1 /* 2 * validator/val_secalgo.h - validator security algorithm functions. 3 * 4 * Copyright (c) 2012, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains helper functions for the validator module. 40 * The functions take buffers with raw data and convert to library calls. 41 */ 42 43 #ifndef VALIDATOR_VAL_SECALGO_H 44 #define VALIDATOR_VAL_SECALGO_H 45 struct sldns_buffer; 46 struct secalgo_hash; 47 48 /** Return size of nsec3 hash algorithm, 0 if not supported */ 49 size_t nsec3_hash_algo_size_supported(int id); 50 51 /** 52 * Hash a single hash call of an NSEC3 hash algorithm. 53 * Iterations and salt are done by the caller. 54 * @param algo: nsec3 hash algorithm. 55 * @param buf: the buffer to digest 56 * @param len: length of buffer to digest. 57 * @param res: result stored here (must have sufficient space). 58 * @return false on failure. 59 */ 60 int secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, 61 unsigned char* res); 62 63 /** 64 * Calculate the sha256 hash for the data buffer into the result. 65 * @param buf: buffer to digest. 66 * @param len: length of the buffer to digest. 67 * @param res: result is stored here (space 256/8 bytes). 68 */ 69 void secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res); 70 71 /** 72 * Start a hash of type sha384. Allocates structure, then inits it, 73 * so that a series of updates can be performed, before the final result. 74 * @return hash structure. NULL on malloc failure or no support. 75 */ 76 struct secalgo_hash* secalgo_hash_create_sha384(void); 77 78 /** 79 * Start a hash of type sha512. Allocates structure, then inits it, 80 * so that a series of updates can be performed, before the final result. 81 * @return hash structure. NULL on malloc failure or no support. 82 */ 83 struct secalgo_hash* secalgo_hash_create_sha512(void); 84 85 /** 86 * Update a hash with more information to add to it. 87 * @param hash: the hash that is updated. 88 * @param data: data to add. 89 * @param len: length of data. 90 * @return false on failure. 91 */ 92 int secalgo_hash_update(struct secalgo_hash* hash, uint8_t* data, size_t len); 93 94 /** 95 * Get the final result of the hash. 96 * @param hash: the hash that has had updates to it. 97 * @param result: where to store the result. 98 * @param maxlen: length of the result buffer, eg. size of the allocation. 99 * If not large enough the routine fails. 100 * @param resultlen: the length of the result, returned to the caller. 101 * How much of maxlen is used. 102 * @return false on failure. 103 */ 104 int secalgo_hash_final(struct secalgo_hash* hash, uint8_t* result, 105 size_t maxlen, size_t* resultlen); 106 107 /** 108 * Delete the hash structure. 109 * @param hash: the hash to delete. 110 */ 111 void secalgo_hash_delete(struct secalgo_hash* hash); 112 113 /** 114 * Return size of DS digest according to its hash algorithm. 115 * @param algo: DS digest algo. 116 * @return size in bytes of digest, or 0 if not supported. 117 */ 118 size_t ds_digest_size_supported(int algo); 119 120 /** 121 * @param algo: the DS digest algo 122 * @param buf: the buffer to digest 123 * @param len: length of buffer to digest. 124 * @param res: result stored here (must have sufficient space). 125 * @return false on failure. 126 */ 127 int secalgo_ds_digest(int algo, unsigned char* buf, size_t len, 128 unsigned char* res); 129 130 /** return true if DNSKEY algorithm id is supported */ 131 int dnskey_algo_id_is_supported(int id); 132 133 /** 134 * Check a canonical sig+rrset and signature against a dnskey 135 * @param buf: buffer with data to verify, the first rrsig part and the 136 * canonicalized rrset. 137 * @param algo: DNSKEY algorithm. 138 * @param sigblock: signature rdata field from RRSIG 139 * @param sigblock_len: length of sigblock data. 140 * @param key: public key data from DNSKEY RR. 141 * @param keylen: length of keydata. 142 * @param reason: bogus reason in more detail. 143 * @return secure if verification succeeded, bogus on crypto failure, 144 * unchecked on format errors and alloc failures. 145 */ 146 enum sec_status verify_canonrrset(struct sldns_buffer* buf, int algo, 147 unsigned char* sigblock, unsigned int sigblock_len, 148 unsigned char* key, unsigned int keylen, char** reason); 149 150 #endif /* VALIDATOR_VAL_SECALGO_H */ 151