From: Otto Moerbeek
Date: Wed, 6 Dec 2023 13:15:23 +0000 (+0100)
Subject: dsmap_t is actually a set, rename type and a few vars
X-Git-Tag: rec-5.1.0-alpha1~9^2~20
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=794a58e3cdecc58bcea0c94f471e0b68d68961dc;p=thirdparty%2Fpdns.git
dsmap_t is actually a set, rename type and a few vars
---
diff --git a/pdns/recursordist/rec-lua-conf.hh b/pdns/recursordist/rec-lua-conf.hh
index 440068ec6e..e278acd108 100644
--- a/pdns/recursordist/rec-lua-conf.hh
+++ b/pdns/recursordist/rec-lua-conf.hh
@@ -105,7 +105,7 @@ public:
 SortList sortlist;
 DNSFilterEngine dfe;
 TrustAnchorFileInfo trustAnchorFileInfo; // Used to update the Trust Anchors from file periodically
- map dsAnchors;
+ map dsAnchors;
 map negAnchors;
 map ztcConfigs;
 std::map, AdditionalMode>> allowAdditionalQTypes;
diff --git a/pdns/recursordist/rec-main.cc b/pdns/recursordist/rec-main.cc
index d151e0623b..aded778cf5 100644
--- a/pdns/recursordist/rec-main.cc
+++ b/pdns/recursordist/rec-main.cc
@@ -2574,7 +2574,7 @@ static void houseKeepingWork(Logr::log_t log)
 SLOG(g_log << Logger::Debug << "Refreshing Trust Anchors from file" << endl, log->info(Logr::Debug, "Refreshing Trust Anchors from file"));
 try {
- map dsAnchors;
+ map dsAnchors;
 if (updateTrustAnchorsFromFile(luaconfsLocal->trustAnchorFileInfo.fname, dsAnchors, log)) {
 g_luaconfs.modify([&dsAnchors](LuaConfigItems& lci) {
 lci.dsAnchors = dsAnchors;
diff --git a/pdns/recursordist/rec-zonetocache.cc b/pdns/recursordist/rec-zonetocache.cc
index 46488f43ec..f7fb5dc1c2 100644
--- a/pdns/recursordist/rec-zonetocache.cc
+++ b/pdns/recursordist/rec-zonetocache.cc
@@ -258,8 +258,8 @@ vState ZoneData::dnssecValidate(pdns::ZoneMD& zonemd, size_t& zonemdCount) const
 resolver.setDoDNSSEC(true);
 resolver.setDNSSECValidationRequested(true);
- dsmap_t dsmap; // Actually a set
- vState dsState = resolver.getDSRecords(d_zone, dsmap, false, 0, "");
+ dsset_t dsset;
+ vState dsState = resolver.getDSRecords(d_zone, dsset, false, 0, "");
 if (dsState != vState::Secure) {
 return dsState;
 }
@@ -275,7 +275,7 @@ vState ZoneData::dnssecValidate(pdns::ZoneMD& zonemd, size_t& zonemdCount) const
 }
 skeyset_t validKeys;
- vState dnsKeyState = validateDNSKeysAgainstDS(d_now, d_zone, dsmap, dnsKeys, records, zonemd.getRRSIGs(QType::DNSKEY), validKeys, std::nullopt, validationContext);
+ vState dnsKeyState = validateDNSKeysAgainstDS(d_now, d_zone, dsset, dnsKeys, records, zonemd.getRRSIGs(QType::DNSKEY), validKeys, std::nullopt, validationContext);
 if (dnsKeyState != vState::Secure) {
 return dnsKeyState;
 }
diff --git a/pdns/recursordist/syncres.cc b/pdns/recursordist/syncres.cc
index e87206292c..66d7ad7d6f 100644
--- a/pdns/recursordist/syncres.cc
+++ b/pdns/recursordist/syncres.cc
@@ -3579,7 +3579,7 @@ void SyncRes::updateValidationState(const DNSName& qname, vState& state, const v
 LOG(", validation state is now " << state << endl);
 }
-vState SyncRes::getTA(const DNSName& zone, dsmap_t& dsMap, const string& prefix)
+vState SyncRes::getTA(const DNSName& zone, dsset_t& dsSet, const string& prefix)
 {
 auto luaLocal = g_luaconfs.getLocal();
@@ -3595,7 +3595,7 @@ vState SyncRes::getTA(const DNSName& zone, dsmap_t& dsMap, const string& prefix)
 return vState::NTA;
 }
- if (getTrustAnchor(luaLocal->dsAnchors, zone, dsMap)) {
+ if (getTrustAnchor(luaLocal->dsAnchors, zone, dsSet)) {
 if (!zone.isRoot()) {
 LOG(prefix << zone << ": Got TA" << endl);
 }
@@ -3610,11 +3610,11 @@ vState SyncRes::getTA(const DNSName& zone, dsmap_t& dsMap, const string& prefix)
 return vState::Indeterminate;
 }
-size_t SyncRes::countSupportedDS(const dsmap_t& dsmap, const string& prefix)
+size_t SyncRes::countSupportedDS(const dsset_t& dsset, const string& prefix)
 {
 size_t count = 0;
- for (const auto& dsRecordContent : dsmap) {
+ for (const auto& dsRecordContent : dsset) {
 if (isSupportedDS(dsRecordContent, LogObject(prefix))) {
 count++;
 }
@@ -3627,12 +3627,12 @@ void SyncRes::initZoneCutsFromTA(const DNSName& from, const string& prefix)
 {
 DNSName zone(from);
 do {
- dsmap_t dsMap;
- vState result = getTA(zone, dsMap, prefix);
+ dsset_t dsSet;
+ vState result = getTA(zone, dsSet, prefix);
 if (result != vState::Indeterminate) {
 if (result == vState::TA) {
- if (countSupportedDS(dsMap, prefix) == 0) {
- dsMap.clear();
+ if (countSupportedDS(dsSet, prefix) == 0) {
+ dsSet.clear();
 result = vState::Insecure;
 }
 else {
@@ -3648,9 +3648,9 @@ void SyncRes::initZoneCutsFromTA(const DNSName& from, const string& prefix)
 } while (zone.chopOff());
 }
-vState SyncRes::getDSRecords(const DNSName& zone, dsmap_t& dsMap, bool onlyTA, unsigned int depth, const string& prefix, bool bogusOnNXD, bool* foundCut)
+vState SyncRes::getDSRecords(const DNSName& zone, dsset_t& dsSet, bool onlyTA, unsigned int depth, const string& prefix, bool bogusOnNXD, bool* foundCut)
 {
- vState result = getTA(zone, dsMap, prefix);
+ vState result = getTA(zone, dsSet, prefix);
 if (result != vState::Indeterminate || onlyTA) {
 if (foundCut != nullptr) {
@@ -3658,8 +3658,8 @@ vState SyncRes::getDSRecords(const DNSName& zone, dsmap_t& dsMap, bool onlyTA, u
 }
 if (result == vState::TA) {
- if (countSupportedDS(dsMap, prefix) == 0) {
- dsMap.clear();
+ if (countSupportedDS(dsSet, prefix) == 0) {
+ dsSet.clear();
 result = vState::Insecure;
 }
 else {
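Review bot: The renamed parameter of countSupportedDS is spelled `dsset` in the definition at @@ -3610 but `dsSet` in the matching declaration this commit adds to syncres.hh, so the declaration and definition no longer agree and clang-tidy's readability-inconsistent-declaration-parameter-name will flag it. Every other renamed parameter in this file (getTA, getDSRecords) uses `dsSet`, so the definition is the odd one out; changing `size_t SyncRes::countSupportedDS(const dsset_t& dsSet, const string& prefix)` and `for (const auto& dsRecordContent : dsSet) {` keeps both sides and the file's own naming consistent. The body of countSupportedDS continues past the end of this hunk.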
@@ -3707,7 +3707,7 @@ vState SyncRes::getDSRecords(const DNSName& zone, dsmap_t& dsMap, bool onlyTA, u
 if (dscontent->d_digesttype > bestDigestType || (bestDigestType == DNSSECKeeper::DIGEST_GOST && dscontent->d_digesttype == DNSSECKeeper::DIGEST_SHA256)) {
 bestDigestType = dscontent->d_digesttype;
 }
- dsMap.insert(*dscontent);
+ dsSet.insert(*dscontent);
 }
 }
 else if (record.d_type == QType::CNAME && record.d_name == zone) {
@@ -3719,9 +3719,9 @@ vState SyncRes::getDSRecords(const DNSName& zone, dsmap_t& dsMap, bool onlyTA, u
 * digests if DS RRs with SHA-256 digests are present in the DS RRset."
 * We interpret that as: do not use SHA-1 if SHA-256 or SHA-384 is available
 */
- for (auto dsrec = dsMap.begin(); dsrec != dsMap.end();) {
+ for (auto dsrec = dsSet.begin(); dsrec != dsSet.end();) {
 if (dsrec->d_digesttype == DNSSECKeeper::DIGEST_SHA1 && dsrec->d_digesttype != bestDigestType) {
- dsrec = dsMap.erase(dsrec);
+ dsrec = dsSet.erase(dsrec);
 }
 else {
 ++dsrec;
@@ -3729,7 +3729,7 @@ vState SyncRes::getDSRecords(const DNSName& zone, dsmap_t& dsMap, bool onlyTA, u
 }
 if (rcode == RCode::NoError) {
- if (dsMap.empty()) {
+ if (dsSet.empty()) {
 /* we have no DS, it's either: - a delegation to a non-DNSSEC signed zone - no delegation, we stay in the same zone
@@ -3817,7 +3817,7 @@ vState SyncRes::getValidationStatus(const DNSName& name, bool wouldBeValid, bool
 LOG(prefix << name << ": - Looking for a DS at " << dsName << endl);
 bool foundCut = false;
- dsmap_t results;
+ dsset_t results;
 vState dsState = getDSRecords(dsName, results, false, depth, prefix, false, &foundCut);
 if (foundCut) {
@@ -3857,7 +3857,7 @@ vState SyncRes::getValidationStatus(const DNSName& name, bool wouldBeValid, bool
 vState SyncRes::validateDNSKeys(const DNSName& zone, const std::vector& dnskeys, const std::vector>& signatures, unsigned int depth, const string& prefix)
 {
- dsmap_t dsMap;
+ dsset_t dsSet;
 if (signatures.empty()) {
 LOG(prefix << zone << ": We have " << std::to_string(dnskeys.size()) << " DNSKEYs but no signature, going Bogus!" << endl);
 return vState::BogusNoRRSIG;
@@ -3866,7 +3866,7 @@ vState SyncRes::validateDNSKeys(const DNSName& zone, const std::vector s_maxvalidationsperq) {
 throw ImmediateServFailException("Server Failure while validating DNSKEYs, too many signature validations for this query");
@@ -4011,7 +4011,7 @@ vState SyncRes::validateRecordsWithSigs(unsigned int depth, const string& prefix
 or more likely NSEC(3)s proving that it does not exist, we have a problem. In that case let's see if the DS does exist, and if it does let's go Bogus */
- dsmap_t results;
+ dsset_t results;
 vState dsState = getDSRecords(signer, results, false, depth, prefix, true);
 if (vStateIsBogus(dsState) || dsState == vState::Insecure) {
 state = dsState;
diff --git a/pdns/recursordist/syncres.hh b/pdns/recursordist/syncres.hh
index 862cd7d396..c2a0048bd7 100644
--- a/pdns/recursordist/syncres.hh
+++ b/pdns/recursordist/syncres.hh
@@ -101,7 +101,7 @@ public:
 vState state{vState::Indeterminate};
 };
- vState getDSRecords(const DNSName& zone, dsmap_t& dsMap, bool onlyTA, unsigned int depth, const string& prefix, bool bogusOnNXD = true, bool* foundCut = nullptr);
+ vState getDSRecords(const DNSName& zone, dsset_t& dsSet, bool onlyTA, unsigned int depth, const string& prefix, bool bogusOnNXD = true, bool* foundCut = nullptr);
 class AuthDomain {
@@ -671,11 +671,11 @@ private:
 dState getDenialValidationState(const NegCache::NegCacheEntry& negEntry, dState expectedState, bool referralToUnsigned, const string& prefix);
 void updateDenialValidationState(const DNSName& qname, vState& neValidationState, const DNSName& neName, vState& state, dState denialState, dState expectedState, bool isDS, unsigned int depth, const string& prefix);
 void computeNegCacheValidationStatus(const NegCache::NegCacheEntry& negEntry, const DNSName& qname, QType qtype, int res, vState& state, unsigned int depth, const string& prefix);
- vState getTA(const DNSName& zone, dsmap_t& dsMap, const string& prefix);
+ vState getTA(const DNSName& zone, dsset_t& dsSet, const string& prefix);
 vState getValidationStatus(const DNSName& name, bool wouldBeValid, bool typeIsDS, unsigned int depth, const string& prefix);
 void updateValidationStatusInCache(const DNSName& qname, QType qtype, bool aaFlag, vState newState) const;
 void initZoneCutsFromTA(const DNSName& from, const string& prefix);
- size_t countSupportedDS(const dsmap_t& dsmap, const string& prefix);
+ size_t countSupportedDS(const dsset_t& dsSet, const string& prefix);
 void handleNewTarget(const std::string& prefix, const DNSName& qname, const DNSName& newtarget, QType qtype, std::vector& ret, int& rcode, unsigned int depth, const std::vector& recordsFromAnswer, vState& state);
diff --git a/pdns/recursordist/test-syncres_cc.cc b/pdns/recursordist/test-syncres_cc.cc
index 0aa0ceccc2..4db2c8ab73 100644
--- a/pdns/recursordist/test-syncres_cc.cc
+++ b/pdns/recursordist/test-syncres_cc.cc
@@ -495,7 +495,7 @@ void generateKeyMaterial(const DNSName& name, unsigned int algo, uint8_t digest,
 keys[name] = std::pair(dpk, ds);
 }
-void generateKeyMaterial(const DNSName& name, unsigned int algo, uint8_t digest, testkeysset_t& keys, map& dsAnchors)
+void generateKeyMaterial(const DNSName& name, unsigned int algo, uint8_t digest, testkeysset_t& keys, map& dsAnchors)
 {
 generateKeyMaterial(name, algo, digest, keys);
 dsAnchors[name].insert(keys[name].second);
diff --git a/pdns/recursordist/test-syncres_cc.hh b/pdns/recursordist/test-syncres_cc.hh
index 11d99c6f30..8978fcffb5 100644
--- a/pdns/recursordist/test-syncres_cc.hh
+++ b/pdns/recursordist/test-syncres_cc.hh
@@ -69,7 +69,7 @@ void addNSEC3NarrowRecordToLW(const DNSName& domain, const DNSName& zone, const
 void generateKeyMaterial(const DNSName& name, unsigned int algo, uint8_t digest, testkeysset_t& keys);
-void generateKeyMaterial(const DNSName& name, unsigned int algo, uint8_t digest, testkeysset_t& keys, map& dsAnchors);
+void generateKeyMaterial(const DNSName& name, unsigned int algo, uint8_t digest, testkeysset_t& keys, map& dsAnchors);
 LWResult::Result genericDSAndDNSKEYHandler(LWResult* res, const DNSName& domain, DNSName auth, int type, const testkeysset_t& keys, bool proveCut = true, boost::optional now = boost::none, bool nsec3 = false, bool optOut = false);
diff --git a/pdns/recursordist/test-syncres_cc9.cc b/pdns/recursordist/test-syncres_cc9.cc
index d921dc39ee..d33bf184b4 100644
--- a/pdns/recursordist/test-syncres_cc9.cc
+++ b/pdns/recursordist/test-syncres_cc9.cc
@@ -766,7 +766,7 @@ BOOST_AUTO_TEST_CASE(test_getDSRecords_multialgo)
 return LWResult::Result::Timeout;
 });
- dsmap_t ds;
+ dsset_t ds;
 auto state = sr->getDSRecords(target, ds, false, 0, "", false);
 BOOST_CHECK_EQUAL(state, vState::Secure);
 BOOST_REQUIRE_EQUAL(ds.size(), 1U);
@@ -819,7 +819,7 @@ BOOST_AUTO_TEST_CASE(test_getDSRecords_multialgo_all_sha)
 return LWResult::Result::Timeout;
 });
- dsmap_t ds;
+ dsset_t ds;
 auto state = sr->getDSRecords(target, ds, false, 0, "", false);
 BOOST_CHECK_EQUAL(state, vState::Secure);
 BOOST_REQUIRE_EQUAL(ds.size(), 2U);
@@ -872,7 +872,7 @@ BOOST_AUTO_TEST_CASE(test_getDSRecords_multialgo_two_highest)
 return LWResult::Result::Timeout;
 });
- dsmap_t ds;
+ dsset_t ds;
 auto state = sr->getDSRecords(target, ds, false, 0, "", false);
 BOOST_CHECK_EQUAL(state, vState::Secure);
 BOOST_REQUIRE_EQUAL(ds.size(), 2U);
diff --git a/pdns/recursordist/validate-recursor.cc b/pdns/recursordist/validate-recursor.cc
index d7f2b99c90..7c169f27bc 100644
--- a/pdns/recursordist/validate-recursor.cc
+++ b/pdns/recursordist/validate-recursor.cc
@@ -42,9 +42,9 @@ vState increaseXDNSSECStateCounter(const vState& state)
 }
 // Returns true if dsAnchors were modified
-bool updateTrustAnchorsFromFile(const std::string& fname, map& dsAnchors, Logr::log_t log)
+bool updateTrustAnchorsFromFile(const std::string& fname, map& dsAnchors, Logr::log_t log)
 {
- map newDSAnchors;
+ map newDSAnchors;
 try {
 auto zoneParser = ZoneParserTNG(fname);
 zoneParser.disableGenerate();
diff --git a/pdns/recursordist/validate-recursor.hh b/pdns/recursordist/validate-recursor.hh
index 7062162832..62aa6ce594 100644
--- a/pdns/recursordist/validate-recursor.hh
+++ b/pdns/recursordist/validate-recursor.hh
@@ -46,4 +46,4 @@ bool checkDNSSECDisabled();
 bool warnIfDNSSECDisabled(const string& msg);
 vState increaseDNSSECStateCounter(const vState& state);
 vState increaseXDNSSECStateCounter(const vState& state);
-bool updateTrustAnchorsFromFile(const std::string& fname, map& dsAnchors, Logr::log_t);
+bool updateTrustAnchorsFromFile(const std::string& fname, map& dsAnchors, Logr::log_t);
diff --git a/pdns/validate.cc b/pdns/validate.cc
index eb63e2d818..cc9dc40515 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -1106,7 +1106,7 @@ vState validateWithKeySet(time_t now, const DNSName& name, const sortedRecords_t
 return vState::BogusNoValidRRSIG;
 }
-bool getTrustAnchor(const map& anchors, const DNSName& zone, dsmap_t &res)
+bool getTrustAnchor(const map& anchors, const DNSName& zone, dsset_t &res)
 {
 const auto& iter = anchors.find(zone);
@@ -1130,14 +1130,14 @@ bool haveNegativeTrustAnchor(const map& negAnchors, const D
 return true;
 }
-vState validateDNSKeysAgainstDS(time_t now, const DNSName& zone, const dsmap_t& dsmap, const skeyset_t& tkeys, const sortedRecords_t& toSign, const vector >& sigs, skeyset_t& validkeys, const OptLog& log, pdns::validation::ValidationContext& context) // NOLINT(readability-function-cognitive-complexity): FIXME
+vState validateDNSKeysAgainstDS(time_t now, const DNSName& zone, const dsset_t& dsset, const skeyset_t& tkeys, const sortedRecords_t& toSign, const vector >& sigs, skeyset_t& validkeys, const OptLog& log, pdns::validation::ValidationContext& context)
 {
 /*
 * Check all DNSKEY records against all DS records and place all DNSKEY records
 * that have DS records (that we support the algo for) in the tentative key storage
 */
 uint16_t dssConsidered = 0;
- for (const auto& dsrc : dsmap) {
+ for (const auto& dsrc : dsset) {
 if (g_maxDSsToConsider > 0 && dssConsidered > g_maxDSsToConsider) {
 VLOG(log, zone << ": We have already considered "<, ContentSigPair>;
-using dsmap_t = std::set;
+using dsset_t = std::set;
 struct sharedDNSKeyRecordContentCompare {
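Review bot: The definition line of validateDNSKeysAgainstDS at @@ -1130 silently drops the trailing `// NOLINT(readability-function-cognitive-complexity): FIXME` suppression while the commit message describes only a type and variable rename. The function body, which continues well past the end of this hunk, is otherwise untouched, so presumably clang-tidy will start reporting the cognitive-complexity finding on it again once this lands. If the removal is intended, say so in the commit message; otherwise keep the marker on the new signature, `... pdns::validation::ValidationContext& context) // NOLINT(readability-function-cognitive-complexity): FIXME`.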
@@ -107,9 +107,9 @@ vState validateWithKeySet(time_t now, const DNSName& name, const sortedRecords_t
 bool isCoveredByNSEC(const DNSName& name, const DNSName& begin, const DNSName& next);
 bool isCoveredByNSEC3Hash(const std::string& hash, const std::string& beginHash, const std::string& nextHash);
 bool isCoveredByNSEC3Hash(const DNSName& name, const DNSName& beginHash, const DNSName& nextHash);
-bool getTrustAnchor(const map& anchors, const DNSName& zone, dsmap_t &res);
+bool getTrustAnchor(const map& anchors, const DNSName& zone, dsset_t &res);
 bool haveNegativeTrustAnchor(const map& negAnchors, const DNSName& zone, std::string& reason);
-vState validateDNSKeysAgainstDS(time_t now, const DNSName& zone, const dsmap_t& dsmap, const skeyset_t& tkeys, const sortedRecords_t& toSign, const vector >& sigs, skeyset_t& validkeys, const OptLog&, pdns::validation::ValidationContext& context);
+vState validateDNSKeysAgainstDS(time_t now, const DNSName& zone, const dsset_t& dsset, const skeyset_t& tkeys, const sortedRecords_t& toSign, const vector >& sigs, skeyset_t& validkeys, const OptLog&, pdns::validation::ValidationContext& context);
 dState getDenial(const cspmap_t &validrrsets, const DNSName& qname, uint16_t qtype, bool referralToUnsigned, bool wantsNoDataProof, pdns::validation::ValidationContext& context, const OptLog& log = std::nullopt, bool needWildcardProof=true, unsigned int wildcardLabelsCount=0);
 bool isSupportedDS(const DSRecordContent& dsRecordContent, const OptLog&);
 DNSName getSigner(const std::vector >& signatures);