From: Vladimír Čunát
Date: Wed, 26 Jan 2022 16:58:59 +0000 (+0100)
Subject: lib/dnssec: validate rrsig stamps by serial arithmetics
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=refs%2Fheads%2Frrsig-serial;p=thirdparty%2Fknot-resolver.git

lib/dnssec: validate rrsig stamps by serial arithmetics
---

diff --git a/lib/dnssec.c b/lib/dnssec.c
index f56ab759f..744816051 100644
--- a/lib/dnssec.c
+++ b/lib/dnssec.c
@@ -44,6 +44,12 @@ void kr_crypto_reinit(void)
 #define FLG_WILDCARD_EXPANSION 0x01 /**< Possibly generated by using wildcard expansion. */
 
+/** Return t1 <= t2 in 32-bit serial arithmetic (RFC 1982) */
+static inline bool serial_ordered(uint32_t t1, uint32_t t2)
+{
+ return (int32_t)(t2 - t1) >= 0;
+}
+
 /**
  * Check the RRSIG RR validity according to RFC4035 5.3.1 .
  * @param flags The flags are going to be set according to validation result.
@@ -63,13 +69,13 @@ static int validate_rrsig_rr(int *flags, int cov_labels,
 if (kr_fails_assert(flags && rrsigs && vctx && vctx->zone_name)) {
 return kr_error(EINVAL);
 }
- /* bullet 5 */
- if (knot_rrsig_sig_expiration(rrsigs) < vctx->timestamp) {
+ /* bullet 5; also https://www.rfc-editor.org/rfc/rfc4034.html#section-3.1.5 */
+ if (!serial_ordered(vctx->timestamp, knot_rrsig_sig_expiration(rrsigs))) {
 vctx->rrs_counters.expired++;
 return kr_error(EINVAL);
 }
 /* bullet 6 */
- if (knot_rrsig_sig_inception(rrsigs) > vctx->timestamp) {
+ if (!serial_ordered(knot_rrsig_sig_inception(rrsigs), vctx->timestamp)) {
 vctx->rrs_counters.notyet++;
 return kr_error(EINVAL);
 }
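Review bot: `serial_ordered` depends on converting an out-of-range `uint32_t` difference to `int32_t`, which C11 leaves implementation-defined (two's-complement wrap is only mandated from C23); the equivalent unsigned form avoids that and mirrors the RFC 1982 definition directly: `return (t2 - t1) < (UINT32_C(1) << 31);`. The doc comment should also spell out the boundary case, since it decides validation outcome: when the two stamps differ by exactly 2^31, RFC 1982 leaves the order undefined and this function returns false for either argument order, so the callers in validate_rrsig_rr reject such an RRSIG rather than accept it. Suggested wording: `/** Return t1 <= t2 in 32-bit serial arithmetic (RFC 1982); a difference of exactly 2^31 is unordered and yields false either way, i.e. the RRSIG is rejected. */`.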
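Review bot: Both new calls pass `vctx->timestamp` to a `uint32_t` parameter, so if that field is wider than 32 bits (a `time_t`, for instance) the old comparisons ran at the field's width while the new ones truncate the timestamp silently — confirm the field is declared `uint32_t`, or cast explicitly at the call site so the intent is visible. The switch to serial arithmetic also changes what is accepted: an RRSIG whose expiration is more than 2^31 seconds behind `vctx->timestamp` was rejected by the plain `<`, and is now treated as far-future and accepted, which is what RFC 4034 §3.1.5 requires but is worth stating where the next reader will look, e.g. `/* bullet 5; RFC 4034 §3.1.5 mandates serial arithmetic, so stamps are only meaningful within 2^31 s of now */`. validate_rrsig_rr begins before this hunk and its body continues past the last `}` shown.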