9e77d51069a97a21c68184134a0c9847e95490ffMark Andrews

9e77d51069a97a21c68184134a0c9847e95490ffMark Andrews#include <config.h>

9e77d51069a97a21c68184134a0c9847e95490ffMark Andrews

9e77d51069a97a21c68184134a0c9847e95490ffMark Andrews#include <isc/mem.h>

9e77d51069a97a21c68184134a0c9847e95490ffMark Andrews#include <isc/print.h>

a26ad011f382d12058478704cb5e90e6f4366d01Andreas Gustafsson#include <isc/task.h>

a26ad011f382d12058478704cb5e90e6f4366d01Andreas Gustafsson#include <isc/util.h>

c2bc56dc65b4b103a5600565680eb5f33fa4c90bMark Andrews

9e77d51069a97a21c68184134a0c9847e95490ffMark Andrews#include <dns/db.h>

c2bc56dc65b4b103a5600565680eb5f33fa4c90bMark Andrews#include <dns/dnssec.h>

c2bc56dc65b4b103a5600565680eb5f33fa4c90bMark Andrews#include <dns/events.h>

9e77d51069a97a21c68184134a0c9847e95490ffMark Andrews#include <dns/keytable.h>

12178c86525332bb0ab66155feb61fbf32eca6acEvan Hunt#include <dns/log.h>

9e77d51069a97a21c68184134a0c9847e95490ffMark Andrews#include <dns/message.h>

9e77d51069a97a21c68184134a0c9847e95490ffMark Andrews#include <dns/nxt.h>

0e40083fdd5445703bd30e46e5bfe7d047bced12Brian Wellington#include <dns/rdata.h>

8d0ee7a153381d98f6c1e6e9bfe6b73659433666Brian Wellington#include <dns/rdataset.h>

9e77d51069a97a21c68184134a0c9847e95490ffMark Andrews#include <dns/rdatatype.h>

a27fe4c990f96bd792f2a07ca4d38c78d5b9df2cTatuya JINMEI 神明達哉#include <dns/resolver.h>

c2bc56dc65b4b103a5600565680eb5f33fa4c90bMark Andrews#include <dns/result.h>

9e77d51069a97a21c68184134a0c9847e95490ffMark Andrews#include <dns/validator.h>

9e77d51069a97a21c68184134a0c9847e95490ffMark Andrews#include <dns/view.h>

8d0ee7a153381d98f6c1e6e9bfe6b73659433666Brian Wellington

a27fe4c990f96bd792f2a07ca4d38c78d5b9df2cTatuya JINMEI 神明達哉typedef struct dns_siginfo {

a27fe4c990f96bd792f2a07ca4d38c78d5b9df2cTatuya JINMEI 神明達哉 dns_rdatatype_t covers;

9e77d51069a97a21c68184134a0c9847e95490ffMark Andrews dns_secalg_t algorithm;

e99691e566c10f8901b3f66a6b6629705cf78c52Mark Andrews isc_uint8_t labels;

9e77d51069a97a21c68184134a0c9847e95490ffMark Andrews dns_ttl_t original_ttl;

9e77d51069a97a21c68184134a0c9847e95490ffMark Andrews isc_stdtime_t expiration;

f4cbe536b11da614fe05aeaeff41e324854cda7bMark Andrews isc_stdtime_t inception;

9e77d51069a97a21c68184134a0c9847e95490ffMark Andrews dns_keytag_t tag;

9e77d51069a97a21c68184134a0c9847e95490ffMark Andrews dns_name_t signer;

bb1cf189bb9fd9059cf13b785d15b0e50c0be8fbAndreas Gustafsson isc_region_t signature;

9e77d51069a97a21c68184134a0c9847e95490ffMark Andrews} dns_siginfo_t;

01b8865b1462ba219c90cf6c00f1bf0fdf780d9bBrian Wellington

01b8865b1462ba219c90cf6c00f1bf0fdf780d9bBrian Wellingtonstruct dns_validator {

c40265eba0c99708887d68e67901924065ba2514Brian Wellington /* Unlocked. */

c40265eba0c99708887d68e67901924065ba2514Brian Wellington unsigned int magic;

c40265eba0c99708887d68e67901924065ba2514Brian Wellington isc_mutex_t lock;

c40265eba0c99708887d68e67901924065ba2514Brian Wellington dns_view_t * view;

9e77d51069a97a21c68184134a0c9847e95490ffMark Andrews /* Locked by lock. */

9e77d51069a97a21c68184134a0c9847e95490ffMark Andrews unsigned int options;

a26ad011f382d12058478704cb5e90e6f4366d01Andreas Gustafsson unsigned int attributes;

74cb99072c4b0ebd2ccafcfa284288fa760f7a1aMark Andrews dns_validatorevent_t * event;

74cb99072c4b0ebd2ccafcfa284288fa760f7a1aMark Andrews dns_fetch_t * fetch;

a26ad011f382d12058478704cb5e90e6f4366d01Andreas Gustafsson dns_validator_t * keyvalidator;

a26ad011f382d12058478704cb5e90e6f4366d01Andreas Gustafsson dns_keytable_t * keytable;

a26ad011f382d12058478704cb5e90e6f4366d01Andreas Gustafsson dns_keynode_t * keynode;

74cb99072c4b0ebd2ccafcfa284288fa760f7a1aMark Andrews dst_key_t * key;

74cb99072c4b0ebd2ccafcfa284288fa760f7a1aMark Andrews dns_siginfo_t * siginfo;

a26ad011f382d12058478704cb5e90e6f4366d01Andreas Gustafsson isc_task_t * task;

a26ad011f382d12058478704cb5e90e6f4366d01Andreas Gustafsson isc_taskaction_t action;

fcb54ce0a4f7377486df5bec83b3aa4711bf4131Mark Andrews void * arg;

fcb54ce0a4f7377486df5bec83b3aa4711bf4131Mark Andrews dns_name_t * queryname;

a27fe4c990f96bd792f2a07ca4d38c78d5b9df2cTatuya JINMEI 神明達哉 unsigned int labels;

a27fe4c990f96bd792f2a07ca4d38c78d5b9df2cTatuya JINMEI 神明達哉};

a27fe4c990f96bd792f2a07ca4d38c78d5b9df2cTatuya JINMEI 神明達哉

e99691e566c10f8901b3f66a6b6629705cf78c52Mark Andrews#define VALIDATOR_MAGIC 0x56616c3fU /* Val?. */

f4cbe536b11da614fe05aeaeff41e324854cda7bMark Andrews#define VALID_VALIDATOR(v) ISC_MAGIC_VALID(v, VALIDATOR_MAGIC)

a27fe4c990f96bd792f2a07ca4d38c78d5b9df2cTatuya JINMEI 神明達哉

a27fe4c990f96bd792f2a07ca4d38c78d5b9df2cTatuya JINMEI 神明達哉#define VALATTR_SHUTDOWN 0x01

a27fe4c990f96bd792f2a07ca4d38c78d5b9df2cTatuya JINMEI 神明達哉#define VALATTR_NEGATIVE 0x02

bb01a40e659564bcb9571eca0319762eb20b7a01Andreas Gustafsson#define SHUTDOWN(v) (((v)->attributes & VALATTR_SHUTDOWN) != 0)

c40265eba0c99708887d68e67901924065ba2514Brian Wellington

c40265eba0c99708887d68e67901924065ba2514Brian Wellingtonstatic void nullkeyvalidated(isc_task_t *task, isc_event_t *event);

c40265eba0c99708887d68e67901924065ba2514Brian Wellingtonstatic inline isc_boolean_t containsnullkey(dns_validator_t *val,

c40265eba0c99708887d68e67901924065ba2514Brian Wellington dns_rdataset_t *rdataset);

bb01a40e659564bcb9571eca0319762eb20b7a01Andreas Gustafssonstatic inline isc_result_t get_dst_key(dns_validator_t *val,

bb01a40e659564bcb9571eca0319762eb20b7a01Andreas Gustafsson dns_siginfo_t *siginfo,

4137fd1295f3c6242a1c641352c8811378912820Andreas Gustafsson dns_rdataset_t *rdataset);

01b8865b1462ba219c90cf6c00f1bf0fdf780d9bBrian Wellingtonstatic inline isc_result_t validate(dns_validator_t *val, isc_boolean_t resume);

bb01a40e659564bcb9571eca0319762eb20b7a01Andreas Gustafssonstatic inline isc_result_t nxtvalidate(dns_validator_t *val,

f4cbe536b11da614fe05aeaeff41e324854cda7bMark Andrews isc_boolean_t resume);

74cb99072c4b0ebd2ccafcfa284288fa760f7a1aMark Andrewsstatic inline isc_result_t proveunsecure(dns_validator_t *val,

74cb99072c4b0ebd2ccafcfa284288fa760f7a1aMark Andrews isc_boolean_t resume);

47c2e9924ef9f9c20287642e4f0a13a5f2cb2574Mark Andrews

53aba5065d2ee3c103912ecfe865418bad6fa576Brian Wellingtonstatic void validator_log(dns_validator_t *val, int level,

47c2e9924ef9f9c20287642e4f0a13a5f2cb2574Mark Andrews const char *fmt, ...);

c40265eba0c99708887d68e67901924065ba2514Brian Wellington

c40265eba0c99708887d68e67901924065ba2514Brian Wellingtonstatic void

d03d2dbfe9cebf4dbbd2c8807afe5703862cc721Mark Andrewsrdata_to_siginfo(dns_rdata_t *rdata, dns_siginfo_t *siginfo) {

isc_buffer_t b;

isc_region_t r;

REQUIRE(rdata->type == 24);

isc_buffer_init(&b, rdata->data, rdata->length);

isc_buffer_add(&b, rdata->length);

siginfo->covers = (dns_rdatatype_t)isc_buffer_getuint16(&b);

siginfo->algorithm = (dns_secalg_t)isc_buffer_getuint8(&b);

siginfo->labels = isc_buffer_getuint8(&b);

siginfo->original_ttl = (dns_ttl_t)isc_buffer_getuint32(&b);

siginfo->expiration = (isc_stdtime_t)isc_buffer_getuint32(&b);

siginfo->inception = (isc_stdtime_t)isc_buffer_getuint32(&b);

siginfo->tag = (dns_keytag_t)isc_buffer_getuint16(&b);

dns_name_init(&siginfo->signer, NULL);

isc_buffer_remainingregion(&b, &r);

dns_name_fromregion(&siginfo->signer, &r);

isc_buffer_forward(&b, siginfo->signer.length);

isc_buffer_remainingregion(&b, &siginfo->signature);

}

static void

validator_done(dns_validator_t *val, isc_result_t result) {

isc_task_t *task;

REQUIRE(val->event != NULL);

/*

val->event->result = result;

task = val->event->ev_sender;

val->event->ev_sender = val;

val->event->ev_type = DNS_EVENT_VALIDATORDONE;

val->event->ev_action = val->action;

val->event->ev_arg = val->arg;

if ((val->attributes & VALATTR_NEGATIVE) != 0) {

val->event->rdataset = NULL;

val->event->sigrdataset = NULL;

if (val->queryname != NULL)

val->event->name = val->queryname;

}

isc_task_sendanddetach(&task, (isc_event_t **)&val->event);

}

static void

fetch_callback_validator(isc_task_t *task, isc_event_t *event) {

dns_fetchevent_t *devent;

dns_validator_t *val;

dns_rdataset_t *rdataset;

isc_result_t result;

UNUSED(task);

INSIST(event->ev_type == DNS_EVENT_FETCHDONE);

devent = (dns_fetchevent_t *)event;

val = devent->ev_arg;

rdataset = devent->rdataset;

validator_log(val, ISC_LOG_DEBUG(3), "in fetch_callback_validator");

if (devent->result == ISC_R_SUCCESS) {

LOCK(&val->lock);

result = get_dst_key(val, val->siginfo, rdataset);

if (result != ISC_R_SUCCESS) {

/*

validator_done(val, result);

UNLOCK(&val->lock);

goto free_event;

}

if (val->attributes & VALATTR_NEGATIVE)

result = nxtvalidate(val, ISC_TRUE);

else

result = validate(val, ISC_TRUE);

if (result != DNS_R_WAIT) {

validator_done(val, result);

UNLOCK(&val->lock);

goto free_event;

}

UNLOCK(&val->lock);

} else

validator_log(val, ISC_LOG_DEBUG(3),

"fetch_callback_validator: got %s",

dns_result_totext(devent->result));

free_event:

dns_resolver_destroyfetch(&val->fetch);

/*

isc_mem_put(val->view->mctx, devent->rdataset, sizeof(dns_rdataset_t));

isc_mem_put(val->view->mctx, devent->sigrdataset,

sizeof(dns_rdataset_t));

isc_event_free(&event);

}

static void

fetch_callback_nullkey(isc_task_t *task, isc_event_t *event) {

dns_fetchevent_t *devent;

dns_validator_t *val;

dns_rdataset_t *rdataset, *sigrdataset;

isc_result_t result;

UNUSED(task);

INSIST(event->ev_type == DNS_EVENT_FETCHDONE);

devent = (dns_fetchevent_t *)event;

val = devent->ev_arg;

rdataset = devent->rdataset;

sigrdataset = devent->sigrdataset;

validator_log(val, ISC_LOG_DEBUG(3), "in fetch_callback_nullkey");

if (devent->result == ISC_R_SUCCESS) {

LOCK(&val->lock);

if (!containsnullkey(val, rdataset)) {

/*

validator_log(val, ISC_LOG_DEBUG(3),

"found a keyset, no null key");

result = proveunsecure(val, ISC_TRUE);

if (result != DNS_R_WAIT)

validator_done(val, ISC_R_SUCCESS);

} else {

validator_log(val, ISC_LOG_DEBUG(3),

"found a keyset with a null key");

if (rdataset->trust >= dns_trust_secure)

validator_done(val, ISC_R_SUCCESS);

else if (!dns_rdataset_isassociated(sigrdataset))

validator_done(val, ISC_R_FAILURE);

else {

dns_name_t *tname;

tname = dns_fixedname_name(&devent->foundname);

result = dns_validator_create(val->view, tname,

dns_rdatatype_key,

rdataset,

sigrdataset, NULL,

0, val->task,

nullkeyvalidated,

val,

&val->keyvalidator);

if (result != ISC_R_SUCCESS)

validator_done(val, result);

/*

devent->rdataset = NULL;

devent->sigrdataset = NULL;

}

}

UNLOCK(&val->lock);

} else if (devent->result == DNS_R_NCACHENXDOMAIN ||

devent->result == DNS_R_NCACHENXRRSET ||

devent->result == DNS_R_NXDOMAIN ||

devent->result == DNS_R_NXRRSET)

{

/*

validator_log(val, ISC_LOG_DEBUG(3),

"no keys found");

LOCK(&val->lock);

result = proveunsecure(val, ISC_TRUE);

if (result != DNS_R_WAIT)

validator_done(val, result);

UNLOCK(&val->lock);

} else

validator_log(val, ISC_LOG_DEBUG(3),

"fetch_callback_nullkey: got %s",

dns_result_totext(devent->result));

dns_resolver_destroyfetch(&val->fetch);

/*

if (devent->rdataset != NULL)

isc_mem_put(val->view->mctx, devent->rdataset,

sizeof(dns_rdataset_t));

if (devent->sigrdataset != NULL)

isc_mem_put(val->view->mctx, devent->sigrdataset,

sizeof(dns_rdataset_t));

isc_event_free(&event);

}

static void

keyvalidated(isc_task_t *task, isc_event_t *event) {

dns_validatorevent_t *devent;

dns_validator_t *val;

dns_rdataset_t *rdataset;

isc_result_t result;

UNUSED(task);

INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);

devent = (dns_validatorevent_t *)event;

rdataset = devent->rdataset;

val = devent->ev_arg;

validator_log(val, ISC_LOG_DEBUG(3), "in keyvalidated");

if (devent->result == ISC_R_SUCCESS) {

LOCK(&val->lock);

result = get_dst_key(val, val->siginfo, rdataset);

if (result != ISC_R_SUCCESS) {

/*

validator_done(val, result);

UNLOCK(&val->lock);

goto free_event;

}

if (val->attributes & VALATTR_NEGATIVE)

result = nxtvalidate(val, ISC_TRUE);

else

result = validate(val, ISC_TRUE);

if (result != DNS_R_WAIT) {

validator_done(val, result);

UNLOCK(&val->lock);

goto free_event;

}

UNLOCK(&val->lock);

} else

validator_log(val, ISC_LOG_DEBUG(3),

"keyvalidated: got %s",

dns_result_totext(devent->result));

free_event:

dns_validator_destroy(&val->keyvalidator);

/*

isc_mem_put(val->view->mctx, devent->rdataset, sizeof(dns_rdataset_t));

isc_mem_put(val->view->mctx, devent->sigrdataset,

sizeof(dns_rdataset_t));

isc_event_free(&event);

}

static void

nullkeyvalidated(isc_task_t *task, isc_event_t *event) {

dns_validatorevent_t *devent;

dns_validator_t *val;

dns_rdataset_t *rdataset;

isc_result_t result;

UNUSED(task);

INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);

devent = (dns_validatorevent_t *)event;

rdataset = devent->rdataset;

val = devent->ev_arg;

validator_log(val, ISC_LOG_DEBUG(3), "in nullkeyvalidated");

if (devent->result == ISC_R_SUCCESS) {

validator_log(val, ISC_LOG_DEBUG(3),

"proved that name is in an unsecure domain");

LOCK(&val->lock);

validator_done(val, ISC_R_SUCCESS);

UNLOCK(&val->lock);

} else {

LOCK(&val->lock);

result = proveunsecure(val, ISC_TRUE);

if (result != DNS_R_WAIT)

validator_done(val, result);

UNLOCK(&val->lock);

}

dns_validator_destroy(&val->keyvalidator);

/*

isc_mem_put(val->view->mctx, devent->rdataset, sizeof(dns_rdataset_t));

isc_mem_put(val->view->mctx, devent->sigrdataset,

sizeof(dns_rdataset_t));

dns_name_free(devent->name, val->view->mctx);

isc_mem_put(val->view->mctx, devent->name, sizeof(dns_name_t));

isc_event_free(&event);

}

static inline isc_boolean_t

containsnullkey(dns_validator_t *val, dns_rdataset_t *rdataset) {

isc_result_t result;

dst_key_t *key = NULL;

isc_buffer_t b;

dns_rdata_t rdata;

isc_boolean_t found = ISC_FALSE;

result = dns_rdataset_first(rdataset);

if (result != ISC_R_SUCCESS)

return (ISC_FALSE);

while (result == ISC_R_SUCCESS && !found) {

dns_rdataset_current(rdataset, &rdata);

isc_buffer_init(&b, rdata.data, rdata.length);

isc_buffer_add(&b, rdata.length);

key = NULL;

/*

result = dst_key_fromdns("", &b, val->view->mctx, &key);

if (result != ISC_R_SUCCESS)

continue;

if (dst_key_isnullkey(key))

found = ISC_TRUE;

dst_key_free(key);

result = dns_rdataset_next(rdataset);

}

return (found);

}

static inline isc_result_t

get_dst_key(dns_validator_t *val, dns_siginfo_t *siginfo,

dns_rdataset_t *rdataset)

{

isc_result_t result;

isc_buffer_t b;

dns_rdata_t rdata;

char ntext[1024];

result = dns_rdataset_first(rdataset);

if (result != ISC_R_SUCCESS)

return (result);

do {

dns_rdataset_current(rdataset, &rdata);

/*

isc_buffer_init(&b, ntext, sizeof(ntext) - 1);

result = dns_name_totext(&siginfo->signer, ISC_FALSE, &b);

if (result != ISC_R_SUCCESS)

return (result);

/*

isc_buffer_putuint8(&b, 0);

isc_buffer_init(&b, rdata.data, rdata.length);

isc_buffer_add(&b, rdata.length);

INSIST(val->key == NULL);

result = dst_key_fromdns(ntext, &b, val->view->mctx,

&val->key);

if (result != ISC_R_SUCCESS)

return (result);

if (siginfo->algorithm ==

(dns_secalg_t)dst_key_alg(val->key) &&

siginfo->tag ==

(dns_keytag_t)dst_key_id(val->key) &&

dst_key_iszonekey(val->key))

{

/*

return (ISC_R_SUCCESS);

}

dst_key_free(val->key);

val->key = NULL;

result = dns_rdataset_next(rdataset);

} while (result == ISC_R_SUCCESS);

if (result == ISC_R_NOMORE)

result = ISC_R_NOTFOUND;

return (result);

}

static inline isc_result_t

get_key(dns_validator_t *val, dns_siginfo_t *siginfo) {

isc_result_t result;

dns_validatorevent_t *event;

unsigned int nbits, nlabels;

int order;

dns_namereln_t namereln;

dns_rdataset_t rdataset, sigrdataset;

event = val->event;

/*

INSIST(val->keynode == NULL);

val->keytable = val->view->secroots;

result = dns_keytable_findkeynode(val->view->secroots,

&siginfo->signer,

siginfo->algorithm, siginfo->tag,

&val->keynode);

if (result == ISC_R_NOTFOUND) {

/*

val->keytable = val->view->trustedkeys;

result = dns_keytable_findkeynode(val->view->trustedkeys,

&siginfo->signer,

siginfo->algorithm,

siginfo->tag,

&val->keynode);

if (result == ISC_R_SUCCESS) {

/*

val->key = dns_keynode_key(val->keynode);

return (ISC_R_SUCCESS);

} else if (result != ISC_R_NOTFOUND)

return (result);

} else if (result == ISC_R_SUCCESS) {

/*

val->key = dns_keynode_key(val->keynode);

return (ISC_R_SUCCESS);

} else

return (result);

/*

/*

namereln = dns_name_fullcompare(event->name, &siginfo->signer,

&order, &nlabels, &nbits);

if (event->rdataset->type == dns_rdatatype_key &&

namereln != dns_namereln_subdomain) {

/*

return (DNS_R_CONTINUE);

} else if (namereln != dns_namereln_subdomain &&

namereln != dns_namereln_equal) {

/*

return (DNS_R_CONTINUE);

}

/*

dns_rdataset_init(&rdataset);

dns_rdataset_init(&sigrdataset);

result = dns_view_simplefind(val->view, &siginfo->signer,

dns_rdatatype_key, 0,

DNS_DBFIND_PENDINGOK, ISC_FALSE,

&rdataset, &sigrdataset);

if (result == ISC_R_SUCCESS) {

/*

if (rdataset.trust == dns_trust_pending) {

/*

dns_rdataset_t *frdataset, *fsigrdataset;

frdataset = isc_mem_get(val->view->mctx,

sizeof *frdataset);

if (frdataset == NULL)

return (ISC_R_NOMEMORY);

fsigrdataset = isc_mem_get(val->view->mctx,

sizeof *fsigrdataset);

if (fsigrdataset == NULL) {

isc_mem_put(val->view->mctx, frdataset,

sizeof *frdataset);

return (ISC_R_NOMEMORY);

}

dns_rdataset_init(frdataset);

dns_rdataset_init(fsigrdataset);

dns_rdataset_clone(&rdataset, frdataset);

dns_rdataset_clone(&sigrdataset, fsigrdataset);

result = dns_validator_create(val->view,

&siginfo->signer,

dns_rdatatype_key,

frdataset,

fsigrdataset,

NULL,

0,

val->task,

keyvalidated,

val,

&val->keyvalidator);

if (result != ISC_R_SUCCESS)

return (result);

return (DNS_R_WAIT);

} else {

/*

/*

result = get_dst_key(val, siginfo, &rdataset);

if (result != ISC_R_SUCCESS) {

/*

result = DNS_R_CONTINUE;

}

}

} else if (result == ISC_R_NOTFOUND) {

/*

dns_rdataset_t *frdataset, *fsigrdataset;

frdataset = isc_mem_get(val->view->mctx, sizeof *frdataset);

if (frdataset == NULL)

return (ISC_R_NOMEMORY);

fsigrdataset = isc_mem_get(val->view->mctx,

sizeof *fsigrdataset);

if (fsigrdataset == NULL) {

isc_mem_put(val->view->mctx, frdataset,

sizeof *frdataset);

return (ISC_R_NOMEMORY);

}

dns_rdataset_init(frdataset);

dns_rdataset_init(fsigrdataset);

val->fetch = NULL;

result = dns_resolver_createfetch(val->view->resolver,

&siginfo->signer,

dns_rdatatype_key,

NULL, NULL, NULL, 0,

val->event->ev_sender,

fetch_callback_validator,

val,

frdataset,

fsigrdataset,

&val->fetch);

if (result != ISC_R_SUCCESS)

return (result);

return (DNS_R_WAIT);

} else if (result == DNS_R_NCACHENXDOMAIN ||

result == DNS_R_NCACHENXRRSET ||

result == DNS_R_NXDOMAIN ||

result == DNS_R_NXRRSET) {

/*

result = DNS_R_CONTINUE;

}

if (dns_rdataset_isassociated(&rdataset))

dns_rdataset_disassociate(&rdataset);

if (dns_rdataset_isassociated(&sigrdataset))

dns_rdataset_disassociate(&sigrdataset);

return (result);

}

static inline isc_result_t

validate(dns_validator_t *val, isc_boolean_t resume) {

isc_result_t result;

dns_validatorevent_t *event;

dns_rdata_t rdata;

/*

event = val->event;

if (resume) {

/*

result = ISC_R_SUCCESS;

} else {

result = dns_rdataset_first(event->sigrdataset);

}

for (;

result == ISC_R_SUCCESS;

result = dns_rdataset_next(event->sigrdataset))

{

dns_rdataset_current(event->sigrdataset, &rdata);

if (val->siginfo != NULL)

isc_mem_put(val->view->mctx, val->siginfo,

sizeof *val->siginfo);

val->siginfo = isc_mem_get(val->view->mctx,

sizeof *val->siginfo);

if (val->siginfo == NULL)

return (ISC_R_NOMEMORY);

rdata_to_siginfo(&rdata, val->siginfo);

/*

if (!resume) {

result = get_key(val, val->siginfo);

if (result == DNS_R_CONTINUE)

continue; /* Try the next SIG RR. */

if (result != ISC_R_SUCCESS)

return (result);

}

INSIST(val->key != NULL);

result = dns_dnssec_verify(event->name, event->rdataset,

val->key, ISC_FALSE, val->view->mctx,

&rdata);

if (val->keynode != NULL)

dns_keytable_detachkeynode(val->keytable,

&val->keynode);

else if (val->key != NULL)

dst_key_free(val->key);

val->key = NULL;

if (result == ISC_R_SUCCESS) {

event->rdataset->trust = dns_trust_secure;

event->sigrdataset->trust = dns_trust_secure;

validator_log(val, ISC_LOG_DEBUG(3),

"marking as secure");

return (result);

}

else

validator_log(val, ISC_LOG_DEBUG(3),

"verify failure: %s",

dns_result_totext(result));

}

if (result == ISC_R_NOMORE)

result = ISC_R_NOTFOUND;

return (result);

}

static inline isc_result_t

nxtvalidate(dns_validator_t *val, isc_boolean_t resume) {

dns_name_t *name;

dns_rdata_t rdata;

dns_message_t *message = val->event->message;

isc_result_t result;

int order;

isc_region_t r;

dns_name_t nextname;

isc_boolean_t firstname = ISC_TRUE;

validator_log(val, ISC_LOG_DEBUG(3), "in nxtvalidate()");

if (!resume) {

val->attributes |= VALATTR_NEGATIVE;

result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);

if (result != ISC_R_SUCCESS)

validator_done(val, ISC_R_NOTFOUND);

} else

result = ISC_R_SUCCESS;

for (;

result == ISC_R_SUCCESS;

result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))

{

dns_rdataset_t *rdataset, *sigrdataset = NULL;

name = NULL;

dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);

if (!resume || !firstname) {

for (rdataset = ISC_LIST_HEAD(name->list);

rdataset != NULL;

rdataset = ISC_LIST_NEXT(rdataset, link))

{

if (rdataset->type != dns_rdatatype_nxt)

continue;

if (dns_rdataset_count(rdataset) != 1)

return (DNS_R_FORMERR);

for (sigrdataset = ISC_LIST_HEAD(name->list);

sigrdataset != NULL;

sigrdataset = ISC_LIST_NEXT(sigrdataset,

link))

{

if (sigrdataset->type ==

dns_rdatatype_sig

&&

sigrdataset->covers ==

dns_rdatatype_nxt)

break;

}

if (sigrdataset != NULL)

break;

}

if (rdataset == NULL)

continue;

val->event->rdataset = rdataset;

val->event->sigrdataset = sigrdataset;

val->queryname = val->event->name;

val->event->name = name;

}

firstname = ISC_FALSE;

order = dns_name_compare(val->queryname, val->event->name);

if (order == 0) {

if (val->event->type >= 128) {

validator_log(val, ISC_LOG_DEBUG(3),

"invalid type %d",

val->event->type);

continue;

}

result = dns_rdataset_first(val->event->rdataset);

INSIST(result == ISC_R_SUCCESS);

dns_rdataset_current(val->event->rdataset, &rdata);

if (dns_nxt_typepresent(&rdata, val->event->type)) {

validator_log(val, ISC_LOG_DEBUG(3),

"type should not be present");

continue;

}

validator_log(val, ISC_LOG_DEBUG(3),

"nxt bitmask ok");

} else if (order > 0) {

result = dns_rdataset_first(val->event->rdataset);

INSIST(result == ISC_R_SUCCESS);

dns_rdataset_current(val->event->rdataset, &rdata);

dns_rdata_toregion(&rdata, &r);

dns_name_init(&nextname, NULL);

dns_name_fromregion(&nextname, &r);

order = dns_name_compare(val->queryname, &nextname);

if (order >= 0) {

if (val->siginfo == NULL) {

dns_rdataset_t *sigset;

dns_rdata_t sigrdata;

sigset = val->event->sigrdataset;

result = dns_rdataset_first(sigset);

INSIST(result == ISC_R_SUCCESS);

dns_rdata_init(&sigrdata);

dns_rdataset_current(sigset,

&sigrdata);

val->siginfo =

isc_mem_get(val->view->mctx,

sizeof(*val->siginfo));

if (val->siginfo == NULL)

return (ISC_R_NOMEMORY);

rdata_to_siginfo(&sigrdata,

val->siginfo);

}

if (!dns_name_equal(&val->siginfo->signer,

&nextname))

{

validator_log(val, ISC_LOG_DEBUG(3),

"next name is not greater");

continue;

}

validator_log(val, ISC_LOG_DEBUG(3),

"nxt points to zone apex, ok");

}

validator_log(val, ISC_LOG_DEBUG(3),

"nxt range ok");

} else {

validator_log(val, ISC_LOG_DEBUG(3),

"nxt owner name is not less");

continue;

}

/*

result = validate(val, resume);

if (result != ISC_R_SUCCESS)

return (result);

return (ISC_R_SUCCESS);

}

validator_log(val, ISC_LOG_DEBUG(3),

"no relevant NXT found");

return (result);

}

static inline isc_result_t

proveunsecure(dns_validator_t *val, isc_boolean_t resume) {

isc_result_t result;

dns_fixedname_t secroot, tfname;

dns_name_t *tname;

dns_fixedname_init(&secroot);

dns_fixedname_init(&tfname);

result = dns_keytable_finddeepestmatch(val->view->secroots,

val->event->name,

dns_fixedname_name(&secroot));

if (result != ISC_R_SUCCESS)

return (result);

validator_log(val, ISC_LOG_DEBUG(3), "%s proveunsecure",

resume ? "resuming" : "in");

if (!resume)

val->labels = dns_name_depth(dns_fixedname_name(&secroot)) + 1;

else

val->labels++;

for (;

val->labels <= dns_name_depth(val->event->name);

val->labels++)

{

dns_rdataset_t rdataset, sigrdataset;

if (val->labels == dns_name_depth(val->event->name))

tname = val->event->name;

else {

tname = dns_fixedname_name(&tfname);

result = dns_name_splitatdepth(val->event->name,

val->labels,

NULL, tname);

if (result != ISC_R_SUCCESS)

return (result);

}

dns_rdataset_init(&rdataset);

dns_rdataset_init(&sigrdataset);

result = dns_view_simplefind(val->view, tname,

dns_rdatatype_key, 0,

DNS_DBFIND_PENDINGOK, ISC_FALSE,

&rdataset, &sigrdataset);

if (result == ISC_R_SUCCESS) {

dns_rdataset_t *frdataset = NULL, *fsigrdataset = NULL;

dns_name_t *fname = NULL;

if (!dns_rdataset_isassociated(&sigrdataset))

return (ISC_R_FAILURE);

validator_log(val, ISC_LOG_DEBUG(3),

"found keyset, looking for null key");

if (!containsnullkey(val, &rdataset))

continue;

if (rdataset.trust >= dns_trust_secure)

return (ISC_R_SUCCESS);

frdataset = isc_mem_get(val->view->mctx,

sizeof *frdataset);

if (frdataset == NULL)

return (ISC_R_NOMEMORY);

fsigrdataset = isc_mem_get(val->view->mctx,

sizeof *fsigrdataset);

if (fsigrdataset == NULL) {

isc_mem_put(val->view->mctx, frdataset,

sizeof *frdataset);

return (ISC_R_NOMEMORY);

}

fname = isc_mem_get(val->view->mctx, sizeof *fname);

if (fname == NULL) {

isc_mem_put(val->view->mctx, fsigrdataset,

sizeof *frdataset);

isc_mem_put(val->view->mctx, frdataset,

sizeof *fsigrdataset);

return (ISC_R_NOMEMORY);

}

dns_name_init(fname, NULL);

result = dns_name_dup(tname, val->view->mctx, fname);

if (result != ISC_R_SUCCESS) {

isc_mem_put(val->view->mctx, fsigrdataset,

sizeof *frdataset);

isc_mem_put(val->view->mctx, frdataset,

sizeof *fsigrdataset);

return (ISC_R_NOMEMORY);

}

dns_rdataset_init(frdataset);

dns_rdataset_init(fsigrdataset);

dns_rdataset_clone(&rdataset, frdataset);

dns_rdataset_clone(&sigrdataset, fsigrdataset);

result = dns_validator_create(val->view,

fname,

dns_rdatatype_key,

frdataset,

fsigrdataset,

NULL,

0,

val->task,

nullkeyvalidated,

val,

&val->keyvalidator);

return (DNS_R_WAIT);

} else if (result == ISC_R_NOTFOUND) {

dns_rdataset_t *frdataset = NULL, *fsigrdataset = NULL;

frdataset = isc_mem_get(val->view->mctx,

sizeof *frdataset);

if (frdataset == NULL)

return (ISC_R_NOMEMORY);

fsigrdataset = isc_mem_get(val->view->mctx,

sizeof *fsigrdataset);

if (fsigrdataset == NULL) {

isc_mem_put(val->view->mctx, frdataset,

sizeof *frdataset);

return (ISC_R_NOMEMORY);

}

dns_rdataset_init(frdataset);

dns_rdataset_init(fsigrdataset);

result = dns_resolver_createfetch(val->view->resolver,

tname,

dns_rdatatype_key,

NULL, NULL, NULL, 0,

val->event->ev_sender,

fetch_callback_nullkey,

val, frdataset,

fsigrdataset,

&val->fetch);

if (result != ISC_R_SUCCESS)

return (result);

return (DNS_R_WAIT);

} else if (result == DNS_R_NCACHENXDOMAIN ||

result == DNS_R_NCACHENXRRSET ||

result == DNS_R_NXDOMAIN ||

result == DNS_R_NXRRSET)

{

continue;

} else

return (result);

}

return (ISC_R_FAILURE); /* Didn't find a null key */

}

static void

validator_start(isc_task_t *task, isc_event_t *event) {

dns_validator_t *val;

dns_validatorevent_t *vevent;

isc_result_t result;

UNUSED(task);

REQUIRE(event->ev_type == DNS_EVENT_VALIDATORSTART);

vevent = (dns_validatorevent_t *) event;

val = vevent->validator;

LOCK(&val->lock);

if (val->event->rdataset != NULL && val->event->sigrdataset != NULL) {

/*

result = validate(val, ISC_FALSE);

} else if (val->event->rdataset != NULL) {

/*

result = proveunsecure(val, ISC_FALSE);

} else if (val->event->rdataset == NULL &&

val->event->sigrdataset == NULL)

{

/*

result = nxtvalidate(val, ISC_FALSE);

} else {

/*

result = ISC_R_FAILURE; /* Keep compiler happy. */

INSIST(0);

}

if (result != DNS_R_WAIT)

validator_done(val, result);

UNLOCK(&val->lock);

}

dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,

dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,

dns_message_t *message, unsigned int options,

isc_task_t *task, isc_taskaction_t action, void *arg,

dns_validator_t **validatorp)

{

isc_result_t result;

dns_validator_t *val;

isc_task_t *tclone;

dns_validatorevent_t *event;

REQUIRE(name != NULL);

REQUIRE(type != 0);

REQUIRE(rdataset != NULL ||

(rdataset == NULL && sigrdataset == NULL && message != NULL));

REQUIRE(options == 0);

REQUIRE(validatorp != NULL && *validatorp == NULL);

tclone = NULL;

result = ISC_R_FAILURE;

val = isc_mem_get(view->mctx, sizeof *val);

if (val == NULL)

return (ISC_R_NOMEMORY);

val->view = NULL;

dns_view_attach(view, &val->view);

event = (dns_validatorevent_t *)

isc_event_allocate(view->mctx, task,

DNS_EVENT_VALIDATORSTART,

validator_start, NULL,

sizeof (dns_validatorevent_t));

if (event == NULL) {

result = ISC_R_NOMEMORY;

goto cleanup_val;

}

isc_task_attach(task, &tclone);

event->validator = val;

event->result = ISC_R_FAILURE;

event->name = name;

event->type = type;

event->rdataset = rdataset;

event->sigrdataset = sigrdataset;

event->message = message;

result = isc_mutex_init(&val->lock);

if (result != ISC_R_SUCCESS)

goto cleanup_event;

val->event = event;

val->options = options;

val->attributes = 0;

val->fetch = NULL;

val->keyvalidator = NULL;

val->keynode = NULL;

val->key = NULL;

val->siginfo = NULL;

val->task = task;

val->action = action;

val->arg = arg;

val->queryname = NULL;

val->labels = 0;

val->magic = VALIDATOR_MAGIC;

isc_task_send(task, (isc_event_t **)&event);

*validatorp = val;

return (ISC_R_SUCCESS);

cleanup_event:

isc_task_detach(&tclone);

isc_event_free((isc_event_t **)&val->event);

cleanup_val:

dns_view_detach(&val->view);

isc_mem_put(view->mctx, val, sizeof *val);

return (result);

}

dns_validator_cancel(dns_validator_t *validator) {

isc_task_t *task;

REQUIRE(VALID_VALIDATOR(validator));

LOCK(&validator->lock);

if (validator->event != NULL) {

validator->event->result = ISC_R_CANCELED;

task = validator->event->ev_sender;

validator->event->ev_sender = validator;

isc_task_sendanddetach(&task,

(isc_event_t **)&validator->event);

if (validator->fetch != NULL)

dns_resolver_cancelfetch(validator->fetch);

if (validator->keyvalidator != NULL)

dns_validator_cancel(validator->keyvalidator);

}

UNLOCK(&validator->lock);

}

static void

destroy(dns_validator_t *val) {

isc_mem_t *mctx;

REQUIRE(SHUTDOWN(val));

REQUIRE(val->event == NULL);

REQUIRE(val->fetch == NULL);

if (val->keynode != NULL)

dns_keytable_detachkeynode(val->keytable, &val->keynode);

else if (val->key != NULL)

dst_key_free(val->key);

if (val->keyvalidator != NULL)

dns_validator_destroy(&val->keyvalidator);

mctx = val->view->mctx;

if (val->siginfo != NULL)

isc_mem_put(mctx, val->siginfo, sizeof *val->siginfo);

isc_mutex_destroy(&val->lock);

dns_view_detach(&val->view);

val->magic = 0;

isc_mem_put(mctx, val, sizeof *val);

}

dns_validator_destroy(dns_validator_t **validatorp) {

dns_validator_t *val;

isc_boolean_t want_destroy = ISC_FALSE;

REQUIRE(validatorp != NULL);

val = *validatorp;

REQUIRE(VALID_VALIDATOR(val));

LOCK(&val->lock);

REQUIRE(val->event == NULL);

val->attributes |= VALATTR_SHUTDOWN;

if (val->fetch == NULL)

want_destroy = ISC_TRUE;

UNLOCK(&val->lock);

if (want_destroy)

destroy(val);

*validatorp = NULL;

}

static void

validator_logv(dns_validator_t *val, isc_logcategory_t *category,

isc_logmodule_t *module, int level, const char *fmt, va_list ap)

{

char msgbuf[2048];

vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);

if (val->event != NULL && val->event->name != NULL &&

val->event->rdataset != NULL)

{

char namebuf[1024];

char typebuf[256];

isc_buffer_t b;

isc_region_t r;

dns_name_format(val->event->name, namebuf, sizeof(namebuf));

isc_buffer_init(&b, (unsigned char *)typebuf, sizeof(typebuf));

if (dns_rdatatype_totext(val->event->type, &b)

!= ISC_R_SUCCESS)

{

isc_buffer_clear(&b);

isc_buffer_putstr(&b, "<bad type>");

}

isc_buffer_usedregion(&b, &r);

isc_log_write(dns_lctx, category, module, level,

"validating %s %.*s: %s", namebuf,

(int) r.length, (char *) r.base, msgbuf);

} else {

isc_log_write(dns_lctx, category, module, level,

"validator @%p: %s", val, msgbuf);

}

}

static void

validator_log(dns_validator_t *val, int level, const char *fmt, ...)

{

va_list ap;

va_start(ap, fmt);

validator_logv(val, DNS_LOGCATEGORY_DNSSEC,

DNS_LOGMODULE_VALIDATOR, level, fmt, ap);

va_end(ap);

}