From: Vladimír Čunát
Date: Tue, 12 Jun 2018 13:03:52 +0000 (+0200)
Subject: opt-out nitpicks, eradicate kr_rank_test_noassert
X-Git-Tag: v2.4.0~19^2~11
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=24cda63449953affb0210cdb6a870bcb26e0fb95;p=thirdparty%2Fknot-resolver.git
opt-out nitpicks, eradicate kr_rank_test_noassert
---
diff --git a/lib/cache/api.c b/lib/cache/api.c
index 64e8704b3..0fa6f5770 100644
--- a/lib/cache/api.c
+++ b/lib/cache/api.c
@@ -204,16 +204,11 @@ struct entry_h * entry_h_consistent(knot_db_val_t data, uint16_t type)
 }
 bool ok = true;
- ok = ok && (!kr_rank_test_noassert(eh->rank, KR_RANK_BOGUS)
+ ok = ok && kr_rank_check(eh->rank);
+ ok = ok && (!kr_rank_test(eh->rank, KR_RANK_BOGUS)
 || eh->is_packet);
 ok = ok && (eh->is_packet || !eh->has_optout);
- /* doesn't hold, because of temporary NSEC3 packet caching
- if (eh->is_packet)
- ok = ok && !kr_rank_test(eh->rank, KR_RANK_SECURE);
- */
-
- //LATER: rank sanity
 return ok ? /*const-cast*/(struct entry_h *)eh : NULL;
 }
diff --git a/lib/cache/entry_pkt.c b/lib/cache/entry_pkt.c
index cf72e5a05..bfbfce1e2 100644
--- a/lib/cache/entry_pkt.c
+++ b/lib/cache/entry_pkt.c
@@ -68,11 +68,12 @@ void stash_pkt(const knot_pkt_t *pkt, const struct kr_query *qry,
 const bool is_negative = kr_response_classify(pkt) & (PKT_NODATA|PKT_NXDOMAIN);
 const struct kr_qflags * const qf = &qry->flags;
- const bool want_pkt = qf->DNSSEC_BOGUS
- || (is_negative && (qf->DNSSEC_INSECURE || !qf->DNSSEC_WANT));
+ const bool want_negative = qf->DNSSEC_INSECURE || !qf->DNSSEC_WANT || has_optout;
+ const bool want_pkt = qf->DNSSEC_BOGUS /*< useful for +cd answers */
+ || (is_negative && want_negative);
- if (!(want_pkt || has_optout) || !knot_wire_get_aa(pkt->wire)
- || pkt->parsed != pkt->size /* malformed packet; still can't detect KNOT_EFEWDATA */
+ if (!want_pkt || !knot_wire_get_aa(pkt->wire)
+ || pkt->parsed != pkt->size /*< malformed packet; still can't detect KNOT_EFEWDATA */
 ) {
 return;
 }
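Review bot: The order of the two added checks in entry_h_consistent is load-bearing and nothing in the hunk records it: `kr_rank_test()` now asserts `kr_rank_check(rank)` (see the lib/resolve.h hunk), so calling it on `eh->rank` is safe only because the short-circuiting `ok = ok && kr_rank_check(eh->rank);` runs first. `eh` appears to point into the `knot_db_val_t data` argument, i.e. bytes read back from the cache, so a corrupt or stale entry must be rejected here rather than abort an assert-enabled build. I would put a comment above the first added line, e.g. `/* Validate rank first: kr_rank_test() asserts on an invalid rank and eh comes from the cache DB. */`. The start of the function lies outside the hunk.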
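Review bot: Folding `has_optout` into `want_negative` changes which packets are stashed, not only how the condition reads. The old test `!(want_pkt || has_optout)` let every opt-out packet past this filter, while the new `want_pkt` admits an opt-out packet only when `is_negative` holds or `DNSSEC_BOGUS` is set. This filter is what the later `has_optout` branch relies on when it sets KR_RANK_SECURE ("All bad cases should be filtered above"), so the narrowing should be stated next to `want_negative`, for instance `/* Negative answers we keep as whole packets: insecure, unvalidated, or covered by opt-out NSEC3. */` if that is the intent. As a style point, `/*<` is not a Doxygen trailing marker (impl.h uses `/**<`), so the two reworded comments gain nothing from the `<`. The body of stash_pkt starts and ends outside the hunk.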
@@ -94,7 +95,6 @@ void stash_pkt(const knot_pkt_t *pkt, const struct kr_query *qry,
 } else if (!qf->DNSSEC_WANT) {
 /* no TAs at all, leave _RANK_AUTH */
 } else if (has_optout) {
- /* FIXME XXX review OPTOUT in this function again! */
 /* All bad cases should be filtered above,
 * at least the same way as pktcache in kresd 1.5.x. */
 kr_rank_set(&rank, KR_RANK_SECURE);
diff --git a/lib/cache/impl.h b/lib/cache/impl.h
index 0a1aff1de..74271315e 100644
--- a/lib/cache/impl.h
+++ b/lib/cache/impl.h
@@ -53,7 +53,7 @@ struct entry_h {
 uint32_t ttl; /**< TTL at inception moment. Assuming it fits into int32_t ATM. */
 uint8_t rank : 6; /**< See enum kr_rank */
 bool is_packet : 1; /**< Negative-answer packet for insecure/bogus name. */
- bool has_optout : 1; /**< Only for packets with NSEC3. */
+ bool has_optout : 1; /**< Only for packets; persisted DNSSEC_OPTOUT. */
 uint8_t data[];
 };
 struct entry_apex;
@@ -237,7 +237,8 @@ void entry_list_memcpy(struct entry_apex *ea, entry_list_t list);
 /* Packet caching; implementation in ./entry_pkt.c */
-/** Stash the packet into cache (if suitable, etc.) */
+/** Stash the packet into cache (if suitable, etc.)
+ * \param has_optout whether the packet contains an opt-out NSEC3 */
 void stash_pkt(const knot_pkt_t *pkt, const struct kr_query *qry, const struct kr_request *req, bool has_optout);
diff --git a/lib/cache/nsec1.c b/lib/cache/nsec1.c
index b7feea7df..ee225e7c0 100644
--- a/lib/cache/nsec1.c
+++ b/lib/cache/nsec1.c
@@ -180,7 +180,7 @@ static const char * find_leq_NSEC1(struct kr_cache *cache, const struct kr_query
 * have it reconstructed at this point. */
 int32_t new_ttl_ = get_new_ttl(eh, qry, k->zname, KNOT_RRTYPE_NSEC, qry->timestamp.tv_sec);
- if (new_ttl_ < 0 || !kr_rank_test_noassert(eh->rank, KR_RANK_SECURE)) {
+ if (new_ttl_ < 0 || !kr_rank_test(eh->rank, KR_RANK_SECURE)) {
 return "range search found stale or insecure entry";
 /* TODO: remove the stale record *and* retry,
 * in case we haven't run off. Perhaps start by in_zone check. */
diff --git a/lib/cache/nsec3.c b/lib/cache/nsec3.c
index b2077d6f5..7d503acb7 100644
--- a/lib/cache/nsec3.c
+++ b/lib/cache/nsec3.c
@@ -182,7 +182,7 @@ static const char * find_leq_NSEC3(struct kr_cache *cache, const struct kr_query
 /* Passing just zone name instead of owner. */
 int32_t new_ttl_ = get_new_ttl(eh, qry, k->zname, KNOT_RRTYPE_NSEC3, qry->timestamp.tv_sec);
- if (new_ttl_ < 0 || !kr_rank_test_noassert(eh->rank, KR_RANK_SECURE)) {
+ if (new_ttl_ < 0 || !kr_rank_test(eh->rank, KR_RANK_SECURE)) {
 return "range search found stale or insecure entry";
 /* TODO: remove the stale record *and* retry,
 * in case we haven't run off. Perhaps start by in_zone check. */
diff --git a/lib/resolve.h b/lib/resolve.h
index dbfbe9759..95598e80b 100644
--- a/lib/resolve.h
+++ b/lib/resolve.h
@@ -121,10 +121,10 @@ enum kr_rank {
 /** Check that a rank value is valid. Meant for assertions. */
 bool kr_rank_check(uint8_t rank) KR_PURE;
-/** kr_rank_test() except that `rank` may be rubbish (don't assert that). */
-static inline bool kr_rank_test_noassert(uint8_t rank, uint8_t kr_flag)
+/** Test the presence of any flag/state in a rank, i.e. including KR_RANK_AUTH. */
+static inline bool kr_rank_test(uint8_t rank, uint8_t kr_flag)
 {
- assert(kr_rank_check(kr_flag));
+ assert(kr_rank_check(rank) && kr_rank_check(kr_flag));
 if (kr_flag == KR_RANK_AUTH) {
 return rank & KR_RANK_AUTH;
 }
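Review bot: The switch to the asserting `kr_rank_test()` in the `if (new_ttl_ < 0 || ...)` line assumes `eh->rank` has already been validated, and the hunk does not show where `eh` comes from. If it was obtained through `entry_h_consistent()`, the `kr_rank_check(eh->rank)` added there covers it. If any path reaches this line with an unchecked cache entry, a malformed rank now aborts an assert-enabled build, where `kr_rank_test_noassert()` used to just return a result. A short comment such as `/* eh passed entry_h_consistent(), so its rank is valid for kr_rank_test() */` would record the dependency. The same applies to the identical change in find_leq_NSEC3 (lib/cache/nsec3.c), and both functions extend beyond their hunks.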
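Review bot: The context line still documents `kr_rank_check()` as "Meant for assertions", but this commit starts using it as a runtime validity check on cache data in entry_h_consistent() (lib/cache/api.c), so that comment is now out of date. The doc comment on `kr_rank_test()` should also state its precondition, because with NDEBUG the `assert` disappears and an invalid `rank` is silently compared instead of rejected. Suggested wording: `/** Check that a rank value is valid; use it to validate ranks read from the cache before kr_rank_test(). */` and, on kr_rank_test, ` * \pre kr_rank_check(rank) holds; ranks from persisted data must be validated first.` The body of kr_rank_test continues into the next hunk.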
@@ -132,12 +132,6 @@ static inline bool kr_rank_test_noassert(uint8_t rank, uint8_t kr_flag)
 /* The rest are exclusive values - exactly one has to be set. */
 return (rank & ~KR_RANK_AUTH) == kr_flag;
 }
-/** Test the presence of any flag/state in a rank, i.e. including KR_RANK_AUTH. */
-static inline bool kr_rank_test(uint8_t rank, uint8_t kr_flag)
-{
- assert(kr_rank_check(rank));
- return kr_rank_test_noassert(rank, kr_flag);
-}
 /** Set the rank state. The _AUTH flag is kept as it was. */
 static inline void kr_rank_set(uint8_t *rank, uint8_t kr_flag)