#include "config.h"
#include "validator/val_sigcrypt.h"
#include "validator/validator.h"
#include "util/data/msgreply.h"
#include "util/data/msgparse.h"
#include "util/data/dname.h"
#include "util/rbtree.h"
#include "util/module.h"
#include "util/net_help.h"
#include "util/regional.h"
Data Structures | |
struct | canon_rr |
RR entries in a canonical sorted tree of RRs. More... | |
Functions | |
static size_t | rrset_get_count (struct ub_packed_rrset_key *rrset) |
return number of rrs in an rrset | |
static size_t | rrset_get_sigcount (struct ub_packed_rrset_key *k) |
Get RR signature count. | |
static uint16_t | rrset_get_sig_keytag (struct ub_packed_rrset_key *k, size_t sig_idx) |
Get signature keytag value. | |
static int | rrset_get_sig_algo (struct ub_packed_rrset_key *k, size_t sig_idx) |
Get signature signing algorithm value. | |
static void | rrset_get_rdata (struct ub_packed_rrset_key *k, size_t idx, uint8_t **rdata, size_t *len) |
get rdata pointer and size | |
uint16_t | dnskey_get_flags (struct ub_packed_rrset_key *k, size_t idx) |
Get DNSKEY RR flags. | |
static int | dnskey_get_protocol (struct ub_packed_rrset_key *k, size_t idx) |
Get DNSKEY protocol value from rdata. | |
int | dnskey_get_algo (struct ub_packed_rrset_key *k, size_t idx) |
Get DNSKEY RR signature algorithm. | |
static void | dnskey_get_pubkey (struct ub_packed_rrset_key *k, size_t idx, unsigned char **pk, unsigned int *pklen) |
get public key rdata field from a dnskey RR and do some checks | |
int | ds_get_key_algo (struct ub_packed_rrset_key *k, size_t idx) |
Get DS RR key algorithm. | |
static int | ds_get_digest_algo (struct ub_packed_rrset_key *k, size_t idx) |
Get DS RR digest algorithm. | |
uint16_t | ds_get_keytag (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx) |
Get DS keytag, footprint value that matches the DNSKEY keytag it signs. | |
static void | ds_get_sigdata (struct ub_packed_rrset_key *k, size_t idx, uint8_t **digest, size_t *len) |
Return pointer to the digest in a DS RR. | |
static size_t | ds_digest_size_algo (struct ub_packed_rrset_key *k, size_t idx) |
Return size of DS digest according to its hash algorithm. | |
static int | ds_create_dnskey_digest (struct module_env *env, struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx, struct ub_packed_rrset_key *ds_rrset, size_t ds_idx, uint8_t *digest) |
Create a DS digest for a DNSKEY entry. | |
int | ds_digest_match_dnskey (struct module_env *env, struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx, struct ub_packed_rrset_key *ds_rrset, size_t ds_idx) |
Check if dnskey matches a DS digest. Does not check the dnskey keyid footprint, just the digest. | |
int | ds_digest_algo_is_supported (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx) |
See if DS digest algorithm is supported. | |
static int | dnskey_algo_id_is_supported (int id) |
return true if DNSKEY algorithm id is supported | |
int | ds_key_algo_is_supported (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx) |
See if DS key algorithm is supported. | |
uint16_t | dnskey_calc_keytag (struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx) |
Get dnskey keytag, footprint value. | |
int | dnskey_algo_is_supported (struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx) |
See if DNSKEY algorithm is supported. | |
enum sec_status | dnskeyset_verify_rrset (struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey) |
Verify rrset against dnskey rrset. | |
enum sec_status | dnskey_verify_rrset (struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, size_t dnskey_idx) |
verify rrset against one specific dnskey (from rrset) | |
enum sec_status | dnskeyset_verify_rrset_sig (struct module_env *env, struct val_env *ve, uint32_t now, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, size_t sig_idx, struct rbtree_t **sortree) |
verify rrset, with dnskey rrset, for a specific rrsig in rrset | |
static int | canonical_compare_hinfo (struct packed_rrset_data *d, size_t i, size_t j) |
Compare HINFO rrsets. | |
static int | canonical_compare_byfield (struct packed_rrset_data *d, const ldns_rr_descriptor *desc, size_t i, size_t j) |
Compare two RR for canonical order, in a field-style sweep. | |
static int | canonical_compare (struct ub_packed_rrset_key *rrset, size_t i, size_t j) |
Compare two RRs in the same RRset and determine their relative canonical order. | |
int | canonical_tree_compare (const void *k1, const void *k2) |
canonical compare for two tree entries | |
static void | canonical_sort (struct ub_packed_rrset_key *rrset, struct packed_rrset_data *d, rbtree_t *sortree, struct canon_rr *rrs) |
Sort RRs for rrset in canonical order. | |
static void | insert_can_owner (ldns_buffer *buf, struct ub_packed_rrset_key *k, uint8_t *sig, uint8_t **can_owner, size_t *can_owner_len) |
Insert canonical owner name into buffer. | |
static void | lowercase_text_field (uint8_t *p) |
Lowercase a text rdata field in a buffer. | |
static void | canonicalize_rdata (ldns_buffer *buf, struct ub_packed_rrset_key *rrset, size_t len) |
Canonicalize Rdata in buffer. | |
static int | rrset_canonical (struct regional *region, ldns_buffer *buf, struct ub_packed_rrset_key *k, uint8_t *sig, size_t siglen, struct rbtree_t **sortree) |
Create canonical form of rrset in the scratch buffer. | |
static void | sigdate_error (const char *str, int32_t expi, int32_t incep, int32_t now) |
pretty print rrsig error with dates | |
static int | check_dates (struct val_env *ve, uint32_t unow, uint8_t *expi_p, uint8_t *incep_p) |
check rrsig dates | |
static void | adjust_ttl (struct val_env *ve, uint32_t unow, struct ub_packed_rrset_key *rrset, uint8_t *orig_p, uint8_t *expi_p, uint8_t *incep_p) |
adjust rrset TTL for verified rrset, compare to original TTL and expi | |
static void | log_crypto_error (const char *str, unsigned long e) |
Output a libcrypto openssl error to the logfile. | |
static int | setup_dsa_sig (unsigned char **sig, unsigned int *len) |
Setup DSA key digest in DER encoding . | |
static int | setup_key_digest (int algo, EVP_PKEY *evp_key, const EVP_MD **digest_type, unsigned char *key, size_t keylen) |
Setup key and digest for verification. | |
static enum sec_status | verify_canonrrset (ldns_buffer *buf, int algo, unsigned char *sigblock, unsigned int sigblock_len, unsigned char *key, unsigned int keylen) |
Check a canonical sig+rrset and signature against a dnskey. | |
enum sec_status | dnskey_verify_rrset_sig (struct regional *region, ldns_buffer *buf, struct val_env *ve, uint32_t now, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, size_t dnskey_idx, size_t sig_idx, struct rbtree_t **sortree, int *buf_canon) |
verify rrset, with specific dnskey(from set), for a specific rrsig |
These functions help with signature verification and checking: the bridging between RR wireformat data and crypto calls.
static uint16_t rrset_get_sig_keytag | ( | struct ub_packed_rrset_key * | k, | |
size_t | sig_idx | |||
) | [static] |
Get signature keytag value.
k,: | rrset (with signatures) | |
sig_idx,: | signature index. |
References packed_rrset_data::count, lruhash_entry::data, ub_packed_rrset_key::entry, log_assert, packed_rrset_data::rr_data, packed_rrset_data::rr_len, and packed_rrset_data::rrsig_count.
Referenced by dnskey_verify_rrset(), and dnskeyset_verify_rrset_sig().
static int rrset_get_sig_algo | ( | struct ub_packed_rrset_key * | k, | |
size_t | sig_idx | |||
) | [static] |
Get signature signing algorithm value.
k,: | rrset (with signatures) | |
sig_idx,: | signature index. |
References packed_rrset_data::count, lruhash_entry::data, ub_packed_rrset_key::entry, log_assert, packed_rrset_data::rr_data, packed_rrset_data::rr_len, and packed_rrset_data::rrsig_count.
Referenced by dnskey_verify_rrset(), and dnskeyset_verify_rrset_sig().
uint16_t dnskey_get_flags | ( | struct ub_packed_rrset_key * | k, | |
size_t | idx | |||
) |
Get DNSKEY RR flags.
k,: | DNSKEY rrset. | |
idx,: | which DNSKEY RR. |
References rrset_get_rdata().
Referenced by dnskey_verify_rrset_sig().
static int dnskey_get_protocol | ( | struct ub_packed_rrset_key * | k, | |
size_t | idx | |||
) | [static] |
Get DNSKEY protocol value from rdata.
k,: | DNSKEY rrset. | |
idx,: | which key. |
References rrset_get_rdata().
Referenced by dnskey_verify_rrset_sig().
int dnskey_get_algo | ( | struct ub_packed_rrset_key * | k, | |
size_t | idx | |||
) |
Get DNSKEY RR signature algorithm.
k,: | DNSKEY rrset. | |
idx,: | which DNSKEY RR. |
References rrset_get_rdata().
Referenced by dnskey_algo_is_supported(), dnskey_verify_rrset(), dnskey_verify_rrset_sig(), dnskeyset_verify_rrset_sig(), and verify_dnskeys_with_ds_rr().
int ds_get_key_algo | ( | struct ub_packed_rrset_key * | k, | |
size_t | idx | |||
) |
Get DS RR key algorithm.
This value should match with the DNSKEY algo.
k,: | DS rrset. | |
idx,: | which DS. |
References rrset_get_rdata().
Referenced by ds_key_algo_is_supported(), and verify_dnskeys_with_ds_rr().
static int ds_get_digest_algo | ( | struct ub_packed_rrset_key * | k, | |
size_t | idx | |||
) | [static] |
Get DS RR digest algorithm.
k,: | DS rrset. | |
idx,: | which DS. |
References rrset_get_rdata().
Referenced by ds_create_dnskey_digest(), and ds_digest_size_algo().
uint16_t ds_get_keytag | ( | struct ub_packed_rrset_key * | ds_rrset, | |
size_t | ds_idx | |||
) |
Get DS keytag, footprint value that matches the DNSKEY keytag it signs.
ds_rrset,: | DS rrset | |
ds_idx,: | index of RR in DS rrset. |
References rrset_get_rdata().
Referenced by verify_dnskeys_with_ds_rr().
static void ds_get_sigdata | ( | struct ub_packed_rrset_key * | k, | |
size_t | idx, | |||
uint8_t ** | digest, | |||
size_t * | len | |||
) | [static] |
Return pointer to the digest in a DS RR.
k,: | DS rrset. | |
idx,: | which DS. | |
digest,: | digest data is returned. On error, this is NULL. | |
len,: | length of digest is returned. On error, the length is 0. |
References rrset_get_rdata().
Referenced by ds_digest_match_dnskey().
static size_t ds_digest_size_algo | ( | struct ub_packed_rrset_key * | k, | |
size_t | idx | |||
) | [static] |
Return size of DS digest according to its hash algorithm.
k,: | DS rrset. | |
idx,: | which DS. |
References ds_get_digest_algo().
Referenced by ds_digest_algo_is_supported(), and ds_digest_match_dnskey().
static int ds_create_dnskey_digest | ( | struct module_env * | env, | |
struct ub_packed_rrset_key * | dnskey_rrset, | |||
size_t | dnskey_idx, | |||
struct ub_packed_rrset_key * | ds_rrset, | |||
size_t | ds_idx, | |||
uint8_t * | digest | |||
) | [static] |
Create a DS digest for a DNSKEY entry.
env,: | module environment. Uses scratch space. | |
dnskey_rrset,: | DNSKEY rrset. | |
dnskey_idx,: | index of RR in rrset. | |
ds_rrset,: | DS rrset | |
ds_idx,: | index of RR in DS rrset. | |
digest,: | digest is returned in here (must be correctly sized). |
References packed_rrset_key::dname, packed_rrset_key::dname_len, ds_get_digest_algo(), query_dname_tolower(), ub_packed_rrset_key::rk, rrset_get_rdata(), module_env::scratch_buffer, VERB_QUERY, and verbose().
Referenced by ds_digest_match_dnskey().
int ds_digest_match_dnskey | ( | struct module_env * | env, | |
struct ub_packed_rrset_key * | dnskey_rrset, | |||
size_t | dnskey_idx, | |||
struct ub_packed_rrset_key * | ds_rrset, | |||
size_t | ds_idx | |||
) |
Check if dnskey matches a DS digest. Does not check the dnskey keyid footprint, just the digest.
env,: | module environment. Uses scratch space. | |
dnskey_rrset,: | DNSKEY rrset. | |
dnskey_idx,: | index of RR in rrset. | |
ds_rrset,: | DS rrset | |
ds_idx,: | index of RR in DS rrset. |
References ds_create_dnskey_digest(), ds_digest_size_algo(), ds_get_sigdata(), regional_alloc(), module_env::scratch, VERB_QUERY, and verbose().
Referenced by dstest_entry(), and verify_dnskeys_with_ds_rr().
int ds_digest_algo_is_supported | ( | struct ub_packed_rrset_key * | ds_rrset, | |
size_t | ds_idx | |||
) |
See if DS digest algorithm is supported.
ds_rrset,: | DS rrset | |
ds_idx,: | index of RR in DS rrset. |
References ds_digest_size_algo().
Referenced by val_dsset_isusable(), and val_verify_new_DNSKEYs().
int ds_key_algo_is_supported | ( | struct ub_packed_rrset_key * | ds_rrset, | |
size_t | ds_idx | |||
) |
See if DS key algorithm is supported.
ds_rrset,: | DS rrset | |
ds_idx,: | index of RR in DS rrset. |
References dnskey_algo_id_is_supported(), and ds_get_key_algo().
Referenced by val_dsset_isusable(), and val_verify_new_DNSKEYs().
uint16_t dnskey_calc_keytag | ( | struct ub_packed_rrset_key * | dnskey_rrset, | |
size_t | dnskey_idx | |||
) |
Get dnskey keytag, footprint value.
dnskey_rrset,: | DNSKEY rrset. | |
dnskey_idx,: | index of RR in rrset. |
References rrset_get_rdata().
Referenced by dnskey_verify_rrset(), dnskey_verify_rrset_sig(), dnskeyset_verify_rrset_sig(), and verify_dnskeys_with_ds_rr().
int dnskey_algo_is_supported | ( | struct ub_packed_rrset_key * | dnskey_rrset, | |
size_t | dnskey_idx | |||
) |
See if DNSKEY algorithm is supported.
dnskey_rrset,: | DNSKEY rrset. | |
dnskey_idx,: | index of RR in rrset. |
References dnskey_algo_id_is_supported(), and dnskey_get_algo().
enum sec_status dnskeyset_verify_rrset | ( | struct module_env * | env, | |
struct val_env * | ve, | |||
struct ub_packed_rrset_key * | rrset, | |||
struct ub_packed_rrset_key * | dnskey | |||
) |
Verify rrset against dnskey rrset.
env,: | module environment, scratch space is used. | |
ve,: | validator environment, date settings. | |
rrset,: | to be validated. | |
dnskey,: | DNSKEY rrset, keyset to try. |
References dnskeyset_verify_rrset_sig(), module_env::now, rrset_get_sigcount(), sec_status_bogus, sec_status_secure, VERB_ALGO, VERB_QUERY, and verbose().
Referenced by val_verify_rrset(), and verifytest_rrset().
enum sec_status dnskey_verify_rrset | ( | struct module_env * | env, | |
struct val_env * | ve, | |||
struct ub_packed_rrset_key * | rrset, | |||
struct ub_packed_rrset_key * | dnskey, | |||
size_t | dnskey_idx | |||
) |
verify rrset against one specific dnskey (from rrset)
env,: | module environment, scratch space is used. | |
ve,: | validator environment, date settings. | |
rrset,: | to be validated. | |
dnskey,: | DNSKEY rrset, keyset. | |
dnskey_idx,: | which key from the rrset to try. |
References dnskey_calc_keytag(), dnskey_get_algo(), dnskey_verify_rrset_sig(), module_env::now, rrset_get_sig_algo(), rrset_get_sig_keytag(), rrset_get_sigcount(), module_env::scratch, module_env::scratch_buffer, sec_status_bogus, sec_status_secure, VERB_ALGO, VERB_QUERY, and verbose().
Referenced by verify_dnskeys_with_ds_rr().
enum sec_status dnskeyset_verify_rrset_sig | ( | struct module_env * | env, | |
struct val_env * | ve, | |||
uint32_t | now, | |||
struct ub_packed_rrset_key * | rrset, | |||
struct ub_packed_rrset_key * | dnskey, | |||
size_t | sig_idx, | |||
struct rbtree_t ** | sortree | |||
) |
verify rrset, with dnskey rrset, for a specific rrsig in rrset
env,: | module environment, scratch space is used. | |
ve,: | validator environment, date settings. | |
now,: | current time for validation (can be overridden). | |
rrset,: | to be validated. | |
dnskey,: | DNSKEY rrset, keyset to try. | |
sig_idx,: | which signature to try to validate. | |
sortree,: | reused sorted order. Stored in region. Pass NULL at start, and for a new rrset. |
References dnskey_calc_keytag(), dnskey_get_algo(), dnskey_verify_rrset_sig(), rrset_get_count(), rrset_get_sig_algo(), rrset_get_sig_keytag(), module_env::scratch, module_env::scratch_buffer, sec_status_bogus, sec_status_secure, VERB_ALGO, VERB_QUERY, and verbose().
Referenced by dnskeyset_verify_rrset().
static int canonical_compare_hinfo | ( | struct packed_rrset_data * | d, | |
size_t | i, | |||
size_t | j | |||
) | [static] |
Compare HINFO rrsets.
For them, the string length bytes are not lowercased, but the string contents are lowercased.
This routine works for any 'all STR' RR type. It works similarly to the compare_byfield routine, but stripped down, and modified to lowercase STR fields.
d,: | rrset data | |
i,: | first RR to compare | |
j,: | second RR to compare |
References packed_rrset_data::rr_data, and packed_rrset_data::rr_len.
Referenced by canonical_compare().
static int canonical_compare_byfield | ( | struct packed_rrset_data * | d, | |
const ldns_rr_descriptor * | desc, | |||
size_t | i, | |||
size_t | j | |||
) | [static] |
Compare two RR for canonical order, in a field-style sweep.
d,: | rrset data | |
desc,: | ldns wireformat descriptor. | |
i,: | first RR to compare | |
j,: | second RR to compare |
References get_rdf_size(), packed_rrset_data::rr_data, and packed_rrset_data::rr_len.
Referenced by canonical_compare().
static int canonical_compare | ( | struct ub_packed_rrset_key * | rrset, | |
size_t | i, | |||
size_t | j | |||
) | [static] |
Compare two RRs in the same RRset and determine their relative canonical order.
rrset,: | the rrset in which to perform compares. | |
i,: | first RR to compare | |
j,: | second RR to compare |
References canonical_compare_byfield(), canonical_compare_hinfo(), lruhash_entry::data, ub_packed_rrset_key::entry, log_assert, query_dname_compare(), ub_packed_rrset_key::rk, packed_rrset_data::rr_data, packed_rrset_data::rr_len, and packed_rrset_key::type.
Referenced by canonical_tree_compare().
static void canonical_sort | ( | struct ub_packed_rrset_key * | rrset, | |
struct packed_rrset_data * | d, | |||
rbtree_t * | sortree, | |||
struct canon_rr * | rrs | |||
) | [static] |
Sort RRs for rrset in canonical order.
Does not actually canonicalize the RR rdatas. Does not touch rrsigs.
rrset,: | to sort. | |
d,: | rrset data. | |
sortree,: | tree to sort into. | |
rrs,: | rr storage. |
References packed_rrset_data::count, rbnode_t::key, canon_rr::node, rbtree_insert(), canon_rr::rr_idx, and canon_rr::rrset.
Referenced by rrset_canonical().
static void insert_can_owner | ( | ldns_buffer * | buf, | |
struct ub_packed_rrset_key * | k, | |||
uint8_t * | sig, | |||
uint8_t ** | can_owner, | |||
size_t * | can_owner_len | |||
) | [static] |
Insert canonical owner name into buffer.
buf,: | buffer to insert into at current position. | |
k,: | rrset with its owner name. | |
sig,: | signature with signer name and label count. must be length checked, at least 18 bytes long. | |
can_owner,: | position in buffer returned for future use. | |
can_owner_len,: | length of canonical owner name. |
References packed_rrset_key::dname, packed_rrset_key::dname_len, dname_remove_label(), dname_signame_label_count(), log_assert, query_dname_tolower(), and ub_packed_rrset_key::rk.
Referenced by rrset_canonical().
static void lowercase_text_field | ( | uint8_t * | p | ) | [static] |
Lowercase a text rdata field in a buffer.
p,: | pointer to start of text field (length byte). |
Referenced by canonicalize_rdata().
static void canonicalize_rdata | ( | ldns_buffer * | buf, | |
struct ub_packed_rrset_key * | rrset, | |||
size_t | len | |||
) | [static] |
Canonicalize Rdata in buffer.
buf,: | buffer at position just after the rdata. | |
rrset,: | rrset with type. | |
len,: | length of the rdata (including rdatalen uint16). |
References dname_valid(), lowercase_text_field(), query_dname_tolower(), ub_packed_rrset_key::rk, and packed_rrset_key::type.
Referenced by rrset_canonical().
static int rrset_canonical | ( | struct regional * | region, | |
ldns_buffer * | buf, | |||
struct ub_packed_rrset_key * | k, | |||
uint8_t * | sig, | |||
size_t | siglen, | |||
struct rbtree_t ** | sortree | |||
) | [static] |
Create canonical form of rrset in the scratch buffer.
region,: | temporary region. | |
buf,: | the buffer to use. | |
k,: | the rrset to insert. | |
sig,: | RRSIG rdata to include. | |
siglen,: | RRSIG rdata len excluding signature field, but inclusive signer name length. | |
sortree,: | if NULL is passed a new sorted rrset tree is built. Otherwise it is reused. |
References canonical_sort(), canonical_tree_compare(), canonicalize_rdata(), packed_rrset_data::count, lruhash_entry::data, ub_packed_rrset_key::entry, insert_can_owner(), log_err(), query_dname_tolower(), RBTREE_FOR, rbtree_init(), regional_alloc(), ub_packed_rrset_key::rk, packed_rrset_data::rr_data, packed_rrset_data::rr_len, packed_rrset_key::rrset_class, and packed_rrset_key::type.
Referenced by dnskey_verify_rrset_sig().
static void log_crypto_error | ( | const char * | str, | |
unsigned long | e | |||
) | [static] |
Output a libcrypto openssl error to the logfile.
str,: | string to add to it. | |
e,: | the error to output, error number from ERR_get_error(). |
References log_err().
Referenced by verify_canonrrset().
static int setup_dsa_sig | ( | unsigned char ** | sig, | |
unsigned int * | len | |||
) | [static] |
Setup DSA key digest in DER encoding.
sig,: | on input, the signature; on output, an allocated pointer (unless failure). The caller must free the allocated pointer if this routine returns true. | |
len,: | on input, the initial signature length; on output, the resulting length. |
Referenced by verify_canonrrset().
static int setup_key_digest | ( | int | algo, | |
EVP_PKEY * | evp_key, | |||
const EVP_MD ** | digest_type, | |||
unsigned char * | key, | |||
size_t | keylen | |||
) | [static] |
Setup key and digest for verification.
Adjust sig if necessary.
algo,: | key algorithm | |
evp_key,: | EVP PKEY public key to update. | |
digest_type,: | digest type to use | |
key,: | key to setup for. | |
keylen,: | length of key. |
References VERB_QUERY, and verbose().
Referenced by verify_canonrrset().
static enum sec_status verify_canonrrset | ( | ldns_buffer * | buf, | |
int | algo, | |||
unsigned char * | sigblock, | |||
unsigned int | sigblock_len, | |||
unsigned char * | key, | |||
unsigned int | keylen | |||
) | [static] |
Check a canonical sig+rrset and signature against a dnskey.
buf,: | buffer with data to verify, the first rrsig part and the canonicalized rrset. | |
algo,: | DNSKEY algorithm. | |
sigblock,: | signature rdata field from RRSIG | |
sigblock_len,: | length of sigblock data. | |
key,: | public key data from DNSKEY RR. | |
keylen,: | length of keydata. |
References log_crypto_error(), log_err(), sec_status_bogus, sec_status_secure, sec_status_unchecked, setup_dsa_sig(), setup_key_digest(), VERB_QUERY, and verbose().
Referenced by dnskey_verify_rrset_sig().
enum sec_status dnskey_verify_rrset_sig | ( | struct regional * | region, | |
ldns_buffer * | buf, | |||
struct val_env * | ve, | |||
uint32_t | now, | |||
struct ub_packed_rrset_key * | rrset, | |||
struct ub_packed_rrset_key * | dnskey, | |||
size_t | dnskey_idx, | |||
size_t | sig_idx, | |||
struct rbtree_t ** | sortree, | |||
int * | buf_canon | |||
) |
verify rrset, with specific dnskey(from set), for a specific rrsig
region,: | scratch region used for temporary allocation. | |
buf,: | scratch buffer used for canonicalized rrset data. | |
ve,: | validator environment, date settings. | |
now,: | current time for validation (can be overridden). | |
rrset,: | to be validated. | |
dnskey,: | DNSKEY rrset, keyset. | |
dnskey_idx,: | which key from the rrset to try. | |
sig_idx,: | which signature to try to validate. | |
sortree,: | pass NULL at start, the sorted rrset order is returned. pass it again for the same rrset. | |
buf_canon,: | if true, the buffer is already canonical. pass false at start. pass old value only for same rrset and same signature (but perhaps different key) for reuse. |
References adjust_ttl(), check_dates(), packed_rrset_key::dname, dname_signame_label_count(), dname_subdomain_c(), dname_valid(), DNSKEY_BIT_ZSK, dnskey_calc_keytag(), dnskey_get_algo(), dnskey_get_flags(), dnskey_get_protocol(), dnskey_get_pubkey(), log_err(), query_dname_compare(), ub_packed_rrset_key::rk, rrset_canonical(), rrset_get_count(), rrset_get_rdata(), sec_status_bogus, sec_status_secure, sec_status_unchecked, packed_rrset_key::type, VERB_QUERY, verbose(), and verify_canonrrset().
Referenced by dnskey_verify_rrset(), and dnskeyset_verify_rrset_sig().