Commit Diff
Diff:
40df8d684e052f145329e406c1c08d0c7e60705e
eab3f47f6cb99121dc42a0d325dfcabd13ee89ce
Commit:
eab3f47f6cb99121dc42a0d325dfcabd13ee89ce
Tree:
6de2971a3b9932fb3c2121c57a3e418ab6f4df74
Author:
pjp <pjp@delphinusdns.org>
Committer:
pjp <pjp@delphinusdns.org>
Date:
Fri May 11 23:21:20 2018 UTC
Message:
In the dddctl sign code, I forgot to create ENT's with NSEC3 hashes. After consulting with jdnssec-verifyzone and ldns-verify-zone I think I have it right. This work unearthed a bug with the check_ent() routine which would make the base of an ENT an ENT in fact. This I tried to correct in ent.c, I hope it's right.
blob - ad08b2ea4bba4f33e931445cb0e66677f3ad248b
blob + e8a7ca63cc2b769569780b4835da86b73a4b93e6
--- dddctl.c
+++ dddctl.c
@@ -27,7 +27,7 @@
*/
/*
- * $Id: dddctl.c,v 1.11 2018/05/11 20:54:29 pjp Exp $
+ * $Id: dddctl.c,v 1.12 2018/05/11 23:21:20 pjp Exp $
*/
#include "ddd-include.h"
@@ -197,6 +197,9 @@ extern int label_count(char *);
extern char *get_dns_type(int, int);
extern char * hash_name(char *, int, struct nsec3param *);
extern char * base32hex_encode(u_char *input, int len);
+extern int init_entlist(ddDB *);
+extern int check_ent(char *, int);
+
extern int dnssec;
extern int domaincmp(struct node *e1, struct node *e2);
@@ -513,6 +516,12 @@ signmain(int argc, char *argv[])
exit(1);
}
+ /* create ENT list */
+ if (init_entlist(db) < 0) {
+ dolog(LOG_INFO, "creating entlist failed\n");
+ exit(1);
+ }
+
/* three passes to "sign" our zones */
/* first pass, add dnskey records, on apex */
@@ -521,7 +530,7 @@ signmain(int argc, char *argv[])
exit(1);
}
- /* second pass construct NSEC3 records */
+ /* second pass construct NSEC3 records, including ENT's */
if ((mask & MASK_CONSTRUCT_NSEC3) && construct_nsec3(db, zonename, iterations, salt) < 0) {
dolog(LOG_INFO, "construct nsec3 failed\n");
@@ -6056,12 +6065,13 @@ construct_nsec3(ddDB *db, char *zone, int iterations,
char bitmap[4096];
char *dnsname;
char *hashname = NULL;
+ char *p;
int labellen;
int retval, lzerrno;
u_int32_t ttl = 0;
- int j, rs;
+ int j, rs, len, rootlen;
TAILQ_HEAD(listhead, mynsec3) head;
@@ -6094,6 +6104,9 @@ construct_nsec3(ddDB *db, char *zone, int iterations,
return -1;
}
+ /* get the rootzone's len */
+ rootlen = sd->zonelen;
+
/* RFC 5155 page 3 */
ttl = sd->ttl[INTERNAL_TYPE_SOA];
@@ -6118,7 +6131,6 @@ construct_nsec3(ddDB *db, char *zone, int iterations,
memcpy((char *)sd, (char *)n->data, n->datalen);
-
hashname = hash_name(sd->zone, sd->zonelen, &n3p);
if (hashname == NULL) {
dolog(LOG_INFO, "hash_name return NULL");
@@ -6198,6 +6210,68 @@ construct_nsec3(ddDB *db, char *zone, int iterations,
}
} /* RB_FOREACH_SAFE */
+
+ /* check ENT's which we'll create */
+
+ RB_FOREACH_SAFE(n, domaintree, &rbhead, nx) {
+ rs = n->datalen;
+ if ((sd = calloc(1, rs)) == NULL) {
+ dolog(LOG_INFO, "calloc: %s\n", strerror(errno));
+ exit(1);
+ }
+
+ memcpy((char *)sd, (char *)n->data, n->datalen);
+
+ len = sd->zonelen;
+ for (p = sd->zone; *p && len > rootlen; p++, len--) {
+ if (check_ent(p, len))
+ break;
+
+ len -= *p;
+ p += *p;
+ }
+
+ if (len > rootlen) {
+ /* we have an ENT */
+ hashname = hash_name(p, len, &n3p);
+ if (hashname == NULL) {
+ dolog(LOG_INFO, "hash_name return NULL");
+ return -1;
+ }
+
+ bitmap[0] = '\0';
+
+ n1 = malloc(sizeof(struct mynsec3));
+ if (n1 == NULL) {
+ dolog(LOG_INFO, "out of memory");
+ return -1;
+ }
+
+ n1->hashname = strdup(hashname);
+ n1->bitmap = strdup(bitmap);
+ if (n1->hashname == NULL || n1->bitmap == NULL) {
+ dolog(LOG_INFO, "out of memory");
+ return -1;
+ }
+
+ if (TAILQ_EMPTY(&head))
+ TAILQ_INSERT_TAIL(&head, n1, entries);
+ else {
+ TAILQ_FOREACH(n2, &head, entries) {
+ if (strcmp(n1->hashname, n2->hashname) < 0)
+ break;
+ }
+
+ if (n2 != NULL)
+ TAILQ_INSERT_BEFORE(n2, n1, entries);
+ else
+ TAILQ_INSERT_TAIL(&head, n1, entries);
+ }
+
+ } /* if len > rootlen */
+
+ } /* RB_FOREACH_SAFE */
+
TAILQ_FOREACH(n2, &head, entries) {
np = TAILQ_NEXT(n2, entries);
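Review bot: Each pass of the new RB_FOREACH_SAFE loop calloc()s `sd` (the line after `rs = n->datalen;`) and nothing in the hunk frees it, so the loop leaks one copy of every node's data, and the three `return -1` paths additionally drop the `n1` entries already queued; a `free(sd)` at the end of each iteration fixes the per-node leak, provided the tail of construct_nsec3 (outside the hunk) does not read the last `sd`. The walk also stops at the first ENT it meets (`break` after `check_ent(p, len)`) and queues that hash without checking whether it is already in `head`, so an ENT whose parent is itself empty is only covered if some other name happens to reach it first, and an ENT with several children is queued once per child, giving the chain several NSEC3 records with the same owner; since the list is kept sorted, a duplicate can be detected at the insertion point. The rewrite below keeps walking after an ENT and skips hashes already queued; whether `hashname` returned by hash_name() also needs freeing depends on hash_name, which is not in the hunk. construct_nsec3 starts and ends outside this hunk.
```c
	RB_FOREACH_SAFE(n, domaintree, &rbhead, nx) {
		/* … unchanged: calloc sd, memcpy n->data into it … */
		len = sd->zonelen;
		for (p = sd->zone; *p && len > rootlen; p++, len--) {
			if (check_ent(p, len)) {
				hashname = hash_name(p, len, &n3p);
				if (hashname == NULL) {
					dolog(LOG_INFO, "hash_name return NULL");
					free(sd);
					return -1;
				}
				/* one NSEC3 per ENT owner: head is sorted, so stop at the
				 * first entry that is not smaller and skip an exact match */
				TAILQ_FOREACH(n2, &head, entries) {
					if (strcmp(hashname, n2->hashname) <= 0)
						break;
				}
				if (n2 == NULL || strcmp(hashname, n2->hashname) != 0) {
					/* … unchanged: empty bitmap, malloc n1, strdup hashname/bitmap … */
					if (n2 != NULL)
						TAILQ_INSERT_BEFORE(n2, n1, entries);
					else
						TAILQ_INSERT_TAIL(&head, n1, entries);
				}
			}
			/* keep walking: the parent of an ENT may itself be empty */
			len -= *p;
			p += *p;
		}
		free(sd);
	} /* RB_FOREACH_SAFE */
```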
blob - 1e2c7f0d329a722ba59bb35d3eb5e7c4f207abe4
blob + b0be36de3328564fd1b67a80fdb421a2ac39c5f0
--- ent.c
+++ ent.c
@@ -27,7 +27,7 @@
*/
/*
- * $Id: ent.c,v 1.4 2017/10/26 15:49:29 pjp Exp $
+ * $Id: ent.c,v 1.5 2018/05/11 23:21:20 pjp Exp $
*/
/*
@@ -140,8 +140,24 @@ ent_contains(char *name, int len, char *entname, int e
continue;
if (memcasecmp(name, p, l) == 0)
- return 1;
+ goto exists; /* ? */
}
return 0;
+
+exists:
+ /*
+ * we take a second look, to make sure that we don't hit the
+ * base of an ENT...this was overlooked originally
+ */
+
+ SLIST_FOREACH(entp, &enthead, ent_entry) {
+ if (entp->len != l)
+ continue;
+
+ if (memcasecmp(entp->name, p, l) == 0)
+ return 0;
+ }
+
+ return 1;
}
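Review bot: The `goto exists; /* ? */` on the match line leaves the author's own doubt in the code, and the check under `exists:` compares `entp->name` against `p`/`l`, the first loop's variables, rather than against `name`/`len`, the arguments the caller asked about; if the `continue` just above is a length test, `p`/`l` equal `name`/`len` at that point and the second loop can be written directly on the arguments. A small static helper, say `ent_listed(const char *name, int len)` that walks `enthead` and returns 1 on a length-and-memcasecmp match, lets the match line become `return ent_listed(name, len) ? 0 : 1;` with no goto and no stray comment, and a one-line comment there can state why a name already on the ENT list is not treated as contained by another ENT. The function head and the loop of ent_contains are outside the hunk, so whether `p`/`l` are function-scope cannot be confirmed here.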