From: Vladimír Čunát Date: Mon, 3 Sep 2018 12:43:02 +0000 (+0200) Subject: Re-revert "kr_nsec_bitmap_contains_type(): moved to libdnssec" X-Git-Tag: v3.1.0~20^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=66aa683c3b22d2d3150fe2e89a7013d7a4b51c22;p=thirdparty%2Fknot-resolver.git Re-revert "kr_nsec_bitmap_contains_type(): moved to libdnssec" This reverts commit 512f4aee63cbad71639d7865a8b9f5a3c32ffed2. knot-dns-2.7.2 fixed this. --- diff --git a/lib/dnssec/nsec.c b/lib/dnssec/nsec.c index 0a3edf68d..4ae13b23f 100644 --- a/lib/dnssec/nsec.c +++ b/lib/dnssec/nsec.c @@ -24,42 +24,11 @@ #include #include #include +#include #include "lib/defines.h" #include "lib/dnssec/nsec.h" -bool kr_nsec_bitmap_contains_type(const uint8_t *bm, uint16_t bm_size, uint16_t type) -{ - if (!bm || bm_size == 0) { - assert(bm); - return false; - } - - const uint8_t type_hi = (type >> 8); - const uint8_t type_lo = (type & 0xff); - const uint8_t bitmap_idx = (type_lo >> 3); - const uint8_t bitmap_bit_mask = 1 << (7 - (type_lo & 0x07)); - - size_t bm_pos = 0; - while (bm_pos + 3 <= bm_size) { - uint8_t win = bm[bm_pos++]; - uint8_t win_size = bm[bm_pos++]; - /* Check remaining window length. */ - if (win_size < 1 || bm_pos + win_size > bm_size) - return false; - /* Check that we have a correct window. */ - if (win == type_hi) { - if (bitmap_idx < win_size) { - return bm[bm_pos + bitmap_idx] & bitmap_bit_mask; - } - return false; - } else { - bm_pos += win_size; - } - } - - return false; -} int kr_nsec_children_in_zone_check(const uint8_t *bm, uint16_t bm_size) { 
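Review bot: With the local parser removed in this hunk, every NSEC/NSEC3 type-bitmap decision in the resolver depends on libdnssec's `dnssec_nsec_bitmap_contains()`, and the commit message says the fix for it arrived in knot-dns-2.7.2. Nothing in this diff raises the minimum required library version, so a build against an older libdnssec would presumably still compile and use the defective lookup in DNSSEC denial-of-existence checks. If the build configuration does not already enforce 2.7.2 or later, that requirement belongs in the same commit. A short comment next to the new include, e.g. `/* dnssec_nsec_bitmap_contains(): needs knot-dns >= 2.7.2 */`, would record why.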
@@ -67,9 +36,9 @@ int kr_nsec_children_in_zone_check(const uint8_t *bm, uint16_t bm_size) return kr_error(EINVAL); } const bool parent_side = - kr_nsec_bitmap_contains_type(bm, bm_size, KNOT_RRTYPE_DNAME) - || (kr_nsec_bitmap_contains_type(bm, bm_size, KNOT_RRTYPE_NS) - && !kr_nsec_bitmap_contains_type(bm, bm_size, KNOT_RRTYPE_SOA) + dnssec_nsec_bitmap_contains(bm, bm_size, KNOT_RRTYPE_DNAME) + || (dnssec_nsec_bitmap_contains(bm, bm_size, KNOT_RRTYPE_NS) + && !dnssec_nsec_bitmap_contains(bm, bm_size, KNOT_RRTYPE_SOA) ); return parent_side ? abs(ENOENT) : kr_ok(); /* LATER: after refactoring, probably also check if signer name equals owner, @@ -262,12 +231,12 @@ int kr_nsec_bitmap_nodata_check(const uint8_t *bm, uint16_t bm_size, uint16_t ty if (!bm || !owner) { return kr_error(EINVAL); } - if (kr_nsec_bitmap_contains_type(bm, bm_size, type)) { + if (dnssec_nsec_bitmap_contains(bm, bm_size, type)) { return NO_PROOF; } if (type != KNOT_RRTYPE_CNAME - && kr_nsec_bitmap_contains_type(bm, bm_size, KNOT_RRTYPE_CNAME)) { + && dnssec_nsec_bitmap_contains(bm, bm_size, KNOT_RRTYPE_CNAME)) { return NO_PROOF; } /* Special behavior around zone cuts. */ @@ -279,7 +248,7 @@ int kr_nsec_bitmap_nodata_check(const uint8_t *bm, uint16_t bm_size, uint16_t ty * See RFC4035 5.2, next-to-last paragraph. * This doesn't apply for root DS as it doesn't exist in DNS hierarchy. */ - if (owner[0] != '\0' && kr_nsec_bitmap_contains_type(bm, bm_size, KNOT_RRTYPE_SOA)) { + if (owner[0] != '\0' && dnssec_nsec_bitmap_contains(bm, bm_size, KNOT_RRTYPE_SOA)) { return NO_PROOF; } break; 
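Review bot: In kr_nsec_bitmap_nodata_check() a `false` from `dnssec_nsec_bitmap_contains(bm, bm_size, type)` is the result that lets the NODATA proof proceed, yet a boolean return cannot distinguish "type absent" from "bitmap empty or malformed". The removed helper returned false for `bm_size == 0` and for a window running past `bm_size`; whether the library function behaves the same is not visible here, and the callers only check `bm` for NULL. The assumption should be documented at the first call, e.g. `/* relies on libdnssec returning false for an empty or truncated bitmap */`, or `bm_size == 0` should be rejected with `kr_error(EINVAL)` next to the existing NULL check. The same applies to the other call sites in nsec.c and nsec3.c, whose function bodies continue outside the hunks.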
@@ -291,8 +260,8 @@ int kr_nsec_bitmap_nodata_check(const uint8_t *bm, uint16_t bm_size, uint16_t ty default: /* Parent-side delegation record isn't authoritative for non-DS; * see RFC6840 4.1. */ - if (kr_nsec_bitmap_contains_type(bm, bm_size, KNOT_RRTYPE_NS) - && !kr_nsec_bitmap_contains_type(bm, bm_size, KNOT_RRTYPE_SOA)) { + if (dnssec_nsec_bitmap_contains(bm, bm_size, KNOT_RRTYPE_NS) + && !dnssec_nsec_bitmap_contains(bm, bm_size, KNOT_RRTYPE_SOA)) { return NO_PROOF; } /* LATER(opt): perhaps short-circuit test if we repeat it here. */ @@ -520,11 +489,11 @@ int kr_nsec_ref_to_unsigned(const knot_pkt_t *pkt) if (!bm) { return kr_error(EINVAL); } - if (kr_nsec_bitmap_contains_type(bm, bm_size, + if (dnssec_nsec_bitmap_contains(bm, bm_size, KNOT_RRTYPE_NS) && - !kr_nsec_bitmap_contains_type(bm, bm_size, + !dnssec_nsec_bitmap_contains(bm, bm_size, KNOT_RRTYPE_DS) && - !kr_nsec_bitmap_contains_type(bm, bm_size, + !dnssec_nsec_bitmap_contains(bm, bm_size, KNOT_RRTYPE_SOA)) { /* rfc4035, 5.2 */ return kr_ok(); @@ -563,7 +532,7 @@ int kr_nsec_matches_name_and_type(const knot_rrset_t *nsec, if (!bm) { return kr_error(EINVAL); } - if (kr_nsec_bitmap_contains_type(bm, bm_size, type)) { + if (dnssec_nsec_bitmap_contains(bm, bm_size, type)) { return kr_ok(); } else { return kr_error(ENOENT); diff --git a/lib/dnssec/nsec.h b/lib/dnssec/nsec.h index 58542414d..9439a8825 100644 --- a/lib/dnssec/nsec.h +++ b/lib/dnssec/nsec.h @@ -18,15 +18,6 @@ #include -/** - * Check whether bitmap contains given type. - * @param bm Bitmap from NSEC or NSEC3. - * @param bm_size Bitmap size. - * @param type RR type to search for. - * @return True if bitmap contains type. - */ -bool kr_nsec_bitmap_contains_type(const uint8_t *bm, uint16_t bm_size, uint16_t type); - /** * Check bitmap that child names are contained in the same zone. * @note see RFC6840 4.1. diff --git a/lib/dnssec/nsec3.c b/lib/dnssec/nsec3.c index c71cadd0b..2f61b0357 100644 --- a/lib/dnssec/nsec3.c +++ b/lib/dnssec/nsec3.c 
@@ -708,11 +708,11 @@ int kr_nsec3_ref_to_unsigned(const knot_pkt_t *pkt) if (!bm) { return kr_error(EINVAL); } - if (kr_nsec_bitmap_contains_type(bm, bm_size, + if (dnssec_nsec_bitmap_contains(bm, bm_size, KNOT_RRTYPE_NS) && - !kr_nsec_bitmap_contains_type(bm, bm_size, + !dnssec_nsec_bitmap_contains(bm, bm_size, KNOT_RRTYPE_DS) && - !kr_nsec_bitmap_contains_type(bm, bm_size, + !dnssec_nsec_bitmap_contains(bm, bm_size, KNOT_RRTYPE_SOA)) { /* Satisfies rfc5155, 8.9. paragraph 2 */ return kr_ok(); @@ -768,7 +768,7 @@ int kr_nsec3_matches_name_and_type(const knot_rrset_t *nsec3, if (!bm) { return kr_error(EINVAL); } - if (kr_nsec_bitmap_contains_type(bm, bm_size, type)) { + if (dnssec_nsec_bitmap_contains(bm, bm_size, type)) { return kr_ok(); } else { return kr_error(ENOENT);
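Review bot: The nsec3.c hunks start calling `dnssec_nsec_bitmap_contains()` but, unlike the nsec.c section, this diff adds no `#include` to the file. That is fine if the libdnssec NSEC header is already included there, which cannot be seen from these hunks. If it is not, the call would be an implicit declaration and the `bool` result would be read as `int`. This should be confirmed, ideally by building with `-Werror=implicit-function-declaration`.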