From: Remi Gacogne Date: Tue, 31 May 2022 19:51:46 +0000 (+0200) Subject: auth: Compute the public key only once, when creating the private one X-Git-Tag: dnsdist-1.8.0-rc1~98^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a326009522efbc510a7d1cd2767de1ef18278711;p=thirdparty%2Fpdns.git auth: Compute the public key only once, when creating the private one Note that one big drawback is that setKey() should NO LONGER be used before the algo and flags have been set.
---
diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc
index de20ab9ed0..7228789df5 100644
--- a/pdns/dbdnsseckeeper.cc
+++ b/pdns/dbdnsseckeeper.cc
@@ -110,9 +110,9 @@ bool DNSSECKeeper::addKey(const DNSName& name, bool setSEPBit, int algorithm, in
 }
 catch (const std::runtime_error& error){
 throw runtime_error("The algorithm does not support the given bit size.");
 }
- dspk.setKey(dpk);
 dspk.d_algorithm = algorithm;
 dspk.d_flags = setSEPBit ? 257 : 256;
+ dspk.setKey(dpk);
 return addKey(name, dspk, id, active, published) && clearKeyCache(name);
 }
@@ -171,9 +171,9 @@ DNSSECPrivateKey DNSSECKeeper::getKeyById(const DNSName& zname, unsigned int id)
 DNSSECPrivateKey dpk;
 DNSKEYRecordContent dkrc;
 auto key = shared_ptr(DNSCryptoKeyEngine::makeFromISCString(dkrc, kd.content));
- dpk.setKey(key);
 dpk.d_flags = kd.flags;
 dpk.d_algorithm = dkrc.d_algorithm;
+ dpk.setKey(key);
 return dpk;
 }
@@ -585,10 +585,9 @@ DNSSECKeeper::keyset_t DNSSECKeeper::getKeys(const DNSName& zone, bool useCache)
 DNSSECPrivateKey dpk;
 DNSKEYRecordContent dkrc;
 auto key = shared_ptr(DNSCryptoKeyEngine::makeFromISCString(dkrc, kd.content));
- dpk.setKey(key);
- dpk.d_flags = kd.flags;
 dpk.d_algorithm = dkrc.d_algorithm;
+ dpk.setKey(key);
 KeyMetaData kmd;
diff --git a/pdns/dnssecinfra.cc b/pdns/dnssecinfra.cc
index 971a0b39f2..8e5f0cd1a3 100644
--- a/pdns/dnssecinfra.cc
+++ b/pdns/dnssecinfra.cc
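Review bot: In the `DNSSECKeeper::getKeys()` hunk (@@ -585,10 +585,9) the line `dpk.d_flags = kd.flags;` is removed and nothing on the new side assigns the flags before `dpk.setKey(key)`, which now builds the cached DNSKEY from `d_flags`; the hunk's own line counts (10 old, 9 new, two removals against one addition) confirm the line is dropped rather than moved. Since `uint16_t d_flags;` is declared without an initializer in the `dnssecinfra.hh` hunk, the record for every key loaded through this path would be computed from an indeterminate flags value, producing a wrong key tag and DS, unless the flags are assigned somewhere outside the hunk. The two other hunks in this file keep their flags assignment and only move `setKey()` after it, so I would restore the line on the new side just before the call: `dpk.d_flags = kd.flags;`. The enclosing function continues past the hunk.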
@@ -595,9 +595,14 @@ void decrementHash(std::string& raw) // I wonder if this is correct, cmouse? ;-)
 }
 }
-DNSKEYRecordContent DNSSECPrivateKey::getDNSKEY() const
+const DNSKEYRecordContent& DNSSECPrivateKey::getDNSKEY() const
 {
- return makeDNSKEYFromDNSCryptoKeyEngine(getKey(), d_algorithm, d_flags);
+ return d_dnskey;
+}
+
+void DNSSECPrivateKey::computeDNSKEY()
+{
+ d_dnskey = makeDNSKEYFromDNSCryptoKeyEngine(getKey(), d_algorithm, d_flags);
 }
 static string calculateHMAC(const std::string& key, const std::string& text, TSIGHashEnum hasher) {
diff --git a/pdns/dnssecinfra.hh b/pdns/dnssecinfra.hh
index 246ea51d29..94cf23f7bc 100644
--- a/pdns/dnssecinfra.hh
+++ b/pdns/dnssecinfra.hh
@@ -152,20 +152,25 @@ struct DNSSECPrivateKey {
 d_key = key;
 d_algorithm = d_key->getAlgorithm();
+ computeDNSKEY();
 }
 void setKey(std::unique_ptr&& key) {
 d_key = std::move(key);
 d_algorithm = d_key->getAlgorithm();
+ computeDNSKEY();
 }
- DNSKEYRecordContent getDNSKEY() const;
+ const DNSKEYRecordContent& getDNSKEY() const;
 uint16_t d_flags;
 uint8_t d_algorithm;
 private:
+ void computeDNSKEY();
+
+ DNSKEYRecordContent d_dnskey;
 std::shared_ptr d_key;
 };
diff --git a/pdns/pdnsutil.cc b/pdns/pdnsutil.cc
index 1ce73ea034..1454e2a465 100644
--- a/pdns/pdnsutil.cc
+++ b/pdns/pdnsutil.cc
@@ -3488,7 +3488,6 @@ try
 }
 DNSSECPrivateKey dpk;
- dpk.setKey(key);
 pdns::checked_stoi_into(dpk.d_algorithm, cmds.at(3));
 if (dpk.d_algorithm == DNSSECKeeper::RSASHA1NSEC3SHA1) {
@@ -3512,6 +3511,7 @@ try
 else {
 dpk.d_flags = 257; // ksk
 }
+ dpk.setKey(key);
 int64_t id;
 if (!dk.addKey(DNSName(zone), dpk, id)) {
@@ -3539,7 +3539,6 @@ try
 DNSSECPrivateKey dpk;
 DNSKEYRecordContent drc;
 shared_ptr key(DNSCryptoKeyEngine::makeFromISCFile(drc, fname.c_str()));
- dpk.setKey(key);
 dpk.d_algorithm = drc.d_algorithm;
 if(dpk.d_algorithm == DNSSECKeeper::RSASHA1NSEC3SHA1)
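Review bot: In the `dnssecinfra.hh` hunk the cached record is computed only inside `setKey()`, yet `d_flags` and `d_algorithm` remain public, writable members, so any assignment made after `setKey()` leaves `getDNSKEY()` (the `dnssecinfra.cc` hunk) returning a stale DNSKEY whose key tag, and any DS derived from it, no longer match the object's own fields; the commit message states the ordering rule but nothing in the type enforces or documents it. I would at least add a comment on the declaration, `/* Computed by setKey() from d_flags and d_algorithm; set both BEFORE calling setKey(), later writes are not reflected. */`, and preferably make the two members private behind setters that call `computeDNSKEY()`. `d_flags` also has no default member initializer visible here, so `computeDNSKEY()` reads an indeterminate value whenever a caller forgets to set it; `uint16_t d_flags{0};` would make that failure deterministic and visible. The `struct DNSSECPrivateKey` definition begins before the hunk.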
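Review bot: In the `pdnsutil.cc` hunk at @@ -3488 the algorithm parsed from `cmds.at(3)` is now assigned before `dpk.setKey(key)`, but `setKey()` (see the `dnssecinfra.hh` hunk) unconditionally does `d_algorithm = d_key->getAlgorithm();`, so the user-supplied value, and any rewrite done by the `RSASHA1NSEC3SHA1` branch that follows (its body is outside the hunk), is discarded; before this change `setKey()` ran first and the later assignment won. The same inversion affects the @@ -3539 hunk (`dpk.d_algorithm = drc.d_algorithm;`) and `test-syncres_cc4.cc` @@ -1203, where the `/* Fake algorithm number (private) */` value 253 is replaced by the engine's real algorithm before `makeDSFromDNSKey()` runs, so that test no longer exercises an unknown DS algorithm. Either `setKey()` should stop overriding an already-set `d_algorithm`, or it should take the flags and an optional algorithm explicitly, e.g. `void setKey(const std::shared_ptr<DNSCryptoKeyEngine>& key, uint16_t flags, std::optional<uint8_t> algorithm = std::nullopt)`, and use `algorithm ? *algorithm : d_key->getAlgorithm()`. The enclosing `try` block extends beyond each of these hunks.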
@@ -3567,6 +3566,7 @@ try return 1; } } + dpk.setKey(key); int64_t id; if (!dk.addKey(DNSName(zone), dpk, id, active, published)) { cerr<<"Adding key failed, perhaps DNSSEC not enabled in configuration?"<create(bits); - dspk.setKey(dpk); dspk.d_algorithm = algorithm; dspk.d_flags = keyOrZone ? 257 : 256; + dspk.setKey(dpk); // print key to stdout cout << "Flags: " << dspk.d_flags << endl <<
diff --git a/pdns/recursordist/test-syncres_cc4.cc b/pdns/recursordist/test-syncres_cc4.cc
index 23358d9bc8..47cc29dafc 100644
--- a/pdns/recursordist/test-syncres_cc4.cc
+++ b/pdns/recursordist/test-syncres_cc4.cc
@@ -1203,9 +1203,9 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_unknown_ds_algorithm)
 dcke->create(dcke->getBits());
 DNSSECPrivateKey dpk;
 dpk.d_flags = 256;
- dpk.setKey(std::move(dcke));
 /* Fake algorithm number (private) */ dpk.d_algorithm = 253;
+ dpk.setKey(std::move(dcke));
 DSRecordContent drc = makeDSFromDNSKey(target, dpk.getDNSKEY(), DNSSECKeeper::DIGEST_SHA256);
 keys[target] = std::pair(dpk, drc);
diff --git a/pdns/test-signers.cc b/pdns/test-signers.cc
index f8e544980b..a89e48b3ef 100644
--- a/pdns/test-signers.cc
+++ b/pdns/test-signers.cc
@@ -305,8 +305,8 @@ static void checkRR(const SignerParams& signer)
 DNSKEYRecordContent drc;
 auto dcke = std::shared_ptr(DNSCryptoKeyEngine::makeFromISCString(drc, signer.iscMap));
 DNSSECPrivateKey dpk;
- dpk.setKey(dcke);
 dpk.d_flags = signer.rfcFlags;
+ dpk.setKey(dcke);
 sortedRecords_t rrs;
 /* values taken from rfc8080 for ed25519 and ed448, rfc5933 for gost */
@@ -375,8 +375,8 @@ static void test_generic_signer(std::shared_ptr dcke, DNSKEY
 BOOST_CHECK_EQUAL(drc.d_algorithm, signer.algorithm);
 DNSSECPrivateKey dpk;
- dpk.setKey(dcke);
 dpk.d_flags = signer.flags;
+ dpk.setKey(dcke);
 drc = dpk.getDNSKEY();
 BOOST_CHECK_EQUAL(drc.d_algorithm, signer.algorithm);