1 /** dnssec_verify */ 2 3 #ifndef LDNS_DNSSEC_VERIFY_H 4 #define LDNS_DNSSEC_VERIFY_H 5 6 #define LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS 10 7 8 #include <ldns/dnssec.h> 9 #include <ldns/host2str.h> 10 11 #ifdef __cplusplus 12 extern "C" { 13 #endif 14 15 /** 16 * Chain structure that contains all DNSSEC data needed to 17 * verify an rrset 18 */ 19 typedef struct ldns_dnssec_data_chain_struct ldns_dnssec_data_chain; 20 struct ldns_dnssec_data_chain_struct 21 { 22 ldns_rr_list *rrset; 23 ldns_rr_list *signatures; 24 ldns_rr_type parent_type; 25 ldns_dnssec_data_chain *parent; 26 ldns_pkt_rcode packet_rcode; 27 ldns_rr_type packet_qtype; 28 bool packet_nodata; 29 }; 30 31 /** 32 * Creates a new dnssec_chain structure 33 * \return ldns_dnssec_data_chain * 34 */ 35 ldns_dnssec_data_chain *ldns_dnssec_data_chain_new(); 36 37 /** 38 * Frees a dnssec_data_chain structure 39 * 40 * \param[in] *chain The chain to free 41 */ 42 void ldns_dnssec_data_chain_free(ldns_dnssec_data_chain *chain); 43 44 /** 45 * Frees a dnssec_data_chain structure, and all data 46 * contained therein 47 * 48 * \param[in] *chain The dnssec_data_chain to free 49 */ 50 void ldns_dnssec_data_chain_deep_free(ldns_dnssec_data_chain *chain); 51 52 /** 53 * Prints the dnssec_data_chain to the given file stream 54 * 55 * \param[in] *out The file stream to print to 56 * \param[in] *chain The dnssec_data_chain to print 57 */ 58 void ldns_dnssec_data_chain_print(FILE *out, const ldns_dnssec_data_chain *chain); 59 60 /** 61 * Prints the dnssec_data_chain to the given file stream 62 * 63 * \param[in] *out The file stream to print to 64 * \param[in] *fmt The format of the textual representation 65 * \param[in] *chain The dnssec_data_chain to print 66 */ 67 void ldns_dnssec_data_chain_print_fmt(FILE *out, 68 const ldns_output_format *fmt, 69 const ldns_dnssec_data_chain *chain); 70 71 /** 72 * Build an ldns_dnssec_data_chain, which contains all 73 * DNSSEC data that is needed to derive the trust tree later 74 * 75 * The data_set will be cloned 76 * 77 * \param[in] *res resolver structure for further needed queries 78 * \param[in] qflags resolution flags 79 * \param[in] *data_set The original rrset where the chain ends 80 * \param[in] *pkt optional, can contain the original packet 81 * (and hence the sigs and maybe the key) 82 * \param[in] *orig_rr The original Resource Record 83 * 84 * \return the DNSSEC data chain 85 */ 86 ldns_dnssec_data_chain *ldns_dnssec_build_data_chain(ldns_resolver *res, 87 const uint16_t qflags, 88 const ldns_rr_list *data_set, 89 const ldns_pkt *pkt, 90 ldns_rr *orig_rr); 91 92 /** 93 * Tree structure that contains the relation of DNSSEC data, 94 * and their cryptographic status. 95 * 96 * This tree is derived from a data_chain, and can be used 97 * to look whether there is a connection between an RRSET 98 * and a trusted key. The tree only contains pointers to the 99 * data_chain, and therefore one should *never* free() the 100 * data_chain when there is still a trust tree derived from 101 * that chain. 102 * 103 * Example tree: 104 * key key key 105 * \ | / 106 * \ | / 107 * \ | / 108 * ds 109 * | 110 * key 111 * | 112 * key 113 * | 114 * rr 115 * 116 * For each signature there is a parent; if the parent 117 * pointer is null, it couldn't be found and there was no 118 * denial; otherwise is a tree which contains either a 119 * DNSKEY, a DS, or a NSEC rr 120 */ 121 typedef struct ldns_dnssec_trust_tree_struct ldns_dnssec_trust_tree; 122 struct ldns_dnssec_trust_tree_struct 123 { 124 ldns_rr *rr; 125 /* the complete rrset this rr was in */ 126 ldns_rr_list *rrset; 127 ldns_dnssec_trust_tree *parents[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS]; 128 ldns_status parent_status[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS]; 129 /** for debugging, add signatures too (you might want 130 those if they contain errors) */ 131 ldns_rr *parent_signature[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS]; 132 size_t parent_count; 133 }; 134 135 /** 136 * Creates a new (empty) dnssec_trust_tree structure 137 * 138 * \return ldns_dnssec_trust_tree * 139 */ 140 ldns_dnssec_trust_tree *ldns_dnssec_trust_tree_new(); 141 142 /** 143 * Frees the dnssec_trust_tree recursively 144 * 145 * There is no deep free; all data in the trust tree 146 * consists of pointers to a data_chain 147 * 148 * \param[in] tree The tree to free 149 */ 150 void ldns_dnssec_trust_tree_free(ldns_dnssec_trust_tree *tree); 151 152 /** 153 * returns the depth of the trust tree 154 * 155 * \param[in] tree tree to calculate the depth of 156 * \return The depth of the tree 157 */ 158 size_t ldns_dnssec_trust_tree_depth(ldns_dnssec_trust_tree *tree); 159 160 /** 161 * Prints the dnssec_trust_tree structure to the given file 162 * stream. 163 * 164 * If a link status is not LDNS_STATUS_OK; the status and 165 * relevant signatures are printed too 166 * 167 * \param[in] *out The file stream to print to 168 * \param[in] tree The trust tree to print 169 * \param[in] tabs Prepend each line with tabs*2 spaces 170 * \param[in] extended If true, add little explanation lines to the output 171 */ 172 void ldns_dnssec_trust_tree_print(FILE *out, 173 ldns_dnssec_trust_tree *tree, 174 size_t tabs, 175 bool extended); 176 177 /** 178 * Prints the dnssec_trust_tree structure to the given file 179 * stream. 180 * 181 * If a link status is not LDNS_STATUS_OK; the status and 182 * relevant signatures are printed too 183 * 184 * \param[in] *out The file stream to print to 185 * \param[in] *fmt The format of the textual representation 186 * \param[in] tree The trust tree to print 187 * \param[in] tabs Prepend each line with tabs*2 spaces 188 * \param[in] extended If true, add little explanation lines to the output 189 */ 190 void ldns_dnssec_trust_tree_print_fmt(FILE *out, 191 const ldns_output_format *fmt, 192 ldns_dnssec_trust_tree *tree, 193 size_t tabs, 194 bool extended); 195 196 /** 197 * Adds a trust tree as a parent for the given trust tree 198 * 199 * \param[in] *tree The tree to add the parent to 200 * \param[in] *parent The parent tree to add 201 * \param[in] *parent_signature The RRSIG relevant to this parent/child 202 * connection 203 * \param[in] parent_status The DNSSEC status for this parent, child and RRSIG 204 * \return LDNS_STATUS_OK if the addition succeeds, error otherwise 205 */ 206 ldns_status ldns_dnssec_trust_tree_add_parent(ldns_dnssec_trust_tree *tree, 207 const ldns_dnssec_trust_tree *parent, 208 const ldns_rr *parent_signature, 209 const ldns_status parent_status); 210 211 /** 212 * Generates a dnssec_trust_tree for the given rr from the 213 * given data_chain 214 * 215 * This does not clone the actual data; Don't free the 216 * data_chain before you are done with this tree 217 * 218 * \param[in] *data_chain The chain to derive the trust tree from 219 * \param[in] *rr The RR this tree will be about 220 * \return ldns_dnssec_trust_tree * 221 */ 222 ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree( 223 ldns_dnssec_data_chain *data_chain, 224 ldns_rr *rr); 225 226 /** 227 * Generates a dnssec_trust_tree for the given rr from the 228 * given data_chain 229 * 230 * This does not clone the actual data; Don't free the 231 * data_chain before you are done with this tree 232 * 233 * \param[in] *data_chain The chain to derive the trust tree from 234 * \param[in] *rr The RR this tree will be about 235 * \param[in] check_time the time for which the validation is performed 236 * \return ldns_dnssec_trust_tree * 237 */ 238 ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree_time( 239 ldns_dnssec_data_chain *data_chain, 240 ldns_rr *rr, time_t check_time); 241 242 /** 243 * Sub function for derive_trust_tree that is used for a 'normal' rrset 244 * 245 * \param[in] new_tree The trust tree that we are building 246 * \param[in] data_chain The data chain containing the data for the trust tree 247 * \param[in] cur_sig_rr The currently relevant signature 248 */ 249 void ldns_dnssec_derive_trust_tree_normal_rrset( 250 ldns_dnssec_trust_tree *new_tree, 251 ldns_dnssec_data_chain *data_chain, 252 ldns_rr *cur_sig_rr); 253 254 /** 255 * Sub function for derive_trust_tree that is used for a 'normal' rrset 256 * 257 * \param[in] new_tree The trust tree that we are building 258 * \param[in] data_chain The data chain containing the data for the trust tree 259 * \param[in] cur_sig_rr The currently relevant signature 260 * \param[in] check_time the time for which the validation is performed 261 */ 262 void ldns_dnssec_derive_trust_tree_normal_rrset_time( 263 ldns_dnssec_trust_tree *new_tree, 264 ldns_dnssec_data_chain *data_chain, 265 ldns_rr *cur_sig_rr, time_t check_time); 266 267 268 /** 269 * Sub function for derive_trust_tree that is used for DNSKEY rrsets 270 * 271 * \param[in] new_tree The trust tree that we are building 272 * \param[in] data_chain The data chain containing the data for the trust tree 273 * \param[in] cur_rr The currently relevant DNSKEY RR 274 * \param[in] cur_sig_rr The currently relevant signature 275 */ 276 void ldns_dnssec_derive_trust_tree_dnskey_rrset( 277 ldns_dnssec_trust_tree *new_tree, 278 ldns_dnssec_data_chain *data_chain, 279 ldns_rr *cur_rr, 280 ldns_rr *cur_sig_rr); 281 282 /** 283 * Sub function for derive_trust_tree that is used for DNSKEY rrsets 284 * 285 * \param[in] new_tree The trust tree that we are building 286 * \param[in] data_chain The data chain containing the data for the trust tree 287 * \param[in] cur_rr The currently relevant DNSKEY RR 288 * \param[in] cur_sig_rr The currently relevant signature 289 * \param[in] check_time the time for which the validation is performed 290 */ 291 void ldns_dnssec_derive_trust_tree_dnskey_rrset_time( 292 ldns_dnssec_trust_tree *new_tree, 293 ldns_dnssec_data_chain *data_chain, 294 ldns_rr *cur_rr, ldns_rr *cur_sig_rr, 295 time_t check_time); 296 297 298 /** 299 * Sub function for derive_trust_tree that is used for DNSKEY rrsets 300 * 301 * \param[in] new_tree The trust tree that we are building 302 * \param[in] data_chain The data chain containing the data for the trust tree 303 * \param[in] cur_rr The currently relevant DNSKEY RR 304 * \param[in] cur_sig_rr The currently relevant signature 305 * \param[in] check_time the time for which the validation is performed 306 */ 307 void ldns_dnssec_derive_trust_tree_dnskey_rrset_time( 308 ldns_dnssec_trust_tree *new_tree, 309 ldns_dnssec_data_chain *data_chain, 310 ldns_rr *cur_rr, ldns_rr *cur_sig_rr, 311 time_t check_time); 312 313 314 /** 315 * Sub function for derive_trust_tree that is used for DS rrsets 316 * 317 * \param[in] new_tree The trust tree that we are building 318 * \param[in] data_chain The data chain containing the data for the trust tree 319 * \param[in] cur_rr The currently relevant DS RR 320 */ 321 void ldns_dnssec_derive_trust_tree_ds_rrset( 322 ldns_dnssec_trust_tree *new_tree, 323 ldns_dnssec_data_chain *data_chain, 324 ldns_rr *cur_rr); 325 326 /** 327 * Sub function for derive_trust_tree that is used for DS rrsets 328 * 329 * \param[in] new_tree The trust tree that we are building 330 * \param[in] data_chain The data chain containing the data for the trust tree 331 * \param[in] cur_rr The currently relevant DS RR 332 * \param[in] check_time the time for which the validation is performed 333 */ 334 void ldns_dnssec_derive_trust_tree_ds_rrset_time( 335 ldns_dnssec_trust_tree *new_tree, 336 ldns_dnssec_data_chain *data_chain, 337 ldns_rr *cur_rr, time_t check_time); 338 339 /** 340 * Sub function for derive_trust_tree that is used when there are no 341 * signatures 342 * 343 * \param[in] new_tree The trust tree that we are building 344 * \param[in] data_chain The data chain containing the data for the trust tree 345 */ 346 void ldns_dnssec_derive_trust_tree_no_sig( 347 ldns_dnssec_trust_tree *new_tree, 348 ldns_dnssec_data_chain *data_chain); 349 350 /** 351 * Sub function for derive_trust_tree that is used when there are no 352 * signatures 353 * 354 * \param[in] new_tree The trust tree that we are building 355 * \param[in] data_chain The data chain containing the data for the trust tree 356 * \param[in] check_time the time for which the validation is performed 357 */ 358 void ldns_dnssec_derive_trust_tree_no_sig_time( 359 ldns_dnssec_trust_tree *new_tree, 360 ldns_dnssec_data_chain *data_chain, 361 time_t check_time); 362 363 364 /** 365 * Returns OK if there is a trusted path in the tree to one of 366 * the DNSKEY or DS RRs in the given list 367 * 368 * \param *tree The trust tree so search 369 * \param *keys A ldns_rr_list of DNSKEY and DS rrs to look for 370 * 371 * \return LDNS_STATUS_OK if there is a trusted path to one of 372 * the keys, or the *first* error encountered 373 * if there were no paths 374 */ 375 ldns_status ldns_dnssec_trust_tree_contains_keys( 376 ldns_dnssec_trust_tree *tree, 377 ldns_rr_list *keys); 378 379 /** 380 * Verifies a list of signatures for one rrset. 381 * 382 * \param[in] rrset the rrset to verify 383 * \param[in] rrsig a list of signatures to check 384 * \param[in] keys a list of keys to check with 385 * \param[out] good_keys if this is a (initialized) list, the pointer to keys 386 * from keys that validate one of the signatures 387 * are added to it 388 * \return status LDNS_STATUS_OK if there is at least one correct key 389 */ 390 ldns_status ldns_verify(ldns_rr_list *rrset, 391 ldns_rr_list *rrsig, 392 const ldns_rr_list *keys, 393 ldns_rr_list *good_keys); 394 395 /** 396 * Verifies a list of signatures for one rrset. 397 * 398 * \param[in] rrset the rrset to verify 399 * \param[in] rrsig a list of signatures to check 400 * \param[in] keys a list of keys to check with 401 * \param[in] check_time the time for which the validation is performed 402 * \param[out] good_keys if this is a (initialized) list, the pointer to keys 403 * from keys that validate one of the signatures 404 * are added to it 405 * \return status LDNS_STATUS_OK if there is at least one correct key 406 */ 407 ldns_status ldns_verify_time(ldns_rr_list *rrset, 408 ldns_rr_list *rrsig, 409 const ldns_rr_list *keys, 410 time_t check_time, 411 ldns_rr_list *good_keys); 412 413 414 /** 415 * Verifies a list of signatures for one rrset, but disregard the time. 416 * Inception and Expiration are not checked. 417 * 418 * \param[in] rrset the rrset to verify 419 * \param[in] rrsig a list of signatures to check 420 * \param[in] keys a list of keys to check with 421 * \param[out] good_keys if this is a (initialized) list, the pointer to keys 422 * from keys that validate one of the signatures 423 * are added to it 424 * \return status LDNS_STATUS_OK if there is at least one correct key 425 */ 426 ldns_status ldns_verify_notime(ldns_rr_list *rrset, 427 ldns_rr_list *rrsig, 428 const ldns_rr_list *keys, 429 ldns_rr_list *good_keys); 430 431 /** 432 * Tries to build an authentication chain from the given 433 * keys down to the queried domain. 434 * 435 * If we find a valid trust path, return the valid keys for the domain. 436 * 437 * \param[in] res the current resolver 438 * \param[in] domain the domain we want valid keys for 439 * \param[in] keys the current set of trusted keys 440 * \param[out] status pointer to the status variable where the result 441 * code will be stored 442 * \return the set of trusted keys for the domain, or NULL if no 443 * trust path could be built. 444 */ 445 ldns_rr_list *ldns_fetch_valid_domain_keys(const ldns_resolver * res, 446 const ldns_rdf * domain, 447 const ldns_rr_list * keys, 448 ldns_status *status); 449 450 /** 451 * Tries to build an authentication chain from the given 452 * keys down to the queried domain. 453 * 454 * If we find a valid trust path, return the valid keys for the domain. 455 * 456 * \param[in] res the current resolver 457 * \param[in] domain the domain we want valid keys for 458 * \param[in] keys the current set of trusted keys 459 * \param[in] check_time the time for which the validation is performed 460 * \param[out] status pointer to the status variable where the result 461 * code will be stored 462 * \return the set of trusted keys for the domain, or NULL if no 463 * trust path could be built. 464 */ 465 ldns_rr_list *ldns_fetch_valid_domain_keys_time(const ldns_resolver * res, 466 const ldns_rdf * domain, const ldns_rr_list * keys, 467 time_t check_time, ldns_status *status); 468 469 470 /** 471 * Validates the DNSKEY RRset for the given domain using the provided 472 * trusted keys. 473 * 474 * \param[in] res the current resolver 475 * \param[in] domain the domain we want valid keys for 476 * \param[in] keys the current set of trusted keys 477 * \return the set of trusted keys for the domain, or NULL if the RRSET 478 * could not be validated 479 */ 480 ldns_rr_list *ldns_validate_domain_dnskey (const ldns_resolver *res, 481 const ldns_rdf *domain, 482 const ldns_rr_list *keys); 483 484 /** 485 * Validates the DNSKEY RRset for the given domain using the provided 486 * trusted keys. 487 * 488 * \param[in] res the current resolver 489 * \param[in] domain the domain we want valid keys for 490 * \param[in] keys the current set of trusted keys 491 * \param[in] check_time the time for which the validation is performed 492 * \return the set of trusted keys for the domain, or NULL if the RRSET 493 * could not be validated 494 */ 495 ldns_rr_list *ldns_validate_domain_dnskey_time( 496 const ldns_resolver *res, const ldns_rdf *domain, 497 const ldns_rr_list *keys, time_t check_time); 498 499 500 /** 501 * Validates the DS RRset for the given domain using the provided trusted keys. 502 * 503 * \param[in] res the current resolver 504 * \param[in] domain the domain we want valid keys for 505 * \param[in] keys the current set of trusted keys 506 * \return the set of trusted keys for the domain, or NULL if the RRSET could not be validated 507 */ 508 ldns_rr_list *ldns_validate_domain_ds(const ldns_resolver *res, 509 const ldns_rdf * 510 domain, 511 const ldns_rr_list * keys); 512 513 /** 514 * Validates the DS RRset for the given domain using the provided trusted keys. 515 * 516 * \param[in] res the current resolver 517 * \param[in] domain the domain we want valid keys for 518 * \param[in] keys the current set of trusted keys 519 * \param[in] check_time the time for which the validation is performed 520 * \return the set of trusted keys for the domain, or NULL if the RRSET could not be validated 521 */ 522 ldns_rr_list *ldns_validate_domain_ds_time( 523 const ldns_resolver *res, const ldns_rdf *domain, 524 const ldns_rr_list * keys, time_t check_time); 525 526 527 /** 528 * Verifies a list of signatures for one RRset using a valid trust path. 529 * 530 * \param[in] res the current resolver 531 * \param[in] rrset the rrset to verify 532 * \param[in] rrsigs a list of signatures to check 533 * \param[out] validating_keys if this is a (initialized) list, the 534 * keys from keys that validate one of 535 * the signatures are added to it 536 * \return status LDNS_STATUS_OK if there is at least one correct key 537 */ 538 ldns_status ldns_verify_trusted(ldns_resolver *res, 539 ldns_rr_list *rrset, 540 ldns_rr_list *rrsigs, 541 ldns_rr_list *validating_keys); 542 543 /** 544 * Verifies a list of signatures for one RRset using a valid trust path. 545 * 546 * \param[in] res the current resolver 547 * \param[in] rrset the rrset to verify 548 * \param[in] rrsigs a list of signatures to check 549 * \param[in] check_time the time for which the validation is performed 550 * \param[out] validating_keys if this is a (initialized) list, the 551 * keys from keys that validate one of 552 * the signatures are added to it 553 * \return status LDNS_STATUS_OK if there is at least one correct key 554 */ 555 ldns_status ldns_verify_trusted_time( 556 ldns_resolver *res, ldns_rr_list *rrset, 557 ldns_rr_list *rrsigs, time_t check_time, 558 ldns_rr_list *validating_keys); 559 560 561 /** 562 * denial is not just a river in egypt 563 * 564 * \param[in] rr The (query) RR to check the denial of existence for 565 * \param[in] nsecs The list of NSEC RRs that are supposed to deny the 566 * existence of the RR 567 * \param[in] rrsigs The RRSIG RR covering the NSEC RRs 568 * \return LDNS_STATUS_OK if the NSEC RRs deny the existence, error code 569 * containing the reason they do not otherwise 570 */ 571 ldns_status ldns_dnssec_verify_denial(ldns_rr *rr, 572 ldns_rr_list *nsecs, 573 ldns_rr_list *rrsigs); 574 575 /** 576 * Denial of existence using NSEC3 records 577 * Since NSEC3 is a bit more complicated than normal denial, some 578 * context arguments are needed 579 * 580 * \param[in] rr The (query) RR to check the denial of existence for 581 * \param[in] nsecs The list of NSEC3 RRs that are supposed to deny the 582 * existence of the RR 583 * \param[in] rrsigs The RRSIG rr covering the NSEC RRs 584 * \param[in] packet_rcode The RCODE value of the packet that provided the 585 * NSEC3 RRs 586 * \param[in] packet_qtype The original query RR type 587 * \param[in] packet_nodata True if the providing packet had an empty ANSWER 588 * section 589 * \return LDNS_STATUS_OK if the NSEC3 RRs deny the existence, error code 590 * containing the reason they do not otherwise 591 */ 592 ldns_status ldns_dnssec_verify_denial_nsec3(ldns_rr *rr, 593 ldns_rr_list *nsecs, 594 ldns_rr_list *rrsigs, 595 ldns_pkt_rcode packet_rcode, 596 ldns_rr_type packet_qtype, 597 bool packet_nodata); 598 599 /** 600 * Same as ldns_status ldns_dnssec_verify_denial_nsec3 but also returns 601 * the nsec rr that matched. 602 * 603 * \param[in] rr The (query) RR to check the denial of existence for 604 * \param[in] nsecs The list of NSEC3 RRs that are supposed to deny the 605 * existence of the RR 606 * \param[in] rrsigs The RRSIG rr covering the NSEC RRs 607 * \param[in] packet_rcode The RCODE value of the packet that provided the 608 * NSEC3 RRs 609 * \param[in] packet_qtype The original query RR type 610 * \param[in] packet_nodata True if the providing packet had an empty ANSWER 611 * section 612 * \param[in] match On match, the given (reference to a) pointer will be set 613 * to point to the matching nsec resource record. 614 * \return LDNS_STATUS_OK if the NSEC3 RRs deny the existence, error code 615 * containing the reason they do not otherwise 616 */ 617 ldns_status ldns_dnssec_verify_denial_nsec3_match(ldns_rr *rr, 618 ldns_rr_list *nsecs, 619 ldns_rr_list *rrsigs, 620 ldns_pkt_rcode packet_rcode, 621 ldns_rr_type packet_qtype, 622 bool packet_nodata, 623 ldns_rr **match); 624 /** 625 * Verifies the already processed data in the buffers 626 * This function should probably not be used directly. 627 * 628 * \param[in] rawsig_buf Buffer containing signature data to use 629 * \param[in] verify_buf Buffer containing data to verify 630 * \param[in] key_buf Buffer containing key data to use 631 * \param[in] algo Signing algorithm 632 * \return status LDNS_STATUS_OK if the data verifies. Error if not. 633 */ 634 ldns_status ldns_verify_rrsig_buffers(ldns_buffer *rawsig_buf, 635 ldns_buffer *verify_buf, 636 ldns_buffer *key_buf, 637 uint8_t algo); 638 639 /** 640 * Like ldns_verify_rrsig_buffers, but uses raw data. 641 * 642 * \param[in] sig signature data to use 643 * \param[in] siglen length of signature data to use 644 * \param[in] verify_buf Buffer containing data to verify 645 * \param[in] key key data to use 646 * \param[in] keylen length of key data to use 647 * \param[in] algo Signing algorithm 648 * \return status LDNS_STATUS_OK if the data verifies. Error if not. 649 */ 650 ldns_status ldns_verify_rrsig_buffers_raw(unsigned char* sig, 651 size_t siglen, 652 ldns_buffer *verify_buf, 653 unsigned char* key, 654 size_t keylen, 655 uint8_t algo); 656 657 /** 658 * Verifies an rrsig. All keys in the keyset are tried. 659 * \param[in] rrset the rrset to check 660 * \param[in] rrsig the signature of the rrset 661 * \param[in] keys the keys to try 662 * \param[out] good_keys if this is a (initialized) list, the pointer to keys 663 * from keys that validate one of the signatures 664 * are added to it 665 * \return a list of keys which validate the rrsig + rrset. Returns 666 * status LDNS_STATUS_OK if at least one key matched. Else an error. 667 */ 668 ldns_status ldns_verify_rrsig_keylist(ldns_rr_list *rrset, 669 ldns_rr *rrsig, 670 const ldns_rr_list *keys, 671 ldns_rr_list *good_keys); 672 673 /** 674 * Verifies an rrsig. All keys in the keyset are tried. 675 * \param[in] rrset the rrset to check 676 * \param[in] rrsig the signature of the rrset 677 * \param[in] keys the keys to try 678 * \param[in] check_time the time for which the validation is performed 679 * \param[out] good_keys if this is a (initialized) list, the pointer to keys 680 * from keys that validate one of the signatures 681 * are added to it 682 * \return a list of keys which validate the rrsig + rrset. Returns 683 * status LDNS_STATUS_OK if at least one key matched. Else an error. 684 */ 685 ldns_status ldns_verify_rrsig_keylist_time( 686 ldns_rr_list *rrset, ldns_rr *rrsig, 687 const ldns_rr_list *keys, time_t check_time, 688 ldns_rr_list *good_keys); 689 690 691 /** 692 * Verifies an rrsig. All keys in the keyset are tried. Time is not checked. 693 * \param[in] rrset the rrset to check 694 * \param[in] rrsig the signature of the rrset 695 * \param[in] keys the keys to try 696 * \param[out] good_keys if this is a (initialized) list, the pointer to keys 697 * from keys that validate one of the signatures 698 * are added to it 699 * \return a list of keys which validate the rrsig + rrset. Returns 700 * status LDNS_STATUS_OK if at least one key matched. Else an error. 701 */ 702 ldns_status ldns_verify_rrsig_keylist_notime(ldns_rr_list *rrset, 703 ldns_rr *rrsig, 704 const ldns_rr_list *keys, 705 ldns_rr_list *good_keys); 706 707 /** 708 * verify an rrsig with 1 key 709 * \param[in] rrset the rrset 710 * \param[in] rrsig the rrsig to verify 711 * \param[in] key the key to use 712 * \return status message wether verification succeeded. 713 */ 714 ldns_status ldns_verify_rrsig(ldns_rr_list *rrset, 715 ldns_rr *rrsig, 716 ldns_rr *key); 717 718 719 /** 720 * verify an rrsig with 1 key 721 * \param[in] rrset the rrset 722 * \param[in] rrsig the rrsig to verify 723 * \param[in] key the key to use 724 * \param[in] check_time the time for which the validation is performed 725 * \return status message wether verification succeeded. 726 */ 727 ldns_status ldns_verify_rrsig_time( 728 ldns_rr_list *rrset, ldns_rr *rrsig, 729 ldns_rr *key, time_t check_time); 730 731 732 #if LDNS_BUILD_CONFIG_HAVE_SSL 733 /** 734 * verifies a buffer with signature data for a buffer with rrset data 735 * with an EVP_PKEY 736 * 737 * \param[in] sig the signature data 738 * \param[in] rrset the rrset data, sorted and processed for verification 739 * \param[in] key the EVP key structure 740 * \param[in] digest_type The digest type of the signature 741 */ 742 ldns_status ldns_verify_rrsig_evp(ldns_buffer *sig, 743 ldns_buffer *rrset, 744 EVP_PKEY *key, 745 const EVP_MD *digest_type); 746 747 /** 748 * Like ldns_verify_rrsig_evp, but uses raw signature data. 749 * \param[in] sig the signature data, wireformat uncompressed 750 * \param[in] siglen length of the signature data 751 * \param[in] rrset the rrset data, sorted and processed for verification 752 * \param[in] key the EVP key structure 753 * \param[in] digest_type The digest type of the signature 754 */ 755 ldns_status ldns_verify_rrsig_evp_raw(unsigned char *sig, 756 size_t siglen, 757 ldns_buffer *rrset, 758 EVP_PKEY *key, 759 const EVP_MD *digest_type); 760 #endif 761 762 /** 763 * verifies a buffer with signature data (DSA) for a buffer with rrset data 764 * with a buffer with key data. 765 * 766 * \param[in] sig the signature data 767 * \param[in] rrset the rrset data, sorted and processed for verification 768 * \param[in] key the key data 769 */ 770 ldns_status ldns_verify_rrsig_dsa(ldns_buffer *sig, 771 ldns_buffer *rrset, 772 ldns_buffer *key); 773 774 /** 775 * verifies a buffer with signature data (RSASHA1) for a buffer with rrset data 776 * with a buffer with key data. 777 * 778 * \param[in] sig the signature data 779 * \param[in] rrset the rrset data, sorted and processed for verification 780 * \param[in] key the key data 781 */ 782 ldns_status ldns_verify_rrsig_rsasha1(ldns_buffer *sig, 783 ldns_buffer *rrset, 784 ldns_buffer *key); 785 786 /** 787 * verifies a buffer with signature data (RSAMD5) for a buffer with rrset data 788 * with a buffer with key data. 789 * 790 * \param[in] sig the signature data 791 * \param[in] rrset the rrset data, sorted and processed for verification 792 * \param[in] key the key data 793 */ 794 ldns_status ldns_verify_rrsig_rsamd5(ldns_buffer *sig, 795 ldns_buffer *rrset, 796 ldns_buffer *key); 797 798 /** 799 * Like ldns_verify_rrsig_dsa, but uses raw signature and key data. 800 * \param[in] sig raw uncompressed wireformat signature data 801 * \param[in] siglen length of signature data 802 * \param[in] rrset ldns buffer with prepared rrset data. 803 * \param[in] key raw uncompressed wireformat key data 804 * \param[in] keylen length of key data 805 */ 806 ldns_status ldns_verify_rrsig_dsa_raw(unsigned char* sig, 807 size_t siglen, 808 ldns_buffer* rrset, 809 unsigned char* key, 810 size_t keylen); 811 812 /** 813 * Like ldns_verify_rrsig_rsasha1, but uses raw signature and key data. 814 * \param[in] sig raw uncompressed wireformat signature data 815 * \param[in] siglen length of signature data 816 * \param[in] rrset ldns buffer with prepared rrset data. 817 * \param[in] key raw uncompressed wireformat key data 818 * \param[in] keylen length of key data 819 */ 820 ldns_status ldns_verify_rrsig_rsasha1_raw(unsigned char* sig, 821 size_t siglen, 822 ldns_buffer* rrset, 823 unsigned char* key, 824 size_t keylen); 825 826 /** 827 * Like ldns_verify_rrsig_rsasha256, but uses raw signature and key data. 828 * \param[in] sig raw uncompressed wireformat signature data 829 * \param[in] siglen length of signature data 830 * \param[in] rrset ldns buffer with prepared rrset data. 831 * \param[in] key raw uncompressed wireformat key data 832 * \param[in] keylen length of key data 833 */ 834 835 ldns_status ldns_verify_rrsig_rsasha256_raw(unsigned char* sig, 836 size_t siglen, 837 ldns_buffer* rrset, 838 unsigned char* key, 839 size_t keylen); 840 841 /** 842 * Like ldns_verify_rrsig_rsasha512, but uses raw signature and key data. 843 * \param[in] sig raw uncompressed wireformat signature data 844 * \param[in] siglen length of signature data 845 * \param[in] rrset ldns buffer with prepared rrset data. 846 * \param[in] key raw uncompressed wireformat key data 847 * \param[in] keylen length of key data 848 */ 849 ldns_status ldns_verify_rrsig_rsasha512_raw(unsigned char* sig, 850 size_t siglen, 851 ldns_buffer* rrset, 852 unsigned char* key, 853 size_t keylen); 854 855 /** 856 * Like ldns_verify_rrsig_rsamd5, but uses raw signature and key data. 857 * \param[in] sig raw uncompressed wireformat signature data 858 * \param[in] siglen length of signature data 859 * \param[in] rrset ldns buffer with prepared rrset data. 860 * \param[in] key raw uncompressed wireformat key data 861 * \param[in] keylen length of key data 862 */ 863 ldns_status ldns_verify_rrsig_rsamd5_raw(unsigned char* sig, 864 size_t siglen, 865 ldns_buffer* rrset, 866 unsigned char* key, 867 size_t keylen); 868 869 #ifdef __cplusplus 870 } 871 #endif 872 873 #endif 874 875