From: Diego Fronza Date: Thu, 18 Jun 2020 19:49:40 +0000 (-0300) Subject: Minor refactoring on function match_nsec3 X-Git-Tag: v9.17.18~20^2~5 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=98d1e40143bf5c9dde5497ed9bfb465be511dcc8;p=thirdparty%2Fbind9.git Minor refactoring on function match_nsec3 The logic for matching a set of nsec3 objects against an nsec3param object was moved to a specific function. For more details check thread: https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/291#note_12176 --- diff --git a/lib/dns/zoneverify.c b/lib/dns/zoneverify.c index c54be29074f..5b1e185090e 100644 --- a/lib/dns/zoneverify.c +++ b/lib/dns/zoneverify.c @@ -424,17 +424,15 @@ record_nsec3(const vctx_t *vctx, const unsigned char *rawhash, return (result); } +/* + * Check whether any NSEC3 within 'rdataset' matches the parameters in + * 'nsec3param'. + */ static isc_result_t -match_nsec3(const vctx_t *vctx, const dns_name_t *name, - const dns_rdata_nsec3param_t *nsec3param, dns_rdataset_t *rdataset, - const unsigned char types[8192], unsigned int maxtype, - const unsigned char *rawhash, size_t rhsize, - isc_result_t *vresult) { - unsigned char cbm[8244]; - char namebuf[DNS_NAME_FORMATSIZE]; - dns_rdata_nsec3_t nsec3; +find_nsec3_match(const dns_rdata_nsec3param_t *nsec3param, + dns_rdataset_t *rdataset, size_t rhsize, + dns_rdata_nsec3_t *nsec3_match) { isc_result_t result; - unsigned int len; /* * Find matching NSEC3 record. @@ -444,18 +442,35 @@ match_nsec3(const vctx_t *vctx, const dns_name_t *name, { dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdataset_current(rdataset, &rdata); - result = dns_rdata_tostruct(&rdata, &nsec3, NULL); + result = dns_rdata_tostruct(&rdata, nsec3_match, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); - if (nsec3.hash == nsec3param->hash && - nsec3.next_length == rhsize && - nsec3.iterations == nsec3param->iterations && - nsec3.salt_length == nsec3param->salt_length && - memcmp(nsec3.salt, nsec3param->salt, + if (nsec3_match->hash == nsec3param->hash && + nsec3_match->next_length == rhsize && + nsec3_match->iterations == nsec3param->iterations && + nsec3_match->salt_length == nsec3param->salt_length && + memcmp(nsec3_match->salt, nsec3param->salt, nsec3param->salt_length) == 0) { - break; + return (ISC_R_SUCCESS); } } + + return (result); +} + +static isc_result_t +match_nsec3(const vctx_t *vctx, const dns_name_t *name, + const dns_rdata_nsec3param_t *nsec3param, dns_rdataset_t *rdataset, + const unsigned char types[8192], unsigned int maxtype, + const unsigned char *rawhash, size_t rhsize, + isc_result_t *vresult) { + unsigned char cbm[8244]; + char namebuf[DNS_NAME_FORMATSIZE]; + dns_rdata_nsec3_t nsec3; + isc_result_t result; + unsigned int len; + + result = find_nsec3_match(nsec3param, rdataset, rhsize, &nsec3); if (result != ISC_R_SUCCESS) { dns_name_format(name, namebuf, sizeof(namebuf)); zoneverify_log_error(vctx, "Missing NSEC3 record for %s",