}
ldns_buffer_free(keybuf);
ac32 += (ac32 >> 16) & 0xFFFF;
+/*printf("RETURNING %u\n", (uint16_t) (ac32 & 0xFFFF));*/
return (uint16_t) (ac32 & 0xFFFF);
}
}
}
/* key-tag */
+/*printf("SETTING KEYTAG TO: %u\n", ldns_key_keytag(current_key));*/
(void)ldns_rr_rrsig_set_keytag(current_sig,
ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16,
ldns_key_keytag(current_key)));
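Review bot: The added line is a commented-out debug printf next to the keytag assignment; commented-out code should be removed before merging rather than left in as a tracing aid. If the keytag being set needs to be observable, expose it through an existing logging or return path instead of a disabled printf. The enclosing function starts and ends outside the hunk.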
ldns_rr_list *nsec_rrs = NULL;
ldns_rr_list *nsec_rr_sigs = NULL;
+ uint16_t ksk_i;
+ uint16_t ksk_sig_i;
+ ldns_rr *ksk_sig = NULL;
+
uint16_t key_i;
uint16_t tkey_i;
ldns_pkt *pkt;
result = LDNS_STATUS_ERR;
for (key_i = 0; key_i < ldns_rr_list_rr_count(keys); key_i++) {
/* only check matching keys */
-
if (ldns_calc_keytag(ldns_rr_list_rr(keys, key_i))
==
ldns_rdf2native_int16(ldns_rr_rrsig_keytag(cur_sig))
}
/* apparently the key is not trusted, so it must either be signed itself or have a DS in the parent */
if (type == LDNS_RR_TYPE_DNSKEY && ldns_rdf_compare(name, ldns_rr_rdf(cur_sig, 7)) == 0) {
+ /* check the other signatures, there might be a trusted KSK here */
+ for (ksk_sig_i = 0; ksk_sig_i < ldns_rr_list_rr_count(sigs); ksk_sig_i++) {
+ ksk_sig = ldns_rr_list_rr(sigs, ksk_sig_i);
+ if (ldns_rdf2native_int16(ldns_rr_rrsig_keytag(ksk_sig)) !=
+ ldns_calc_keytag(ldns_rr_list_rr(keys, key_i))) {
+ for (ksk_i = 0; ksk_i < ldns_rr_list_rr_count(keys); ksk_i++) {
+ if (ldns_rdf2native_int16(ldns_rr_rrsig_keytag(ksk_sig)) ==
+ ldns_calc_keytag(ldns_rr_list_rr(keys, ksk_i))) {
+ result = ldns_verify_rrsig(rrset, cur_sig, ldns_rr_list_rr(keys, key_i));
+ if (result == LDNS_STATUS_OK) {
+ for (tkey_i = 0; tkey_i < ldns_rr_list_rr_count(trusted_keys); tkey_i++) {
+ if (ldns_rr_compare_ds(ldns_rr_list_rr(keys, ksk_i),
+ ldns_rr_list_rr(trusted_keys, tkey_i)
+ )) {
+ if (verbosity > 1) {
+ mesg("Key is signed by trusted KSK");
+ }
+ ldns_rr_list_deep_free(rrset);
+ ldns_rr_list_deep_free(sigs);
+ ldns_rr_list_deep_free(keys);
+ ldns_pkt_free(pkt);
+ ldns_rr_free(cur_sig);
+ return LDNS_STATUS_OK;
+ }
+ }
+ }
+ }
+ }
+
+ }
+ }
+
/* okay now we are looping in a selfsigned key, find the ds or bail */
/* there can never be a DS for the root label unless it has been given,
* so we can't chase that */
ldns_rr_free(cur_sig);
return result;
}
+ /*
+ } else {
+ printf("Keytag mismatch: %u <> %u\n",
+ ldns_calc_keytag(ldns_rr_list_rr(keys, key_i)),
+ ldns_rdf2native_int16(ldns_rr_rrsig_keytag(cur_sig))
+ );
+ */
}
}
if (result != LDNS_STATUS_OK) {
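Review bot: The KSK signature the new loop locates in ksk_sig is never verified: the ldns_verify_rrsig call inside the ksk_i loop checks cur_sig against the same key_i again, so the OK return only needs some DNSKEY in the set to match a trusted key by DS and some RRSIG to carry its keytag. As far as these lines show, a DNSKEY set holding the genuine KSK plus an attacker's ZSK, a valid ZSK-signed RRSIG and a second RRSIG with a forged KSK keytag would be accepted as trusted. The verify should be `result = ldns_verify_rrsig(rrset, ksk_sig, ldns_rr_list_rr(keys, ksk_i));` with the trusted-key comparison kept inside that success branch. Separately, the commented-out keytag-mismatch printf block added after the loop should be dropped rather than committed, and the early return frees pkt whose assignment is not visible here. The enclosing function starts and ends outside the hunk.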
ldns_rr *k, *ds;
ldns_signing_algorithm alg;
ldns_hash h;
-
+ char *program = argv[0];
+
alg = 0;
h = LDNS_SHA1;
}
if (argc != 1) {
- usage(stderr, argv[0]);
+ usage(stderr, program);
exit(EXIT_FAILURE);
}
keyname = strdup(argv[0]);
data_time = 0;
memcpy(&data_time, &data, sizeof(uint32_t));
+
memset(&tm, 0, sizeof(tm));
if (gmtime_r(&data_time, &tm) && strftime(date_buf, 15, "%Y%m%d%H%M%S", &tm)) {
int ldns_rr_compare_wire(ldns_buffer *rr1_buf, ldns_buffer *rr2_buf)
{
size_t rr1_len, rr2_len, min_len, i, offset;
-
+
rr1_len = ldns_buffer_capacity(rr1_buf);
rr2_len = ldns_buffer_capacity(rr2_buf);
* and especially past TTL */
offset = 0;
while (offset < rr1_len && *ldns_buffer_at(rr1_buf, offset) != 0) {
- offset += *ldns_buffer_at(rr1_buf, offset);
+ offset += *ldns_buffer_at(rr1_buf, offset) + 1;
}
offset += 9;
min_len = (rr1_len < rr2_len) ? rr1_len : rr2_len;
/* Compare RRs RDATA byte for byte. */
for(i = offset; i < min_len; i++) {
- if (*ldns_buffer_at(rr1_buf,i) < *ldns_buffer_at(rr2_buf,i)) {
- return -1;
- } else if (*ldns_buffer_at(rr1_buf,i) > *ldns_buffer_at(rr2_buf,i)) {
- return +1;
- }
- }
+ if (*ldns_buffer_at(rr1_buf,i) < *ldns_buffer_at(rr2_buf,i)) {
+ return -1;
+ } else if (*ldns_buffer_at(rr1_buf,i) > *ldns_buffer_at(rr2_buf,i)) {
+ return +1;
+ }
+ }
+
/* If both RDATAs are the same up to min_len, then the shorter one sorts first. */
if (rr1_len < rr2_len) {
return -1;
}
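Review bot: With the label walk now advancing past each length byte, `offset += 9;` leaves offset on the two-byte RDLENGTH (root label, TYPE, CLASS and TTL are 1+2+2+4 bytes), so the loop commented "Compare RRs RDATA byte for byte" compares RDLENGTH first and any shorter RDATA sorts before a longer one regardless of content. RFC 4034 canonical ordering compares the RDATA octets left-justified and lets the shorter one sort first only when it is a prefix of the longer; if that is the order this function is meant to produce, the skip should be `offset += 11; /* past RDLENGTH, to the start of RDATA */`. The walk reads only rr1_buf and applies the resulting offset to rr2_buf, which is only valid when callers guarantee equal owner names — presumably checked before this is called, but worth a comment here. Both lengths also come from ldns_buffer_capacity, so a caller that sizes the buffers above the bytes actually written would have unwritten bytes compared.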
result = ldns_rr_compare_wire(rr1_buf, rr2_buf);
-
+
ldns_buffer_free(rr1_buf);
ldns_buffer_free(rr2_buf);
}
ldns_rr_get_type(rr2) == LDNS_RR_TYPE_DS) {
ds_repr = ldns_key_rr2ds(rr1, LDNS_SHA1);
result = (ldns_rr_compare(rr2, ds_repr) == 0);
+
ldns_rr_free(ds_repr);
} else {
result = (ldns_rr_compare(rr1, rr2) == 0);