← Back to branch summary

~kernevil/ubuntu/trusty/bind9/sdlz-hmac-keys

« back to all changes in this revision

Viewing changes to lib/dns/validator.c

  • Committer: Package Import Robot
  • Author(s): LaMont Jones, Matthew Grant, LaMont Jones
  • Date: 2012-10-29 08:37:49 UTC
  • mfrom: (1.9.2)
  • Revision ID: package-import@ubuntu.com-20121029083749-r9inpzl0yuj9xdlu
Tags: 1:9.8.4.dfsg-1
[Matthew Grant]

* Turn off dlopen as it was causing test compile failures.
* Add missing library .postrm files for debhelper

[LaMont Jones]

* New upstream version
* soname fixup
* Ack NMUs

Show diffs side-by-side

added added

removed removed

Lines of Context:
lib/dns/validator.c
1
1
/*
2
 
 * Copyright (C) 2004-2011  Internet Systems Consortium, Inc. ("ISC")
 
2
 * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
3
3
 * Copyright (C) 2000-2003  Internet Software Consortium.
4
4
 *
5
5
 * Permission to use, copy, modify, and/or distribute this software for any
15
15
 * PERFORMANCE OF THIS SOFTWARE.
16
16
 */
17
17
 
18
 
/* $Id: validator.c,v 1.197.14.7 2011-06-08 23:02:43 each Exp $ */
 
18
/* $Id$ */
19
19
 
20
20
#include <config.h>
21
21
 
843
843
 * Return ISC_R_IGNORE when the NSEC is not the appropriate one.
844
844
 */
845
845
static isc_result_t
846
 
nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname,
 
846
nsecnoexistnodata(dns_validator_t *val, dns_name_t *name, dns_name_t *nsecname,
847
847
                  dns_rdataset_t *nsecset, isc_boolean_t *exists,
848
848
                  isc_boolean_t *data, dns_name_t *wild)
849
849
{
884
884
 
885
885
        if (order == 0) {
886
886
                /*
887
 
                 * The names are the same.
 
887
                 * The names are the same.   If we are validating "."
 
888
                 * then atparent should not be set as there is no parent.
888
889
                 */
889
 
                atparent = dns_rdatatype_atparent(val->event->type);
 
890
                atparent = (olabels != 1) &&
 
891
                           dns_rdatatype_atparent(val->event->type);
890
892
                ns = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
891
893
                soa = dns_nsec_typepresent(&rdata, dns_rdatatype_soa);
892
894
                if (ns && !soa) {
1917
1919
        isc_result_t result;
1918
1920
        dns_fixedname_t fixed;
1919
1921
        isc_boolean_t ignore = ISC_FALSE;
 
1922
        dns_name_t *wild;
1920
1923
 
1921
1924
        val->attributes |= VALATTR_TRIEDVERIFY;
1922
1925
        dns_fixedname_init(&fixed);
 
1926
        wild = dns_fixedname_name(&fixed);
1923
1927
 again:
1924
1928
        result = dns_dnssec_verify2(val->event->name, val->event->rdataset,
1925
 
                                    key, ignore, val->view->mctx, rdata,
1926
 
                                    dns_fixedname_name(&fixed));
1927
 
        if (result == DNS_R_SIGEXPIRED && val->view->acceptexpired) {
 
1929
                                    key, ignore, val->view->mctx, rdata, wild);
 
1930
        if ((result == DNS_R_SIGEXPIRED || result == DNS_R_SIGFUTURE) &&
 
1931
            val->view->acceptexpired)
 
1932
        {
1928
1933
                ignore = ISC_TRUE;
1929
1934
                goto again;
1930
1935
        }
1933
1938
                              "accepted expired %sRRSIG (keyid=%u)",
1934
1939
                              (result == DNS_R_FROMWILDCARD) ?
1935
1940
                              "wildcard " : "", keyid);
 
1941
        else if (result == DNS_R_SIGEXPIRED || result == DNS_R_SIGFUTURE)
 
1942
                validator_log(val, ISC_LOG_INFO,
 
1943
                              "verify failed due to bad signature (keyid=%u): "
 
1944
                              "%s", keyid, isc_result_totext(result));
1936
1945
        else
1937
1946
                validator_log(val, ISC_LOG_DEBUG(3),
1938
1947
                              "verify rdataset (keyid=%u): %s",
1939
1948
                              keyid, isc_result_totext(result));
1940
1949
        if (result == DNS_R_FROMWILDCARD) {
1941
 
                if (!dns_name_equal(val->event->name,
1942
 
                                    dns_fixedname_name(&fixed)))
 
1950
                if (!dns_name_equal(val->event->name, wild)) {
 
1951
                        dns_name_t *closest;
 
1952
                        unsigned int labels;
 
1953
 
 
1954
                        /*
 
1955
                         * Compute the closest encloser in case we need it
 
1956
                         * for the NSEC3 NOQNAME proof.
 
1957
                         */
 
1958
                        closest = dns_fixedname_name(&val->closest);
 
1959
                        dns_name_copy(wild, closest, NULL);
 
1960
                        labels = dns_name_countlabels(closest) - 1;
 
1961
                        dns_name_getlabelsequence(closest, 1, labels, closest);
1943
1962
                        val->attributes |= VALATTR_NEEDNOQNAME;
 
1963
                }
1944
1964
                result = ISC_R_SUCCESS;
1945
1965
        }
1946
1966
        return (result);
2052
2072
                        validator_log(val, ISC_LOG_DEBUG(3),
2053
2073
                                      "failed to verify rdataset");
2054
2074
                else {
2055
 
                        isc_uint32_t ttl;
2056
2075
                        isc_stdtime_t now;
2057
2076
 
2058
2077
                        isc_stdtime_get(&now);
2059
 
                        ttl = ISC_MIN(event->rdataset->ttl,
2060
 
                                      ISC_MIN(val->siginfo->originalttl,
2061
 
                                              val->siginfo->timeexpire - now));
2062
 
                        event->rdataset->ttl = ttl;
2063
 
                        event->sigrdataset->ttl = ttl;
 
2078
                        dns_rdataset_trimttl(event->rdataset,
 
2079
                                             event->sigrdataset,
 
2080
                                             val->siginfo, now,
 
2081
                                             val->view->acceptexpired);
2064
2082
                }
2065
2083
 
2066
2084
                if (val->keynode != NULL)
2865
2883
        dns_name_t *name, tname;
2866
2884
        isc_result_t result;
2867
2885
        isc_boolean_t exists, data, optout, unknown;
2868
 
        isc_boolean_t setclosest, setnearest;
 
2886
        isc_boolean_t setclosest, setnearest, *setclosestp;
2869
2887
        dns_fixedname_t fclosest, fnearest, fzonename;
2870
 
        dns_name_t *closest, *nearest, *zonename;
 
2888
        dns_name_t *closest, *nearest, *zonename, *closestp;
2871
2889
        dns_name_t **proofs = val->event->proofs;
2872
2890
        dns_rdataset_t *rdataset, trdataset;
2873
2891
 
2914
2932
        if (dns_name_countlabels(zonename) == 0)
2915
2933
                return (ISC_R_SUCCESS);
2916
2934
 
 
2935
        /*
 
2936
         * If the val->closest is set then we want to use it otherwise
 
2937
         * we need to discover it.
 
2938
         */
 
2939
        if (dns_name_countlabels(dns_fixedname_name(&val->closest)) != 0) {
 
2940
                char namebuf[DNS_NAME_FORMATSIZE];
 
2941
 
 
2942
                dns_name_format(dns_fixedname_name(&val->closest),
 
2943
                                 namebuf, sizeof(namebuf));
 
2944
                validator_log(val, ISC_LOG_DEBUG(3), "closest encloser from "
 
2945
                              "wildcard signature '%s'", namebuf);
 
2946
                dns_name_copy(dns_fixedname_name(&val->closest), closest, NULL);
 
2947
                closestp = NULL;
 
2948
                setclosestp = NULL;
 
2949
        } else {
 
2950
                closestp = closest;
 
2951
                setclosestp = &setclosest;
 
2952
        }
 
2953
 
2917
2954
        for (result = val_rdataset_first(val, &name, &rdataset);
2918
2955
             result == ISC_R_SUCCESS;
2919
2956
             result = val_rdataset_next(val, &name, &rdataset))
2931
2968
                unknown = ISC_FALSE;
2932
2969
                (void)nsec3noexistnodata(val, val->event->name, name, rdataset,
2933
2970
                                         zonename, &exists, &data, &optout,
2934
 
                                         &unknown, &setclosest, &setnearest,
2935
 
                                         closest, nearest);
 
2971
                                         &unknown, setclosestp, &setnearest,
 
2972
                                         closestp, nearest);
2936
2973
                if (setclosest)
2937
2974
                        proofs[DNS_VALIDATOR_CLOSESTENCLOSER] = name;
2938
2975
                if (unknown)
3697
3734
                                result = ISC_R_SUCCESS;
3698
3735
                                goto out;
3699
3736
                        }
3700
 
                        result = startfinddlvsep(val,
3701
 
                                              dns_fixedname_name(&val->fname));
3702
 
                        goto out;
 
3737
                        return(startfinddlvsep(val,
 
3738
                                              dns_fixedname_name(&val->fname)));
3703
3739
                }
3704
3740
                val->labels++;
3705
3741
        }
3835
3871
                                                result = ISC_R_SUCCESS;
3836
3872
                                                goto out;
3837
3873
                                        }
3838
 
                                        result = startfinddlvsep(val, tname);
3839
 
                                        goto out;
 
3874
                                        return(startfinddlvsep(val, tname));
3840
3875
                                }
3841
3876
                                continue;
3842
3877
                        }