summaryrefslogtreecommitdiffstats
path: root/lib/dnssec
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-06-05 04:15:13 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-06-05 04:15:13 +0000
commit672fd03e83f0333e8d8cb98c222520cd61a2f7a9 (patch)
tree271a0f975ff09b00661f2aba4b9eb2cf21e8457b /lib/dnssec
parentAdding debian version 5.7.2-1. (diff)
downloadknot-resolver-672fd03e83f0333e8d8cb98c222520cd61a2f7a9.tar.xz
knot-resolver-672fd03e83f0333e8d8cb98c222520cd61a2f7a9.zip
Merging upstream version 5.7.3.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'lib/dnssec')
-rw-r--r--lib/dnssec/nsec.c20
-rw-r--r--lib/dnssec/nsec3.c12
-rw-r--r--lib/dnssec/signature.c2
-rw-r--r--lib/dnssec/ta.c13
4 files changed, 24 insertions, 23 deletions
diff --git a/lib/dnssec/nsec.c b/lib/dnssec/nsec.c
index 8b17247..be34d92 100644
--- a/lib/dnssec/nsec.c
+++ b/lib/dnssec/nsec.c
@@ -16,7 +16,7 @@
#include "lib/defines.h"
#include "lib/dnssec/nsec.h"
#include "lib/utils.h"
-#include "resolve.h"
+#include "lib/resolve.h"
int kr_nsec_children_in_zone_check(const uint8_t *bm, uint16_t bm_size)
{
@@ -81,15 +81,13 @@ static int dname_cmp(const knot_dname_t *d1, const knot_dname_t *d2)
dname_reverse(d1, d1_len, d1_rev_arr);
dname_reverse(d2, d2_len, d2_rev_arr);
- int res = 0;
- while (res == 0 && d1_rev != NULL) {
- res = lf_cmp(d1_rev, d2_rev);
- d1_rev = knot_wire_next_label(d1_rev, NULL);
- d2_rev = knot_wire_next_label(d2_rev, NULL);
- }
-
- kr_require(res != 0 || d2_rev == NULL);
- return res;
+ do {
+ int res = lf_cmp(d1_rev, d2_rev);
+ if (res != 0 || d1_rev[0] == '\0')
+ return res;
+ d1_rev = knot_dname_next_label(d1_rev);
+ d2_rev = knot_dname_next_label(d2_rev);
+ } while (true);
}
@@ -251,7 +249,7 @@ int kr_nsec_negative(const ranked_rr_array_t *rrrs, uint32_t qry_uid,
ssynth[1] = '*';
const knot_dname_t *clencl = sname;
for (int l = sname_labels; l > clencl_labels; --l)
- clencl = knot_wire_next_label(clencl, NULL);
+ clencl = knot_dname_next_label(clencl);
(void)!!knot_dname_store(&ssynth[2], clencl);
// Try to (dis)prove the source of synthesis by a covering or matching NSEC.
diff --git a/lib/dnssec/nsec3.c b/lib/dnssec/nsec3.c
index 4199f25..4ff2750 100644
--- a/lib/dnssec/nsec3.c
+++ b/lib/dnssec/nsec3.c
@@ -143,7 +143,7 @@ static int closest_encloser_match(int *flags, const knot_rrset_t *nsec3,
goto fail;
}
- const knot_dname_t *encloser = knot_wire_next_label(name, NULL);
+ const knot_dname_t *encloser = knot_dname_next_label(name);
*skipped = 1;
/* Avoid doing too much work on SHA1, mitigating:
@@ -154,7 +154,7 @@ static int closest_encloser_match(int *flags, const knot_rrset_t *nsec3,
const int max_labels = knot_dname_labels(nsec3->owner, NULL) - 1
+ kr_nsec3_max_depth(&params);
for (int l = knot_dname_labels(encloser, NULL); l > max_labels; --l) {
- encloser = knot_wire_next_label(encloser, NULL);
+ encloser = knot_dname_next_label(encloser);
++(*skipped);
}
@@ -174,7 +174,7 @@ static int closest_encloser_match(int *flags, const knot_rrset_t *nsec3,
if (!encloser[0])
break;
- encloser = knot_wire_next_label(encloser, NULL);
+ encloser = knot_dname_next_label(encloser);
++(*skipped);
}
@@ -404,7 +404,7 @@ static int closest_encloser_proof(const knot_pkt_t *pkt,
for (unsigned j = 0; j < skipped; ++j) {
if (kr_fails_assert(next_closer[0]))
return kr_error(EINVAL);
- next_closer = knot_wire_next_label(next_closer, NULL);
+ next_closer = knot_dname_next_label(next_closer);
}
for (unsigned j = 0; j < sec->count; ++j) {
const knot_rrset_t *rrset_j = knot_pkt_rr(sec, j);
@@ -425,7 +425,7 @@ static int closest_encloser_proof(const knot_pkt_t *pkt,
if ((flags & FLG_CLOSEST_PROVABLE_ENCLOSER) && (flags & FLG_NAME_COVERED) && next_closer) {
if (encloser_name && next_closer[0])
- *encloser_name = knot_wire_next_label(next_closer, NULL);
+ *encloser_name = knot_dname_next_label(next_closer);
if (matching_encloser_nsec3)
*matching_encloser_nsec3 = matching;
if (covering_next_nsec3)
@@ -569,7 +569,7 @@ int kr_nsec3_wildcard_answer_response_check(const knot_pkt_t *pkt, knot_section_
for (int i = 0; i < trim_to_next; ++i) {
if (kr_fails_assert(sname[0]))
return kr_error(EINVAL);
- sname = knot_wire_next_label(sname, NULL);
+ sname = knot_dname_next_label(sname);
}
int flags = 0;
diff --git a/lib/dnssec/signature.c b/lib/dnssec/signature.c
index aadb5cb..12ed09e 100644
--- a/lib/dnssec/signature.c
+++ b/lib/dnssec/signature.c
@@ -208,7 +208,7 @@ static int sign_ctx_add_records(dnssec_sign_ctx_t *ctx, const knot_rrset_t *cove
for (int j = 0; j < trim_labels; ++j) {
if (kr_fails_assert(beginp[0]))
return kr_error(EINVAL);
- beginp = (uint8_t *) knot_wire_next_label(beginp, NULL);
+ beginp = (uint8_t *) knot_dname_next_label(beginp);
if (kr_fails_assert(beginp))
return kr_error(EFAULT);
}
diff --git a/lib/dnssec/ta.c b/lib/dnssec/ta.c
index becf7d8..13659c1 100644
--- a/lib/dnssec/ta.c
+++ b/lib/dnssec/ta.c
@@ -28,9 +28,9 @@ const knot_dname_t * kr_ta_closest(const struct kr_context *ctx, const knot_dnam
kr_require(ctx && name);
if (type == KNOT_RRTYPE_DS && name[0] != '\0') {
/* DS is parent-side record, so the parent name needs to be covered. */
- name = knot_wire_next_label(name, NULL);
+ name = knot_dname_next_label(name);
}
- while (name) {
+ do {
struct kr_context *ctx_nc = (struct kr_context *)/*const-cast*/ctx;
if (kr_ta_get(ctx_nc->trust_anchors, name)) {
return name;
@@ -38,9 +38,12 @@ const knot_dname_t * kr_ta_closest(const struct kr_context *ctx, const knot_dnam
if (kr_ta_get(ctx_nc->negative_anchors, name)) {
return NULL;
}
- name = knot_wire_next_label(name, NULL);
- }
- return NULL;
+ if (name[0] == '\0') {
+ return NULL;
+ } else {
+ name = knot_dname_next_label(name);
+ }
+ } while (true);
}
/* @internal Create DS from DNSKEY, caller MUST free dst if successful. */