author | Linus Nordberg <linus@nordu.net> | 2016-04-13 10:57:23 +0200 |
committer | Linus Nordberg <linus@nordu.net> | 2016-04-13 10:57:23 +0200 |
commit | 49d8ed9587b1363f2feddc39f31442fd292798f2 (patch) | |
tree | b761d6a9aa998b5b93a1053c10134cd13a09f16f /c_src/dnssec.c | |
parent | fc16553ab4f5f956de7e4633d7dc92ea20c118e3 (diff) |
DNSSEC validation improvements.
Use DS signature inception time as the DNSSEC validation time.
Validate input data a bit more.
Set TTL in DS to "Original TTL" of RRSIG (this time for real).
Diffstat (limited to 'c_src/dnssec.c')
-rw-r--r-- | c_src/dnssec.c | 41 |
1 files changed, 28 insertions, 13 deletions
diff --git a/c_src/dnssec.c b/c_src/dnssec.c
index 6b9431d..440353b 100644
--- a/c_src/dnssec.c
+++ b/c_src/dnssec.c
@@ -4,23 +4,25 @@
 *
 * Invocation: dnssec <path-to-trust-anchor-file>
 *
- * Once running, read DNSSEC RR's from stdin, canonicalise RR's
- * (RFC4034 6.2), validate RR's (todo:ref) and write the result to
+ * Once running: Read DNSSEC RR's from stdin, canonicalise RR's
+ * (RFC4034 6.2), validate DS RR (todo:ref) and write the result to
 * stdout.
 *
 * All length fields in the input and output denotes the length of the
- * piece of data to follow in number of octets.
+ * piece of data to follow in number of octets. All integers are
+ * transfered in network byte order (a.k.a. big-endian).
 *
 * Input format:
- * - Length of data (4 octets)
+ * - Length of data in number of octets (integer, 4 octets)
+ * - Validation time in seconds since the epoch (integer, 4 octets)
+ * - Validation time skew in seconds (integer, 4 octets)
 * - DNSSEC RR's as a DNSSEC_key_chain, specified in
 * draft-zhang-trans-ct-dnssec-03 section 4.1 but without the TLS
 * data structure encoding.
 *
 * Output format:
- * - Lenght of data (4 octets)
- * - Status code -- the getdns_return_t value in network byte order (2
- * octets)
+ * - Lenght of data (integer, 4 octets)
+ * - Status code -- the getdns_return_t value (integer, 2 octets)
 * - (RR's)* -- if validation succeeded: the DS+RRSIG and the full
 * chain up to and including the trust anchor; if validation failed:
 * nothing
@@ -33,7 +35,7 @@
 #include <string.h>
 #include <errno.h>
 #include <time.h>
-#include <endian.h>
+#include <arpa/inet.h>
 #include <getopt.h>
 #include <getdns/getdns.h>
 #include <getdns/getdns_extra.h>
@@ -42,6 +44,16 @@ static int debug = 0; /* DEBUG */
+#define hd(b, l) { \
+ for (size_t n = 0; n < (l); n++) { \
+ if (n % 16 == 0) { \
+ if (n != 0) fprintf(stderr, "\n"); \
+ fprintf(stderr, "%08x ", n); \
+ } else if (n % 8 == 0) { \
+ fprintf(stderr, " "); } \
+ fprintf(stderr, "%02hhx ", (b)[n]); } \
+ fprintf(stderr, "\n"); }
+
 #if defined(TEST)
 static char *testmode = NULL;
 #endif
@@ -272,8 +284,6 @@ out:
 }
 #endif /* !TEST */
-#define DNSSEC_VALIDATION_SKEW 30 /* Seconds. */
-
 static void
 loop(getdns_list *trust_anchors)
 {
@@ -287,8 +297,13 @@ loop(getdns_list *trust_anchors)
 size_t out_len = 0;
 #if !defined(TEST)
- r = validate(buf, len, trust_anchors,
- time(NULL), DNSSEC_VALIDATION_SKEW,
+ unsigned char *bufp = buf;
+ uint32_t validation_time = ntohl(*((uint32_t *)bufp));
+ bufp += 4;
+ uint32_t validation_time_skew = ntohl(*((uint32_t *)bufp));
+ bufp += 4;
+ r = validate(bufp, len - 8, trust_anchors,
+ validation_time, validation_time_skew,
 reply + 2, &out_len);
 #else
 r = test_validate(buf, len, trust_anchors, testmode);
@@ -308,7 +323,7 @@ loop(getdns_list *trust_anchors)
 }
 }
- *((uint16_t *) reply) = htobe16(r);
+ *((uint16_t *) reply) = htons(r);
 if (debug) fprintf(stderr, "writing %d octets of data, including status code %d\n", 2 + out_len, r);
|
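Review bot: In the hd() macro added in the @@ -42,6 +44,16 @@ hunk, `fprintf(stderr, "%08x ", n)` hands a `size_t` to a `%x` conversion, which is undefined behaviour in C11 and is what -Wformat warns about; the conversion should be `"%08zx "`. The macro body is also a bare brace block rather than `do { ... } while (0)`, so a use such as `if (debug) hd(buf, len); else ...` fails to compile once the trailing `;` is added; wrapping the body as `do { ... } while (0)` removes that trap. Being a hex dumper it will presumably be pointed at the raw stdin message, so callers must pass the number of octets actually received as `l`, not the length field claimed by the sender.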
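Review bot: The new code in the @@ -287,8 +297,13 @@ hunk reads eight octets of validation time and skew out of `buf` and passes `len - 8` to validate() without first checking `len >= 8`, so a short message on stdin reads past the data actually received and, if `len` is an unsigned type (its declaration is earlier in loop(), outside this hunk), `len - 8` wraps to a huge length for validate(). The `*((uint32_t *)bufp)` casts additionally assume `buf` is 4-byte aligned and access it through an incompatible type, which is a strict-aliasing violation; copying each field out with memcpy avoids both problems at no cost. Reporting an error status instead of calling validate() when the message is too short keeps the existing reply path intact, since out_len stays 0 and only the status code is written, which matches the documented output for a failed validation. loop() begins and ends outside this hunk, so the exact declaration of `len` and `buf` should be checked against the suggestion below.
```c
#if !defined(TEST)
	if (len < 8) {
		/* Too short to carry validation time + skew: fail without
		 * reading beyond the received octets. */
		r = GETDNS_RETURN_INVALID_PARAMETER;
	} else {
		uint32_t validation_time, validation_time_skew;

		/* memcpy rather than a uint32_t cast: buf need not be
		 * 4-byte aligned and the cast breaks strict aliasing. */
		memcpy(&validation_time, buf, sizeof validation_time);
		memcpy(&validation_time_skew, buf + 4, sizeof validation_time_skew);
		validation_time = ntohl(validation_time);
		validation_time_skew = ntohl(validation_time_skew);

		r = validate(buf + 8, len - 8, trust_anchors,
			     validation_time, validation_time_skew,
			     reply + 2, &out_len);
	}
#else
	/* … unchanged: test_validate() call … */
```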