From: Witold Kręcicki Date: Tue, 3 Apr 2018 13:24:33 +0000 (+0200) Subject: libdns refactoring: get rid of multiple versions of dns_dnssec_findmatchingkeys and... X-Git-Tag: v9.13.0~70^2~8 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=25cd3168a7aa82829e96ea710b57403d7257bfb8;p=thirdparty%2Fbind9.git libdns refactoring: get rid of multiple versions of dns_dnssec_findmatchingkeys and dns_dnssec_findzonekeys --- diff --git a/bin/dnssec/dnssec-cds.c b/bin/dnssec/dnssec-cds.c index b9e44be02c5..c7ab16ace03 100644 --- a/bin/dnssec/dnssec-cds.c +++ b/bin/dnssec/dnssec-cds.c @@ -671,8 +671,11 @@ matching_sigs(keyinfo_t *keytbl, dns_rdataset_t *rdataset, } result = dns_dnssec_verify(name, rdataset, ki->dst, - ISC_FALSE, mctx, &sigrdata); - if (result != ISC_R_SUCCESS) { + ISC_FALSE, 0, mctx, + &sigrdata, NULL); + + if (result != ISC_R_SUCCESS && + result != DNS_R_FROMWILDCARD) { vbprintf(1, "skip RRSIG by key %d:" " verification failed: %s\n", sig.keyid, isc_result_totext(result)); diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index ee0be4f9f2d..7e504c2bcd5 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -295,8 +295,8 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dst_key_t *key, if (tryverify) { result = dns_dnssec_verify(name, rdataset, key, - ISC_TRUE, mctx, &trdata); - if (result == ISC_R_SUCCESS) { + ISC_TRUE, 0, mctx, &trdata, NULL); + if (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD) { vbprintf(3, "\tsignature verified\n"); INCSTAT(nverified); } else { @@ -456,8 +456,9 @@ setverifies(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, dns_rdata_t *rrsig) { isc_result_t result; - result = dns_dnssec_verify(name, set, key, ISC_FALSE, mctx, rrsig); - if (result == ISC_R_SUCCESS) { + result = dns_dnssec_verify(name, set, key, ISC_FALSE, 0, mctx, rrsig, + NULL); + if (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD) { INCSTAT(nverified); return (ISC_TRUE); } else { @@ -2636,7 +2637,7 @@ build_final_keylist(void) { * Find keys that match this zone in the key repository. */ result = dns_dnssec_findmatchingkeys(gorigin, directory, - mctx, &matchkeys); + now, mctx, &matchkeys); if (result == ISC_R_NOTFOUND) { result = ISC_R_SUCCESS; } diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c index d7c3ccabb03..2a7f0d00c7e 100644 --- a/bin/dnssec/dnssectool.c +++ b/bin/dnssec/dnssectool.c @@ -506,6 +506,7 @@ key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir, dns_secalg_t alg; char filename[ISC_DIR_NAMEMAX]; isc_buffer_t fileb; + isc_stdtime_t now; if (exact != NULL) *exact = ISC_FALSE; @@ -529,7 +530,8 @@ key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir, } ISC_LIST_INIT(matchkeys); - result = dns_dnssec_findmatchingkeys(name, dir, mctx, &matchkeys); + isc_stdtime_get(&now); + result = dns_dnssec_findmatchingkeys(name, dir, now, mctx, &matchkeys); if (result == ISC_R_NOTFOUND) return (ISC_FALSE); @@ -624,10 +626,11 @@ goodsig(dns_name_t *origin, dns_rdata_t *sigrdata, dns_name_t *name, continue; } result = dns_dnssec_verify(name, rdataset, dstkey, ISC_FALSE, - mctx, sigrdata); + 0, mctx, sigrdata, NULL); dst_key_free(&dstkey); - if (result == ISC_R_SUCCESS) + if (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD) { return(ISC_TRUE); + } } return (ISC_FALSE); } diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c index d07057031e5..dd1e75bdef2 100644 --- a/lib/dns/dnssec.c +++ b/lib/dns/dnssec.c @@ -363,18 +363,9 @@ cleanup_signature: } isc_result_t -dns_dnssec_verify2(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, - isc_boolean_t ignoretime, isc_mem_t *mctx, - dns_rdata_t *sigrdata, dns_name_t *wild) -{ - return (dns_dnssec_verify3(name, set, key, ignoretime, 0, mctx, - sigrdata, wild)); -} - -isc_result_t -dns_dnssec_verify3(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, - isc_boolean_t ignoretime, unsigned int maxbits, - isc_mem_t *mctx, dns_rdata_t *sigrdata, dns_name_t *wild) +dns_dnssec_verify(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, + isc_boolean_t ignoretime, unsigned int maxbits, + isc_mem_t *mctx, dns_rdata_t *sigrdata, dns_name_t *wild) { dns_rdata_rrsig_t sig; dns_fixedname_t fnewname; @@ -590,20 +581,6 @@ cleanup_struct: return (ret); } -isc_result_t -dns_dnssec_verify(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, - isc_boolean_t ignoretime, isc_mem_t *mctx, - dns_rdata_t *sigrdata) -{ - isc_result_t result; - - result = dns_dnssec_verify2(name, set, key, ignoretime, mctx, - sigrdata, NULL); - if (result == DNS_R_FROMWILDCARD) - result = ISC_R_SUCCESS; - return (result); -} - isc_boolean_t dns_dnssec_keyactive(dst_key_t *key, isc_stdtime_t now) { isc_result_t result; @@ -730,11 +707,11 @@ syncdelete(dst_key_t *key, isc_stdtime_t now) { == DNS_KEYOWNER_ZONE) isc_result_t -dns_dnssec_findzonekeys3(dns_db_t *db, dns_dbversion_t *ver, - dns_dbnode_t *node, const dns_name_t *name, - const char *directory, isc_stdtime_t now, - isc_mem_t *mctx, unsigned int maxkeys, - dst_key_t **keys, unsigned int *nkeys) +dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver, + dns_dbnode_t *node, const dns_name_t *name, + const char *directory, isc_stdtime_t now, + isc_mem_t *mctx, unsigned int maxkeys, + dst_key_t **keys, unsigned int *nkeys) { dns_rdataset_t rdataset; dns_rdata_t rdata = DNS_RDATA_INIT; @@ -890,33 +867,6 @@ dns_dnssec_findzonekeys3(dns_db_t *db, dns_dbversion_t *ver, return (result); } -isc_result_t -dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver, - dns_dbnode_t *node, const dns_name_t *name, - const char *directory, isc_mem_t *mctx, - unsigned int maxkeys, dst_key_t **keys, - unsigned int *nkeys) -{ - isc_stdtime_t now; - - isc_stdtime_get(&now); - return (dns_dnssec_findzonekeys3(db, ver, node, name, directory, now, - mctx, maxkeys, keys, nkeys)); -} - -isc_result_t -dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver, - dns_dbnode_t *node, const dns_name_t *name, - isc_mem_t *mctx, unsigned int maxkeys, - dst_key_t **keys, unsigned int *nkeys) -{ - isc_stdtime_t now; - - isc_stdtime_get(&now); - return (dns_dnssec_findzonekeys3(db, ver, node, name, NULL, now, - mctx, maxkeys, keys, nkeys)); -} - isc_result_t dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) { dns_rdata_sig_t sig; /* SIG(0) */ @@ -1243,9 +1193,9 @@ dns_dnssec_signs(dns_rdata_t *rdata, const dns_name_t *name, if (sig.algorithm == key.algorithm && sig.keyid == keytag) { - result = dns_dnssec_verify2(name, rdataset, dstkey, - ignoretime, mctx, - &sigrdata, NULL); + result = dns_dnssec_verify(name, rdataset, dstkey, + ignoretime, 0, mctx, + &sigrdata, NULL); if (result == ISC_R_SUCCESS) { dst_key_free(&dstkey); return (ISC_TRUE); @@ -1406,9 +1356,9 @@ get_hints(dns_dnsseckey_t *key, isc_stdtime_t now) { * Get a list of DNSSEC keys from the key repository */ isc_result_t -dns_dnssec_findmatchingkeys2(const dns_name_t *origin, const char *directory, - isc_stdtime_t now, isc_mem_t *mctx, - dns_dnsseckeylist_t *keylist) +dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory, + isc_stdtime_t now, isc_mem_t *mctx, + dns_dnsseckeylist_t *keylist) { isc_result_t result = ISC_R_SUCCESS; isc_boolean_t dir_open = ISC_FALSE; @@ -1536,17 +1486,6 @@ dns_dnssec_findmatchingkeys2(const dns_name_t *origin, const char *directory, return (result); } -isc_result_t -dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory, - isc_mem_t *mctx, dns_dnsseckeylist_t *keylist) -{ - isc_stdtime_t now; - - isc_stdtime_get(&now); - return (dns_dnssec_findmatchingkeys2(origin, directory, now, mctx, - keylist)); -} - /*% * Add 'newkey' to 'keylist' if it's not already there. * diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h index b3c59c384ec..a6f54c9b61c 100644 --- a/lib/dns/include/dns/dnssec.h +++ b/lib/dns/include/dns/dnssec.h @@ -119,18 +119,8 @@ dns_dnssec_sign(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, isc_result_t dns_dnssec_verify(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, - isc_boolean_t ignoretime, isc_mem_t *mctx, - dns_rdata_t *sigrdata); - -isc_result_t -dns_dnssec_verify2(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, - isc_boolean_t ignoretime, isc_mem_t *mctx, - dns_rdata_t *sigrdata, dns_name_t *wild); - -isc_result_t -dns_dnssec_verify3(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, - isc_boolean_t ignoretime, unsigned int maxbits, - isc_mem_t *mctx, dns_rdata_t *sigrdata, dns_name_t *wild); + isc_boolean_t ignoretime, unsigned int maxbits, + isc_mem_t *mctx, dns_rdata_t *sigrdata, dns_name_t *wild); /*%< * Verifies the RRSIG record covering this rdataset signed by a specific * key. This does not determine if the key's owner is authorized to sign @@ -164,24 +154,11 @@ dns_dnssec_verify3(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, /*@{*/ isc_result_t -dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node, - const dns_name_t *name, isc_mem_t *mctx, - unsigned int maxkeys, dst_key_t **keys, - unsigned int *nkeys); - -isc_result_t -dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver, - dns_dbnode_t *node, const dns_name_t *name, - const char *directory, isc_mem_t *mctx, - unsigned int maxkeys, dst_key_t **keys, - unsigned int *nkeys); - -isc_result_t -dns_dnssec_findzonekeys3(dns_db_t *db, dns_dbversion_t *ver, - dns_dbnode_t *node, const dns_name_t *name, - const char *directory, isc_stdtime_t now, - isc_mem_t *mctx, unsigned int maxkeys, - dst_key_t **keys, unsigned int *nkeys); +dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver, + dns_dbnode_t *node, const dns_name_t *name, + const char *directory, isc_stdtime_t now, + isc_mem_t *mctx, unsigned int maxkeys, + dst_key_t **keys, unsigned int *nkeys); /*%< * Finds a set of zone keys. @@ -291,12 +268,8 @@ dns_dnsseckey_destroy(isc_mem_t *mctx, dns_dnsseckey_t **dkp); isc_result_t dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory, - isc_mem_t *mctx, dns_dnsseckeylist_t *keylist); - -isc_result_t -dns_dnssec_findmatchingkeys2(const dns_name_t *origin, const char *directory, - isc_stdtime_t now, isc_mem_t *mctx, - dns_dnsseckeylist_t *keylist); + isc_stdtime_t now, isc_mem_t *mctx, + dns_dnsseckeylist_t *keylist); /*%< * Search 'directory' for K* key files matching the name in 'origin'. * Append all such keys, along with use hints gleaned from their diff --git a/lib/dns/update.c b/lib/dns/update.c index c7e7be0db85..5cfa0434e67 100644 --- a/lib/dns/update.c +++ b/lib/dns/update.c @@ -1051,11 +1051,14 @@ find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dst_key_t **keys, unsigned int *nkeys) { isc_result_t result; + isc_stdtime_t now; dns_dbnode_t *node = NULL; const char *directory = dns_zone_getkeydirectory(zone); CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node)); - CHECK(dns_dnssec_findzonekeys2(db, ver, node, dns_db_origin(db), - directory, mctx, maxkeys, keys, nkeys)); + isc_stdtime_get(&now); + CHECK(dns_dnssec_findzonekeys(db, ver, node, dns_db_origin(db), + directory, now, mctx, maxkeys, keys, + nkeys)); failure: if (node != NULL) dns_db_detachnode(db, &node); diff --git a/lib/dns/validator.c b/lib/dns/validator.c index e898576d387..c6c0e20adc2 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -1470,10 +1470,10 @@ isselfsigned(dns_validator_t *val) { if (result != ISC_R_SUCCESS) continue; - result = dns_dnssec_verify3(name, rdataset, dstkey, - ISC_TRUE, - val->view->maxbits, - mctx, &sigrdata, NULL); + result = dns_dnssec_verify(name, rdataset, dstkey, + ISC_TRUE, + val->view->maxbits, + mctx, &sigrdata, NULL); dst_key_free(&dstkey); if (result != ISC_R_SUCCESS) continue; @@ -1509,9 +1509,9 @@ verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata, dns_fixedname_init(&fixed); wild = dns_fixedname_name(&fixed); again: - result = dns_dnssec_verify3(val->event->name, val->event->rdataset, - key, ignore, val->view->maxbits, - val->view->mctx, rdata, wild); + result = dns_dnssec_verify(val->event->name, val->event->rdataset, + key, ignore, val->view->maxbits, + val->view->mctx, rdata, wild); if ((result == DNS_R_SIGEXPIRED || result == DNS_R_SIGFUTURE) && val->view->acceptexpired) { diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in index c8d0037f7a4..1e4aa54b719 100644 --- a/lib/dns/win32/libdns.def.in +++ b/lib/dns/win32/libdns.def.in @@ -316,10 +316,7 @@ dns_dns64_destroy dns_dns64_next dns_dns64_unlink dns_dnssec_findmatchingkeys -dns_dnssec_findmatchingkeys2 dns_dnssec_findzonekeys -dns_dnssec_findzonekeys2 -dns_dnssec_findzonekeys3 dns_dnssec_keyactive dns_dnssec_keyfromrdata dns_dnssec_keylistfromrdataset @@ -331,8 +328,6 @@ dns_dnssec_syncupdate dns_dnssec_syncupdate dns_dnssec_updatekeys dns_dnssec_verify -dns_dnssec_verify2 -dns_dnssec_verify3 dns_dnssec_verifymessage dns_dnsseckey_create dns_dnsseckey_destroy diff --git a/lib/dns/zone.c b/lib/dns/zone.c index ddd63ff4a8d..0642c932ba1 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -6043,9 +6043,9 @@ find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node)); memset(keys, 0, sizeof(*keys) * maxkeys); - result = dns_dnssec_findzonekeys3(db, ver, node, dns_db_origin(db), - directory, now, mctx, maxkeys, keys, - nkeys); + result = dns_dnssec_findzonekeys(db, ver, node, dns_db_origin(db), + directory, now, mctx, maxkeys, keys, + nkeys); if (result == ISC_R_NOTFOUND) result = ISC_R_SUCCESS; failure: @@ -9036,10 +9036,11 @@ revocable(dns_keyfetch_t *kfetch, dns_rdata_keydata_t *keydata) { if (dst_key_alg(dstkey) == sig.algorithm && dst_key_rid(dstkey) == sig.keyid) { - result = dns_dnssec_verify2(keyname, - &kfetch->dnskeyset, - dstkey, ISC_FALSE, mctx, &sigrr, - dns_fixedname_name(&fixed)); + result = dns_dnssec_verify(keyname, + &kfetch->dnskeyset, + dstkey, ISC_FALSE, 0, mctx, + &sigrr, + dns_fixedname_name(&fixed)); dns_zone_log(kfetch->zone, ISC_LOG_DEBUG(3), "Confirm revoked DNSKEY is self-signed: " @@ -9186,11 +9187,14 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { if (dst_key_alg(dstkey) == sig.algorithm && dst_key_id(dstkey) == sig.keyid) { - result = dns_dnssec_verify2(keyname, - &kfetch->dnskeyset, - dstkey, ISC_FALSE, - zone->view->mctx, &sigrr, - dns_fixedname_name(&fixed)); + result = dns_dnssec_verify(keyname, + &kfetch->dnskeyset, + dstkey, ISC_FALSE, + 0, + zone->view->mctx, + &sigrr, + dns_fixedname_name( + &fixed)); dns_zone_log(zone, ISC_LOG_DEBUG(3), "Verifying DNSKEY set for zone " @@ -17860,8 +17864,8 @@ zone_rekey(dns_zone_t *zone) { */ fullsign = ISC_TF(DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_FULLSIGN) != 0); - result = dns_dnssec_findmatchingkeys2(&zone->origin, dir, now, mctx, - &keys); + result = dns_dnssec_findmatchingkeys(&zone->origin, dir, now, mctx, + &keys); if (result == ISC_R_SUCCESS) { isc_boolean_t check_ksk; check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK); diff --git a/lib/ns/query.c b/lib/ns/query.c index 7cea53515d5..990323aeea1 100644 --- a/lib/ns/query.c +++ b/lib/ns/query.c @@ -2280,9 +2280,9 @@ verify(dst_key_t *key, dns_name_t *name, dns_rdataset_t *rdataset, dns_fixedname_init(&fixed); again: - result = dns_dnssec_verify3(name, rdataset, key, ignore, - client->view->maxbits, client->mctx, - rdata, NULL); + result = dns_dnssec_verify(name, rdataset, key, ignore, + client->view->maxbits, client->mctx, + rdata, NULL); if (result == DNS_R_SIGEXPIRED && client->view->acceptexpired) { ignore = ISC_TRUE; goto again;