Add extra statistic to track the number of signature validation operations (#1289)
authorRoland van Rijswijk-Deij <roland@nlnetlabs.nl>
Sat, 12 Jul 2025 14:29:38 +0000 (16:29 +0200)
committerGitHub <noreply@github.com>
Sat, 12 Jul 2025 14:29:38 +0000 (16:29 +0200)
* Add extra statistic to track the number of signature validation operations performed by the validator module

* Move validation operation statistic to mesh as suggested

* Fix NULL pointer dereference in case the mesh is not used (and is `NULL`)

Co-authored-by: Wouter Wijngaards <wcawijngaards@users.noreply.github.com>
* Fix NULL pointer dereference on qstate and qstate->env in unit test situation

---------

Co-authored-by: Wouter Wijngaards <wcawijngaards@users.noreply.github.com>
daemon/remote.c
daemon/stats.c
libunbound/unbound.h
services/mesh.c
services/mesh.h
smallapp/unbound-control.c
validator/val_sigcrypt.c

index 3b9f803a29db69ca991166b5e8d6e1670a17fac2..c17254bb5e21ae4665a01638b7fa04104c85db81 100644 (file)
@@ -1148,6 +1148,8 @@ print_ext(RES* ssl, struct ub_stats_info* s, int inhibit_zero)
                (unsigned long)s->svr.ans_bogus)) return 0;
        if(!ssl_printf(ssl, "num.rrset.bogus"SQ"%lu\n",
                (unsigned long)s->svr.rrset_bogus)) return 0;
+       if(!ssl_printf(ssl, "num.valops"SQ"%lu\n",
+               (unsigned long)s->svr.val_ops)) return 0;
        if(!ssl_printf(ssl, "num.query.aggressive.NOERROR"SQ"%lu\n",
                (unsigned long)s->svr.num_neg_cache_noerror)) return 0;
        if(!ssl_printf(ssl, "num.query.aggressive.NXDOMAIN"SQ"%lu\n",
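Review bot: The new `num.valops` key printed in print_ext has no description anywhere in this commit; the changed-file list contains no documentation file, so operators who graph or alert on the value must read the validator source to learn what is counted. I would add an entry beside the other extended statistics in the unbound-control manual page, along the lines of `num.valops: number of RRSIG verification attempts made by the validator, counted whether or not the signature verified`. The same key is printed by print_extended in smallapp/unbound-control.c, so one entry covers both. As on the neighbouring lines, the `(unsigned long)` cast narrows the `long long` counter where `long` is 32 bits, which matters if the value is used to alert on validation load. print_ext continues outside the hunk.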
index 7efb83a0bc3f6fb71dd96f4420b904da16899978..41c4656aaec5d25c1a06b8cd73229625643ca4cf 100644 (file)
@@ -273,6 +273,7 @@ server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset)
        /* add in the values from the mesh */
        s->svr.ans_secure += (long long)worker->env.mesh->ans_secure;
        s->svr.ans_bogus += (long long)worker->env.mesh->ans_bogus;
+       s->svr.val_ops += (long long)worker->env.mesh->val_ops;
        s->svr.ans_rcode_nodata += (long long)worker->env.mesh->ans_nodata;
        s->svr.ans_expired += (long long)worker->env.mesh->ans_expired;
        for(i=0; i<UB_STATS_RCODE_NUM; i++)
@@ -495,6 +496,7 @@ void server_stats_add(struct ub_stats_info* total, struct ub_stats_info* a)
                total->svr.ans_rcode_nodata += a->svr.ans_rcode_nodata;
                total->svr.ans_secure += a->svr.ans_secure;
                total->svr.ans_bogus += a->svr.ans_bogus;
+               total->svr.val_ops += a->svr.val_ops;
                total->svr.unwanted_replies += a->svr.unwanted_replies;
                total->svr.unwanted_queries += a->svr.unwanted_queries;
                total->svr.tcp_accept_usage += a->svr.tcp_accept_usage;
index bdcf4edeca5f42cba335aae5e77d90b8a8d3fc94..c274f80ab897be11aeffb6930c557afd3fd4a344 100644 (file)
@@ -772,6 +772,8 @@ struct ub_server_stats {
        long long ans_bogus;
        /** rrsets marked bogus by validator */
        long long rrset_bogus;
+       /** number of signature validation operations performed by validator */
+       long long val_ops;
        /** number of queries that have been ratelimited by domain recursion. */
        long long queries_ratelimited;
        /** unwanted traffic received on server-facing ports */
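Review bot: `val_ops` is inserted in the middle of `struct ub_server_stats`, which lives in the public libunbound header, so every member declared after it moves to a new offset. If this struct is ever exchanged as raw bytes between separately built components (for example a statistics reader compiled against the older header; the hunk does not show whether that happens), the later counters would be read from the wrong positions without any error. Appending the field at the end of the struct, or calling out the layout change in the release notes, would keep monitoring data from being silently misread. The struct definition starts and ends outside the hunk.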
index 8a52fe4a6466ee17efeb3a0fe0ae8cd34d185da7..3212a6abf4c6cfc70bbfb5862dc4c727aa097d4f 100644 (file)
@@ -2265,6 +2265,7 @@ mesh_stats_clear(struct mesh_area* mesh)
        timehist_clear(mesh->histogram);
        mesh->ans_secure = 0;
        mesh->ans_bogus = 0;
+       mesh->val_ops = 0;
        mesh->ans_expired = 0;
        mesh->ans_cachedb = 0;
        memset(&mesh->ans_rcode[0], 0, sizeof(size_t)*UB_STATS_RCODE_NUM);
index fd17c05da6d424dfa9a52144431af461985b1fb0..f19f423a8cd3adfa3e75d7ca08f8420a3dc41d32 100644 (file)
@@ -131,6 +131,8 @@ struct mesh_area {
        size_t ans_secure;
        /** (extended stats) bogus replies */
        size_t ans_bogus;
+       /** (extended stats) number of validation operations */
+       size_t val_ops;
        /** (extended stats) rcodes in replies */
        size_t ans_rcode[UB_STATS_RCODE_NUM];
        /** (extended stats) rcode nodata in replies */
index 0136b5e4eb67c5d0bdb538afac2fe4f29d61f2de..994a4287097607a13147ebf378d5f7d22f418218 100644 (file)
@@ -409,6 +409,7 @@ static void print_extended(struct ub_stats_info* s, int inhibit_zero)
        PR_UL("num.answer.secure", s->svr.ans_secure);
        PR_UL("num.answer.bogus", s->svr.ans_bogus);
        PR_UL("num.rrset.bogus", s->svr.rrset_bogus);
+       PR_UL("num.valops", s->svr.val_ops);
        PR_UL("num.query.aggressive.NOERROR", s->svr.num_neg_cache_noerror);
        PR_UL("num.query.aggressive.NXDOMAIN", s->svr.num_neg_cache_nxdomain);
        /* threat detection */
index 9251d2b1f38a59881557ae962bb82597c3a74ba8..86de6fb8e80f73886e5c9f3c2df1e83ef8450119 100644 (file)
@@ -57,6 +57,7 @@
 #include "sldns/sbuffer.h"
 #include "sldns/parseutil.h"
 #include "sldns/wire2str.h"
+#include "services/mesh.h"
 
 #include <ctype.h>
 #if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
@@ -1677,6 +1678,10 @@ dnskey_verify_rrset_sig(struct regional* region, sldns_buffer* buf,
        /* verify */
        sec = verify_canonrrset(buf, (int)sig[2+2],
                sigblock, sigblock_len, key, keylen, reason);
+
+       /* count validation operation */
+       if(qstate && qstate->env && qstate->env->mesh)
+               qstate->env->mesh->val_ops++;
        
        if(sec == sec_status_secure) {
                /* check if TTL is too high - reduce if so */
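Review bot: The comment `/* count validation operation */` does not say that the increment sits before the `sec` check, so the counter includes verifications that end bogus as well as secure ones. That is the useful behaviour for noticing responses that force many signature checks, and it should be stated, e.g. `/* count every signature verification attempt, whatever the result */`. The increment is a plain `++` on the `size_t` field `mesh->val_ops`; this is only safe if each mesh is touched by a single thread, which the hunk does not show, so a short note on that assumption in the field's comment in services/mesh.h would help. Paths in dnskey_verify_rrset_sig that return before `verify_canonrrset` is reached are presumably not counted; the function begins and ends outside the hunk.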