Commit 5d666f53 authored by Michał Kępień's avatar Michał Kępień

Move commonly used dns_rdataset_t structures to the verification context structure

Eight structures representing four RRsets and their signatures are
commonly accessed throughout dns_zoneverify_dnssec().  Move them into
the structure representing a verification context.  While this does not
really simplify currently existing code, it will facilitate passing data
around between smaller functions that dns_zoneverify_dnssec() is about
to get split into.
parent 43d0fb84
......@@ -58,6 +58,14 @@ typedef struct vctx {
dns_name_t * origin;
isc_boolean_t goodksk;
isc_boolean_t goodzsk;
dns_rdataset_t keyset;
dns_rdataset_t keysigs;
dns_rdataset_t soaset;
dns_rdataset_t soasigs;
dns_rdataset_t nsecset;
dns_rdataset_t nsecsigs;
dns_rdataset_t nsec3paramset;
dns_rdataset_t nsec3paramsigs;
isc_heap_t * expected_chains;
isc_heap_t * found_chains;
} vctx_t;
......@@ -1041,6 +1049,15 @@ vctx_init(vctx_t *vctx, isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *ver,
vctx->goodksk = ISC_FALSE;
vctx->goodzsk = ISC_FALSE;
dns_rdataset_init(&vctx->keyset);
dns_rdataset_init(&vctx->keysigs);
dns_rdataset_init(&vctx->soaset);
dns_rdataset_init(&vctx->soasigs);
dns_rdataset_init(&vctx->nsecset);
dns_rdataset_init(&vctx->nsecsigs);
dns_rdataset_init(&vctx->nsec3paramset);
dns_rdataset_init(&vctx->nsec3paramsigs);
vctx->expected_chains = NULL;
result = isc_heap_create(mctx, chain_compare, NULL, 1024,
&vctx->expected_chains);
......@@ -1061,6 +1078,30 @@ vctx_init(vctx_t *vctx, isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *ver,
static void
vctx_destroy(vctx_t *vctx) {
if (dns_rdataset_isassociated(&vctx->keyset)) {
dns_rdataset_disassociate(&vctx->keyset);
}
if (dns_rdataset_isassociated(&vctx->keysigs)) {
dns_rdataset_disassociate(&vctx->keysigs);
}
if (dns_rdataset_isassociated(&vctx->soaset)) {
dns_rdataset_disassociate(&vctx->soaset);
}
if (dns_rdataset_isassociated(&vctx->soasigs)) {
dns_rdataset_disassociate(&vctx->soasigs);
}
if (dns_rdataset_isassociated(&vctx->nsecset)) {
dns_rdataset_disassociate(&vctx->nsecset);
}
if (dns_rdataset_isassociated(&vctx->nsecsigs)) {
dns_rdataset_disassociate(&vctx->nsecsigs);
}
if (dns_rdataset_isassociated(&vctx->nsec3paramset)) {
dns_rdataset_disassociate(&vctx->nsec3paramset);
}
if (dns_rdataset_isassociated(&vctx->nsec3paramsigs)) {
dns_rdataset_disassociate(&vctx->nsec3paramsigs);
}
isc_heap_destroy(&vctx->expected_chains);
isc_heap_destroy(&vctx->found_chains);
}
......@@ -1077,10 +1118,6 @@ dns_zoneverify_dnssec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
dns_name_t *name, *nextname, *prevname, *zonecut;
dns_rdata_dnskey_t dnskey;
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_t keyset, soaset;
dns_rdataset_t keysigs, soasigs;
dns_rdataset_t nsecset, nsecsigs;
dns_rdataset_t nsec3paramset, nsec3paramsigs;
int i;
isc_boolean_t done = ISC_FALSE;
isc_boolean_t first = ISC_TRUE;
......@@ -1105,54 +1142,47 @@ dns_zoneverify_dnssec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
fatal("failed to find the zone's origin: %s",
isc_result_totext(result));
dns_rdataset_init(&keyset);
dns_rdataset_init(&keysigs);
dns_rdataset_init(&soaset);
dns_rdataset_init(&soasigs);
dns_rdataset_init(&nsecset);
dns_rdataset_init(&nsecsigs);
dns_rdataset_init(&nsec3paramset);
dns_rdataset_init(&nsec3paramsigs);
result = dns_db_findrdataset(vctx.db, node, vctx.ver,
dns_rdatatype_dnskey, 0, 0, &keyset,
&keysigs);
dns_rdatatype_dnskey, 0, 0, &vctx.keyset,
&vctx.keysigs);
if (result != ISC_R_SUCCESS)
fatal("Zone contains no DNSSEC keys\n");
result = dns_db_findrdataset(vctx.db, node, vctx.ver,
dns_rdatatype_soa, 0, 0, &soaset,
&soasigs);
dns_rdatatype_soa, 0, 0, &vctx.soaset,
&vctx.soasigs);
if (result != ISC_R_SUCCESS)
fatal("Zone contains no SOA record\n");
result = dns_db_findrdataset(vctx.db, node, vctx.ver,
dns_rdatatype_nsec, 0, 0, &nsecset,
&nsecsigs);
dns_rdatatype_nsec, 0, 0, &vctx.nsecset,
&vctx.nsecsigs);
if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
fatal("NSEC lookup failed\n");
result = dns_db_findrdataset(vctx.db, node, vctx.ver,
dns_rdatatype_nsec3param, 0, 0,
&nsec3paramset, &nsec3paramsigs);
&vctx.nsec3paramset,
&vctx.nsec3paramsigs);
if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
fatal("NSEC3PARAM lookup failed\n");
if (!dns_rdataset_isassociated(&keysigs))
if (!dns_rdataset_isassociated(&vctx.keysigs))
fatal("DNSKEY is not signed (keys offline or inactive?)\n");
if (!dns_rdataset_isassociated(&soasigs))
if (!dns_rdataset_isassociated(&vctx.soasigs))
fatal("SOA is not signed (keys offline or inactive?)\n");
if (dns_rdataset_isassociated(&nsecset) &&
!dns_rdataset_isassociated(&nsecsigs))
if (dns_rdataset_isassociated(&vctx.nsecset) &&
!dns_rdataset_isassociated(&vctx.nsecsigs))
fatal("NSEC is not signed (keys offline or inactive?)\n");
if (dns_rdataset_isassociated(&nsec3paramset) &&
!dns_rdataset_isassociated(&nsec3paramsigs))
if (dns_rdataset_isassociated(&vctx.nsec3paramset) &&
!dns_rdataset_isassociated(&vctx.nsec3paramsigs))
fatal("NSEC3PARAM is not signed (keys offline or inactive?)\n");
if (!dns_rdataset_isassociated(&nsecset) &&
!dns_rdataset_isassociated(&nsec3paramset))
if (!dns_rdataset_isassociated(&vctx.nsecset) &&
!dns_rdataset_isassociated(&vctx.nsec3paramset))
fatal("No valid NSEC/NSEC3 chain for testing\n");
dns_db_detachnode(vctx.db, &node);
......@@ -1171,10 +1201,10 @@ dns_zoneverify_dnssec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
* and one ZSK per algorithm in it (or, if -x was used, one
* self-signing KSK).
*/
for (result = dns_rdataset_first(&keyset);
for (result = dns_rdataset_first(&vctx.keyset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(&keyset)) {
dns_rdataset_current(&keyset, &rdata);
result = dns_rdataset_next(&vctx.keyset)) {
dns_rdataset_current(&vctx.keyset, &rdata);
result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
check_result(result, "dns_rdata_tostruct");
......@@ -1182,9 +1212,9 @@ dns_zoneverify_dnssec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
;
else if ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0) {
if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0 &&
!dns_dnssec_selfsigns(&rdata, vctx.origin, &keyset,
&keysigs, ISC_FALSE,
vctx.mctx)) {
!dns_dnssec_selfsigns(&rdata, vctx.origin,
&vctx.keyset, &vctx.keysigs,
ISC_FALSE, vctx.mctx)) {
char namebuf[DNS_NAME_FORMATSIZE];
char buffer[1024];
isc_buffer_t buf;
......@@ -1205,9 +1235,9 @@ dns_zoneverify_dnssec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
revoked_zsk[dnskey.algorithm] != 255)
revoked_zsk[dnskey.algorithm]++;
} else if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0) {
if (dns_dnssec_selfsigns(&rdata, vctx.origin, &keyset,
&keysigs, ISC_FALSE,
vctx.mctx)) {
if (dns_dnssec_selfsigns(&rdata, vctx.origin,
&vctx.keyset, &vctx.keysigs,
ISC_FALSE, vctx.mctx)) {
if (ksk_algorithms[dnskey.algorithm] != 255)
ksk_algorithms[dnskey.algorithm]++;
vctx.goodksk = ISC_TRUE;
......@@ -1215,14 +1245,15 @@ dns_zoneverify_dnssec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
if (standby_ksk[dnskey.algorithm] != 255)
standby_ksk[dnskey.algorithm]++;
}
} else if (dns_dnssec_selfsigns(&rdata, vctx.origin, &keyset,
&keysigs, ISC_FALSE,
vctx.mctx)) {
} else if (dns_dnssec_selfsigns(&rdata, vctx.origin,
&vctx.keyset, &vctx.keysigs,
ISC_FALSE, vctx.mctx)) {
if (zsk_algorithms[dnskey.algorithm] != 255)
zsk_algorithms[dnskey.algorithm]++;
vctx.goodzsk = ISC_TRUE;
} else if (dns_dnssec_signs(&rdata, vctx.origin, &soaset,
&soasigs, ISC_FALSE, vctx.mctx)) {
} else if (dns_dnssec_signs(&rdata, vctx.origin, &vctx.soaset,
&vctx.soasigs, ISC_FALSE,
vctx.mctx)) {
if (zsk_algorithms[dnskey.algorithm] != 255)
zsk_algorithms[dnskey.algorithm]++;
} else {
......@@ -1232,13 +1263,6 @@ dns_zoneverify_dnssec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
dns_rdata_freestruct(&dnskey);
dns_rdata_reset(&rdata);
}
dns_rdataset_disassociate(&keysigs);
dns_rdataset_disassociate(&soaset);
dns_rdataset_disassociate(&soasigs);
if (dns_rdataset_isassociated(&nsecsigs))
dns_rdataset_disassociate(&nsecsigs);
if (dns_rdataset_isassociated(&nsec3paramsigs))
dns_rdataset_disassociate(&nsec3paramsigs);
if (ignore_kskflag ) {
if (!vctx.goodksk && !vctx.goodzsk)
......@@ -1350,9 +1374,10 @@ dns_zoneverify_dnssec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
} else if (result != ISC_R_SUCCESS)
fatal("iterating through the database failed: %s",
isc_result_totext(result));
result = verifynode(&vctx, name, node, isdelegation, &keyset,
act_algorithms, bad_algorithms, &nsecset,
&nsec3paramset, nextname);
result = verifynode(&vctx, name, node, isdelegation,
&vctx.keyset, act_algorithms,
bad_algorithms, &vctx.nsecset,
&vctx.nsec3paramset, nextname);
if (vresult == ISC_R_UNSET)
vresult = ISC_R_SUCCESS;
if (vresult == ISC_R_SUCCESS && result != ISC_R_SUCCESS)
......@@ -1360,7 +1385,7 @@ dns_zoneverify_dnssec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
if (prevname != NULL) {
result = verifyemptynodes(&vctx, name, prevname,
isdelegation,
&nsec3paramset);
&vctx.nsec3paramset);
} else
prevname = dns_fixedname_name(&fprevname);
dns_name_copy(name, prevname, NULL);
......@@ -1379,21 +1404,15 @@ dns_zoneverify_dnssec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
result = dns_dbiterator_next(dbiter) ) {
result = dns_dbiterator_current(dbiter, &node, name);
check_dns_dbiterator_current(result);
result = verifynode(&vctx, name, node, ISC_FALSE, &keyset,
result = verifynode(&vctx, name, node, ISC_FALSE, &vctx.keyset,
act_algorithms, bad_algorithms, NULL, NULL,
NULL);
check_result(result, "verifynode");
record_found(&vctx, name, node, &nsec3paramset);
record_found(&vctx, name, node, &vctx.nsec3paramset);
dns_db_detachnode(vctx.db, &node);
}
dns_dbiterator_destroy(&dbiter);
dns_rdataset_disassociate(&keyset);
if (dns_rdataset_isassociated(&nsecset))
dns_rdataset_disassociate(&nsecset);
if (dns_rdataset_isassociated(&nsec3paramset))
dns_rdataset_disassociate(&nsec3paramset);
result = verify_nsec3_chains(&vctx, mctx);
if (vresult == ISC_R_UNSET)
vresult = ISC_R_SUCCESS;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment