Add the concept of allowed key tag ranges to kasp
(cherry picked from commit 25bf77fac6)
This commit is contained in:
parent
57c7c5452a
commit
a5c3e3b9f7
3 changed files with 48 additions and 4 deletions
|
|
@ -58,6 +58,8 @@ struct dns_kasp_key {
|
|||
uint8_t algorithm;
|
||||
int length;
|
||||
uint8_t role;
|
||||
uint16_t tag_min;
|
||||
uint16_t tag_max;
|
||||
};
|
||||
|
||||
struct dns_kasp_nsec3param {
|
||||
|
|
@ -721,6 +723,26 @@ dns_kasp_key_zsk(dns_kasp_key_t *key);
|
|||
*
|
||||
*/
|
||||
|
||||
uint16_t
|
||||
dns_kasp_key_tagmin(dns_kasp_key_t *key);
|
||||
/*%<
|
||||
* Returns the minimum permitted key tag value.
|
||||
*
|
||||
* Requires:
|
||||
*
|
||||
*\li key != NULL
|
||||
*/
|
||||
|
||||
uint16_t
|
||||
dns_kasp_key_tagmax(dns_kasp_key_t *key);
|
||||
/*%<
|
||||
* Returns the maximum permitted key tag value.
|
||||
*
|
||||
* Requires:
|
||||
*
|
||||
*\li key != NULL
|
||||
*/
|
||||
|
||||
bool
|
||||
dns_kasp_key_match(dns_kasp_key_t *key, dns_dnsseckey_t *dkey);
|
||||
/*%<
|
||||
|
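Review bot: The new `tag_min`/`tag_max` fields in `struct dns_kasp_key` carry no comment saying whether the bounds are inclusive or what the defaults are, and the accessor docs in the second hunk only say "minimum/maximum permitted key tag value". Elsewhere in this commit the range is treated as inclusive (`id < min || id > max` rejects) and `dns_kasp_key_create()` leaves `tag_min` at 0 and sets `tag_max` to 0xffff, so I'd annotate the fields: `uint16_t tag_min; /* inclusive lower bound of allowed key tags, default 0 */` and `uint16_t tag_max; /* inclusive upper bound of allowed key tags, default 0xffff */`. The struct body and the surrounding declarations continue outside these hunks.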
|
|
|||
|
|
@ -402,7 +402,7 @@ dns_kasp_addkey(dns_kasp_t *kasp, dns_kasp_key_t *key) {
|
|||
isc_result_t
|
||||
dns_kasp_key_create(dns_kasp_t *kasp, dns_kasp_key_t **keyp) {
|
||||
dns_kasp_key_t *key = NULL;
|
||||
dns_kasp_key_t k = { .length = -1 };
|
||||
dns_kasp_key_t k = { .tag_max = 0xffff, .length = -1 };
|
||||
|
||||
REQUIRE(DNS_KASP_VALID(kasp));
|
||||
REQUIRE(keyp != NULL && *keyp == NULL);
|
||||
|
|
@ -508,6 +508,18 @@ dns_kasp_key_zsk(dns_kasp_key_t *key) {
|
|||
return (key->role & DNS_KASP_KEY_ROLE_ZSK);
|
||||
}
|
||||
|
||||
uint16_t
|
||||
dns_kasp_key_tagmin(dns_kasp_key_t *key) {
|
||||
REQUIRE(key != NULL);
|
||||
return (key->tag_min);
|
||||
}
|
||||
|
||||
uint16_t
|
||||
dns_kasp_key_tagmax(dns_kasp_key_t *key) {
|
||||
REQUIRE(key != NULL);
|
||||
return (key->tag_min);
|
||||
}
|
||||
|
||||
bool
|
||||
dns_kasp_key_match(dns_kasp_key_t *key, dns_dnsseckey_t *dkey) {
|
||||
isc_result_t ret;
|
||||
|
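Review bot: `dns_kasp_key_tagmax()` returns `key->tag_min` instead of `key->tag_max`, so the accessor can never report the configured upper bound; it should be `return (key->tag_max);`. The keymgr change in this commit reads `kkey->tag_max` directly, so the key-creation path is not affected, but any caller that goes through the accessor would see the range collapsed to a single value. A unit test that creates a key with the default `tag_max = 0xffff` and checks the accessor returns it would have caught this.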
|
|
|||
|
|
@ -427,11 +427,19 @@ keymgr_key_update_lifetime(dns_dnsseckey_t *key, dns_kasp_t *kasp,
|
|||
}
|
||||
|
||||
static bool
|
||||
keymgr_keyid_conflict(dst_key_t *newkey, dns_dnsseckeylist_t *keys) {
|
||||
keymgr_keyid_conflict(dst_key_t *newkey, uint16_t min, uint16_t max,
|
||||
dns_dnsseckeylist_t *keys) {
|
||||
uint16_t id = dst_key_id(newkey);
|
||||
uint32_t rid = dst_key_rid(newkey);
|
||||
uint32_t alg = dst_key_alg(newkey);
|
||||
|
||||
if (id < min || id > max) {
|
||||
return (true);
|
||||
}
|
||||
if (rid < min || rid > max) {
|
||||
return (true);
|
||||
}
|
||||
|
||||
for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*keys); dkey != NULL;
|
||||
dkey = ISC_LIST_NEXT(dkey, link))
|
||||
{
|
||||
|
|
@ -485,9 +493,11 @@ keymgr_createkey(dns_kasp_key_t *kkey, const dns_name_t *origin,
|
|||
}
|
||||
|
||||
/* Key collision? */
|
||||
conflict = keymgr_keyid_conflict(newkey, keylist);
|
||||
conflict = keymgr_keyid_conflict(newkey, kkey->tag_min,
|
||||
kkey->tag_max, keylist);
|
||||
if (!conflict) {
|
||||
conflict = keymgr_keyid_conflict(newkey, newkeys);
|
||||
conflict = keymgr_keyid_conflict(
|
||||
newkey, kkey->tag_min, kkey->tag_max, newkeys);
|
||||
}
|
||||
if (conflict) {
|
||||
/* Try again. */
|
||||
|
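Review bot: `keymgr_keyid_conflict()` now reports a conflict when the id or revoked id falls outside `[min, max]`, which feeds the `/* Try again. */` retry in `keymgr_createkey()`, but nothing in these hunks bounds the retry or guarantees `min <= max`. If the configuration parser does not reject `tag_min > tag_max` (not visible here), every generated key is discarded and key creation never completes; a legal but very narrow range can likewise make generation spin for many iterations before a tag lands in it. I'd document the contract on the function, `/* min/max are inclusive bounds on the key tag; a key whose tag or revoked tag falls outside them is treated as a conflict */`, and either `REQUIRE(min <= max);` at the top or rely on an explicit check at parse time. The retry loop in keymgr_createkey starts outside the hunk.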
|
|
|||