17b5038d7SDag-Erling Smørgrav /** dnssec_verify */ 27b5038d7SDag-Erling Smørgrav 37b5038d7SDag-Erling Smørgrav #ifndef LDNS_DNSSEC_VERIFY_H 47b5038d7SDag-Erling Smørgrav #define LDNS_DNSSEC_VERIFY_H 57b5038d7SDag-Erling Smørgrav 67b5038d7SDag-Erling Smørgrav #define LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS 10 77b5038d7SDag-Erling Smørgrav 87b5038d7SDag-Erling Smørgrav #include <ldns/dnssec.h> 97b5038d7SDag-Erling Smørgrav #include <ldns/host2str.h> 107b5038d7SDag-Erling Smørgrav 117b5038d7SDag-Erling Smørgrav #ifdef __cplusplus 127b5038d7SDag-Erling Smørgrav extern "C" { 137b5038d7SDag-Erling Smørgrav #endif 147b5038d7SDag-Erling Smørgrav 157b5038d7SDag-Erling Smørgrav /** 167b5038d7SDag-Erling Smørgrav * Chain structure that contains all DNSSEC data needed to 177b5038d7SDag-Erling Smørgrav * verify an rrset 187b5038d7SDag-Erling Smørgrav */ 197b5038d7SDag-Erling Smørgrav typedef struct ldns_dnssec_data_chain_struct ldns_dnssec_data_chain; 207b5038d7SDag-Erling Smørgrav struct ldns_dnssec_data_chain_struct 217b5038d7SDag-Erling Smørgrav { 227b5038d7SDag-Erling Smørgrav ldns_rr_list *rrset; 237b5038d7SDag-Erling Smørgrav ldns_rr_list *signatures; 247b5038d7SDag-Erling Smørgrav ldns_rr_type parent_type; 257b5038d7SDag-Erling Smørgrav ldns_dnssec_data_chain *parent; 267b5038d7SDag-Erling Smørgrav ldns_pkt_rcode packet_rcode; 277b5038d7SDag-Erling Smørgrav ldns_rr_type packet_qtype; 287b5038d7SDag-Erling Smørgrav bool packet_nodata; 297b5038d7SDag-Erling Smørgrav }; 307b5038d7SDag-Erling Smørgrav 317b5038d7SDag-Erling Smørgrav /** 327b5038d7SDag-Erling Smørgrav * Creates a new dnssec_chain structure 337b5038d7SDag-Erling Smørgrav * \return ldns_dnssec_data_chain * 347b5038d7SDag-Erling Smørgrav */ 357b5038d7SDag-Erling Smørgrav ldns_dnssec_data_chain *ldns_dnssec_data_chain_new(void); 367b5038d7SDag-Erling Smørgrav 377b5038d7SDag-Erling Smørgrav /** 387b5038d7SDag-Erling Smørgrav * Frees a dnssec_data_chain structure 397b5038d7SDag-Erling Smørgrav * 407b5038d7SDag-Erling Smørgrav * \param[in] *chain The chain to free 417b5038d7SDag-Erling Smørgrav */ 427b5038d7SDag-Erling Smørgrav void ldns_dnssec_data_chain_free(ldns_dnssec_data_chain *chain); 437b5038d7SDag-Erling Smørgrav 447b5038d7SDag-Erling Smørgrav /** 457b5038d7SDag-Erling Smørgrav * Frees a dnssec_data_chain structure, and all data 467b5038d7SDag-Erling Smørgrav * contained therein 477b5038d7SDag-Erling Smørgrav * 487b5038d7SDag-Erling Smørgrav * \param[in] *chain The dnssec_data_chain to free 497b5038d7SDag-Erling Smørgrav */ 507b5038d7SDag-Erling Smørgrav void ldns_dnssec_data_chain_deep_free(ldns_dnssec_data_chain *chain); 517b5038d7SDag-Erling Smørgrav 527b5038d7SDag-Erling Smørgrav /** 537b5038d7SDag-Erling Smørgrav * Prints the dnssec_data_chain to the given file stream 547b5038d7SDag-Erling Smørgrav * 557b5038d7SDag-Erling Smørgrav * \param[in] *out The file stream to print to 567b5038d7SDag-Erling Smørgrav * \param[in] *chain The dnssec_data_chain to print 577b5038d7SDag-Erling Smørgrav */ 587b5038d7SDag-Erling Smørgrav void ldns_dnssec_data_chain_print(FILE *out, const ldns_dnssec_data_chain *chain); 597b5038d7SDag-Erling Smørgrav 607b5038d7SDag-Erling Smørgrav /** 617b5038d7SDag-Erling Smørgrav * Prints the dnssec_data_chain to the given file stream 627b5038d7SDag-Erling Smørgrav * 637b5038d7SDag-Erling Smørgrav * \param[in] *out The file stream to print to 647b5038d7SDag-Erling Smørgrav * \param[in] *fmt The format of the textual representation 657b5038d7SDag-Erling Smørgrav * \param[in] *chain The dnssec_data_chain to print 667b5038d7SDag-Erling Smørgrav */ 677b5038d7SDag-Erling Smørgrav void ldns_dnssec_data_chain_print_fmt(FILE *out, 687b5038d7SDag-Erling Smørgrav const ldns_output_format *fmt, 697b5038d7SDag-Erling Smørgrav const ldns_dnssec_data_chain *chain); 707b5038d7SDag-Erling Smørgrav 717b5038d7SDag-Erling Smørgrav /** 727b5038d7SDag-Erling Smørgrav * Build an ldns_dnssec_data_chain, which contains all 737b5038d7SDag-Erling Smørgrav * DNSSEC data that is needed to derive the trust tree later 747b5038d7SDag-Erling Smørgrav * 757b5038d7SDag-Erling Smørgrav * The data_set will be cloned 767b5038d7SDag-Erling Smørgrav * 777b5038d7SDag-Erling Smørgrav * \param[in] *res resolver structure for further needed queries 787b5038d7SDag-Erling Smørgrav * \param[in] qflags resolution flags 797b5038d7SDag-Erling Smørgrav * \param[in] *data_set The original rrset where the chain ends 807b5038d7SDag-Erling Smørgrav * \param[in] *pkt optional, can contain the original packet 817b5038d7SDag-Erling Smørgrav * (and hence the sigs and maybe the key) 827b5038d7SDag-Erling Smørgrav * \param[in] *orig_rr The original Resource Record 837b5038d7SDag-Erling Smørgrav * 847b5038d7SDag-Erling Smørgrav * \return the DNSSEC data chain 857b5038d7SDag-Erling Smørgrav */ 867b5038d7SDag-Erling Smørgrav ldns_dnssec_data_chain *ldns_dnssec_build_data_chain(ldns_resolver *res, 877b5038d7SDag-Erling Smørgrav const uint16_t qflags, 887b5038d7SDag-Erling Smørgrav const ldns_rr_list *data_set, 897b5038d7SDag-Erling Smørgrav const ldns_pkt *pkt, 907b5038d7SDag-Erling Smørgrav ldns_rr *orig_rr); 917b5038d7SDag-Erling Smørgrav 927b5038d7SDag-Erling Smørgrav /** 937b5038d7SDag-Erling Smørgrav * Tree structure that contains the relation of DNSSEC data, 947b5038d7SDag-Erling Smørgrav * and their cryptographic status. 957b5038d7SDag-Erling Smørgrav * 967b5038d7SDag-Erling Smørgrav * This tree is derived from a data_chain, and can be used 977b5038d7SDag-Erling Smørgrav * to look whether there is a connection between an RRSET 987b5038d7SDag-Erling Smørgrav * and a trusted key. The tree only contains pointers to the 997b5038d7SDag-Erling Smørgrav * data_chain, and therefore one should *never* free() the 1007b5038d7SDag-Erling Smørgrav * data_chain when there is still a trust tree derived from 1017b5038d7SDag-Erling Smørgrav * that chain. 1027b5038d7SDag-Erling Smørgrav * 1037b5038d7SDag-Erling Smørgrav * Example tree: 1047b5038d7SDag-Erling Smørgrav * key key key 1057b5038d7SDag-Erling Smørgrav * \ | / 1067b5038d7SDag-Erling Smørgrav * \ | / 1077b5038d7SDag-Erling Smørgrav * \ | / 1087b5038d7SDag-Erling Smørgrav * ds 1097b5038d7SDag-Erling Smørgrav * | 1107b5038d7SDag-Erling Smørgrav * key 1117b5038d7SDag-Erling Smørgrav * | 1127b5038d7SDag-Erling Smørgrav * key 1137b5038d7SDag-Erling Smørgrav * | 1147b5038d7SDag-Erling Smørgrav * rr 1157b5038d7SDag-Erling Smørgrav * 1167b5038d7SDag-Erling Smørgrav * For each signature there is a parent; if the parent 1177b5038d7SDag-Erling Smørgrav * pointer is null, it couldn't be found and there was no 1187b5038d7SDag-Erling Smørgrav * denial; otherwise is a tree which contains either a 1197b5038d7SDag-Erling Smørgrav * DNSKEY, a DS, or a NSEC rr 1207b5038d7SDag-Erling Smørgrav */ 1217b5038d7SDag-Erling Smørgrav typedef struct ldns_dnssec_trust_tree_struct ldns_dnssec_trust_tree; 1227b5038d7SDag-Erling Smørgrav struct ldns_dnssec_trust_tree_struct 1237b5038d7SDag-Erling Smørgrav { 1247b5038d7SDag-Erling Smørgrav ldns_rr *rr; 1257b5038d7SDag-Erling Smørgrav /* the complete rrset this rr was in */ 1267b5038d7SDag-Erling Smørgrav ldns_rr_list *rrset; 1277b5038d7SDag-Erling Smørgrav ldns_dnssec_trust_tree *parents[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS]; 1287b5038d7SDag-Erling Smørgrav ldns_status parent_status[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS]; 1297b5038d7SDag-Erling Smørgrav /** for debugging, add signatures too (you might want 1307b5038d7SDag-Erling Smørgrav those if they contain errors) */ 1317b5038d7SDag-Erling Smørgrav ldns_rr *parent_signature[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS]; 1327b5038d7SDag-Erling Smørgrav size_t parent_count; 1337b5038d7SDag-Erling Smørgrav }; 1347b5038d7SDag-Erling Smørgrav 1357b5038d7SDag-Erling Smørgrav /** 1367b5038d7SDag-Erling Smørgrav * Creates a new (empty) dnssec_trust_tree structure 1377b5038d7SDag-Erling Smørgrav * 1387b5038d7SDag-Erling Smørgrav * \return ldns_dnssec_trust_tree * 1397b5038d7SDag-Erling Smørgrav */ 1407b5038d7SDag-Erling Smørgrav ldns_dnssec_trust_tree *ldns_dnssec_trust_tree_new(void); 1417b5038d7SDag-Erling Smørgrav 1427b5038d7SDag-Erling Smørgrav /** 1437b5038d7SDag-Erling Smørgrav * Frees the dnssec_trust_tree recursively 1447b5038d7SDag-Erling Smørgrav * 1457b5038d7SDag-Erling Smørgrav * There is no deep free; all data in the trust tree 1467b5038d7SDag-Erling Smørgrav * consists of pointers to a data_chain 1477b5038d7SDag-Erling Smørgrav * 1487b5038d7SDag-Erling Smørgrav * \param[in] tree The tree to free 1497b5038d7SDag-Erling Smørgrav */ 1507b5038d7SDag-Erling Smørgrav void ldns_dnssec_trust_tree_free(ldns_dnssec_trust_tree *tree); 1517b5038d7SDag-Erling Smørgrav 1527b5038d7SDag-Erling Smørgrav /** 1537b5038d7SDag-Erling Smørgrav * returns the depth of the trust tree 1547b5038d7SDag-Erling Smørgrav * 1557b5038d7SDag-Erling Smørgrav * \param[in] tree tree to calculate the depth of 1567b5038d7SDag-Erling Smørgrav * \return The depth of the tree 1577b5038d7SDag-Erling Smørgrav */ 1587b5038d7SDag-Erling Smørgrav size_t ldns_dnssec_trust_tree_depth(ldns_dnssec_trust_tree *tree); 1597b5038d7SDag-Erling Smørgrav 1607b5038d7SDag-Erling Smørgrav /** 1617b5038d7SDag-Erling Smørgrav * Prints the dnssec_trust_tree structure to the given file 1627b5038d7SDag-Erling Smørgrav * stream. 1637b5038d7SDag-Erling Smørgrav * 1647b5038d7SDag-Erling Smørgrav * If a link status is not LDNS_STATUS_OK; the status and 1657b5038d7SDag-Erling Smørgrav * relevant signatures are printed too 1667b5038d7SDag-Erling Smørgrav * 1677b5038d7SDag-Erling Smørgrav * \param[in] *out The file stream to print to 1687b5038d7SDag-Erling Smørgrav * \param[in] tree The trust tree to print 1697b5038d7SDag-Erling Smørgrav * \param[in] tabs Prepend each line with tabs*2 spaces 1707b5038d7SDag-Erling Smørgrav * \param[in] extended If true, add little explanation lines to the output 1717b5038d7SDag-Erling Smørgrav */ 1727b5038d7SDag-Erling Smørgrav void ldns_dnssec_trust_tree_print(FILE *out, 1737b5038d7SDag-Erling Smørgrav ldns_dnssec_trust_tree *tree, 1747b5038d7SDag-Erling Smørgrav size_t tabs, 1757b5038d7SDag-Erling Smørgrav bool extended); 1767b5038d7SDag-Erling Smørgrav 1777b5038d7SDag-Erling Smørgrav /** 1787b5038d7SDag-Erling Smørgrav * Prints the dnssec_trust_tree structure to the given file 1797b5038d7SDag-Erling Smørgrav * stream. 1807b5038d7SDag-Erling Smørgrav * 1817b5038d7SDag-Erling Smørgrav * If a link status is not LDNS_STATUS_OK; the status and 1827b5038d7SDag-Erling Smørgrav * relevant signatures are printed too 1837b5038d7SDag-Erling Smørgrav * 1847b5038d7SDag-Erling Smørgrav * \param[in] *out The file stream to print to 1857b5038d7SDag-Erling Smørgrav * \param[in] *fmt The format of the textual representation 1867b5038d7SDag-Erling Smørgrav * \param[in] tree The trust tree to print 1877b5038d7SDag-Erling Smørgrav * \param[in] tabs Prepend each line with tabs*2 spaces 1887b5038d7SDag-Erling Smørgrav * \param[in] extended If true, add little explanation lines to the output 1897b5038d7SDag-Erling Smørgrav */ 1907b5038d7SDag-Erling Smørgrav void ldns_dnssec_trust_tree_print_fmt(FILE *out, 1917b5038d7SDag-Erling Smørgrav const ldns_output_format *fmt, 1927b5038d7SDag-Erling Smørgrav ldns_dnssec_trust_tree *tree, 1937b5038d7SDag-Erling Smørgrav size_t tabs, 1947b5038d7SDag-Erling Smørgrav bool extended); 1957b5038d7SDag-Erling Smørgrav 1967b5038d7SDag-Erling Smørgrav /** 1977b5038d7SDag-Erling Smørgrav * Adds a trust tree as a parent for the given trust tree 1987b5038d7SDag-Erling Smørgrav * 1997b5038d7SDag-Erling Smørgrav * \param[in] *tree The tree to add the parent to 2007b5038d7SDag-Erling Smørgrav * \param[in] *parent The parent tree to add 2017b5038d7SDag-Erling Smørgrav * \param[in] *parent_signature The RRSIG relevant to this parent/child 2027b5038d7SDag-Erling Smørgrav * connection 2037b5038d7SDag-Erling Smørgrav * \param[in] parent_status The DNSSEC status for this parent, child and RRSIG 2047b5038d7SDag-Erling Smørgrav * \return LDNS_STATUS_OK if the addition succeeds, error otherwise 2057b5038d7SDag-Erling Smørgrav */ 2067b5038d7SDag-Erling Smørgrav ldns_status ldns_dnssec_trust_tree_add_parent(ldns_dnssec_trust_tree *tree, 2077b5038d7SDag-Erling Smørgrav const ldns_dnssec_trust_tree *parent, 2087b5038d7SDag-Erling Smørgrav const ldns_rr *parent_signature, 2097b5038d7SDag-Erling Smørgrav const ldns_status parent_status); 2107b5038d7SDag-Erling Smørgrav 2117b5038d7SDag-Erling Smørgrav /** 2127b5038d7SDag-Erling Smørgrav * Generates a dnssec_trust_tree for the given rr from the 2137b5038d7SDag-Erling Smørgrav * given data_chain 2147b5038d7SDag-Erling Smørgrav * 2157b5038d7SDag-Erling Smørgrav * This does not clone the actual data; Don't free the 2167b5038d7SDag-Erling Smørgrav * data_chain before you are done with this tree 2177b5038d7SDag-Erling Smørgrav * 2187b5038d7SDag-Erling Smørgrav * \param[in] *data_chain The chain to derive the trust tree from 2197b5038d7SDag-Erling Smørgrav * \param[in] *rr The RR this tree will be about 2207b5038d7SDag-Erling Smørgrav * \return ldns_dnssec_trust_tree * 2217b5038d7SDag-Erling Smørgrav */ 2227b5038d7SDag-Erling Smørgrav ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree( 2237b5038d7SDag-Erling Smørgrav ldns_dnssec_data_chain *data_chain, 2247b5038d7SDag-Erling Smørgrav ldns_rr *rr); 2257b5038d7SDag-Erling Smørgrav 2267b5038d7SDag-Erling Smørgrav /** 2277b5038d7SDag-Erling Smørgrav * Generates a dnssec_trust_tree for the given rr from the 2287b5038d7SDag-Erling Smørgrav * given data_chain 2297b5038d7SDag-Erling Smørgrav * 2307b5038d7SDag-Erling Smørgrav * This does not clone the actual data; Don't free the 2317b5038d7SDag-Erling Smørgrav * data_chain before you are done with this tree 2327b5038d7SDag-Erling Smørgrav * 2337b5038d7SDag-Erling Smørgrav * \param[in] *data_chain The chain to derive the trust tree from 2347b5038d7SDag-Erling Smørgrav * \param[in] *rr The RR this tree will be about 2357b5038d7SDag-Erling Smørgrav * \param[in] check_time the time for which the validation is performed 2367b5038d7SDag-Erling Smørgrav * \return ldns_dnssec_trust_tree * 2377b5038d7SDag-Erling Smørgrav */ 2387b5038d7SDag-Erling Smørgrav ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree_time( 2397b5038d7SDag-Erling Smørgrav ldns_dnssec_data_chain *data_chain, 2407b5038d7SDag-Erling Smørgrav ldns_rr *rr, time_t check_time); 2417b5038d7SDag-Erling Smørgrav 2427b5038d7SDag-Erling Smørgrav /** 2437b5038d7SDag-Erling Smørgrav * Sub function for derive_trust_tree that is used for a 'normal' rrset 2447b5038d7SDag-Erling Smørgrav * 2457b5038d7SDag-Erling Smørgrav * \param[in] new_tree The trust tree that we are building 2467b5038d7SDag-Erling Smørgrav * \param[in] data_chain The data chain containing the data for the trust tree 2477b5038d7SDag-Erling Smørgrav * \param[in] cur_sig_rr The currently relevant signature 2487b5038d7SDag-Erling Smørgrav */ 2497b5038d7SDag-Erling Smørgrav void ldns_dnssec_derive_trust_tree_normal_rrset( 2507b5038d7SDag-Erling Smørgrav ldns_dnssec_trust_tree *new_tree, 2517b5038d7SDag-Erling Smørgrav ldns_dnssec_data_chain *data_chain, 2527b5038d7SDag-Erling Smørgrav ldns_rr *cur_sig_rr); 2537b5038d7SDag-Erling Smørgrav 2547b5038d7SDag-Erling Smørgrav /** 2557b5038d7SDag-Erling Smørgrav * Sub function for derive_trust_tree that is used for a 'normal' rrset 2567b5038d7SDag-Erling Smørgrav * 2577b5038d7SDag-Erling Smørgrav * \param[in] new_tree The trust tree that we are building 2587b5038d7SDag-Erling Smørgrav * \param[in] data_chain The data chain containing the data for the trust tree 2597b5038d7SDag-Erling Smørgrav * \param[in] cur_sig_rr The currently relevant signature 2607b5038d7SDag-Erling Smørgrav * \param[in] check_time the time for which the validation is performed 2617b5038d7SDag-Erling Smørgrav */ 2627b5038d7SDag-Erling Smørgrav void ldns_dnssec_derive_trust_tree_normal_rrset_time( 2637b5038d7SDag-Erling Smørgrav ldns_dnssec_trust_tree *new_tree, 2647b5038d7SDag-Erling Smørgrav ldns_dnssec_data_chain *data_chain, 2657b5038d7SDag-Erling Smørgrav ldns_rr *cur_sig_rr, time_t check_time); 2667b5038d7SDag-Erling Smørgrav 2677b5038d7SDag-Erling Smørgrav 2687b5038d7SDag-Erling Smørgrav /** 2697b5038d7SDag-Erling Smørgrav * Sub function for derive_trust_tree that is used for DNSKEY rrsets 2707b5038d7SDag-Erling Smørgrav * 2717b5038d7SDag-Erling Smørgrav * \param[in] new_tree The trust tree that we are building 2727b5038d7SDag-Erling Smørgrav * \param[in] data_chain The data chain containing the data for the trust tree 2737b5038d7SDag-Erling Smørgrav * \param[in] cur_rr The currently relevant DNSKEY RR 2747b5038d7SDag-Erling Smørgrav * \param[in] cur_sig_rr The currently relevant signature 2757b5038d7SDag-Erling Smørgrav */ 2767b5038d7SDag-Erling Smørgrav void ldns_dnssec_derive_trust_tree_dnskey_rrset( 2777b5038d7SDag-Erling Smørgrav ldns_dnssec_trust_tree *new_tree, 2787b5038d7SDag-Erling Smørgrav ldns_dnssec_data_chain *data_chain, 2797b5038d7SDag-Erling Smørgrav ldns_rr *cur_rr, 2807b5038d7SDag-Erling Smørgrav ldns_rr *cur_sig_rr); 2817b5038d7SDag-Erling Smørgrav 2827b5038d7SDag-Erling Smørgrav /** 2837b5038d7SDag-Erling Smørgrav * Sub function for derive_trust_tree that is used for DNSKEY rrsets 2847b5038d7SDag-Erling Smørgrav * 2857b5038d7SDag-Erling Smørgrav * \param[in] new_tree The trust tree that we are building 2867b5038d7SDag-Erling Smørgrav * \param[in] data_chain The data chain containing the data for the trust tree 2877b5038d7SDag-Erling Smørgrav * \param[in] cur_rr The currently relevant DNSKEY RR 2887b5038d7SDag-Erling Smørgrav * \param[in] cur_sig_rr The currently relevant signature 2897b5038d7SDag-Erling Smørgrav * \param[in] check_time the time for which the validation is performed 2907b5038d7SDag-Erling Smørgrav */ 2917b5038d7SDag-Erling Smørgrav void ldns_dnssec_derive_trust_tree_dnskey_rrset_time( 2927b5038d7SDag-Erling Smørgrav ldns_dnssec_trust_tree *new_tree, 2937b5038d7SDag-Erling Smørgrav ldns_dnssec_data_chain *data_chain, 2947b5038d7SDag-Erling Smørgrav ldns_rr *cur_rr, ldns_rr *cur_sig_rr, 2957b5038d7SDag-Erling Smørgrav time_t check_time); 2967b5038d7SDag-Erling Smørgrav 2977b5038d7SDag-Erling Smørgrav /** 2987b5038d7SDag-Erling Smørgrav * Sub function for derive_trust_tree that is used for DS rrsets 2997b5038d7SDag-Erling Smørgrav * 3007b5038d7SDag-Erling Smørgrav * \param[in] new_tree The trust tree that we are building 3017b5038d7SDag-Erling Smørgrav * \param[in] data_chain The data chain containing the data for the trust tree 3027b5038d7SDag-Erling Smørgrav * \param[in] cur_rr The currently relevant DS RR 3037b5038d7SDag-Erling Smørgrav */ 3047b5038d7SDag-Erling Smørgrav void ldns_dnssec_derive_trust_tree_ds_rrset( 3057b5038d7SDag-Erling Smørgrav ldns_dnssec_trust_tree *new_tree, 3067b5038d7SDag-Erling Smørgrav ldns_dnssec_data_chain *data_chain, 3077b5038d7SDag-Erling Smørgrav ldns_rr *cur_rr); 3087b5038d7SDag-Erling Smørgrav 3097b5038d7SDag-Erling Smørgrav /** 3107b5038d7SDag-Erling Smørgrav * Sub function for derive_trust_tree that is used for DS rrsets 3117b5038d7SDag-Erling Smørgrav * 3127b5038d7SDag-Erling Smørgrav * \param[in] new_tree The trust tree that we are building 3137b5038d7SDag-Erling Smørgrav * \param[in] data_chain The data chain containing the data for the trust tree 3147b5038d7SDag-Erling Smørgrav * \param[in] cur_rr The currently relevant DS RR 3157b5038d7SDag-Erling Smørgrav * \param[in] check_time the time for which the validation is performed 3167b5038d7SDag-Erling Smørgrav */ 3177b5038d7SDag-Erling Smørgrav void ldns_dnssec_derive_trust_tree_ds_rrset_time( 3187b5038d7SDag-Erling Smørgrav ldns_dnssec_trust_tree *new_tree, 3197b5038d7SDag-Erling Smørgrav ldns_dnssec_data_chain *data_chain, 3207b5038d7SDag-Erling Smørgrav ldns_rr *cur_rr, time_t check_time); 3217b5038d7SDag-Erling Smørgrav 3227b5038d7SDag-Erling Smørgrav /** 3237b5038d7SDag-Erling Smørgrav * Sub function for derive_trust_tree that is used when there are no 3247b5038d7SDag-Erling Smørgrav * signatures 3257b5038d7SDag-Erling Smørgrav * 3267b5038d7SDag-Erling Smørgrav * \param[in] new_tree The trust tree that we are building 3277b5038d7SDag-Erling Smørgrav * \param[in] data_chain The data chain containing the data for the trust tree 3287b5038d7SDag-Erling Smørgrav */ 3297b5038d7SDag-Erling Smørgrav void ldns_dnssec_derive_trust_tree_no_sig( 3307b5038d7SDag-Erling Smørgrav ldns_dnssec_trust_tree *new_tree, 3317b5038d7SDag-Erling Smørgrav ldns_dnssec_data_chain *data_chain); 3327b5038d7SDag-Erling Smørgrav 3337b5038d7SDag-Erling Smørgrav /** 3347b5038d7SDag-Erling Smørgrav * Sub function for derive_trust_tree that is used when there are no 3357b5038d7SDag-Erling Smørgrav * signatures 3367b5038d7SDag-Erling Smørgrav * 3377b5038d7SDag-Erling Smørgrav * \param[in] new_tree The trust tree that we are building 3387b5038d7SDag-Erling Smørgrav * \param[in] data_chain The data chain containing the data for the trust tree 3397b5038d7SDag-Erling Smørgrav * \param[in] check_time the time for which the validation is performed 3407b5038d7SDag-Erling Smørgrav */ 3417b5038d7SDag-Erling Smørgrav void ldns_dnssec_derive_trust_tree_no_sig_time( 3427b5038d7SDag-Erling Smørgrav ldns_dnssec_trust_tree *new_tree, 3437b5038d7SDag-Erling Smørgrav ldns_dnssec_data_chain *data_chain, 3447b5038d7SDag-Erling Smørgrav time_t check_time); 3457b5038d7SDag-Erling Smørgrav 3467b5038d7SDag-Erling Smørgrav 3477b5038d7SDag-Erling Smørgrav /** 3487b5038d7SDag-Erling Smørgrav * Returns OK if there is a trusted path in the tree to one of 3497b5038d7SDag-Erling Smørgrav * the DNSKEY or DS RRs in the given list 3507b5038d7SDag-Erling Smørgrav * 3517b5038d7SDag-Erling Smørgrav * \param *tree The trust tree so search 3527b5038d7SDag-Erling Smørgrav * \param *keys A ldns_rr_list of DNSKEY and DS rrs to look for 3532787e39aSDag-Erling Smørgrav * 3547b5038d7SDag-Erling Smørgrav * \return LDNS_STATUS_OK if there is a trusted path to one of 3557b5038d7SDag-Erling Smørgrav * the keys, or the *first* error encountered 3567b5038d7SDag-Erling Smørgrav * if there were no paths 3577b5038d7SDag-Erling Smørgrav */ 3587b5038d7SDag-Erling Smørgrav ldns_status ldns_dnssec_trust_tree_contains_keys( 3597b5038d7SDag-Erling Smørgrav ldns_dnssec_trust_tree *tree, 3607b5038d7SDag-Erling Smørgrav ldns_rr_list *keys); 3617b5038d7SDag-Erling Smørgrav 3627b5038d7SDag-Erling Smørgrav /** 3637b5038d7SDag-Erling Smørgrav * Verifies a list of signatures for one rrset. 3647b5038d7SDag-Erling Smørgrav * 3657b5038d7SDag-Erling Smørgrav * \param[in] rrset the rrset to verify 3667b5038d7SDag-Erling Smørgrav * \param[in] rrsig a list of signatures to check 3677b5038d7SDag-Erling Smørgrav * \param[in] keys a list of keys to check with 3687b5038d7SDag-Erling Smørgrav * \param[out] good_keys if this is a (initialized) list, the pointer to keys 3697b5038d7SDag-Erling Smørgrav * from keys that validate one of the signatures 3707b5038d7SDag-Erling Smørgrav * are added to it 3717b5038d7SDag-Erling Smørgrav * \return status LDNS_STATUS_OK if there is at least one correct key 3727b5038d7SDag-Erling Smørgrav */ 3737b5038d7SDag-Erling Smørgrav ldns_status ldns_verify(ldns_rr_list *rrset, 3747b5038d7SDag-Erling Smørgrav ldns_rr_list *rrsig, 3757b5038d7SDag-Erling Smørgrav const ldns_rr_list *keys, 3767b5038d7SDag-Erling Smørgrav ldns_rr_list *good_keys); 3777b5038d7SDag-Erling Smørgrav 3787b5038d7SDag-Erling Smørgrav /** 3797b5038d7SDag-Erling Smørgrav * Verifies a list of signatures for one rrset. 3807b5038d7SDag-Erling Smørgrav * 3817b5038d7SDag-Erling Smørgrav * \param[in] rrset the rrset to verify 3827b5038d7SDag-Erling Smørgrav * \param[in] rrsig a list of signatures to check 3837b5038d7SDag-Erling Smørgrav * \param[in] keys a list of keys to check with 3847b5038d7SDag-Erling Smørgrav * \param[in] check_time the time for which the validation is performed 3857b5038d7SDag-Erling Smørgrav * \param[out] good_keys if this is a (initialized) list, the pointer to keys 3867b5038d7SDag-Erling Smørgrav * from keys that validate one of the signatures 3877b5038d7SDag-Erling Smørgrav * are added to it 3887b5038d7SDag-Erling Smørgrav * \return status LDNS_STATUS_OK if there is at least one correct key 3897b5038d7SDag-Erling Smørgrav */ 390986ba33cSDag-Erling Smørgrav ldns_status ldns_verify_time(const ldns_rr_list *rrset, 391986ba33cSDag-Erling Smørgrav const ldns_rr_list *rrsig, 3927b5038d7SDag-Erling Smørgrav const ldns_rr_list *keys, 3937b5038d7SDag-Erling Smørgrav time_t check_time, 3947b5038d7SDag-Erling Smørgrav ldns_rr_list *good_keys); 3957b5038d7SDag-Erling Smørgrav 3967b5038d7SDag-Erling Smørgrav 3977b5038d7SDag-Erling Smørgrav /** 3987b5038d7SDag-Erling Smørgrav * Verifies a list of signatures for one rrset, but disregard the time. 3997b5038d7SDag-Erling Smørgrav * Inception and Expiration are not checked. 4007b5038d7SDag-Erling Smørgrav * 4017b5038d7SDag-Erling Smørgrav * \param[in] rrset the rrset to verify 4027b5038d7SDag-Erling Smørgrav * \param[in] rrsig a list of signatures to check 4037b5038d7SDag-Erling Smørgrav * \param[in] keys a list of keys to check with 4047b5038d7SDag-Erling Smørgrav * \param[out] good_keys if this is a (initialized) list, the pointer to keys 4057b5038d7SDag-Erling Smørgrav * from keys that validate one of the signatures 4067b5038d7SDag-Erling Smørgrav * are added to it 4077b5038d7SDag-Erling Smørgrav * \return status LDNS_STATUS_OK if there is at least one correct key 4087b5038d7SDag-Erling Smørgrav */ 4097b5038d7SDag-Erling Smørgrav ldns_status ldns_verify_notime(ldns_rr_list *rrset, 4107b5038d7SDag-Erling Smørgrav ldns_rr_list *rrsig, 4117b5038d7SDag-Erling Smørgrav const ldns_rr_list *keys, 4127b5038d7SDag-Erling Smørgrav ldns_rr_list *good_keys); 4137b5038d7SDag-Erling Smørgrav 4147b5038d7SDag-Erling Smørgrav /** 4157b5038d7SDag-Erling Smørgrav * Tries to build an authentication chain from the given 4167b5038d7SDag-Erling Smørgrav * keys down to the queried domain. 4177b5038d7SDag-Erling Smørgrav * 4187b5038d7SDag-Erling Smørgrav * If we find a valid trust path, return the valid keys for the domain. 4197b5038d7SDag-Erling Smørgrav * 4207b5038d7SDag-Erling Smørgrav * \param[in] res the current resolver 4217b5038d7SDag-Erling Smørgrav * \param[in] domain the domain we want valid keys for 4227b5038d7SDag-Erling Smørgrav * \param[in] keys the current set of trusted keys 4237b5038d7SDag-Erling Smørgrav * \param[out] status pointer to the status variable where the result 4247b5038d7SDag-Erling Smørgrav * code will be stored 4257b5038d7SDag-Erling Smørgrav * \return the set of trusted keys for the domain, or NULL if no 4267b5038d7SDag-Erling Smørgrav * trust path could be built. 4277b5038d7SDag-Erling Smørgrav */ 4287b5038d7SDag-Erling Smørgrav ldns_rr_list *ldns_fetch_valid_domain_keys(const ldns_resolver * res, 4297b5038d7SDag-Erling Smørgrav const ldns_rdf * domain, 4307b5038d7SDag-Erling Smørgrav const ldns_rr_list * keys, 4317b5038d7SDag-Erling Smørgrav ldns_status *status); 4327b5038d7SDag-Erling Smørgrav 4337b5038d7SDag-Erling Smørgrav /** 4347b5038d7SDag-Erling Smørgrav * Tries to build an authentication chain from the given 4357b5038d7SDag-Erling Smørgrav * keys down to the queried domain. 4367b5038d7SDag-Erling Smørgrav * 4377b5038d7SDag-Erling Smørgrav * If we find a valid trust path, return the valid keys for the domain. 4387b5038d7SDag-Erling Smørgrav * 4397b5038d7SDag-Erling Smørgrav * \param[in] res the current resolver 4407b5038d7SDag-Erling Smørgrav * \param[in] domain the domain we want valid keys for 4417b5038d7SDag-Erling Smørgrav * \param[in] keys the current set of trusted keys 4427b5038d7SDag-Erling Smørgrav * \param[in] check_time the time for which the validation is performed 4437b5038d7SDag-Erling Smørgrav * \param[out] status pointer to the status variable where the result 4447b5038d7SDag-Erling Smørgrav * code will be stored 4457b5038d7SDag-Erling Smørgrav * \return the set of trusted keys for the domain, or NULL if no 4467b5038d7SDag-Erling Smørgrav * trust path could be built. 4477b5038d7SDag-Erling Smørgrav */ 4487b5038d7SDag-Erling Smørgrav ldns_rr_list *ldns_fetch_valid_domain_keys_time(const ldns_resolver * res, 4497b5038d7SDag-Erling Smørgrav const ldns_rdf * domain, const ldns_rr_list * keys, 4507b5038d7SDag-Erling Smørgrav time_t check_time, ldns_status *status); 4517b5038d7SDag-Erling Smørgrav 4527b5038d7SDag-Erling Smørgrav 4537b5038d7SDag-Erling Smørgrav /** 4547b5038d7SDag-Erling Smørgrav * Validates the DNSKEY RRset for the given domain using the provided 4557b5038d7SDag-Erling Smørgrav * trusted keys. 4567b5038d7SDag-Erling Smørgrav * 4577b5038d7SDag-Erling Smørgrav * \param[in] res the current resolver 4587b5038d7SDag-Erling Smørgrav * \param[in] domain the domain we want valid keys for 4597b5038d7SDag-Erling Smørgrav * \param[in] keys the current set of trusted keys 4607b5038d7SDag-Erling Smørgrav * \return the set of trusted keys for the domain, or NULL if the RRSET 4617b5038d7SDag-Erling Smørgrav * could not be validated 4627b5038d7SDag-Erling Smørgrav */ 4637b5038d7SDag-Erling Smørgrav ldns_rr_list *ldns_validate_domain_dnskey (const ldns_resolver *res, 4647b5038d7SDag-Erling Smørgrav const ldns_rdf *domain, 4657b5038d7SDag-Erling Smørgrav const ldns_rr_list *keys); 4667b5038d7SDag-Erling Smørgrav 4677b5038d7SDag-Erling Smørgrav /** 4687b5038d7SDag-Erling Smørgrav * Validates the DNSKEY RRset for the given domain using the provided 4697b5038d7SDag-Erling Smørgrav * trusted keys. 4707b5038d7SDag-Erling Smørgrav * 4717b5038d7SDag-Erling Smørgrav * \param[in] res the current resolver 4727b5038d7SDag-Erling Smørgrav * \param[in] domain the domain we want valid keys for 4737b5038d7SDag-Erling Smørgrav * \param[in] keys the current set of trusted keys 4747b5038d7SDag-Erling Smørgrav * \param[in] check_time the time for which the validation is performed 4757b5038d7SDag-Erling Smørgrav * \return the set of trusted keys for the domain, or NULL if the RRSET 4767b5038d7SDag-Erling Smørgrav * could not be validated 4777b5038d7SDag-Erling Smørgrav */ 4787b5038d7SDag-Erling Smørgrav ldns_rr_list *ldns_validate_domain_dnskey_time( 4797b5038d7SDag-Erling Smørgrav const ldns_resolver *res, const ldns_rdf *domain, 4807b5038d7SDag-Erling Smørgrav const ldns_rr_list *keys, time_t check_time); 4817b5038d7SDag-Erling Smørgrav 4827b5038d7SDag-Erling Smørgrav 4837b5038d7SDag-Erling Smørgrav /** 4847b5038d7SDag-Erling Smørgrav * Validates the DS RRset for the given domain using the provided trusted keys. 4857b5038d7SDag-Erling Smørgrav * 4867b5038d7SDag-Erling Smørgrav * \param[in] res the current resolver 4877b5038d7SDag-Erling Smørgrav * \param[in] domain the domain we want valid keys for 4887b5038d7SDag-Erling Smørgrav * \param[in] keys the current set of trusted keys 4897b5038d7SDag-Erling Smørgrav * \return the set of trusted keys for the domain, or NULL if the RRSET could not be validated 4907b5038d7SDag-Erling Smørgrav */ 4917b5038d7SDag-Erling Smørgrav ldns_rr_list *ldns_validate_domain_ds(const ldns_resolver *res, 4927b5038d7SDag-Erling Smørgrav const ldns_rdf * 4937b5038d7SDag-Erling Smørgrav domain, 4947b5038d7SDag-Erling Smørgrav const ldns_rr_list * keys); 4957b5038d7SDag-Erling Smørgrav 4967b5038d7SDag-Erling Smørgrav /** 4977b5038d7SDag-Erling Smørgrav * Validates the DS RRset for the given domain using the provided trusted keys. 4987b5038d7SDag-Erling Smørgrav * 4997b5038d7SDag-Erling Smørgrav * \param[in] res the current resolver 5007b5038d7SDag-Erling Smørgrav * \param[in] domain the domain we want valid keys for 5017b5038d7SDag-Erling Smørgrav * \param[in] keys the current set of trusted keys 5027b5038d7SDag-Erling Smørgrav * \param[in] check_time the time for which the validation is performed 5037b5038d7SDag-Erling Smørgrav * \return the set of trusted keys for the domain, or NULL if the RRSET could not be validated 5047b5038d7SDag-Erling Smørgrav */ 5057b5038d7SDag-Erling Smørgrav ldns_rr_list *ldns_validate_domain_ds_time( 5067b5038d7SDag-Erling Smørgrav const ldns_resolver *res, const ldns_rdf *domain, 5077b5038d7SDag-Erling Smørgrav const ldns_rr_list * keys, time_t check_time); 5087b5038d7SDag-Erling Smørgrav 5097b5038d7SDag-Erling Smørgrav 5107b5038d7SDag-Erling Smørgrav /** 5117b5038d7SDag-Erling Smørgrav * Verifies a list of signatures for one RRset using a valid trust path. 5127b5038d7SDag-Erling Smørgrav * 5137b5038d7SDag-Erling Smørgrav * \param[in] res the current resolver 5147b5038d7SDag-Erling Smørgrav * \param[in] rrset the rrset to verify 5157b5038d7SDag-Erling Smørgrav * \param[in] rrsigs a list of signatures to check 5167b5038d7SDag-Erling Smørgrav * \param[out] validating_keys if this is a (initialized) list, the 5177b5038d7SDag-Erling Smørgrav * keys from keys that validate one of 5187b5038d7SDag-Erling Smørgrav * the signatures are added to it 5197b5038d7SDag-Erling Smørgrav * \return status LDNS_STATUS_OK if there is at least one correct key 5207b5038d7SDag-Erling Smørgrav */ 5217b5038d7SDag-Erling Smørgrav ldns_status ldns_verify_trusted(ldns_resolver *res, 5227b5038d7SDag-Erling Smørgrav ldns_rr_list *rrset, 5237b5038d7SDag-Erling Smørgrav ldns_rr_list *rrsigs, 5247b5038d7SDag-Erling Smørgrav ldns_rr_list *validating_keys); 5257b5038d7SDag-Erling Smørgrav 5267b5038d7SDag-Erling Smørgrav /** 5277b5038d7SDag-Erling Smørgrav * Verifies a list of signatures for one RRset using a valid trust path. 5287b5038d7SDag-Erling Smørgrav * 5297b5038d7SDag-Erling Smørgrav * \param[in] res the current resolver 5307b5038d7SDag-Erling Smørgrav * \param[in] rrset the rrset to verify 5317b5038d7SDag-Erling Smørgrav * \param[in] rrsigs a list of signatures to check 5327b5038d7SDag-Erling Smørgrav * \param[in] check_time the time for which the validation is performed 5337b5038d7SDag-Erling Smørgrav * \param[out] validating_keys if this is a (initialized) list, the 5347b5038d7SDag-Erling Smørgrav * keys from keys that validate one of 5357b5038d7SDag-Erling Smørgrav * the signatures are added to it 5367b5038d7SDag-Erling Smørgrav * \return status LDNS_STATUS_OK if there is at least one correct key 5377b5038d7SDag-Erling Smørgrav */ 5387b5038d7SDag-Erling Smørgrav ldns_status ldns_verify_trusted_time( 5397b5038d7SDag-Erling Smørgrav ldns_resolver *res, ldns_rr_list *rrset, 5407b5038d7SDag-Erling Smørgrav ldns_rr_list *rrsigs, time_t check_time, 5417b5038d7SDag-Erling Smørgrav ldns_rr_list *validating_keys); 5427b5038d7SDag-Erling Smørgrav 5437b5038d7SDag-Erling Smørgrav 5447b5038d7SDag-Erling Smørgrav /** 5457b5038d7SDag-Erling Smørgrav * denial is not just a river in egypt 5467b5038d7SDag-Erling Smørgrav * 5477b5038d7SDag-Erling Smørgrav * \param[in] rr The (query) RR to check the denial of existence for 5487b5038d7SDag-Erling Smørgrav * \param[in] nsecs The list of NSEC RRs that are supposed to deny the 5497b5038d7SDag-Erling Smørgrav * existence of the RR 5507b5038d7SDag-Erling Smørgrav * \param[in] rrsigs The RRSIG RR covering the NSEC RRs 5517b5038d7SDag-Erling Smørgrav * \return LDNS_STATUS_OK if the NSEC RRs deny the existence, error code 5527b5038d7SDag-Erling Smørgrav * containing the reason they do not otherwise 5537b5038d7SDag-Erling Smørgrav */ 5547b5038d7SDag-Erling Smørgrav ldns_status ldns_dnssec_verify_denial(ldns_rr *rr, 5557b5038d7SDag-Erling Smørgrav ldns_rr_list *nsecs, 5567b5038d7SDag-Erling Smørgrav ldns_rr_list *rrsigs); 5577b5038d7SDag-Erling Smørgrav 5587b5038d7SDag-Erling Smørgrav /** 5597b5038d7SDag-Erling Smørgrav * Denial of existence using NSEC3 records 5607b5038d7SDag-Erling Smørgrav * Since NSEC3 is a bit more complicated than normal denial, some 5617b5038d7SDag-Erling Smørgrav * context arguments are needed 5627b5038d7SDag-Erling Smørgrav * 5637b5038d7SDag-Erling Smørgrav * \param[in] rr The (query) RR to check the denial of existence for 5647b5038d7SDag-Erling Smørgrav * \param[in] nsecs The list of NSEC3 RRs that are supposed to deny the 5657b5038d7SDag-Erling Smørgrav * existence of the RR 5667b5038d7SDag-Erling Smørgrav * \param[in] rrsigs The RRSIG rr covering the NSEC RRs 5677b5038d7SDag-Erling Smørgrav * \param[in] packet_rcode The RCODE value of the packet that provided the 5687b5038d7SDag-Erling Smørgrav * NSEC3 RRs 5697b5038d7SDag-Erling Smørgrav * \param[in] packet_qtype The original query RR type 5707b5038d7SDag-Erling Smørgrav * \param[in] packet_nodata True if the providing packet had an empty ANSWER 5717b5038d7SDag-Erling Smørgrav * section 5727b5038d7SDag-Erling Smørgrav * \return LDNS_STATUS_OK if the NSEC3 RRs deny the existence, error code 5737b5038d7SDag-Erling Smørgrav * containing the reason they do not otherwise 5747b5038d7SDag-Erling Smørgrav */ 5757b5038d7SDag-Erling Smørgrav ldns_status ldns_dnssec_verify_denial_nsec3(ldns_rr *rr, 5767b5038d7SDag-Erling Smørgrav ldns_rr_list *nsecs, 5777b5038d7SDag-Erling Smørgrav ldns_rr_list *rrsigs, 5787b5038d7SDag-Erling Smørgrav ldns_pkt_rcode packet_rcode, 5797b5038d7SDag-Erling Smørgrav ldns_rr_type packet_qtype, 5807b5038d7SDag-Erling Smørgrav bool packet_nodata); 5817b5038d7SDag-Erling Smørgrav 5827b5038d7SDag-Erling Smørgrav /** 5837b5038d7SDag-Erling Smørgrav * Same as ldns_status ldns_dnssec_verify_denial_nsec3 but also returns 5847b5038d7SDag-Erling Smørgrav * the nsec rr that matched. 5857b5038d7SDag-Erling Smørgrav * 5867b5038d7SDag-Erling Smørgrav * \param[in] rr The (query) RR to check the denial of existence for 5877b5038d7SDag-Erling Smørgrav * \param[in] nsecs The list of NSEC3 RRs that are supposed to deny the 5887b5038d7SDag-Erling Smørgrav * existence of the RR 5897b5038d7SDag-Erling Smørgrav * \param[in] rrsigs The RRSIG rr covering the NSEC RRs 5907b5038d7SDag-Erling Smørgrav * \param[in] packet_rcode The RCODE value of the packet that provided the 5917b5038d7SDag-Erling Smørgrav * NSEC3 RRs 5927b5038d7SDag-Erling Smørgrav * \param[in] packet_qtype The original query RR type 5937b5038d7SDag-Erling Smørgrav * \param[in] packet_nodata True if the providing packet had an empty ANSWER 5947b5038d7SDag-Erling Smørgrav * section 5955afab0e5SDag-Erling Smørgrav * \param[out] match On match, the given (reference to a) pointer will be set 5967b5038d7SDag-Erling Smørgrav * to point to the matching nsec resource record. 5977b5038d7SDag-Erling Smørgrav * \return LDNS_STATUS_OK if the NSEC3 RRs deny the existence, error code 5987b5038d7SDag-Erling Smørgrav * containing the reason they do not otherwise 5997b5038d7SDag-Erling Smørgrav */ 6007b5038d7SDag-Erling Smørgrav ldns_status ldns_dnssec_verify_denial_nsec3_match(ldns_rr *rr, 6017b5038d7SDag-Erling Smørgrav ldns_rr_list *nsecs, 6027b5038d7SDag-Erling Smørgrav ldns_rr_list *rrsigs, 6037b5038d7SDag-Erling Smørgrav ldns_pkt_rcode packet_rcode, 6047b5038d7SDag-Erling Smørgrav ldns_rr_type packet_qtype, 6057b5038d7SDag-Erling Smørgrav bool packet_nodata, 6067b5038d7SDag-Erling Smørgrav ldns_rr **match); 6077b5038d7SDag-Erling Smørgrav /** 6087b5038d7SDag-Erling Smørgrav * Verifies the already processed data in the buffers 6097b5038d7SDag-Erling Smørgrav * This function should probably not be used directly. 6107b5038d7SDag-Erling Smørgrav * 6117b5038d7SDag-Erling Smørgrav * \param[in] rawsig_buf Buffer containing signature data to use 6127b5038d7SDag-Erling Smørgrav * \param[in] verify_buf Buffer containing data to verify 6137b5038d7SDag-Erling Smørgrav * \param[in] key_buf Buffer containing key data to use 6147b5038d7SDag-Erling Smørgrav * \param[in] algo Signing algorithm 6157b5038d7SDag-Erling Smørgrav * \return status LDNS_STATUS_OK if the data verifies. Error if not. 6167b5038d7SDag-Erling Smørgrav */ 6177b5038d7SDag-Erling Smørgrav ldns_status ldns_verify_rrsig_buffers(ldns_buffer *rawsig_buf, 6187b5038d7SDag-Erling Smørgrav ldns_buffer *verify_buf, 6197b5038d7SDag-Erling Smørgrav ldns_buffer *key_buf, 6207b5038d7SDag-Erling Smørgrav uint8_t algo); 6217b5038d7SDag-Erling Smørgrav 6227b5038d7SDag-Erling Smørgrav /** 6237b5038d7SDag-Erling Smørgrav * Like ldns_verify_rrsig_buffers, but uses raw data. 6247b5038d7SDag-Erling Smørgrav * 6257b5038d7SDag-Erling Smørgrav * \param[in] sig signature data to use 6267b5038d7SDag-Erling Smørgrav * \param[in] siglen length of signature data to use 6277b5038d7SDag-Erling Smørgrav * \param[in] verify_buf Buffer containing data to verify 6287b5038d7SDag-Erling Smørgrav * \param[in] key key data to use 6297b5038d7SDag-Erling Smørgrav * \param[in] keylen length of key data to use 6307b5038d7SDag-Erling Smørgrav * \param[in] algo Signing algorithm 6317b5038d7SDag-Erling Smørgrav * \return status LDNS_STATUS_OK if the data verifies. Error if not. 6327b5038d7SDag-Erling Smørgrav */ 6337b5038d7SDag-Erling Smørgrav ldns_status ldns_verify_rrsig_buffers_raw(unsigned char* sig, 6347b5038d7SDag-Erling Smørgrav size_t siglen, 6357b5038d7SDag-Erling Smørgrav ldns_buffer *verify_buf, 6367b5038d7SDag-Erling Smørgrav unsigned char* key, 6377b5038d7SDag-Erling Smørgrav size_t keylen, 6387b5038d7SDag-Erling Smørgrav uint8_t algo); 6397b5038d7SDag-Erling Smørgrav 6407b5038d7SDag-Erling Smørgrav /** 6417b5038d7SDag-Erling Smørgrav * Verifies an rrsig. All keys in the keyset are tried. 6427b5038d7SDag-Erling Smørgrav * \param[in] rrset the rrset to check 6437b5038d7SDag-Erling Smørgrav * \param[in] rrsig the signature of the rrset 6447b5038d7SDag-Erling Smørgrav * \param[in] keys the keys to try 6457b5038d7SDag-Erling Smørgrav * \param[out] good_keys if this is a (initialized) list, the pointer to keys 6467b5038d7SDag-Erling Smørgrav * from keys that validate one of the signatures 6477b5038d7SDag-Erling Smørgrav * are added to it 6487b5038d7SDag-Erling Smørgrav * \return a list of keys which validate the rrsig + rrset. Returns 6497b5038d7SDag-Erling Smørgrav * status LDNS_STATUS_OK if at least one key matched. Else an error. 6507b5038d7SDag-Erling Smørgrav */ 6517b5038d7SDag-Erling Smørgrav ldns_status ldns_verify_rrsig_keylist(ldns_rr_list *rrset, 6527b5038d7SDag-Erling Smørgrav ldns_rr *rrsig, 6537b5038d7SDag-Erling Smørgrav const ldns_rr_list *keys, 6547b5038d7SDag-Erling Smørgrav ldns_rr_list *good_keys); 6557b5038d7SDag-Erling Smørgrav 6567b5038d7SDag-Erling Smørgrav /** 6577b5038d7SDag-Erling Smørgrav * Verifies an rrsig. All keys in the keyset are tried. 6587b5038d7SDag-Erling Smørgrav * \param[in] rrset the rrset to check 6597b5038d7SDag-Erling Smørgrav * \param[in] rrsig the signature of the rrset 6607b5038d7SDag-Erling Smørgrav * \param[in] keys the keys to try 6617b5038d7SDag-Erling Smørgrav * \param[in] check_time the time for which the validation is performed 6627b5038d7SDag-Erling Smørgrav * \param[out] good_keys if this is a (initialized) list, the pointer to keys 6637b5038d7SDag-Erling Smørgrav * from keys that validate one of the signatures 6647b5038d7SDag-Erling Smørgrav * are added to it 6657b5038d7SDag-Erling Smørgrav * \return a list of keys which validate the rrsig + rrset. Returns 6667b5038d7SDag-Erling Smørgrav * status LDNS_STATUS_OK if at least one key matched. Else an error. 6677b5038d7SDag-Erling Smørgrav */ 6687b5038d7SDag-Erling Smørgrav ldns_status ldns_verify_rrsig_keylist_time( 669986ba33cSDag-Erling Smørgrav const ldns_rr_list *rrset, const ldns_rr *rrsig, 6707b5038d7SDag-Erling Smørgrav const ldns_rr_list *keys, time_t check_time, 6717b5038d7SDag-Erling Smørgrav ldns_rr_list *good_keys); 6727b5038d7SDag-Erling Smørgrav 6737b5038d7SDag-Erling Smørgrav 6747b5038d7SDag-Erling Smørgrav /** 6757b5038d7SDag-Erling Smørgrav * Verifies an rrsig. All keys in the keyset are tried. Time is not checked. 6767b5038d7SDag-Erling Smørgrav * \param[in] rrset the rrset to check 6777b5038d7SDag-Erling Smørgrav * \param[in] rrsig the signature of the rrset 6787b5038d7SDag-Erling Smørgrav * \param[in] keys the keys to try 6797b5038d7SDag-Erling Smørgrav * \param[out] good_keys if this is a (initialized) list, the pointer to keys 6807b5038d7SDag-Erling Smørgrav * from keys that validate one of the signatures 6817b5038d7SDag-Erling Smørgrav * are added to it 6827b5038d7SDag-Erling Smørgrav * \return a list of keys which validate the rrsig + rrset. Returns 6837b5038d7SDag-Erling Smørgrav * status LDNS_STATUS_OK if at least one key matched. Else an error. 6847b5038d7SDag-Erling Smørgrav */ 685986ba33cSDag-Erling Smørgrav ldns_status ldns_verify_rrsig_keylist_notime(const ldns_rr_list *rrset, 686986ba33cSDag-Erling Smørgrav const ldns_rr *rrsig, 6877b5038d7SDag-Erling Smørgrav const ldns_rr_list *keys, 6887b5038d7SDag-Erling Smørgrav ldns_rr_list *good_keys); 6897b5038d7SDag-Erling Smørgrav 6907b5038d7SDag-Erling Smørgrav /** 6917b5038d7SDag-Erling Smørgrav * verify an rrsig with 1 key 6927b5038d7SDag-Erling Smørgrav * \param[in] rrset the rrset 6937b5038d7SDag-Erling Smørgrav * \param[in] rrsig the rrsig to verify 6947b5038d7SDag-Erling Smørgrav * \param[in] key the key to use 6955afab0e5SDag-Erling Smørgrav * \return status message whether verification succeeded. 6967b5038d7SDag-Erling Smørgrav */ 6977b5038d7SDag-Erling Smørgrav ldns_status ldns_verify_rrsig(ldns_rr_list *rrset, 6987b5038d7SDag-Erling Smørgrav ldns_rr *rrsig, 6997b5038d7SDag-Erling Smørgrav ldns_rr *key); 7007b5038d7SDag-Erling Smørgrav 7017b5038d7SDag-Erling Smørgrav 7027b5038d7SDag-Erling Smørgrav /** 7037b5038d7SDag-Erling Smørgrav * verify an rrsig with 1 key 7047b5038d7SDag-Erling Smørgrav * \param[in] rrset the rrset 7057b5038d7SDag-Erling Smørgrav * \param[in] rrsig the rrsig to verify 7067b5038d7SDag-Erling Smørgrav * \param[in] key the key to use 7077b5038d7SDag-Erling Smørgrav * \param[in] check_time the time for which the validation is performed 7085afab0e5SDag-Erling Smørgrav * \return status message whether verification succeeded. 7097b5038d7SDag-Erling Smørgrav */ 7107b5038d7SDag-Erling Smørgrav ldns_status ldns_verify_rrsig_time( 7117b5038d7SDag-Erling Smørgrav ldns_rr_list *rrset, ldns_rr *rrsig, 7127b5038d7SDag-Erling Smørgrav ldns_rr *key, time_t check_time); 7137b5038d7SDag-Erling Smørgrav 7147b5038d7SDag-Erling Smørgrav 7157b5038d7SDag-Erling Smørgrav #if LDNS_BUILD_CONFIG_HAVE_SSL 7167b5038d7SDag-Erling Smørgrav /** 7177b5038d7SDag-Erling Smørgrav * verifies a buffer with signature data for a buffer with rrset data 7187b5038d7SDag-Erling Smørgrav * with an EVP_PKEY 7197b5038d7SDag-Erling Smørgrav * 7207b5038d7SDag-Erling Smørgrav * \param[in] sig the signature data 7217b5038d7SDag-Erling Smørgrav * \param[in] rrset the rrset data, sorted and processed for verification 7227b5038d7SDag-Erling Smørgrav * \param[in] key the EVP key structure 7237b5038d7SDag-Erling Smørgrav * \param[in] digest_type The digest type of the signature 7247b5038d7SDag-Erling Smørgrav */ 7257b5038d7SDag-Erling Smørgrav ldns_status ldns_verify_rrsig_evp(ldns_buffer *sig, 7267b5038d7SDag-Erling Smørgrav ldns_buffer *rrset, 7277b5038d7SDag-Erling Smørgrav EVP_PKEY *key, 7287b5038d7SDag-Erling Smørgrav const EVP_MD *digest_type); 7297b5038d7SDag-Erling Smørgrav 7307b5038d7SDag-Erling Smørgrav /** 7317b5038d7SDag-Erling Smørgrav * Like ldns_verify_rrsig_evp, but uses raw signature data. 7327b5038d7SDag-Erling Smørgrav * \param[in] sig the signature data, wireformat uncompressed 7337b5038d7SDag-Erling Smørgrav * \param[in] siglen length of the signature data 7347b5038d7SDag-Erling Smørgrav * \param[in] rrset the rrset data, sorted and processed for verification 7357b5038d7SDag-Erling Smørgrav * \param[in] key the EVP key structure 7367b5038d7SDag-Erling Smørgrav * \param[in] digest_type The digest type of the signature 7377b5038d7SDag-Erling Smørgrav */ 738986ba33cSDag-Erling Smørgrav ldns_status ldns_verify_rrsig_evp_raw(const unsigned char *sig, 7397b5038d7SDag-Erling Smørgrav size_t siglen, 740986ba33cSDag-Erling Smørgrav const ldns_buffer *rrset, 7417b5038d7SDag-Erling Smørgrav EVP_PKEY *key, 7427b5038d7SDag-Erling Smørgrav const EVP_MD *digest_type); 7437b5038d7SDag-Erling Smørgrav #endif 7447b5038d7SDag-Erling Smørgrav 7457b5038d7SDag-Erling Smørgrav /** 7467b5038d7SDag-Erling Smørgrav * verifies a buffer with signature data (DSA) for a buffer with rrset data 7477b5038d7SDag-Erling Smørgrav * with a buffer with key data. 7487b5038d7SDag-Erling Smørgrav * 7497b5038d7SDag-Erling Smørgrav * \param[in] sig the signature data 7507b5038d7SDag-Erling Smørgrav * \param[in] rrset the rrset data, sorted and processed for verification 7517b5038d7SDag-Erling Smørgrav * \param[in] key the key data 7527b5038d7SDag-Erling Smørgrav */ 7537b5038d7SDag-Erling Smørgrav ldns_status ldns_verify_rrsig_dsa(ldns_buffer *sig, 7547b5038d7SDag-Erling Smørgrav ldns_buffer *rrset, 7557b5038d7SDag-Erling Smørgrav ldns_buffer *key); 7567b5038d7SDag-Erling Smørgrav 7577b5038d7SDag-Erling Smørgrav /** 7587b5038d7SDag-Erling Smørgrav * verifies a buffer with signature data (RSASHA1) for a buffer with rrset data 7597b5038d7SDag-Erling Smørgrav * with a buffer with key data. 7607b5038d7SDag-Erling Smørgrav * 7617b5038d7SDag-Erling Smørgrav * \param[in] sig the signature data 7627b5038d7SDag-Erling Smørgrav * \param[in] rrset the rrset data, sorted and processed for verification 7637b5038d7SDag-Erling Smørgrav * \param[in] key the key data 7647b5038d7SDag-Erling Smørgrav */ 7657b5038d7SDag-Erling Smørgrav ldns_status ldns_verify_rrsig_rsasha1(ldns_buffer *sig, 7667b5038d7SDag-Erling Smørgrav ldns_buffer *rrset, 7677b5038d7SDag-Erling Smørgrav ldns_buffer *key); 7687b5038d7SDag-Erling Smørgrav 7697b5038d7SDag-Erling Smørgrav /** 7707b5038d7SDag-Erling Smørgrav * verifies a buffer with signature data (RSAMD5) for a buffer with rrset data 7717b5038d7SDag-Erling Smørgrav * with a buffer with key data. 7727b5038d7SDag-Erling Smørgrav * 7737b5038d7SDag-Erling Smørgrav * \param[in] sig the signature data 7747b5038d7SDag-Erling Smørgrav * \param[in] rrset the rrset data, sorted and processed for verification 7757b5038d7SDag-Erling Smørgrav * \param[in] key the key data 7767b5038d7SDag-Erling Smørgrav */ 7777b5038d7SDag-Erling Smørgrav ldns_status ldns_verify_rrsig_rsamd5(ldns_buffer *sig, 7787b5038d7SDag-Erling Smørgrav ldns_buffer *rrset, 7797b5038d7SDag-Erling Smørgrav ldns_buffer *key); 7807b5038d7SDag-Erling Smørgrav 7817b5038d7SDag-Erling Smørgrav /** 7827b5038d7SDag-Erling Smørgrav * Like ldns_verify_rrsig_dsa, but uses raw signature and key data. 7837b5038d7SDag-Erling Smørgrav * \param[in] sig raw uncompressed wireformat signature data 7847b5038d7SDag-Erling Smørgrav * \param[in] siglen length of signature data 7857b5038d7SDag-Erling Smørgrav * \param[in] rrset ldns buffer with prepared rrset data. 7867b5038d7SDag-Erling Smørgrav * \param[in] key raw uncompressed wireformat key data 7877b5038d7SDag-Erling Smørgrav * \param[in] keylen length of key data 7887b5038d7SDag-Erling Smørgrav */ 7897b5038d7SDag-Erling Smørgrav ldns_status ldns_verify_rrsig_dsa_raw(unsigned char* sig, 7907b5038d7SDag-Erling Smørgrav size_t siglen, 7917b5038d7SDag-Erling Smørgrav ldns_buffer* rrset, 7927b5038d7SDag-Erling Smørgrav unsigned char* key, 7937b5038d7SDag-Erling Smørgrav size_t keylen); 7947b5038d7SDag-Erling Smørgrav 7957b5038d7SDag-Erling Smørgrav /** 7967b5038d7SDag-Erling Smørgrav * Like ldns_verify_rrsig_rsasha1, but uses raw signature and key data. 7977b5038d7SDag-Erling Smørgrav * \param[in] sig raw uncompressed wireformat signature data 7987b5038d7SDag-Erling Smørgrav * \param[in] siglen length of signature data 7997b5038d7SDag-Erling Smørgrav * \param[in] rrset ldns buffer with prepared rrset data. 8007b5038d7SDag-Erling Smørgrav * \param[in] key raw uncompressed wireformat key data 8017b5038d7SDag-Erling Smørgrav * \param[in] keylen length of key data 8027b5038d7SDag-Erling Smørgrav */ 8037b5038d7SDag-Erling Smørgrav ldns_status ldns_verify_rrsig_rsasha1_raw(unsigned char* sig, 8047b5038d7SDag-Erling Smørgrav size_t siglen, 8057b5038d7SDag-Erling Smørgrav ldns_buffer* rrset, 8067b5038d7SDag-Erling Smørgrav unsigned char* key, 8077b5038d7SDag-Erling Smørgrav size_t keylen); 8087b5038d7SDag-Erling Smørgrav 8097b5038d7SDag-Erling Smørgrav /** 8107b5038d7SDag-Erling Smørgrav * Like ldns_verify_rrsig_rsasha256, but uses raw signature and key data. 8117b5038d7SDag-Erling Smørgrav * \param[in] sig raw uncompressed wireformat signature data 8127b5038d7SDag-Erling Smørgrav * \param[in] siglen length of signature data 8137b5038d7SDag-Erling Smørgrav * \param[in] rrset ldns buffer with prepared rrset data. 8147b5038d7SDag-Erling Smørgrav * \param[in] key raw uncompressed wireformat key data 8157b5038d7SDag-Erling Smørgrav * \param[in] keylen length of key data 8167b5038d7SDag-Erling Smørgrav */ 8177b5038d7SDag-Erling Smørgrav 8187b5038d7SDag-Erling Smørgrav ldns_status ldns_verify_rrsig_rsasha256_raw(unsigned char* sig, 8197b5038d7SDag-Erling Smørgrav size_t siglen, 8207b5038d7SDag-Erling Smørgrav ldns_buffer* rrset, 8217b5038d7SDag-Erling Smørgrav unsigned char* key, 8227b5038d7SDag-Erling Smørgrav size_t keylen); 8237b5038d7SDag-Erling Smørgrav 8247b5038d7SDag-Erling Smørgrav /** 8257b5038d7SDag-Erling Smørgrav * Like ldns_verify_rrsig_rsasha512, but uses raw signature and key data. 8267b5038d7SDag-Erling Smørgrav * \param[in] sig raw uncompressed wireformat signature data 8277b5038d7SDag-Erling Smørgrav * \param[in] siglen length of signature data 8287b5038d7SDag-Erling Smørgrav * \param[in] rrset ldns buffer with prepared rrset data. 8297b5038d7SDag-Erling Smørgrav * \param[in] key raw uncompressed wireformat key data 8307b5038d7SDag-Erling Smørgrav * \param[in] keylen length of key data 8317b5038d7SDag-Erling Smørgrav */ 8327b5038d7SDag-Erling Smørgrav ldns_status ldns_verify_rrsig_rsasha512_raw(unsigned char* sig, 8337b5038d7SDag-Erling Smørgrav size_t siglen, 8347b5038d7SDag-Erling Smørgrav ldns_buffer* rrset, 8357b5038d7SDag-Erling Smørgrav unsigned char* key, 8367b5038d7SDag-Erling Smørgrav size_t keylen); 8377b5038d7SDag-Erling Smørgrav 8387b5038d7SDag-Erling Smørgrav /** 8397b5038d7SDag-Erling Smørgrav * Like ldns_verify_rrsig_rsamd5, but uses raw signature and key data. 8407b5038d7SDag-Erling Smørgrav * \param[in] sig raw uncompressed wireformat signature data 8417b5038d7SDag-Erling Smørgrav * \param[in] siglen length of signature data 8427b5038d7SDag-Erling Smørgrav * \param[in] rrset ldns buffer with prepared rrset data. 8437b5038d7SDag-Erling Smørgrav * \param[in] key raw uncompressed wireformat key data 8447b5038d7SDag-Erling Smørgrav * \param[in] keylen length of key data 8457b5038d7SDag-Erling Smørgrav */ 8467b5038d7SDag-Erling Smørgrav ldns_status ldns_verify_rrsig_rsamd5_raw(unsigned char* sig, 8477b5038d7SDag-Erling Smørgrav size_t siglen, 8487b5038d7SDag-Erling Smørgrav ldns_buffer* rrset, 8497b5038d7SDag-Erling Smørgrav unsigned char* key, 8507b5038d7SDag-Erling Smørgrav size_t keylen); 8517b5038d7SDag-Erling Smørgrav 8527b5038d7SDag-Erling Smørgrav #ifdef __cplusplus 8537b5038d7SDag-Erling Smørgrav } 8547b5038d7SDag-Erling Smørgrav #endif 8557b5038d7SDag-Erling Smørgrav 8567b5038d7SDag-Erling Smørgrav #endif 8577b5038d7SDag-Erling Smørgrav 858