2018-12-17 16:36:44 +00:00
|
|
|
From ab194ed7ca433e4e2e8b2ec338bfa4e6aa886a4b Mon Sep 17 00:00:00 2001
|
|
|
|
From: Simon Kelley <simon@thekelleys.org.uk>
|
|
|
|
Date: Tue, 1 Jan 2019 01:35:30 +0000
|
2019-08-03 19:55:52 +00:00
|
|
|
Subject: [PATCH 20/32] Futher address union tidying.
|
2018-12-17 16:36:44 +00:00
|
|
|
|
|
|
|
Pass DNSKEY and DS data into cache_insert via the address argument,
|
|
|
|
now these data types are included in struct all_addr.
|
|
|
|
|
|
|
|
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
|
|
|
|
---
|
|
|
|
src/cache.c | 116 ++++++++++++++++----------------------------------
|
|
|
|
src/dnsmasq.h | 26 +++++------
|
|
|
|
src/dnssec.c | 53 +++++++++++------------
|
|
|
|
3 files changed, 73 insertions(+), 122 deletions(-)
|
|
|
|
|
|
|
|
--- a/src/cache.c
|
|
|
|
+++ b/src/cache.c
|
|
|
|
@@ -202,9 +202,9 @@ static void cache_hash(struct crec *crec
|
|
|
|
static void cache_blockdata_free(struct crec *crecp)
|
|
|
|
{
|
|
|
|
if (crecp->flags & F_DNSKEY)
|
|
|
|
- blockdata_free(crecp->addr.key.keydata);
|
|
|
|
+ blockdata_free(crecp->addr.addr.addr.key.keydata);
|
|
|
|
else if ((crecp->flags & F_DS) && !(crecp->flags & F_NEG))
|
|
|
|
- blockdata_free(crecp->addr.ds.keydata);
|
|
|
|
+ blockdata_free(crecp->addr.addr.addr.ds.keydata);
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
|
|
|
@@ -659,33 +659,22 @@ void cache_end_insert(void)
|
|
|
|
read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->ttd, sizeof(new_chain->ttd), 0);
|
|
|
|
read_write(daemon->pipe_to_parent, (unsigned char *)&flags, sizeof(flags), 0);
|
|
|
|
|
|
|
|
- if (flags & (F_IPV4 | F_IPV6))
|
|
|
|
+ if (flags & (F_IPV4 | F_IPV6 | F_DNSKEY | F_DS))
|
|
|
|
read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->addr, sizeof(new_chain->addr), 0);
|
|
|
|
#ifdef HAVE_DNSSEC
|
|
|
|
- else if (flags & F_DNSKEY)
|
|
|
|
+ if (flags & F_DNSKEY)
|
|
|
|
{
|
|
|
|
read_write(daemon->pipe_to_parent, (unsigned char *)&class, sizeof(class), 0);
|
|
|
|
- read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->addr.key.algo, sizeof(new_chain->addr.key.algo), 0);
|
|
|
|
- read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->addr.key.keytag, sizeof(new_chain->addr.key.keytag), 0);
|
|
|
|
- read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->addr.key.flags, sizeof(new_chain->addr.key.flags), 0);
|
|
|
|
- read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->addr.key.keylen, sizeof(new_chain->addr.key.keylen), 0);
|
|
|
|
- blockdata_write(new_chain->addr.key.keydata, new_chain->addr.key.keylen, daemon->pipe_to_parent);
|
|
|
|
+ blockdata_write(new_chain->addr.addr.addr.key.keydata, new_chain->addr.addr.addr.key.keylen, daemon->pipe_to_parent);
|
|
|
|
}
|
|
|
|
else if (flags & F_DS)
|
|
|
|
{
|
|
|
|
read_write(daemon->pipe_to_parent, (unsigned char *)&class, sizeof(class), 0);
|
|
|
|
/* A negative DS entry is possible and has no data, obviously. */
|
|
|
|
if (!(flags & F_NEG))
|
|
|
|
- {
|
|
|
|
- read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->addr.ds.algo, sizeof(new_chain->addr.ds.algo), 0);
|
|
|
|
- read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->addr.ds.keytag, sizeof(new_chain->addr.ds.keytag), 0);
|
|
|
|
- read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->addr.ds.digest, sizeof(new_chain->addr.ds.digest), 0);
|
|
|
|
- read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->addr.ds.keylen, sizeof(new_chain->addr.ds.keylen), 0);
|
|
|
|
- blockdata_write(new_chain->addr.ds.keydata, new_chain->addr.ds.keylen, daemon->pipe_to_parent);
|
|
|
|
- }
|
|
|
|
+ blockdata_write(new_chain->addr.addr.addr.ds.keydata, new_chain->addr.addr.addr.ds.keylen, daemon->pipe_to_parent);
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
-
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
@@ -736,11 +725,30 @@ int cache_recv_insert(time_t now, int fd
|
|
|
|
|
|
|
|
ttl = difftime(ttd, now);
|
|
|
|
|
|
|
|
- if (flags & (F_IPV4 | F_IPV6))
|
|
|
|
+ if (flags & (F_IPV4 | F_IPV6 | F_DNSKEY | F_DS))
|
|
|
|
{
|
|
|
|
+ unsigned short class = C_IN;
|
|
|
|
+
|
|
|
|
if (!read_write(fd, (unsigned char *)&addr, sizeof(addr), 1))
|
|
|
|
return 0;
|
|
|
|
- crecp = really_insert(daemon->namebuff, &addr, C_IN, now, ttl, flags);
|
|
|
|
+
|
|
|
|
+#ifdef HAVE_DNSSEC
|
|
|
|
+ if (flags & F_DNSKEY)
|
|
|
|
+ {
|
|
|
|
+ if (!read_write(fd, (unsigned char *)&class, sizeof(class), 1) ||
|
|
|
|
+ !(addr.addr.key.keydata = blockdata_read(fd, addr.addr.key.keylen)))
|
|
|
|
+ return 0;
|
|
|
|
+ }
|
|
|
|
+ else if (flags & F_DS)
|
|
|
|
+ {
|
|
|
|
+ if (!read_write(fd, (unsigned char *)&class, sizeof(class), 1) ||
|
|
|
|
+ (flags & F_NEG) ||
|
|
|
|
+ !(addr.addr.key.keydata = blockdata_read(fd, addr.addr.key.keylen)))
|
|
|
|
+ return 0;
|
|
|
|
+ }
|
|
|
|
+#endif
|
|
|
|
+
|
|
|
|
+ crecp = really_insert(daemon->namebuff, &addr, class, now, ttl, flags);
|
|
|
|
}
|
|
|
|
else if (flags & F_CNAME)
|
|
|
|
{
|
|
|
|
@@ -764,58 +772,6 @@ int cache_recv_insert(time_t now, int fd
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
-#ifdef HAVE_DNSSEC
|
|
|
|
- else if (flags & (F_DNSKEY | F_DS))
|
|
|
|
- {
|
|
|
|
- unsigned short class, keylen, keyflags, keytag;
|
|
|
|
- unsigned char algo, digest;
|
|
|
|
- struct blockdata *keydata;
|
|
|
|
-
|
|
|
|
- if (!read_write(fd, (unsigned char *)&class, sizeof(class), 1))
|
|
|
|
- return 0;
|
|
|
|
-
|
|
|
|
- crecp = really_insert(daemon->namebuff, NULL, class, now, ttl, flags);
|
|
|
|
-
|
|
|
|
- if (flags & F_DNSKEY)
|
|
|
|
- {
|
|
|
|
- if (!read_write(fd, (unsigned char *)&algo, sizeof(algo), 1) ||
|
|
|
|
- !read_write(fd, (unsigned char *)&keytag, sizeof(keytag), 1) ||
|
|
|
|
- !read_write(fd, (unsigned char *)&keyflags, sizeof(keyflags), 1) ||
|
|
|
|
- !read_write(fd, (unsigned char *)&keylen, sizeof(keylen), 1) ||
|
|
|
|
- !(keydata = blockdata_read(fd, keylen)))
|
|
|
|
- return 0;
|
|
|
|
- }
|
|
|
|
- else if (!(flags & F_NEG))
|
|
|
|
- {
|
|
|
|
- if (!read_write(fd, (unsigned char *)&algo, sizeof(algo), 1) ||
|
|
|
|
- !read_write(fd, (unsigned char *)&keytag, sizeof(keytag), 1) ||
|
|
|
|
- !read_write(fd, (unsigned char *)&digest, sizeof(digest), 1) ||
|
|
|
|
- !read_write(fd, (unsigned char *)&keylen, sizeof(keylen), 1) ||
|
|
|
|
- !(keydata = blockdata_read(fd, keylen)))
|
|
|
|
- return 0;
|
|
|
|
- }
|
|
|
|
-
|
|
|
|
- if (crecp)
|
|
|
|
- {
|
|
|
|
- if (flags & F_DNSKEY)
|
|
|
|
- {
|
|
|
|
- crecp->addr.key.algo = algo;
|
|
|
|
- crecp->addr.key.keytag = keytag;
|
|
|
|
- crecp->addr.key.flags = flags;
|
|
|
|
- crecp->addr.key.keylen = keylen;
|
|
|
|
- crecp->addr.key.keydata = keydata;
|
|
|
|
- }
|
|
|
|
- else if (!(flags & F_NEG))
|
|
|
|
- {
|
|
|
|
- crecp->addr.ds.algo = algo;
|
|
|
|
- crecp->addr.ds.keytag = keytag;
|
|
|
|
- crecp->addr.ds.digest = digest;
|
|
|
|
- crecp->addr.ds.keylen = keylen;
|
|
|
|
- crecp->addr.ds.keydata = keydata;
|
|
|
|
- }
|
|
|
|
- }
|
|
|
|
- }
|
|
|
|
-#endif
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
@@ -1290,15 +1246,15 @@ void cache_reload(void)
|
|
|
|
#ifdef HAVE_DNSSEC
|
|
|
|
for (ds = daemon->ds; ds; ds = ds->next)
|
|
|
|
if ((cache = whine_malloc(SIZEOF_POINTER_CREC)) &&
|
|
|
|
- (cache->addr.ds.keydata = blockdata_alloc(ds->digest, ds->digestlen)))
|
|
|
|
+ (cache->addr.addr.addr.ds.keydata = blockdata_alloc(ds->digest, ds->digestlen)))
|
|
|
|
{
|
|
|
|
cache->flags = F_FORWARD | F_IMMORTAL | F_DS | F_CONFIG | F_NAMEP;
|
|
|
|
cache->ttd = daemon->local_ttl;
|
|
|
|
cache->name.namep = ds->name;
|
|
|
|
- cache->addr.ds.keylen = ds->digestlen;
|
|
|
|
- cache->addr.ds.algo = ds->algo;
|
|
|
|
- cache->addr.ds.keytag = ds->keytag;
|
|
|
|
- cache->addr.ds.digest = ds->digest_type;
|
|
|
|
+ cache->addr.addr.addr.ds.keylen = ds->digestlen;
|
|
|
|
+ cache->addr.addr.addr.ds.algo = ds->algo;
|
|
|
|
+ cache->addr.addr.addr.ds.keytag = ds->keytag;
|
|
|
|
+ cache->addr.addr.addr.ds.digest = ds->digest_type;
|
|
|
|
cache->uid = ds->class;
|
|
|
|
cache_hash(cache);
|
|
|
|
make_non_terminals(cache);
|
|
|
|
@@ -1775,12 +1731,12 @@ void dump_cache(time_t now)
|
|
|
|
else if (cache->flags & F_DS)
|
|
|
|
{
|
|
|
|
if (!(cache->flags & F_NEG))
|
|
|
|
- sprintf(a, "%5u %3u %3u", cache->addr.ds.keytag,
|
|
|
|
- cache->addr.ds.algo, cache->addr.ds.digest);
|
|
|
|
+ sprintf(a, "%5u %3u %3u", cache->addr.addr.addr.ds.keytag,
|
|
|
|
+ cache->addr.addr.addr.ds.algo, cache->addr.addr.addr.ds.digest);
|
|
|
|
}
|
|
|
|
else if (cache->flags & F_DNSKEY)
|
|
|
|
- sprintf(a, "%5u %3u %3u", cache->addr.key.keytag,
|
|
|
|
- cache->addr.key.algo, cache->addr.key.flags);
|
|
|
|
+ sprintf(a, "%5u %3u %3u", cache->addr.addr.addr.key.keytag,
|
|
|
|
+ cache->addr.addr.addr.key.algo, cache->addr.addr.addr.key.flags);
|
|
|
|
#endif
|
|
|
|
else if (!(cache->flags & F_NEG) || !(cache->flags & F_FORWARD))
|
|
|
|
{
|
|
|
|
--- a/src/dnsmasq.h
|
|
|
|
+++ b/src/dnsmasq.h
|
|
|
|
@@ -277,14 +277,21 @@ struct all_addr {
|
|
|
|
union {
|
|
|
|
struct in_addr addr4;
|
|
|
|
struct in6_addr addr6;
|
|
|
|
+ struct {
|
|
|
|
+ struct blockdata *keydata;
|
|
|
|
+ unsigned short keylen, flags, keytag;
|
|
|
|
+ unsigned char algo;
|
|
|
|
+ } key;
|
|
|
|
+ struct {
|
|
|
|
+ struct blockdata *keydata;
|
|
|
|
+ unsigned short keylen, keytag;
|
|
|
|
+ unsigned char algo;
|
|
|
|
+ unsigned char digest;
|
|
|
|
+ } ds;
|
|
|
|
/* for log_query */
|
|
|
|
struct {
|
|
|
|
unsigned short keytag, algo, digest, rcode;
|
|
|
|
} log;
|
|
|
|
- /* for cache_insert of DNSKEY, DS */
|
|
|
|
- struct {
|
|
|
|
- unsigned short class, type;
|
|
|
|
- } dnssec;
|
|
|
|
} addr;
|
|
|
|
};
|
|
|
|
|
|
|
|
@@ -414,17 +421,6 @@ struct crec {
|
|
|
|
} target;
|
|
|
|
unsigned int uid; /* 0 if union is interface-name */
|
|
|
|
} cname;
|
|
|
|
- struct {
|
|
|
|
- struct blockdata *keydata;
|
|
|
|
- unsigned short keylen, flags, keytag;
|
|
|
|
- unsigned char algo;
|
|
|
|
- } key;
|
|
|
|
- struct {
|
|
|
|
- struct blockdata *keydata;
|
|
|
|
- unsigned short keylen, keytag;
|
|
|
|
- unsigned char algo;
|
|
|
|
- unsigned char digest;
|
|
|
|
- } ds;
|
|
|
|
} addr;
|
|
|
|
time_t ttd; /* time to die */
|
|
|
|
/* used as class if DNSKEY/DS, index to source for F_HOSTS */
|
|
|
|
--- a/src/dnssec.c
|
|
|
|
+++ b/src/dnssec.c
|
|
|
|
@@ -628,10 +628,10 @@ static int validate_rrset(time_t now, st
|
|
|
|
{
|
|
|
|
/* iterate through all possible keys 4035 5.3.1 */
|
|
|
|
for (; crecp; crecp = cache_find_by_name(crecp, keyname, now, F_DNSKEY))
|
|
|
|
- if (crecp->addr.key.algo == algo &&
|
|
|
|
- crecp->addr.key.keytag == key_tag &&
|
|
|
|
+ if (crecp->addr.addr.addr.key.algo == algo &&
|
|
|
|
+ crecp->addr.addr.addr.key.keytag == key_tag &&
|
|
|
|
crecp->uid == (unsigned int)class &&
|
|
|
|
- verify(crecp->addr.key.keydata, crecp->addr.key.keylen, sig, sig_len, digest, hash->digest_size, algo))
|
|
|
|
+ verify(crecp->addr.addr.addr.key.keydata, crecp->addr.addr.addr.key.keylen, sig, sig_len, digest, hash->digest_size, algo))
|
|
|
|
return (labels < name_labels) ? STAT_SECURE_WILDCARD : STAT_SECURE;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
@@ -728,10 +728,10 @@ int dnssec_validate_by_ds(time_t now, st
|
|
|
|
const struct nettle_hash *hash;
|
|
|
|
int sigcnt, rrcnt;
|
|
|
|
|
|
|
|
- if (recp1->addr.ds.algo == algo &&
|
|
|
|
- recp1->addr.ds.keytag == keytag &&
|
|
|
|
+ if (recp1->addr.addr.addr.ds.algo == algo &&
|
|
|
|
+ recp1->addr.addr.addr.ds.keytag == keytag &&
|
|
|
|
recp1->uid == (unsigned int)class &&
|
|
|
|
- (hash = hash_find(ds_digest_name(recp1->addr.ds.digest))) &&
|
|
|
|
+ (hash = hash_find(ds_digest_name(recp1->addr.addr.addr.ds.digest))) &&
|
|
|
|
hash_init(hash, &ctx, &digest))
|
|
|
|
|
|
|
|
{
|
|
|
|
@@ -746,9 +746,9 @@ int dnssec_validate_by_ds(time_t now, st
|
|
|
|
from_wire(name);
|
|
|
|
|
|
|
|
if (!(recp1->flags & F_NEG) &&
|
|
|
|
- recp1->addr.ds.keylen == (int)hash->digest_size &&
|
|
|
|
- (ds_digest = blockdata_retrieve(recp1->addr.key.keydata, recp1->addr.ds.keylen, NULL)) &&
|
|
|
|
- memcmp(ds_digest, digest, recp1->addr.ds.keylen) == 0 &&
|
|
|
|
+ recp1->addr.addr.addr.ds.keylen == (int)hash->digest_size &&
|
|
|
|
+ (ds_digest = blockdata_retrieve(recp1->addr.addr.addr.ds.keydata, recp1->addr.addr.addr.ds.keylen, NULL)) &&
|
|
|
|
+ memcmp(ds_digest, digest, recp1->addr.addr.addr.ds.keylen) == 0 &&
|
|
|
|
explore_rrset(header, plen, class, T_DNSKEY, name, keyname, &sigcnt, &rrcnt) &&
|
|
|
|
sigcnt != 0 && rrcnt != 0 &&
|
|
|
|
validate_rrset(now, header, plen, class, T_DNSKEY, sigcnt, rrcnt, name, keyname,
|
|
|
|
@@ -800,7 +800,13 @@ int dnssec_validate_by_ds(time_t now, st
|
|
|
|
|
|
|
|
if ((key = blockdata_alloc((char*)p, rdlen - 4)))
|
|
|
|
{
|
|
|
|
- if (!(recp1 = cache_insert(name, &a, class, now, ttl, F_FORWARD | F_DNSKEY | F_DNSSECOK)))
|
|
|
|
+ a.addr.key.keylen = rdlen - 4;
|
|
|
|
+ a.addr.key.keydata = key;
|
|
|
|
+ a.addr.key.algo = algo;
|
|
|
|
+ a.addr.key.keytag = keytag;
|
|
|
|
+ a.addr.key.flags = flags;
|
|
|
|
+
|
|
|
|
+ if (!cache_insert(name, &a, class, now, ttl, F_FORWARD | F_DNSKEY | F_DNSSECOK))
|
|
|
|
{
|
|
|
|
blockdata_free(key);
|
|
|
|
return STAT_BOGUS;
|
|
|
|
@@ -813,12 +819,6 @@ int dnssec_validate_by_ds(time_t now, st
|
|
|
|
log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DNSKEY keytag %hu, algo %hu");
|
|
|
|
else
|
|
|
|
log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DNSKEY keytag %hu, algo %hu (not supported)");
|
|
|
|
-
|
|
|
|
- recp1->addr.key.keylen = rdlen - 4;
|
|
|
|
- recp1->addr.key.keydata = key;
|
|
|
|
- recp1->addr.key.algo = algo;
|
|
|
|
- recp1->addr.key.keytag = keytag;
|
|
|
|
- recp1->addr.key.flags = flags;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
@@ -915,8 +915,7 @@ int dnssec_validate_ds(time_t now, struc
|
|
|
|
int algo, digest, keytag;
|
|
|
|
unsigned char *psave = p;
|
|
|
|
struct blockdata *key;
|
|
|
|
- struct crec *crecp;
|
|
|
|
-
|
|
|
|
+
|
|
|
|
if (rdlen < 4)
|
|
|
|
return STAT_BOGUS; /* bad packet */
|
|
|
|
|
|
|
|
@@ -926,7 +925,13 @@ int dnssec_validate_ds(time_t now, struc
|
|
|
|
|
|
|
|
if ((key = blockdata_alloc((char*)p, rdlen - 4)))
|
|
|
|
{
|
|
|
|
- if (!(crecp = cache_insert(name, NULL, class, now, ttl, F_FORWARD | F_DS | F_DNSSECOK)))
|
|
|
|
+ a.addr.ds.digest = digest;
|
|
|
|
+ a.addr.ds.keydata = key;
|
|
|
|
+ a.addr.ds.algo = algo;
|
|
|
|
+ a.addr.ds.keytag = keytag;
|
|
|
|
+ a.addr.ds.keylen = rdlen - 4;
|
|
|
|
+
|
|
|
|
+ if (!cache_insert(name, &a, class, now, ttl, F_FORWARD | F_DS | F_DNSSECOK))
|
|
|
|
{
|
|
|
|
blockdata_free(key);
|
|
|
|
return STAT_BOGUS;
|
|
|
|
@@ -940,12 +945,6 @@ int dnssec_validate_ds(time_t now, struc
|
|
|
|
log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %hu, algo %hu, digest %hu");
|
|
|
|
else
|
|
|
|
log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %hu, algo %hu, digest %hu (not supported)");
|
|
|
|
-
|
|
|
|
- crecp->addr.ds.digest = digest;
|
|
|
|
- crecp->addr.ds.keydata = key;
|
|
|
|
- crecp->addr.ds.algo = algo;
|
|
|
|
- crecp->addr.ds.keytag = keytag;
|
|
|
|
- crecp->addr.ds.keylen = rdlen - 4;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
@@ -1711,8 +1710,8 @@ static int zone_status(char *name, int c
|
|
|
|
do
|
|
|
|
{
|
|
|
|
if (crecp->uid == (unsigned int)class &&
|
|
|
|
- ds_digest_name(crecp->addr.ds.digest) &&
|
|
|
|
- algo_digest_name(crecp->addr.ds.algo))
|
|
|
|
+ ds_digest_name(crecp->addr.addr.addr.ds.digest) &&
|
|
|
|
+ algo_digest_name(crecp->addr.addr.addr.ds.algo))
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
while ((crecp = cache_find_by_name(crecp, keyname, now, F_DS)));
|