remove unnecessary clones of rrsig in dnssec

Benjamin Fry
2023-10-26 21:33:54 -07:00
parent 8538d68f8d
commit c15b91abdf


@@ -24,7 +24,6 @@ use crate::{
Algorithm, Proof, SupportedAlgorithms, TrustAnchor, Algorithm, Proof, SupportedAlgorithms, TrustAnchor,
}, },
rdata::opt::EdnsOption, rdata::opt::EdnsOption,
resource::RecordRef,
DNSClass, Name, RData, Record, RecordData, RecordType, DNSClass, Name, RData, Record, RecordData, RecordType,
}, },
xfer::{dns_handle::DnsHandle, DnsRequest, DnsRequestOptions, DnsResponse, FirstAnswer}, xfer::{dns_handle::DnsHandle, DnsRequest, DnsRequestOptions, DnsResponse, FirstAnswer},
@@ -63,11 +62,9 @@ impl Rrset<RData> {
} = self; } = self;
let original_len = records.len(); let original_len = records.len();
// This allocation is unfortunate,
let ok = records let ok = records
.into_iter() .into_iter()
.map_while(|r| Record::<R>::try_from(r.clone()).ok()) .map_while(|r| Record::<R>::try_from(r).ok())
.collect::<Vec<Record<R>>>(); .collect::<Vec<Record<R>>>();
debug_assert_eq!(ok.len(), original_len); debug_assert_eq!(ok.len(), original_len);
@@ -733,8 +730,8 @@ where
// the DNSKey validation should come after, see verify_rrset(). // the DNSKey validation should come after, see verify_rrset().
return future::ready( return future::ready(
rrsigs rrsigs
.into_iter() .iter()
.filter_map(|sig| { .find_map(|rrsig| {
let rrset = Arc::clone(&rrset); let rrset = Arc::clone(&rrset);
if rrset if rrset
@@ -743,7 +740,7 @@ where
.filter_map(|r| r.data().map(|d| (d, r.name()))) .filter_map(|r| r.data().map(|d| (d, r.name())))
.filter_map(|(d, n)| DNSKEY::try_borrow(d).map(|d| (d, n))) .filter_map(|(d, n)| DNSKEY::try_borrow(d).map(|d| (d, n)))
.any(|(dnskey, dnskey_name)| { .any(|(dnskey, dnskey_name)| {
verify_rrset_with_dnskey(dnskey_name, dnskey, &sig, &rrset).is_ok() verify_rrset_with_dnskey(dnskey_name, dnskey, rrsig, &rrset).is_ok()
}) })
{ {
Some(()) Some(())
@@ -751,7 +748,6 @@ where
None None
} }
}) })
.next()
.ok_or_else(|| { .ok_or_else(|| {
ProtoError::from(ProtoErrorKind::Message("self-signed dnskey is invalid")) ProtoError::from(ProtoErrorKind::Message("self-signed dnskey is invalid"))
}), }),
@@ -769,7 +765,7 @@ where
// susceptible until that algorithm is removed as an option. // susceptible until that algorithm is removed as an option.
// dns over TLS will mitigate this. // dns over TLS will mitigate this.
// TODO: strip RRSIGS to accepted algorithms and make algorithms configurable. // TODO: strip RRSIGS to accepted algorithms and make algorithms configurable.
let verifications = rrsigs.into_iter() let verifications = rrsigs.iter()
.map(|sig| { .map(|sig| {
let rrset = Arc::clone(&rrset); let rrset = Arc::clone(&rrset);
let handle = handle.clone_with_context(); let handle = handle.clone_with_context();
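Review bot: In the `impl Rrset<RData>` hunk, `map_while(|r| Record::<R>::try_from(r).ok())` stops at the first record that fails to convert, and the only check on the result is `debug_assert_eq!(ok.len(), original_len)`, which is compiled out of release builds by default. A release build would then carry on with a shortened record set without any signal, which is worth avoiding in DNSSEC code where the records validated should be exactly the records received. Consider making the length check unconditional, or collecting with `.map(Record::<R>::try_from).collect::<Result<Vec<_>, _>>()` and propagating the failure, if the function's return type allows it. The function starts and ends outside this hunk, so its signature and any caller-side guarantee that makes the conversion infallible are not visible here.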