From dc81d8cb672112f88375e7bb71b548d7140f2f67 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Fri, 15 Jun 2018 09:59:20 +0200
Subject: [PATCH] Extract determine_active_algorithms() from dns_zoneverify_dnssec()

Extract the part of dns_zoneverify_dnssec() responsible for determining and printing a list of DNSSEC algorithms active in the verified zone to a separate function.
---
 lib/dns/zoneverify.c | 83 ++++++++++++++++++++++++++------------------
 1 file changed, 49 insertions(+), 34 deletions(-)

diff --git a/lib/dns/zoneverify.c b/lib/dns/zoneverify.c
index da90b8e016..1befc54cec 100644
--- a/lib/dns/zoneverify.c
+++ b/lib/dns/zoneverify.c
@@ -1308,6 +1308,54 @@ check_dnskey(vctx_t *vctx) {
 }
 }
 
+static void
+determine_active_algorithms(vctx_t *vctx, isc_boolean_t ignore_kskflag,
+ isc_boolean_t keyset_kskonly)
+{
+ char algbuf[DNS_SECALG_FORMATSIZE];
+ int i;
+
+ zoneverify_print(vctx,
+ "Verifying the zone using the following algorithms:");
+
+ for (i = 0; i < 256; i++) {
+ if (ignore_kskflag)
+ vctx->act_algorithms[i] =
+ (vctx->ksk_algorithms[i] != 0 ||
+ vctx->zsk_algorithms[i] != 0) ? 1 : 0;
+ else
+ vctx->act_algorithms[i] =
+ vctx->ksk_algorithms[i] != 0 ? 1 : 0;
+ if (vctx->act_algorithms[i] != 0) {
+ dns_secalg_format(i, algbuf, sizeof(algbuf));
+ zoneverify_print(vctx, " %s", algbuf);
+ }
+ }
+ zoneverify_print(vctx, ".\n");
+
+ if (ignore_kskflag || keyset_kskonly) {
+ return;
+ }
+
+ for (i = 0; i < 256; i++) {
+ /*
+ * The counts should both be zero or both be non-zero. Mark
+ * the algorithm as bad if this is not met.
+ */
+ if ((vctx->ksk_algorithms[i] != 0) ==
+ (vctx->zsk_algorithms[i] != 0))
+ continue;
+ dns_secalg_format(i, algbuf, sizeof(algbuf));
+ zoneverify_log_error(vctx,
+ "Missing %s for algorithm %s",
+ (vctx->ksk_algorithms[i] != 0)
+ ? "ZSK"
+ : "self-signed KSK",
+ algbuf);
+ vctx->bad_algorithms[i] = 1;
+ }
+}
+
 void
 dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 dns_name_t *origin, isc_mem_t *mctx,
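Review bot: determine_active_algorithms() has no header comment, and its name covers only half of what it does: besides filling `vctx->act_algorithms`, the second loop logs the "Missing ..." errors and sets `vctx->bad_algorithms[i] = 1`, and that loop is skipped entirely when `ignore_kskflag` or `keyset_kskonly` is set. A short block comment above `static void` should state that the function populates both arrays, that the KSK/ZSK consistency check is not performed under those two flags, and that inconsistencies are reported only through `vctx->bad_algorithms` since the function returns nothing. Both loops also hard-code `256` while the arrays are declared outside the hunk; if they are true arrays, a bound such as `sizeof(vctx->act_algorithms) / sizeof(vctx->act_algorithms[0])` would keep the index range tied to the storage.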
@@ -1341,40 +1389,7 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 fatal("No self-signed KSK DNSKEY found. Supply an active\n"
 "key with the KSK flag set, or use '-P'.");
 
- fprintf(stderr, "Verifying the zone using the following algorithms:");
- for (i = 0; i < 256; i++) {
- if (ignore_kskflag)
- vctx.act_algorithms[i] =
- (vctx.ksk_algorithms[i] != 0 ||
- vctx.zsk_algorithms[i] != 0) ? 1 : 0;
- else
- vctx.act_algorithms[i] =
- vctx.ksk_algorithms[i] != 0 ? 1 : 0;
- if (vctx.act_algorithms[i] != 0) {
- dns_secalg_format(i, algbuf, sizeof(algbuf));
- fprintf(stderr, " %s", algbuf);
- }
- }
- fprintf(stderr, ".\n");
-
- if (!ignore_kskflag && !keyset_kskonly) {
- for (i = 0; i < 256; i++) {
- /*
- * The counts should both be zero or both be non-zero.
- * Mark the algorithm as bad if this is not met.
- */
- if ((vctx.ksk_algorithms[i] != 0) ==
- (vctx.zsk_algorithms[i] != 0))
- continue;
- dns_secalg_format(i, algbuf, sizeof(algbuf));
- fprintf(stderr, "Missing %s for algorithm %s\n",
- (vctx.ksk_algorithms[i] != 0)
- ? "ZSK"
- : "self-signed KSK",
- algbuf);
- vctx.bad_algorithms[i] = 1;
- }
- }
+ determine_active_algorithms(&vctx, ignore_kskflag, keyset_kskonly);
 
 /*
 * Check that all the other records were signed by keys that are
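Review bot: The diagnostics behind the new `determine_active_algorithms(&vctx, ignore_kskflag, keyset_kskonly)` call no longer go through `fprintf(stderr, ...)` but through `zoneverify_print()` and `zoneverify_log_error()`, and the "Missing %s for algorithm %s" format has lost its trailing `\n`, so the change is more than the pure extraction the description announces. Neither helper is visible here; if `zoneverify_log_error()` does not terminate the line itself, the format should stay `"Missing %s for algorithm %s\n"` so consecutive key-set errors remain separate lines in the verification output. The removed lines were the only visible users of `i` and `algbuf` in dns_zoneverify_dnssec(), whose declarations lie outside the hunk, so those locals may now be unused and could be dropped.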