From a5c3e3b9f75b7b981a320f0b574bad2d2ce45873 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Tue, 6 Aug 2024 14:41:50 +1000
Subject: [PATCH] Add the concept of allowed key tag ranges to kasp

(cherry picked from commit 25bf77fac64935451cf5b4189ef19d9d8c4cce30)
---
 lib/dns/include/dns/kasp.h | 22 ++++++++++++++++++++++
 lib/dns/kasp.c | 14 +++++++++++++-
 lib/dns/keymgr.c | 16 +++++++++++++---
 3 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/lib/dns/include/dns/kasp.h b/lib/dns/include/dns/kasp.h
index 26af469546..674e733551 100644
--- a/lib/dns/include/dns/kasp.h
+++ b/lib/dns/include/dns/kasp.h
@@ -58,6 +58,8 @@ struct dns_kasp_key {
 uint8_t algorithm;
 int length;
 uint8_t role;
+ uint16_t tag_min;
+ uint16_t tag_max;
 };
 
 struct dns_kasp_nsec3param {
@@ -721,6 +723,26 @@ dns_kasp_key_zsk(dns_kasp_key_t *key);
 *
 */
 
+uint16_t
+dns_kasp_key_tagmin(dns_kasp_key_t *key);
+/*%<
+ * Returns the minimum permitted key tag value.
+ *
+ * Requires:
+ *
+ *\li key != NULL
+ */
+
+uint16_t
+dns_kasp_key_tagmax(dns_kasp_key_t *key);
+/*%<
+ * Returns the maximum permitted key tag value.
+ *
+ * Requires:
+ *
+ *\li key != NULL
+ */
+
 bool
 dns_kasp_key_match(dns_kasp_key_t *key, dns_dnsseckey_t *dkey);
 /*%<
diff --git a/lib/dns/kasp.c b/lib/dns/kasp.c
index d300e32f7c..38ca4158be 100644
--- a/lib/dns/kasp.c
+++ b/lib/dns/kasp.c
@@ -402,7 +402,7 @@ dns_kasp_addkey(dns_kasp_t *kasp, dns_kasp_key_t *key) {
 isc_result_t
 dns_kasp_key_create(dns_kasp_t *kasp, dns_kasp_key_t **keyp) {
 dns_kasp_key_t *key = NULL;
- dns_kasp_key_t k = { .length = -1 };
+ dns_kasp_key_t k = { .tag_max = 0xffff, .length = -1 };
 
 REQUIRE(DNS_KASP_VALID(kasp));
 REQUIRE(keyp != NULL && *keyp == NULL);
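Review bot: The new tag_min and tag_max members of struct dns_kasp_key carry no comment, and neither this hunk nor the accessor comments in the following kasp.h hunk say whether the bounds are inclusive or what the defaults are. The kasp.c hunk in this patch initialises tag_max to 0xffff while tag_min stays zero-initialised, and the keymgr.c check treats both ends as inclusive. A one-line comment on the fields, e.g. `/* Inclusive range of permitted key tags; defaults 0..0xffff. */`, would save readers the cross-file lookup.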
@@ -508,6 +508,18 @@ dns_kasp_key_zsk(dns_kasp_key_t *key) {
 return (key->role & DNS_KASP_KEY_ROLE_ZSK);
 }
 
+uint16_t
+dns_kasp_key_tagmin(dns_kasp_key_t *key) {
+ REQUIRE(key != NULL);
+ return (key->tag_min);
+}
+
+uint16_t
+dns_kasp_key_tagmax(dns_kasp_key_t *key) {
+ REQUIRE(key != NULL);
+ return (key->tag_min);
+}
+
 bool
 dns_kasp_key_match(dns_kasp_key_t *key, dns_dnsseckey_t *dkey) {
 isc_result_t ret;
diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index 83a217530b..b4d44dc314 100644
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -427,11 +427,19 @@ keymgr_key_update_lifetime(dns_dnsseckey_t *key, dns_kasp_t *kasp,
 }
 
 static bool
-keymgr_keyid_conflict(dst_key_t *newkey, dns_dnsseckeylist_t *keys) {
+keymgr_keyid_conflict(dst_key_t *newkey, uint16_t min, uint16_t max,
+ dns_dnsseckeylist_t *keys) {
 uint16_t id = dst_key_id(newkey);
 uint32_t rid = dst_key_rid(newkey);
 uint32_t alg = dst_key_alg(newkey);
 
+ if (id < min || id > max) {
+ return (true);
+ }
+ if (rid < min || rid > max) {
+ return (true);
+ }
+
 for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*keys); dkey != NULL;
 dkey = ISC_LIST_NEXT(dkey, link)) {
@@ -485,9 +493,11 @@ keymgr_createkey(dns_kasp_key_t *kkey, const dns_name_t *origin,
 }
 
 /* Key collision? */
- conflict = keymgr_keyid_conflict(newkey, keylist);
+ conflict = keymgr_keyid_conflict(newkey, kkey->tag_min,
+ kkey->tag_max, keylist);
 if (!conflict) {
- conflict = keymgr_keyid_conflict(newkey, newkeys);
+ conflict = keymgr_keyid_conflict(
+ newkey, kkey->tag_min, kkey->tag_max, newkeys);
 }
 if (conflict) {
 /* Try again. */
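Review bot: dns_kasp_key_tagmax returns the wrong field: its body is `return (key->tag_min);`, a copy of dns_kasp_key_tagmin directly above it, while the kasp.h hunk in this patch documents it as returning the maximum permitted key tag value. It should read `return (key->tag_max);`. The keymgr.c hunks read kkey->tag_min and kkey->tag_max directly rather than through the accessors, so they are unaffected, but any caller of the accessor would silently get the lower bound back as the upper bound and treat every tag above tag_min as out of range.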
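Review bot: The new range checks in keymgr_keyid_conflict report an out-of-range tag as a conflict without first establishing that min <= max, so a policy whose tag_min exceeds tag_max makes every generated key a conflict and the `/* Try again. */` path in the keymgr_createkey hunk keeps regenerating keys; that retry loop continues outside the hunk, so whether it is bounded cannot be seen here. If the range is validated when the policy is parsed, a `REQUIRE(min <= max);` at the top of the function would document that contract; if it is not, the caller should fail with an error instead of retrying. Even with a valid but narrow window, rejection is now the expected outcome for most freshly generated keys, so a comment above the checks such as `/* A tag outside the policy's inclusive [min, max] window is reported as a conflict so the caller regenerates the key. */` would make the retry-driven design explicit. The enclosing function body continues past the hunk.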