From: Matthijs Mekking Date: Wed, 31 Jan 2024 16:31:16 +0000 (+0100) Subject: Refactor code that calculates signature validity X-Git-Tag: v9.19.24~28^2~3 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0438d3655bca9d6aeea41746a01d82e5252eba64;p=thirdparty%2Fbind9.git Refactor code that calculates signature validity There are three code blocks that are (almost) similar, refactor it to one function. --- diff --git a/lib/dns/zone.c b/lib/dns/zone.c index cf092832211..c444709917a 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -6911,6 +6911,49 @@ failure: return (result); } +static void +calculate_rrsig_validity(dns_zone_t *zone, isc_stdtime_t now, + isc_stdtime_t *inception, isc_stdtime_t *soaexpire, + isc_stdtime_t *expire, isc_stdtime_t *fullexpire) { + REQUIRE(inception != NULL); + REQUIRE(soaexpire != NULL); + /* expire and fullexpire are optional */ + + isc_stdtime_t sigvalidityinterval = + dns_zone_getsigvalidityinterval(zone); + isc_stdtime_t expiryinterval = dns_zone_getsigresigninginterval(zone); + isc_stdtime_t normaljitter = 0, fulljitter = 0; + + *inception = now - 3600; /* Allow for clock skew. */ + *soaexpire = now + sigvalidityinterval; + if (expiryinterval > sigvalidityinterval) { + expiryinterval = sigvalidityinterval; + } else { + expiryinterval = sigvalidityinterval - expiryinterval; + } + + /* + * Spread out signatures over time if they happen to be + * clumped. We don't do this for each add_sigs() call as + * we still want some clustering to occur. In normal operations + * the records should be re-signed as they fall due and they should + * already be spread out. However if the server is off for a + * period we need to ensure that the clusters don't become + * synchronised by using the full jitter range. + */ + if (sigvalidityinterval >= 3600U) { + if (sigvalidityinterval > 7200U) { + normaljitter = isc_random_uniform(3600); + fulljitter = isc_random_uniform(expiryinterval); + } else { + normaljitter = fulljitter = isc_random_uniform(1200); + } + } + + SET_IF_NOT_NULL(expire, *soaexpire - normaljitter - 1); + SET_IF_NOT_NULL(fullexpire, *soaexpire - fulljitter - 1); +} + static void zone_resigninc(dns_zone_t *zone) { dns_db_t *db = NULL; @@ -6924,7 +6967,6 @@ zone_resigninc(dns_zone_t *zone) { dst_key_t *zone_keys[DNS_MAXZONEKEYS]; isc_result_t result; isc_stdtime_t now, inception, soaexpire, expire, fullexpire, stop; - uint32_t sigvalidityinterval, expiryinterval; unsigned int i; unsigned int nkeys = 0; unsigned int resign; @@ -6972,38 +7014,9 @@ zone_resigninc(dns_zone_t *zone) { goto failure; } - sigvalidityinterval = dns_zone_getsigvalidityinterval(zone); - inception = now - 3600; /* Allow for clock skew. */ - soaexpire = now + sigvalidityinterval; - expiryinterval = dns_zone_getsigresigninginterval(zone); - if (expiryinterval > sigvalidityinterval) { - expiryinterval = sigvalidityinterval; - } else { - expiryinterval = sigvalidityinterval - expiryinterval; - } + calculate_rrsig_validity(zone, now, &inception, &soaexpire, &expire, + &fullexpire); - /* - * Spread out signatures over time if they happen to be - * clumped. We don't do this for each add_sigs() call as - * we still want some clustering to occur. In normal operations - * the records should be re-signed as they fall due and they should - * already be spread out. However if the server is off for a - * period we need to ensure that the clusters don't become - * synchronised by using the full jitter range. - */ - if (sigvalidityinterval >= 3600U) { - uint32_t normaljitter, fulljitter; - if (sigvalidityinterval > 7200U) { - normaljitter = isc_random_uniform(3600); - fulljitter = isc_random_uniform(expiryinterval); - } else { - normaljitter = fulljitter = isc_random_uniform(1200); - } - expire = soaexpire - normaljitter - 1; - fullexpire = soaexpire - fulljitter - 1; - } else { - expire = fullexpire = soaexpire - 1; - } stop = now + 5; name = dns_fixedname_initname(&fixed); @@ -8138,7 +8151,6 @@ zone_nsec3chain(dns_zone_t *zone) { bool first; isc_result_t result; isc_stdtime_t now, inception, soaexpire, expire; - uint32_t jitter, sigvalidityinterval, expiryinterval; unsigned int i; unsigned int nkeys = 0; uint32_t nodes; @@ -8207,31 +8219,8 @@ zone_nsec3chain(dns_zone_t *zone) { goto failure; } - sigvalidityinterval = dns_zone_getsigvalidityinterval(zone); - inception = now - 3600; /* Allow for clock skew. */ - soaexpire = now + sigvalidityinterval; - expiryinterval = dns_zone_getsigresigninginterval(zone); - if (expiryinterval > sigvalidityinterval) { - expiryinterval = sigvalidityinterval; - } else { - expiryinterval = sigvalidityinterval - expiryinterval; - } - - /* - * Spread out signatures over time if they happen to be - * clumped. We don't do this for each add_sigs() call as - * we still want some clustering to occur. - */ - if (sigvalidityinterval >= 3600U) { - if (sigvalidityinterval > 7200U) { - jitter = isc_random_uniform(expiryinterval); - } else { - jitter = isc_random_uniform(1200); - } - expire = soaexpire - jitter - 1; - } else { - expire = soaexpire - 1; - } + calculate_rrsig_validity(zone, now, &inception, &soaexpire, NULL, + &expire); /* * We keep pulling nodes off each iterator in turn until @@ -9240,7 +9229,6 @@ zone_sign(dns_zone_t *zone) { bool first; isc_result_t result; isc_stdtime_t now, inception, soaexpire, expire; - uint32_t jitter, sigvalidityinterval, expiryinterval; unsigned int i, j; unsigned int nkeys = 0; uint32_t nodes; @@ -9293,31 +9281,9 @@ zone_sign(dns_zone_t *zone) { } kasp = zone->kasp; - sigvalidityinterval = dns_zone_getsigvalidityinterval(zone); - inception = now - 3600; /* Allow for clock skew. */ - soaexpire = now + sigvalidityinterval; - expiryinterval = dns_zone_getsigresigninginterval(zone); - if (expiryinterval > sigvalidityinterval) { - expiryinterval = sigvalidityinterval; - } else { - expiryinterval = sigvalidityinterval - expiryinterval; - } - /* - * Spread out signatures over time if they happen to be - * clumped. We don't do this for each add_sigs() call as - * we still want some clustering to occur. - */ - if (sigvalidityinterval >= 3600U) { - if (sigvalidityinterval > 7200U) { - jitter = isc_random_uniform(expiryinterval); - } else { - jitter = isc_random_uniform(1200); - } - expire = soaexpire - jitter - 1; - } else { - expire = soaexpire - 1; - } + calculate_rrsig_validity(zone, now, &inception, &soaexpire, NULL, + &expire); /* * We keep pulling nodes off each iterator in turn until