val_sigcrypt.h File Reference

This file contains helper functions for the validator module. More...

#include "util/data/packed_rrset.h"
#include "sldns/pkthdr.h"
#include "sldns/rrdef.h"

Data Structures

struct  algo_needs
 Storage for algorithm needs. More...
 

Macros

#define ALGO_NEEDS_MAX   256
 number of entries in algorithm needs array
 

Functions

void algo_needs_init_dnskey_add (struct algo_needs *n, struct ub_packed_rrset_key *dnskey, uint8_t *sigalg)
 Initialize algo needs structure, set algos from rrset as needed. More...
 
void algo_needs_init_list (struct algo_needs *n, uint8_t *sigalg)
 Initialize algo needs structure from a signalled algo list. More...
 
void algo_needs_init_ds (struct algo_needs *n, struct ub_packed_rrset_key *ds, int fav_ds_algo, uint8_t *sigalg)
 Initialize algo needs structure, set algos from rrset as needed. More...
 
int algo_needs_set_secure (struct algo_needs *n, uint8_t algo)
 Mark this algorithm as a success, sec_secure, and see if we are done. More...
 
void algo_needs_set_bogus (struct algo_needs *n, uint8_t algo)
 Mark this algorithm a failure, sec_bogus. More...
 
size_t algo_needs_num_missing (struct algo_needs *n)
 See how many algorithms are missing (not bogus or secure, but not processed) More...
 
int algo_needs_missing (struct algo_needs *n)
 See which algo is missing. More...
 
void algo_needs_reason (int alg, char **reason, char *s, char *reasonbuf, size_t reasonlen)
 Format error reason for algorithm missing. More...
 
int ds_digest_match_dnskey (struct module_env *env, struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx, struct ub_packed_rrset_key *ds_rrset, size_t ds_idx)
 Check if dnskey matches a DS digest Does not check dnskey-keyid footprint, just the digest. More...
 
uint16_t dnskey_calc_keytag (struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx)
 Get dnskey keytag, footprint value. More...
 
uint16_t ds_get_keytag (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx)
 Get DS keytag, footprint value that matches the DNSKEY keytag it signs. More...
 
int dnskey_algo_is_supported (struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx)
 See if DNSKEY algorithm is supported. More...
 
int dnskey_size_is_supported (struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx)
 See if the DNSKEY size at that algorithm is supported. More...
 
int dnskeyset_size_is_supported (struct ub_packed_rrset_key *dnskey_rrset)
 See if the DNSKEY size at that algorithm is supported for all the RRs in the DNSKEY RRset. More...
 
int ds_digest_algo_is_supported (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx)
 See if DS digest algorithm is supported. More...
 
int ds_get_digest_algo (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx)
 Get DS RR digest algorithm. More...
 
int ds_key_algo_is_supported (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx)
 See if DS key algorithm is supported. More...
 
int ds_get_key_algo (struct ub_packed_rrset_key *k, size_t idx)
 Get DS RR key algorithm. More...
 
int dnskey_get_algo (struct ub_packed_rrset_key *k, size_t idx)
 Get DNSKEY RR signature algorithm. More...
 
uint16_t dnskey_get_flags (struct ub_packed_rrset_key *k, size_t idx)
 Get DNSKEY RR flags. More...
 
enum sec_status dnskeyset_verify_rrset (struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, uint8_t *sigalg, char **reason, sldns_ede_code *reason_bogus, sldns_pkt_section section, struct module_qstate *qstate, int *verified, char *reasonbuf, size_t reasonlen)
 Verify rrset against dnskey rrset. More...
 
enum sec_status dnskey_verify_rrset (struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, size_t dnskey_idx, char **reason, sldns_ede_code *reason_bogus, sldns_pkt_section section, struct module_qstate *qstate)
 verify rrset against one specific dnskey (from rrset) More...
 
enum sec_status dnskey_verify_rrset_sig (struct regional *region, struct sldns_buffer *buf, struct val_env *ve, time_t now, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, size_t dnskey_idx, size_t sig_idx, struct rbtree_type **sortree, int *buf_canon, char **reason, sldns_ede_code *reason_bogus, sldns_pkt_section section, struct module_qstate *qstate)
 verify rrset, with specific dnskey(from set), for a specific rrsig More...
 
int canonical_tree_compare (const void *k1, const void *k2)
 canonical compare for two tree entries
 
int rrset_canonical_equal (struct regional *region, struct ub_packed_rrset_key *k1, struct ub_packed_rrset_key *k2)
 Compare two rrsets and see if they are the same, canonicalised. More...
 
int rrset_canonicalize_to_buffer (struct regional *region, struct sldns_buffer *buf, struct ub_packed_rrset_key *k)
 Canonicalize an rrset into the buffer. More...
 

Detailed Description

This file contains helper functions for the validator module.

The functions help with signature verification and checking, the bridging between RR wireformat data and crypto calls.

Function Documentation

◆ algo_needs_init_dnskey_add()

void algo_needs_init_dnskey_add ( struct algo_needs n,
struct ub_packed_rrset_key dnskey,
uint8_t *  sigalg 
)

Initialize algo needs structure, set algos from rrset as needed.

Results are added to an existing need structure.

Parameters
nstruct with storage.
dnskeyalgos from this struct set as necessary. DNSKEY set.
sigalgadds to signalled algorithm list too.

References dnskey_algo_id_is_supported(), dnskey_get_algo(), algo_needs::needs, algo_needs::num, and rrset_get_count().

◆ algo_needs_init_list()

void algo_needs_init_list ( struct algo_needs n,
uint8_t *  sigalg 
)

Initialize algo needs structure from a signalled algo list.

Parameters
nstruct with storage.
sigalgsignalled algorithm list, numbers ends with 0.

References ALGO_NEEDS_MAX, dnskey_algo_id_is_supported(), log_assert, algo_needs::needs, and algo_needs::num.

◆ algo_needs_init_ds()

void algo_needs_init_ds ( struct algo_needs n,
struct ub_packed_rrset_key ds,
int  fav_ds_algo,
uint8_t *  sigalg 
)

Initialize algo needs structure, set algos from rrset as needed.

Parameters
nstruct with storage.
dsalgos from this struct set as necessary. DS set.
fav_ds_algofilter to use only this DS algo.
sigalglist of signalled algos, constructed as output, provide size ALGO_NEEDS_MAX+1. list of algonumbers, ends with a zero.

References ALGO_NEEDS_MAX, dnskey_algo_id_is_supported(), ds_get_digest_algo(), ds_get_key_algo(), log_assert, algo_needs::needs, algo_needs::num, and rrset_get_count().

◆ algo_needs_set_secure()

int algo_needs_set_secure ( struct algo_needs n,
uint8_t  algo 
)

Mark this algorithm as a success, sec_secure, and see if we are done.

Parameters
nstorage structure processed.
algothe algorithm processed to be secure.
Returns
if true, processing has finished successfully, we are satisfied.

References algo_needs::needs, and algo_needs::num.

◆ algo_needs_set_bogus()

void algo_needs_set_bogus ( struct algo_needs n,
uint8_t  algo 
)

Mark this algorithm a failure, sec_bogus.

It can later be overridden by a success for this algorithm (with a different signature).

Parameters
nstorage structure processed.
algothe algorithm processed to be bogus.

References algo_needs::needs.

◆ algo_needs_num_missing()

size_t algo_needs_num_missing ( struct algo_needs n)

See how many algorithms are missing (not bogus or secure, but not processed)

Parameters
nstorage structure processed.
Returns
number of algorithms missing after processing.

References algo_needs::num.

◆ algo_needs_missing()

int algo_needs_missing ( struct algo_needs n)

See which algo is missing.

Parameters
nstruct after processing.
Returns
if 0 an algorithm was bogus, if a number, this algorithm was missing. So on 0, report why that was bogus, on number report a missing algorithm. There could be multiple missing, this reports the first one.

References ALGO_NEEDS_MAX, and algo_needs::needs.

◆ algo_needs_reason()

void algo_needs_reason ( int  alg,
char **  reason,
char *  s,
char *  reasonbuf,
size_t  reasonlen 
)

Format error reason for algorithm missing.

Parameters
algDNSKEY-algorithm missing.
reasondestination.
sstring, appended with 'with algorithm ..'.
reasonbufbuffer to use for fail reason string print.
reasonlenlength of reasonbuf.

References sldns_algorithms, and sldns_lookup_by_id().

◆ ds_digest_match_dnskey()

int ds_digest_match_dnskey ( struct module_env env,
struct ub_packed_rrset_key dnskey_rrset,
size_t  dnskey_idx,
struct ub_packed_rrset_key ds_rrset,
size_t  ds_idx 
)

Check if dnskey matches a DS digest Does not check dnskey-keyid footprint, just the digest.

Parameters
envmodule environment. Uses scratch space.
dnskey_rrsetDNSKEY rrset.
dnskey_idxindex of RR in rrset.
ds_rrsetDS rrset
ds_idxindex of RR in DS rrset.
Returns
true if it matches, false on error, not supported or no match.

References ds_digest_size_algo(), ds_get_digest_algo(), fake_sha1, VERB_QUERY, and verbose().

Referenced by key_matches_a_ds().

◆ dnskey_calc_keytag()

uint16_t dnskey_calc_keytag ( struct ub_packed_rrset_key dnskey_rrset,
size_t  dnskey_idx 
)

Get dnskey keytag, footprint value.

Parameters
dnskey_rrsetDNSKEY rrset.
dnskey_idxindex of RR in rrset.
Returns
the keytag or 0 for badly formatted DNSKEYs.

References rrset_get_rdata(), and sldns_calc_keytag_raw().

Referenced by anchor_list_keytags(), and key_matches_a_ds().

◆ ds_get_keytag()

uint16_t ds_get_keytag ( struct ub_packed_rrset_key ds_rrset,
size_t  ds_idx 
)

Get DS keytag, footprint value that matches the DNSKEY keytag it signs.

Parameters
ds_rrsetDS rrset
ds_idxindex of RR in DS rrset.
Returns
the keytag or 0 for badly formatted DSs.

References rrset_get_rdata().

Referenced by anchor_list_keytags(), and key_matches_a_ds().

◆ dnskey_algo_is_supported()

int dnskey_algo_is_supported ( struct ub_packed_rrset_key dnskey_rrset,
size_t  dnskey_idx 
)

See if DNSKEY algorithm is supported.

Parameters
dnskey_rrsetDNSKEY rrset.
dnskey_idxindex of RR in rrset.
Returns
true if supported.

References dnskey_algo_id_is_supported(), and dnskey_get_algo().

Referenced by anchors_dnskey_unsupported().

◆ dnskey_size_is_supported()

int dnskey_size_is_supported ( struct ub_packed_rrset_key dnskey_rrset,
size_t  dnskey_idx 
)

See if the DNSKEY size at that algorithm is supported.

Parameters
dnskey_rrsetDNSKEY rrset.
dnskey_idxindex of RR in rrset.
Returns
true if supported.

References dnskey_get_algo(), rrset_get_rdata(), and sldns_rr_dnskey_key_size_raw().

Referenced by anchors_dnskey_unsupported(), dnskeyset_size_is_supported(), and key_matches_a_ds().

◆ dnskeyset_size_is_supported()

int dnskeyset_size_is_supported ( struct ub_packed_rrset_key dnskey_rrset)

See if the DNSKEY size at that algorithm is supported for all the RRs in the DNSKEY RRset.

Parameters
dnskey_rrsetDNSKEY rrset.
Returns
true if supported.

References dnskey_size_is_supported(), and rrset_get_count().

◆ ds_digest_algo_is_supported()

int ds_digest_algo_is_supported ( struct ub_packed_rrset_key ds_rrset,
size_t  ds_idx 
)

See if DS digest algorithm is supported.

Parameters
ds_rrsetDS rrset
ds_idxindex of RR in DS rrset.
Returns
true if supported.

References ds_digest_size_algo().

Referenced by anchors_ds_unsupported(), key_matches_a_ds(), val_dsset_isusable(), and val_favorite_ds_algo().

◆ ds_get_digest_algo()

int ds_get_digest_algo ( struct ub_packed_rrset_key ds_rrset,
size_t  ds_idx 
)

Get DS RR digest algorithm.

Parameters
ds_rrsetDS rrset.
ds_idxwhich DS.
Returns
algorithm or 0 if DS too short.

References rrset_get_rdata().

Referenced by algo_needs_init_ds(), ds_create_dnskey_digest(), ds_digest_match_dnskey(), ds_digest_size_algo(), key_matches_a_ds(), val_dsset_isusable(), and val_favorite_ds_algo().

◆ ds_key_algo_is_supported()

int ds_key_algo_is_supported ( struct ub_packed_rrset_key ds_rrset,
size_t  ds_idx 
)

See if DS key algorithm is supported.

Parameters
ds_rrsetDS rrset
ds_idxindex of RR in DS rrset.
Returns
true if supported.

References dnskey_algo_id_is_supported(), and ds_get_key_algo().

Referenced by anchors_ds_unsupported(), key_matches_a_ds(), val_dsset_isusable(), and val_favorite_ds_algo().

◆ ds_get_key_algo()

int ds_get_key_algo ( struct ub_packed_rrset_key k,
size_t  idx 
)

Get DS RR key algorithm.

This value should match with the DNSKEY algo.

Parameters
kDS rrset.
idxwhich DS.
Returns
algorithm or 0 if DS too short.

References rrset_get_rdata().

Referenced by algo_needs_init_ds(), ds_key_algo_is_supported(), key_matches_a_ds(), and val_dsset_isusable().

◆ dnskey_get_algo()

int dnskey_get_algo ( struct ub_packed_rrset_key k,
size_t  idx 
)

Get DNSKEY RR signature algorithm.

Parameters
kDNSKEY rrset.
idxwhich DNSKEY RR.
Returns
algorithm or 0 if DNSKEY too short.

References rrset_get_rdata().

Referenced by algo_needs_init_dnskey_add(), dnskey_algo_is_supported(), dnskey_size_is_supported(), key_matches_a_ds(), and setup_sigalg().

◆ dnskey_get_flags()

uint16_t dnskey_get_flags ( struct ub_packed_rrset_key k,
size_t  idx 
)

Get DNSKEY RR flags.

Parameters
kDNSKEY rrset.
idxwhich DNSKEY RR.
Returns
flags or 0 if DNSKEY too short.

References rrset_get_rdata().

◆ dnskeyset_verify_rrset()

enum sec_status dnskeyset_verify_rrset ( struct module_env env,
struct val_env ve,
struct ub_packed_rrset_key rrset,
struct ub_packed_rrset_key dnskey,
uint8_t *  sigalg,
char **  reason,
sldns_ede_code *  reason_bogus,
sldns_pkt_section  section,
struct module_qstate qstate,
int *  verified,
char *  reasonbuf,
size_t  reasonlen 
)

Verify rrset against dnskey rrset.

Parameters
envmodule environment, scratch space is used.
vevalidator environment, date settings.
rrsetto be validated.
dnskeyDNSKEY rrset, keyset to try.
sigalgif nonNULL provide downgrade protection otherwise one algorithm is enough.
reasonif bogus, a string returned, fixed or alloced in scratch.
reason_bogusEDE (RFC8914) code paired with the reason of failure.
sectionsection of packet where this rrset comes from.
qstateqstate with region.
verifiedif not NULL the number of RRSIG validations is returned.
reasonbufbuffer to use for fail reason string print.
reasonlenlength of reasonbuf.
Returns
SECURE if one key in the set verifies one rrsig. UNCHECKED on allocation errors, unsupported algorithms, malformed data, and BOGUS on verification failures (no keys match any signatures).

Referenced by verifytest_rrset(), and zonemd_dnssec_verify_rrset().

◆ dnskey_verify_rrset()

enum sec_status dnskey_verify_rrset ( struct module_env env,
struct val_env ve,
struct ub_packed_rrset_key rrset,
struct ub_packed_rrset_key dnskey,
size_t  dnskey_idx,
char **  reason,
sldns_ede_code *  reason_bogus,
sldns_pkt_section  section,
struct module_qstate qstate 
)

verify rrset against one specific dnskey (from rrset)

Parameters
envmodule environment, scratch space is used.
vevalidator environment, date settings.
rrsetto be validated.
dnskeyDNSKEY rrset, keyset.
dnskey_idxwhich key from the rrset to try.
reasonif bogus, a string returned, fixed or alloced in scratch.
reason_bogusEDE (RFC8914) code paired with the reason of failure.
sectionsection of packet where this rrset comes from.
qstateqstate with region.
Returns
secure if this key signs any of the signatures on rrset. unchecked on error or and bogus on bad signature.

Referenced by rr_is_selfsigned_revoked().

◆ dnskey_verify_rrset_sig()

enum sec_status dnskey_verify_rrset_sig ( struct regional region,
struct sldns_buffer buf,
struct val_env ve,
time_t  now,
struct ub_packed_rrset_key rrset,
struct ub_packed_rrset_key dnskey,
size_t  dnskey_idx,
size_t  sig_idx,
struct rbtree_type **  sortree,
int *  buf_canon,
char **  reason,
sldns_ede_code *  reason_bogus,
sldns_pkt_section  section,
struct module_qstate qstate 
)

verify rrset, with specific dnskey(from set), for a specific rrsig

Parameters
regionscratch region used for temporary allocation.
bufscratch buffer used for canonicalized rrset data.
vevalidator environment, date settings.
nowcurrent time for validation (can be overridden).
rrsetto be validated.
dnskeyDNSKEY rrset, keyset.
dnskey_idxwhich key from the rrset to try.
sig_idxwhich signature to try to validate.
sortreepass NULL at start, the sorted rrset order is returned. pass it again for the same rrset.
buf_canonif true, the buffer is already canonical. pass false at start. pass old value only for same rrset and same signature (but perhaps different key) for reuse.
reasonif bogus, a string returned, fixed or alloced in scratch.
reason_bogusEDE (8914) code paired with the reason of failure.
sectionsection of packet where this rrset comes from.
qstateqstate with region.
Returns
secure if this key signs this signature. unchecked on error or bogus if it did not validate.

◆ rrset_canonical_equal()

◆ rrset_canonicalize_to_buffer()

int rrset_canonicalize_to_buffer ( struct regional region,
struct sldns_buffer buf,
struct ub_packed_rrset_key k 
)