#include "util/data/packed_rrset.h"
Functions | |
int | ds_digest_match_dnskey (struct module_env *env, struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx, struct ub_packed_rrset_key *ds_rrset, size_t ds_idx) |
Check if dnskey matches a DS digest. Does not check dnskey-keyid footprint, just the digest. | |
uint16_t | dnskey_calc_keytag (struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx) |
Get dnskey keytag, footprint value. | |
uint16_t | ds_get_keytag (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx) |
Get DS keytag, footprint value that matches the DNSKEY keytag it signs. | |
int | dnskey_algo_is_supported (struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx) |
See if DNSKEY algorithm is supported. | |
int | ds_digest_algo_is_supported (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx) |
See if DS digest algorithm is supported. | |
int | ds_get_digest_algo (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx) |
Get DS RR digest algorithm. | |
int | ds_key_algo_is_supported (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx) |
See if DS key algorithm is supported. | |
int | ds_get_key_algo (struct ub_packed_rrset_key *k, size_t idx) |
Get DS RR key algorithm. | |
int | dnskey_get_algo (struct ub_packed_rrset_key *k, size_t idx) |
Get DNSKEY RR signature algorithm. | |
uint16_t | dnskey_get_flags (struct ub_packed_rrset_key *k, size_t idx) |
Get DNSKEY RR flags. | |
enum sec_status | dnskeyset_verify_rrset (struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey) |
Verify rrset against dnskey rrset. | |
enum sec_status | dnskey_verify_rrset (struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, size_t dnskey_idx) |
verify rrset against one specific dnskey (from rrset) | |
enum sec_status | dnskeyset_verify_rrset_sig (struct module_env *env, struct val_env *ve, uint32_t now, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, size_t sig_idx, struct rbtree_t **sortree) |
verify rrset, with dnskey rrset, for a specific rrsig in rrset | |
enum sec_status | dnskey_verify_rrset_sig (struct regional *region, ldns_buffer *buf, struct val_env *ve, uint32_t now, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, size_t dnskey_idx, size_t sig_idx, struct rbtree_t **sortree, int *buf_canon) |
verify rrset, with specific dnskey(from set), for a specific rrsig | |
int | canonical_tree_compare (const void *k1, const void *k2) |
canonical compare for two tree entries |
These functions help with signature verification and checking: they bridge between RR wire-format data and the crypto calls.
int ds_digest_match_dnskey | ( | struct module_env * | env, | |
struct ub_packed_rrset_key * | dnskey_rrset, | |||
size_t | dnskey_idx, | |||
struct ub_packed_rrset_key * | ds_rrset, | |||
size_t | ds_idx | |||
) |
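Check if dnskey matches a DS digest. Does not check the dnskey-keyid footprint (keytag), just the digest; a caller that also needs the keytag and key algorithm to agree has to compare them separately, e.g. with ds_get_keytag(), dnskey_calc_keytag(), ds_get_key_algo() and dnskey_get_algo().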
env,: | module environment. Uses scratch space. | |
dnskey_rrset,: | DNSKEY rrset. | |
dnskey_idx,: | index of RR in rrset. | |
ds_rrset,: | DS rrset | |
ds_idx,: | index of RR in DS rrset. |
References ds_create_dnskey_digest(), ds_digest_size_algo(), ds_get_sigdata(), regional_alloc(), module_env::scratch, VERB_QUERY, and verbose().
Referenced by dstest_entry(), and verify_dnskeys_with_ds_rr().
uint16_t dnskey_calc_keytag | ( | struct ub_packed_rrset_key * | dnskey_rrset, | |
size_t | dnskey_idx | |||
) |
Get dnskey keytag, footprint value.
dnskey_rrset,: | DNSKEY rrset. | |
dnskey_idx,: | index of RR in rrset. |
References rrset_get_rdata().
Referenced by dnskey_verify_rrset(), dnskey_verify_rrset_sig(), dnskeyset_verify_rrset_sig(), and verify_dnskeys_with_ds_rr().
uint16_t ds_get_keytag | ( | struct ub_packed_rrset_key * | ds_rrset, | |
size_t | ds_idx | |||
) |
Get DS keytag, footprint value that matches the DNSKEY keytag it signs.
ds_rrset,: | DS rrset | |
ds_idx,: | index of RR in DS rrset. |
References rrset_get_rdata().
Referenced by verify_dnskeys_with_ds_rr().
int dnskey_algo_is_supported | ( | struct ub_packed_rrset_key * | dnskey_rrset, | |
size_t | dnskey_idx | |||
) |
See if DNSKEY algorithm is supported.
dnskey_rrset,: | DNSKEY rrset. | |
dnskey_idx,: | index of RR in rrset. |
References dnskey_algo_id_is_supported(), and dnskey_get_algo().
int ds_digest_algo_is_supported | ( | struct ub_packed_rrset_key * | ds_rrset, | |
size_t | ds_idx | |||
) |
See if DS digest algorithm is supported.
ds_rrset,: | DS rrset | |
ds_idx,: | index of RR in DS rrset. |
References ds_digest_size_algo().
Referenced by val_dsset_isusable(), and val_verify_new_DNSKEYs().
int ds_get_digest_algo | ( | struct ub_packed_rrset_key * | ds_rrset, | |
size_t | ds_idx | |||
) |
Get DS RR digest algorithm.
ds_rrset,: | DS rrset. | |
ds_idx,: | which DS. |
References rrset_get_rdata().
Referenced by ds_create_dnskey_digest(), ds_digest_size_algo(), and val_verify_new_DNSKEYs().
int ds_key_algo_is_supported | ( | struct ub_packed_rrset_key * | ds_rrset, | |
size_t | ds_idx | |||
) |
See if DS key algorithm is supported.
ds_rrset,: | DS rrset | |
ds_idx,: | index of RR in DS rrset. |
References dnskey_algo_id_is_supported(), and ds_get_key_algo().
Referenced by val_dsset_isusable(), and val_verify_new_DNSKEYs().
int ds_get_key_algo | ( | struct ub_packed_rrset_key * | k, | |
size_t | idx | |||
) |
Get DS RR key algorithm.
This value should match the DNSKEY algorithm.
k,: | DS rrset. | |
idx,: | which DS. |
References rrset_get_rdata().
Referenced by ds_key_algo_is_supported(), and verify_dnskeys_with_ds_rr().
int dnskey_get_algo | ( | struct ub_packed_rrset_key * | k, | |
size_t | idx | |||
) |
Get DNSKEY RR signature algorithm.
k,: | DNSKEY rrset. | |
idx,: | which DNSKEY RR. |
References rrset_get_rdata().
Referenced by dnskey_algo_is_supported(), dnskey_verify_rrset(), dnskey_verify_rrset_sig(), dnskeyset_needs(), dnskeyset_verify_rrset_sig(), and verify_dnskeys_with_ds_rr().
uint16_t dnskey_get_flags | ( | struct ub_packed_rrset_key * | k, | |
size_t | idx | |||
) |
Get DNSKEY RR flags.
k,: | DNSKEY rrset. | |
idx,: | which DNSKEY RR. |
References rrset_get_rdata().
Referenced by dnskey_verify_rrset_sig().
enum sec_status dnskeyset_verify_rrset | ( | struct module_env * | env, | |
struct val_env * | ve, | |||
struct ub_packed_rrset_key * | rrset, | |||
struct ub_packed_rrset_key * | dnskey | |||
) |
Verify rrset against dnskey rrset.
env,: | module environment, scratch space is used. | |
ve,: | validator environment, date settings. | |
rrset,: | to be validated. | |
dnskey,: | DNSKEY rrset, keyset to try. |
References dnskeyset_needs(), dnskeyset_verify_rrset_sig(), module_env::now, rrset_get_sig_algo(), rrset_get_sigcount(), sec_status_bogus, sec_status_secure, VERB_ALGO, VERB_QUERY, and verbose().
Referenced by val_verify_rrset(), and verifytest_rrset().
enum sec_status dnskey_verify_rrset | ( | struct module_env * | env, | |
struct val_env * | ve, | |||
struct ub_packed_rrset_key * | rrset, | |||
struct ub_packed_rrset_key * | dnskey, | |||
size_t | dnskey_idx | |||
) |
Verify rrset against one specific dnskey (from the DNSKEY rrset).
env,: | module environment, scratch space is used. | |
ve,: | validator environment, date settings. | |
rrset,: | to be validated. | |
dnskey,: | DNSKEY rrset, keyset. | |
dnskey_idx,: | which key from the rrset to try. |
References dnskey_calc_keytag(), dnskey_get_algo(), dnskey_verify_rrset_sig(), module_env::now, rrset_get_sig_algo(), rrset_get_sig_keytag(), rrset_get_sigcount(), module_env::scratch, module_env::scratch_buffer, sec_status_bogus, sec_status_secure, VERB_ALGO, VERB_QUERY, and verbose().
Referenced by verify_dnskeys_with_ds_rr().
enum sec_status dnskeyset_verify_rrset_sig | ( | struct module_env * | env, | |
struct val_env * | ve, | |||
uint32_t | now, | |||
struct ub_packed_rrset_key * | rrset, | |||
struct ub_packed_rrset_key * | dnskey, | |||
size_t | sig_idx, | |||
struct rbtree_t ** | sortree | |||
) |
Verify rrset, with dnskey rrset, for a specific rrsig in the rrset.
env,: | module environment, scratch space is used. | |
ve,: | validator environment, date settings. | |
now,: | current time for validation (can be overridden). | |
rrset,: | to be validated. | |
dnskey,: | DNSKEY rrset, keyset to try. | |
sig_idx,: | which signature to try to validate. | |
sortree,: | reused sorted order. Stored in region. Pass NULL at start, and for a new rrset. |
References dnskey_calc_keytag(), dnskey_get_algo(), dnskey_verify_rrset_sig(), rrset_get_count(), rrset_get_sig_algo(), rrset_get_sig_keytag(), module_env::scratch, module_env::scratch_buffer, sec_status_bogus, sec_status_secure, VERB_ALGO, VERB_QUERY, and verbose().
Referenced by dnskeyset_verify_rrset().
enum sec_status dnskey_verify_rrset_sig | ( | struct regional * | region, | |
ldns_buffer * | buf, | |||
struct val_env * | ve, | |||
uint32_t | now, | |||
struct ub_packed_rrset_key * | rrset, | |||
struct ub_packed_rrset_key * | dnskey, | |||
size_t | dnskey_idx, | |||
size_t | sig_idx, | |||
struct rbtree_t ** | sortree, | |||
int * | buf_canon | |||
) |
Verify rrset, with a specific dnskey (from the set), for a specific rrsig.
region,: | scratch region used for temporary allocation. | |
buf,: | scratch buffer used for canonicalized rrset data. | |
ve,: | validator environment, date settings. | |
now,: | current time for validation (can be overridden). | |
rrset,: | to be validated. | |
dnskey,: | DNSKEY rrset, keyset. | |
dnskey_idx,: | which key from the rrset to try. | |
sig_idx,: | which signature to try to validate. | |
sortree,: | Pass NULL at start; the sorted rrset order is returned. Pass it again only for the same rrset. | |
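buf_canon,: | if true, the buffer already holds the canonical data. Pass false at start. Pass the old value only for the same rrset and the same signature (but perhaps a different key) for reuse; for any other rrset or signature the buffer contents are not the data being verified, so pass false again. |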
References adjust_ttl(), check_dates(), packed_rrset_key::dname, dname_signame_label_count(), dname_subdomain_c(), dname_valid(), DNSKEY_BIT_ZSK, dnskey_calc_keytag(), dnskey_get_algo(), dnskey_get_flags(), dnskey_get_protocol(), dnskey_get_pubkey(), log_err(), log_nametypeclass(), query_dname_compare(), ub_packed_rrset_key::rk, rrset_canonical(), rrset_get_count(), rrset_get_rdata(), sec_status_bogus, sec_status_secure, sec_status_unchecked, packed_rrset_key::type, VERB_QUERY, verbose(), and verify_canonrrset().
Referenced by dnskey_verify_rrset(), and dnskeyset_verify_rrset_sig().