#include "util/data/packed_rrset.h"
Enumerations | |
enum | val_classification { VAL_CLASS_UNTYPED = 0, VAL_CLASS_UNKNOWN, VAL_CLASS_POSITIVE, VAL_CLASS_CNAME, VAL_CLASS_NODATA, VAL_CLASS_NAMEERROR, VAL_CLASS_CNAMENOANSWER, VAL_CLASS_REFERRAL, VAL_CLASS_ANY } |
Response classifications for the validator. More... | |
Functions | |
enum val_classification | val_classify_response (uint16_t query_flags, struct query_info *origqinf, struct query_info *qinf, struct reply_info *rep, size_t skip) |
Given a response, classify ANSWER responses into a subtype. | |
void | val_find_signer (enum val_classification subtype, struct query_info *qinf, struct reply_info *rep, size_t cname_skip, uint8_t **signer_name, size_t *signer_len) |
Given a response, determine the name of the "signer". | |
enum sec_status | val_verify_rrset (struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *keys) |
Verify RRset with keys. | |
enum sec_status | val_verify_rrset_entry (struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key *rrset, struct key_entry_key *kkey) |
Verify RRset with keys from a keyset. | |
struct key_entry_key * | val_verify_new_DNSKEYs (struct regional *region, struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key *dnskey_rrset, struct ub_packed_rrset_key *ds_rrset) |
Verify new DNSKEYs with DS rrset. | |
int | val_dsset_isusable (struct ub_packed_rrset_key *ds_rrset) |
Determine if DS rrset is usable for validator or not. | |
int | val_rrset_wildcard (struct ub_packed_rrset_key *rrset, uint8_t **wc) |
Determine by looking at a signed RRset whether or not the RRset name was the result of a wildcard expansion. | |
int | val_chase_cname (struct query_info *qchase, struct reply_info *rep, size_t *cname_skip) |
Chase the cname to the next query name. | |
void | val_fill_reply (struct reply_info *chase, struct reply_info *orig, size_t cname_skip, uint8_t *name, size_t len, uint8_t *signer) |
Fill up the chased reply with the content from the original reply; as pointers to those rrsets. | |
void | val_check_nonsecure (struct val_env *ve, struct reply_info *rep) |
Remove all unsigned or non-secure status rrsets from NS and AR sections. | |
void | val_mark_indeterminate (struct reply_info *rep, struct val_anchors *anchors, struct rrset_cache *r, struct module_env *env) |
Mark all unchecked rrset entries not below a trust anchor as indeterminate. | |
void | val_mark_insecure (struct reply_info *rep, struct key_entry_key *kkey, struct rrset_cache *r, struct module_env *env) |
Mark all unchecked rrset entries below a NULL key entry as insecure. | |
size_t | val_next_unchecked (struct reply_info *rep, size_t skip) |
Find next unchecked rrset position, return it for skip. | |
void | val_find_rrset_signer (struct ub_packed_rrset_key *rrset, uint8_t **sname, size_t *slen) |
Find the signer name for an RRset. | |
const char * | val_classification_to_string (enum val_classification subtype) |
Get string to denote the classification result. |
enum val_classification |
Response classifications for the validator.
The different types of proofs.
enum val_classification val_classify_response | ( | uint16_t | query_flags, | |
struct query_info * | origqinf, | |||
struct query_info * | qinf, | |||
struct reply_info * | rep, | |||
size_t | skip | |||
) |
Given a response, classify ANSWER responses into a subtype.
query_flags,: | query flags for the original query. | |
origqinf,: | query info. The original query name. | |
qinf,: | query info. The chased query name. | |
rep,: | response. The original response. | |
skip,: | offset into the original response answer section. |
References reply_info::an_numrrsets, BIT_RD, packed_rrset_key::dname, reply_info::flags, FLAGS_GET_RCODE, log_assert, log_dns_msg(), reply_info::ns_numrrsets, query_info::qname, query_info::qtype, query_dname_compare(), ub_packed_rrset_key::rk, reply_info::rrsets, packed_rrset_key::type, VAL_CLASS_ANY, VAL_CLASS_CNAME, VAL_CLASS_CNAMENOANSWER, VAL_CLASS_NAMEERROR, VAL_CLASS_NODATA, VAL_CLASS_POSITIVE, VAL_CLASS_REFERRAL, and VAL_CLASS_UNKNOWN.
Referenced by ds_response_to_ke(), processFinished(), processInit(), and processValidate().
void val_find_signer | ( | enum val_classification | subtype, | |
struct query_info * | qinf, | |||
struct reply_info * | rep, | |||
size_t | cname_skip, | |||
uint8_t ** | signer_name, | |||
size_t * | signer_len | |||
) |
Given a response, determine the name of the "signer".
This is primarily to determine if the response is, in fact, signed at all, and, if so, what is the name of the most pertinent keyset.
subtype,: | the type from classify. | |
qinf,: | query, the chased query name. | |
rep,: | response to that, original response. | |
cname_skip,: | how many answer rrsets have been skipped due to CNAME chains being chased around. | |
signer_name,: | signer name, if the response is signed (even partially), or null if the response isn't signed. | |
signer_len,: | length of signer_name, or 0 if signer_name is NULL. |
References reply_info::an_numrrsets, packed_rrset_key::dname, reply_info::ns_numrrsets, query_info::qname, query_dname_compare(), ub_packed_rrset_key::rk, reply_info::rrsets, packed_rrset_key::type, VAL_CLASS_ANY, VAL_CLASS_CNAME, VAL_CLASS_CNAMENOANSWER, VAL_CLASS_NAMEERROR, VAL_CLASS_NODATA, VAL_CLASS_POSITIVE, VAL_CLASS_REFERRAL, val_find_best_signer(), val_find_rrset_signer(), VERB_QUERY, and verbose().
Referenced by processInit().
enum sec_status val_verify_rrset | ( | struct module_env * | env, | |
struct val_env * | ve, | |||
struct ub_packed_rrset_key * | rrset, | |||
struct ub_packed_rrset_key * | keys | |||
) |
Verify RRset with keys.
env,: | module environment (scratch buffer) | |
ve,: | validator environment (verification settings) | |
rrset,: | what to verify | |
keys,: | dnskey rrset to verify with. |
References val_env::bogus_lock, val_env::bogus_ttl, packed_rrset_data::count, packed_rrset_key::dname, dnskeyset_verify_rrset(), log_nametypeclass(), module_env::now, val_env::num_rrset_bogus, regional_free_all(), ub_packed_rrset_key::rk, packed_rrset_data::rr_ttl, module_env::rrset_cache, rrset_check_sec_status(), packed_rrset_key::rrset_class, rrset_trust_validated, rrset_update_sec_status(), packed_rrset_data::rrsig_count, module_env::scratch, sec_status_bogus, sec_status_secure, sec_status_to_string(), packed_rrset_data::security, packed_rrset_data::trust, packed_rrset_data::ttl, packed_rrset_key::type, VERB_ALGO, and verbose().
Referenced by primeResponseToKE(), and val_verify_rrset_entry().
enum sec_status val_verify_rrset_entry | ( | struct module_env * | env, | |
struct val_env * | ve, | |||
struct ub_packed_rrset_key * | rrset, | |||
struct key_entry_key * | kkey | |||
) |
Verify RRset with keys from a keyset.
env,: | module environment (scratch buffer) | |
ve,: | validator environment (verification settings) | |
rrset,: | what to verify | |
kkey,: | key_entry to verify with. |
References lruhash_entry::data, packed_rrset_key::dname, packed_rrset_key::dname_len, ub_packed_rrset_key::entry, key_entry_key::entry, packed_rrset_key::flags, lruhash_entry::key, key_entry_key::key_class, key_entry_key::name, key_entry_key::namelen, ub_packed_rrset_key::rk, packed_rrset_key::rrset_class, key_entry_data::rrset_data, key_entry_data::rrset_type, packed_rrset_key::type, and val_verify_rrset().
Referenced by ds_response_to_ke(), val_nsec_prove_nodata_dsreply(), and validate_msg_signatures().
struct key_entry_key* val_verify_new_DNSKEYs | ( | struct regional * | region, | |
struct module_env * | env, | |||
struct val_env * | ve, | |||
struct ub_packed_rrset_key * | dnskey_rrset, | |||
struct ub_packed_rrset_key * | ds_rrset | |||
) | [read] |
Verify new DNSKEYs with DS rrset.
The DS contains hash values that should match the DNSKEY keys. Match the DS to a DNSKEY and verify the DNSKEY rrset with that key.
region,: | where to allocate key entry result. | |
env,: | module environment (scratch buffer) | |
ve,: | validator environment (verification settings) | |
dnskey_rrset,: | DNSKEY rrset to verify | |
ds_rrset,: | DS rrset to verify with. |
References packed_rrset_key::dname, packed_rrset_key::dname_len, ds_digest_algo_is_supported(), ds_get_digest_algo(), ds_key_algo_is_supported(), key_entry_create_bad(), key_entry_create_null(), key_entry_create_rrset(), module_env::now, query_dname_compare(), ub_packed_rrset_key::rk, packed_rrset_key::rrset_class, rrset_get_count(), rrset_get_ttl(), sec_status_secure, VERB_ALGO, VERB_QUERY, verbose(), and verify_dnskeys_with_ds_rr().
Referenced by primeResponseToKE(), and process_dnskey_response().
int val_dsset_isusable | ( | struct ub_packed_rrset_key * | ds_rrset | ) |
Determine if DS rrset is usable for validator or not.
Returns true if the key algorithm and the DS hash algorithm are supported, for at least one RR.
ds_rrset,: | the newly received DS rrset. |
References ds_digest_algo_is_supported(), ds_key_algo_is_supported(), and rrset_get_count().
Referenced by ds_response_to_ke().
int val_rrset_wildcard | ( | struct ub_packed_rrset_key * | rrset, | |
uint8_t ** | wc | |||
) |
Determine by looking at a signed RRset whether or not the RRset name was the result of a wildcard expansion.
If so, return the name of the generating wildcard.
rrset | The rrset to check. | |
wc,: | the wildcard name, if the rrset was synthesized from a wildcard; unchanged if not. The wildcard name, without the leading "*.", is returned. This is a pointer into the rrset owner name. |
References packed_rrset_data::count, packed_rrset_key::dname, dname_count_labels(), packed_rrset_key::dname_len, dname_remove_labels(), ub_packed_rrset_key::rk, packed_rrset_data::rrsig_count, and rrsig_get_labcount().
Referenced by validate_any_response(), validate_cname_response(), and validate_positive_response().
int val_chase_cname | ( | struct query_info * | qchase, | |
struct reply_info * | rep, | |||
size_t * | cname_skip | |||
) |
Chase the cname to the next query name.
qchase,: | the current query name, updated to next target. | |
rep,: | original message reply to look at CNAMEs. | |
cname_skip,: | the skip into the answer section. Updated to skip DNAME and CNAME to the next part of the answer. |
References reply_info::an_numrrsets, get_cname_target(), query_info::qname, query_info::qname_len, query_dname_compare(), ub_packed_rrset_key::rk, reply_info::rrsets, and packed_rrset_key::type.
Referenced by processFinished().
void val_fill_reply | ( | struct reply_info * | chase, | |
struct reply_info * | orig, | |||
size_t | cname_skip, | |||
uint8_t * | name, | |||
size_t | len, | |||
uint8_t * | signer | |||
) |
Fill up the chased reply with the content from the original reply; as pointers to those rrsets.
Select the part after the cname_skip into the answer section, NS and AR sections that are signed with same signer.
chase,: | chased reply, filled up. | |
orig,: | original reply. | |
cname_skip,: | which part of the answer section to skip. The skipped part contains CNAME(and DNAME)s that have been chased. | |
name,: | the signer name to look for. | |
len,: | length of name. | |
signer,: | signer name or NULL if an unsigned RRset is considered. If NULL, rrsets with the lookup name are copied over. |
References reply_info::an_numrrsets, reply_info::ar_numrrsets, packed_rrset_key::dname, reply_info::ns_numrrsets, query_dname_compare(), ub_packed_rrset_key::rk, reply_info::rrset_count, rrset_has_signer(), reply_info::rrsets, and packed_rrset_key::type.
Referenced by processInit().
void val_check_nonsecure | ( | struct val_env * | ve, | |
struct reply_info * | rep | |||
) |
Remove all unsigned or non-secure status rrsets from NS and AR sections.
So that unsigned data does not get passed through to clients when the data has been found to be secure.
ve,: | validator environment with cleaning options. | |
rep,: | reply from which all non-secure rrsets are removed. |
References reply_info::an_numrrsets, reply_info::ar_numrrsets, val_env::clean_additional, lruhash_entry::data, packed_rrset_key::dname, ub_packed_rrset_key::entry, log_nametypeclass(), reply_info::ns_numrrsets, ub_packed_rrset_key::rk, packed_rrset_key::rrset_class, reply_info::rrset_count, reply_info::rrsets, sec_status_bogus, sec_status_secure, reply_info::security, packed_rrset_key::type, and VERB_QUERY.
Referenced by processFinished().
void val_mark_indeterminate | ( | struct reply_info * | rep, | |
struct val_anchors * | anchors, | |||
struct rrset_cache * | r, | |||
struct module_env * | env | |||
) |
Mark all unchecked rrset entries not below a trust anchor as indeterminate.
Only security==unchecked rrsets are updated.
rep,: | the reply with rrsets. | |
anchors,: | the trust anchors. | |
r,: | rrset cache to store updated security status into. | |
env,: | module environment |
References anchors_lookup(), lruhash_entry::data, packed_rrset_key::dname, packed_rrset_key::dname_len, ub_packed_rrset_key::entry, module_env::now, ub_packed_rrset_key::rk, packed_rrset_key::rrset_class, reply_info::rrset_count, rrset_update_sec_status(), reply_info::rrsets, sec_status_indeterminate, sec_status_unchecked, and packed_rrset_data::security.
Referenced by processInit().
void val_mark_insecure | ( | struct reply_info * | rep, | |
struct key_entry_key * | kkey, | |||
struct rrset_cache * | r, | |||
struct module_env * | env | |||
) |
Mark all unchecked rrset entries below a NULL key entry as insecure.
Only security==unchecked rrsets are updated.
rep,: | the reply with rrsets. | |
kkey,: | key entry, for which key_entry_isnull() holds. A key entry that marks the transition from secure space into insecure space. | |
r,: | rrset cache to store updated security status into. | |
env,: | module environment |
References lruhash_entry::data, packed_rrset_key::dname, dname_subdomain_c(), ub_packed_rrset_key::entry, key_entry_isnull(), log_assert, key_entry_key::name, module_env::now, ub_packed_rrset_key::rk, reply_info::rrset_count, rrset_update_sec_status(), reply_info::rrsets, sec_status_insecure, sec_status_unchecked, and packed_rrset_data::security.
Referenced by processInit(), and processValidate().
size_t val_next_unchecked | ( | struct reply_info * | rep, | |
size_t | skip | |||
) |
Find next unchecked rrset position, return it for skip.
rep,: | the original reply to look into. | |
skip,: | the skip now. |
References lruhash_entry::data, ub_packed_rrset_key::entry, reply_info::rrset_count, reply_info::rrsets, sec_status_unchecked, and packed_rrset_data::security.
Referenced by processFinished().
void val_find_rrset_signer | ( | struct ub_packed_rrset_key * | rrset, | |
uint8_t ** | sname, | |||
size_t * | slen | |||
) |
Find the signer name for an RRset.
rrset,: | the rrset. | |
sname,: | signer name is returned or NULL if not signed. | |
slen,: | length of sname (or 0). |
References packed_rrset_data::count, lruhash_entry::data, ub_packed_rrset_key::entry, packed_rrset_data::rr_data, packed_rrset_data::rr_len, packed_rrset_data::rrsig_count, and rrsig_get_signer().
Referenced by reply_nsec_signer(), val_find_signer(), and validate_msg_signatures().
const char* val_classification_to_string | ( | enum val_classification | subtype | ) |
Get string to denote the classification result.
subtype,: | from classification function. |
References VAL_CLASS_ANY, VAL_CLASS_CNAME, VAL_CLASS_CNAMENOANSWER, VAL_CLASS_NAMEERROR, VAL_CLASS_NODATA, VAL_CLASS_POSITIVE, VAL_CLASS_REFERRAL, VAL_CLASS_UNKNOWN, and VAL_CLASS_UNTYPED.
Referenced by ds_response_to_ke(), and processInit().