Commit eddac857 authored by Matthijs Mekking's avatar Matthijs Mekking 🏡
Browse files

Minor fixes in trust anchor code

This commit makes some minor changes to the trust anchor code:

1. Replace the undescriptive n1, n2 and n3 identifiers with slightly
   better rdata1, rdata2, and rdata3.
2. Fix an occurrence where in the error log message a static number
   32 was printed, rather than the rdata3 length.
3. Add a default case to the switch statement checking DS digest
   algorithms to catch unknown algorithms.
parent 56470702
Pipeline #27281 passed with stages
in 20 minutes and 48 seconds
......@@ -614,7 +614,7 @@ static isc_result_t
key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
dns_rdata_dnskey_t dnskey;
dns_rdata_ds_t ds;
uint32_t n1, n2, n3;
uint32_t rdata1, rdata2, rdata3;
const char *datastr = NULL, *keynamestr = NULL, *atstr = NULL;
unsigned char data[4096];
isc_buffer_t databuf;
......@@ -655,13 +655,13 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
delv_log(ISC_LOG_DEBUG(3), "adding trust anchor %s", trust_anchor);
/* if DNSKEY, flags; if DS, key tag */
n1 = cfg_obj_asuint32(cfg_tuple_get(key, "n1"));
rdata1 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata1"));
/* if DNSKEY, protocol; if DS, algorithm */
n2 = cfg_obj_asuint32(cfg_tuple_get(key, "n2"));
rdata2 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata2"));
/* if DNSKEY, algorithm; if DS, digest type */
n3 = cfg_obj_asuint32(cfg_tuple_get(key, "n3"));
rdata3 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata3"));
/* What type of trust anchor is this? */
atstr = cfg_obj_asstring(cfg_tuple_get(key, "anchortype"));
......@@ -684,13 +684,13 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
isc_buffer_init(&databuf, data, sizeof(data));
isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
if (n1 > 0xffff) {
if (rdata1 > 0xffff) {
CHECK(ISC_R_RANGE);
}
if (n2 > 0xff) {
if (rdata2 > 0xff) {
CHECK(ISC_R_RANGE);
}
if (n3 > 0xff) {
if (rdata3 > 0xff) {
CHECK(ISC_R_RANGE);
}
......@@ -704,9 +704,9 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
ISC_LINK_INIT(&dnskey.common, link);
dnskey.flags = (uint16_t)n1;
dnskey.protocol = (uint8_t)n2;
dnskey.algorithm = (uint8_t)n3;
dnskey.flags = (uint16_t)rdata1;
dnskey.protocol = (uint8_t)rdata2;
dnskey.algorithm = (uint8_t)rdata3;
datastr = cfg_obj_asstring(cfg_tuple_get(key, "data"));
CHECK(isc_base64_decodestring(datastr, &databuf));
......@@ -729,9 +729,9 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
ISC_LINK_INIT(&ds.common, link);
ds.key_tag = (uint16_t)n1;
ds.algorithm = (uint8_t)n2;
ds.digest_type = (uint8_t)n3;
ds.key_tag = (uint16_t)rdata1;
ds.algorithm = (uint8_t)rdata2;
ds.digest_type = (uint8_t)rdata3;
datastr = cfg_obj_asstring(cfg_tuple_get(key, "data"));
CHECK(isc_hex_decodestring(datastr, &databuf));
......
......@@ -705,7 +705,7 @@ ta_fromconfig(const cfg_obj_t *key, bool *initialp, dst_key_t **keyp,
{
dns_rdata_dnskey_t keystruct;
dns_rdata_ds_t *ds = NULL;
uint32_t n1, n2, n3;
uint32_t rdata1, rdata2, rdata3;
const char *datastr = NULL, *namestr = NULL;
unsigned char data[4096];
isc_buffer_t databuf;
......@@ -731,13 +731,13 @@ ta_fromconfig(const cfg_obj_t *key, bool *initialp, dst_key_t **keyp,
REQUIRE(namestrp != NULL && *namestrp == NULL);
/* if DNSKEY, flags; if DS, key tag */
n1 = cfg_obj_asuint32(cfg_tuple_get(key, "n1"));
rdata1 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata1"));
/* if DNSKEY, protocol; if DS, algorithm */
n2 = cfg_obj_asuint32(cfg_tuple_get(key, "n2"));
rdata2 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata2"));
/* if DNSKEY, algorithm; if DS, digest type */
n3 = cfg_obj_asuint32(cfg_tuple_get(key, "n3"));
rdata3 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata3"));
namestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
*namestrp = namestr;
......@@ -793,22 +793,22 @@ ta_fromconfig(const cfg_obj_t *key, bool *initialp, dst_key_t **keyp,
ISC_LINK_INIT(&keystruct.common, link);
if (n1 > 0xffff) {
if (rdata1 > 0xffff) {
CHECKM(ISC_R_RANGE, "key flags");
}
if (n1 & DNS_KEYFLAG_REVOKE) {
if (rdata1 & DNS_KEYFLAG_REVOKE) {
CHECKM(DST_R_BADKEYTYPE, "key flags revoke bit set");
}
if (n2 > 0xff) {
if (rdata2 > 0xff) {
CHECKM(ISC_R_RANGE, "key protocol");
}
if (n3> 0xff) {
if (rdata3> 0xff) {
CHECKM(ISC_R_RANGE, "key algorithm");
}
keystruct.flags = (uint16_t)n1;
keystruct.protocol = (uint8_t)n2;
keystruct.algorithm = (uint8_t)n3;
keystruct.flags = (uint16_t)rdata1;
keystruct.protocol = (uint8_t)rdata2;
keystruct.algorithm = (uint8_t)rdata3;
datastr = cfg_obj_asstring(cfg_tuple_get(key, "data"));
CHECK(isc_base64_decodestring(datastr, &databuf));
......@@ -834,19 +834,19 @@ ta_fromconfig(const cfg_obj_t *key, bool *initialp, dst_key_t **keyp,
ISC_LINK_INIT(&ds->common, link);
if (n1 > 0xffff) {
if (rdata1 > 0xffff) {
CHECKM(ISC_R_RANGE, "key tag");
}
if (n2 > 0xff) {
if (rdata2 > 0xff) {
CHECKM(ISC_R_RANGE, "key algorithm");
}
if (n3 > 0xff) {
if (rdata3 > 0xff) {
CHECKM(ISC_R_RANGE, "digest type");
}
ds->key_tag = (uint16_t)n1;
ds->algorithm = (uint8_t)n2;
ds->digest_type = (uint8_t)n3;
ds->key_tag = (uint16_t)rdata1;
ds->algorithm = (uint8_t)rdata2;
ds->digest_type = (uint8_t)rdata3;
datastr = cfg_obj_asstring(cfg_tuple_get(key, "data"));
CHECK(isc_hex_decodestring(datastr, &databuf));
......@@ -868,6 +868,14 @@ ta_fromconfig(const cfg_obj_t *key, bool *initialp, dst_key_t **keyp,
CHECK(ISC_R_UNEXPECTEDEND);
}
break;
default:
cfg_obj_log(key, named_g_lctx, ISC_LOG_ERROR,
"key '%s': "
"unknown ds digest type %u",
namestr, ds->digest_type);
result = ISC_R_FAILURE;
goto cleanup;
break;
}
ds->mctx = mctx;
......
......@@ -3129,7 +3129,7 @@ check_trust_anchor(const cfg_obj_t *key, bool managed,
isc_region_t r;
isc_result_t result = ISC_R_SUCCESS;
isc_result_t tresult;
uint32_t n1, n2, n3;
uint32_t rdata1, rdata2, rdata3;
unsigned char data[4096];
const char *atstr = NULL;
enum {
......@@ -3228,13 +3228,13 @@ check_trust_anchor(const cfg_obj_t *key, bool managed,
};
/* if DNSKEY, flags; if DS, key tag */
n1 = cfg_obj_asuint32(cfg_tuple_get(key, "n1"));
rdata1 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata1"));
/* if DNSKEY, protocol; if DS, algorithm */
n2 = cfg_obj_asuint32(cfg_tuple_get(key, "n2"));
rdata2 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata2"));
/* if DNSKEY, algorithm; if DS, digest type */
n3 = cfg_obj_asuint32(cfg_tuple_get(key, "n3"));
rdata3 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata3"));
namestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
......@@ -3283,23 +3283,23 @@ check_trust_anchor(const cfg_obj_t *key, bool managed,
case INIT_DNSKEY:
case STATIC_DNSKEY:
case TRUSTED:
if (n1 > 0xffff) {
if (rdata1 > 0xffff) {
cfg_obj_log(key, logctx, ISC_LOG_ERROR,
"flags too big: %u", n1);
"flags too big: %u", rdata1);
result = ISC_R_RANGE;
}
if (n1 & DNS_KEYFLAG_REVOKE) {
if (rdata1 & DNS_KEYFLAG_REVOKE) {
cfg_obj_log(key, logctx, ISC_LOG_WARNING,
"key flags revoke bit set");
}
if (n2 > 0xff) {
if (rdata2 > 0xff) {
cfg_obj_log(key, logctx, ISC_LOG_ERROR,
"protocol too big: %u", n2);
"protocol too big: %u", rdata2);
result = ISC_R_RANGE;
}
if (n3 > 0xff) {
if (rdata3 > 0xff) {
cfg_obj_log(key, logctx, ISC_LOG_ERROR,
"algorithm too big: %u\n", n3);
"algorithm too big: %u\n", rdata3);
result = ISC_R_RANGE;
}
......@@ -3315,7 +3315,7 @@ check_trust_anchor(const cfg_obj_t *key, bool managed,
} else {
isc_buffer_usedregion(&b, &r);
if ((n3 == DST_ALG_RSASHA1) &&
if ((rdata3 == DST_ALG_RSASHA1) &&
r.length > 1 && r.base[0] == 1 && r.base[1] == 3)
{
cfg_obj_log(key, logctx, ISC_LOG_WARNING,
......@@ -3333,7 +3333,7 @@ check_trust_anchor(const cfg_obj_t *key, bool managed,
(managed ? ROOT_KSK_MANAGED : ROOT_KSK_STATIC);
if (n1 == 257 && n2 == 3 && n3 == 8 &&
if (rdata1 == 257 && rdata2 == 3 && rdata3 == 8 &&
(isc_buffer_usedlength(&b) ==
sizeof(root_ksk_2010)) &&
memcmp(data, root_ksk_2010,
......@@ -3342,7 +3342,7 @@ check_trust_anchor(const cfg_obj_t *key, bool managed,
*flagsp |= ROOT_KSK_2010;
}
if (n1 == 257 && n2 == 3 && n3 == 8 &&
if (rdata1 == 257 && rdata2 == 3 && rdata3 == 8 &&
(isc_buffer_usedlength(&b) ==
sizeof(root_ksk_2017)) &&
memcmp(data, root_ksk_2017,
......@@ -3355,19 +3355,19 @@ check_trust_anchor(const cfg_obj_t *key, bool managed,
case INIT_DS:
case STATIC_DS:
if (n1 > 0xffff) {
if (rdata1 > 0xffff) {
cfg_obj_log(key, logctx, ISC_LOG_ERROR,
"key tag too big: %u", n1);
"key tag too big: %u", rdata1);
result = ISC_R_RANGE;
}
if (n2 > 0xff) {
if (rdata2 > 0xff) {
cfg_obj_log(key, logctx, ISC_LOG_ERROR,
"algorithm too big: %u\n", n2);
"algorithm too big: %u\n", rdata2);
result = ISC_R_RANGE;
}
if (n3 > 0xff) {
if (rdata3 > 0xff) {
cfg_obj_log(key, logctx, ISC_LOG_ERROR,
"digest type too big: %u", 32);
"digest type too big: %u", rdata3);
result = ISC_R_RANGE;
}
......@@ -3389,7 +3389,7 @@ check_trust_anchor(const cfg_obj_t *key, bool managed,
*flagsp |=
(managed ? ROOT_KSK_MANAGED : ROOT_KSK_STATIC);
if (n1 == 20326 && n2 == 8 && n3 == 1 &&
if (rdata1 == 20326 && rdata2 == 8 && rdata3 == 1 &&
(isc_buffer_usedlength(&b) ==
sizeof(root_ds_1_2017)) &&
memcmp(data, root_ds_1_2017,
......@@ -3398,7 +3398,7 @@ check_trust_anchor(const cfg_obj_t *key, bool managed,
*flagsp |= ROOT_KSK_2017;
}
if (n1 == 20326 && n2 == 8 && n3 == 2 &&
if (rdata1 == 20326 && rdata2 == 8 && rdata3 == 2 &&
(isc_buffer_usedlength(&b) ==
sizeof(root_ds_2_2017)) &&
memcmp(data, root_ds_2_2017,
......
......@@ -446,9 +446,9 @@ static cfg_type_t cfg_type_category = {
static cfg_tuplefielddef_t dnsseckey_fields[] = {
{ "name", &cfg_type_astring, 0 },
{ "anchortype", &cfg_type_void, 0 },
{ "n1", &cfg_type_uint32, 0 },
{ "n2", &cfg_type_uint32, 0 },
{ "n3", &cfg_type_uint32, 0 },
{ "rdata1", &cfg_type_uint32, 0 },
{ "rdata2", &cfg_type_uint32, 0 },
{ "rdata3", &cfg_type_uint32, 0 },
{ "data", &cfg_type_qstring, 0 },
{ NULL, NULL, 0 }
};
......@@ -471,9 +471,9 @@ static cfg_type_t cfg_type_anchortype = {
static cfg_tuplefielddef_t managedkey_fields[] = {
{ "name", &cfg_type_astring, 0 },
{ "anchortype", &cfg_type_anchortype, 0 },
{ "n1", &cfg_type_uint32, 0 },
{ "n2", &cfg_type_uint32, 0 },
{ "n3", &cfg_type_uint32, 0 },
{ "rdata1", &cfg_type_uint32, 0 },
{ "rdata2", &cfg_type_uint32, 0 },
{ "rdata3", &cfg_type_uint32, 0 },
{ "data", &cfg_type_qstring, 0 },
{ NULL, NULL, 0 }
};
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment