From: Wouter Wijngaards Date: Wed, 17 Mar 2010 09:49:18 +0000 (+0000) Subject: cache verify work for nsec and nsec3. X-Git-Tag: release-1.4.4rc1~36 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=091050add6b286841c562b4bd53e8d2a97b2b90b;p=thirdparty%2Funbound.git cache verify work for nsec and nsec3. git-svn-id: file:///svn/unbound/trunk@2047 be551aaa-1e26-0410-a405-d3ace91eadb9
---
diff --git a/validator/val_nsec.c b/validator/val_nsec.c
index 195b5494a..30f75773f 100644
--- a/validator/val_nsec.c
+++ b/validator/val_nsec.c
@@ -171,6 +171,27 @@ val_nsec_proves_no_ds(struct ub_packed_rrset_key* nsec,
 return sec_status_secure;
 }
 
+/** check security status from cache or verify rrset, returns true if secure */
+static int
+nsec_verify_rrset(struct module_env* env, struct val_env* ve,
+ struct ub_packed_rrset_key* nsec, struct key_entry_key* kkey,
+ char** reason)
+{
+ struct packed_rrset_data* d = (struct packed_rrset_data*)
+ nsec->entry.data;
+ if(d->security == sec_status_secure)
+ return 1;
+ rrset_check_sec_status(env->rrset_cache, nsec, *env->now);
+ if(d->security == sec_status_secure)
+ return 1;
+ d->security = val_verify_rrset_entry(env, ve, nsec, kkey, reason);
+ if(d->security == sec_status_secure) {
+ rrset_update_sec_status(env->rrset_cache, nsec, *env->now);
+ return 1;
+ }
+ return 0;
+}
+
 enum sec_status
 val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
 struct query_info* qinfo, struct reply_info* rep,
@@ -191,8 +212,7 @@ val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
 * 1) this is a delegation point and there is no DS
 * 2) this is not a delegation point */
 if(nsec) {
- sec = val_verify_rrset_entry(env, ve, nsec, kkey, reason);
- if(sec != sec_status_secure) {
+ if(!nsec_verify_rrset(env, ve, nsec, kkey, reason)) {
 verbose(VERB_ALGO, "NSEC RRset for the "
 "referral did not verify.");
 return sec_status_bogus;
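Review bot: The one-line comment on the new `nsec_verify_rrset` understates its side effects: the function writes the verdict of `val_verify_rrset_entry` into the shared `nsec->entry.data->security` whatever that verdict is, on success also publishes it to the rrset cache with `rrset_update_sec_status`, and its first `if(d->security == sec_status_secure) return 1;` accepts a status already present on the rrset without reference to `kkey` (presumably the matching done inside `rrset_check_sec_status` and the validator's handling of trust are what make that acceptable — worth confirming). Suggest replacing the one-liner with a short block comment stating the lookup order (status already on the rrset, then the rrset cache, then signature verification against kkey), that `d->security` is overwritten with the verification result even when it is not secure, that only a secure result is written back to the cache, and that `reason` is passed only to `val_verify_rrset_entry`, so it stays untouched when a cached status short-circuits. The two call sites in the following hunks of this file rely on all of that when they map a 0 return to `sec_status_bogus`.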
@@ -221,9 +241,7 @@ val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
 i++) {
 if(rep->rrsets[i]->rk.type != htons(LDNS_RR_TYPE_NSEC))
 continue;
- sec = val_verify_rrset_entry(env, ve, rep->rrsets[i], kkey,
- reason);
- if(sec != sec_status_secure) {
+ if(!nsec_verify_rrset(env, ve, rep->rrsets[i], kkey, reason)) {
 verbose(VERB_ALGO, "NSEC for empty non-terminal "
 "did not verify.");
 return sec_status_bogus;
diff --git a/validator/val_nsec3.c b/validator/val_nsec3.c
index c0108e8a4..79a788932 100644
--- a/validator/val_nsec3.c
+++ b/validator/val_nsec3.c
@@ -1252,11 +1252,10 @@ list_is_secure(struct module_env* env, struct val_env* ve,
 struct ub_packed_rrset_key** list, size_t num,
 struct key_entry_key* kkey, char** reason)
 {
+ struct packed_rrset_data* d;
 size_t i;
- enum sec_status sec;
 for(i=0; ientry.data;
+ d = (struct packed_rrset_data*)list[i]->entry.data;
 if(list[i]->rk.type != htons(LDNS_RR_TYPE_NSEC3))
 continue;
 if(d->security == sec_status_secure)
@@ -1264,8 +1263,9 @@ list_is_secure(struct module_env* env, struct val_env* ve,
 rrset_check_sec_status(env->rrset_cache, list[i], *env->now);
 if(d->security == sec_status_secure)
 continue;
- sec = val_verify_rrset_entry(env, ve, list[i], kkey, reason);
- if(sec != sec_status_secure) {
+ d->security = val_verify_rrset_entry(env, ve, list[i], kkey,
+ reason);
+ if(d->security != sec_status_secure) {
 verbose(VERB_ALGO, "NSEC3 did not verify");
 return 0;
 }
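Review bot: After a successful `val_verify_rrset_entry` the NSEC3 path in the last hunk stores the result in `d->security` but never calls `rrset_update_sec_status(env->rrset_cache, list[i], *env->now)`, unlike the otherwise identical `nsec_verify_rrset` helper this commit adds to val_nsec.c, so the cached copy that `rrset_check_sec_status` consults three lines earlier is never told the rrset verified (presumably repeating the signature check on a later query); if that is deliberate a comment should say so, otherwise `if(d->security == sec_status_secure) rrset_update_sec_status(env->rrset_cache, list[i], *env->now);` after the bogus check restores the symmetry. A second, smaller change of behaviour is that a non-secure verdict is now written into the shared rrset data instead of a local; `list_is_secure` returns 0 right away, so this only matters if the caller inspects the same rrset objects afterwards. The preceding hunk of this file is mangled in this copy (`for(i=0; ientry.data;`), so the removed two-line declaration of `d` cannot be checked here, and `list_is_secure` continues past the end of the last hunk.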