From: Brian Wellington Date: Fri, 1 Feb 2002 20:08:56 +0000 (+0000) Subject: minor cleanup X-Git-Tag: v9.0.1^2~8568 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=23e4260821eefa5019808e18e14e2b366461aad7;p=thirdparty%2Fbind9.git minor cleanup --- diff --git a/lib/dns/validator.c b/lib/dns/validator.c index b436d334dcd..5115cc403f4 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.c,v 1.96 2001/11/30 01:59:21 gson Exp $ */ +/* $Id: validator.c,v 1.97 2002/02/01 20:08:56 bwelling Exp $ */ #include @@ -51,22 +51,27 @@ static void nullkeyvalidated(isc_task_t *task, isc_event_t *event); -static inline isc_boolean_t +static isc_boolean_t containsnullkey(dns_validator_t *val, dns_rdataset_t *rdataset); -static inline isc_result_t +static isc_result_t get_dst_key(dns_validator_t *val, dns_rdata_sig_t *siginfo, dns_rdataset_t *rdataset); -static inline isc_result_t +static isc_result_t validate(dns_validator_t *val, isc_boolean_t resume); -static inline isc_result_t +static isc_result_t nxtvalidate(dns_validator_t *val, isc_boolean_t resume); -static inline isc_result_t +static isc_result_t proveunsecure(dns_validator_t *val, isc_boolean_t resume); +static void +validator_logv(dns_validator_t *val, isc_logcategory_t *category, + isc_logmodule_t *module, int level, const char *fmt, va_list ap) + ISC_FORMAT_PRINTF(5, 0); + static void validator_log(dns_validator_t *val, int level, const char *fmt, ...) ISC_FORMAT_PRINTF(3, 4); @@ -602,7 +607,7 @@ nullkeyvalidated(isc_task_t *task, isc_event_t *event) { * Try to find a null zone key among those in 'rdataset'. If found, build * a dst_key_t for it and point val->key at it. */ -static inline isc_boolean_t +static isc_boolean_t containsnullkey(dns_validator_t *val, dns_rdataset_t *rdataset) { isc_result_t result; dst_key_t *key = NULL; @@ -642,7 +647,7 @@ containsnullkey(dns_validator_t *val, dns_rdataset_t *rdataset) { * * If val->key is non-NULL, this returns the next matching key. */ -static inline isc_result_t +static isc_result_t get_dst_key(dns_validator_t *val, dns_rdata_sig_t *siginfo, dns_rdataset_t *rdataset) { @@ -703,39 +708,30 @@ get_dst_key(dns_validator_t *val, dns_rdata_sig_t *siginfo, return (result); } -static inline isc_result_t +static isc_result_t get_key(dns_validator_t *val, dns_rdata_sig_t *siginfo) { isc_result_t result; - dns_validatorevent_t *event; unsigned int nbits, nlabels; int order; dns_namereln_t namereln; - event = val->event; - /* - * Is the key name appropriate for this signature? - * This previously checked for self-signed keys. Now, if the key - * is self signed with a preconfigured key, it's ok. + * Is the signer name appropriate for this signature? + * + * The signer name must be at the same level as the owner name + * or closer to the the DNS root. */ - namereln = dns_name_fullcompare(event->name, &siginfo->signer, + namereln = dns_name_fullcompare(val->event->name, &siginfo->signer, &order, &nlabels, &nbits); if (namereln != dns_namereln_subdomain && - namereln != dns_namereln_equal) { - /* - * The key name is not at the same level - * as 'rdataset', nor is it closer to the - * DNS root. - */ + namereln != dns_namereln_equal) return (DNS_R_CONTINUE); - } /* * Is the key used for the signature a security root? */ INSIST(val->keynode == NULL); - val->keytable = val->view->secroots; - result = dns_keytable_findkeynode(val->view->secroots, + result = dns_keytable_findkeynode(val->keytable, &siginfo->signer, siginfo->algorithm, siginfo->keyid, &val->keynode); @@ -753,7 +749,7 @@ get_key(dns_validator_t *val, dns_rdata_sig_t *siginfo) { * itself, so we ignore the signature if it was not made by * an ancestor of the KEY or a preconfigured key. */ - if (event->rdataset->type == dns_rdatatype_key && + if (val->event->rdataset->type == dns_rdatatype_key && namereln == dns_namereln_equal) { validator_log(val, ISC_LOG_DEBUG(3), @@ -873,7 +869,6 @@ issecurityroot(dns_validator_t *val) { dns_name_t *name; dns_rdataset_t *rdataset; isc_mem_t *mctx; - dns_keytable_t *secroots; dns_rdata_t rdata = DNS_RDATA_INIT; isc_result_t result; dns_keynode_t *keynode, *nextnode; @@ -883,7 +878,6 @@ issecurityroot(dns_validator_t *val) { name = val->event->name; rdataset = val->event->rdataset; mctx = val->view->mctx; - secroots = val->view->secroots; for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS; @@ -897,7 +891,7 @@ issecurityroot(dns_validator_t *val) { continue; keynode = NULL; result = dns_keytable_findkeynode( - secroots, name, + val->keytable, name, (dns_secalg_t)dst_key_alg(key), dst_key_id(key), &keynode); @@ -907,14 +901,15 @@ issecurityroot(dns_validator_t *val) { secrootkey = dns_keynode_key(keynode); if (dst_key_compare(key, secrootkey)) { match = ISC_TRUE; - dns_keytable_detachkeynode(secroots, &keynode); + dns_keytable_detachkeynode(val->keytable, + &keynode); break; } nextnode = NULL; - result = dns_keytable_findnextkeynode(secroots, + result = dns_keytable_findnextkeynode(val->keytable, keynode, &nextnode); - dns_keytable_detachkeynode(secroots, &keynode); + dns_keytable_detachkeynode(val->keytable, &keynode); } dst_key_free(&key); @@ -933,7 +928,7 @@ issecurityroot(dns_validator_t *val) { * for an event. * Other return codes are possible and all indicate failure. */ -static inline isc_result_t +static isc_result_t validate(dns_validator_t *val, isc_boolean_t resume) { isc_result_t result; dns_validatorevent_t *event; @@ -948,17 +943,16 @@ validate(dns_validator_t *val, isc_boolean_t resume) { /* * If this is a security root, it's ok. */ - if (!resume) { + if (val->event->type == dns_rdatatype_key && !resume) { dns_fixedname_t fsecroot; dns_name_t *secroot; dns_fixedname_init(&fsecroot); secroot = dns_fixedname_name(&fsecroot); - result = dns_keytable_finddeepestmatch(val->view->secroots, + result = dns_keytable_finddeepestmatch(val->keytable, val->event->name, secroot); if (result == ISC_R_SUCCESS && - val->event->type == dns_rdatatype_key && dns_name_equal(val->event->name, secroot) && issecurityroot(val)) { @@ -983,13 +977,12 @@ validate(dns_validator_t *val, isc_boolean_t resume) { { dns_rdata_reset(&rdata); dns_rdataset_current(event->sigrdataset, &rdata); - if (val->siginfo != NULL) - isc_mem_put(val->view->mctx, val->siginfo, - sizeof(*val->siginfo)); - val->siginfo = isc_mem_get(val->view->mctx, - sizeof(*val->siginfo)); - if (val->siginfo == NULL) - return (ISC_R_NOMEMORY); + if (val->siginfo == NULL) { + val->siginfo = isc_mem_get(val->view->mctx, + sizeof(*val->siginfo)); + if (val->siginfo == NULL) + return (ISC_R_NOMEMORY); + } result = dns_rdata_tostruct(&rdata, val->siginfo, NULL); if (result != ISC_R_SUCCESS) return (result); @@ -1008,6 +1001,9 @@ validate(dns_validator_t *val, isc_boolean_t resume) { return (result); } + /* + * The key is insecure, so mark the data as insecure also. + */ if (val->key == NULL) { event->rdataset->trust = dns_trust_answer; event->sigrdataset->trust = dns_trust_answer; @@ -1100,7 +1096,7 @@ validate(dns_validator_t *val, isc_boolean_t resume) { } -static inline isc_result_t +static isc_result_t nxtvalidate(dns_validator_t *val, isc_boolean_t resume) { dns_name_t *name; dns_message_t *message = val->event->message; @@ -1222,7 +1218,7 @@ nxtvalidate(dns_validator_t *val, isc_boolean_t resume) { } } -static inline isc_result_t +static isc_result_t proveunsecure(dns_validator_t *val, isc_boolean_t resume) { isc_result_t result; dns_fixedname_t secroot, tfname; @@ -1230,7 +1226,7 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) { dns_fixedname_init(&secroot); dns_fixedname_init(&tfname); - result = dns_keytable_finddeepestmatch(val->view->secroots, + result = dns_keytable_finddeepestmatch(val->keytable, val->event->name, dns_fixedname_name(&secroot)); /* @@ -1399,8 +1395,7 @@ validator_start(isc_task_t *task, isc_event_t *event) { /* * This looks like a simple validation. We say "looks like" - * because we don't know if wildcards are involved yet so it - * could still get complicated. + * because it might end up requiring an insecurity proof. */ validator_log(val, ISC_LOG_DEBUG(3), "attempting positive response validation"); @@ -1426,7 +1421,7 @@ validator_start(isc_task_t *task, isc_event_t *event) { result = proveunsecure(val, ISC_FALSE); } else if (val->event->rdataset == NULL && - val->event->sigrdataset == NULL) + val->event->sigrdataset == NULL) { /* * This is a nonexistence validation. @@ -1501,6 +1496,8 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, val->fetch = NULL; val->keyvalidator = NULL; val->authvalidator = NULL; + val->keytable = NULL; + dns_keytable_attach(val->view->secroots, &val->keytable); val->keynode = NULL; val->key = NULL; val->siginfo = NULL; @@ -1568,6 +1565,8 @@ destroy(dns_validator_t *val) { dns_keytable_detachkeynode(val->keytable, &val->keynode); else if (val->key != NULL) dst_key_free(&val->key); + if (val->keytable != NULL) + dns_keytable_detach(&val->keytable); if (val->keyvalidator != NULL) dns_validator_destroy(&val->keyvalidator); if (val->authvalidator != NULL) @@ -1609,12 +1608,6 @@ dns_validator_destroy(dns_validator_t **validatorp) { *validatorp = NULL; } - -static void -validator_logv(dns_validator_t *val, isc_logcategory_t *category, - isc_logmodule_t *module, int level, const char *fmt, va_list ap) - ISC_FORMAT_PRINTF(5, 0); - static void validator_logv(dns_validator_t *val, isc_logcategory_t *category, isc_logmodule_t *module, int level, const char *fmt, va_list ap)