mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-09-03 08:05:21 +00:00
Move algorithm tables to the verification context structure
Tables representing algorithm use in the verified zone are commonly accessed throughout dns_zoneverify_dnssec(). Move them into the structure representing a verification context. While this does not really simplify currently existing code, it will facilitate passing data around between smaller functions that dns_zoneverify_dnssec() is about to get split into.
This commit is contained in:
Michał Kępień
@@ -66,6 +66,14 @@ typedef struct vctx {
|
|||||||
dns_rdataset_t nsecsigs;
|
dns_rdataset_t nsecsigs;
|
||||||
dns_rdataset_t nsec3paramset;
|
dns_rdataset_t nsec3paramset;
|
||||||
dns_rdataset_t nsec3paramsigs;
|
dns_rdataset_t nsec3paramsigs;
|
||||||
|
unsigned char revoked_ksk[256];
|
||||||
|
unsigned char revoked_zsk[256];
|
||||||
|
unsigned char standby_ksk[256];
|
||||||
|
unsigned char standby_zsk[256];
|
||||||
|
unsigned char ksk_algorithms[256];
|
||||||
|
unsigned char zsk_algorithms[256];
|
||||||
|
unsigned char bad_algorithms[256];
|
||||||
|
unsigned char act_algorithms[256];
|
||||||
isc_heap_t * expected_chains;
|
isc_heap_t * expected_chains;
|
||||||
isc_heap_t * found_chains;
|
isc_heap_t * found_chains;
|
||||||
} vctx_t;
|
} vctx_t;
|
||||||
@@ -680,9 +688,8 @@ verifynsec3s(const vctx_t *vctx, dns_name_t *name,
|
|||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
verifyset(const vctx_t *vctx, dns_rdataset_t *rdataset, dns_name_t *name,
|
verifyset(vctx_t *vctx, dns_rdataset_t *rdataset, dns_name_t *name,
|
||||||
dns_dbnode_t *node, dns_rdataset_t *keyrdataset,
|
dns_dbnode_t *node, dns_rdataset_t *keyrdataset)
|
||||||
unsigned char *act_algorithms, unsigned char *bad_algorithms)
|
|
||||||
{
|
{
|
||||||
unsigned char set_algorithms[256];
|
unsigned char set_algorithms[256];
|
||||||
char namebuf[DNS_NAME_FORMATSIZE];
|
char namebuf[DNS_NAME_FORMATSIZE];
|
||||||
@@ -710,8 +717,8 @@ verifyset(const vctx_t *vctx, dns_rdataset_t *rdataset, dns_name_t *name,
|
|||||||
dns_rdatatype_format(rdataset->type, typebuf, sizeof(typebuf));
|
dns_rdatatype_format(rdataset->type, typebuf, sizeof(typebuf));
|
||||||
fprintf(stderr, "No signatures for %s/%s\n", namebuf, typebuf);
|
fprintf(stderr, "No signatures for %s/%s\n", namebuf, typebuf);
|
||||||
for (i = 0; i < 256; i++)
|
for (i = 0; i < 256; i++)
|
||||||
if (act_algorithms[i] != 0)
|
if (vctx->act_algorithms[i] != 0)
|
||||||
bad_algorithms[i] = 1;
|
vctx->bad_algorithms[i] = 1;
|
||||||
dns_rdatasetiter_destroy(&rdsiter);
|
dns_rdatasetiter_destroy(&rdsiter);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@@ -735,31 +742,31 @@ verifyset(const vctx_t *vctx, dns_rdataset_t *rdataset, dns_name_t *name,
|
|||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
if ((set_algorithms[sig.algorithm] != 0) ||
|
if ((set_algorithms[sig.algorithm] != 0) ||
|
||||||
(act_algorithms[sig.algorithm] == 0))
|
(vctx->act_algorithms[sig.algorithm] == 0))
|
||||||
continue;
|
continue;
|
||||||
if (goodsig(vctx, &rdata, name, keyrdataset, rdataset))
|
if (goodsig(vctx, &rdata, name, keyrdataset, rdataset))
|
||||||
set_algorithms[sig.algorithm] = 1;
|
set_algorithms[sig.algorithm] = 1;
|
||||||
}
|
}
|
||||||
dns_rdatasetiter_destroy(&rdsiter);
|
dns_rdatasetiter_destroy(&rdsiter);
|
||||||
if (memcmp(set_algorithms, act_algorithms, sizeof(set_algorithms))) {
|
if (memcmp(set_algorithms, vctx->act_algorithms,
|
||||||
|
sizeof(set_algorithms))) {
|
||||||
dns_name_format(name, namebuf, sizeof(namebuf));
|
dns_name_format(name, namebuf, sizeof(namebuf));
|
||||||
dns_rdatatype_format(rdataset->type, typebuf, sizeof(typebuf));
|
dns_rdatatype_format(rdataset->type, typebuf, sizeof(typebuf));
|
||||||
for (i = 0; i < 256; i++)
|
for (i = 0; i < 256; i++)
|
||||||
if ((act_algorithms[i] != 0) &&
|
if ((vctx->act_algorithms[i] != 0) &&
|
||||||
(set_algorithms[i] == 0)) {
|
(set_algorithms[i] == 0)) {
|
||||||
dns_secalg_format(i, algbuf, sizeof(algbuf));
|
dns_secalg_format(i, algbuf, sizeof(algbuf));
|
||||||
fprintf(stderr, "No correct %s signature for "
|
fprintf(stderr, "No correct %s signature for "
|
||||||
"%s %s\n", algbuf, namebuf, typebuf);
|
"%s %s\n", algbuf, namebuf, typebuf);
|
||||||
bad_algorithms[i] = 1;
|
vctx->bad_algorithms[i] = 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
dns_rdataset_disassociate(&sigrdataset);
|
dns_rdataset_disassociate(&sigrdataset);
|
||||||
}
|
}
|
||||||
|
|
||||||
static isc_result_t
|
static isc_result_t
|
||||||
verifynode(const vctx_t *vctx, dns_name_t *name, dns_dbnode_t *node,
|
verifynode(vctx_t *vctx, dns_name_t *name, dns_dbnode_t *node,
|
||||||
isc_boolean_t delegation, dns_rdataset_t *keyrdataset,
|
isc_boolean_t delegation, dns_rdataset_t *keyrdataset,
|
||||||
unsigned char *act_algorithms, unsigned char *bad_algorithms,
|
|
||||||
dns_rdataset_t *nsecset, dns_rdataset_t *nsec3paramset,
|
dns_rdataset_t *nsecset, dns_rdataset_t *nsec3paramset,
|
||||||
dns_name_t *nextname)
|
dns_name_t *nextname)
|
||||||
{
|
{
|
||||||
@@ -786,8 +793,7 @@ verifynode(const vctx_t *vctx, dns_name_t *name, dns_dbnode_t *node,
|
|||||||
rdataset.type != dns_rdatatype_dnskey &&
|
rdataset.type != dns_rdatatype_dnskey &&
|
||||||
(!delegation || rdataset.type == dns_rdatatype_ds ||
|
(!delegation || rdataset.type == dns_rdatatype_ds ||
|
||||||
rdataset.type == dns_rdatatype_nsec)) {
|
rdataset.type == dns_rdatatype_nsec)) {
|
||||||
verifyset(vctx, &rdataset, name, node, keyrdataset,
|
verifyset(vctx, &rdataset, name, node, keyrdataset);
|
||||||
act_algorithms, bad_algorithms);
|
|
||||||
dns_nsec_setbit(types, rdataset.type, 1);
|
dns_nsec_setbit(types, rdataset.type, 1);
|
||||||
if (rdataset.type > maxtype)
|
if (rdataset.type > maxtype)
|
||||||
maxtype = rdataset.type;
|
maxtype = rdataset.type;
|
||||||
@@ -1042,6 +1048,8 @@ vctx_init(vctx_t *vctx, isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *ver,
|
|||||||
{
|
{
|
||||||
isc_result_t result;
|
isc_result_t result;
|
||||||
|
|
||||||
|
memset(vctx, 0, sizeof(*vctx));
|
||||||
|
|
||||||
vctx->mctx = mctx;
|
vctx->mctx = mctx;
|
||||||
vctx->db = db;
|
vctx->db = db;
|
||||||
vctx->ver = ver;
|
vctx->ver = ver;
|
||||||
@@ -1122,14 +1130,6 @@ dns_zoneverify_dnssec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
|
|||||||
isc_boolean_t done = ISC_FALSE;
|
isc_boolean_t done = ISC_FALSE;
|
||||||
isc_boolean_t first = ISC_TRUE;
|
isc_boolean_t first = ISC_TRUE;
|
||||||
isc_result_t result, vresult = ISC_R_UNSET;
|
isc_result_t result, vresult = ISC_R_UNSET;
|
||||||
unsigned char revoked_ksk[256];
|
|
||||||
unsigned char revoked_zsk[256];
|
|
||||||
unsigned char standby_ksk[256];
|
|
||||||
unsigned char standby_zsk[256];
|
|
||||||
unsigned char ksk_algorithms[256];
|
|
||||||
unsigned char zsk_algorithms[256];
|
|
||||||
unsigned char bad_algorithms[256];
|
|
||||||
unsigned char act_algorithms[256];
|
|
||||||
vctx_t vctx;
|
vctx_t vctx;
|
||||||
|
|
||||||
result = vctx_init(&vctx, mctx, db, ver, origin);
|
result = vctx_init(&vctx, mctx, db, ver, origin);
|
||||||
@@ -1187,15 +1187,6 @@ dns_zoneverify_dnssec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
|
|||||||
|
|
||||||
dns_db_detachnode(vctx.db, &node);
|
dns_db_detachnode(vctx.db, &node);
|
||||||
|
|
||||||
memset(revoked_ksk, 0, sizeof(revoked_ksk));
|
|
||||||
memset(revoked_zsk, 0, sizeof(revoked_zsk));
|
|
||||||
memset(standby_ksk, 0, sizeof(standby_ksk));
|
|
||||||
memset(standby_zsk, 0, sizeof(standby_zsk));
|
|
||||||
memset(ksk_algorithms, 0, sizeof(ksk_algorithms));
|
|
||||||
memset(zsk_algorithms, 0, sizeof(zsk_algorithms));
|
|
||||||
memset(bad_algorithms, 0, sizeof(bad_algorithms));
|
|
||||||
memset(act_algorithms, 0, sizeof(act_algorithms));
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Check that the DNSKEY RR has at least one self signing KSK
|
* Check that the DNSKEY RR has at least one self signing KSK
|
||||||
* and one ZSK per algorithm in it (or, if -x was used, one
|
* and one ZSK per algorithm in it (or, if -x was used, one
|
||||||
@@ -1229,36 +1220,36 @@ dns_zoneverify_dnssec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
|
|||||||
(int)isc_buffer_usedlength(&buf), buffer);
|
(int)isc_buffer_usedlength(&buf), buffer);
|
||||||
}
|
}
|
||||||
if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0 &&
|
if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0 &&
|
||||||
revoked_ksk[dnskey.algorithm] != 255)
|
vctx.revoked_ksk[dnskey.algorithm] != 255)
|
||||||
revoked_ksk[dnskey.algorithm]++;
|
vctx.revoked_ksk[dnskey.algorithm]++;
|
||||||
else if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 &&
|
else if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 &&
|
||||||
revoked_zsk[dnskey.algorithm] != 255)
|
vctx.revoked_zsk[dnskey.algorithm] != 255)
|
||||||
revoked_zsk[dnskey.algorithm]++;
|
vctx.revoked_zsk[dnskey.algorithm]++;
|
||||||
} else if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0) {
|
} else if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0) {
|
||||||
if (dns_dnssec_selfsigns(&rdata, vctx.origin,
|
if (dns_dnssec_selfsigns(&rdata, vctx.origin,
|
||||||
&vctx.keyset, &vctx.keysigs,
|
&vctx.keyset, &vctx.keysigs,
|
||||||
ISC_FALSE, vctx.mctx)) {
|
ISC_FALSE, vctx.mctx)) {
|
||||||
if (ksk_algorithms[dnskey.algorithm] != 255)
|
if (vctx.ksk_algorithms[dnskey.algorithm] != 255)
|
||||||
ksk_algorithms[dnskey.algorithm]++;
|
vctx.ksk_algorithms[dnskey.algorithm]++;
|
||||||
vctx.goodksk = ISC_TRUE;
|
vctx.goodksk = ISC_TRUE;
|
||||||
} else {
|
} else {
|
||||||
if (standby_ksk[dnskey.algorithm] != 255)
|
if (vctx.standby_ksk[dnskey.algorithm] != 255)
|
||||||
standby_ksk[dnskey.algorithm]++;
|
vctx.standby_ksk[dnskey.algorithm]++;
|
||||||
}
|
}
|
||||||
} else if (dns_dnssec_selfsigns(&rdata, vctx.origin,
|
} else if (dns_dnssec_selfsigns(&rdata, vctx.origin,
|
||||||
&vctx.keyset, &vctx.keysigs,
|
&vctx.keyset, &vctx.keysigs,
|
||||||
ISC_FALSE, vctx.mctx)) {
|
ISC_FALSE, vctx.mctx)) {
|
||||||
if (zsk_algorithms[dnskey.algorithm] != 255)
|
if (vctx.zsk_algorithms[dnskey.algorithm] != 255)
|
||||||
zsk_algorithms[dnskey.algorithm]++;
|
vctx.zsk_algorithms[dnskey.algorithm]++;
|
||||||
vctx.goodzsk = ISC_TRUE;
|
vctx.goodzsk = ISC_TRUE;
|
||||||
} else if (dns_dnssec_signs(&rdata, vctx.origin, &vctx.soaset,
|
} else if (dns_dnssec_signs(&rdata, vctx.origin, &vctx.soaset,
|
||||||
&vctx.soasigs, ISC_FALSE,
|
&vctx.soasigs, ISC_FALSE,
|
||||||
vctx.mctx)) {
|
vctx.mctx)) {
|
||||||
if (zsk_algorithms[dnskey.algorithm] != 255)
|
if (vctx.zsk_algorithms[dnskey.algorithm] != 255)
|
||||||
zsk_algorithms[dnskey.algorithm]++;
|
vctx.zsk_algorithms[dnskey.algorithm]++;
|
||||||
} else {
|
} else {
|
||||||
if (standby_zsk[dnskey.algorithm] != 255)
|
if (vctx.standby_zsk[dnskey.algorithm] != 255)
|
||||||
standby_zsk[dnskey.algorithm]++;
|
vctx.standby_zsk[dnskey.algorithm]++;
|
||||||
}
|
}
|
||||||
dns_rdata_freestruct(&dnskey);
|
dns_rdata_freestruct(&dnskey);
|
||||||
dns_rdata_reset(&rdata);
|
dns_rdata_reset(&rdata);
|
||||||
@@ -1274,11 +1265,13 @@ dns_zoneverify_dnssec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
|
|||||||
fprintf(stderr, "Verifying the zone using the following algorithms:");
|
fprintf(stderr, "Verifying the zone using the following algorithms:");
|
||||||
for (i = 0; i < 256; i++) {
|
for (i = 0; i < 256; i++) {
|
||||||
if (ignore_kskflag)
|
if (ignore_kskflag)
|
||||||
act_algorithms[i] = (ksk_algorithms[i] != 0 ||
|
vctx.act_algorithms[i] =
|
||||||
zsk_algorithms[i] != 0) ? 1 : 0;
|
(vctx.ksk_algorithms[i] != 0 ||
|
||||||
|
vctx.zsk_algorithms[i] != 0) ? 1 : 0;
|
||||||
else
|
else
|
||||||
act_algorithms[i] = ksk_algorithms[i] != 0 ? 1 : 0;
|
vctx.act_algorithms[i] =
|
||||||
if (act_algorithms[i] != 0) {
|
vctx.ksk_algorithms[i] != 0 ? 1 : 0;
|
||||||
|
if (vctx.act_algorithms[i] != 0) {
|
||||||
dns_secalg_format(i, algbuf, sizeof(algbuf));
|
dns_secalg_format(i, algbuf, sizeof(algbuf));
|
||||||
fprintf(stderr, " %s", algbuf);
|
fprintf(stderr, " %s", algbuf);
|
||||||
}
|
}
|
||||||
@@ -1291,16 +1284,16 @@ dns_zoneverify_dnssec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
|
|||||||
* The counts should both be zero or both be non-zero.
|
* The counts should both be zero or both be non-zero.
|
||||||
* Mark the algorithm as bad if this is not met.
|
* Mark the algorithm as bad if this is not met.
|
||||||
*/
|
*/
|
||||||
if ((ksk_algorithms[i] != 0) ==
|
if ((vctx.ksk_algorithms[i] != 0) ==
|
||||||
(zsk_algorithms[i] != 0))
|
(vctx.zsk_algorithms[i] != 0))
|
||||||
continue;
|
continue;
|
||||||
dns_secalg_format(i, algbuf, sizeof(algbuf));
|
dns_secalg_format(i, algbuf, sizeof(algbuf));
|
||||||
fprintf(stderr, "Missing %s for algorithm %s\n",
|
fprintf(stderr, "Missing %s for algorithm %s\n",
|
||||||
(ksk_algorithms[i] != 0)
|
(vctx.ksk_algorithms[i] != 0)
|
||||||
? "ZSK"
|
? "ZSK"
|
||||||
: "self-signed KSK",
|
: "self-signed KSK",
|
||||||
algbuf);
|
algbuf);
|
||||||
bad_algorithms[i] = 1;
|
vctx.bad_algorithms[i] = 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1375,8 +1368,7 @@ dns_zoneverify_dnssec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
|
|||||||
fatal("iterating through the database failed: %s",
|
fatal("iterating through the database failed: %s",
|
||||||
isc_result_totext(result));
|
isc_result_totext(result));
|
||||||
result = verifynode(&vctx, name, node, isdelegation,
|
result = verifynode(&vctx, name, node, isdelegation,
|
||||||
&vctx.keyset, act_algorithms,
|
&vctx.keyset, &vctx.nsecset,
|
||||||
bad_algorithms, &vctx.nsecset,
|
|
||||||
&vctx.nsec3paramset, nextname);
|
&vctx.nsec3paramset, nextname);
|
||||||
if (vresult == ISC_R_UNSET)
|
if (vresult == ISC_R_UNSET)
|
||||||
vresult = ISC_R_SUCCESS;
|
vresult = ISC_R_SUCCESS;
|
||||||
@@ -1405,8 +1397,7 @@ dns_zoneverify_dnssec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
|
|||||||
result = dns_dbiterator_current(dbiter, &node, name);
|
result = dns_dbiterator_current(dbiter, &node, name);
|
||||||
check_dns_dbiterator_current(result);
|
check_dns_dbiterator_current(result);
|
||||||
result = verifynode(&vctx, name, node, ISC_FALSE, &vctx.keyset,
|
result = verifynode(&vctx, name, node, ISC_FALSE, &vctx.keyset,
|
||||||
act_algorithms, bad_algorithms, NULL, NULL,
|
NULL, NULL, NULL);
|
||||||
NULL);
|
|
||||||
check_result(result, "verifynode");
|
check_result(result, "verifynode");
|
||||||
record_found(&vctx, name, node, &vctx.nsec3paramset);
|
record_found(&vctx, name, node, &vctx.nsec3paramset);
|
||||||
dns_db_detachnode(vctx.db, &node);
|
dns_db_detachnode(vctx.db, &node);
|
||||||
@@ -1424,7 +1415,7 @@ dns_zoneverify_dnssec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
|
|||||||
* zone. Set the good flag.
|
* zone. Set the good flag.
|
||||||
*/
|
*/
|
||||||
for (i = 0; i < 256; i++) {
|
for (i = 0; i < 256; i++) {
|
||||||
if (bad_algorithms[i] != 0) {
|
if (vctx.bad_algorithms[i] != 0) {
|
||||||
if (first)
|
if (first)
|
||||||
fprintf(stderr, "The zone is not fully signed "
|
fprintf(stderr, "The zone is not fully signed "
|
||||||
"for the following algorithms:");
|
"for the following algorithms:");
|
||||||
@@ -1448,24 +1439,25 @@ dns_zoneverify_dnssec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
|
|||||||
*/
|
*/
|
||||||
fprintf(stderr, "Zone fully signed:\n");
|
fprintf(stderr, "Zone fully signed:\n");
|
||||||
for (i = 0; i < 256; i++) {
|
for (i = 0; i < 256; i++) {
|
||||||
if ((ksk_algorithms[i] != 0) ||
|
if ((vctx.ksk_algorithms[i] != 0) ||
|
||||||
(standby_ksk[i] != 0) ||
|
(vctx.standby_ksk[i] != 0) ||
|
||||||
(revoked_ksk[i] != 0) ||
|
(vctx.revoked_ksk[i] != 0) ||
|
||||||
(zsk_algorithms[i] != 0) ||
|
(vctx.zsk_algorithms[i] != 0) ||
|
||||||
(standby_zsk[i] != 0) ||
|
(vctx.standby_zsk[i] != 0) ||
|
||||||
(revoked_zsk[i] != 0)) {
|
(vctx.revoked_zsk[i] != 0)) {
|
||||||
dns_secalg_format(i, algbuf, sizeof(algbuf));
|
dns_secalg_format(i, algbuf, sizeof(algbuf));
|
||||||
fprintf(stderr, "Algorithm: %s: KSKs: "
|
fprintf(stderr, "Algorithm: %s: KSKs: "
|
||||||
"%u active, %u stand-by, %u revoked\n",
|
"%u active, %u stand-by, %u revoked\n",
|
||||||
algbuf, ksk_algorithms[i],
|
algbuf, vctx.ksk_algorithms[i],
|
||||||
standby_ksk[i], revoked_ksk[i]);
|
vctx.standby_ksk[i],
|
||||||
|
vctx.revoked_ksk[i]);
|
||||||
fprintf(stderr, "%*sZSKs: "
|
fprintf(stderr, "%*sZSKs: "
|
||||||
"%u active, %u %s, %u revoked\n",
|
"%u active, %u %s, %u revoked\n",
|
||||||
(int) strlen(algbuf) + 13, "",
|
(int) strlen(algbuf) + 13, "",
|
||||||
zsk_algorithms[i],
|
vctx.zsk_algorithms[i],
|
||||||
standby_zsk[i],
|
vctx.standby_zsk[i],
|
||||||
keyset_kskonly ? "present" : "stand-by",
|
keyset_kskonly ? "present" : "stand-by",
|
||||||
revoked_zsk[i]);
|
vctx.revoked_zsk[i]);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user