val_sigcrypt.h File Reference

This file contains helper functions for the validator module. More...

#include "util/data/packed_rrset.h"

Functions

int ds_digest_match_dnskey (struct module_env *env, struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx, struct ub_packed_rrset_key *ds_rrset, size_t ds_idx)
 Check if a DNSKEY RR matches a DS digest. Does not check the DNSKEY keytag (footprint), only the digest.
uint16_t dnskey_calc_keytag (struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx)
 Get dnskey keytag, footprint value.
uint16_t ds_get_keytag (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx)
 Get the DS keytag, the footprint value that must match the keytag of the DNSKEY the DS refers to.
int dnskey_algo_is_supported (struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx)
 See if DNSKEY algorithm is supported.
int ds_digest_algo_is_supported (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx)
 See if DS digest algorithm is supported.
int ds_get_digest_algo (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx)
 Get DS RR digest algorithm.
int ds_key_algo_is_supported (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx)
 See if DS key algorithm is supported.
int ds_get_key_algo (struct ub_packed_rrset_key *k, size_t idx)
 Get DS RR key algorithm.
int dnskey_get_algo (struct ub_packed_rrset_key *k, size_t idx)
 Get DNSKEY RR signature algorithm.
uint16_t dnskey_get_flags (struct ub_packed_rrset_key *k, size_t idx)
 Get DNSKEY RR flags.
enum sec_status dnskeyset_verify_rrset (struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey)
 Verify rrset against dnskey rrset.
enum sec_status dnskey_verify_rrset (struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, size_t dnskey_idx)
 verify rrset against one specific dnskey (from rrset)
enum sec_status dnskeyset_verify_rrset_sig (struct module_env *env, struct val_env *ve, uint32_t now, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, size_t sig_idx, struct rbtree_t **sortree)
 verify rrset, with dnskey rrset, for a specific rrsig in rrset
enum sec_status dnskey_verify_rrset_sig (struct regional *region, ldns_buffer *buf, struct val_env *ve, uint32_t now, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, size_t dnskey_idx, size_t sig_idx, struct rbtree_t **sortree, int *buf_canon)
 verify rrset, with specific dnskey(from set), for a specific rrsig
int canonical_tree_compare (const void *k1, const void *k2)
 canonical compare for two tree entries


Detailed Description

This file contains helper functions for the validator module.

The functions help with signature verification and checking; they bridge between RR wireformat data and the crypto calls.


Function Documentation

int ds_digest_match_dnskey ( struct module_env env,
struct ub_packed_rrset_key dnskey_rrset,
size_t  dnskey_idx,
struct ub_packed_rrset_key ds_rrset,
size_t  ds_idx 
)

Check if a DNSKEY RR matches a DS digest. Does not check the DNSKEY keytag (footprint), only the digest.

Parameters:
env,: module environment. Uses scratch space.
dnskey_rrset,: DNSKEY rrset.
dnskey_idx,: index of RR in rrset.
ds_rrset,: DS rrset
ds_idx,: index of RR in DS rrset.
Returns:
true if the digest matches; false on error, on an unsupported digest algorithm, or when there is no match.

References ds_create_dnskey_digest(), ds_digest_size_algo(), ds_get_sigdata(), regional_alloc(), module_env::scratch, VERB_QUERY, and verbose().

Referenced by dstest_entry(), and verify_dnskeys_with_ds_rr().

uint16_t dnskey_calc_keytag ( struct ub_packed_rrset_key dnskey_rrset,
size_t  dnskey_idx 
)

Get dnskey keytag, footprint value.

Parameters:
dnskey_rrset,: DNSKEY rrset.
dnskey_idx,: index of RR in rrset.
Returns:
the keytag, or 0 for a badly formatted DNSKEY. Note that 0 is an in-band sentinel (a well-formed key can also have keytag 0), so callers cannot rely on the return value alone to detect a malformed RR.

References rrset_get_rdata().

Referenced by dnskey_verify_rrset(), dnskey_verify_rrset_sig(), dnskeyset_verify_rrset_sig(), and verify_dnskeys_with_ds_rr().

uint16_t ds_get_keytag ( struct ub_packed_rrset_key ds_rrset,
size_t  ds_idx 
)

Get the DS keytag, the footprint value that must match the keytag of the DNSKEY the DS refers to.

Parameters:
ds_rrset,: DS rrset
ds_idx,: index of RR in DS rrset.
Returns:
the keytag, or 0 for a badly formatted DS. Note that 0 is an in-band sentinel (a well-formed DS can also carry keytag 0), so callers cannot rely on the return value alone to detect a malformed RR.

References rrset_get_rdata().

Referenced by verify_dnskeys_with_ds_rr().

int dnskey_algo_is_supported ( struct ub_packed_rrset_key dnskey_rrset,
size_t  dnskey_idx 
)

See if DNSKEY algorithm is supported.

Parameters:
dnskey_rrset,: DNSKEY rrset.
dnskey_idx,: index of RR in rrset.
Returns:
true if supported.

References dnskey_algo_id_is_supported(), and dnskey_get_algo().

int ds_digest_algo_is_supported ( struct ub_packed_rrset_key ds_rrset,
size_t  ds_idx 
)

See if DS digest algorithm is supported.

Parameters:
ds_rrset,: DS rrset
ds_idx,: index of RR in DS rrset.
Returns:
true if supported.

References ds_digest_size_algo().

Referenced by val_dsset_isusable(), and val_verify_new_DNSKEYs().

int ds_get_digest_algo ( struct ub_packed_rrset_key ds_rrset,
size_t  ds_idx 
)

Get DS RR digest algorithm.

Parameters:
ds_rrset,: DS rrset.
ds_idx,: which DS.
Returns:
algorithm or 0 if DS too short.

References rrset_get_rdata().

Referenced by ds_create_dnskey_digest(), ds_digest_size_algo(), and val_verify_new_DNSKEYs().

int ds_key_algo_is_supported ( struct ub_packed_rrset_key ds_rrset,
size_t  ds_idx 
)

See if DS key algorithm is supported.

Parameters:
ds_rrset,: DS rrset
ds_idx,: index of RR in DS rrset.
Returns:
true if supported.

References dnskey_algo_id_is_supported(), and ds_get_key_algo().

Referenced by val_dsset_isusable(), and val_verify_new_DNSKEYs().

int ds_get_key_algo ( struct ub_packed_rrset_key k,
size_t  idx 
)

Get DS RR key algorithm.

This value must match the algorithm field of the DNSKEY the DS refers to.

Parameters:
k,: DS rrset.
idx,: which DS.
Returns:
algorithm or 0 if DS too short.

References rrset_get_rdata().

Referenced by ds_key_algo_is_supported(), and verify_dnskeys_with_ds_rr().

int dnskey_get_algo ( struct ub_packed_rrset_key k,
size_t  idx 
)

Get DNSKEY RR signature algorithm.

Parameters:
k,: DNSKEY rrset.
idx,: which DNSKEY RR.
Returns:
algorithm or 0 if DNSKEY too short.

References rrset_get_rdata().

Referenced by dnskey_algo_is_supported(), dnskey_verify_rrset(), dnskey_verify_rrset_sig(), dnskeyset_needs(), dnskeyset_verify_rrset_sig(), and verify_dnskeys_with_ds_rr().

uint16_t dnskey_get_flags ( struct ub_packed_rrset_key k,
size_t  idx 
)

Get DNSKEY RR flags.

Parameters:
k,: DNSKEY rrset.
idx,: which DNSKEY RR.
Returns:
flags or 0 if DNSKEY too short.

References rrset_get_rdata().

Referenced by dnskey_verify_rrset_sig().

enum sec_status dnskeyset_verify_rrset ( struct module_env env,
struct val_env ve,
struct ub_packed_rrset_key rrset,
struct ub_packed_rrset_key dnskey 
)

Verify rrset against dnskey rrset.

Parameters:
env,: module environment, scratch space is used.
ve,: validator environment, date settings.
rrset,: to be validated.
dnskey,: DNSKEY rrset, keyset to try.
Returns:
SECURE if at least one key in the set verifies at least one RRSIG. UNCHECKED on allocation errors, unsupported algorithms or malformed data; BOGUS on verification failure (no key in the set verifies any of the signatures).

References dnskeyset_needs(), dnskeyset_verify_rrset_sig(), module_env::now, rrset_get_sig_algo(), rrset_get_sigcount(), sec_status_bogus, sec_status_secure, VERB_ALGO, VERB_QUERY, and verbose().

Referenced by val_verify_rrset(), and verifytest_rrset().

enum sec_status dnskey_verify_rrset ( struct module_env env,
struct val_env ve,
struct ub_packed_rrset_key rrset,
struct ub_packed_rrset_key dnskey,
size_t  dnskey_idx 
)

verify rrset against one specific dnskey (from rrset)

Parameters:
env,: module environment, scratch space is used.
ve,: validator environment, date settings.
rrset,: to be validated.
dnskey,: DNSKEY rrset, keyset.
dnskey_idx,: which key from the rrset to try.
Returns:
SECURE if *this* key verifies any of the signatures on the rrset; UNCHECKED on error; BOGUS on a bad signature.

References dnskey_calc_keytag(), dnskey_get_algo(), dnskey_verify_rrset_sig(), module_env::now, rrset_get_sig_algo(), rrset_get_sig_keytag(), rrset_get_sigcount(), module_env::scratch, module_env::scratch_buffer, sec_status_bogus, sec_status_secure, VERB_ALGO, VERB_QUERY, and verbose().

Referenced by verify_dnskeys_with_ds_rr().

enum sec_status dnskeyset_verify_rrset_sig ( struct module_env env,
struct val_env ve,
uint32_t  now,
struct ub_packed_rrset_key rrset,
struct ub_packed_rrset_key dnskey,
size_t  sig_idx,
struct rbtree_t **  sortree 
)

verify rrset, with dnskey rrset, for a specific rrsig in rrset

Parameters:
env,: module environment, scratch space is used.
ve,: validator environment, date settings.
now,: current time for validation (can be overridden).
rrset,: to be validated.
dnskey,: DNSKEY rrset, keyset to try.
sig_idx,: which signature to try to validate.
sortree,: reused sorted order. Stored in region. Pass NULL at start, and for a new rrset.
Returns:
SECURE if any key in the set verifies *this* signature; BOGUS if no key verifies it; UNCHECKED on error.

References dnskey_calc_keytag(), dnskey_get_algo(), dnskey_verify_rrset_sig(), rrset_get_count(), rrset_get_sig_algo(), rrset_get_sig_keytag(), module_env::scratch, module_env::scratch_buffer, sec_status_bogus, sec_status_secure, VERB_ALGO, VERB_QUERY, and verbose().

Referenced by dnskeyset_verify_rrset().

enum sec_status dnskey_verify_rrset_sig ( struct regional region,
ldns_buffer *  buf,
struct val_env ve,
uint32_t  now,
struct ub_packed_rrset_key rrset,
struct ub_packed_rrset_key dnskey,
size_t  dnskey_idx,
size_t  sig_idx,
struct rbtree_t **  sortree,
int *  buf_canon 
)

verify rrset, with specific dnskey(from set), for a specific rrsig

Parameters:
region,: scratch region used for temporary allocation.
buf,: scratch buffer used for canonicalized rrset data.
ve,: validator environment, date settings.
now,: current time for validation (can be overridden).
rrset,: to be validated.
dnskey,: DNSKEY rrset, keyset.
dnskey_idx,: which key from the rrset to try.
sig_idx,: which signature to try to validate.
sortree,: pass NULL at start, the sorted rrset order is returned. pass it again for the same rrset.
buf_canon,: if true, the buffer already holds the canonical form of the rrset. Pass false at start. Pass the previous value only when reusing it for the same rrset and the same signature (possibly with a different key); the canonical form depends on both, so it must not be reused across rrsets or signatures.
Returns:
SECURE if this key verifies this signature; UNCHECKED on error; BOGUS if the signature did not validate.

References adjust_ttl(), check_dates(), packed_rrset_key::dname, dname_signame_label_count(), dname_subdomain_c(), dname_valid(), DNSKEY_BIT_ZSK, dnskey_calc_keytag(), dnskey_get_algo(), dnskey_get_flags(), dnskey_get_protocol(), dnskey_get_pubkey(), log_err(), log_nametypeclass(), query_dname_compare(), ub_packed_rrset_key::rk, rrset_canonical(), rrset_get_count(), rrset_get_rdata(), sec_status_bogus, sec_status_secure, sec_status_unchecked, packed_rrset_key::type, VERB_QUERY, verbose(), and verify_canonrrset().

Referenced by dnskey_verify_rrset(), and dnskeyset_verify_rrset_sig().

