@ -1140,14 +1127,14 @@ anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg) if(!autr_read_file(anchors, nm)) { log_err("error reading auto-trust-anchor-file: %s", f->str); - ldns_buffer_free(parsebuf); + sldns_buffer_free(parsebuf); return 0; } } /* first assemble, since it may delete useless anchors */ anchors_assemble_rrsets(anchors); init_parents(anchors); - ldns_buffer_free(parsebuf); + sldns_buffer_free(parsebuf); if(verbosity >= VERB_ALGO) autr_debug_print(anchors); return 1; } @@ -1197,6 +1184,8 @@ anchors_get_mem(struct val_anchors* anchors) { struct trust_anchor *ta; size_t s = sizeof(*anchors); + if(!anchors) + return 0; RBTREE_FOR(ta, struct trust_anchor*, anchors->tree) { s += sizeof(*ta) + ta->namelen; /* keys and so on */ diff --git a/validator/val_anchor.h b/validator/val_anchor.h index 5a3ad409a83e3..4951b9996cb02 100644 --- a/validator/val_anchor.h +++ b/validator/val_anchor.h @@ -21,16 +21,16 @@ * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /** @@ -48,6 +48,7 @@ struct config_file; struct ub_packed_rrset_key; struct autr_point_data; struct autr_global_data; +struct sldns_buffer; /** * Trust anchor store. @@ -184,7 +185,7 @@ struct trust_anchor* anchor_find(struct val_anchors* anchors, * @return NULL on error. */ struct trust_anchor* anchor_store_str(struct val_anchors* anchors, - ldns_buffer* buffer, const char* str); + struct sldns_buffer* buffer, const char* str); /** * Get memory in use by the trust anchor storage diff --git a/validator/val_kcache.c b/validator/val_kcache.c index 6d4ad8f32a149..22070cc6a90ef 100644 --- a/validator/val_kcache.c +++ b/validator/val_kcache.c @@ -21,16 +21,16 @@ * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /** diff --git a/validator/val_kcache.h b/validator/val_kcache.h index 8f562109621a4..76c9dd094d1a3 100644 --- a/validator/val_kcache.h +++ b/validator/val_kcache.h @@ -21,16 +21,16 @@ * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /** diff --git a/validator/val_kentry.c b/validator/val_kentry.c index e9144838feb80..f99f18e894a11 100644 --- a/validator/val_kentry.c +++ b/validator/val_kentry.c @@ -21,16 +21,16 @@ * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /** @@ -39,13 +39,14 @@ * This file contains functions for dealing with validator key entries. */ #include "config.h" -#include <ldns/ldns.h> #include "validator/val_kentry.h" #include "util/data/packed_rrset.h" #include "util/data/dname.h" #include "util/storage/lookup3.h" #include "util/regional.h" #include "util/net_help.h" +#include "ldns/rrdef.h" +#include "ldns/keyraw.h" size_t key_entry_sizefunc(void* key, void* data) @@ -377,7 +378,7 @@ dnskey_get_keysize(struct packed_rrset_data* data, size_t idx) algo = (int)data->rr_data[idx][2+3]; pk = (unsigned char*)data->rr_data[idx]+2+4; pklen = (unsigned)data->rr_len[idx]-2-4; - return ldns_rr_dnskey_key_size_raw(pk, pklen, algo); + return sldns_rr_dnskey_key_size_raw(pk, pklen, algo); } /** get dnskey flags from data */ diff --git a/validator/val_kentry.h b/validator/val_kentry.h index 6a308f160f249..ade65571a57aa 100644 --- a/validator/val_kentry.h +++ b/validator/val_kentry.h @@ -21,16 +21,16 @@ * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /** diff --git a/validator/val_neg.c b/validator/val_neg.c index e8d9d56ad6fae..1d7a5c56e85fe 100644 --- a/validator/val_neg.c +++ b/validator/val_neg.c @@ -21,16 +21,16 @@ * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /** @@ -59,6 +59,8 @@ #include "util/config_file.h" #include "services/cache/rrset.h" #include "services/cache/dns.h" +#include "ldns/rrdef.h" +#include "ldns/sbuffer.h" int val_neg_data_compare(const void* a, const void* b) { @@ -1174,7 +1176,7 @@ grab_nsec(struct rrset_cache* rrset_cache, uint8_t* qname, size_t qname_len, /** find nsec3 closest encloser in neg cache */ static struct val_neg_data* neg_find_nsec3_ce(struct val_neg_zone* zone, uint8_t* qname, size_t qname_len, - int qlabs, ldns_buffer* buf, uint8_t* hashnc, size_t* nclen) + int qlabs, sldns_buffer* buf, uint8_t* hashnc, size_t* nclen) { struct val_neg_data* data; uint8_t hashce[NSEC3_SHA_LEN]; @@ -1257,7 +1259,7 @@ neg_nsec3_getnc(struct val_neg_zone* zone, uint8_t* hashnc, size_t nclen, /** neg cache nsec3 proof procedure*/ static struct dns_msg* neg_nsec3_proof_ds(struct val_neg_zone* zone, uint8_t* qname, size_t qname_len, - int qlabs, ldns_buffer* buf, struct rrset_cache* rrset_cache, + int qlabs, sldns_buffer* buf, struct rrset_cache* rrset_cache, struct regional* region, time_t now, uint8_t* topname) { struct dns_msg* msg; @@ -1388,7 +1390,7 @@ static int add_soa(struct rrset_cache* rrset_cache, time_t now, struct dns_msg* val_neg_getmsg(struct val_neg_cache* neg, struct query_info* qinfo, struct regional* region, struct rrset_cache* rrset_cache, - ldns_buffer* buf, time_t now, int addsoa, uint8_t* topname) + sldns_buffer* buf, time_t now, int addsoa, uint8_t* topname) { struct dns_msg* msg; struct ub_packed_rrset_key* rrset; diff --git a/validator/val_neg.h b/validator/val_neg.h index ec4f42f6ab7da..967d1a70f9c41 100644 --- a/validator/val_neg.h +++ b/validator/val_neg.h @@ -21,16 +21,16 @@ * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /** @@ -46,6 +46,7 @@ #define VALIDATOR_VAL_NEG_H #include "util/locks.h" #include "util/rbtree.h" +struct sldns_buffer; struct val_neg_data; struct config_file; struct reply_info; @@ -255,7 +256,7 @@ int val_neg_dlvlookup(struct val_neg_cache* neg, uint8_t* qname, size_t len, */ struct dns_msg* val_neg_getmsg(struct val_neg_cache* neg, struct query_info* qinfo, struct regional* region, - struct rrset_cache* rrset_cache, ldns_buffer* buf, time_t now, + struct rrset_cache* rrset_cache, struct sldns_buffer* buf, time_t now, int addsoa, uint8_t* topname); diff --git a/validator/val_nsec.c b/validator/val_nsec.c index e377ca4b9401d..bdfe3c8fa18f3 100644 --- a/validator/val_nsec.c +++ b/validator/val_nsec.c @@ -21,16 +21,16 @@ * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /** @@ -41,7 +41,6 @@ * for denial of existance, and proofs for presence of types. */ #include "config.h" -#include <ldns/packet.h> #include "validator/val_nsec.h" #include "validator/val_utils.h" #include "util/data/msgreply.h" diff --git a/validator/val_nsec.h b/validator/val_nsec.h index 2e86fa978f746..f680d08c0ae42 100644 --- a/validator/val_nsec.h +++ b/validator/val_nsec.h @@ -21,16 +21,16 @@ * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /** diff --git a/validator/val_nsec3.c b/validator/val_nsec3.c index 20580c0d755fc..fe5091c0a384c 100644 --- a/validator/val_nsec3.c +++ b/validator/val_nsec3.c @@ -21,16 +21,16 @@ * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /** @@ -62,18 +62,19 @@ #include "util/data/msgreply.h" /* we include nsec.h for the bitmap_has_type function */ #include "validator/val_nsec.h" +#include "ldns/sbuffer.h" /** * This function we get from ldns-compat or from base system * it returns the number of data bytes stored at the target, or <0 on error. */ -int ldns_b32_ntop_extended_hex(uint8_t const *src, size_t srclength, +int sldns_b32_ntop_extended_hex(uint8_t const *src, size_t srclength, char *target, size_t targsize); /** * This function we get from ldns-compat or from base system * it returns the number of data bytes stored at the target, or <0 on error. */ -int ldns_b32_pton_extended_hex(char const *src, size_t hashed_owner_str_len, +int sldns_b32_pton_extended_hex(char const *src, size_t hashed_owner_str_len, uint8_t *target, size_t targsize); /** @@ -259,7 +260,7 @@ size_t nsec3_hash_to_b32(uint8_t* hash, size_t hashlen, uint8_t* zone, int ret; if(max < hashlen*2+1) /* quick approx of b32, as if hexb16 */ return 0; - ret = ldns_b32_ntop_extended_hex(hash, hashlen, (char*)buf+1, max-1); + ret = sldns_b32_ntop_extended_hex(hash, hashlen, (char*)buf+1, max-1); if(ret < 1) return 0; buf[0] = (uint8_t)ret; /* length of b32 label */ @@ -534,16 +535,16 @@ nsec3_hash_cmp(const void* c1, const void* c2) } size_t -nsec3_get_hashed(ldns_buffer* buf, uint8_t* nm, size_t nmlen, int algo, +nsec3_get_hashed(sldns_buffer* buf, uint8_t* nm, size_t nmlen, int algo, size_t iter, uint8_t* salt, size_t saltlen, uint8_t* res, size_t max) { size_t i, hash_len; /* prepare buffer for first iteration */ - ldns_buffer_clear(buf); - ldns_buffer_write(buf, nm, nmlen); - query_dname_tolower(ldns_buffer_begin(buf)); - ldns_buffer_write(buf, salt, saltlen); - ldns_buffer_flip(buf); + sldns_buffer_clear(buf); + sldns_buffer_write(buf, nm, nmlen); + query_dname_tolower(sldns_buffer_begin(buf)); + sldns_buffer_write(buf, salt, saltlen); + sldns_buffer_flip(buf); switch(algo) { #if defined(HAVE_EVP_SHA1) || defined(HAVE_NSS) case NSEC3_HASH_SHA1: @@ -555,29 +556,29 @@ nsec3_get_hashed(ldns_buffer* buf, uint8_t* nm, size_t nmlen, int algo, if(hash_len > max) return 0; # ifdef HAVE_SSL - (void)SHA1((unsigned char*)ldns_buffer_begin(buf), - (unsigned long)ldns_buffer_limit(buf), + (void)SHA1((unsigned char*)sldns_buffer_begin(buf), + (unsigned long)sldns_buffer_limit(buf), (unsigned char*)res); # else (void)HASH_HashBuf(HASH_AlgSHA1, (unsigned char*)res, - (unsigned char*)ldns_buffer_begin(buf), - (unsigned long)ldns_buffer_limit(buf)); + (unsigned char*)sldns_buffer_begin(buf), + (unsigned long)sldns_buffer_limit(buf)); # endif for(i=0; i<iter; i++) { - ldns_buffer_clear(buf); - ldns_buffer_write(buf, res, hash_len); - ldns_buffer_write(buf, salt, saltlen); - ldns_buffer_flip(buf); + sldns_buffer_clear(buf); + sldns_buffer_write(buf, res, hash_len); + sldns_buffer_write(buf, salt, saltlen); + sldns_buffer_flip(buf); # ifdef HAVE_SSL (void)SHA1( - (unsigned char*)ldns_buffer_begin(buf), - (unsigned long)ldns_buffer_limit(buf), + (unsigned char*)sldns_buffer_begin(buf), + (unsigned long)sldns_buffer_limit(buf), (unsigned char*)res); # else (void)HASH_HashBuf(HASH_AlgSHA1, (unsigned char*)res, - (unsigned char*)ldns_buffer_begin(buf), - (unsigned long)ldns_buffer_limit(buf)); + (unsigned char*)sldns_buffer_begin(buf), + (unsigned long)sldns_buffer_limit(buf)); # endif } break; @@ -591,7 +592,7 @@ nsec3_get_hashed(ldns_buffer* buf, uint8_t* nm, size_t nmlen, int algo, /** perform hash of name */ static int -nsec3_calc_hash(struct regional* region, ldns_buffer* buf, +nsec3_calc_hash(struct regional* region, sldns_buffer* buf, struct nsec3_cached_hash* c) { int algo = nsec3_get_algo(c->nsec3, c->rr); @@ -601,11 +602,11 @@ nsec3_calc_hash(struct regional* region, ldns_buffer* buf, if(!nsec3_get_salt(c->nsec3, c->rr, &salt, &saltlen)) return -1; /* prepare buffer for first iteration */ - ldns_buffer_clear(buf); - ldns_buffer_write(buf, c->dname, c->dname_len); - query_dname_tolower(ldns_buffer_begin(buf)); - ldns_buffer_write(buf, salt, saltlen); - ldns_buffer_flip(buf); + sldns_buffer_clear(buf); + sldns_buffer_write(buf, c->dname, c->dname_len); + query_dname_tolower(sldns_buffer_begin(buf)); + sldns_buffer_write(buf, salt, saltlen); + sldns_buffer_flip(buf); switch(algo) { #if defined(HAVE_EVP_SHA1) || defined(HAVE_NSS) case NSEC3_HASH_SHA1: @@ -619,30 +620,30 @@ nsec3_calc_hash(struct regional* region, ldns_buffer* buf, if(!c->hash) return 0; # ifdef HAVE_SSL - (void)SHA1((unsigned char*)ldns_buffer_begin(buf), - (unsigned long)ldns_buffer_limit(buf), + (void)SHA1((unsigned char*)sldns_buffer_begin(buf), + (unsigned long)sldns_buffer_limit(buf), (unsigned char*)c->hash); # else (void)HASH_HashBuf(HASH_AlgSHA1, (unsigned char*)c->hash, - (unsigned char*)ldns_buffer_begin(buf), - (unsigned long)ldns_buffer_limit(buf)); + (unsigned char*)sldns_buffer_begin(buf), + (unsigned long)sldns_buffer_limit(buf)); # endif for(i=0; i<iter; i++) { - ldns_buffer_clear(buf); - ldns_buffer_write(buf, c->hash, c->hash_len); - ldns_buffer_write(buf, salt, saltlen); - ldns_buffer_flip(buf); + sldns_buffer_clear(buf); + sldns_buffer_write(buf, c->hash, c->hash_len); + sldns_buffer_write(buf, salt, saltlen); + sldns_buffer_flip(buf); # ifdef HAVE_SSL (void)SHA1( - (unsigned char*)ldns_buffer_begin(buf), - (unsigned long)ldns_buffer_limit(buf), + (unsigned char*)sldns_buffer_begin(buf), + (unsigned long)sldns_buffer_limit(buf), (unsigned char*)c->hash); # else (void)HASH_HashBuf(HASH_AlgSHA1, (unsigned char*)c->hash, - (unsigned char*)ldns_buffer_begin(buf), - (unsigned long)ldns_buffer_limit(buf)); + (unsigned char*)sldns_buffer_begin(buf), + (unsigned long)sldns_buffer_limit(buf)); # endif } break; @@ -656,19 +657,19 @@ nsec3_calc_hash(struct regional* region, ldns_buffer* buf, /** perform b32 encoding of hash */ static int -nsec3_calc_b32(struct regional* region, ldns_buffer* buf, +nsec3_calc_b32(struct regional* region, sldns_buffer* buf, struct nsec3_cached_hash* c) { int r; - ldns_buffer_clear(buf); - r = ldns_b32_ntop_extended_hex(c->hash, c->hash_len, - (char*)ldns_buffer_begin(buf), ldns_buffer_limit(buf)); + sldns_buffer_clear(buf); + r = sldns_b32_ntop_extended_hex(c->hash, c->hash_len, + (char*)sldns_buffer_begin(buf), sldns_buffer_limit(buf)); if(r < 1) { log_err("b32_ntop_extended_hex: error in encoding: %d", r); return 0; } c->b32_len = (size_t)r; - c->b32 = regional_alloc_init(region, ldns_buffer_begin(buf), + c->b32 = regional_alloc_init(region, sldns_buffer_begin(buf), c->b32_len); if(!c->b32) return 0; @@ -676,7 +677,7 @@ nsec3_calc_b32(struct regional* region, ldns_buffer* buf, } int -nsec3_hash_name(rbtree_t* table, struct regional* region, ldns_buffer* buf, +nsec3_hash_name(rbtree_t* table, struct regional* region, sldns_buffer* buf, struct ub_packed_rrset_key* nsec3, int rr, uint8_t* dname, size_t dname_len, struct nsec3_cached_hash** hash) { @@ -816,7 +817,7 @@ find_matching_nsec3(struct module_env* env, struct nsec3_filter* flt, int nsec3_covers(uint8_t* zone, struct nsec3_cached_hash* hash, - struct ub_packed_rrset_key* rrset, int rr, ldns_buffer* buf) + struct ub_packed_rrset_key* rrset, int rr, sldns_buffer* buf) { uint8_t* next, *owner; size_t nextlen; @@ -840,10 +841,10 @@ nsec3_covers(uint8_t* zone, struct nsec3_cached_hash* hash, return 1; /* convert owner name from text to binary */ - ldns_buffer_clear(buf); - owner = ldns_buffer_begin(buf); - len = ldns_b32_pton_extended_hex((char*)rrset->rk.dname+1, - hash->b32_len, owner, ldns_buffer_limit(buf)); + sldns_buffer_clear(buf); + owner = sldns_buffer_begin(buf); + len = sldns_b32_pton_extended_hex((char*)rrset->rk.dname+1, + hash->b32_len, owner, sldns_buffer_limit(buf)); if(len<1) return 0; /* bad owner name in some way */ if((size_t)len != hash->hash_len || (size_t)len != nextlen) diff --git a/validator/val_nsec3.h b/validator/val_nsec3.h index ae4326daffb62..d619d672d12c2 100644 --- a/validator/val_nsec3.h +++ b/validator/val_nsec3.h @@ -21,16 +21,16 @@ * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /** @@ -75,6 +75,7 @@ struct ub_packed_rrset_key; struct reply_info; struct query_info; struct key_entry_key; +struct sldns_buffer; /** * 0 1 2 3 4 5 6 7 @@ -270,9 +271,9 @@ int nsec3_hash_cmp(const void* c1, const void* c2); * 0 on a malloc failure. * -1 if the NSEC3 rr was badly formatted (i.e. formerr). */ -int nsec3_hash_name(rbtree_t* table, struct regional* region, ldns_buffer* buf, - struct ub_packed_rrset_key* nsec3, int rr, uint8_t* dname, - size_t dname_len, struct nsec3_cached_hash** hash); +int nsec3_hash_name(rbtree_t* table, struct regional* region, + struct sldns_buffer* buf, struct ub_packed_rrset_key* nsec3, int rr, + uint8_t* dname, size_t dname_len, struct nsec3_cached_hash** hash); /** * Get next owner name, converted to base32 encoding and with the @@ -328,8 +329,9 @@ int nsec3_get_params(struct ub_packed_rrset_key* rrset, int r, * @param max: maximum space for result. * @return 0 on failure, otherwise bytelength stored. */ -size_t nsec3_get_hashed(ldns_buffer* buf, uint8_t* nm, size_t nmlen, int algo, - size_t iter, uint8_t* salt, size_t saltlen, uint8_t* res, size_t max); +size_t nsec3_get_hashed(struct sldns_buffer* buf, uint8_t* nm, size_t nmlen, + int algo, size_t iter, uint8_t* salt, size_t saltlen, uint8_t* res, + size_t max); /** * see if NSEC3 RR contains given type @@ -373,6 +375,6 @@ int nsec3_get_nextowner(struct ub_packed_rrset_key* rrset, int r, * @return true if covers, false if not. */ int nsec3_covers(uint8_t* zone, struct nsec3_cached_hash* hash, - struct ub_packed_rrset_key* rrset, int rr, ldns_buffer* buf); + struct ub_packed_rrset_key* rrset, int rr, struct sldns_buffer* buf); #endif /* VALIDATOR_VAL_NSEC3_H */ diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c index 92fd0cc4c8c20..d89675f835b09 100644 --- a/validator/val_secalgo.c +++ b/validator/val_secalgo.c @@ -21,16 +21,16 @@ * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /** @@ -41,10 +41,12 @@ * and do the library calls (for the crypto library in use). */ #include "config.h" -#include <ldns/ldns.h> #include "validator/val_secalgo.h" #include "util/data/packed_rrset.h" #include "util/log.h" +#include "ldns/rrdef.h" +#include "ldns/keyraw.h" +#include "ldns/sbuffer.h" #if !defined(HAVE_SSL) && !defined(HAVE_NSS) #error "Need crypto library to do digital signature cryptography" @@ -108,7 +110,7 @@ do_gost94(unsigned char* data, size_t len, unsigned char* dest) const EVP_MD* md = EVP_get_digestbyname("md_gost94"); if(!md) return 0; - return ldns_digest_evp(data, (unsigned int)len, dest, md); + return sldns_digest_evp(data, (unsigned int)len, dest, md); } #endif @@ -172,7 +174,7 @@ dnskey_algo_id_is_supported(int id) #ifdef USE_GOST case LDNS_ECC_GOST: /* we support GOST if it can be loaded */ - return ldns_key_EVP_load_gost_id(); + return sldns_key_EVP_load_gost_id(); #endif default: return 0; @@ -304,10 +306,10 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, log_err("verify: malloc failure in crypto"); return 0; } - dsa = ldns_key_buf2dsa_raw(key, keylen); + dsa = sldns_key_buf2dsa_raw(key, keylen); if(!dsa) { verbose(VERB_QUERY, "verify: " - "ldns_key_buf2dsa_raw failed"); + "sldns_key_buf2dsa_raw failed"); return 0; } if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) { @@ -331,10 +333,10 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, log_err("verify: malloc failure in crypto"); return 0; } - rsa = ldns_key_buf2rsa_raw(key, keylen); + rsa = sldns_key_buf2rsa_raw(key, keylen); if(!rsa) { verbose(VERB_QUERY, "verify: " - "ldns_key_buf2rsa_raw SHA failed"); + "sldns_key_buf2rsa_raw SHA failed"); return 0; } if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) { @@ -363,10 +365,10 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, log_err("verify: malloc failure in crypto"); return 0; } - rsa = ldns_key_buf2rsa_raw(key, keylen); + rsa = sldns_key_buf2rsa_raw(key, keylen); if(!rsa) { verbose(VERB_QUERY, "verify: " - "ldns_key_buf2rsa_raw MD5 failed"); + "sldns_key_buf2rsa_raw MD5 failed"); return 0; } if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) { @@ -379,10 +381,10 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, break; #ifdef USE_GOST case LDNS_ECC_GOST: - *evp_key = ldns_gost2pkey_raw(key, keylen); + *evp_key = sldns_gost2pkey_raw(key, keylen); if(!*evp_key) { verbose(VERB_QUERY, "verify: " - "ldns_gost2pkey_raw failed"); + "sldns_gost2pkey_raw failed"); return 0; } *digest_type = EVP_get_digestbyname("md_gost94"); @@ -395,11 +397,11 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, #endif #ifdef USE_ECDSA case LDNS_ECDSAP256SHA256: - *evp_key = ldns_ecdsa2pkey_raw(key, keylen, + *evp_key = sldns_ecdsa2pkey_raw(key, keylen, LDNS_ECDSAP256SHA256); if(!*evp_key) { verbose(VERB_QUERY, "verify: " - "ldns_ecdsa2pkey_raw failed"); + "sldns_ecdsa2pkey_raw failed"); return 0; } #ifdef USE_ECDSA_EVP_WORKAROUND @@ -422,11 +424,11 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, #endif break; case LDNS_ECDSAP384SHA384: - *evp_key = ldns_ecdsa2pkey_raw(key, keylen, + *evp_key = sldns_ecdsa2pkey_raw(key, keylen, LDNS_ECDSAP384SHA384); if(!*evp_key) { verbose(VERB_QUERY, "verify: " - "ldns_ecdsa2pkey_raw failed"); + "sldns_ecdsa2pkey_raw failed"); return 0; } #ifdef USE_ECDSA_EVP_WORKAROUND @@ -471,7 +473,7 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, * unchecked on format errors and alloc failures. */ enum sec_status -verify_canonrrset(ldns_buffer* buf, int algo, unsigned char* sigblock, +verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, unsigned int sigblock_len, unsigned char* key, unsigned int keylen, char** reason) { @@ -518,8 +520,8 @@ verify_canonrrset(ldns_buffer* buf, int algo, unsigned char* sigblock, if(dofree) free(sigblock); return sec_status_unchecked; } - if(EVP_VerifyUpdate(&ctx, (unsigned char*)ldns_buffer_begin(buf), - (unsigned int)ldns_buffer_limit(buf)) == 0) { + if(EVP_VerifyUpdate(&ctx, (unsigned char*)sldns_buffer_begin(buf), + (unsigned int)sldns_buffer_limit(buf)) == 0) { verbose(VERB_QUERY, "verify: EVP_VerifyUpdate failed"); EVP_PKEY_free(evp_key); if(dofree) free(sigblock); @@ -963,7 +965,7 @@ nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype, * unchecked on format errors and alloc failures. */ enum sec_status -verify_canonrrset(ldns_buffer* buf, int algo, unsigned char* sigblock, +verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, unsigned int sigblock_len, unsigned char* key, unsigned int keylen, char** reason) { @@ -1019,8 +1021,8 @@ verify_canonrrset(ldns_buffer* buf, int algo, unsigned char* sigblock, SECKEY_DestroyPublicKey(pubkey); return sec_status_unchecked; } - if(HASH_HashBuf(htype, hash, (unsigned char*)ldns_buffer_begin(buf), - (unsigned int)ldns_buffer_limit(buf)) != SECSuccess) { + if(HASH_HashBuf(htype, hash, (unsigned char*)sldns_buffer_begin(buf), + (unsigned int)sldns_buffer_limit(buf)) != SECSuccess) { verbose(VERB_QUERY, "verify: HASH_HashBuf failed"); SECKEY_DestroyPublicKey(pubkey); return sec_status_unchecked; diff --git a/validator/val_secalgo.h b/validator/val_secalgo.h index a5832af871e81..085fbc5a44f8f 100644 --- a/validator/val_secalgo.h +++ b/validator/val_secalgo.h @@ -21,16 +21,16 @@ * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /** @@ -42,6 +42,7 @@ #ifndef VALIDATOR_VAL_SECALGO_H #define VALIDATOR_VAL_SECALGO_H +struct sldns_buffer; /** * Return size of DS digest according to its hash algorithm. @@ -76,7 +77,7 @@ int dnskey_algo_id_is_supported(int id); * @return secure if verification succeeded, bogus on crypto failure, * unchecked on format errors and alloc failures. */ -enum sec_status verify_canonrrset(ldns_buffer* buf, int algo, +enum sec_status verify_canonrrset(struct sldns_buffer* buf, int algo, unsigned char* sigblock, unsigned int sigblock_len, unsigned char* key, unsigned int keylen, char** reason); diff --git a/validator/val_sigcrypt.c b/validator/val_sigcrypt.c index 37e1ce14e21ae..5a4d0f471a84f 100644 --- a/validator/val_sigcrypt.c +++ b/validator/val_sigcrypt.c @@ -21,16 +21,16 @@ * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /** @@ -41,7 +41,6 @@ * bridging between RR wireformat data and crypto calls. */ #include "config.h" -#include <ldns/ldns.h> #include "validator/val_sigcrypt.h" #include "validator/val_secalgo.h" #include "validator/validator.h" @@ -52,7 +51,12 @@ #include "util/module.h" #include "util/net_help.h" #include "util/regional.h" +#include "ldns/keyraw.h" +#include "ldns/sbuffer.h" +#include "ldns/parseutil.h" +#include "ldns/wire2str.h" +#include <ctype.h> #if !defined(HAVE_SSL) && !defined(HAVE_NSS) #error "Need crypto library to do digital signature cryptography" #endif @@ -286,7 +290,7 @@ ds_create_dnskey_digest(struct module_env* env, struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, uint8_t* digest) { - ldns_buffer* b = env->scratch_buffer; + sldns_buffer* b = env->scratch_buffer; uint8_t* dnskey_rdata; size_t dnskey_len; rrset_get_rdata(dnskey_rrset, dnskey_idx, &dnskey_rdata, &dnskey_len); @@ -294,15 +298,15 @@ ds_create_dnskey_digest(struct module_env* env, /* create digest source material in buffer * digest = digest_algorithm( DNSKEY owner name | DNSKEY RDATA); * DNSKEY RDATA = Flags | Protocol | Algorithm | Public Key. */ - ldns_buffer_clear(b); - ldns_buffer_write(b, dnskey_rrset->rk.dname, + sldns_buffer_clear(b); + sldns_buffer_write(b, dnskey_rrset->rk.dname, dnskey_rrset->rk.dname_len); - query_dname_tolower(ldns_buffer_begin(b)); - ldns_buffer_write(b, dnskey_rdata+2, dnskey_len-2); /* skip rdatalen*/ - ldns_buffer_flip(b); + query_dname_tolower(sldns_buffer_begin(b)); + sldns_buffer_write(b, dnskey_rdata+2, dnskey_len-2); /* skip rdatalen*/ + sldns_buffer_flip(b); return secalgo_ds_digest(ds_get_digest_algo(ds_rrset, ds_idx), - (unsigned char*)ldns_buffer_begin(b), ldns_buffer_limit(b), + (unsigned char*)sldns_buffer_begin(b), sldns_buffer_limit(b), (unsigned char*)digest); } @@ -366,7 +370,7 @@ dnskey_calc_keytag(struct ub_packed_rrset_key* dnskey_rrset, size_t dnskey_idx) size_t len; rrset_get_rdata(dnskey_rrset, dnskey_idx, &data, &len); /* do not pass rdatalen to ldns */ - return ldns_calc_keytag_raw(data+2, len-2); + return sldns_calc_keytag_raw(data+2, len-2); } int dnskey_algo_is_supported(struct ub_packed_rrset_key* dnskey_rrset, @@ -530,7 +534,7 @@ dnskeyset_verify_rrset(struct module_env* env, struct val_env* ve, void algo_needs_reason(struct module_env* env, int alg, char** reason, char* s) { char buf[256]; - ldns_lookup_table *t = ldns_lookup_by_id(ldns_algorithms, alg); + sldns_lookup_table *t = sldns_lookup_by_id(sldns_algorithms, alg); if(t&&t->name) snprintf(buf, sizeof(buf), "%s with algorithm %s", s, t->name); else snprintf(buf, sizeof(buf), "%s with algorithm ALG%u", s, @@ -640,7 +644,7 @@ struct canon_rr { */ static int canonical_compare_byfield(struct packed_rrset_data* d, - const ldns_rr_descriptor* desc, size_t i, size_t j) + const sldns_rr_descriptor* desc, size_t i, size_t j) { /* sweep across rdata, keep track of some state: * which rr field, and bytes left in field. @@ -784,7 +788,7 @@ canonical_compare(struct ub_packed_rrset_key* rrset, size_t i, size_t j) { struct packed_rrset_data* d = (struct packed_rrset_data*) rrset->entry.data; - const ldns_rr_descriptor* desc; + const sldns_rr_descriptor* desc; uint16_t type = ntohs(rrset->rk.type); size_t minlen; int c; @@ -836,7 +840,7 @@ canonical_compare(struct ub_packed_rrset_key* rrset, size_t i, size_t j) case LDNS_RR_TYPE_PX: case LDNS_RR_TYPE_NAPTR: case LDNS_RR_TYPE_SRV: - desc = ldns_rr_descript(type); + desc = sldns_rr_descript(type); log_assert(desc); /* this holds for the types that need canonicalizing */ log_assert(desc->_minimum == desc->_maximum); @@ -909,15 +913,15 @@ canonical_sort(struct ub_packed_rrset_key* rrset, struct packed_rrset_data* d, * @param can_owner_len: length of canonical owner name. */ static void -insert_can_owner(ldns_buffer* buf, struct ub_packed_rrset_key* k, +insert_can_owner(sldns_buffer* buf, struct ub_packed_rrset_key* k, uint8_t* sig, uint8_t** can_owner, size_t* can_owner_len) { int rrsig_labels = (int)sig[3]; int fqdn_labels = dname_signame_label_count(k->rk.dname); - *can_owner = ldns_buffer_current(buf); + *can_owner = sldns_buffer_current(buf); if(rrsig_labels == fqdn_labels) { /* no change */ - ldns_buffer_write(buf, k->rk.dname, k->rk.dname_len); + sldns_buffer_write(buf, k->rk.dname, k->rk.dname_len); query_dname_tolower(*can_owner); *can_owner_len = k->rk.dname_len; return; @@ -933,8 +937,8 @@ insert_can_owner(ldns_buffer* buf, struct ub_packed_rrset_key* k, dname_remove_label(&nm, &len); } *can_owner_len = len+2; - ldns_buffer_write(buf, (uint8_t*)"\001*", 2); - ldns_buffer_write(buf, nm, len); + sldns_buffer_write(buf, (uint8_t*)"\001*", 2); + sldns_buffer_write(buf, nm, len); query_dname_tolower(*can_owner); } } @@ -946,10 +950,10 @@ insert_can_owner(ldns_buffer* buf, struct ub_packed_rrset_key* k, * @param len: length of the rdata (including rdatalen uint16). */ static void -canonicalize_rdata(ldns_buffer* buf, struct ub_packed_rrset_key* rrset, +canonicalize_rdata(sldns_buffer* buf, struct ub_packed_rrset_key* rrset, size_t len) { - uint8_t* datstart = ldns_buffer_current(buf)-len+2; + uint8_t* datstart = sldns_buffer_current(buf)-len+2; switch(ntohs(rrset->rk.type)) { case LDNS_RR_TYPE_NXT: case LDNS_RR_TYPE_NS: @@ -1040,6 +1044,69 @@ canonicalize_rdata(ldns_buffer* buf, struct ub_packed_rrset_key* rrset, } } +int rrset_canonical_equal(struct regional* region, + struct ub_packed_rrset_key* k1, struct ub_packed_rrset_key* k2) +{ + struct rbtree_t sortree1, sortree2; + struct canon_rr *rrs1, *rrs2, *p1, *p2; + struct packed_rrset_data* d1=(struct packed_rrset_data*)k1->entry.data; + struct packed_rrset_data* d2=(struct packed_rrset_data*)k2->entry.data; + struct ub_packed_rrset_key fk; + struct packed_rrset_data fd; + size_t flen[2]; + uint8_t* fdata[2]; + + /* basic compare */ + if(k1->rk.dname_len != k2->rk.dname_len || + k1->rk.flags != k2->rk.flags || + k1->rk.type != k2->rk.type || + k1->rk.rrset_class != k2->rk.rrset_class || + query_dname_compare(k1->rk.dname, k2->rk.dname) != 0) + return 0; + if(d1->ttl != d2->ttl || + d1->count != d2->count || + d1->rrsig_count != d2->rrsig_count || + d1->trust != d2->trust || + d1->security != d2->security) + return 0; + + /* init */ + memset(&fk, 0, sizeof(fk)); + memset(&fd, 0, sizeof(fd)); + fk.entry.data = &fd; + fd.count = 2; + fd.rr_len = flen; + fd.rr_data = fdata; + rbtree_init(&sortree1, &canonical_tree_compare); + rbtree_init(&sortree2, &canonical_tree_compare); + rrs1 = regional_alloc(region, sizeof(struct canon_rr)*d1->count); + rrs2 = regional_alloc(region, sizeof(struct canon_rr)*d2->count); + if(!rrs1 || !rrs2) return 1; /* alloc failure */ + + /* sort */ + canonical_sort(k1, d1, &sortree1, rrs1); + canonical_sort(k2, d2, &sortree2, rrs2); + + /* compare canonical-sorted RRs for canonical-equality */ + if(sortree1.count != sortree2.count) + return 0; + p1 = (struct canon_rr*)rbtree_first(&sortree1); + p2 = (struct canon_rr*)rbtree_first(&sortree2); + while(p1 != (struct canon_rr*)RBTREE_NULL && + p2 != (struct canon_rr*)RBTREE_NULL) { + flen[0] = d1->rr_len[p1->rr_idx]; + flen[1] = d2->rr_len[p2->rr_idx]; + fdata[0] = d1->rr_data[p1->rr_idx]; + fdata[1] = d2->rr_data[p2->rr_idx]; + + if(canonical_compare(&fk, 0, 1) != 0) + return 0; + p1 = (struct canon_rr*)rbtree_next(&p1->node); + p2 = (struct canon_rr*)rbtree_next(&p2->node); + } + return 1; +} + /** * Create canonical form of rrset in the scratch buffer. * @param region: temporary region. @@ -1053,7 +1120,7 @@ canonicalize_rdata(ldns_buffer* buf, struct ub_packed_rrset_key* rrset, * @return false on alloc error. */ static int -rrset_canonical(struct regional* region, ldns_buffer* buf, +rrset_canonical(struct regional* region, sldns_buffer* buf, struct ub_packed_rrset_key* k, uint8_t* sig, size_t siglen, struct rbtree_t** sortree) { @@ -1077,13 +1144,13 @@ rrset_canonical(struct regional* region, ldns_buffer* buf, canonical_sort(k, d, *sortree, rrs); } - ldns_buffer_clear(buf); - ldns_buffer_write(buf, sig, siglen); + sldns_buffer_clear(buf); + sldns_buffer_write(buf, sig, siglen); /* canonicalize signer name */ - query_dname_tolower(ldns_buffer_begin(buf)+18); + query_dname_tolower(sldns_buffer_begin(buf)+18); RBTREE_FOR(walk, struct canon_rr*, (*sortree)) { /* see if there is enough space left in the buffer */ - if(ldns_buffer_remaining(buf) < can_owner_len + 2 + 2 + 4 + if(sldns_buffer_remaining(buf) < can_owner_len + 2 + 2 + 4 + d->rr_len[walk->rr_idx]) { log_err("verify: failed to canonicalize, " "rrset too big"); @@ -1091,17 +1158,17 @@ rrset_canonical(struct regional* region, ldns_buffer* buf, } /* determine canonical owner name */ if(can_owner) - ldns_buffer_write(buf, can_owner, can_owner_len); + sldns_buffer_write(buf, can_owner, can_owner_len); else insert_can_owner(buf, k, sig, &can_owner, &can_owner_len); - ldns_buffer_write(buf, &k->rk.type, 2); - ldns_buffer_write(buf, &k->rk.rrset_class, 2); - ldns_buffer_write(buf, sig+4, 4); - ldns_buffer_write(buf, d->rr_data[walk->rr_idx], + sldns_buffer_write(buf, &k->rk.type, 2); + sldns_buffer_write(buf, &k->rk.rrset_class, 2); + sldns_buffer_write(buf, sig+4, 4); + sldns_buffer_write(buf, d->rr_data[walk->rr_idx], d->rr_len[walk->rr_idx]); canonicalize_rdata(buf, k, d->rr_len[walk->rr_idx]); } - ldns_buffer_flip(buf); + sldns_buffer_flip(buf); return 1; } @@ -1233,7 +1300,7 @@ adjust_ttl(struct val_env* ve, uint32_t unow, } enum sec_status -dnskey_verify_rrset_sig(struct regional* region, ldns_buffer* buf, +dnskey_verify_rrset_sig(struct regional* region, sldns_buffer* buf, struct val_env* ve, time_t now, struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, size_t dnskey_idx, size_t sig_idx, diff --git a/validator/val_sigcrypt.h b/validator/val_sigcrypt.h index 9859d3c39087b..68aa9a445ae8f 100644 --- a/validator/val_sigcrypt.h +++ b/validator/val_sigcrypt.h @@ -21,16 +21,16 @@ * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /** @@ -49,6 +49,7 @@ struct module_env; struct ub_packed_rrset_key; struct rbtree_t; struct regional; +struct sldns_buffer; /** number of entries in algorithm needs array */ #define ALGO_NEEDS_MAX 256 @@ -298,7 +299,7 @@ enum sec_status dnskeyset_verify_rrset_sig(struct module_env* env, * bogus if it did not validate. */ enum sec_status dnskey_verify_rrset_sig(struct regional* region, - ldns_buffer* buf, struct val_env* ve, time_t now, + struct sldns_buffer* buf, struct val_env* ve, time_t now, struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, size_t dnskey_idx, size_t sig_idx, struct rbtree_t** sortree, int* buf_canon, char** reason); @@ -308,4 +309,15 @@ enum sec_status dnskey_verify_rrset_sig(struct regional* region, */ int canonical_tree_compare(const void* k1, const void* k2); +/** + * Compare two rrsets and see if they are the same, canonicalised. + * The rrsets are not altered. + * @param region: temporary region. + * @param k1: rrset1 + * @param k2: rrset2 + * @return true if equal. + */ +int rrset_canonical_equal(struct regional* region, + struct ub_packed_rrset_key* k1, struct ub_packed_rrset_key* k2); + #endif /* VALIDATOR_VAL_SIGCRYPT_H */ diff --git a/validator/val_utils.c b/validator/val_utils.c index 73e7dbd9020f8..ecf2dfaf05c89 100644 --- a/validator/val_utils.c +++ b/validator/val_utils.c @@ -21,16 +21,16 @@ * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /** diff --git a/validator/val_utils.h b/validator/val_utils.h index f0afc3756e9f1..b0344eff7de9f 100644 --- a/validator/val_utils.h +++ b/validator/val_utils.h @@ -21,16 +21,16 @@ * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /** diff --git a/validator/validator.c b/validator/validator.c index ad472cc6a9534..aefa26a279486 100644 --- a/validator/validator.c +++ b/validator/validator.c @@ -21,16 +21,16 @@ * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /** @@ -40,7 +40,6 @@ * According to RFC 4034. */ #include "config.h" -#include <ldns/ldns.h> #include "validator/validator.h" #include "validator/val_anchor.h" #include "validator/val_kcache.h" @@ -59,6 +58,8 @@ #include "util/regional.h" #include "util/config_file.h" #include "util/fptr_wlist.h" +#include "ldns/rrdef.h" +#include "ldns/wire2str.h" /* forward decl for cache response and normal super inform calls of a DS */ static void process_ds_response(struct module_qstate* qstate, @@ -294,9 +295,12 @@ needs_validation(struct module_qstate* qstate, int ret_rc, else rcode = (int)FLAGS_GET_RCODE(ret_msg->rep->flags); if(rcode != LDNS_RCODE_NOERROR && rcode != LDNS_RCODE_NXDOMAIN) { - verbose(VERB_ALGO, "cannot validate non-answer, rcode %s", - ldns_lookup_by_id(ldns_rcodes, rcode)? - ldns_lookup_by_id(ldns_rcodes, rcode)->name:"??"); + if(verbosity >= VERB_ALGO) { + char rc[16]; + rc[0]=0; + (void)sldns_wire2str_rcode_buf(rcode, rc, sizeof(rc)); + verbose(VERB_ALGO, "cannot validate non-answer, rcode %s", rc); + } return 0; } @@ -758,11 +762,12 @@ validate_nodata_response(struct module_env* env, struct val_env* ve, * @param chase_reply: answer to that query to validate. * @param kkey: the key entry, which is trusted, and which matches * the signer of the answer. The key entry isgood(). + * @param rcode: adjusted RCODE, in case of RCODE/proof mismatch leniency. */ static void validate_nameerror_response(struct module_env* env, struct val_env* ve, struct query_info* qchase, struct reply_info* chase_reply, - struct key_entry_key* kkey) + struct key_entry_key* kkey, int* rcode) { int has_valid_nsec = 0; int has_valid_wnsec = 0; @@ -809,6 +814,10 @@ validate_nameerror_response(struct module_env* env, struct val_env* ve, verbose(VERB_QUERY, "NameError response has failed to prove: " "qname does not exist"); chase_reply->security = sec_status_bogus; + /* Be lenient with RCODE in NSEC NameError responses */ + validate_nodata_response(env, ve, qchase, chase_reply, kkey); + if (chase_reply->security == sec_status_secure) + *rcode = LDNS_RCODE_NOERROR; return; } @@ -816,6 +825,10 @@ validate_nameerror_response(struct module_env* env, struct val_env* ve, verbose(VERB_QUERY, "NameError response has failed to prove: " "covering wildcard does not exist"); chase_reply->security = sec_status_bogus; + /* Be lenient with RCODE in NSEC NameError responses */ + validate_nodata_response(env, ve, qchase, chase_reply, kkey); + if (chase_reply->security == sec_status_secure) + *rcode = LDNS_RCODE_NOERROR; return; } @@ -1564,6 +1577,7 @@ processValidate(struct module_qstate* qstate, struct val_qstate* vq, struct val_env* ve, int id) { enum val_classification subtype; + int rcode; if(!vq->key_entry) { verbose(VERB_ALGO, "validate: no key entry, failed"); @@ -1647,7 +1661,7 @@ processValidate(struct module_qstate* qstate, struct val_qstate* vq, sec_status_to_string( vq->chase_reply->security)); break; - + case VAL_CLASS_NODATA: verbose(VERB_ALGO, "Validating a nodata response"); validate_nodata_response(qstate->env, ve, @@ -1658,12 +1672,15 @@ processValidate(struct module_qstate* qstate, struct val_qstate* vq, break; case VAL_CLASS_NAMEERROR: + rcode = (int)FLAGS_GET_RCODE(vq->orig_msg->rep->flags); verbose(VERB_ALGO, "Validating a nxdomain response"); validate_nameerror_response(qstate->env, ve, - &vq->qchase, vq->chase_reply, vq->key_entry); + &vq->qchase, vq->chase_reply, vq->key_entry, &rcode); verbose(VERB_DETAIL, "validate(nxdomain): %s", sec_status_to_string( vq->chase_reply->security)); + FLAGS_SET_RCODE(vq->orig_msg->rep->flags, rcode); + FLAGS_SET_RCODE(vq->chase_reply->flags, rcode); break; case VAL_CLASS_CNAME: @@ -2344,12 +2361,13 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq, char* reason = NULL; enum val_classification subtype; if(rcode != LDNS_RCODE_NOERROR) { - char* rc = ldns_pkt_rcode2str(rcode); + char rc[16]; + rc[0]=0; + (void)sldns_wire2str_rcode_buf(rcode, rc, sizeof(rc)); /* errors here pretty much break validation */ verbose(VERB_DETAIL, "DS response was error, thus bogus"); errinf(qstate, rc); errinf(qstate, "no DS"); - free(rc); goto return_bogus; } @@ -2521,10 +2539,11 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq, "DS response, thus bogus."); errinf(qstate, "no DS and"); if(FLAGS_GET_RCODE(msg->rep->flags) != LDNS_RCODE_NOERROR) { - char* rc = ldns_pkt_rcode2str( - FLAGS_GET_RCODE(msg->rep->flags)); + char rc[16]; + rc[0]=0; + (void)sldns_wire2str_rcode_buf((int)FLAGS_GET_RCODE( + msg->rep->flags), rc, sizeof(rc)); errinf(qstate, rc); - free(rc); } else errinf(qstate, val_classification_to_string(subtype)); errinf(qstate, "message fails to prove that"); goto return_bogus; diff --git a/validator/validator.h b/validator/validator.h index 1a29c161b9f25..20f806adab359 100644 --- a/validator/validator.h +++ b/validator/validator.h @@ -21,16 +21,16 @@ * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /** |