Lines Matching +full:resolver +full:- +full:to +full:- +full:digital
2 * validator/val_sigcrypt.c - validator signature crypto functions.
20 * be used to endorse or promote products derived from this software without
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
63 #error "Need crypto library to do digital signature cryptography"
90 rrset->entry.data; in rrset_get_count()
92 return d->count; in rrset_get_count()
101 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; in rrset_get_sigcount()
102 return d->rrsig_count; in rrset_get_sigcount()
115 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; in rrset_get_sig_keytag()
116 log_assert(sig_idx < d->rrsig_count); in rrset_get_sig_keytag()
117 if(d->rr_len[d->count + sig_idx] < 2+18) in rrset_get_sig_keytag()
119 memmove(&t, d->rr_data[d->count + sig_idx]+2+16, 2); in rrset_get_sig_keytag()
132 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; in rrset_get_sig_algo()
133 log_assert(sig_idx < d->rrsig_count); in rrset_get_sig_algo()
134 if(d->rr_len[d->count + sig_idx] < 2+3) in rrset_get_sig_algo()
136 return (int)d->rr_data[d->count + sig_idx][2+2]; in rrset_get_sig_algo()
144 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; in rrset_get_rdata()
145 log_assert(d && idx < (d->count + d->rrsig_count)); in rrset_get_rdata()
146 *rdata = d->rr_data[idx]; in rrset_get_rdata()
147 *len = d->rr_len[idx]; in rrset_get_rdata()
206 *pklen = (unsigned)len-2-4; in dnskey_get_pubkey()
245 * Return pointer to the digest in a DS RR.
266 *len = rdlen - 2 - 4; in ds_get_sigdata()
270 * Return size of DS digest according to its hash algorithm.
298 sldns_buffer* b = env->scratch_buffer; in ds_create_dnskey_digest()
307 sldns_buffer_write(b, dnskey_rrset->rk.dname, in ds_create_dnskey_digest()
308 dnskey_rrset->rk.dname_len); in ds_create_dnskey_digest()
310 sldns_buffer_write(b, dnskey_rdata+2, dnskey_len-2); /* skip rdatalen*/ in ds_create_dnskey_digest()
345 digest = regional_alloc(env->scratch, digestlen); in ds_digest_match_dnskey()
382 /* do not pass rdatalen to ldns */ in dnskey_calc_keytag()
383 return sldns_calc_keytag_raw(data+2, len-2); in dnskey_calc_keytag()
405 keysize = sldns_rr_dnskey_key_size_raw(rdata+2+4, len-2-4, alg); in dnskey_size_is_supported()
440 size_t i, total = n->num; in algo_needs_init_dnskey_add()
447 if(n->needs[algo] == 0) { in algo_needs_init_dnskey_add()
448 n->needs[algo] = 1; in algo_needs_init_dnskey_add()
454 n->num = total; in algo_needs_init_dnskey_add()
462 memset(n->needs, 0, sizeof(uint8_t)*ALGO_NEEDS_MAX); in algo_needs_init_list()
465 log_assert(n->needs[algo] == 0); in algo_needs_init_list()
466 n->needs[algo] = 1; in algo_needs_init_list()
469 n->num = total; in algo_needs_init_list()
479 memset(n->needs, 0, sizeof(uint8_t)*ALGO_NEEDS_MAX); in algo_needs_init_ds()
487 if(n->needs[algo] == 0) { in algo_needs_init_ds()
488 n->needs[algo] = 1; in algo_needs_init_ds()
494 n->num = total; in algo_needs_init_ds()
499 if(n->needs[algo]) { in algo_needs_set_secure()
500 n->needs[algo] = 0; in algo_needs_set_secure()
501 n->num --; in algo_needs_set_secure()
502 if(n->num == 0) /* done! */ in algo_needs_set_secure()
510 if(n->needs[algo]) n->needs[algo] = 2; /* need it, but bogus */ in algo_needs_set_bogus()
515 return n->num; in algo_needs_num_missing()
520 int i, miss = -1; in algo_needs_missing()
521 /* check if a needed algo was bogus - report that; in algo_needs_missing()
522 * check the first missing algo - report that; in algo_needs_missing()
525 if(n->needs[i] == 2) in algo_needs_missing()
527 if(n->needs[i] == 1 && miss == -1) in algo_needs_missing()
530 if(miss != -1) return miss; in algo_needs_missing()
539 * @param rrset: to be validated.
540 * @param dnskey: DNSKEY rrset, keyset to try.
541 * @param sig_idx: which signature to try to validate.
588 sec = dnskey_verify_rrset_sig(env->scratch, in dnskeyset_verify_rrset_sig()
589 env->scratch_buffer, ve, now, rrset, dnskey, i, in dnskeyset_verify_rrset_sig()
639 verbose(VERB_QUERY, "rrset failed to verify due to a lack of " in dnskeyset_verify_rrset()
658 sec = dnskeyset_verify_rrset_sig(env, ve, *env->now, rrset, in dnskeyset_verify_rrset()
673 verbose(VERB_QUERY, "rrset failed to verify, too many RRSIG validations"); in dnskeyset_verify_rrset()
681 verbose(VERB_ALGO, "rrset failed to verify: " in dnskeyset_verify_rrset()
687 verbose(VERB_ALGO, "rrset failed to verify: " in dnskeyset_verify_rrset()
697 if(t&&t->name) in algo_needs_reason()
699 t->name); in algo_needs_reason()
721 verbose(VERB_QUERY, "rrset failed to verify due to a lack of " in dnskey_verify_rrset()
734 sec = dnskey_verify_rrset_sig(env->scratch, in dnskey_verify_rrset()
735 env->scratch_buffer, ve, *env->now, rrset, in dnskey_verify_rrset()
745 verbose(VERB_QUERY, "rrset failed to verify, too many RRSIG validations"); in dnskey_verify_rrset()
757 verbose(VERB_ALGO, "rrset failed to verify due to algorithm " in dnskey_verify_rrset()
764 verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus"); in dnskey_verify_rrset()
781 * Compare two RR for canonical order, in a field-style sweep.
784 * @param i: first RR to compare
785 * @param j: first RR to compare
797 int wfi = -1; /* current wireformat rdata field (rdf) */ in canonical_compare_byfield()
798 int wfj = -1; in canonical_compare_byfield()
799 uint8_t* di = d->rr_data[i]+2; /* ptr to current rdata byte */ in canonical_compare_byfield()
800 uint8_t* dj = d->rr_data[j]+2; in canonical_compare_byfield()
801 size_t ilen = d->rr_len[i]-2; /* length left in rdata */ in canonical_compare_byfield()
802 size_t jlen = d->rr_len[j]-2; in canonical_compare_byfield()
807 int dname_num_i = (int)desc->_dname_count; /* decreased at root label */ in canonical_compare_byfield()
808 int dname_num_j = (int)desc->_dname_count; in canonical_compare_byfield()
811 * and still some lowercasing needs to be done; either the dnames in canonical_compare_byfield()
821 return -1; in canonical_compare_byfield()
824 ilen--; in canonical_compare_byfield()
825 jlen--; in canonical_compare_byfield()
831 * to process the rest of this rdata field. in canonical_compare_byfield()
832 * The reason to first read the byte, then setup the rdf, in canonical_compare_byfield()
838 /* capture length to lowercase */ in canonical_compare_byfield()
843 dname_num_i--; in canonical_compare_byfield()
852 if(desc->_wireformat[wfi] in canonical_compare_byfield()
858 dname_num_i--; in canonical_compare_byfield()
862 } else if(desc->_wireformat[wfi] in canonical_compare_byfield()
866 desc->_wireformat[wfi]) - 1; in canonical_compare_byfield()
868 } else lablen_i--; in canonical_compare_byfield()
876 dname_num_j--; in canonical_compare_byfield()
882 if(desc->_wireformat[wfj] in canonical_compare_byfield()
888 dname_num_j--; in canonical_compare_byfield()
892 } else if(desc->_wireformat[wfj] in canonical_compare_byfield()
896 desc->_wireformat[wfj]) - 1; in canonical_compare_byfield()
898 } else lablen_j--; in canonical_compare_byfield()
908 return -1; in canonical_compare_byfield()
915 return -1; in canonical_compare_byfield()
924 * @param rrset: the rrset in which to perform compares.
925 * @param i: first RR to compare
926 * @param j: first RR to compare
927 * @return 0 if RR i== RR j, -1 if <, +1 if >.
933 rrset->entry.data; in canonical_compare()
935 uint16_t type = ntohs(rrset->rk.type); in canonical_compare()
944 * This name has to be canonicalized.*/ in canonical_compare()
956 if(!dname_valid(d->rr_data[i]+2, d->rr_len[i]-2) || in canonical_compare()
957 !dname_valid(d->rr_data[j]+2, d->rr_len[j]-2)) in canonical_compare()
959 return query_dname_compare(d->rr_data[i]+2, in canonical_compare()
960 d->rr_data[j]+2); in canonical_compare()
964 * and after that a byte-for byte remainder can be compared. in canonical_compare()
977 /* RRSIG signer name has to be downcased */ in canonical_compare()
985 log_assert(desc->_minimum == desc->_maximum); in canonical_compare()
994 minlen = d->rr_len[i]-2; in canonical_compare()
995 if(minlen > d->rr_len[j]-2) in canonical_compare()
996 minlen = d->rr_len[j]-2; in canonical_compare()
997 c = memcmp(d->rr_data[i]+2, d->rr_data[j]+2, minlen); in canonical_compare()
1001 if(d->rr_len[i] < d->rr_len[j]) in canonical_compare()
1002 return -1; in canonical_compare()
1003 if(d->rr_len[i] > d->rr_len[j]) in canonical_compare()
1016 log_assert(r1->rrset == r2->rrset); in canonical_tree_compare()
1017 return canonical_compare(r1->rrset, r1->rr_idx, r2->rr_idx); in canonical_tree_compare()
1024 * @param rrset: to sort.
1026 * @param sortree: tree to sort into.
1034 /* insert into rbtree to sort and detect duplicates */ in canonical_sort()
1035 for(i=0; i<d->count; i++) { in canonical_sort()
1047 * @param buf: buffer to insert into at current position.
1059 int fqdn_labels = dname_signame_label_count(k->rk.dname); in insert_can_owner()
1063 sldns_buffer_write(buf, k->rk.dname, k->rk.dname_len); in insert_can_owner()
1065 *can_owner_len = k->rk.dname_len; in insert_can_owner()
1072 uint8_t* nm = k->rk.dname; in insert_can_owner()
1073 size_t len = k->rk.dname_len; in insert_can_owner()
1074 /* so skip fqdn_labels-rrsig_labels */ in insert_can_owner()
1075 for(i=0; i<fqdn_labels-rrsig_labels; i++) { in insert_can_owner()
1095 uint8_t* datstart = sldns_buffer_current(buf)-len+2; in canonicalize_rdata()
1096 switch(ntohs(rrset->rk.type)) { in canonicalize_rdata()
1116 dname_valid(datstart, len-2)); in canonicalize_rdata()
1144 dname_valid(datstart, len-2-2)); in canonicalize_rdata()
1149 len -= 2+4; in canonicalize_rdata()
1153 len -= (size_t)datstart[0]+1; in canonicalize_rdata()
1157 len -= (size_t)datstart[0]+1; in canonicalize_rdata()
1161 len -= (size_t)datstart[0]+1; in canonicalize_rdata()
1181 /* nothing to do for unknown types */ in canonicalize_rdata()
1191 struct packed_rrset_data* d1=(struct packed_rrset_data*)k1->entry.data; in rrset_canonical_equal()
1192 struct packed_rrset_data* d2=(struct packed_rrset_data*)k2->entry.data; in rrset_canonical_equal()
1199 if(k1->rk.dname_len != k2->rk.dname_len || in rrset_canonical_equal()
1200 k1->rk.flags != k2->rk.flags || in rrset_canonical_equal()
1201 k1->rk.type != k2->rk.type || in rrset_canonical_equal()
1202 k1->rk.rrset_class != k2->rk.rrset_class || in rrset_canonical_equal()
1203 query_dname_compare(k1->rk.dname, k2->rk.dname) != 0) in rrset_canonical_equal()
1205 if(d1->ttl != d2->ttl || in rrset_canonical_equal()
1206 d1->count != d2->count || in rrset_canonical_equal()
1207 d1->rrsig_count != d2->rrsig_count || in rrset_canonical_equal()
1208 d1->trust != d2->trust || in rrset_canonical_equal()
1209 d1->security != d2->security) in rrset_canonical_equal()
1221 if(d1->count > RR_COUNT_MAX || d2->count > RR_COUNT_MAX) in rrset_canonical_equal()
1223 rrs1 = regional_alloc(region, sizeof(struct canon_rr)*d1->count); in rrset_canonical_equal()
1224 rrs2 = regional_alloc(region, sizeof(struct canon_rr)*d2->count); in rrset_canonical_equal()
1231 /* compare canonical-sorted RRs for canonical-equality */ in rrset_canonical_equal()
1238 flen[0] = d1->rr_len[p1->rr_idx]; in rrset_canonical_equal()
1239 flen[1] = d2->rr_len[p2->rr_idx]; in rrset_canonical_equal()
1240 fdata[0] = d1->rr_data[p1->rr_idx]; in rrset_canonical_equal()
1241 fdata[1] = d2->rr_data[p2->rr_idx]; in rrset_canonical_equal()
1245 p1 = (struct canon_rr*)rbtree_next(&p1->node); in rrset_canonical_equal()
1246 p2 = (struct canon_rr*)rbtree_next(&p2->node); in rrset_canonical_equal()
1254 * @param buf: the buffer to use.
1255 * @param k: the rrset to insert.
1256 * @param sig: RRSIG rdata to include.
1271 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; in rrset_canonical()
1282 if(d->count > RR_COUNT_MAX) in rrset_canonical()
1284 rrs = regional_alloc(region, sizeof(struct canon_rr)*d->count); in rrset_canonical()
1300 + d->rr_len[walk->rr_idx]) { in rrset_canonical()
1301 log_err("verify: failed to canonicalize, " in rrset_canonical()
1310 sldns_buffer_write(buf, &k->rk.type, 2); in rrset_canonical()
1311 sldns_buffer_write(buf, &k->rk.rrset_class, 2); in rrset_canonical()
1313 sldns_buffer_write(buf, d->rr_data[walk->rr_idx], in rrset_canonical()
1314 d->rr_len[walk->rr_idx]); in rrset_canonical()
1315 canonicalize_rdata(buf, k, d->rr_len[walk->rr_idx]); in rrset_canonical()
1320 * section, to prevent that a wildcard synthesized NSEC can be used in in rrset_canonical()
1321 * the non-existence proves. */ in rrset_canonical()
1322 if(ntohs(k->rk.type) == LDNS_RR_TYPE_NSEC && in rrset_canonical()
1324 k->rk.dname = regional_alloc_init(qstate->region, can_owner, in rrset_canonical()
1326 if(!k->rk.dname) in rrset_canonical()
1328 k->rk.dname_len = can_owner_len; in rrset_canonical()
1340 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; in rrset_canonicalize_to_buffer()
1350 if(d->count > RR_COUNT_MAX) in rrset_canonicalize_to_buffer()
1352 rrs = regional_alloc(region, sizeof(struct canon_rr)*d->count); in rrset_canonicalize_to_buffer()
1363 + d->rr_len[walk->rr_idx]) { in rrset_canonicalize_to_buffer()
1364 log_err("verify: failed to canonicalize, " in rrset_canonicalize_to_buffer()
1373 sldns_buffer_write(buf, k->rk.dname, k->rk.dname_len); in rrset_canonicalize_to_buffer()
1375 can_owner_len = k->rk.dname_len; in rrset_canonicalize_to_buffer()
1377 sldns_buffer_write(buf, &k->rk.type, 2); in rrset_canonicalize_to_buffer()
1378 sldns_buffer_write(buf, &k->rk.rrset_class, 2); in rrset_canonicalize_to_buffer()
1379 sldns_buffer_write_u32(buf, d->rr_ttl[walk->rr_idx]); in rrset_canonicalize_to_buffer()
1380 sldns_buffer_write(buf, d->rr_data[walk->rr_idx], in rrset_canonicalize_to_buffer()
1381 d->rr_len[walk->rr_idx]); in rrset_canonicalize_to_buffer()
1382 canonicalize_rdata(buf, k, d->rr_len[walk->rr_idx]); in rrset_canonicalize_to_buffer()
1427 if(ve->date_override) { in check_dates()
1428 if(ve->date_override == -1) { in check_dates()
1432 now = ve->date_override; in check_dates()
1442 /* from RFC8914 on Signature Not Yet Valid: The resolver in check_dates()
1443 * attempted to perform DNSSEC validation, but no in check_dates()
1452 /* within skew ? (calc here to avoid calculation normally) */ in check_dates()
1454 if(skew < (uint32_t)ve->skew_min) skew = ve->skew_min; in check_dates()
1455 if(skew > (uint32_t)ve->skew_max) skew = ve->skew_max; in check_dates()
1469 if(skew < (uint32_t)ve->skew_min) skew = ve->skew_min; in check_dates()
1470 if(skew > (uint32_t)ve->skew_max) skew = ve->skew_max; in check_dates()
1485 /** adjust rrset TTL for verified rrset, compare to original TTL and expi */
1492 (struct packed_rrset_data*)rrset->entry.data; in adjust_ttl()
1503 if(ve->date_override) { in adjust_ttl()
1504 now = ve->date_override; in adjust_ttl()
1506 expittl = (int32_t)((uint32_t)expi - (uint32_t)now); in adjust_ttl()
1509 * d->ttl: rrset ttl read from message or cache. May be reduced in adjust_ttl()
1517 if(MIN_TTL > (time_t)origttl && d->ttl > MIN_TTL) { in adjust_ttl()
1519 " TTL, adjusting TTL downwards to minimum ttl"); in adjust_ttl()
1520 d->ttl = MIN_TTL; in adjust_ttl()
1522 else if(MIN_TTL <= origttl && d->ttl > (time_t)origttl) { in adjust_ttl()
1524 "adjusting TTL downwards to original ttl"); in adjust_ttl()
1525 d->ttl = origttl; in adjust_ttl()
1528 if(expittl > 0 && d->ttl > (time_t)expittl) { in adjust_ttl()
1531 d->ttl = expittl; in adjust_ttl()
1584 signer_len = dname_valid(signer, siglen-2-18); in dnskey_verify_rrset_sig()
1592 if(!dname_subdomain_c(rrset->rk.dname, signer)) { in dnskey_verify_rrset_sig()
1593 verbose(VERB_QUERY, "verify: signer name is off-tree"); in dnskey_verify_rrset_sig()
1594 *reason = "signer name off-tree"; in dnskey_verify_rrset_sig()
1607 sigblock_len = (unsigned int)(siglen - 2 - 18 - signer_len); in dnskey_verify_rrset_sig()
1610 if(query_dname_compare(signer, dnskey->rk.dname) != 0) { in dnskey_verify_rrset_sig()
1615 dnskey->rk.dname, 0, 0); in dnskey_verify_rrset_sig()
1624 if(memcmp(sig+2, &rrset->rk.type, 2) != 0) { in dnskey_verify_rrset_sig()
1649 if((int)sig[2+3] > dname_signame_label_count(rrset->rk.dname)) { in dnskey_verify_rrset_sig()
1664 log_err("verify: failed due to alloc error"); in dnskey_verify_rrset_sig()
1682 /* check if TTL is too high - reduce if so */ in dnskey_verify_rrset_sig()
1686 * Do this last so that if you ignore expired-sigs the in dnskey_verify_rrset_sig()
1687 * rest is sure to be OK. */ in dnskey_verify_rrset_sig()