}
result = dns_dnssec_verify(name, rdataset, ki->dst,
- ISC_FALSE, mctx, &sigrdata);
- if (result != ISC_R_SUCCESS) {
+ ISC_FALSE, 0, mctx,
+ &sigrdata, NULL);
+
+ if (result != ISC_R_SUCCESS &&
+ result != DNS_R_FROMWILDCARD) {
vbprintf(1, "skip RRSIG by key %d:"
" verification failed: %s\n",
sig.keyid, isc_result_totext(result));
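Review bot: The widened condition `if (result != ISC_R_SUCCESS && result != DNS_R_FROMWILDCARD)` now accepts wildcard-derived signatures at this call site without saying why; it reproduces what the removed three-argument `dns_dnssec_verify()` wrapper did internally (folding DNS_R_FROMWILDCARD into ISC_R_SUCCESS), but that reasoning is no longer visible where the decision is made. Add a short comment above the check, e.g. `/* DNS_R_FROMWILDCARD is a verified signature made for a wildcard; accept it as the old dns_dnssec_verify() wrapper did. */`. The enclosing function starts and ends outside the hunk.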
if (tryverify) {
result = dns_dnssec_verify(name, rdataset, key,
- ISC_TRUE, mctx, &trdata);
- if (result == ISC_R_SUCCESS) {
+ ISC_TRUE, 0, mctx, &trdata, NULL);
+ if (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD) {
vbprintf(3, "\tsignature verified\n");
INCSTAT(nverified);
} else {
dns_rdata_t *rrsig)
{
isc_result_t result;
- result = dns_dnssec_verify(name, set, key, ISC_FALSE, mctx, rrsig);
- if (result == ISC_R_SUCCESS) {
+ result = dns_dnssec_verify(name, set, key, ISC_FALSE, 0, mctx, rrsig,
+ NULL);
+ if (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD) {
INCSTAT(nverified);
return (ISC_TRUE);
} else {
* Find keys that match this zone in the key repository.
*/
result = dns_dnssec_findmatchingkeys(gorigin, directory,
- mctx, &matchkeys);
+ now, mctx, &matchkeys);
if (result == ISC_R_NOTFOUND) {
result = ISC_R_SUCCESS;
}
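Review bot: The `now` passed to `dns_dnssec_findmatchingkeys()` is neither declared nor assigned in the hunk, so it is presumably a file-scope value set earlier; the removed wrapper called `isc_stdtime_get()` at the moment of the call, so if that presumption holds, key timing metadata is now evaluated against whenever `now` was sampled rather than the current time. For a short-lived signing run the difference is likely negligible, but a one-line comment naming where `now` is set would make the choice visible, e.g. `/* 'now' is sampled once at startup; key timing metadata is checked against that time. */` if that is indeed the case. The enclosing function starts and ends outside the hunk.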
dns_secalg_t alg;
char filename[ISC_DIR_NAMEMAX];
isc_buffer_t fileb;
+ isc_stdtime_t now;
if (exact != NULL)
*exact = ISC_FALSE;
}
ISC_LIST_INIT(matchkeys);
- result = dns_dnssec_findmatchingkeys(name, dir, mctx, &matchkeys);
+ isc_stdtime_get(&now);
+ result = dns_dnssec_findmatchingkeys(name, dir, now, mctx, &matchkeys);
if (result == ISC_R_NOTFOUND)
return (ISC_FALSE);
continue;
}
result = dns_dnssec_verify(name, rdataset, dstkey, ISC_FALSE,
- mctx, sigrdata);
+ 0, mctx, sigrdata, NULL);
dst_key_free(&dstkey);
- if (result == ISC_R_SUCCESS)
+ if (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD) {
return(ISC_TRUE);
+ }
}
return (ISC_FALSE);
}
}
isc_result_t
-dns_dnssec_verify2(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
- isc_boolean_t ignoretime, isc_mem_t *mctx,
- dns_rdata_t *sigrdata, dns_name_t *wild)
-{
- return (dns_dnssec_verify3(name, set, key, ignoretime, 0, mctx,
- sigrdata, wild));
-}
-
-isc_result_t
-dns_dnssec_verify3(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
- isc_boolean_t ignoretime, unsigned int maxbits,
- isc_mem_t *mctx, dns_rdata_t *sigrdata, dns_name_t *wild)
+dns_dnssec_verify(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
+ isc_boolean_t ignoretime, unsigned int maxbits,
+ isc_mem_t *mctx, dns_rdata_t *sigrdata, dns_name_t *wild)
{
dns_rdata_rrsig_t sig;
dns_fixedname_t fnewname;
return (ret);
}
-isc_result_t
-dns_dnssec_verify(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
- isc_boolean_t ignoretime, isc_mem_t *mctx,
- dns_rdata_t *sigrdata)
-{
- isc_result_t result;
-
- result = dns_dnssec_verify2(name, set, key, ignoretime, mctx,
- sigrdata, NULL);
- if (result == DNS_R_FROMWILDCARD)
- result = ISC_R_SUCCESS;
- return (result);
-}
-
isc_boolean_t
dns_dnssec_keyactive(dst_key_t *key, isc_stdtime_t now) {
isc_result_t result;
== DNS_KEYOWNER_ZONE)
isc_result_t
-dns_dnssec_findzonekeys3(dns_db_t *db, dns_dbversion_t *ver,
- dns_dbnode_t *node, const dns_name_t *name,
- const char *directory, isc_stdtime_t now,
- isc_mem_t *mctx, unsigned int maxkeys,
- dst_key_t **keys, unsigned int *nkeys)
+dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
+ dns_dbnode_t *node, const dns_name_t *name,
+ const char *directory, isc_stdtime_t now,
+ isc_mem_t *mctx, unsigned int maxkeys,
+ dst_key_t **keys, unsigned int *nkeys)
{
dns_rdataset_t rdataset;
dns_rdata_t rdata = DNS_RDATA_INIT;
return (result);
}
-isc_result_t
-dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
- dns_dbnode_t *node, const dns_name_t *name,
- const char *directory, isc_mem_t *mctx,
- unsigned int maxkeys, dst_key_t **keys,
- unsigned int *nkeys)
-{
- isc_stdtime_t now;
-
- isc_stdtime_get(&now);
- return (dns_dnssec_findzonekeys3(db, ver, node, name, directory, now,
- mctx, maxkeys, keys, nkeys));
-}
-
-isc_result_t
-dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
- dns_dbnode_t *node, const dns_name_t *name,
- isc_mem_t *mctx, unsigned int maxkeys,
- dst_key_t **keys, unsigned int *nkeys)
-{
- isc_stdtime_t now;
-
- isc_stdtime_get(&now);
- return (dns_dnssec_findzonekeys3(db, ver, node, name, NULL, now,
- mctx, maxkeys, keys, nkeys));
-}
-
isc_result_t
dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
dns_rdata_sig_t sig; /* SIG(0) */
if (sig.algorithm == key.algorithm &&
sig.keyid == keytag) {
- result = dns_dnssec_verify2(name, rdataset, dstkey,
- ignoretime, mctx,
- &sigrdata, NULL);
+ result = dns_dnssec_verify(name, rdataset, dstkey,
+ ignoretime, 0, mctx,
+ &sigrdata, NULL);
if (result == ISC_R_SUCCESS) {
dst_key_free(&dstkey);
return (ISC_TRUE);
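Review bot: The `if (result == ISC_R_SUCCESS)` check after the converted call still rejects DNS_R_FROMWILDCARD, while the other call sites converted in this change (those that previously used the three-argument wrapper) now accept it. This preserves this site's existing behaviour, since it already called `dns_dnssec_verify2()`, which could return DNS_R_FROMWILDCARD, and rejecting a wildcard-derived signature is plausibly intended for a keyset self-signature check, but without a comment the asymmetry reads as an oversight waiting for a "consistency" fix. Suggest `/* A wildcard-derived signature (DNS_R_FROMWILDCARD) is deliberately not accepted here. */` above the check. The enclosing function starts and ends outside the hunk.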
* Get a list of DNSSEC keys from the key repository
*/
isc_result_t
-dns_dnssec_findmatchingkeys2(const dns_name_t *origin, const char *directory,
- isc_stdtime_t now, isc_mem_t *mctx,
- dns_dnsseckeylist_t *keylist)
+dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory,
+ isc_stdtime_t now, isc_mem_t *mctx,
+ dns_dnsseckeylist_t *keylist)
{
isc_result_t result = ISC_R_SUCCESS;
isc_boolean_t dir_open = ISC_FALSE;
return (result);
}
-isc_result_t
-dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory,
- isc_mem_t *mctx, dns_dnsseckeylist_t *keylist)
-{
- isc_stdtime_t now;
-
- isc_stdtime_get(&now);
- return (dns_dnssec_findmatchingkeys2(origin, directory, now, mctx,
- keylist));
-}
-
/*%
* Add 'newkey' to 'keylist' if it's not already there.
*
isc_result_t
dns_dnssec_verify(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
- isc_boolean_t ignoretime, isc_mem_t *mctx,
- dns_rdata_t *sigrdata);
-
-isc_result_t
-dns_dnssec_verify2(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
- isc_boolean_t ignoretime, isc_mem_t *mctx,
- dns_rdata_t *sigrdata, dns_name_t *wild);
-
-isc_result_t
-dns_dnssec_verify3(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
- isc_boolean_t ignoretime, unsigned int maxbits,
- isc_mem_t *mctx, dns_rdata_t *sigrdata, dns_name_t *wild);
+ isc_boolean_t ignoretime, unsigned int maxbits,
+ isc_mem_t *mctx, dns_rdata_t *sigrdata, dns_name_t *wild);
/*%<
* Verifies the RRSIG record covering this rdataset signed by a specific
* key. This does not determine if the key's owner is authorized to sign
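Review bot: The public `dns_dnssec_verify()` prototype gains `maxbits` and `wild` and now surfaces DNS_R_FROMWILDCARD to every caller, yet the visible part of its comment block still describes only the old contract; callers migrating from the removed three-argument wrapper, which folded DNS_R_FROMWILDCARD into ISC_R_SUCCESS, must now handle that result explicitly, and that is exactly what a header comment should state. Document the DNS_R_FROMWILDCARD return (signature verified but made for a wildcard, with `wild`, when non-NULL, receiving that name — confirm against the implementation) and `maxbits` (tools in this change pass 0 and the validator passes `view->maxbits`, which suggests 0 means no limit — confirm). The comment block continues past the end of the hunk, so some of this may already be present.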
/*@{*/
isc_result_t
-dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
- const dns_name_t *name, isc_mem_t *mctx,
- unsigned int maxkeys, dst_key_t **keys,
- unsigned int *nkeys);
-
-isc_result_t
-dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
- dns_dbnode_t *node, const dns_name_t *name,
- const char *directory, isc_mem_t *mctx,
- unsigned int maxkeys, dst_key_t **keys,
- unsigned int *nkeys);
-
-isc_result_t
-dns_dnssec_findzonekeys3(dns_db_t *db, dns_dbversion_t *ver,
- dns_dbnode_t *node, const dns_name_t *name,
- const char *directory, isc_stdtime_t now,
- isc_mem_t *mctx, unsigned int maxkeys,
- dst_key_t **keys, unsigned int *nkeys);
+dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
+ dns_dbnode_t *node, const dns_name_t *name,
+ const char *directory, isc_stdtime_t now,
+ isc_mem_t *mctx, unsigned int maxkeys,
+ dst_key_t **keys, unsigned int *nkeys);
/*%<
* Finds a set of zone keys.
isc_result_t
dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory,
- isc_mem_t *mctx, dns_dnsseckeylist_t *keylist);
-
-isc_result_t
-dns_dnssec_findmatchingkeys2(const dns_name_t *origin, const char *directory,
- isc_stdtime_t now, isc_mem_t *mctx,
- dns_dnsseckeylist_t *keylist);
+ isc_stdtime_t now, isc_mem_t *mctx,
+ dns_dnsseckeylist_t *keylist);
/*%<
* Search 'directory' for K* key files matching the name in 'origin'.
* Append all such keys, along with use hints gleaned from their
dst_key_t **keys, unsigned int *nkeys)
{
isc_result_t result;
+ isc_stdtime_t now;
dns_dbnode_t *node = NULL;
const char *directory = dns_zone_getkeydirectory(zone);
CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
- CHECK(dns_dnssec_findzonekeys2(db, ver, node, dns_db_origin(db),
- directory, mctx, maxkeys, keys, nkeys));
+ isc_stdtime_get(&now);
+ CHECK(dns_dnssec_findzonekeys(db, ver, node, dns_db_origin(db),
+ directory, now, mctx, maxkeys, keys,
+ nkeys));
failure:
if (node != NULL)
dns_db_detachnode(db, &node);
if (result != ISC_R_SUCCESS)
continue;
- result = dns_dnssec_verify3(name, rdataset, dstkey,
- ISC_TRUE,
- val->view->maxbits,
- mctx, &sigrdata, NULL);
+ result = dns_dnssec_verify(name, rdataset, dstkey,
+ ISC_TRUE,
+ val->view->maxbits,
+ mctx, &sigrdata, NULL);
dst_key_free(&dstkey);
if (result != ISC_R_SUCCESS)
continue;
dns_fixedname_init(&fixed);
wild = dns_fixedname_name(&fixed);
again:
- result = dns_dnssec_verify3(val->event->name, val->event->rdataset,
- key, ignore, val->view->maxbits,
- val->view->mctx, rdata, wild);
+ result = dns_dnssec_verify(val->event->name, val->event->rdataset,
+ key, ignore, val->view->maxbits,
+ val->view->mctx, rdata, wild);
if ((result == DNS_R_SIGEXPIRED || result == DNS_R_SIGFUTURE) &&
val->view->acceptexpired)
{
dns_dns64_next
dns_dns64_unlink
dns_dnssec_findmatchingkeys
-dns_dnssec_findmatchingkeys2
dns_dnssec_findzonekeys
-dns_dnssec_findzonekeys2
-dns_dnssec_findzonekeys3
dns_dnssec_keyactive
dns_dnssec_keyfromrdata
dns_dnssec_keylistfromrdataset
dns_dnssec_syncupdate
dns_dnssec_updatekeys
dns_dnssec_verify
-dns_dnssec_verify2
-dns_dnssec_verify3
dns_dnssec_verifymessage
dns_dnsseckey_create
dns_dnsseckey_destroy
CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
memset(keys, 0, sizeof(*keys) * maxkeys);
- result = dns_dnssec_findzonekeys3(db, ver, node, dns_db_origin(db),
- directory, now, mctx, maxkeys, keys,
- nkeys);
+ result = dns_dnssec_findzonekeys(db, ver, node, dns_db_origin(db),
+ directory, now, mctx, maxkeys, keys,
+ nkeys);
if (result == ISC_R_NOTFOUND)
result = ISC_R_SUCCESS;
failure:
if (dst_key_alg(dstkey) == sig.algorithm &&
dst_key_rid(dstkey) == sig.keyid)
{
- result = dns_dnssec_verify2(keyname,
- &kfetch->dnskeyset,
- dstkey, ISC_FALSE, mctx, &sigrr,
- dns_fixedname_name(&fixed));
+ result = dns_dnssec_verify(keyname,
+ &kfetch->dnskeyset,
+ dstkey, ISC_FALSE, 0, mctx,
+ &sigrr,
+ dns_fixedname_name(&fixed));
dns_zone_log(kfetch->zone, ISC_LOG_DEBUG(3),
"Confirm revoked DNSKEY is self-signed: "
if (dst_key_alg(dstkey) == sig.algorithm &&
dst_key_id(dstkey) == sig.keyid)
{
- result = dns_dnssec_verify2(keyname,
- &kfetch->dnskeyset,
- dstkey, ISC_FALSE,
- zone->view->mctx, &sigrr,
- dns_fixedname_name(&fixed));
+ result = dns_dnssec_verify(keyname,
+ &kfetch->dnskeyset,
+ dstkey, ISC_FALSE,
+ 0,
+ zone->view->mctx,
+ &sigrr,
+ dns_fixedname_name(
+ &fixed));
dns_zone_log(zone, ISC_LOG_DEBUG(3),
"Verifying DNSKEY set for zone "
*/
fullsign = ISC_TF(DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_FULLSIGN) != 0);
- result = dns_dnssec_findmatchingkeys2(&zone->origin, dir, now, mctx,
- &keys);
+ result = dns_dnssec_findmatchingkeys(&zone->origin, dir, now, mctx,
+ &keys);
if (result == ISC_R_SUCCESS) {
isc_boolean_t check_ksk;
check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
dns_fixedname_init(&fixed);
again:
- result = dns_dnssec_verify3(name, rdataset, key, ignore,
- client->view->maxbits, client->mctx,
- rdata, NULL);
+ result = dns_dnssec_verify(name, rdataset, key, ignore,
+ client->view->maxbits, client->mctx,
+ rdata, NULL);
if (result == DNS_R_SIGEXPIRED && client->view->acceptexpired) {
ignore = ISC_TRUE;
goto again;
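Review bot: The retry at `if (result == DNS_R_SIGEXPIRED && client->view->acceptexpired)` only re-tries expired signatures, whereas the validator's corresponding loop elsewhere in this change also retries DNS_R_SIGFUTURE under the same `acceptexpired` option. This is pre-existing rather than introduced here, but since the call was just rewritten it is a good moment to either align the two sites or add a comment stating why not-yet-valid signatures are not accepted on this path. The enclosing function starts and ends outside the hunk.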