Differential D40226 Diff 122271 contrib/ldns/drill/securetrace.c

Changeset View

Standalone View

contrib/ldns/drill/securetrace.c

Show First 20 Lines • Show All 131 Lines • ▼ Show 20 Lines	do_secure_trace(ldns_resolver local_res, ldns_rdf name, ldns_rr_type t,
/* dnssec */		/* dnssec */
ldns_rr_list *key_list;		ldns_rr_list *key_list;
ldns_rr_list *key_sig_list;		ldns_rr_list *key_sig_list;
ldns_rr_list *ds_list;		ldns_rr_list *ds_list;
ldns_rr_list *ds_sig_list;		ldns_rr_list *ds_sig_list;
ldns_rr_list *correct_key_list;		ldns_rr_list *correct_key_list;
ldns_rr_list *trusted_ds_rrs;		ldns_rr_list *trusted_ds_rrs;
bool new_keys_trusted = false;		bool new_keys_trusted = false;
ldns_rr_list *current_correct_keys;		ldns_rr_list *current_correct_keys = NULL;
ldns_rr_list *dataset;		ldns_rr_list *dataset;

ldns_rr_list *nsec_rrs = NULL;		ldns_rr_list *nsec_rrs = NULL;
ldns_rr_list *nsec_rr_sigs = NULL;		ldns_rr_list *nsec_rr_sigs = NULL;

/* empty non-terminal check */		/* empty non-terminal check */
bool ent;		bool ent;
ldns_rr nsecrr; / The nsec that proofs the non-terminal */		ldns_rr nsecrr; / The nsec that proofs the non-terminal */
▲ Show 20 Lines • Show All 87 Lines • ▼ Show 20 Lines	if (ldns_dname_is_subdomain(name, start_name)) {
fprintf(stderr, "Error; ");		fprintf(stderr, "Error; ");
ldns_rdf_print(stderr, name);		ldns_rdf_print(stderr, name);
fprintf(stderr, " is not a subdomain of ");		fprintf(stderr, " is not a subdomain of ");
ldns_rdf_print(stderr, start_name);		ldns_rdf_print(stderr, start_name);
fprintf(stderr, "\n");		fprintf(stderr, "\n");
goto done;		goto done;
}		}
}		}
labels = LDNS_XMALLOC(ldns_rdf*, labels_count + 2);		labels = LDNS_CALLOC(ldns_rdf*, labels_count + 2);
if (!labels) {		if (!labels) {
goto done;		goto done;
}		}
labels[0] = ldns_dname_new_frm_str(LDNS_ROOT_LABEL_STR);		labels[0] = ldns_dname_new_frm_str(LDNS_ROOT_LABEL_STR);
labels[1] = ldns_rdf_clone(name);		labels[1] = ldns_rdf_clone(name);
for(i = 2 ; i < (ssize_t)labels_count + 2; i++) {		for(i = 2 ; i < (ssize_t)labels_count + 2; i++) {
labels[i] = ldns_dname_left_chop(labels[i - 1]);		labels[i] = ldns_dname_left_chop(labels[i - 1]);
}		}

/* get the nameserver for the label		/* get the nameserver for the label
* ask: dnskey and ds for the label		* ask: dnskey and ds for the label
*/		*/
for(i = (ssize_t)labels_count + 1; i > 0; i--) {		for(i = (ssize_t)labels_count + 1; i > 0; i--) {
status = ldns_resolver_send(&local_p, res, labels[i], LDNS_RR_TYPE_NS, c, 0);		status = ldns_resolver_send(&local_p, res, labels[i], LDNS_RR_TYPE_NS, c, 0);
		if (status != LDNS_STATUS_OK) {
		fprintf(stderr, "Error sending query: %s\n", ldns_get_errorstr_by_id(status));
		result = status;
		goto done;
		}

		/* TODO: handle status */

if (verbosity >= 5) {		if (verbosity >= 5) {
ldns_pkt_print(stdout, local_p);		ldns_pkt_print(stdout, local_p);
}		}

new_nss = ldns_pkt_rr_list_by_type(local_p,		new_nss = ldns_pkt_rr_list_by_type(local_p,
LDNS_RR_TYPE_NS, LDNS_SECTION_ANSWER);		LDNS_RR_TYPE_NS, LDNS_SECTION_ANSWER);
if (!new_nss) {		if (!new_nss) {
/* if it's a delegation, servers put them in the auth section */		/* if it's a delegation, servers put them in the auth section */
▲ Show 20 Lines • Show All 224 Lines • ▼ Show 20 Lines	*/ printf("NS: %s\n", ldns_get_errorstr_by_id(st));
ldns_rr_list_deep_free(key_sig_list);		ldns_rr_list_deep_free(key_sig_list);
key_sig_list = NULL;		key_sig_list = NULL;

/* check the DS records for the next child domain */		/* check the DS records for the next child domain */
if (i > 1) {		if (i > 1) {
p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS);		p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS);
(void) get_ds(p, labels[i-1], &ds_list, &ds_sig_list);		(void) get_ds(p, labels[i-1], &ds_list, &ds_sig_list);
if (!ds_list) {		if (!ds_list) {
		ldns_rr_list_deep_free(ds_sig_list);
		(void) get_dnssec_rr( p, labels[i-1]
		, LDNS_RR_TYPE_CNAME
		, &ds_list, &ds_sig_list);
		if (ds_list) {
		st = ldns_verify( ds_list, ds_sig_list
		, correct_key_list
		, current_correct_keys);

		if (st == LDNS_STATUS_OK) {
		printf(";; No DS record found "
		"for ");
		ldns_rdf_print(stdout,
		labels[i-1]);
		printf(", but valid CNAME");
		} else {
		printf(BOGUS " Unable to verify "
		"denial of existence for ");
		ldns_rdf_print(stdout,
		labels[i-1]);
		printf(", because of BOGUS CNAME");
		}
		printf("\n");
		ldns_rr_list_deep_free(ds_sig_list);
ldns_pkt_free(p);		ldns_pkt_free(p);
if (ds_sig_list) {		ldns_rr_list_deep_free(ds_list);
		ds_list = NULL;
		ds_sig_list = NULL;
		p = NULL;
		} else {
ldns_rr_list_deep_free(ds_sig_list);		ldns_rr_list_deep_free(ds_sig_list);
		ldns_pkt_free(p);
		p = get_dnssec_pkt(res, name,
		LDNS_RR_TYPE_DNSKEY);
		(void) get_ds(p, NULL
		, &ds_list, &ds_sig_list);
}		}
p = get_dnssec_pkt(res, name, LDNS_RR_TYPE_DNSKEY);
(void) get_ds(p, NULL, &ds_list, &ds_sig_list);
}		}
if (ds_sig_list) {		if (ds_sig_list) {
if (ds_list) {		if (ds_list) {
if (verbosity >= 4) {		if (verbosity >= 4) {
printf("VERIFYING:\n");		printf("VERIFYING:\n");
printf("DS LIST:\n");		printf("DS LIST:\n");
ldns_rr_list_print(stdout, ds_list);		ldns_rr_list_print(stdout, ds_list);
printf("SIGS:\n");		printf("SIGS:\n");
▲ Show 20 Lines • Show All 87 Lines • ▼ Show 20 Lines	if (i > 1) {
}		}


} else {		} else {
if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) {		if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) {
printf(";; No DS for ");		printf(";; No DS for ");
ldns_rdf_print(stdout, labels[i - 1]);		ldns_rdf_print(stdout, labels[i - 1]);
} else {		} else {
printf("[B] Unable to verify denial of existence for ");		printf(BOGUS " Unable to verify denial of existence for ");
ldns_rdf_print(stdout, labels[i - 1]);		ldns_rdf_print(stdout, labels[i - 1]);
printf(" DS: %s\n", ldns_get_errorstr_by_id(status));		printf(" DS: %s\n", ldns_get_errorstr_by_id(status));
}		}
}		}
if (verbosity >= 2) {		if (verbosity >= 2) {
printf(";; No ds record for delegation\n");		printf(";; No ds record for delegation\n");
}		}
}		}
▲ Show 20 Lines • Show All 87 Lines • ▼ Show 20 Lines	*/
printf(" type ");		printf(" type ");
if (descriptor && descriptor->_name) {		if (descriptor && descriptor->_name) {
printf("%s", descriptor->_name);		printf("%s", descriptor->_name);
} else {		} else {
printf("TYPE%u", t);		printf("TYPE%u", t);
}		}
printf("\n");		printf("\n");
} else {		} else {
printf("[B] Unable to verify denial of existence for ");		printf(BOGUS " Unable to verify denial of existence for ");
ldns_rdf_print(stdout, name);		ldns_rdf_print(stdout, name);
printf(" type ");		printf(" type ");
if (descriptor && descriptor->_name) {		if (descriptor && descriptor->_name) {
printf("%s", descriptor->_name);		printf("%s", descriptor->_name);
} else {		} else {
printf("TYPE%u", t);		printf("TYPE%u", t);
}		}
printf("\n");		printf("\n");
Show All 9 Lines	*/
ldns_rr_list_deep_free(key_list);		ldns_rr_list_deep_free(key_list);
key_list = NULL;		key_list = NULL;
ldns_rr_list_deep_free(key_sig_list);		ldns_rr_list_deep_free(key_sig_list);
key_sig_list = NULL;		key_sig_list = NULL;
ds_list = NULL;		ds_list = NULL;
ldns_rr_list_deep_free(ds_sig_list);		ldns_rr_list_deep_free(ds_sig_list);
ds_sig_list = NULL;		ds_sig_list = NULL;
}		}
printf(";;" SELF " self sig OK; " BOGUS " bogus; " TRUST " trusted\n");		printf(";;" SELF " self sig OK; " BOGUS " bogus; " TRUST " trusted; " UNSIGNED " unsigned\n");
/* verbose mode?		/* verbose mode?
printf("Trusted keys:\n");		printf("Trusted keys:\n");
ldns_rr_list_print(stdout, trusted_keys);		ldns_rr_list_print(stdout, trusted_keys);
printf("trusted dss:\n");		printf("trusted dss:\n");
ldns_rr_list_print(stdout, trusted_ds_rrs);		ldns_rr_list_print(stdout, trusted_ds_rrs);
*/		*/

done:		done:
Show All 12 Lines