Commit 551f84e3 authored by Marek Vavruša's avatar Marek Vavruša

lib/dnssec: cleanup

parent 0c41b060
......@@ -619,7 +619,7 @@ static int wrk_resolve(lua_State *L)
knot_pkt_put_question(pkt, dname, rrclass, rrtype);
knot_wire_set_rd(pkt->wire);
/* Add OPT RR */
pkt->opt_rr = pkt->opt_rr = knot_rrset_copy(worker->engine->resolver.opt_rr, &pkt->mm);
pkt->opt_rr = knot_rrset_copy(worker->engine->resolver.opt_rr, &pkt->mm);
if (!pkt->opt_rr) {
return kr_error(ENOMEM);
}
......
......@@ -74,9 +74,8 @@ static int validate_rrsig_rr(int *flags, const knot_rrset_t *covered,
if (!flags || !covered || !rrsigs || !keys || !key || !zone_name) {
return kr_error(EINVAL);
}
#warning TODO: Make the comparison case-insensitive.
/* bullet 1 */
if ((covered->rclass != rrsigs->rclass) || (knot_dname_cmp(covered->owner, rrsigs->owner) != 0)) {
/* bullet 1 (presume same compression for the owner) */
if ((covered->rclass != rrsigs->rclass) || !knot_dname_is_equal(covered->owner, rrsigs->owner)) {
return kr_error(EINVAL);
}
/* bullet 2 */
......@@ -155,7 +154,7 @@ int kr_rrset_validate(const knot_pkt_t *pkt, knot_section_t section_id,
return kr_error(EINVAL);
}
int ret = kr_error(KNOT_DNSSEC_ENOKEY);
int ret = kr_error(ENOENT);
for (unsigned i = 0; i < keys->rrs.rr_count; ++i) {
ret = kr_rrset_validate_with_key(pkt, section_id, covered, keys, i, NULL, zone_name, timestamp, has_nsec3);
if (ret == 0) {
......@@ -186,7 +185,7 @@ int kr_rrset_validate_with_key(const knot_pkt_t *pkt, knot_section_t section_id,
key = created_key;
}
ret = kr_error(KNOT_DNSSEC_ENOKEY);
ret = kr_error(ENOENT);
const knot_pktsection_t *sec = knot_pkt_section(pkt, section_id);
for (unsigned i = 0; i < sec->count; ++i) {
/* Try every RRSIG. */
......
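Review bot: The owner check in validate_rrsig_rr (bullet 1) appears to drop the `#warning TODO: Make the comparison case-insensitive.` marker, but nothing in the hunk shows that `knot_dname_is_equal` folds case, and the new comment only mentions compression. If the comparison is byte-exact, an RRSIG whose owner differs from the covered RRset only in letter case is rejected with EINVAL. That fails closed, so the risk is spurious validation failures rather than acceptance of bad data. I would keep the open item visible until owners are compared in canonical (lowercased) form, e.g. `/* TODO: compare owners case-insensitively (RFC 4034, section 6.2) */` above the check. The function body starts and ends outside the hunk.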
......@@ -23,7 +23,7 @@
/**
* Check whether bitmap contains given type.
* @param bm Bitmap.
* @patam bm_size Bitmap size.
* @param bm_size Bitmap size.
* @param type RR type to search for.
* @return True if bitmap contains type.
*/
......
......@@ -62,7 +62,7 @@ int kr_authenticate_referral(const knot_rrset_t *ref, const dnssec_key_t *key)
*/
ret = (orig_ds_rdata.size == generated_ds_rdata.size) &&
(memcmp(orig_ds_rdata.data, generated_ds_rdata.data, orig_ds_rdata.size) == 0);
ret = ret ? kr_ok() : kr_error(KNOT_DNSSEC_ENOKEY);
ret = ret ? kr_ok() : kr_error(ENOENT);
fail:
dnssec_binary_free(&generated_ds_rdata);
......@@ -266,8 +266,7 @@ int kr_check_signature(const knot_rrset_t *rrsigs, size_t pos,
ret = dnssec_sign_verify(sign_ctx, &signature);
if (ret != KNOT_EOK) {
#warning TODO: proper DNSSEC error codes needed
ret = kr_error(ENOMEM);
ret = kr_error(EBADMSG);
goto fail;
}
......
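Review bot: In kr_authenticate_referral a DS digest mismatch now returns `kr_error(ENOENT)`, while a failed `dnssec_sign_verify` in kr_check_signature returns `kr_error(EBADMSG)`, so two authentication failures get different codes. The same commit also uses ENOENT as the default result in kr_rrset_validate and kr_rrset_validate_with_key, but EBADMSG for a missing DNSKEY in validate_records and validate_keyset. If any caller branches on these values to tell "nothing to validate with" from "validation failed", the mixed mapping could misclassify a bogus referral. I would use `ret = ret ? kr_ok() : kr_error(EBADMSG);` for the mismatch, and document in the function header comments which code means "no usable key" and which means "verification failed". Both functions extend beyond the hunks shown.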
......@@ -118,21 +118,17 @@ static int validate_section(struct kr_query *qry, knot_pkt_t *answer,
static int validate_records(struct kr_query *qry, knot_pkt_t *answer, mm_ctx_t *pool, bool has_nsec3)
{
#warning TODO: validate RRSIGS (records with ZSK, keys with KSK), return FAIL if failed
if (!qry->zone_cut.key) {
DEBUG_MSG(qry, "<= no DNSKEY, can't validate\n");
return kr_error(KNOT_DNSSEC_ENOKEY);
return kr_error(EBADMSG);
}
int ret;
ret = validate_section(qry, answer, KNOT_ANSWER, pool, has_nsec3);
int ret = validate_section(qry, answer, KNOT_ANSWER, pool, has_nsec3);
if (ret != 0) {
return ret;
}
ret = validate_section(qry, answer, KNOT_AUTHORITY, pool, has_nsec3);
return ret;
return validate_section(qry, answer, KNOT_AUTHORITY, pool, has_nsec3);
}
static int validate_keyset(struct kr_query *qry, knot_pkt_t *answer, bool has_nsec3)
......@@ -159,10 +155,8 @@ static int validate_keyset(struct kr_query *qry, knot_pkt_t *answer, bool has_ns
}
}
}
if (!qry->zone_cut.key) {
/* TODO -- Not sure about the error value. */
return kr_error(KNOT_DNSSEC_ENOKEY);
return kr_error(EBADMSG);
}
/* Check if there's a key for current TA. */
......
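Review bot: validate_keyset returns `kr_error(EBADMSG)` for a missing `qry->zone_cut.key` with no log line visible in the hunk, whereas validate_records first emits `DEBUG_MSG(qry, "<= no DNSKEY, can't validate\n");` for the same condition. Since EBADMSG is also what a failed signature check yields elsewhere in this commit, someone reading the debug log cannot tell a missing key from a bad signature on this path. I would add a matching message before the return, for example `DEBUG_MSG(qry, "<= no DNSKEY for current zone cut\n");`. validate_keyset starts and ends outside the hunk, so a message may already exist above.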