unbound
0.1
|
This file contains helper functions for the validator module. More...
#include "config.h"
#include <ldns/ldns.h>
#include "validator/val_sigcrypt.h"
#include "validator/validator.h"
#include "util/data/msgreply.h"
#include "util/data/msgparse.h"
#include "util/data/dname.h"
#include "util/rbtree.h"
#include "util/module.h"
#include "util/net_help.h"
#include "util/regional.h"
Data Structures | |
struct | canon_rr |
RR entries in a canonical sorted tree of RRs. More... |
Functions | |
static size_t | rrset_get_count (struct ub_packed_rrset_key *rrset) |
return number of rrs in an rrset | |
static size_t | rrset_get_sigcount (struct ub_packed_rrset_key *k) |
Get RR signature count. | |
static uint16_t | rrset_get_sig_keytag (struct ub_packed_rrset_key *k, size_t sig_idx) |
Get signature keytag value. | |
static int | rrset_get_sig_algo (struct ub_packed_rrset_key *k, size_t sig_idx) |
Get signature signing algorithm value. | |
static void | rrset_get_rdata (struct ub_packed_rrset_key *k, size_t idx, uint8_t **rdata, size_t *len) |
get rdata pointer and size | |
uint16_t | dnskey_get_flags (struct ub_packed_rrset_key *k, size_t idx) |
Get DNSKEY RR flags. | |
static int | dnskey_get_protocol (struct ub_packed_rrset_key *k, size_t idx) |
Get DNSKEY protocol value from rdata. | |
int | dnskey_get_algo (struct ub_packed_rrset_key *k, size_t idx) |
Get DNSKEY RR signature algorithm. | |
static void | dnskey_get_pubkey (struct ub_packed_rrset_key *k, size_t idx, unsigned char **pk, unsigned int *pklen) |
get public key rdata field from a dnskey RR and do some checks | |
int | ds_get_key_algo (struct ub_packed_rrset_key *k, size_t idx) |
Get DS RR key algorithm. | |
int | ds_get_digest_algo (struct ub_packed_rrset_key *k, size_t idx) |
Get DS RR digest algorithm. | |
uint16_t | ds_get_keytag (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx) |
Get DS keytag, footprint value that matches the DNSKEY keytag it signs. | |
static void | ds_get_sigdata (struct ub_packed_rrset_key *k, size_t idx, uint8_t **digest, size_t *len) |
Return pointer to the digest in a DS RR. | |
static size_t | ds_digest_size_algo (struct ub_packed_rrset_key *k, size_t idx) |
Return size of DS digest according to its hash algorithm. | |
static int | ds_create_dnskey_digest (struct module_env *env, struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx, struct ub_packed_rrset_key *ds_rrset, size_t ds_idx, uint8_t *digest) |
Create a DS digest for a DNSKEY entry. | |
int | ds_digest_match_dnskey (struct module_env *env, struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx, struct ub_packed_rrset_key *ds_rrset, size_t ds_idx) |
Check if dnskey matches a DS digest Does not check dnskey-keyid footprint, just the digest. | |
int | ds_digest_algo_is_supported (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx) |
See if DS digest algorithm is supported. | |
static int | dnskey_algo_id_is_supported (int id) |
return true if DNSKEY algorithm id is supported | |
int | ds_key_algo_is_supported (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx) |
See if DS key algorithm is supported. | |
uint16_t | dnskey_calc_keytag (struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx) |
Get dnskey keytag, footprint value. | |
int | dnskey_algo_is_supported (struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx) |
See if DNSKEY algorithm is supported. | |
void | algo_needs_init_dnskey_add (struct algo_needs *n, struct ub_packed_rrset_key *dnskey, uint8_t *sigalg) |
Initialize algo needs structure, set algos from rrset as needed. | |
void | algo_needs_init_list (struct algo_needs *n, uint8_t *sigalg) |
Initialize algo needs structure from a signalled algo list. | |
void | algo_needs_init_ds (struct algo_needs *n, struct ub_packed_rrset_key *ds, int fav_ds_algo, uint8_t *sigalg) |
Initialize algo needs structure, set algos from rrset as needed. | |
int | algo_needs_set_secure (struct algo_needs *n, uint8_t algo) |
Mark this algorithm as a success, sec_secure, and see if we are done. | |
void | algo_needs_set_bogus (struct algo_needs *n, uint8_t algo) |
Mark this algorithm a failure, sec_bogus. | |
size_t | algo_needs_num_missing (struct algo_needs *n) |
See how many algorithms are missing (not bogus or secure, but not processed) | |
int | algo_needs_missing (struct algo_needs *n) |
See which algo is missing. | |
enum sec_status | dnskeyset_verify_rrset (struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, uint8_t *sigalg, char **reason) |
Verify rrset against dnskey rrset. | |
void | algo_needs_reason (struct module_env *env, int alg, char **reason, char *s) |
Format error reason for algorithm missing. | |
enum sec_status | dnskey_verify_rrset (struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, size_t dnskey_idx, char **reason) |
verify rrset against one specific dnskey (from rrset) | |
enum sec_status | dnskeyset_verify_rrset_sig (struct module_env *env, struct val_env *ve, uint32_t now, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, size_t sig_idx, struct rbtree_t **sortree, char **reason) |
verify rrset, with dnskey rrset, for a specific rrsig in rrset | |
static int | canonical_compare_byfield (struct packed_rrset_data *d, const ldns_rr_descriptor *desc, size_t i, size_t j) |
Compare two RR for canonical order, in a field-style sweep. | |
static int | canonical_compare (struct ub_packed_rrset_key *rrset, size_t i, size_t j) |
Compare two RRs in the same RRset and determine their relative canonical order. | |
int | canonical_tree_compare (const void *k1, const void *k2) |
canonical compare for two tree entries | |
static void | canonical_sort (struct ub_packed_rrset_key *rrset, struct packed_rrset_data *d, rbtree_t *sortree, struct canon_rr *rrs) |
Sort RRs for rrset in canonical order. | |
static void | insert_can_owner (ldns_buffer *buf, struct ub_packed_rrset_key *k, uint8_t *sig, uint8_t **can_owner, size_t *can_owner_len) |
Inser canonical owner name into buffer. | |
static void | canonicalize_rdata (ldns_buffer *buf, struct ub_packed_rrset_key *rrset, size_t len) |
Canonicalize Rdata in buffer. | |
static int | rrset_canonical (struct regional *region, ldns_buffer *buf, struct ub_packed_rrset_key *k, uint8_t *sig, size_t siglen, struct rbtree_t **sortree) |
Create canonical form of rrset in the scratch buffer. | |
static void | sigdate_error (const char *str, int32_t expi, int32_t incep, int32_t now) |
pretty print rrsig error with dates | |
static int | check_dates (struct val_env *ve, uint32_t unow, uint8_t *expi_p, uint8_t *incep_p, char **reason) |
check rrsig dates | |
static void | adjust_ttl (struct val_env *ve, uint32_t unow, struct ub_packed_rrset_key *rrset, uint8_t *orig_p, uint8_t *expi_p, uint8_t *incep_p) |
adjust rrset TTL for verified rrset, compare to original TTL and expi | |
static void | log_crypto_error (const char *str, unsigned long e) |
Output a libcrypto openssl error to the logfile. | |
static int | setup_dsa_sig (unsigned char **sig, unsigned int *len) |
Setup DSA key digest in DER encoding ... | |
static int | setup_key_digest (int algo, EVP_PKEY **evp_key, const EVP_MD **digest_type, unsigned char *key, size_t keylen) |
Setup key and digest for verification. | |
static enum sec_status | verify_canonrrset (ldns_buffer *buf, int algo, unsigned char *sigblock, unsigned int sigblock_len, unsigned char *key, unsigned int keylen, char **reason) |
Check a canonical sig+rrset and signature against a dnskey. | |
enum sec_status | dnskey_verify_rrset_sig (struct regional *region, ldns_buffer *buf, struct val_env *ve, uint32_t now, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, size_t dnskey_idx, size_t sig_idx, struct rbtree_t **sortree, int *buf_canon, char **reason) |
verify rrset, with specific dnskey(from set), for a specific rrsig |
This file contains helper functions for the validator module.
The functions help with signature verification and checking, the bridging between RR wireformat data and crypto calls.
|
static |
Get signature keytag value.
k,: | rrset (with signatures) |
sig_idx,: | signature index. |
References packed_rrset_data::count, lruhash_entry::data, ub_packed_rrset_key::entry, log_assert, packed_rrset_data::rr_data, packed_rrset_data::rr_len, and packed_rrset_data::rrsig_count.
Referenced by dnskey_verify_rrset(), and dnskeyset_verify_rrset_sig().
|
static |
Get signature signing algorithm value.
k,: | rrset (with signatures) |
sig_idx,: | signature index. |
References packed_rrset_data::count, lruhash_entry::data, ub_packed_rrset_key::entry, log_assert, packed_rrset_data::rr_data, packed_rrset_data::rr_len, and packed_rrset_data::rrsig_count.
Referenced by dnskey_verify_rrset(), dnskeyset_verify_rrset(), and dnskeyset_verify_rrset_sig().
uint16_t dnskey_get_flags | ( | struct ub_packed_rrset_key * | k, |
size_t | idx | ||
) |
Get DNSKEY RR flags.
k,: | DNSKEY rrset. |
idx,: | which DNSKEY RR. |
References rrset_get_rdata().
Referenced by dnskey_verify_rrset_sig().
|
static |
Get DNSKEY protocol value from rdata.
k,: | DNSKEY rrset. |
idx,: | which key. |
References rrset_get_rdata().
Referenced by dnskey_verify_rrset_sig().
int dnskey_get_algo | ( | struct ub_packed_rrset_key * | k, |
size_t | idx | ||
) |
Get DNSKEY RR signature algorithm.
k,: | DNSKEY rrset. |
idx,: | which DNSKEY RR. |
References rrset_get_rdata().
Referenced by algo_needs_init_dnskey_add(), dnskey_algo_is_supported(), dnskey_verify_rrset(), dnskey_verify_rrset_sig(), dnskeyset_verify_rrset_sig(), key_matches_a_ds(), setup_sigalg(), val_verify_DNSKEY_with_TA(), and verify_dnskeys_with_ds_rr().
int ds_get_key_algo | ( | struct ub_packed_rrset_key * | k, |
size_t | idx | ||
) |
Get DS RR key algorithm.
This value should match with the DNSKEY algo.
k,: | DS rrset. |
idx,: | which DS. |
References rrset_get_rdata().
Referenced by algo_needs_init_ds(), ds_key_algo_is_supported(), key_matches_a_ds(), val_verify_DNSKEY_with_DS(), val_verify_DNSKEY_with_TA(), and verify_dnskeys_with_ds_rr().
int ds_get_digest_algo | ( | struct ub_packed_rrset_key * | ds_rrset, |
size_t | ds_idx | ||
) |
Get DS RR digest algorithm.
ds_rrset,: | DS rrset. |
ds_idx,: | which DS. |
References rrset_get_rdata().
Referenced by algo_needs_init_ds(), ds_create_dnskey_digest(), ds_digest_size_algo(), key_matches_a_ds(), val_favorite_ds_algo(), val_verify_DNSKEY_with_DS(), and val_verify_DNSKEY_with_TA().
uint16_t ds_get_keytag | ( | struct ub_packed_rrset_key * | ds_rrset, |
size_t | ds_idx | ||
) |
Get DS keytag, footprint value that matches the DNSKEY keytag it signs.
ds_rrset,: | DS rrset |
ds_idx,: | index of RR in DS rrset. |
References rrset_get_rdata().
Referenced by key_matches_a_ds(), and verify_dnskeys_with_ds_rr().
|
static |
Return pointer to the digest in a DS RR.
k,: | DS rrset. |
idx,: | which DS. |
digest,: | digest data is returned. on error, this is NULL. |
len,: | length of digest is returned. on error, the length is 0. |
References rrset_get_rdata().
Referenced by ds_digest_match_dnskey().
|
static |
Return size of DS digest according to its hash algorithm.
k,: | DS rrset. |
idx,: | which DS. |
References ds_get_digest_algo().
Referenced by ds_digest_algo_is_supported(), and ds_digest_match_dnskey().
|
static |
Create a DS digest for a DNSKEY entry.
env,: | module environment. Uses scratch space. |
dnskey_rrset,: | DNSKEY rrset. |
dnskey_idx,: | index of RR in rrset. |
ds_rrset,: | DS rrset |
ds_idx,: | index of RR in DS rrset. |
digest,: | digest is returned in here (must be correctly sized). |
References packed_rrset_key::dname, packed_rrset_key::dname_len, ds_get_digest_algo(), query_dname_tolower(), ub_packed_rrset_key::rk, rrset_get_rdata(), module_env::scratch_buffer, VERB_QUERY, and verbose().
Referenced by ds_digest_match_dnskey().
int ds_digest_match_dnskey | ( | struct module_env * | env, |
struct ub_packed_rrset_key * | dnskey_rrset, | ||
size_t | dnskey_idx, | ||
struct ub_packed_rrset_key * | ds_rrset, | ||
size_t | ds_idx | ||
) |
Check if dnskey matches a DS digest Does not check dnskey-keyid footprint, just the digest.
env,: | module environment. Uses scratch space. |
dnskey_rrset,: | DNSKEY rrset. |
dnskey_idx,: | index of RR in rrset. |
ds_rrset,: | DS rrset |
ds_idx,: | index of RR in DS rrset. |
References ds_create_dnskey_digest(), ds_digest_size_algo(), ds_get_sigdata(), regional_alloc(), module_env::scratch, VERB_QUERY, and verbose().
Referenced by dstest_entry(), key_matches_a_ds(), and verify_dnskeys_with_ds_rr().
int ds_digest_algo_is_supported | ( | struct ub_packed_rrset_key * | ds_rrset, |
size_t | ds_idx | ||
) |
See if DS digest algorithm is supported.
ds_rrset,: | DS rrset |
ds_idx,: | index of RR in DS rrset. |
References ds_digest_size_algo().
Referenced by anchors_ds_unsupported(), key_matches_a_ds(), val_dsset_isusable(), val_favorite_ds_algo(), val_verify_DNSKEY_with_DS(), and val_verify_DNSKEY_with_TA().
int ds_key_algo_is_supported | ( | struct ub_packed_rrset_key * | ds_rrset, |
size_t | ds_idx | ||
) |
See if DS key algorithm is supported.
ds_rrset,: | DS rrset |
ds_idx,: | index of RR in DS rrset. |
References dnskey_algo_id_is_supported(), and ds_get_key_algo().
Referenced by anchors_ds_unsupported(), key_matches_a_ds(), val_dsset_isusable(), val_favorite_ds_algo(), val_verify_DNSKEY_with_DS(), and val_verify_DNSKEY_with_TA().
uint16_t dnskey_calc_keytag | ( | struct ub_packed_rrset_key * | dnskey_rrset, |
size_t | dnskey_idx | ||
) |
Get dnskey keytag, footprint value.
dnskey_rrset,: | DNSKEY rrset. |
dnskey_idx,: | index of RR in rrset. |
References rrset_get_rdata().
Referenced by check_contains_revoked(), dnskey_verify_rrset(), dnskey_verify_rrset_sig(), dnskeyset_verify_rrset_sig(), key_matches_a_ds(), and verify_dnskeys_with_ds_rr().
int dnskey_algo_is_supported | ( | struct ub_packed_rrset_key * | dnskey_rrset, |
size_t | dnskey_idx | ||
) |
See if DNSKEY algorithm is supported.
dnskey_rrset,: | DNSKEY rrset. |
dnskey_idx,: | index of RR in rrset. |
References dnskey_algo_id_is_supported(), and dnskey_get_algo().
Referenced by anchors_dnskey_unsupported(), update_events(), and val_verify_DNSKEY_with_TA().
void algo_needs_init_dnskey_add | ( | struct algo_needs * | n, |
struct ub_packed_rrset_key * | dnskey, | ||
uint8_t * | sigalg | ||
) |
Initialize algo needs structure, set algos from rrset as needed.
Results are added to an existing need structure.
n,: | struct with storage. |
dnskey,: | algos from this struct set as necessary. DNSKEY set. |
sigalg,: | adds to signalled algorithm list too. |
References dnskey_algo_id_is_supported(), dnskey_get_algo(), algo_needs::needs, algo_needs::num, and rrset_get_count().
Referenced by val_verify_DNSKEY_with_TA().
void algo_needs_init_list | ( | struct algo_needs * | n, |
uint8_t * | sigalg | ||
) |
Initialize algo needs structure from a signalled algo list.
n,: | struct with storage. |
sigalg,: | signalled algorithm list, numbers ends with 0. |
References ALGO_NEEDS_MAX, dnskey_algo_id_is_supported(), log_assert, algo_needs::needs, and algo_needs::num.
Referenced by dnskeyset_verify_rrset().
void algo_needs_init_ds | ( | struct algo_needs * | n, |
struct ub_packed_rrset_key * | ds, | ||
int | fav_ds_algo, | ||
uint8_t * | sigalg | ||
) |
Initialize algo needs structure, set algos from rrset as needed.
n,: | struct with storage. |
ds,: | algos from this struct set as necessary. DS set. |
fav_ds_algo,: | filter to use only this DS algo. |
sigalg,: | list of signalled algos, constructed as output, provide size ALGO_NEEDS_MAX+1. list of algonumbers, ends with a zero. |
References ALGO_NEEDS_MAX, dnskey_algo_id_is_supported(), ds_get_digest_algo(), ds_get_key_algo(), log_assert, algo_needs::needs, algo_needs::num, and rrset_get_count().
Referenced by val_verify_DNSKEY_with_DS(), and val_verify_DNSKEY_with_TA().
int algo_needs_set_secure | ( | struct algo_needs * | n, |
uint8_t | algo | ||
) |
Mark this algorithm as a success, sec_secure, and see if we are done.
n,: | storage structure processed. |
algo,: | the algorithm processed to be secure. |
References algo_needs::needs, and algo_needs::num.
Referenced by dnskeyset_verify_rrset(), val_verify_DNSKEY_with_DS(), and val_verify_DNSKEY_with_TA().
void algo_needs_set_bogus | ( | struct algo_needs * | n, |
uint8_t | algo | ||
) |
Mark this algorithm a failure, sec_bogus.
It can later be overridden by a success for this algorithm (with a different signature).
n,: | storage structure processed. |
algo,: | the algorithm processed to be bogus. |
References algo_needs::needs.
Referenced by dnskeyset_verify_rrset(), val_verify_DNSKEY_with_DS(), and val_verify_DNSKEY_with_TA().
size_t algo_needs_num_missing | ( | struct algo_needs * | n | ) |
See how many algorithms are missing (not bogus or secure, but not processed)
n,: | storage structure processed. |
References algo_needs::num.
Referenced by dnskeyset_verify_rrset().
int algo_needs_missing | ( | struct algo_needs * | n | ) |
See which algo is missing.
n,: | struct after processing. |
References ALGO_NEEDS_MAX, and algo_needs::needs.
Referenced by dnskeyset_verify_rrset(), val_verify_DNSKEY_with_DS(), and val_verify_DNSKEY_with_TA().
enum sec_status dnskeyset_verify_rrset | ( | struct module_env * | env, |
struct val_env * | ve, | ||
struct ub_packed_rrset_key * | rrset, | ||
struct ub_packed_rrset_key * | dnskey, | ||
uint8_t * | sigalg, | ||
char ** | reason | ||
) |
Verify rrset against dnskey rrset.
env,: | module environment, scratch space is used. |
ve,: | validator environment, date settings. |
rrset,: | to be validated. |
dnskey,: | DNSKEY rrset, keyset to try. |
sigalg,: | if nonNULL provide downgrade protection otherwise one algorithm is enough. |
reason,: | if bogus, a string returned, fixed or alloced in scratch. |
References algo_needs_init_list(), algo_needs_missing(), algo_needs_num_missing(), algo_needs_reason(), algo_needs_set_bogus(), algo_needs_set_secure(), dnskeyset_verify_rrset_sig(), module_env::now, algo_needs::num, rrset_get_sig_algo(), rrset_get_sigcount(), sec_status_bogus, sec_status_insecure, sec_status_secure, VERB_ALGO, VERB_QUERY, and verbose().
Referenced by val_verify_rrset(), and verifytest_rrset().
void algo_needs_reason | ( | struct module_env * | env, |
int | alg, | ||
char ** | reason, | ||
char * | s | ||
) |
Format error reason for algorithm missing.
env,: | module env with scratch for temp storage of string. |
alg,: | DNSKEY-algorithm missing. |
reason,: | destination. |
s,: | string, appended with 'with algorithm ..'. |
References regional_strdup(), and module_env::scratch.
Referenced by dnskeyset_verify_rrset(), val_verify_DNSKEY_with_DS(), val_verify_DNSKEY_with_TA(), and verify_dnskeys_with_ds_rr().
enum sec_status dnskey_verify_rrset | ( | struct module_env * | env, |
struct val_env * | ve, | ||
struct ub_packed_rrset_key * | rrset, | ||
struct ub_packed_rrset_key * | dnskey, | ||
size_t | dnskey_idx, | ||
char ** | reason | ||
) |
verify rrset against one specific dnskey (from rrset)
env,: | module environment, scratch space is used. |
ve,: | validator environment, date settings. |
rrset,: | to be validated. |
dnskey,: | DNSKEY rrset, keyset. |
dnskey_idx,: | which key from the rrset to try. |
reason,: | if bogus, a string returned, fixed or alloced in scratch. |
References dnskey_calc_keytag(), dnskey_get_algo(), dnskey_verify_rrset_sig(), module_env::now, algo_needs::num, rrset_get_sig_algo(), rrset_get_sig_keytag(), rrset_get_sigcount(), module_env::scratch, module_env::scratch_buffer, sec_status_bogus, sec_status_secure, VERB_ALGO, VERB_QUERY, and verbose().
Referenced by key_matches_a_ds(), rr_is_selfsigned_revoked(), val_verify_DNSKEY_with_TA(), and verify_dnskeys_with_ds_rr().
enum sec_status dnskeyset_verify_rrset_sig | ( | struct module_env * | env, |
struct val_env * | ve, | ||
uint32_t | now, | ||
struct ub_packed_rrset_key * | rrset, | ||
struct ub_packed_rrset_key * | dnskey, | ||
size_t | sig_idx, | ||
struct rbtree_t ** | sortree, | ||
char ** | reason | ||
) |
verify rrset, with dnskey rrset, for a specific rrsig in rrset
env,: | module environment, scratch space is used. |
ve,: | validator environment, date settings. |
now,: | current time for validation (can be overridden). |
rrset,: | to be validated. |
dnskey,: | DNSKEY rrset, keyset to try. |
sig_idx,: | which signature to try to validate. |
sortree,: | reused sorted order. Stored in region. Pass NULL at start, and for a new rrset. |
reason,: | if bogus, a string returned, fixed or alloced in scratch. |
References dnskey_algo_id_is_supported(), dnskey_calc_keytag(), dnskey_get_algo(), dnskey_verify_rrset_sig(), algo_needs::num, rrset_get_count(), rrset_get_sig_algo(), rrset_get_sig_keytag(), module_env::scratch, module_env::scratch_buffer, sec_status_bogus, sec_status_insecure, sec_status_secure, VERB_ALGO, VERB_QUERY, and verbose().
Referenced by dnskeyset_verify_rrset().
|
static |
Compare two RR for canonical order, in a field-style sweep.
d,: | rrset data |
desc,: | ldns wireformat descriptor. |
i,: | first RR to compare |
j,: | first RR to compare |
References get_rdf_size(), packed_rrset_data::rr_data, and packed_rrset_data::rr_len.
Referenced by canonical_compare().
|
static |
Compare two RRs in the same RRset and determine their relative canonical order.
rrset,: | the rrset in which to perform compares. |
i,: | first RR to compare |
j,: | first RR to compare |
References canonical_compare_byfield(), lruhash_entry::data, ub_packed_rrset_key::entry, log_assert, query_dname_compare(), ub_packed_rrset_key::rk, packed_rrset_data::rr_data, packed_rrset_data::rr_len, and packed_rrset_key::type.
Referenced by canonical_tree_compare().
|
static |
Sort RRs for rrset in canonical order.
Does not actually canonicalize the RR rdatas. Does not touch rrsigs.
rrset,: | to sort. |
d,: | rrset data. |
sortree,: | tree to sort into. |
rrs,: | rr storage. |
References packed_rrset_data::count, rbnode_t::key, canon_rr::node, rbtree_insert(), canon_rr::rr_idx, and canon_rr::rrset.
Referenced by rrset_canonical().
|
static |
Inser canonical owner name into buffer.
buf,: | buffer to insert into at current position. |
k,: | rrset with its owner name. |
sig,: | signature with signer name and label count. must be length checked, at least 18 bytes long. |
can_owner,: | position in buffer returned for future use. |
can_owner_len,: | length of canonical owner name. |
References packed_rrset_key::dname, packed_rrset_key::dname_len, dname_remove_label(), dname_signame_label_count(), log_assert, query_dname_tolower(), and ub_packed_rrset_key::rk.
Referenced by rrset_canonical().
|
static |
Canonicalize Rdata in buffer.
buf,: | buffer at position just after the rdata. |
rrset,: | rrset with type. |
len,: | length of the rdata (including rdatalen uint16). |
References dname_valid(), query_dname_tolower(), ub_packed_rrset_key::rk, and packed_rrset_key::type.
Referenced by rrset_canonical().
|
static |
Create canonical form of rrset in the scratch buffer.
region,: | temporary region. |
buf,: | the buffer to use. |
k,: | the rrset to insert. |
sig,: | RRSIG rdata to include. |
siglen,: | RRSIG rdata len excluding signature field, but inclusive signer name length. |
sortree,: | if NULL is passed a new sorted rrset tree is built. Otherwise it is reused. |
References canonical_sort(), canonical_tree_compare(), canonicalize_rdata(), packed_rrset_data::count, lruhash_entry::data, ub_packed_rrset_key::entry, insert_can_owner(), log_err(), query_dname_tolower(), RBTREE_FOR, rbtree_init(), regional_alloc(), ub_packed_rrset_key::rk, packed_rrset_data::rr_data, packed_rrset_data::rr_len, packed_rrset_key::rrset_class, and packed_rrset_key::type.
Referenced by dnskey_verify_rrset_sig().
|
static |
Output a libcrypto openssl error to the logfile.
str,: | string to add to it. |
e,: | the error to output, error number from ERR_get_error(). |
References log_err().
Referenced by verify_canonrrset().
|
static |
Setup DSA key digest in DER encoding ...
sig,: | input is signature output alloced ptr (unless failure). caller must free alloced ptr if this routine returns true. |
len,: | input is initial siglen, output is output len. |
Referenced by verify_canonrrset().
|
static |
Setup key and digest for verification.
Adjust sig if necessary.
algo,: | key algorithm |
evp_key,: | EVP PKEY public key to create. |
digest_type,: | digest type to use |
key,: | key to setup for. |
keylen,: | length of key. |
References log_err(), sec_status_unchecked, VERB_QUERY, and verbose().
Referenced by verify_canonrrset().
|
static |
Check a canonical sig+rrset and signature against a dnskey.
buf,: | buffer with data to verify, the first rrsig part and the canonicalized rrset. |
algo,: | DNSKEY algorithm. |
sigblock,: | signature rdata field from RRSIG |
sigblock_len,: | length of sigblock data. |
key,: | public key data from DNSKEY RR. |
keylen,: | length of keydata. |
reason,: | bogus reason in more detail. |
References log_crypto_error(), sec_status_bogus, sec_status_secure, sec_status_unchecked, setup_dsa_sig(), setup_key_digest(), VERB_QUERY, and verbose().
Referenced by dnskey_verify_rrset_sig().
enum sec_status dnskey_verify_rrset_sig | ( | struct regional * | region, |
ldns_buffer * | buf, | ||
struct val_env * | ve, | ||
uint32_t | now, | ||
struct ub_packed_rrset_key * | rrset, | ||
struct ub_packed_rrset_key * | dnskey, | ||
size_t | dnskey_idx, | ||
size_t | sig_idx, | ||
struct rbtree_t ** | sortree, | ||
int * | buf_canon, | ||
char ** | reason | ||
) |
verify rrset, with specific dnskey(from set), for a specific rrsig
region,: | scratch region used for temporary allocation. |
buf,: | scratch buffer used for canonicalized rrset data. |
ve,: | validator environment, date settings. |
now,: | current time for validation (can be overridden). |
rrset,: | to be validated. |
dnskey,: | DNSKEY rrset, keyset. |
dnskey_idx,: | which key from the rrset to try. |
sig_idx,: | which signature to try to validate. |
sortree,: | pass NULL at start, the sorted rrset order is returned. pass it again for the same rrset. |
buf_canon,: | if true, the buffer is already canonical. pass false at start. pass old value only for same rrset and same signature (but perhaps different key) for reuse. |
reason,: | if bogus, a string returned, fixed or alloced in scratch. |
References adjust_ttl(), check_dates(), packed_rrset_key::dname, dname_signame_label_count(), dname_subdomain_c(), dname_valid(), DNSKEY_BIT_ZSK, dnskey_calc_keytag(), dnskey_get_algo(), dnskey_get_flags(), dnskey_get_protocol(), dnskey_get_pubkey(), log_err(), log_nametypeclass(), query_dname_compare(), ub_packed_rrset_key::rk, rrset_canonical(), rrset_get_count(), rrset_get_rdata(), sec_status_bogus, sec_status_secure, sec_status_unchecked, packed_rrset_key::type, VERB_QUERY, verbose(), and verify_canonrrset().
Referenced by dnskey_verify_rrset(), and dnskeyset_verify_rrset_sig().