From: Mark Andrews Date: Tue, 6 Aug 2024 04:41:50 +0000 (+1000) Subject: Add the concept of allowed key tag ranges to kasp X-Git-Tag: v9.21.1~19^2~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=25bf77fac64935451cf5b4189ef19d9d8c4cce30;p=thirdparty%2Fbind9.git Add the concept of allowed key tag ranges to kasp
---
diff --git a/lib/dns/include/dns/kasp.h b/lib/dns/include/dns/kasp.h
index 26af4695465..674e733551c 100644
--- a/lib/dns/include/dns/kasp.h
+++ b/lib/dns/include/dns/kasp.h
@@ -58,6 +58,8 @@ struct dns_kasp_key {
 uint8_t algorithm;
 int length;
 uint8_t role;
+ uint16_t tag_min;
+ uint16_t tag_max;
 };
 struct dns_kasp_nsec3param {
@@ -721,6 +723,26 @@ dns_kasp_key_zsk(dns_kasp_key_t *key);
 *
 */
+uint16_t
+dns_kasp_key_tagmin(dns_kasp_key_t *key);
+/*%<
+ * Returns the minimum permitted key tag value.
+ *
+ * Requires:
+ *
+ *\li key != NULL
+ */
+
+uint16_t
+dns_kasp_key_tagmax(dns_kasp_key_t *key);
+/*%<
+ * Returns the maximum permitted key tag value.
+ *
+ * Requires:
+ *
+ *\li key != NULL
+ */
+
 bool
 dns_kasp_key_match(dns_kasp_key_t *key, dns_dnsseckey_t *dkey);
 /*%<
diff --git a/lib/dns/kasp.c b/lib/dns/kasp.c
index 50ecba05d6f..03308b44b67 100644
--- a/lib/dns/kasp.c
+++ b/lib/dns/kasp.c
@@ -401,7 +401,7 @@ dns_kasp_addkey(dns_kasp_t *kasp, dns_kasp_key_t *key) {
 isc_result_t
 dns_kasp_key_create(dns_kasp_t *kasp, dns_kasp_key_t **keyp) {
 dns_kasp_key_t *key = NULL;
- dns_kasp_key_t k = { .length = -1 };
+ dns_kasp_key_t k = { .tag_max = 0xffff, .length = -1 };
 REQUIRE(DNS_KASP_VALID(kasp));
 REQUIRE(keyp != NULL && *keyp == NULL);
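Review bot: The new comments on dns_kasp_key_tagmin() and dns_kasp_key_tagmax() in the second kasp.h hunk do not say whether the bounds are inclusive or what a key with no configured range reports; dns_kasp_key_create() in this commit leaves tag_min at 0 and sets tag_max to 0xffff, and the keymgr.c check (`id < min || id > max`) treats both bounds as inclusive. I would extend the two comments to `* Returns the minimum (inclusive) permitted key tag value; 0 when no range is configured.` and `* Returns the maximum (inclusive) permitted key tag value; 0xffff when no range is configured.`. On the struct fields in the first hunk, a one-line comment stating that tag_min <= tag_max is expected would help, since the configuration code that fills these fields is not part of this diff and whether it enforces that invariant cannot be checked here.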
@@ -507,6 +507,18 @@ dns_kasp_key_zsk(dns_kasp_key_t *key) {
 return (key->role & DNS_KASP_KEY_ROLE_ZSK);
 }
+uint16_t
+dns_kasp_key_tagmin(dns_kasp_key_t *key) {
+ REQUIRE(key != NULL);
+ return (key->tag_min);
+}
+
+uint16_t
+dns_kasp_key_tagmax(dns_kasp_key_t *key) {
+ REQUIRE(key != NULL);
+ return (key->tag_min);
+}
+
 bool
 dns_kasp_key_match(dns_kasp_key_t *key, dns_dnsseckey_t *dkey) {
 isc_result_t ret;
diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index 3eb61185e89..782941c3960 100644
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -426,11 +426,19 @@ keymgr_key_update_lifetime(dns_dnsseckey_t *key, dns_kasp_t *kasp,
 }
 static bool
-keymgr_keyid_conflict(dst_key_t *newkey, dns_dnsseckeylist_t *keys) {
+keymgr_keyid_conflict(dst_key_t *newkey, uint16_t min, uint16_t max,
+ dns_dnsseckeylist_t *keys) {
 uint16_t id = dst_key_id(newkey);
 uint32_t rid = dst_key_rid(newkey);
 uint32_t alg = dst_key_alg(newkey);
+ if (id < min || id > max) {
+ return (true);
+ }
+ if (rid < min || rid > max) {
+ return (true);
+ }
+
 for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*keys); dkey != NULL;
 dkey = ISC_LIST_NEXT(dkey, link)) {
@@ -484,9 +492,11 @@ keymgr_createkey(dns_kasp_key_t *kkey, const dns_name_t *origin,
 }
 /* Key collision? */
- conflict = keymgr_keyid_conflict(newkey, keylist);
+ conflict = keymgr_keyid_conflict(newkey, kkey->tag_min,
+ kkey->tag_max, keylist);
 if (!conflict) {
- conflict = keymgr_keyid_conflict(newkey, newkeys);
+ conflict = keymgr_keyid_conflict(
+ newkey, kkey->tag_min, kkey->tag_max, newkeys);
 }
 if (conflict) {
 /* Try again. */
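Review bot: dns_kasp_key_tagmax() returns key->tag_min instead of key->tag_max, so the accessor reports the lower bound twice and the upper bound is never exposed through it; the return line should read `return (key->tag_max);`. The keymgr.c changes in this commit read kkey->tag_max directly rather than through the accessor, so they are not affected, but any later caller of dns_kasp_key_tagmax() would silently get the wrong bound. A unit test that creates a key, sets distinct tag_min/tag_max values and checks both accessors would have caught this copy-paste slip.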
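Review bot: keymgr_keyid_conflict() now reports a key whose tag (or revoked tag rid) falls outside [min, max] with the same `true` it uses for a real collision, and keymgr_createkey() answers that with the `/* Try again. */` branch visible in the second keymgr.c hunk, i.e. by generating another key. With a narrow configured range this turns key creation into a long run of regenerations rather than a fast failure, and if the range is small enough that no key has both its tag and its revoked tag inside it the retry can presumably never succeed; the surrounding loop starts outside the hunk, so whether it is bounded cannot be confirmed here. I would distinguish "outside the allowed range" from "collides with an existing key" (a separate return value or out-parameter) and cap the retries in keymgr_createkey() so that it returns an error after a fixed number of attempts instead of spinning. It is also worth confirming that the rid comparison is intended, since requiring the revoked tag to be in range as well makes small ranges harder or impossible to satisfy.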