From: Roland van Rijswijk-Deij Date: Sat, 12 Jul 2025 14:29:38 +0000 (+0200) Subject: Add extra statistic to track the number of signature validation operations (#1289) X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=44ac818f873b915cbd8376a494f2b1c0260f1fbc;p=thirdparty%2Funbound.git Add extra statistic to track the number of signature validation operations (#1289) * Add extra statistic to track the number of signature validation operations performed by the validator module * Move validation operation statistic to mesh as suggested * Fix NULL pointer dereference in case the mesh is not used (and is `NULL`) Co-authored-by: Wouter Wijngaards * Fix NULL pointer dereference on qstate and qstate->env in unit test situation --------- Co-authored-by: Wouter Wijngaards
---
diff --git a/daemon/remote.c b/daemon/remote.c
index 3b9f803a2..c17254bb5 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -1148,6 +1148,8 @@ print_ext(RES* ssl, struct ub_stats_info* s, int inhibit_zero)
 (unsigned long)s->svr.ans_bogus)) return 0;
 if(!ssl_printf(ssl, "num.rrset.bogus"SQ"%lu\n",
 (unsigned long)s->svr.rrset_bogus)) return 0;
+ if(!ssl_printf(ssl, "num.valops"SQ"%lu\n",
+ (unsigned long)s->svr.val_ops)) return 0;
 if(!ssl_printf(ssl, "num.query.aggressive.NOERROR"SQ"%lu\n",
 (unsigned long)s->svr.num_neg_cache_noerror)) return 0;
 if(!ssl_printf(ssl, "num.query.aggressive.NXDOMAIN"SQ"%lu\n",
diff --git a/daemon/stats.c b/daemon/stats.c
index 7efb83a0b..41c4656aa 100644
--- a/daemon/stats.c
+++ b/daemon/stats.c
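Review bot: The new `num.valops` line in print_ext narrows the `long long` counter to `unsigned long` before printing, so on platforms where `long` is 32 bits the reported value wraps at 2^32 while the underlying counter keeps growing. This follows the neighbouring statistics, but a per-signature counter is likely to grow faster than the per-answer ones, and a wrapped value weakens it as a signal for abnormal validation load. Consider `"num.valops"SQ"%llu\n"` with `(unsigned long long)s->svr.val_ops`, assuming ssl_printf forwards to a standard printf-style formatter; the `PR_UL("num.valops", ...)` line in smallapp/unbound-control.c presumably has the same narrowing. print_ext's body starts and ends outside the hunk.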
@@ -273,6 +273,7 @@ server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset)
 /* add in the values from the mesh */
 s->svr.ans_secure += (long long)worker->env.mesh->ans_secure;
 s->svr.ans_bogus += (long long)worker->env.mesh->ans_bogus;
+ s->svr.val_ops += (long long)worker->env.mesh->val_ops;
 s->svr.ans_rcode_nodata += (long long)worker->env.mesh->ans_nodata;
 s->svr.ans_expired += (long long)worker->env.mesh->ans_expired;
 for(i=0; isvr.ans_rcode_nodata += a->svr.ans_rcode_nodata; total->svr.ans_secure += a->svr.ans_secure; total->svr.ans_bogus += a->svr.ans_bogus; + total->svr.val_ops += a->svr.val_ops; total->svr.unwanted_replies += a->svr.unwanted_replies; total->svr.unwanted_queries += a->svr.unwanted_queries; total->svr.tcp_accept_usage += a->svr.tcp_accept_usage;
diff --git a/libunbound/unbound.h b/libunbound/unbound.h
index bdcf4edec..c274f80ab 100644
--- a/libunbound/unbound.h
+++ b/libunbound/unbound.h
@@ -772,6 +772,8 @@ struct ub_server_stats {
 long long ans_bogus;
 /** rrsets marked bogus by validator */
 long long rrset_bogus;
+ /** number of signature validation operations performed by validator */
+ long long val_ops;
 /** number of queries that have been ratelimited by domain recursion. */
 long long queries_ratelimited;
 /** unwanted traffic received on server-facing ports */
diff --git a/services/mesh.c b/services/mesh.c
index 8a52fe4a6..3212a6abf 100644
--- a/services/mesh.c
+++ b/services/mesh.c
@@ -2265,6 +2265,7 @@ mesh_stats_clear(struct mesh_area* mesh)
 timehist_clear(mesh->histogram);
 mesh->ans_secure = 0;
 mesh->ans_bogus = 0;
+ mesh->val_ops = 0;
 mesh->ans_expired = 0;
 mesh->ans_cachedb = 0;
 memset(&mesh->ans_rcode[0], 0, sizeof(size_t)*UB_STATS_RCODE_NUM);
diff --git a/services/mesh.h b/services/mesh.h
index fd17c05da..f19f423a8 100644
--- a/services/mesh.h
+++ b/services/mesh.h
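Review bot: `val_ops` is inserted in the middle of `struct ub_server_stats` in libunbound/unbound.h, which is the public library header, so every member after `rrset_bogus` moves to a new offset. Any consumer that reads this struct by layout and was built against the previous header (if the struct crosses a process or library boundary, as statistics structs often do) would silently read shifted counters rather than fail. Appending `long long val_ops;` as the last member, or calling out the layout change in the release notes, would avoid that. The struct definition starts and ends outside this hunk, so what currently sits at its tail cannot be checked from here.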
@@ -131,6 +131,8 @@ struct mesh_area {
 size_t ans_secure;
 /** (extended stats) bogus replies */
 size_t ans_bogus;
+ /** (extended stats) number of validation operations */
+ size_t val_ops;
 /** (extended stats) rcodes in replies */
 size_t ans_rcode[UB_STATS_RCODE_NUM];
 /** (extended stats) rcode nodata in replies */
diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c
index 0136b5e4e..994a42870 100644
--- a/smallapp/unbound-control.c
+++ b/smallapp/unbound-control.c
@@ -409,6 +409,7 @@ static void print_extended(struct ub_stats_info* s, int inhibit_zero)
 PR_UL("num.answer.secure", s->svr.ans_secure);
 PR_UL("num.answer.bogus", s->svr.ans_bogus);
 PR_UL("num.rrset.bogus", s->svr.rrset_bogus);
+ PR_UL("num.valops", s->svr.val_ops);
 PR_UL("num.query.aggressive.NOERROR", s->svr.num_neg_cache_noerror);
 PR_UL("num.query.aggressive.NXDOMAIN", s->svr.num_neg_cache_nxdomain);
 /* threat detection */
diff --git a/validator/val_sigcrypt.c b/validator/val_sigcrypt.c
index 9251d2b1f..86de6fb8e 100644
--- a/validator/val_sigcrypt.c
+++ b/validator/val_sigcrypt.c
@@ -57,6 +57,7 @@
 #include "sldns/sbuffer.h"
 #include "sldns/parseutil.h"
 #include "sldns/wire2str.h"
+#include "services/mesh.h"
 #include
 #if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
@@ -1677,6 +1678,10 @@ dnskey_verify_rrset_sig(struct regional* region, sldns_buffer* buf,
 /* verify */
 sec = verify_canonrrset(buf, (int)sig[2+2], sigblock, sigblock_len, key, keylen, reason);
+
+ /* count validation operation */
+ if(qstate && qstate->env && qstate->env->mesh)
+ qstate->env->mesh->val_ops++;
 if(sec == sec_status_secure) {
 /* check if TTL is too high - reduce if so */
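Review bot: The comment on the new counter in dnskey_verify_rrset_sig says only "count validation operation", which leaves the reader to work out two things. The increment runs after every verify_canonrrset call whatever `sec` turns out to be, and the three NULL checks exist for the cases the commit message names. I would spell both out, e.g. `/* count every signature verification attempt, whatever the outcome; qstate, env or mesh can be NULL (unit tests, mesh not in use) */`. That also tells operators that `num.valops` measures validation work done, failed verifications included, which is what makes it useful for spotting abnormal validation load. The function body starts and ends outside this hunk, so whether signatures rejected before the verify call should also count cannot be judged from here.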