Data Structures | Functions
val_sigcrypt.c File Reference

This file contains helper functions for the validator module. More...

#include "config.h"
#include "validator/val_sigcrypt.h"
#include "validator/val_secalgo.h"
#include "validator/validator.h"
#include "util/data/msgreply.h"
#include "util/data/msgparse.h"
#include "util/data/dname.h"
#include "util/rbtree.h"
#include "util/module.h"
#include "util/net_help.h"
#include "util/regional.h"
#include "ldns/keyraw.h"
#include "ldns/sbuffer.h"
#include "ldns/parseutil.h"
#include "ldns/wire2str.h"
#include <ctype.h>

Data Structures

struct  canon_rr
 RR entries in a canonical sorted tree of RRs. More...
 

Functions

static size_t rrset_get_count (struct ub_packed_rrset_key *rrset)
 return number of rrs in an rrset
 
static size_t rrset_get_sigcount (struct ub_packed_rrset_key *k)
 Get RR signature count.
 
static uint16_t rrset_get_sig_keytag (struct ub_packed_rrset_key *k, size_t sig_idx)
 Get signature keytag value. More...
 
static int rrset_get_sig_algo (struct ub_packed_rrset_key *k, size_t sig_idx)
 Get signature signing algorithm value. More...
 
static void rrset_get_rdata (struct ub_packed_rrset_key *k, size_t idx, uint8_t **rdata, size_t *len)
 get rdata pointer and size
 
uint16_t dnskey_get_flags (struct ub_packed_rrset_key *k, size_t idx)
 Get DNSKEY RR flags. More...
 
static int dnskey_get_protocol (struct ub_packed_rrset_key *k, size_t idx)
 Get DNSKEY protocol value from rdata. More...
 
int dnskey_get_algo (struct ub_packed_rrset_key *k, size_t idx)
 Get DNSKEY RR signature algorithm. More...
 
static void dnskey_get_pubkey (struct ub_packed_rrset_key *k, size_t idx, unsigned char **pk, unsigned int *pklen)
 get public key rdata field from a dnskey RR and do some checks
 
int ds_get_key_algo (struct ub_packed_rrset_key *k, size_t idx)
 Get DS RR key algorithm. More...
 
int ds_get_digest_algo (struct ub_packed_rrset_key *k, size_t idx)
 Get DS RR digest algorithm. More...
 
uint16_t ds_get_keytag (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx)
 Get DS keytag, footprint value that matches the DNSKEY keytag it signs. More...
 
static void ds_get_sigdata (struct ub_packed_rrset_key *k, size_t idx, uint8_t **digest, size_t *len)
 Return pointer to the digest in a DS RR. More...
 
static size_t ds_digest_size_algo (struct ub_packed_rrset_key *k, size_t idx)
 Return size of DS digest according to its hash algorithm. More...
 
static int ds_create_dnskey_digest (struct module_env *env, struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx, struct ub_packed_rrset_key *ds_rrset, size_t ds_idx, uint8_t *digest)
 Create a DS digest for a DNSKEY entry. More...
 
int ds_digest_match_dnskey (struct module_env *env, struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx, struct ub_packed_rrset_key *ds_rrset, size_t ds_idx)
 Check if dnskey matches a DS digest Does not check dnskey-keyid footprint, just the digest. More...
 
int ds_digest_algo_is_supported (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx)
 See if DS digest algorithm is supported. More...
 
int ds_key_algo_is_supported (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx)
 See if DS key algorithm is supported. More...
 
uint16_t dnskey_calc_keytag (struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx)
 Get dnskey keytag, footprint value. More...
 
int dnskey_algo_is_supported (struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx)
 See if DNSKEY algorithm is supported. More...
 
void algo_needs_init_dnskey_add (struct algo_needs *n, struct ub_packed_rrset_key *dnskey, uint8_t *sigalg)
 Initialize algo needs structure, set algos from rrset as needed. More...
 
void algo_needs_init_list (struct algo_needs *n, uint8_t *sigalg)
 Initialize algo needs structure from a signalled algo list. More...
 
void algo_needs_init_ds (struct algo_needs *n, struct ub_packed_rrset_key *ds, int fav_ds_algo, uint8_t *sigalg)
 Initialize algo needs structure, set algos from rrset as needed. More...
 
int algo_needs_set_secure (struct algo_needs *n, uint8_t algo)
 Mark this algorithm as a success, sec_secure, and see if we are done. More...
 
void algo_needs_set_bogus (struct algo_needs *n, uint8_t algo)
 Mark this algorithm a failure, sec_bogus. More...
 
size_t algo_needs_num_missing (struct algo_needs *n)
 See how many algorithms are missing (not bogus or secure, but not processed) More...
 
int algo_needs_missing (struct algo_needs *n)
 See which algo is missing. More...
 
enum sec_status dnskeyset_verify_rrset (struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, uint8_t *sigalg, char **reason)
 Verify rrset against dnskey rrset. More...
 
void algo_needs_reason (struct module_env *env, int alg, char **reason, char *s)
 Format error reason for algorithm missing. More...
 
enum sec_status dnskey_verify_rrset (struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, size_t dnskey_idx, char **reason)
 verify rrset against one specific dnskey (from rrset) More...
 
enum sec_status dnskeyset_verify_rrset_sig (struct module_env *env, struct val_env *ve, time_t now, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, size_t sig_idx, struct rbtree_t **sortree, char **reason)
 verify rrset, with dnskey rrset, for a specific rrsig in rrset More...
 
static int canonical_compare_byfield (struct packed_rrset_data *d, const sldns_rr_descriptor *desc, size_t i, size_t j)
 Compare two RR for canonical order, in a field-style sweep. More...
 
static int canonical_compare (struct ub_packed_rrset_key *rrset, size_t i, size_t j)
 Compare two RRs in the same RRset and determine their relative canonical order. More...
 
int canonical_tree_compare (const void *k1, const void *k2)
 canonical compare for two tree entries
 
static void canonical_sort (struct ub_packed_rrset_key *rrset, struct packed_rrset_data *d, rbtree_t *sortree, struct canon_rr *rrs)
 Sort RRs for rrset in canonical order. More...
 
static void insert_can_owner (sldns_buffer *buf, struct ub_packed_rrset_key *k, uint8_t *sig, uint8_t **can_owner, size_t *can_owner_len)
 Inser canonical owner name into buffer. More...
 
static void canonicalize_rdata (sldns_buffer *buf, struct ub_packed_rrset_key *rrset, size_t len)
 Canonicalize Rdata in buffer. More...
 
int rrset_canonical_equal (struct regional *region, struct ub_packed_rrset_key *k1, struct ub_packed_rrset_key *k2)
 Compare two rrsets and see if they are the same, canonicalised. More...
 
static int rrset_canonical (struct regional *region, sldns_buffer *buf, struct ub_packed_rrset_key *k, uint8_t *sig, size_t siglen, struct rbtree_t **sortree)
 Create canonical form of rrset in the scratch buffer. More...
 
static void sigdate_error (const char *str, int32_t expi, int32_t incep, int32_t now)
 pretty print rrsig error with dates
 
static int check_dates (struct val_env *ve, uint32_t unow, uint8_t *expi_p, uint8_t *incep_p, char **reason)
 check rrsig dates
 
static void adjust_ttl (struct val_env *ve, uint32_t unow, struct ub_packed_rrset_key *rrset, uint8_t *orig_p, uint8_t *expi_p, uint8_t *incep_p)
 adjust rrset TTL for verified rrset, compare to original TTL and expi
 
enum sec_status dnskey_verify_rrset_sig (struct regional *region, sldns_buffer *buf, struct val_env *ve, time_t now, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, size_t dnskey_idx, size_t sig_idx, struct rbtree_t **sortree, int *buf_canon, char **reason)
 verify rrset, with specific dnskey(from set), for a specific rrsig More...
 

Detailed Description

This file contains helper functions for the validator module.

The functions help with signature verification and checking, the bridging between RR wireformat data and crypto calls.

Function Documentation

static uint16_t rrset_get_sig_keytag ( struct ub_packed_rrset_key k,
size_t  sig_idx 
)
static

Get signature keytag value.

Parameters
krrset (with signatures)
sig_idxsignature index.
Returns
keytag or 0 if malformed rrsig.

References packed_rrset_data::count, lruhash_entry::data, ub_packed_rrset_key::entry, log_assert, packed_rrset_data::rr_data, packed_rrset_data::rr_len, and packed_rrset_data::rrsig_count.

Referenced by dnskey_verify_rrset(), and dnskeyset_verify_rrset_sig().

static int rrset_get_sig_algo ( struct ub_packed_rrset_key k,
size_t  sig_idx 
)
static

Get signature signing algorithm value.

Parameters
krrset (with signatures)
sig_idxsignature index.
Returns
algo or 0 if malformed rrsig.

References packed_rrset_data::count, lruhash_entry::data, ub_packed_rrset_key::entry, log_assert, packed_rrset_data::rr_data, packed_rrset_data::rr_len, and packed_rrset_data::rrsig_count.

Referenced by dnskey_verify_rrset(), dnskeyset_verify_rrset(), and dnskeyset_verify_rrset_sig().

uint16_t dnskey_get_flags ( struct ub_packed_rrset_key k,
size_t  idx 
)

Get DNSKEY RR flags.

Parameters
kDNSKEY rrset.
idxwhich DNSKEY RR.
Returns
flags or 0 if DNSKEY too short.

References rrset_get_rdata().

Referenced by dnskey_verify_rrset_sig().

static int dnskey_get_protocol ( struct ub_packed_rrset_key k,
size_t  idx 
)
static

Get DNSKEY protocol value from rdata.

Parameters
kDNSKEY rrset.
idxwhich key.
Returns
protocol octet value

References rrset_get_rdata().

Referenced by dnskey_verify_rrset_sig().

int dnskey_get_algo ( struct ub_packed_rrset_key k,
size_t  idx 
)

Get DNSKEY RR signature algorithm.

Parameters
kDNSKEY rrset.
idxwhich DNSKEY RR.
Returns
algorithm or 0 if DNSKEY too short.

References rrset_get_rdata().

Referenced by algo_needs_init_dnskey_add(), dnskey_algo_is_supported(), dnskey_verify_rrset(), dnskey_verify_rrset_sig(), dnskeyset_verify_rrset_sig(), key_matches_a_ds(), setup_sigalg(), val_verify_DNSKEY_with_TA(), and verify_dnskeys_with_ds_rr().

int ds_get_key_algo ( struct ub_packed_rrset_key k,
size_t  idx 
)

Get DS RR key algorithm.

This value should match with the DNSKEY algo.

Parameters
kDS rrset.
idxwhich DS.
Returns
algorithm or 0 if DS too short.

References rrset_get_rdata().

Referenced by algo_needs_init_ds(), ds_key_algo_is_supported(), key_matches_a_ds(), val_verify_DNSKEY_with_DS(), val_verify_DNSKEY_with_TA(), and verify_dnskeys_with_ds_rr().

int ds_get_digest_algo ( struct ub_packed_rrset_key ds_rrset,
size_t  ds_idx 
)

Get DS RR digest algorithm.

Parameters
ds_rrsetDS rrset.
ds_idxwhich DS.
Returns
algorithm or 0 if DS too short.

References rrset_get_rdata().

Referenced by algo_needs_init_ds(), ds_create_dnskey_digest(), ds_digest_size_algo(), key_matches_a_ds(), val_favorite_ds_algo(), val_verify_DNSKEY_with_DS(), and val_verify_DNSKEY_with_TA().

uint16_t ds_get_keytag ( struct ub_packed_rrset_key ds_rrset,
size_t  ds_idx 
)

Get DS keytag, footprint value that matches the DNSKEY keytag it signs.

Parameters
ds_rrsetDS rrset
ds_idxindex of RR in DS rrset.
Returns
the keytag or 0 for badly formatted DSs.

References rrset_get_rdata().

Referenced by key_matches_a_ds(), and verify_dnskeys_with_ds_rr().

static void ds_get_sigdata ( struct ub_packed_rrset_key k,
size_t  idx,
uint8_t **  digest,
size_t *  len 
)
static

Return pointer to the digest in a DS RR.

Parameters
kDS rrset.
idxwhich DS.
digestdigest data is returned. on error, this is NULL.
lenlength of digest is returned. on error, the length is 0.

References rrset_get_rdata().

Referenced by ds_digest_match_dnskey().

static size_t ds_digest_size_algo ( struct ub_packed_rrset_key k,
size_t  idx 
)
static

Return size of DS digest according to its hash algorithm.

Parameters
kDS rrset.
idxwhich DS.
Returns
size in bytes of digest, or 0 if not supported.

References ds_digest_size_supported(), and ds_get_digest_algo().

Referenced by ds_digest_algo_is_supported(), and ds_digest_match_dnskey().

static int ds_create_dnskey_digest ( struct module_env env,
struct ub_packed_rrset_key dnskey_rrset,
size_t  dnskey_idx,
struct ub_packed_rrset_key ds_rrset,
size_t  ds_idx,
uint8_t *  digest 
)
static

Create a DS digest for a DNSKEY entry.

Parameters
envmodule environment. Uses scratch space.
dnskey_rrsetDNSKEY rrset.
dnskey_idxindex of RR in rrset.
ds_rrsetDS rrset
ds_idxindex of RR in DS rrset.
digestdigest is returned in here (must be correctly sized).
Returns
false on error.

References packed_rrset_key::dname, packed_rrset_key::dname_len, ds_get_digest_algo(), query_dname_tolower(), ub_packed_rrset_key::rk, rrset_get_rdata(), module_env::scratch_buffer, secalgo_ds_digest(), sldns_buffer_begin(), sldns_buffer_clear(), sldns_buffer_flip(), sldns_buffer_limit(), and sldns_buffer_write().

Referenced by ds_digest_match_dnskey().

int ds_digest_match_dnskey ( struct module_env env,
struct ub_packed_rrset_key dnskey_rrset,
size_t  dnskey_idx,
struct ub_packed_rrset_key ds_rrset,
size_t  ds_idx 
)

Check if dnskey matches a DS digest Does not check dnskey-keyid footprint, just the digest.

Parameters
envmodule environment. Uses scratch space.
dnskey_rrsetDNSKEY rrset.
dnskey_idxindex of RR in rrset.
ds_rrsetDS rrset
ds_idxindex of RR in DS rrset.
Returns
true if it matches, false on error, not supported or no match.

References ds_create_dnskey_digest(), ds_digest_size_algo(), ds_get_sigdata(), regional_alloc(), module_env::scratch, VERB_QUERY, and verbose().

Referenced by dstest_entry(), key_matches_a_ds(), and verify_dnskeys_with_ds_rr().

int ds_digest_algo_is_supported ( struct ub_packed_rrset_key ds_rrset,
size_t  ds_idx 
)

See if DS digest algorithm is supported.

Parameters
ds_rrsetDS rrset
ds_idxindex of RR in DS rrset.
Returns
true if supported.

References ds_digest_size_algo().

Referenced by anchors_ds_unsupported(), key_matches_a_ds(), val_dsset_isusable(), val_favorite_ds_algo(), val_verify_DNSKEY_with_DS(), and val_verify_DNSKEY_with_TA().

int ds_key_algo_is_supported ( struct ub_packed_rrset_key ds_rrset,
size_t  ds_idx 
)

See if DS key algorithm is supported.

Parameters
ds_rrsetDS rrset
ds_idxindex of RR in DS rrset.
Returns
true if supported.

References dnskey_algo_id_is_supported(), and ds_get_key_algo().

Referenced by anchors_ds_unsupported(), key_matches_a_ds(), val_dsset_isusable(), val_favorite_ds_algo(), val_verify_DNSKEY_with_DS(), and val_verify_DNSKEY_with_TA().

uint16_t dnskey_calc_keytag ( struct ub_packed_rrset_key dnskey_rrset,
size_t  dnskey_idx 
)

Get dnskey keytag, footprint value.

Parameters
dnskey_rrsetDNSKEY rrset.
dnskey_idxindex of RR in rrset.
Returns
the keytag or 0 for badly formatted DNSKEYs.

References rrset_get_rdata(), and sldns_calc_keytag_raw().

Referenced by check_contains_revoked(), dnskey_verify_rrset(), dnskey_verify_rrset_sig(), dnskeyset_verify_rrset_sig(), key_matches_a_ds(), and verify_dnskeys_with_ds_rr().

int dnskey_algo_is_supported ( struct ub_packed_rrset_key dnskey_rrset,
size_t  dnskey_idx 
)

See if DNSKEY algorithm is supported.

Parameters
dnskey_rrsetDNSKEY rrset.
dnskey_idxindex of RR in rrset.
Returns
true if supported.

References dnskey_algo_id_is_supported(), and dnskey_get_algo().

Referenced by anchors_dnskey_unsupported(), update_events(), and val_verify_DNSKEY_with_TA().

void algo_needs_init_dnskey_add ( struct algo_needs n,
struct ub_packed_rrset_key dnskey,
uint8_t *  sigalg 
)

Initialize algo needs structure, set algos from rrset as needed.

Results are added to an existing need structure.

Parameters
nstruct with storage.
dnskeyalgos from this struct set as necessary. DNSKEY set.
sigalgadds to signalled algorithm list too.

References dnskey_algo_id_is_supported(), dnskey_get_algo(), algo_needs::needs, algo_needs::num, and rrset_get_count().

Referenced by val_verify_DNSKEY_with_TA().

void algo_needs_init_list ( struct algo_needs n,
uint8_t *  sigalg 
)

Initialize algo needs structure from a signalled algo list.

Parameters
nstruct with storage.
sigalgsignalled algorithm list, numbers ends with 0.

References ALGO_NEEDS_MAX, dnskey_algo_id_is_supported(), log_assert, algo_needs::needs, and algo_needs::num.

Referenced by dnskeyset_verify_rrset().

void algo_needs_init_ds ( struct algo_needs n,
struct ub_packed_rrset_key ds,
int  fav_ds_algo,
uint8_t *  sigalg 
)

Initialize algo needs structure, set algos from rrset as needed.

Parameters
nstruct with storage.
dsalgos from this struct set as necessary. DS set.
fav_ds_algofilter to use only this DS algo.
sigalglist of signalled algos, constructed as output, provide size ALGO_NEEDS_MAX+1. list of algonumbers, ends with a zero.

References ALGO_NEEDS_MAX, dnskey_algo_id_is_supported(), ds_get_digest_algo(), ds_get_key_algo(), log_assert, algo_needs::needs, algo_needs::num, and rrset_get_count().

Referenced by val_verify_DNSKEY_with_DS(), and val_verify_DNSKEY_with_TA().

int algo_needs_set_secure ( struct algo_needs n,
uint8_t  algo 
)

Mark this algorithm as a success, sec_secure, and see if we are done.

Parameters
nstorage structure processed.
algothe algorithm processed to be secure.
Returns
if true, processing has finished successfully, we are satisfied.

References algo_needs::needs, and algo_needs::num.

Referenced by dnskeyset_verify_rrset(), val_verify_DNSKEY_with_DS(), and val_verify_DNSKEY_with_TA().

void algo_needs_set_bogus ( struct algo_needs n,
uint8_t  algo 
)

Mark this algorithm a failure, sec_bogus.

It can later be overridden by a success for this algorithm (with a different signature).

Parameters
nstorage structure processed.
algothe algorithm processed to be bogus.

References algo_needs::needs.

Referenced by dnskeyset_verify_rrset(), val_verify_DNSKEY_with_DS(), and val_verify_DNSKEY_with_TA().

size_t algo_needs_num_missing ( struct algo_needs n)

See how many algorithms are missing (not bogus or secure, but not processed)

Parameters
nstorage structure processed.
Returns
number of algorithms missing after processing.

References algo_needs::num.

Referenced by dnskeyset_verify_rrset().

int algo_needs_missing ( struct algo_needs n)

See which algo is missing.

Parameters
nstruct after processing.
Returns
if 0 an algorithm was bogus, if a number, this algorithm was missing. So on 0, report why that was bogus, on number report a missing algorithm. There could be multiple missing, this reports the first one.

References ALGO_NEEDS_MAX, and algo_needs::needs.

Referenced by dnskeyset_verify_rrset(), val_verify_DNSKEY_with_DS(), and val_verify_DNSKEY_with_TA().

enum sec_status dnskeyset_verify_rrset ( struct module_env env,
struct val_env ve,
struct ub_packed_rrset_key rrset,
struct ub_packed_rrset_key dnskey,
uint8_t *  sigalg,
char **  reason 
)

Verify rrset against dnskey rrset.

Parameters
envmodule environment, scratch space is used.
vevalidator environment, date settings.
rrsetto be validated.
dnskeyDNSKEY rrset, keyset to try.
sigalgif nonNULL provide downgrade protection otherwise one algorithm is enough.
reasonif bogus, a string returned, fixed or alloced in scratch.
Returns
SECURE if one key in the set verifies one rrsig. UNCHECKED on allocation errors, unsupported algorithms, malformed data, and BOGUS on verification failures (no keys match any signatures).

References algo_needs_init_list(), algo_needs_missing(), algo_needs_num_missing(), algo_needs_reason(), algo_needs_set_bogus(), algo_needs_set_secure(), dnskeyset_verify_rrset_sig(), module_env::now, algo_needs::num, rrset_get_sig_algo(), rrset_get_sigcount(), sec_status_bogus, sec_status_insecure, sec_status_secure, VERB_ALGO, VERB_QUERY, and verbose().

Referenced by val_verify_rrset(), and verifytest_rrset().

void algo_needs_reason ( struct module_env env,
int  alg,
char **  reason,
char *  s 
)

Format error reason for algorithm missing.

Parameters
envmodule env with scratch for temp storage of string.
algDNSKEY-algorithm missing.
reasondestination.
sstring, appended with 'with algorithm ..'.

References regional_strdup(), module_env::scratch, sldns_algorithms, and sldns_lookup_by_id().

Referenced by dnskeyset_verify_rrset(), val_verify_DNSKEY_with_DS(), val_verify_DNSKEY_with_TA(), and verify_dnskeys_with_ds_rr().

enum sec_status dnskey_verify_rrset ( struct module_env env,
struct val_env ve,
struct ub_packed_rrset_key rrset,
struct ub_packed_rrset_key dnskey,
size_t  dnskey_idx,
char **  reason 
)

verify rrset against one specific dnskey (from rrset)

Parameters
envmodule environment, scratch space is used.
vevalidator environment, date settings.
rrsetto be validated.
dnskeyDNSKEY rrset, keyset.
dnskey_idxwhich key from the rrset to try.
reasonif bogus, a string returned, fixed or alloced in scratch.
Returns
secure if this key signs any of the signatures on rrset. unchecked on error or and bogus on bad signature.

References dnskey_calc_keytag(), dnskey_get_algo(), dnskey_verify_rrset_sig(), module_env::now, algo_needs::num, rrset_get_sig_algo(), rrset_get_sig_keytag(), rrset_get_sigcount(), module_env::scratch, module_env::scratch_buffer, sec_status_bogus, sec_status_secure, VERB_ALGO, VERB_QUERY, and verbose().

Referenced by key_matches_a_ds(), rr_is_selfsigned_revoked(), val_verify_DNSKEY_with_TA(), and verify_dnskeys_with_ds_rr().

enum sec_status dnskeyset_verify_rrset_sig ( struct module_env env,
struct val_env ve,
time_t  now,
struct ub_packed_rrset_key rrset,
struct ub_packed_rrset_key dnskey,
size_t  sig_idx,
struct rbtree_t **  sortree,
char **  reason 
)

verify rrset, with dnskey rrset, for a specific rrsig in rrset

Parameters
envmodule environment, scratch space is used.
vevalidator environment, date settings.
nowcurrent time for validation (can be overridden).
rrsetto be validated.
dnskeyDNSKEY rrset, keyset to try.
sig_idxwhich signature to try to validate.
sortreereused sorted order. Stored in region. Pass NULL at start, and for a new rrset.
reasonif bogus, a string returned, fixed or alloced in scratch.
Returns
secure if any key signs this signature. bogus if no key signs it, or unchecked on error.

References dnskey_algo_id_is_supported(), dnskey_calc_keytag(), dnskey_get_algo(), dnskey_verify_rrset_sig(), algo_needs::num, rrset_get_count(), rrset_get_sig_algo(), rrset_get_sig_keytag(), module_env::scratch, module_env::scratch_buffer, sec_status_bogus, sec_status_insecure, sec_status_secure, VERB_ALGO, VERB_QUERY, and verbose().

Referenced by dnskeyset_verify_rrset().

static int canonical_compare_byfield ( struct packed_rrset_data d,
const sldns_rr_descriptor desc,
size_t  i,
size_t  j 
)
static

Compare two RR for canonical order, in a field-style sweep.

Parameters
drrset data
descldns wireformat descriptor.
ifirst RR to compare
jfirst RR to compare
Returns
comparison code.

References sldns_struct_rr_descriptor::_dname_count, sldns_struct_rr_descriptor::_wireformat, get_rdf_size(), LDNS_RDF_TYPE_DNAME, LDNS_RDF_TYPE_STR, packed_rrset_data::rr_data, and packed_rrset_data::rr_len.

Referenced by canonical_compare().

static int canonical_compare ( struct ub_packed_rrset_key rrset,
size_t  i,
size_t  j 
)
static
static void canonical_sort ( struct ub_packed_rrset_key rrset,
struct packed_rrset_data d,
rbtree_t sortree,
struct canon_rr rrs 
)
static

Sort RRs for rrset in canonical order.

Does not actually canonicalize the RR rdatas. Does not touch rrsigs.

Parameters
rrsetto sort.
drrset data.
sortreetree to sort into.
rrsrr storage.

References packed_rrset_data::count, rbnode_t::key, canon_rr::node, rbtree_insert(), canon_rr::rr_idx, and canon_rr::rrset.

Referenced by rrset_canonical(), and rrset_canonical_equal().

static void insert_can_owner ( sldns_buffer buf,
struct ub_packed_rrset_key k,
uint8_t *  sig,
uint8_t **  can_owner,
size_t *  can_owner_len 
)
static

Inser canonical owner name into buffer.

Parameters
bufbuffer to insert into at current position.
krrset with its owner name.
sigsignature with signer name and label count. must be length checked, at least 18 bytes long.
can_ownerposition in buffer returned for future use.
can_owner_lenlength of canonical owner name.

References packed_rrset_key::dname, packed_rrset_key::dname_len, dname_remove_label(), dname_signame_label_count(), log_assert, query_dname_tolower(), ub_packed_rrset_key::rk, sldns_buffer_current(), and sldns_buffer_write().

Referenced by rrset_canonical().

static void canonicalize_rdata ( sldns_buffer buf,
struct ub_packed_rrset_key rrset,
size_t  len 
)
static
int rrset_canonical_equal ( struct regional region,
struct ub_packed_rrset_key k1,
struct ub_packed_rrset_key k2 
)
static int rrset_canonical ( struct regional region,
sldns_buffer buf,
struct ub_packed_rrset_key k,
uint8_t *  sig,
size_t  siglen,
struct rbtree_t **  sortree 
)
static

Create canonical form of rrset in the scratch buffer.

Parameters
regiontemporary region.
bufthe buffer to use.
kthe rrset to insert.
sigRRSIG rdata to include.
siglenRRSIG rdata len excluding signature field, but inclusive signer name length.
sortreeif NULL is passed a new sorted rrset tree is built. Otherwise it is reused.
Returns
false on alloc error.

References canonical_sort(), canonical_tree_compare(), canonicalize_rdata(), packed_rrset_data::count, lruhash_entry::data, ub_packed_rrset_key::entry, insert_can_owner(), log_err(), query_dname_tolower(), RBTREE_FOR, rbtree_init(), regional_alloc(), ub_packed_rrset_key::rk, packed_rrset_data::rr_data, packed_rrset_data::rr_len, packed_rrset_key::rrset_class, sldns_buffer_begin(), sldns_buffer_clear(), sldns_buffer_flip(), sldns_buffer_remaining(), sldns_buffer_write(), and packed_rrset_key::type.

Referenced by dnskey_verify_rrset_sig().

enum sec_status dnskey_verify_rrset_sig ( struct regional region,
struct sldns_buffer buf,
struct val_env ve,
time_t  now,
struct ub_packed_rrset_key rrset,
struct ub_packed_rrset_key dnskey,
size_t  dnskey_idx,
size_t  sig_idx,
struct rbtree_t **  sortree,
int *  buf_canon,
char **  reason 
)

verify rrset, with specific dnskey(from set), for a specific rrsig

Parameters
regionscratch region used for temporary allocation.
bufscratch buffer used for canonicalized rrset data.
vevalidator environment, date settings.
nowcurrent time for validation (can be overridden).
rrsetto be validated.
dnskeyDNSKEY rrset, keyset.
dnskey_idxwhich key from the rrset to try.
sig_idxwhich signature to try to validate.
sortreepass NULL at start, the sorted rrset order is returned. pass it again for the same rrset.
buf_canonif true, the buffer is already canonical. pass false at start. pass old value only for same rrset and same signature (but perhaps different key) for reuse.
reasonif bogus, a string returned, fixed or alloced in scratch.
Returns
secure if this key signs this signature. unchecked on error or bogus if it did not validate.

References adjust_ttl(), check_dates(), packed_rrset_key::dname, dname_signame_label_count(), dname_subdomain_c(), dname_valid(), DNSKEY_BIT_ZSK, dnskey_calc_keytag(), dnskey_get_algo(), dnskey_get_flags(), dnskey_get_protocol(), dnskey_get_pubkey(), log_err(), log_nametypeclass(), query_dname_compare(), ub_packed_rrset_key::rk, rrset_canonical(), rrset_get_count(), rrset_get_rdata(), sec_status_bogus, sec_status_secure, sec_status_unchecked, packed_rrset_key::type, VERB_QUERY, verbose(), and verify_canonrrset().

Referenced by dnskey_verify_rrset(), and dnskeyset_verify_rrset_sig().