mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-28 21:17:54 +00:00
Code Issues Releases Wiki Activity

Minor fixes in trust anchor code

Browse Source 
This commit makes some minor changes to the trust anchor code:

1. Replace the undescriptive n1, n2 and n3 identifiers with slightly
   better rdata1, rdata2, and rdata3.
2. Fix an occurrence where in the error log message a static number
   32 was printed, rather than the rdata3 length.
3. Add a default case to the switch statement checking DS digest
   algorithms to catch unknown algorithms.
This commit is contained in:
Matthijs Mekking 2019-12-02 09:29:02 +01:00
parent 564707023c
commit eddac8575d
4 changed files with 66 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
bin/delv/delv.c
View File

@ -614,7 +614,7 @@ static isc_result_t
key_fromconfig(const cfg_obj_t *key, dns_client_t *client) { key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
dns_rdata_dnskey_t dnskey; dns_rdata_dnskey_t dnskey;
dns_rdata_ds_t ds; dns_rdata_ds_t ds;
uint32_t n1, n2, n3; uint32_t rdata1, rdata2, rdata3;
const char *datastr = NULL, *keynamestr = NULL, *atstr = NULL; const char *datastr = NULL, *keynamestr = NULL, *atstr = NULL;
unsigned char data[4096]; unsigned char data[4096];
isc_buffer_t databuf; isc_buffer_t databuf;
@ -655,13 +655,13 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
delv_log(ISC_LOG_DEBUG(3), "adding trust anchor %s", trust_anchor); delv_log(ISC_LOG_DEBUG(3), "adding trust anchor %s", trust_anchor);
/* if DNSKEY, flags; if DS, key tag */ /* if DNSKEY, flags; if DS, key tag */
n1 = cfg_obj_asuint32(cfg_tuple_get(key, "n1")); rdata1 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata1"));
/* if DNSKEY, protocol; if DS, algorithm */ /* if DNSKEY, protocol; if DS, algorithm */
n2 = cfg_obj_asuint32(cfg_tuple_get(key, "n2")); rdata2 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata2"));
/* if DNSKEY, algorithm; if DS, digest type */ /* if DNSKEY, algorithm; if DS, digest type */
n3 = cfg_obj_asuint32(cfg_tuple_get(key, "n3")); rdata3 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata3"));
/* What type of trust anchor is this? */ /* What type of trust anchor is this? */
atstr = cfg_obj_asstring(cfg_tuple_get(key, "anchortype")); atstr = cfg_obj_asstring(cfg_tuple_get(key, "anchortype"));
@ -684,13 +684,13 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
isc_buffer_init(&databuf, data, sizeof(data)); isc_buffer_init(&databuf, data, sizeof(data));
isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata)); isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
if (n1 > 0xffff) { if (rdata1 > 0xffff) {
CHECK(ISC_R_RANGE); CHECK(ISC_R_RANGE);
} }
if (n2 > 0xff) { if (rdata2 > 0xff) {
CHECK(ISC_R_RANGE); CHECK(ISC_R_RANGE);
} }
if (n3 > 0xff) { if (rdata3 > 0xff) {
CHECK(ISC_R_RANGE); CHECK(ISC_R_RANGE);
} }
@ -704,9 +704,9 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
ISC_LINK_INIT(&dnskey.common, link); ISC_LINK_INIT(&dnskey.common, link);
dnskey.flags = (uint16_t)n1; dnskey.flags = (uint16_t)rdata1;
dnskey.protocol = (uint8_t)n2; dnskey.protocol = (uint8_t)rdata2;
dnskey.algorithm = (uint8_t)n3; dnskey.algorithm = (uint8_t)rdata3;
datastr = cfg_obj_asstring(cfg_tuple_get(key, "data")); datastr = cfg_obj_asstring(cfg_tuple_get(key, "data"));
CHECK(isc_base64_decodestring(datastr, &databuf)); CHECK(isc_base64_decodestring(datastr, &databuf));
@ -729,9 +729,9 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
ISC_LINK_INIT(&ds.common, link); ISC_LINK_INIT(&ds.common, link);
ds.key_tag = (uint16_t)n1; ds.key_tag = (uint16_t)rdata1;
ds.algorithm = (uint8_t)n2; ds.algorithm = (uint8_t)rdata2;
ds.digest_type = (uint8_t)n3; ds.digest_type = (uint8_t)rdata3;
datastr = cfg_obj_asstring(cfg_tuple_get(key, "data")); datastr = cfg_obj_asstring(cfg_tuple_get(key, "data"));
CHECK(isc_hex_decodestring(datastr, &databuf)); CHECK(isc_hex_decodestring(datastr, &databuf));

42
bin/named/server.c
View File

@ -705,7 +705,7 @@ ta_fromconfig(const cfg_obj_t *key, bool *initialp, dst_key_t **keyp,
{ {
dns_rdata_dnskey_t keystruct; dns_rdata_dnskey_t keystruct;
dns_rdata_ds_t *ds = NULL; dns_rdata_ds_t *ds = NULL;
uint32_t n1, n2, n3; uint32_t rdata1, rdata2, rdata3;
const char *datastr = NULL, *namestr = NULL; const char *datastr = NULL, *namestr = NULL;
unsigned char data[4096]; unsigned char data[4096];
isc_buffer_t databuf; isc_buffer_t databuf;
@ -731,13 +731,13 @@ ta_fromconfig(const cfg_obj_t *key, bool *initialp, dst_key_t **keyp,
REQUIRE(namestrp != NULL && *namestrp == NULL); REQUIRE(namestrp != NULL && *namestrp == NULL);
/* if DNSKEY, flags; if DS, key tag */ /* if DNSKEY, flags; if DS, key tag */
n1 = cfg_obj_asuint32(cfg_tuple_get(key, "n1")); rdata1 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata1"));
/* if DNSKEY, protocol; if DS, algorithm */ /* if DNSKEY, protocol; if DS, algorithm */
n2 = cfg_obj_asuint32(cfg_tuple_get(key, "n2")); rdata2 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata2"));
/* if DNSKEY, algorithm; if DS, digest type */ /* if DNSKEY, algorithm; if DS, digest type */
n3 = cfg_obj_asuint32(cfg_tuple_get(key, "n3")); rdata3 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata3"));
namestr = cfg_obj_asstring(cfg_tuple_get(key, "name")); namestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
*namestrp = namestr; *namestrp = namestr;
@ -793,22 +793,22 @@ ta_fromconfig(const cfg_obj_t *key, bool *initialp, dst_key_t **keyp,
ISC_LINK_INIT(&keystruct.common, link); ISC_LINK_INIT(&keystruct.common, link);
if (n1 > 0xffff) { if (rdata1 > 0xffff) {
CHECKM(ISC_R_RANGE, "key flags"); CHECKM(ISC_R_RANGE, "key flags");
} }
if (n1 & DNS_KEYFLAG_REVOKE) { if (rdata1 & DNS_KEYFLAG_REVOKE) {
CHECKM(DST_R_BADKEYTYPE, "key flags revoke bit set"); CHECKM(DST_R_BADKEYTYPE, "key flags revoke bit set");
} }
if (n2 > 0xff) { if (rdata2 > 0xff) {
CHECKM(ISC_R_RANGE, "key protocol"); CHECKM(ISC_R_RANGE, "key protocol");
} }
if (n3> 0xff) { if (rdata3> 0xff) {
CHECKM(ISC_R_RANGE, "key algorithm"); CHECKM(ISC_R_RANGE, "key algorithm");
} }
keystruct.flags = (uint16_t)n1; keystruct.flags = (uint16_t)rdata1;
keystruct.protocol = (uint8_t)n2; keystruct.protocol = (uint8_t)rdata2;
keystruct.algorithm = (uint8_t)n3; keystruct.algorithm = (uint8_t)rdata3;
datastr = cfg_obj_asstring(cfg_tuple_get(key, "data")); datastr = cfg_obj_asstring(cfg_tuple_get(key, "data"));
CHECK(isc_base64_decodestring(datastr, &databuf)); CHECK(isc_base64_decodestring(datastr, &databuf));
@ -834,19 +834,19 @@ ta_fromconfig(const cfg_obj_t *key, bool *initialp, dst_key_t **keyp,
ISC_LINK_INIT(&ds->common, link); ISC_LINK_INIT(&ds->common, link);
if (n1 > 0xffff) { if (rdata1 > 0xffff) {
CHECKM(ISC_R_RANGE, "key tag"); CHECKM(ISC_R_RANGE, "key tag");
} }
if (n2 > 0xff) { if (rdata2 > 0xff) {
CHECKM(ISC_R_RANGE, "key algorithm"); CHECKM(ISC_R_RANGE, "key algorithm");
} }
if (n3 > 0xff) { if (rdata3 > 0xff) {
CHECKM(ISC_R_RANGE, "digest type"); CHECKM(ISC_R_RANGE, "digest type");
} }
ds->key_tag = (uint16_t)n1; ds->key_tag = (uint16_t)rdata1;
ds->algorithm = (uint8_t)n2; ds->algorithm = (uint8_t)rdata2;
ds->digest_type = (uint8_t)n3; ds->digest_type = (uint8_t)rdata3;
datastr = cfg_obj_asstring(cfg_tuple_get(key, "data")); datastr = cfg_obj_asstring(cfg_tuple_get(key, "data"));
CHECK(isc_hex_decodestring(datastr, &databuf)); CHECK(isc_hex_decodestring(datastr, &databuf));
@ -868,6 +868,14 @@ ta_fromconfig(const cfg_obj_t *key, bool *initialp, dst_key_t **keyp,
CHECK(ISC_R_UNEXPECTEDEND); CHECK(ISC_R_UNEXPECTEDEND);
} }
break; break;
default:
cfg_obj_log(key, named_g_lctx, ISC_LOG_ERROR,
"key '%s': "
"unknown ds digest type %u",
namestr, ds->digest_type);
result = ISC_R_FAILURE;
goto cleanup;
break;
} }
ds->mctx = mctx; ds->mctx = mctx;

44
lib/bind9/check.c
View File

@ -3129,7 +3129,7 @@ check_trust_anchor(const cfg_obj_t *key, bool managed,
isc_region_t r; isc_region_t r;
isc_result_t result = ISC_R_SUCCESS; isc_result_t result = ISC_R_SUCCESS;
isc_result_t tresult; isc_result_t tresult;
uint32_t n1, n2, n3; uint32_t rdata1, rdata2, rdata3;
unsigned char data[4096]; unsigned char data[4096];
const char *atstr = NULL; const char *atstr = NULL;
enum { enum {
@ -3228,13 +3228,13 @@ check_trust_anchor(const cfg_obj_t *key, bool managed,
}; };
/* if DNSKEY, flags; if DS, key tag */ /* if DNSKEY, flags; if DS, key tag */
n1 = cfg_obj_asuint32(cfg_tuple_get(key, "n1")); rdata1 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata1"));
/* if DNSKEY, protocol; if DS, algorithm */ /* if DNSKEY, protocol; if DS, algorithm */
n2 = cfg_obj_asuint32(cfg_tuple_get(key, "n2")); rdata2 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata2"));
/* if DNSKEY, algorithm; if DS, digest type */ /* if DNSKEY, algorithm; if DS, digest type */
n3 = cfg_obj_asuint32(cfg_tuple_get(key, "n3")); rdata3 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata3"));
namestr = cfg_obj_asstring(cfg_tuple_get(key, "name")); namestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
@ -3283,23 +3283,23 @@ check_trust_anchor(const cfg_obj_t *key, bool managed,
case INIT_DNSKEY: case INIT_DNSKEY:
case STATIC_DNSKEY: case STATIC_DNSKEY:
case TRUSTED: case TRUSTED:
if (n1 > 0xffff) { if (rdata1 > 0xffff) {
cfg_obj_log(key, logctx, ISC_LOG_ERROR, cfg_obj_log(key, logctx, ISC_LOG_ERROR,
"flags too big: %u", n1); "flags too big: %u", rdata1);
result = ISC_R_RANGE; result = ISC_R_RANGE;
} }
if (n1 & DNS_KEYFLAG_REVOKE) { if (rdata1 & DNS_KEYFLAG_REVOKE) {
cfg_obj_log(key, logctx, ISC_LOG_WARNING, cfg_obj_log(key, logctx, ISC_LOG_WARNING,
"key flags revoke bit set"); "key flags revoke bit set");
} }
if (n2 > 0xff) { if (rdata2 > 0xff) {
cfg_obj_log(key, logctx, ISC_LOG_ERROR, cfg_obj_log(key, logctx, ISC_LOG_ERROR,
"protocol too big: %u", n2); "protocol too big: %u", rdata2);
result = ISC_R_RANGE; result = ISC_R_RANGE;
} }
if (n3 > 0xff) { if (rdata3 > 0xff) {
cfg_obj_log(key, logctx, ISC_LOG_ERROR, cfg_obj_log(key, logctx, ISC_LOG_ERROR,
"algorithm too big: %u\n", n3); "algorithm too big: %u\n", rdata3);
result = ISC_R_RANGE; result = ISC_R_RANGE;
} }
@ -3315,7 +3315,7 @@ check_trust_anchor(const cfg_obj_t *key, bool managed,
} else { } else {
isc_buffer_usedregion(&b, &r); isc_buffer_usedregion(&b, &r);
if ((n3 == DST_ALG_RSASHA1) && if ((rdata3 == DST_ALG_RSASHA1) &&
r.length > 1 && r.base[0] == 1 && r.base[1] == 3) r.length > 1 && r.base[0] == 1 && r.base[1] == 3)
{ {
cfg_obj_log(key, logctx, ISC_LOG_WARNING, cfg_obj_log(key, logctx, ISC_LOG_WARNING,
@ -3333,7 +3333,7 @@ check_trust_anchor(const cfg_obj_t *key, bool managed,
(managed ? ROOT_KSK_MANAGED : ROOT_KSK_STATIC); (managed ? ROOT_KSK_MANAGED : ROOT_KSK_STATIC);
if (n1 == 257 && n2 == 3 && n3 == 8 && if (rdata1 == 257 && rdata2 == 3 && rdata3 == 8 &&
(isc_buffer_usedlength(&b) == (isc_buffer_usedlength(&b) ==
sizeof(root_ksk_2010)) && sizeof(root_ksk_2010)) &&
memcmp(data, root_ksk_2010, memcmp(data, root_ksk_2010,
@ -3342,7 +3342,7 @@ check_trust_anchor(const cfg_obj_t *key, bool managed,
*flagsp |= ROOT_KSK_2010; *flagsp |= ROOT_KSK_2010;
} }
if (n1 == 257 && n2 == 3 && n3 == 8 && if (rdata1 == 257 && rdata2 == 3 && rdata3 == 8 &&
(isc_buffer_usedlength(&b) == (isc_buffer_usedlength(&b) ==
sizeof(root_ksk_2017)) && sizeof(root_ksk_2017)) &&
memcmp(data, root_ksk_2017, memcmp(data, root_ksk_2017,
@ -3355,19 +3355,19 @@ check_trust_anchor(const cfg_obj_t *key, bool managed,
case INIT_DS: case INIT_DS:
case STATIC_DS: case STATIC_DS:
if (n1 > 0xffff) { if (rdata1 > 0xffff) {
cfg_obj_log(key, logctx, ISC_LOG_ERROR, cfg_obj_log(key, logctx, ISC_LOG_ERROR,
"key tag too big: %u", n1); "key tag too big: %u", rdata1);
result = ISC_R_RANGE; result = ISC_R_RANGE;
} }
if (n2 > 0xff) { if (rdata2 > 0xff) {
cfg_obj_log(key, logctx, ISC_LOG_ERROR, cfg_obj_log(key, logctx, ISC_LOG_ERROR,
"algorithm too big: %u\n", n2); "algorithm too big: %u\n", rdata2);
result = ISC_R_RANGE; result = ISC_R_RANGE;
} }
if (n3 > 0xff) { if (rdata3 > 0xff) {
cfg_obj_log(key, logctx, ISC_LOG_ERROR, cfg_obj_log(key, logctx, ISC_LOG_ERROR,
"digest type too big: %u", 32); "digest type too big: %u", rdata3);
result = ISC_R_RANGE; result = ISC_R_RANGE;
} }
@ -3389,7 +3389,7 @@ check_trust_anchor(const cfg_obj_t *key, bool managed,
*flagsp |= *flagsp |=
(managed ? ROOT_KSK_MANAGED : ROOT_KSK_STATIC); (managed ? ROOT_KSK_MANAGED : ROOT_KSK_STATIC);
if (n1 == 20326 && n2 == 8 && n3 == 1 && if (rdata1 == 20326 && rdata2 == 8 && rdata3 == 1 &&
(isc_buffer_usedlength(&b) == (isc_buffer_usedlength(&b) ==
sizeof(root_ds_1_2017)) && sizeof(root_ds_1_2017)) &&
memcmp(data, root_ds_1_2017, memcmp(data, root_ds_1_2017,
@ -3398,7 +3398,7 @@ check_trust_anchor(const cfg_obj_t *key, bool managed,
*flagsp |= ROOT_KSK_2017; *flagsp |= ROOT_KSK_2017;
} }
if (n1 == 20326 && n2 == 8 && n3 == 2 && if (rdata1 == 20326 && rdata2 == 8 && rdata3 == 2 &&
(isc_buffer_usedlength(&b) == (isc_buffer_usedlength(&b) ==
sizeof(root_ds_2_2017)) && sizeof(root_ds_2_2017)) &&
memcmp(data, root_ds_2_2017, memcmp(data, root_ds_2_2017,

12
lib/isccfg/namedconf.c
View File

@ -446,9 +446,9 @@ static cfg_type_t cfg_type_category = {
static cfg_tuplefielddef_t dnsseckey_fields[] = { static cfg_tuplefielddef_t dnsseckey_fields[] = {
{ "name", &cfg_type_astring, 0 }, { "name", &cfg_type_astring, 0 },
{ "anchortype", &cfg_type_void, 0 }, { "anchortype", &cfg_type_void, 0 },
{ "n1", &cfg_type_uint32, 0 }, { "rdata1", &cfg_type_uint32, 0 },
{ "n2", &cfg_type_uint32, 0 }, { "rdata2", &cfg_type_uint32, 0 },
{ "n3", &cfg_type_uint32, 0 }, { "rdata3", &cfg_type_uint32, 0 },
{ "data", &cfg_type_qstring, 0 }, { "data", &cfg_type_qstring, 0 },
{ NULL, NULL, 0 } { NULL, NULL, 0 }
}; };
@ -471,9 +471,9 @@ static cfg_type_t cfg_type_anchortype = {
static cfg_tuplefielddef_t managedkey_fields[] = { static cfg_tuplefielddef_t managedkey_fields[] = {
{ "name", &cfg_type_astring, 0 }, { "name", &cfg_type_astring, 0 },
{ "anchortype", &cfg_type_anchortype, 0 }, { "anchortype", &cfg_type_anchortype, 0 },
{ "n1", &cfg_type_uint32, 0 }, { "rdata1", &cfg_type_uint32, 0 },
{ "n2", &cfg_type_uint32, 0 }, { "rdata2", &cfg_type_uint32, 0 },
{ "n3", &cfg_type_uint32, 0 }, { "rdata3", &cfg_type_uint32, 0 },
{ "data", &cfg_type_qstring, 0 }, { "data", &cfg_type_qstring, 0 },
{ NULL, NULL, 0 } { NULL, NULL, 0 }
}; };