1 /** dnssec_verify */ 2 3 #ifndef LDNS_DNSSEC_VERIFY_H 4 #define LDNS_DNSSEC_VERIFY_H 5 6 #define LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS 10 7 8 #include <ldns/dnssec.h> 9 #include <ldns/host2str.h> 10 11 #ifdef __cplusplus 12 extern "C" { 13 #endif 14 15 /** 16 * Chain structure that contains all DNSSEC data needed to 17 * verify an rrset 18 */ 19 typedef struct ldns_dnssec_data_chain_struct ldns_dnssec_data_chain; 20 struct ldns_dnssec_data_chain_struct 21 { 22 ldns_rr_list *rrset; 23 ldns_rr_list *signatures; 24 ldns_rr_type parent_type; 25 ldns_dnssec_data_chain *parent; 26 ldns_pkt_rcode packet_rcode; 27 ldns_rr_type packet_qtype; 28 bool packet_nodata; 29 }; 30 31 /** 32 * Creates a new dnssec_chain structure 33 * \return ldns_dnssec_data_chain * 34 */ 35 ldns_dnssec_data_chain *ldns_dnssec_data_chain_new(); 36 37 /** 38 * Frees a dnssec_data_chain structure 39 * 40 * \param[in] *chain The chain to free 41 */ 42 void ldns_dnssec_data_chain_free(ldns_dnssec_data_chain *chain); 43 44 /** 45 * Frees a dnssec_data_chain structure, and all data 46 * contained therein 47 * 48 * \param[in] *chain The dnssec_data_chain to free 49 */ 50 void ldns_dnssec_data_chain_deep_free(ldns_dnssec_data_chain *chain); 51 52 /** 53 * Prints the dnssec_data_chain to the given file stream 54 * 55 * \param[in] *out The file stream to print to 56 * \param[in] *chain The dnssec_data_chain to print 57 */ 58 void ldns_dnssec_data_chain_print(FILE *out, const ldns_dnssec_data_chain *chain); 59 60 /** 61 * Prints the dnssec_data_chain to the given file stream 62 * 63 * \param[in] *out The file stream to print to 64 * \param[in] *fmt The format of the textual representation 65 * \param[in] *chain The dnssec_data_chain to print 66 */ 67 void ldns_dnssec_data_chain_print_fmt(FILE *out, 68 const ldns_output_format *fmt, 69 const ldns_dnssec_data_chain *chain); 70 71 /** 72 * Build an ldns_dnssec_data_chain, which contains all 73 * DNSSEC data that is needed to derive the trust tree later 74 * 75 * The data_set will be cloned 76 * 77 * \param[in] *res resolver structure for further needed queries 78 * \param[in] qflags resolution flags 79 * \param[in] *data_set The original rrset where the chain ends 80 * \param[in] *pkt optional, can contain the original packet 81 * (and hence the sigs and maybe the key) 82 * \param[in] *orig_rr The original Resource Record 83 * 84 * \return the DNSSEC data chain 85 */ 86 ldns_dnssec_data_chain *ldns_dnssec_build_data_chain(ldns_resolver *res, 87 const uint16_t qflags, 88 const ldns_rr_list *data_set, 89 const ldns_pkt *pkt, 90 ldns_rr *orig_rr); 91 92 /** 93 * Tree structure that contains the relation of DNSSEC data, 94 * and their cryptographic status. 95 * 96 * This tree is derived from a data_chain, and can be used 97 * to look whether there is a connection between an RRSET 98 * and a trusted key. The tree only contains pointers to the 99 * data_chain, and therefore one should *never* free() the 100 * data_chain when there is still a trust tree derived from 101 * that chain. 102 * 103 * Example tree: 104 * key key key 105 * \ | / 106 * \ | / 107 * \ | / 108 * ds 109 * | 110 * key 111 * | 112 * key 113 * | 114 * rr 115 * 116 * For each signature there is a parent; if the parent 117 * pointer is null, it couldn't be found and there was no 118 * denial; otherwise is a tree which contains either a 119 * DNSKEY, a DS, or a NSEC rr 120 */ 121 typedef struct ldns_dnssec_trust_tree_struct ldns_dnssec_trust_tree; 122 struct ldns_dnssec_trust_tree_struct 123 { 124 ldns_rr *rr; 125 /* the complete rrset this rr was in */ 126 ldns_rr_list *rrset; 127 ldns_dnssec_trust_tree *parents[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS]; 128 ldns_status parent_status[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS]; 129 /** for debugging, add signatures too (you might want 130 those if they contain errors) */ 131 ldns_rr *parent_signature[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS]; 132 size_t parent_count; 133 }; 134 135 /** 136 * Creates a new (empty) dnssec_trust_tree structure 137 * 138 * \return ldns_dnssec_trust_tree * 139 */ 140 ldns_dnssec_trust_tree *ldns_dnssec_trust_tree_new(); 141 142 /** 143 * Frees the dnssec_trust_tree recursively 144 * 145 * There is no deep free; all data in the trust tree 146 * consists of pointers to a data_chain 147 * 148 * \param[in] tree The tree to free 149 */ 150 void ldns_dnssec_trust_tree_free(ldns_dnssec_trust_tree *tree); 151 152 /** 153 * returns the depth of the trust tree 154 * 155 * \param[in] tree tree to calculate the depth of 156 * \return The depth of the tree 157 */ 158 size_t ldns_dnssec_trust_tree_depth(ldns_dnssec_trust_tree *tree); 159 160 /** 161 * Prints the dnssec_trust_tree structure to the given file 162 * stream. 163 * 164 * If a link status is not LDNS_STATUS_OK; the status and 165 * relevant signatures are printed too 166 * 167 * \param[in] *out The file stream to print to 168 * \param[in] tree The trust tree to print 169 * \param[in] tabs Prepend each line with tabs*2 spaces 170 * \param[in] extended If true, add little explanation lines to the output 171 */ 172 void ldns_dnssec_trust_tree_print(FILE *out, 173 ldns_dnssec_trust_tree *tree, 174 size_t tabs, 175 bool extended); 176 177 /** 178 * Prints the dnssec_trust_tree structure to the given file 179 * stream. 180 * 181 * If a link status is not LDNS_STATUS_OK; the status and 182 * relevant signatures are printed too 183 * 184 * \param[in] *out The file stream to print to 185 * \param[in] *fmt The format of the textual representation 186 * \param[in] tree The trust tree to print 187 * \param[in] tabs Prepend each line with tabs*2 spaces 188 * \param[in] extended If true, add little explanation lines to the output 189 */ 190 void ldns_dnssec_trust_tree_print_fmt(FILE *out, 191 const ldns_output_format *fmt, 192 ldns_dnssec_trust_tree *tree, 193 size_t tabs, 194 bool extended); 195 196 /** 197 * Adds a trust tree as a parent for the given trust tree 198 * 199 * \param[in] *tree The tree to add the parent to 200 * \param[in] *parent The parent tree to add 201 * \param[in] *parent_signature The RRSIG relevant to this parent/child 202 * connection 203 * \param[in] parent_status The DNSSEC status for this parent, child and RRSIG 204 * \return LDNS_STATUS_OK if the addition succeeds, error otherwise 205 */ 206 ldns_status ldns_dnssec_trust_tree_add_parent(ldns_dnssec_trust_tree *tree, 207 const ldns_dnssec_trust_tree *parent, 208 const ldns_rr *parent_signature, 209 const ldns_status parent_status); 210 211 /** 212 * Generates a dnssec_trust_ttree for the given rr from the 213 * given data_chain 214 * 215 * This does not clone the actual data; Don't free the 216 * data_chain before you are done with this tree 217 * 218 * \param[in] *data_chain The chain to derive the trust tree from 219 * \param[in] *rr The RR this tree will be about 220 * \return ldns_dnssec_trust_tree * 221 */ 222 ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree( 223 ldns_dnssec_data_chain *data_chain, 224 ldns_rr *rr); 225 226 /** 227 * Sub function for derive_trust_tree that is used for a 'normal' rrset 228 * 229 * \param[in] new_tree The trust tree that we are building 230 * \param[in] data_chain The data chain containing the data for the trust tree 231 * \param[in] cur_sig_rr The currently relevant signature 232 */ 233 void ldns_dnssec_derive_trust_tree_normal_rrset( 234 ldns_dnssec_trust_tree *new_tree, 235 ldns_dnssec_data_chain *data_chain, 236 ldns_rr *cur_sig_rr); 237 238 /** 239 * Sub function for derive_trust_tree that is used for DNSKEY rrsets 240 * 241 * \param[in] new_tree The trust tree that we are building 242 * \param[in] data_chain The data chain containing the data for the trust tree 243 * \param[in] cur_rr The currently relevant DNSKEY RR 244 * \param[in] cur_sig_rr The currently relevant signature 245 */ 246 void ldns_dnssec_derive_trust_tree_dnskey_rrset( 247 ldns_dnssec_trust_tree *new_tree, 248 ldns_dnssec_data_chain *data_chain, 249 ldns_rr *cur_rr, 250 ldns_rr *cur_sig_rr); 251 252 /** 253 * Sub function for derive_trust_tree that is used for DS rrsets 254 * 255 * \param[in] new_tree The trust tree that we are building 256 * \param[in] data_chain The data chain containing the data for the trust tree 257 * \param[in] cur_rr The currently relevant DS RR 258 */ 259 void ldns_dnssec_derive_trust_tree_ds_rrset( 260 ldns_dnssec_trust_tree *new_tree, 261 ldns_dnssec_data_chain *data_chain, 262 ldns_rr *cur_rr); 263 264 /** 265 * Sub function for derive_trust_tree that is used when there are no 266 * signatures 267 * 268 * \param[in] new_tree The trust tree that we are building 269 * \param[in] data_chain The data chain containing the data for the trust tree 270 */ 271 void ldns_dnssec_derive_trust_tree_no_sig( 272 ldns_dnssec_trust_tree *new_tree, 273 ldns_dnssec_data_chain *data_chain); 274 275 /** 276 * Returns OK if there is a trusted path in the tree to one of 277 * the DNSKEY or DS RRs in the given list 278 * 279 * \param *tree The trust tree so search 280 * \param *keys A ldns_rr_list of DNSKEY and DS rrs to look for 281 * \return LDNS_STATUS_OK if there is a trusted path to one of 282 * the keys, or the *first* error encountered 283 * if there were no paths 284 */ 285 ldns_status ldns_dnssec_trust_tree_contains_keys( 286 ldns_dnssec_trust_tree *tree, 287 ldns_rr_list *keys); 288 289 /** 290 * Verifies a list of signatures for one rrset. 291 * 292 * \param[in] rrset the rrset to verify 293 * \param[in] rrsig a list of signatures to check 294 * \param[in] keys a list of keys to check with 295 * \param[out] good_keys if this is a (initialized) list, the pointer to keys 296 * from keys that validate one of the signatures 297 * are added to it 298 * \return status LDNS_STATUS_OK if there is at least one correct key 299 */ 300 ldns_status ldns_verify(ldns_rr_list *rrset, 301 ldns_rr_list *rrsig, 302 const ldns_rr_list *keys, 303 ldns_rr_list *good_keys); 304 305 /** 306 * Verifies a list of signatures for one rrset, but disregard the time. 307 * Inception and Expiration are not checked. 308 * 309 * \param[in] rrset the rrset to verify 310 * \param[in] rrsig a list of signatures to check 311 * \param[in] keys a list of keys to check with 312 * \param[out] good_keys if this is a (initialized) list, the pointer to keys 313 * from keys that validate one of the signatures 314 * are added to it 315 * \return status LDNS_STATUS_OK if there is at least one correct key 316 */ 317 ldns_status ldns_verify_notime(ldns_rr_list *rrset, 318 ldns_rr_list *rrsig, 319 const ldns_rr_list *keys, 320 ldns_rr_list *good_keys); 321 322 /** 323 * Tries to build an authentication chain from the given 324 * keys down to the queried domain. 325 * 326 * If we find a valid trust path, return the valid keys for the domain. 327 * 328 * \param[in] res the current resolver 329 * \param[in] domain the domain we want valid keys for 330 * \param[in] keys the current set of trusted keys 331 * \param[out] status pointer to the status variable where the result 332 * code will be stored 333 * \return the set of trusted keys for the domain, or NULL if no 334 * trust path could be built. 335 */ 336 ldns_rr_list *ldns_fetch_valid_domain_keys(const ldns_resolver * res, 337 const ldns_rdf * domain, 338 const ldns_rr_list * keys, 339 ldns_status *status); 340 341 /** 342 * Validates the DNSKEY RRset for the given domain using the provided 343 * trusted keys. 344 * 345 * \param[in] res the current resolver 346 * \param[in] domain the domain we want valid keys for 347 * \param[in] keys the current set of trusted keys 348 * \return the set of trusted keys for the domain, or NULL if the RRSET 349 * could not be validated 350 */ 351 ldns_rr_list *ldns_validate_domain_dnskey (const ldns_resolver *res, 352 const ldns_rdf *domain, 353 const ldns_rr_list *keys); 354 355 /** 356 * Validates the DS RRset for the given domain using the provided trusted keys. 357 * 358 * \param[in] res the current resolver 359 * \param[in] domain the domain we want valid keys for 360 * \param[in] keys the current set of trusted keys 361 * \return the set of trusted keys for the domain, or NULL if the RRSET could not be validated 362 */ 363 ldns_rr_list *ldns_validate_domain_ds(const ldns_resolver *res, 364 const ldns_rdf * 365 domain, 366 const ldns_rr_list * keys); 367 368 /** 369 * Verifies a list of signatures for one RRset using a valid trust path. 370 * 371 * \param[in] res the current resolver 372 * \param[in] rrset the rrset to verify 373 * \param[in] rrsigs a list of signatures to check 374 * \param[out] validating_keys if this is a (initialized) list, the 375 * keys from keys that validate one of 376 * the signatures are added to it 377 * \return status LDNS_STATUS_OK if there is at least one correct key 378 */ 379 ldns_status ldns_verify_trusted(ldns_resolver *res, 380 ldns_rr_list *rrset, 381 ldns_rr_list *rrsigs, 382 ldns_rr_list *validating_keys); 383 384 /** 385 * denial is not just a river in egypt 386 * 387 * \param[in] rr The (query) RR to check the denial of existence for 388 * \param[in] nsecs The list of NSEC RRs that are supposed to deny the 389 * existence of the RR 390 * \param[in] rrsigs The RRSIG RR covering the NSEC RRs 391 * \return LDNS_STATUS_OK if the NSEC RRs deny the existence, error code 392 * containing the reason they do not otherwise 393 */ 394 ldns_status ldns_dnssec_verify_denial(ldns_rr *rr, 395 ldns_rr_list *nsecs, 396 ldns_rr_list *rrsigs); 397 398 /** 399 * Denial of existence using NSEC3 records 400 * Since NSEC3 is a bit more complicated than normal denial, some 401 * context arguments are needed 402 * 403 * \param[in] rr The (query) RR to check the denial of existence for 404 * \param[in] nsecs The list of NSEC3 RRs that are supposed to deny the 405 * existence of the RR 406 * \param[in] rrsigs The RRSIG rr covering the NSEC RRs 407 * \param[in] packet_rcode The RCODE value of the packet that provided the 408 * NSEC3 RRs 409 * \param[in] packet_qtype The original query RR type 410 * \param[in] packet_nodata True if the providing packet had an empty ANSWER 411 * section 412 * \return LDNS_STATUS_OK if the NSEC3 RRs deny the existence, error code 413 * containing the reason they do not otherwise 414 */ 415 ldns_status ldns_dnssec_verify_denial_nsec3(ldns_rr *rr, 416 ldns_rr_list *nsecs, 417 ldns_rr_list *rrsigs, 418 ldns_pkt_rcode packet_rcode, 419 ldns_rr_type packet_qtype, 420 bool packet_nodata); 421 422 /** 423 * Same as ldns_status ldns_dnssec_verify_denial_nsec3 but also returns 424 * the nsec rr that matched. 425 * 426 * \param[in] rr The (query) RR to check the denial of existence for 427 * \param[in] nsecs The list of NSEC3 RRs that are supposed to deny the 428 * existence of the RR 429 * \param[in] rrsigs The RRSIG rr covering the NSEC RRs 430 * \param[in] packet_rcode The RCODE value of the packet that provided the 431 * NSEC3 RRs 432 * \param[in] packet_qtype The original query RR type 433 * \param[in] packet_nodata True if the providing packet had an empty ANSWER 434 * section 435 * \param[in] match On match, the given (reference to a) pointer will be set 436 * to point to the matching nsec resource record. 437 * \return LDNS_STATUS_OK if the NSEC3 RRs deny the existence, error code 438 * containing the reason they do not otherwise 439 */ 440 ldns_status ldns_dnssec_verify_denial_nsec3_match(ldns_rr *rr, 441 ldns_rr_list *nsecs, 442 ldns_rr_list *rrsigs, 443 ldns_pkt_rcode packet_rcode, 444 ldns_rr_type packet_qtype, 445 bool packet_nodata, 446 ldns_rr **match); 447 /** 448 * Verifies the already processed data in the buffers 449 * This function should probably not be used directly. 450 * 451 * \param[in] rawsig_buf Buffer containing signature data to use 452 * \param[in] verify_buf Buffer containing data to verify 453 * \param[in] key_buf Buffer containing key data to use 454 * \param[in] algo Signing algorithm 455 * \return status LDNS_STATUS_OK if the data verifies. Error if not. 456 */ 457 ldns_status ldns_verify_rrsig_buffers(ldns_buffer *rawsig_buf, 458 ldns_buffer *verify_buf, 459 ldns_buffer *key_buf, 460 uint8_t algo); 461 462 /** 463 * Like ldns_verify_rrsig_buffers, but uses raw data. 464 * 465 * \param[in] sig signature data to use 466 * \param[in] siglen length of signature data to use 467 * \param[in] verify_buf Buffer containing data to verify 468 * \param[in] key key data to use 469 * \param[in] keylen length of key data to use 470 * \param[in] algo Signing algorithm 471 * \return status LDNS_STATUS_OK if the data verifies. Error if not. 472 */ 473 ldns_status ldns_verify_rrsig_buffers_raw(unsigned char* sig, 474 size_t siglen, 475 ldns_buffer *verify_buf, 476 unsigned char* key, 477 size_t keylen, 478 uint8_t algo); 479 480 /** 481 * Verifies an rrsig. All keys in the keyset are tried. 482 * \param[in] rrset the rrset to check 483 * \param[in] rrsig the signature of the rrset 484 * \param[in] keys the keys to try 485 * \param[out] good_keys if this is a (initialized) list, the pointer to keys 486 * from keys that validate one of the signatures 487 * are added to it 488 * \return a list of keys which validate the rrsig + rrset. Returns 489 * status LDNS_STATUS_OK if at least one key matched. Else an error. 490 */ 491 ldns_status ldns_verify_rrsig_keylist(ldns_rr_list *rrset, 492 ldns_rr *rrsig, 493 const ldns_rr_list *keys, 494 ldns_rr_list *good_keys); 495 496 /** 497 * Verifies an rrsig. All keys in the keyset are tried. Time is not checked. 498 * \param[in] rrset the rrset to check 499 * \param[in] rrsig the signature of the rrset 500 * \param[in] keys the keys to try 501 * \param[out] good_keys if this is a (initialized) list, the pointer to keys 502 * from keys that validate one of the signatures 503 * are added to it 504 * \return a list of keys which validate the rrsig + rrset. Returns 505 * status LDNS_STATUS_OK if at least one key matched. Else an error. 506 */ 507 ldns_status ldns_verify_rrsig_keylist_notime(ldns_rr_list *rrset, 508 ldns_rr *rrsig, 509 const ldns_rr_list *keys, 510 ldns_rr_list *good_keys); 511 512 /** 513 * verify an rrsig with 1 key 514 * \param[in] rrset the rrset 515 * \param[in] rrsig the rrsig to verify 516 * \param[in] key the key to use 517 * \return status message wether verification succeeded. 518 */ 519 ldns_status ldns_verify_rrsig(ldns_rr_list *rrset, 520 ldns_rr *rrsig, 521 ldns_rr *key); 522 523 #if LDNS_BUILD_CONFIG_HAVE_SSL 524 /** 525 * verifies a buffer with signature data for a buffer with rrset data 526 * with an EVP_PKEY 527 * 528 * \param[in] sig the signature data 529 * \param[in] rrset the rrset data, sorted and processed for verification 530 * \param[in] key the EVP key structure 531 * \param[in] digest_type The digest type of the signature 532 */ 533 ldns_status ldns_verify_rrsig_evp(ldns_buffer *sig, 534 ldns_buffer *rrset, 535 EVP_PKEY *key, 536 const EVP_MD *digest_type); 537 538 /** 539 * Like ldns_verify_rrsig_evp, but uses raw signature data. 540 * \param[in] sig the signature data, wireformat uncompressed 541 * \param[in] siglen length of the signature data 542 * \param[in] rrset the rrset data, sorted and processed for verification 543 * \param[in] key the EVP key structure 544 * \param[in] digest_type The digest type of the signature 545 */ 546 ldns_status ldns_verify_rrsig_evp_raw(unsigned char *sig, 547 size_t siglen, 548 ldns_buffer *rrset, 549 EVP_PKEY *key, 550 const EVP_MD *digest_type); 551 #endif 552 553 /** 554 * verifies a buffer with signature data (DSA) for a buffer with rrset data 555 * with a buffer with key data. 556 * 557 * \param[in] sig the signature data 558 * \param[in] rrset the rrset data, sorted and processed for verification 559 * \param[in] key the key data 560 */ 561 ldns_status ldns_verify_rrsig_dsa(ldns_buffer *sig, 562 ldns_buffer *rrset, 563 ldns_buffer *key); 564 565 /** 566 * verifies a buffer with signature data (RSASHA1) for a buffer with rrset data 567 * with a buffer with key data. 568 * 569 * \param[in] sig the signature data 570 * \param[in] rrset the rrset data, sorted and processed for verification 571 * \param[in] key the key data 572 */ 573 ldns_status ldns_verify_rrsig_rsasha1(ldns_buffer *sig, 574 ldns_buffer *rrset, 575 ldns_buffer *key); 576 577 /** 578 * verifies a buffer with signature data (RSAMD5) for a buffer with rrset data 579 * with a buffer with key data. 580 * 581 * \param[in] sig the signature data 582 * \param[in] rrset the rrset data, sorted and processed for verification 583 * \param[in] key the key data 584 */ 585 ldns_status ldns_verify_rrsig_rsamd5(ldns_buffer *sig, 586 ldns_buffer *rrset, 587 ldns_buffer *key); 588 589 /** 590 * Like ldns_verify_rrsig_dsa, but uses raw signature and key data. 591 * \param[in] sig raw uncompressed wireformat signature data 592 * \param[in] siglen length of signature data 593 * \param[in] rrset ldns buffer with prepared rrset data. 594 * \param[in] key raw uncompressed wireformat key data 595 * \param[in] keylen length of key data 596 */ 597 ldns_status ldns_verify_rrsig_dsa_raw(unsigned char* sig, 598 size_t siglen, 599 ldns_buffer* rrset, 600 unsigned char* key, 601 size_t keylen); 602 603 /** 604 * Like ldns_verify_rrsig_rsasha1, but uses raw signature and key data. 605 * \param[in] sig raw uncompressed wireformat signature data 606 * \param[in] siglen length of signature data 607 * \param[in] rrset ldns buffer with prepared rrset data. 608 * \param[in] key raw uncompressed wireformat key data 609 * \param[in] keylen length of key data 610 */ 611 ldns_status ldns_verify_rrsig_rsasha1_raw(unsigned char* sig, 612 size_t siglen, 613 ldns_buffer* rrset, 614 unsigned char* key, 615 size_t keylen); 616 617 /** 618 * Like ldns_verify_rrsig_rsasha256, but uses raw signature and key data. 619 * \param[in] sig raw uncompressed wireformat signature data 620 * \param[in] siglen length of signature data 621 * \param[in] rrset ldns buffer with prepared rrset data. 622 * \param[in] key raw uncompressed wireformat key data 623 * \param[in] keylen length of key data 624 */ 625 626 ldns_status ldns_verify_rrsig_rsasha256_raw(unsigned char* sig, 627 size_t siglen, 628 ldns_buffer* rrset, 629 unsigned char* key, 630 size_t keylen); 631 632 /** 633 * Like ldns_verify_rrsig_rsasha512, but uses raw signature and key data. 634 * \param[in] sig raw uncompressed wireformat signature data 635 * \param[in] siglen length of signature data 636 * \param[in] rrset ldns buffer with prepared rrset data. 637 * \param[in] key raw uncompressed wireformat key data 638 * \param[in] keylen length of key data 639 */ 640 ldns_status ldns_verify_rrsig_rsasha512_raw(unsigned char* sig, 641 size_t siglen, 642 ldns_buffer* rrset, 643 unsigned char* key, 644 size_t keylen); 645 646 /** 647 * Like ldns_verify_rrsig_rsamd5, but uses raw signature and key data. 648 * \param[in] sig raw uncompressed wireformat signature data 649 * \param[in] siglen length of signature data 650 * \param[in] rrset ldns buffer with prepared rrset data. 651 * \param[in] key raw uncompressed wireformat key data 652 * \param[in] keylen length of key data 653 */ 654 ldns_status ldns_verify_rrsig_rsamd5_raw(unsigned char* sig, 655 size_t siglen, 656 ldns_buffer* rrset, 657 unsigned char* key, 658 size_t keylen); 659 660 #ifdef __cplusplus 661 } 662 #endif 663 664 #endif 665 666