picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

resolved: dnssec - rename some variables 

Makes the NSEC3 proof somewhat simpler to follow.
This commit is contained in:
Tom Gundersen 2016-01-01 22:10:55 +01:00
parent 935a999f7d
commit d1511b3338
1 changed files with 22 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
src/resolve/resolved-dns-dnssec.c
View File

@ -1195,8 +1195,8 @@ static int nsec3_is_good(DnsResourceRecord *rr, DnsAnswerFlags flags, DnsResourc
static int dnssec_test_nsec3(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result, bool *authenticated) { static int dnssec_test_nsec3(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result, bool *authenticated) {
_cleanup_free_ char *next_closer_domain = NULL, *l = NULL; _cleanup_free_ char *next_closer_domain = NULL, *l = NULL;
uint8_t hashed[DNSSEC_HASH_SIZE_MAX]; uint8_t hashed[DNSSEC_HASH_SIZE_MAX];
const char *suffix, *p, *pp = NULL; const char *zone, *p, *pp = NULL;
DnsResourceRecord *rr, *suffix_rr; DnsResourceRecord *rr, *enclosure_rr, *suffix_rr;
DnsAnswerFlags flags; DnsAnswerFlags flags;
int hashed_size, r; int hashed_size, r;
bool a; bool a;
@ -1205,8 +1205,12 @@ static int dnssec_test_nsec3(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecR
assert(result); assert(result);
assert(authenticated); assert(authenticated);
/* First step, look for the longest common suffix we find with any NSEC3 RR in the response. */ /* First step, find the zone name and the NSEC3 parameters of the zone.
suffix = DNS_RESOURCE_KEY_NAME(key); * it is sufficient to look for the longest common suffix we find with
* any NSEC3 RR in the response. Any NSEC3 record will do as all NSEC3
* records from a given zone in a response must use the same
* parameters. */
zone = DNS_RESOURCE_KEY_NAME(key);
for (;;) { for (;;) {
DNS_ANSWER_FOREACH_FLAGS(suffix_rr, flags, answer) { DNS_ANSWER_FOREACH_FLAGS(suffix_rr, flags, answer) {
r = nsec3_is_good(suffix_rr, flags, NULL); r = nsec3_is_good(suffix_rr, flags, NULL);
@ -1215,15 +1219,15 @@ static int dnssec_test_nsec3(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecR
if (r == 0) if (r == 0)
continue; continue;
r = dns_name_equal_skip(DNS_RESOURCE_KEY_NAME(suffix_rr->key), 1, suffix); r = dns_name_equal_skip(DNS_RESOURCE_KEY_NAME(suffix_rr->key), 1, zone);
if (r < 0) if (r < 0)
return r; return r;
if (r > 0) if (r > 0)
goto found_suffix; goto found_zone;
} }
/* Strip one label from the front */ /* Strip one label from the front */
r = dns_name_parent(&suffix); r = dns_name_parent(&zone);
if (r < 0) if (r < 0)
return r; return r;
if (r == 0) if (r == 0)
@ -1233,7 +1237,7 @@ static int dnssec_test_nsec3(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecR
*result = DNSSEC_NSEC_NO_RR; *result = DNSSEC_NSEC_NO_RR;
return 0; return 0;
found_suffix: found_zone:
/* Second step, find the closest encloser NSEC3 RR in 'answer' that matches 'key' */ /* Second step, find the closest encloser NSEC3 RR in 'answer' that matches 'key' */
p = DNS_RESOURCE_KEY_NAME(key); p = DNS_RESOURCE_KEY_NAME(key);
for (;;) { for (;;) {
@ -1251,22 +1255,22 @@ found_suffix:
if (!label) if (!label)
return -ENOMEM; return -ENOMEM;
hashed_domain = strjoin(label, ".", suffix, NULL); hashed_domain = strjoin(label, ".", zone, NULL);
if (!hashed_domain) if (!hashed_domain)
return -ENOMEM; return -ENOMEM;
DNS_ANSWER_FOREACH_FLAGS(rr, flags, answer) { DNS_ANSWER_FOREACH_FLAGS(enclosure_rr, flags, answer) {
r = nsec3_is_good(rr, flags, suffix_rr); r = nsec3_is_good(enclosure_rr, flags, suffix_rr);
if (r < 0) if (r < 0)
return r; return r;
if (r == 0) if (r == 0)
continue; continue;
if (rr->nsec3.next_hashed_name_size != (size_t) hashed_size) if (enclosure_rr->nsec3.next_hashed_name_size != (size_t) hashed_size)
continue; continue;
r = dns_name_equal(DNS_RESOURCE_KEY_NAME(rr->key), hashed_domain); r = dns_name_equal(DNS_RESOURCE_KEY_NAME(enclosure_rr->key), hashed_domain);
if (r < 0) if (r < 0)
return r; return r;
if (r > 0) { if (r > 0) {
@ -1296,25 +1300,25 @@ found_closest_encloser:
/* We found a closest encloser in 'p'; next closer is 'pp' */ /* We found a closest encloser in 'p'; next closer is 'pp' */
/* Ensure this is not a DNAME domain, see RFC5155, section 8.3. */ /* Ensure this is not a DNAME domain, see RFC5155, section 8.3. */
if (bitmap_isset(rr->nsec3.types, DNS_TYPE_DNAME)) if (bitmap_isset(enclosure_rr->nsec3.types, DNS_TYPE_DNAME))
return -EBADMSG; return -EBADMSG;
/* Ensure that this data is from the delegated domain /* Ensure that this data is from the delegated domain
* (i.e. originates from the "lower" DNS server), and isn't * (i.e. originates from the "lower" DNS server), and isn't
* just glue records (i.e. doesn't originate from the "upper" * just glue records (i.e. doesn't originate from the "upper"
* DNS server). */ * DNS server). */
if (bitmap_isset(rr->nsec3.types, DNS_TYPE_NS) && if (bitmap_isset(enclosure_rr->nsec3.types, DNS_TYPE_NS) &&
!bitmap_isset(rr->nsec3.types, DNS_TYPE_SOA)) !bitmap_isset(enclosure_rr->nsec3.types, DNS_TYPE_SOA))
return -EBADMSG; return -EBADMSG;
if (!pp) { if (!pp) {
/* No next closer NSEC3 RR. That means there's a direct NSEC3 RR for our key. */ /* No next closer NSEC3 RR. That means there's a direct NSEC3 RR for our key. */
*result = bitmap_isset(rr->nsec3.types, key->type) ? DNSSEC_NSEC_FOUND : DNSSEC_NSEC_NODATA; *result = bitmap_isset(enclosure_rr->nsec3.types, key->type) ? DNSSEC_NSEC_FOUND : DNSSEC_NSEC_NODATA;
*authenticated = a; *authenticated = a;
return 0; return 0;
} }
r = dnssec_nsec3_hash(rr, pp, hashed); r = dnssec_nsec3_hash(enclosure_rr, pp, hashed);
if (r < 0) if (r < 0)
return r; return r;
if (r != hashed_size) if (r != hashed_size)