* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: validator.c,v 1.96 2001/11/30 01:59:21 gson Exp $ */
+/* $Id: validator.c,v 1.97 2002/02/01 20:08:56 bwelling Exp $ */
#include <config.h>
static void
nullkeyvalidated(isc_task_t *task, isc_event_t *event);
-static inline isc_boolean_t
+static isc_boolean_t
containsnullkey(dns_validator_t *val, dns_rdataset_t *rdataset);
-static inline isc_result_t
+static isc_result_t
get_dst_key(dns_validator_t *val, dns_rdata_sig_t *siginfo,
dns_rdataset_t *rdataset);
-static inline isc_result_t
+static isc_result_t
validate(dns_validator_t *val, isc_boolean_t resume);
-static inline isc_result_t
+static isc_result_t
nxtvalidate(dns_validator_t *val, isc_boolean_t resume);
-static inline isc_result_t
+static isc_result_t
proveunsecure(dns_validator_t *val, isc_boolean_t resume);
+static void
+validator_logv(dns_validator_t *val, isc_logcategory_t *category,
+ isc_logmodule_t *module, int level, const char *fmt, va_list ap)
+ ISC_FORMAT_PRINTF(5, 0);
+
static void
validator_log(dns_validator_t *val, int level, const char *fmt, ...)
ISC_FORMAT_PRINTF(3, 4);
* Try to find a null zone key among those in 'rdataset'. If found, build
* a dst_key_t for it and point val->key at it.
*/
-static inline isc_boolean_t
+static isc_boolean_t
containsnullkey(dns_validator_t *val, dns_rdataset_t *rdataset) {
isc_result_t result;
dst_key_t *key = NULL;
*
* If val->key is non-NULL, this returns the next matching key.
*/
-static inline isc_result_t
+static isc_result_t
get_dst_key(dns_validator_t *val, dns_rdata_sig_t *siginfo,
dns_rdataset_t *rdataset)
{
return (result);
}
-static inline isc_result_t
+static isc_result_t
get_key(dns_validator_t *val, dns_rdata_sig_t *siginfo) {
isc_result_t result;
- dns_validatorevent_t *event;
unsigned int nbits, nlabels;
int order;
dns_namereln_t namereln;
- event = val->event;
-
/*
- * Is the key name appropriate for this signature?
- * This previously checked for self-signed keys. Now, if the key
- * is self signed with a preconfigured key, it's ok.
+ * Is the signer name appropriate for this signature?
+ *
+ * The signer name must be at the same level as the owner name
+ * or closer to the the DNS root.
*/
- namereln = dns_name_fullcompare(event->name, &siginfo->signer,
+ namereln = dns_name_fullcompare(val->event->name, &siginfo->signer,
&order, &nlabels, &nbits);
if (namereln != dns_namereln_subdomain &&
- namereln != dns_namereln_equal) {
- /*
- * The key name is not at the same level
- * as 'rdataset', nor is it closer to the
- * DNS root.
- */
+ namereln != dns_namereln_equal)
return (DNS_R_CONTINUE);
- }
/*
* Is the key used for the signature a security root?
*/
INSIST(val->keynode == NULL);
- val->keytable = val->view->secroots;
- result = dns_keytable_findkeynode(val->view->secroots,
+ result = dns_keytable_findkeynode(val->keytable,
&siginfo->signer,
siginfo->algorithm, siginfo->keyid,
&val->keynode);
* itself, so we ignore the signature if it was not made by
* an ancestor of the KEY or a preconfigured key.
*/
- if (event->rdataset->type == dns_rdatatype_key &&
+ if (val->event->rdataset->type == dns_rdatatype_key &&
namereln == dns_namereln_equal)
{
validator_log(val, ISC_LOG_DEBUG(3),
dns_name_t *name;
dns_rdataset_t *rdataset;
isc_mem_t *mctx;
- dns_keytable_t *secroots;
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_result_t result;
dns_keynode_t *keynode, *nextnode;
name = val->event->name;
rdataset = val->event->rdataset;
mctx = val->view->mctx;
- secroots = val->view->secroots;
for (result = dns_rdataset_first(rdataset);
result == ISC_R_SUCCESS;
continue;
keynode = NULL;
result = dns_keytable_findkeynode(
- secroots, name,
+ val->keytable, name,
(dns_secalg_t)dst_key_alg(key),
dst_key_id(key),
&keynode);
secrootkey = dns_keynode_key(keynode);
if (dst_key_compare(key, secrootkey)) {
match = ISC_TRUE;
- dns_keytable_detachkeynode(secroots, &keynode);
+ dns_keytable_detachkeynode(val->keytable,
+ &keynode);
break;
}
nextnode = NULL;
- result = dns_keytable_findnextkeynode(secroots,
+ result = dns_keytable_findnextkeynode(val->keytable,
keynode,
&nextnode);
- dns_keytable_detachkeynode(secroots, &keynode);
+ dns_keytable_detachkeynode(val->keytable, &keynode);
}
dst_key_free(&key);
* for an event.
* Other return codes are possible and all indicate failure.
*/
-static inline isc_result_t
+static isc_result_t
validate(dns_validator_t *val, isc_boolean_t resume) {
isc_result_t result;
dns_validatorevent_t *event;
/*
* If this is a security root, it's ok.
*/
- if (!resume) {
+ if (val->event->type == dns_rdatatype_key && !resume) {
dns_fixedname_t fsecroot;
dns_name_t *secroot;
dns_fixedname_init(&fsecroot);
secroot = dns_fixedname_name(&fsecroot);
- result = dns_keytable_finddeepestmatch(val->view->secroots,
+ result = dns_keytable_finddeepestmatch(val->keytable,
val->event->name,
secroot);
if (result == ISC_R_SUCCESS &&
- val->event->type == dns_rdatatype_key &&
dns_name_equal(val->event->name, secroot) &&
issecurityroot(val))
{
{
dns_rdata_reset(&rdata);
dns_rdataset_current(event->sigrdataset, &rdata);
- if (val->siginfo != NULL)
- isc_mem_put(val->view->mctx, val->siginfo,
- sizeof(*val->siginfo));
- val->siginfo = isc_mem_get(val->view->mctx,
- sizeof(*val->siginfo));
- if (val->siginfo == NULL)
- return (ISC_R_NOMEMORY);
+ if (val->siginfo == NULL) {
+ val->siginfo = isc_mem_get(val->view->mctx,
+ sizeof(*val->siginfo));
+ if (val->siginfo == NULL)
+ return (ISC_R_NOMEMORY);
+ }
result = dns_rdata_tostruct(&rdata, val->siginfo, NULL);
if (result != ISC_R_SUCCESS)
return (result);
return (result);
}
+ /*
+ * The key is insecure, so mark the data as insecure also.
+ */
if (val->key == NULL) {
event->rdataset->trust = dns_trust_answer;
event->sigrdataset->trust = dns_trust_answer;
}
-static inline isc_result_t
+static isc_result_t
nxtvalidate(dns_validator_t *val, isc_boolean_t resume) {
dns_name_t *name;
dns_message_t *message = val->event->message;
}
}
-static inline isc_result_t
+static isc_result_t
proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
isc_result_t result;
dns_fixedname_t secroot, tfname;
dns_fixedname_init(&secroot);
dns_fixedname_init(&tfname);
- result = dns_keytable_finddeepestmatch(val->view->secroots,
+ result = dns_keytable_finddeepestmatch(val->keytable,
val->event->name,
dns_fixedname_name(&secroot));
/*
/*
* This looks like a simple validation. We say "looks like"
- * because we don't know if wildcards are involved yet so it
- * could still get complicated.
+ * because it might end up requiring an insecurity proof.
*/
validator_log(val, ISC_LOG_DEBUG(3),
"attempting positive response validation");
result = proveunsecure(val, ISC_FALSE);
} else if (val->event->rdataset == NULL &&
- val->event->sigrdataset == NULL)
+ val->event->sigrdataset == NULL)
{
/*
* This is a nonexistence validation.
val->fetch = NULL;
val->keyvalidator = NULL;
val->authvalidator = NULL;
+ val->keytable = NULL;
+ dns_keytable_attach(val->view->secroots, &val->keytable);
val->keynode = NULL;
val->key = NULL;
val->siginfo = NULL;
dns_keytable_detachkeynode(val->keytable, &val->keynode);
else if (val->key != NULL)
dst_key_free(&val->key);
+ if (val->keytable != NULL)
+ dns_keytable_detach(&val->keytable);
if (val->keyvalidator != NULL)
dns_validator_destroy(&val->keyvalidator);
if (val->authvalidator != NULL)
*validatorp = NULL;
}
-
-static void
-validator_logv(dns_validator_t *val, isc_logcategory_t *category,
- isc_logmodule_t *module, int level, const char *fmt, va_list ap)
- ISC_FORMAT_PRINTF(5, 0);
-
static void
validator_logv(dns_validator_t *val, isc_logcategory_t *category,
isc_logmodule_t *module, int level, const char *fmt, va_list ap)
projects / thirdparty / bind9.git / commitdiff
