Add basic TLSA support.

Makefile

@@ -9,15 +9,15 @@ validns: main.o carp.o mempool.o textparse.o base64.o base32hex.o \
 	naptr.o srv.o nsec3param.o nsec3.o ds.o \
 	hinfo.o loc.o nsec3checks.o ptr.o \
 	sshfp.o threads.o rp.o spf.o cert.o \
-	dname.o
+	dname.o tlsa.o
 	$(CC) $(CFLAGS) $(OPTIMIZE) -o validns \
 	    main.o carp.o mempool.o textparse.o base64.o base32hex.o \
 	    rr.o soa.o a.o cname.o mx.o ns.o \
 	    rrsig.o nsec.o dnskey.o txt.o aaaa.o \
 	    naptr.o srv.o nsec3param.o nsec3.o ds.o \
 	    hinfo.o loc.o nsec3checks.o ptr.o \
 	    sshfp.o threads.o rp.o spf.o cert.o \
-	    dname.o \
+	    dname.o tlsa.o \
 	    -L/usr/local/lib -L/opt/local/lib -lJudy -lcrypto
 
 clean:
@@ -27,7 +27,7 @@ clean:
 	-rm -f naptr.o srv.o nsec3param.o nsec3.o ds.o
 	-rm -f hinfo.o loc.o nsec3checks.o ptr.o
 	-rm -f sshfp.o base32hex.o base64.o threads.o
-	-rm -f rp.o spf.o cert.o dname.o
+	-rm -f rp.o spf.o cert.o dname.o tlsa.o
 	-rm -f validns.core core
 	@echo ':-)'
 
@@ -124,6 +124,9 @@ cert.o: cert.c common.h textparse.h mempool.h carp.h rr.h
 dname.o: dname.c common.h textparse.h mempool.h carp.h rr.h
 	$(CC) $(CFLAGS) $(OPTIMIZE) -c -o dname.o dname.c $(INCPATH)
 
+tlsa.o: tlsa.c common.h textparse.h mempool.h carp.h rr.h
+	$(CC) $(CFLAGS) $(OPTIMIZE) -c -o tlsa.o tlsa.c $(INCPATH)
+
 threads.o: threads.c
 	$(CC) $(CFLAGS) $(OPTIMIZE) -c -o threads.o threads.c $(INCPATH)
 

cert.c

@@ -123,7 +123,7 @@ static char* cert_human(struct rr *rrv)
 	RRCAST(cert);
     char s[1024];
 
-    snprintf(s, 1024, "CERT %d %d %d ...",
+    snprintf(s, 1024, "%d %d %d ...",
 		rr->type, rr->key_tag, rr->algorithm);
     return quickstrdup_temp(s);
 }

common.h

@@ -65,4 +65,10 @@ struct globals {
 
 extern struct globals G;
 
+#define SHA1_BYTES 20
+#define SHA256_BYTES 32
+#define SHA512_BYTES 64
+/* GOST R 34.11-94 - 32 bytes */
+#define GOST_BYTES 32
+
 #endif

ds.c

@@ -39,25 +39,20 @@ static struct rr* ds_parse(char *name, long ttl, int type, char *s)
 
 	/* See http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xml
 	 * for valid digest types. */
-	/*
-		SHA-1 20 bytes
-		SHA-256 32 bytes
-		GOST R 34.11-94 32 bytes
-	*/
 	switch (digest_type) {
 	case 1:
-		if (rr->digest.length != 20) {
-			return bitch("wrong SHA-1 digest length: %d bytes found, %d bytes expected", rr->digest.length, 20);
+		if (rr->digest.length != SHA1_BYTES) {
+			return bitch("wrong SHA-1 digest length: %d bytes found, %d bytes expected", rr->digest.length, SHA1_BYTES);
 		}
 		break;
 	case 2:
-		if (rr->digest.length != 32) {
-			return bitch("wrong SHA-256 digest length: %d bytes found, %d bytes expected", rr->digest.length, 32);
+		if (rr->digest.length != SHA256_BYTES) {
+			return bitch("wrong SHA-256 digest length: %d bytes found, %d bytes expected", rr->digest.length, SHA256_BYTES);
 		}
 		break;
 	case 3:
-		if (rr->digest.length != 32) {
-			return bitch("wrong GOST R 34.11-94 digest length: %d bytes found, %d bytes expected", rr->digest.length, 32);
+		if (rr->digest.length != GOST_BYTES) {
+			return bitch("wrong GOST R 34.11-94 digest length: %d bytes found, %d bytes expected", rr->digest.length, GOST_BYTES);
 		}
 		break;
 	default:

main.c

@@ -292,6 +292,7 @@ static void initialize_globals(void)
 	rr_methods[T_SPF]          =        spf_methods;
 	rr_methods[T_SRV]          =        srv_methods;
 	rr_methods[T_SSHFP]        =      sshfp_methods;
+	rr_methods[T_TLSA]         =       tlsa_methods;
 	rr_methods[T_TXT]          =        txt_methods;
 }
 

nsec.c

@@ -33,6 +33,8 @@ static struct rr* nsec_parse(char *name, long ttl, int type, char *s)
 		str_type = extract_label(&s, "type list", "temporary");
 		if (!str_type) return NULL;
 		ltype = str2rdtype(str_type);
+		if (ltype < 0)
+			return NULL;
 		add_bit_to_set(&bitmap, ltype);
 	}
 	if (!s)

nsec3.c

@@ -86,6 +86,8 @@ static struct rr* nsec3_parse(char *name, long ttl, int type, char *s)
 		str_type = extract_label(&s, "type list", "temporary");
 		if (!str_type) return NULL;
 		ltype = str2rdtype(str_type);
+		if (ltype < 0)
+			return NULL;
 		add_bit_to_set(&bitmap, ltype);
 	}
 	if (!s)

rr.c

@@ -71,7 +71,8 @@ static char* rdtype2str_map[T_MAX+1] = {
 	"DHCID",
 	"NSEC3", /* 50 */
 	"NSEC3PARAM",
-	0, 0, 0, 0, 0, 0, 0, 0, 0, /* 60 */
+	"TLSA",
+	      0, 0, 0, 0, 0, 0, 0, 0, /* 60 */
 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 70 */
 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 80 */
 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 90 */
@@ -520,6 +521,8 @@ int str2rdtype(char *rdtype)
 	case 't':
 		if (strcmp(rdtype, "txt") == 0) {
 			return T_TXT;
+		} else if (strcmp(rdtype, "tlsa") == 0) {
+			return T_TLSA;
 		} else if (strncmp(rdtype, "type", 4) == 0) {
 			long type = strtol(rdtype+4, NULL, 10);
 			if (type <= 0 || type > 65535)

rr.h

@@ -31,6 +31,7 @@
 #define T_DNSKEY	48
 #define T_NSEC3	50
 #define T_NSEC3PARAM	51
+#define T_TLSA	52
 #define T_SPF	99
 #define T_MAX	99
 
@@ -176,6 +177,16 @@ struct rr_txt
 };
 extern struct rr_methods txt_methods;
 
+struct rr_tlsa
+{
+    struct rr rr;
+	uint8_t cert_usage;
+	uint8_t selector;
+	uint8_t matching_type;
+	struct binary_data association_data;
+};
+extern struct rr_methods tlsa_methods;
+
 struct rr_naptr
 {
     struct rr rr;

sshfp.c

@@ -36,9 +36,9 @@ static struct rr* sshfp_parse(char *name, long ttl, int type, char *s)
 
 	rr->fingerprint = extract_hex_binary_data(&s, "fingerprint", EXTRACT_EAT_WHITESPACE);
 	if (rr->fingerprint.length < 0)	return NULL;
-	if (rr->fingerprint.length != 20) {
+	if (rr->fingerprint.length != SHA1_BYTES) {
 		return bitch("wrong SHA-1 fingerprint length: %d bytes found, %d bytes expected",
-					 rr->fingerprint.length, 20);
+					 rr->fingerprint.length, SHA1_BYTES);
 	}
 
 	if (*s) {

t/test.pl

@@ -75,6 +75,26 @@
 like(shift @e, qr/MX preference expected/, "empty MX");
 like(shift @e, qr/MX exchange expected/, "MX without exchange");
 like(shift @e, qr/garbage after valid MX data/, "bad MX");
+
+like(shift @e, qr/bad SHA-256 hash length/, "TLSA SHA-256");
+like(shift @e, qr/bad SHA-512 hash length/, "TLSA SHA-512");
+like(shift @e, qr/certificate association data: hex data does not represent whole number of bytes/, "TLSA nibbles");
+
+like(shift @e, qr/bad certificate usage field/, "TLSA certificate usage");
+like(shift @e, qr/TTL is not valid/, "TLSA certificate usage fallout");
+like(shift @e, qr/certificate usage field expected/, "TLSA certificate usage");
+like(shift @e, qr/TTL is not valid/, "TLSA certificate usage fallout");
+
+like(shift @e, qr/bad selector field/, "TLSA selector");
+like(shift @e, qr/TTL is not valid/, "TLSA selector fallout");
+like(shift @e, qr/selector field expected/, "TLSA selector");
+like(shift @e, qr/TTL is not valid/, "TLSA selector fallout");
+
+like(shift @e, qr/bad matching type field/, "TLSA matching type");
+like(shift @e, qr/TTL is not valid/, "TLSA matching type fallout");
+like(shift @e, qr/matching type field expected/, "TLSA matching type");
+like(shift @e, qr/TTL is not valid/, "TLSA matching type fallout");
+
 like(shift @e, qr/outside.org. does not belong to zone galaxyplus.org./, "outsider");
 like(shift @e, qr/long.outside.org. does not belong to zone galaxyplus.org./, "long outsider");
 like(shift @e, qr/outsidegalaxyplus.org. does not belong to zone galaxyplus.org./, "tricky outsider");

t/zones/example.sec

@@ -20,6 +20,19 @@ ns2		A	5.6.7.8
 mail	A	2.3.4.5
 www     CNAME example.sec.
 
+_443._tcp.www IN TLSA (
+      0 0 1 d2abde240d7cd3ee6b4b28c54df034b9
+            7983a1d16e8a410e4561cb106618e971 )
+
+_8443._tcp.www.example.sec. IN TLSA (
+      1 1 2 92003ba34942dc74152e2f2c408d29ec
+            a5a520e7f2e06bb944f4dca346baf63c
+            1b177615d466f6c4b71c216a50292bd5
+            8c9ebdd2f74e38fe51ffd48c43326cbc )
+
+_25._tcp.mail IN TLSA (
+      3 0 0 30820307308201efa003020102020123 )
+
 delegation NS ns1
 delegation NS ns2
 delegation DS 60485 5 1 ( 2BB183AF5F22588179A53B0A