Diffstat (limited to 'validator/val_utils.c')
-rw-r--r--validator/val_utils.c37
1 files changed, 22 insertions, 15 deletions
diff --git a/validator/val_utils.c b/validator/val_utils.c
index 973473f9dc85e..0eabb7f33ba47 100644
--- a/validator/val_utils.c
+++ b/validator/val_utils.c
@@ -335,7 +335,8 @@ rrset_get_ttl(struct ub_packed_rrset_key* rrset)
enum sec_status
val_verify_rrset(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* keys,
- uint8_t* sigalg, char** reason)
+ uint8_t* sigalg, char** reason, sldns_pkt_section section,
+ struct module_qstate* qstate)
{
enum sec_status sec;
struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
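Review bot: The new `section` and `qstate` parameters on val_verify_rrset change a signature-verification entry point, but nothing in this file states their contract: what `section` changes about verification, and whether `qstate` may be NULL for a caller that validates outside a running query. The same gap applies to the signatures changed further down: val_verify_rrset_entry, val_verify_DNSKEY_with_DS, val_verify_new_DNSKEYs and val_verify_DNSKEY_with_TA. The function's doc comment (presumably in the header, which is not on this page) should gain a line such as `@param section: section of the packet the rrset was taken from.` and a matching `qstate` line that says explicitly whether NULL is accepted. The body of val_verify_rrset continues outside this hunk.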
@@ -357,7 +358,8 @@ val_verify_rrset(struct module_env* env, struct val_env* ve,
}
log_nametypeclass(VERB_ALGO, "verify rrset", rrset->rk.dname,
ntohs(rrset->rk.type), ntohs(rrset->rk.rrset_class));
- sec = dnskeyset_verify_rrset(env, ve, rrset, keys, sigalg, reason);
+ sec = dnskeyset_verify_rrset(env, ve, rrset, keys, sigalg, reason,
+ section, qstate);
verbose(VERB_ALGO, "verify result: %s", sec_status_to_string(sec));
regional_free_all(env->scratch);
@@ -390,7 +392,7 @@ val_verify_rrset(struct module_env* env, struct val_env* ve,
enum sec_status
val_verify_rrset_entry(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key* rrset, struct key_entry_key* kkey,
- char** reason)
+ char** reason, sldns_pkt_section section, struct module_qstate* qstate)
{
/* temporary dnskey rrset-key */
struct ub_packed_rrset_key dnskey;
@@ -403,7 +405,8 @@ val_verify_rrset_entry(struct module_env* env, struct val_env* ve,
dnskey.rk.dname_len = kkey->namelen;
dnskey.entry.key = &dnskey;
dnskey.entry.data = kd->rrset_data;
- sec = val_verify_rrset(env, ve, rrset, &dnskey, kd->algo, reason);
+ sec = val_verify_rrset(env, ve, rrset, &dnskey, kd->algo, reason,
+ section, qstate);
return sec;
}
@@ -411,7 +414,8 @@ val_verify_rrset_entry(struct module_env* env, struct val_env* ve,
static enum sec_status
verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key* dnskey_rrset,
- struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, char** reason)
+ struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, char** reason,
+ struct module_qstate* qstate)
{
enum sec_status sec = sec_status_bogus;
size_t i, num, numchecked = 0, numhashok = 0;
@@ -442,7 +446,7 @@ verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve,
/* Otherwise, we have a match! Make sure that the DNSKEY
* verifies *with this key* */
sec = dnskey_verify_rrset(env, ve, dnskey_rrset,
- dnskey_rrset, i, reason);
+ dnskey_rrset, i, reason, LDNS_SECTION_ANSWER, qstate);
if(sec == sec_status_secure) {
return sec;
}
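Review bot: `LDNS_SECTION_ANSWER` is hard-coded in this dnskey_verify_rrset call, whereas val_verify_rrset passes the caller's `section` through; the same constant appears in the `ta_dnskey` call in val_verify_DNSKEY_with_TA. Nothing on the page explains why the DNSKEY rrset is always verified as answer-section data. Presumably it is because the rrset is obtained as the answer to a DNSKEY query, but that is an inference. A short comment at both calls would stop a later reader from changing the constant, e.g. `/* DNSKEY rrset is the answer to the DNSKEY query: verify as answer section */`. The enclosing function starts and ends outside this hunk.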
@@ -478,7 +482,8 @@ int val_favorite_ds_algo(struct ub_packed_rrset_key* ds_rrset)
enum sec_status
val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key* dnskey_rrset,
- struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason)
+ struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason,
+ struct module_qstate* qstate)
{
/* as long as this is false, we can consider this DS rrset to be
* equivalent to no DS rrset. */
@@ -520,7 +525,7 @@ val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
has_useful_ds = 1;
sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
- ds_rrset, i, reason);
+ ds_rrset, i, reason, qstate);
if(sec == sec_status_secure) {
if(!sigalg || algo_needs_set_secure(&needs,
(uint8_t)ds_get_key_algo(ds_rrset, i))) {
@@ -553,11 +558,12 @@ val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
struct key_entry_key*
val_verify_new_DNSKEYs(struct regional* region, struct module_env* env,
struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
- struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason)
+ struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason,
+ struct module_qstate* qstate)
{
uint8_t sigalg[ALGO_NEEDS_MAX+1];
enum sec_status sec = val_verify_DNSKEY_with_DS(env, ve,
- dnskey_rrset, ds_rrset, downprot?sigalg:NULL, reason);
+ dnskey_rrset, ds_rrset, downprot?sigalg:NULL, reason, qstate);
if(sec == sec_status_secure) {
return key_entry_create_rrset(region,
@@ -579,7 +585,8 @@ enum sec_status
val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key* dnskey_rrset,
struct ub_packed_rrset_key* ta_ds,
- struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason)
+ struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason,
+ struct module_qstate* qstate)
{
/* as long as this is false, we can consider this anchor to be
* equivalent to no anchor. */
@@ -630,7 +637,7 @@ val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
has_useful_ta = 1;
sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
- ta_ds, i, reason);
+ ta_ds, i, reason, qstate);
if(sec == sec_status_secure) {
if(!sigalg || algo_needs_set_secure(&needs,
(uint8_t)ds_get_key_algo(ta_ds, i))) {
@@ -656,7 +663,7 @@ val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
has_useful_ta = 1;
sec = dnskey_verify_rrset(env, ve, dnskey_rrset,
- ta_dnskey, i, reason);
+ ta_dnskey, i, reason, LDNS_SECTION_ANSWER, qstate);
if(sec == sec_status_secure) {
if(!sigalg || algo_needs_set_secure(&needs,
(uint8_t)dnskey_get_algo(ta_dnskey, i))) {
@@ -690,12 +697,12 @@ val_verify_new_DNSKEYs_with_ta(struct regional* region, struct module_env* env,
struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
struct ub_packed_rrset_key* ta_ds_rrset,
struct ub_packed_rrset_key* ta_dnskey_rrset, int downprot,
- char** reason)
+ char** reason, struct module_qstate* qstate)
{
uint8_t sigalg[ALGO_NEEDS_MAX+1];
enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve,
dnskey_rrset, ta_ds_rrset, ta_dnskey_rrset,
- downprot?sigalg:NULL, reason);
+ downprot?sigalg:NULL, reason, qstate);
if(sec == sec_status_secure) {
return key_entry_create_rrset(region,