This file contains helper functions for the validator module.
#include "config.h"
#include "validator/val_sigcrypt.h"
#include "validator/validator.h"
#include "util/data/msgreply.h"
#include "util/data/msgparse.h"
#include "util/data/dname.h"
#include "util/rbtree.h"
#include "util/module.h"
#include "util/net_help.h"
#include "util/regional.h"
Data Structures | |
struct | canon_rr |
RR entries in a canonical sorted tree of RRs. | |
Functions | |
static size_t | rrset_get_count (struct ub_packed_rrset_key *rrset) |
return number of rrs in an rrset | |
static size_t | rrset_get_sigcount (struct ub_packed_rrset_key *k) |
Get RR signature count. | |
static uint16_t | rrset_get_sig_keytag (struct ub_packed_rrset_key *k, size_t sig_idx) |
Get signature keytag value. | |
static int | rrset_get_sig_algo (struct ub_packed_rrset_key *k, size_t sig_idx) |
Get signature signing algorithm value. | |
static void | rrset_get_rdata (struct ub_packed_rrset_key *k, size_t idx, uint8_t **rdata, size_t *len) |
get rdata pointer and size | |
uint16_t | dnskey_get_flags (struct ub_packed_rrset_key *k, size_t idx) |
Get DNSKEY RR flags. | |
static int | dnskey_get_protocol (struct ub_packed_rrset_key *k, size_t idx) |
Get DNSKEY protocol value from rdata. | |
int | dnskey_get_algo (struct ub_packed_rrset_key *k, size_t idx) |
Get DNSKEY RR signature algorithm. | |
static void | dnskey_get_pubkey (struct ub_packed_rrset_key *k, size_t idx, unsigned char **pk, unsigned int *pklen) |
get public key rdata field from a dnskey RR and do some checks | |
int | ds_get_key_algo (struct ub_packed_rrset_key *k, size_t idx) |
Get DS RR key algorithm. | |
int | ds_get_digest_algo (struct ub_packed_rrset_key *k, size_t idx) |
Get DS RR digest algorithm. | |
uint16_t | ds_get_keytag (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx) |
Get DS keytag, footprint value that matches the DNSKEY keytag it signs. | |
static void | ds_get_sigdata (struct ub_packed_rrset_key *k, size_t idx, uint8_t **digest, size_t *len) |
Return pointer to the digest in a DS RR. | |
static size_t | ds_digest_size_algo (struct ub_packed_rrset_key *k, size_t idx) |
Return size of DS digest according to its hash algorithm. | |
static int | ds_create_dnskey_digest (struct module_env *env, struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx, struct ub_packed_rrset_key *ds_rrset, size_t ds_idx, uint8_t *digest) |
Create a DS digest for a DNSKEY entry. | |
int | ds_digest_match_dnskey (struct module_env *env, struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx, struct ub_packed_rrset_key *ds_rrset, size_t ds_idx) |
Check if dnskey matches a DS digest. Does not check the dnskey keyid (footprint), just the digest. | |
int | ds_digest_algo_is_supported (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx) |
See if DS digest algorithm is supported. | |
static int | dnskey_algo_id_is_supported (int id) |
return true if DNSKEY algorithm id is supported | |
int | ds_key_algo_is_supported (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx) |
See if DS key algorithm is supported. | |
uint16_t | dnskey_calc_keytag (struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx) |
Get dnskey keytag, footprint value. | |
int | dnskey_algo_is_supported (struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx) |
See if DNSKEY algorithm is supported. | |
static size_t | dnskeyset_needs (struct ub_packed_rrset_key *dnskey, uint8_t needs[]) |
Fillup needed algorithm array for DNSKEY set. | |
static int | any_needed_bogus (uint8_t needs[]) |
see which algo needed | |
enum sec_status | dnskeyset_verify_rrset (struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, char **reason) |
Verify rrset against dnskey rrset. | |
enum sec_status | dnskey_verify_rrset (struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, size_t dnskey_idx, char **reason) |
verify rrset against one specific dnskey (from rrset) | |
enum sec_status | dnskeyset_verify_rrset_sig (struct module_env *env, struct val_env *ve, uint32_t now, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, size_t sig_idx, struct rbtree_t **sortree, char **reason) |
verify rrset, with dnskey rrset, for a specific rrsig in rrset | |
static int | canonical_compare_byfield (struct packed_rrset_data *d, const ldns_rr_descriptor *desc, size_t i, size_t j) |
Compare two RR for canonical order, in a field-style sweep. | |
static int | canonical_compare (struct ub_packed_rrset_key *rrset, size_t i, size_t j) |
Compare two RRs in the same RRset and determine their relative canonical order. | |
int | canonical_tree_compare (const void *k1, const void *k2) |
canonical compare for two tree entries | |
static void | canonical_sort (struct ub_packed_rrset_key *rrset, struct packed_rrset_data *d, rbtree_t *sortree, struct canon_rr *rrs) |
Sort RRs for rrset in canonical order. | |
static void | insert_can_owner (ldns_buffer *buf, struct ub_packed_rrset_key *k, uint8_t *sig, uint8_t **can_owner, size_t *can_owner_len) |
Insert canonical owner name into buffer. | |
static void | canonicalize_rdata (ldns_buffer *buf, struct ub_packed_rrset_key *rrset, size_t len) |
Canonicalize Rdata in buffer. | |
static int | rrset_canonical (struct regional *region, ldns_buffer *buf, struct ub_packed_rrset_key *k, uint8_t *sig, size_t siglen, struct rbtree_t **sortree) |
Create canonical form of rrset in the scratch buffer. | |
static void | sigdate_error (const char *str, int32_t expi, int32_t incep, int32_t now) |
pretty print rrsig error with dates | |
static int | check_dates (struct val_env *ve, uint32_t unow, uint8_t *expi_p, uint8_t *incep_p, char **reason) |
check rrsig dates | |
static void | adjust_ttl (struct val_env *ve, uint32_t unow, struct ub_packed_rrset_key *rrset, uint8_t *orig_p, uint8_t *expi_p, uint8_t *incep_p) |
adjust rrset TTL for verified rrset, compare to original TTL and expi | |
static void | log_crypto_error (const char *str, unsigned long e) |
Output a libcrypto openssl error to the logfile. | |
static int | setup_dsa_sig (unsigned char **sig, unsigned int *len) |
Setup DSA key digest in DER encoding . | |
static int | setup_key_digest (int algo, EVP_PKEY **evp_key, const EVP_MD **digest_type, unsigned char *key, size_t keylen) |
Setup key and digest for verification. | |
static enum sec_status | verify_canonrrset (ldns_buffer *buf, int algo, unsigned char *sigblock, unsigned int sigblock_len, unsigned char *key, unsigned int keylen, char **reason) |
Check a canonical sig+rrset and signature against a dnskey. | |
enum sec_status | dnskey_verify_rrset_sig (struct regional *region, ldns_buffer *buf, struct val_env *ve, uint32_t now, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, size_t dnskey_idx, size_t sig_idx, struct rbtree_t **sortree, int *buf_canon, char **reason) |
verify rrset, with specific dnskey(from set), for a specific rrsig |
This file contains helper functions for the validator module.
The functions help with signature verification and checking, the bridging between RR wireformat data and crypto calls.
static uint16_t rrset_get_sig_keytag | ( | struct ub_packed_rrset_key * | k, | |
size_t | sig_idx | |||
) | [static] |
Get signature keytag value.
k,: | rrset (with signatures) | |
sig_idx,: | signature index. |
References packed_rrset_data::count, lruhash_entry::data, ub_packed_rrset_key::entry, log_assert, packed_rrset_data::rr_data, packed_rrset_data::rr_len, and packed_rrset_data::rrsig_count.
Referenced by dnskey_verify_rrset(), and dnskeyset_verify_rrset_sig().
static int rrset_get_sig_algo | ( | struct ub_packed_rrset_key * | k, | |
size_t | sig_idx | |||
) | [static] |
Get signature signing algorithm value.
k,: | rrset (with signatures) | |
sig_idx,: | signature index. |
References packed_rrset_data::count, lruhash_entry::data, ub_packed_rrset_key::entry, log_assert, packed_rrset_data::rr_data, packed_rrset_data::rr_len, and packed_rrset_data::rrsig_count.
Referenced by dnskey_verify_rrset(), dnskeyset_verify_rrset(), and dnskeyset_verify_rrset_sig().
uint16_t dnskey_get_flags | ( | struct ub_packed_rrset_key * | k, | |
size_t | idx | |||
) |
Get DNSKEY RR flags.
k,: | DNSKEY rrset. | |
idx,: | which DNSKEY RR. |
References rrset_get_rdata().
Referenced by dnskey_verify_rrset_sig().
static int dnskey_get_protocol | ( | struct ub_packed_rrset_key * | k, | |
size_t | idx | |||
) | [static] |
Get DNSKEY protocol value from rdata.
k,: | DNSKEY rrset. | |
idx,: | which key. |
References rrset_get_rdata().
Referenced by dnskey_verify_rrset_sig().
int dnskey_get_algo | ( | struct ub_packed_rrset_key * | k, | |
size_t | idx | |||
) |
Get DNSKEY RR signature algorithm.
k,: | DNSKEY rrset. | |
idx,: | which DNSKEY RR. |
References rrset_get_rdata().
Referenced by dnskey_algo_is_supported(), dnskey_verify_rrset(), dnskey_verify_rrset_sig(), dnskeyset_needs(), dnskeyset_verify_rrset_sig(), key_matches_a_ds(), and verify_dnskeys_with_ds_rr().
int ds_get_key_algo | ( | struct ub_packed_rrset_key * | k, | |
size_t | idx | |||
) |
Get DS RR key algorithm.
This value should match with the DNSKEY algo.
k,: | DS rrset. | |
idx,: | which DS. |
References rrset_get_rdata().
Referenced by ds_key_algo_is_supported(), key_matches_a_ds(), and verify_dnskeys_with_ds_rr().
int ds_get_digest_algo | ( | struct ub_packed_rrset_key * | ds_rrset, | |
size_t | ds_idx | |||
) |
Get DS RR digest algorithm.
ds_rrset,: | DS rrset. | |
ds_idx,: | which DS. |
References rrset_get_rdata().
Referenced by ds_create_dnskey_digest(), ds_digest_size_algo(), key_matches_a_ds(), val_favorite_ds_algo(), and val_verify_DNSKEY_with_DS().
uint16_t ds_get_keytag | ( | struct ub_packed_rrset_key * | ds_rrset, | |
size_t | ds_idx | |||
) |
Get DS keytag, footprint value that matches the DNSKEY keytag it signs.
ds_rrset,: | DS rrset | |
ds_idx,: | index of RR in DS rrset. |
References rrset_get_rdata().
Referenced by key_matches_a_ds(), and verify_dnskeys_with_ds_rr().
static void ds_get_sigdata | ( | struct ub_packed_rrset_key * | k, | |
size_t | idx, | |||
uint8_t ** | digest, | |||
size_t * | len | |||
) | [static] |
Return pointer to the digest in a DS RR.
k,: | DS rrset. | |
idx,: | which DS. | |
digest,: | digest data is returned. on error, this is NULL. | |
len,: | length of digest is returned. on error, the length is 0. |
References rrset_get_rdata().
Referenced by ds_digest_match_dnskey().
static size_t ds_digest_size_algo | ( | struct ub_packed_rrset_key * | k, | |
size_t | idx | |||
) | [static] |
Return size of DS digest according to its hash algorithm.
k,: | DS rrset. | |
idx,: | which DS. |
References ds_get_digest_algo().
Referenced by ds_digest_algo_is_supported(), and ds_digest_match_dnskey().
static int ds_create_dnskey_digest | ( | struct module_env * | env, | |
struct ub_packed_rrset_key * | dnskey_rrset, | |||
size_t | dnskey_idx, | |||
struct ub_packed_rrset_key * | ds_rrset, | |||
size_t | ds_idx, | |||
uint8_t * | digest | |||
) | [static] |
Create a DS digest for a DNSKEY entry.
env,: | module environment. Uses scratch space. | |
dnskey_rrset,: | DNSKEY rrset. | |
dnskey_idx,: | index of RR in rrset. | |
ds_rrset,: | DS rrset | |
ds_idx,: | index of RR in DS rrset. | |
digest,: | digest is returned in here (must be correctly sized). |
References packed_rrset_key::dname, packed_rrset_key::dname_len, ds_get_digest_algo(), query_dname_tolower(), ub_packed_rrset_key::rk, rrset_get_rdata(), module_env::scratch_buffer, VERB_QUERY, and verbose().
Referenced by ds_digest_match_dnskey().
int ds_digest_match_dnskey | ( | struct module_env * | env, | |
struct ub_packed_rrset_key * | dnskey_rrset, | |||
size_t | dnskey_idx, | |||
struct ub_packed_rrset_key * | ds_rrset, | |||
size_t | ds_idx | |||
) |
Check if dnskey matches a DS digest. Does not check the dnskey keyid (footprint), just the digest.
env,: | module environment. Uses scratch space. | |
dnskey_rrset,: | DNSKEY rrset. | |
dnskey_idx,: | index of RR in rrset. | |
ds_rrset,: | DS rrset | |
ds_idx,: | index of RR in DS rrset. |
References ds_create_dnskey_digest(), ds_digest_size_algo(), ds_get_sigdata(), regional_alloc(), module_env::scratch, VERB_QUERY, and verbose().
Referenced by dstest_entry(), key_matches_a_ds(), and verify_dnskeys_with_ds_rr().
int ds_digest_algo_is_supported | ( | struct ub_packed_rrset_key * | ds_rrset, | |
size_t | ds_idx | |||
) |
See if DS digest algorithm is supported.
ds_rrset,: | DS rrset | |
ds_idx,: | index of RR in DS rrset. |
References ds_digest_size_algo().
Referenced by anchors_ds_unsupported(), key_matches_a_ds(), val_dsset_isusable(), val_favorite_ds_algo(), and val_verify_DNSKEY_with_DS().
int ds_key_algo_is_supported | ( | struct ub_packed_rrset_key * | ds_rrset, | |
size_t | ds_idx | |||
) |
See if DS key algorithm is supported.
ds_rrset,: | DS rrset | |
ds_idx,: | index of RR in DS rrset. |
References dnskey_algo_id_is_supported(), and ds_get_key_algo().
Referenced by anchors_ds_unsupported(), key_matches_a_ds(), val_dsset_isusable(), val_favorite_ds_algo(), and val_verify_DNSKEY_with_DS().
uint16_t dnskey_calc_keytag | ( | struct ub_packed_rrset_key * | dnskey_rrset, | |
size_t | dnskey_idx | |||
) |
Get dnskey keytag, footprint value.
dnskey_rrset,: | DNSKEY rrset. | |
dnskey_idx,: | index of RR in rrset. |
References rrset_get_rdata().
Referenced by check_contains_revoked(), dnskey_verify_rrset(), dnskey_verify_rrset_sig(), dnskeyset_verify_rrset_sig(), key_matches_a_ds(), and verify_dnskeys_with_ds_rr().
int dnskey_algo_is_supported | ( | struct ub_packed_rrset_key * | dnskey_rrset, | |
size_t | dnskey_idx | |||
) |
See if DNSKEY algorithm is supported.
dnskey_rrset,: | DNSKEY rrset. | |
dnskey_idx,: | index of RR in rrset. |
References dnskey_algo_id_is_supported(), and dnskey_get_algo().
Referenced by anchors_dnskey_unsupported(), and update_events().
static size_t dnskeyset_needs | ( | struct ub_packed_rrset_key * | dnskey, | |
uint8_t | needs[] | |||
) | [static] |
Fillup needed algorithm array for DNSKEY set.
dnskey,: | the key | |
needs,: | array per algorithm. |
References dnskey_get_algo(), and rrset_get_count().
Referenced by dnskeyset_verify_rrset().
enum sec_status dnskeyset_verify_rrset | ( | struct module_env * | env, | |
struct val_env * | ve, | |||
struct ub_packed_rrset_key * | rrset, | |||
struct ub_packed_rrset_key * | dnskey, | |||
char ** | reason | |||
) |
Verify rrset against dnskey rrset.
env,: | module environment, scratch space is used. | |
ve,: | validator environment, date settings. | |
rrset,: | to be validated. | |
dnskey,: | DNSKEY rrset, keyset to try. | |
reason,: | if bogus, a reason string is returned, either a fixed string or allocated in scratch. |
References any_needed_bogus(), dnskeyset_needs(), dnskeyset_verify_rrset_sig(), module_env::now, regional_strdup(), rrset_get_sig_algo(), rrset_get_sigcount(), module_env::scratch, sec_status_bogus, sec_status_secure, VERB_ALGO, VERB_QUERY, and verbose().
Referenced by val_verify_rrset(), and verifytest_rrset().
enum sec_status dnskey_verify_rrset | ( | struct module_env * | env, | |
struct val_env * | ve, | |||
struct ub_packed_rrset_key * | rrset, | |||
struct ub_packed_rrset_key * | dnskey, | |||
size_t | dnskey_idx, | |||
char ** | reason | |||
) |
verify rrset against one specific dnskey (from rrset)
env,: | module environment, scratch space is used. | |
ve,: | validator environment, date settings. | |
rrset,: | to be validated. | |
dnskey,: | DNSKEY rrset, keyset. | |
dnskey_idx,: | which key from the rrset to try. | |
reason,: | if bogus, a reason string is returned, either a fixed string or allocated in scratch. |
References dnskey_calc_keytag(), dnskey_get_algo(), dnskey_verify_rrset_sig(), module_env::now, rrset_get_sig_algo(), rrset_get_sig_keytag(), rrset_get_sigcount(), module_env::scratch, module_env::scratch_buffer, sec_status_bogus, sec_status_secure, VERB_ALGO, VERB_QUERY, and verbose().
Referenced by key_matches_a_ds(), rr_is_selfsigned_revoked(), and verify_dnskeys_with_ds_rr().
enum sec_status dnskeyset_verify_rrset_sig | ( | struct module_env * | env, | |
struct val_env * | ve, | |||
uint32_t | now, | |||
struct ub_packed_rrset_key * | rrset, | |||
struct ub_packed_rrset_key * | dnskey, | |||
size_t | sig_idx, | |||
struct rbtree_t ** | sortree, | |||
char ** | reason | |||
) |
verify rrset, with dnskey rrset, for a specific rrsig in rrset
env,: | module environment, scratch space is used. | |
ve,: | validator environment, date settings. | |
now,: | current time for validation (can be overridden). | |
rrset,: | to be validated. | |
dnskey,: | DNSKEY rrset, keyset to try. | |
sig_idx,: | which signature to try to validate. | |
sortree,: | reused sorted order. Stored in region. Pass NULL at start, and for a new rrset. | |
reason,: | if bogus, a reason string is returned, either a fixed string or allocated in scratch. |
References dnskey_calc_keytag(), dnskey_get_algo(), dnskey_verify_rrset_sig(), rrset_get_count(), rrset_get_sig_algo(), rrset_get_sig_keytag(), module_env::scratch, module_env::scratch_buffer, sec_status_bogus, sec_status_secure, VERB_ALGO, VERB_QUERY, and verbose().
Referenced by dnskeyset_verify_rrset().
static int canonical_compare_byfield | ( | struct packed_rrset_data * | d, | |
const ldns_rr_descriptor * | desc, | |||
size_t | i, | |||
size_t | j | |||
) | [static] |
Compare two RR for canonical order, in a field-style sweep.
d,: | rrset data | |
desc,: | ldns wireformat descriptor. | |
i,: | first RR to compare | |
j,: | second RR to compare |
References get_rdf_size(), packed_rrset_data::rr_data, and packed_rrset_data::rr_len.
Referenced by canonical_compare().
static int canonical_compare | ( | struct ub_packed_rrset_key * | rrset, | |
size_t | i, | |||
size_t | j | |||
) | [static] |
Compare two RRs in the same RRset and determine their relative canonical order.
rrset,: | the rrset in which to perform compares. | |
i,: | first RR to compare | |
j,: | second RR to compare |
References canonical_compare_byfield(), lruhash_entry::data, ub_packed_rrset_key::entry, log_assert, query_dname_compare(), ub_packed_rrset_key::rk, packed_rrset_data::rr_data, packed_rrset_data::rr_len, and packed_rrset_key::type.
Referenced by canonical_tree_compare().
static void canonical_sort | ( | struct ub_packed_rrset_key * | rrset, | |
struct packed_rrset_data * | d, | |||
rbtree_t * | sortree, | |||
struct canon_rr * | rrs | |||
) | [static] |
Sort RRs for rrset in canonical order.
Does not actually canonicalize the RR rdatas. Does not touch rrsigs.
rrset,: | to sort. | |
d,: | rrset data. | |
sortree,: | tree to sort into. | |
rrs,: | rr storage. |
References packed_rrset_data::count, rbnode_t::key, canon_rr::node, rbtree_insert(), canon_rr::rr_idx, and canon_rr::rrset.
Referenced by rrset_canonical().
static void insert_can_owner | ( | ldns_buffer * | buf, | |
struct ub_packed_rrset_key * | k, | |||
uint8_t * | sig, | |||
uint8_t ** | can_owner, | |||
size_t * | can_owner_len | |||
) | [static] |
Insert canonical owner name into buffer.
buf,: | buffer to insert into at current position. | |
k,: | rrset with its owner name. | |
sig,: | signature with signer name and label count. must be length checked, at least 18 bytes long. | |
can_owner,: | position in buffer returned for future use. | |
can_owner_len,: | length of canonical owner name. |
References packed_rrset_key::dname, packed_rrset_key::dname_len, dname_remove_label(), dname_signame_label_count(), log_assert, query_dname_tolower(), and ub_packed_rrset_key::rk.
Referenced by rrset_canonical().
static void canonicalize_rdata | ( | ldns_buffer * | buf, | |
struct ub_packed_rrset_key * | rrset, | |||
size_t | len | |||
) | [static] |
Canonicalize Rdata in buffer.
buf,: | buffer at position just after the rdata. | |
rrset,: | rrset with type. | |
len,: | length of the rdata (including rdatalen uint16). |
References dname_valid(), query_dname_tolower(), ub_packed_rrset_key::rk, and packed_rrset_key::type.
Referenced by rrset_canonical().
static int rrset_canonical | ( | struct regional * | region, | |
ldns_buffer * | buf, | |||
struct ub_packed_rrset_key * | k, | |||
uint8_t * | sig, | |||
size_t | siglen, | |||
struct rbtree_t ** | sortree | |||
) | [static] |
Create canonical form of rrset in the scratch buffer.
region,: | temporary region. | |
buf,: | the buffer to use. | |
k,: | the rrset to insert. | |
sig,: | RRSIG rdata to include. | |
siglen,: | RRSIG rdata len excluding signature field, but inclusive signer name length. | |
sortree,: | if NULL is passed a new sorted rrset tree is built. Otherwise it is reused. |
References canonical_sort(), canonical_tree_compare(), canonicalize_rdata(), packed_rrset_data::count, lruhash_entry::data, ub_packed_rrset_key::entry, insert_can_owner(), log_err(), query_dname_tolower(), RBTREE_FOR, rbtree_init(), regional_alloc(), ub_packed_rrset_key::rk, packed_rrset_data::rr_data, packed_rrset_data::rr_len, packed_rrset_key::rrset_class, and packed_rrset_key::type.
Referenced by dnskey_verify_rrset_sig().
static void log_crypto_error | ( | const char * | str, | |
unsigned long | e | |||
) | [static] |
Output a libcrypto openssl error to the logfile.
str,: | string to add to it. | |
e,: | the error to output, error number from ERR_get_error(). |
References log_err().
Referenced by verify_canonrrset().
static int setup_dsa_sig | ( | unsigned char ** | sig, | |
unsigned int * | len | |||
) | [static] |
Setup DSA key digest in DER encoding.
sig,: | on input, the signature; on output, an allocated pointer (unless failure). The caller must free the allocated pointer if this routine returns true. | |
len,: | input is the initial signature length, output is the resulting length. |
Referenced by verify_canonrrset().
static int setup_key_digest | ( | int | algo, | |
EVP_PKEY ** | evp_key, | |||
const EVP_MD ** | digest_type, | |||
unsigned char * | key, | |||
size_t | keylen | |||
) | [static] |
Setup key and digest for verification.
Adjust sig if necessary.
algo,: | key algorithm | |
evp_key,: | EVP PKEY public key to create. | |
digest_type,: | digest type to use | |
key,: | key to setup for. | |
keylen,: | length of key. |
References log_err(), sec_status_unchecked, VERB_QUERY, and verbose().
Referenced by verify_canonrrset().
static enum sec_status verify_canonrrset | ( | ldns_buffer * | buf, | |
int | algo, | |||
unsigned char * | sigblock, | |||
unsigned int | sigblock_len, | |||
unsigned char * | key, | |||
unsigned int | keylen, | |||
char ** | reason | |||
) | [static] |
Check a canonical sig+rrset and signature against a dnskey.
buf,: | buffer with data to verify, the first rrsig part and the canonicalized rrset. | |
algo,: | DNSKEY algorithm. | |
sigblock,: | signature rdata field from RRSIG | |
sigblock_len,: | length of sigblock data. | |
key,: | public key data from DNSKEY RR. | |
keylen,: | length of keydata. | |
reason,: | bogus reason in more detail. |
References log_crypto_error(), sec_status_bogus, sec_status_secure, sec_status_unchecked, setup_dsa_sig(), setup_key_digest(), VERB_QUERY, and verbose().
Referenced by dnskey_verify_rrset_sig().
enum sec_status dnskey_verify_rrset_sig | ( | struct regional * | region, | |
ldns_buffer * | buf, | |||
struct val_env * | ve, | |||
uint32_t | now, | |||
struct ub_packed_rrset_key * | rrset, | |||
struct ub_packed_rrset_key * | dnskey, | |||
size_t | dnskey_idx, | |||
size_t | sig_idx, | |||
struct rbtree_t ** | sortree, | |||
int * | buf_canon, | |||
char ** | reason | |||
) |
verify rrset, with specific dnskey(from set), for a specific rrsig
region,: | scratch region used for temporary allocation. | |
buf,: | scratch buffer used for canonicalized rrset data. | |
ve,: | validator environment, date settings. | |
now,: | current time for validation (can be overridden). | |
rrset,: | to be validated. | |
dnskey,: | DNSKEY rrset, keyset. | |
dnskey_idx,: | which key from the rrset to try. | |
sig_idx,: | which signature to try to validate. | |
sortree,: | pass NULL at start, the sorted rrset order is returned. pass it again for the same rrset. | |
buf_canon,: | if true, the buffer is already canonical. Pass false at start. Pass the old value only for the same rrset and the same signature (but perhaps a different key) for reuse. | |
reason,: | if bogus, a reason string is returned, either a fixed string or allocated in scratch. |
References adjust_ttl(), check_dates(), packed_rrset_key::dname, dname_signame_label_count(), dname_subdomain_c(), dname_valid(), DNSKEY_BIT_ZSK, dnskey_calc_keytag(), dnskey_get_algo(), dnskey_get_flags(), dnskey_get_protocol(), dnskey_get_pubkey(), log_err(), log_nametypeclass(), query_dname_compare(), ub_packed_rrset_key::rk, rrset_canonical(), rrset_get_count(), rrset_get_rdata(), sec_status_bogus, sec_status_secure, sec_status_unchecked, packed_rrset_key::type, VERB_QUERY, verbose(), and verify_canonrrset().
Referenced by dnskey_verify_rrset(), and dnskeyset_verify_rrset_sig().