validator.c 33 KB
Newer Older
Bob Halley's avatar
Bob Halley committed
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
/*
 * Copyright (C) 2000  Internet Software Consortium.
 * 
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 * 
 * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
 * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
 * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
 * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
 * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
 * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
 * SOFTWARE.
 */

Bob Halley's avatar
Bob Halley committed
18
19
#include <config.h>

Bob Halley's avatar
Bob Halley committed
20
#include <isc/assertions.h>
Bob Halley's avatar
Bob Halley committed
21
#include <isc/buffer.h>
Bob Halley's avatar
Bob Halley committed
22
#include <isc/magic.h>
23
#include <isc/print.h>
Bob Halley's avatar
Bob Halley committed
24
#include <isc/region.h>
Bob Halley's avatar
Bob Halley committed
25
#include <isc/result.h>
Bob Halley's avatar
Bob Halley committed
26
#include <isc/stdtime.h>
Bob Halley's avatar
Bob Halley committed
27
28
#include <isc/task.h>
#include <isc/util.h>
Bob Halley's avatar
Bob Halley committed
29

Bob Halley's avatar
Bob Halley committed
30
#include <dns/validator.h>
Bob Halley's avatar
Bob Halley committed
31
#include <dns/db.h>
32
#include <dns/dnssec.h>
Bob Halley's avatar
Bob Halley committed
33
#include <dns/events.h>
Bob Halley's avatar
Bob Halley committed
34
#include <dns/keytable.h>
35
#include <dns/keyvalues.h>
Andreas Gustafsson's avatar
logging    
Andreas Gustafsson committed
36
#include <dns/log.h>
37
#include <dns/message.h>
Bob Halley's avatar
Bob Halley committed
38
#include <dns/name.h>
39
#include <dns/nxt.h>
Bob Halley's avatar
Bob Halley committed
40
#include <dns/rdata.h>
Andreas Gustafsson's avatar
logging    
Andreas Gustafsson committed
41
#include <dns/rdatatype.h>
Bob Halley's avatar
Bob Halley committed
42
#include <dns/rdataset.h>
43
#include <dns/resolver.h>
Bob Halley's avatar
Bob Halley committed
44
45
#include <dns/view.h>

Bob Halley's avatar
Bob Halley committed
46
47
#include <dst/dst.h>

48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
/*
 * We don't use the SIG RR's _tostruct routine because it copies things.
 */
typedef struct dns_siginfo {
	dns_rdatatype_t			covers;
	dns_secalg_t			algorithm;
	isc_uint8_t			labels;
	dns_ttl_t			original_ttl;
	isc_stdtime_t			expiration;
	isc_stdtime_t			inception;
	dns_keytag_t			tag;
	dns_name_t			signer;
	isc_region_t			signature;
} dns_siginfo_t;

Bob Halley's avatar
Bob Halley committed
63
64
65
66
67
68
69
70
71
struct dns_validator {
	/* Unlocked. */
	unsigned int			magic;
	isc_mutex_t			lock;
	dns_view_t *			view;
	/* Locked by lock. */
	unsigned int			options;
	unsigned int			attributes;
	dns_validatorevent_t *		event;
Bob Halley's avatar
Bob Halley committed
72
73
74
75
76
	dns_fetch_t *			fetch;
	dns_validator_t *		keyvalidator;
	dns_keytable_t *		keytable;
	dns_keynode_t *			keynode;
	dst_key_t *			key;
77
	dns_siginfo_t *			siginfo;
78
79
80
	isc_task_t *			task;
	isc_taskaction_t		action;
	void *				arg;
81
	dns_name_t *			queryname;
82
	unsigned int			labels;
Bob Halley's avatar
Bob Halley committed
83
84
85
86
};

#define VALIDATOR_MAGIC			0x56616c3fU	/* Val?. */
#define VALID_VALIDATOR(v)	 	ISC_MAGIC_VALID(v, VALIDATOR_MAGIC)
Bob Halley's avatar
Bob Halley committed
87

Bob Halley's avatar
Bob Halley committed
88
#define VALATTR_SHUTDOWN		0x01
89
#define VALATTR_NEGATIVE		0x02
Bob Halley's avatar
Bob Halley committed
90
91
#define SHUTDOWN(v)		(((v)->attributes & VALATTR_SHUTDOWN) != 0)

92
93
94
static void nullkeyvalidated(isc_task_t *task, isc_event_t *event);
static inline isc_boolean_t containsnullkey(dns_validator_t *val,
					    dns_rdataset_t *rdataset);
95
96
97
98
static inline isc_result_t get_dst_key(dns_validator_t *val,
				       dns_siginfo_t *siginfo,
				       dns_rdataset_t *rdataset);
static inline isc_result_t validate(dns_validator_t *val, isc_boolean_t resume);
99
100
static inline isc_result_t nxtvalidate(dns_validator_t *val,
				       isc_boolean_t resume);
101
102
static inline isc_result_t proveunsecure(dns_validator_t *val,
					 isc_boolean_t resume);
103

Andreas Gustafsson's avatar
logging    
Andreas Gustafsson committed
104
105
106
static void validator_log(dns_validator_t *val, int level,
			  const char *fmt, ...);

Bob Halley's avatar
Bob Halley committed
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
static void
rdata_to_siginfo(dns_rdata_t *rdata, dns_siginfo_t *siginfo) {
	isc_buffer_t b;
	isc_region_t r;

	REQUIRE(rdata->type == 24);

	isc_buffer_init(&b, rdata->data, rdata->length, ISC_BUFFERTYPE_BINARY);
	isc_buffer_add(&b, rdata->length);
	siginfo->covers = (dns_rdatatype_t)isc_buffer_getuint16(&b);
	siginfo->algorithm = (dns_secalg_t)isc_buffer_getuint8(&b);
	siginfo->labels = isc_buffer_getuint8(&b);
	siginfo->original_ttl = (dns_ttl_t)isc_buffer_getuint32(&b);
	siginfo->expiration = (isc_stdtime_t)isc_buffer_getuint32(&b);
	siginfo->inception = (isc_stdtime_t)isc_buffer_getuint32(&b);
	siginfo->tag = (dns_keytag_t)isc_buffer_getuint16(&b);
	dns_name_init(&siginfo->signer, NULL);
	isc_buffer_remaining(&b, &r);
	dns_name_fromregion(&siginfo->signer, &r);
	isc_buffer_forward(&b, siginfo->signer.length);
	isc_buffer_remaining(&b, &siginfo->signature);
}

static void
validator_done(dns_validator_t *val, isc_result_t result) {
	isc_task_t *task;

	REQUIRE(val->event != NULL);

	/*
	 * Caller must be holding the lock.
	 */

140
	val->event->result = result;
141
142
143
144
145
	task = val->event->ev_sender;
	val->event->ev_sender = val;
	val->event->ev_type = DNS_EVENT_VALIDATORDONE;
	val->event->ev_action = val->action;
	val->event->ev_arg = val->arg;
146
147
148
149
150
151
	if ((val->attributes & VALATTR_NEGATIVE) != 0) {
		val->event->rdataset = NULL;
		val->event->sigrdataset = NULL;
		if (val->queryname != NULL)
			val->event->name = val->queryname;
	}
Bob Halley's avatar
Bob Halley committed
152
153
154
155
	isc_task_sendanddetach(&task, (isc_event_t **)&val->event);
	
}

156
157
158
159
160
161
162
163
static void
fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
	dns_fetchevent_t *devent;
	dns_validator_t *val;
	dns_rdataset_t *rdataset;
	isc_result_t result;

	UNUSED(task);
164
	INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
165
	devent = (dns_fetchevent_t *)event;
166
	val = devent->ev_arg;
167
168
	rdataset = devent->rdataset;

Andreas Gustafsson's avatar
logging    
Andreas Gustafsson committed
169
	validator_log(val, ISC_LOG_DEBUG(3), "in fetch_callback_validator");
170
	if (devent->result == ISC_R_SUCCESS) {
171
		LOCK(&val->lock);
172
173
174
175
		result = get_dst_key(val, val->siginfo, rdataset);
		if (result != ISC_R_SUCCESS) {
			/* No matching key */
			validator_done(val, result);
176
			UNLOCK(&val->lock);
177
			goto free_event;
178
		}
179
180
181
182
		if (val->attributes & VALATTR_NEGATIVE)
			result = nxtvalidate(val, ISC_TRUE);
		else
			result = validate(val, ISC_TRUE);
183
		if (result != DNS_R_WAIT) {
184
			validator_done(val, result);
185
			UNLOCK(&val->lock);
186
187
			goto free_event;
		}
188
		UNLOCK(&val->lock);
189
	} else
Andreas Gustafsson's avatar
logging    
Andreas Gustafsson committed
190
191
192
		validator_log(val, ISC_LOG_DEBUG(3),
			      "fetch_callback_validator: got %s",
			      dns_result_totext(devent->result));
193
194

 free_event:
195
	dns_resolver_destroyfetch(&val->fetch);
196
	/* free stuff from the event */
197
198
199
	isc_mem_put(val->view->mctx, devent->rdataset, sizeof(dns_rdataset_t));
	isc_mem_put(val->view->mctx, devent->sigrdataset,
		    sizeof(dns_rdataset_t));
200
201
202
	isc_event_free(&event);
}

203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239

static void
fetch_callback_nullkey(isc_task_t *task, isc_event_t *event) {
	dns_fetchevent_t *devent;
	dns_validator_t *val;
	dns_rdataset_t *rdataset, *sigrdataset;
	isc_result_t result;

	UNUSED(task);
	INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
	devent = (dns_fetchevent_t *)event;
	val = devent->ev_arg;
	rdataset = devent->rdataset;
	sigrdataset = devent->sigrdataset;

	validator_log(val, ISC_LOG_DEBUG(3), "in fetch_callback_nullkey");
	if (devent->result == ISC_R_SUCCESS) {
		LOCK(&val->lock);
		if (!containsnullkey(val, rdataset)) {
			/* No null key */
			validator_log(val, ISC_LOG_DEBUG(3),
				      "found a keyset, no null key");
			result = proveunsecure(val, ISC_TRUE);
			if (result != DNS_R_WAIT)
				validator_done(val, ISC_R_SUCCESS);
		} else {
			validator_log(val, ISC_LOG_DEBUG(3),
				      "found a keyset with a null key");
			if (rdataset->trust >= dns_trust_secure)
				validator_done(val, ISC_R_SUCCESS);
			else if (!dns_rdataset_isassociated(sigrdataset))
				validator_done(val, ISC_R_FAILURE);
			else {
				dns_name_t *tname;
				tname = dns_fixedname_name(&devent->foundname);
				result = dns_validator_create(val->view,
							      tname,
240
							      dns_rdatatype_key,
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
							      rdataset,
							      sigrdataset,
							      NULL,
							      0,
							      val->task,
							      nullkeyvalidated,
							      val,
							      &val->keyvalidator);
				if (result != ISC_R_SUCCESS)
					validator_done(val, result);
				/*
				 * don't free these, since they'll be
				 * freed in nullkeyvalidated.
				 */
				devent->rdataset = NULL;
				devent->sigrdataset = NULL;
			}
		}
		UNLOCK(&val->lock);
	} else if (devent->result ==  DNS_R_NCACHENXDOMAIN ||
		   devent->result == DNS_R_NCACHENXRRSET ||
		   devent->result == DNS_R_NXDOMAIN ||
		   devent->result == DNS_R_NXRRSET)
	{
		/* No keys */
		validator_log(val, ISC_LOG_DEBUG(3),
			      "no keys found");
		LOCK(&val->lock);
		result = proveunsecure(val, ISC_TRUE);
		if (result != DNS_R_WAIT)
			validator_done(val, result);
		UNLOCK(&val->lock);
	} else
		validator_log(val, ISC_LOG_DEBUG(3),
			      "fetch_callback_nullkey: got %s",
			      dns_result_totext(devent->result));

	dns_resolver_destroyfetch(&val->fetch);

	/* free stuff from the event */
	if (devent->rdataset != NULL)
		isc_mem_put(val->view->mctx, devent->rdataset,
			    sizeof(dns_rdataset_t));
	if (devent->sigrdataset != NULL)
		isc_mem_put(val->view->mctx, devent->sigrdataset,
			    sizeof(dns_rdataset_t));
	isc_event_free(&event);
}

290
291
292
293
static void
keyvalidated(isc_task_t *task, isc_event_t *event) {
	dns_validatorevent_t *devent;
	dns_validator_t *val;
294
	dns_rdataset_t *rdataset;
295
296
297
	isc_result_t result;

	UNUSED(task);
298
	INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
299
	devent = (dns_validatorevent_t *)event;
300
	rdataset = devent->rdataset;
301
	val = devent->ev_arg;
302

Andreas Gustafsson's avatar
logging    
Andreas Gustafsson committed
303
	validator_log(val, ISC_LOG_DEBUG(3), "in keyvalidated");
304
	if (devent->result == ISC_R_SUCCESS) {
305
		LOCK(&val->lock);
306
307
308
309
		result = get_dst_key(val, val->siginfo, rdataset);
		if (result != ISC_R_SUCCESS) {
			/* No matching key */
			validator_done(val, result);
310
			UNLOCK(&val->lock);
311
312
			goto free_event;
		}
313
314
315
316
		if (val->attributes & VALATTR_NEGATIVE)
			result = nxtvalidate(val, ISC_TRUE);
		else
			result = validate(val, ISC_TRUE);
317
		if (result != DNS_R_WAIT) {
318
			validator_done(val, result);
319
320
321
			UNLOCK(&val->lock);
			goto free_event;
		}
322
		UNLOCK(&val->lock);
323
	} else
Andreas Gustafsson's avatar
logging    
Andreas Gustafsson committed
324
325
326
		validator_log(val, ISC_LOG_DEBUG(3), 
			      "keyvalidated: got %s",
			      dns_result_totext(devent->result));
327
 free_event:
328
	dns_validator_destroy(&val->keyvalidator);
329
	/* free stuff from the event */
330
331
	isc_mem_put(val->view->mctx, devent->rdataset, sizeof(dns_rdataset_t));
	isc_mem_put(val->view->mctx, devent->sigrdataset,
332
		    sizeof(dns_rdataset_t));
333
334
335
	isc_event_free(&event);
}

336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
static void
nullkeyvalidated(isc_task_t *task, isc_event_t *event) {
	dns_validatorevent_t *devent;
	dns_validator_t *val;
	dns_rdataset_t *rdataset;
	isc_result_t result;

	UNUSED(task);
	INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
	devent = (dns_validatorevent_t *)event;
	rdataset = devent->rdataset;
	val = devent->ev_arg;

	validator_log(val, ISC_LOG_DEBUG(3), "in nullkeyvalidated");
	if (devent->result == ISC_R_SUCCESS) {
		validator_log(val, ISC_LOG_DEBUG(3),
			      "proved that name is in an unsecure domain");
353
		LOCK(&val->lock);
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
		validator_done(val, ISC_R_SUCCESS);
		UNLOCK(&val->lock);
	} else {
		LOCK(&val->lock);
		result = proveunsecure(val, ISC_TRUE);
		if (result != DNS_R_WAIT)
			validator_done(val, result);
		UNLOCK(&val->lock);
	}

	dns_validator_destroy(&val->keyvalidator);

	/* free stuff from the event */
	isc_mem_put(val->view->mctx, devent->rdataset, sizeof(dns_rdataset_t));
	isc_mem_put(val->view->mctx, devent->sigrdataset,
		    sizeof(dns_rdataset_t));
	dns_name_free(devent->name, val->view->mctx);
	isc_mem_put(val->view->mctx, devent->name, sizeof(dns_name_t));
	isc_event_free(&event);
}

375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
/*
 * Try to find a null zone key among those in 'rdataset'.  If found, build
 * a dst_key_t for it and point val->key at it.
 */
static inline isc_boolean_t 
containsnullkey(dns_validator_t *val, dns_rdataset_t *rdataset) {
	isc_result_t result;
	dst_key_t *key = NULL;
	isc_buffer_t b;
	dns_rdata_t rdata;
	isc_boolean_t found = ISC_FALSE;

	result = dns_rdataset_first(rdataset);
	if (result != ISC_R_SUCCESS)
		return (ISC_FALSE);
	while (result == ISC_R_SUCCESS && !found) {
		dns_rdataset_current(rdataset, &rdata);
		isc_buffer_init(&b, rdata.data, rdata.length,
				ISC_BUFFERTYPE_BINARY);
		isc_buffer_add(&b, rdata.length);
		key = NULL;
		/*
		 * The key name is unimportant, so we can avoid any name/text
		 * conversion.
		 */
		result = dst_key_fromdns("", &b, val->view->mctx, &key);
		if (result != ISC_R_SUCCESS)
			continue;
		if (dst_key_isnullkey(key))
			found = ISC_TRUE;
		dst_key_free(key);
		result = dns_rdataset_next(rdataset);
	}
	return (found);
}

411
412
413
414
415
416
417
/*
 * Try to find a key that could have signed 'siginfo' among those
 * in 'rdataset'.  If found, build a dst_key_t for it and point
 * val->key at it.
 *
 * XXX does not handle key tag collisions.
 */
Bob Halley's avatar
Bob Halley committed
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
static inline isc_result_t 
get_dst_key(dns_validator_t *val, dns_siginfo_t *siginfo,
	    dns_rdataset_t *rdataset)
{
	isc_result_t result;
	isc_buffer_t b;
	dns_rdata_t rdata;
	char ntext[1024];

	result = dns_rdataset_first(rdataset);
	if (result != ISC_R_SUCCESS)
		return (result);
	do {
		dns_rdataset_current(rdataset, &rdata);
		/*
		 * We keep one byte of ntext in reserve so
		 * we're sure we can NUL terminate.
		 */
		isc_buffer_init(&b, ntext, sizeof(ntext) - 1,
				ISC_BUFFERTYPE_TEXT);
		result = dns_name_totext(&siginfo->signer, ISC_FALSE, &b);
		if (result != ISC_R_SUCCESS)
			return (result);

		/*
		 * NUL-terminate the character string.
		 */
		isc_buffer_putuint8(&b, 0);

		isc_buffer_init(&b, rdata.data, rdata.length,
				ISC_BUFFERTYPE_BINARY);
		isc_buffer_add(&b, rdata.length);
		INSIST(val->key == NULL);
		result = dst_key_fromdns(ntext, &b, val->view->mctx,
					 &val->key);
		if (result != ISC_R_SUCCESS)
			return (result);
		if (siginfo->algorithm ==
		    (dns_secalg_t)dst_key_alg(val->key) &&
		    siginfo->tag ==
		    (dns_keytag_t)dst_key_id(val->key) &&
459
460
		    dst_key_iszonekey(val->key))
		{
Bob Halley's avatar
Bob Halley committed
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
			/*
			 * This is the key we're looking for.
			 */
			return (ISC_R_SUCCESS);
		}
		dst_key_free(val->key);
		val->key = NULL;
		result = dns_rdataset_next(rdataset);
	} while (result == ISC_R_SUCCESS);
	if (result == ISC_R_NOMORE)
		result = ISC_R_NOTFOUND;

	return (result);
}

static inline isc_result_t
get_key(dns_validator_t *val, dns_siginfo_t *siginfo) {
	isc_result_t result;
	dns_validatorevent_t *event;
	unsigned int nbits, nlabels;
	int order;
	dns_namereln_t namereln;
	dns_rdataset_t rdataset, sigrdataset;

	event = val->event;

	/*
	 * Is the key used for the signature a security root?
	 */
	INSIST(val->keynode == NULL);
	val->keytable = val->view->secroots;
	result = dns_keytable_findkeynode(val->view->secroots,
					  &siginfo->signer,
					  siginfo->algorithm, siginfo->tag,
					  &val->keynode);
	if (result == ISC_R_NOTFOUND) {
		/*
		 * Is it a trusted key that is not a security root?
		 */
		val->keytable = val->view->trustedkeys;
		result = dns_keytable_findkeynode(val->view->trustedkeys,
						  &siginfo->signer,
						  siginfo->algorithm,
						  siginfo->tag,
						  &val->keynode);
		if (result == ISC_R_SUCCESS) {
			/*
			 * The key is trusted.
			 */
			val->key = dns_keynode_key(val->keynode);
			return (ISC_R_SUCCESS);
		} else if (result != ISC_R_NOTFOUND)
			return (result);
	} else if (result == ISC_R_SUCCESS) {
		/*
		 * The key is a security root.
		 */
		val->key = dns_keynode_key(val->keynode);
		return (ISC_R_SUCCESS);
	} else
		return (result);

	/*
	 * The signature was not made with a security root or trusted key.
	 */

	/*
	 * Is the key name appropriate for this signature?
	 */
	namereln = dns_name_fullcompare(event->name, &siginfo->signer,
					&order, &nlabels, &nbits);
532
	if (event->rdataset->type == dns_rdatatype_key &&
Bob Halley's avatar
Bob Halley committed
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
	    namereln != dns_namereln_subdomain) {
		/*
		 * We don't want a KEY RR to authenticate
		 * itself, so we ignore the signature if it
		 * was not made by an ancestor of the KEY.
		 */
		return (DNS_R_CONTINUE);
	} else if (namereln != dns_namereln_subdomain &&
		   namereln != dns_namereln_equal) {
		/*
		 * The key name is not at the same level
		 * as 'rdataset', nor is it closer to the
		 * DNS root.
		 */
		return (DNS_R_CONTINUE);
	}

	/*
	 * Do we know about this key?
	 */
	dns_rdataset_init(&rdataset);
	dns_rdataset_init(&sigrdataset);
	result = dns_view_simplefind(val->view, &siginfo->signer,
				     dns_rdatatype_key, 0,
				     DNS_DBFIND_PENDINGOK, ISC_FALSE,
				     &rdataset, &sigrdataset);
	if (result == ISC_R_SUCCESS) {
		/*
		 * We have an rrset for the given keyname.
		 */
		if (rdataset.trust == dns_trust_pending) {
			/*
			 * We know the key but haven't validated it yet.
			 */
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
			dns_rdataset_t *frdataset, *fsigrdataset;
			frdataset = isc_mem_get(val->view->mctx,
						sizeof *frdataset);
			if (frdataset == NULL)
				return (ISC_R_NOMEMORY);
			fsigrdataset = isc_mem_get(val->view->mctx,
						   sizeof *fsigrdataset);
			if (fsigrdataset == NULL) {
				isc_mem_put(val->view->mctx, frdataset,
					    sizeof *frdataset);
				return (ISC_R_NOMEMORY);
			}
			dns_rdataset_init(frdataset);
			dns_rdataset_init(fsigrdataset);
			dns_rdataset_clone(&rdataset, frdataset);
			dns_rdataset_clone(&sigrdataset, fsigrdataset);

			result = dns_validator_create(val->view,
						      &siginfo->signer,
586
						      dns_rdatatype_key,
587
588
589
590
591
592
593
594
595
596
597
						      frdataset,
						      fsigrdataset,
						      NULL,
						      0,
						      val->task,
						      keyvalidated,
						      val,
						      &val->keyvalidator);
			if (result != ISC_R_SUCCESS)
				return (result);
			return (DNS_R_WAIT);
Bob Halley's avatar
Bob Halley committed
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
		} else {
			/*
			 * XXXRTH  What should we do if this is an untrusted
			 *         rdataset?
			 */
			/*
			 * See if we've got the key used in the signature.
			 */
			result = get_dst_key(val, siginfo, &rdataset);
			if (result != ISC_R_SUCCESS) {
				/*
				 * Either the key we're looking for is not
				 * in the rrset, or something bad happened.
				 * Give up.
				 */
				result = DNS_R_CONTINUE;
			}
		}
	} else if (result == ISC_R_NOTFOUND) {
		/*
		 * We don't know anything about this key.
		 */
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
		dns_rdataset_t *frdataset, *fsigrdataset;
		frdataset = isc_mem_get(val->view->mctx, sizeof *frdataset);
		if (frdataset == NULL)
			return (ISC_R_NOMEMORY);
		fsigrdataset = isc_mem_get(val->view->mctx,
					   sizeof *fsigrdataset);
		if (fsigrdataset == NULL) {
			isc_mem_put(val->view->mctx, frdataset,
				    sizeof *frdataset);
			return (ISC_R_NOMEMORY);
		}
		dns_rdataset_init(frdataset);
		dns_rdataset_init(fsigrdataset);
		val->fetch = NULL;
		result = dns_resolver_createfetch(val->view->resolver,
						  &siginfo->signer,
						  dns_rdatatype_key,
						  NULL, NULL, NULL, 0,
638
						  val->event->ev_sender,
639
640
641
642
643
644
645
646
						  fetch_callback_validator,
						  val,
						  frdataset,
						  fsigrdataset,
						  &val->fetch);
		if (result != ISC_R_SUCCESS)
			return (result);
		return (DNS_R_WAIT);
Bob Halley's avatar
Bob Halley committed
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
	} else if (result ==  DNS_R_NCACHENXDOMAIN ||
		   result == DNS_R_NCACHENXRRSET ||
		   result == DNS_R_NXDOMAIN ||
		   result == DNS_R_NXRRSET) {
		/*
		 * This key doesn't exist.
		 */
		result = DNS_R_CONTINUE;
	}

	if (dns_rdataset_isassociated(&rdataset))
		dns_rdataset_disassociate(&rdataset);
	if (dns_rdataset_isassociated(&sigrdataset))
		dns_rdataset_disassociate(&sigrdataset);

	return (result);
}

static inline isc_result_t
validate(dns_validator_t *val, isc_boolean_t resume) {
	isc_result_t result;
	dns_validatorevent_t *event;
	dns_rdata_t rdata;

	/*
	 * Caller must be holding the validator lock.
	 */

	event = val->event;

677
678
679
680
	if (resume) {
		/* We alraedy have a sigrdataset. */
		result = ISC_R_SUCCESS;
	} else {
Bob Halley's avatar
Bob Halley committed
681
682
		result = dns_rdataset_first(event->sigrdataset);
	}
683
684
685
686
687

	for (;
	     result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(event->sigrdataset))
	{
Bob Halley's avatar
Bob Halley committed
688
		dns_rdataset_current(event->sigrdataset, &rdata);
689
690
691
		if (val->siginfo != NULL)
			isc_mem_put(val->view->mctx, val->siginfo,
				    sizeof *val->siginfo);
692
693
694
695
696
		val->siginfo = isc_mem_get(val->view->mctx,
					   sizeof *val->siginfo);
		if (val->siginfo == NULL)
			return (ISC_R_NOMEMORY);
		rdata_to_siginfo(&rdata, val->siginfo);
Bob Halley's avatar
Bob Halley committed
697
698
699
700
701
702
703
704
		
		/*
		 * At this point we could check that the signature algorithm
		 * was known and "sufficiently good".  For now, any algorithm
		 * is acceptable.
		 */
		
		if (!resume) {
705
			result = get_key(val, val->siginfo);
706
707
			if (result == DNS_R_CONTINUE)
				continue; /* Try the next SIG RR. */
708
			if (result != ISC_R_SUCCESS)
Bob Halley's avatar
Bob Halley committed
709
710
711
712
				return (result);
		}
		INSIST(val->key != NULL);

713
714
		result = dns_dnssec_verify(event->name, event->rdataset,
					   val->key, val->view->mctx, &rdata);
715
716
717
718
719
720
		if (val->keynode != NULL)
			dns_keytable_detachkeynode(val->keytable,
						   &val->keynode);
		else if (val->key != NULL)
			dst_key_free(val->key);
		val->key = NULL;
721
		if (result == ISC_R_SUCCESS) {
722
723
			event->rdataset->trust = dns_trust_secure;
			event->sigrdataset->trust = dns_trust_secure;
Andreas Gustafsson's avatar
logging    
Andreas Gustafsson committed
724
725
			validator_log(val, ISC_LOG_DEBUG(3),
				      "marking as secure");
726
			return (result);
727
		}
728
729
730
731
		else
			validator_log(val, ISC_LOG_DEBUG(3),
				      "verify failure: %s",
				      dns_result_totext(result));
732
	}
733
734
	if (result == ISC_R_NOMORE)
		result = ISC_R_NOTFOUND;
Bob Halley's avatar
Bob Halley committed
735
736
737
	return (result);
}

738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754

static inline isc_result_t
nxtvalidate(dns_validator_t *val, isc_boolean_t resume) {
	dns_name_t *name;
	dns_rdata_t rdata;
	dns_message_t *message = val->event->message;
	isc_result_t result;
	int order;
	isc_region_t r;
	dns_name_t nextname;
	isc_boolean_t firstname = ISC_TRUE;

	if (!resume) {
		val->attributes |= VALATTR_NEGATIVE;
		result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
		if (result != ISC_R_SUCCESS)
			validator_done(val, ISC_R_NOTFOUND);
755
	} else
756
757
758
759
760
761
		result = ISC_R_SUCCESS;

	for (;
	     result == ISC_R_SUCCESS;
	     result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
	{
762
		dns_rdataset_t *rdataset, *sigrdataset = NULL;
763
764
765
766
767
768
769
770
771
772

		name = NULL;
		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
		if (!resume || !firstname) {
			for (rdataset = ISC_LIST_HEAD(name->list);
			     rdataset != NULL;
			     rdataset = ISC_LIST_NEXT(rdataset, link))
			{
				if (rdataset->type != dns_rdatatype_nxt)
					continue;
773
774
				if (dns_rdataset_count(rdataset) != 1)
					return (DNS_R_FORMERR);
775
776
777
778
779
780
781
782
783
				for (sigrdataset = ISC_LIST_HEAD(name->list);
				     sigrdataset != NULL;
				     sigrdataset = ISC_LIST_NEXT(sigrdataset,
								 link))
				{
					if (sigrdataset->type ==
					    dns_rdatatype_sig
					    &&
					    sigrdataset->covers ==
784
					    dns_rdatatype_nxt)
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
						break;
				}
				if (sigrdataset != NULL)
					break;
			}
			if (rdataset == NULL)
				continue;
			val->event->rdataset = rdataset;
			val->event->sigrdataset = sigrdataset;
			val->queryname = val->event->name;
			val->event->name = name;
		}
		firstname = ISC_FALSE;
		order = dns_name_compare(val->queryname, val->event->name);
		if (order == 0) {
800
			if (val->event->type >= 128) {
801
				validator_log(val, ISC_LOG_DEBUG(3),
802
803
					      "invalid type %d",
					       val->event->type);
804
805
806
807
808
				continue;
			}
			dns_rdataset_first(val->event->rdataset);
			INSIST(result == ISC_R_SUCCESS);
			dns_rdataset_current(val->event->rdataset, &rdata);
809
			if (dns_nxt_typepresent(&rdata, val->event->type)) {
810
811
812
813
				validator_log(val, ISC_LOG_DEBUG(3),
					      "type should not be present");
				continue;
			}
814
		} else if (order > 0) {
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
			result = dns_rdataset_first(val->event->rdataset);
			INSIST(result == ISC_R_SUCCESS);
			dns_rdataset_current(val->event->rdataset, &rdata);
			dns_rdata_toregion(&rdata, &r);
			dns_name_init(&nextname, NULL);
			dns_name_fromregion(&nextname, &r);
			order = dns_name_compare(val->queryname, &nextname);
			if (order >= 0) {
				INSIST(val->siginfo != NULL);
				if (!dns_name_equal(&val->siginfo->signer,
						    &nextname))
				{
					validator_log(val, ISC_LOG_DEBUG(3),
						"next name is not greater");
					continue;
				}
			}
832
		} else {
833
834
835
836
837
838
			validator_log(val, ISC_LOG_DEBUG(3),
				"nxt owner name is not less");
			continue;
		}
		validator_log(val, ISC_LOG_DEBUG(3),
			"nxt range and/or bitmask is ok");
839
840
841
842
843

		result = validate(val, resume);
		if (result != ISC_R_SUCCESS)
			return (result);

844
845
		return (ISC_R_SUCCESS);
	}
846
847
	validator_log(val, ISC_LOG_DEBUG(3),
		      "no relevant NXT found");
848
849
850
	return (result);
}

851
852
853
static inline isc_result_t
proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
	isc_result_t result;
854
	dns_fixedname_t secroot, tfname;
855
856
857
	dns_name_t *tname;

	dns_fixedname_init(&secroot);
858
	dns_fixedname_init(&tfname);
859
860
861
862
863
	result = dns_keytable_finddeepestmatch(val->view->secroots,
					       val->event->name,
					       dns_fixedname_name(&secroot));
	if (result != ISC_R_SUCCESS)
		return (result);
864
865
	validator_log(val, ISC_LOG_DEBUG(3), "%s proveunsecure",
		      resume ? "resuming" : "in");
866
867
868
869
870
871
872
873
874
875
876
877
878
879

	if (!resume)
		val->labels = dns_name_depth(dns_fixedname_name(&secroot)) + 1;
	else
		val->labels++;
	for (;
	     val->labels <= dns_name_depth(val->event->name);
	     val->labels++)
	{
		dns_rdataset_t rdataset, sigrdataset;

		if (val->labels == dns_name_depth(val->event->name))
			tname = val->event->name;
		else {
880
			tname = dns_fixedname_name(&tfname);
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
			result = dns_name_splitatdepth(val->event->name,
						       val->labels,
						       NULL, tname);
			if (result != ISC_R_SUCCESS)
				return (result);
		}
		dns_rdataset_init(&rdataset);
		dns_rdataset_init(&sigrdataset);
		result = dns_view_simplefind(val->view, tname,
					     dns_rdatatype_key, 0,
					     DNS_DBFIND_PENDINGOK, ISC_FALSE,
					     &rdataset, &sigrdataset);
		if (result == ISC_R_SUCCESS) {
			dns_rdataset_t *frdataset = NULL, *fsigrdataset = NULL;
			dns_name_t *fname = NULL;

897
898
			if (!dns_rdataset_isassociated(&sigrdataset))
				return (ISC_R_FAILURE);
899
900
			validator_log(val, ISC_LOG_DEBUG(3),
				      "found keyset, looking for null key");
901
			if (!containsnullkey(val, &rdataset))
902
903
				continue;
		
904
905
906
			if (rdataset.trust >= dns_trust_secure)
				return (ISC_R_SUCCESS);

907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
			frdataset = isc_mem_get(val->view->mctx,
						sizeof *frdataset);
			if (frdataset == NULL)
				return (ISC_R_NOMEMORY);
			fsigrdataset = isc_mem_get(val->view->mctx,
						  sizeof *fsigrdataset);
			if (fsigrdataset == NULL) {
				isc_mem_put(val->view->mctx, frdataset,
					    sizeof *frdataset);
				return (ISC_R_NOMEMORY);
			}
			fname = isc_mem_get(val->view->mctx, sizeof *fname);
			if (fname == NULL) {
				isc_mem_put(val->view->mctx, fsigrdataset,
					    sizeof *frdataset);
				isc_mem_put(val->view->mctx, frdataset,
					    sizeof *fsigrdataset);
				return (ISC_R_NOMEMORY);
			}
			dns_name_init(fname, NULL);
			result = dns_name_dup(tname, val->view->mctx, fname);
			if (result != ISC_R_SUCCESS) {
				isc_mem_put(val->view->mctx, fsigrdataset,
					    sizeof *frdataset);
				isc_mem_put(val->view->mctx, frdataset,
					    sizeof *fsigrdataset);
				return (ISC_R_NOMEMORY);
			}
			dns_rdataset_init(frdataset);
			dns_rdataset_init(fsigrdataset);
			dns_rdataset_clone(&rdataset, frdataset);
			dns_rdataset_clone(&sigrdataset, fsigrdataset);

			result = dns_validator_create(val->view,
						      fname,
942
						      dns_rdatatype_key,
943
944
945
946
947
948
949
950
951
952
						      frdataset,
						      fsigrdataset,
						      NULL,
						      0,
						      val->task,
						      nullkeyvalidated,
						      val,
						      &val->keyvalidator);
			return (DNS_R_WAIT);
		} else if (result == ISC_R_NOTFOUND) {
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
			dns_rdataset_t *frdataset = NULL, *fsigrdataset = NULL;

			frdataset = isc_mem_get(val->view->mctx,
						sizeof *frdataset);
			if (frdataset == NULL)
				return (ISC_R_NOMEMORY);
			fsigrdataset = isc_mem_get(val->view->mctx,
						  sizeof *fsigrdataset);
			if (fsigrdataset == NULL) {
				isc_mem_put(val->view->mctx, frdataset,
					    sizeof *frdataset);
				return (ISC_R_NOMEMORY);
			}
			dns_rdataset_init(frdataset);
			dns_rdataset_init(fsigrdataset);
			result = dns_resolver_createfetch(val->view->resolver,
							  tname,
							  dns_rdatatype_key,
							  NULL, NULL, NULL, 0,
							  val->event->ev_sender,
							  fetch_callback_nullkey,
							  val,
							  frdataset,
							  fsigrdataset,
							  &val->fetch);
			if (result != ISC_R_SUCCESS)
				return (result);
			return (DNS_R_WAIT);
981
982
983
984
985
986
987
988
989
990
991
992
		} else if (result == DNS_R_NCACHENXDOMAIN ||
			 result == DNS_R_NCACHENXRRSET ||
			 result == DNS_R_NXDOMAIN ||
			 result == DNS_R_NXRRSET)
		{
			continue;
		} else
			return (result);
	}
	return (ISC_R_FAILURE); /* Didn't find a null key */
}

993
994
995
996
static void
validator_start(isc_task_t *task, isc_event_t *event) {
	dns_validator_t *val;
	dns_validatorevent_t *vevent;
Bob Halley's avatar
Bob Halley committed
997
998
	isc_result_t result;

999
	UNUSED(task);
1000
	REQUIRE(event->ev_type == DNS_EVENT_VALIDATORSTART);
1001
1002
1003
	vevent = (dns_validatorevent_t *) event;
	val = vevent->validator;

Bob Halley's avatar
Bob Halley committed
1004
1005
1006
1007
1008
1009
1010
1011
1012
	LOCK(&val->lock);

	if (val->event->rdataset != NULL && val->event->sigrdataset != NULL) {
		/*
		 * This looks like a simple validation.  We say "looks like"
		 * because we don't know if wildcards are involved yet so it
		 * could still get complicated.
		 */
		result = validate(val, ISC_FALSE);
1013
1014
1015
1016
1017
1018
1019
	} else if (val->event->rdataset != NULL) {
		/*
		 * This is either an unsecure subdomain or a response from
		 * a broken server.
		 */
		result = proveunsecure(val, ISC_FALSE);
	} else if (val->event->rdataset == NULL &&
1020
1021
		 val->event->sigrdataset == NULL)
	{
Bob Halley's avatar
Bob Halley committed
1022
1023
1024
		/*
		 * This is a nonexistence validation.
		 */
1025
		result = nxtvalidate(val, ISC_FALSE);
1026
1027
	} else {
		/* This shouldn't happen */
1028
		result = ISC_R_FAILURE; /* Keep compiler happy. */
1029
		INSIST(0);
Bob Halley's avatar
Bob Halley committed
1030
1031
	}

1032
	if (result != DNS_R_WAIT)
Bob Halley's avatar
Bob Halley committed
1033
1034
1035
1036
1037
		validator_done(val, result);

	UNLOCK(&val->lock);
}

Bob Halley's avatar
Bob Halley committed
1038
isc_result_t
1039
dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
Bob Halley's avatar
Bob Halley committed
1040
1041
1042
1043
1044
		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
		     dns_message_t *message, unsigned int options,
		     isc_task_t *task, isc_taskaction_t action, void *arg,
		     dns_validator_t **validatorp)
{
Bob Halley's avatar
Bob Halley committed
1045
1046
1047
1048
1049
	isc_result_t result;
	dns_validator_t *val;
	isc_task_t *tclone;
	dns_validatorevent_t *event;

1050
1051
1052
	REQUIRE(name != NULL);
	REQUIRE(rdataset != NULL ||
		(rdataset == NULL && sigrdataset == NULL && message != NULL));
1053
	REQUIRE(options == 0);
Bob Halley's avatar
Bob Halley committed
1054
1055
	REQUIRE(validatorp != NULL && *validatorp == NULL);

Bob Halley's avatar
Bob Halley committed
1056
1057
1058
1059
1060
1061
	tclone = NULL;
	result = ISC_R_FAILURE;

	val = isc_mem_get(view->mctx, sizeof *val);
	if (val == NULL)
		return (ISC_R_NOMEMORY);
1062
	val->view = NULL;
Bob Halley's avatar
Bob Halley committed
1063
1064
	dns_view_attach(view, &val->view);
	event = (dns_validatorevent_t *)
1065
1066
1067
1068
		isc_event_allocate(view->mctx, task,
				   DNS_EVENT_VALIDATORSTART,
				   validator_start, NULL,
				   sizeof (dns_validatorevent_t));
Bob Halley's avatar
Bob Halley committed
1069
1070
1071
1072
1073
1074
1075
1076
	if (event == NULL) {
		result = ISC_R_NOMEMORY;
		goto cleanup_val;
	}
	isc_task_attach(task, &tclone);
	event->validator = val;
	event->result = ISC_R_FAILURE;
	event->name = name;
1077
	event->type = type;
Bob Halley's avatar
Bob Halley committed
1078
1079
1080
1081
1082
1083
1084
1085
1086
	event->rdataset = rdataset;
	event->sigrdataset = sigrdataset;
	event->message = message;
	result = isc_mutex_init(&val->lock);
	if (result != ISC_R_SUCCESS)
		goto cleanup_event;
	val->event = event;
	val->options = options;
	val->attributes = 0;
Bob Halley's avatar
Bob Halley committed
1087
1088
1089
	val->fetch = NULL;
	val->keyvalidator = NULL;
	val->keynode = NULL;
1090
	val->key = NULL;
1091
	val->siginfo = NULL;
1092
	val->task = task;
1093
1094
	val->action = action;
	val->arg = arg;
1095
	val->queryname = NULL;
1096
	val->labels = 0;
Bob Halley's avatar
Bob Halley committed
1097
1098
	val->magic = VALIDATOR_MAGIC;

1099
	isc_task_send(task, (isc_event_t **)&event);
Bob Halley's avatar
Bob Halley committed
1100
1101
1102

	*validatorp = val;

Bob Halley's avatar
Bob Halley committed
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
	return (ISC_R_SUCCESS);

 cleanup_event:
	isc_task_detach(&tclone);
	isc_event_free((isc_event_t **)&val->event);

 cleanup_val:
	dns_view_detach(&val->view);
	isc_mem_put(view->mctx, val, sizeof *val);
	
	return (result);
Bob Halley's avatar
Bob Halley committed
1114
1115
1116
1117
}

void
dns_validator_cancel(dns_validator_t *validator) {
Bob Halley's avatar
Bob Halley committed
1118
1119
1120
1121
1122
	isc_task_t *task;

	REQUIRE(VALID_VALIDATOR(validator));

	LOCK(&validator->lock);
1123

Bob Halley's avatar
Bob Halley committed
1124
1125
	if (validator->event != NULL) {
		validator->event->result = ISC_R_CANCELED;
1126
1127
		task = validator->event->ev_sender;
		validator->event->ev_sender = validator;
Bob Halley's avatar
Bob Halley committed
1128
1129
		isc_task_sendanddetach(&task,
				       (isc_event_t **)&validator->event);
1130
1131
1132
1133
1134
1135

		if (validator->fetch != NULL)
			dns_resolver_cancelfetch(validator->fetch);

		if (validator->keyvalidator != NULL)
			dns_validator_cancel(validator->keyvalidator);
Bob Halley's avatar
Bob Halley committed
1136
1137
1138
1139
1140
1141
	}
	UNLOCK(&validator->lock);
}

static void
destroy(dns_validator_t *val) {
Andreas Gustafsson's avatar
Andreas Gustafsson committed
1142
	isc_mem_t *mctx;
Bob Halley's avatar
Bob Halley committed
1143

Bob Halley's avatar
Bob Halley committed
1144
	REQUIRE(SHUTDOWN(val));
Bob Halley's avatar
Bob Halley committed
1145
	REQUIRE(val->event == NULL);
Bob Halley's avatar
Bob Halley committed
1146
	REQUIRE(val->fetch == NULL);
Bob Halley's avatar
Bob Halley committed
1147

Bob Halley's avatar
Bob Halley committed
1148
1149
	if (val->keynode != NULL)
		dns_keytable_detachkeynode(val->keytable, &val->keynode);
1150
1151
	else if (val->key != NULL)
		dst_key_free(val->key);
1152
1153
	if (val->keyvalidator != NULL)
		dns_validator_destroy(&val->keyvalidator);
Andreas Gustafsson's avatar
Andreas Gustafsson committed
1154
	mctx = val->view->mctx;
1155
1156
1157
	if (val->siginfo != NULL)
		isc_mem_put(mctx, val->siginfo, sizeof *val->siginfo);
	isc_mutex_destroy(&val->lock);
Bob Halley's avatar
Bob Halley committed
1158
	dns_view_detach(&val->view);
Andreas Gustafsson's avatar
Andreas Gustafsson committed
1159
1160
	val->magic = 0;
	isc_mem_put(mctx, val, sizeof *val);
Bob Halley's avatar
Bob Halley committed
1161
1162
1163
1164
}

void
dns_validator_destroy(dns_validator_t **validatorp) {
Bob Halley's avatar
Bob Halley committed
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
	dns_validator_t *val;
	isc_boolean_t want_destroy = ISC_FALSE;

	REQUIRE(validatorp != NULL);
	val = *validatorp;
	REQUIRE(VALID_VALIDATOR(val));

	LOCK(&val->lock);

	REQUIRE(val->event == NULL);

	val->attributes |= VALATTR_SHUTDOWN;
	if (val->fetch == NULL)
		want_destroy = ISC_TRUE;

	UNLOCK(&val->lock);

	if (want_destroy)
		destroy(val);

Bob Halley's avatar
Bob Halley committed
1185
	*validatorp = NULL;
Bob Halley's avatar
Bob Halley committed
1186
}
Andreas Gustafsson's avatar
logging    
Andreas Gustafsson committed
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203



static void
validator_logv(dns_validator_t *val, isc_logcategory_t *category,
	   isc_logmodule_t *module, int level, const char *fmt, va_list ap)
{
	char msgbuf[2048];

	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);

	if (val->event != NULL && val->event->name != NULL &&
	    val->event->rdataset != NULL)
	{
		char namebuf[1024];
		char typebuf[256];
		isc_buffer_t b;
1204
		isc_region_t r;
Andreas Gustafsson's avatar
logging    
Andreas Gustafsson committed
1205
1206
1207
1208
1209
		
		dns_name_format(val->event->name, namebuf, sizeof(namebuf));

		isc_buffer_init(&b, (unsigned char *) typebuf, sizeof(typebuf),
				ISC_BUFFERTYPE_TEXT);
1210
		if (dns_rdatatype_totext(val->event->type, &b)
Andreas Gustafsson's avatar
logging    
Andreas Gustafsson committed
1211
1212
1213
		    != ISC_R_SUCCESS)
		{
			isc_buffer_clear(&b);
1214
			isc_buffer_putstr(&b, "<bad type>");
Andreas Gustafsson's avatar
logging    
Andreas Gustafsson committed
1215
		}
1216
		isc_buffer_used(&b, &r);
Andreas Gustafsson's avatar
logging    
Andreas Gustafsson committed
1217
1218
		isc_log_write(dns_lctx, category, module, level,
			      "validating %s %.*s: %s", namebuf,
1219
			      (int) r.length, (char *) r.base, msgbuf);
Andreas Gustafsson's avatar
logging    
Andreas Gustafsson committed
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
	} else {
		isc_log_write(dns_lctx, category, module, level,
			      "validator @%p: %s", val, msgbuf);
		
	}
}

static void
validator_log(dns_validator_t *val, int level, const char *fmt, ...)
{
        va_list ap;
	va_start(ap, fmt);
	validator_logv(val, DNS_LOGCATEGORY_DNSSEC,
		       DNS_LOGMODULE_VALIDATOR, level, fmt, ap);
	va_end(ap);
}