
Add basic TLSA support.

tobez committed Jul 17, 2012
1 parent 823e21a commit 117db4994fdeadca6798a8a399ffb0364a11dd42
Showing with 808 additions and 419 deletions.
  1. +6 −3 Makefile
  2. +1 −1 cert.c
  3. +6 −0 common.h
  4. +6 −11 ds.c
  5. +1 −0 main.c
  6. +2 −0 nsec.c
  7. +2 −0 nsec3.c
  8. +4 −1 rr.c
  9. +11 −0 rr.h
  10. +2 −2 sshfp.c
  11. +20 −0 t/test.pl
  12. +13 −0 t/zones/example.sec
  13. +598 −399 t/zones/example.sec.signed
  14. +45 −0 t/zones/manyerrors.zone
  15. +4 −2 textparse.c
  16. +87 −0 tlsa.c
@@ -9,15 +9,15 @@ validns: main.o carp.o mempool.o textparse.o base64.o base32hex.o \
naptr.o srv.o nsec3param.o nsec3.o ds.o \
hinfo.o loc.o nsec3checks.o ptr.o \
sshfp.o threads.o rp.o spf.o cert.o \
dname.o
dname.o tlsa.o
$(CC) $(CFLAGS) $(OPTIMIZE) -o validns \
main.o carp.o mempool.o textparse.o base64.o base32hex.o \
rr.o soa.o a.o cname.o mx.o ns.o \
rrsig.o nsec.o dnskey.o txt.o aaaa.o \
naptr.o srv.o nsec3param.o nsec3.o ds.o \
hinfo.o loc.o nsec3checks.o ptr.o \
sshfp.o threads.o rp.o spf.o cert.o \
dname.o \
dname.o tlsa.o \
-L/usr/local/lib -L/opt/local/lib -lJudy -lcrypto
clean:
@@ -27,7 +27,7 @@ clean:
-rm -f naptr.o srv.o nsec3param.o nsec3.o ds.o
-rm -f hinfo.o loc.o nsec3checks.o ptr.o
-rm -f sshfp.o base32hex.o base64.o threads.o
-rm -f rp.o spf.o cert.o dname.o
-rm -f rp.o spf.o cert.o dname.o tlsa.o
-rm -f validns.core core
@echo ':-)'
@@ -124,6 +124,9 @@ cert.o: cert.c common.h textparse.h mempool.h carp.h rr.h
dname.o: dname.c common.h textparse.h mempool.h carp.h rr.h
$(CC) $(CFLAGS) $(OPTIMIZE) -c -o dname.o dname.c $(INCPATH)
tlsa.o: tlsa.c common.h textparse.h mempool.h carp.h rr.h
$(CC) $(CFLAGS) $(OPTIMIZE) -c -o tlsa.o tlsa.c $(INCPATH)
threads.o: threads.c
$(CC) $(CFLAGS) $(OPTIMIZE) -c -o threads.o threads.c $(INCPATH)
2 cert.c
@@ -123,7 +123,7 @@ static char* cert_human(struct rr *rrv)
RRCAST(cert);
char s[1024];
snprintf(s, 1024, "CERT %d %d %d ...",
snprintf(s, 1024, "%d %d %d ...",
rr->type, rr->key_tag, rr->algorithm);
return quickstrdup_temp(s);
}
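Review bot: The buffer size is spelled out twice in cert_human — `char s[1024]` and `snprintf(s, 1024, ...)` — so the two can drift apart if either is edited later; since the format line is being touched anyway, I would write it as `snprintf(s, sizeof s, "%d %d %d ...", rr->type, rr->key_tag, rr->algorithm);`. Dropping the "CERT " prefix presumably aligns this with what the other *_human callbacks emit, but the caller that prints the result is outside the hunk, so I could not confirm that from the page. cert_human's opening lines are outside the hunk.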
@@ -65,4 +65,10 @@ struct globals {
extern struct globals G;
#define SHA1_BYTES 20
#define SHA256_BYTES 32
#define SHA512_BYTES 64
/* GOST R 34.11-94 - 32 bytes */
#define GOST_BYTES 32
#endif
17 ds.c
@@ -39,25 +39,20 @@ static struct rr* ds_parse(char *name, long ttl, int type, char *s)
/* See http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xml
* for valid digest types. */
/*
SHA-1 20 bytes
SHA-256 32 bytes
GOST R 34.11-94 32 bytes
*/
switch (digest_type) {
case 1:
if (rr->digest.length != 20) {
return bitch("wrong SHA-1 digest length: %d bytes found, %d bytes expected", rr->digest.length, 20);
if (rr->digest.length != SHA1_BYTES) {
return bitch("wrong SHA-1 digest length: %d bytes found, %d bytes expected", rr->digest.length, SHA1_BYTES);
}
break;
case 2:
if (rr->digest.length != 32) {
return bitch("wrong SHA-256 digest length: %d bytes found, %d bytes expected", rr->digest.length, 32);
if (rr->digest.length != SHA256_BYTES) {
return bitch("wrong SHA-256 digest length: %d bytes found, %d bytes expected", rr->digest.length, SHA256_BYTES);
}
break;
case 3:
if (rr->digest.length != 32) {
return bitch("wrong GOST R 34.11-94 digest length: %d bytes found, %d bytes expected", rr->digest.length, 32);
if (rr->digest.length != GOST_BYTES) {
return bitch("wrong GOST R 34.11-94 digest length: %d bytes found, %d bytes expected", rr->digest.length, GOST_BYTES);
}
break;
default:
1 main.c
@@ -292,6 +292,7 @@ static void initialize_globals(void)
rr_methods[T_SPF] = spf_methods;
rr_methods[T_SRV] = srv_methods;
rr_methods[T_SSHFP] = sshfp_methods;
rr_methods[T_TLSA] = tlsa_methods;
rr_methods[T_TXT] = txt_methods;
}
2 nsec.c
@@ -33,6 +33,8 @@ static struct rr* nsec_parse(char *name, long ttl, int type, char *s)
str_type = extract_label(&s, "type list", "temporary");
if (!str_type) return NULL;
ltype = str2rdtype(str_type);
if (ltype < 0)
return NULL;
add_bit_to_set(&bitmap, ltype);
}
if (!s)
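Review bot: The new `if (ltype < 0) return NULL;` in nsec_parse rejects the record without emitting a diagnostic of its own, so the zone error is only reported if str2rdtype already reports an unrecognized type name before returning a negative value; the rr.c hunk does not show what str2rdtype does for unknown names, so please confirm that, or make the failure explicit the way ds_parse and sshfp_parse do, e.g. `return bitch("unknown type in type list: %s", str_type);`. The identical guard is added in nsec3_parse in the nsec3.c hunk and the same question applies there. Both functions begin and end outside their hunks.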
@@ -86,6 +86,8 @@ static struct rr* nsec3_parse(char *name, long ttl, int type, char *s)
str_type = extract_label(&s, "type list", "temporary");
if (!str_type) return NULL;
ltype = str2rdtype(str_type);
if (ltype < 0)
return NULL;
add_bit_to_set(&bitmap, ltype);
}
if (!s)
5 rr.c
@@ -71,7 +71,8 @@ static char* rdtype2str_map[T_MAX+1] = {
"DHCID",
"NSEC3", /* 50 */
"NSEC3PARAM",
0, 0, 0, 0, 0, 0, 0, 0, 0, /* 60 */
"TLSA",
0, 0, 0, 0, 0, 0, 0, 0, /* 60 */
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 70 */
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 80 */
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 90 */
@@ -520,6 +521,8 @@ int str2rdtype(char *rdtype)
case 't':
if (strcmp(rdtype, "txt") == 0) {
return T_TXT;
} else if (strcmp(rdtype, "tlsa") == 0) {
return T_TLSA;
} else if (strncmp(rdtype, "type", 4) == 0) {
long type = strtol(rdtype+4, NULL, 10);
if (type <= 0 || type > 65535)
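Review bot: The `"TLSA"` entry in rdtype2str_map depends on the hand-counted run of zeros after it being shortened from nine to eight so that the string lands at index 52 and the `/* 60 */` marker stays truthful; a miscount here silently shifts every later name by one. A designated initializer states the position explicitly and lets the compiler place it: `[T_TLSA] = "TLSA",` with the following zeros left as they are (positional elements continue from the designated index), which also ties the table to the same T_TLSA constant the new str2rdtype branch returns. The str2rdtype hunk itself looks consistent with the existing "txt" branch. Both str2rdtype and the table start outside the hunks.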
11 rr.h
@@ -31,6 +31,7 @@
#define T_DNSKEY 48
#define T_NSEC3 50
#define T_NSEC3PARAM 51
#define T_TLSA 52
#define T_SPF 99
#define T_MAX 99
@@ -176,6 +177,16 @@ struct rr_txt
};
extern struct rr_methods txt_methods;
struct rr_tlsa
{
struct rr rr;
uint8_t cert_usage;
uint8_t selector;
uint8_t matching_type;
struct binary_data association_data;
};
extern struct rr_methods tlsa_methods;
struct rr_naptr
{
struct rr rr;
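Review bot: The four new fields of struct rr_tlsa carry no comment, although the t/test.pl hunk shows that the parser validates each of them ("bad certificate usage field", "bad selector field", "bad matching type field", and SHA-256/SHA-512 length checks on the association data). A one-line comment per field stating the accepted value range and, for association_data, which lengths are enforced for which matching type would let readers of rr.h see the invariants without opening tlsa.c, e.g. `struct binary_data association_data; /* length checked against matching_type in tlsa_parse */`. The `#define T_TLSA 52` is fine as a value, but note that T_MAX stays 99 and the positional rdtype2str_map in rr.c must be kept in step with it.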
@@ -36,9 +36,9 @@ static struct rr* sshfp_parse(char *name, long ttl, int type, char *s)
rr->fingerprint = extract_hex_binary_data(&s, "fingerprint", EXTRACT_EAT_WHITESPACE);
if (rr->fingerprint.length < 0) return NULL;
if (rr->fingerprint.length != 20) {
if (rr->fingerprint.length != SHA1_BYTES) {
return bitch("wrong SHA-1 fingerprint length: %d bytes found, %d bytes expected",
rr->fingerprint.length, 20);
rr->fingerprint.length, SHA1_BYTES);
}
if (*s) {
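Review bot: The SHA1_BYTES comparison in sshfp_parse is unconditional on the visible lines, so a fingerprint of any type is held to 20 bytes; if the fingerprint-type field parsed above the hunk accepts values other than 1 (type 2 denotes a SHA-256 fingerprint, which is 32 bytes), valid records would be rejected with a misleading "SHA-1" message. If the earlier code already restricts the type to 1 this is fine as is; otherwise switch on the type the way ds_parse does and compare against SHA256_BYTES for type 2. The surrounding function starts before the hunk, so I could not verify which case applies.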
@@ -75,6 +75,26 @@
like(shift @e, qr/MX preference expected/, "empty MX");
like(shift @e, qr/MX exchange expected/, "MX without exchange");
like(shift @e, qr/garbage after valid MX data/, "bad MX");
like(shift @e, qr/bad SHA-256 hash length/, "TLSA SHA-256");
like(shift @e, qr/bad SHA-512 hash length/, "TLSA SHA-512");
like(shift @e, qr/certificate association data: hex data does not represent whole number of bytes/, "TLSA nibbles");
like(shift @e, qr/bad certificate usage field/, "TLSA certificate usage");
like(shift @e, qr/TTL is not valid/, "TLSA certificate usage fallout");
like(shift @e, qr/certificate usage field expected/, "TLSA certificate usage");
like(shift @e, qr/TTL is not valid/, "TLSA certificate usage fallout");
like(shift @e, qr/bad selector field/, "TLSA selector");
like(shift @e, qr/TTL is not valid/, "TLSA selector fallout");
like(shift @e, qr/selector field expected/, "TLSA selector");
like(shift @e, qr/TTL is not valid/, "TLSA selector fallout");
like(shift @e, qr/bad matching type field/, "TLSA matching type");
like(shift @e, qr/TTL is not valid/, "TLSA matching type fallout");
like(shift @e, qr/matching type field expected/, "TLSA matching type");
like(shift @e, qr/TTL is not valid/, "TLSA matching type fallout");
like(shift @e, qr/outside.org. does not belong to zone galaxyplus.org./, "outsider");
like(shift @e, qr/long.outside.org. does not belong to zone galaxyplus.org./, "long outsider");
like(shift @e, qr/outsidegalaxyplus.org. does not belong to zone galaxyplus.org./, "tricky outsider");
@@ -20,6 +20,19 @@ ns2 A 5.6.7.8
mail A 2.3.4.5
www CNAME example.sec.
_443._tcp.www IN TLSA (
0 0 1 d2abde240d7cd3ee6b4b28c54df034b9
7983a1d16e8a410e4561cb106618e971 )
_8443._tcp.www.example.sec. IN TLSA (
1 1 2 92003ba34942dc74152e2f2c408d29ec
a5a520e7f2e06bb944f4dca346baf63c
1b177615d466f6c4b71c216a50292bd5
8c9ebdd2f74e38fe51ffd48c43326cbc )
_25._tcp.mail IN TLSA (
3 0 0 30820307308201efa003020102020123 )
delegation NS ns1
delegation NS ns2
delegation DS 60485 5 1 ( 2BB183AF5F22588179A53B0A
