Add new view method dns_view_istrusted

author Mark Andrews <marka@isc.org>

Tue, 29 Nov 2022 05:17:13 +0000 (16:17 +1100)

committer Petr Špaček <pspacek@isc.org>

Mon, 3 Apr 2023 15:48:31 +0000 (17:48 +0200)
author Mark Andrews <marka@isc.org>
Tue, 29 Nov 2022 05:17:13 +0000 (16:17 +1100)
committer Petr Špaček <pspacek@isc.org>
Mon, 3 Apr 2023 15:48:31 +0000 (17:48 +0200)
diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h

index a06110b700f3fd53b7371b58dc1cd2377ed1396c..c844e1c69510b1dfc1d626e49fc858ee67856e54 100644 (file)
--- a/lib/dns/include/dns/view.h
+++ b/lib/dns/include/dns/view.h
@@ -1214,6 +1214,19 @@ dns_view_untrust(dns_view_t *view, const dns_name_t *keyname,
   * \li 'dnskey' is valid.
   */
  
+bool
+dns_view_istrusted(dns_view_t *view, const dns_name_t *keyname,
+                  const dns_rdata_dnskey_t *dnskey);
+/*%<
+ * Determine if the key defined by 'keyname' and 'dnskey' is
+ * trusted by 'view'.
+ *
+ * Requires:
+ * \li 'view' is valid.
+ * \li 'keyname' is valid.
+ * \li 'dnskey' is valid.
+ */
+
  isc_result_t
  dns_view_setnewzones(dns_view_t *view, bool allow, void *cfgctx,
                      void (*cfg_destroy)(void **), uint64_t mapsize);
diff --git a/lib/dns/view.c b/lib/dns/view.c

index 5bc787db52f87620a25495168251687436a53dcb..47822a43836ae0df38a8c411d14db1e89788ae8c 100644 (file)
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -2026,6 +2026,88 @@ dns_view_untrust(dns_view_t *view, const dns_name_t *keyname,
         dns_keytable_detach(&sr);
  }
  
+bool
+dns_view_istrusted(dns_view_t *view, const dns_name_t *keyname,
+                  const dns_rdata_dnskey_t *dnskey) {
+       isc_result_t result;
+       dns_keytable_t *sr = NULL;
+       dns_keynode_t *knode = NULL;
+       bool answer = false;
+       dns_rdataset_t dsset;
+
+       REQUIRE(DNS_VIEW_VALID(view));
+       REQUIRE(keyname != NULL);
+       REQUIRE(dnskey != NULL);
+
+       result = dns_view_getsecroots(view, &sr);
+       if (result != ISC_R_SUCCESS) {
+               return (false);
+       }
+
+       dns_rdataset_init(&dsset);
+       result = dns_keytable_find(sr, keyname, &knode);
+       if (result == ISC_R_SUCCESS) {
+               if (dns_keynode_dsset(knode, &dsset)) {
+                       dns_rdata_t rdata = DNS_RDATA_INIT;
+                       unsigned char data[4096], digest[DNS_DS_BUFFERSIZE];
+                       dns_rdata_dnskey_t tmpkey = *dnskey;
+                       dns_rdata_ds_t ds;
+                       isc_buffer_t b;
+                       dns_rdataclass_t rdclass = tmpkey.common.rdclass;
+
+                       /*
+                        * Clear the revoke bit, if set, so that the key
+                        * will match what's in secroots now.
+                        */
+                       tmpkey.flags &= ~DNS_KEYFLAG_REVOKE;
+
+                       isc_buffer_init(&b, data, sizeof(data));
+                       result = dns_rdata_fromstruct(&rdata, rdclass,
+                                                     dns_rdatatype_dnskey,
+                                                     &tmpkey, &b);
+                       if (result != ISC_R_SUCCESS) {
+                               goto finish;
+                       }
+
+                       result = dns_ds_fromkeyrdata(keyname, &rdata,
+                                                    DNS_DSDIGEST_SHA256,
+                                                    digest, &ds);
+                       if (result != ISC_R_SUCCESS) {
+                               goto finish;
+                       }
+
+                       dns_rdata_reset(&rdata);
+                       isc_buffer_init(&b, data, sizeof(data));
+                       result = dns_rdata_fromstruct(
+                               &rdata, rdclass, dns_rdatatype_ds, &ds, &b);
+                       if (result != ISC_R_SUCCESS) {
+                               goto finish;
+                       }
+
+                       result = dns_rdataset_first(&dsset);
+                       while (result == ISC_R_SUCCESS) {
+                               dns_rdata_t this = DNS_RDATA_INIT;
+                               dns_rdataset_current(&dsset, &this);
+                               if (dns_rdata_compare(&rdata, &this) == 0) {
+                                       answer = true;
+                                       break;
+                               }
+                               result = dns_rdataset_next(&dsset);
+                       }
+               }
+       }
+
+finish:
+       if (dns_rdataset_isassociated(&dsset)) {
+               dns_rdataset_disassociate(&dsset);
+       }
+       if (knode != NULL) {
+               dns_keytable_detachkeynode(sr, &knode);
+       }
+       dns_keytable_detach(&sr);
+       return (answer);
+}
+
  /*
   * Create path to a directory and a filename constructed from viewname.
   * This is a front-end to isc_file_sanitize(), allowing backward
author	Mark Andrews <marka@isc.org>
	Tue, 29 Nov 2022 05:17:13 +0000 (16:17 +1100)
committer	Petr Špaček <pspacek@isc.org>
	Mon, 3 Apr 2023 15:48:31 +0000 (17:48 +0200)
lib/dns/include/dns/view.h		patch \| blob \| blame \| history
lib/dns/view.c		patch \| blob \| blame \| history