/*! \file
* \brief
- * Basic processing sequences.
+ * Basic processing sequences:
*
* \li When called with rdataset and sigrdataset:
- * validator_start -> validate -> proveunsecure
- *
- * validator_start -> validate -> nsecvalidate (secure wildcard answer)
+ * validator_start -> validate -> proveunsecure
+ * validator_start -> validate -> nsecvalidate (secure wildcard answer)
*
* \li When called with rdataset:
- * validator_start -> proveunsecure
+ * validator_start -> proveunsecure
*
* \li When called without a rdataset:
- * validator_start -> nsecvalidate -> proveunsecure
+ * validator_start -> nsecvalidate -> proveunsecure
*
* validator_start: determines what type of validation to do.
- * validate: attempts to perform a positive validation.
- * proveunsecure: attempts to prove the answer comes from a unsecure zone.
- * nsecvalidate: attempts to prove a negative response.
+ * validate: attempts to perform a positive validation.
+ * proveunsecure:: attempts to prove the answer comes from a unsecure zone.
+ * nsecvalidate: attempts to prove a negative response.
*/
-#define VALIDATOR_MAGIC ISC_MAGIC('V', 'a', 'l', '?')
-#define VALID_VALIDATOR(v) ISC_MAGIC_VALID(v, VALIDATOR_MAGIC)
+#define VALIDATOR_MAGIC ISC_MAGIC('V', 'a', 'l', '?')
+#define VALID_VALIDATOR(v) ISC_MAGIC_VALID(v, VALIDATOR_MAGIC)
-#define VALATTR_SHUTDOWN 0x0001 /*%< Shutting down. */
-#define VALATTR_CANCELED 0x0002 /*%< Canceled. */
-#define VALATTR_TRIEDVERIFY 0x0004 /*%< We have found a key and
+#define VALATTR_SHUTDOWN 0x0001 /*%< Shutting down. */
+#define VALATTR_CANCELED 0x0002 /*%< Canceled. */
+#define VALATTR_TRIEDVERIFY 0x0004 /*%< We have found a key and
* have attempted a verify. */
-#define VALATTR_INSECURITY 0x0010 /*%< Attempting proveunsecure. */
+#define VALATTR_INSECURITY 0x0010 /*%< Attempting proveunsecure. */
/*!
* NSEC proofs to be looked for.
*/
-#define VALATTR_NEEDNOQNAME 0x00000100
-#define VALATTR_NEEDNOWILDCARD 0x00000200
-#define VALATTR_NEEDNODATA 0x00000400
+#define VALATTR_NEEDNOQNAME 0x00000100
+#define VALATTR_NEEDNOWILDCARD 0x00000200
+#define VALATTR_NEEDNODATA 0x00000400
/*!
* NSEC proofs that have been found.
*/
-#define VALATTR_FOUNDNOQNAME 0x00001000
-#define VALATTR_FOUNDNOWILDCARD 0x00002000
-#define VALATTR_FOUNDNODATA 0x00004000
-#define VALATTR_FOUNDCLOSEST 0x00008000
-
-/*
- *
- */
-#define VALATTR_FOUNDOPTOUT 0x00010000
-#define VALATTR_FOUNDUNKNOWN 0x00020000
-
-#define NEEDNODATA(val) ((val->attributes & VALATTR_NEEDNODATA) != 0)
-#define NEEDNOQNAME(val) ((val->attributes & VALATTR_NEEDNOQNAME) != 0)
-#define NEEDNOWILDCARD(val) ((val->attributes & VALATTR_NEEDNOWILDCARD) != 0)
-#define FOUNDNODATA(val) ((val->attributes & VALATTR_FOUNDNODATA) != 0)
-#define FOUNDNOQNAME(val) ((val->attributes & VALATTR_FOUNDNOQNAME) != 0)
+#define VALATTR_FOUNDNOQNAME 0x00001000
+#define VALATTR_FOUNDNOWILDCARD 0x00002000
+#define VALATTR_FOUNDNODATA 0x00004000
+#define VALATTR_FOUNDCLOSEST 0x00008000
+#define VALATTR_FOUNDOPTOUT 0x00010000
+#define VALATTR_FOUNDUNKNOWN 0x00020000
+
+#define NEEDNODATA(val) ((val->attributes & VALATTR_NEEDNODATA) != 0)
+#define NEEDNOQNAME(val) ((val->attributes & VALATTR_NEEDNOQNAME) != 0)
+#define NEEDNOWILDCARD(val) ((val->attributes & VALATTR_NEEDNOWILDCARD) != 0)
+#define FOUNDNODATA(val) ((val->attributes & VALATTR_FOUNDNODATA) != 0)
+#define FOUNDNOQNAME(val) ((val->attributes & VALATTR_FOUNDNOQNAME) != 0)
#define FOUNDNOWILDCARD(val) ((val->attributes & VALATTR_FOUNDNOWILDCARD) != 0)
-#define FOUNDCLOSEST(val) ((val->attributes & VALATTR_FOUNDCLOSEST) != 0)
-#define FOUNDOPTOUT(val) ((val->attributes & VALATTR_FOUNDOPTOUT) != 0)
+#define FOUNDCLOSEST(val) ((val->attributes & VALATTR_FOUNDCLOSEST) != 0)
+#define FOUNDOPTOUT(val) ((val->attributes & VALATTR_FOUNDOPTOUT) != 0)
-#define SHUTDOWN(v) (((v)->attributes & VALATTR_SHUTDOWN) != 0)
-#define CANCELED(v) (((v)->attributes & VALATTR_CANCELED) != 0)
+#define SHUTDOWN(v) (((v)->attributes & VALATTR_SHUTDOWN) != 0)
+#define CANCELED(v) (((v)->attributes & VALATTR_CANCELED) != 0)
-#define NEGATIVE(r) (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
+#define NEGATIVE(r) (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
static void
destroy(dns_validator_t *val);
nsecvalidate(dns_validator_t *val, bool resume);
static isc_result_t
-proveunsecure(dns_validator_t *val, bool have_ds,
- bool resume);
+proveunsecure(dns_validator_t *val, bool have_ds, bool resume);
static void
validator_logv(dns_validator_t *val, isc_logcategory_t *category,
isc_logmodule_t *module, int level, const char *fmt, va_list ap)
- ISC_FORMAT_PRINTF(5, 0);
+ ISC_FORMAT_PRINTF(5, 0);
static void
validator_log(void *val, int level, const char *fmt, ...)
- ISC_FORMAT_PRINTF(3, 4);
+ ISC_FORMAT_PRINTF(3, 4);
static void
validator_logcreate(dns_validator_t *val,
static inline void
markanswer(dns_validator_t *val, const char *where) {
validator_log(val, ISC_LOG_DEBUG(3), "marking as answer (%s)", where);
- if (val->event->rdataset != NULL)
+ if (val->event->rdataset != NULL) {
dns_rdataset_settrust(val->event->rdataset, dns_trust_answer);
- if (val->event->sigrdataset != NULL)
+ }
+ if (val->event->sigrdataset != NULL) {
dns_rdataset_settrust(val->event->sigrdataset,
dns_trust_answer);
+ }
}
static inline void
marksecure(dns_validatorevent_t *event) {
dns_rdataset_settrust(event->rdataset, dns_trust_secure);
- if (event->sigrdataset != NULL)
+ if (event->sigrdataset != NULL) {
dns_rdataset_settrust(event->sigrdataset, dns_trust_secure);
+ }
event->secure = true;
}
validator_done(dns_validator_t *val, isc_result_t result) {
isc_task_t *task;
- if (val->event == NULL)
+ if (val->event == NULL) {
return;
+ }
/*
* Caller must be holding the lock.
/*
* Caller must be holding the lock.
*/
- if (!SHUTDOWN(val))
+ if (!SHUTDOWN(val)) {
return (false);
+ }
INSIST(val->event == NULL);
- if (val->fetch != NULL || val->subvalidator != NULL)
+ if (val->fetch != NULL || val->subvalidator != NULL) {
return (false);
+ }
return (true);
}
REQUIRE(dbresult == DNS_R_NXRRSET || dbresult == DNS_R_NCACHENXRRSET);
dns_rdataset_init(&set);
- if (dbresult == DNS_R_NXRRSET)
+ if (dbresult == DNS_R_NXRRSET) {
dns_rdataset_clone(rdataset, &set);
- else {
+ } else {
result = dns_ncache_getrdataset(rdataset, name,
dns_rdatatype_nsec, &set);
- if (result == ISC_R_NOTFOUND)
+ if (result == ISC_R_NOTFOUND) {
goto trynsec3;
- if (result != ISC_R_SUCCESS)
+ }
+ if (result != ISC_R_SUCCESS) {
return (false);
+ }
}
INSIST(set.type == dns_rdatatype_nsec);
dns_rdata_reset(&rdata);
dns_rdataset_current(&set, &rdata);
(void)dns_rdata_tostruct(&rdata, &nsec3, NULL);
- if (nsec3.hash != 1)
+ if (nsec3.hash != 1) {
continue;
+ }
length = isc_iterated_hash(hash, nsec3.hash,
nsec3.iterations, nsec3.salt,
nsec3.salt_length,
name->ndata, name->length);
- if (length != isc_buffer_usedlength(&buffer))
+ if (length != isc_buffer_usedlength(&buffer)) {
continue;
+ }
order = memcmp(hash, owner, length);
if (order == 0) {
found = dns_nsec3_typepresent(&rdata,
dns_rdataset_disassociate(&set);
return (found);
}
- if ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) == 0)
+ if ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) == 0) {
continue;
+ }
/*
* Does this optout span cover the name?
*/
if ((scope < 0 && order > 0 &&
memcmp(hash, nsec3.next, length) < 0) ||
(scope >= 0 && (order > 0 ||
- memcmp(hash, nsec3.next, length) < 0)))
+ memcmp(hash, nsec3.next,
+ length) < 0)))
{
dns_rdataset_disassociate(&set);
return (true);
eresult = devent->result;
/* Free resources which are not of interest. */
- if (devent->node != NULL)
+ if (devent->node != NULL) {
dns_db_detachnode(devent->db, &devent->node);
- if (devent->db != NULL)
+ }
+ if (devent->db != NULL) {
dns_db_detach(&devent->db);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
+ }
+ if (dns_rdataset_isassociated(&val->fsigrdataset)) {
dns_rdataset_disassociate(&val->fsigrdataset);
+ }
isc_event_free(&event);
INSIST(val->event != NULL);
*/
if (rdataset->trust >= dns_trust_secure) {
result = get_dst_key(val, val->siginfo, rdataset);
- if (result == ISC_R_SUCCESS)
+ if (result == ISC_R_SUCCESS) {
val->keyset = &val->frdataset;
+ }
}
result = validate(val, true);
if (result == DNS_R_NOVALIDSIG &&
"falling back to insecurity proof");
val->attributes |= VALATTR_INSECURITY;
result = proveunsecure(val, false, false);
- if (result == DNS_R_NOTINSECURE)
+ if (result == DNS_R_NOTINSECURE) {
result = saved_result;
+ }
}
- if (result != DNS_R_WAIT)
+ if (result != DNS_R_WAIT) {
validator_done(val, result);
+ }
} else {
validator_log(val, ISC_LOG_DEBUG(3),
"fetch_callback_validator: got %s",
isc_result_totext(eresult));
- if (eresult == ISC_R_CANCELED)
+ if (eresult == ISC_R_CANCELED) {
validator_done(val, eresult);
- else
+ } else {
validator_done(val, DNS_R_BROKENCHAIN);
+ }
}
want_destroy = exit_check(val);
UNLOCK(&val->lock);
- if (fetch != NULL)
+ if (fetch != NULL) {
dns_resolver_destroyfetch(&fetch);
- if (want_destroy)
+ }
+ if (want_destroy) {
destroy(val);
+ }
}
/*%
eresult = devent->result;
/* Free resources which are not of interest. */
- if (devent->node != NULL)
+ if (devent->node != NULL) {
dns_db_detachnode(devent->db, &devent->node);
- if (devent->db != NULL)
+ }
+ if (devent->db != NULL) {
dns_db_detach(&devent->db);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
+ }
+ if (dns_rdataset_isassociated(&val->fsigrdataset)) {
dns_rdataset_disassociate(&val->fsigrdataset);
+ }
isc_event_free(&event);
INSIST(val->event != NULL);
} else if (eresult == ISC_R_SUCCESS) {
validator_log(val, ISC_LOG_DEBUG(3),
"dsset with trust %s",
- dns_trust_totext(rdataset->trust));
+ dns_trust_totext(rdataset->trust));
val->dsset = &val->frdataset;
result = validatezonekey(val);
- if (result != DNS_R_WAIT)
+ if (result != DNS_R_WAIT) {
validator_done(val, result);
+ }
} else if (eresult == DNS_R_CNAME ||
eresult == DNS_R_NXRRSET ||
eresult == DNS_R_NCACHENXRRSET ||
- eresult == DNS_R_SERVFAIL) /* RFC 1034 parent? */
+ eresult == DNS_R_SERVFAIL) /* RFC 1034 parent? */
{
validator_log(val, ISC_LOG_DEBUG(3),
"falling back to insecurity proof (%s)",
dns_result_totext(eresult));
val->attributes |= VALATTR_INSECURITY;
result = proveunsecure(val, false, false);
- if (result != DNS_R_WAIT)
+ if (result != DNS_R_WAIT) {
validator_done(val, result);
+ }
} else {
validator_log(val, ISC_LOG_DEBUG(3),
"dsfetched: got %s",
isc_result_totext(eresult));
- if (eresult == ISC_R_CANCELED)
+ if (eresult == ISC_R_CANCELED) {
validator_done(val, eresult);
- else
+ } else {
validator_done(val, DNS_R_BROKENCHAIN);
+ }
}
want_destroy = exit_check(val);
UNLOCK(&val->lock);
- if (fetch != NULL)
+ if (fetch != NULL) {
dns_resolver_destroyfetch(&fetch);
- if (want_destroy)
+ }
+ if (want_destroy) {
destroy(val);
+ }
}
/*%
eresult = devent->result;
/* Free resources which are not of interest. */
- if (devent->node != NULL)
+ if (devent->node != NULL) {
dns_db_detachnode(devent->db, &devent->node);
- if (devent->db != NULL)
+ }
+ if (devent->db != NULL) {
dns_db_detach(&devent->db);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
+ }
+ if (dns_rdataset_isassociated(&val->fsigrdataset)) {
dns_rdataset_disassociate(&val->fsigrdataset);
+ }
INSIST(val->event != NULL);
}
} else {
result = proveunsecure(val, false, true);
- if (result != DNS_R_WAIT)
+ if (result != DNS_R_WAIT) {
validator_done(val, result);
+ }
}
} else if (eresult == ISC_R_SUCCESS ||
eresult == DNS_R_NXDOMAIN ||
*/
result = proveunsecure(val, (eresult == ISC_R_SUCCESS),
true);
- if (result != DNS_R_WAIT)
+ if (result != DNS_R_WAIT) {
validator_done(val, result);
+ }
} else {
- if (eresult == ISC_R_CANCELED)
+ if (eresult == ISC_R_CANCELED) {
validator_done(val, eresult);
- else
+ } else {
validator_done(val, DNS_R_NOVALIDDS);
+ }
}
isc_event_free(&event);
want_destroy = exit_check(val);
UNLOCK(&val->lock);
- if (fetch != NULL)
+ if (fetch != NULL) {
dns_resolver_destroyfetch(&fetch);
- if (want_destroy)
+ }
+ if (want_destroy) {
destroy(val);
+ }
}
/*%
/*
* Only extract the dst key if the keyset is secure.
*/
- if (val->frdataset.trust >= dns_trust_secure)
+ if (val->frdataset.trust >= dns_trust_secure) {
(void) get_dst_key(val, val->siginfo, &val->frdataset);
+ }
result = validate(val, true);
if (result == DNS_R_NOVALIDSIG &&
(val->attributes & VALATTR_TRIEDVERIFY) == 0)
"falling back to insecurity proof");
val->attributes |= VALATTR_INSECURITY;
result = proveunsecure(val, false, false);
- if (result == DNS_R_NOTINSECURE)
+ if (result == DNS_R_NOTINSECURE) {
result = saved_result;
+ }
}
- if (result != DNS_R_WAIT)
+ if (result != DNS_R_WAIT) {
validator_done(val, result);
+ }
} else {
if (eresult != DNS_R_BROKENCHAIN) {
- if (dns_rdataset_isassociated(&val->frdataset))
+ if (dns_rdataset_isassociated(&val->frdataset)) {
dns_rdataset_expire(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
+ }
+ if (dns_rdataset_isassociated(&val->fsigrdataset)) {
dns_rdataset_expire(&val->fsigrdataset);
+ }
}
validator_log(val, ISC_LOG_DEBUG(3),
"keyvalidated: got %s",
}
want_destroy = exit_check(val);
UNLOCK(&val->lock);
- if (want_destroy)
+ if (want_destroy) {
destroy(val);
+ }
}
/*%
if ((val->attributes & VALATTR_INSECURITY) != 0 &&
val->frdataset.covers == dns_rdatatype_ds &&
NEGATIVE(&val->frdataset) &&
- isdelegation(name, &val->frdataset, DNS_R_NCACHENXRRSET)) {
+ isdelegation(name, &val->frdataset,
+ DNS_R_NCACHENXRRSET)) {
if (val->mustbesecure) {
validator_log(val, ISC_LOG_WARNING,
"must be secure failure, no DS "
result = DNS_R_MUSTBESECURE;
} else {
markanswer(val, "dsvalidated");
- result = ISC_R_SUCCESS;;
+ result = ISC_R_SUCCESS;
}
} else if ((val->attributes & VALATTR_INSECURITY) != 0) {
result = proveunsecure(val, have_dsset, true);
- } else
+ } else {
result = validatezonekey(val);
- if (result != DNS_R_WAIT)
+ }
+ if (result != DNS_R_WAIT) {
validator_done(val, result);
+ }
} else {
if (eresult != DNS_R_BROKENCHAIN) {
- if (dns_rdataset_isassociated(&val->frdataset))
+ if (dns_rdataset_isassociated(&val->frdataset)) {
dns_rdataset_expire(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
+ }
+ if (dns_rdataset_isassociated(&val->fsigrdataset)) {
dns_rdataset_expire(&val->fsigrdataset);
+ }
}
validator_log(val, ISC_LOG_DEBUG(3),
"dsvalidated: got %s",
}
want_destroy = exit_check(val);
UNLOCK(&val->lock);
- if (want_destroy)
+ if (want_destroy) {
destroy(val);
+ }
}
/*%
validator_log(val, ISC_LOG_DEBUG(3), "cname with trust %s",
dns_trust_totext(val->frdataset.trust));
result = proveunsecure(val, false, true);
- if (result != DNS_R_WAIT)
+ if (result != DNS_R_WAIT) {
validator_done(val, result);
+ }
} else {
if (eresult != DNS_R_BROKENCHAIN) {
- if (dns_rdataset_isassociated(&val->frdataset))
+ if (dns_rdataset_isassociated(&val->frdataset)) {
dns_rdataset_expire(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
+ }
+ if (dns_rdataset_isassociated(&val->fsigrdataset)) {
dns_rdataset_expire(&val->fsigrdataset);
+ }
}
validator_log(val, ISC_LOG_DEBUG(3),
"cnamevalidated: got %s",
}
want_destroy = exit_check(val);
UNLOCK(&val->lock);
- if (want_destroy)
+ if (want_destroy) {
destroy(val);
+ }
}
/*%
validator_log(val, ISC_LOG_DEBUG(3),
"authvalidated: got %s",
isc_result_totext(result));
- if (result == DNS_R_BROKENCHAIN)
+ if (result == DNS_R_BROKENCHAIN) {
val->authfail++;
- if (result == ISC_R_CANCELED)
+ }
+ if (result == ISC_R_CANCELED) {
validator_done(val, result);
- else {
+ } else {
result = nsecvalidate(val, true);
- if (result != DNS_R_WAIT)
+ if (result != DNS_R_WAIT) {
validator_done(val, result);
+ }
}
} else {
dns_name_t **proofs = val->event->proofs;
dns_name_t *wild = dns_fixedname_name(&val->wild);
- if (rdataset->trust == dns_trust_secure)
+ if (rdataset->trust == dns_trust_secure) {
val->seensig = true;
+ }
if (rdataset->type == dns_rdatatype_nsec &&
rdataset->trust == dns_trust_secure &&
dns_nsec_noexistnodata(val->event->type, val->event->name,
devent->name, rdataset, &exists,
&data, wild, validator_log, val)
- == ISC_R_SUCCESS)
+ == ISC_R_SUCCESS)
{
if (exists && !data) {
val->attributes |= VALATTR_FOUNDNODATA;
- if (NEEDNODATA(val))
+ if (NEEDNODATA(val)) {
proofs[DNS_VALIDATOR_NODATAPROOF] =
devent->name;
+ }
}
if (!exists) {
dns_name_t *closest;
*/
if (clabels == 0 ||
dns_name_countlabels(wild) == clabels + 1)
+ {
val->attributes |= VALATTR_FOUNDCLOSEST;
+ }
/*
* The NSEC noqname proof also contains
* the closest encloser.
*/
- if (NEEDNOQNAME(val))
+ if (NEEDNOQNAME(val)) {
proofs[DNS_VALIDATOR_NOQNAMEPROOF] =
devent->name;
+ }
}
}
result = nsecvalidate(val, true);
- if (result != DNS_R_WAIT)
+ if (result != DNS_R_WAIT) {
validator_done(val, result);
+ }
}
want_destroy = exit_check(val);
UNLOCK(&val->lock);
- if (want_destroy)
+ if (want_destroy) {
destroy(val);
+ }
/*
* Free stuff from the event.
char namebuf[DNS_NAME_FORMATSIZE];
char typebuf[DNS_RDATATYPE_FORMATSIZE];
- if (dns_rdataset_isassociated(&val->frdataset))
+ if (dns_rdataset_isassociated(&val->frdataset)) {
dns_rdataset_disassociate(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
+ }
+ if (dns_rdataset_isassociated(&val->fsigrdataset)) {
dns_rdataset_disassociate(&val->fsigrdataset);
+ }
if (isc_time_now(&now) == ISC_R_SUCCESS &&
dns_resolver_getbadcache(val->view->resolver, name, type, &now)) {
&val->frdataset, &val->fsigrdataset);
if (result == DNS_R_NXDOMAIN) {
- if (dns_rdataset_isassociated(&val->frdataset))
+ if (dns_rdataset_isassociated(&val->frdataset)) {
dns_rdataset_disassociate(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
+ }
+ if (dns_rdataset_isassociated(&val->fsigrdataset)) {
dns_rdataset_disassociate(&val->fsigrdataset);
+ }
} else if (result != ISC_R_SUCCESS &&
result != DNS_R_NCACHENXDOMAIN &&
result != DNS_R_NCACHENXRRSET &&
result != DNS_R_EMPTYNAME &&
result != DNS_R_NXRRSET &&
- result != ISC_R_NOTFOUND) {
+ result != ISC_R_NOTFOUND)
+ {
goto notfound;
}
return (result);
notfound:
- if (dns_rdataset_isassociated(&val->frdataset))
+ if (dns_rdataset_isassociated(&val->frdataset)) {
dns_rdataset_disassociate(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
+ }
+ if (dns_rdataset_isassociated(&val->fsigrdataset)) {
dns_rdataset_disassociate(&val->fsigrdataset);
+ }
return (ISC_R_NOTFOUND);
}
{
unsigned int fopts = 0;
- if (dns_rdataset_isassociated(&val->frdataset))
+ if (dns_rdataset_isassociated(&val->frdataset)) {
dns_rdataset_disassociate(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
+ }
+ if (dns_rdataset_isassociated(&val->fsigrdataset)) {
dns_rdataset_disassociate(&val->fsigrdataset);
+ }
if (check_deadlock(val, name, type, NULL, NULL)) {
validator_log(val, ISC_LOG_DEBUG(3),
return (DNS_R_NOVALIDSIG);
}
- if ((val->options & DNS_VALIDATOR_NOCDFLAG) != 0)
+ if ((val->options & DNS_VALIDATOR_NOCDFLAG) != 0) {
fopts |= DNS_FETCHOPT_NOCDFLAG;
+ }
- if ((val->options & DNS_VALIDATOR_NONTA) != 0)
+ if ((val->options & DNS_VALIDATOR_NONTA) != 0) {
fopts |= DNS_FETCHOPT_NONTA;
+ }
validator_logcreate(val, name, type, caller, "fetch");
return (dns_resolver_createfetch(val->view->resolver, name, type,
}
/* OK to clear other options, but preserve NOCDFLAG and NONTA. */
- vopts |= (val->options & (DNS_VALIDATOR_NOCDFLAG|DNS_VALIDATOR_NONTA));
+ vopts |= (val->options & (DNS_VALIDATOR_NOCDFLAG |
+ DNS_VALIDATOR_NONTA));
validator_logcreate(val, name, type, caller, "validator");
result = dns_validator_create(val->view, name, type,
dst_key_t *oldkey = val->key;
bool foundold;
- if (oldkey == NULL)
+ if (oldkey == NULL) {
foundold = true;
- else {
+ } else {
foundold = false;
val->key = NULL;
}
result = dns_rdataset_first(rdataset);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
goto failure;
+ }
do {
dns_rdataset_current(rdataset, &rdata);
INSIST(val->key == NULL);
result = dst_key_fromdns(&siginfo->signer, rdata.rdclass, &b,
val->view->mctx, &val->key);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
goto failure;
+ }
if (siginfo->algorithm ==
(dns_secalg_t)dst_key_alg(val->key) &&
siginfo->keyid ==
(dns_keytag_t)dst_key_id(val->key) &&
dst_key_iszonekey(val->key))
{
- if (foundold)
+ if (foundold) {
/*
* This is the key we're looking for.
*/
return (ISC_R_SUCCESS);
- else if (dst_key_compare(oldkey, val->key) == true)
- {
+ } else if (dst_key_compare(oldkey,
+ val->key) == true) {
foundold = true;
dst_key_free(&oldkey);
}
dns_rdata_reset(&rdata);
result = dns_rdataset_next(rdataset);
} while (result == ISC_R_SUCCESS);
- if (result == ISC_R_NOMORE)
+ if (result == ISC_R_NOMORE) {
result = ISC_R_NOTFOUND;
+ }
failure:
- if (oldkey != NULL)
+ if (oldkey != NULL) {
dst_key_free(&oldkey);
+ }
return (result);
}
namereln = dns_name_fullcompare(val->event->name, &siginfo->signer,
&order, &nlabels);
if (namereln != dns_namereln_subdomain &&
- namereln != dns_namereln_equal)
+ namereln != dns_namereln_equal) {
return (DNS_R_CONTINUE);
+ }
if (namereln == dns_namereln_equal) {
/*
* If this is a self-signed keyset, it must not be a zone key
* (since get_key is not called from validatezonekey).
*/
- if (val->event->rdataset->type == dns_rdatatype_dnskey)
+ if (val->event->rdataset->type == dns_rdatatype_dnskey) {
return (DNS_R_CONTINUE);
+ }
/*
* Records appearing in the parent zone at delegation
* points cannot be self-signed.
*/
- if (dns_rdatatype_atparent(val->event->rdataset->type))
+ if (dns_rdatatype_atparent(val->event->rdataset->type)) {
return (DNS_R_CONTINUE);
+ }
} else {
/*
* SOA and NS RRsets can only be signed by a key with
{
const char *type;
- if (val->event->rdataset->type == dns_rdatatype_soa)
+ if (val->event->rdataset->type == dns_rdatatype_soa) {
type = "SOA";
- else
+ } else {
type = "NS";
+ }
validator_log(val, ISC_LOG_DEBUG(3),
"%s signer mismatch", type);
return (DNS_R_CONTINUE);
&val->fsigrdataset,
keyvalidated,
"get_key");
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
return (result);
+ }
return (DNS_R_WAIT);
} else if (DNS_TRUST_PENDING(val->frdataset.trust)) {
/*
result = create_fetch(val, &siginfo->signer,
dns_rdatatype_dnskey,
fetch_callback_validator, "get_key");
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
return (result);
+ }
return (DNS_R_WAIT);
} else if (result == DNS_R_NCACHENXDOMAIN ||
result == DNS_R_NCACHENXRRSET ||
* This key doesn't exist.
*/
result = DNS_R_CONTINUE;
- } else if (result == DNS_R_BROKENCHAIN)
+ } else if (result == DNS_R_BROKENCHAIN) {
return (result);
+ }
if (dns_rdataset_isassociated(&val->frdataset) &&
- val->keyset != &val->frdataset)
+ val->keyset != &val->frdataset) {
dns_rdataset_disassociate(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
+ }
+ if (dns_rdataset_isassociated(&val->fsigrdataset)) {
dns_rdataset_disassociate(&val->fsigrdataset);
+ }
return (result);
}
if (rdataset->type == dns_rdatatype_cname ||
rdataset->type == dns_rdatatype_dname)
+ {
return (answer);
+ }
INSIST(rdataset->type == dns_rdatatype_dnskey);
if (sig.algorithm != key.algorithm ||
sig.keyid != keytag ||
!dns_name_equal(name, &sig.signer))
+ {
continue;
+ }
dstkey = NULL;
result = dns_dnssec_keyfromrdata(name, &rdata, mctx,
&dstkey);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
continue;
+ }
result = dns_dnssec_verify(name, rdataset, dstkey,
true,
val->view->maxbits,
mctx, &sigrdata, NULL);
dst_key_free(&dstkey);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
continue;
+ }
if ((key.flags & DNS_KEYFLAG_REVOKE) == 0) {
answer = true;
continue;
ignore = true;
goto again;
}
- if (ignore && (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD))
+
+ if (ignore &&
+ (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD))
+ {
validator_log(val, ISC_LOG_INFO,
"accepted expired %sRRSIG (keyid=%u)",
(result == DNS_R_FROMWILDCARD) ?
"wildcard " : "", keyid);
- else if (result == DNS_R_SIGEXPIRED || result == DNS_R_SIGFUTURE)
+ } else if (result == DNS_R_SIGEXPIRED || result == DNS_R_SIGFUTURE) {
validator_log(val, ISC_LOG_INFO,
"verify failed due to bad signature (keyid=%u): "
"%s", keyid, isc_result_totext(result));
- else
+ } else {
validator_log(val, ISC_LOG_DEBUG(3),
"verify rdataset (keyid=%u): %s",
keyid, isc_result_totext(result));
+ }
if (result == DNS_R_FROMWILDCARD) {
if (!dns_name_equal(val->event->name, wild)) {
dns_name_t *closest;
sizeof(*val->siginfo));
}
result = dns_rdata_tostruct(&rdata, val->siginfo, NULL);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
return (result);
+ }
/*
* At this point we could check that the signature algorithm
* was known and "sufficiently good".
*/
if (!dns_resolver_algorithm_supported(val->view->resolver,
- event->name,
- val->siginfo->algorithm)) {
+ event->name,
+ val->siginfo->algorithm))
+ {
resume = false;
continue;
}
if (!resume) {
result = get_key(val, val->siginfo);
- if (result == DNS_R_CONTINUE)
+ if (result == DNS_R_CONTINUE) {
continue; /* Try the next SIG RR. */
- if (result != ISC_R_SUCCESS)
+ }
+ if (result != ISC_R_SUCCESS) {
return (result);
+ }
}
/*
do {
vresult = verify(val, val->key, &rdata,
- val->siginfo->keyid);
- if (vresult == ISC_R_SUCCESS)
+ val->siginfo->keyid);
+ if (vresult == ISC_R_SUCCESS) {
break;
+ }
if (val->keynode != NULL) {
dns_keynode_t *nextnode = NULL;
result = dns_keytable_findnextkeynode(
- val->keytable,
- val->keynode,
- &nextnode);
+ val->keytable,
+ val->keynode,
+ &nextnode);
dns_keytable_detachkeynode(val->keytable,
&val->keynode);
val->keynode = nextnode;
break;
}
val->key = dns_keynode_key(val->keynode);
- if (val->key == NULL)
+ if (val->key == NULL) {
break;
+ }
} else {
if (get_dst_key(val, val->siginfo, val->keyset)
- != ISC_R_SUCCESS)
+ != ISC_R_SUCCESS) {
break;
+ }
}
} while (1);
- if (vresult != ISC_R_SUCCESS)
+ if (vresult != ISC_R_SUCCESS) {
validator_log(val, ISC_LOG_DEBUG(3),
"failed to verify rdataset");
- else {
+ } else {
dns_rdataset_trimttl(event->rdataset,
event->sigrdataset,
val->siginfo, val->start,
val->view->acceptexpired);
}
- if (val->keynode != NULL)
+ if (val->keynode != NULL) {
dns_keytable_detachkeynode(val->keytable,
&val->keynode);
- else {
- if (val->key != NULL)
+ } else {
+ if (val->key != NULL) {
dst_key_free(&val->key);
+ }
if (val->keyset != NULL) {
dns_rdataset_disassociate(val->keyset);
val->keyset = NULL;
if (NEEDNOQNAME(val)) {
if (val->event->message == NULL) {
validator_log(val, ISC_LOG_DEBUG(3),
- "no message available for noqname proof");
+ "no message available "
+ "for noqname proof");
return (DNS_R_NOVALIDSIG);
}
validator_log(val, ISC_LOG_DEBUG(3),
dns_rdataset_current(val->event->sigrdataset, &rdata);
result = dns_rdata_tostruct(&rdata, &sig, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (keyid != sig.keyid || algorithm != sig.algorithm)
+ if (keyid != sig.keyid || algorithm != sig.algorithm) {
continue;
+ }
if (dstkey == NULL) {
result = dns_dnssec_keyfromrdata(val->event->name,
keyrdata,
val->view->mctx,
&dstkey);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
/*
* This really shouldn't happen, but...
*/
continue;
+ }
}
result = verify(val, dstkey, &rdata, sig.keyid);
- if (result == ISC_R_SUCCESS)
+ if (result == ISC_R_SUCCESS) {
break;
+ }
}
- if (dstkey != NULL)
+ if (dstkey != NULL) {
dst_key_free(&dstkey);
+ }
return (result);
}
result = dns_rdata_tostruct(keyrdata, &key, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
keytag = compute_keytag(keyrdata);
- if (keyid != keytag || algorithm != key.algorithm)
+ if (keyid != keytag || algorithm != key.algorithm) {
continue;
+ }
dns_rdata_reset(&newdsrdata);
result = dns_ds_buildrdata(val->event->name, keyrdata, digest,
dsbuf, &newdsrdata);
dns_result_totext(result));
continue;
}
- if (dns_rdata_compare(dsrdata, &newdsrdata) == 0)
+ if (dns_rdata_compare(dsrdata, &newdsrdata) == 0) {
break;
+ }
}
return (result);
}
result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (!dns_name_equal(val->event->name, &sig.signer))
+ if (!dns_name_equal(val->event->name, &sig.signer)) {
continue;
+ }
result = dns_keytable_findkeynode(val->keytable,
val->event->name,
sig.keyid, &keynode);
if (result == ISC_R_NOTFOUND &&
dns_keytable_finddeepestmatch(val->keytable,
- val->event->name, found) != ISC_R_SUCCESS) {
+ val->event->name,
+ found)
+ != ISC_R_SUCCESS)
+ {
if (val->mustbesecure) {
validator_log(val, ISC_LOG_WARNING,
- "must be secure failure, "
- "not beneath secure root");
+ "must be secure "
+ "failure, not beneath "
+ "secure root");
return (DNS_R_MUSTBESECURE);
}
validator_log(val, ISC_LOG_DEBUG(3),
}
if (result == DNS_R_PARTIALMATCH ||
result == ISC_R_SUCCESS)
+ {
atsep = true;
+ }
while (result == ISC_R_SUCCESS) {
dns_keynode_t *nextnode = NULL;
dstkey = dns_keynode_key(keynode);
if (dstkey == NULL) {
dns_keytable_detachkeynode(
- val->keytable,
- &keynode);
+ val->keytable,
+ &keynode);
break;
}
result = verify(val, dstkey, &sigrdata,
validator_log(val, ISC_LOG_NOTICE,
"unable to find a DNSKEY which verifies "
"the DNSKEY RRset and also matches a "
- "trusted key for '%s'",
- namebuf);
+ "trusted key for '%s'", namebuf);
return (DNS_R_NOVALIDKEY);
}
&val->fsigrdataset,
dsvalidated,
"validatezonekey");
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
return (result);
+ }
return (DNS_R_WAIT);
} else if (DNS_TRUST_PENDING(val->frdataset.trust)) {
/*
result = create_fetch(val, val->event->name,
dns_rdatatype_ds, dsfetched,
"validatezonekey");
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
return (result);
+ }
return (DNS_R_WAIT);
} else if (result == DNS_R_NCACHENXDOMAIN ||
result == DNS_R_NCACHENXRRSET ||
/*
* The DS does not exist.
*/
- if (dns_rdataset_isassociated(&val->frdataset))
+ if (dns_rdataset_isassociated(&val->frdataset)) {
dns_rdataset_disassociate(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
+ }
+ if (dns_rdataset_isassociated(&val->fsigrdataset)) {
dns_rdataset_disassociate(&val->fsigrdataset);
+ }
validator_log(val, ISC_LOG_DEBUG(2), "no DS record");
return (DNS_R_NOVALIDSIG);
- } else if (result == DNS_R_BROKENCHAIN)
+ } else if (result == DNS_R_BROKENCHAIN) {
return (result);
+ }
}
/*
memset(digest_types, 1, sizeof(digest_types));
for (result = dns_rdataset_first(val->dsset);
result == ISC_R_SUCCESS;
- result = dns_rdataset_next(val->dsset)) {
+ result = dns_rdataset_next(val->dsset))
+ {
dns_rdata_reset(&dsrdata);
dns_rdataset_current(val->dsset, &dsrdata);
result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
if (!dns_resolver_ds_digest_supported(val->view->resolver,
val->event->name,
ds.digest_type))
+ {
continue;
+ }
if (!dns_resolver_algorithm_supported(val->view->resolver,
val->event->name,
ds.algorithm))
+ {
continue;
+ }
if ((ds.digest_type == DNS_DSDIGEST_SHA256 &&
ds.length == ISC_SHA256_DIGESTLENGTH) ||
result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (digest_types[ds.digest_type] == 0)
+ if (digest_types[ds.digest_type] == 0) {
continue;
+ }
if (!dns_resolver_ds_digest_supported(val->view->resolver,
val->event->name,
ds.digest_type))
+ {
continue;
+ }
if (!dns_resolver_algorithm_supported(val->view->resolver,
val->event->name,
ds.algorithm))
+ {
continue;
+ }
supported_algorithm = true;
result = checkkey(val, &keyrdata, ds.key_tag, ds.algorithm);
dns_rdataset_disassociate(&trdataset);
- if (result == ISC_R_SUCCESS)
+ if (result == ISC_R_SUCCESS) {
break;
+ }
validator_log(val, ISC_LOG_DEBUG(3),
"no RRSIG matching DS key");
}
/*
* If this is not a key, go straight into validate().
*/
- if (val->event->type != dns_rdatatype_dnskey || !isselfsigned(val))
+ if (val->event->type != dns_rdatatype_dnskey || !isselfsigned(val)) {
return (validate(val, false));
+ }
return (validatezonekey(val));
}
if (message != NULL) {
result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
return (result);
+ }
dns_message_currentname(message, DNS_SECTION_AUTHORITY, namep);
*rdatasetp = ISC_LIST_HEAD((*namep)->list);
INSIST(*rdatasetp != NULL);
} else {
result = dns_rdataset_first(val->event->rdataset);
- if (result == ISC_R_SUCCESS)
+ if (result == ISC_R_SUCCESS) {
dns_ncache_current(val->event->rdataset, *namep,
*rdatasetp);
+ }
}
return (result);
}
} else {
dns_rdataset_disassociate(*rdatasetp);
result = dns_rdataset_next(val->event->rdataset);
- if (result == ISC_R_SUCCESS)
+ if (result == ISC_R_SUCCESS) {
dns_ncache_current(val->event->rdataset, *namep,
*rdatasetp);
+ }
}
return (result);
}
* \li ISC_R_SUCCESS
*/
static isc_result_t
-checkwildcard(dns_validator_t *val, dns_rdatatype_t type, dns_name_t *zonename)
+checkwildcard(dns_validator_t *val, dns_rdatatype_t type,
+ dns_name_t *zonename)
{
dns_name_t *name, *wild, tname;
isc_result_t result;
{
if (rdataset->type != type ||
rdataset->trust != dns_trust_secure)
+ {
continue;
+ }
if (rdataset->type == dns_rdatatype_nsec &&
(NEEDNODATA(val) || NEEDNOWILDCARD(val)) &&
dns_nsec_noexistnodata(val->event->type, wild, name,
rdataset, &exists, &data, NULL,
validator_log, val)
- == ISC_R_SUCCESS)
+ == ISC_R_SUCCESS)
{
dns_name_t **proofs = val->event->proofs;
- if (exists && !data)
+ if (exists && !data) {
val->attributes |= VALATTR_FOUNDNODATA;
- if (exists && !data && NEEDNODATA(val))
+ }
+ if (exists && !data && NEEDNODATA(val)) {
proofs[DNS_VALIDATOR_NODATAPROOF] =
- name;
- if (!exists)
+ name;
+ }
+ if (!exists) {
val->attributes |=
- VALATTR_FOUNDNOWILDCARD;
- if (!exists && NEEDNOQNAME(val))
- proofs[DNS_VALIDATOR_NOWILDCARDPROOF] =
- name;
- if (dns_rdataset_isassociated(&trdataset))
+ VALATTR_FOUNDNOWILDCARD;
+ }
+ if (!exists && NEEDNOQNAME(val)) {
+ proofs[DNS_VALIDATOR_NOWILDCARDPROOF] = name;
+ }
+ if (dns_rdataset_isassociated(&trdataset)) {
dns_rdataset_disassociate(&trdataset);
+ }
return (ISC_R_SUCCESS);
}
rdataset, zonename, &exists, &data,
NULL, NULL, NULL, NULL, NULL, NULL,
validator_log, val)
- == ISC_R_SUCCESS)
+ == ISC_R_SUCCESS)
{
dns_name_t **proofs = val->event->proofs;
- if (exists && !data)
+ if (exists && !data) {
val->attributes |= VALATTR_FOUNDNODATA;
- if (exists && !data && NEEDNODATA(val))
- proofs[DNS_VALIDATOR_NODATAPROOF] =
- name;
- if (!exists)
- val->attributes |=
- VALATTR_FOUNDNOWILDCARD;
- if (!exists && NEEDNOQNAME(val))
- proofs[DNS_VALIDATOR_NOWILDCARDPROOF] =
- name;
- if (dns_rdataset_isassociated(&trdataset))
+ }
+ if (exists && !data && NEEDNODATA(val)) {
+ proofs[DNS_VALIDATOR_NODATAPROOF] = name;
+ }
+ if (!exists) {
+ val->attributes |= VALATTR_FOUNDNOWILDCARD;
+ }
+ if (!exists && NEEDNOQNAME(val)) {
+ proofs[DNS_VALIDATOR_NOWILDCARDPROOF] = name;
+ }
+ if (dns_rdataset_isassociated(&trdataset)) {
dns_rdataset_disassociate(&trdataset);
+ }
return (ISC_R_SUCCESS);
}
}
- if (result == ISC_R_NOMORE)
+ if (result == ISC_R_NOMORE) {
result = ISC_R_SUCCESS;
- if (dns_rdataset_isassociated(&trdataset))
+ }
+ if (dns_rdataset_isassociated(&trdataset)) {
dns_rdataset_disassociate(&trdataset);
+ }
return (result);
}
{
if (rdataset->type != dns_rdatatype_nsec3 ||
rdataset->trust != dns_trust_secure)
+ {
continue;
+ }
result = dns_nsec3_noexistnodata(val->event->type,
val->event->name, name,
NULL, NULL, validator_log,
val);
if (result != ISC_R_IGNORE && result != ISC_R_SUCCESS) {
- if (dns_rdataset_isassociated(&trdataset))
+ if (dns_rdataset_isassociated(&trdataset)) {
dns_rdataset_disassociate(&trdataset);
+ }
return (result);
}
}
- if (result != ISC_R_NOMORE)
+ if (result != ISC_R_NOMORE) {
result = ISC_R_SUCCESS;
+ }
POST(result);
- if (dns_name_countlabels(zonename) == 0)
+ if (dns_name_countlabels(zonename) == 0) {
return (ISC_R_SUCCESS);
+ }
/*
* If the val->closest is set then we want to use it otherwise
char namebuf[DNS_NAME_FORMATSIZE];
dns_name_format(dns_fixedname_name(&val->closest),
- namebuf, sizeof(namebuf));
- validator_log(val, ISC_LOG_DEBUG(3), "closest encloser from "
- "wildcard signature '%s'", namebuf);
+ namebuf, sizeof(namebuf));
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "closest encloser from wildcard signature '%s'",
+ namebuf);
dns_name_copynf(dns_fixedname_name(&val->closest), closest);
closestp = NULL;
setclosestp = NULL;
{
if (rdataset->type != dns_rdatatype_nsec3 ||
rdataset->trust != dns_trust_secure)
+ {
continue;
+ }
/*
* We process all NSEC3 records to find the closest
&unknown, setclosestp,
&setnearest, closestp,
nearest, validator_log, val);
- if (unknown)
+ if (unknown) {
val->attributes |= VALATTR_FOUNDUNKNOWN;
- if (result != ISC_R_SUCCESS)
+ }
+ if (result != ISC_R_SUCCESS) {
continue;
- if (setclosest)
+ }
+ if (setclosest) {
proofs[DNS_VALIDATOR_CLOSESTENCLOSER] = name;
+ }
if (exists && !data && NEEDNODATA(val)) {
val->attributes |= VALATTR_FOUNDNODATA;
proofs[DNS_VALIDATOR_NODATAPROOF] = name;
if (!exists && setnearest) {
val->attributes |= VALATTR_FOUNDNOQNAME;
proofs[DNS_VALIDATOR_NOQNAMEPROOF] = name;
- if (optout)
+ if (optout) {
val->attributes |= VALATTR_FOUNDOPTOUT;
+ }
}
}
- if (result == ISC_R_NOMORE)
+ if (result == ISC_R_NOMORE) {
result = ISC_R_SUCCESS;
+ }
/*
* To know we have a valid noqname and optout proofs we need to also
* Do we need to check for the wildcard?
*/
if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) &&
- ((NEEDNODATA(val) && !FOUNDNODATA(val)) || NEEDNOWILDCARD(val))) {
+ ((NEEDNODATA(val) && !FOUNDNODATA(val)) || NEEDNOWILDCARD(val)))
+ {
result = checkwildcard(val, dns_rdatatype_nsec3, zonename);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
return (result);
+ }
}
return (result);
}
dns_message_t *message = val->event->message;
isc_result_t result;
- if (!resume)
+ if (!resume) {
result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
- else
+ } else {
result = ISC_R_SUCCESS;
+ }
for (;
result == ISC_R_SUCCESS;
rdataset = ISC_LIST_NEXT(val->currentset, link);
val->currentset = NULL;
resume = false;
- } else
+ } else {
rdataset = ISC_LIST_HEAD(name->list);
+ }
for (;
rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset, link))
{
- if (rdataset->type == dns_rdatatype_rrsig)
+ if (rdataset->type == dns_rdatatype_rrsig) {
continue;
+ }
for (sigrdataset = ISC_LIST_HEAD(name->list);
sigrdataset != NULL;
- sigrdataset = ISC_LIST_NEXT(sigrdataset,
- link))
+ sigrdataset = ISC_LIST_NEXT(sigrdataset, link))
{
if (sigrdataset->type == dns_rdatatype_rrsig &&
sigrdataset->covers == rdataset->type)
+ {
break;
+ }
}
/*
* If a signed zone is missing the zone key, bad
dns_rdata_t nsec = DNS_RDATA_INIT;
result = dns_rdataset_first(rdataset);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
return (result);
+ }
dns_rdataset_current(rdataset, &nsec);
if (dns_nsec_typepresent(&nsec,
- dns_rdatatype_soa))
+ dns_rdatatype_soa))
+ {
continue;
+ }
}
val->currentset = rdataset;
result = create_validator(val, name, rdataset->type,
rdataset, sigrdataset,
authvalidated,
"validate_authority");
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
return (result);
+ }
val->authcount++;
return (DNS_R_WAIT);
}
}
- if (result == ISC_R_NOMORE)
+ if (result == ISC_R_NOMORE) {
result = ISC_R_SUCCESS;
+ }
return (result);
}
dns_name_t *name;
isc_result_t result;
- if (!resume)
+ if (!resume) {
result = dns_rdataset_first(val->event->rdataset);
- else
+ } else {
result = dns_rdataset_next(val->event->rdataset);
+ }
for (;
result == ISC_R_SUCCESS;
{
dns_rdataset_t *rdataset, *sigrdataset = NULL;
- if (dns_rdataset_isassociated(&val->frdataset))
+ if (dns_rdataset_isassociated(&val->frdataset)) {
dns_rdataset_disassociate(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
+ }
+ if (dns_rdataset_isassociated(&val->fsigrdataset)) {
dns_rdataset_disassociate(&val->fsigrdataset);
+ }
name = dns_fixedname_initname(&val->fname);
rdataset = &val->frdataset;
dns_ncache_current(val->event->rdataset, name, rdataset);
- if (val->frdataset.type == dns_rdatatype_rrsig)
+ if (val->frdataset.type == dns_rdatatype_rrsig) {
continue;
+ }
result = dns_ncache_getsigrdataset(val->event->rdataset, name,
rdataset->type,
&val->fsigrdataset);
- if (result == ISC_R_SUCCESS)
+ if (result == ISC_R_SUCCESS) {
sigrdataset = &val->fsigrdataset;
+ }
/*
* If a signed zone is missing the zone key, bad
dns_rdata_t nsec = DNS_RDATA_INIT;
result = dns_rdataset_first(rdataset);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
return (result);
+ }
dns_rdataset_current(rdataset, &nsec);
- if (dns_nsec_typepresent(&nsec,
- dns_rdatatype_soa))
+ if (dns_nsec_typepresent(&nsec, dns_rdatatype_soa)) {
continue;
+ }
}
val->currentset = rdataset;
result = create_validator(val, name, rdataset->type,
rdataset, sigrdataset,
- authvalidated,
- "validate_ncache");
- if (result != ISC_R_SUCCESS)
+ authvalidated, "validate_ncache");
+ if (result != ISC_R_SUCCESS) {
return (result);
+ }
val->authcount++;
return (DNS_R_WAIT);
}
- if (result == ISC_R_NOMORE)
+ if (result == ISC_R_NOMORE) {
result = ISC_R_SUCCESS;
+ }
return (result);
}
nsecvalidate(dns_validator_t *val, bool resume) {
isc_result_t result;
- if (resume)
+ if (resume) {
validator_log(val, ISC_LOG_DEBUG(3), "resuming nsecvalidate");
+ }
- if (val->event->message == NULL)
+ if (val->event->message == NULL) {
result = validate_ncache(val, resume);
- else
+ } else {
result = validate_authority(val, resume);
+ }
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
return (result);
+ }
/*
* Do we only need to check for NOQNAME? To get here we must have
* had a secure wildcard answer.
*/
if (!NEEDNODATA(val) && !NEEDNOWILDCARD(val) && NEEDNOQNAME(val)) {
- if (!FOUNDNOQNAME(val))
+ if (!FOUNDNOQNAME(val)) {
findnsec3proofs(val);
+ }
if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) &&
!FOUNDOPTOUT(val)) {
validator_log(val, ISC_LOG_DEBUG(3),
return (ISC_R_SUCCESS);
} else if (FOUNDOPTOUT(val) &&
dns_name_countlabels(dns_fixedname_name(&val->wild))
- != 0) {
+ != 0)
+ {
validator_log(val, ISC_LOG_DEBUG(3),
"optout proof found");
val->event->optout = true;
return (DNS_R_NOVALIDNSEC);
}
- if (!FOUNDNOQNAME(val) && !FOUNDNODATA(val))
+ if (!FOUNDNOQNAME(val) && !FOUNDNODATA(val)) {
findnsec3proofs(val);
+ }
/*
* Do we need to check for the wildcard?
*/
if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) &&
- ((NEEDNODATA(val) && !FOUNDNODATA(val)) || NEEDNOWILDCARD(val))) {
+ ((NEEDNODATA(val) && !FOUNDNODATA(val)) || NEEDNOWILDCARD(val)))
+ {
result = checkwildcard(val, dns_rdatatype_nsec, NULL);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
return (result);
+ }
}
if ((NEEDNODATA(val) && (FOUNDNODATA(val) || FOUNDOPTOUT(val))) ||
(NEEDNOQNAME(val) && FOUNDNOQNAME(val) &&
NEEDNOWILDCARD(val) && FOUNDNOWILDCARD(val) &&
- FOUNDCLOSEST(val))) {
- if ((val->attributes & VALATTR_FOUNDOPTOUT) != 0)
+ FOUNDCLOSEST(val)))
+ {
+ if ((val->attributes & VALATTR_FOUNDOPTOUT) != 0) {
val->event->optout = true;
+ }
validator_log(val, ISC_LOG_DEBUG(3),
"nonexistence proof(s) found");
- if (val->event->message == NULL)
+ if (val->event->message == NULL) {
marksecure(val->event);
- else
+ } else {
val->event->secure = true;
+ }
return (ISC_R_SUCCESS);
}
- if (val->authfail != 0 && val->authcount == val->authfail)
+ if (val->authfail != 0 && val->authcount == val->authfail) {
return (DNS_R_BROKENCHAIN);
+ }
validator_log(val, ISC_LOG_DEBUG(3),
"nonexistence proof(s) not found");
val->attributes |= VALATTR_INSECURITY;
for (result = dns_rdataset_first(rdataset);
result == ISC_R_SUCCESS;
- result = dns_rdataset_next(rdataset)) {
+ result = dns_rdataset_next(rdataset))
+ {
dns_rdataset_current(rdataset, &dsrdata);
result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
if (dns_resolver_ds_digest_supported(val->view->resolver,
name, ds.digest_type) &&
dns_resolver_algorithm_supported(val->view->resolver,
- name, ds.algorithm)) {
+ name, ds.algorithm))
+ {
dns_rdata_reset(&dsrdata);
return (true);
}
static isc_result_t
proveunsecure(dns_validator_t *val, bool have_ds, bool resume) {
isc_result_t result;
- dns_fixedname_t fixedsecroot;
- dns_name_t *secroot;
- dns_name_t *tname;
char namebuf[DNS_NAME_FORMATSIZE];
- dns_name_t *found;
+ dns_fixedname_t fixedsecroot;
+ dns_name_t *secroot = dns_fixedname_initname(&fixedsecroot);
dns_fixedname_t fixedfound;
+ dns_name_t *found = dns_fixedname_initname(&fixedfound);
+ dns_name_t *tname = NULL;
unsigned int labels;
- secroot = dns_fixedname_initname(&fixedsecroot);
- found = dns_fixedname_initname(&fixedfound);
dns_name_copynf(val->event->name, secroot);
+
/*
* If this is a response to a DS query, we need to look in
* the parent zone for the trust anchor.
*/
-
labels = dns_name_countlabels(secroot);
- if (val->event->type == dns_rdatatype_ds && labels > 1U)
- dns_name_getlabelsequence(secroot, 1, labels - 1,
- secroot);
- result = dns_keytable_finddeepestmatch(val->keytable,
- secroot, secroot);
+ if (val->event->type == dns_rdatatype_ds && labels > 1U) {
+ dns_name_getlabelsequence(secroot, 1, labels - 1, secroot);
+ }
+
+ result = dns_keytable_finddeepestmatch(val->keytable, secroot, secroot);
if (result == ISC_R_NOTFOUND) {
if (val->mustbesecure) {
validator_log(val, ISC_LOG_WARNING,
val->labels <= dns_name_countlabels(val->event->name);
val->labels++)
{
-
tname = dns_fixedname_initname(&val->fname);
- if (val->labels == dns_name_countlabels(val->event->name))
+ if (val->labels == dns_name_countlabels(val->event->name)) {
dns_name_copynf(val->event->name, tname);
- else
+ } else {
dns_name_split(val->event->name, val->labels,
NULL, tname);
+ }
dns_name_format(tname, namebuf, sizeof(namebuf));
validator_log(val, ISC_LOG_DEBUG(3),
/*
* There is no DS. If this is a delegation,
* we may be done.
- */
- /*
+ *
* If we have "trust == answer" then this namespace
* has switched from insecure to should be secure.
*/
if (DNS_TRUST_PENDING(val->frdataset.trust) ||
- DNS_TRUST_ANSWER(val->frdataset.trust)) {
+ DNS_TRUST_ANSWER(val->frdataset.trust))
+ {
result = create_validator(val, tname,
dns_rdatatype_ds,
&val->frdataset,
NULL, dsvalidated,
"proveunsecure");
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
goto out;
+ }
return (DNS_R_WAIT);
}
/*
*/
if (result == DNS_R_NXRRSET &&
!dns_rdataset_isassociated(&val->frdataset) &&
- dns_view_findzonecut(val->view, tname, found, NULL,
- 0, 0, false, false,
- NULL, NULL) == ISC_R_SUCCESS &&
- dns_name_equal(tname, found)) {
+ dns_view_findzonecut(val->view, tname, found, NULL,
+ 0, 0, false, false,
+ NULL, NULL) == ISC_R_SUCCESS &&
+ dns_name_equal(tname, found))
+ {
if (val->mustbesecure) {
validator_log(val, ISC_LOG_WARNING,
"must be secure failure, "
continue;
} else if (result == DNS_R_CNAME) {
if (DNS_TRUST_PENDING(val->frdataset.trust) ||
- DNS_TRUST_ANSWER(val->frdataset.trust)) {
+ DNS_TRUST_ANSWER(val->frdataset.trust))
+ {
result = create_validator(val, tname,
dns_rdatatype_cname,
&val->frdataset,
NULL, cnamevalidated,
"proveunsecure "
"(cname)");
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
goto out;
+ }
return (DNS_R_WAIT);
}
continue;
if (val->frdataset.trust >= dns_trust_secure) {
if (!check_ds(val, tname, &val->frdataset)) {
validator_log(val, ISC_LOG_DEBUG(3),
- "no supported algorithm/"
- "digest (%s/DS)", namebuf);
+ "no supported algorithm/"
+ "digest (%s/DS)",
+ namebuf);
if (val->mustbesecure) {
validator_log(val,
- ISC_LOG_WARNING,
+ ISC_LOG_WARNING,
"must be secure failure, "
"no supported algorithm/"
"digest (%s/DS)",
goto out;
}
continue;
- }
- else if (!dns_rdataset_isassociated(&val->fsigrdataset))
+ } else if (!dns_rdataset_isassociated(&val->
+ fsigrdataset))
{
validator_log(val, ISC_LOG_DEBUG(3),
"DS is unsigned");
&val->fsigrdataset,
dsvalidated,
"proveunsecure");
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
goto out;
+ }
return (DNS_R_WAIT);
} else if (result == DNS_R_NXDOMAIN ||
- result == DNS_R_NCACHENXDOMAIN) {
+ result == DNS_R_NCACHENXDOMAIN)
+ {
/*
- * This is not a zone cut. Assuming things are
+ * This is not a zone cut. Assuming things are
* as expected, continue.
*/
if (!dns_rdataset_isassociated(&val->frdataset)) {
result = DNS_R_NOVALIDNSEC;
goto out;
} else if (DNS_TRUST_PENDING(val->frdataset.trust) ||
- DNS_TRUST_ANSWER(val->frdataset.trust)) {
+ DNS_TRUST_ANSWER(val->frdataset.trust))
+ {
/*
* If we have "trust == answer" then this
* namespace has switched from insecure to
&val->frdataset,
NULL, dsvalidated,
"proveunsecure");
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
goto out;
+ }
return (DNS_R_WAIT);
} else if (val->frdataset.trust < dns_trust_secure) {
/*
*/
result = create_fetch(val, tname, dns_rdatatype_ds,
dsfetched2, "proveunsecure");
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
goto out;
+ }
return (DNS_R_WAIT);
- } else if (result == DNS_R_BROKENCHAIN)
+ } else if (result == DNS_R_BROKENCHAIN) {
return (result);
+ }
}
/* Couldn't complete insecurity proof */
return (DNS_R_NOTINSECURE);
out:
- if (dns_rdataset_isassociated(&val->frdataset))
+ if (dns_rdataset_isassociated(&val->frdataset)) {
dns_rdataset_disassociate(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
+ }
+ if (dns_rdataset_isassociated(&val->fsigrdataset)) {
dns_rdataset_disassociate(&val->fsigrdataset);
+ }
return (result);
}
val = vevent->validator;
/* If the validator has been canceled, val->event == NULL */
- if (val->event == NULL)
+ if (val->event == NULL) {
return;
+ }
validator_log(val, ISC_LOG_DEBUG(3), "starting");
"falling back to insecurity proof");
val->attributes |= VALATTR_INSECURITY;
result = proveunsecure(val, false, false);
- if (result == DNS_R_NOTINSECURE)
+ if (result == DNS_R_NOTINSECURE) {
result = saved_result;
+ }
}
} else if (val->event->rdataset != NULL &&
- val->event->rdataset->type != 0) {
+ val->event->rdataset->type != 0)
+ {
/*
* This is either an unsecure subdomain or a response from
* a broken server.
val->attributes |= VALATTR_INSECURITY;
result = proveunsecure(val, false, false);
- if (result == DNS_R_NOTINSECURE)
+ if (result == DNS_R_NOTINSECURE) {
validator_log(val, ISC_LOG_INFO,
"got insecure response; "
"parent indicates it should be secure");
+ }
} else if (val->event->rdataset == NULL &&
val->event->sigrdataset == NULL)
{
if (val->event->message->rcode == dns_rcode_nxdomain) {
val->attributes |= VALATTR_NEEDNOQNAME;
val->attributes |= VALATTR_NEEDNOWILDCARD;
- } else
+ } else {
val->attributes |= VALATTR_NEEDNODATA;
+ }
result = nsecvalidate(val, false);
} else if (val->event->rdataset != NULL &&
- NEGATIVE(val->event->rdataset))
+ NEGATIVE(val->event->rdataset))
{
/*
* This is a nonexistence validation.
if (val->event->rdataset->covers == dns_rdatatype_any) {
val->attributes |= VALATTR_NEEDNOQNAME;
val->attributes |= VALATTR_NEEDNOWILDCARD;
- } else
+ } else {
val->attributes |= VALATTR_NEEDNODATA;
+ }
result = nsecvalidate(val, false);
} else {
INSIST(0);
}
UNLOCK(&val->lock);
- if (want_destroy)
+ if (want_destroy) {
destroy(val);
+ }
}
isc_result_t
val->keytable = NULL;
result = dns_view_getsecroots(val->view, &val->keytable);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
goto cleanup_mutex;
+ }
val->keynode = NULL;
val->key = NULL;
val->siginfo = NULL;
ISC_LINK_INIT(val, link);
val->magic = VALIDATOR_MAGIC;
- if ((options & DNS_VALIDATOR_DEFER) == 0)
+ if ((options & DNS_VALIDATOR_DEFER) == 0) {
isc_task_send(task, ISC_EVENT_PTR(&event));
+ }
*validatorp = val;
fetch = validator->fetch;
validator->fetch = NULL;
- if (validator->subvalidator != NULL)
+ if (validator->subvalidator != NULL) {
dns_validator_cancel(validator->subvalidator);
+ }
if ((validator->options & DNS_VALIDATOR_DEFER) != 0) {
validator->options &= ~DNS_VALIDATOR_DEFER;
validator_done(validator, ISC_R_CANCELED);
REQUIRE(val->event == NULL);
REQUIRE(val->fetch == NULL);
- if (val->keynode != NULL)
+ if (val->keynode != NULL) {
dns_keytable_detachkeynode(val->keytable, &val->keynode);
- else if (val->key != NULL)
+ } else if (val->key != NULL) {
dst_key_free(&val->key);
- if (val->keytable != NULL)
+ }
+ if (val->keytable != NULL) {
dns_keytable_detach(&val->keytable);
- if (val->subvalidator != NULL)
+ }
+ if (val->subvalidator != NULL) {
dns_validator_destroy(&val->subvalidator);
- if (dns_rdataset_isassociated(&val->frdataset))
+ }
+ if (dns_rdataset_isassociated(&val->frdataset)) {
dns_rdataset_disassociate(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
+ }
+ if (dns_rdataset_isassociated(&val->fsigrdataset)) {
dns_rdataset_disassociate(&val->fsigrdataset);
+ }
mctx = val->view->mctx;
- if (val->siginfo != NULL)
+ if (val->siginfo != NULL) {
isc_mem_put(mctx, val->siginfo, sizeof(*val->siginfo));
+ }
isc_mutex_destroy(&val->lock);
dns_view_weakdetach(&val->view);
val->magic = 0;
UNLOCK(&val->lock);
- if (want_destroy)
+ if (want_destroy) {
destroy(val);
+ }
*validatorp = NULL;
}
vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
- if ((unsigned int) depth >= sizeof spaces)
+ if ((unsigned int) depth >= sizeof spaces) {
depth = sizeof spaces - 1;
+ }
/*
* Log the view name unless it's:
validator_log(void *val, int level, const char *fmt, ...) {
va_list ap;
- if (! isc_log_wouldlog(dns_lctx, level))
+ if (!isc_log_wouldlog(dns_lctx, level)) {
return;
+ }
va_start(ap, fmt);
}
static void
-validator_logcreate(dns_validator_t *val,
- dns_name_t *name, dns_rdatatype_t type,
- const char *caller, const char *operation)
+validator_logcreate(dns_validator_t *val, dns_name_t *name,
+ dns_rdatatype_t type, const char *caller,
+ const char *operation)
{
char namestr[DNS_NAME_FORMATSIZE];
char typestr[DNS_RDATATYPE_FORMATSIZE];
projects / thirdparty / bind9.git / commitdiff
