libdns refactoring: get rid of multiple versions of dns_dnssec_findmatchingkeys and dns_dnssec_findzonekeys
This commit is contained in:
parent
8c12e488f7
commit
25cd3168a7
10 changed files with 73 additions and 152 deletions
|
|
@ -671,8 +671,11 @@ matching_sigs(keyinfo_t *keytbl, dns_rdataset_t *rdataset,
|
|||
}
|
||||
|
||||
result = dns_dnssec_verify(name, rdataset, ki->dst,
|
||||
ISC_FALSE, mctx, &sigrdata);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
ISC_FALSE, 0, mctx,
|
||||
&sigrdata, NULL);
|
||||
|
||||
if (result != ISC_R_SUCCESS &&
|
||||
result != DNS_R_FROMWILDCARD) {
|
||||
vbprintf(1, "skip RRSIG by key %d:"
|
||||
" verification failed: %s\n",
|
||||
sig.keyid, isc_result_totext(result));
|
||||
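Review bot: The literal `0` passed as the new `maxbits` argument on the line `ISC_FALSE, 0, mctx,` carries meaning the call site does not explain; the validator hunk on this page passes `val->view->maxbits` for the same parameter, so a reader has to guess that `0` means "no key-size ceiling". A short comment at the first such call, e.g. `/* maxbits 0: no key-size limit for the offline tools -- confirm against dns_dnssec_verify */`, or a named constant shared by the tools, would document it; the same literal appears in the signwithkey, setverifies and goodsig hunks and in dns_dnssec_signs. The meaning of 0 is not visible on this page, so the wording should be checked against the implementation. matching_sigs's body starts and ends outside the hunk.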
|
|
|
|||
|
|
@ -295,8 +295,8 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dst_key_t *key,
|
|||
|
||||
if (tryverify) {
|
||||
result = dns_dnssec_verify(name, rdataset, key,
|
||||
ISC_TRUE, mctx, &trdata);
|
||||
if (result == ISC_R_SUCCESS) {
|
||||
ISC_TRUE, 0, mctx, &trdata, NULL);
|
||||
if (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD) {
|
||||
vbprintf(3, "\tsignature verified\n");
|
||||
INCSTAT(nverified);
|
||||
} else {
|
||||
|
|
@ -456,8 +456,9 @@ setverifies(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
|
|||
dns_rdata_t *rrsig)
|
||||
{
|
||||
isc_result_t result;
|
||||
result = dns_dnssec_verify(name, set, key, ISC_FALSE, mctx, rrsig);
|
||||
if (result == ISC_R_SUCCESS) {
|
||||
result = dns_dnssec_verify(name, set, key, ISC_FALSE, 0, mctx, rrsig,
|
||||
NULL);
|
||||
if (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD) {
|
||||
INCSTAT(nverified);
|
||||
return (ISC_TRUE);
|
||||
} else {
|
||||
|
|
@ -2636,7 +2637,7 @@ build_final_keylist(void) {
|
|||
* Find keys that match this zone in the key repository.
|
||||
*/
|
||||
result = dns_dnssec_findmatchingkeys(gorigin, directory,
|
||||
mctx, &matchkeys);
|
||||
now, mctx, &matchkeys);
|
||||
if (result == ISC_R_NOTFOUND) {
|
||||
result = ISC_R_SUCCESS;
|
||||
}
|
||||
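Review bot: `now` on the new line `now, mctx, &matchkeys);` in build_final_keylist is not declared in the hunk, so it is presumably a file-scope timestamp; the wrapper this call replaces read the wall clock at call time, so which keys' timing metadata count as active now depends on when and how that file-scope value is set (startup time, or a user-supplied start time). Whichever it is, that is a behaviour choice worth one comment above the call, e.g. `/* key timing metadata is evaluated at 'now' (fixed at startup), not at call time */`, with the parenthetical adjusted to the actual source of the value. build_final_keylist's body starts and ends outside the hunk.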
|
|
|
|||
|
|
@ -506,6 +506,7 @@ key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir,
|
|||
dns_secalg_t alg;
|
||||
char filename[ISC_DIR_NAMEMAX];
|
||||
isc_buffer_t fileb;
|
||||
isc_stdtime_t now;
|
||||
|
||||
if (exact != NULL)
|
||||
*exact = ISC_FALSE;
|
||||
|
|
@ -529,7 +530,8 @@ key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir,
|
|||
}
|
||||
|
||||
ISC_LIST_INIT(matchkeys);
|
||||
result = dns_dnssec_findmatchingkeys(name, dir, mctx, &matchkeys);
|
||||
isc_stdtime_get(&now);
|
||||
result = dns_dnssec_findmatchingkeys(name, dir, now, mctx, &matchkeys);
|
||||
if (result == ISC_R_NOTFOUND)
|
||||
return (ISC_FALSE);
|
||||
|
||||
|
|
@ -624,10 +626,11 @@ goodsig(dns_name_t *origin, dns_rdata_t *sigrdata, dns_name_t *name,
|
|||
continue;
|
||||
}
|
||||
result = dns_dnssec_verify(name, rdataset, dstkey, ISC_FALSE,
|
||||
mctx, sigrdata);
|
||||
0, mctx, sigrdata, NULL);
|
||||
dst_key_free(&dstkey);
|
||||
if (result == ISC_R_SUCCESS)
|
||||
if (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD) {
|
||||
return(ISC_TRUE);
|
||||
}
|
||||
}
|
||||
return (ISC_FALSE);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -363,18 +363,9 @@ cleanup_signature:
|
|||
}
|
||||
|
||||
isc_result_t
|
||||
dns_dnssec_verify2(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
|
||||
isc_boolean_t ignoretime, isc_mem_t *mctx,
|
||||
dns_rdata_t *sigrdata, dns_name_t *wild)
|
||||
{
|
||||
return (dns_dnssec_verify3(name, set, key, ignoretime, 0, mctx,
|
||||
sigrdata, wild));
|
||||
}
|
||||
|
||||
isc_result_t
|
||||
dns_dnssec_verify3(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
|
||||
isc_boolean_t ignoretime, unsigned int maxbits,
|
||||
isc_mem_t *mctx, dns_rdata_t *sigrdata, dns_name_t *wild)
|
||||
dns_dnssec_verify(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
|
||||
isc_boolean_t ignoretime, unsigned int maxbits,
|
||||
isc_mem_t *mctx, dns_rdata_t *sigrdata, dns_name_t *wild)
|
||||
{
|
||||
dns_rdata_rrsig_t sig;
|
||||
dns_fixedname_t fnewname;
|
||||
|
|
@ -590,20 +581,6 @@ cleanup_struct:
|
|||
return (ret);
|
||||
}
|
||||
|
||||
isc_result_t
|
||||
dns_dnssec_verify(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
|
||||
isc_boolean_t ignoretime, isc_mem_t *mctx,
|
||||
dns_rdata_t *sigrdata)
|
||||
{
|
||||
isc_result_t result;
|
||||
|
||||
result = dns_dnssec_verify2(name, set, key, ignoretime, mctx,
|
||||
sigrdata, NULL);
|
||||
if (result == DNS_R_FROMWILDCARD)
|
||||
result = ISC_R_SUCCESS;
|
||||
return (result);
|
||||
}
|
||||
|
||||
isc_boolean_t
|
||||
dns_dnssec_keyactive(dst_key_t *key, isc_stdtime_t now) {
|
||||
isc_result_t result;
|
||||
|
|
@ -730,11 +707,11 @@ syncdelete(dst_key_t *key, isc_stdtime_t now) {
|
|||
== DNS_KEYOWNER_ZONE)
|
||||
|
||||
isc_result_t
|
||||
dns_dnssec_findzonekeys3(dns_db_t *db, dns_dbversion_t *ver,
|
||||
dns_dbnode_t *node, const dns_name_t *name,
|
||||
const char *directory, isc_stdtime_t now,
|
||||
isc_mem_t *mctx, unsigned int maxkeys,
|
||||
dst_key_t **keys, unsigned int *nkeys)
|
||||
dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
|
||||
dns_dbnode_t *node, const dns_name_t *name,
|
||||
const char *directory, isc_stdtime_t now,
|
||||
isc_mem_t *mctx, unsigned int maxkeys,
|
||||
dst_key_t **keys, unsigned int *nkeys)
|
||||
{
|
||||
dns_rdataset_t rdataset;
|
||||
dns_rdata_t rdata = DNS_RDATA_INIT;
|
||||
|
|
@ -890,33 +867,6 @@ dns_dnssec_findzonekeys3(dns_db_t *db, dns_dbversion_t *ver,
|
|||
return (result);
|
||||
}
|
||||
|
||||
isc_result_t
|
||||
dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
|
||||
dns_dbnode_t *node, const dns_name_t *name,
|
||||
const char *directory, isc_mem_t *mctx,
|
||||
unsigned int maxkeys, dst_key_t **keys,
|
||||
unsigned int *nkeys)
|
||||
{
|
||||
isc_stdtime_t now;
|
||||
|
||||
isc_stdtime_get(&now);
|
||||
return (dns_dnssec_findzonekeys3(db, ver, node, name, directory, now,
|
||||
mctx, maxkeys, keys, nkeys));
|
||||
}
|
||||
|
||||
isc_result_t
|
||||
dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
|
||||
dns_dbnode_t *node, const dns_name_t *name,
|
||||
isc_mem_t *mctx, unsigned int maxkeys,
|
||||
dst_key_t **keys, unsigned int *nkeys)
|
||||
{
|
||||
isc_stdtime_t now;
|
||||
|
||||
isc_stdtime_get(&now);
|
||||
return (dns_dnssec_findzonekeys3(db, ver, node, name, NULL, now,
|
||||
mctx, maxkeys, keys, nkeys));
|
||||
}
|
||||
|
||||
isc_result_t
|
||||
dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
|
||||
dns_rdata_sig_t sig; /* SIG(0) */
|
||||
|
|
@ -1243,9 +1193,9 @@ dns_dnssec_signs(dns_rdata_t *rdata, const dns_name_t *name,
|
|||
|
||||
if (sig.algorithm == key.algorithm &&
|
||||
sig.keyid == keytag) {
|
||||
result = dns_dnssec_verify2(name, rdataset, dstkey,
|
||||
ignoretime, mctx,
|
||||
&sigrdata, NULL);
|
||||
result = dns_dnssec_verify(name, rdataset, dstkey,
|
||||
ignoretime, 0, mctx,
|
||||
&sigrdata, NULL);
|
||||
if (result == ISC_R_SUCCESS) {
|
||||
dst_key_free(&dstkey);
|
||||
return (ISC_TRUE);
|
||||
|
|
@ -1406,9 +1356,9 @@ get_hints(dns_dnsseckey_t *key, isc_stdtime_t now) {
|
|||
* Get a list of DNSSEC keys from the key repository
|
||||
*/
|
||||
isc_result_t
|
||||
dns_dnssec_findmatchingkeys2(const dns_name_t *origin, const char *directory,
|
||||
isc_stdtime_t now, isc_mem_t *mctx,
|
||||
dns_dnsseckeylist_t *keylist)
|
||||
dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory,
|
||||
isc_stdtime_t now, isc_mem_t *mctx,
|
||||
dns_dnsseckeylist_t *keylist)
|
||||
{
|
||||
isc_result_t result = ISC_R_SUCCESS;
|
||||
isc_boolean_t dir_open = ISC_FALSE;
|
||||
|
|
@ -1536,17 +1486,6 @@ dns_dnssec_findmatchingkeys2(const dns_name_t *origin, const char *directory,
|
|||
return (result);
|
||||
}
|
||||
|
||||
isc_result_t
|
||||
dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory,
|
||||
isc_mem_t *mctx, dns_dnsseckeylist_t *keylist)
|
||||
{
|
||||
isc_stdtime_t now;
|
||||
|
||||
isc_stdtime_get(&now);
|
||||
return (dns_dnssec_findmatchingkeys2(origin, directory, now, mctx,
|
||||
keylist));
|
||||
}
|
||||
|
||||
/*%
|
||||
* Add 'newkey' to 'keylist' if it's not already there.
|
||||
*
|
||||
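Review bot: The surviving `dns_dnssec_findzonekeys` inherits callers that pass `directory == NULL`: the removed shorter wrapper forwarded `NULL` for `directory` (visible in the deleted `return (dns_dnssec_findzonekeys3(db, ver, node, name, NULL, now, ...))`), so the remaining function presumably treats a NULL directory as "no key repository lookup", but nothing in the hunk documents that contract. A comment on the definition, e.g. `/* 'directory' may be NULL, in which case no key files are consulted -- confirm against the body */`, or the equivalent in the header, would keep the next caller from assuming it is required. The function's body continues outside the hunk, so whether the NULL case is actually handled there cannot be seen here.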
|
|
|
|||
|
|
@ -119,18 +119,8 @@ dns_dnssec_sign(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
|
|||
|
||||
isc_result_t
|
||||
dns_dnssec_verify(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
|
||||
isc_boolean_t ignoretime, isc_mem_t *mctx,
|
||||
dns_rdata_t *sigrdata);
|
||||
|
||||
isc_result_t
|
||||
dns_dnssec_verify2(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
|
||||
isc_boolean_t ignoretime, isc_mem_t *mctx,
|
||||
dns_rdata_t *sigrdata, dns_name_t *wild);
|
||||
|
||||
isc_result_t
|
||||
dns_dnssec_verify3(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
|
||||
isc_boolean_t ignoretime, unsigned int maxbits,
|
||||
isc_mem_t *mctx, dns_rdata_t *sigrdata, dns_name_t *wild);
|
||||
isc_boolean_t ignoretime, unsigned int maxbits,
|
||||
isc_mem_t *mctx, dns_rdata_t *sigrdata, dns_name_t *wild);
|
||||
/*%<
|
||||
* Verifies the RRSIG record covering this rdataset signed by a specific
|
||||
* key. This does not determine if the key's owner is authorized to sign
|
||||
|
|
@ -164,24 +154,11 @@ dns_dnssec_verify3(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
|
|||
|
||||
/*@{*/
|
||||
isc_result_t
|
||||
dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
|
||||
const dns_name_t *name, isc_mem_t *mctx,
|
||||
unsigned int maxkeys, dst_key_t **keys,
|
||||
unsigned int *nkeys);
|
||||
|
||||
isc_result_t
|
||||
dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
|
||||
dns_dbnode_t *node, const dns_name_t *name,
|
||||
const char *directory, isc_mem_t *mctx,
|
||||
unsigned int maxkeys, dst_key_t **keys,
|
||||
unsigned int *nkeys);
|
||||
|
||||
isc_result_t
|
||||
dns_dnssec_findzonekeys3(dns_db_t *db, dns_dbversion_t *ver,
|
||||
dns_dbnode_t *node, const dns_name_t *name,
|
||||
const char *directory, isc_stdtime_t now,
|
||||
isc_mem_t *mctx, unsigned int maxkeys,
|
||||
dst_key_t **keys, unsigned int *nkeys);
|
||||
dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
|
||||
dns_dbnode_t *node, const dns_name_t *name,
|
||||
const char *directory, isc_stdtime_t now,
|
||||
isc_mem_t *mctx, unsigned int maxkeys,
|
||||
dst_key_t **keys, unsigned int *nkeys);
|
||||
|
||||
/*%<
|
||||
* Finds a set of zone keys.
|
||||
|
|
@ -291,12 +268,8 @@ dns_dnsseckey_destroy(isc_mem_t *mctx, dns_dnsseckey_t **dkp);
|
|||
|
||||
isc_result_t
|
||||
dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory,
|
||||
isc_mem_t *mctx, dns_dnsseckeylist_t *keylist);
|
||||
|
||||
isc_result_t
|
||||
dns_dnssec_findmatchingkeys2(const dns_name_t *origin, const char *directory,
|
||||
isc_stdtime_t now, isc_mem_t *mctx,
|
||||
dns_dnsseckeylist_t *keylist);
|
||||
isc_stdtime_t now, isc_mem_t *mctx,
|
||||
dns_dnsseckeylist_t *keylist);
|
||||
/*%<
|
||||
* Search 'directory' for K* key files matching the name in 'origin'.
|
||||
* Append all such keys, along with use hints gleaned from their
|
||||
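Review bot: The documentation block for `dns_dnssec_verify` beginning `Verifies the RRSIG record covering this rdataset signed by a specific key` now describes the only verify entry point, but the hunk does not say what `maxbits` does or that a valid signature over a wildcard-synthesized RRset is reported as `DNS_R_FROMWILDCARD` rather than `ISC_R_SUCCESS`; the removed six-argument `dns_dnssec_verify` in dnssec.c used to fold that result into success, so callers migrating from it need this stated. Suggest adding to that block lines along the lines of `maxbits: if non-zero, an upper bound on the key size accepted; 0 means no bound` and `Returns DNS_R_FROMWILDCARD when the signature verifies but covers a wildcard expansion; callers that do not distinguish should treat it as success`, with the maxbits wording checked against the implementation since its semantics are not visible here. The rest of the documentation block continues outside the hunk.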
|
|
|
|||
|
|
@ -1051,11 +1051,14 @@ find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
|
|||
dst_key_t **keys, unsigned int *nkeys)
|
||||
{
|
||||
isc_result_t result;
|
||||
isc_stdtime_t now;
|
||||
dns_dbnode_t *node = NULL;
|
||||
const char *directory = dns_zone_getkeydirectory(zone);
|
||||
CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
|
||||
CHECK(dns_dnssec_findzonekeys2(db, ver, node, dns_db_origin(db),
|
||||
directory, mctx, maxkeys, keys, nkeys));
|
||||
isc_stdtime_get(&now);
|
||||
CHECK(dns_dnssec_findzonekeys(db, ver, node, dns_db_origin(db),
|
||||
directory, now, mctx, maxkeys, keys,
|
||||
nkeys));
|
||||
failure:
|
||||
if (node != NULL)
|
||||
dns_db_detachnode(db, &node);
|
||||
|
|
|
|||
|
|
@ -1470,10 +1470,10 @@ isselfsigned(dns_validator_t *val) {
|
|||
if (result != ISC_R_SUCCESS)
|
||||
continue;
|
||||
|
||||
result = dns_dnssec_verify3(name, rdataset, dstkey,
|
||||
ISC_TRUE,
|
||||
val->view->maxbits,
|
||||
mctx, &sigrdata, NULL);
|
||||
result = dns_dnssec_verify(name, rdataset, dstkey,
|
||||
ISC_TRUE,
|
||||
val->view->maxbits,
|
||||
mctx, &sigrdata, NULL);
|
||||
dst_key_free(&dstkey);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
continue;
|
||||
|
|
@ -1509,9 +1509,9 @@ verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
|
|||
dns_fixedname_init(&fixed);
|
||||
wild = dns_fixedname_name(&fixed);
|
||||
again:
|
||||
result = dns_dnssec_verify3(val->event->name, val->event->rdataset,
|
||||
key, ignore, val->view->maxbits,
|
||||
val->view->mctx, rdata, wild);
|
||||
result = dns_dnssec_verify(val->event->name, val->event->rdataset,
|
||||
key, ignore, val->view->maxbits,
|
||||
val->view->mctx, rdata, wild);
|
||||
if ((result == DNS_R_SIGEXPIRED || result == DNS_R_SIGFUTURE) &&
|
||||
val->view->acceptexpired)
|
||||
{
|
||||
|
|
|
|||
|
|
@ -316,10 +316,7 @@ dns_dns64_destroy
|
|||
dns_dns64_next
|
||||
dns_dns64_unlink
|
||||
dns_dnssec_findmatchingkeys
|
||||
dns_dnssec_findmatchingkeys2
|
||||
dns_dnssec_findzonekeys
|
||||
dns_dnssec_findzonekeys2
|
||||
dns_dnssec_findzonekeys3
|
||||
dns_dnssec_keyactive
|
||||
dns_dnssec_keyfromrdata
|
||||
dns_dnssec_keylistfromrdataset
|
||||
|
|
@ -331,8 +328,6 @@ dns_dnssec_syncupdate
|
|||
dns_dnssec_syncupdate
|
||||
dns_dnssec_updatekeys
|
||||
dns_dnssec_verify
|
||||
dns_dnssec_verify2
|
||||
dns_dnssec_verify3
|
||||
dns_dnssec_verifymessage
|
||||
dns_dnsseckey_create
|
||||
dns_dnsseckey_destroy
|
||||
|
|
|
|||
|
|
@ -6043,9 +6043,9 @@ find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
|
|||
|
||||
CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
|
||||
memset(keys, 0, sizeof(*keys) * maxkeys);
|
||||
result = dns_dnssec_findzonekeys3(db, ver, node, dns_db_origin(db),
|
||||
directory, now, mctx, maxkeys, keys,
|
||||
nkeys);
|
||||
result = dns_dnssec_findzonekeys(db, ver, node, dns_db_origin(db),
|
||||
directory, now, mctx, maxkeys, keys,
|
||||
nkeys);
|
||||
if (result == ISC_R_NOTFOUND)
|
||||
result = ISC_R_SUCCESS;
|
||||
failure:
|
||||
|
|
@ -9036,10 +9036,11 @@ revocable(dns_keyfetch_t *kfetch, dns_rdata_keydata_t *keydata) {
|
|||
if (dst_key_alg(dstkey) == sig.algorithm &&
|
||||
dst_key_rid(dstkey) == sig.keyid)
|
||||
{
|
||||
result = dns_dnssec_verify2(keyname,
|
||||
&kfetch->dnskeyset,
|
||||
dstkey, ISC_FALSE, mctx, &sigrr,
|
||||
dns_fixedname_name(&fixed));
|
||||
result = dns_dnssec_verify(keyname,
|
||||
&kfetch->dnskeyset,
|
||||
dstkey, ISC_FALSE, 0, mctx,
|
||||
&sigrr,
|
||||
dns_fixedname_name(&fixed));
|
||||
|
||||
dns_zone_log(kfetch->zone, ISC_LOG_DEBUG(3),
|
||||
"Confirm revoked DNSKEY is self-signed: "
|
||||
|
|
@ -9186,11 +9187,14 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
|
|||
if (dst_key_alg(dstkey) == sig.algorithm &&
|
||||
dst_key_id(dstkey) == sig.keyid)
|
||||
{
|
||||
result = dns_dnssec_verify2(keyname,
|
||||
&kfetch->dnskeyset,
|
||||
dstkey, ISC_FALSE,
|
||||
zone->view->mctx, &sigrr,
|
||||
dns_fixedname_name(&fixed));
|
||||
result = dns_dnssec_verify(keyname,
|
||||
&kfetch->dnskeyset,
|
||||
dstkey, ISC_FALSE,
|
||||
0,
|
||||
zone->view->mctx,
|
||||
&sigrr,
|
||||
dns_fixedname_name(
|
||||
&fixed));
|
||||
|
||||
dns_zone_log(zone, ISC_LOG_DEBUG(3),
|
||||
"Verifying DNSKEY set for zone "
|
||||
|
|
@ -17860,8 +17864,8 @@ zone_rekey(dns_zone_t *zone) {
|
|||
*/
|
||||
fullsign = ISC_TF(DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_FULLSIGN) != 0);
|
||||
|
||||
result = dns_dnssec_findmatchingkeys2(&zone->origin, dir, now, mctx,
|
||||
&keys);
|
||||
result = dns_dnssec_findmatchingkeys(&zone->origin, dir, now, mctx,
|
||||
&keys);
|
||||
if (result == ISC_R_SUCCESS) {
|
||||
isc_boolean_t check_ksk;
|
||||
check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
|
||||
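Review bot: The two DNSKEY-verification calls in `revocable` and `keyfetch_done` now pass a literal `0` as `maxbits` (`dstkey, ISC_FALSE, 0, mctx,` and the lone `0,` line), whereas the validator hunk passes `val->view->maxbits` for the same argument and the view is already reachable here (`zone->view->mctx`, `kfetch->zone`). If `maxbits` is the per-view ceiling on accepted key sizes, the managed-keys refresh path is the one place where bypassing it is least obviously intended, so either pass `zone->view->maxbits` or leave a comment stating why the trust-anchor check is exempt, e.g. `/* maxbits 0: view key-size ceiling deliberately not applied to managed-keys refresh -- confirm */`. The `keyfetch_done` call is also wrapped one argument per line with `dns_fixedname_name(` split from `&fixed)`; introducing a local for the wildcard name before the call would let it wrap like the `revocable` one. Both enclosing functions start and end outside the hunk.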
|
|
|
|||
|
|
@ -2280,9 +2280,9 @@ verify(dst_key_t *key, dns_name_t *name, dns_rdataset_t *rdataset,
|
|||
dns_fixedname_init(&fixed);
|
||||
|
||||
again:
|
||||
result = dns_dnssec_verify3(name, rdataset, key, ignore,
|
||||
client->view->maxbits, client->mctx,
|
||||
rdata, NULL);
|
||||
result = dns_dnssec_verify(name, rdataset, key, ignore,
|
||||
client->view->maxbits, client->mctx,
|
||||
rdata, NULL);
|
||||
if (result == DNS_R_SIGEXPIRED && client->view->acceptexpired) {
|
||||
ignore = ISC_TRUE;
|
||||
goto again;
|
||||
|
|
|
|||