1 /** dnssec_verify */ 2 3 #ifndef LDNS_DNSSEC_VERIFY_H 4 #define LDNS_DNSSEC_VERIFY_H 5 6 #define LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS 10 7 8 #include <ldns/dnssec.h> 9 #include <ldns/host2str.h> 10 11 #ifdef __cplusplus 12 extern "C" { 13 #endif 14 15 /** 16 * Chain structure that contains all DNSSEC data needed to 17 * verify an rrset 18 */ 19 typedef struct ldns_dnssec_data_chain_struct ldns_dnssec_data_chain; 20 struct ldns_dnssec_data_chain_struct 21 { 22 ldns_rr_list *rrset; 23 ldns_rr_list *signatures; 24 ldns_rr_type parent_type; 25 ldns_dnssec_data_chain *parent; 26 ldns_pkt_rcode packet_rcode; 27 ldns_rr_type packet_qtype; 28 bool packet_nodata; 29 }; 30 31 /** 32 * Creates a new dnssec_chain structure 33 * \return ldns_dnssec_data_chain * 34 */ 35 ldns_dnssec_data_chain *ldns_dnssec_data_chain_new(void); 36 37 /** 38 * Frees a dnssec_data_chain structure 39 * 40 * \param[in] *chain The chain to free 41 */ 42 void ldns_dnssec_data_chain_free(ldns_dnssec_data_chain *chain); 43 44 /** 45 * Frees a dnssec_data_chain structure, and all data 46 * contained therein 47 * 48 * \param[in] *chain The dnssec_data_chain to free 49 */ 50 void ldns_dnssec_data_chain_deep_free(ldns_dnssec_data_chain *chain); 51 52 /** 53 * Prints the dnssec_data_chain to the given file stream 54 * 55 * \param[in] *out The file stream to print to 56 * \param[in] *chain The dnssec_data_chain to print 57 */ 58 void ldns_dnssec_data_chain_print(FILE *out, const ldns_dnssec_data_chain *chain); 59 60 /** 61 * Prints the dnssec_data_chain to the given file stream 62 * 63 * \param[in] *out The file stream to print to 64 * \param[in] *fmt The format of the textual representation 65 * \param[in] *chain The dnssec_data_chain to print 66 */ 67 void ldns_dnssec_data_chain_print_fmt(FILE *out, 68 const ldns_output_format *fmt, 69 const ldns_dnssec_data_chain *chain); 70 71 /** 72 * Build an ldns_dnssec_data_chain, which contains all 73 * DNSSEC data that is needed to derive the trust tree later 74 * 75 * The data_set will be cloned 76 * 77 * \param[in] *res resolver structure for further needed queries 78 * \param[in] qflags resolution flags 79 * \param[in] *data_set The original rrset where the chain ends 80 * \param[in] *pkt optional, can contain the original packet 81 * (and hence the sigs and maybe the key) 82 * \param[in] *orig_rr The original Resource Record 83 * 84 * \return the DNSSEC data chain 85 */ 86 ldns_dnssec_data_chain *ldns_dnssec_build_data_chain(ldns_resolver *res, 87 const uint16_t qflags, 88 const ldns_rr_list *data_set, 89 const ldns_pkt *pkt, 90 ldns_rr *orig_rr); 91 92 /** 93 * Tree structure that contains the relation of DNSSEC data, 94 * and their cryptographic status. 95 * 96 * This tree is derived from a data_chain, and can be used 97 * to look whether there is a connection between an RRSET 98 * and a trusted key. The tree only contains pointers to the 99 * data_chain, and therefore one should *never* free() the 100 * data_chain when there is still a trust tree derived from 101 * that chain. 102 * 103 * Example tree: 104 * key key key 105 * \ | / 106 * \ | / 107 * \ | / 108 * ds 109 * | 110 * key 111 * | 112 * key 113 * | 114 * rr 115 * 116 * For each signature there is a parent; if the parent 117 * pointer is null, it couldn't be found and there was no 118 * denial; otherwise is a tree which contains either a 119 * DNSKEY, a DS, or a NSEC rr 120 */ 121 typedef struct ldns_dnssec_trust_tree_struct ldns_dnssec_trust_tree; 122 struct ldns_dnssec_trust_tree_struct 123 { 124 ldns_rr *rr; 125 /* the complete rrset this rr was in */ 126 ldns_rr_list *rrset; 127 ldns_dnssec_trust_tree *parents[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS]; 128 ldns_status parent_status[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS]; 129 /** for debugging, add signatures too (you might want 130 those if they contain errors) */ 131 ldns_rr *parent_signature[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS]; 132 size_t parent_count; 133 }; 134 135 /** 136 * Creates a new (empty) dnssec_trust_tree structure 137 * 138 * \return ldns_dnssec_trust_tree * 139 */ 140 ldns_dnssec_trust_tree *ldns_dnssec_trust_tree_new(void); 141 142 /** 143 * Frees the dnssec_trust_tree recursively 144 * 145 * There is no deep free; all data in the trust tree 146 * consists of pointers to a data_chain 147 * 148 * \param[in] tree The tree to free 149 */ 150 void ldns_dnssec_trust_tree_free(ldns_dnssec_trust_tree *tree); 151 152 /** 153 * returns the depth of the trust tree 154 * 155 * \param[in] tree tree to calculate the depth of 156 * \return The depth of the tree 157 */ 158 size_t ldns_dnssec_trust_tree_depth(ldns_dnssec_trust_tree *tree); 159 160 /** 161 * Prints the dnssec_trust_tree structure to the given file 162 * stream. 163 * 164 * If a link status is not LDNS_STATUS_OK; the status and 165 * relevant signatures are printed too 166 * 167 * \param[in] *out The file stream to print to 168 * \param[in] tree The trust tree to print 169 * \param[in] tabs Prepend each line with tabs*2 spaces 170 * \param[in] extended If true, add little explanation lines to the output 171 */ 172 void ldns_dnssec_trust_tree_print(FILE *out, 173 ldns_dnssec_trust_tree *tree, 174 size_t tabs, 175 bool extended); 176 177 /** 178 * Prints the dnssec_trust_tree structure to the given file 179 * stream. 180 * 181 * If a link status is not LDNS_STATUS_OK; the status and 182 * relevant signatures are printed too 183 * 184 * \param[in] *out The file stream to print to 185 * \param[in] *fmt The format of the textual representation 186 * \param[in] tree The trust tree to print 187 * \param[in] tabs Prepend each line with tabs*2 spaces 188 * \param[in] extended If true, add little explanation lines to the output 189 */ 190 void ldns_dnssec_trust_tree_print_fmt(FILE *out, 191 const ldns_output_format *fmt, 192 ldns_dnssec_trust_tree *tree, 193 size_t tabs, 194 bool extended); 195 196 /** 197 * Adds a trust tree as a parent for the given trust tree 198 * 199 * \param[in] *tree The tree to add the parent to 200 * \param[in] *parent The parent tree to add 201 * \param[in] *parent_signature The RRSIG relevant to this parent/child 202 * connection 203 * \param[in] parent_status The DNSSEC status for this parent, child and RRSIG 204 * \return LDNS_STATUS_OK if the addition succeeds, error otherwise 205 */ 206 ldns_status ldns_dnssec_trust_tree_add_parent(ldns_dnssec_trust_tree *tree, 207 const ldns_dnssec_trust_tree *parent, 208 const ldns_rr *parent_signature, 209 const ldns_status parent_status); 210 211 /** 212 * Generates a dnssec_trust_tree for the given rr from the 213 * given data_chain 214 * 215 * This does not clone the actual data; Don't free the 216 * data_chain before you are done with this tree 217 * 218 * \param[in] *data_chain The chain to derive the trust tree from 219 * \param[in] *rr The RR this tree will be about 220 * \return ldns_dnssec_trust_tree * 221 */ 222 ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree( 223 ldns_dnssec_data_chain *data_chain, 224 ldns_rr *rr); 225 226 /** 227 * Generates a dnssec_trust_tree for the given rr from the 228 * given data_chain 229 * 230 * This does not clone the actual data; Don't free the 231 * data_chain before you are done with this tree 232 * 233 * \param[in] *data_chain The chain to derive the trust tree from 234 * \param[in] *rr The RR this tree will be about 235 * \param[in] check_time the time for which the validation is performed 236 * \return ldns_dnssec_trust_tree * 237 */ 238 ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree_time( 239 ldns_dnssec_data_chain *data_chain, 240 ldns_rr *rr, time_t check_time); 241 242 /** 243 * Sub function for derive_trust_tree that is used for a 'normal' rrset 244 * 245 * \param[in] new_tree The trust tree that we are building 246 * \param[in] data_chain The data chain containing the data for the trust tree 247 * \param[in] cur_sig_rr The currently relevant signature 248 */ 249 void ldns_dnssec_derive_trust_tree_normal_rrset( 250 ldns_dnssec_trust_tree *new_tree, 251 ldns_dnssec_data_chain *data_chain, 252 ldns_rr *cur_sig_rr); 253 254 /** 255 * Sub function for derive_trust_tree that is used for a 'normal' rrset 256 * 257 * \param[in] new_tree The trust tree that we are building 258 * \param[in] data_chain The data chain containing the data for the trust tree 259 * \param[in] cur_sig_rr The currently relevant signature 260 * \param[in] check_time the time for which the validation is performed 261 */ 262 void ldns_dnssec_derive_trust_tree_normal_rrset_time( 263 ldns_dnssec_trust_tree *new_tree, 264 ldns_dnssec_data_chain *data_chain, 265 ldns_rr *cur_sig_rr, time_t check_time); 266 267 268 /** 269 * Sub function for derive_trust_tree that is used for DNSKEY rrsets 270 * 271 * \param[in] new_tree The trust tree that we are building 272 * \param[in] data_chain The data chain containing the data for the trust tree 273 * \param[in] cur_rr The currently relevant DNSKEY RR 274 * \param[in] cur_sig_rr The currently relevant signature 275 */ 276 void ldns_dnssec_derive_trust_tree_dnskey_rrset( 277 ldns_dnssec_trust_tree *new_tree, 278 ldns_dnssec_data_chain *data_chain, 279 ldns_rr *cur_rr, 280 ldns_rr *cur_sig_rr); 281 282 /** 283 * Sub function for derive_trust_tree that is used for DNSKEY rrsets 284 * 285 * \param[in] new_tree The trust tree that we are building 286 * \param[in] data_chain The data chain containing the data for the trust tree 287 * \param[in] cur_rr The currently relevant DNSKEY RR 288 * \param[in] cur_sig_rr The currently relevant signature 289 * \param[in] check_time the time for which the validation is performed 290 */ 291 void ldns_dnssec_derive_trust_tree_dnskey_rrset_time( 292 ldns_dnssec_trust_tree *new_tree, 293 ldns_dnssec_data_chain *data_chain, 294 ldns_rr *cur_rr, ldns_rr *cur_sig_rr, 295 time_t check_time); 296 297 /** 298 * Sub function for derive_trust_tree that is used for DS rrsets 299 * 300 * \param[in] new_tree The trust tree that we are building 301 * \param[in] data_chain The data chain containing the data for the trust tree 302 * \param[in] cur_rr The currently relevant DS RR 303 */ 304 void ldns_dnssec_derive_trust_tree_ds_rrset( 305 ldns_dnssec_trust_tree *new_tree, 306 ldns_dnssec_data_chain *data_chain, 307 ldns_rr *cur_rr); 308 309 /** 310 * Sub function for derive_trust_tree that is used for DS rrsets 311 * 312 * \param[in] new_tree The trust tree that we are building 313 * \param[in] data_chain The data chain containing the data for the trust tree 314 * \param[in] cur_rr The currently relevant DS RR 315 * \param[in] check_time the time for which the validation is performed 316 */ 317 void ldns_dnssec_derive_trust_tree_ds_rrset_time( 318 ldns_dnssec_trust_tree *new_tree, 319 ldns_dnssec_data_chain *data_chain, 320 ldns_rr *cur_rr, time_t check_time); 321 322 /** 323 * Sub function for derive_trust_tree that is used when there are no 324 * signatures 325 * 326 * \param[in] new_tree The trust tree that we are building 327 * \param[in] data_chain The data chain containing the data for the trust tree 328 */ 329 void ldns_dnssec_derive_trust_tree_no_sig( 330 ldns_dnssec_trust_tree *new_tree, 331 ldns_dnssec_data_chain *data_chain); 332 333 /** 334 * Sub function for derive_trust_tree that is used when there are no 335 * signatures 336 * 337 * \param[in] new_tree The trust tree that we are building 338 * \param[in] data_chain The data chain containing the data for the trust tree 339 * \param[in] check_time the time for which the validation is performed 340 */ 341 void ldns_dnssec_derive_trust_tree_no_sig_time( 342 ldns_dnssec_trust_tree *new_tree, 343 ldns_dnssec_data_chain *data_chain, 344 time_t check_time); 345 346 347 /** 348 * Returns OK if there is a trusted path in the tree to one of 349 * the DNSKEY or DS RRs in the given list 350 * 351 * \param *tree The trust tree so search 352 * \param *keys A ldns_rr_list of DNSKEY and DS rrs to look for 353 * 354 * \return LDNS_STATUS_OK if there is a trusted path to one of 355 * the keys, or the *first* error encountered 356 * if there were no paths 357 */ 358 ldns_status ldns_dnssec_trust_tree_contains_keys( 359 ldns_dnssec_trust_tree *tree, 360 ldns_rr_list *keys); 361 362 /** 363 * Verifies a list of signatures for one rrset. 364 * 365 * \param[in] rrset the rrset to verify 366 * \param[in] rrsig a list of signatures to check 367 * \param[in] keys a list of keys to check with 368 * \param[out] good_keys if this is a (initialized) list, the pointer to keys 369 * from keys that validate one of the signatures 370 * are added to it 371 * \return status LDNS_STATUS_OK if there is at least one correct key 372 */ 373 ldns_status ldns_verify(ldns_rr_list *rrset, 374 ldns_rr_list *rrsig, 375 const ldns_rr_list *keys, 376 ldns_rr_list *good_keys); 377 378 /** 379 * Verifies a list of signatures for one rrset. 380 * 381 * \param[in] rrset the rrset to verify 382 * \param[in] rrsig a list of signatures to check 383 * \param[in] keys a list of keys to check with 384 * \param[in] check_time the time for which the validation is performed 385 * \param[out] good_keys if this is a (initialized) list, the pointer to keys 386 * from keys that validate one of the signatures 387 * are added to it 388 * \return status LDNS_STATUS_OK if there is at least one correct key 389 */ 390 ldns_status ldns_verify_time(const ldns_rr_list *rrset, 391 const ldns_rr_list *rrsig, 392 const ldns_rr_list *keys, 393 time_t check_time, 394 ldns_rr_list *good_keys); 395 396 397 /** 398 * Verifies a list of signatures for one rrset, but disregard the time. 399 * Inception and Expiration are not checked. 400 * 401 * \param[in] rrset the rrset to verify 402 * \param[in] rrsig a list of signatures to check 403 * \param[in] keys a list of keys to check with 404 * \param[out] good_keys if this is a (initialized) list, the pointer to keys 405 * from keys that validate one of the signatures 406 * are added to it 407 * \return status LDNS_STATUS_OK if there is at least one correct key 408 */ 409 ldns_status ldns_verify_notime(ldns_rr_list *rrset, 410 ldns_rr_list *rrsig, 411 const ldns_rr_list *keys, 412 ldns_rr_list *good_keys); 413 414 /** 415 * Tries to build an authentication chain from the given 416 * keys down to the queried domain. 417 * 418 * If we find a valid trust path, return the valid keys for the domain. 419 * 420 * \param[in] res the current resolver 421 * \param[in] domain the domain we want valid keys for 422 * \param[in] keys the current set of trusted keys 423 * \param[out] status pointer to the status variable where the result 424 * code will be stored 425 * \return the set of trusted keys for the domain, or NULL if no 426 * trust path could be built. 427 */ 428 ldns_rr_list *ldns_fetch_valid_domain_keys(const ldns_resolver * res, 429 const ldns_rdf * domain, 430 const ldns_rr_list * keys, 431 ldns_status *status); 432 433 /** 434 * Tries to build an authentication chain from the given 435 * keys down to the queried domain. 436 * 437 * If we find a valid trust path, return the valid keys for the domain. 438 * 439 * \param[in] res the current resolver 440 * \param[in] domain the domain we want valid keys for 441 * \param[in] keys the current set of trusted keys 442 * \param[in] check_time the time for which the validation is performed 443 * \param[out] status pointer to the status variable where the result 444 * code will be stored 445 * \return the set of trusted keys for the domain, or NULL if no 446 * trust path could be built. 447 */ 448 ldns_rr_list *ldns_fetch_valid_domain_keys_time(const ldns_resolver * res, 449 const ldns_rdf * domain, const ldns_rr_list * keys, 450 time_t check_time, ldns_status *status); 451 452 453 /** 454 * Validates the DNSKEY RRset for the given domain using the provided 455 * trusted keys. 456 * 457 * \param[in] res the current resolver 458 * \param[in] domain the domain we want valid keys for 459 * \param[in] keys the current set of trusted keys 460 * \return the set of trusted keys for the domain, or NULL if the RRSET 461 * could not be validated 462 */ 463 ldns_rr_list *ldns_validate_domain_dnskey (const ldns_resolver *res, 464 const ldns_rdf *domain, 465 const ldns_rr_list *keys); 466 467 /** 468 * Validates the DNSKEY RRset for the given domain using the provided 469 * trusted keys. 470 * 471 * \param[in] res the current resolver 472 * \param[in] domain the domain we want valid keys for 473 * \param[in] keys the current set of trusted keys 474 * \param[in] check_time the time for which the validation is performed 475 * \return the set of trusted keys for the domain, or NULL if the RRSET 476 * could not be validated 477 */ 478 ldns_rr_list *ldns_validate_domain_dnskey_time( 479 const ldns_resolver *res, const ldns_rdf *domain, 480 const ldns_rr_list *keys, time_t check_time); 481 482 483 /** 484 * Validates the DS RRset for the given domain using the provided trusted keys. 485 * 486 * \param[in] res the current resolver 487 * \param[in] domain the domain we want valid keys for 488 * \param[in] keys the current set of trusted keys 489 * \return the set of trusted keys for the domain, or NULL if the RRSET could not be validated 490 */ 491 ldns_rr_list *ldns_validate_domain_ds(const ldns_resolver *res, 492 const ldns_rdf * 493 domain, 494 const ldns_rr_list * keys); 495 496 /** 497 * Validates the DS RRset for the given domain using the provided trusted keys. 498 * 499 * \param[in] res the current resolver 500 * \param[in] domain the domain we want valid keys for 501 * \param[in] keys the current set of trusted keys 502 * \param[in] check_time the time for which the validation is performed 503 * \return the set of trusted keys for the domain, or NULL if the RRSET could not be validated 504 */ 505 ldns_rr_list *ldns_validate_domain_ds_time( 506 const ldns_resolver *res, const ldns_rdf *domain, 507 const ldns_rr_list * keys, time_t check_time); 508 509 510 /** 511 * Verifies a list of signatures for one RRset using a valid trust path. 512 * 513 * \param[in] res the current resolver 514 * \param[in] rrset the rrset to verify 515 * \param[in] rrsigs a list of signatures to check 516 * \param[out] validating_keys if this is a (initialized) list, the 517 * keys from keys that validate one of 518 * the signatures are added to it 519 * \return status LDNS_STATUS_OK if there is at least one correct key 520 */ 521 ldns_status ldns_verify_trusted(ldns_resolver *res, 522 ldns_rr_list *rrset, 523 ldns_rr_list *rrsigs, 524 ldns_rr_list *validating_keys); 525 526 /** 527 * Verifies a list of signatures for one RRset using a valid trust path. 528 * 529 * \param[in] res the current resolver 530 * \param[in] rrset the rrset to verify 531 * \param[in] rrsigs a list of signatures to check 532 * \param[in] check_time the time for which the validation is performed 533 * \param[out] validating_keys if this is a (initialized) list, the 534 * keys from keys that validate one of 535 * the signatures are added to it 536 * \return status LDNS_STATUS_OK if there is at least one correct key 537 */ 538 ldns_status ldns_verify_trusted_time( 539 ldns_resolver *res, ldns_rr_list *rrset, 540 ldns_rr_list *rrsigs, time_t check_time, 541 ldns_rr_list *validating_keys); 542 543 544 /** 545 * denial is not just a river in egypt 546 * 547 * \param[in] rr The (query) RR to check the denial of existence for 548 * \param[in] nsecs The list of NSEC RRs that are supposed to deny the 549 * existence of the RR 550 * \param[in] rrsigs The RRSIG RR covering the NSEC RRs 551 * \return LDNS_STATUS_OK if the NSEC RRs deny the existence, error code 552 * containing the reason they do not otherwise 553 */ 554 ldns_status ldns_dnssec_verify_denial(ldns_rr *rr, 555 ldns_rr_list *nsecs, 556 ldns_rr_list *rrsigs); 557 558 /** 559 * Denial of existence using NSEC3 records 560 * Since NSEC3 is a bit more complicated than normal denial, some 561 * context arguments are needed 562 * 563 * \param[in] rr The (query) RR to check the denial of existence for 564 * \param[in] nsecs The list of NSEC3 RRs that are supposed to deny the 565 * existence of the RR 566 * \param[in] rrsigs The RRSIG rr covering the NSEC RRs 567 * \param[in] packet_rcode The RCODE value of the packet that provided the 568 * NSEC3 RRs 569 * \param[in] packet_qtype The original query RR type 570 * \param[in] packet_nodata True if the providing packet had an empty ANSWER 571 * section 572 * \return LDNS_STATUS_OK if the NSEC3 RRs deny the existence, error code 573 * containing the reason they do not otherwise 574 */ 575 ldns_status ldns_dnssec_verify_denial_nsec3(ldns_rr *rr, 576 ldns_rr_list *nsecs, 577 ldns_rr_list *rrsigs, 578 ldns_pkt_rcode packet_rcode, 579 ldns_rr_type packet_qtype, 580 bool packet_nodata); 581 582 /** 583 * Same as ldns_status ldns_dnssec_verify_denial_nsec3 but also returns 584 * the nsec rr that matched. 585 * 586 * \param[in] rr The (query) RR to check the denial of existence for 587 * \param[in] nsecs The list of NSEC3 RRs that are supposed to deny the 588 * existence of the RR 589 * \param[in] rrsigs The RRSIG rr covering the NSEC RRs 590 * \param[in] packet_rcode The RCODE value of the packet that provided the 591 * NSEC3 RRs 592 * \param[in] packet_qtype The original query RR type 593 * \param[in] packet_nodata True if the providing packet had an empty ANSWER 594 * section 595 * \param[in] match On match, the given (reference to a) pointer will be set 596 * to point to the matching nsec resource record. 597 * \return LDNS_STATUS_OK if the NSEC3 RRs deny the existence, error code 598 * containing the reason they do not otherwise 599 */ 600 ldns_status ldns_dnssec_verify_denial_nsec3_match(ldns_rr *rr, 601 ldns_rr_list *nsecs, 602 ldns_rr_list *rrsigs, 603 ldns_pkt_rcode packet_rcode, 604 ldns_rr_type packet_qtype, 605 bool packet_nodata, 606 ldns_rr **match); 607 /** 608 * Verifies the already processed data in the buffers 609 * This function should probably not be used directly. 610 * 611 * \param[in] rawsig_buf Buffer containing signature data to use 612 * \param[in] verify_buf Buffer containing data to verify 613 * \param[in] key_buf Buffer containing key data to use 614 * \param[in] algo Signing algorithm 615 * \return status LDNS_STATUS_OK if the data verifies. Error if not. 616 */ 617 ldns_status ldns_verify_rrsig_buffers(ldns_buffer *rawsig_buf, 618 ldns_buffer *verify_buf, 619 ldns_buffer *key_buf, 620 uint8_t algo); 621 622 /** 623 * Like ldns_verify_rrsig_buffers, but uses raw data. 624 * 625 * \param[in] sig signature data to use 626 * \param[in] siglen length of signature data to use 627 * \param[in] verify_buf Buffer containing data to verify 628 * \param[in] key key data to use 629 * \param[in] keylen length of key data to use 630 * \param[in] algo Signing algorithm 631 * \return status LDNS_STATUS_OK if the data verifies. Error if not. 632 */ 633 ldns_status ldns_verify_rrsig_buffers_raw(unsigned char* sig, 634 size_t siglen, 635 ldns_buffer *verify_buf, 636 unsigned char* key, 637 size_t keylen, 638 uint8_t algo); 639 640 /** 641 * Verifies an rrsig. All keys in the keyset are tried. 642 * \param[in] rrset the rrset to check 643 * \param[in] rrsig the signature of the rrset 644 * \param[in] keys the keys to try 645 * \param[out] good_keys if this is a (initialized) list, the pointer to keys 646 * from keys that validate one of the signatures 647 * are added to it 648 * \return a list of keys which validate the rrsig + rrset. Returns 649 * status LDNS_STATUS_OK if at least one key matched. Else an error. 650 */ 651 ldns_status ldns_verify_rrsig_keylist(ldns_rr_list *rrset, 652 ldns_rr *rrsig, 653 const ldns_rr_list *keys, 654 ldns_rr_list *good_keys); 655 656 /** 657 * Verifies an rrsig. All keys in the keyset are tried. 658 * \param[in] rrset the rrset to check 659 * \param[in] rrsig the signature of the rrset 660 * \param[in] keys the keys to try 661 * \param[in] check_time the time for which the validation is performed 662 * \param[out] good_keys if this is a (initialized) list, the pointer to keys 663 * from keys that validate one of the signatures 664 * are added to it 665 * \return a list of keys which validate the rrsig + rrset. Returns 666 * status LDNS_STATUS_OK if at least one key matched. Else an error. 667 */ 668 ldns_status ldns_verify_rrsig_keylist_time( 669 const ldns_rr_list *rrset, const ldns_rr *rrsig, 670 const ldns_rr_list *keys, time_t check_time, 671 ldns_rr_list *good_keys); 672 673 674 /** 675 * Verifies an rrsig. All keys in the keyset are tried. Time is not checked. 676 * \param[in] rrset the rrset to check 677 * \param[in] rrsig the signature of the rrset 678 * \param[in] keys the keys to try 679 * \param[out] good_keys if this is a (initialized) list, the pointer to keys 680 * from keys that validate one of the signatures 681 * are added to it 682 * \return a list of keys which validate the rrsig + rrset. Returns 683 * status LDNS_STATUS_OK if at least one key matched. Else an error. 684 */ 685 ldns_status ldns_verify_rrsig_keylist_notime(const ldns_rr_list *rrset, 686 const ldns_rr *rrsig, 687 const ldns_rr_list *keys, 688 ldns_rr_list *good_keys); 689 690 /** 691 * verify an rrsig with 1 key 692 * \param[in] rrset the rrset 693 * \param[in] rrsig the rrsig to verify 694 * \param[in] key the key to use 695 * \return status message wether verification succeeded. 696 */ 697 ldns_status ldns_verify_rrsig(ldns_rr_list *rrset, 698 ldns_rr *rrsig, 699 ldns_rr *key); 700 701 702 /** 703 * verify an rrsig with 1 key 704 * \param[in] rrset the rrset 705 * \param[in] rrsig the rrsig to verify 706 * \param[in] key the key to use 707 * \param[in] check_time the time for which the validation is performed 708 * \return status message wether verification succeeded. 709 */ 710 ldns_status ldns_verify_rrsig_time( 711 ldns_rr_list *rrset, ldns_rr *rrsig, 712 ldns_rr *key, time_t check_time); 713 714 715 #if LDNS_BUILD_CONFIG_HAVE_SSL 716 /** 717 * verifies a buffer with signature data for a buffer with rrset data 718 * with an EVP_PKEY 719 * 720 * \param[in] sig the signature data 721 * \param[in] rrset the rrset data, sorted and processed for verification 722 * \param[in] key the EVP key structure 723 * \param[in] digest_type The digest type of the signature 724 */ 725 ldns_status ldns_verify_rrsig_evp(ldns_buffer *sig, 726 ldns_buffer *rrset, 727 EVP_PKEY *key, 728 const EVP_MD *digest_type); 729 730 /** 731 * Like ldns_verify_rrsig_evp, but uses raw signature data. 732 * \param[in] sig the signature data, wireformat uncompressed 733 * \param[in] siglen length of the signature data 734 * \param[in] rrset the rrset data, sorted and processed for verification 735 * \param[in] key the EVP key structure 736 * \param[in] digest_type The digest type of the signature 737 */ 738 ldns_status ldns_verify_rrsig_evp_raw(const unsigned char *sig, 739 size_t siglen, 740 const ldns_buffer *rrset, 741 EVP_PKEY *key, 742 const EVP_MD *digest_type); 743 #endif 744 745 /** 746 * verifies a buffer with signature data (DSA) for a buffer with rrset data 747 * with a buffer with key data. 748 * 749 * \param[in] sig the signature data 750 * \param[in] rrset the rrset data, sorted and processed for verification 751 * \param[in] key the key data 752 */ 753 ldns_status ldns_verify_rrsig_dsa(ldns_buffer *sig, 754 ldns_buffer *rrset, 755 ldns_buffer *key); 756 757 /** 758 * verifies a buffer with signature data (RSASHA1) for a buffer with rrset data 759 * with a buffer with key data. 760 * 761 * \param[in] sig the signature data 762 * \param[in] rrset the rrset data, sorted and processed for verification 763 * \param[in] key the key data 764 */ 765 ldns_status ldns_verify_rrsig_rsasha1(ldns_buffer *sig, 766 ldns_buffer *rrset, 767 ldns_buffer *key); 768 769 /** 770 * verifies a buffer with signature data (RSAMD5) for a buffer with rrset data 771 * with a buffer with key data. 772 * 773 * \param[in] sig the signature data 774 * \param[in] rrset the rrset data, sorted and processed for verification 775 * \param[in] key the key data 776 */ 777 ldns_status ldns_verify_rrsig_rsamd5(ldns_buffer *sig, 778 ldns_buffer *rrset, 779 ldns_buffer *key); 780 781 /** 782 * Like ldns_verify_rrsig_dsa, but uses raw signature and key data. 783 * \param[in] sig raw uncompressed wireformat signature data 784 * \param[in] siglen length of signature data 785 * \param[in] rrset ldns buffer with prepared rrset data. 786 * \param[in] key raw uncompressed wireformat key data 787 * \param[in] keylen length of key data 788 */ 789 ldns_status ldns_verify_rrsig_dsa_raw(unsigned char* sig, 790 size_t siglen, 791 ldns_buffer* rrset, 792 unsigned char* key, 793 size_t keylen); 794 795 /** 796 * Like ldns_verify_rrsig_rsasha1, but uses raw signature and key data. 797 * \param[in] sig raw uncompressed wireformat signature data 798 * \param[in] siglen length of signature data 799 * \param[in] rrset ldns buffer with prepared rrset data. 800 * \param[in] key raw uncompressed wireformat key data 801 * \param[in] keylen length of key data 802 */ 803 ldns_status ldns_verify_rrsig_rsasha1_raw(unsigned char* sig, 804 size_t siglen, 805 ldns_buffer* rrset, 806 unsigned char* key, 807 size_t keylen); 808 809 /** 810 * Like ldns_verify_rrsig_rsasha256, but uses raw signature and key data. 811 * \param[in] sig raw uncompressed wireformat signature data 812 * \param[in] siglen length of signature data 813 * \param[in] rrset ldns buffer with prepared rrset data. 814 * \param[in] key raw uncompressed wireformat key data 815 * \param[in] keylen length of key data 816 */ 817 818 ldns_status ldns_verify_rrsig_rsasha256_raw(unsigned char* sig, 819 size_t siglen, 820 ldns_buffer* rrset, 821 unsigned char* key, 822 size_t keylen); 823 824 /** 825 * Like ldns_verify_rrsig_rsasha512, but uses raw signature and key data. 826 * \param[in] sig raw uncompressed wireformat signature data 827 * \param[in] siglen length of signature data 828 * \param[in] rrset ldns buffer with prepared rrset data. 829 * \param[in] key raw uncompressed wireformat key data 830 * \param[in] keylen length of key data 831 */ 832 ldns_status ldns_verify_rrsig_rsasha512_raw(unsigned char* sig, 833 size_t siglen, 834 ldns_buffer* rrset, 835 unsigned char* key, 836 size_t keylen); 837 838 /** 839 * Like ldns_verify_rrsig_rsamd5, but uses raw signature and key data. 840 * \param[in] sig raw uncompressed wireformat signature data 841 * \param[in] siglen length of signature data 842 * \param[in] rrset ldns buffer with prepared rrset data. 843 * \param[in] key raw uncompressed wireformat key data 844 * \param[in] keylen length of key data 845 */ 846 ldns_status ldns_verify_rrsig_rsamd5_raw(unsigned char* sig, 847 size_t siglen, 848 ldns_buffer* rrset, 849 unsigned char* key, 850 size_t keylen); 851 852 #ifdef __cplusplus 853 } 854 #endif 855 856 #endif 857 858