2000-02-23 23:31:33 +00:00
|
|
|
/*
|
|
|
|
|
* Copyright (C) 2000 Internet Software Consortium.
|
2000-08-01 01:33:37 +00:00
|
|
|
*
|
2000-02-23 23:31:33 +00:00
|
|
|
* Permission to use, copy, modify, and distribute this software for any
|
|
|
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
|
|
|
* copyright notice and this permission notice appear in all copies.
|
2000-08-01 01:33:37 +00:00
|
|
|
*
|
2000-07-27 09:55:03 +00:00
|
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
|
|
|
|
|
* DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
|
|
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
|
|
|
|
|
* INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
|
|
|
|
|
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
|
|
|
|
|
* FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
|
|
|
|
|
* NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
|
|
|
|
|
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
2000-02-23 23:31:33 +00:00
|
|
|
*/
|
|
|
|
|
|
2000-08-26 01:37:00 +00:00
|
|
|
/* $Id: validator.c,v 1.76 2000/08/26 01:36:58 bwelling Exp $ */
|
2000-06-22 22:00:42 +00:00
|
|
|
|
2000-02-24 22:40:55 +00:00
|
|
|
#include <config.h>
|
|
|
|
|
|
2000-05-08 14:38:29 +00:00
|
|
|
#include <isc/mem.h>
|
2000-04-12 19:07:12 +00:00
|
|
|
#include <isc/print.h>
|
2000-02-24 22:40:55 +00:00
|
|
|
#include <isc/task.h>
|
|
|
|
|
#include <isc/util.h>
|
2000-02-24 21:05:28 +00:00
|
|
|
|
2000-03-17 00:01:28 +00:00
|
|
|
#include <dns/db.h>
|
2000-04-05 22:30:57 +00:00
|
|
|
#include <dns/dnssec.h>
|
2000-02-24 22:40:55 +00:00
|
|
|
#include <dns/events.h>
|
2000-03-17 00:01:28 +00:00
|
|
|
#include <dns/keytable.h>
|
2000-04-11 20:35:37 +00:00
|
|
|
#include <dns/log.h>
|
2000-04-13 18:10:07 +00:00
|
|
|
#include <dns/message.h>
|
|
|
|
|
#include <dns/nxt.h>
|
2000-03-17 00:01:28 +00:00
|
|
|
#include <dns/rdata.h>
|
2000-05-26 21:45:53 +00:00
|
|
|
#include <dns/rdatastruct.h>
|
2000-03-17 00:01:28 +00:00
|
|
|
#include <dns/rdataset.h>
|
2000-05-02 03:54:17 +00:00
|
|
|
#include <dns/rdatatype.h>
|
2000-04-07 17:36:40 +00:00
|
|
|
#include <dns/resolver.h>
|
2000-05-02 03:54:17 +00:00
|
|
|
#include <dns/result.h>
|
|
|
|
|
#include <dns/validator.h>
|
2000-02-24 22:40:55 +00:00
|
|
|
#include <dns/view.h>
|
|
|
|
|
|
|
|
|
|
#define VALIDATOR_MAGIC 0x56616c3fU /* Val?. */
|
|
|
|
|
#define VALID_VALIDATOR(v) ISC_MAGIC_VALID(v, VALIDATOR_MAGIC)
|
2000-02-23 23:31:33 +00:00
|
|
|
|
2000-03-17 00:01:28 +00:00
|
|
|
#define VALATTR_SHUTDOWN 0x01
|
2000-05-18 02:02:05 +00:00
|
|
|
#define VALATTR_FOUNDNONEXISTENCE 0x02
|
2000-07-13 23:52:04 +00:00
|
|
|
#define VALATTR_TRIEDVERIFY 0x04
|
2000-03-17 00:01:28 +00:00
|
|
|
#define SHUTDOWN(v) (((v)->attributes & VALATTR_SHUTDOWN) != 0)
|
|
|
|
|
|
2000-05-24 05:10:00 +00:00
|
|
|
static void
|
|
|
|
|
nullkeyvalidated(isc_task_t *task, isc_event_t *event);
|
|
|
|
|
|
|
|
|
|
static inline isc_boolean_t
|
|
|
|
|
containsnullkey(dns_validator_t *val, dns_rdataset_t *rdataset);
|
|
|
|
|
|
|
|
|
|
static inline isc_result_t
|
2000-05-26 21:45:53 +00:00
|
|
|
get_dst_key(dns_validator_t *val, dns_rdata_sig_t *siginfo,
|
2000-05-24 05:10:00 +00:00
|
|
|
dns_rdataset_t *rdataset);
|
2000-05-26 21:45:53 +00:00
|
|
|
|
2000-05-24 05:10:00 +00:00
|
|
|
static inline isc_result_t
|
|
|
|
|
validate(dns_validator_t *val, isc_boolean_t resume);
|
|
|
|
|
|
|
|
|
|
static inline isc_result_t
|
|
|
|
|
nxtvalidate(dns_validator_t *val, isc_boolean_t resume);
|
|
|
|
|
|
|
|
|
|
static inline isc_result_t
|
|
|
|
|
proveunsecure(dns_validator_t *val, isc_boolean_t resume);
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
|
validator_log(dns_validator_t *val, int level, const char *fmt, ...);
|
2000-04-11 20:35:37 +00:00
|
|
|
|
2000-03-17 00:01:28 +00:00
|
|
|
static void
|
|
|
|
|
validator_done(dns_validator_t *val, isc_result_t result) {
|
|
|
|
|
isc_task_t *task;
|
|
|
|
|
|
2000-08-15 00:21:05 +00:00
|
|
|
if (val->event == NULL)
|
|
|
|
|
return;
|
2000-03-17 00:01:28 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Caller must be holding the lock.
|
|
|
|
|
*/
|
|
|
|
|
|
2000-04-07 17:36:40 +00:00
|
|
|
val->event->result = result;
|
2000-04-17 19:22:44 +00:00
|
|
|
task = val->event->ev_sender;
|
|
|
|
|
val->event->ev_sender = val;
|
|
|
|
|
val->event->ev_type = DNS_EVENT_VALIDATORDONE;
|
|
|
|
|
val->event->ev_action = val->action;
|
|
|
|
|
val->event->ev_arg = val->arg;
|
2000-03-17 00:01:28 +00:00
|
|
|
isc_task_sendanddetach(&task, (isc_event_t **)&val->event);
|
2000-08-01 01:33:37 +00:00
|
|
|
|
2000-03-17 00:01:28 +00:00
|
|
|
}
|
|
|
|
|
|
2000-07-27 01:26:15 +00:00
|
|
|
static void
|
|
|
|
|
auth_nonpending(dns_message_t *message) {
|
|
|
|
|
isc_result_t result;
|
|
|
|
|
dns_name_t *name;
|
|
|
|
|
dns_rdataset_t *rdataset;
|
|
|
|
|
|
|
|
|
|
for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
|
|
|
|
|
result == ISC_R_SUCCESS;
|
|
|
|
|
result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
|
|
|
|
|
{
|
|
|
|
|
name = NULL;
|
|
|
|
|
dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
|
|
|
|
|
for (rdataset = ISC_LIST_HEAD(name->list);
|
|
|
|
|
rdataset != NULL;
|
|
|
|
|
rdataset = ISC_LIST_NEXT(rdataset, link))
|
|
|
|
|
{
|
|
|
|
|
if (rdataset->trust == dns_trust_pending)
|
|
|
|
|
rdataset->trust = dns_trust_authauthority;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2000-04-07 17:36:40 +00:00
|
|
|
static void
|
|
|
|
|
fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
|
|
|
|
|
dns_fetchevent_t *devent;
|
|
|
|
|
dns_validator_t *val;
|
|
|
|
|
dns_rdataset_t *rdataset;
|
|
|
|
|
isc_result_t result;
|
2000-05-26 21:45:53 +00:00
|
|
|
isc_result_t eresult;
|
2000-04-07 17:36:40 +00:00
|
|
|
|
|
|
|
|
UNUSED(task);
|
2000-04-17 19:22:44 +00:00
|
|
|
INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
|
2000-04-07 17:36:40 +00:00
|
|
|
devent = (dns_fetchevent_t *)event;
|
2000-04-17 19:22:44 +00:00
|
|
|
val = devent->ev_arg;
|
2000-05-26 21:45:53 +00:00
|
|
|
rdataset = &val->frdataset;
|
|
|
|
|
eresult = devent->result;
|
|
|
|
|
|
|
|
|
|
isc_event_free(&event);
|
|
|
|
|
dns_resolver_destroyfetch(&val->fetch);
|
2000-04-07 17:36:40 +00:00
|
|
|
|
2000-08-15 00:21:05 +00:00
|
|
|
if (SHUTDOWN(val)) {
|
|
|
|
|
dns_validator_destroy(&val);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (val->event == NULL) {
|
|
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
|
|
|
|
"fetch_callback_validator: event == NULL");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2000-04-11 20:35:37 +00:00
|
|
|
validator_log(val, ISC_LOG_DEBUG(3), "in fetch_callback_validator");
|
2000-05-26 21:45:53 +00:00
|
|
|
LOCK(&val->lock);
|
|
|
|
|
if (eresult == ISC_R_SUCCESS) {
|
2000-05-18 02:02:05 +00:00
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
|
|
|
|
"keyset with trust %d", rdataset->trust);
|
2000-05-26 21:45:53 +00:00
|
|
|
/*
|
|
|
|
|
* Only extract the dst key if the keyset is secure.
|
|
|
|
|
*/
|
|
|
|
|
if (rdataset->trust >= dns_trust_secure) {
|
|
|
|
|
result = get_dst_key(val, val->siginfo, rdataset);
|
|
|
|
|
if (result == ISC_R_SUCCESS)
|
|
|
|
|
val->keyset = &val->frdataset;
|
2000-04-07 17:36:40 +00:00
|
|
|
}
|
2000-05-17 18:24:59 +00:00
|
|
|
result = validate(val, ISC_TRUE);
|
2000-04-14 02:30:12 +00:00
|
|
|
if (result != DNS_R_WAIT) {
|
2000-04-07 17:36:40 +00:00
|
|
|
validator_done(val, result);
|
2000-05-26 21:45:53 +00:00
|
|
|
goto out;
|
2000-04-07 21:44:47 +00:00
|
|
|
}
|
2000-05-19 23:04:14 +00:00
|
|
|
} else {
|
2000-04-11 20:35:37 +00:00
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
|
|
|
|
"fetch_callback_validator: got %s",
|
2000-05-26 21:45:53 +00:00
|
|
|
dns_result_totext(eresult));
|
|
|
|
|
validator_done(val, eresult);
|
2000-05-19 23:04:14 +00:00
|
|
|
}
|
2000-04-07 21:44:47 +00:00
|
|
|
|
2000-05-26 21:45:53 +00:00
|
|
|
out:
|
|
|
|
|
UNLOCK(&val->lock);
|
2000-05-08 14:38:29 +00:00
|
|
|
/*
|
|
|
|
|
* Free stuff from the event.
|
|
|
|
|
*/
|
2000-05-26 21:45:53 +00:00
|
|
|
if (dns_rdataset_isassociated(&val->frdataset) &&
|
|
|
|
|
val->keyset != &val->frdataset)
|
|
|
|
|
dns_rdataset_disassociate(&val->frdataset);
|
|
|
|
|
if (dns_rdataset_isassociated(&val->fsigrdataset))
|
|
|
|
|
dns_rdataset_disassociate(&val->fsigrdataset);
|
2000-04-07 21:44:47 +00:00
|
|
|
}
|
|
|
|
|
|
2000-04-19 18:08:27 +00:00
|
|
|
static void
|
|
|
|
|
fetch_callback_nullkey(isc_task_t *task, isc_event_t *event) {
|
|
|
|
|
dns_fetchevent_t *devent;
|
|
|
|
|
dns_validator_t *val;
|
|
|
|
|
dns_rdataset_t *rdataset, *sigrdataset;
|
|
|
|
|
isc_result_t result;
|
2000-05-26 21:45:53 +00:00
|
|
|
isc_result_t eresult;
|
2000-04-19 18:08:27 +00:00
|
|
|
|
|
|
|
|
UNUSED(task);
|
|
|
|
|
INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
|
|
|
|
|
devent = (dns_fetchevent_t *)event;
|
|
|
|
|
val = devent->ev_arg;
|
2000-05-26 21:45:53 +00:00
|
|
|
rdataset = &val->frdataset;
|
|
|
|
|
sigrdataset = &val->fsigrdataset;
|
|
|
|
|
eresult = devent->result;
|
2000-04-19 18:08:27 +00:00
|
|
|
|
2000-08-15 00:21:05 +00:00
|
|
|
dns_resolver_destroyfetch(&val->fetch);
|
|
|
|
|
|
|
|
|
|
if (SHUTDOWN(val)) {
|
|
|
|
|
dns_validator_destroy(&val);
|
|
|
|
|
isc_event_free(&event);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (val->event == NULL) {
|
|
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
|
|
|
|
"fetch_callback_nullkey: event == NULL");
|
|
|
|
|
isc_event_free(&event);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2000-04-19 18:08:27 +00:00
|
|
|
validator_log(val, ISC_LOG_DEBUG(3), "in fetch_callback_nullkey");
|
2000-08-15 00:21:05 +00:00
|
|
|
|
2000-05-26 21:45:53 +00:00
|
|
|
LOCK(&val->lock);
|
|
|
|
|
if (eresult == ISC_R_SUCCESS) {
|
2000-04-19 18:08:27 +00:00
|
|
|
if (!containsnullkey(val, rdataset)) {
|
2000-05-08 14:38:29 +00:00
|
|
|
/*
|
|
|
|
|
* No null key.
|
|
|
|
|
*/
|
2000-04-19 18:08:27 +00:00
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
|
|
|
|
"found a keyset, no null key");
|
|
|
|
|
result = proveunsecure(val, ISC_TRUE);
|
|
|
|
|
if (result != DNS_R_WAIT)
|
2000-05-18 18:29:29 +00:00
|
|
|
validator_done(val, result);
|
2000-04-19 18:08:27 +00:00
|
|
|
} else {
|
|
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
|
|
|
|
"found a keyset with a null key");
|
2000-05-18 02:02:05 +00:00
|
|
|
if (rdataset->trust >= dns_trust_secure) {
|
2000-05-18 18:29:29 +00:00
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
|
|
|
|
"insecurity proof succeeded");
|
|
|
|
|
val->event->rdataset->trust = dns_trust_answer;
|
2000-04-19 18:08:27 +00:00
|
|
|
validator_done(val, ISC_R_SUCCESS);
|
2000-05-18 18:29:29 +00:00
|
|
|
} else if (!dns_rdataset_isassociated(sigrdataset)) {
|
|
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
|
|
|
|
"insecurity proof failed");
|
2000-05-18 02:02:05 +00:00
|
|
|
validator_done(val, DNS_R_NOTINSECURE);
|
2000-05-18 18:29:29 +00:00
|
|
|
} else {
|
2000-04-19 18:08:27 +00:00
|
|
|
dns_name_t *tname;
|
|
|
|
|
tname = dns_fixedname_name(&devent->foundname);
|
2000-05-08 14:38:29 +00:00
|
|
|
result = dns_validator_create(val->view, tname,
|
|
|
|
|
dns_rdatatype_key,
|
|
|
|
|
rdataset,
|
|
|
|
|
sigrdataset, NULL,
|
|
|
|
|
0, val->task,
|
|
|
|
|
nullkeyvalidated,
|
|
|
|
|
val,
|
|
|
|
|
&val->keyvalidator);
|
2000-04-19 18:08:27 +00:00
|
|
|
if (result != ISC_R_SUCCESS)
|
|
|
|
|
validator_done(val, result);
|
|
|
|
|
/*
|
2000-08-15 00:21:05 +00:00
|
|
|
* Don't free rdataset & sigrdataset, since
|
|
|
|
|
* they'll be freed in nullkeyvalidated.
|
2000-04-19 18:08:27 +00:00
|
|
|
*/
|
2000-05-26 21:45:53 +00:00
|
|
|
isc_event_free(&event);
|
|
|
|
|
UNLOCK(&val->lock);
|
|
|
|
|
return;
|
2000-04-19 18:08:27 +00:00
|
|
|
}
|
|
|
|
|
}
|
2000-05-26 21:45:53 +00:00
|
|
|
} else if (eresult == DNS_R_NCACHENXDOMAIN ||
|
|
|
|
|
eresult == DNS_R_NCACHENXRRSET ||
|
|
|
|
|
eresult == DNS_R_NXDOMAIN ||
|
|
|
|
|
eresult == DNS_R_NXRRSET)
|
2000-04-19 18:08:27 +00:00
|
|
|
{
|
2000-05-08 14:38:29 +00:00
|
|
|
/*
|
|
|
|
|
* No keys.
|
|
|
|
|
*/
|
2000-04-19 18:08:27 +00:00
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
|
|
|
|
"no keys found");
|
|
|
|
|
result = proveunsecure(val, ISC_TRUE);
|
|
|
|
|
if (result != DNS_R_WAIT)
|
|
|
|
|
validator_done(val, result);
|
2000-05-19 23:04:14 +00:00
|
|
|
} else {
|
2000-04-19 18:08:27 +00:00
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
|
|
|
|
"fetch_callback_nullkey: got %s",
|
2000-05-26 21:45:53 +00:00
|
|
|
dns_result_totext(eresult));
|
|
|
|
|
validator_done(val, eresult);
|
2000-05-19 23:04:14 +00:00
|
|
|
}
|
2000-05-26 21:45:53 +00:00
|
|
|
UNLOCK(&val->lock);
|
2000-04-19 18:08:27 +00:00
|
|
|
|
2000-05-08 14:38:29 +00:00
|
|
|
/*
|
|
|
|
|
* Free stuff from the event.
|
|
|
|
|
*/
|
2000-05-26 21:45:53 +00:00
|
|
|
if (dns_rdataset_isassociated(&val->frdataset))
|
|
|
|
|
dns_rdataset_disassociate(&val->frdataset);
|
|
|
|
|
if (dns_rdataset_isassociated(&val->fsigrdataset))
|
|
|
|
|
dns_rdataset_disassociate(&val->fsigrdataset);
|
2000-04-19 18:08:27 +00:00
|
|
|
isc_event_free(&event);
|
|
|
|
|
}
|
|
|
|
|
|
2000-04-07 21:44:47 +00:00
|
|
|
static void
|
|
|
|
|
keyvalidated(isc_task_t *task, isc_event_t *event) {
|
|
|
|
|
dns_validatorevent_t *devent;
|
|
|
|
|
dns_validator_t *val;
|
|
|
|
|
isc_result_t result;
|
2000-05-26 21:45:53 +00:00
|
|
|
isc_result_t eresult;
|
2000-04-07 21:44:47 +00:00
|
|
|
|
|
|
|
|
UNUSED(task);
|
2000-04-17 19:22:44 +00:00
|
|
|
INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
|
2000-08-15 00:21:05 +00:00
|
|
|
|
2000-08-15 01:22:33 +00:00
|
|
|
devent = (dns_validatorevent_t *)event;
|
|
|
|
|
val = devent->ev_arg;
|
|
|
|
|
eresult = devent->result;
|
|
|
|
|
|
|
|
|
|
isc_event_free(&event);
|
|
|
|
|
|
2000-08-15 00:21:05 +00:00
|
|
|
if (SHUTDOWN(val)) {
|
|
|
|
|
dns_validator_destroy(&val);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (val->event == NULL)
|
|
|
|
|
return;
|
|
|
|
|
|
2000-04-11 20:35:37 +00:00
|
|
|
validator_log(val, ISC_LOG_DEBUG(3), "in keyvalidated");
|
2000-05-26 21:45:53 +00:00
|
|
|
LOCK(&val->lock);
|
|
|
|
|
if (eresult == ISC_R_SUCCESS) {
|
2000-05-18 02:02:05 +00:00
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
2000-05-26 21:45:53 +00:00
|
|
|
"keyset with trust %d", &val->frdataset.trust);
|
|
|
|
|
/*
|
|
|
|
|
* Only extract the dst key if the keyset is secure.
|
|
|
|
|
*/
|
|
|
|
|
if (val->frdataset.trust >= dns_trust_secure)
|
|
|
|
|
(void) get_dst_key(val, val->siginfo, &val->frdataset);
|
2000-05-17 18:24:59 +00:00
|
|
|
result = validate(val, ISC_TRUE);
|
2000-04-14 02:30:12 +00:00
|
|
|
if (result != DNS_R_WAIT) {
|
2000-04-07 21:44:47 +00:00
|
|
|
validator_done(val, result);
|
2000-05-26 21:45:53 +00:00
|
|
|
goto out;
|
2000-04-14 02:30:12 +00:00
|
|
|
}
|
2000-05-19 23:04:14 +00:00
|
|
|
} else {
|
2000-08-01 01:33:37 +00:00
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
2000-04-11 20:35:37 +00:00
|
|
|
"keyvalidated: got %s",
|
2000-05-26 21:45:53 +00:00
|
|
|
dns_result_totext(eresult));
|
|
|
|
|
validator_done(val, eresult);
|
2000-05-19 23:04:14 +00:00
|
|
|
}
|
2000-05-26 21:45:53 +00:00
|
|
|
out:
|
2000-05-19 23:04:14 +00:00
|
|
|
|
2000-05-26 21:45:53 +00:00
|
|
|
UNLOCK(&val->lock);
|
2000-04-14 16:00:33 +00:00
|
|
|
dns_validator_destroy(&val->keyvalidator);
|
2000-05-08 14:38:29 +00:00
|
|
|
/*
|
2000-05-26 21:45:53 +00:00
|
|
|
* Free stuff from the event.
|
2000-05-08 14:38:29 +00:00
|
|
|
*/
|
2000-05-26 21:45:53 +00:00
|
|
|
if (dns_rdataset_isassociated(&val->frdataset))
|
|
|
|
|
dns_rdataset_disassociate(&val->frdataset);
|
|
|
|
|
if (dns_rdataset_isassociated(&val->fsigrdataset))
|
|
|
|
|
dns_rdataset_disassociate(&val->fsigrdataset);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static isc_boolean_t
|
|
|
|
|
nxtprovesnonexistence(dns_validator_t *val, dns_name_t *nxtname,
|
2000-06-03 00:18:43 +00:00
|
|
|
dns_rdataset_t *nxtset, dns_rdataset_t *signxtset)
|
2000-05-26 21:45:53 +00:00
|
|
|
{
|
|
|
|
|
int order;
|
|
|
|
|
dns_rdata_t rdata;
|
|
|
|
|
isc_region_t r;
|
|
|
|
|
dns_name_t nextname;
|
|
|
|
|
isc_result_t result;
|
|
|
|
|
|
|
|
|
|
result = dns_rdataset_first(nxtset);
|
|
|
|
|
INSIST(result == ISC_R_SUCCESS);
|
|
|
|
|
dns_rdataset_current(nxtset, &rdata);
|
|
|
|
|
|
|
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
|
|
|
|
"looking for relevant nxt");
|
|
|
|
|
order = dns_name_compare(val->event->name, nxtname);
|
|
|
|
|
if (order == 0) {
|
|
|
|
|
/*
|
|
|
|
|
* The names are the same, so look for the type present bit.
|
|
|
|
|
*/
|
|
|
|
|
if (val->event->type >= 128) {
|
|
|
|
|
validator_log(val, ISC_LOG_DEBUG(3), "invalid type %d",
|
|
|
|
|
val->event->type);
|
|
|
|
|
return (ISC_FALSE);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (dns_nxt_typepresent(&rdata, val->event->type)) {
|
|
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
|
|
|
|
"type should not be present");
|
|
|
|
|
return (ISC_FALSE);
|
|
|
|
|
}
|
|
|
|
|
validator_log(val, ISC_LOG_DEBUG(3), "nxt bitmask ok");
|
|
|
|
|
} else if (order > 0) {
|
|
|
|
|
/*
|
|
|
|
|
* The NXT owner name is less than the nonexistent name.
|
|
|
|
|
*/
|
|
|
|
|
dns_rdata_toregion(&rdata, &r);
|
|
|
|
|
dns_name_init(&nextname, NULL);
|
|
|
|
|
dns_name_fromregion(&nextname, &r);
|
|
|
|
|
order = dns_name_compare(val->event->name, &nextname);
|
|
|
|
|
if (order >= 0) {
|
|
|
|
|
/*
|
|
|
|
|
* The NXT next name is less than the nonexistent
|
|
|
|
|
* name. This is only ok if the next name is the zone
|
|
|
|
|
* name.
|
|
|
|
|
*/
|
2000-06-03 00:18:43 +00:00
|
|
|
dns_rdata_sig_t siginfo;
|
|
|
|
|
result = dns_rdataset_first(signxtset);
|
|
|
|
|
INSIST (result == ISC_R_SUCCESS);
|
|
|
|
|
dns_rdataset_current(signxtset, &rdata);
|
|
|
|
|
result = dns_rdata_tostruct(&rdata, &siginfo, NULL);
|
|
|
|
|
INSIST (result == ISC_R_SUCCESS);
|
|
|
|
|
if (!dns_name_equal(&siginfo.signer, &nextname)) {
|
2000-05-26 21:45:53 +00:00
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
|
|
|
|
"next name is not greater");
|
|
|
|
|
return (ISC_FALSE);
|
|
|
|
|
}
|
|
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
|
|
|
|
"nxt points to zone apex, ok");
|
|
|
|
|
}
|
|
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
|
|
|
|
"nxt range ok");
|
|
|
|
|
} else {
|
|
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
|
|
|
|
"nxt owner name is not less");
|
|
|
|
|
/*
|
|
|
|
|
* The NXT owner name is greater than the supposedly
|
|
|
|
|
* nonexistent name. This NXT is irrelevant.
|
|
|
|
|
*/
|
|
|
|
|
return (ISC_FALSE);
|
|
|
|
|
}
|
|
|
|
|
return (ISC_TRUE);
|
2000-04-07 17:36:40 +00:00
|
|
|
}
|
|
|
|
|
|
2000-05-17 18:24:59 +00:00
|
|
|
static void
|
|
|
|
|
authvalidated(isc_task_t *task, isc_event_t *event) {
|
|
|
|
|
dns_validatorevent_t *devent;
|
|
|
|
|
dns_validator_t *val;
|
2000-06-03 00:18:43 +00:00
|
|
|
dns_rdataset_t *rdataset, *sigrdataset;
|
2000-05-17 18:24:59 +00:00
|
|
|
isc_result_t result;
|
2000-05-26 21:45:53 +00:00
|
|
|
isc_result_t eresult;
|
2000-05-17 18:24:59 +00:00
|
|
|
|
|
|
|
|
UNUSED(task);
|
|
|
|
|
INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
|
2000-08-15 00:21:05 +00:00
|
|
|
|
2000-08-15 01:22:33 +00:00
|
|
|
devent = (dns_validatorevent_t *)event;
|
|
|
|
|
rdataset = devent->rdataset;
|
|
|
|
|
sigrdataset = devent->sigrdataset;
|
|
|
|
|
val = devent->ev_arg;
|
|
|
|
|
eresult = devent->result;
|
|
|
|
|
dns_validator_destroy(&val->authvalidator);
|
|
|
|
|
|
2000-08-15 00:21:05 +00:00
|
|
|
if (SHUTDOWN(val)) {
|
|
|
|
|
dns_validator_destroy(&val);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (val->event == NULL)
|
|
|
|
|
return;
|
|
|
|
|
|
2000-05-17 18:24:59 +00:00
|
|
|
validator_log(val, ISC_LOG_DEBUG(3), "in authvalidated");
|
2000-05-26 21:45:53 +00:00
|
|
|
LOCK(&val->lock);
|
|
|
|
|
if (eresult != ISC_R_SUCCESS) {
|
2000-08-01 01:33:37 +00:00
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
2000-05-17 18:24:59 +00:00
|
|
|
"authvalidated: got %s",
|
2000-05-26 21:45:53 +00:00
|
|
|
dns_result_totext(eresult));
|
2000-07-27 18:42:08 +00:00
|
|
|
result = nxtvalidate(val, ISC_TRUE);
|
|
|
|
|
if (result != DNS_R_WAIT)
|
|
|
|
|
validator_done(val, result);
|
2000-05-26 21:45:53 +00:00
|
|
|
} else {
|
|
|
|
|
if (rdataset->type == dns_rdatatype_nxt &&
|
2000-06-03 00:18:43 +00:00
|
|
|
nxtprovesnonexistence(val, devent->name, rdataset,
|
|
|
|
|
sigrdataset))
|
2000-05-26 21:45:53 +00:00
|
|
|
val->attributes |= VALATTR_FOUNDNONEXISTENCE;
|
2000-05-17 18:24:59 +00:00
|
|
|
|
2000-05-26 21:45:53 +00:00
|
|
|
result = nxtvalidate(val, ISC_TRUE);
|
|
|
|
|
if (result != DNS_R_WAIT)
|
|
|
|
|
validator_done(val, result);
|
2000-05-17 18:24:59 +00:00
|
|
|
}
|
|
|
|
|
UNLOCK(&val->lock);
|
|
|
|
|
|
|
|
|
|
/*
|
2000-05-26 21:45:53 +00:00
|
|
|
* Free stuff from the event.
|
2000-05-17 18:24:59 +00:00
|
|
|
*/
|
2000-05-18 02:02:05 +00:00
|
|
|
isc_event_free(&event);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
|
negauthvalidated(isc_task_t *task, isc_event_t *event) {
|
|
|
|
|
dns_validatorevent_t *devent;
|
|
|
|
|
dns_validator_t *val;
|
2000-05-26 21:45:53 +00:00
|
|
|
isc_result_t eresult;
|
2000-05-18 02:02:05 +00:00
|
|
|
|
|
|
|
|
UNUSED(task);
|
|
|
|
|
INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
|
2000-08-15 00:21:05 +00:00
|
|
|
|
2000-08-15 01:22:33 +00:00
|
|
|
devent = (dns_validatorevent_t *)event;
|
|
|
|
|
val = devent->ev_arg;
|
|
|
|
|
eresult = devent->result;
|
|
|
|
|
isc_event_free(&event);
|
|
|
|
|
dns_validator_destroy(&val->authvalidator);
|
|
|
|
|
|
2000-08-15 00:21:05 +00:00
|
|
|
if (SHUTDOWN(val)) {
|
|
|
|
|
dns_validator_destroy(&val);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (val->event == NULL)
|
|
|
|
|
return;
|
|
|
|
|
|
2000-05-18 02:02:05 +00:00
|
|
|
validator_log(val, ISC_LOG_DEBUG(3), "in negauthvalidated");
|
2000-05-26 21:45:53 +00:00
|
|
|
LOCK(&val->lock);
|
|
|
|
|
if (eresult == ISC_R_SUCCESS) {
|
|
|
|
|
val->attributes |= VALATTR_FOUNDNONEXISTENCE;
|
|
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
|
|
|
|
"nonexistence proof found");
|
2000-07-27 01:26:15 +00:00
|
|
|
auth_nonpending(val->event->message);
|
2000-05-26 21:45:53 +00:00
|
|
|
validator_done(val, ISC_R_SUCCESS);
|
|
|
|
|
} else {
|
2000-08-01 01:33:37 +00:00
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
2000-05-18 02:02:05 +00:00
|
|
|
"negauthvalidated: got %s",
|
2000-05-26 21:45:53 +00:00
|
|
|
dns_result_totext(eresult));
|
|
|
|
|
validator_done(val, eresult);
|
2000-05-18 02:02:05 +00:00
|
|
|
}
|
|
|
|
|
UNLOCK(&val->lock);
|
|
|
|
|
|
|
|
|
|
/*
|
2000-05-26 21:45:53 +00:00
|
|
|
* Free stuff from the event.
|
2000-05-18 02:02:05 +00:00
|
|
|
*/
|
2000-05-26 21:45:53 +00:00
|
|
|
if (dns_rdataset_isassociated(&val->frdataset))
|
|
|
|
|
dns_rdataset_disassociate(&val->frdataset);
|
2000-05-17 18:24:59 +00:00
|
|
|
}
|
|
|
|
|
|
2000-04-18 17:50:38 +00:00
|
|
|
static void
|
|
|
|
|
nullkeyvalidated(isc_task_t *task, isc_event_t *event) {
|
|
|
|
|
dns_validatorevent_t *devent;
|
|
|
|
|
dns_validator_t *val;
|
|
|
|
|
isc_result_t result;
|
2000-05-26 21:45:53 +00:00
|
|
|
isc_result_t eresult;
|
2000-04-18 17:50:38 +00:00
|
|
|
|
|
|
|
|
UNUSED(task);
|
|
|
|
|
INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
|
2000-08-15 00:21:05 +00:00
|
|
|
|
2000-04-18 17:50:38 +00:00
|
|
|
devent = (dns_validatorevent_t *)event;
|
|
|
|
|
val = devent->ev_arg;
|
2000-05-26 21:45:53 +00:00
|
|
|
eresult = devent->result;
|
|
|
|
|
|
|
|
|
|
dns_name_free(devent->name, val->view->mctx);
|
|
|
|
|
isc_mem_put(val->view->mctx, devent->name, sizeof(dns_name_t));
|
2000-08-15 01:22:33 +00:00
|
|
|
dns_validator_destroy(&val->keyvalidator);
|
2000-05-26 21:45:53 +00:00
|
|
|
isc_event_free(&event);
|
2000-04-18 17:50:38 +00:00
|
|
|
|
2000-08-15 01:22:33 +00:00
|
|
|
if (SHUTDOWN(val)) {
|
|
|
|
|
dns_validator_destroy(&val);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (val->event == NULL)
|
|
|
|
|
return;
|
|
|
|
|
|
2000-04-18 17:50:38 +00:00
|
|
|
validator_log(val, ISC_LOG_DEBUG(3), "in nullkeyvalidated");
|
2000-05-26 21:45:53 +00:00
|
|
|
if (eresult == ISC_R_SUCCESS) {
|
2000-04-18 17:50:38 +00:00
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
|
|
|
|
"proved that name is in an unsecure domain");
|
2000-04-19 18:08:27 +00:00
|
|
|
LOCK(&val->lock);
|
2000-04-18 17:50:38 +00:00
|
|
|
validator_done(val, ISC_R_SUCCESS);
|
|
|
|
|
UNLOCK(&val->lock);
|
|
|
|
|
} else {
|
|
|
|
|
LOCK(&val->lock);
|
|
|
|
|
result = proveunsecure(val, ISC_TRUE);
|
|
|
|
|
if (result != DNS_R_WAIT)
|
|
|
|
|
validator_done(val, result);
|
|
|
|
|
UNLOCK(&val->lock);
|
|
|
|
|
}
|
|
|
|
|
|
2000-05-08 14:38:29 +00:00
|
|
|
/*
|
2000-05-26 21:45:53 +00:00
|
|
|
* Free stuff from the event.
|
2000-05-08 14:38:29 +00:00
|
|
|
*/
|
2000-05-26 21:45:53 +00:00
|
|
|
if (dns_rdataset_isassociated(&val->frdataset))
|
|
|
|
|
dns_rdataset_disassociate(&val->frdataset);
|
|
|
|
|
if (dns_rdataset_isassociated(&val->fsigrdataset))
|
|
|
|
|
dns_rdataset_disassociate(&val->fsigrdataset);
|
2000-04-18 17:50:38 +00:00
|
|
|
}
|
|
|
|
|
|
2000-04-19 18:08:27 +00:00
|
|
|
/*
|
|
|
|
|
* Try to find a null zone key among those in 'rdataset'. If found, build
|
|
|
|
|
* a dst_key_t for it and point val->key at it.
|
|
|
|
|
*/
|
2000-08-01 01:33:37 +00:00
|
|
|
static inline isc_boolean_t
|
2000-04-19 18:08:27 +00:00
|
|
|
containsnullkey(dns_validator_t *val, dns_rdataset_t *rdataset) {
|
|
|
|
|
isc_result_t result;
|
|
|
|
|
dst_key_t *key = NULL;
|
|
|
|
|
isc_buffer_t b;
|
|
|
|
|
dns_rdata_t rdata;
|
|
|
|
|
isc_boolean_t found = ISC_FALSE;
|
|
|
|
|
|
|
|
|
|
result = dns_rdataset_first(rdataset);
|
|
|
|
|
if (result != ISC_R_SUCCESS)
|
|
|
|
|
return (ISC_FALSE);
|
|
|
|
|
while (result == ISC_R_SUCCESS && !found) {
|
|
|
|
|
dns_rdataset_current(rdataset, &rdata);
|
103. [func] libisc buffer API changes for <isc/buffer.h>:
Added:
isc_buffer_base(b) (pointer)
isc_buffer_current(b) (pointer)
isc_buffer_active(b) (pointer)
isc_buffer_used(b) (pointer)
isc_buffer_length(b) (int)
isc_buffer_usedlength(b) (int)
isc_buffer_consumedlength(b) (int)
isc_buffer_remaininglength(b) (int)
isc_buffer_activelength(b) (int)
isc_buffer_availablelength(b) (int)
Removed:
ISC_BUFFER_USEDCOUNT(b)
ISC_BUFFER_AVAILABLECOUNT(b)
isc_buffer_type(b)
Changed names:
isc_buffer_used(b, r) ->
isc_buffer_usedregion(b, r)
isc_buffer_available(b, r) ->
isc_buffer_available_region(b, r)
isc_buffer_consumed(b, r) ->
isc_buffer_consumedregion(b, r)
isc_buffer_active(b, r) ->
isc_buffer_activeregion(b, r)
isc_buffer_remaining(b, r) ->
isc_buffer_remainingregion(b, r)
Buffer types were removed, so the ISC_BUFFERTYPE_*
macros are no more, and the type argument to
isc_buffer_init and isc_buffer_allocate were removed.
isc_buffer_putstr is now void (instead of isc_result_t)
and requires that the caller ensure that there
is enough available buffer space for the string.
2000-04-27 00:03:12 +00:00
|
|
|
isc_buffer_init(&b, rdata.data, rdata.length);
|
2000-04-19 18:08:27 +00:00
|
|
|
isc_buffer_add(&b, rdata.length);
|
|
|
|
|
key = NULL;
|
|
|
|
|
/*
|
|
|
|
|
* The key name is unimportant, so we can avoid any name/text
|
|
|
|
|
* conversion.
|
|
|
|
|
*/
|
2000-05-24 23:13:32 +00:00
|
|
|
result = dst_key_fromdns(dns_rootname, &b, val->view->mctx,
|
|
|
|
|
&key);
|
2000-04-19 18:08:27 +00:00
|
|
|
if (result != ISC_R_SUCCESS)
|
|
|
|
|
continue;
|
|
|
|
|
if (dst_key_isnullkey(key))
|
|
|
|
|
found = ISC_TRUE;
|
2000-05-19 00:20:59 +00:00
|
|
|
dst_key_free(&key);
|
2000-04-19 18:08:27 +00:00
|
|
|
result = dns_rdataset_next(rdataset);
|
|
|
|
|
}
|
|
|
|
|
return (found);
|
|
|
|
|
}
|
|
|
|
|
|
2000-04-06 23:09:01 +00:00
|
|
|
/*
|
|
|
|
|
* Try to find a key that could have signed 'siginfo' among those
|
|
|
|
|
* in 'rdataset'. If found, build a dst_key_t for it and point
|
|
|
|
|
* val->key at it.
|
|
|
|
|
*
|
2000-05-18 23:22:14 +00:00
|
|
|
* If val->key is non-NULL, this returns the next matching key.
|
2000-04-06 23:09:01 +00:00
|
|
|
*/
|
2000-08-01 01:33:37 +00:00
|
|
|
static inline isc_result_t
|
2000-05-26 21:45:53 +00:00
|
|
|
get_dst_key(dns_validator_t *val, dns_rdata_sig_t *siginfo,
|
2000-03-17 00:01:28 +00:00
|
|
|
dns_rdataset_t *rdataset)
|
|
|
|
|
{
|
|
|
|
|
isc_result_t result;
|
|
|
|
|
isc_buffer_t b;
|
|
|
|
|
dns_rdata_t rdata;
|
2000-05-18 23:22:14 +00:00
|
|
|
dst_key_t *oldkey = val->key;
|
|
|
|
|
isc_boolean_t foundold;
|
|
|
|
|
|
|
|
|
|
if (oldkey == NULL)
|
|
|
|
|
foundold = ISC_TRUE;
|
|
|
|
|
else {
|
|
|
|
|
foundold = ISC_FALSE;
|
|
|
|
|
val->key = NULL;
|
|
|
|
|
}
|
2000-03-17 00:01:28 +00:00
|
|
|
|
|
|
|
|
result = dns_rdataset_first(rdataset);
|
|
|
|
|
if (result != ISC_R_SUCCESS)
|
2000-05-22 21:17:05 +00:00
|
|
|
goto failure;
|
2000-03-17 00:01:28 +00:00
|
|
|
do {
|
|
|
|
|
dns_rdataset_current(rdataset, &rdata);
|
|
|
|
|
|
103. [func] libisc buffer API changes for <isc/buffer.h>:
Added:
isc_buffer_base(b) (pointer)
isc_buffer_current(b) (pointer)
isc_buffer_active(b) (pointer)
isc_buffer_used(b) (pointer)
isc_buffer_length(b) (int)
isc_buffer_usedlength(b) (int)
isc_buffer_consumedlength(b) (int)
isc_buffer_remaininglength(b) (int)
isc_buffer_activelength(b) (int)
isc_buffer_availablelength(b) (int)
Removed:
ISC_BUFFER_USEDCOUNT(b)
ISC_BUFFER_AVAILABLECOUNT(b)
isc_buffer_type(b)
Changed names:
isc_buffer_used(b, r) ->
isc_buffer_usedregion(b, r)
isc_buffer_available(b, r) ->
isc_buffer_available_region(b, r)
isc_buffer_consumed(b, r) ->
isc_buffer_consumedregion(b, r)
isc_buffer_active(b, r) ->
isc_buffer_activeregion(b, r)
isc_buffer_remaining(b, r) ->
isc_buffer_remainingregion(b, r)
Buffer types were removed, so the ISC_BUFFERTYPE_*
macros are no more, and the type argument to
isc_buffer_init and isc_buffer_allocate were removed.
isc_buffer_putstr is now void (instead of isc_result_t)
and requires that the caller ensure that there
is enough available buffer space for the string.
2000-04-27 00:03:12 +00:00
|
|
|
isc_buffer_init(&b, rdata.data, rdata.length);
|
2000-03-17 00:01:28 +00:00
|
|
|
isc_buffer_add(&b, rdata.length);
|
|
|
|
|
INSIST(val->key == NULL);
|
2000-05-24 23:13:32 +00:00
|
|
|
result = dst_key_fromdns(&siginfo->signer, &b, val->view->mctx,
|
2000-03-17 00:01:28 +00:00
|
|
|
&val->key);
|
|
|
|
|
if (result != ISC_R_SUCCESS)
|
2000-05-22 21:17:05 +00:00
|
|
|
goto failure;
|
2000-03-17 00:01:28 +00:00
|
|
|
if (siginfo->algorithm ==
|
|
|
|
|
(dns_secalg_t)dst_key_alg(val->key) &&
|
2000-05-26 21:45:53 +00:00
|
|
|
siginfo->keyid ==
|
2000-03-17 00:01:28 +00:00
|
|
|
(dns_keytag_t)dst_key_id(val->key) &&
|
2000-04-12 15:52:12 +00:00
|
|
|
dst_key_iszonekey(val->key))
|
|
|
|
|
{
|
2000-05-18 23:22:14 +00:00
|
|
|
if (foundold)
|
|
|
|
|
/*
|
|
|
|
|
* This is the key we're looking for.
|
|
|
|
|
*/
|
|
|
|
|
return (ISC_R_SUCCESS);
|
|
|
|
|
else if (dst_key_compare(oldkey, val->key) == ISC_TRUE)
|
|
|
|
|
{
|
|
|
|
|
foundold = ISC_TRUE;
|
2000-05-19 00:20:59 +00:00
|
|
|
dst_key_free(&oldkey);
|
2000-05-18 23:22:14 +00:00
|
|
|
}
|
2000-03-17 00:01:28 +00:00
|
|
|
}
|
2000-05-19 00:20:59 +00:00
|
|
|
dst_key_free(&val->key);
|
2000-03-17 00:01:28 +00:00
|
|
|
result = dns_rdataset_next(rdataset);
|
|
|
|
|
} while (result == ISC_R_SUCCESS);
|
|
|
|
|
if (result == ISC_R_NOMORE)
|
|
|
|
|
result = ISC_R_NOTFOUND;
|
|
|
|
|
|
2000-05-22 21:17:05 +00:00
|
|
|
failure:
|
2000-05-18 23:22:14 +00:00
|
|
|
if (oldkey != NULL)
|
2000-05-19 00:20:59 +00:00
|
|
|
dst_key_free(&oldkey);
|
2000-05-18 23:22:14 +00:00
|
|
|
|
2000-03-17 00:01:28 +00:00
|
|
|
return (result);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline isc_result_t
|
2000-05-26 21:45:53 +00:00
|
|
|
get_key(dns_validator_t *val, dns_rdata_sig_t *siginfo) {
|
2000-03-17 00:01:28 +00:00
|
|
|
isc_result_t result;
|
|
|
|
|
dns_validatorevent_t *event;
|
|
|
|
|
unsigned int nbits, nlabels;
|
|
|
|
|
int order;
|
|
|
|
|
dns_namereln_t namereln;
|
|
|
|
|
|
|
|
|
|
event = val->event;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Is the key name appropriate for this signature?
|
|
|
|
|
*/
|
|
|
|
|
namereln = dns_name_fullcompare(event->name, &siginfo->signer,
|
|
|
|
|
&order, &nlabels, &nbits);
|
2000-03-23 22:52:22 +00:00
|
|
|
if (event->rdataset->type == dns_rdatatype_key &&
|
2000-03-17 00:01:28 +00:00
|
|
|
namereln != dns_namereln_subdomain) {
|
|
|
|
|
/*
|
|
|
|
|
* We don't want a KEY RR to authenticate
|
|
|
|
|
* itself, so we ignore the signature if it
|
|
|
|
|
* was not made by an ancestor of the KEY.
|
|
|
|
|
*/
|
|
|
|
|
return (DNS_R_CONTINUE);
|
|
|
|
|
} else if (namereln != dns_namereln_subdomain &&
|
|
|
|
|
namereln != dns_namereln_equal) {
|
|
|
|
|
/*
|
|
|
|
|
* The key name is not at the same level
|
|
|
|
|
* as 'rdataset', nor is it closer to the
|
|
|
|
|
* DNS root.
|
|
|
|
|
*/
|
|
|
|
|
return (DNS_R_CONTINUE);
|
|
|
|
|
}
|
|
|
|
|
|
2000-05-12 17:41:30 +00:00
|
|
|
/*
|
|
|
|
|
* Is the key used for the signature a security root?
|
|
|
|
|
*/
|
|
|
|
|
INSIST(val->keynode == NULL);
|
|
|
|
|
val->keytable = val->view->secroots;
|
|
|
|
|
result = dns_keytable_findkeynode(val->view->secroots,
|
|
|
|
|
&siginfo->signer,
|
2000-05-26 21:45:53 +00:00
|
|
|
siginfo->algorithm, siginfo->keyid,
|
2000-05-12 17:41:30 +00:00
|
|
|
&val->keynode);
|
|
|
|
|
if (result == ISC_R_SUCCESS) {
|
|
|
|
|
/*
|
|
|
|
|
* The key is a security root.
|
|
|
|
|
*/
|
|
|
|
|
val->key = dns_keynode_key(val->keynode);
|
|
|
|
|
return (ISC_R_SUCCESS);
|
|
|
|
|
}
|
|
|
|
|
|
2000-03-17 00:01:28 +00:00
|
|
|
/*
|
|
|
|
|
* Do we know about this key?
|
|
|
|
|
*/
|
2000-05-26 21:45:53 +00:00
|
|
|
if (dns_rdataset_isassociated(&val->frdataset))
|
|
|
|
|
dns_rdataset_disassociate(&val->frdataset);
|
|
|
|
|
if (dns_rdataset_isassociated(&val->fsigrdataset))
|
|
|
|
|
dns_rdataset_disassociate(&val->fsigrdataset);
|
2000-03-17 00:01:28 +00:00
|
|
|
result = dns_view_simplefind(val->view, &siginfo->signer,
|
|
|
|
|
dns_rdatatype_key, 0,
|
|
|
|
|
DNS_DBFIND_PENDINGOK, ISC_FALSE,
|
2000-05-26 21:45:53 +00:00
|
|
|
&val->frdataset, &val->fsigrdataset);
|
2000-03-17 00:01:28 +00:00
|
|
|
if (result == ISC_R_SUCCESS) {
|
|
|
|
|
/*
|
|
|
|
|
* We have an rrset for the given keyname.
|
|
|
|
|
*/
|
2000-06-07 01:32:47 +00:00
|
|
|
val->keyset = &val->frdataset;
|
2000-05-26 21:45:53 +00:00
|
|
|
if (val->frdataset.trust == dns_trust_pending &&
|
|
|
|
|
dns_rdataset_isassociated(&val->fsigrdataset))
|
2000-05-18 23:22:14 +00:00
|
|
|
{
|
2000-03-17 00:01:28 +00:00
|
|
|
/*
|
|
|
|
|
* We know the key but haven't validated it yet.
|
|
|
|
|
*/
|
2000-04-07 21:44:47 +00:00
|
|
|
result = dns_validator_create(val->view,
|
|
|
|
|
&siginfo->signer,
|
2000-04-20 20:43:52 +00:00
|
|
|
dns_rdatatype_key,
|
2000-05-26 21:45:53 +00:00
|
|
|
&val->frdataset,
|
|
|
|
|
&val->fsigrdataset,
|
2000-04-07 21:44:47 +00:00
|
|
|
NULL,
|
|
|
|
|
0,
|
|
|
|
|
val->task,
|
|
|
|
|
keyvalidated,
|
|
|
|
|
val,
|
|
|
|
|
&val->keyvalidator);
|
|
|
|
|
if (result != ISC_R_SUCCESS)
|
|
|
|
|
return (result);
|
|
|
|
|
return (DNS_R_WAIT);
|
2000-05-26 21:45:53 +00:00
|
|
|
} else if (val->frdataset.trust == dns_trust_pending) {
|
2000-03-17 00:01:28 +00:00
|
|
|
/*
|
2000-05-18 23:22:14 +00:00
|
|
|
* Having a pending key with no signature means that
|
|
|
|
|
* something is broken.
|
2000-03-17 00:01:28 +00:00
|
|
|
*/
|
2000-05-18 23:22:14 +00:00
|
|
|
result = DNS_R_CONTINUE;
|
2000-05-26 21:45:53 +00:00
|
|
|
} else if (val->frdataset.trust < dns_trust_secure) {
|
2000-05-18 23:22:14 +00:00
|
|
|
/*
|
|
|
|
|
* The key is legitimately insecure. There's no
|
|
|
|
|
* point in even attempting verification.
|
|
|
|
|
*/
|
|
|
|
|
val->key = NULL;
|
|
|
|
|
result = ISC_R_SUCCESS;
|
|
|
|
|
} else {
|
2000-03-17 00:01:28 +00:00
|
|
|
/*
|
|
|
|
|
* See if we've got the key used in the signature.
|
|
|
|
|
*/
|
2000-05-18 02:02:05 +00:00
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
2000-05-26 21:45:53 +00:00
|
|
|
"keyset with trust %d",
|
|
|
|
|
val->frdataset.trust);
|
2000-06-07 01:32:47 +00:00
|
|
|
result = get_dst_key(val, siginfo, val->keyset);
|
2000-03-17 00:01:28 +00:00
|
|
|
if (result != ISC_R_SUCCESS) {
|
|
|
|
|
/*
|
|
|
|
|
* Either the key we're looking for is not
|
|
|
|
|
* in the rrset, or something bad happened.
|
|
|
|
|
* Give up.
|
|
|
|
|
*/
|
|
|
|
|
result = DNS_R_CONTINUE;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
} else if (result == ISC_R_NOTFOUND) {
|
|
|
|
|
/*
|
|
|
|
|
* We don't know anything about this key.
|
|
|
|
|
*/
|
2000-04-07 17:36:40 +00:00
|
|
|
val->fetch = NULL;
|
|
|
|
|
result = dns_resolver_createfetch(val->view->resolver,
|
|
|
|
|
&siginfo->signer,
|
|
|
|
|
dns_rdatatype_key,
|
|
|
|
|
NULL, NULL, NULL, 0,
|
2000-04-17 19:22:44 +00:00
|
|
|
val->event->ev_sender,
|
2000-04-07 17:36:40 +00:00
|
|
|
fetch_callback_validator,
|
|
|
|
|
val,
|
2000-05-26 21:45:53 +00:00
|
|
|
&val->frdataset,
|
|
|
|
|
&val->fsigrdataset,
|
2000-04-07 17:36:40 +00:00
|
|
|
&val->fetch);
|
|
|
|
|
if (result != ISC_R_SUCCESS)
|
|
|
|
|
return (result);
|
|
|
|
|
return (DNS_R_WAIT);
|
2000-03-17 00:01:28 +00:00
|
|
|
} else if (result == DNS_R_NCACHENXDOMAIN ||
|
|
|
|
|
result == DNS_R_NCACHENXRRSET ||
|
|
|
|
|
result == DNS_R_NXDOMAIN ||
|
2000-05-18 23:22:14 +00:00
|
|
|
result == DNS_R_NXRRSET)
|
|
|
|
|
{
|
2000-03-17 00:01:28 +00:00
|
|
|
/*
|
|
|
|
|
* This key doesn't exist.
|
|
|
|
|
*/
|
|
|
|
|
result = DNS_R_CONTINUE;
|
|
|
|
|
}
|
|
|
|
|
|
2000-06-07 01:32:47 +00:00
|
|
|
if (dns_rdataset_isassociated(&val->frdataset) &&
|
|
|
|
|
val->keyset != &val->frdataset)
|
2000-05-26 21:45:53 +00:00
|
|
|
dns_rdataset_disassociate(&val->frdataset);
|
|
|
|
|
if (dns_rdataset_isassociated(&val->fsigrdataset))
|
|
|
|
|
dns_rdataset_disassociate(&val->fsigrdataset);
|
2000-03-17 00:01:28 +00:00
|
|
|
|
|
|
|
|
return (result);
|
|
|
|
|
}
|
|
|
|
|
|
2000-07-07 00:44:01 +00:00
|
|
|
/*
|
|
|
|
|
* If the rdataset being validated is a key set, is each key a security root?
|
|
|
|
|
*/
|
|
|
|
|
static isc_boolean_t
|
|
|
|
|
issecurityroot(dns_validator_t *val) {
|
|
|
|
|
dns_name_t *name;
|
|
|
|
|
dns_rdataset_t *rdataset;
|
|
|
|
|
isc_mem_t *mctx;
|
|
|
|
|
dns_keytable_t *secroots;
|
|
|
|
|
dns_rdata_t rdata;
|
|
|
|
|
isc_result_t result;
|
|
|
|
|
dns_keynode_t *keynode, *nextnode;
|
|
|
|
|
dst_key_t *key, *secrootkey;
|
|
|
|
|
isc_boolean_t match = ISC_FALSE;
|
|
|
|
|
|
|
|
|
|
name = val->event->name;
|
|
|
|
|
rdataset = val->event->rdataset;
|
|
|
|
|
mctx = val->view->mctx;
|
|
|
|
|
secroots = val->view->secroots;
|
|
|
|
|
|
|
|
|
|
for (result = dns_rdataset_first(rdataset);
|
|
|
|
|
result == ISC_R_SUCCESS;
|
|
|
|
|
result = dns_rdataset_next(rdataset))
|
|
|
|
|
{
|
|
|
|
|
dns_rdataset_current(rdataset, &rdata);
|
|
|
|
|
key = NULL;
|
|
|
|
|
result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &key);
|
|
|
|
|
if (result != ISC_R_SUCCESS)
|
|
|
|
|
continue;
|
|
|
|
|
keynode = NULL;
|
|
|
|
|
result = dns_keytable_findkeynode(secroots, name,
|
|
|
|
|
dst_key_alg(key),
|
|
|
|
|
dst_key_id(key),
|
|
|
|
|
&keynode);
|
|
|
|
|
|
|
|
|
|
match = ISC_FALSE;
|
|
|
|
|
while (result == ISC_R_SUCCESS) {
|
|
|
|
|
secrootkey = dns_keynode_key(keynode);
|
|
|
|
|
if (dst_key_compare(key, secrootkey)) {
|
|
|
|
|
match = ISC_TRUE;
|
|
|
|
|
dns_keytable_detachkeynode(secroots, &keynode);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
nextnode = NULL;
|
|
|
|
|
result = dns_keytable_findnextkeynode(secroots,
|
|
|
|
|
keynode,
|
|
|
|
|
&nextnode);
|
|
|
|
|
dns_keytable_detachkeynode(secroots, &keynode);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
dst_key_free(&key);
|
|
|
|
|
if (!match)
|
|
|
|
|
return (ISC_FALSE);
|
|
|
|
|
}
|
|
|
|
|
return (match);
|
|
|
|
|
}
|
|
|
|
|
|
2000-05-11 22:58:17 +00:00
|
|
|
/*
|
|
|
|
|
* Attempts positive response validation.
|
|
|
|
|
*
|
|
|
|
|
* Returns:
|
|
|
|
|
* ISC_R_SUCCESS Validation completed successfully
|
|
|
|
|
* DNS_R_WAIT Validation has started but is waiting
|
|
|
|
|
* for an event.
|
|
|
|
|
* Other return codes are possible and all indicate failure.
|
|
|
|
|
*/
|
2000-03-17 00:01:28 +00:00
|
|
|
static inline isc_result_t
|
|
|
|
|
validate(dns_validator_t *val, isc_boolean_t resume) {
|
|
|
|
|
isc_result_t result;
|
|
|
|
|
dns_validatorevent_t *event;
|
|
|
|
|
dns_rdata_t rdata;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Caller must be holding the validator lock.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
event = val->event;
|
|
|
|
|
|
2000-07-07 00:44:01 +00:00
|
|
|
/*
|
|
|
|
|
* If this is a security root, it's ok.
|
|
|
|
|
*/
|
|
|
|
|
if (!resume) {
|
|
|
|
|
dns_fixedname_t fsecroot;
|
|
|
|
|
dns_name_t *secroot;
|
|
|
|
|
|
|
|
|
|
dns_fixedname_init(&fsecroot);
|
|
|
|
|
secroot = dns_fixedname_name(&fsecroot);
|
|
|
|
|
result = dns_keytable_finddeepestmatch(val->view->secroots,
|
|
|
|
|
val->event->name,
|
|
|
|
|
secroot);
|
|
|
|
|
if (result == ISC_R_SUCCESS &&
|
|
|
|
|
val->event->type == dns_rdatatype_key &&
|
|
|
|
|
dns_name_equal(val->event->name, secroot) &&
|
|
|
|
|
issecurityroot(val))
|
|
|
|
|
{
|
|
|
|
|
val->event->rdataset->trust = dns_trust_secure;
|
|
|
|
|
return (ISC_R_SUCCESS);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2000-04-06 23:09:01 +00:00
|
|
|
if (resume) {
|
2000-05-08 14:38:29 +00:00
|
|
|
/*
|
2000-05-12 17:41:30 +00:00
|
|
|
* We already have a sigrdataset.
|
2000-05-08 14:38:29 +00:00
|
|
|
*/
|
2000-04-06 23:09:01 +00:00
|
|
|
result = ISC_R_SUCCESS;
|
2000-05-18 23:22:14 +00:00
|
|
|
validator_log(val, ISC_LOG_DEBUG(3), "resuming validate");
|
2000-04-06 23:09:01 +00:00
|
|
|
} else {
|
2000-03-17 00:01:28 +00:00
|
|
|
result = dns_rdataset_first(event->sigrdataset);
|
|
|
|
|
}
|
2000-04-06 23:09:01 +00:00
|
|
|
|
|
|
|
|
for (;
|
|
|
|
|
result == ISC_R_SUCCESS;
|
|
|
|
|
result = dns_rdataset_next(event->sigrdataset))
|
|
|
|
|
{
|
2000-03-17 00:01:28 +00:00
|
|
|
dns_rdataset_current(event->sigrdataset, &rdata);
|
2000-04-14 16:00:33 +00:00
|
|
|
if (val->siginfo != NULL)
|
|
|
|
|
isc_mem_put(val->view->mctx, val->siginfo,
|
|
|
|
|
sizeof *val->siginfo);
|
2000-04-07 17:36:40 +00:00
|
|
|
val->siginfo = isc_mem_get(val->view->mctx,
|
|
|
|
|
sizeof *val->siginfo);
|
|
|
|
|
if (val->siginfo == NULL)
|
|
|
|
|
return (ISC_R_NOMEMORY);
|
2000-05-26 21:45:53 +00:00
|
|
|
dns_rdata_tostruct(&rdata, val->siginfo, NULL);
|
2000-08-01 01:33:37 +00:00
|
|
|
|
2000-03-17 00:01:28 +00:00
|
|
|
/*
|
|
|
|
|
* At this point we could check that the signature algorithm
|
|
|
|
|
* was known and "sufficiently good". For now, any algorithm
|
|
|
|
|
* is acceptable.
|
|
|
|
|
*/
|
2000-08-01 01:33:37 +00:00
|
|
|
|
2000-03-17 00:01:28 +00:00
|
|
|
if (!resume) {
|
2000-04-07 17:36:40 +00:00
|
|
|
result = get_key(val, val->siginfo);
|
2000-04-06 23:09:01 +00:00
|
|
|
if (result == DNS_R_CONTINUE)
|
|
|
|
|
continue; /* Try the next SIG RR. */
|
2000-04-05 22:29:47 +00:00
|
|
|
if (result != ISC_R_SUCCESS)
|
2000-03-17 00:01:28 +00:00
|
|
|
return (result);
|
|
|
|
|
}
|
|
|
|
|
|
2000-05-18 23:22:14 +00:00
|
|
|
if (val->key == NULL) {
|
|
|
|
|
event->rdataset->trust = dns_trust_answer;
|
|
|
|
|
event->sigrdataset->trust = dns_trust_answer;
|
|
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
|
|
|
|
"marking as answer");
|
|
|
|
|
return (ISC_R_SUCCESS);
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
2000-05-19 18:39:49 +00:00
|
|
|
do {
|
2000-07-13 23:52:04 +00:00
|
|
|
val->attributes |= VALATTR_TRIEDVERIFY;
|
2000-05-18 23:22:14 +00:00
|
|
|
result = dns_dnssec_verify(event->name,
|
|
|
|
|
event->rdataset,
|
|
|
|
|
val->key, ISC_FALSE,
|
|
|
|
|
val->view->mctx, &rdata);
|
|
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
2000-05-19 18:39:49 +00:00
|
|
|
"verify rdataset: %s",
|
|
|
|
|
isc_result_totext(result));
|
|
|
|
|
if (result == ISC_R_SUCCESS)
|
|
|
|
|
break;
|
|
|
|
|
if (val->keynode != NULL) {
|
2000-05-19 20:25:55 +00:00
|
|
|
dns_keynode_t *nextnode = NULL;
|
|
|
|
|
result = dns_keytable_findnextkeynode(
|
|
|
|
|
val->keytable,
|
|
|
|
|
val->keynode,
|
|
|
|
|
&nextnode);
|
|
|
|
|
dns_keytable_detachkeynode(val->keytable,
|
|
|
|
|
&val->keynode);
|
|
|
|
|
val->keynode = nextnode;
|
|
|
|
|
if (result != ISC_R_SUCCESS) {
|
|
|
|
|
val->key = NULL;
|
2000-05-19 18:39:49 +00:00
|
|
|
break;
|
2000-05-19 20:25:55 +00:00
|
|
|
}
|
2000-05-19 18:39:49 +00:00
|
|
|
val->key = dns_keynode_key(val->keynode);
|
2000-05-22 21:17:05 +00:00
|
|
|
} else {
|
|
|
|
|
if (get_dst_key(val, val->siginfo, val->keyset)
|
2000-05-19 18:39:49 +00:00
|
|
|
!= ISC_R_SUCCESS)
|
|
|
|
|
break;
|
2000-05-22 21:17:05 +00:00
|
|
|
}
|
2000-05-19 18:39:49 +00:00
|
|
|
} while (1);
|
2000-05-18 23:22:14 +00:00
|
|
|
if (result != ISC_R_SUCCESS)
|
|
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
|
|
|
|
"failed to verify rdataset");
|
2000-05-31 22:01:39 +00:00
|
|
|
else {
|
|
|
|
|
isc_uint32_t ttl;
|
|
|
|
|
isc_stdtime_t now;
|
|
|
|
|
|
|
|
|
|
isc_stdtime_get(&now);
|
|
|
|
|
ttl = ISC_MIN(event->rdataset->ttl,
|
|
|
|
|
val->siginfo->timeexpire - now);
|
|
|
|
|
if (val->keyset != NULL)
|
|
|
|
|
ttl = ISC_MIN(ttl, val->keyset->ttl);
|
|
|
|
|
event->rdataset->ttl = ttl;
|
|
|
|
|
event->sigrdataset->ttl = ttl;
|
|
|
|
|
}
|
|
|
|
|
|
2000-04-13 18:10:07 +00:00
|
|
|
if (val->keynode != NULL)
|
|
|
|
|
dns_keytable_detachkeynode(val->keytable,
|
|
|
|
|
&val->keynode);
|
2000-05-22 21:17:05 +00:00
|
|
|
else {
|
|
|
|
|
if (val->key != NULL)
|
|
|
|
|
dst_key_free(&val->key);
|
2000-05-26 21:45:53 +00:00
|
|
|
if (val->keyset != NULL) {
|
|
|
|
|
dns_rdataset_disassociate(val->keyset);
|
2000-05-22 21:17:05 +00:00
|
|
|
val->keyset = NULL;
|
2000-05-26 21:45:53 +00:00
|
|
|
}
|
2000-05-22 21:17:05 +00:00
|
|
|
}
|
2000-05-19 01:23:12 +00:00
|
|
|
val->key = NULL;
|
2000-04-07 17:36:40 +00:00
|
|
|
if (result == ISC_R_SUCCESS) {
|
2000-04-11 20:59:37 +00:00
|
|
|
event->rdataset->trust = dns_trust_secure;
|
|
|
|
|
event->sigrdataset->trust = dns_trust_secure;
|
2000-04-11 20:35:37 +00:00
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
2000-05-18 02:02:05 +00:00
|
|
|
"marking as secure");
|
2000-04-11 20:59:37 +00:00
|
|
|
return (result);
|
2000-04-07 17:36:40 +00:00
|
|
|
}
|
2000-04-14 02:30:12 +00:00
|
|
|
else
|
|
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
|
|
|
|
"verify failure: %s",
|
2000-05-19 20:25:55 +00:00
|
|
|
isc_result_totext(result));
|
2000-04-06 23:09:01 +00:00
|
|
|
}
|
2000-05-12 21:25:17 +00:00
|
|
|
INSIST(result == ISC_R_NOMORE);
|
|
|
|
|
|
|
|
|
|
validator_log(val, ISC_LOG_INFO, "no valid signature found");
|
|
|
|
|
return (DNS_R_NOVALIDSIG);
|
2000-03-17 00:01:28 +00:00
|
|
|
}
|
|
|
|
|
|
2000-04-13 18:10:07 +00:00
|
|
|
|
|
|
|
|
static inline isc_result_t
|
|
|
|
|
nxtvalidate(dns_validator_t *val, isc_boolean_t resume) {
|
|
|
|
|
dns_name_t *name;
|
|
|
|
|
dns_message_t *message = val->event->message;
|
|
|
|
|
isc_result_t result;
|
|
|
|
|
|
|
|
|
|
if (!resume) {
|
|
|
|
|
result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
|
|
|
|
|
if (result != ISC_R_SUCCESS)
|
|
|
|
|
validator_done(val, ISC_R_NOTFOUND);
|
2000-05-17 18:24:59 +00:00
|
|
|
} else {
|
2000-04-13 18:10:07 +00:00
|
|
|
result = ISC_R_SUCCESS;
|
2000-05-17 18:24:59 +00:00
|
|
|
validator_log(val, ISC_LOG_DEBUG(3), "resuming nxtvalidate");
|
|
|
|
|
}
|
2000-04-13 18:10:07 +00:00
|
|
|
|
|
|
|
|
for (;
|
|
|
|
|
result == ISC_R_SUCCESS;
|
|
|
|
|
result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
|
|
|
|
|
{
|
2000-05-17 18:24:59 +00:00
|
|
|
dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
|
2000-04-13 18:10:07 +00:00
|
|
|
|
|
|
|
|
name = NULL;
|
|
|
|
|
dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
|
2000-05-17 18:24:59 +00:00
|
|
|
if (resume) {
|
|
|
|
|
rdataset = ISC_LIST_NEXT(val->currentset, link);
|
|
|
|
|
val->currentset = NULL;
|
|
|
|
|
resume = ISC_FALSE;
|
2000-04-13 18:10:07 +00:00
|
|
|
}
|
2000-07-27 18:42:08 +00:00
|
|
|
else
|
2000-05-17 18:24:59 +00:00
|
|
|
rdataset = ISC_LIST_HEAD(name->list);
|
|
|
|
|
|
|
|
|
|
for (;
|
|
|
|
|
rdataset != NULL;
|
|
|
|
|
rdataset = ISC_LIST_NEXT(rdataset, link))
|
|
|
|
|
{
|
|
|
|
|
if (rdataset->type == dns_rdatatype_sig)
|
2000-04-13 18:10:07 +00:00
|
|
|
continue;
|
2000-05-17 18:24:59 +00:00
|
|
|
|
|
|
|
|
for (sigrdataset = ISC_LIST_HEAD(name->list);
|
|
|
|
|
sigrdataset != NULL;
|
|
|
|
|
sigrdataset = ISC_LIST_NEXT(sigrdataset,
|
|
|
|
|
link))
|
|
|
|
|
{
|
|
|
|
|
if (sigrdataset->type == dns_rdatatype_sig &&
|
|
|
|
|
sigrdataset->covers == rdataset->type)
|
|
|
|
|
break;
|
2000-04-13 18:10:07 +00:00
|
|
|
}
|
2000-05-17 18:24:59 +00:00
|
|
|
if (sigrdataset == NULL)
|
2000-05-18 02:02:05 +00:00
|
|
|
continue;
|
|
|
|
|
val->seensig = ISC_TRUE;
|
2000-05-17 18:24:59 +00:00
|
|
|
val->authvalidator = NULL;
|
|
|
|
|
val->currentset = rdataset;
|
|
|
|
|
result = dns_validator_create(val->view, name,
|
|
|
|
|
rdataset->type,
|
|
|
|
|
rdataset,
|
|
|
|
|
sigrdataset,
|
|
|
|
|
NULL, 0,
|
|
|
|
|
val->task,
|
|
|
|
|
authvalidated,
|
|
|
|
|
val,
|
|
|
|
|
&val->authvalidator);
|
|
|
|
|
if (result != ISC_R_SUCCESS)
|
|
|
|
|
return (result);
|
|
|
|
|
return (DNS_R_WAIT);
|
2000-08-01 01:33:37 +00:00
|
|
|
|
2000-04-13 18:10:07 +00:00
|
|
|
}
|
2000-05-17 18:24:59 +00:00
|
|
|
}
|
|
|
|
|
if (result == ISC_R_NOMORE)
|
|
|
|
|
result = ISC_R_SUCCESS;
|
|
|
|
|
if (result != ISC_R_SUCCESS)
|
|
|
|
|
validator_done(val, result);
|
2000-04-14 02:30:12 +00:00
|
|
|
|
2000-05-18 02:02:05 +00:00
|
|
|
if ((val->attributes & VALATTR_FOUNDNONEXISTENCE) == 0) {
|
|
|
|
|
if (!val->seensig) {
|
|
|
|
|
result = dns_validator_create(val->view, name,
|
|
|
|
|
dns_rdatatype_soa,
|
2000-05-26 21:45:53 +00:00
|
|
|
&val->frdataset,
|
2000-05-18 02:02:05 +00:00
|
|
|
NULL, NULL, 0,
|
|
|
|
|
val->task,
|
|
|
|
|
negauthvalidated,
|
|
|
|
|
val,
|
|
|
|
|
&val->authvalidator);
|
|
|
|
|
if (result != ISC_R_SUCCESS)
|
|
|
|
|
return (result);
|
|
|
|
|
return (DNS_R_WAIT);
|
|
|
|
|
}
|
|
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
|
|
|
|
"nonexistence proof not found");
|
2000-05-17 18:24:59 +00:00
|
|
|
return (DNS_R_NOVALIDNXT);
|
|
|
|
|
} else {
|
2000-05-18 02:02:05 +00:00
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
|
|
|
|
"nonexistence proof found");
|
2000-04-13 18:10:07 +00:00
|
|
|
return (ISC_R_SUCCESS);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2000-04-18 17:50:38 +00:00
|
|
|
static inline isc_result_t
|
|
|
|
|
proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
|
|
|
|
|
isc_result_t result;
|
2000-04-19 18:08:27 +00:00
|
|
|
dns_fixedname_t secroot, tfname;
|
2000-04-18 17:50:38 +00:00
|
|
|
dns_name_t *tname;
|
|
|
|
|
|
|
|
|
|
dns_fixedname_init(&secroot);
|
2000-04-19 18:08:27 +00:00
|
|
|
dns_fixedname_init(&tfname);
|
2000-04-18 17:50:38 +00:00
|
|
|
result = dns_keytable_finddeepestmatch(val->view->secroots,
|
|
|
|
|
val->event->name,
|
|
|
|
|
dns_fixedname_name(&secroot));
|
2000-06-03 00:18:43 +00:00
|
|
|
/*
|
|
|
|
|
* If the name is not under a security root, it must be insecure.
|
|
|
|
|
*/
|
|
|
|
|
if (result == ISC_R_NOTFOUND)
|
|
|
|
|
return (ISC_R_SUCCESS);
|
|
|
|
|
|
|
|
|
|
else if (result != ISC_R_SUCCESS)
|
2000-04-18 17:50:38 +00:00
|
|
|
return (result);
|
|
|
|
|
|
2000-07-07 00:44:01 +00:00
|
|
|
/*
|
|
|
|
|
* If this is a security root, it's ok.
|
|
|
|
|
*/
|
|
|
|
|
if (val->event->type == dns_rdatatype_key &&
|
|
|
|
|
dns_name_equal(val->event->name, dns_fixedname_name(&secroot)) &&
|
|
|
|
|
issecurityroot(val))
|
|
|
|
|
{
|
|
|
|
|
val->event->rdataset->trust = dns_trust_secure;
|
|
|
|
|
return (ISC_R_SUCCESS);
|
|
|
|
|
}
|
|
|
|
|
|
2000-04-18 17:50:38 +00:00
|
|
|
if (!resume)
|
|
|
|
|
val->labels = dns_name_depth(dns_fixedname_name(&secroot)) + 1;
|
2000-05-17 18:24:59 +00:00
|
|
|
else {
|
|
|
|
|
validator_log(val, ISC_LOG_DEBUG(3), "resuming proveunsecure");
|
2000-04-18 17:50:38 +00:00
|
|
|
val->labels++;
|
2000-05-17 18:24:59 +00:00
|
|
|
}
|
|
|
|
|
|
2000-04-18 17:50:38 +00:00
|
|
|
for (;
|
|
|
|
|
val->labels <= dns_name_depth(val->event->name);
|
|
|
|
|
val->labels++)
|
|
|
|
|
{
|
2000-06-22 21:14:48 +00:00
|
|
|
char namebuf[1024];
|
|
|
|
|
|
2000-05-18 02:02:05 +00:00
|
|
|
if (val->labels == dns_name_depth(val->event->name)) {
|
|
|
|
|
if (val->event->type == dns_rdatatype_key)
|
|
|
|
|
break;
|
2000-04-18 17:50:38 +00:00
|
|
|
tname = val->event->name;
|
2000-05-18 02:02:05 +00:00
|
|
|
} else {
|
2000-04-19 18:08:27 +00:00
|
|
|
tname = dns_fixedname_name(&tfname);
|
2000-04-18 17:50:38 +00:00
|
|
|
result = dns_name_splitatdepth(val->event->name,
|
|
|
|
|
val->labels,
|
|
|
|
|
NULL, tname);
|
|
|
|
|
if (result != ISC_R_SUCCESS)
|
|
|
|
|
return (result);
|
|
|
|
|
}
|
2000-05-26 21:45:53 +00:00
|
|
|
|
2000-06-22 21:14:48 +00:00
|
|
|
dns_name_format(tname, namebuf, sizeof(namebuf));
|
|
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
|
|
|
|
"looking for null keyset at '%s'",
|
|
|
|
|
namebuf);
|
|
|
|
|
|
2000-05-26 21:45:53 +00:00
|
|
|
if (dns_rdataset_isassociated(&val->frdataset))
|
|
|
|
|
dns_rdataset_disassociate(&val->frdataset);
|
|
|
|
|
if (dns_rdataset_isassociated(&val->fsigrdataset))
|
|
|
|
|
dns_rdataset_disassociate(&val->fsigrdataset);
|
|
|
|
|
|
2000-04-18 17:50:38 +00:00
|
|
|
result = dns_view_simplefind(val->view, tname,
|
|
|
|
|
dns_rdatatype_key, 0,
|
|
|
|
|
DNS_DBFIND_PENDINGOK, ISC_FALSE,
|
2000-05-26 21:45:53 +00:00
|
|
|
&val->frdataset,
|
|
|
|
|
&val->fsigrdataset);
|
2000-04-18 17:50:38 +00:00
|
|
|
if (result == ISC_R_SUCCESS) {
|
|
|
|
|
dns_name_t *fname = NULL;
|
|
|
|
|
|
2000-05-26 21:45:53 +00:00
|
|
|
if (!dns_rdataset_isassociated(&val->fsigrdataset)) {
|
|
|
|
|
result = DNS_R_NOTINSECURE;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
2000-04-18 17:50:38 +00:00
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
|
|
|
|
"found keyset, looking for null key");
|
2000-05-26 21:45:53 +00:00
|
|
|
if (!containsnullkey(val, &val->frdataset))
|
2000-04-18 17:50:38 +00:00
|
|
|
continue;
|
2000-08-01 01:33:37 +00:00
|
|
|
|
2000-05-26 21:45:53 +00:00
|
|
|
if (val->frdataset.trust >= dns_trust_secure) {
|
2000-05-18 02:02:05 +00:00
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
|
|
|
|
"insecurity proof succeeded");
|
|
|
|
|
val->event->rdataset->trust = dns_trust_answer;
|
2000-05-26 21:45:53 +00:00
|
|
|
result = ISC_R_SUCCESS;
|
|
|
|
|
goto out;
|
2000-05-18 02:02:05 +00:00
|
|
|
}
|
2000-04-19 18:08:27 +00:00
|
|
|
|
2000-04-18 17:50:38 +00:00
|
|
|
fname = isc_mem_get(val->view->mctx, sizeof *fname);
|
2000-05-26 21:45:53 +00:00
|
|
|
if (fname == NULL)
|
2000-04-18 17:50:38 +00:00
|
|
|
return (ISC_R_NOMEMORY);
|
|
|
|
|
dns_name_init(fname, NULL);
|
|
|
|
|
result = dns_name_dup(tname, val->view->mctx, fname);
|
|
|
|
|
if (result != ISC_R_SUCCESS) {
|
2000-05-18 02:02:05 +00:00
|
|
|
isc_mem_put(val->view->mctx, fname,
|
|
|
|
|
sizeof *fname);
|
2000-05-26 21:45:53 +00:00
|
|
|
result = ISC_R_NOMEMORY;
|
|
|
|
|
goto out;
|
2000-04-18 17:50:38 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = dns_validator_create(val->view,
|
|
|
|
|
fname,
|
2000-04-20 20:43:52 +00:00
|
|
|
dns_rdatatype_key,
|
2000-05-26 21:45:53 +00:00
|
|
|
&val->frdataset,
|
|
|
|
|
&val->fsigrdataset,
|
2000-04-18 17:50:38 +00:00
|
|
|
NULL,
|
|
|
|
|
0,
|
|
|
|
|
val->task,
|
|
|
|
|
nullkeyvalidated,
|
|
|
|
|
val,
|
|
|
|
|
&val->keyvalidator);
|
2000-05-26 21:45:53 +00:00
|
|
|
if (result != ISC_R_SUCCESS)
|
|
|
|
|
goto out;
|
2000-04-18 17:50:38 +00:00
|
|
|
return (DNS_R_WAIT);
|
|
|
|
|
} else if (result == ISC_R_NOTFOUND) {
|
2000-05-18 02:02:05 +00:00
|
|
|
val->fetch = NULL;
|
2000-04-19 18:08:27 +00:00
|
|
|
result = dns_resolver_createfetch(val->view->resolver,
|
2000-05-08 14:38:29 +00:00
|
|
|
tname,
|
|
|
|
|
dns_rdatatype_key,
|
|
|
|
|
NULL, NULL, NULL, 0,
|
|
|
|
|
val->event->ev_sender,
|
|
|
|
|
fetch_callback_nullkey,
|
2000-05-26 21:45:53 +00:00
|
|
|
val,
|
|
|
|
|
&val->frdataset,
|
|
|
|
|
&val->fsigrdataset,
|
2000-05-08 14:38:29 +00:00
|
|
|
&val->fetch);
|
2000-04-19 18:08:27 +00:00
|
|
|
if (result != ISC_R_SUCCESS)
|
2000-05-26 21:45:53 +00:00
|
|
|
goto out;
|
2000-04-19 18:08:27 +00:00
|
|
|
return (DNS_R_WAIT);
|
2000-04-18 17:50:38 +00:00
|
|
|
} else if (result == DNS_R_NCACHENXDOMAIN ||
|
|
|
|
|
result == DNS_R_NCACHENXRRSET ||
|
|
|
|
|
result == DNS_R_NXDOMAIN ||
|
|
|
|
|
result == DNS_R_NXRRSET)
|
|
|
|
|
{
|
|
|
|
|
continue;
|
|
|
|
|
} else
|
2000-05-26 21:45:53 +00:00
|
|
|
goto out;
|
2000-04-18 17:50:38 +00:00
|
|
|
}
|
2000-05-18 02:02:05 +00:00
|
|
|
validator_log(val, ISC_LOG_DEBUG(3), "insecurity proof failed");
|
|
|
|
|
return (DNS_R_NOTINSECURE); /* Didn't find a null key */
|
2000-05-26 21:45:53 +00:00
|
|
|
|
|
|
|
|
out:
|
|
|
|
|
if (dns_rdataset_isassociated(&val->frdataset))
|
|
|
|
|
dns_rdataset_disassociate(&val->frdataset);
|
|
|
|
|
if (dns_rdataset_isassociated(&val->fsigrdataset))
|
|
|
|
|
dns_rdataset_disassociate(&val->fsigrdataset);
|
|
|
|
|
return (result);
|
2000-04-18 17:50:38 +00:00
|
|
|
}
|
|
|
|
|
|
2000-04-07 17:36:40 +00:00
|
|
|
static void
|
|
|
|
|
validator_start(isc_task_t *task, isc_event_t *event) {
|
|
|
|
|
dns_validator_t *val;
|
|
|
|
|
dns_validatorevent_t *vevent;
|
2000-05-18 02:02:05 +00:00
|
|
|
isc_result_t result = ISC_R_FAILURE;
|
2000-03-17 00:01:28 +00:00
|
|
|
|
2000-04-07 17:36:40 +00:00
|
|
|
UNUSED(task);
|
2000-04-17 19:22:44 +00:00
|
|
|
REQUIRE(event->ev_type == DNS_EVENT_VALIDATORSTART);
|
2000-05-26 17:46:16 +00:00
|
|
|
vevent = (dns_validatorevent_t *)event;
|
2000-04-07 17:36:40 +00:00
|
|
|
val = vevent->validator;
|
|
|
|
|
|
2000-08-15 00:21:05 +00:00
|
|
|
/* If the validator has been cancelled, val->event == NULL */
|
|
|
|
|
if (val->event == NULL)
|
|
|
|
|
return;
|
|
|
|
|
|
2000-05-12 17:41:30 +00:00
|
|
|
validator_log(val, ISC_LOG_DEBUG(3), "starting");
|
2000-08-01 01:33:37 +00:00
|
|
|
|
2000-03-17 00:01:28 +00:00
|
|
|
LOCK(&val->lock);
|
|
|
|
|
|
|
|
|
|
if (val->event->rdataset != NULL && val->event->sigrdataset != NULL) {
|
2000-07-25 01:24:18 +00:00
|
|
|
isc_result_t saved_result;
|
|
|
|
|
|
2000-03-17 00:01:28 +00:00
|
|
|
/*
|
|
|
|
|
* This looks like a simple validation. We say "looks like"
|
|
|
|
|
* because we don't know if wildcards are involved yet so it
|
|
|
|
|
* could still get complicated.
|
|
|
|
|
*/
|
2000-05-17 18:24:59 +00:00
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
|
|
|
|
"attempting positive response validation");
|
2000-08-01 01:33:37 +00:00
|
|
|
|
2000-03-17 00:01:28 +00:00
|
|
|
result = validate(val, ISC_FALSE);
|
2000-07-13 23:52:04 +00:00
|
|
|
if (result == DNS_R_NOVALIDSIG &&
|
|
|
|
|
(val->attributes & VALATTR_TRIEDVERIFY) == 0)
|
|
|
|
|
{
|
2000-07-25 01:24:18 +00:00
|
|
|
saved_result = result;
|
2000-07-13 23:52:04 +00:00
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
|
|
|
|
"falling back to insecurity proof");
|
|
|
|
|
result = proveunsecure(val, ISC_FALSE);
|
2000-07-25 01:24:18 +00:00
|
|
|
if (result == DNS_R_NOTINSECURE)
|
|
|
|
|
result = saved_result;
|
2000-07-13 23:52:04 +00:00
|
|
|
}
|
2000-04-18 17:50:38 +00:00
|
|
|
} else if (val->event->rdataset != NULL) {
|
|
|
|
|
/*
|
|
|
|
|
* This is either an unsecure subdomain or a response from
|
|
|
|
|
* a broken server.
|
|
|
|
|
*/
|
2000-05-17 18:24:59 +00:00
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
|
|
|
|
"attempting insecurity proof");
|
2000-08-01 01:33:37 +00:00
|
|
|
|
2000-04-18 17:50:38 +00:00
|
|
|
result = proveunsecure(val, ISC_FALSE);
|
|
|
|
|
} else if (val->event->rdataset == NULL &&
|
2000-04-13 18:10:07 +00:00
|
|
|
val->event->sigrdataset == NULL)
|
|
|
|
|
{
|
2000-03-17 00:01:28 +00:00
|
|
|
/*
|
|
|
|
|
* This is a nonexistence validation.
|
|
|
|
|
*/
|
2000-05-17 18:24:59 +00:00
|
|
|
validator_log(val, ISC_LOG_DEBUG(3),
|
|
|
|
|
"attempting negative response validation");
|
2000-08-01 01:33:37 +00:00
|
|
|
|
2000-04-13 18:10:07 +00:00
|
|
|
result = nxtvalidate(val, ISC_FALSE);
|
2000-04-18 17:50:38 +00:00
|
|
|
} else {
|
2000-05-08 14:38:29 +00:00
|
|
|
/*
|
|
|
|
|
* This shouldn't happen.
|
|
|
|
|
*/
|
2000-04-18 17:50:38 +00:00
|
|
|
INSIST(0);
|
2000-03-17 00:01:28 +00:00
|
|
|
}
|
|
|
|
|
|
2000-04-06 23:09:01 +00:00
|
|
|
if (result != DNS_R_WAIT)
|
2000-03-17 00:01:28 +00:00
|
|
|
validator_done(val, result);
|
|
|
|
|
|
|
|
|
|
UNLOCK(&val->lock);
|
|
|
|
|
}
|
|
|
|
|
|
2000-02-23 23:31:33 +00:00
|
|
|
isc_result_t
|
2000-04-20 20:43:52 +00:00
|
|
|
dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
|
2000-02-23 23:31:33 +00:00
|
|
|
dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
|
|
|
|
|
dns_message_t *message, unsigned int options,
|
|
|
|
|
isc_task_t *task, isc_taskaction_t action, void *arg,
|
|
|
|
|
dns_validator_t **validatorp)
|
|
|
|
|
{
|
2000-02-24 22:40:55 +00:00
|
|
|
isc_result_t result;
|
|
|
|
|
dns_validator_t *val;
|
|
|
|
|
isc_task_t *tclone;
|
|
|
|
|
dns_validatorevent_t *event;
|
|
|
|
|
|
2000-04-20 20:43:52 +00:00
|
|
|
REQUIRE(name != NULL);
|
2000-05-05 00:18:36 +00:00
|
|
|
REQUIRE(type != 0);
|
2000-04-20 20:43:52 +00:00
|
|
|
REQUIRE(rdataset != NULL ||
|
|
|
|
|
(rdataset == NULL && sigrdataset == NULL && message != NULL));
|
2000-04-20 18:03:12 +00:00
|
|
|
REQUIRE(options == 0);
|
2000-02-23 23:31:33 +00:00
|
|
|
REQUIRE(validatorp != NULL && *validatorp == NULL);
|
|
|
|
|
|
2000-02-24 22:40:55 +00:00
|
|
|
tclone = NULL;
|
|
|
|
|
result = ISC_R_FAILURE;
|
|
|
|
|
|
|
|
|
|
val = isc_mem_get(view->mctx, sizeof *val);
|
|
|
|
|
if (val == NULL)
|
|
|
|
|
return (ISC_R_NOMEMORY);
|
2000-03-23 20:24:28 +00:00
|
|
|
val->view = NULL;
|
2000-08-14 22:17:40 +00:00
|
|
|
dns_view_weakattach(view, &val->view);
|
2000-02-24 22:40:55 +00:00
|
|
|
event = (dns_validatorevent_t *)
|
2000-04-07 17:36:40 +00:00
|
|
|
isc_event_allocate(view->mctx, task,
|
|
|
|
|
DNS_EVENT_VALIDATORSTART,
|
|
|
|
|
validator_start, NULL,
|
|
|
|
|
sizeof (dns_validatorevent_t));
|
2000-02-24 22:40:55 +00:00
|
|
|
if (event == NULL) {
|
|
|
|
|
result = ISC_R_NOMEMORY;
|
|
|
|
|
goto cleanup_val;
|
|
|
|
|
}
|
|
|
|
|
isc_task_attach(task, &tclone);
|
|
|
|
|
event->validator = val;
|
|
|
|
|
event->result = ISC_R_FAILURE;
|
|
|
|
|
event->name = name;
|
2000-04-20 20:43:52 +00:00
|
|
|
event->type = type;
|
2000-02-24 22:40:55 +00:00
|
|
|
event->rdataset = rdataset;
|
|
|
|
|
event->sigrdataset = sigrdataset;
|
|
|
|
|
event->message = message;
|
|
|
|
|
result = isc_mutex_init(&val->lock);
|
|
|
|
|
if (result != ISC_R_SUCCESS)
|
|
|
|
|
goto cleanup_event;
|
|
|
|
|
val->event = event;
|
|
|
|
|
val->options = options;
|
|
|
|
|
val->attributes = 0;
|
2000-03-17 00:01:28 +00:00
|
|
|
val->fetch = NULL;
|
|
|
|
|
val->keyvalidator = NULL;
|
2000-05-17 18:24:59 +00:00
|
|
|
val->authvalidator = NULL;
|
2000-03-17 00:01:28 +00:00
|
|
|
val->keynode = NULL;
|
2000-04-07 21:44:47 +00:00
|
|
|
val->key = NULL;
|
2000-04-14 16:00:33 +00:00
|
|
|
val->siginfo = NULL;
|
2000-04-07 21:44:47 +00:00
|
|
|
val->task = task;
|
2000-04-07 17:36:40 +00:00
|
|
|
val->action = action;
|
|
|
|
|
val->arg = arg;
|
2000-04-18 17:50:38 +00:00
|
|
|
val->labels = 0;
|
2000-05-17 18:24:59 +00:00
|
|
|
val->currentset = NULL;
|
2000-05-22 21:17:05 +00:00
|
|
|
val->keyset = NULL;
|
2000-05-18 02:02:05 +00:00
|
|
|
val->seensig = ISC_FALSE;
|
2000-05-26 21:45:53 +00:00
|
|
|
dns_rdataset_init(&val->frdataset);
|
|
|
|
|
dns_rdataset_init(&val->fsigrdataset);
|
2000-08-15 00:21:05 +00:00
|
|
|
ISC_LINK_INIT(val, link);
|
2000-02-24 22:40:55 +00:00
|
|
|
val->magic = VALIDATOR_MAGIC;
|
|
|
|
|
|
2000-04-07 17:36:40 +00:00
|
|
|
isc_task_send(task, (isc_event_t **)&event);
|
2000-03-17 00:01:28 +00:00
|
|
|
|
|
|
|
|
*validatorp = val;
|
|
|
|
|
|
2000-02-24 22:40:55 +00:00
|
|
|
return (ISC_R_SUCCESS);
|
|
|
|
|
|
|
|
|
|
cleanup_event:
|
|
|
|
|
isc_task_detach(&tclone);
|
|
|
|
|
isc_event_free((isc_event_t **)&val->event);
|
|
|
|
|
|
|
|
|
|
cleanup_val:
|
2000-08-14 22:17:40 +00:00
|
|
|
dns_view_weakdetach(&val->view);
|
2000-02-24 22:40:55 +00:00
|
|
|
isc_mem_put(view->mctx, val, sizeof *val);
|
2000-08-01 01:33:37 +00:00
|
|
|
|
2000-02-24 22:40:55 +00:00
|
|
|
return (result);
|
2000-02-23 23:31:33 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
dns_validator_cancel(dns_validator_t *validator) {
|
2000-02-24 22:40:55 +00:00
|
|
|
REQUIRE(VALID_VALIDATOR(validator));
|
|
|
|
|
|
|
|
|
|
LOCK(&validator->lock);
|
2000-04-20 18:03:12 +00:00
|
|
|
|
2000-08-15 00:21:05 +00:00
|
|
|
validator_log(validator, ISC_LOG_DEBUG(3), "dns_validator_cancel");
|
|
|
|
|
|
2000-02-24 22:40:55 +00:00
|
|
|
if (validator->event != NULL) {
|
2000-08-15 00:21:05 +00:00
|
|
|
validator_done(validator, ISC_R_CANCELED);
|
2000-04-20 18:03:12 +00:00
|
|
|
|
|
|
|
|
if (validator->fetch != NULL)
|
|
|
|
|
dns_resolver_cancelfetch(validator->fetch);
|
|
|
|
|
|
|
|
|
|
if (validator->keyvalidator != NULL)
|
|
|
|
|
dns_validator_cancel(validator->keyvalidator);
|
2000-08-15 00:21:05 +00:00
|
|
|
|
|
|
|
|
if (validator->authvalidator != NULL)
|
|
|
|
|
dns_validator_cancel(validator->authvalidator);
|
2000-02-24 22:40:55 +00:00
|
|
|
}
|
|
|
|
|
UNLOCK(&validator->lock);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
|
destroy(dns_validator_t *val) {
|
2000-03-23 20:33:15 +00:00
|
|
|
isc_mem_t *mctx;
|
2000-02-24 22:40:55 +00:00
|
|
|
|
2000-03-17 00:01:28 +00:00
|
|
|
REQUIRE(SHUTDOWN(val));
|
2000-02-24 22:40:55 +00:00
|
|
|
REQUIRE(val->event == NULL);
|
2000-03-17 00:01:28 +00:00
|
|
|
REQUIRE(val->fetch == NULL);
|
2000-02-24 22:40:55 +00:00
|
|
|
|
2000-03-17 00:01:28 +00:00
|
|
|
if (val->keynode != NULL)
|
|
|
|
|
dns_keytable_detachkeynode(val->keytable, &val->keynode);
|
2000-04-13 18:10:07 +00:00
|
|
|
else if (val->key != NULL)
|
2000-05-19 00:20:59 +00:00
|
|
|
dst_key_free(&val->key);
|
2000-04-14 16:00:33 +00:00
|
|
|
if (val->keyvalidator != NULL)
|
|
|
|
|
dns_validator_destroy(&val->keyvalidator);
|
2000-06-03 00:18:43 +00:00
|
|
|
if (val->authvalidator != NULL)
|
|
|
|
|
dns_validator_destroy(&val->authvalidator);
|
2000-03-23 20:33:15 +00:00
|
|
|
mctx = val->view->mctx;
|
2000-04-14 16:00:33 +00:00
|
|
|
if (val->siginfo != NULL)
|
|
|
|
|
isc_mem_put(mctx, val->siginfo, sizeof *val->siginfo);
|
2000-08-26 01:37:00 +00:00
|
|
|
DESTROYLOCK(&val->lock);
|
2000-08-14 22:17:40 +00:00
|
|
|
dns_view_weakdetach(&val->view);
|
2000-03-23 20:33:15 +00:00
|
|
|
val->magic = 0;
|
|
|
|
|
isc_mem_put(mctx, val, sizeof *val);
|
2000-02-23 23:31:33 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
dns_validator_destroy(dns_validator_t **validatorp) {
|
2000-03-17 00:01:28 +00:00
|
|
|
dns_validator_t *val;
|
|
|
|
|
isc_boolean_t want_destroy = ISC_FALSE;
|
|
|
|
|
|
|
|
|
|
REQUIRE(validatorp != NULL);
|
|
|
|
|
val = *validatorp;
|
|
|
|
|
REQUIRE(VALID_VALIDATOR(val));
|
|
|
|
|
|
|
|
|
|
LOCK(&val->lock);
|
|
|
|
|
|
|
|
|
|
REQUIRE(val->event == NULL);
|
|
|
|
|
|
2000-08-15 00:21:05 +00:00
|
|
|
validator_log(val, ISC_LOG_DEBUG(3), "dns_validator_destroy");
|
|
|
|
|
|
2000-03-17 00:01:28 +00:00
|
|
|
val->attributes |= VALATTR_SHUTDOWN;
|
2000-08-15 00:21:05 +00:00
|
|
|
if (val->fetch == NULL && val->keyvalidator == NULL &&
|
|
|
|
|
val->authvalidator == NULL)
|
2000-03-17 00:01:28 +00:00
|
|
|
want_destroy = ISC_TRUE;
|
|
|
|
|
|
|
|
|
|
UNLOCK(&val->lock);
|
|
|
|
|
|
|
|
|
|
if (want_destroy)
|
|
|
|
|
destroy(val);
|
|
|
|
|
|
2000-02-24 22:40:55 +00:00
|
|
|
*validatorp = NULL;
|
2000-02-23 23:31:33 +00:00
|
|
|
}
|
2000-04-11 20:35:37 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
|
validator_logv(dns_validator_t *val, isc_logcategory_t *category,
|
2000-08-15 00:21:05 +00:00
|
|
|
isc_logmodule_t *module, int level, const char *fmt, va_list ap)
|
2000-04-11 20:35:37 +00:00
|
|
|
{
|
|
|
|
|
char msgbuf[2048];
|
|
|
|
|
|
|
|
|
|
vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
|
|
|
|
|
|
2000-05-17 18:24:59 +00:00
|
|
|
if (val->event != NULL && val->event->name != NULL) {
|
2000-04-11 20:35:37 +00:00
|
|
|
char namebuf[1024];
|
|
|
|
|
char typebuf[256];
|
|
|
|
|
isc_buffer_t b;
|
2000-04-11 22:17:49 +00:00
|
|
|
isc_region_t r;
|
2000-08-01 01:33:37 +00:00
|
|
|
|
2000-04-11 20:35:37 +00:00
|
|
|
dns_name_format(val->event->name, namebuf, sizeof(namebuf));
|
|
|
|
|
|
103. [func] libisc buffer API changes for <isc/buffer.h>:
Added:
isc_buffer_base(b) (pointer)
isc_buffer_current(b) (pointer)
isc_buffer_active(b) (pointer)
isc_buffer_used(b) (pointer)
isc_buffer_length(b) (int)
isc_buffer_usedlength(b) (int)
isc_buffer_consumedlength(b) (int)
isc_buffer_remaininglength(b) (int)
isc_buffer_activelength(b) (int)
isc_buffer_availablelength(b) (int)
Removed:
ISC_BUFFER_USEDCOUNT(b)
ISC_BUFFER_AVAILABLECOUNT(b)
isc_buffer_type(b)
Changed names:
isc_buffer_used(b, r) ->
isc_buffer_usedregion(b, r)
isc_buffer_available(b, r) ->
isc_buffer_available_region(b, r)
isc_buffer_consumed(b, r) ->
isc_buffer_consumedregion(b, r)
isc_buffer_active(b, r) ->
isc_buffer_activeregion(b, r)
isc_buffer_remaining(b, r) ->
isc_buffer_remainingregion(b, r)
Buffer types were removed, so the ISC_BUFFERTYPE_*
macros are no more, and the type argument to
isc_buffer_init and isc_buffer_allocate were removed.
isc_buffer_putstr is now void (instead of isc_result_t)
and requires that the caller ensure that there
is enough available buffer space for the string.
2000-04-27 00:03:12 +00:00
|
|
|
isc_buffer_init(&b, (unsigned char *)typebuf, sizeof(typebuf));
|
2000-04-20 20:43:52 +00:00
|
|
|
if (dns_rdatatype_totext(val->event->type, &b)
|
2000-04-11 20:35:37 +00:00
|
|
|
!= ISC_R_SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
isc_buffer_clear(&b);
|
2000-04-26 18:24:15 +00:00
|
|
|
isc_buffer_putstr(&b, "<bad type>");
|
2000-04-11 20:35:37 +00:00
|
|
|
}
|
103. [func] libisc buffer API changes for <isc/buffer.h>:
Added:
isc_buffer_base(b) (pointer)
isc_buffer_current(b) (pointer)
isc_buffer_active(b) (pointer)
isc_buffer_used(b) (pointer)
isc_buffer_length(b) (int)
isc_buffer_usedlength(b) (int)
isc_buffer_consumedlength(b) (int)
isc_buffer_remaininglength(b) (int)
isc_buffer_activelength(b) (int)
isc_buffer_availablelength(b) (int)
Removed:
ISC_BUFFER_USEDCOUNT(b)
ISC_BUFFER_AVAILABLECOUNT(b)
isc_buffer_type(b)
Changed names:
isc_buffer_used(b, r) ->
isc_buffer_usedregion(b, r)
isc_buffer_available(b, r) ->
isc_buffer_available_region(b, r)
isc_buffer_consumed(b, r) ->
isc_buffer_consumedregion(b, r)
isc_buffer_active(b, r) ->
isc_buffer_activeregion(b, r)
isc_buffer_remaining(b, r) ->
isc_buffer_remainingregion(b, r)
Buffer types were removed, so the ISC_BUFFERTYPE_*
macros are no more, and the type argument to
isc_buffer_init and isc_buffer_allocate were removed.
isc_buffer_putstr is now void (instead of isc_result_t)
and requires that the caller ensure that there
is enough available buffer space for the string.
2000-04-27 00:03:12 +00:00
|
|
|
isc_buffer_usedregion(&b, &r);
|
2000-04-11 20:35:37 +00:00
|
|
|
isc_log_write(dns_lctx, category, module, level,
|
|
|
|
|
"validating %s %.*s: %s", namebuf,
|
2000-05-26 17:46:16 +00:00
|
|
|
(int)r.length, (char *)r.base, msgbuf);
|
2000-04-11 20:35:37 +00:00
|
|
|
} else {
|
|
|
|
|
isc_log_write(dns_lctx, category, module, level,
|
|
|
|
|
"validator @%p: %s", val, msgbuf);
|
2000-08-01 01:33:37 +00:00
|
|
|
|
2000-04-11 20:35:37 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
|
validator_log(dns_validator_t *val, int level, const char *fmt, ...)
|
|
|
|
|
{
|
|
|
|
|
va_list ap;
|
2000-07-26 00:50:02 +00:00
|
|
|
|
|
|
|
|
if (! isc_log_wouldlog(dns_lctx, level))
|
|
|
|
|
return;
|
|
|
|
|
|
2000-04-11 20:35:37 +00:00
|
|
|
va_start(ap, fmt);
|
|
|
|
|
validator_logv(val, DNS_LOGCATEGORY_DNSSEC,
|
|
|
|
|
DNS_LOGMODULE_VALIDATOR, level, fmt, ap);
|
|
|
|
|
va_end(ap);
|
|
|
|
|
}
|
|
|
|
|
|
