Commit 7fdf4077 authored by Evan Hunt's avatar Evan Hunt

remove all code that uses non-DS trust anchors

as initial-key and static-key trust anchors will now be stored as a
DS rrset, code referencing keynodes storing DNSKEY trust anchors will
no longer be reached.
parent 21d3f66f
......@@ -6835,11 +6835,7 @@ struct dotat_arg {
* reported in the TAT query.
*/
static isc_result_t
get_tat_qname(dns_name_t *target, dns_name_t *keyname,
dns_keytable_t *keytable, dns_keynode_t *keynode)
{
dns_keynode_t *firstnode = keynode;
dns_keynode_t *nextnode = NULL;
get_tat_qname(dns_name_t *target, dns_name_t *keyname, dns_keynode_t *keynode) {
dns_rdataset_t *dsset = NULL;
unsigned int i, n = 0;
uint16_t ids[12];
......@@ -6866,23 +6862,6 @@ get_tat_qname(dns_name_t *target, dns_name_t *keyname,
n++;
}
}
} else {
do {
dst_key_t *key = dns_keynode_key(keynode);
if (key != NULL) {
if (n < (sizeof(ids)/sizeof(ids[0]))) {
ids[n] = dst_key_id(key);
n++;
}
}
nextnode = NULL;
(void)dns_keytable_nextkeynode(keytable, keynode,
&nextnode);
if (keynode != firstnode) {
dns_keytable_detachkeynode(keytable, &keynode);
}
keynode = nextnode;
} while (keynode != NULL);
}
if (n == 0) {
......@@ -6938,7 +6917,7 @@ dotat(dns_keytable_t *keytable, dns_keynode_t *keynode,
task = dotat_arg->task;
tatname = dns_fixedname_initname(&fixed);
result = get_tat_qname(tatname, keyname, keytable, keynode);
result = get_tat_qname(tatname, keyname, keynode);
if (result != ISC_R_SUCCESS) {
return;
}
......
......@@ -223,9 +223,8 @@ isc_result_t
dns_keytable_find(dns_keytable_t *keytable, const dns_name_t *keyname,
dns_keynode_t **keynodep);
/*%<
* Search for the first instance of a key named 'name' in 'keytable',
* without regard to keyid and algorithm. Use dns_keytable_nextkeynode()
* to find subsequent instances.
* Search for the first instance of a trust anchor named 'name' in
* 'keytable', without regard to keyid and algorithm.
*
* Requires:
*
......@@ -243,78 +242,6 @@ dns_keytable_find(dns_keytable_t *keytable, const dns_name_t *keyname,
*\li Any other result indicates an error.
*/
isc_result_t
dns_keytable_nextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
dns_keynode_t **nextnodep);
/*%<
* Return for the next key after 'keynode' in 'keytable', without regard to
* keyid and algorithm.
*
* Requires:
*
*\li 'keytable' is a valid keytable.
*
*\li 'keynode' is a valid keynode.
*
*\li nextnodep != NULL && *nextnodep == NULL
*
* Returns:
*
*\li ISC_R_SUCCESS
*\li ISC_R_NOTFOUND
*
*\li Any other result indicates an error.
*/
isc_result_t
dns_keytable_findkeynode(dns_keytable_t *keytable, const dns_name_t *name,
dns_secalg_t algorithm, dns_keytag_t tag,
dns_keynode_t **keynodep);
/*%<
* Search for a key named 'name', matching 'algorithm' and 'tag' in
* 'keytable'. This finds the first instance which matches. Use
* dns_keytable_findnextkeynode() to find other instances.
*
* Requires:
*
*\li 'keytable' is a valid keytable.
*
*\li 'name' is a valid absolute name.
*
*\li keynodep != NULL && *keynodep == NULL
*
* Returns:
*
*\li ISC_R_SUCCESS
*\li DNS_R_PARTIALMATCH the name existed in the keytable.
*\li ISC_R_NOTFOUND
*
*\li Any other result indicates an error.
*/
isc_result_t
dns_keytable_findnextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
dns_keynode_t **nextnodep);
/*%<
* Search for the next key with the same properties as 'keynode' in
* 'keytable' as found by dns_keytable_findkeynode().
*
* Requires:
*
*\li 'keytable' is a valid keytable.
*
*\li 'keynode' is a valid keynode.
*
*\li nextnodep != NULL && *nextnodep == NULL
*
* Returns:
*
*\li ISC_R_SUCCESS
*\li ISC_R_NOTFOUND
*
*\li Any other result indicates an error.
*/
isc_result_t
dns_keytable_finddeepestmatch(dns_keytable_t *keytable, const dns_name_t *name,
dns_name_t *foundname);
......@@ -413,12 +340,6 @@ dns_keytable_totext(dns_keytable_t *keytable, isc_buffer_t **buf);
* Dump the keytable to buffer at 'buf'
*/
dst_key_t *
dns_keynode_key(dns_keynode_t *keynode);
/*%<
* Get the DST key associated with keynode.
*/
dns_rdataset_t *
dns_keynode_dsset(dns_keynode_t *keynode);
/*%<
......@@ -466,8 +387,7 @@ dns_keynode_attach(dns_keynode_t *source, dns_keynode_t **target);
void
dns_keynode_detach(isc_mem_t *mctx, dns_keynode_t **target);
/*%<
* Detach a single keynode, without touching any keynodes that
* may be pointed to by its 'next' pointer
* Detach a keynode.
*/
void
......
......@@ -516,123 +516,6 @@ dns_keytable_find(dns_keytable_t *keytable, const dns_name_t *keyname,
return (result);
}
isc_result_t
dns_keytable_nextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
dns_keynode_t **nextnodep)
{
/*
* Return the next key after 'keynode', regardless of
* properties.
*/
REQUIRE(VALID_KEYTABLE(keytable));
REQUIRE(VALID_KEYNODE(keynode));
REQUIRE(nextnodep != NULL && *nextnodep == NULL);
if (keynode->next == NULL) {
return (ISC_R_NOTFOUND);
}
dns_keytable_attachkeynode(keytable, keynode->next, nextnodep);
return (ISC_R_SUCCESS);
}
isc_result_t
dns_keytable_findkeynode(dns_keytable_t *keytable, const dns_name_t *name,
dns_secalg_t algorithm, dns_keytag_t tag,
dns_keynode_t **keynodep)
{
isc_result_t result;
dns_keynode_t *knode;
void *data;
/*
* Search for a key named 'name', matching 'algorithm' and 'tag' in
* 'keytable'.
*/
REQUIRE(VALID_KEYTABLE(keytable));
REQUIRE(dns_name_isabsolute(name));
REQUIRE(keynodep != NULL && *keynodep == NULL);
RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
/*
* Note we don't want the DNS_R_PARTIALMATCH from dns_rbt_findname()
* as that indicates that 'name' was not found.
*
* DNS_R_PARTIALMATCH indicates that the name was found but we
* didn't get a match on algorithm and key id arguments.
*/
knode = NULL;
data = NULL;
result = dns_rbt_findname(keytable->table, name, 0, NULL, &data);
if (result == ISC_R_SUCCESS) {
INSIST(data != NULL);
for (knode = data; knode != NULL; knode = knode->next) {
if (knode->key == NULL) {
knode = NULL;
break;
}
if (algorithm == dst_key_alg(knode->key) &&
tag == dst_key_id(knode->key))
{
break;
}
}
if (knode != NULL) {
dns_keytable_attachkeynode(keytable, knode, keynodep);
} else {
result = DNS_R_PARTIALMATCH;
}
} else if (result == DNS_R_PARTIALMATCH) {
result = ISC_R_NOTFOUND;
}
RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
return (result);
}
isc_result_t
dns_keytable_findnextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
dns_keynode_t **nextnodep)
{
isc_result_t result;
dns_keynode_t *knode;
/*
* Search for the next key with the same properties as 'keynode' in
* 'keytable'.
*/
REQUIRE(VALID_KEYTABLE(keytable));
REQUIRE(VALID_KEYNODE(keynode));
REQUIRE(nextnodep != NULL && *nextnodep == NULL);
for (knode = keynode->next; knode != NULL; knode = knode->next) {
if (knode->key == NULL) {
knode = NULL;
break;
}
if (dst_key_alg(keynode->key) == dst_key_alg(knode->key) &&
dst_key_id(keynode->key) == dst_key_id(knode->key))
{
break;
}
}
if (knode != NULL) {
dns_keytable_attachkeynode(keytable, knode, nextnodep);
result = ISC_R_SUCCESS;
} else {
result = ISC_R_NOTFOUND;
}
return (result);
}
isc_result_t
dns_keytable_finddeepestmatch(dns_keytable_t *keytable, const dns_name_t *name,
dns_name_t *foundname)
......@@ -674,7 +557,8 @@ dns_keytable_attachkeynode(dns_keytable_t *keytable, dns_keynode_t *source,
REQUIRE(VALID_KEYNODE(source));
REQUIRE(target != NULL && *target == NULL);
REQUIRE(atomic_fetch_add_relaxed(&keytable->active_nodes, 1) < UINT32_MAX);
REQUIRE(atomic_fetch_add_relaxed(&keytable->active_nodes,
1) < UINT32_MAX);
dns_keynode_attach(source, target);
}
......@@ -913,8 +797,8 @@ dns_keytable_forall(dns_keytable_t *keytable,
}
goto cleanup;
}
REQUIRE(atomic_fetch_add_relaxed(&keytable->active_nodes, 1)
< UINT32_MAX);
REQUIRE(atomic_fetch_add_relaxed(&keytable->active_nodes,
1) < UINT32_MAX);
for (;;) {
dns_rbtnodechain_current(&chain, foundname, origin, &node);
if (node->data != NULL) {
......@@ -939,13 +823,6 @@ dns_keytable_forall(dns_keytable_t *keytable,
return (result);
}
dst_key_t *
dns_keynode_key(dns_keynode_t *keynode) {
REQUIRE(VALID_KEYNODE(keynode));
return (keynode->key);
}
dns_rdataset_t *
dns_keynode_dsset(dns_keynode_t *keynode) {
REQUIRE(VALID_KEYNODE(keynode));
......
......@@ -219,7 +219,6 @@ static void
add_test(void **state) {
dst_key_t *key = NULL;
dns_keynode_t *keynode = NULL;
dns_keynode_t *next_keynode = NULL;
dns_keynode_t *null_keynode = NULL;
UNUSED(state);
......@@ -227,27 +226,24 @@ add_test(void **state) {
create_tables();
/*
* Get the keynode for the example.com key. There's no other key for
* the name, so nextkeynode() should return NOTFOUND.
* Getting the keynode for the example.com key should succeed.
*/
assert_int_equal(dns_keytable_find(keytable, str2name("example.com"),
&keynode),
ISC_R_SUCCESS);
assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
&next_keynode),
ISC_R_NOTFOUND);
/*
* Try to add the same key. This should have no effect, so
* nextkeynode() should still return NOTFOUND.
* Try to add the same key. This should have no effect but
* report success.
*/
create_key(257, 3, 5, "example.com", keystr1, &key);
assert_int_equal(dns_keytable_add(keytable, false, false,
dst_key_name(key), &key, NULL),
ISC_R_SUCCESS);
assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
&next_keynode),
ISC_R_NOTFOUND);
dns_keytable_detachkeynode(keytable, &keynode);
assert_int_equal(dns_keytable_find(keytable, str2name("example.com"),
&keynode),
ISC_R_SUCCESS);
/* Add another key (different keydata) */
dns_keytable_detachkeynode(keytable, &keynode);
......@@ -258,24 +254,16 @@ add_test(void **state) {
assert_int_equal(dns_keytable_find(keytable, str2name("example.com"),
&keynode),
ISC_R_SUCCESS);
assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
&next_keynode),
ISC_R_SUCCESS);
dns_keytable_detachkeynode(keytable, &next_keynode);
dns_keytable_detachkeynode(keytable, &keynode);
/*
* Get the keynode for the managed.com key. There's no other key for
* the name, so nextkeynode() should return NOTFOUND. Ensure the
* Get the keynode for the managed.com key. Ensure the
* retrieved key is an initializing key, then mark it as trusted using
* dns_keynode_trust() and ensure the latter works as expected.
*/
assert_int_equal(dns_keytable_find(keytable, str2name("managed.com"),
&keynode),
ISC_R_SUCCESS);
assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
&next_keynode),
ISC_R_NOTFOUND);
assert_int_equal(dns_keynode_initial(keynode), true);
dns_keynode_trust(keynode);
assert_int_equal(dns_keynode_initial(keynode), false);
......@@ -283,8 +271,7 @@ add_test(void **state) {
/*
* Add a different managed key for managed.com, marking it as an
* initializing key. Ensure nextkeynode() no longer returns
* ISC_R_NOTFOUND and that the added key is an initializing key.
* initializing key.
*/
create_key(257, 3, 5, "managed.com", keystr2, &key);
assert_int_equal(dns_keytable_add(keytable, true, true,
......@@ -293,11 +280,7 @@ add_test(void **state) {
assert_int_equal(dns_keytable_find(keytable, str2name("managed.com"),
&keynode),
ISC_R_SUCCESS);
assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
&next_keynode),
ISC_R_SUCCESS);
assert_int_equal(dns_keynode_initial(keynode), true);
dns_keytable_detachkeynode(keytable, &next_keynode);
dns_keytable_detachkeynode(keytable, &keynode);
/*
......@@ -314,22 +297,11 @@ add_test(void **state) {
&keynode),
ISC_R_SUCCESS);
assert_int_equal(dns_keynode_initial(keynode), false);
assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
&next_keynode),
ISC_R_SUCCESS);
dns_keytable_detachkeynode(keytable, &keynode);
keynode = next_keynode;
next_keynode = NULL;
assert_int_equal(dns_keynode_initial(keynode), false);
assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
&next_keynode),
ISC_R_NOTFOUND);
dns_keytable_detachkeynode(keytable, &keynode);
/*
* Add a managed key at a new node, two.com, marking it as an
* initializing key. Ensure nextkeynode() returns ISC_R_NOTFOUND and
* that the added key is an initializing key.
* initializing key.
*/
create_key(257, 3, 5, "two.com", keystr1, &key);
assert_int_equal(dns_keytable_add(keytable, true, true,
......@@ -338,16 +310,12 @@ add_test(void **state) {
assert_int_equal(dns_keytable_find(keytable, str2name("two.com"),
&keynode),
ISC_R_SUCCESS);
assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
&next_keynode),
ISC_R_NOTFOUND);
assert_int_equal(dns_keynode_initial(keynode), true);
dns_keytable_detachkeynode(keytable, &keynode);
/*
* Add a different managed key for two.com, marking it as a
* non-initializing key. Ensure nextkeynode() no longer returns
* ISC_R_NOTFOUND and that the added key is not an initializing key.
* non-initializing key.
*/
create_key(257, 3, 5, "two.com", keystr2, &key);
assert_int_equal(dns_keytable_add(keytable, true, false,
......@@ -356,10 +324,7 @@ add_test(void **state) {
assert_int_equal(dns_keytable_find(keytable, str2name("two.com"),
&keynode),
ISC_R_SUCCESS);
assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
&next_keynode), ISC_R_SUCCESS);
assert_int_equal(dns_keynode_initial(keynode), false);
dns_keytable_detachkeynode(keytable, &next_keynode);
dns_keytable_detachkeynode(keytable, &keynode);
/*
......@@ -376,16 +341,6 @@ add_test(void **state) {
&keynode),
ISC_R_SUCCESS);
assert_int_equal(dns_keynode_initial(keynode), false);
assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
&next_keynode),
ISC_R_SUCCESS);
dns_keytable_detachkeynode(keytable, &keynode);
keynode = next_keynode;
next_keynode = NULL;
assert_int_equal(dns_keynode_initial(keynode), false);
assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
&next_keynode),
ISC_R_NOTFOUND);
dns_keytable_detachkeynode(keytable, &keynode);
/*
......@@ -403,13 +358,11 @@ add_test(void **state) {
&keynode),
ISC_R_SUCCESS);
assert_int_equal(keynode, null_keynode); /* should be the same node */
assert_non_null(dns_keynode_key(keynode)); /* now have a key */
dns_keytable_detachkeynode(keytable, &null_keynode);
/*
* Try to add a null key to a name that already has a key. It's
* effectively no-op, so the same key node is still there, with no
* no next node.
* effectively no-op, so the same key node is still there.
* (Note: this and above checks confirm that if a name has a null key
* that's the only key for the name).
*/
......@@ -420,10 +373,6 @@ add_test(void **state) {
&null_keynode),
ISC_R_SUCCESS);
assert_int_equal(keynode, null_keynode);
assert_non_null(dns_keynode_key(keynode));
assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
&next_keynode),
ISC_R_NOTFOUND);
dns_keytable_detachkeynode(keytable, &null_keynode);
dns_keytable_detachkeynode(keytable, &keynode);
......@@ -553,7 +502,6 @@ find_test(void **state) {
str2name("null.example"),
&keynode),
ISC_R_SUCCESS);
assert_int_equal(dns_keynode_key(keynode), NULL);
dns_keytable_detachkeynode(keytable, &keynode);
/*
......@@ -581,37 +529,6 @@ find_test(void **state) {
ISC_R_SUCCESS);
assert_true(dns_name_equal(name, str2name("null.example")));
/*
* dns_keytable_findkeynode() requires exact name, algorithm, keytag
* match. If algorithm or keytag doesn't match, should result in
* PARTIALMATCH. Same for a node with a null key.
*/
assert_int_equal(dns_keytable_findkeynode(keytable,
str2name("example.org"),
5, keytag1, &keynode),
ISC_R_NOTFOUND);
assert_int_equal(dns_keytable_findkeynode(keytable,
str2name("sub.example.com"),
5, keytag1, &keynode),
ISC_R_NOTFOUND);
assert_int_equal(dns_keytable_findkeynode(keytable,
str2name("example.com"),
4, keytag1, &keynode),
DNS_R_PARTIALMATCH); /* different algorithm */
assert_int_equal(dns_keytable_findkeynode(keytable,
str2name("example.com"),
5, keytag1 + 1, &keynode),
DNS_R_PARTIALMATCH); /* different keytag */
assert_int_equal(dns_keytable_findkeynode(keytable,
str2name("null.example"),
5, 0, &keynode),
DNS_R_PARTIALMATCH); /* null key */
assert_int_equal(dns_keytable_findkeynode(keytable,
str2name("example.com"),
5, keytag1, &keynode),
ISC_R_SUCCESS); /* complete match */
dns_keytable_detachkeynode(keytable, &keynode);
destroy_tables();
}
......
......@@ -1684,110 +1684,6 @@ check_signer(dns_validator_t *val, dns_rdata_t *keyrdata,
return (result);
}
static isc_result_t
anchor_signed(dns_validator_t *val, isc_result_t *resp) {
isc_result_t result;
bool atsep = false;
/*
* First, see if this key was signed by a trust anchor.
*/
for (result = dns_rdataset_first(val->event->sigrdataset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(val->event->sigrdataset))
{
dns_keynode_t *keynode = NULL;
dns_rdata_t sigrdata = DNS_RDATA_INIT;
dns_fixedname_t fixed;
dns_name_t *found;
dst_key_t *dstkey;
dns_rdata_rrsig_t sig;
found = dns_fixedname_initname(&fixed);
dns_rdata_reset(&sigrdata);
dns_rdataset_current(val->event->sigrdataset, &sigrdata);
result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
if (!dns_name_equal(val->event->name, &sig.signer)) {
continue;
}
result = dns_keytable_findkeynode(val->keytable,
val->event->name,
sig.algorithm, sig.keyid,
&keynode);
if (result == ISC_R_NOTFOUND) {
result = dns_keytable_finddeepestmatch(val->keytable,
val->event->name,
found);
if (result != ISC_R_SUCCESS) {
validator_log(val, ISC_LOG_DEBUG(3),
"not beneath secure root");
*resp = markanswer(val, "validate_dnskey (1)",
"not beneath secure root");
return (ISC_R_COMPLETE);
}
continue;
}
if (result == DNS_R_PARTIALMATCH || result == ISC_R_SUCCESS) {
atsep = true;
}
while (result == ISC_R_SUCCESS) {
dns_keynode_t *nextnode = NULL;
dstkey = dns_keynode_key(keynode);
if (dstkey == NULL) {
dns_keytable_detachkeynode(val->keytable,
&keynode);
break;
}
result = verify(val, dstkey, &sigrdata, sig.keyid);
if (result == ISC_R_SUCCESS) {
dns_keytable_detachkeynode(val->keytable,
&keynode);
break;
}
result = dns_keytable_findnextkeynode(val->keytable,
keynode,
&nextnode);
dns_keytable_detachkeynode(val->keytable, &keynode);
keynode = nextnode;
}
if (result == ISC_R_SUCCESS) {
marksecure(val->event);
validator_log(val, ISC_LOG_DEBUG(3),
"signed by trusted key; "
"marking as secure");
*resp = result;
return (ISC_R_COMPLETE);
}
}
if (atsep) {
/*
* We have not found a key to verify this DNSKEY
* RRset, but there is a trust anchor defined for this
* name, so we have to assume that the RRset is invalid.
*/
char namebuf[DNS_NAME_FORMATSIZE];
dns_name_format(val->event->name, namebuf, sizeof(namebuf));
validator_log(val, ISC_LOG_NOTICE,
"unable to find a DNSKEY which verifies "
"the DNSKEY RRset and also matches a "
"trusted key for '%s'", namebuf);
*resp = DNS_R_NOVALIDKEY;
return (ISC_R_COMPLETE);
}
return (result);
}
/*
* get_dsset is called to look up a DS RRset corresponding to the name
* of a DNSKEY record, either in the cache or, if necessary, by starting a
......@@ -1924,15 +1820,6 @@ validate_dnskey(dns_validator_t *val) {