unbound
0.1
|
This file contains helper functions for the validator module. More...
#include "util/data/packed_rrset.h"
Data Structures | |
struct | algo_needs |
Storage for algorithm needs. More... |
Macros | |
#define | ALGO_NEEDS_MAX 256 |
number of entries in algorithm needs array |
Functions | |
void | algo_needs_init_dnskey_add (struct algo_needs *n, struct ub_packed_rrset_key *dnskey, uint8_t *sigalg) |
Initialize algo needs structure, set algos from rrset as needed. | |
void | algo_needs_init_list (struct algo_needs *n, uint8_t *sigalg) |
Initialize algo needs structure from a signalled algo list. | |
void | algo_needs_init_ds (struct algo_needs *n, struct ub_packed_rrset_key *ds, int fav_ds_algo, uint8_t *sigalg) |
Initialize algo needs structure, set algos from rrset as needed. | |
int | algo_needs_set_secure (struct algo_needs *n, uint8_t algo) |
Mark this algorithm as a success, sec_secure, and see if we are done. | |
void | algo_needs_set_bogus (struct algo_needs *n, uint8_t algo) |
Mark this algorithm a failure, sec_bogus. | |
size_t | algo_needs_num_missing (struct algo_needs *n) |
See how many algorithms are missing (not bogus or secure, but not processed) | |
int | algo_needs_missing (struct algo_needs *n) |
See which algo is missing. | |
void | algo_needs_reason (struct module_env *env, int alg, char **reason, char *s) |
Format error reason for algorithm missing. | |
int | ds_digest_match_dnskey (struct module_env *env, struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx, struct ub_packed_rrset_key *ds_rrset, size_t ds_idx) |
Check if dnskey matches a DS digest Does not check dnskey-keyid footprint, just the digest. | |
uint16_t | dnskey_calc_keytag (struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx) |
Get dnskey keytag, footprint value. | |
uint16_t | ds_get_keytag (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx) |
Get DS keytag, footprint value that matches the DNSKEY keytag it signs. | |
int | dnskey_algo_is_supported (struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx) |
See if DNSKEY algorithm is supported. | |
int | ds_digest_algo_is_supported (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx) |
See if DS digest algorithm is supported. | |
int | ds_get_digest_algo (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx) |
Get DS RR digest algorithm. | |
int | ds_key_algo_is_supported (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx) |
See if DS key algorithm is supported. | |
int | ds_get_key_algo (struct ub_packed_rrset_key *k, size_t idx) |
Get DS RR key algorithm. | |
int | dnskey_get_algo (struct ub_packed_rrset_key *k, size_t idx) |
Get DNSKEY RR signature algorithm. | |
uint16_t | dnskey_get_flags (struct ub_packed_rrset_key *k, size_t idx) |
Get DNSKEY RR flags. | |
enum sec_status | dnskeyset_verify_rrset (struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, uint8_t *sigalg, char **reason) |
Verify rrset against dnskey rrset. | |
enum sec_status | dnskey_verify_rrset (struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, size_t dnskey_idx, char **reason) |
verify rrset against one specific dnskey (from rrset) | |
enum sec_status | dnskeyset_verify_rrset_sig (struct module_env *env, struct val_env *ve, uint32_t now, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, size_t sig_idx, struct rbtree_t **sortree, char **reason) |
verify rrset, with dnskey rrset, for a specific rrsig in rrset | |
enum sec_status | dnskey_verify_rrset_sig (struct regional *region, ldns_buffer *buf, struct val_env *ve, uint32_t now, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, size_t dnskey_idx, size_t sig_idx, struct rbtree_t **sortree, int *buf_canon, char **reason) |
verify rrset, with specific dnskey(from set), for a specific rrsig | |
int | canonical_tree_compare (const void *k1, const void *k2) |
canonical compare for two tree entries |
This file contains helper functions for the validator module.
The functions help with signature verification and checking, the bridging between RR wireformat data and crypto calls.
void algo_needs_init_dnskey_add | ( | struct algo_needs * | n, |
struct ub_packed_rrset_key * | dnskey, | ||
uint8_t * | sigalg | ||
) |
Initialize algo needs structure, set algos from rrset as needed.
Results are added to an existing need structure.
n,: | struct with storage. |
dnskey,: | algos from this struct set as necessary. DNSKEY set. |
sigalg,: | adds to signalled algorithm list too. |
References dnskey_algo_id_is_supported(), dnskey_get_algo(), algo_needs::needs, algo_needs::num, and rrset_get_count().
Referenced by val_verify_DNSKEY_with_TA().
void algo_needs_init_list | ( | struct algo_needs * | n, |
uint8_t * | sigalg | ||
) |
Initialize algo needs structure from a signalled algo list.
n,: | struct with storage. |
sigalg,: | signalled algorithm list, numbers ends with 0. |
References ALGO_NEEDS_MAX, dnskey_algo_id_is_supported(), log_assert, algo_needs::needs, and algo_needs::num.
Referenced by dnskeyset_verify_rrset().
void algo_needs_init_ds | ( | struct algo_needs * | n, |
struct ub_packed_rrset_key * | ds, | ||
int | fav_ds_algo, | ||
uint8_t * | sigalg | ||
) |
Initialize algo needs structure, set algos from rrset as needed.
n,: | struct with storage. |
ds,: | algos from this struct set as necessary. DS set. |
fav_ds_algo,: | filter to use only this DS algo. |
sigalg,: | list of signalled algos, constructed as output, provide size ALGO_NEEDS_MAX+1. list of algonumbers, ends with a zero. |
References ALGO_NEEDS_MAX, dnskey_algo_id_is_supported(), ds_get_digest_algo(), ds_get_key_algo(), log_assert, algo_needs::needs, algo_needs::num, and rrset_get_count().
Referenced by val_verify_DNSKEY_with_DS(), and val_verify_DNSKEY_with_TA().
int algo_needs_set_secure | ( | struct algo_needs * | n, |
uint8_t | algo | ||
) |
Mark this algorithm as a success, sec_secure, and see if we are done.
n,: | storage structure processed. |
algo,: | the algorithm processed to be secure. |
References algo_needs::needs, and algo_needs::num.
Referenced by dnskeyset_verify_rrset(), val_verify_DNSKEY_with_DS(), and val_verify_DNSKEY_with_TA().
void algo_needs_set_bogus | ( | struct algo_needs * | n, |
uint8_t | algo | ||
) |
Mark this algorithm a failure, sec_bogus.
It can later be overridden by a success for this algorithm (with a different signature).
n,: | storage structure processed. |
algo,: | the algorithm processed to be bogus. |
References algo_needs::needs.
Referenced by dnskeyset_verify_rrset(), val_verify_DNSKEY_with_DS(), and val_verify_DNSKEY_with_TA().
size_t algo_needs_num_missing | ( | struct algo_needs * | n | ) |
See how many algorithms are missing (not bogus or secure, but not processed)
n,: | storage structure processed. |
References algo_needs::num.
Referenced by dnskeyset_verify_rrset().
int algo_needs_missing | ( | struct algo_needs * | n | ) |
See which algo is missing.
n,: | struct after processing. |
References ALGO_NEEDS_MAX, and algo_needs::needs.
Referenced by dnskeyset_verify_rrset(), val_verify_DNSKEY_with_DS(), and val_verify_DNSKEY_with_TA().
void algo_needs_reason | ( | struct module_env * | env, |
int | alg, | ||
char ** | reason, | ||
char * | s | ||
) |
Format error reason for algorithm missing.
env,: | module env with scratch for temp storage of string. |
alg,: | DNSKEY-algorithm missing. |
reason,: | destination. |
s,: | string, appended with 'with algorithm ..'. |
References regional_strdup(), and module_env::scratch.
Referenced by dnskeyset_verify_rrset(), val_verify_DNSKEY_with_DS(), val_verify_DNSKEY_with_TA(), and verify_dnskeys_with_ds_rr().
int ds_digest_match_dnskey | ( | struct module_env * | env, |
struct ub_packed_rrset_key * | dnskey_rrset, | ||
size_t | dnskey_idx, | ||
struct ub_packed_rrset_key * | ds_rrset, | ||
size_t | ds_idx | ||
) |
Check if dnskey matches a DS digest Does not check dnskey-keyid footprint, just the digest.
env,: | module environment. Uses scratch space. |
dnskey_rrset,: | DNSKEY rrset. |
dnskey_idx,: | index of RR in rrset. |
ds_rrset,: | DS rrset |
ds_idx,: | index of RR in DS rrset. |
References ds_create_dnskey_digest(), ds_digest_size_algo(), ds_get_sigdata(), regional_alloc(), module_env::scratch, VERB_QUERY, and verbose().
Referenced by dstest_entry(), key_matches_a_ds(), and verify_dnskeys_with_ds_rr().
uint16_t dnskey_calc_keytag | ( | struct ub_packed_rrset_key * | dnskey_rrset, |
size_t | dnskey_idx | ||
) |
Get dnskey keytag, footprint value.
dnskey_rrset,: | DNSKEY rrset. |
dnskey_idx,: | index of RR in rrset. |
References rrset_get_rdata().
Referenced by check_contains_revoked(), dnskey_verify_rrset(), dnskey_verify_rrset_sig(), dnskeyset_verify_rrset_sig(), key_matches_a_ds(), and verify_dnskeys_with_ds_rr().
uint16_t ds_get_keytag | ( | struct ub_packed_rrset_key * | ds_rrset, |
size_t | ds_idx | ||
) |
Get DS keytag, footprint value that matches the DNSKEY keytag it signs.
ds_rrset,: | DS rrset |
ds_idx,: | index of RR in DS rrset. |
References rrset_get_rdata().
Referenced by key_matches_a_ds(), and verify_dnskeys_with_ds_rr().
int dnskey_algo_is_supported | ( | struct ub_packed_rrset_key * | dnskey_rrset, |
size_t | dnskey_idx | ||
) |
See if DNSKEY algorithm is supported.
dnskey_rrset,: | DNSKEY rrset. |
dnskey_idx,: | index of RR in rrset. |
References dnskey_algo_id_is_supported(), and dnskey_get_algo().
Referenced by anchors_dnskey_unsupported(), update_events(), and val_verify_DNSKEY_with_TA().
int ds_digest_algo_is_supported | ( | struct ub_packed_rrset_key * | ds_rrset, |
size_t | ds_idx | ||
) |
See if DS digest algorithm is supported.
ds_rrset,: | DS rrset |
ds_idx,: | index of RR in DS rrset. |
References ds_digest_size_algo().
Referenced by anchors_ds_unsupported(), key_matches_a_ds(), val_dsset_isusable(), val_favorite_ds_algo(), val_verify_DNSKEY_with_DS(), and val_verify_DNSKEY_with_TA().
int ds_get_digest_algo | ( | struct ub_packed_rrset_key * | ds_rrset, |
size_t | ds_idx | ||
) |
Get DS RR digest algorithm.
ds_rrset,: | DS rrset. |
ds_idx,: | which DS. |
References rrset_get_rdata().
Referenced by algo_needs_init_ds(), ds_create_dnskey_digest(), ds_digest_size_algo(), key_matches_a_ds(), val_favorite_ds_algo(), val_verify_DNSKEY_with_DS(), and val_verify_DNSKEY_with_TA().
int ds_key_algo_is_supported | ( | struct ub_packed_rrset_key * | ds_rrset, |
size_t | ds_idx | ||
) |
See if DS key algorithm is supported.
ds_rrset,: | DS rrset |
ds_idx,: | index of RR in DS rrset. |
References dnskey_algo_id_is_supported(), and ds_get_key_algo().
Referenced by anchors_ds_unsupported(), key_matches_a_ds(), val_dsset_isusable(), val_favorite_ds_algo(), val_verify_DNSKEY_with_DS(), and val_verify_DNSKEY_with_TA().
int ds_get_key_algo | ( | struct ub_packed_rrset_key * | k, |
size_t | idx | ||
) |
Get DS RR key algorithm.
This value should match with the DNSKEY algo.
k,: | DS rrset. |
idx,: | which DS. |
References rrset_get_rdata().
Referenced by algo_needs_init_ds(), ds_key_algo_is_supported(), key_matches_a_ds(), val_verify_DNSKEY_with_DS(), val_verify_DNSKEY_with_TA(), and verify_dnskeys_with_ds_rr().
int dnskey_get_algo | ( | struct ub_packed_rrset_key * | k, |
size_t | idx | ||
) |
Get DNSKEY RR signature algorithm.
k,: | DNSKEY rrset. |
idx,: | which DNSKEY RR. |
References rrset_get_rdata().
Referenced by algo_needs_init_dnskey_add(), dnskey_algo_is_supported(), dnskey_verify_rrset(), dnskey_verify_rrset_sig(), dnskeyset_verify_rrset_sig(), key_matches_a_ds(), setup_sigalg(), val_verify_DNSKEY_with_TA(), and verify_dnskeys_with_ds_rr().
uint16_t dnskey_get_flags | ( | struct ub_packed_rrset_key * | k, |
size_t | idx | ||
) |
Get DNSKEY RR flags.
k,: | DNSKEY rrset. |
idx,: | which DNSKEY RR. |
References rrset_get_rdata().
Referenced by dnskey_verify_rrset_sig().
enum sec_status dnskeyset_verify_rrset | ( | struct module_env * | env, |
struct val_env * | ve, | ||
struct ub_packed_rrset_key * | rrset, | ||
struct ub_packed_rrset_key * | dnskey, | ||
uint8_t * | sigalg, | ||
char ** | reason | ||
) |
Verify rrset against dnskey rrset.
env,: | module environment, scratch space is used. |
ve,: | validator environment, date settings. |
rrset,: | to be validated. |
dnskey,: | DNSKEY rrset, keyset to try. |
sigalg,: | if nonNULL provide downgrade protection otherwise one algorithm is enough. |
reason,: | if bogus, a string returned, fixed or alloced in scratch. |
References algo_needs_init_list(), algo_needs_missing(), algo_needs_num_missing(), algo_needs_reason(), algo_needs_set_bogus(), algo_needs_set_secure(), dnskeyset_verify_rrset_sig(), module_env::now, algo_needs::num, rrset_get_sig_algo(), rrset_get_sigcount(), sec_status_bogus, sec_status_insecure, sec_status_secure, VERB_ALGO, VERB_QUERY, and verbose().
Referenced by val_verify_rrset(), and verifytest_rrset().
enum sec_status dnskey_verify_rrset | ( | struct module_env * | env, |
struct val_env * | ve, | ||
struct ub_packed_rrset_key * | rrset, | ||
struct ub_packed_rrset_key * | dnskey, | ||
size_t | dnskey_idx, | ||
char ** | reason | ||
) |
verify rrset against one specific dnskey (from rrset)
env,: | module environment, scratch space is used. |
ve,: | validator environment, date settings. |
rrset,: | to be validated. |
dnskey,: | DNSKEY rrset, keyset. |
dnskey_idx,: | which key from the rrset to try. |
reason,: | if bogus, a string returned, fixed or alloced in scratch. |
References dnskey_calc_keytag(), dnskey_get_algo(), dnskey_verify_rrset_sig(), module_env::now, algo_needs::num, rrset_get_sig_algo(), rrset_get_sig_keytag(), rrset_get_sigcount(), module_env::scratch, module_env::scratch_buffer, sec_status_bogus, sec_status_secure, VERB_ALGO, VERB_QUERY, and verbose().
Referenced by key_matches_a_ds(), rr_is_selfsigned_revoked(), val_verify_DNSKEY_with_TA(), and verify_dnskeys_with_ds_rr().
enum sec_status dnskeyset_verify_rrset_sig | ( | struct module_env * | env, |
struct val_env * | ve, | ||
uint32_t | now, | ||
struct ub_packed_rrset_key * | rrset, | ||
struct ub_packed_rrset_key * | dnskey, | ||
size_t | sig_idx, | ||
struct rbtree_t ** | sortree, | ||
char ** | reason | ||
) |
verify rrset, with dnskey rrset, for a specific rrsig in rrset
env,: | module environment, scratch space is used. |
ve,: | validator environment, date settings. |
now,: | current time for validation (can be overridden). |
rrset,: | to be validated. |
dnskey,: | DNSKEY rrset, keyset to try. |
sig_idx,: | which signature to try to validate. |
sortree,: | reused sorted order. Stored in region. Pass NULL at start, and for a new rrset. |
reason,: | if bogus, a string returned, fixed or alloced in scratch. |
References dnskey_algo_id_is_supported(), dnskey_calc_keytag(), dnskey_get_algo(), dnskey_verify_rrset_sig(), algo_needs::num, rrset_get_count(), rrset_get_sig_algo(), rrset_get_sig_keytag(), module_env::scratch, module_env::scratch_buffer, sec_status_bogus, sec_status_insecure, sec_status_secure, VERB_ALGO, VERB_QUERY, and verbose().
Referenced by dnskeyset_verify_rrset().
enum sec_status dnskey_verify_rrset_sig | ( | struct regional * | region, |
ldns_buffer * | buf, | ||
struct val_env * | ve, | ||
uint32_t | now, | ||
struct ub_packed_rrset_key * | rrset, | ||
struct ub_packed_rrset_key * | dnskey, | ||
size_t | dnskey_idx, | ||
size_t | sig_idx, | ||
struct rbtree_t ** | sortree, | ||
int * | buf_canon, | ||
char ** | reason | ||
) |
verify rrset, with specific dnskey(from set), for a specific rrsig
region,: | scratch region used for temporary allocation. |
buf,: | scratch buffer used for canonicalized rrset data. |
ve,: | validator environment, date settings. |
now,: | current time for validation (can be overridden). |
rrset,: | to be validated. |
dnskey,: | DNSKEY rrset, keyset. |
dnskey_idx,: | which key from the rrset to try. |
sig_idx,: | which signature to try to validate. |
sortree,: | pass NULL at start, the sorted rrset order is returned. pass it again for the same rrset. |
buf_canon,: | if true, the buffer is already canonical. pass false at start. pass old value only for same rrset and same signature (but perhaps different key) for reuse. |
reason,: | if bogus, a string returned, fixed or alloced in scratch. |
References adjust_ttl(), check_dates(), packed_rrset_key::dname, dname_signame_label_count(), dname_subdomain_c(), dname_valid(), DNSKEY_BIT_ZSK, dnskey_calc_keytag(), dnskey_get_algo(), dnskey_get_flags(), dnskey_get_protocol(), dnskey_get_pubkey(), log_err(), log_nametypeclass(), query_dname_compare(), ub_packed_rrset_key::rk, rrset_canonical(), rrset_get_count(), rrset_get_rdata(), sec_status_bogus, sec_status_secure, sec_status_unchecked, packed_rrset_key::type, VERB_QUERY, verbose(), and verify_canonrrset().
Referenced by dnskey_verify_rrset(), and dnskeyset_verify_rrset_sig().