Commit 0ad073bf authored by Vladimír Čunát's avatar Vladimír Čunát

removal of pos from parameters

parent dc648668
...@@ -290,8 +290,8 @@ int kr_pkt_recycle(knot_pkt_t *); ...@@ -290,8 +290,8 @@ int kr_pkt_recycle(knot_pkt_t *);
int kr_pkt_clear_payload(knot_pkt_t *); int kr_pkt_clear_payload(knot_pkt_t *);
uint16_t kr_pkt_qclass(const knot_pkt_t *); uint16_t kr_pkt_qclass(const knot_pkt_t *);
uint16_t kr_pkt_qtype(const knot_pkt_t *); uint16_t kr_pkt_qtype(const knot_pkt_t *);
uint32_t kr_rrsig_sig_inception(const knot_rdataset_t *, size_t); uint32_t kr_rrsig_sig_inception(const knot_rdata_t *);
uint32_t kr_rrsig_sig_expiration(const knot_rdataset_t *, size_t); uint32_t kr_rrsig_sig_expiration(const knot_rdata_t *);
const char *kr_inaddr(const struct sockaddr *); const char *kr_inaddr(const struct sockaddr *);
int kr_inaddr_family(const struct sockaddr *); int kr_inaddr_family(const struct sockaddr *);
int kr_inaddr_len(const struct sockaddr *); int kr_inaddr_len(const struct sockaddr *);
......
...@@ -290,8 +290,10 @@ static int zi_put_glue(zone_import_ctx_t *z_import, knot_pkt_t *pkt, ...@@ -290,8 +290,10 @@ static int zi_put_glue(zone_import_ctx_t *z_import, knot_pkt_t *pkt,
knot_rrset_t *rr) knot_rrset_t *rr)
{ {
int err = 0; int err = 0;
for (uint16_t i = 0; i < rr->rrs.count; ++i) { knot_rdata_t *rdata_i = rr->rrs.rdata;
const knot_dname_t *ns_name = knot_ns_name(&rr->rrs, i); for (uint16_t i = 0; i < rr->rrs.count;
++i, rdata_i = knot_rdataset_next(rdata_i)) {
const knot_dname_t *ns_name = knot_ns_name(rdata_i);
err = zi_rrset_find_put(z_import, pkt, ns_name, err = zi_rrset_find_put(z_import, pkt, ns_name,
rr->rclass, KNOT_RRTYPE_A, 0); rr->rclass, KNOT_RRTYPE_A, 0);
if (err < 0) { if (err < 0) {
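Review bot: The new loop in zi_put_glue keeps the counter `i` and the cursor `rdata_i` in step only through the `for` increment, and the same hand-written pairing is repeated in update_cut, fetch_ns, kr_ds_algo_support, coverign_rrsig_labels, check_wildcard and kr_rrset_validate_with_key. A later edit that advances one without the other would read rdata past the end of the set. I would either factor the walk into one small helper or macro, or add a comment at each site such as `/* rdata_i must advance exactly once per i; keep both in the for-increment */`. The body of zi_put_glue continues outside this hunk.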
......
...@@ -430,7 +430,7 @@ static ssize_t stash_rrset(struct kr_cache *cache, const struct kr_query *qry, ...@@ -430,7 +430,7 @@ static ssize_t stash_rrset(struct kr_cache *cache, const struct kr_query *qry,
} }
const int wild_labels = rr_sigs == NULL ? 0 : const int wild_labels = rr_sigs == NULL ? 0 :
knot_dname_labels(rr->owner, NULL) - knot_rrsig_labels(&rr_sigs->rrs, 0); knot_dname_labels(rr->owner, NULL) - knot_rrsig_labels(rr_sigs->rrs.rdata);
if (wild_labels < 0) { if (wild_labels < 0) {
return kr_ok(); return kr_ok();
} }
...@@ -448,7 +448,7 @@ static ssize_t stash_rrset(struct kr_cache *cache, const struct kr_query *qry, ...@@ -448,7 +448,7 @@ static ssize_t stash_rrset(struct kr_cache *cache, const struct kr_query *qry,
case KNOT_RRTYPE_NSEC3: case KNOT_RRTYPE_NSEC3:
/* Skip "suspicious" or opt-out NSEC3 sets. */ /* Skip "suspicious" or opt-out NSEC3 sets. */
if (rr->rrs.count != 1) return kr_ok(); if (rr->rrs.count != 1) return kr_ok();
if (KNOT_NSEC3_FLAG_OPT_OUT & knot_nsec3_flags(&rr->rrs, 0)) { if (KNOT_NSEC3_FLAG_OPT_OUT & knot_nsec3_flags(rr->rrs.rdata)) {
if (has_optout) *has_optout = true; if (has_optout) *has_optout = true;
return kr_ok(); return kr_ok();
} }
...@@ -462,7 +462,7 @@ static ssize_t stash_rrset(struct kr_cache *cache, const struct kr_query *qry, ...@@ -462,7 +462,7 @@ static ssize_t stash_rrset(struct kr_cache *cache, const struct kr_query *qry,
assert(!EINVAL); assert(!EINVAL);
return kr_error(EINVAL); return kr_error(EINVAL);
} }
const knot_dname_t *signer = knot_rrsig_signer_name(&rr_sigs->rrs, 0); const knot_dname_t *signer = knot_rrsig_signer_name(rr_sigs->rrs.rdata);
const int signer_size = knot_dname_size(signer); const int signer_size = knot_dname_size(signer);
k->zlf_len = signer_size - 1; k->zlf_len = signer_size - 1;
...@@ -590,7 +590,7 @@ static int stash_rrarray_entry(ranked_rr_array_t *arr, int arr_i, ...@@ -590,7 +590,7 @@ static int stash_rrarray_entry(ranked_rr_array_t *arr, int arr_i,
ranked_rr_array_entry_t *e = arr->at[j]; ranked_rr_array_entry_t *e = arr->at[j];
bool ok = e->qry_uid == qry->uid && !e->cached bool ok = e->qry_uid == qry->uid && !e->cached
&& e->rr->type == KNOT_RRTYPE_RRSIG && e->rr->type == KNOT_RRTYPE_RRSIG
&& knot_rrsig_type_covered(&e->rr->rrs, 0) == rr->type && knot_rrsig_type_covered(e->rr->rrs.rdata) == rr->type
&& knot_dname_is_equal(rr->owner, e->rr->owner); && knot_dname_is_equal(rr->owner, e->rr->owner);
if (!ok) continue; if (!ok) continue;
entry_rrsigs = e; entry_rrsigs = e;
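Review bot: In stash_rrset the RRSIG accessors now take `rr_sigs->rrs.rdata` directly (the `wild_labels` computation and the `signer` lookup), and nothing in the visible lines checks that the set is non-empty before its first rdata is read. The old calls passed the set together with index 0, so the set size was at least available to the callee; with a bare pointer the caller owns that check. These sets are built from answers received over the network, so I would guard the first access, e.g. `if (rr_sigs && (!rr_sigs->rrs.count || !rr_sigs->rrs.rdata)) return kr_error(EINVAL);`, unless a caller outside these hunks already guarantees it. The same first-rdata pattern is introduced in nsec1_encloser, nsec1_src_synth, unroll_cname, validate_section, find_first_signer, check_validation_result and rrsets_match, whereas kr_rrset_type_maysig asserts `rr->rrs.count && rr->rrs.rdata` before the access.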
......
...@@ -341,7 +341,7 @@ int nsec1_encloser(struct key *k, struct answer *ans, ...@@ -341,7 +341,7 @@ int nsec1_encloser(struct key *k, struct answer *ans,
/* NXDOMAIN proven *except* for wildcards. */ /* NXDOMAIN proven *except* for wildcards. */
WITH_VERBOSE(qry) { WITH_VERBOSE(qry) {
auto_free char *owner_str = kr_dname_text(nsec_rr->owner), auto_free char *owner_str = kr_dname_text(nsec_rr->owner),
*next_str = kr_dname_text(knot_nsec_next(&nsec_rr->rrs)); *next_str = kr_dname_text(knot_nsec_next(nsec_rr->rrs.rdata));
VERBOSE_MSG(qry, "=> NSEC sname: covered by: %s -> %s, new TTL %d\n", VERBOSE_MSG(qry, "=> NSEC sname: covered by: %s -> %s, new TTL %d\n",
owner_str, next_str, new_ttl); owner_str, next_str, new_ttl);
} }
...@@ -356,7 +356,7 @@ int nsec1_encloser(struct key *k, struct answer *ans, ...@@ -356,7 +356,7 @@ int nsec1_encloser(struct key *k, struct answer *ans,
* LATER(optim.): it might be faster to use the LFs we already have. * LATER(optim.): it might be faster to use the LFs we already have.
*/ */
knot_dname_t next[KNOT_DNAME_MAXLEN]; knot_dname_t next[KNOT_DNAME_MAXLEN];
int ret = knot_dname_to_wire(next, knot_nsec_next(&nsec_rr->rrs), sizeof(next)); int ret = knot_dname_to_wire(next, knot_nsec_next(nsec_rr->rrs.rdata), sizeof(next));
if (ret < 0) { if (ret < 0) {
assert(!ret); assert(!ret);
return kr_error(ret); return kr_error(ret);
...@@ -470,7 +470,7 @@ int nsec1_src_synth(struct key *k, struct answer *ans, const knot_dname_t *clenc ...@@ -470,7 +470,7 @@ int nsec1_src_synth(struct key *k, struct answer *ans, const knot_dname_t *clenc
/* We have a record proving wildcard non-existence. */ /* We have a record proving wildcard non-existence. */
WITH_VERBOSE(qry) { WITH_VERBOSE(qry) {
auto_free char *owner_str = kr_dname_text(nsec_rr->owner), auto_free char *owner_str = kr_dname_text(nsec_rr->owner),
*next_str = kr_dname_text(knot_nsec_next(&nsec_rr->rrs)); *next_str = kr_dname_text(knot_nsec_next(nsec_rr->rrs.rdata));
VERBOSE_MSG(qry, "=> NSEC wildcard: covered by: %s -> %s, new TTL %d\n", VERBOSE_MSG(qry, "=> NSEC wildcard: covered by: %s -> %s, new TTL %d\n",
owner_str, next_str, new_ttl_log); owner_str, next_str, new_ttl_log);
} }
......
...@@ -61,38 +61,38 @@ void kr_crypto_reinit(void) ...@@ -61,38 +61,38 @@ void kr_crypto_reinit(void)
* Check the RRSIG RR validity according to RFC4035 5.3.1 . * Check the RRSIG RR validity according to RFC4035 5.3.1 .
* @param flags The flags are going to be set according to validation result. * @param flags The flags are going to be set according to validation result.
* @param cov_labels Covered RRSet owner label count. * @param cov_labels Covered RRSet owner label count.
* @param rrsigs RRSet containing the signatures. * @param rrsigs rdata containing the signatures.
* @param sig_pos Specifies the signature within the RRSIG RRSet. * @param key_owner Associated DNSKEY's owner.
* @param keys Associated DNSKEY RRSet. * @param key_rdata Associated DNSKEY's rdata.
* @param key_pos Specifies the key within the DNSKEY RRSet,
* @param keytag Used key tag. * @param keytag Used key tag.
* @param zone_name The name of the zone cut. * @param zone_name The name of the zone cut.
* @param timestamp Validation time. * @param timestamp Validation time.
*/ */
static int validate_rrsig_rr(int *flags, int cov_labels, static int validate_rrsig_rr(int *flags, int cov_labels,
const knot_rrset_t *rrsigs, size_t sig_pos, const knot_rdata_t *rrsigs,
const knot_rrset_t *keys, size_t key_pos, uint16_t keytag, const knot_dname_t *key_owner, const knot_rdata_t *key_rdata,
uint16_t keytag,
const knot_dname_t *zone_name, uint32_t timestamp) const knot_dname_t *zone_name, uint32_t timestamp)
{ {
if (!flags || !rrsigs || !keys || !zone_name) { if (!flags || !rrsigs || !key_owner || !key_rdata || !zone_name) {
return kr_error(EINVAL); return kr_error(EINVAL);
} }
/* bullet 5 */ /* bullet 5 */
if (knot_rrsig_sig_expiration(&rrsigs->rrs, sig_pos) < timestamp) { if (knot_rrsig_sig_expiration(rrsigs) < timestamp) {
return kr_error(EINVAL); return kr_error(EINVAL);
} }
/* bullet 6 */ /* bullet 6 */
if (knot_rrsig_sig_inception(&rrsigs->rrs, sig_pos) > timestamp) { if (knot_rrsig_sig_inception(rrsigs) > timestamp) {
return kr_error(EINVAL); return kr_error(EINVAL);
} }
/* bullet 2 */ /* bullet 2 */
const knot_dname_t *signer_name = knot_rrsig_signer_name(&rrsigs->rrs, sig_pos); const knot_dname_t *signer_name = knot_rrsig_signer_name(rrsigs);
if (!signer_name || !knot_dname_is_equal(signer_name, zone_name)) { if (!signer_name || !knot_dname_is_equal(signer_name, zone_name)) {
return kr_error(EAGAIN); return kr_error(EAGAIN);
} }
/* bullet 4 */ /* bullet 4 */
{ {
int rrsig_labels = knot_rrsig_labels(&rrsigs->rrs, sig_pos); int rrsig_labels = knot_rrsig_labels(rrsigs);
if (rrsig_labels > cov_labels) { if (rrsig_labels > cov_labels) {
return kr_error(EINVAL); return kr_error(EINVAL);
} }
...@@ -102,9 +102,9 @@ static int validate_rrsig_rr(int *flags, int cov_labels, ...@@ -102,9 +102,9 @@ static int validate_rrsig_rr(int *flags, int cov_labels,
} }
/* bullet 7 */ /* bullet 7 */
if ((!knot_dname_is_equal(keys->owner, signer_name)) || if ((!knot_dname_is_equal(key_owner, signer_name)) ||
(knot_dnskey_alg(&keys->rrs, key_pos) != knot_rrsig_algorithm(&rrsigs->rrs, sig_pos)) || (knot_dnskey_alg(key_rdata) != knot_rrsig_alg(rrsigs)) ||
(keytag != knot_rrsig_key_tag(&rrsigs->rrs, sig_pos))) { (keytag != knot_rrsig_key_tag(rrsigs))) {
return kr_error(EINVAL); return kr_error(EINVAL);
} }
/* bullet 8 */ /* bullet 8 */
...@@ -122,14 +122,14 @@ static int validate_rrsig_rr(int *flags, int cov_labels, ...@@ -122,14 +122,14 @@ static int validate_rrsig_rr(int *flags, int cov_labels,
* @param sig_pos Specifies the signature within the RRSIG RRSet. * @param sig_pos Specifies the signature within the RRSIG RRSet.
* @return Number of added labels, -1 on error. * @return Number of added labels, -1 on error.
*/ */
static int wildcard_radix_len_diff(const knot_dname_t *expanded, static inline int wildcard_radix_len_diff(const knot_dname_t *expanded,
const knot_rrset_t *rrsigs, size_t sig_pos) const knot_rdata_t *rrsig)
{ {
if (!expanded || !rrsigs) { if (!expanded || !rrsig) {
return -1; return -1;
} }
return knot_dname_labels(expanded, NULL) - knot_rrsig_labels(&rrsigs->rrs, sig_pos); return knot_dname_labels(expanded, NULL) - knot_rrsig_labels(rrsig);
} }
int kr_rrset_validate(kr_rrset_validation_ctx_t *vctx, const knot_rrset_t *covered) int kr_rrset_validate(kr_rrset_validation_ctx_t *vctx, const knot_rrset_t *covered)
...@@ -178,10 +178,10 @@ static int kr_rrset_validate_with_key(kr_rrset_validation_ctx_t *vctx, ...@@ -178,10 +178,10 @@ static int kr_rrset_validate_with_key(kr_rrset_validation_ctx_t *vctx,
return vctx->result; return vctx->result;
} }
const knot_rdata_t *key_rdata = knot_rdataset_at(&keys->rrs, key_pos);
if (key == NULL) { if (key == NULL) {
const knot_rdata_t *krr = knot_rdataset_at(&keys->rrs, key_pos);
int ret = kr_dnssec_key_from_rdata(&created_key, keys->owner, int ret = kr_dnssec_key_from_rdata(&created_key, keys->owner,
krr->rdata, krr->len); key_rdata->data, key_rdata->len);
if (ret != 0) { if (ret != 0) {
vctx->result = ret; vctx->result = ret;
return vctx->result; return vctx->result;
...@@ -204,14 +204,15 @@ static int kr_rrset_validate_with_key(kr_rrset_validation_ctx_t *vctx, ...@@ -204,14 +204,15 @@ static int kr_rrset_validate_with_key(kr_rrset_validation_ctx_t *vctx,
if ((covered->rclass != rrsig->rclass) || !knot_dname_is_equal(covered->owner, rrsig->owner)) { if ((covered->rclass != rrsig->rclass) || !knot_dname_is_equal(covered->owner, rrsig->owner)) {
continue; continue;
} }
for (uint16_t j = 0; j < rrsig->rrs.count; ++j) { knot_rdata_t *rdata_j = rrsig->rrs.rdata;
for (uint16_t j = 0; j < rrsig->rrs.count; ++j, rdata_j = knot_rdataset_next(rdata_j)) {
int val_flgs = 0; int val_flgs = 0;
int trim_labels = 0; int trim_labels = 0;
if (knot_rrsig_type_covered(&rrsig->rrs, j) != covered->type) { if (knot_rrsig_type_covered(rdata_j) != covered->type) {
continue; continue;
} }
int ret = validate_rrsig_rr(&val_flgs, covered_labels, rrsig, j, int ret = validate_rrsig_rr(&val_flgs, covered_labels, rdata_j,
keys, key_pos, keytag, keys->owner, key_rdata, keytag,
zone_name, timestamp); zone_name, timestamp);
if (ret == kr_error(EAGAIN)) { if (ret == kr_error(EAGAIN)) {
kr_dnssec_key_free(&created_key); kr_dnssec_key_free(&created_key);
...@@ -221,12 +222,12 @@ static int kr_rrset_validate_with_key(kr_rrset_validation_ctx_t *vctx, ...@@ -221,12 +222,12 @@ static int kr_rrset_validate_with_key(kr_rrset_validation_ctx_t *vctx,
continue; continue;
} }
if (val_flgs & FLG_WILDCARD_EXPANSION) { if (val_flgs & FLG_WILDCARD_EXPANSION) {
trim_labels = wildcard_radix_len_diff(covered->owner, rrsig, j); trim_labels = wildcard_radix_len_diff(covered->owner, rdata_j);
if (trim_labels < 0) { if (trim_labels < 0) {
break; break;
} }
} }
if (kr_check_signature(rrsig, j, (dnssec_key_t *) key, covered, trim_labels) != 0) { if (kr_check_signature(rdata_j, (dnssec_key_t *) key, covered, trim_labels) != 0) {
continue; continue;
} }
if (val_flgs & FLG_WILDCARD_EXPANSION) { if (val_flgs & FLG_WILDCARD_EXPANSION) {
...@@ -259,9 +260,11 @@ static int kr_rrset_validate_with_key(kr_rrset_validation_ctx_t *vctx, ...@@ -259,9 +260,11 @@ static int kr_rrset_validate_with_key(kr_rrset_validation_ctx_t *vctx,
static bool kr_ds_algo_support(const knot_rrset_t *ta) static bool kr_ds_algo_support(const knot_rrset_t *ta)
{ {
for (uint16_t i = 0; i < ta->rrs.count; ++i) { knot_rdata_t *rdata_i = ta->rrs.rdata;
if (dnssec_algorithm_digest_support(knot_ds_digest_type(&ta->rrs, i)) for (uint16_t i = 0; i < ta->rrs.count;
&& dnssec_algorithm_key_support(knot_ds_alg(&ta->rrs, i))) { ++i, rdata_i = knot_rdataset_next(rdata_i)) {
if (dnssec_algorithm_digest_support(knot_ds_digest_type(rdata_i))
&& dnssec_algorithm_key_support(knot_ds_alg(rdata_i))) {
return true; return true;
} }
} }
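Review bot: The doc comment above wildcard_radix_len_diff still lists `@param sig_pos Specifies the signature within the RRSIG RRSet.` although that parameter is gone and the remaining one is now a single rdata named `rrsig`; I would drop that line and describe `rrsig` as the RRSIG rdata whose label count is subtracted (the start of that comment is outside the hunk). In validate_rrsig_rr the parameter keeps the plural name `rrsigs` while its doc now says it is one rdata, so renaming it to `rrsig` would match kr_check_signature. Separately, in kr_rrset_validate_with_key `key_rdata` is dereferenced in the `key == NULL` branch before validate_rrsig_rr gets to test it for NULL. If `knot_rdataset_at` can return NULL for a bad `key_pos`, the check belongs right after the lookup: `if (!key_rdata) { vctx->result = kr_error(EINVAL); return vctx->result; }`.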
......
...@@ -60,20 +60,15 @@ static int nsec_covers(const knot_rrset_t *nsec, const knot_dname_t *sname) ...@@ -60,20 +60,15 @@ static int nsec_covers(const knot_rrset_t *nsec, const knot_dname_t *sname)
} }
/* If NSEC 'owner' >= 'next', it means that there is nothing after 'owner' */ /* If NSEC 'owner' >= 'next', it means that there is nothing after 'owner' */
#if KNOT_VERSION_HEX < ((2 << 16) | (7 << 8) | 0)
const knot_dname_t *next = knot_nsec_next(&nsec->rrs);
#else
/* We have to lower-case it with libknot >= 2.7; see also RFC 6840 5.1. */ /* We have to lower-case it with libknot >= 2.7; see also RFC 6840 5.1. */
knot_dname_t next[KNOT_DNAME_MAXLEN]; knot_dname_t next[KNOT_DNAME_MAXLEN];
int ret = knot_dname_to_wire(next, knot_nsec_next(&nsec->rrs), sizeof(next)); int ret = knot_dname_to_wire(next, knot_nsec_next(nsec->rrs.rdata), sizeof(next));
if (ret >= 0) {
ret = knot_dname_to_lower(next);
}
if (ret < 0) { if (ret < 0) {
assert(!ret); assert(!ret);
return kr_error(ret); return kr_error(ret);
} }
#endif knot_dname_to_lower(next);
const bool is_last_nsec = knot_dname_cmp(nsec->owner, next) >= 0; const bool is_last_nsec = knot_dname_cmp(nsec->owner, next) >= 0;
const bool in_range = is_last_nsec || knot_dname_cmp(sname, next) < 0; const bool in_range = is_last_nsec || knot_dname_cmp(sname, next) < 0;
if (!in_range) { if (!in_range) {
...@@ -209,15 +204,17 @@ static int coverign_rrsig_labels(const knot_rrset_t *nsec, const knot_pktsection ...@@ -209,15 +204,17 @@ static int coverign_rrsig_labels(const knot_rrset_t *nsec, const knot_pktsection
continue; continue;
} }
for (uint16_t j = 0; j < rrset->rrs.count; ++j) { knot_rdata_t *rdata_j = rrset->rrs.rdata;
if (knot_rrsig_type_covered(&rrset->rrs, j) != KNOT_RRTYPE_NSEC) { for (uint16_t j = 0; j < rrset->rrs.count;
++j, rdata_j = knot_rdataset_next(rdata_j)) {
if (knot_rrsig_type_covered(rdata_j) != KNOT_RRTYPE_NSEC) {
continue; continue;
} }
if (ret < 0) { if (ret < 0) {
ret = knot_rrsig_labels(&rrset->rrs, j); ret = knot_rrsig_labels(rdata_j);
} else { } else {
if (ret != knot_rrsig_labels(&rrset->rrs, j)) { if (ret != knot_rrsig_labels(rdata_j)) {
return kr_error(EINVAL); return kr_error(EINVAL);
} }
} }
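Review bot: In nsec_covers the result of `knot_dname_to_lower(next)` is no longer looked at, while the removed lines assigned it to `ret` and failed on a negative value. If the function can still report an error in the libknot version this now targets, keep `ret = knot_dname_to_lower(next);` ahead of the `ret < 0` test. If it cannot fail any more, a short comment saying so would help, because this lower-casing feeds the canonical-order comparison that decides whether the NSEC covers `sname`. The surviving comment `We have to lower-case it with libknot >= 2.7` also reads oddly now that the version conditional is removed, and dropping the `KNOT_VERSION_HEX` branch presumably needs a matching minimum-version bump in the build files, which are not part of this page.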
......
...@@ -54,7 +54,7 @@ static int nsec3_parameters(dnssec_nsec3_params_t *params, const knot_rrset_t *n ...@@ -54,7 +54,7 @@ static int nsec3_parameters(dnssec_nsec3_params_t *params, const knot_rrset_t *n
/* Every NSEC3 RR contains data from NSEC3PARAMS. */ /* Every NSEC3 RR contains data from NSEC3PARAMS. */
const size_t SALT_OFFSET = 5; /* First 5 octets contain { Alg, Flags, Iterations, Salt length } */ const size_t SALT_OFFSET = 5; /* First 5 octets contain { Alg, Flags, Iterations, Salt length } */
dnssec_binary_t rdata = { dnssec_binary_t rdata = {
.size = SALT_OFFSET + (size_t) knot_nsec3_salt_length(&nsec3->rrs, 0), .size = SALT_OFFSET + (size_t)knot_nsec3_salt_len(nsec3->rrs.rdata),
.data = /*const-cast*/(uint8_t *)rr->data, .data = /*const-cast*/(uint8_t *)rr->data,
}; };
if (rdata.size > rr->len) if (rdata.size > rr->len)
...@@ -218,9 +218,8 @@ static int covers_name(int *flags, const knot_rrset_t *nsec3, const knot_dname_t ...@@ -218,9 +218,8 @@ static int covers_name(int *flags, const knot_rrset_t *nsec3, const knot_dname_t
goto fail; goto fail;
} }
uint8_t next_size = 0; uint8_t next_size = knot_nsec3_next_len(nsec3->rrs.rdata);
uint8_t *next_hash = NULL; const uint8_t *next_hash = knot_nsec3_next(nsec3->rrs.rdata);
knot_nsec3_next_hashed(&nsec3->rrs, 0, &next_hash, &next_size);
if ((next_size > 0) && (owner_hash.size == next_size) && (name_hash.size == next_size)) { if ((next_size > 0) && (owner_hash.size == next_size) && (name_hash.size == next_size)) {
/* All hash lengths must be same. */ /* All hash lengths must be same. */
...@@ -252,7 +251,7 @@ static int covers_name(int *flags, const knot_rrset_t *nsec3, const knot_dname_t ...@@ -252,7 +251,7 @@ static int covers_name(int *flags, const knot_rrset_t *nsec3, const knot_dname_t
if (covered) { if (covered) {
*flags |= FLG_NAME_COVERED; *flags |= FLG_NAME_COVERED;
uint8_t nsec3_flags = knot_nsec3_flags(&nsec3->rrs, 0); uint8_t nsec3_flags = knot_nsec3_flags(nsec3->rrs.rdata);
if (nsec3_flags & ~OPT_OUT_BIT) { if (nsec3_flags & ~OPT_OUT_BIT) {
/* RFC5155 3.1.2 */ /* RFC5155 3.1.2 */
ret = kr_error(EINVAL); ret = kr_error(EINVAL);
...@@ -285,7 +284,7 @@ static bool has_optout(const knot_rrset_t *nsec3) ...@@ -285,7 +284,7 @@ static bool has_optout(const knot_rrset_t *nsec3)
return false; return false;
} }
uint8_t nsec3_flags = knot_nsec3_flags(&nsec3->rrs, 0); uint8_t nsec3_flags = knot_nsec3_flags(nsec3->rrs.rdata);
if (nsec3_flags & ~OPT_OUT_BIT) { if (nsec3_flags & ~OPT_OUT_BIT) {
/* RFC5155 3.1.2 */ /* RFC5155 3.1.2 */
return false; return false;
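Review bot: In covers_name `next_hash` and `next_size` are now read straight from `nsec3->rrs.rdata`, and nothing in the visible lines checks that the salt and the next-hash field actually fit inside the rdata length before `next_hash` is used. `next_size` is only compared with the two computed hash sizes, which bounds the comparison length but not the source buffer, so a truncated NSEC3 record could be read past its end unless the parser or the accessors reject it, and that is not visible here. I would add an explicit length check against the first rdata's `len` before the comparison and `goto fail` otherwise; nsec3_parameters already does the equivalent with `if (rdata.size > rr->len)`. In nsec3_parameters it would also read better to call `knot_nsec3_salt_len(rr)` if `rr` is the same first rdata, rather than mixing `rr` and `nsec3->rrs.rdata` in one initializer.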
......
...@@ -70,7 +70,7 @@ int kr_authenticate_referral(const knot_rrset_t *ref, const dnssec_key_t *key) ...@@ -70,7 +70,7 @@ int kr_authenticate_referral(const knot_rrset_t *ref, const dnssec_key_t *key)
.size = rd->len, .size = rd->len,
.data = rd->data .data = rd->data
}; };
ret = authenticate_ds(key, &ds_rdata, knot_ds_digest_type(&ref->rrs, i)); ret = authenticate_ds(key, &ds_rdata, knot_ds_digest_type(rd));
if (ret == 0) { /* Found a good DS */ if (ret == 0) { /* Found a good DS */
return kr_ok(); return kr_ok();
} }
...@@ -263,19 +263,20 @@ static int sign_ctx_add_data(dnssec_sign_ctx_t *ctx, const uint8_t *rrsig_rdata, ...@@ -263,19 +263,20 @@ static int sign_ctx_add_data(dnssec_sign_ctx_t *ctx, const uint8_t *rrsig_rdata,
return sign_ctx_add_records(ctx, covered, orig_ttl, trim_labels); return sign_ctx_add_records(ctx, covered, orig_ttl, trim_labels);
} }
int kr_check_signature(const knot_rrset_t *rrsigs, size_t pos, int kr_check_signature(const knot_rdata_t *rrsig,
const dnssec_key_t *key, const knot_rrset_t *covered, const dnssec_key_t *key, const knot_rrset_t *covered,
int trim_labels) int trim_labels)
{ {
if (!rrsigs || !key || !dnssec_key_can_verify(key)) { if (!rrsig || !key || !dnssec_key_can_verify(key)) {
return kr_error(EINVAL); return kr_error(EINVAL);
} }
int ret = 0; int ret = 0;
dnssec_sign_ctx_t *sign_ctx = NULL; dnssec_sign_ctx_t *sign_ctx = NULL;
dnssec_binary_t signature = { 0, NULL }; dnssec_binary_t signature = {
.data = /*const-cast*/(uint8_t*)knot_rrsig_signature(rrsig),
knot_rrsig_signature(&rrsigs->rrs, pos, &signature.data, &signature.size); .size = knot_rrsig_signature_len(rrsig),
};
if (!signature.data || !signature.size) { if (!signature.data || !signature.size) {
ret = kr_error(EINVAL); ret = kr_error(EINVAL);
goto fail; goto fail;
...@@ -286,10 +287,9 @@ int kr_check_signature(const knot_rrset_t *rrsigs, size_t pos, ...@@ -286,10 +287,9 @@ int kr_check_signature(const knot_rrset_t *rrsigs, size_t pos,
goto fail; goto fail;
} }
uint32_t orig_ttl = knot_rrsig_original_ttl(&rrsigs->rrs, pos); uint32_t orig_ttl = knot_rrsig_original_ttl(rrsig);
const knot_rdata_t *rd = knot_rdataset_at(&rrsigs->rrs, pos);
if (sign_ctx_add_data(sign_ctx, rd->data, covered, orig_ttl, trim_labels) != 0) { if (sign_ctx_add_data(sign_ctx, rrsig->data, covered, orig_ttl, trim_labels) != 0) {
ret = kr_error(ENOMEM); ret = kr_error(ENOMEM);
goto fail; goto fail;
} }
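Review bot: In kr_check_signature the signature pointer and length are now derived from the single `rrsig` rdata, and the only sanity test left is `!signature.data || !signature.size`. If the new accessors compute the pointer as an offset into `rrsig->data` (their implementation is not on this page), the pointer test can never fail, and a record shorter than the fixed RRSIG fields plus signer name would yield a bogus length rather than an error. Since this rdata comes from an untrusted answer and the buffer is handed to the verification context, I would state in a comment which layer guarantees the minimum RRSIG length, or check `rrsig->len` here before building `signature`. The function body continues outside these hunks.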
......
...@@ -37,6 +37,6 @@ int kr_authenticate_referral(const knot_rrset_t *ref, const dnssec_key_t *key); ...@@ -37,6 +37,6 @@ int kr_authenticate_referral(const knot_rrset_t *ref, const dnssec_key_t *key);
* @param trim_labels Number of the leftmost labels to be removed and replaced with '*.'. * @param trim_labels Number of the leftmost labels to be removed and replaced with '*.'.
* @return 0 if signature valid, error code else. * @return 0 if signature valid, error code else.
*/ */
int kr_check_signature(const knot_rrset_t *rrsigs, size_t pos, int kr_check_signature(const knot_rdata_t *rrsig,
const dnssec_key_t *key, const knot_rrset_t *covered, const dnssec_key_t *key, const knot_rrset_t *covered,
int trim_labels); int trim_labels);
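Review bot: Only the prototype line of kr_check_signature changes in this hunk, so the doc block above it, which begins outside the hunk, is left as it was. If it still documents the old `rrsigs` and `pos` parameters, it should be updated to a single entry like `@param rrsig RRSIG rdata holding the signature to check.` Callers reading the header otherwise get no hint that the function now expects one record rather than a set and an index.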
...@@ -286,8 +286,10 @@ static int update_cut(knot_pkt_t *pkt, const knot_rrset_t *rr, ...@@ -286,8 +286,10 @@ static int update_cut(knot_pkt_t *pkt, const knot_rrset_t *rr,
} }
/* Fetch glue for each NS */ /* Fetch glue for each NS */
for (unsigned i = 0; i < rr->rrs.count; ++i) { knot_rdata_t *rdata_i = rr->rrs.rdata;
const knot_dname_t *ns_name = knot_ns_name(&rr->rrs, i); for (unsigned i = 0; i < rr->rrs.count;
++i, rdata_i = knot_rdataset_next(rdata_i)) {
const knot_dname_t *ns_name = knot_ns_name(rdata_i);
/* Glue is mandatory for NS below zone */ /* Glue is mandatory for NS below zone */
if (knot_dname_in(rr->owner, ns_name) && !has_glue(pkt, ns_name)) { if (knot_dname_in(rr->owner, ns_name) && !has_glue(pkt, ns_name)) {
const char *msg = const char *msg =
...@@ -504,7 +506,7 @@ static int unroll_cname(knot_pkt_t *pkt, struct kr_request *req, bool referral, ...@@ -504,7 +506,7 @@ static int unroll_cname(knot_pkt_t *pkt, struct kr_request *req, bool referral,
} }
if (rr->type == KNOT_RRTYPE_RRSIG) { if (rr->type == KNOT_RRTYPE_RRSIG) {
int rrsig_labels = knot_rrsig_labels(&rr->rrs, 0); int rrsig_labels = knot_rrsig_labels(rr->rrs.rdata);
if (rrsig_labels > cname_labels) { if (rrsig_labels > cname_labels) {
/* clearly wrong RRSIG, don't pick it. /* clearly wrong RRSIG, don't pick it.
* don't fail immediately, * don't fail immediately,
...@@ -541,7 +543,7 @@ static int unroll_cname(knot_pkt_t *pkt, struct kr_request *req, bool referral, ...@@ -541,7 +543,7 @@ static int unroll_cname(knot_pkt_t *pkt, struct kr_request *req, bool referral,
continue; continue;
} }
cname_chain_len += 1; cname_chain_len += 1;
pending_cname = knot_cname_name(&rr->rrs); pending_cname = knot_cname_name(rr->rrs.rdata);
if (!pending_cname) { if (!pending_cname) {
break; break;
} }
......
...@@ -104,7 +104,7 @@ static int validate_section(kr_rrset_validation_ctx_t *vctx, const struct kr_que ...@@ -104,7 +104,7 @@ static int validate_section(kr_rrset_validation_ctx_t *vctx, const struct kr_que
} }
if (rr->type == KNOT_RRTYPE_RRSIG) { if (rr->type == KNOT_RRTYPE_RRSIG) {
const knot_dname_t *signer_name = knot_rrsig_signer_name(&rr->rrs, 0); const knot_dname_t *signer_name = knot_rrsig_signer_name(rr->rrs.rdata);
if (!knot_dname_is_equal(vctx->zone_name, signer_name)) { if (!knot_dname_is_equal(vctx->zone_name, signer_name)) {
kr_rank_set(&entry->rank, KR_RANK_MISMATCH); kr_rank_set(&entry->rank, KR_RANK_MISMATCH);
vctx->err_cnt += 1; vctx->err_cnt += 1;
...@@ -464,7 +464,7 @@ static const knot_dname_t *find_first_signer(ranked_rr_array_t *arr) ...@@ -464,7 +464,7 @@ static const knot_dname_t *find_first_signer(ranked_rr_array_t *arr)
continue; continue;
} }
if (rr->type == KNOT_RRTYPE_RRSIG) { if (rr->type == KNOT_RRTYPE_RRSIG) {
return knot_rrsig_signer_name(&rr->rrs, 0); return knot_rrsig_signer_name(rr->rrs.rdata);
} }
} }
return NULL; return NULL;
...@@ -567,7 +567,7 @@ static int check_validation_result(kr_layer_t *ctx, ranked_rr_array_t *arr) ...@@ -567,7 +567,7 @@ static int check_validation_result(kr_layer_t *ctx, ranked_rr_array_t *arr)
const knot_rrset_t *rr = invalid_entry->rr; const knot_rrset_t *rr = invalid_entry->rr;
if (kr_rank_test(invalid_entry->rank, KR_RANK_MISMATCH)) { if (kr_rank_test(invalid_entry->rank, KR_RANK_MISMATCH)) {
const knot_dname_t *signer_name = knot_rrsig_signer_name(&rr->rrs, 0); const knot_dname_t *signer_name = knot_rrsig_signer_name(rr->rrs.rdata);
if (knot_dname_is_sub(signer_name, qry->zone_cut.name)) { if (knot_dname_is_sub(signer_name, qry->zone_cut.name)) {
qry->zone_cut.name = knot_dname_copy(signer_name, &req->pool); qry->zone_cut.name = knot_dname_copy(signer_name, &req->pool);
qry->flags.AWAIT_CUT = true; qry->flags.AWAIT_CUT = true;
...@@ -828,8 +828,10 @@ static void check_wildcard(kr_layer_t *ctx) ...@@ -828,8 +828,10 @@ static void check_wildcard(kr_layer_t *ctx)
int owner_labels = knot_dname_labels(rrsigs->owner, NULL); int owner_labels = knot_dname_labels(rrsigs->owner, NULL);
for (int k = 0; k < rrsigs->rrs.count; ++k) { knot_rdata_t *rdata_k = rrsigs->rrs.rdata;
if (knot_rrsig_labels(&rrsigs->rrs, k) != owner_labels) { for (int k = 0; k < rrsigs->rrs.count;
++k, rdata_k = knot_rdataset_next(rdata_k)) {
if (knot_rrsig_labels(rdata_k) != owner_labels) {
qry->flags.DNSSEC_WEXPAND = true; qry->flags.DNSSEC_WEXPAND = true;
} }
} }
......
...@@ -659,8 +659,8 @@ static inline bool rrsets_match(const knot_rrset_t *rr1, const knot_rrset_t *rr2 ...@@ -659,8 +659,8 @@ static inline bool rrsets_match(const knot_rrset_t *rr1, const knot_rrset_t *rr2
{ {
bool match = rr1->type == rr2->type && rr1->rclass == rr2->rclass; bool match = rr1->type == rr2->type && rr1->rclass == rr2->rclass;
if (match && rr2->type == KNOT_RRTYPE_RRSIG) { if (match && rr2->type == KNOT_RRTYPE_RRSIG) {
match = match && knot_rrsig_type_covered(&rr1->rrs, 0) match = match && knot_rrsig_type_covered(rr1->rrs.rdata)
== knot_rrsig_type_covered(&rr2->rrs, 0); == knot_rrsig_type_covered(rr2->rrs.rdata);
} }
match = match && knot_dname_is_equal(rr1->owner, rr2->owner); match = match && knot_dname_is_equal(rr1->owner, rr2->owner);
return match; return match;
...@@ -1025,11 +1025,11 @@ uint16_t kr_pkt_qtype(const knot_pkt_t *pkt) ...@@ -1025,11 +1025,11 @@ uint16_t kr_pkt_qtype(const knot_pkt_t *pkt)
{ {
return knot_pkt_qtype(pkt); return knot_pkt_qtype(pkt);
} }
uint32_t kr_rrsig_sig_inception(const knot_rdataset_t *rrs, size_t pos) uint32_t kr_rrsig_sig_inception(const knot_rdata_t *rdata)
{ {
return knot_rrsig_sig_inception(rrs, pos); return knot_rrsig_sig_inception(rdata);
} }
uint32_t kr_rrsig_sig_expiration(const knot_rdataset_t *rrs, size_t pos) uint32_t kr_rrsig_sig_expiration(const knot_rdata_t *rdata)
{ {
return knot_rrsig_sig_expiration(rrs, pos); return knot_rrsig_sig_expiration(rdata);
} }
...@@ -368,7 +368,7 @@ static inline uint16_t kr_rrset_type_maysig(const knot_rrset_t *rr) ...@@ -368,7 +368,7 @@ static inline uint16_t kr_rrset_type_maysig(const knot_rrset_t *rr)
assert(rr && rr->rrs.count && rr->rrs.rdata); assert(rr && rr->rrs.count && rr->rrs.rdata);
uint16_t type = rr->type; uint16_t type = rr->type;
if (type == KNOT_RRTYPE_RRSIG) if (type == KNOT_RRTYPE_RRSIG)
type = knot_rrsig_type_covered(&rr->rrs, 0); type = knot_rrsig_type_covered(rr->rrs.rdata);
return type; return type;
} }
...@@ -442,5 +442,5 @@ KR_EXPORT void kr_rrset_init(knot_rrset_t *rrset, knot_dname_t *owner, ...@@ -442,5 +442,5 @@ KR_EXPORT void kr_rrset_init(knot_rrset_t *rrset, knot_dname_t *owner,
uint16_t type, uint16_t rclass, uint32_t ttl); uint16_t type, uint16_t rclass, uint32_t ttl);
KR_EXPORT uint16_t kr_pkt_qclass(const knot_pkt_t *pkt); KR_EXPORT uint16_t kr_pkt_qclass(const knot_pkt_t *pkt);
KR_EXPORT uint16_t kr_pkt_qtype(const knot_pkt_t *pkt); KR_EXPORT uint16_t kr_pkt_qtype(const knot_pkt_t *pkt);
KR_EXPORT uint32_t kr_rrsig_sig_inception(const knot_rdataset_t *rrs, size_t pos); KR_EXPORT uint32_t kr_rrsig_sig_inception(const knot_rdata_t *rdata);
KR_EXPORT uint32_t kr_rrsig_sig_expiration(const knot_rdataset_t *rrs, size_t pos); KR_EXPORT uint32_t kr_rrsig_sig_expiration(const knot_rdata_t *rdata);
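Review bot: `kr_rrsig_sig_inception` and `kr_rrsig_sig_expiration` are `KR_EXPORT`ed, and this changes their argument list from `(const knot_rdataset_t *, size_t)` to `(const knot_rdata_t *)` without any visible version or ABI marker change. A module or FFI binding built against the old declaration would still link and would pass a set pointer where a record pointer is now expected, so the callee would read the wrong memory. I would bump whatever API/ABI version the library exposes in the same commit, or note in the commit message that out-of-tree callers must be rebuilt.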
...@@ -335,8 +335,10 @@ static int fetch_ns(struct kr_context *ctx, struct kr_zonecut *cut, ...@@ -335,8 +335,10 @@ static int fetch_ns(struct kr_context *ctx, struct kr_zonecut *cut,
/* Insert name servers for this zone cut, addresses will be looked up /* Insert name servers for this zone cut, addresses will be looked up
* on-demand (either from cache or iteratively) */ * on-demand (either from cache or iteratively) */
for (unsigned i = 0; i < ns_rds.count; ++i) { knot_rdata_t *rdata_i = ns_rds.rdata;
const knot_dname_t *ns_name = knot_ns_name(&ns_rds, i); for (unsigned i = 0; i < ns_rds.count;
++i, rdata_i = knot_rdataset_next(rdata_i)) {
const knot_dname_t *ns_name = knot_ns_name(rdata_i);
(void) kr_zonecut_add(cut, ns_name, NULL); (void) kr_zonecut_add(cut, ns_name, NULL);
/* Fetch NS reputation and decide whether to prefetch A/AAAA records. */ /* Fetch NS reputation and decide whether to prefetch A/AAAA records. */
unsigned *cached = lru_get_try(ctx->cache_rep, unsigned *cached = lru_get_try(ctx->cache_rep,
......
...@@ -4,6 +4,8 @@ local ffi = require('ffi') ...@@ -4,6 +4,8 @@ local ffi = require('ffi')
local mod = {} local mod = {}
local event_id = nil local event_id = nil