* reported in the TAT query.
*/
static isc_result_t
-get_tat_qname(dns_name_t *target, dns_name_t *keyname,
- dns_keytable_t *keytable, dns_keynode_t *keynode)
-{
- dns_keynode_t *firstnode = keynode;
- dns_keynode_t *nextnode = NULL;
+get_tat_qname(dns_name_t *target, dns_name_t *keyname, dns_keynode_t *keynode) {
dns_rdataset_t *dsset = NULL;
unsigned int i, n = 0;
uint16_t ids[12];
n++;
}
}
- } else {
- do {
- dst_key_t *key = dns_keynode_key(keynode);
- if (key != NULL) {
- if (n < (sizeof(ids)/sizeof(ids[0]))) {
- ids[n] = dst_key_id(key);
- n++;
- }
- }
- nextnode = NULL;
- (void)dns_keytable_nextkeynode(keytable, keynode,
- &nextnode);
- if (keynode != firstnode) {
- dns_keytable_detachkeynode(keytable, &keynode);
- }
- keynode = nextnode;
- } while (keynode != NULL);
}
if (n == 0) {
task = dotat_arg->task;
tatname = dns_fixedname_initname(&fixed);
- result = get_tat_qname(tatname, keyname, keytable, keynode);
+ result = get_tat_qname(tatname, keyname, keynode);
if (result != ISC_R_SUCCESS) {
return;
}
dns_keytable_find(dns_keytable_t *keytable, const dns_name_t *keyname,
dns_keynode_t **keynodep);
/*%<
- * Search for the first instance of a key named 'name' in 'keytable',
- * without regard to keyid and algorithm. Use dns_keytable_nextkeynode()
- * to find subsequent instances.
+ * Search for the first instance of a trust anchor named 'name' in
+ * 'keytable', without regard to keyid and algorithm.
*
* Requires:
*
*\li Any other result indicates an error.
*/
-isc_result_t
-dns_keytable_nextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
- dns_keynode_t **nextnodep);
-/*%<
- * Return for the next key after 'keynode' in 'keytable', without regard to
- * keyid and algorithm.
- *
- * Requires:
- *
- *\li 'keytable' is a valid keytable.
- *
- *\li 'keynode' is a valid keynode.
- *
- *\li nextnodep != NULL && *nextnodep == NULL
- *
- * Returns:
- *
- *\li ISC_R_SUCCESS
- *\li ISC_R_NOTFOUND
- *
- *\li Any other result indicates an error.
- */
-
-isc_result_t
-dns_keytable_findkeynode(dns_keytable_t *keytable, const dns_name_t *name,
- dns_secalg_t algorithm, dns_keytag_t tag,
- dns_keynode_t **keynodep);
-/*%<
- * Search for a key named 'name', matching 'algorithm' and 'tag' in
- * 'keytable'. This finds the first instance which matches. Use
- * dns_keytable_findnextkeynode() to find other instances.
- *
- * Requires:
- *
- *\li 'keytable' is a valid keytable.
- *
- *\li 'name' is a valid absolute name.
- *
- *\li keynodep != NULL && *keynodep == NULL
- *
- * Returns:
- *
- *\li ISC_R_SUCCESS
- *\li DNS_R_PARTIALMATCH the name existed in the keytable.
- *\li ISC_R_NOTFOUND
- *
- *\li Any other result indicates an error.
- */
-
-isc_result_t
-dns_keytable_findnextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
- dns_keynode_t **nextnodep);
-/*%<
- * Search for the next key with the same properties as 'keynode' in
- * 'keytable' as found by dns_keytable_findkeynode().
- *
- * Requires:
- *
- *\li 'keytable' is a valid keytable.
- *
- *\li 'keynode' is a valid keynode.
- *
- *\li nextnodep != NULL && *nextnodep == NULL
- *
- * Returns:
- *
- *\li ISC_R_SUCCESS
- *\li ISC_R_NOTFOUND
- *
- *\li Any other result indicates an error.
- */
-
isc_result_t
dns_keytable_finddeepestmatch(dns_keytable_t *keytable, const dns_name_t *name,
dns_name_t *foundname);
* Dump the keytable to buffer at 'buf'
*/
-dst_key_t *
-dns_keynode_key(dns_keynode_t *keynode);
-/*%<
- * Get the DST key associated with keynode.
- */
-
dns_rdataset_t *
dns_keynode_dsset(dns_keynode_t *keynode);
/*%<
void
dns_keynode_detach(isc_mem_t *mctx, dns_keynode_t **target);
/*%<
- * Detach a single keynode, without touching any keynodes that
- * may be pointed to by its 'next' pointer
+ * Detach a keynode.
*/
void
return (result);
}
-isc_result_t
-dns_keytable_nextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
- dns_keynode_t **nextnodep)
-{
- /*
- * Return the next key after 'keynode', regardless of
- * properties.
- */
-
- REQUIRE(VALID_KEYTABLE(keytable));
- REQUIRE(VALID_KEYNODE(keynode));
- REQUIRE(nextnodep != NULL && *nextnodep == NULL);
-
- if (keynode->next == NULL) {
- return (ISC_R_NOTFOUND);
- }
-
- dns_keytable_attachkeynode(keytable, keynode->next, nextnodep);
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_keytable_findkeynode(dns_keytable_t *keytable, const dns_name_t *name,
- dns_secalg_t algorithm, dns_keytag_t tag,
- dns_keynode_t **keynodep)
-{
- isc_result_t result;
- dns_keynode_t *knode;
- void *data;
-
- /*
- * Search for a key named 'name', matching 'algorithm' and 'tag' in
- * 'keytable'.
- */
-
- REQUIRE(VALID_KEYTABLE(keytable));
- REQUIRE(dns_name_isabsolute(name));
- REQUIRE(keynodep != NULL && *keynodep == NULL);
-
- RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
-
- /*
- * Note we don't want the DNS_R_PARTIALMATCH from dns_rbt_findname()
- * as that indicates that 'name' was not found.
- *
- * DNS_R_PARTIALMATCH indicates that the name was found but we
- * didn't get a match on algorithm and key id arguments.
- */
- knode = NULL;
- data = NULL;
- result = dns_rbt_findname(keytable->table, name, 0, NULL, &data);
- if (result == ISC_R_SUCCESS) {
- INSIST(data != NULL);
-
- for (knode = data; knode != NULL; knode = knode->next) {
- if (knode->key == NULL) {
- knode = NULL;
- break;
- }
- if (algorithm == dst_key_alg(knode->key) &&
- tag == dst_key_id(knode->key))
- {
- break;
- }
- }
- if (knode != NULL) {
- dns_keytable_attachkeynode(keytable, knode, keynodep);
- } else {
- result = DNS_R_PARTIALMATCH;
- }
- } else if (result == DNS_R_PARTIALMATCH) {
- result = ISC_R_NOTFOUND;
- }
-
- RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
-
- return (result);
-}
-
-isc_result_t
-dns_keytable_findnextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
- dns_keynode_t **nextnodep)
-{
- isc_result_t result;
- dns_keynode_t *knode;
-
- /*
- * Search for the next key with the same properties as 'keynode' in
- * 'keytable'.
- */
-
- REQUIRE(VALID_KEYTABLE(keytable));
- REQUIRE(VALID_KEYNODE(keynode));
- REQUIRE(nextnodep != NULL && *nextnodep == NULL);
-
- for (knode = keynode->next; knode != NULL; knode = knode->next) {
- if (knode->key == NULL) {
- knode = NULL;
- break;
- }
- if (dst_key_alg(keynode->key) == dst_key_alg(knode->key) &&
- dst_key_id(keynode->key) == dst_key_id(knode->key))
- {
- break;
- }
- }
- if (knode != NULL) {
- dns_keytable_attachkeynode(keytable, knode, nextnodep);
- result = ISC_R_SUCCESS;
- } else {
- result = ISC_R_NOTFOUND;
- }
-
- return (result);
-}
-
isc_result_t
dns_keytable_finddeepestmatch(dns_keytable_t *keytable, const dns_name_t *name,
dns_name_t *foundname)
REQUIRE(VALID_KEYNODE(source));
REQUIRE(target != NULL && *target == NULL);
- REQUIRE(atomic_fetch_add_relaxed(&keytable->active_nodes, 1) < UINT32_MAX);
+ REQUIRE(atomic_fetch_add_relaxed(&keytable->active_nodes,
+ 1) < UINT32_MAX);
dns_keynode_attach(source, target);
}
}
goto cleanup;
}
- REQUIRE(atomic_fetch_add_relaxed(&keytable->active_nodes, 1)
- < UINT32_MAX);
+ REQUIRE(atomic_fetch_add_relaxed(&keytable->active_nodes,
+ 1) < UINT32_MAX);
for (;;) {
dns_rbtnodechain_current(&chain, foundname, origin, &node);
if (node->data != NULL) {
return (result);
}
-dst_key_t *
-dns_keynode_key(dns_keynode_t *keynode) {
- REQUIRE(VALID_KEYNODE(keynode));
-
- return (keynode->key);
-}
-
dns_rdataset_t *
dns_keynode_dsset(dns_keynode_t *keynode) {
REQUIRE(VALID_KEYNODE(keynode));
add_test(void **state) {
dst_key_t *key = NULL;
dns_keynode_t *keynode = NULL;
- dns_keynode_t *next_keynode = NULL;
dns_keynode_t *null_keynode = NULL;
UNUSED(state);
create_tables();
/*
- * Get the keynode for the example.com key. There's no other key for
- * the name, so nextkeynode() should return NOTFOUND.
+ * Getting the keynode for the example.com key should succeed.
*/
assert_int_equal(dns_keytable_find(keytable, str2name("example.com"),
&keynode),
ISC_R_SUCCESS);
- assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
- &next_keynode),
- ISC_R_NOTFOUND);
/*
- * Try to add the same key. This should have no effect, so
- * nextkeynode() should still return NOTFOUND.
+ * Try to add the same key. This should have no effect but
+ * report success.
*/
create_key(257, 3, 5, "example.com", keystr1, &key);
assert_int_equal(dns_keytable_add(keytable, false, false,
dst_key_name(key), &key, NULL),
ISC_R_SUCCESS);
- assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
- &next_keynode),
- ISC_R_NOTFOUND);
+ dns_keytable_detachkeynode(keytable, &keynode);
+ assert_int_equal(dns_keytable_find(keytable, str2name("example.com"),
+ &keynode),
+ ISC_R_SUCCESS);
/* Add another key (different keydata) */
dns_keytable_detachkeynode(keytable, &keynode);
assert_int_equal(dns_keytable_find(keytable, str2name("example.com"),
&keynode),
ISC_R_SUCCESS);
- assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
- &next_keynode),
- ISC_R_SUCCESS);
- dns_keytable_detachkeynode(keytable, &next_keynode);
dns_keytable_detachkeynode(keytable, &keynode);
/*
- * Get the keynode for the managed.com key. There's no other key for
- * the name, so nextkeynode() should return NOTFOUND. Ensure the
+ * Get the keynode for the managed.com key. Ensure the
* retrieved key is an initializing key, then mark it as trusted using
* dns_keynode_trust() and ensure the latter works as expected.
*/
assert_int_equal(dns_keytable_find(keytable, str2name("managed.com"),
&keynode),
ISC_R_SUCCESS);
- assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
- &next_keynode),
- ISC_R_NOTFOUND);
assert_int_equal(dns_keynode_initial(keynode), true);
dns_keynode_trust(keynode);
assert_int_equal(dns_keynode_initial(keynode), false);
/*
* Add a different managed key for managed.com, marking it as an
- * initializing key. Ensure nextkeynode() no longer returns
- * ISC_R_NOTFOUND and that the added key is an initializing key.
+ * initializing key.
*/
create_key(257, 3, 5, "managed.com", keystr2, &key);
assert_int_equal(dns_keytable_add(keytable, true, true,
assert_int_equal(dns_keytable_find(keytable, str2name("managed.com"),
&keynode),
ISC_R_SUCCESS);
- assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
- &next_keynode),
- ISC_R_SUCCESS);
assert_int_equal(dns_keynode_initial(keynode), true);
- dns_keytable_detachkeynode(keytable, &next_keynode);
dns_keytable_detachkeynode(keytable, &keynode);
/*
&keynode),
ISC_R_SUCCESS);
assert_int_equal(dns_keynode_initial(keynode), false);
- assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
- &next_keynode),
- ISC_R_SUCCESS);
- dns_keytable_detachkeynode(keytable, &keynode);
- keynode = next_keynode;
- next_keynode = NULL;
- assert_int_equal(dns_keynode_initial(keynode), false);
- assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
- &next_keynode),
- ISC_R_NOTFOUND);
dns_keytable_detachkeynode(keytable, &keynode);
/*
* Add a managed key at a new node, two.com, marking it as an
- * initializing key. Ensure nextkeynode() returns ISC_R_NOTFOUND and
- * that the added key is an initializing key.
+ * initializing key.
*/
create_key(257, 3, 5, "two.com", keystr1, &key);
assert_int_equal(dns_keytable_add(keytable, true, true,
assert_int_equal(dns_keytable_find(keytable, str2name("two.com"),
&keynode),
ISC_R_SUCCESS);
- assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
- &next_keynode),
- ISC_R_NOTFOUND);
assert_int_equal(dns_keynode_initial(keynode), true);
dns_keytable_detachkeynode(keytable, &keynode);
/*
* Add a different managed key for two.com, marking it as a
- * non-initializing key. Ensure nextkeynode() no longer returns
- * ISC_R_NOTFOUND and that the added key is not an initializing key.
+ * non-initializing key.
*/
create_key(257, 3, 5, "two.com", keystr2, &key);
assert_int_equal(dns_keytable_add(keytable, true, false,
assert_int_equal(dns_keytable_find(keytable, str2name("two.com"),
&keynode),
ISC_R_SUCCESS);
- assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
- &next_keynode), ISC_R_SUCCESS);
assert_int_equal(dns_keynode_initial(keynode), false);
- dns_keytable_detachkeynode(keytable, &next_keynode);
dns_keytable_detachkeynode(keytable, &keynode);
/*
&keynode),
ISC_R_SUCCESS);
assert_int_equal(dns_keynode_initial(keynode), false);
- assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
- &next_keynode),
- ISC_R_SUCCESS);
- dns_keytable_detachkeynode(keytable, &keynode);
- keynode = next_keynode;
- next_keynode = NULL;
- assert_int_equal(dns_keynode_initial(keynode), false);
- assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
- &next_keynode),
- ISC_R_NOTFOUND);
dns_keytable_detachkeynode(keytable, &keynode);
/*
&keynode),
ISC_R_SUCCESS);
assert_int_equal(keynode, null_keynode); /* should be the same node */
- assert_non_null(dns_keynode_key(keynode)); /* now have a key */
dns_keytable_detachkeynode(keytable, &null_keynode);
/*
* Try to add a null key to a name that already has a key. It's
- * effectively no-op, so the same key node is still there, with no
- * no next node.
+ * effectively no-op, so the same key node is still there.
* (Note: this and above checks confirm that if a name has a null key
* that's the only key for the name).
*/
&null_keynode),
ISC_R_SUCCESS);
assert_int_equal(keynode, null_keynode);
- assert_non_null(dns_keynode_key(keynode));
- assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
- &next_keynode),
- ISC_R_NOTFOUND);
dns_keytable_detachkeynode(keytable, &null_keynode);
dns_keytable_detachkeynode(keytable, &keynode);
str2name("null.example"),
&keynode),
ISC_R_SUCCESS);
- assert_int_equal(dns_keynode_key(keynode), NULL);
dns_keytable_detachkeynode(keytable, &keynode);
/*
ISC_R_SUCCESS);
assert_true(dns_name_equal(name, str2name("null.example")));
- /*
- * dns_keytable_findkeynode() requires exact name, algorithm, keytag
- * match. If algorithm or keytag doesn't match, should result in
- * PARTIALMATCH. Same for a node with a null key.
- */
- assert_int_equal(dns_keytable_findkeynode(keytable,
- str2name("example.org"),
- 5, keytag1, &keynode),
- ISC_R_NOTFOUND);
- assert_int_equal(dns_keytable_findkeynode(keytable,
- str2name("sub.example.com"),
- 5, keytag1, &keynode),
- ISC_R_NOTFOUND);
- assert_int_equal(dns_keytable_findkeynode(keytable,
- str2name("example.com"),
- 4, keytag1, &keynode),
- DNS_R_PARTIALMATCH); /* different algorithm */
- assert_int_equal(dns_keytable_findkeynode(keytable,
- str2name("example.com"),
- 5, keytag1 + 1, &keynode),
- DNS_R_PARTIALMATCH); /* different keytag */
- assert_int_equal(dns_keytable_findkeynode(keytable,
- str2name("null.example"),
- 5, 0, &keynode),
- DNS_R_PARTIALMATCH); /* null key */
- assert_int_equal(dns_keytable_findkeynode(keytable,
- str2name("example.com"),
- 5, keytag1, &keynode),
- ISC_R_SUCCESS); /* complete match */
- dns_keytable_detachkeynode(keytable, &keynode);
-
destroy_tables();
}
return (result);
}
-static isc_result_t
-anchor_signed(dns_validator_t *val, isc_result_t *resp) {
- isc_result_t result;
- bool atsep = false;
-
- /*
- * First, see if this key was signed by a trust anchor.
- */
- for (result = dns_rdataset_first(val->event->sigrdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(val->event->sigrdataset))
- {
- dns_keynode_t *keynode = NULL;
- dns_rdata_t sigrdata = DNS_RDATA_INIT;
- dns_fixedname_t fixed;
- dns_name_t *found;
- dst_key_t *dstkey;
- dns_rdata_rrsig_t sig;
-
- found = dns_fixedname_initname(&fixed);
- dns_rdata_reset(&sigrdata);
- dns_rdataset_current(val->event->sigrdataset, &sigrdata);
- result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
- if (!dns_name_equal(val->event->name, &sig.signer)) {
- continue;
- }
-
- result = dns_keytable_findkeynode(val->keytable,
- val->event->name,
- sig.algorithm, sig.keyid,
- &keynode);
- if (result == ISC_R_NOTFOUND) {
- result = dns_keytable_finddeepestmatch(val->keytable,
- val->event->name,
- found);
- if (result != ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "not beneath secure root");
- *resp = markanswer(val, "validate_dnskey (1)",
- "not beneath secure root");
- return (ISC_R_COMPLETE);
- }
- continue;
- }
-
- if (result == DNS_R_PARTIALMATCH || result == ISC_R_SUCCESS) {
- atsep = true;
- }
-
- while (result == ISC_R_SUCCESS) {
- dns_keynode_t *nextnode = NULL;
- dstkey = dns_keynode_key(keynode);
- if (dstkey == NULL) {
- dns_keytable_detachkeynode(val->keytable,
- &keynode);
- break;
- }
-
- result = verify(val, dstkey, &sigrdata, sig.keyid);
- if (result == ISC_R_SUCCESS) {
- dns_keytable_detachkeynode(val->keytable,
- &keynode);
- break;
- }
-
- result = dns_keytable_findnextkeynode(val->keytable,
- keynode,
- &nextnode);
- dns_keytable_detachkeynode(val->keytable, &keynode);
- keynode = nextnode;
- }
-
- if (result == ISC_R_SUCCESS) {
- marksecure(val->event);
- validator_log(val, ISC_LOG_DEBUG(3),
- "signed by trusted key; "
- "marking as secure");
- *resp = result;
- return (ISC_R_COMPLETE);
- }
- }
-
- if (atsep) {
- /*
- * We have not found a key to verify this DNSKEY
- * RRset, but there is a trust anchor defined for this
- * name, so we have to assume that the RRset is invalid.
- */
- char namebuf[DNS_NAME_FORMATSIZE];
-
- dns_name_format(val->event->name, namebuf, sizeof(namebuf));
- validator_log(val, ISC_LOG_NOTICE,
- "unable to find a DNSKEY which verifies "
- "the DNSKEY RRset and also matches a "
- "trusted key for '%s'", namebuf);
- *resp = DNS_R_NOVALIDKEY;
- return (ISC_R_COMPLETE);
- }
-
- return (result);
-}
-
/*
* get_dsset is called to look up a DS RRset corresponding to the name
* of a DNSKEY record, either in the cache or, if necessary, by starting a
if (val->dsset == NULL) {
isc_result_t tresult = ISC_R_SUCCESS;
- /*
- * First, check whether the key to be validated was
- * signed by a trust anchor.
- */
- result = anchor_signed(val, &tresult);
- if (result == ISC_R_COMPLETE) {
- return (tresult);
- }
-
/*
* If this is the root name and there was no trusted key,
* we can give up now, since there's no DS at the root.
dns_keynode_detachall
dns_keynode_dsset
dns_keynode_initial
-dns_keynode_key
dns_keynode_managed
dns_keynode_trust
dns_keyring_restore
dns_keytable_dump
dns_keytable_find
dns_keytable_finddeepestmatch
-dns_keytable_findkeynode
-dns_keytable_findnextkeynode
dns_keytable_forall
dns_keytable_issecuredomain
dns_keytable_marksecure
-dns_keytable_nextkeynode
dns_keytable_totext
dns_lib_init
dns_lib_shutdown
isc_stdtime_get(&now);
/*
- * If the keynode has neither a key nor a DS RRset,
- * we shouldn't be here.
+ * If the keynode has no trust anchor set, we shouldn't be here.
*/
- if (dns_keynode_key(keynode) == NULL &&
- dns_keynode_dsset(keynode) == NULL)
- {
+ if (dns_keynode_dsset(keynode) == NULL) {
return (ISC_R_FAILURE);
}
}
/*
- * If the keynode has neither a key-style nor a DS-style
- * trust anchor, return.
+ * If the keynode has no trust anchor set, return.
*/
- if (dns_keynode_dsset(keynode) == NULL &&
- dns_keynode_key(keynode) == NULL)
- {
+ if (dns_keynode_dsset(keynode) == NULL) {
return;
}
}
/*
- * If the first keynode has a DS trust anchor, use that for
- * verification.
+ * If the keynode has a DS trust anchor, use it for verification.
*/
if ((dsset = dns_keynode_dsset(keynode)) != NULL) {
for (result = dns_rdataset_first(dnskeysigs);
break;
}
}
- goto anchors_done;
- } else {
- dns_keytable_detachkeynode(secroots, &keynode);
- }
-
- /*
- * Validate the DNSKEY set against using the key-style
- * trust anchor(s).
- */
- for (result = dns_rdataset_first(dnskeysigs);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(dnskeysigs))
- {
- result = dns_keytable_find(secroots, keyname, &keynode);
- if (result != ISC_R_SUCCESS) {
- goto anchors_done;
- }
- dns_rdata_reset(&sigrr);
- dns_rdataset_current(dnskeysigs, &sigrr);
- result = dns_rdata_tostruct(&sigrr, &sig, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
- result = ISC_R_SUCCESS;
- while (result == ISC_R_SUCCESS) {
- dns_keynode_t *nextnode = NULL;
-
- dstkey = dns_keynode_key(keynode);
- if (dstkey == NULL) {
- /* fail_secure() was called */
- break;
- }
-
- if (dst_key_alg(dstkey) == sig.algorithm &&
- dst_key_id(dstkey) == sig.keyid)
- {
- result = dns_dnssec_verify(keyname, dnskeys,
- dstkey, false, 0,
- mctx, &sigrr, NULL);
-
- dnssec_log(zone, ISC_LOG_DEBUG(3),
- "Verifying DNSKEY set "
- "for zone '%s' "
- "using key %d/%d: %s",
- namebuf, sig.keyid,
- sig.algorithm,
- dns_result_totext(result));
-
- if (result == ISC_R_SUCCESS) {
- dnskeys->trust = dns_trust_secure;
- dnskeysigs->trust = dns_trust_secure;
- secure = true;
- initial = dns_keynode_initial(keynode);
- dns_keynode_trust(keynode);
- break;
- }
- }
-
- result = dns_keytable_nextkeynode(secroots, keynode,
- &nextnode);
- if (result == ISC_R_SUCCESS) {
- dns_keytable_detachkeynode(secroots, &keynode);
- keynode = nextnode;
- }
- }
- dns_keytable_detachkeynode(secroots, &keynode);
- if (secure) {
- break;
- }
}
anchors_done:
goto cleanup;
}
- /*
- * The keynode didn't have any DS trust anchors, so we now try to
- * find a matching DNSKEY trust anchor.
- */
- result = dns_keytable_findkeynode(vctx->secroots, vctx->origin,
- dst_key_alg(key), dst_key_id(key),
- &keynode);
- if (result != ISC_R_SUCCESS) {
- goto cleanup;
- }
-
- /*
- * Walk the keynode list until we find a matching key or
- * reach the end.
- */
- while (result == ISC_R_SUCCESS) {
- dns_keynode_t *nextnode = NULL;
-
- if (dst_key_compare(key, dns_keynode_key(keynode))) {
- dns_keytable_detachkeynode(vctx->secroots, &keynode);
- dns_rdataset_settrust(&vctx->keyset, dns_trust_secure);
- dns_rdataset_settrust(&vctx->keysigs, dns_trust_secure);
- *goodkey = true;
-
- goto cleanup;
- }
-
- result = dns_keytable_findnextkeynode(vctx->secroots,
- keynode, &nextnode);
- dns_keytable_detachkeynode(vctx->secroots, &keynode);
- keynode = nextnode;
- }
-
cleanup:
if (keynode != NULL) {
dns_keytable_detachkeynode(vctx->secroots, &keynode);
}
}
- while (result == ISC_R_SUCCESS) {
- dns_keynode_t *nextnode = NULL;
- dns_keytag_t keyid = dst_key_id(dns_keynode_key(keynode));
- if (keyid == sentinel) {
- dns_keytable_detachkeynode(keytable, &keynode);
- dns_keytable_detach(&keytable);
- return (true);
- }
- result = dns_keytable_nextkeynode(keytable, keynode, &nextnode);
- dns_keytable_detachkeynode(keytable, &keynode);
- keynode = nextnode;
- }
-
if (keynode != NULL) {
dns_keytable_detachkeynode(keytable, &keynode);
}
+
dns_keytable_detach(&keytable);
+
return (false);
}
projects / thirdparty / bind9.git / commitdiff
