interesting
/
getdns
mirror of https://github.com/getdnsapi/getdns.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Allow NSEC spans starting from (unexpanded) wildcards

This commit is contained in:
Willem Toorop 2018-05-01 13:19:24 +02:00
parent a834d32718
commit 7fecf5a93d
1 changed files with 17 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
src/dnssec.c
View File

@ -1685,7 +1685,7 @@ static int a_key_signed_rrset_no_wc(struct mem_funcs *mf, time_t now,
uint32_t skew, _getdns_rrset *keyset, _getdns_rrset *rrset) uint32_t skew, _getdns_rrset *keyset, _getdns_rrset *rrset)
{ {
_getdns_rrtype_iter dnskey_spc, *dnskey; _getdns_rrtype_iter dnskey_spc, *dnskey;
const uint8_t *nc_name; const uint8_t *nc_name; /* Initialized by dnskey_signed_rrset() */
int keytag; int keytag;
assert(keyset->rr_type == GETDNS_RRTYPE_DNSKEY); assert(keyset->rr_type == GETDNS_RRTYPE_DNSKEY);
@ -1693,8 +1693,17 @@ static int a_key_signed_rrset_no_wc(struct mem_funcs *mf, time_t now,
for ( dnskey = _getdns_rrtype_iter_init(&dnskey_spc, keyset) for ( dnskey = _getdns_rrtype_iter_init(&dnskey_spc, keyset)
; dnskey ; dnskey = _getdns_rrtype_iter_next(dnskey) ) { ; dnskey ; dnskey = _getdns_rrtype_iter_next(dnskey) ) {
if ((keytag = dnskey_signed_rrset(mf, now, skew, if (!(keytag = dnskey_signed_rrset(mf, now, skew,
dnskey, rrset, &nc_name)) && !nc_name) dnskey, rrset, &nc_name)))
continue;
if (!nc_name) /* Not a wildcard, then success! */
return keytag;
/* Not a wildcard expansion, but the wildcard name itself. */
if (rrset->rr_type == GETDNS_RRTYPE_NSEC &&
rrset->name[0] == 1 && rrset->name[1] == '*' &&
nc_name == rrset->name)
return keytag; return keytag;
} }
return 0; return 0;
@ -1709,7 +1718,8 @@ static int a_key_signed_rrset(struct mem_funcs *mf, time_t now, uint32_t skew,
_getdns_rrset *keyset, _getdns_rrset *rrset) _getdns_rrset *keyset, _getdns_rrset *rrset)
{ {
_getdns_rrtype_iter dnskey_spc, *dnskey; _getdns_rrtype_iter dnskey_spc, *dnskey;
const uint8_t *nc_name; const uint8_t *nc_name; /* Initialized by dnskey_signed_rrset() */
int keytag; int keytag;
assert(keyset->rr_type == GETDNS_RRTYPE_DNSKEY); assert(keyset->rr_type == GETDNS_RRTYPE_DNSKEY);
@ -1728,7 +1738,8 @@ static int a_key_signed_rrset(struct mem_funcs *mf, time_t now, uint32_t skew,
* There is no more specific! * There is no more specific!
*/ */
if (rrset->rr_type == GETDNS_RRTYPE_NSEC && if (rrset->rr_type == GETDNS_RRTYPE_NSEC &&
rrset->name[0] == 1 && rrset->name[1] == '*') rrset->name[0] == 1 && rrset->name[1] == '*' &&
nc_name == rrset->name)
return keytag; return keytag;
debug_sec_print_rrset("wildcard expanded to: ", rrset); debug_sec_print_rrset("wildcard expanded to: ", rrset);
@ -1751,7 +1762,7 @@ static int ds_authenticates_keys(struct mem_funcs *mf,
_getdns_rrtype_iter dnskey_spc, *dnskey; _getdns_rrtype_iter dnskey_spc, *dnskey;
_getdns_rrtype_iter ds_spc, *ds; _getdns_rrtype_iter ds_spc, *ds;
uint16_t keytag; uint16_t keytag;
const uint8_t *nc_name; const uint8_t *nc_name; /* Initialized by dnskey_signed_rrset() */
size_t valid_dsses = 0, supported_dsses = 0; size_t valid_dsses = 0, supported_dsses = 0;
uint8_t max_supported_digest = 0; uint8_t max_supported_digest = 0;
int max_supported_result = 0; int max_supported_result = 0;