val_sigcrypt.c File Reference

This file contains helper functions for the validator module. More...

#include "config.h"
#include "validator/val_sigcrypt.h"
#include "validator/validator.h"
#include "util/data/msgreply.h"
#include "util/data/msgparse.h"
#include "util/data/dname.h"
#include "util/rbtree.h"
#include "util/module.h"
#include "util/net_help.h"
#include "util/regional.h"

Data Structures

struct  canon_rr
 RR entries in a canonical sorted tree of RRs. More...

Functions

static size_t rrset_get_count (struct ub_packed_rrset_key *rrset)
 return number of rrs in an rrset
static size_t rrset_get_sigcount (struct ub_packed_rrset_key *k)
 Get RR signature count.
static uint16_t rrset_get_sig_keytag (struct ub_packed_rrset_key *k, size_t sig_idx)
 Get signature keytag value.
static int rrset_get_sig_algo (struct ub_packed_rrset_key *k, size_t sig_idx)
 Get signature signing algorithm value.
static void rrset_get_rdata (struct ub_packed_rrset_key *k, size_t idx, uint8_t **rdata, size_t *len)
 get rdata pointer and size
uint16_t dnskey_get_flags (struct ub_packed_rrset_key *k, size_t idx)
 Get DNSKEY RR flags.
static int dnskey_get_protocol (struct ub_packed_rrset_key *k, size_t idx)
 Get DNSKEY protocol value from rdata.
int dnskey_get_algo (struct ub_packed_rrset_key *k, size_t idx)
 Get DNSKEY RR signature algorithm.
static void dnskey_get_pubkey (struct ub_packed_rrset_key *k, size_t idx, unsigned char **pk, unsigned int *pklen)
 get public key rdata field from a dnskey RR and do some checks
int ds_get_key_algo (struct ub_packed_rrset_key *k, size_t idx)
 Get DS RR key algorithm.
int ds_get_digest_algo (struct ub_packed_rrset_key *k, size_t idx)
 Get DS RR digest algorithm.
uint16_t ds_get_keytag (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx)
 Get DS keytag, footprint value that matches the DNSKEY keytag it signs.
static void ds_get_sigdata (struct ub_packed_rrset_key *k, size_t idx, uint8_t **digest, size_t *len)
 Return pointer to the digest in a DS RR.
static size_t ds_digest_size_algo (struct ub_packed_rrset_key *k, size_t idx)
 Return size of DS digest according to its hash algorithm.
static int ds_create_dnskey_digest (struct module_env *env, struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx, struct ub_packed_rrset_key *ds_rrset, size_t ds_idx, uint8_t *digest)
 Create a DS digest for a DNSKEY entry.
int ds_digest_match_dnskey (struct module_env *env, struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx, struct ub_packed_rrset_key *ds_rrset, size_t ds_idx)
 Check if dnskey matches a DS digest Does not check dnskey-keyid footprint, just the digest.
int ds_digest_algo_is_supported (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx)
 See if DS digest algorithm is supported.
static int dnskey_algo_id_is_supported (int id)
 return true if DNSKEY algorithm id is supported
int ds_key_algo_is_supported (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx)
 See if DS key algorithm is supported.
uint16_t dnskey_calc_keytag (struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx)
 Get dnskey keytag, footprint value.
int dnskey_algo_is_supported (struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx)
 See if DNSKEY algorithm is supported.
static size_t dnskeyset_needs (struct ub_packed_rrset_key *dnskey, uint8_t needs[])
 Fillup needed algorithm array for DNSKEY set.
enum sec_status dnskeyset_verify_rrset (struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey)
 Verify rrset against dnskey rrset.
enum sec_status dnskey_verify_rrset (struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, size_t dnskey_idx)
 verify rrset against one specific dnskey (from rrset)
enum sec_status dnskeyset_verify_rrset_sig (struct module_env *env, struct val_env *ve, uint32_t now, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, size_t sig_idx, struct rbtree_t **sortree)
 verify rrset, with dnskey rrset, for a specific rrsig in rrset
static int canonical_compare_byfield (struct packed_rrset_data *d, const ldns_rr_descriptor *desc, size_t i, size_t j)
 Compare two RR for canonical order, in a field-style sweep.
static int canonical_compare (struct ub_packed_rrset_key *rrset, size_t i, size_t j)
 Compare two RRs in the same RRset and determine their relative canonical order.
int canonical_tree_compare (const void *k1, const void *k2)
 canonical compare for two tree entries
static void canonical_sort (struct ub_packed_rrset_key *rrset, struct packed_rrset_data *d, rbtree_t *sortree, struct canon_rr *rrs)
 Sort RRs for rrset in canonical order.
static void insert_can_owner (ldns_buffer *buf, struct ub_packed_rrset_key *k, uint8_t *sig, uint8_t **can_owner, size_t *can_owner_len)
 Inser canonical owner name into buffer.
static void canonicalize_rdata (ldns_buffer *buf, struct ub_packed_rrset_key *rrset, size_t len)
 Canonicalize Rdata in buffer.
static int rrset_canonical (struct regional *region, ldns_buffer *buf, struct ub_packed_rrset_key *k, uint8_t *sig, size_t siglen, struct rbtree_t **sortree)
 Create canonical form of rrset in the scratch buffer.
static void sigdate_error (const char *str, int32_t expi, int32_t incep, int32_t now)
 pretty print rrsig error with dates
static int check_dates (struct val_env *ve, uint32_t unow, uint8_t *expi_p, uint8_t *incep_p)
 check rrsig dates
static void adjust_ttl (struct val_env *ve, uint32_t unow, struct ub_packed_rrset_key *rrset, uint8_t *orig_p, uint8_t *expi_p, uint8_t *incep_p)
 adjust rrset TTL for verified rrset, compare to original TTL and expi
static void log_crypto_error (const char *str, unsigned long e)
 Output a libcrypto openssl error to the logfile.
static int setup_dsa_sig (unsigned char **sig, unsigned int *len)
 Setup DSA key digest in DER encoding .
static int setup_key_digest (int algo, EVP_PKEY *evp_key, const EVP_MD **digest_type, unsigned char *key, size_t keylen)
 Setup key and digest for verification.
static enum sec_status verify_canonrrset (ldns_buffer *buf, int algo, unsigned char *sigblock, unsigned int sigblock_len, unsigned char *key, unsigned int keylen)
 Check a canonical sig+rrset and signature against a dnskey.
enum sec_status dnskey_verify_rrset_sig (struct regional *region, ldns_buffer *buf, struct val_env *ve, uint32_t now, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, size_t dnskey_idx, size_t sig_idx, struct rbtree_t **sortree, int *buf_canon)
 verify rrset, with specific dnskey(from set), for a specific rrsig


Detailed Description

This file contains helper functions for the validator module.

The functions help with signature verification and checking, the bridging between RR wireformat data and crypto calls.


Function Documentation

static uint16_t rrset_get_sig_keytag ( struct ub_packed_rrset_key k,
size_t  sig_idx 
) [static]

Get signature keytag value.

Parameters:
k,: rrset (with signatures)
sig_idx,: signature index.
Returns:
keytag or 0 if malformed rrsig.

References packed_rrset_data::count, lruhash_entry::data, ub_packed_rrset_key::entry, log_assert, packed_rrset_data::rr_data, packed_rrset_data::rr_len, and packed_rrset_data::rrsig_count.

Referenced by dnskey_verify_rrset(), and dnskeyset_verify_rrset_sig().

static int rrset_get_sig_algo ( struct ub_packed_rrset_key k,
size_t  sig_idx 
) [static]

Get signature signing algorithm value.

Parameters:
k,: rrset (with signatures)
sig_idx,: signature index.
Returns:
algo or 0 if malformed rrsig.

References packed_rrset_data::count, lruhash_entry::data, ub_packed_rrset_key::entry, log_assert, packed_rrset_data::rr_data, packed_rrset_data::rr_len, and packed_rrset_data::rrsig_count.

Referenced by dnskey_verify_rrset(), dnskeyset_verify_rrset(), and dnskeyset_verify_rrset_sig().

uint16_t dnskey_get_flags ( struct ub_packed_rrset_key k,
size_t  idx 
)

Get DNSKEY RR flags.

Parameters:
k,: DNSKEY rrset.
idx,: which DNSKEY RR.
Returns:
flags or 0 if DNSKEY too short.

References rrset_get_rdata().

Referenced by dnskey_verify_rrset_sig().

static int dnskey_get_protocol ( struct ub_packed_rrset_key k,
size_t  idx 
) [static]

Get DNSKEY protocol value from rdata.

Parameters:
k,: DNSKEY rrset.
idx,: which key.

References rrset_get_rdata().

Referenced by dnskey_verify_rrset_sig().

int dnskey_get_algo ( struct ub_packed_rrset_key k,
size_t  idx 
)

Get DNSKEY RR signature algorithm.

Parameters:
k,: DNSKEY rrset.
idx,: which DNSKEY RR.
Returns:
algorithm or 0 if DNSKEY too short.

References rrset_get_rdata().

Referenced by dnskey_algo_is_supported(), dnskey_verify_rrset(), dnskey_verify_rrset_sig(), dnskeyset_needs(), dnskeyset_verify_rrset_sig(), and verify_dnskeys_with_ds_rr().

int ds_get_key_algo ( struct ub_packed_rrset_key k,
size_t  idx 
)

Get DS RR key algorithm.

This value should match with the DNSKEY algo.

Parameters:
k,: DS rrset.
idx,: which DS.
Returns:
algorithm or 0 if DS too short.

References rrset_get_rdata().

Referenced by ds_key_algo_is_supported(), and verify_dnskeys_with_ds_rr().

int ds_get_digest_algo ( struct ub_packed_rrset_key ds_rrset,
size_t  ds_idx 
)

Get DS RR digest algorithm.

Parameters:
ds_rrset,: DS rrset.
ds_idx,: which DS.
Returns:
algorithm or 0 if DS too short.

References rrset_get_rdata().

Referenced by ds_create_dnskey_digest(), ds_digest_size_algo(), and val_verify_new_DNSKEYs().

uint16_t ds_get_keytag ( struct ub_packed_rrset_key ds_rrset,
size_t  ds_idx 
)

Get DS keytag, footprint value that matches the DNSKEY keytag it signs.

Parameters:
ds_rrset,: DS rrset
ds_idx,: index of RR in DS rrset.
Returns:
the keytag or 0 for badly formatted DSs.

References rrset_get_rdata().

Referenced by verify_dnskeys_with_ds_rr().

static void ds_get_sigdata ( struct ub_packed_rrset_key k,
size_t  idx,
uint8_t **  digest,
size_t *  len 
) [static]

Return pointer to the digest in a DS RR.

Parameters:
k,: DS rrset.
idx,: which DS.
digest,: digest data is returned. on error, this is NULL.
len,: length of digest is returned. on error, the length is 0.

References rrset_get_rdata().

Referenced by ds_digest_match_dnskey().

static size_t ds_digest_size_algo ( struct ub_packed_rrset_key k,
size_t  idx 
) [static]

Return size of DS digest according to its hash algorithm.

Parameters:
k,: DS rrset.
idx,: which DS.
Returns:
size in bytes of digest, or 0 if not supported.

References ds_get_digest_algo().

Referenced by ds_digest_algo_is_supported(), and ds_digest_match_dnskey().

static int ds_create_dnskey_digest ( struct module_env env,
struct ub_packed_rrset_key dnskey_rrset,
size_t  dnskey_idx,
struct ub_packed_rrset_key ds_rrset,
size_t  ds_idx,
uint8_t *  digest 
) [static]

Create a DS digest for a DNSKEY entry.

Parameters:
env,: module environment. Uses scratch space.
dnskey_rrset,: DNSKEY rrset.
dnskey_idx,: index of RR in rrset.
ds_rrset,: DS rrset
ds_idx,: index of RR in DS rrset.
digest,: digest is returned in here (must be correctly sized).
Returns:
false on error.

References packed_rrset_key::dname, packed_rrset_key::dname_len, ds_get_digest_algo(), query_dname_tolower(), ub_packed_rrset_key::rk, rrset_get_rdata(), module_env::scratch_buffer, VERB_QUERY, and verbose().

Referenced by ds_digest_match_dnskey().

int ds_digest_match_dnskey ( struct module_env env,
struct ub_packed_rrset_key dnskey_rrset,
size_t  dnskey_idx,
struct ub_packed_rrset_key ds_rrset,
size_t  ds_idx 
)

Check if dnskey matches a DS digest Does not check dnskey-keyid footprint, just the digest.

Parameters:
env,: module environment. Uses scratch space.
dnskey_rrset,: DNSKEY rrset.
dnskey_idx,: index of RR in rrset.
ds_rrset,: DS rrset
ds_idx,: index of RR in DS rrset.
Returns:
true if it matches, false on error, not supported or no match.

References ds_create_dnskey_digest(), ds_digest_size_algo(), ds_get_sigdata(), regional_alloc(), module_env::scratch, VERB_QUERY, and verbose().

Referenced by dstest_entry(), and verify_dnskeys_with_ds_rr().

int ds_digest_algo_is_supported ( struct ub_packed_rrset_key ds_rrset,
size_t  ds_idx 
)

See if DS digest algorithm is supported.

Parameters:
ds_rrset,: DS rrset
ds_idx,: index of RR in DS rrset.
Returns:
true if supported.

References ds_digest_size_algo().

Referenced by val_dsset_isusable(), and val_verify_new_DNSKEYs().

int ds_key_algo_is_supported ( struct ub_packed_rrset_key ds_rrset,
size_t  ds_idx 
)

See if DS key algorithm is supported.

Parameters:
ds_rrset,: DS rrset
ds_idx,: index of RR in DS rrset.
Returns:
true if supported.

References dnskey_algo_id_is_supported(), and ds_get_key_algo().

Referenced by val_dsset_isusable(), and val_verify_new_DNSKEYs().

uint16_t dnskey_calc_keytag ( struct ub_packed_rrset_key dnskey_rrset,
size_t  dnskey_idx 
)

Get dnskey keytag, footprint value.

Parameters:
dnskey_rrset,: DNSKEY rrset.
dnskey_idx,: index of RR in rrset.
Returns:
the keytag or 0 for badly formatted DNSKEYs.

References rrset_get_rdata().

Referenced by dnskey_verify_rrset(), dnskey_verify_rrset_sig(), dnskeyset_verify_rrset_sig(), and verify_dnskeys_with_ds_rr().

int dnskey_algo_is_supported ( struct ub_packed_rrset_key dnskey_rrset,
size_t  dnskey_idx 
)

See if DNSKEY algorithm is supported.

Parameters:
dnskey_rrset,: DNSKEY rrset.
dnskey_idx,: index of RR in rrset.
Returns:
true if supported.

References dnskey_algo_id_is_supported(), and dnskey_get_algo().

static size_t dnskeyset_needs ( struct ub_packed_rrset_key dnskey,
uint8_t  needs[] 
) [static]

Fillup needed algorithm array for DNSKEY set.

Parameters:
dnskey,: the key
needs,: array per algorithm.
Returns:
the number of algorithms that need valid signatures

References dnskey_get_algo(), and rrset_get_count().

Referenced by dnskeyset_verify_rrset().

enum sec_status dnskeyset_verify_rrset ( struct module_env env,
struct val_env ve,
struct ub_packed_rrset_key rrset,
struct ub_packed_rrset_key dnskey 
)

Verify rrset against dnskey rrset.

Parameters:
env,: module environment, scratch space is used.
ve,: validator environment, date settings.
rrset,: to be validated.
dnskey,: DNSKEY rrset, keyset to try.
Returns:
SECURE if one key in the set verifies one rrsig. UNCHECKED on allocation errors, unsupported algorithms, malformed data, and BOGUS on verification failures (no keys match any signatures).

References dnskeyset_needs(), dnskeyset_verify_rrset_sig(), module_env::now, rrset_get_sig_algo(), rrset_get_sigcount(), sec_status_bogus, sec_status_secure, VERB_ALGO, VERB_QUERY, and verbose().

Referenced by val_verify_rrset(), and verifytest_rrset().

enum sec_status dnskey_verify_rrset ( struct module_env env,
struct val_env ve,
struct ub_packed_rrset_key rrset,
struct ub_packed_rrset_key dnskey,
size_t  dnskey_idx 
)

verify rrset against one specific dnskey (from rrset)

Parameters:
env,: module environment, scratch space is used.
ve,: validator environment, date settings.
rrset,: to be validated.
dnskey,: DNSKEY rrset, keyset.
dnskey_idx,: which key from the rrset to try.
Returns:
secure if *this* key signs any of the signatures on rrset. unchecked on error or and bogus on bad signature.

References dnskey_calc_keytag(), dnskey_get_algo(), dnskey_verify_rrset_sig(), module_env::now, rrset_get_sig_algo(), rrset_get_sig_keytag(), rrset_get_sigcount(), module_env::scratch, module_env::scratch_buffer, sec_status_bogus, sec_status_secure, VERB_ALGO, VERB_QUERY, and verbose().

Referenced by verify_dnskeys_with_ds_rr().

enum sec_status dnskeyset_verify_rrset_sig ( struct module_env env,
struct val_env ve,
uint32_t  now,
struct ub_packed_rrset_key rrset,
struct ub_packed_rrset_key dnskey,
size_t  sig_idx,
struct rbtree_t **  sortree 
)

verify rrset, with dnskey rrset, for a specific rrsig in rrset

Parameters:
env,: module environment, scratch space is used.
ve,: validator environment, date settings.
now,: current time for validation (can be overridden).
rrset,: to be validated.
dnskey,: DNSKEY rrset, keyset to try.
sig_idx,: which signature to try to validate.
sortree,: reused sorted order. Stored in region. Pass NULL at start, and for a new rrset.
Returns:
secure if any key signs *this* signature. bogus if no key signs it, or unchecked on error.

References dnskey_calc_keytag(), dnskey_get_algo(), dnskey_verify_rrset_sig(), rrset_get_count(), rrset_get_sig_algo(), rrset_get_sig_keytag(), module_env::scratch, module_env::scratch_buffer, sec_status_bogus, sec_status_secure, VERB_ALGO, VERB_QUERY, and verbose().

Referenced by dnskeyset_verify_rrset().

static int canonical_compare_byfield ( struct packed_rrset_data d,
const ldns_rr_descriptor *  desc,
size_t  i,
size_t  j 
) [static]

Compare two RR for canonical order, in a field-style sweep.

Parameters:
d,: rrset data
desc,: ldns wireformat descriptor.
i,: first RR to compare
j,: first RR to compare
Returns:
comparison code.

References get_rdf_size(), packed_rrset_data::rr_data, and packed_rrset_data::rr_len.

Referenced by canonical_compare().

static int canonical_compare ( struct ub_packed_rrset_key rrset,
size_t  i,
size_t  j 
) [static]

Compare two RRs in the same RRset and determine their relative canonical order.

Parameters:
rrset,: the rrset in which to perform compares.
i,: first RR to compare
j,: first RR to compare
Returns:
0 if RR i== RR j, -1 if <, +1 if >.

References canonical_compare_byfield(), lruhash_entry::data, ub_packed_rrset_key::entry, log_assert, query_dname_compare(), ub_packed_rrset_key::rk, packed_rrset_data::rr_data, packed_rrset_data::rr_len, and packed_rrset_key::type.

Referenced by canonical_tree_compare().

static void canonical_sort ( struct ub_packed_rrset_key rrset,
struct packed_rrset_data d,
rbtree_t sortree,
struct canon_rr rrs 
) [static]

Sort RRs for rrset in canonical order.

Does not actually canonicalize the RR rdatas. Does not touch rrsigs.

Parameters:
rrset,: to sort.
d,: rrset data.
sortree,: tree to sort into.
rrs,: rr storage.

References packed_rrset_data::count, rbnode_t::key, canon_rr::node, rbtree_insert(), canon_rr::rr_idx, and canon_rr::rrset.

Referenced by rrset_canonical().

static void insert_can_owner ( ldns_buffer *  buf,
struct ub_packed_rrset_key k,
uint8_t *  sig,
uint8_t **  can_owner,
size_t *  can_owner_len 
) [static]

Inser canonical owner name into buffer.

Parameters:
buf,: buffer to insert into at current position.
k,: rrset with its owner name.
sig,: signature with signer name and label count. must be length checked, at least 18 bytes long.
can_owner,: position in buffer returned for future use.
can_owner_len,: length of canonical owner name.

References packed_rrset_key::dname, packed_rrset_key::dname_len, dname_remove_label(), dname_signame_label_count(), log_assert, query_dname_tolower(), and ub_packed_rrset_key::rk.

Referenced by rrset_canonical().

static void canonicalize_rdata ( ldns_buffer *  buf,
struct ub_packed_rrset_key rrset,
size_t  len 
) [static]

Canonicalize Rdata in buffer.

Parameters:
buf,: buffer at position just after the rdata.
rrset,: rrset with type.
len,: length of the rdata (including rdatalen uint16).

References dname_valid(), query_dname_tolower(), ub_packed_rrset_key::rk, and packed_rrset_key::type.

Referenced by rrset_canonical().

static int rrset_canonical ( struct regional region,
ldns_buffer *  buf,
struct ub_packed_rrset_key k,
uint8_t *  sig,
size_t  siglen,
struct rbtree_t **  sortree 
) [static]

Create canonical form of rrset in the scratch buffer.

Parameters:
region,: temporary region.
buf,: the buffer to use.
k,: the rrset to insert.
sig,: RRSIG rdata to include.
siglen,: RRSIG rdata len excluding signature field, but inclusive signer name length.
sortree,: if NULL is passed a new sorted rrset tree is built. Otherwise it is reused.
Returns:
false on alloc error.

References canonical_sort(), canonical_tree_compare(), canonicalize_rdata(), packed_rrset_data::count, lruhash_entry::data, ub_packed_rrset_key::entry, insert_can_owner(), log_err(), query_dname_tolower(), RBTREE_FOR, rbtree_init(), regional_alloc(), ub_packed_rrset_key::rk, packed_rrset_data::rr_data, packed_rrset_data::rr_len, packed_rrset_key::rrset_class, and packed_rrset_key::type.

Referenced by dnskey_verify_rrset_sig().

static void log_crypto_error ( const char *  str,
unsigned long  e 
) [static]

Output a libcrypto openssl error to the logfile.

Parameters:
str,: string to add to it.
e,: the error to output, error number from ERR_get_error().

References log_err().

Referenced by verify_canonrrset().

static int setup_dsa_sig ( unsigned char **  sig,
unsigned int *  len 
) [static]

Setup DSA key digest in DER encoding .

..

Parameters:
sig,: input is signature output alloced ptr (unless failure). caller must free alloced ptr if this routine returns true.
len,: intput is initial siglen, output is output len.
Returns:
false on failure.

Referenced by verify_canonrrset().

static int setup_key_digest ( int  algo,
EVP_PKEY *  evp_key,
const EVP_MD **  digest_type,
unsigned char *  key,
size_t  keylen 
) [static]

Setup key and digest for verification.

Adjust sig if necessary.

Parameters:
algo,: key algorithm
evp_key,: EVP PKEY public key to update.
digest_type,: digest type to use
key,: key to setup for.
keylen,: length of key.
Returns:
false on failure.

References VERB_QUERY, and verbose().

Referenced by verify_canonrrset().

static enum sec_status verify_canonrrset ( ldns_buffer *  buf,
int  algo,
unsigned char *  sigblock,
unsigned int  sigblock_len,
unsigned char *  key,
unsigned int  keylen 
) [static]

Check a canonical sig+rrset and signature against a dnskey.

Parameters:
buf,: buffer with data to verify, the first rrsig part and the canonicalized rrset.
algo,: DNSKEY algorithm.
sigblock,: signature rdata field from RRSIG
sigblock_len,: length of sigblock data.
key,: public key data from DNSKEY RR.
keylen,: length of keydata.
Returns:
secure if verification succeeded, bogus on crypto failure, unchecked on format errors and alloc failures.

References log_crypto_error(), log_err(), sec_status_bogus, sec_status_secure, sec_status_unchecked, setup_dsa_sig(), setup_key_digest(), VERB_QUERY, and verbose().

Referenced by dnskey_verify_rrset_sig().

enum sec_status dnskey_verify_rrset_sig ( struct regional region,
ldns_buffer *  buf,
struct val_env ve,
uint32_t  now,
struct ub_packed_rrset_key rrset,
struct ub_packed_rrset_key dnskey,
size_t  dnskey_idx,
size_t  sig_idx,
struct rbtree_t **  sortree,
int *  buf_canon 
)

verify rrset, with specific dnskey(from set), for a specific rrsig

Parameters:
region,: scratch region used for temporary allocation.
buf,: scratch buffer used for canonicalized rrset data.
ve,: validator environment, date settings.
now,: current time for validation (can be overridden).
rrset,: to be validated.
dnskey,: DNSKEY rrset, keyset.
dnskey_idx,: which key from the rrset to try.
sig_idx,: which signature to try to validate.
sortree,: pass NULL at start, the sorted rrset order is returned. pass it again for the same rrset.
buf_canon,: if true, the buffer is already canonical. pass false at start. pass old value only for same rrset and same signature (but perhaps different key) for reuse.
Returns:
secure if this key signs this signature. unchecked on error or bogus if it did not validate.

References adjust_ttl(), check_dates(), packed_rrset_key::dname, dname_signame_label_count(), dname_subdomain_c(), dname_valid(), DNSKEY_BIT_ZSK, dnskey_calc_keytag(), dnskey_get_algo(), dnskey_get_flags(), dnskey_get_protocol(), dnskey_get_pubkey(), log_err(), log_nametypeclass(), query_dname_compare(), ub_packed_rrset_key::rk, rrset_canonical(), rrset_get_count(), rrset_get_rdata(), sec_status_bogus, sec_status_secure, sec_status_unchecked, packed_rrset_key::type, VERB_QUERY, verbose(), and verify_canonrrset().

Referenced by dnskey_verify_rrset(), and dnskeyset_verify_rrset_sig().


Generated on Thu Mar 26 09:45:02 2009 for unbound by  doxygen 1.5.8