From: Jelte Jansen Date: Wed, 28 Mar 2007 08:56:31 +0000 (+0000) Subject: rest of canonicalization fix X-Git-Tag: release-1.2.0~10 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=614372b336612b43d2e7fe0fb02fe219eb98bbb8;p=thirdparty%2Fldns.git rest of canonicalization fix
---
diff --git a/dnssec.c b/dnssec.c
index 230d0005..78c83582 100644
--- a/dnssec.c
+++ b/dnssec.c
@@ -831,9 +831,11 @@ ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys)
 ldns_rdf_deep_free(first_label);
 /* make it canonical */
+ /*
 for(i = 0; i < ldns_rr_list_rr_count(rrset_clone); i++) {
 ldns_rr2canonical(ldns_rr_list_rr(rrset_clone, i));
 }
+ */
 /* sort */
 ldns_rr_list_sort(rrset_clone);
@@ -1315,16 +1317,18 @@ ldns_zone_sign(const ldns_zone *zone, ldns_key_list *key_list)
 /* there should only be 1 SOA, so the soa record is 1 rrset */
 cur_rrsigs = NULL;
 ldns_zone_set_soa(signed_zone, ldns_rr_clone(ldns_zone_soa(zone)));
- ldns_rr2canonical(ldns_zone_soa(signed_zone));
+ /*ldns_rr2canonical(ldns_zone_soa(signed_zone));*/
 orig_zone_rrs = ldns_rr_list_clone(ldns_zone_rrs(zone));
 ldns_rr_list_push_rr(orig_zone_rrs, ldns_rr_clone(ldns_zone_soa(zone)));
 /* canon now, needed for correct nsec creation */
+ /*
 for (i = 0; i < ldns_rr_list_rr_count(orig_zone_rrs); i++) {
 ldns_rr2canonical(ldns_rr_list_rr(orig_zone_rrs, i));
 }
+ */
 glue_rrs = ldns_zone_glue_rr_list(zone);
 /* add the key (TODO: check if it's there already? */
diff --git a/drill/chasetrace.c b/drill/chasetrace.c
index 84bc6134..a12743c0 100644
--- a/drill/chasetrace.c
+++ b/drill/chasetrace.c
@@ -575,7 +575,7 @@ do_chase(ldns_resolver *res, ldns_rdf *name, ldns_rr_type type, ldns_rr_class c,
 fprintf(stdout, "TYPE%d\t", type);
 }
- printf("\n;; was DENIED by nsec(3), chasing nsec record\n");
+ printf("\n;; was DENIED by nsec, chasing nsec record\n");
 }
 /* verify them, they can't be blindly chased */
diff --git a/drill/dnssec.c b/drill/dnssec.c
index f90d0fca..1345bbad 100644
--- a/drill/dnssec.c
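Review bot: The canonicalization loop in the ldns_sign_public hunk is disabled by wrapping it in a comment instead of being deleted, and the `/* make it canonical */` line above it now describes code that never runs; the ldns_zone_sign hunk does the same to the SOA call and to the loop under `/* canon now, needed for correct nsec creation */`, a comment that still claims the step is required. The only lowercasing left in this patch is applied to temporary clones inside qsort_schwartz_rr_compare, so the records in rrset_clone and orig_zone_rrs keep their original case after sorting. If the code after these hunks serializes those lists directly into the data that is signed or into NSEC owner and next names, that data is no longer in canonical form and a validator that lowercases names may reject the signatures; both functions continue outside the hunks, so this needs confirming. I would delete the dead blocks and replace the stale comments with one that says where canonical form is now produced, for example `/* names keep their case here; ldns_rr_list_sort() compares canonical copies */`.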
+++ b/drill/dnssec.c
@@ -164,11 +164,6 @@ ldns_verify_denial(ldns_pkt *pkt, ldns_rdf *name, ldns_rr_type type, ldns_rr_lis
 /* Try to see if there are NSECS in the packet */
 nsecs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_NSEC, LDNS_SECTION_ANY_NOQUESTION);
 if (nsecs) {
- /*
- result = LDNS_STATUS_OK;
- */
- ldns_rr_list2canonical(nsecs);
-
 for (nsec_i = 0; nsec_i < ldns_rr_list_rr_count(nsecs); nsec_i++) {
 /* there are four options:
 * - name equals ownername and is covered by the type bitmap
diff --git a/rr.c b/rr.c
index f4f2e448..6d688083 100644
--- a/rr.c
+++ b/rr.c
@@ -1207,6 +1207,11 @@ qsort_schwartz_rr_compare(const void *a, const void *b)
 ldns_buffer *rr1_buf, *rr2_buf;
 struct ldns_schwartzian_compare_struct *sa = *(struct ldns_schwartzian_compare_struct **) a;
 struct ldns_schwartzian_compare_struct *sb = *(struct ldns_schwartzian_compare_struct **) b;
+ /* if we are doing 2wire, we need to do lowercasing on the dname (and maybe on the rdata)
+ * this must be done for comparison only, so we need to have a temp var for both buffers,
+ * which is only used when the transformed object value isn't there yet
+ */
+ ldns_rr *canonical_a, *canonical_b;
 rr1 = (ldns_rr *) sa->original_object;
 rr2 = (ldns_rr *) sb->original_object;
@@ -1215,18 +1220,26 @@ qsort_schwartz_rr_compare(const void *a, const void *b)
 if (result == 0) {
 if (!sa->transformed_object) {
- sa->transformed_object = ldns_buffer_new(ldns_rr_uncompressed_size(sa->original_object));
- if (ldns_rr2buffer_wire(sa->transformed_object, sa->original_object, LDNS_SECTION_ANY) != LDNS_STATUS_OK) {
+ canonical_a = ldns_rr_clone(sa->original_object);
+ ldns_rr2canonical(canonical_a);
+ sa->transformed_object = ldns_buffer_new(ldns_rr_uncompressed_size(canonical_a));
+ if (ldns_rr2buffer_wire(sa->transformed_object, canonical_a, LDNS_SECTION_ANY) != LDNS_STATUS_OK) {
 fprintf(stderr, "ERR!\n");
+ ldns_rr_free(canonical_a);
 return 0;
 }
+ ldns_rr_free(canonical_a);
 }
 if (!sb->transformed_object) {
- sb->transformed_object = ldns_buffer_new(ldns_rr_uncompressed_size(sb->original_object));
- if (ldns_rr2buffer_wire(sb->transformed_object, sb->original_object, LDNS_SECTION_ANY) != LDNS_STATUS_OK) {
+ canonical_b = ldns_rr_clone(sb->original_object);
+ ldns_rr2canonical(canonical_b);
+ sb->transformed_object = ldns_buffer_new(ldns_rr_uncompressed_size(canonical_b));
+ if (ldns_rr2buffer_wire(sb->transformed_object, canonical_b, LDNS_SECTION_ANY) != LDNS_STATUS_OK) {
 fprintf(stderr, "ERR!\n");
+ ldns_rr_free(canonical_b);
 return 0;
 }
+ ldns_rr_free(canonical_b);
 }
 rr1_buf = (ldns_buffer *) sa->transformed_object;
 rr2_buf = (ldns_buffer *) sb->transformed_object;
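Review bot: The result of `ldns_rr_clone()` is used without a NULL check in both new branches, so `ldns_rr_uncompressed_size(canonical_a)` and `ldns_rr2buffer_wire(..., canonical_a, ...)` receive it directly, and likewise for `canonical_b`. Assuming ldns_rr_clone can return NULL when allocation fails (its definition is not part of this patch), I would add `if (!canonical_a) { return 0; }` right after the clone, before the buffer is allocated, and the same for `canonical_b`. The existing failure path also leaves `sa->transformed_object` pointing at a partially written buffer, so a later comparison skips the conversion and compares that partial data; since this order feeds the canonical RRset ordering used for signing, freeing the buffer and resetting the pointer to NULL there would be safer. The two branches are now identical apart from the variable names and would read better as one static helper; the function starts and ends outside this hunk.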
@@ -1468,10 +1481,48 @@ void ldns_rr2canonical(ldns_rr *rr)
 {
 uint16_t i;
+
+ if (!rr) {
+ return;
+ }
- ldns_dname2canonical(ldns_rr_owner(rr));
- for (i = 0; i < ldns_rr_rd_count(rr); i++) {
- ldns_dname2canonical(ldns_rr_rdf(rr, i));
+ ldns_dname2canonical(ldns_rr_owner(rr));
+
+ /*
+ * lowercase the rdata dnames if the rr type is one
+ * of the list in chapter 7 of RFC3597
+ */
+ switch(ldns_rr_get_type(rr)) {
+ case LDNS_RR_TYPE_NS:
+ case LDNS_RR_TYPE_MD:
+ case LDNS_RR_TYPE_MF:
+ case LDNS_RR_TYPE_CNAME:
+ case LDNS_RR_TYPE_SOA:
+ case LDNS_RR_TYPE_MB:
+ case LDNS_RR_TYPE_MG:
+ case LDNS_RR_TYPE_MR:
+ case LDNS_RR_TYPE_PTR:
+ case LDNS_RR_TYPE_HINFO:
+ case LDNS_RR_TYPE_MINFO:
+ case LDNS_RR_TYPE_MX:
+ case LDNS_RR_TYPE_RP:
+ case LDNS_RR_TYPE_AFSDB:
+ case LDNS_RR_TYPE_RT:
+ case LDNS_RR_TYPE_SIG:
+ case LDNS_RR_TYPE_PX:
+ case LDNS_RR_TYPE_NXT:
+ case LDNS_RR_TYPE_NAPTR:
+ case LDNS_RR_TYPE_KX:
+ case LDNS_RR_TYPE_SRV:
+ case LDNS_RR_TYPE_DNAME:
+ case LDNS_RR_TYPE_A6:
+ for (i = 0; i < ldns_rr_rd_count(rr); i++) {
+ ldns_dname2canonical(ldns_rr_rdf(rr, i));
+ }
+ return;
+ default:
+ /* do nothing */
+ return;
 }
 }
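Review bot: The type list in the new switch follows section 7 of RFC 3597, but the canonical RR form used for DNSSEC signatures is defined in RFC 4034 section 6.2, which extends that list with RRSIG and NSEC, and neither type appears here. As written, an RRSIG whose signer name contains upper-case letters is left untouched by ldns_rr2canonical, which can make signature data differ from what a validator reconstructs. I would add `case LDNS_RR_TYPE_RRSIG:`, make an explicit decision about `LDNS_RR_TYPE_NSEC`, and cite RFC 4034 in the comment next to RFC 3597. The inner loop hands every rdata field to ldns_dname2canonical, including the integer and string fields of SOA, MX and HINFO; presumably that function ignores non-dname fields, but its definition is not in this patch, so the comment should state that assumption.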