From: Evan Hunt Date: Tue, 6 Aug 2019 20:44:30 +0000 (-0700) Subject: style, braces, whitespace X-Git-Tag: v9.15.6~8^2~14 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=32d1cc1562f51dae332877672869bfa7b91b7700;p=thirdparty%2Fbind9.git style, braces, whitespace --- diff --git a/lib/dns/validator.c b/lib/dns/validator.c index ceb45260ede..8e996429b22 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -42,68 +42,63 @@ /*! \file * \brief - * Basic processing sequences. + * Basic processing sequences: * * \li When called with rdataset and sigrdataset: - * validator_start -> validate -> proveunsecure - * - * validator_start -> validate -> nsecvalidate (secure wildcard answer) + * validator_start -> validate -> proveunsecure + * validator_start -> validate -> nsecvalidate (secure wildcard answer) * * \li When called with rdataset: - * validator_start -> proveunsecure + * validator_start -> proveunsecure * * \li When called without a rdataset: - * validator_start -> nsecvalidate -> proveunsecure + * validator_start -> nsecvalidate -> proveunsecure * * validator_start: determines what type of validation to do. - * validate: attempts to perform a positive validation. - * proveunsecure: attempts to prove the answer comes from a unsecure zone. - * nsecvalidate: attempts to prove a negative response. + * validate: attempts to perform a positive validation. + * proveunsecure:: attempts to prove the answer comes from a unsecure zone. + * nsecvalidate: attempts to prove a negative response. */ -#define VALIDATOR_MAGIC ISC_MAGIC('V', 'a', 'l', '?') -#define VALID_VALIDATOR(v) ISC_MAGIC_VALID(v, VALIDATOR_MAGIC) +#define VALIDATOR_MAGIC ISC_MAGIC('V', 'a', 'l', '?') +#define VALID_VALIDATOR(v) ISC_MAGIC_VALID(v, VALIDATOR_MAGIC) -#define VALATTR_SHUTDOWN 0x0001 /*%< Shutting down. */ -#define VALATTR_CANCELED 0x0002 /*%< Canceled. */ -#define VALATTR_TRIEDVERIFY 0x0004 /*%< We have found a key and +#define VALATTR_SHUTDOWN 0x0001 /*%< Shutting down. */ +#define VALATTR_CANCELED 0x0002 /*%< Canceled. */ +#define VALATTR_TRIEDVERIFY 0x0004 /*%< We have found a key and * have attempted a verify. */ -#define VALATTR_INSECURITY 0x0010 /*%< Attempting proveunsecure. */ +#define VALATTR_INSECURITY 0x0010 /*%< Attempting proveunsecure. */ /*! * NSEC proofs to be looked for. */ -#define VALATTR_NEEDNOQNAME 0x00000100 -#define VALATTR_NEEDNOWILDCARD 0x00000200 -#define VALATTR_NEEDNODATA 0x00000400 +#define VALATTR_NEEDNOQNAME 0x00000100 +#define VALATTR_NEEDNOWILDCARD 0x00000200 +#define VALATTR_NEEDNODATA 0x00000400 /*! * NSEC proofs that have been found. */ -#define VALATTR_FOUNDNOQNAME 0x00001000 -#define VALATTR_FOUNDNOWILDCARD 0x00002000 -#define VALATTR_FOUNDNODATA 0x00004000 -#define VALATTR_FOUNDCLOSEST 0x00008000 - -/* - * - */ -#define VALATTR_FOUNDOPTOUT 0x00010000 -#define VALATTR_FOUNDUNKNOWN 0x00020000 - -#define NEEDNODATA(val) ((val->attributes & VALATTR_NEEDNODATA) != 0) -#define NEEDNOQNAME(val) ((val->attributes & VALATTR_NEEDNOQNAME) != 0) -#define NEEDNOWILDCARD(val) ((val->attributes & VALATTR_NEEDNOWILDCARD) != 0) -#define FOUNDNODATA(val) ((val->attributes & VALATTR_FOUNDNODATA) != 0) -#define FOUNDNOQNAME(val) ((val->attributes & VALATTR_FOUNDNOQNAME) != 0) +#define VALATTR_FOUNDNOQNAME 0x00001000 +#define VALATTR_FOUNDNOWILDCARD 0x00002000 +#define VALATTR_FOUNDNODATA 0x00004000 +#define VALATTR_FOUNDCLOSEST 0x00008000 +#define VALATTR_FOUNDOPTOUT 0x00010000 +#define VALATTR_FOUNDUNKNOWN 0x00020000 + +#define NEEDNODATA(val) ((val->attributes & VALATTR_NEEDNODATA) != 0) +#define NEEDNOQNAME(val) ((val->attributes & VALATTR_NEEDNOQNAME) != 0) +#define NEEDNOWILDCARD(val) ((val->attributes & VALATTR_NEEDNOWILDCARD) != 0) +#define FOUNDNODATA(val) ((val->attributes & VALATTR_FOUNDNODATA) != 0) +#define FOUNDNOQNAME(val) ((val->attributes & VALATTR_FOUNDNOQNAME) != 0) #define FOUNDNOWILDCARD(val) ((val->attributes & VALATTR_FOUNDNOWILDCARD) != 0) -#define FOUNDCLOSEST(val) ((val->attributes & VALATTR_FOUNDCLOSEST) != 0) -#define FOUNDOPTOUT(val) ((val->attributes & VALATTR_FOUNDOPTOUT) != 0) +#define FOUNDCLOSEST(val) ((val->attributes & VALATTR_FOUNDCLOSEST) != 0) +#define FOUNDOPTOUT(val) ((val->attributes & VALATTR_FOUNDOPTOUT) != 0) -#define SHUTDOWN(v) (((v)->attributes & VALATTR_SHUTDOWN) != 0) -#define CANCELED(v) (((v)->attributes & VALATTR_CANCELED) != 0) +#define SHUTDOWN(v) (((v)->attributes & VALATTR_SHUTDOWN) != 0) +#define CANCELED(v) (((v)->attributes & VALATTR_CANCELED) != 0) -#define NEGATIVE(r) (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) +#define NEGATIVE(r) (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) static void destroy(dns_validator_t *val); @@ -122,17 +117,16 @@ static isc_result_t nsecvalidate(dns_validator_t *val, bool resume); static isc_result_t -proveunsecure(dns_validator_t *val, bool have_ds, - bool resume); +proveunsecure(dns_validator_t *val, bool have_ds, bool resume); static void validator_logv(dns_validator_t *val, isc_logcategory_t *category, isc_logmodule_t *module, int level, const char *fmt, va_list ap) - ISC_FORMAT_PRINTF(5, 0); + ISC_FORMAT_PRINTF(5, 0); static void validator_log(void *val, int level, const char *fmt, ...) - ISC_FORMAT_PRINTF(3, 4); + ISC_FORMAT_PRINTF(3, 4); static void validator_logcreate(dns_validator_t *val, @@ -145,18 +139,21 @@ validator_logcreate(dns_validator_t *val, static inline void markanswer(dns_validator_t *val, const char *where) { validator_log(val, ISC_LOG_DEBUG(3), "marking as answer (%s)", where); - if (val->event->rdataset != NULL) + if (val->event->rdataset != NULL) { dns_rdataset_settrust(val->event->rdataset, dns_trust_answer); - if (val->event->sigrdataset != NULL) + } + if (val->event->sigrdataset != NULL) { dns_rdataset_settrust(val->event->sigrdataset, dns_trust_answer); + } } static inline void marksecure(dns_validatorevent_t *event) { dns_rdataset_settrust(event->rdataset, dns_trust_secure); - if (event->sigrdataset != NULL) + if (event->sigrdataset != NULL) { dns_rdataset_settrust(event->sigrdataset, dns_trust_secure); + } event->secure = true; } @@ -164,8 +161,9 @@ static void validator_done(dns_validator_t *val, isc_result_t result) { isc_task_t *task; - if (val->event == NULL) + if (val->event == NULL) { return; + } /* * Caller must be holding the lock. @@ -185,13 +183,15 @@ exit_check(dns_validator_t *val) { /* * Caller must be holding the lock. */ - if (!SHUTDOWN(val)) + if (!SHUTDOWN(val)) { return (false); + } INSIST(val->event == NULL); - if (val->fetch != NULL || val->subvalidator != NULL) + if (val->fetch != NULL || val->subvalidator != NULL) { return (false); + } return (true); } @@ -222,15 +222,17 @@ isdelegation(dns_name_t *name, dns_rdataset_t *rdataset, REQUIRE(dbresult == DNS_R_NXRRSET || dbresult == DNS_R_NCACHENXRRSET); dns_rdataset_init(&set); - if (dbresult == DNS_R_NXRRSET) + if (dbresult == DNS_R_NXRRSET) { dns_rdataset_clone(rdataset, &set); - else { + } else { result = dns_ncache_getrdataset(rdataset, name, dns_rdatatype_nsec, &set); - if (result == ISC_R_NOTFOUND) + if (result == ISC_R_NOTFOUND) { goto trynsec3; - if (result != ISC_R_SUCCESS) + } + if (result != ISC_R_SUCCESS) { return (false); + } } INSIST(set.type == dns_rdatatype_nsec); @@ -278,14 +280,16 @@ isdelegation(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdata_reset(&rdata); dns_rdataset_current(&set, &rdata); (void)dns_rdata_tostruct(&rdata, &nsec3, NULL); - if (nsec3.hash != 1) + if (nsec3.hash != 1) { continue; + } length = isc_iterated_hash(hash, nsec3.hash, nsec3.iterations, nsec3.salt, nsec3.salt_length, name->ndata, name->length); - if (length != isc_buffer_usedlength(&buffer)) + if (length != isc_buffer_usedlength(&buffer)) { continue; + } order = memcmp(hash, owner, length); if (order == 0) { found = dns_nsec3_typepresent(&rdata, @@ -293,8 +297,9 @@ isdelegation(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdataset_disassociate(&set); return (found); } - if ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) == 0) + if ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) == 0) { continue; + } /* * Does this optout span cover the name? */ @@ -302,7 +307,8 @@ isdelegation(dns_name_t *name, dns_rdataset_t *rdataset, if ((scope < 0 && order > 0 && memcmp(hash, nsec3.next, length) < 0) || (scope >= 0 && (order > 0 || - memcmp(hash, nsec3.next, length) < 0))) + memcmp(hash, nsec3.next, + length) < 0))) { dns_rdataset_disassociate(&set); return (true); @@ -337,12 +343,15 @@ fetch_callback_validator(isc_task_t *task, isc_event_t *event) { eresult = devent->result; /* Free resources which are not of interest. */ - if (devent->node != NULL) + if (devent->node != NULL) { dns_db_detachnode(devent->db, &devent->node); - if (devent->db != NULL) + } + if (devent->db != NULL) { dns_db_detach(&devent->db); - if (dns_rdataset_isassociated(&val->fsigrdataset)) + } + if (dns_rdataset_isassociated(&val->fsigrdataset)) { dns_rdataset_disassociate(&val->fsigrdataset); + } isc_event_free(&event); INSIST(val->event != NULL); @@ -362,8 +371,9 @@ fetch_callback_validator(isc_task_t *task, isc_event_t *event) { */ if (rdataset->trust >= dns_trust_secure) { result = get_dst_key(val, val->siginfo, rdataset); - if (result == ISC_R_SUCCESS) + if (result == ISC_R_SUCCESS) { val->keyset = &val->frdataset; + } } result = validate(val, true); if (result == DNS_R_NOVALIDSIG && @@ -374,26 +384,31 @@ fetch_callback_validator(isc_task_t *task, isc_event_t *event) { "falling back to insecurity proof"); val->attributes |= VALATTR_INSECURITY; result = proveunsecure(val, false, false); - if (result == DNS_R_NOTINSECURE) + if (result == DNS_R_NOTINSECURE) { result = saved_result; + } } - if (result != DNS_R_WAIT) + if (result != DNS_R_WAIT) { validator_done(val, result); + } } else { validator_log(val, ISC_LOG_DEBUG(3), "fetch_callback_validator: got %s", isc_result_totext(eresult)); - if (eresult == ISC_R_CANCELED) + if (eresult == ISC_R_CANCELED) { validator_done(val, eresult); - else + } else { validator_done(val, DNS_R_BROKENCHAIN); + } } want_destroy = exit_check(val); UNLOCK(&val->lock); - if (fetch != NULL) + if (fetch != NULL) { dns_resolver_destroyfetch(&fetch); - if (want_destroy) + } + if (want_destroy) { destroy(val); + } } /*% @@ -419,12 +434,15 @@ dsfetched(isc_task_t *task, isc_event_t *event) { eresult = devent->result; /* Free resources which are not of interest. */ - if (devent->node != NULL) + if (devent->node != NULL) { dns_db_detachnode(devent->db, &devent->node); - if (devent->db != NULL) + } + if (devent->db != NULL) { dns_db_detach(&devent->db); - if (dns_rdataset_isassociated(&val->fsigrdataset)) + } + if (dns_rdataset_isassociated(&val->fsigrdataset)) { dns_rdataset_disassociate(&val->fsigrdataset); + } isc_event_free(&event); INSIST(val->event != NULL); @@ -438,38 +456,43 @@ dsfetched(isc_task_t *task, isc_event_t *event) { } else if (eresult == ISC_R_SUCCESS) { validator_log(val, ISC_LOG_DEBUG(3), "dsset with trust %s", - dns_trust_totext(rdataset->trust)); + dns_trust_totext(rdataset->trust)); val->dsset = &val->frdataset; result = validatezonekey(val); - if (result != DNS_R_WAIT) + if (result != DNS_R_WAIT) { validator_done(val, result); + } } else if (eresult == DNS_R_CNAME || eresult == DNS_R_NXRRSET || eresult == DNS_R_NCACHENXRRSET || - eresult == DNS_R_SERVFAIL) /* RFC 1034 parent? */ + eresult == DNS_R_SERVFAIL) /* RFC 1034 parent? */ { validator_log(val, ISC_LOG_DEBUG(3), "falling back to insecurity proof (%s)", dns_result_totext(eresult)); val->attributes |= VALATTR_INSECURITY; result = proveunsecure(val, false, false); - if (result != DNS_R_WAIT) + if (result != DNS_R_WAIT) { validator_done(val, result); + } } else { validator_log(val, ISC_LOG_DEBUG(3), "dsfetched: got %s", isc_result_totext(eresult)); - if (eresult == ISC_R_CANCELED) + if (eresult == ISC_R_CANCELED) { validator_done(val, eresult); - else + } else { validator_done(val, DNS_R_BROKENCHAIN); + } } want_destroy = exit_check(val); UNLOCK(&val->lock); - if (fetch != NULL) + if (fetch != NULL) { dns_resolver_destroyfetch(&fetch); - if (want_destroy) + } + if (want_destroy) { destroy(val); + } } /*% @@ -500,12 +523,15 @@ dsfetched2(isc_task_t *task, isc_event_t *event) { eresult = devent->result; /* Free resources which are not of interest. */ - if (devent->node != NULL) + if (devent->node != NULL) { dns_db_detachnode(devent->db, &devent->node); - if (devent->db != NULL) + } + if (devent->db != NULL) { dns_db_detach(&devent->db); - if (dns_rdataset_isassociated(&val->fsigrdataset)) + } + if (dns_rdataset_isassociated(&val->fsigrdataset)) { dns_rdataset_disassociate(&val->fsigrdataset); + } INSIST(val->event != NULL); @@ -537,8 +563,9 @@ dsfetched2(isc_task_t *task, isc_event_t *event) { } } else { result = proveunsecure(val, false, true); - if (result != DNS_R_WAIT) + if (result != DNS_R_WAIT) { validator_done(val, result); + } } } else if (eresult == ISC_R_SUCCESS || eresult == DNS_R_NXDOMAIN || @@ -551,21 +578,25 @@ dsfetched2(isc_task_t *task, isc_event_t *event) { */ result = proveunsecure(val, (eresult == ISC_R_SUCCESS), true); - if (result != DNS_R_WAIT) + if (result != DNS_R_WAIT) { validator_done(val, result); + } } else { - if (eresult == ISC_R_CANCELED) + if (eresult == ISC_R_CANCELED) { validator_done(val, eresult); - else + } else { validator_done(val, DNS_R_NOVALIDDS); + } } isc_event_free(&event); want_destroy = exit_check(val); UNLOCK(&val->lock); - if (fetch != NULL) + if (fetch != NULL) { dns_resolver_destroyfetch(&fetch); - if (want_destroy) + } + if (want_destroy) { destroy(val); + } } /*% @@ -605,8 +636,9 @@ keyvalidated(isc_task_t *task, isc_event_t *event) { /* * Only extract the dst key if the keyset is secure. */ - if (val->frdataset.trust >= dns_trust_secure) + if (val->frdataset.trust >= dns_trust_secure) { (void) get_dst_key(val, val->siginfo, &val->frdataset); + } result = validate(val, true); if (result == DNS_R_NOVALIDSIG && (val->attributes & VALATTR_TRIEDVERIFY) == 0) @@ -616,17 +648,21 @@ keyvalidated(isc_task_t *task, isc_event_t *event) { "falling back to insecurity proof"); val->attributes |= VALATTR_INSECURITY; result = proveunsecure(val, false, false); - if (result == DNS_R_NOTINSECURE) + if (result == DNS_R_NOTINSECURE) { result = saved_result; + } } - if (result != DNS_R_WAIT) + if (result != DNS_R_WAIT) { validator_done(val, result); + } } else { if (eresult != DNS_R_BROKENCHAIN) { - if (dns_rdataset_isassociated(&val->frdataset)) + if (dns_rdataset_isassociated(&val->frdataset)) { dns_rdataset_expire(&val->frdataset); - if (dns_rdataset_isassociated(&val->fsigrdataset)) + } + if (dns_rdataset_isassociated(&val->fsigrdataset)) { dns_rdataset_expire(&val->fsigrdataset); + } } validator_log(val, ISC_LOG_DEBUG(3), "keyvalidated: got %s", @@ -635,8 +671,9 @@ keyvalidated(isc_task_t *task, isc_event_t *event) { } want_destroy = exit_check(val); UNLOCK(&val->lock); - if (want_destroy) + if (want_destroy) { destroy(val); + } } /*% @@ -681,7 +718,8 @@ dsvalidated(isc_task_t *task, isc_event_t *event) { if ((val->attributes & VALATTR_INSECURITY) != 0 && val->frdataset.covers == dns_rdatatype_ds && NEGATIVE(&val->frdataset) && - isdelegation(name, &val->frdataset, DNS_R_NCACHENXRRSET)) { + isdelegation(name, &val->frdataset, + DNS_R_NCACHENXRRSET)) { if (val->mustbesecure) { validator_log(val, ISC_LOG_WARNING, "must be secure failure, no DS " @@ -689,20 +727,24 @@ dsvalidated(isc_task_t *task, isc_event_t *event) { result = DNS_R_MUSTBESECURE; } else { markanswer(val, "dsvalidated"); - result = ISC_R_SUCCESS;; + result = ISC_R_SUCCESS; } } else if ((val->attributes & VALATTR_INSECURITY) != 0) { result = proveunsecure(val, have_dsset, true); - } else + } else { result = validatezonekey(val); - if (result != DNS_R_WAIT) + } + if (result != DNS_R_WAIT) { validator_done(val, result); + } } else { if (eresult != DNS_R_BROKENCHAIN) { - if (dns_rdataset_isassociated(&val->frdataset)) + if (dns_rdataset_isassociated(&val->frdataset)) { dns_rdataset_expire(&val->frdataset); - if (dns_rdataset_isassociated(&val->fsigrdataset)) + } + if (dns_rdataset_isassociated(&val->fsigrdataset)) { dns_rdataset_expire(&val->fsigrdataset); + } } validator_log(val, ISC_LOG_DEBUG(3), "dsvalidated: got %s", @@ -711,8 +753,9 @@ dsvalidated(isc_task_t *task, isc_event_t *event) { } want_destroy = exit_check(val); UNLOCK(&val->lock); - if (want_destroy) + if (want_destroy) { destroy(val); + } } /*% @@ -749,14 +792,17 @@ cnamevalidated(isc_task_t *task, isc_event_t *event) { validator_log(val, ISC_LOG_DEBUG(3), "cname with trust %s", dns_trust_totext(val->frdataset.trust)); result = proveunsecure(val, false, true); - if (result != DNS_R_WAIT) + if (result != DNS_R_WAIT) { validator_done(val, result); + } } else { if (eresult != DNS_R_BROKENCHAIN) { - if (dns_rdataset_isassociated(&val->frdataset)) + if (dns_rdataset_isassociated(&val->frdataset)) { dns_rdataset_expire(&val->frdataset); - if (dns_rdataset_isassociated(&val->fsigrdataset)) + } + if (dns_rdataset_isassociated(&val->fsigrdataset)) { dns_rdataset_expire(&val->fsigrdataset); + } } validator_log(val, ISC_LOG_DEBUG(3), "cnamevalidated: got %s", @@ -765,8 +811,9 @@ cnamevalidated(isc_task_t *task, isc_event_t *event) { } want_destroy = exit_check(val); UNLOCK(&val->lock); - if (want_destroy) + if (want_destroy) { destroy(val); + } } /*% @@ -804,21 +851,24 @@ authvalidated(isc_task_t *task, isc_event_t *event) { validator_log(val, ISC_LOG_DEBUG(3), "authvalidated: got %s", isc_result_totext(result)); - if (result == DNS_R_BROKENCHAIN) + if (result == DNS_R_BROKENCHAIN) { val->authfail++; - if (result == ISC_R_CANCELED) + } + if (result == ISC_R_CANCELED) { validator_done(val, result); - else { + } else { result = nsecvalidate(val, true); - if (result != DNS_R_WAIT) + if (result != DNS_R_WAIT) { validator_done(val, result); + } } } else { dns_name_t **proofs = val->event->proofs; dns_name_t *wild = dns_fixedname_name(&val->wild); - if (rdataset->trust == dns_trust_secure) + if (rdataset->trust == dns_trust_secure) { val->seensig = true; + } if (rdataset->type == dns_rdatatype_nsec && rdataset->trust == dns_trust_secure && @@ -827,13 +877,14 @@ authvalidated(isc_task_t *task, isc_event_t *event) { dns_nsec_noexistnodata(val->event->type, val->event->name, devent->name, rdataset, &exists, &data, wild, validator_log, val) - == ISC_R_SUCCESS) + == ISC_R_SUCCESS) { if (exists && !data) { val->attributes |= VALATTR_FOUNDNODATA; - if (NEEDNODATA(val)) + if (NEEDNODATA(val)) { proofs[DNS_VALIDATOR_NODATAPROOF] = devent->name; + } } if (!exists) { dns_name_t *closest; @@ -852,25 +903,30 @@ authvalidated(isc_task_t *task, isc_event_t *event) { */ if (clabels == 0 || dns_name_countlabels(wild) == clabels + 1) + { val->attributes |= VALATTR_FOUNDCLOSEST; + } /* * The NSEC noqname proof also contains * the closest encloser. */ - if (NEEDNOQNAME(val)) + if (NEEDNOQNAME(val)) { proofs[DNS_VALIDATOR_NOQNAMEPROOF] = devent->name; + } } } result = nsecvalidate(val, true); - if (result != DNS_R_WAIT) + if (result != DNS_R_WAIT) { validator_done(val, result); + } } want_destroy = exit_check(val); UNLOCK(&val->lock); - if (want_destroy) + if (want_destroy) { destroy(val); + } /* * Free stuff from the event. @@ -900,10 +956,12 @@ view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) { char namebuf[DNS_NAME_FORMATSIZE]; char typebuf[DNS_RDATATYPE_FORMATSIZE]; - if (dns_rdataset_isassociated(&val->frdataset)) + if (dns_rdataset_isassociated(&val->frdataset)) { dns_rdataset_disassociate(&val->frdataset); - if (dns_rdataset_isassociated(&val->fsigrdataset)) + } + if (dns_rdataset_isassociated(&val->fsigrdataset)) { dns_rdataset_disassociate(&val->fsigrdataset); + } if (isc_time_now(&now) == ISC_R_SUCCESS && dns_resolver_getbadcache(val->view->resolver, name, type, &now)) { @@ -922,25 +980,30 @@ view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) { &val->frdataset, &val->fsigrdataset); if (result == DNS_R_NXDOMAIN) { - if (dns_rdataset_isassociated(&val->frdataset)) + if (dns_rdataset_isassociated(&val->frdataset)) { dns_rdataset_disassociate(&val->frdataset); - if (dns_rdataset_isassociated(&val->fsigrdataset)) + } + if (dns_rdataset_isassociated(&val->fsigrdataset)) { dns_rdataset_disassociate(&val->fsigrdataset); + } } else if (result != ISC_R_SUCCESS && result != DNS_R_NCACHENXDOMAIN && result != DNS_R_NCACHENXRRSET && result != DNS_R_EMPTYNAME && result != DNS_R_NXRRSET && - result != ISC_R_NOTFOUND) { + result != ISC_R_NOTFOUND) + { goto notfound; } return (result); notfound: - if (dns_rdataset_isassociated(&val->frdataset)) + if (dns_rdataset_isassociated(&val->frdataset)) { dns_rdataset_disassociate(&val->frdataset); - if (dns_rdataset_isassociated(&val->fsigrdataset)) + } + if (dns_rdataset_isassociated(&val->fsigrdataset)) { dns_rdataset_disassociate(&val->fsigrdataset); + } return (ISC_R_NOTFOUND); } @@ -987,10 +1050,12 @@ create_fetch(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type, { unsigned int fopts = 0; - if (dns_rdataset_isassociated(&val->frdataset)) + if (dns_rdataset_isassociated(&val->frdataset)) { dns_rdataset_disassociate(&val->frdataset); - if (dns_rdataset_isassociated(&val->fsigrdataset)) + } + if (dns_rdataset_isassociated(&val->fsigrdataset)) { dns_rdataset_disassociate(&val->fsigrdataset); + } if (check_deadlock(val, name, type, NULL, NULL)) { validator_log(val, ISC_LOG_DEBUG(3), @@ -998,11 +1063,13 @@ create_fetch(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type, return (DNS_R_NOVALIDSIG); } - if ((val->options & DNS_VALIDATOR_NOCDFLAG) != 0) + if ((val->options & DNS_VALIDATOR_NOCDFLAG) != 0) { fopts |= DNS_FETCHOPT_NOCDFLAG; + } - if ((val->options & DNS_VALIDATOR_NONTA) != 0) + if ((val->options & DNS_VALIDATOR_NONTA) != 0) { fopts |= DNS_FETCHOPT_NONTA; + } validator_logcreate(val, name, type, caller, "fetch"); return (dns_resolver_createfetch(val->view->resolver, name, type, @@ -1032,7 +1099,8 @@ create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type, } /* OK to clear other options, but preserve NOCDFLAG and NONTA. */ - vopts |= (val->options & (DNS_VALIDATOR_NOCDFLAG|DNS_VALIDATOR_NONTA)); + vopts |= (val->options & (DNS_VALIDATOR_NOCDFLAG | + DNS_VALIDATOR_NONTA)); validator_logcreate(val, name, type, caller, "validator"); result = dns_validator_create(val->view, name, type, @@ -1063,16 +1131,17 @@ get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo, dst_key_t *oldkey = val->key; bool foundold; - if (oldkey == NULL) + if (oldkey == NULL) { foundold = true; - else { + } else { foundold = false; val->key = NULL; } result = dns_rdataset_first(rdataset); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { goto failure; + } do { dns_rdataset_current(rdataset, &rdata); @@ -1081,21 +1150,22 @@ get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo, INSIST(val->key == NULL); result = dst_key_fromdns(&siginfo->signer, rdata.rdclass, &b, val->view->mctx, &val->key); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { goto failure; + } if (siginfo->algorithm == (dns_secalg_t)dst_key_alg(val->key) && siginfo->keyid == (dns_keytag_t)dst_key_id(val->key) && dst_key_iszonekey(val->key)) { - if (foundold) + if (foundold) { /* * This is the key we're looking for. */ return (ISC_R_SUCCESS); - else if (dst_key_compare(oldkey, val->key) == true) - { + } else if (dst_key_compare(oldkey, + val->key) == true) { foundold = true; dst_key_free(&oldkey); } @@ -1104,12 +1174,14 @@ get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo, dns_rdata_reset(&rdata); result = dns_rdataset_next(rdataset); } while (result == ISC_R_SUCCESS); - if (result == ISC_R_NOMORE) + if (result == ISC_R_NOMORE) { result = ISC_R_NOTFOUND; + } failure: - if (oldkey != NULL) + if (oldkey != NULL) { dst_key_free(&oldkey); + } return (result); } @@ -1133,23 +1205,26 @@ get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) { namereln = dns_name_fullcompare(val->event->name, &siginfo->signer, &order, &nlabels); if (namereln != dns_namereln_subdomain && - namereln != dns_namereln_equal) + namereln != dns_namereln_equal) { return (DNS_R_CONTINUE); + } if (namereln == dns_namereln_equal) { /* * If this is a self-signed keyset, it must not be a zone key * (since get_key is not called from validatezonekey). */ - if (val->event->rdataset->type == dns_rdatatype_dnskey) + if (val->event->rdataset->type == dns_rdatatype_dnskey) { return (DNS_R_CONTINUE); + } /* * Records appearing in the parent zone at delegation * points cannot be self-signed. */ - if (dns_rdatatype_atparent(val->event->rdataset->type)) + if (dns_rdatatype_atparent(val->event->rdataset->type)) { return (DNS_R_CONTINUE); + } } else { /* * SOA and NS RRsets can only be signed by a key with @@ -1160,10 +1235,11 @@ get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) { { const char *type; - if (val->event->rdataset->type == dns_rdatatype_soa) + if (val->event->rdataset->type == dns_rdatatype_soa) { type = "SOA"; - else + } else { type = "NS"; + } validator_log(val, ISC_LOG_DEBUG(3), "%s signer mismatch", type); return (DNS_R_CONTINUE); @@ -1194,8 +1270,9 @@ get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) { &val->fsigrdataset, keyvalidated, "get_key"); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { return (result); + } return (DNS_R_WAIT); } else if (DNS_TRUST_PENDING(val->frdataset.trust)) { /* @@ -1234,8 +1311,9 @@ get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) { result = create_fetch(val, &siginfo->signer, dns_rdatatype_dnskey, fetch_callback_validator, "get_key"); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { return (result); + } return (DNS_R_WAIT); } else if (result == DNS_R_NCACHENXDOMAIN || result == DNS_R_NCACHENXRRSET || @@ -1247,14 +1325,17 @@ get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) { * This key doesn't exist. */ result = DNS_R_CONTINUE; - } else if (result == DNS_R_BROKENCHAIN) + } else if (result == DNS_R_BROKENCHAIN) { return (result); + } if (dns_rdataset_isassociated(&val->frdataset) && - val->keyset != &val->frdataset) + val->keyset != &val->frdataset) { dns_rdataset_disassociate(&val->frdataset); - if (dns_rdataset_isassociated(&val->fsigrdataset)) + } + if (dns_rdataset_isassociated(&val->fsigrdataset)) { dns_rdataset_disassociate(&val->fsigrdataset); + } return (result); } @@ -1291,7 +1372,9 @@ isselfsigned(dns_validator_t *val) { if (rdataset->type == dns_rdatatype_cname || rdataset->type == dns_rdatatype_dname) + { return (answer); + } INSIST(rdataset->type == dns_rdatatype_dnskey); @@ -1316,21 +1399,25 @@ isselfsigned(dns_validator_t *val) { if (sig.algorithm != key.algorithm || sig.keyid != keytag || !dns_name_equal(name, &sig.signer)) + { continue; + } dstkey = NULL; result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &dstkey); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { continue; + } result = dns_dnssec_verify(name, rdataset, dstkey, true, val->view->maxbits, mctx, &sigrdata, NULL); dst_key_free(&dstkey); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { continue; + } if ((key.flags & DNS_KEYFLAG_REVOKE) == 0) { answer = true; continue; @@ -1371,19 +1458,23 @@ verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata, ignore = true; goto again; } - if (ignore && (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD)) + + if (ignore && + (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD)) + { validator_log(val, ISC_LOG_INFO, "accepted expired %sRRSIG (keyid=%u)", (result == DNS_R_FROMWILDCARD) ? "wildcard " : "", keyid); - else if (result == DNS_R_SIGEXPIRED || result == DNS_R_SIGFUTURE) + } else if (result == DNS_R_SIGEXPIRED || result == DNS_R_SIGFUTURE) { validator_log(val, ISC_LOG_INFO, "verify failed due to bad signature (keyid=%u): " "%s", keyid, isc_result_totext(result)); - else + } else { validator_log(val, ISC_LOG_DEBUG(3), "verify rdataset (keyid=%u): %s", keyid, isc_result_totext(result)); + } if (result == DNS_R_FROMWILDCARD) { if (!dns_name_equal(val->event->name, wild)) { dns_name_t *closest; @@ -1446,26 +1537,30 @@ validate(dns_validator_t *val, bool resume) { sizeof(*val->siginfo)); } result = dns_rdata_tostruct(&rdata, val->siginfo, NULL); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { return (result); + } /* * At this point we could check that the signature algorithm * was known and "sufficiently good". */ if (!dns_resolver_algorithm_supported(val->view->resolver, - event->name, - val->siginfo->algorithm)) { + event->name, + val->siginfo->algorithm)) + { resume = false; continue; } if (!resume) { result = get_key(val, val->siginfo); - if (result == DNS_R_CONTINUE) + if (result == DNS_R_CONTINUE) { continue; /* Try the next SIG RR. */ - if (result != ISC_R_SUCCESS) + } + if (result != ISC_R_SUCCESS) { return (result); + } } /* @@ -1479,15 +1574,16 @@ validate(dns_validator_t *val, bool resume) { do { vresult = verify(val, val->key, &rdata, - val->siginfo->keyid); - if (vresult == ISC_R_SUCCESS) + val->siginfo->keyid); + if (vresult == ISC_R_SUCCESS) { break; + } if (val->keynode != NULL) { dns_keynode_t *nextnode = NULL; result = dns_keytable_findnextkeynode( - val->keytable, - val->keynode, - &nextnode); + val->keytable, + val->keynode, + &nextnode); dns_keytable_detachkeynode(val->keytable, &val->keynode); val->keynode = nextnode; @@ -1496,30 +1592,33 @@ validate(dns_validator_t *val, bool resume) { break; } val->key = dns_keynode_key(val->keynode); - if (val->key == NULL) + if (val->key == NULL) { break; + } } else { if (get_dst_key(val, val->siginfo, val->keyset) - != ISC_R_SUCCESS) + != ISC_R_SUCCESS) { break; + } } } while (1); - if (vresult != ISC_R_SUCCESS) + if (vresult != ISC_R_SUCCESS) { validator_log(val, ISC_LOG_DEBUG(3), "failed to verify rdataset"); - else { + } else { dns_rdataset_trimttl(event->rdataset, event->sigrdataset, val->siginfo, val->start, val->view->acceptexpired); } - if (val->keynode != NULL) + if (val->keynode != NULL) { dns_keytable_detachkeynode(val->keytable, &val->keynode); - else { - if (val->key != NULL) + } else { + if (val->key != NULL) { dst_key_free(&val->key); + } if (val->keyset != NULL) { dns_rdataset_disassociate(val->keyset); val->keyset = NULL; @@ -1529,7 +1628,8 @@ validate(dns_validator_t *val, bool resume) { if (NEEDNOQNAME(val)) { if (val->event->message == NULL) { validator_log(val, ISC_LOG_DEBUG(3), - "no message available for noqname proof"); + "no message available " + "for noqname proof"); return (DNS_R_NOVALIDSIG); } validator_log(val, ISC_LOG_DEBUG(3), @@ -1580,25 +1680,29 @@ checkkey(dns_validator_t *val, dns_rdata_t *keyrdata, uint16_t keyid, dns_rdataset_current(val->event->sigrdataset, &rdata); result = dns_rdata_tostruct(&rdata, &sig, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); - if (keyid != sig.keyid || algorithm != sig.algorithm) + if (keyid != sig.keyid || algorithm != sig.algorithm) { continue; + } if (dstkey == NULL) { result = dns_dnssec_keyfromrdata(val->event->name, keyrdata, val->view->mctx, &dstkey); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { /* * This really shouldn't happen, but... */ continue; + } } result = verify(val, dstkey, &rdata, sig.keyid); - if (result == ISC_R_SUCCESS) + if (result == ISC_R_SUCCESS) { break; + } } - if (dstkey != NULL) + if (dstkey != NULL) { dst_key_free(&dstkey); + } return (result); } @@ -1626,8 +1730,9 @@ keyfromds(dns_validator_t *val, dns_rdataset_t *rdataset, dns_rdata_t *dsrdata, result = dns_rdata_tostruct(keyrdata, &key, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); keytag = compute_keytag(keyrdata); - if (keyid != keytag || algorithm != key.algorithm) + if (keyid != keytag || algorithm != key.algorithm) { continue; + } dns_rdata_reset(&newdsrdata); result = dns_ds_buildrdata(val->event->name, keyrdata, digest, dsbuf, &newdsrdata); @@ -1637,8 +1742,9 @@ keyfromds(dns_validator_t *val, dns_rdataset_t *rdataset, dns_rdata_t *dsrdata, dns_result_totext(result)); continue; } - if (dns_rdata_compare(dsrdata, &newdsrdata) == 0) + if (dns_rdata_compare(dsrdata, &newdsrdata) == 0) { break; + } } return (result); } @@ -1694,8 +1800,9 @@ validatezonekey(dns_validator_t *val) { result = dns_rdata_tostruct(&sigrdata, &sig, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); - if (!dns_name_equal(val->event->name, &sig.signer)) + if (!dns_name_equal(val->event->name, &sig.signer)) { continue; + } result = dns_keytable_findkeynode(val->keytable, val->event->name, @@ -1703,11 +1810,15 @@ validatezonekey(dns_validator_t *val) { sig.keyid, &keynode); if (result == ISC_R_NOTFOUND && dns_keytable_finddeepestmatch(val->keytable, - val->event->name, found) != ISC_R_SUCCESS) { + val->event->name, + found) + != ISC_R_SUCCESS) + { if (val->mustbesecure) { validator_log(val, ISC_LOG_WARNING, - "must be secure failure, " - "not beneath secure root"); + "must be secure " + "failure, not beneath " + "secure root"); return (DNS_R_MUSTBESECURE); } validator_log(val, ISC_LOG_DEBUG(3), @@ -1717,14 +1828,16 @@ validatezonekey(dns_validator_t *val) { } if (result == DNS_R_PARTIALMATCH || result == ISC_R_SUCCESS) + { atsep = true; + } while (result == ISC_R_SUCCESS) { dns_keynode_t *nextnode = NULL; dstkey = dns_keynode_key(keynode); if (dstkey == NULL) { dns_keytable_detachkeynode( - val->keytable, - &keynode); + val->keytable, + &keynode); break; } result = verify(val, dstkey, &sigrdata, @@ -1763,8 +1876,7 @@ validatezonekey(dns_validator_t *val) { validator_log(val, ISC_LOG_NOTICE, "unable to find a DNSKEY which verifies " "the DNSKEY RRset and also matches a " - "trusted key for '%s'", - namebuf); + "trusted key for '%s'", namebuf); return (DNS_R_NOVALIDKEY); } @@ -1804,8 +1916,9 @@ validatezonekey(dns_validator_t *val) { &val->fsigrdataset, dsvalidated, "validatezonekey"); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { return (result); + } return (DNS_R_WAIT); } else if (DNS_TRUST_PENDING(val->frdataset.trust)) { /* @@ -1826,8 +1939,9 @@ validatezonekey(dns_validator_t *val) { result = create_fetch(val, val->event->name, dns_rdatatype_ds, dsfetched, "validatezonekey"); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { return (result); + } return (DNS_R_WAIT); } else if (result == DNS_R_NCACHENXDOMAIN || result == DNS_R_NCACHENXRRSET || @@ -1839,14 +1953,17 @@ validatezonekey(dns_validator_t *val) { /* * The DS does not exist. */ - if (dns_rdataset_isassociated(&val->frdataset)) + if (dns_rdataset_isassociated(&val->frdataset)) { dns_rdataset_disassociate(&val->frdataset); - if (dns_rdataset_isassociated(&val->fsigrdataset)) + } + if (dns_rdataset_isassociated(&val->fsigrdataset)) { dns_rdataset_disassociate(&val->fsigrdataset); + } validator_log(val, ISC_LOG_DEBUG(2), "no DS record"); return (DNS_R_NOVALIDSIG); - } else if (result == DNS_R_BROKENCHAIN) + } else if (result == DNS_R_BROKENCHAIN) { return (result); + } } /* @@ -1882,7 +1999,8 @@ validatezonekey(dns_validator_t *val) { memset(digest_types, 1, sizeof(digest_types)); for (result = dns_rdataset_first(val->dsset); result == ISC_R_SUCCESS; - result = dns_rdataset_next(val->dsset)) { + result = dns_rdataset_next(val->dsset)) + { dns_rdata_reset(&dsrdata); dns_rdataset_current(val->dsset, &dsrdata); result = dns_rdata_tostruct(&dsrdata, &ds, NULL); @@ -1891,12 +2009,16 @@ validatezonekey(dns_validator_t *val) { if (!dns_resolver_ds_digest_supported(val->view->resolver, val->event->name, ds.digest_type)) + { continue; + } if (!dns_resolver_algorithm_supported(val->view->resolver, val->event->name, ds.algorithm)) + { continue; + } if ((ds.digest_type == DNS_DSDIGEST_SHA256 && ds.length == ISC_SHA256_DIGESTLENGTH) || @@ -1917,18 +2039,23 @@ validatezonekey(dns_validator_t *val) { result = dns_rdata_tostruct(&dsrdata, &ds, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); - if (digest_types[ds.digest_type] == 0) + if (digest_types[ds.digest_type] == 0) { continue; + } if (!dns_resolver_ds_digest_supported(val->view->resolver, val->event->name, ds.digest_type)) + { continue; + } if (!dns_resolver_algorithm_supported(val->view->resolver, val->event->name, ds.algorithm)) + { continue; + } supported_algorithm = true; @@ -1953,8 +2080,9 @@ validatezonekey(dns_validator_t *val) { result = checkkey(val, &keyrdata, ds.key_tag, ds.algorithm); dns_rdataset_disassociate(&trdataset); - if (result == ISC_R_SUCCESS) + if (result == ISC_R_SUCCESS) { break; + } validator_log(val, ISC_LOG_DEBUG(3), "no RRSIG matching DS key"); } @@ -1994,8 +2122,9 @@ start_positive_validation(dns_validator_t *val) { /* * If this is not a key, go straight into validate(). */ - if (val->event->type != dns_rdatatype_dnskey || !isselfsigned(val)) + if (val->event->type != dns_rdatatype_dnskey || !isselfsigned(val)) { return (validate(val, false)); + } return (validatezonekey(val)); } @@ -2024,16 +2153,18 @@ val_rdataset_first(dns_validator_t *val, dns_name_t **namep, if (message != NULL) { result = dns_message_firstname(message, DNS_SECTION_AUTHORITY); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { return (result); + } dns_message_currentname(message, DNS_SECTION_AUTHORITY, namep); *rdatasetp = ISC_LIST_HEAD((*namep)->list); INSIST(*rdatasetp != NULL); } else { result = dns_rdataset_first(val->event->rdataset); - if (result == ISC_R_SUCCESS) + if (result == ISC_R_SUCCESS) { dns_ncache_current(val->event->rdataset, *namep, *rdatasetp); + } } return (result); } @@ -2067,9 +2198,10 @@ val_rdataset_next(dns_validator_t *val, dns_name_t **namep, } else { dns_rdataset_disassociate(*rdatasetp); result = dns_rdataset_next(val->event->rdataset); - if (result == ISC_R_SUCCESS) + if (result == ISC_R_SUCCESS) { dns_ncache_current(val->event->rdataset, *namep, *rdatasetp); + } } return (result); } @@ -2083,7 +2215,8 @@ val_rdataset_next(dns_validator_t *val, dns_name_t **namep, * \li ISC_R_SUCCESS */ static isc_result_t -checkwildcard(dns_validator_t *val, dns_rdatatype_t type, dns_name_t *zonename) +checkwildcard(dns_validator_t *val, dns_rdatatype_t type, + dns_name_t *zonename) { dns_name_t *name, *wild, tname; isc_result_t result; @@ -2118,7 +2251,9 @@ checkwildcard(dns_validator_t *val, dns_rdatatype_t type, dns_name_t *zonename) { if (rdataset->type != type || rdataset->trust != dns_trust_secure) + { continue; + } if (rdataset->type == dns_rdatatype_nsec && (NEEDNODATA(val) || NEEDNOWILDCARD(val)) && @@ -2126,22 +2261,26 @@ checkwildcard(dns_validator_t *val, dns_rdatatype_t type, dns_name_t *zonename) dns_nsec_noexistnodata(val->event->type, wild, name, rdataset, &exists, &data, NULL, validator_log, val) - == ISC_R_SUCCESS) + == ISC_R_SUCCESS) { dns_name_t **proofs = val->event->proofs; - if (exists && !data) + if (exists && !data) { val->attributes |= VALATTR_FOUNDNODATA; - if (exists && !data && NEEDNODATA(val)) + } + if (exists && !data && NEEDNODATA(val)) { proofs[DNS_VALIDATOR_NODATAPROOF] = - name; - if (!exists) + name; + } + if (!exists) { val->attributes |= - VALATTR_FOUNDNOWILDCARD; - if (!exists && NEEDNOQNAME(val)) - proofs[DNS_VALIDATOR_NOWILDCARDPROOF] = - name; - if (dns_rdataset_isassociated(&trdataset)) + VALATTR_FOUNDNOWILDCARD; + } + if (!exists && NEEDNOQNAME(val)) { + proofs[DNS_VALIDATOR_NOWILDCARDPROOF] = name; + } + if (dns_rdataset_isassociated(&trdataset)) { dns_rdataset_disassociate(&trdataset); + } return (ISC_R_SUCCESS); } @@ -2152,29 +2291,33 @@ checkwildcard(dns_validator_t *val, dns_rdatatype_t type, dns_name_t *zonename) rdataset, zonename, &exists, &data, NULL, NULL, NULL, NULL, NULL, NULL, validator_log, val) - == ISC_R_SUCCESS) + == ISC_R_SUCCESS) { dns_name_t **proofs = val->event->proofs; - if (exists && !data) + if (exists && !data) { val->attributes |= VALATTR_FOUNDNODATA; - if (exists && !data && NEEDNODATA(val)) - proofs[DNS_VALIDATOR_NODATAPROOF] = - name; - if (!exists) - val->attributes |= - VALATTR_FOUNDNOWILDCARD; - if (!exists && NEEDNOQNAME(val)) - proofs[DNS_VALIDATOR_NOWILDCARDPROOF] = - name; - if (dns_rdataset_isassociated(&trdataset)) + } + if (exists && !data && NEEDNODATA(val)) { + proofs[DNS_VALIDATOR_NODATAPROOF] = name; + } + if (!exists) { + val->attributes |= VALATTR_FOUNDNOWILDCARD; + } + if (!exists && NEEDNOQNAME(val)) { + proofs[DNS_VALIDATOR_NOWILDCARDPROOF] = name; + } + if (dns_rdataset_isassociated(&trdataset)) { dns_rdataset_disassociate(&trdataset); + } return (ISC_R_SUCCESS); } } - if (result == ISC_R_NOMORE) + if (result == ISC_R_NOMORE) { result = ISC_R_SUCCESS; - if (dns_rdataset_isassociated(&trdataset)) + } + if (dns_rdataset_isassociated(&trdataset)) { dns_rdataset_disassociate(&trdataset); + } return (result); } @@ -2209,7 +2352,9 @@ findnsec3proofs(dns_validator_t *val) { { if (rdataset->type != dns_rdatatype_nsec3 || rdataset->trust != dns_trust_secure) + { continue; + } result = dns_nsec3_noexistnodata(val->event->type, val->event->name, name, @@ -2218,17 +2363,20 @@ findnsec3proofs(dns_validator_t *val) { NULL, NULL, validator_log, val); if (result != ISC_R_IGNORE && result != ISC_R_SUCCESS) { - if (dns_rdataset_isassociated(&trdataset)) + if (dns_rdataset_isassociated(&trdataset)) { dns_rdataset_disassociate(&trdataset); + } return (result); } } - if (result != ISC_R_NOMORE) + if (result != ISC_R_NOMORE) { result = ISC_R_SUCCESS; + } POST(result); - if (dns_name_countlabels(zonename) == 0) + if (dns_name_countlabels(zonename) == 0) { return (ISC_R_SUCCESS); + } /* * If the val->closest is set then we want to use it otherwise @@ -2238,9 +2386,10 @@ findnsec3proofs(dns_validator_t *val) { char namebuf[DNS_NAME_FORMATSIZE]; dns_name_format(dns_fixedname_name(&val->closest), - namebuf, sizeof(namebuf)); - validator_log(val, ISC_LOG_DEBUG(3), "closest encloser from " - "wildcard signature '%s'", namebuf); + namebuf, sizeof(namebuf)); + validator_log(val, ISC_LOG_DEBUG(3), + "closest encloser from wildcard signature '%s'", + namebuf); dns_name_copynf(dns_fixedname_name(&val->closest), closest); closestp = NULL; setclosestp = NULL; @@ -2255,7 +2404,9 @@ findnsec3proofs(dns_validator_t *val) { { if (rdataset->type != dns_rdatatype_nsec3 || rdataset->trust != dns_trust_secure) + { continue; + } /* * We process all NSEC3 records to find the closest @@ -2271,12 +2422,15 @@ findnsec3proofs(dns_validator_t *val) { &unknown, setclosestp, &setnearest, closestp, nearest, validator_log, val); - if (unknown) + if (unknown) { val->attributes |= VALATTR_FOUNDUNKNOWN; - if (result != ISC_R_SUCCESS) + } + if (result != ISC_R_SUCCESS) { continue; - if (setclosest) + } + if (setclosest) { proofs[DNS_VALIDATOR_CLOSESTENCLOSER] = name; + } if (exists && !data && NEEDNODATA(val)) { val->attributes |= VALATTR_FOUNDNODATA; proofs[DNS_VALIDATOR_NODATAPROOF] = name; @@ -2284,12 +2438,14 @@ findnsec3proofs(dns_validator_t *val) { if (!exists && setnearest) { val->attributes |= VALATTR_FOUNDNOQNAME; proofs[DNS_VALIDATOR_NOQNAMEPROOF] = name; - if (optout) + if (optout) { val->attributes |= VALATTR_FOUNDOPTOUT; + } } } - if (result == ISC_R_NOMORE) + if (result == ISC_R_NOMORE) { result = ISC_R_SUCCESS; + } /* * To know we have a valid noqname and optout proofs we need to also @@ -2316,10 +2472,12 @@ findnsec3proofs(dns_validator_t *val) { * Do we need to check for the wildcard? */ if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) && - ((NEEDNODATA(val) && !FOUNDNODATA(val)) || NEEDNOWILDCARD(val))) { + ((NEEDNODATA(val) && !FOUNDNODATA(val)) || NEEDNOWILDCARD(val))) + { result = checkwildcard(val, dns_rdatatype_nsec3, zonename); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { return (result); + } } return (result); } @@ -2333,10 +2491,11 @@ validate_authority(dns_validator_t *val, bool resume) { dns_message_t *message = val->event->message; isc_result_t result; - if (!resume) + if (!resume) { result = dns_message_firstname(message, DNS_SECTION_AUTHORITY); - else + } else { result = ISC_R_SUCCESS; + } for (; result == ISC_R_SUCCESS; @@ -2350,24 +2509,27 @@ validate_authority(dns_validator_t *val, bool resume) { rdataset = ISC_LIST_NEXT(val->currentset, link); val->currentset = NULL; resume = false; - } else + } else { rdataset = ISC_LIST_HEAD(name->list); + } for (; rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { - if (rdataset->type == dns_rdatatype_rrsig) + if (rdataset->type == dns_rdatatype_rrsig) { continue; + } for (sigrdataset = ISC_LIST_HEAD(name->list); sigrdataset != NULL; - sigrdataset = ISC_LIST_NEXT(sigrdataset, - link)) + sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) { if (sigrdataset->type == dns_rdatatype_rrsig && sigrdataset->covers == rdataset->type) + { break; + } } /* * If a signed zone is missing the zone key, bad @@ -2386,26 +2548,31 @@ validate_authority(dns_validator_t *val, bool resume) { dns_rdata_t nsec = DNS_RDATA_INIT; result = dns_rdataset_first(rdataset); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { return (result); + } dns_rdataset_current(rdataset, &nsec); if (dns_nsec_typepresent(&nsec, - dns_rdatatype_soa)) + dns_rdatatype_soa)) + { continue; + } } val->currentset = rdataset; result = create_validator(val, name, rdataset->type, rdataset, sigrdataset, authvalidated, "validate_authority"); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { return (result); + } val->authcount++; return (DNS_R_WAIT); } } - if (result == ISC_R_NOMORE) + if (result == ISC_R_NOMORE) { result = ISC_R_SUCCESS; + } return (result); } @@ -2417,10 +2584,11 @@ validate_ncache(dns_validator_t *val, bool resume) { dns_name_t *name; isc_result_t result; - if (!resume) + if (!resume) { result = dns_rdataset_first(val->event->rdataset); - else + } else { result = dns_rdataset_next(val->event->rdataset); + } for (; result == ISC_R_SUCCESS; @@ -2428,23 +2596,27 @@ validate_ncache(dns_validator_t *val, bool resume) { { dns_rdataset_t *rdataset, *sigrdataset = NULL; - if (dns_rdataset_isassociated(&val->frdataset)) + if (dns_rdataset_isassociated(&val->frdataset)) { dns_rdataset_disassociate(&val->frdataset); - if (dns_rdataset_isassociated(&val->fsigrdataset)) + } + if (dns_rdataset_isassociated(&val->fsigrdataset)) { dns_rdataset_disassociate(&val->fsigrdataset); + } name = dns_fixedname_initname(&val->fname); rdataset = &val->frdataset; dns_ncache_current(val->event->rdataset, name, rdataset); - if (val->frdataset.type == dns_rdatatype_rrsig) + if (val->frdataset.type == dns_rdatatype_rrsig) { continue; + } result = dns_ncache_getsigrdataset(val->event->rdataset, name, rdataset->type, &val->fsigrdataset); - if (result == ISC_R_SUCCESS) + if (result == ISC_R_SUCCESS) { sigrdataset = &val->fsigrdataset; + } /* * If a signed zone is missing the zone key, bad @@ -2463,25 +2635,27 @@ validate_ncache(dns_validator_t *val, bool resume) { dns_rdata_t nsec = DNS_RDATA_INIT; result = dns_rdataset_first(rdataset); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { return (result); + } dns_rdataset_current(rdataset, &nsec); - if (dns_nsec_typepresent(&nsec, - dns_rdatatype_soa)) + if (dns_nsec_typepresent(&nsec, dns_rdatatype_soa)) { continue; + } } val->currentset = rdataset; result = create_validator(val, name, rdataset->type, rdataset, sigrdataset, - authvalidated, - "validate_ncache"); - if (result != ISC_R_SUCCESS) + authvalidated, "validate_ncache"); + if (result != ISC_R_SUCCESS) { return (result); + } val->authcount++; return (DNS_R_WAIT); } - if (result == ISC_R_NOMORE) + if (result == ISC_R_NOMORE) { result = ISC_R_SUCCESS; + } return (result); } @@ -2501,24 +2675,28 @@ static isc_result_t nsecvalidate(dns_validator_t *val, bool resume) { isc_result_t result; - if (resume) + if (resume) { validator_log(val, ISC_LOG_DEBUG(3), "resuming nsecvalidate"); + } - if (val->event->message == NULL) + if (val->event->message == NULL) { result = validate_ncache(val, resume); - else + } else { result = validate_authority(val, resume); + } - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { return (result); + } /* * Do we only need to check for NOQNAME? To get here we must have * had a secure wildcard answer. */ if (!NEEDNODATA(val) && !NEEDNOWILDCARD(val) && NEEDNOQNAME(val)) { - if (!FOUNDNOQNAME(val)) + if (!FOUNDNOQNAME(val)) { findnsec3proofs(val); + } if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) && !FOUNDOPTOUT(val)) { validator_log(val, ISC_LOG_DEBUG(3), @@ -2527,7 +2705,8 @@ nsecvalidate(dns_validator_t *val, bool resume) { return (ISC_R_SUCCESS); } else if (FOUNDOPTOUT(val) && dns_name_countlabels(dns_fixedname_name(&val->wild)) - != 0) { + != 0) + { validator_log(val, ISC_LOG_DEBUG(3), "optout proof found"); val->event->optout = true; @@ -2544,36 +2723,43 @@ nsecvalidate(dns_validator_t *val, bool resume) { return (DNS_R_NOVALIDNSEC); } - if (!FOUNDNOQNAME(val) && !FOUNDNODATA(val)) + if (!FOUNDNOQNAME(val) && !FOUNDNODATA(val)) { findnsec3proofs(val); + } /* * Do we need to check for the wildcard? */ if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) && - ((NEEDNODATA(val) && !FOUNDNODATA(val)) || NEEDNOWILDCARD(val))) { + ((NEEDNODATA(val) && !FOUNDNODATA(val)) || NEEDNOWILDCARD(val))) + { result = checkwildcard(val, dns_rdatatype_nsec, NULL); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { return (result); + } } if ((NEEDNODATA(val) && (FOUNDNODATA(val) || FOUNDOPTOUT(val))) || (NEEDNOQNAME(val) && FOUNDNOQNAME(val) && NEEDNOWILDCARD(val) && FOUNDNOWILDCARD(val) && - FOUNDCLOSEST(val))) { - if ((val->attributes & VALATTR_FOUNDOPTOUT) != 0) + FOUNDCLOSEST(val))) + { + if ((val->attributes & VALATTR_FOUNDOPTOUT) != 0) { val->event->optout = true; + } validator_log(val, ISC_LOG_DEBUG(3), "nonexistence proof(s) found"); - if (val->event->message == NULL) + if (val->event->message == NULL) { marksecure(val->event); - else + } else { val->event->secure = true; + } return (ISC_R_SUCCESS); } - if (val->authfail != 0 && val->authcount == val->authfail) + if (val->authfail != 0 && val->authcount == val->authfail) { return (DNS_R_BROKENCHAIN); + } validator_log(val, ISC_LOG_DEBUG(3), "nonexistence proof(s) not found"); val->attributes |= VALATTR_INSECURITY; @@ -2588,7 +2774,8 @@ check_ds(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset) { for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS; - result = dns_rdataset_next(rdataset)) { + result = dns_rdataset_next(rdataset)) + { dns_rdataset_current(rdataset, &dsrdata); result = dns_rdata_tostruct(&dsrdata, &ds, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); @@ -2596,7 +2783,8 @@ check_ds(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset) { if (dns_resolver_ds_digest_supported(val->view->resolver, name, ds.digest_type) && dns_resolver_algorithm_supported(val->view->resolver, - name, ds.algorithm)) { + name, ds.algorithm)) + { dns_rdata_reset(&dsrdata); return (true); } @@ -2624,28 +2812,26 @@ check_ds(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset) { static isc_result_t proveunsecure(dns_validator_t *val, bool have_ds, bool resume) { isc_result_t result; - dns_fixedname_t fixedsecroot; - dns_name_t *secroot; - dns_name_t *tname; char namebuf[DNS_NAME_FORMATSIZE]; - dns_name_t *found; + dns_fixedname_t fixedsecroot; + dns_name_t *secroot = dns_fixedname_initname(&fixedsecroot); dns_fixedname_t fixedfound; + dns_name_t *found = dns_fixedname_initname(&fixedfound); + dns_name_t *tname = NULL; unsigned int labels; - secroot = dns_fixedname_initname(&fixedsecroot); - found = dns_fixedname_initname(&fixedfound); dns_name_copynf(val->event->name, secroot); + /* * If this is a response to a DS query, we need to look in * the parent zone for the trust anchor. */ - labels = dns_name_countlabels(secroot); - if (val->event->type == dns_rdatatype_ds && labels > 1U) - dns_name_getlabelsequence(secroot, 1, labels - 1, - secroot); - result = dns_keytable_finddeepestmatch(val->keytable, - secroot, secroot); + if (val->event->type == dns_rdatatype_ds && labels > 1U) { + dns_name_getlabelsequence(secroot, 1, labels - 1, secroot); + } + + result = dns_keytable_finddeepestmatch(val->keytable, secroot, secroot); if (result == ISC_R_NOTFOUND) { if (val->mustbesecure) { validator_log(val, ISC_LOG_WARNING, @@ -2702,13 +2888,13 @@ proveunsecure(dns_validator_t *val, bool have_ds, bool resume) { val->labels <= dns_name_countlabels(val->event->name); val->labels++) { - tname = dns_fixedname_initname(&val->fname); - if (val->labels == dns_name_countlabels(val->event->name)) + if (val->labels == dns_name_countlabels(val->event->name)) { dns_name_copynf(val->event->name, tname); - else + } else { dns_name_split(val->event->name, val->labels, NULL, tname); + } dns_name_format(tname, namebuf, sizeof(namebuf)); validator_log(val, ISC_LOG_DEBUG(3), @@ -2720,20 +2906,21 @@ proveunsecure(dns_validator_t *val, bool have_ds, bool resume) { /* * There is no DS. If this is a delegation, * we may be done. - */ - /* + * * If we have "trust == answer" then this namespace * has switched from insecure to should be secure. */ if (DNS_TRUST_PENDING(val->frdataset.trust) || - DNS_TRUST_ANSWER(val->frdataset.trust)) { + DNS_TRUST_ANSWER(val->frdataset.trust)) + { result = create_validator(val, tname, dns_rdatatype_ds, &val->frdataset, NULL, dsvalidated, "proveunsecure"); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { goto out; + } return (DNS_R_WAIT); } /* @@ -2743,10 +2930,11 @@ proveunsecure(dns_validator_t *val, bool have_ds, bool resume) { */ if (result == DNS_R_NXRRSET && !dns_rdataset_isassociated(&val->frdataset) && - dns_view_findzonecut(val->view, tname, found, NULL, - 0, 0, false, false, - NULL, NULL) == ISC_R_SUCCESS && - dns_name_equal(tname, found)) { + dns_view_findzonecut(val->view, tname, found, NULL, + 0, 0, false, false, + NULL, NULL) == ISC_R_SUCCESS && + dns_name_equal(tname, found)) + { if (val->mustbesecure) { validator_log(val, ISC_LOG_WARNING, "must be secure failure, " @@ -2783,15 +2971,17 @@ proveunsecure(dns_validator_t *val, bool have_ds, bool resume) { continue; } else if (result == DNS_R_CNAME) { if (DNS_TRUST_PENDING(val->frdataset.trust) || - DNS_TRUST_ANSWER(val->frdataset.trust)) { + DNS_TRUST_ANSWER(val->frdataset.trust)) + { result = create_validator(val, tname, dns_rdatatype_cname, &val->frdataset, NULL, cnamevalidated, "proveunsecure " "(cname)"); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { goto out; + } return (DNS_R_WAIT); } continue; @@ -2803,11 +2993,12 @@ proveunsecure(dns_validator_t *val, bool have_ds, bool resume) { if (val->frdataset.trust >= dns_trust_secure) { if (!check_ds(val, tname, &val->frdataset)) { validator_log(val, ISC_LOG_DEBUG(3), - "no supported algorithm/" - "digest (%s/DS)", namebuf); + "no supported algorithm/" + "digest (%s/DS)", + namebuf); if (val->mustbesecure) { validator_log(val, - ISC_LOG_WARNING, + ISC_LOG_WARNING, "must be secure failure, " "no supported algorithm/" "digest (%s/DS)", @@ -2820,8 +3011,8 @@ proveunsecure(dns_validator_t *val, bool have_ds, bool resume) { goto out; } continue; - } - else if (!dns_rdataset_isassociated(&val->fsigrdataset)) + } else if (!dns_rdataset_isassociated(&val-> + fsigrdataset)) { validator_log(val, ISC_LOG_DEBUG(3), "DS is unsigned"); @@ -2836,13 +3027,15 @@ proveunsecure(dns_validator_t *val, bool have_ds, bool resume) { &val->fsigrdataset, dsvalidated, "proveunsecure"); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { goto out; + } return (DNS_R_WAIT); } else if (result == DNS_R_NXDOMAIN || - result == DNS_R_NCACHENXDOMAIN) { + result == DNS_R_NCACHENXDOMAIN) + { /* - * This is not a zone cut. Assuming things are + * This is not a zone cut. Assuming things are * as expected, continue. */ if (!dns_rdataset_isassociated(&val->frdataset)) { @@ -2853,7 +3046,8 @@ proveunsecure(dns_validator_t *val, bool have_ds, bool resume) { result = DNS_R_NOVALIDNSEC; goto out; } else if (DNS_TRUST_PENDING(val->frdataset.trust) || - DNS_TRUST_ANSWER(val->frdataset.trust)) { + DNS_TRUST_ANSWER(val->frdataset.trust)) + { /* * If we have "trust == answer" then this * namespace has switched from insecure to @@ -2864,8 +3058,9 @@ proveunsecure(dns_validator_t *val, bool have_ds, bool resume) { &val->frdataset, NULL, dsvalidated, "proveunsecure"); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { goto out; + } return (DNS_R_WAIT); } else if (val->frdataset.trust < dns_trust_secure) { /* @@ -2888,11 +3083,13 @@ proveunsecure(dns_validator_t *val, bool have_ds, bool resume) { */ result = create_fetch(val, tname, dns_rdatatype_ds, dsfetched2, "proveunsecure"); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { goto out; + } return (DNS_R_WAIT); - } else if (result == DNS_R_BROKENCHAIN) + } else if (result == DNS_R_BROKENCHAIN) { return (result); + } } /* Couldn't complete insecurity proof */ @@ -2900,10 +3097,12 @@ proveunsecure(dns_validator_t *val, bool have_ds, bool resume) { return (DNS_R_NOTINSECURE); out: - if (dns_rdataset_isassociated(&val->frdataset)) + if (dns_rdataset_isassociated(&val->frdataset)) { dns_rdataset_disassociate(&val->frdataset); - if (dns_rdataset_isassociated(&val->fsigrdataset)) + } + if (dns_rdataset_isassociated(&val->fsigrdataset)) { dns_rdataset_disassociate(&val->fsigrdataset); + } return (result); } @@ -2932,8 +3131,9 @@ validator_start(isc_task_t *task, isc_event_t *event) { val = vevent->validator; /* If the validator has been canceled, val->event == NULL */ - if (val->event == NULL) + if (val->event == NULL) { return; + } validator_log(val, ISC_LOG_DEBUG(3), "starting"); @@ -2960,11 +3160,13 @@ validator_start(isc_task_t *task, isc_event_t *event) { "falling back to insecurity proof"); val->attributes |= VALATTR_INSECURITY; result = proveunsecure(val, false, false); - if (result == DNS_R_NOTINSECURE) + if (result == DNS_R_NOTINSECURE) { result = saved_result; + } } } else if (val->event->rdataset != NULL && - val->event->rdataset->type != 0) { + val->event->rdataset->type != 0) + { /* * This is either an unsecure subdomain or a response from * a broken server. @@ -2975,10 +3177,11 @@ validator_start(isc_task_t *task, isc_event_t *event) { val->attributes |= VALATTR_INSECURITY; result = proveunsecure(val, false, false); - if (result == DNS_R_NOTINSECURE) + if (result == DNS_R_NOTINSECURE) { validator_log(val, ISC_LOG_INFO, "got insecure response; " "parent indicates it should be secure"); + } } else if (val->event->rdataset == NULL && val->event->sigrdataset == NULL) { @@ -2991,11 +3194,12 @@ validator_start(isc_task_t *task, isc_event_t *event) { if (val->event->message->rcode == dns_rcode_nxdomain) { val->attributes |= VALATTR_NEEDNOQNAME; val->attributes |= VALATTR_NEEDNOWILDCARD; - } else + } else { val->attributes |= VALATTR_NEEDNODATA; + } result = nsecvalidate(val, false); } else if (val->event->rdataset != NULL && - NEGATIVE(val->event->rdataset)) + NEGATIVE(val->event->rdataset)) { /* * This is a nonexistence validation. @@ -3006,8 +3210,9 @@ validator_start(isc_task_t *task, isc_event_t *event) { if (val->event->rdataset->covers == dns_rdatatype_any) { val->attributes |= VALATTR_NEEDNOQNAME; val->attributes |= VALATTR_NEEDNOWILDCARD; - } else + } else { val->attributes |= VALATTR_NEEDNODATA; + } result = nsecvalidate(val, false); } else { INSIST(0); @@ -3020,8 +3225,9 @@ validator_start(isc_task_t *task, isc_event_t *event) { } UNLOCK(&val->lock); - if (want_destroy) + if (want_destroy) { destroy(val); + } } isc_result_t @@ -3073,8 +3279,9 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, val->keytable = NULL; result = dns_view_getsecroots(val->view, &val->keytable); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { goto cleanup_mutex; + } val->keynode = NULL; val->key = NULL; val->siginfo = NULL; @@ -3099,8 +3306,9 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, ISC_LINK_INIT(val, link); val->magic = VALIDATOR_MAGIC; - if ((options & DNS_VALIDATOR_DEFER) == 0) + if ((options & DNS_VALIDATOR_DEFER) == 0) { isc_task_send(task, ISC_EVENT_PTR(&event)); + } *validatorp = val; @@ -3149,8 +3357,9 @@ dns_validator_cancel(dns_validator_t *validator) { fetch = validator->fetch; validator->fetch = NULL; - if (validator->subvalidator != NULL) + if (validator->subvalidator != NULL) { dns_validator_cancel(validator->subvalidator); + } if ((validator->options & DNS_VALIDATOR_DEFER) != 0) { validator->options &= ~DNS_VALIDATOR_DEFER; validator_done(validator, ISC_R_CANCELED); @@ -3174,21 +3383,27 @@ destroy(dns_validator_t *val) { REQUIRE(val->event == NULL); REQUIRE(val->fetch == NULL); - if (val->keynode != NULL) + if (val->keynode != NULL) { dns_keytable_detachkeynode(val->keytable, &val->keynode); - else if (val->key != NULL) + } else if (val->key != NULL) { dst_key_free(&val->key); - if (val->keytable != NULL) + } + if (val->keytable != NULL) { dns_keytable_detach(&val->keytable); - if (val->subvalidator != NULL) + } + if (val->subvalidator != NULL) { dns_validator_destroy(&val->subvalidator); - if (dns_rdataset_isassociated(&val->frdataset)) + } + if (dns_rdataset_isassociated(&val->frdataset)) { dns_rdataset_disassociate(&val->frdataset); - if (dns_rdataset_isassociated(&val->fsigrdataset)) + } + if (dns_rdataset_isassociated(&val->fsigrdataset)) { dns_rdataset_disassociate(&val->fsigrdataset); + } mctx = val->view->mctx; - if (val->siginfo != NULL) + if (val->siginfo != NULL) { isc_mem_put(mctx, val->siginfo, sizeof(*val->siginfo)); + } isc_mutex_destroy(&val->lock); dns_view_weakdetach(&val->view); val->magic = 0; @@ -3213,8 +3428,9 @@ dns_validator_destroy(dns_validator_t **validatorp) { UNLOCK(&val->lock); - if (want_destroy) + if (want_destroy) { destroy(val); + } *validatorp = NULL; } @@ -3230,8 +3446,9 @@ validator_logv(dns_validator_t *val, isc_logcategory_t *category, vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap); - if ((unsigned int) depth >= sizeof spaces) + if ((unsigned int) depth >= sizeof spaces) { depth = sizeof spaces - 1; + } /* * Log the view name unless it's: @@ -3274,8 +3491,9 @@ static void validator_log(void *val, int level, const char *fmt, ...) { va_list ap; - if (! isc_log_wouldlog(dns_lctx, level)) + if (!isc_log_wouldlog(dns_lctx, level)) { return; + } va_start(ap, fmt); @@ -3285,9 +3503,9 @@ validator_log(void *val, int level, const char *fmt, ...) { } static void -validator_logcreate(dns_validator_t *val, - dns_name_t *name, dns_rdatatype_t type, - const char *caller, const char *operation) +validator_logcreate(dns_validator_t *val, dns_name_t *name, + dns_rdatatype_t type, const char *caller, + const char *operation) { char namestr[DNS_NAME_FORMATSIZE]; char typestr[DNS_RDATATYPE_FORMATSIZE];