Electroneum
val_sigcrypt.h File Reference
Include dependency graph for val_sigcrypt.h:

Go to the source code of this file.

Classes

struct  algo_needs
 

Macros

#define ALGO_NEEDS_MAX   256
 

Functions

void algo_needs_init_dnskey_add (struct algo_needs *n, struct ub_packed_rrset_key *dnskey, uint8_t *sigalg)
 
void algo_needs_init_list (struct algo_needs *n, uint8_t *sigalg)
 
void algo_needs_init_ds (struct algo_needs *n, struct ub_packed_rrset_key *ds, int fav_ds_algo, uint8_t *sigalg)
 
int algo_needs_set_secure (struct algo_needs *n, uint8_t algo)
 
void algo_needs_set_bogus (struct algo_needs *n, uint8_t algo)
 
size_t algo_needs_num_missing (struct algo_needs *n)
 
int algo_needs_missing (struct algo_needs *n)
 
void algo_needs_reason (struct module_env *env, int alg, char **reason, char *s)
 
int ds_digest_match_dnskey (struct module_env *env, struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx, struct ub_packed_rrset_key *ds_rrset, size_t ds_idx)
 
uint16_t dnskey_calc_keytag (struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx)
 
uint16_t ds_get_keytag (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx)
 
int dnskey_algo_is_supported (struct ub_packed_rrset_key *dnskey_rrset, size_t dnskey_idx)
 
int ds_digest_algo_is_supported (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx)
 
int ds_get_digest_algo (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx)
 
int ds_key_algo_is_supported (struct ub_packed_rrset_key *ds_rrset, size_t ds_idx)
 
int ds_get_key_algo (struct ub_packed_rrset_key *k, size_t idx)
 
int dnskey_get_algo (struct ub_packed_rrset_key *k, size_t idx)
 
uint16_t dnskey_get_flags (struct ub_packed_rrset_key *k, size_t idx)
 
enum sec_status dnskeyset_verify_rrset (struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, uint8_t *sigalg, char **reason, sldns_pkt_section section, struct module_qstate *qstate)
 
enum sec_status dnskey_verify_rrset (struct module_env *env, struct val_env *ve, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, size_t dnskey_idx, char **reason, sldns_pkt_section section, struct module_qstate *qstate)
 
enum sec_status dnskeyset_verify_rrset_sig (struct module_env *env, struct val_env *ve, time_t now, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, size_t sig_idx, struct rbtree_type **sortree, char **reason, sldns_pkt_section section, struct module_qstate *qstate)
 
enum sec_status dnskey_verify_rrset_sig (struct regional *region, struct sldns_buffer *buf, struct val_env *ve, time_t now, struct ub_packed_rrset_key *rrset, struct ub_packed_rrset_key *dnskey, size_t dnskey_idx, size_t sig_idx, struct rbtree_type **sortree, int *buf_canon, char **reason, sldns_pkt_section section, struct module_qstate *qstate)
 
int canonical_tree_compare (const void *k1, const void *k2)
 
int rrset_canonical_equal (struct regional *region, struct ub_packed_rrset_key *k1, struct ub_packed_rrset_key *k2)
 

Detailed Description

This file contains helper functions for the validator module. The functions help with signature verification and checking, the bridging between RR wireformat data and crypto calls.

Definition in file val_sigcrypt.h.

Macro Definition Documentation

◆ ALGO_NEEDS_MAX

#define ALGO_NEEDS_MAX   256

number of entries in algorithm needs array

Definition at line 57 of file val_sigcrypt.h.

Function Documentation

◆ algo_needs_init_dnskey_add()

void algo_needs_init_dnskey_add ( struct algo_needs n,
struct ub_packed_rrset_key dnskey,
uint8_t sigalg 
)

Initialize algo needs structure, set algos from rrset as needed. Results are added to an existing need structure.

Parameters
nstruct with storage.
dnskeyalgos from this struct set as necessary. DNSKEY set.
sigalgadds to signalled algorithm list too.

◆ algo_needs_init_ds()

void algo_needs_init_ds ( struct algo_needs n,
struct ub_packed_rrset_key ds,
int  fav_ds_algo,
uint8_t sigalg 
)

Initialize algo needs structure, set algos from rrset as needed.

Parameters
nstruct with storage.
dsalgos from this struct set as necessary. DS set.
fav_ds_algofilter to use only this DS algo.
sigalglist of signalled algos, constructed as output, provide size ALGO_NEEDS_MAX+1. list of algonumbers, ends with a zero.

◆ algo_needs_init_list()

void algo_needs_init_list ( struct algo_needs n,
uint8_t sigalg 
)

Initialize algo needs structure from a signalled algo list.

Parameters
nstruct with storage.
sigalgsignalled algorithm list, numbers ends with 0.

◆ algo_needs_missing()

int algo_needs_missing ( struct algo_needs n)

See which algo is missing.

Parameters
nstruct after processing.
Returns
if 0 an algorithm was bogus, if a number, this algorithm was missing. So on 0, report why that was bogus, on number report a missing algorithm. There could be multiple missing, this reports the first one.

◆ algo_needs_num_missing()

size_t algo_needs_num_missing ( struct algo_needs n)

See how many algorithms are missing (not bogus or secure, but not processed)

Parameters
nstorage structure processed.
Returns
number of algorithms missing after processing.

◆ algo_needs_reason()

void algo_needs_reason ( struct module_env env,
int  alg,
char **  reason,
char *  s 
)

Format error reason for algorithm missing.

Parameters
envmodule env with scratch for temp storage of string.
algDNSKEY-algorithm missing.
reasondestination.
sstring, appended with 'with algorithm ..'.

◆ algo_needs_set_bogus()

void algo_needs_set_bogus ( struct algo_needs n,
uint8_t  algo 
)

Mark this algorithm a failure, sec_bogus. It can later be overridden by a success for this algorithm (with a different signature).

Parameters
nstorage structure processed.
algothe algorithm processed to be bogus.

◆ algo_needs_set_secure()

int algo_needs_set_secure ( struct algo_needs n,
uint8_t  algo 
)

Mark this algorithm as a success, sec_secure, and see if we are done.

Parameters
nstorage structure processed.
algothe algorithm processed to be secure.
Returns
if true, processing has finished successfully, we are satisfied.

◆ canonical_tree_compare()

int canonical_tree_compare ( const void *  k1,
const void *  k2 
)

canonical compare for two tree entries

◆ dnskey_algo_is_supported()

int dnskey_algo_is_supported ( struct ub_packed_rrset_key dnskey_rrset,
size_t  dnskey_idx 
)

See if DNSKEY algorithm is supported

Parameters
dnskey_rrsetDNSKEY rrset.
dnskey_idxindex of RR in rrset.
Returns
true if supported.

◆ dnskey_calc_keytag()

uint16_t dnskey_calc_keytag ( struct ub_packed_rrset_key dnskey_rrset,
size_t  dnskey_idx 
)

Get dnskey keytag, footprint value

Parameters
dnskey_rrsetDNSKEY rrset.
dnskey_idxindex of RR in rrset.
Returns
the keytag or 0 for badly formatted DNSKEYs.

◆ dnskey_get_algo()

int dnskey_get_algo ( struct ub_packed_rrset_key k,
size_t  idx 
)

Get DNSKEY RR signature algorithm

Parameters
kDNSKEY rrset.
idxwhich DNSKEY RR.
Returns
algorithm or 0 if DNSKEY too short.

◆ dnskey_get_flags()

uint16_t dnskey_get_flags ( struct ub_packed_rrset_key k,
size_t  idx 
)

Get DNSKEY RR flags

Parameters
kDNSKEY rrset.
idxwhich DNSKEY RR.
Returns
flags or 0 if DNSKEY too short.

◆ dnskey_verify_rrset()

enum sec_status dnskey_verify_rrset ( struct module_env env,
struct val_env ve,
struct ub_packed_rrset_key rrset,
struct ub_packed_rrset_key dnskey,
size_t  dnskey_idx,
char **  reason,
sldns_pkt_section  section,
struct module_qstate qstate 
)

verify rrset against one specific dnskey (from rrset)

Parameters
envmodule environment, scratch space is used.
vevalidator environment, date settings.
rrsetto be validated.
dnskeyDNSKEY rrset, keyset.
dnskey_idxwhich key from the rrset to try.
reasonif bogus, a string returned, fixed or alloced in scratch.
sectionsection of packet where this rrset comes from.
qstateqstate with region.
Returns
secure if this key signs any of the signatures on rrset. unchecked on error or and bogus on bad signature.

◆ dnskey_verify_rrset_sig()

enum sec_status dnskey_verify_rrset_sig ( struct regional region,
struct sldns_buffer buf,
struct val_env ve,
time_t  now,
struct ub_packed_rrset_key rrset,
struct ub_packed_rrset_key dnskey,
size_t  dnskey_idx,
size_t  sig_idx,
struct rbtree_type **  sortree,
int *  buf_canon,
char **  reason,
sldns_pkt_section  section,
struct module_qstate qstate 
)

verify rrset, with specific dnskey(from set), for a specific rrsig

Parameters
regionscratch region used for temporary allocation.
bufscratch buffer used for canonicalized rrset data.
vevalidator environment, date settings.
nowcurrent time for validation (can be overridden).
rrsetto be validated.
dnskeyDNSKEY rrset, keyset.
dnskey_idxwhich key from the rrset to try.
sig_idxwhich signature to try to validate.
sortreepass NULL at start, the sorted rrset order is returned. pass it again for the same rrset.
buf_canonif true, the buffer is already canonical. pass false at start. pass old value only for same rrset and same signature (but perhaps different key) for reuse.
reasonif bogus, a string returned, fixed or alloced in scratch.
sectionsection of packet where this rrset comes from.
qstateqstate with region.
Returns
secure if this key signs this signature. unchecked on error or bogus if it did not validate.

◆ dnskeyset_verify_rrset()

enum sec_status dnskeyset_verify_rrset ( struct module_env env,
struct val_env ve,
struct ub_packed_rrset_key rrset,
struct ub_packed_rrset_key dnskey,
uint8_t sigalg,
char **  reason,
sldns_pkt_section  section,
struct module_qstate qstate 
)

Verify rrset against dnskey rrset.

Parameters
envmodule environment, scratch space is used.
vevalidator environment, date settings.
rrsetto be validated.
dnskeyDNSKEY rrset, keyset to try.
sigalgif nonNULL provide downgrade protection otherwise one algorithm is enough.
reasonif bogus, a string returned, fixed or alloced in scratch.
sectionsection of packet where this rrset comes from.
qstateqstate with region.
Returns
SECURE if one key in the set verifies one rrsig. UNCHECKED on allocation errors, unsupported algorithms, malformed data, and BOGUS on verification failures (no keys match any signatures).

◆ dnskeyset_verify_rrset_sig()

enum sec_status dnskeyset_verify_rrset_sig ( struct module_env env,
struct val_env ve,
time_t  now,
struct ub_packed_rrset_key rrset,
struct ub_packed_rrset_key dnskey,
size_t  sig_idx,
struct rbtree_type **  sortree,
char **  reason,
sldns_pkt_section  section,
struct module_qstate qstate 
)

verify rrset, with dnskey rrset, for a specific rrsig in rrset

Parameters
envmodule environment, scratch space is used.
vevalidator environment, date settings.
nowcurrent time for validation (can be overridden).
rrsetto be validated.
dnskeyDNSKEY rrset, keyset to try.
sig_idxwhich signature to try to validate.
sortreereused sorted order. Stored in region. Pass NULL at start, and for a new rrset.
reasonif bogus, a string returned, fixed or alloced in scratch.
sectionsection of packet where this rrset comes from.
qstateqstate with region.
Returns
secure if any key signs this signature. bogus if no key signs it, or unchecked on error.

◆ ds_digest_algo_is_supported()

int ds_digest_algo_is_supported ( struct ub_packed_rrset_key ds_rrset,
size_t  ds_idx 
)

See if DS digest algorithm is supported

Parameters
ds_rrsetDS rrset
ds_idxindex of RR in DS rrset.
Returns
true if supported.

◆ ds_digest_match_dnskey()

int ds_digest_match_dnskey ( struct module_env env,
struct ub_packed_rrset_key dnskey_rrset,
size_t  dnskey_idx,
struct ub_packed_rrset_key ds_rrset,
size_t  ds_idx 
)

Check if dnskey matches a DS digest Does not check dnskey-keyid footprint, just the digest.

Parameters
envmodule environment. Uses scratch space.
dnskey_rrsetDNSKEY rrset.
dnskey_idxindex of RR in rrset.
ds_rrsetDS rrset
ds_idxindex of RR in DS rrset.
Returns
true if it matches, false on error, not supported or no match.

◆ ds_get_digest_algo()

int ds_get_digest_algo ( struct ub_packed_rrset_key ds_rrset,
size_t  ds_idx 
)

Get DS RR digest algorithm

Parameters
ds_rrsetDS rrset.
ds_idxwhich DS.
Returns
algorithm or 0 if DS too short.

◆ ds_get_key_algo()

int ds_get_key_algo ( struct ub_packed_rrset_key k,
size_t  idx 
)

Get DS RR key algorithm. This value should match with the DNSKEY algo.

Parameters
kDS rrset.
idxwhich DS.
Returns
algorithm or 0 if DS too short.

◆ ds_get_keytag()

uint16_t ds_get_keytag ( struct ub_packed_rrset_key ds_rrset,
size_t  ds_idx 
)

Get DS keytag, footprint value that matches the DNSKEY keytag it signs.

Parameters
ds_rrsetDS rrset
ds_idxindex of RR in DS rrset.
Returns
the keytag or 0 for badly formatted DSs.

◆ ds_key_algo_is_supported()

int ds_key_algo_is_supported ( struct ub_packed_rrset_key ds_rrset,
size_t  ds_idx 
)

See if DS key algorithm is supported

Parameters
ds_rrsetDS rrset
ds_idxindex of RR in DS rrset.
Returns
true if supported.

◆ rrset_canonical_equal()

int rrset_canonical_equal ( struct regional region,
struct ub_packed_rrset_key k1,
struct ub_packed_rrset_key k2 
)

Compare two rrsets and see if they are the same, canonicalised. The rrsets are not altered.

Parameters
regiontemporary region.
k1rrset1
k2rrset2
Returns
true if equal.