From: Evan Hunt
Date: Tue, 17 Sep 2019 14:19:32 +0000 (-0700)
Subject: add a global function to match a DS rdata to a DNSKEY
X-Git-Tag: v9.15.6~7^2~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ac0d3c21c6d9cfa4390bcf2888c88c0fa7265bfa;p=thirdparty%2Fbind9.git
add a global function to match a DS rdata to a DNSKEY
---
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 9e21cc35b1c..d2d57448b89 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -2270,3 +2270,53 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
failure:
return (result);
}
+
+isc_result_t
+dns_dnssec_matchdskey(dns_name_t *name, dns_rdata_t *dsrdata,
+ dns_rdataset_t *keyset, dns_rdata_t *keyrdata)
+{
+ isc_result_t result;
+ unsigned char buf[DNS_DS_BUFFERSIZE];
+ dns_keytag_t keytag;
+ dns_rdata_dnskey_t key;
+ dns_rdata_ds_t ds;
+ isc_region_t r;
+
+ result = dns_rdata_tostruct(dsrdata, &ds, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+ for (result = dns_rdataset_first(keyset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(keyset))
+ {
+ dns_rdata_t newdsrdata = DNS_RDATA_INIT;
+
+ dns_rdata_reset(keyrdata);
+ dns_rdataset_current(keyset, keyrdata);
+
+ result = dns_rdata_tostruct(keyrdata, &key, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+ dns_rdata_toregion(keyrdata, &r);
+ keytag = dst_region_computeid(&r);
+
+ if (ds.key_tag != keytag || ds.algorithm != key.algorithm) {
+ continue;
+ }
+
+ result = dns_ds_buildrdata(name, keyrdata, ds.digest_type,
+ buf, &newdsrdata);
+ if (result != ISC_R_SUCCESS) {
+ continue;
+ }
+
+ if (dns_rdata_compare(dsrdata, &newdsrdata) == 0) {
+ break;
+ }
+ }
+ if (result == ISC_R_NOMORE) {
+ result = ISC_R_NOTFOUND;
+ }
+
+ return (result);
+}
diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
index 767e5e9b23a..eb6cbb18c44 100644
--- a/lib/dns/include/dns/dnssec.h
+++ b/lib/dns/include/dns/dnssec.h
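Review bot: dns_dnssec_matchdskey is a new public libdns entry point, but unlike its dns_dnssec_* neighbours it asserts none of its preconditions; the only check on its inputs is the RUNTIME_CHECK after `dns_rdata_tostruct(dsrdata, &ds, NULL)`, which fires late and says nothing about which argument was wrong. I would open the function with BIND's usual REQUIRE() lines: `REQUIRE(dsrdata != NULL && dsrdata->type == dns_rdatatype_ds);`, `REQUIRE(keyset != NULL && keyset->type == dns_rdatatype_dnskey);`, `REQUIRE(name != NULL && keyrdata != NULL);`. Separately, a dns_ds_buildrdata() failure inside the loop is treated as a non-match with no diagnostic, whereas the dnskey_for_ds() it replaces logged it at DEBUG(3); if dropping that is deliberate, a comment on that `continue` such as `/* cannot build a DS with this digest type; treat as no match */` would stop the next reader from re-adding the log in the library.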
@@ -360,6 +360,18 @@ dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
* Update the CDS and CDNSKEY RRsets, adding and removing keys as needed.
*/
+isc_result_t
+dns_dnssec_matchdskey(dns_name_t *name, dns_rdata_t *dsrdata,
+ dns_rdataset_t *keyset, dns_rdata_t *keyrdata);
+/*%<
+ * Given a DS rdata and a DNSKEY RRset, find the DNSKEY rdata that matches
+ * the DS, and place it in 'keyrdata'.
+ *
+ * Returns:
+ *\li ISC_R_SUCCESS
+ *\li ISC_R_NOTFOUND
+ *\li Other values indicate error
+ */
ISC_LANG_ENDDECLS
#endif /* DNS_DNSSEC_H */
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 11bafb567ed..6f5306b5151 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
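Review bot: The new header comment does not say what 'keyrdata' holds on failure or that 'keyset' is iterated in place, and both are visible in the implementation: keyrdata is reset and overwritten on every iteration, so on ISC_R_NOTFOUND it holds the last DNSKEY examined rather than a match, and the rdataset cursor is advanced with dns_rdataset_first()/next() on the caller's rdataset, not on a clone. It also omits that a DNSKEY whose key tag and algorithm match but for which dns_ds_buildrdata() fails (presumably an unsupported digest type) is skipped silently. I would add `'keyset' is iterated in place; its cursor is left wherever the search stopped.` and `On ISC_R_NOTFOUND, 'keyrdata' contains the last DNSKEY examined, if any.`, plus a "Requires:" list stating that 'dsrdata' must be of type DS and 'keyset' of type DNSKEY, matching the style of the surrounding dns_dnssec_* comments.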
@@ -1684,49 +1684,6 @@ check_signer(dns_validator_t *val, dns_rdata_t *keyrdata,
return (result);
}
-/*%
- * Find the DNSKEY that corresponds to the DS.
- */
-static isc_result_t
-dnskey_for_ds(dns_validator_t *val, dns_rdataset_t *rdataset,
- dns_rdata_t *dsrdata, dns_rdata_ds_t *ds, dns_rdata_t *keyrdata)
-{
- dns_keytag_t keytag;
- dns_rdata_dnskey_t key;
- isc_result_t result;
- unsigned char dsbuf[DNS_DS_BUFFERSIZE];
-
- for (result = dns_rdataset_first(rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(rdataset))
- {
- dns_rdata_t newdsrdata = DNS_RDATA_INIT;
-
- dns_rdata_reset(keyrdata);
- dns_rdataset_current(rdataset, keyrdata);
- result = dns_rdata_tostruct(keyrdata, &key, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- keytag = compute_keytag(keyrdata);
- if (ds->key_tag != keytag || ds->algorithm != key.algorithm) {
- continue;
- }
- dns_rdata_reset(&newdsrdata);
- result = dns_ds_buildrdata(val->event->name, keyrdata,
- ds->digest_type,
- dsbuf, &newdsrdata);
- if (result != ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "dns_ds_buildrdata() -> %s",
- dns_result_totext(result));
- continue;
- }
- if (dns_rdata_compare(dsrdata, &newdsrdata) == 0) {
- break;
- }
- }
- return (result);
-}
-
static isc_result_t
anchor_signed(dns_validator_t *val, isc_result_t *resp) {
isc_result_t result;
@@ -1935,7 +1892,6 @@ get_dsset(dns_validator_t *val, dns_name_t *tname, isc_result_t *resp) {
static isc_result_t
validate_dnskey(dns_validator_t *val) {
isc_result_t result;
- dns_rdataset_t trdataset;
dns_rdata_t dsrdata = DNS_RDATA_INIT;
dns_rdata_t keyrdata = DNS_RDATA_INIT;
dns_rdata_ds_t ds;
@@ -2069,16 +2025,14 @@ validate_dnskey(dns_validator_t *val) {
supported_algorithm = true;
- dns_rdataset_init(&trdataset);
- dns_rdataset_clone(val->event->rdataset, &trdataset);
-
/*
* Find the DNSKEY matching the DS...
*/
- result = dnskey_for_ds(val, &trdataset, &dsrdata,
- &ds, &keyrdata);
+ result = dns_dnssec_matchdskey(val->event->name,
+ &dsrdata,
+ val->event->rdataset,
+ &keyrdata);
if (result != ISC_R_SUCCESS) {
- dns_rdataset_disassociate(&trdataset);
validator_log(val, ISC_LOG_DEBUG(3),
"no DNSKEY matching DS");
continue;
@@ -2088,7 +2042,6 @@ validate_dnskey(dns_validator_t *val) {
* ... and check that it signed the DNSKEY RRset.
*/
result = check_signer(val, &keyrdata, ds.key_tag, ds.algorithm);
- dns_rdataset_disassociate(&trdataset);
if (result == ISC_R_SUCCESS) {
break;
}
diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in
index 31af4b1c1e3..0988db5d275 100644
--- a/lib/dns/win32/libdns.def.in
+++ b/lib/dns/win32/libdns.def.in
@@ -320,6 +320,7 @@ dns_dnssec_get_hints
dns_dnssec_keyactive
dns_dnssec_keyfromrdata
dns_dnssec_keylistfromrdataset
+dns_dnssec_matchdskey
dns_dnssec_selfsigns
dns_dnssec_sign
dns_dnssec_signmessage
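Review bot: With the clone into trdataset removed, dns_dnssec_matchdskey() now walks val->event->rdataset itself with dns_rdataset_first()/next(), so that rdataset's cursor is moved by every call; the loop enclosing this hunk begins before it, so I cannot see from here whether anything else iterates the same rdataset across the `continue`, and that is worth confirming before relying on the in-place walk. The DEBUG(3) `"dns_ds_buildrdata() -> %s"` message from the deleted dnskey_for_ds() has no counterpart in the library function, so a digest-build failure is now indistinguishable from a genuine mismatch in the validator log; making the surviving message name the DS that was tried, e.g. `"no DNSKEY matching DS (key tag %u, algorithm %u)", ds.key_tag, ds.algorithm`, would recover some of that signal. The second hunk's dropped disassociate is consistent with the first and needs nothing further.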