desec-io
diff --git a/‎Makefile.top‎
Lines changed: 6 additions & 0 deletions b/‎Makefile.top‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎bin/dnssec/dnssec-keyfromlabel.c‎
Lines changed: 1 addition & 0 deletions b/‎bin/dnssec/dnssec-keyfromlabel.c‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎bin/dnssec/dnssec-keygen.c‎
Lines changed: 5 additions & 0 deletions b/‎bin/dnssec/dnssec-keygen.c‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎bin/dnssec/dnssec-signzone.c‎
Lines changed: 77 additions & 29 deletions b/‎bin/dnssec/dnssec-signzone.c‎
Lines changed: 77 additions & 29 deletions
diff --git a/‎configure.ac‎
Lines changed: 1 addition & 0 deletions b/‎configure.ac‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎lib/Makefile.am‎
Lines changed: 1 addition & 1 deletion b/‎lib/Makefile.am‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎lib/dns/Makefile.am‎
Lines changed: 4 additions & 1 deletion b/‎lib/dns/Makefile.am‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎lib/dns/dnssec.c‎
Lines changed: 0 additions & 1 deletion b/‎lib/dns/dnssec.c‎
Lines changed: 0 additions & 1 deletion
@@ -71,3 +71,9 @@ LIBISCCC_CFLAGS = \
 
 LIBISCCC_LIBS = \
 	$(top_builddir)/lib/isccc/libisccc.la
+
+LIBSAQ_CFLAGS = \
+	-I$(top_srcdir)/lib/saq/include
+
+LIBSAQ_LIBS = \
+	$(top_builddir)/lib/saq/libsaq.la
@@ -403,6 +403,7 @@ main(int argc, char **argv) {
 			case DST_ALG_SPHINCSSHA256128S:
 			case DST_ALG_XMSS:
 			case DST_ALG_XMSSMT:
+			case DST_ALG_MERKLE_TREE:
 				break;
 			default:
 				fatal("%s is incompatible with NSEC3; "
 
@@ -324,6 +324,7 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 			case DST_ALG_SPHINCSSHA256128S:
 			case DST_ALG_XMSS:
 			case DST_ALG_XMSSMT:
+			case DST_ALG_MERKLE_TREE:
 				break;
 			default:
 				fatal("algorithm %s is incompatible with NSEC3"
@@ -379,6 +380,7 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 			case DST_ALG_SPHINCSSHA256128S:
 			case DST_ALG_XMSS:
 			case DST_ALG_XMSSMT:
+			case DST_ALG_MERKLE_TREE:
 				break;
 			default:
 				fatal("key size not specified (-b option)");
@@ -578,6 +580,9 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 			fatal("XMSSMT failed to get bits based on param");
 		}
 		break;
+	case DST_ALG_MERKLE_TREE:
+		ctx->size = 256;
+		break;
 	}
 
 	if (ctx->nametype == NULL) {
 
@@ -718,7 +718,7 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
 			if (isksk(key) || !have_ksk ||
 			    (iszsk(key) && !keyset_kskonly))
 			{
-				if (!defer_signing || !iszsk(key) || (set->type == dns_rdatatype_dnskey && dst_key_alg(key->key) != DST_ALG_ECDSA256)) {
+				if (!defer_signing || !iszsk(key) || (set->type == dns_rdatatype_dnskey && !dst_key_is_deferred_signing(key->key))) {
 					signwithkey(name, set, key->key, ttl, add,
 						    "signing with dnskey", check_now);
 				}
@@ -3363,7 +3363,7 @@ print_stats(isc_time_t *timer_start, isc_time_t *timer_finish,
 }
 
 static void
-finalize_node_rrsigs(dns_dbnode_t *node, dns_name_t *name, dns_diff_t *add, dns_diff_t *del, dns_dnsseckey_t *key, uint16_t orig, uint16_t new) {
+finalize_node_rrsigs(dns_dbnode_t *node, dns_name_t *name, dns_diff_t *add, dns_diff_t *del, dns_dnsseckey_t *key, uint16_t old_keytag) {
 	isc_result_t result;
 	dns_rdatasetiter_t *rdsiter = NULL;
 	dns_rdataset_t rdataset;
@@ -3389,22 +3389,14 @@ finalize_node_rrsigs(dns_dbnode_t *node, dns_name_t *name, dns_diff_t *add, dns_
 			if (rrsig_rdata.type == dns_rdatatype_rrsig) {
 				rrsigresult = dns_rdata_tostruct(&rrsig_rdata, &rrsig, NULL);
 				if (rrsigresult == ISC_R_SUCCESS) {
-					if (rrsig.keyid == orig) {
+					if (rrsig.keyid == old_keytag) {
+						char data[4096];
+						isc_buffer_t databuf;
 						dns_difftuple_t *addtuple = NULL;
 						dns_difftuple_t *deltuple = NULL;
 						dns_rdata_t new_rrsig_rdata = DNS_RDATA_INIT;
-						dns_rdata_t old_rrsig_rdata = DNS_RDATA_INIT;
-
-						dns_rdata_clone(&rrsig_rdata, &old_rrsig_rdata);
-						rrsig.keyid = new;
-
-						// TODO finalize sig.
-						unsigned char data[4096];
-						isc_buffer_t buffer;
-
-						isc_buffer_init(&buffer, data, sizeof(data));
-						dns_rdata_fromstruct(&new_rrsig_rdata, rdataset.rdclass,
-								     dns_rdatatype_rrsig, &rrsig, &buffer);
+						isc_buffer_init(&databuf, data, sizeof(data));
+						check_result(dst_key_signature_finalize(key->key, &databuf, &rrsig_rdata, &new_rrsig_rdata), "signature finalize");
 						if (tryverify) {
 							dns_rdataset_t target_rdataset;
 							dns_rdataset_init(&target_rdataset);
@@ -3429,7 +3421,7 @@ finalize_node_rrsigs(dns_dbnode_t *node, dns_name_t *name, dns_diff_t *add, dns_
 						check_result(result, "dns_difftuple_create");
 						result = dns_difftuple_create(mctx,
 								DNS_DIFFOP_DELRESIGN, name,
-								rdataset.ttl, &old_rrsig_rdata, &deltuple);
+								rdataset.ttl, &rrsig_rdata, &deltuple);
 						check_result(result, "dns_difftuple_create");
 						dns_diff_append(add, &addtuple);
 						dns_diff_append(del, &deltuple);
@@ -3446,7 +3438,7 @@ finalize_node_rrsigs(dns_dbnode_t *node, dns_name_t *name, dns_diff_t *add, dns_
 }
 
 static void
-finalize_rrsigs(dns_diff_t *add, dns_diff_t *del, dns_dnsseckey_t *key, uint16_t orig, uint16_t new) {
+finalize_rrsigs(dns_diff_t *add, dns_diff_t *del, dns_dnsseckey_t *key, uint16_t old_keytag) {
 	dns_dbnode_t *node = NULL;
 	dns_fixedname_t fixed;
 	dns_name_t *name;
@@ -3459,7 +3451,7 @@ finalize_rrsigs(dns_diff_t *add, dns_diff_t *del, dns_dnsseckey_t *key, uint16_t
 	check_result(result, "dns_dbiterator_seek()");
 	result = dns_dbiterator_current(dbiter, &node, name);
 	check_dns_dbiterator_current(result);
-	finalize_node_rrsigs(node, name, add, del, key, orig, new);
+	finalize_node_rrsigs(node, name, add, del, key, old_keytag);
 	dns_db_detachnode(gdb, &node);
 	result = dns_dbiterator_first(dbiter);
 	dns_fixedname_t fname;
@@ -3472,7 +3464,7 @@ finalize_rrsigs(dns_diff_t *add, dns_diff_t *del, dns_dnsseckey_t *key, uint16_t
 		if (dns_name_equal(name, gorigin)) {
 			goto next;
 		}
-		finalize_node_rrsigs(node, name, add, del, key, orig, new);
+		finalize_node_rrsigs(node, name, add, del, key, old_keytag);
 	next:
 		result = dns_dbiterator_next(dbiter);
 		dns_db_detachnode(gdb, &node);
@@ -3513,7 +3505,7 @@ defered_finalize_signing(dns_dbnode_t *node, dns_name_t *name) {
 		/* Now that the all other signatures are signed, finalize defer signing
 		 * key and sign DNSKEY set. */
 		if (rdataset.type != dns_rdatatype_dnskey) {
-			goto key_skip;
+			goto finalize_skip;
 		}
 
 		// Finalize all keys located in this set
@@ -3531,32 +3523,54 @@ defered_finalize_signing(dns_dbnode_t *node, dns_name_t *name) {
 				uint16_t keytag = dst_region_computeid(&key_r);
 				keyresult = dns_rdata_tostruct(&key_rdata, &dnskey, NULL);
 				if (keyresult == ISC_R_SUCCESS) {
-					if (dnskey.algorithm == DST_ALG_ECDSA256) {
+					if (dst_algorithm_is_deferred_signing(dnskey.algorithm)) {
 						dns_dnsseckey_t *key = NULL;
-						uint16_t new_keytag = keytag;
 						for (key = ISC_LIST_HEAD(keylist); key != NULL;
 						     key = ISC_LIST_NEXT(key, link))
 						{
 							if (dst_key_id(key->key) == keytag &&
 							    dst_key_alg(key->key) == dnskey.algorithm)
 							{
-								// TODO finalize key here
-								new_keytag = 0;
+								dns_difftuple_t *addtuple = NULL;
+								dns_difftuple_t *deltuple = NULL;
+								unsigned char data[4096];
+								isc_buffer_t buffer;
+								isc_region_t r;
+
+								isc_buffer_init(&buffer, data, sizeof(data));
+								check_result(dst_key_finalize(key->key), "dst_key_finalize");
+								dns_rdata_t new_dnskey_rdata = DNS_RDATA_INIT;
+								dns_rdata_t old_dnskey_rdata = DNS_RDATA_INIT;
+
+								dns_rdata_clone(&key_rdata, &old_dnskey_rdata);
+								result = dst_key_todns(key->key, &buffer);
+								check_result(result, "dst_key_todns");
+								isc_buffer_usedregion(&buffer, &r);
+								dns_rdata_fromregion(&new_dnskey_rdata, key_rdata.rdclass, dns_rdatatype_dnskey, &r);
+
+								result = dns_difftuple_create(mctx,
+										DNS_DIFFOP_ADDRESIGN, name,
+										rdataset.ttl, &new_dnskey_rdata, &addtuple);
+								check_result(result, "dns_difftuple_create");
+								result = dns_difftuple_create(mctx,
+										DNS_DIFFOP_DELRESIGN, name,
+										rdataset.ttl, &old_dnskey_rdata, &deltuple);
+								check_result(result, "dns_difftuple_create");
+								dns_diff_append(&add, &addtuple);
+								dns_diff_append(&del, &deltuple);
 								break;
 							}
 						}
 						if (key != NULL) {
-							finalize_rrsigs(&add, &del, key, keytag, new_keytag);
+							finalize_rrsigs(&add, &del, key, keytag);
 						}
 					}
 					dns_rdata_freestruct(&dnskey);
 				}
 			}
 		}
 
-		signset(&del, &add, node, name, &rdataset, true);
-
-	key_skip:
+	finalize_skip:
 		dns_rdataset_disassociate(&rdataset);
 		result = dns_rdatasetiter_next(rdsiter);
 	}
@@ -3580,6 +3594,40 @@ defered_finalize_signing(dns_dbnode_t *node, dns_name_t *name) {
 
 	dns_diff_clear(&del);
 	dns_diff_clear(&add);
+	result = dns_db_allrdatasets(gdb, node, gversion, 0, 0, &rdsiter);
+	check_result(result, "dns_db_allrdatasets()");
+	result = dns_rdatasetiter_first(rdsiter);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdatasetiter_current(rdsiter, &rdataset);
+
+		/* Now that the all other signatures are signed, finalize defer signing
+		 * key and sign DNSKEY set. */
+		if (rdataset.type != dns_rdatatype_dnskey) {
+			goto sign_skip;
+		}
+
+
+		signset(&del, &add, node, name, &rdataset, true);
+
+	sign_skip:
+		dns_rdataset_disassociate(&rdataset);
+		result = dns_rdatasetiter_next(rdsiter);
+	}
+	
+	dns_rdatasetiter_destroy(&rdsiter);
+	result = dns_diff_applysilently(&del, gdb, gversion);
+	if (result != ISC_R_SUCCESS) {
+		fatal("failed to delete SIGs at node '%s': %s", namestr,
+		      isc_result_totext(result));
+	}
+
+	result = dns_diff_applysilently(&add, gdb, gversion);
+	if (result != ISC_R_SUCCESS) {
+		fatal("failed to add SIGs at node '%s': %s", namestr,
+		      isc_result_totext(result));
+	}
+	dns_diff_clear(&del);
+	dns_diff_clear(&add);
 }
 
 static void
@@ -4290,7 +4338,7 @@ main(int argc, char *argv[]) {
 	     key = ISC_LIST_NEXT(key, link))
 	{
 		key->index = keycount++;
-		if (dst_key_alg(key->key) == DST_ALG_ECDSA256) {
+		if (dst_key_is_deferred_signing(key->key)) {
 			defer_signing = true;
 		}
 	}
 
@@ -1634,6 +1634,7 @@ AC_CONFIG_FILES([bin/Makefile
 
 AC_CONFIG_FILES([lib/Makefile
 		 lib/isc/Makefile
+		 lib/saq/Makefile
 		 lib/dns/Makefile
 		 lib/ns/Makefile
 		 lib/isccfg/Makefile
 
@@ -1,3 +1,3 @@
 include $(top_srcdir)/Makefile.top
 
-SUBDIRS = isc dns isccc ns isccfg
+SUBDIRS = isc saq dns isccc ns isccfg
@@ -195,6 +195,7 @@ libdns_la_SOURCES =			\
 	keymgr.c			\
 	keystore.c			\
 	keytable.c			\
+	liboqsstateful_link.c           \
 	log.c				\
 	master.c			\
 	masterdump.c			\
@@ -205,7 +206,6 @@ libdns_la_SOURCES =			\
 	nsec.c				\
 	nsec3.c				\
 	nta.c				\
-	liboqsstateful_link.c           \
 	openssl_link.c			\
 	openssl_shim.c			\
 	openssl_shim.h			\
@@ -243,6 +243,7 @@ libdns_la_SOURCES =			\
 	rpz.c				\
 	rrl.c				\
 	rriterator.c			\
+	saqmerklestream_link.c		\
 	sdlz.c				\
 	soa.c				\
 	ssu.c				\
@@ -279,6 +280,7 @@ libdns_la_CPPFLAGS =		\
 	$(AM_CPPFLAGS)		\
 	$(LIBDNS_CFLAGS)	\
 	$(LIBISC_CFLAGS)	\
+	$(LIBSAQ_CFLAGS)	\
 	$(LIBURCU_CFLAGS)	\
 	$(LIBUV_CFLAGS)		\
 	$(OPENSSL_CFLAGS)
@@ -289,6 +291,7 @@ libdns_la_LDFLAGS =		\
 
 libdns_la_LIBADD =		\
 	$(LIBISC_LIBS)		\
+	$(LIBSAQ_LIBS)		\
 	$(LIBURCU_LIBS)		\
 	$(LIBUV_LIBS)		\
 	$(OPENSSL_LIBS)
 
@@ -1098,7 +1098,6 @@ dns_dnssec_signs(dns_rdata_t *rdata, const dns_name_t *name,
 		dns_rdataset_current(sigrdataset, &sigrdata);
 		result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
 		if (sig.algorithm == key.algorithm && sig.keyid == keytag) {
 			result = dns_dnssec_verify(name, rdataset, dstkey,
 						   ignoretime, 0, mctx,
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,3 @@`
`1`	`1`	`include $(top_srcdir)/Makefile.top`
`2`	`2`
`3`		`-SUBDIRS = isc dns isccc ns isccfg`
	`3`	`+SUBDIRS = isc saq dns isccc ns isccfg`