Add extra statistic to track the number of signature validation operations (#1289)

* Add extra statistic to track the number of signature validation operations performed by the validator module * Move validation operation statistic to mesh as suggested * Fix NULL pointer dereference in case the mesh is not used (and is `NULL`) Co-authored-by: Wouter Wijngaards <wcawijngaards@users.noreply.github.com> * Fix NULL pointer dereference on qstate and qstate->env in unit test situation --------- Co-authored-by: Wouter Wijngaards <wcawijngaards@users.noreply.github.com>
2025-12-18 23:06:06 -05:00 · 2025-07-12 16:29:38 +02:00 · 2025-07-12 16:29:38 +02:00 · 44ac818f87
commit 44ac818f87
parent b4e12030e7
7 changed files with 15 additions and 0 deletions
--- a/daemon/remote.c
+++ b/daemon/remote.c
@ -1148,6 +1148,8 @@ print_ext(RES* ssl, struct ub_stats_info* s, int inhibit_zero)
 		(unsigned long)s->svr.ans_bogus)) return 0;
 	if(!ssl_printf(ssl, "num.rrset.bogus"SQ"%lu\n",
 		(unsigned long)s->svr.rrset_bogus)) return 0;
+	if(!ssl_printf(ssl, "num.valops"SQ"%lu\n",
+		(unsigned long)s->svr.val_ops)) return 0;
 	if(!ssl_printf(ssl, "num.query.aggressive.NOERROR"SQ"%lu\n",
 		(unsigned long)s->svr.num_neg_cache_noerror)) return 0;
 	if(!ssl_printf(ssl, "num.query.aggressive.NXDOMAIN"SQ"%lu\n",
--- a/daemon/stats.c
+++ b/daemon/stats.c
@ -273,6 +273,7 @@ server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset)
 	/* add in the values from the mesh */
 	s->svr.ans_secure += (long long)worker->env.mesh->ans_secure;
 	s->svr.ans_bogus += (long long)worker->env.mesh->ans_bogus;
+	s->svr.val_ops += (long long)worker->env.mesh->val_ops;
 	s->svr.ans_rcode_nodata += (long long)worker->env.mesh->ans_nodata;
 	s->svr.ans_expired += (long long)worker->env.mesh->ans_expired;
 	for(i=0; i<UB_STATS_RCODE_NUM; i++)
@ -495,6 +496,7 @@ void server_stats_add(struct ub_stats_info* total, struct ub_stats_info* a)
 		total->svr.ans_rcode_nodata += a->svr.ans_rcode_nodata;
 		total->svr.ans_secure += a->svr.ans_secure;
 		total->svr.ans_bogus += a->svr.ans_bogus;
+		total->svr.val_ops += a->svr.val_ops;
 		total->svr.unwanted_replies += a->svr.unwanted_replies;
 		total->svr.unwanted_queries += a->svr.unwanted_queries;
 		total->svr.tcp_accept_usage += a->svr.tcp_accept_usage;
--- a/libunbound/unbound.h
+++ b/libunbound/unbound.h
@ -772,6 +772,8 @@ struct ub_server_stats {
 	long long ans_bogus;
 	/** rrsets marked bogus by validator */
 	long long rrset_bogus;
+	/** number of signature validation operations performed by validator */
+	long long val_ops;
 	/** number of queries that have been ratelimited by domain recursion. */
 	long long queries_ratelimited;
 	/** unwanted traffic received on server-facing ports */
--- a/services/mesh.c
+++ b/services/mesh.c
@ -2265,6 +2265,7 @@ mesh_stats_clear(struct mesh_area* mesh)
 	timehist_clear(mesh->histogram);
 	mesh->ans_secure = 0;
 	mesh->ans_bogus = 0;
+	mesh->val_ops = 0;
 	mesh->ans_expired = 0;
 	mesh->ans_cachedb = 0;
 	memset(&mesh->ans_rcode[0], 0, sizeof(size_t)*UB_STATS_RCODE_NUM);
--- a/services/mesh.h
+++ b/services/mesh.h
@ -131,6 +131,8 @@ struct mesh_area {
 	size_t ans_secure;
 	/** (extended stats) bogus replies */
 	size_t ans_bogus;
+	/** (extended stats) number of validation operations */
+	size_t val_ops;
 	/** (extended stats) rcodes in replies */
 	size_t ans_rcode[UB_STATS_RCODE_NUM];
 	/** (extended stats) rcode nodata in replies */
--- a/smallapp/unbound-control.c
+++ b/smallapp/unbound-control.c
@ -409,6 +409,7 @@ static void print_extended(struct ub_stats_info* s, int inhibit_zero)
 	PR_UL("num.answer.secure", s->svr.ans_secure);
 	PR_UL("num.answer.bogus", s->svr.ans_bogus);
 	PR_UL("num.rrset.bogus", s->svr.rrset_bogus);
+	PR_UL("num.valops", s->svr.val_ops);
 	PR_UL("num.query.aggressive.NOERROR", s->svr.num_neg_cache_noerror);
 	PR_UL("num.query.aggressive.NXDOMAIN", s->svr.num_neg_cache_nxdomain);
 	/* threat detection */
--- a/validator/val_sigcrypt.c
+++ b/validator/val_sigcrypt.c
@ -57,6 +57,7 @@
 #include "sldns/sbuffer.h"
 #include "sldns/parseutil.h"
 #include "sldns/wire2str.h"
+#include "services/mesh.h"

 #include <ctype.h>
 #if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
@ -1677,6 +1678,10 @@ dnskey_verify_rrset_sig(struct regional* region, sldns_buffer* buf,
 	/* verify */
 	sec = verify_canonrrset(buf, (int)sig[2+2],
 		sigblock, sigblock_len, key, keylen, reason);
+
+	/* count validation operation */
+	if(qstate && qstate->env && qstate->env->mesh)
+		qstate->env->mesh->val_ops++;
 	
 	if(sec == sec_status_secure) {
 		/* check if TTL is too high - reduce if so */