diff options
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/dnssec.c | 28 | ||||
| -rw-r--r-- | lib/dnssec.h | 28 | ||||
| -rw-r--r-- | lib/dnssec/ta.c | 5 |
3 files changed, 31 insertions, 30 deletions
diff --git a/lib/dnssec.c b/lib/dnssec.c index 262570c4..6d809abf 100644 --- a/lib/dnssec.c +++ b/lib/dnssec.c @@ -225,7 +225,7 @@ struct kr_svldr_ctx * kr_svldr_new_ctx(const knot_rrset_t *ds, knot_rrset_t *dns array_reserve(ctx->keys, dnskey->rrs.count); knot_rdata_t *krr = dnskey->rrs.rdata; for (int i = 0; i < dnskey->rrs.count; ++i, krr = knot_rdataset_next(krr)) { - if (!kr_dnssec_key_zsk(krr->data) || kr_dnssec_key_revoked(krr->data)) + if (!kr_dnssec_key_usable(krr->data)) continue; // key not usable for this kr_svldr_key_t key; if (unlikely(svldr_key_new(krr, NULL/*seems OK here*/, &key) != 0)) @@ -448,6 +448,12 @@ bool kr_ds_algo_support(const knot_rrset_t *ta) return false; } +// Now we instantiate these two as non-inline externally linkable code here (for lua). +KR_EXPORT extern inline KR_PURE +bool kr_dnssec_key_sep_flag(const uint8_t *dnskey_rdata); +KR_EXPORT extern inline KR_PURE +bool kr_dnssec_key_revoked(const uint8_t *dnskey_rdata); + int kr_dnskeys_trusted(kr_rrset_validation_ctx_t *vctx, const knot_rdataset_t *sigs, const knot_rrset_t *ta) { @@ -464,8 +470,8 @@ int kr_dnskeys_trusted(kr_rrset_validation_ctx_t *vctx, const knot_rdataset_t *s */ knot_rdata_t *krr = keys->rrs.rdata; for (int i = 0; i < keys->rrs.count; ++i, krr = knot_rdataset_next(krr)) { - /* RFC4035 5.3.1, bullet 8 */ /* ZSK */ - if (!kr_dnssec_key_zsk(krr->data) || kr_dnssec_key_revoked(krr->data)) + /* RFC4035 5.3.1, bullet 8 requires the Zone Flag bit */ + if (!kr_dnssec_key_usable(krr->data)) continue; kr_svldr_key_t key; @@ -487,22 +493,6 @@ int kr_dnskeys_trusted(kr_rrset_validation_ctx_t *vctx, const knot_rdataset_t *s return vctx->result; } -bool kr_dnssec_key_zsk(const uint8_t *dnskey_rdata) -{ - return knot_wire_read_u16(dnskey_rdata) & 0x0100; -} - -bool kr_dnssec_key_ksk(const uint8_t *dnskey_rdata) -{ - return knot_wire_read_u16(dnskey_rdata) & 0x0001; -} - -/** Return true if the DNSKEY is revoked. */ -bool kr_dnssec_key_revoked(const uint8_t *dnskey_rdata) -{ - return knot_wire_read_u16(dnskey_rdata) & 0x0080; -} - int kr_dnssec_key_tag(uint16_t rrtype, const uint8_t *rdata, size_t rdlen) { if (!rdata || rdlen == 0 || (rrtype != KNOT_RRTYPE_DS && rrtype != KNOT_RRTYPE_DNSKEY)) { diff --git a/lib/dnssec.h b/lib/dnssec.h index ca737cfe..52465042 100644 --- a/lib/dnssec.h +++ b/lib/dnssec.h @@ -94,17 +94,29 @@ bool kr_ds_algo_support(const knot_rrset_t *ta); int kr_dnskeys_trusted(kr_rrset_validation_ctx_t *vctx, const knot_rdataset_t *sigs, const knot_rrset_t *ta); -/** Return true if the DNSKEY can be used as a ZSK. */ -KR_EXPORT KR_PURE -bool kr_dnssec_key_zsk(const uint8_t *dnskey_rdata); +// flags: https://www.iana.org/assignments/dnskey-flags/dnskey-flags.xhtml +// https://datatracker.ietf.org/doc/html/rfc4034#section-2.1 -/** Return true if the DNSKEY indicates being KSK (=> has SEP). */ -KR_EXPORT KR_PURE -bool kr_dnssec_key_ksk(const uint8_t *dnskey_rdata); +/** Return true if the DNSKEY has the SEP flag (normally ignored). */ +KR_EXPORT inline KR_PURE +bool kr_dnssec_key_sep_flag(const uint8_t *dnskey_rdata) +{ + return dnskey_rdata[1] & 0x01; +} /** Return true if the DNSKEY is revoked. */ -KR_EXPORT KR_PURE -bool kr_dnssec_key_revoked(const uint8_t *dnskey_rdata); +KR_EXPORT inline KR_PURE +bool kr_dnssec_key_revoked(const uint8_t *dnskey_rdata) +{ + return dnskey_rdata[1] & 0x80; +} + +/** Return true if the DNSKEY could be used to validate zone records. */ +static inline KR_PURE +bool kr_dnssec_key_usable(const uint8_t *dnskey_rdata) +{ + return (dnskey_rdata[0] & 0x01) && !kr_dnssec_key_revoked(dnskey_rdata); +} /** Return DNSKEY tag. * @param rrtype RR type (either DS or DNSKEY are supported) diff --git a/lib/dnssec/ta.c b/lib/dnssec/ta.c index becf7d81..67f0a206 100644 --- a/lib/dnssec/ta.c +++ b/lib/dnssec/ta.c @@ -56,14 +56,13 @@ static int dnskey2ds(dnssec_binary_t *dst, const knot_dname_t *owner, const uint /* Accept only keys with Zone and SEP flags that aren't revoked, * as a precaution. RFC 5011 also utilizes these flags. * TODO: kr_dnssec_key_* names are confusing. */ - const bool flags_ok = kr_dnssec_key_zsk(rdata) && !kr_dnssec_key_revoked(rdata); - if (!flags_ok) { + if (!kr_dnssec_key_usable(rdata)) { auto_free char *owner_str = kr_dname_text(owner); kr_log_error(TA, "refusing to trust %s DNSKEY because of flags %d\n", owner_str, dnssec_key_get_flags(key)); ret = kr_error(EILSEQ); goto cleanup; - } else if (!kr_dnssec_key_ksk(rdata)) { + } else if (!kr_dnssec_key_sep_flag(rdata)) { auto_free char *owner_str = kr_dname_text(owner); int flags = dnssec_key_get_flags(key); kr_log_warning(TA, "warning: %s DNSKEY is missing the SEP bit; " |