author | Lennart Poettering <lennart@poettering.net> | 2015-12-21 19:57:34 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2015-12-26 19:09:10 +0100 |
commit | e7ff0e0b391341bdc4d9c08dff1c477e1df6a682 (patch) | |
tree | 03852136cb91d95a6549b74a983f295abdc8c250 /src/shared | |
parent | d38d5ca65b3f8fd19348a7919cf1f1f07c955393 (diff) |
resolved: properly implement RRSIG validation of wildcarded RRsets
Note that this is still not complete, one additional step is still
missing: when we verified that a wildcard RRset is properly signed, we
still need to do an NSEC/NSEC3 proof that no more specific RRset exists.
Diffstat (limited to 'src/shared')
-rw-r--r-- | src/shared/dns-domain.c | 56 | ||||
-rw-r--r-- | src/shared/dns-domain.h | 6 |
2 files changed, 62 insertions, 0 deletions
diff --git a/src/shared/dns-domain.c b/src/shared/dns-domain.c
index c46f7d21b7..f3dbf60395 100644
--- a/src/shared/dns-domain.c
+++ b/src/shared/dns-domain.c
@@ -1159,3 +1159,59 @@ finish:
 return 0;
 }
+
+int dns_name_suffix(const char *name, unsigned n_labels, const char **ret) {
+ const char* labels[DNS_N_LABELS_MAX+1];
+ unsigned n = 0;
+ const char *p;
+ int r;
+
+ assert(name);
+ assert(ret);
+
+ p = name;
+ for (;;) {
+ if (n > DNS_N_LABELS_MAX)
+ return -EINVAL;
+
+ labels[n] = p;
+
+ r = dns_name_parent(&p);
+ if (r < 0)
+ return r;
+ if (r == 0)
+ break;
+
+ n++;
+ }
+
+ if (n < n_labels)
+ return -EINVAL;
+
+ *ret = labels[n - n_labels];
+ return (int) (n - n_labels);
+}
+
+int dns_name_count_labels(const char *name) {
+ unsigned n = 0;
+ const char *p;
+ int r;
+
+ assert(name);
+
+ p = name;
+ for (;;) {
+ r = dns_name_parent(&p);
+ if (r < 0)
+ return r;
+ if (r == 0)
+ break;
+
+ if (n >= DNS_N_LABELS_MAX)
+ return -EINVAL;
+
+ n++;
+ }
+
+ return (int) n;
+}
diff --git a/src/shared/dns-domain.h b/src/shared/dns-domain.h
index 02b51832b6..7b509729fb 100644
--- a/src/shared/dns-domain.h
+++ b/src/shared/dns-domain.h
@@ -42,6 +42,9 @@
 /* Maximum length of a full hostname, on the wire, including the final NUL byte */
 #define DNS_WIRE_FOMAT_HOSTNAME_MAX 255
+/* Maximum number of labels per valid hostname */
+#define DNS_N_LABELS_MAX 127
+
 int dns_label_unescape(const char **name, char *dest, size_t sz);
 int dns_label_unescape_suffix(const char *name, const char **label_end, char *dest, size_t sz);
 int dns_label_escape(const char *p, size_t l, char *dest, size_t sz);
@@ -96,3 +99,6 @@ bool dns_service_name_is_valid(const char *name);
 int dns_service_join(const char *name, const char *type, const char *domain, char **ret);
 int dns_service_split(const char *joined, char **name, char **type, char **domain);
+
+int dns_name_suffix(const char *name, unsigned n_labels, const char **ret);
+int dns_name_count_labels(const char *name); |
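Review bot: Neither dns_name_suffix() nor dns_name_count_labels() states its contract, and since the commit message ties dns_name_suffix() to RRSIG wildcard validation, the meaning of n_labels and of the return value is exactly what the caller has to get right: as written, n_labels is the number of trailing labels kept (n_labels == 0 selects the entry stored on the last iteration, which is the root if dns_name_parent() returns 0 only once the root is reached), the return value is the number of leading labels dropped, and -EINVAL covers both a name with fewer than n_labels labels and one with more than DNS_N_LABELS_MAX. I would put that above the definition: `/* Returns the suffix of 'name' made of its last n_labels labels (n_labels == 0 selects the root) and the number of labels stripped to get there; -EINVAL if 'name' has fewer than n_labels or more than DNS_N_LABELS_MAX labels. */`. The two loops also bound the label count with different comparisons (`n > DNS_N_LABELS_MAX` before the store versus `n >= DNS_N_LABELS_MAX` after the step), which by my reading admit the same maximum of DNS_N_LABELS_MAX non-root labels but cost a reader a moment to confirm, so a one-liner on the second check such as `/* same limit as dns_name_suffix(): at most DNS_N_LABELS_MAX non-root labels */` would help. Both functions rely on dns_name_parent() returning 0 at the root and 1 otherwise, which is outside this hunk and worth naming in the comment. Finally, `const char* labels[...]` departs from the `const char *p` declarator style used two lines below it.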
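Review bot: The new DNS_N_LABELS_MAX comment says what the constant is but not where 127 comes from, and a limit that sizes the stack array in dns_name_suffix() deserves a derivation a reader can check against DNS_WIRE_FOMAT_HOSTNAME_MAX two lines above: every non-root label needs at least two wire bytes (length octet plus one character) and the root takes one, so (255 - 1) / 2 = 127 is the most labels a valid name can carry. Suggest `/* Maximum number of labels per valid hostname: each non-root label needs at least 2 wire bytes and the root 1, i.e. (DNS_WIRE_FOMAT_HOSTNAME_MAX - 1) / 2 */`. If callers later feed wire-derived counts (an RRSIG Labels octet is 0..255) into dns_name_suffix(), its `n < n_labels` check is the only thing rejecting them, which is fine but worth stating next to the constant so nobody adds a clamp that silently accepts a bad count.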