This file contains helper functions for the validator module. More...

#include "util/data/packed_rrset.h"
#include "sldns/pkthdr.h"
#include "sldns/rrdef.h"

Data Structures
struct	algo_needs
	Storage for algorithm needs. More...

Macros
#define	ALGO_NEEDS_MAX 256
	number of entries in algorithm needs array

Functions
void	algo_needs_init_dnskey_add (struct algo_needs n, struct ub_packed_rrset_key dnskey, uint8_t *sigalg)
	Initialize algo needs structure, set algos from rrset as needed. More...

void	algo_needs_init_list (struct algo_needs n, uint8_t sigalg)
	Initialize algo needs structure from a signalled algo list. More...

void	algo_needs_init_ds (struct algo_needs n, struct ub_packed_rrset_key ds, int fav_ds_algo, uint8_t *sigalg)
	Initialize algo needs structure, set algos from rrset as needed. More...

int	algo_needs_set_secure (struct algo_needs *n, uint8_t algo)
	Mark this algorithm as a success, sec_secure, and see if we are done. More...

void	algo_needs_set_bogus (struct algo_needs *n, uint8_t algo)
	Mark this algorithm a failure, sec_bogus. More...

size_t	algo_needs_num_missing (struct algo_needs *n)
	See how many algorithms are missing (not bogus or secure, but not processed) More...

int	algo_needs_missing (struct algo_needs *n)
	See which algo is missing. More...

void	algo_needs_reason (struct module_env env, int alg, char reason, char s)
	Format error reason for algorithm missing. More...

int	ds_digest_match_dnskey (struct module_env env, struct ub_packed_rrset_key dnskey_rrset, size_t dnskey_idx, struct ub_packed_rrset_key *ds_rrset, size_t ds_idx)
	Check if dnskey matches a DS digest Does not check dnskey-keyid footprint, just the digest. More...

uint16_t	dnskey_calc_keytag (struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx)
	Get dnskey keytag, footprint value. More...

uint16_t	ds_get_keytag (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx)
	Get DS keytag, footprint value that matches the DNSKEY keytag it signs. More...

int	dnskey_algo_is_supported (struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx)
	See if DNSKEY algorithm is supported. More...

int	dnskey_size_is_supported (struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx)
	See if the DNSKEY size at that algorithm is supported. More...

int	dnskeyset_size_is_supported (struct ub_packed_rrset_key *dnskey_rrset)
	See if the DNSKEY size at that algorithm is supported for all the RRs in the DNSKEY RRset. More...

int	ds_digest_algo_is_supported (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx)
	See if DS digest algorithm is supported. More...

int	ds_get_digest_algo (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx)
	Get DS RR digest algorithm. More...

int	ds_key_algo_is_supported (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx)
	See if DS key algorithm is supported. More...

int	ds_get_key_algo (struct ub_packed_rrset_key *k, size_t idx)
	Get DS RR key algorithm. More...

int	dnskey_get_algo (struct ub_packed_rrset_key *k, size_t idx)
	Get DNSKEY RR signature algorithm. More...

uint16_t	dnskey_get_flags (struct ub_packed_rrset_key *k, size_t idx)
	Get DNSKEY RR flags. More...

enum sec_status	dnskeyset_verify_rrset (struct module_env env, struct val_env ve, struct ub_packed_rrset_key rrset, struct ub_packed_rrset_key dnskey, uint8_t sigalg, char reason, sldns_ede_code reason_bogus, sldns_pkt_section section, struct module_qstate qstate, int verified)
	Verify rrset against dnskey rrset. More...

enum sec_status	dnskey_verify_rrset (struct module_env env, struct val_env ve, struct ub_packed_rrset_key rrset, struct ub_packed_rrset_key dnskey, size_t dnskey_idx, char *reason, sldns_ede_code reason_bogus, sldns_pkt_section section, struct module_qstate *qstate)
	verify rrset against one specific dnskey (from rrset) More...

enum sec_status	dnskey_verify_rrset_sig (struct regional region, struct sldns_buffer buf, struct val_env ve, time_t now, struct ub_packed_rrset_key rrset, struct ub_packed_rrset_key dnskey, size_t dnskey_idx, size_t sig_idx, struct rbtree_type sortree, int buf_canon, char *reason, sldns_ede_code reason_bogus, sldns_pkt_section section, struct module_qstate *qstate)
	verify rrset, with specific dnskey(from set), for a specific rrsig More...

int	canonical_tree_compare (const void k1, const void k2)
	canonical compare for two tree entries

int	rrset_canonical_equal (struct regional region, struct ub_packed_rrset_key k1, struct ub_packed_rrset_key *k2)
	Compare two rrsets and see if they are the same, canonicalised. More...

int	rrset_canonicalize_to_buffer (struct regional region, struct sldns_buffer buf, struct ub_packed_rrset_key *k)
	Canonicalize an rrset into the buffer. More...

Detailed Description

This file contains helper functions for the validator module.

The functions help with signature verification and checking, the bridging between RR wireformat data and crypto calls.

Function Documentation

◆ algo_needs_init_dnskey_add()

void algo_needs_init_dnskey_add	(	struct algo_needs *	n,
		struct ub_packed_rrset_key *	dnskey,
		uint8_t *	sigalg
	)

Initialize algo needs structure, set algos from rrset as needed.

Results are added to an existing need structure.

Parameters

n	struct with storage.
dnskey	algos from this struct set as necessary. DNSKEY set.
sigalg	adds to signalled algorithm list too.

References dnskey_algo_id_is_supported(), dnskey_get_algo(), algo_needs::needs, algo_needs::num, and rrset_get_count().

◆ algo_needs_init_list()

void algo_needs_init_list	(	struct algo_needs *	n,
		uint8_t *	sigalg
	)

Initialize algo needs structure from a signalled algo list.

Parameters

n	struct with storage.
sigalg	signalled algorithm list, numbers ends with 0.

References ALGO_NEEDS_MAX, dnskey_algo_id_is_supported(), log_assert, algo_needs::needs, and algo_needs::num.

◆ algo_needs_init_ds()

void algo_needs_init_ds	(	struct algo_needs *	n,
		struct ub_packed_rrset_key *	ds,
		int	fav_ds_algo,
		uint8_t *	sigalg
	)

Initialize algo needs structure, set algos from rrset as needed.

Parameters

n	struct with storage.
ds	algos from this struct set as necessary. DS set.
fav_ds_algo	filter to use only this DS algo.
sigalg	list of signalled algos, constructed as output, provide size ALGO_NEEDS_MAX+1. list of algonumbers, ends with a zero.

References ALGO_NEEDS_MAX, dnskey_algo_id_is_supported(), ds_get_digest_algo(), ds_get_key_algo(), log_assert, algo_needs::needs, algo_needs::num, and rrset_get_count().

◆ algo_needs_set_secure()

int algo_needs_set_secure	(	struct algo_needs *	n,
		uint8_t	algo
	)

Mark this algorithm as a success, sec_secure, and see if we are done.

Parameters

n	storage structure processed.
algo	the algorithm processed to be secure.

Returns: if true, processing has finished successfully, we are satisfied.

References algo_needs::needs, and algo_needs::num.

◆ algo_needs_set_bogus()

void algo_needs_set_bogus	(	struct algo_needs *	n,
		uint8_t	algo
	)

Mark this algorithm a failure, sec_bogus.

It can later be overridden by a success for this algorithm (with a different signature).

Parameters

n	storage structure processed.
algo	the algorithm processed to be bogus.

References algo_needs::needs.

◆ algo_needs_num_missing()

size_t algo_needs_num_missing ( struct algo_needs * n )

See how many algorithms are missing (not bogus or secure, but not processed)

Parameters

n	storage structure processed.

Returns: number of algorithms missing after processing.

References algo_needs::num.

◆ algo_needs_missing()

int algo_needs_missing ( struct algo_needs * n )

See which algo is missing.

Parameters

n	struct after processing.

Returns: if 0 an algorithm was bogus, if a number, this algorithm was missing. So on 0, report why that was bogus, on number report a missing algorithm. There could be multiple missing, this reports the first one.

References ALGO_NEEDS_MAX, and algo_needs::needs.

◆ algo_needs_reason()

void algo_needs_reason	(	struct module_env *	env,
		int	alg,
		char **	reason,
		char *	s
	)

Format error reason for algorithm missing.

Parameters

env	module env with scratch for temp storage of string.
alg	DNSKEY-algorithm missing.
reason	destination.
s	string, appended with 'with algorithm ..'.

References regional_strdup(), module_env::scratch, sldns_algorithms, and sldns_lookup_by_id().

◆ ds_digest_match_dnskey()

int ds_digest_match_dnskey	(	struct module_env *	env,
		struct ub_packed_rrset_key *	dnskey_rrset,
		size_t	dnskey_idx,
		struct ub_packed_rrset_key *	ds_rrset,
		size_t	ds_idx
	)

Check if dnskey matches a DS digest Does not check dnskey-keyid footprint, just the digest.

Parameters

env	module environment. Uses scratch space.
dnskey_rrset	DNSKEY rrset.
dnskey_idx	index of RR in rrset.
ds_rrset	DS rrset
ds_idx	index of RR in DS rrset.

Returns: true if it matches, false on error, not supported or no match.

References ds_digest_size_algo(), ds_get_digest_algo(), fake_sha1, VERB_QUERY, and verbose().

Referenced by key_matches_a_ds().

◆ dnskey_calc_keytag()

uint16_t dnskey_calc_keytag	(	struct ub_packed_rrset_key *	dnskey_rrset,
		size_t	dnskey_idx
	)

Get dnskey keytag, footprint value.

Parameters

dnskey_rrset	DNSKEY rrset.
dnskey_idx	index of RR in rrset.

Returns: the keytag or 0 for badly formatted DNSKEYs.

References rrset_get_rdata(), and sldns_calc_keytag_raw().

Referenced by anchor_list_keytags(), and key_matches_a_ds().

◆ ds_get_keytag()

uint16_t ds_get_keytag	(	struct ub_packed_rrset_key *	ds_rrset,
		size_t	ds_idx
	)

Get DS keytag, footprint value that matches the DNSKEY keytag it signs.

Parameters

ds_rrset	DS rrset
ds_idx	index of RR in DS rrset.

Returns: the keytag or 0 for badly formatted DSs.

References rrset_get_rdata().

Referenced by anchor_list_keytags(), and key_matches_a_ds().

◆ dnskey_algo_is_supported()

int dnskey_algo_is_supported	(	struct ub_packed_rrset_key *	dnskey_rrset,
		size_t	dnskey_idx
	)

See if DNSKEY algorithm is supported.

Parameters

dnskey_rrset	DNSKEY rrset.
dnskey_idx	index of RR in rrset.

Returns: true if supported.

References dnskey_algo_id_is_supported(), and dnskey_get_algo().

Referenced by anchors_dnskey_unsupported().

◆ dnskey_size_is_supported()

int dnskey_size_is_supported	(	struct ub_packed_rrset_key *	dnskey_rrset,
		size_t	dnskey_idx
	)

See if the DNSKEY size at that algorithm is supported.

Parameters

dnskey_rrset	DNSKEY rrset.
dnskey_idx	index of RR in rrset.

Returns: true if supported.

References dnskey_get_algo(), rrset_get_rdata(), and sldns_rr_dnskey_key_size_raw().

Referenced by anchors_dnskey_unsupported(), dnskeyset_size_is_supported(), and key_matches_a_ds().

◆ dnskeyset_size_is_supported()

int dnskeyset_size_is_supported ( struct ub_packed_rrset_key * dnskey_rrset )

See if the DNSKEY size at that algorithm is supported for all the RRs in the DNSKEY RRset.

Parameters

dnskey_rrset DNSKEY rrset.

Returns: true if supported.

References dnskey_size_is_supported(), and rrset_get_count().

◆ ds_digest_algo_is_supported()

int ds_digest_algo_is_supported	(	struct ub_packed_rrset_key *	ds_rrset,
		size_t	ds_idx
	)

See if DS digest algorithm is supported.

Parameters

ds_rrset	DS rrset
ds_idx	index of RR in DS rrset.

Returns: true if supported.

References ds_digest_size_algo().

Referenced by anchors_ds_unsupported(), key_matches_a_ds(), val_dsset_isusable(), and val_favorite_ds_algo().

◆ ds_get_digest_algo()

int ds_get_digest_algo	(	struct ub_packed_rrset_key *	ds_rrset,
		size_t	ds_idx
	)

Get DS RR digest algorithm.

Parameters

ds_rrset	DS rrset.
ds_idx	which DS.

Returns: algorithm or 0 if DS too short.

References rrset_get_rdata().

Referenced by algo_needs_init_ds(), ds_create_dnskey_digest(), ds_digest_match_dnskey(), ds_digest_size_algo(), key_matches_a_ds(), val_dsset_isusable(), and val_favorite_ds_algo().

◆ ds_key_algo_is_supported()

int ds_key_algo_is_supported	(	struct ub_packed_rrset_key *	ds_rrset,
		size_t	ds_idx
	)

See if DS key algorithm is supported.

Parameters

ds_rrset	DS rrset
ds_idx	index of RR in DS rrset.

Returns: true if supported.

References dnskey_algo_id_is_supported(), and ds_get_key_algo().

Referenced by anchors_ds_unsupported(), key_matches_a_ds(), val_dsset_isusable(), and val_favorite_ds_algo().

◆ ds_get_key_algo()

int ds_get_key_algo	(	struct ub_packed_rrset_key *	k,
		size_t	idx
	)

Get DS RR key algorithm.

This value should match with the DNSKEY algo.

Parameters

k	DS rrset.
idx	which DS.

Returns: algorithm or 0 if DS too short.

References rrset_get_rdata().

Referenced by algo_needs_init_ds(), ds_key_algo_is_supported(), key_matches_a_ds(), and val_dsset_isusable().

◆ dnskey_get_algo()

int dnskey_get_algo	(	struct ub_packed_rrset_key *	k,
		size_t	idx
	)

Get DNSKEY RR signature algorithm.

Parameters

k	DNSKEY rrset.
idx	which DNSKEY RR.

Returns: algorithm or 0 if DNSKEY too short.

References rrset_get_rdata().

Referenced by algo_needs_init_dnskey_add(), dnskey_algo_is_supported(), dnskey_size_is_supported(), key_matches_a_ds(), and setup_sigalg().

◆ dnskey_get_flags()

uint16_t dnskey_get_flags	(	struct ub_packed_rrset_key *	k,
		size_t	idx
	)

Get DNSKEY RR flags.

Parameters

k	DNSKEY rrset.
idx	which DNSKEY RR.

Returns: flags or 0 if DNSKEY too short.

References rrset_get_rdata().

◆ dnskeyset_verify_rrset()

enum sec_status dnskeyset_verify_rrset	(	struct module_env *	env,
		struct val_env *	ve,
		struct ub_packed_rrset_key *	rrset,
		struct ub_packed_rrset_key *	dnskey,
		uint8_t *	sigalg,
		char **	reason,
		sldns_ede_code *	reason_bogus,
		sldns_pkt_section	section,
		struct module_qstate *	qstate,
		int *	verified
	)

Verify rrset against dnskey rrset.

Parameters

env	module environment, scratch space is used.
ve	validator environment, date settings.
rrset	to be validated.
dnskey	DNSKEY rrset, keyset to try.
sigalg	if nonNULL provide downgrade protection otherwise one algorithm is enough.
reason	if bogus, a string returned, fixed or alloced in scratch.
reason_bogus	EDE (RFC8914) code paired with the reason of failure.
section	section of packet where this rrset comes from.
qstate	qstate with region.
verified	if not NULL the number of RRSIG validations is returned.

Returns: SECURE if one key in the set verifies one rrsig. UNCHECKED on allocation errors, unsupported algorithms, malformed data, and BOGUS on verification failures (no keys match any signatures).

Referenced by verifytest_rrset(), and zonemd_dnssec_verify_rrset().

◆ dnskey_verify_rrset()

enum sec_status dnskey_verify_rrset	(	struct module_env *	env,
		struct val_env *	ve,
		struct ub_packed_rrset_key *	rrset,
		struct ub_packed_rrset_key *	dnskey,
		size_t	dnskey_idx,
		char **	reason,
		sldns_ede_code *	reason_bogus,
		sldns_pkt_section	section,
		struct module_qstate *	qstate
	)

verify rrset against one specific dnskey (from rrset)

Parameters

env	module environment, scratch space is used.
ve	validator environment, date settings.
rrset	to be validated.
dnskey	DNSKEY rrset, keyset.
dnskey_idx	which key from the rrset to try.
reason	if bogus, a string returned, fixed or alloced in scratch.
reason_bogus	EDE (RFC8914) code paired with the reason of failure.
section	section of packet where this rrset comes from.
qstate	qstate with region.

Returns: secure if this key signs any of the signatures on rrset. unchecked on error or and bogus on bad signature.

Referenced by rr_is_selfsigned_revoked().

◆ dnskey_verify_rrset_sig()

enum sec_status dnskey_verify_rrset_sig	(	struct regional *	region,
		struct sldns_buffer *	buf,
		struct val_env *	ve,
		time_t	now,
		struct ub_packed_rrset_key *	rrset,
		struct ub_packed_rrset_key *	dnskey,
		size_t	dnskey_idx,
		size_t	sig_idx,
		struct rbtree_type **	sortree,
		int *	buf_canon,
		char **	reason,
		sldns_ede_code *	reason_bogus,
		sldns_pkt_section	section,
		struct module_qstate *	qstate
	)

verify rrset, with specific dnskey(from set), for a specific rrsig

Parameters

region	scratch region used for temporary allocation.
buf	scratch buffer used for canonicalized rrset data.
ve	validator environment, date settings.
now	current time for validation (can be overridden).
rrset	to be validated.
dnskey	DNSKEY rrset, keyset.
dnskey_idx	which key from the rrset to try.
sig_idx	which signature to try to validate.
sortree	pass NULL at start, the sorted rrset order is returned. pass it again for the same rrset.
buf_canon	if true, the buffer is already canonical. pass false at start. pass old value only for same rrset and same signature (but perhaps different key) for reuse.
reason	if bogus, a string returned, fixed or alloced in scratch.
reason_bogus	EDE (8914) code paired with the reason of failure.
section	section of packet where this rrset comes from.
qstate	qstate with region.

Returns: secure if this key signs this signature. unchecked on error or bogus if it did not validate.

◆ rrset_canonical_equal()

int rrset_canonical_equal	(	struct regional *	region,
		struct ub_packed_rrset_key *	k1,
		struct ub_packed_rrset_key *	k2
	)

Compare two rrsets and see if they are the same, canonicalised.

The rrsets are not altered.

Parameters

region	temporary region.
k1	rrset1
k2	rrset2

Returns: true if equal.

References canonical_compare(), canonical_sort(), canonical_tree_compare(), packed_rrset_data::count, rbtree_type::count, lruhash_entry::data, packed_rrset_key::dname, packed_rrset_key::dname_len, ub_packed_rrset_key::entry, packed_rrset_key::flags, canon_rr::node, query_dname_compare(), rbtree_first(), rbtree_init(), rbtree_next(), RBTREE_NULL, regional_alloc(), ub_packed_rrset_key::rk, RR_COUNT_MAX, packed_rrset_data::rr_data, canon_rr::rr_idx, packed_rrset_data::rr_len, packed_rrset_key::rrset_class, packed_rrset_data::rrsig_count, packed_rrset_data::security, packed_rrset_data::trust, packed_rrset_data::ttl, and packed_rrset_key::type.

Referenced by reply_equal().

◆ rrset_canonicalize_to_buffer()

int rrset_canonicalize_to_buffer	(	struct regional *	region,
		struct sldns_buffer *	buf,
		struct ub_packed_rrset_key *	k
	)

Canonicalize an rrset into the buffer.

For an auth zone record, so this does not use a signature, or the RRSIG TTL or the wildcard label count from the RRSIG.

Parameters

region	temporary region.
buf	the buffer to use.
k	the rrset to insert.

Returns: false on alloc error.

References canonical_sort(), canonical_tree_compare(), canonicalize_rdata(), packed_rrset_data::count, lruhash_entry::data, packed_rrset_key::dname, packed_rrset_key::dname_len, ub_packed_rrset_key::entry, log_err(), query_dname_tolower(), RBTREE_FOR, rbtree_init(), regional_alloc(), ub_packed_rrset_key::rk, RR_COUNT_MAX, packed_rrset_data::rr_data, packed_rrset_data::rr_len, packed_rrset_data::rr_ttl, packed_rrset_key::rrset_class, sldns_buffer_clear(), sldns_buffer_current(), sldns_buffer_flip(), sldns_buffer_remaining(), sldns_buffer_write(), sldns_buffer_write_u32(), and packed_rrset_key::type.

Referenced by zonemd_simple_rrset().

Data Structures

Macros

Functions

Detailed Description

Function Documentation

◆ algo_needs_init_dnskey_add()

◆ algo_needs_init_list()

◆ algo_needs_init_ds()

◆ algo_needs_set_secure()

◆ algo_needs_set_bogus()

◆ algo_needs_num_missing()

◆ algo_needs_missing()

◆ algo_needs_reason()

◆ ds_digest_match_dnskey()

◆ dnskey_calc_keytag()

◆ ds_get_keytag()

◆ dnskey_algo_is_supported()

◆ dnskey_size_is_supported()

◆ dnskeyset_size_is_supported()

◆ ds_digest_algo_is_supported()

◆ ds_get_digest_algo()

◆ ds_key_algo_is_supported()

◆ ds_get_key_algo()

◆ dnskey_get_algo()

◆ dnskey_get_flags()

◆ dnskeyset_verify_rrset()

◆ dnskey_verify_rrset()

◆ dnskey_verify_rrset_sig()

◆ rrset_canonical_equal()

◆ rrset_canonicalize_to_buffer()