upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-24 00:29:58 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

security status.

Browse source 
git-svn-id: file:///svn/unbound/trunk@495 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
Wouter Wijngaards 2007-08-07 08:27:23 +00:00
parent b24aac895f
commit ff4f04de2a
5 changed files with 87 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
doc/Changelog
View file

@ -1,3 +1,6 @@
7 August 2007: Wouter
- security status type.
6 August 2007: Wouter 6 August 2007: Wouter
- key cache for validator. - key cache for validator.
- moved isroot and dellabel to own dname routines, with unit test. - moved isroot and dellabel to own dname routines, with unit test.

10
util/data/msgreply.c
View file

@ -73,7 +73,8 @@ parse_create_qinfo(ldns_buffer* pkt, struct msg_parse* msg,
/** constructor for replyinfo */ /** constructor for replyinfo */
static struct reply_info* static struct reply_info*
construct_reply_info_base(struct region* region, uint16_t flags, size_t qd, construct_reply_info_base(struct region* region, uint16_t flags, size_t qd,
uint32_t ttl, size_t an, size_t ns, size_t ar, size_t total) uint32_t ttl, size_t an, size_t ns, size_t ar, size_t total,
enum sec_status sec)
{ {
struct reply_info* rep; struct reply_info* rep;
/* rrset_count-1 because the first ref is part of the struct. */ /* rrset_count-1 because the first ref is part of the struct. */
@ -92,6 +93,7 @@ construct_reply_info_base(struct region* region, uint16_t flags, size_t qd,
rep->ns_numrrsets = ns; rep->ns_numrrsets = ns;
rep->ar_numrrsets = ar; rep->ar_numrrsets = ar;
rep->rrset_count = total; rep->rrset_count = total;
rep->security = sec;
/* array starts after the refs */ /* array starts after the refs */
if(region) if(region)
rep->rrsets = (struct ub_packed_rrset_key**)&(rep->ref[0]); rep->rrsets = (struct ub_packed_rrset_key**)&(rep->ref[0]);
@ -110,7 +112,7 @@ parse_create_repinfo(struct msg_parse* msg, struct reply_info** rep,
{ {
*rep = construct_reply_info_base(region, msg->flags, msg->qdcount, 0, *rep = construct_reply_info_base(region, msg->flags, msg->qdcount, 0,
msg->an_rrsets, msg->ns_rrsets, msg->ar_rrsets, msg->an_rrsets, msg->ns_rrsets, msg->ar_rrsets,
msg->rrset_count); msg->rrset_count, sec_status_unchecked);
if(!*rep) if(!*rep)
return 0; return 0;
return 1; return 1;
@ -229,6 +231,7 @@ parse_rr_copy(ldns_buffer* pkt, struct rrset_parse* pset,
data->count = pset->rr_count; data->count = pset->rr_count;
data->rrsig_count = pset->rrsig_count; data->rrsig_count = pset->rrsig_count;
data->trust = rrset_trust_none; data->trust = rrset_trust_none;
data->security = sec_status_unchecked;
/* layout: struct - rr_len - rr_data - rr_ttl - rdata - rrsig */ /* layout: struct - rr_len - rr_data - rr_ttl - rdata - rrsig */
data->rr_len = (size_t*)((uint8_t*)data + data->rr_len = (size_t*)((uint8_t*)data +
sizeof(struct packed_rrset_data)); sizeof(struct packed_rrset_data));
@ -345,6 +348,7 @@ parse_copy_decompress(ldns_buffer* pkt, struct msg_parse* msg,
struct packed_rrset_data* data; struct packed_rrset_data* data;
log_assert(rep); log_assert(rep);
rep->ttl = MAX_TTL; rep->ttl = MAX_TTL;
rep->security = sec_status_unchecked;
if(rep->rrset_count == 0) if(rep->rrset_count == 0)
rep->ttl = NORR_TTL; rep->ttl = NORR_TTL;
@ -623,7 +627,7 @@ reply_info_copy(struct reply_info* rep, struct alloc_cache* alloc,
struct reply_info* cp; struct reply_info* cp;
cp = construct_reply_info_base(region, rep->flags, rep->qdcount, cp = construct_reply_info_base(region, rep->flags, rep->qdcount,
rep->ttl, rep->an_numrrsets, rep->ns_numrrsets, rep->ttl, rep->an_numrrsets, rep->ns_numrrsets,
rep->ar_numrrsets, rep->rrset_count); rep->ar_numrrsets, rep->rrset_count, rep->security);
if(!cp) if(!cp)
return NULL; return NULL;
/* allocate ub_key structures special or not */ /* allocate ub_key structures special or not */

5
util/data/msgreply.h
View file

@ -109,6 +109,11 @@ struct reply_info {
*/ */
uint32_t ttl; uint32_t ttl;
/**
* The security status from DNSSEC validation of this message.
*/
enum sec_status security;
/** /**
* Number of RRsets in each section. * Number of RRsets in each section.
* The answer section. Add up the RRs in every RRset to calculate * The answer section. Add up the RRs in every RRset to calculate

34
util/data/packed_rrset.c
View file

@ -223,3 +223,37 @@ packed_rrset_ttl_add(struct packed_rrset_data* data, uint32_t add)
for(i=0; i<total; i++) for(i=0; i<total; i++)
data->rr_ttl[i] += add; data->rr_ttl[i] += add;
} }
const char*
rrset_trust_to_string(enum rrset_trust s)
{
switch(s) {
case rrset_trust_none: return "rrset_trust_none";
case rrset_trust_add_noAA: return "rrset_trust_add_noAA";
case rrset_trust_auth_noAA: return "rrset_trust_auth_noAA";
case rrset_trust_add_AA: return "rrset_trust_add_AA";
case rrset_trust_nonauth_ans_AA:return "rrset_trust_nonauth_ans_AA";
case rrset_trust_ans_noAA: return "rrset_trust_ans_noAA";
case rrset_trust_glue: return "rrset_trust_glue";
case rrset_trust_auth_AA: return "rrset_trust_auth_AA";
case rrset_trust_ans_AA: return "rrset_trust_ans_AA";
case rrset_trust_sec_noglue: return "rrset_trust_sec_noglue";
case rrset_trust_prim_noglue: return "rrset_trust_prim_noglue";
case rrset_trust_validated: return "rrset_trust_validated";
case rrset_trust_ultimate: return "rrset_trust_ultimate";
}
return "unknown_rrset_trust_value";
}
const char*
sec_status_to_string(enum sec_status s)
{
switch(s) {
case sec_status_unchecked: return "sec_status_unchecked";
case sec_status_bogus: return "sec_status_bogus";
case sec_status_indeterminate: return "sec_status_indeterminate";
case sec_status_insecure: return "sec_status_insecure";
case sec_status_secure: return "sec_status_secure";
}
return "unknown_sec_status_value";
}

38
util/data/packed_rrset.h
View file

@ -149,6 +149,28 @@ enum rrset_trust {
rrset_trust_ultimate rrset_trust_ultimate
}; };
/**
* Security status from validation for data.
*/
enum sec_status {
/** UNCHECKED means that object has yet to be validated. */
sec_status_unchecked = 0,
/** BOGUS means that the object (RRset or message) failed to validate
* (according to local policy), but should have validated. */
sec_status_bogus,
/** INDETERMINATE means that the object is insecure, but not
* authoritatively so. Generally this means that the RRset is not
* below a configured trust anchor. */
sec_status_indeterminate,
/** INSECURE means that the object is authoritatively known to be
* insecure. Generally this means that this RRset is below a trust
* anchor, but also below a verified, insecure delegation. */
sec_status_insecure,
/** SECURE means that the object (RRset or message) validated
* according to local policy. */
sec_status_secure
};
/** /**
* RRset data. * RRset data.
* *
@ -189,6 +211,8 @@ struct packed_rrset_data {
size_t rrsig_count; size_t rrsig_count;
/** the trustworthiness of the rrset data */ /** the trustworthiness of the rrset data */
enum rrset_trust trust; enum rrset_trust trust;
/** security status of the rrset data */
enum sec_status security;
/** length of every rr's rdata, rr_len[i] is size of rr_data[i]. */ /** length of every rr's rdata, rr_len[i] is size of rr_data[i]. */
size_t* rr_len; size_t* rr_len;
/** ttl of every rr. rr_ttl[i] ttl of rr i. */ /** ttl of every rr. rr_ttl[i] ttl of rr i. */
@ -318,4 +342,18 @@ void packed_rrset_ttl_add(struct packed_rrset_data* data, uint32_t add);
void get_cname_target(struct ub_packed_rrset_key* rrset, uint8_t** dname, void get_cname_target(struct ub_packed_rrset_key* rrset, uint8_t** dname,
size_t* dname_len); size_t* dname_len);
/**
* Get a printable string for a rrset trust value
* @param s: rrset trust value
* @return printable string.
*/
const char* rrset_trust_to_string(enum rrset_trust s);
/**
* Get a printable string for a security status value
* @param s: security status
* @return printable string.
*/
const char* sec_status_to_string(enum sec_status s);
#endif /* UTIL_DATA_PACKED_RRSET_H */ #endif /* UTIL_DATA_PACKED_RRSET_H */