From: Matthijs Mekking
Date: Tue, 11 Jul 2023 12:51:24 +0000 (+0200)
Subject: Tiny refactor revoked key check
X-Git-Tag: v9.19.16~32^2~3
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3bcb096a0e3db7bcb09cef4dd938e6d80a86a147;p=thirdparty%2Fbind9.git

Tiny refactor revoked key check

This makes the code flow a bit more readable.
---

diff --git a/lib/dns/update.c b/lib/dns/update.c
index 6063a50199d..6d7e563c0f5 100644
--- a/lib/dns/update.c
+++ b/lib/dns/update.c
@@ -1160,17 +1160,6 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 continue;
 }
 
- if (!REVOKE(keys[i])) {
- /*
- * Don't consider inactive keys, however the KSK may be
- * temporary offline, so do consider KSKs which private
- * key files are unavailable.
- */
- both = dst_key_have_ksk_and_zsk(
- keys, nkeys, i, false, KSK(keys[i]),
- !KSK(keys[i]), NULL, NULL);
- }
-
 if (use_kasp) {
 /*
 * A dnssec-policy is found. Check what RRsets this
@@ -1216,26 +1205,34 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 */
 continue;
 }
-
- /*
- * If this key is revoked, it may only sign the
- * DNSKEY RRset.
- */
- if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey) {
- continue;
- }
- } else if (both) {
+ } else if (!REVOKE(keys[i])) {
 /*
- * CDS and CDNSKEY are signed with KSK (RFC 7344, 4.1).
+ * Don't consider inactive keys, however the KSK may be
+ * temporary offline, so do consider KSKs which private
+ * key files are unavailable.
 */
- if (dns_rdatatype_iskeymaterial(type)) {
- if (!KSK(keys[i])) {
+ both = dst_key_have_ksk_and_zsk(
+ keys, nkeys, i, false, KSK(keys[i]),
+ !KSK(keys[i]), NULL, NULL);
+ if (both) {
+ /*
+ * CDS and CDNSKEY are signed with KSK (RFC
+ * 7344, 4.1).
+ */
+ if (dns_rdatatype_iskeymaterial(type)) {
+ if (!KSK(keys[i])) {
+ continue;
+ }
+ } else if (KSK(keys[i])) {
 continue;
 }
- } else if (KSK(keys[i])) {
- continue;
 }
- } else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey) {
+ }
+
+ /*
+ * If this key is revoked, it may only sign the DNSKEY RRset.
+ */
+ if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey) {
 continue;
 }
 
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 4b07ae66992..5f284829d03 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -6596,16 +6596,6 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
 continue;
 }
 
- if (!REVOKE(keys[i])) {
- /*
- * Don't consider inactive keys, however the KSK may be
- * temporary offline, so do consider keys which private
- * key files are unavailable.
- */
- both = dst_key_have_ksk_and_zsk(
- keys, nkeys, i, false, KSK(keys[i]),
- !KSK(keys[i]), NULL, NULL);
- }
 if (use_kasp) {
 /*
 * A dnssec-policy is found. Check what RRsets this
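Review bot: `both` in the new `else if (!REVOKE(keys[i]))` branch is still the function-scope variable, so if it is declared outside the per-key loop (its declaration is not in the hunk) a value computed for one key survives into the next iteration, which is exactly the stale-state pattern the old `else if (both)` chain suffered from for revoked keys. It is now only read inside this branch, so declare it there, `bool both = dst_key_have_ksk_and_zsk(`, as the zone.c twin of this hunk (@@ -6665) already does; that keeps the two add_sigs copies identical and makes it explicit that nothing later depends on the carried-over value. This assumes the use_kasp branch, which lies outside the hunk, does not read `both` either. add_sigs begins and ends outside the hunk.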
@@ -6665,26 +6655,34 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
 */
 continue;
 }
-
- /*
- * If this key is revoked, it may only sign the
- * DNSKEY RRset.
- */
- if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey) {
- continue;
- }
- } else if (both) {
+ } else if (!REVOKE(keys[i])) {
 /*
- * CDS and CDNSKEY are signed with KSK (RFC 7344, 4.1).
+ * Don't consider inactive keys, however the KSK may be
+ * temporary offline, so do consider keys which private
+ * key files are unavailable.
 */
- if (dns_rdatatype_iskeymaterial(type)) {
- if (!KSK(keys[i])) {
+ bool both = dst_key_have_ksk_and_zsk(
+ keys, nkeys, i, false, KSK(keys[i]),
+ !KSK(keys[i]), NULL, NULL);
+ if (both) {
+ /*
+ * CDS and CDNSKEY are signed with KSK (RFC
+ * 7344, 4.1).
+ */
+ if (dns_rdatatype_iskeymaterial(type)) {
+ if (!KSK(keys[i])) {
+ continue;
+ }
+ } else if (KSK(keys[i])) {
 continue;
 }
- } else if (KSK(keys[i])) {
- continue;
 }
- } else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey) {
+ }
+
+ /*
+ * If this key is revoked, it may only sign the DNSKEY RRset.
+ */
+ if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey) {
 continue;
 }
 
@@ -9279,17 +9277,6 @@ zone_sign(dns_zone_t *zone) {
 /*
 * We do KSK processing.
 */
- if (!REVOKE(zone_keys[i])) {
- /*
- * Don't consider inactive keys, however the key
- * may be temporary offline, so do consider KSKs
- * which private key files are unavailable.
- */
- both = dst_key_have_ksk_and_zsk(
- zone_keys, nkeys, i, false,
- KSK(zone_keys[i]), !KSK(zone_keys[i]),
- NULL, NULL);
- }
 if (use_kasp) {
 /*
 * A dnssec-policy is found. Check what
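Review bot: The comment introduced above the `bool both =` line reads "temporary offline ... keys which private key files", which should be `* temporarily offline, so do consider keys whose private`; the same wording is duplicated in the update.c hunk (@@ -1216) and in the comment that the zone_sign hunk (@@ -9279) removes, so whichever copy survives should be corrected too. Declaring `both` at this scope is the right choice, but if the function-scope `both` that the earlier hunk (@@ -6596) stopped assigning is still declared in add_sigs (its declaration is outside this hunk), the new local shadows it and the outer one becomes dead, so the outer declaration should go in the same change. add_sigs continues on both sides of the hunk.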