From: Vladimír Čunát
Date: Wed, 3 Jan 2018 15:02:24 +0000 (+0100)
Subject: entry_h_consistent: split for NSEC-chain entries
X-Git-Tag: v2.0.0~6^2~37
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=37631e21a080a667b0d210ee88e097bfedd46061;p=thirdparty%2Fknot-resolver.git
entry_h_consistent: split for NSEC-chain entries
NSEC type can occur for normal (exact-hit) entries, e.g. as negative packet from explicit NSEC query from user in unsigned zone.
---
diff --git a/lib/cache.c b/lib/cache.c
index 9a5ffa418..24211eddf 100644
--- a/lib/cache.c
+++ b/lib/cache.c
@@ -172,8 +172,10 @@ struct nsec_p {
 uint8_t *salt;
 };
+/* When going stricter, BEWARE of breaking entry_h_consistent_NSEC() */
 struct entry_h * entry_h_consistent(knot_db_val_t data, uint16_t ktype)
 {
+ (void) ktype; /* unused, for now */
 /* Length checks. */
 if (data.len < offsetof(struct entry_h, data))
 return NULL;
@@ -194,18 +196,10 @@ struct entry_h * entry_h_consistent(knot_db_val_t data, uint16_t ktype)
 ok = ok && (!kr_rank_test(eh->rank, KR_RANK_BOGUS) || eh->is_packet);
- switch (ktype) {
- case KNOT_RRTYPE_NSEC:
- ok = ok && !(eh->is_packet || eh->has_ns || eh->has_cname
- || eh->has_dname);
- break;
- default:
- /* doesn't hold, because of temporary NSEC3 packet caching
- if (eh->is_packet)
- ok = ok && !kr_rank_test(eh->rank, KR_RANK_SECURE);
- */
- break;
- }
+ /* doesn't hold, because of temporary NSEC3 packet caching
+ if (eh->is_packet)
+ ok = ok && !kr_rank_test(eh->rank, KR_RANK_SECURE);
+ */
 //LATER: rank sanity
 return ok ? /*const-cast*/(struct entry_h *)eh : NULL;
diff --git a/lib/cache/impl.h b/lib/cache/impl.h
index b7aff9f27..8c6eb42e6 100644
--- a/lib/cache/impl.h
+++ b/lib/cache/impl.h
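Review bot: In lib/cache.c `entry_h_consistent()` now ignores `ktype` (`(void) ktype;` in the first hunk, the `switch` removed in the second), so any reader of NSEC-chain entries that still calls `entry_h_consistent(val, KNOT_RRTYPE_NSEC)` silently accepts entries with `is_packet`, `has_ns`, `has_cname` or `has_dname` set, which it rejected before. Only the `find_leq_NSEC1()` call site is visibly switched in this commit, and the stricter helper is `static` in lib/cache/nsec1.c, so it is worth confirming that no other code path parses '1' entries after the general check alone. Since these headers are read back from the cache database, I would spell the contract out in the comment above the function, e.g. `/* Validates 'E' (exact-hit) entries only; NSEC-chain readers must use entry_h_consistent_NSEC(). When going stricter, BEWARE of breaking it. */`. The function body continues outside both hunks.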
@@ -37,6 +37,9 @@
 * TODO: NSEC3 chain descriptors (iff nsec3_cnt > 0)
 * - is_packet: uint16_t length, otherwise opaque and handled by ./entry_pkt.c
 * - otherwise RRset + its RRSIG set (possibly empty).
+ * '1' entry (NSEC1)
+ * - contents is the same as for exact hit for NSEC
+ * - flags don't make sense there
 * */
 struct entry_h {
 uint32_t time; /**< The time of inception. */
@@ -56,9 +59,8 @@ struct entry_h {
 };
-/** Check basic consistency of entry_h, not looking into ->data.
+/** Check basic consistency of entry_h for 'E' entries, not looking into ->data.
 * (for is_packet the length of data is checked)
- * \note only exact hits and NSEC1 are really considered ATM.
 */
 struct entry_h * entry_h_consistent(knot_db_val_t data, uint16_t ktype);
diff --git a/lib/cache/nsec1.c b/lib/cache/nsec1.c
index 8b56b398e..c5abae7d2 100644
--- a/lib/cache/nsec1.c
+++ b/lib/cache/nsec1.c
@@ -120,6 +120,14 @@ static int kwz_between(knot_db_val_t k1, knot_db_val_t k2, knot_db_val_t k3)
 }
 }
+static struct entry_h * entry_h_consistent_NSEC(knot_db_val_t data)
+{
+ /* ATM it's enough to just extend the checks for exact entries. */
+ const struct entry_h *eh = entry_h_consistent(data, KNOT_RRTYPE_NSEC);
+ bool ok = eh != NULL;
+ ok = ok && !(eh->is_packet || eh->has_ns || eh->has_cname || eh->has_dname);
+ return ok ? /*const-cast*/(struct entry_h *)eh : NULL;
+}
 /** NSEC1 range search.
 *
@@ -160,7 +168,7 @@ static const char * find_leq_NSEC1(struct kr_cache *cache, const struct kr_query
 if (exact_match) {
 *exact_match = is_exact;
 }
- const struct entry_h *eh = entry_h_consistent(val, KNOT_RRTYPE_NSEC);
+ const struct entry_h *eh = entry_h_consistent_NSEC(val);
 if (!eh) {
 /* This might be just finding something else than NSEC1 entry,
 * in case we searched before the very first one in the zone. */
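Review bot: The updated doc comment for `entry_h_consistent()` in lib/cache/impl.h does not mention that `ktype` is now ignored, while the prototype still takes it. A caller reading only the header could assume that passing `KNOT_RRTYPE_NSEC` still enables the NSEC flag check. Adding a line such as ` * \param ktype currently unused; NSEC-chain entries need the stricter check in nsec1.c.` would make that explicit.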
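Review bot: `entry_h_consistent_NSEC()` in lib/cache/nsec1.c is safe against a NULL `eh` only through the short-circuit in `ok = ok && !(...)`, which is easy to break when another check is added later. An explicit guard keeps the dereference visibly behind the NULL test: `if (!eh) return NULL;` followed by `if (eh->is_packet || eh->has_ns || eh->has_cname || eh->has_dname) return NULL;`. A short doc comment stating that the function accepts only non-packet entries with none of the `has_*` flags set, and returns NULL otherwise, would also help, since this is the validation applied to NSEC-chain data read from the cache.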