dnssec_verify.h revision 256281 
1/** dnssec_verify */
2
3#ifndef LDNS_DNSSEC_VERIFY_H
4#define LDNS_DNSSEC_VERIFY_H
5
6#define LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS 10
7
8#include <ldns/dnssec.h>
9#include <ldns/host2str.h>
10
11#ifdef __cplusplus
12extern "C" {
13#endif
14
15/**
16 * Chain structure that contains all DNSSEC data needed to
17 * verify an rrset
18 */
19typedef struct ldns_dnssec_data_chain_struct ldns_dnssec_data_chain;
20struct ldns_dnssec_data_chain_struct
21{
22	ldns_rr_list *rrset;
23	ldns_rr_list *signatures;
24	ldns_rr_type parent_type;
25	ldns_dnssec_data_chain *parent;
26	ldns_pkt_rcode packet_rcode;
27	ldns_rr_type packet_qtype;
28	bool packet_nodata;
29};
30
31/**
32 * Creates a new dnssec_chain structure
33 * \return ldns_dnssec_data_chain *
34 */
35ldns_dnssec_data_chain *ldns_dnssec_data_chain_new(void);
36
37/**
38 * Frees a dnssec_data_chain structure
39 *
40 * \param[in] *chain The chain to free
41 */
42void ldns_dnssec_data_chain_free(ldns_dnssec_data_chain *chain);
43
44/**
45 * Frees a dnssec_data_chain structure, and all data
46 * contained therein
47 *
48 * \param[in] *chain The dnssec_data_chain to free
49 */
50void ldns_dnssec_data_chain_deep_free(ldns_dnssec_data_chain *chain);
51
52/**
53 * Prints the dnssec_data_chain to the given file stream
54 *
55 * \param[in] *out The file stream to print to
56 * \param[in] *chain The dnssec_data_chain to print
57 */
58void ldns_dnssec_data_chain_print(FILE *out, const ldns_dnssec_data_chain *chain);
59
60/**
61 * Prints the dnssec_data_chain to the given file stream
62 *
63 * \param[in] *out The file stream to print to
64 * \param[in] *fmt The format of the textual representation
65 * \param[in] *chain The dnssec_data_chain to print
66 */
67void ldns_dnssec_data_chain_print_fmt(FILE *out,
68		const ldns_output_format *fmt,
69		const ldns_dnssec_data_chain *chain);
70
71/**
72 * Build an ldns_dnssec_data_chain, which contains all
73 * DNSSEC data that is needed to derive the trust tree later
74 *
75 * The data_set will be cloned
76 *
77 * \param[in] *res resolver structure for further needed queries
78 * \param[in] qflags resolution flags
79 * \param[in] *data_set The original rrset where the chain ends
80 * \param[in] *pkt optional, can contain the original packet
81 * (and hence the sigs and maybe the key)
82 * \param[in] *orig_rr The original Resource Record
83 *
84 * \return the DNSSEC data chain
85 */
86ldns_dnssec_data_chain *ldns_dnssec_build_data_chain(ldns_resolver *res,
87										   const uint16_t qflags,
88										   const ldns_rr_list *data_set,
89										   const ldns_pkt *pkt,
90										   ldns_rr *orig_rr);
91
92/**
93 * Tree structure that contains the relation of DNSSEC data,
94 * and their cryptographic status.
95 *
96 * This tree is derived from a data_chain, and can be used
97 * to look whether there is a connection between an RRSET
98 * and a trusted key. The tree only contains pointers to the
99 * data_chain, and therefore one should *never* free() the
100 * data_chain when there is still a trust tree derived from
101 * that chain.
102 *
103 * Example tree:
104 *     key   key    key
105 *       \    |    /
106 *        \   |   /
107 *         \  |  /
108 *            ds
109 *            |
110 *           key
111 *            |
112 *           key
113 *            |
114 *            rr
115 *
116 * For each signature there is a parent; if the parent
117 * pointer is null, it couldn't be found and there was no
118 * denial; otherwise is a tree which contains either a
119 * DNSKEY, a DS, or a NSEC rr
120 */
121typedef struct ldns_dnssec_trust_tree_struct ldns_dnssec_trust_tree;
122struct ldns_dnssec_trust_tree_struct
123{
124	ldns_rr *rr;
125	/* the complete rrset this rr was in */
126	ldns_rr_list *rrset;
127	ldns_dnssec_trust_tree *parents[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS];
128	ldns_status parent_status[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS];
129	/** for debugging, add signatures too (you might want
130	    those if they contain errors) */
131	ldns_rr *parent_signature[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS];
132	size_t parent_count;
133};
134
135/**
136 * Creates a new (empty) dnssec_trust_tree structure
137 *
138 * \return ldns_dnssec_trust_tree *
139 */
140ldns_dnssec_trust_tree *ldns_dnssec_trust_tree_new(void);
141
142/**
143 * Frees the dnssec_trust_tree recursively
144 *
145 * There is no deep free; all data in the trust tree
146 * consists of pointers to a data_chain
147 *
148 * \param[in] tree The tree to free
149 */
150void ldns_dnssec_trust_tree_free(ldns_dnssec_trust_tree *tree);
151
152/**
153 * returns the depth of the trust tree
154 *
155 * \param[in] tree tree to calculate the depth of
156 * \return The depth of the tree
157 */
158size_t ldns_dnssec_trust_tree_depth(ldns_dnssec_trust_tree *tree);
159
160/**
161 * Prints the dnssec_trust_tree structure to the given file
162 * stream.
163 *
164 * If a link status is not LDNS_STATUS_OK; the status and
165 * relevant signatures are printed too
166 *
167 * \param[in] *out The file stream to print to
168 * \param[in] tree The trust tree to print
169 * \param[in] tabs Prepend each line with tabs*2 spaces
170 * \param[in] extended If true, add little explanation lines to the output
171 */
172void ldns_dnssec_trust_tree_print(FILE *out,
173	       	ldns_dnssec_trust_tree *tree,
174		size_t tabs,
175		bool extended);
176
177/**
178 * Prints the dnssec_trust_tree structure to the given file
179 * stream.
180 *
181 * If a link status is not LDNS_STATUS_OK; the status and
182 * relevant signatures are printed too
183 *
184 * \param[in] *out The file stream to print to
185 * \param[in] *fmt The format of the textual representation
186 * \param[in] tree The trust tree to print
187 * \param[in] tabs Prepend each line with tabs*2 spaces
188 * \param[in] extended If true, add little explanation lines to the output
189 */
190void ldns_dnssec_trust_tree_print_fmt(FILE *out,
191		const ldns_output_format *fmt,
192	       	ldns_dnssec_trust_tree *tree,
193		size_t tabs,
194		bool extended);
195
196/**
197 * Adds a trust tree as a parent for the given trust tree
198 *
199 * \param[in] *tree The tree to add the parent to
200 * \param[in] *parent The parent tree to add
201 * \param[in] *parent_signature The RRSIG relevant to this parent/child
202 *                              connection
203 * \param[in] parent_status The DNSSEC status for this parent, child and RRSIG
204 * \return LDNS_STATUS_OK if the addition succeeds, error otherwise
205 */
206ldns_status ldns_dnssec_trust_tree_add_parent(ldns_dnssec_trust_tree *tree,
207									 const ldns_dnssec_trust_tree *parent,
208									 const ldns_rr *parent_signature,
209									 const ldns_status parent_status);
210
211/**
212 * Generates a dnssec_trust_tree for the given rr from the
213 * given data_chain
214 *
215 * This does not clone the actual data; Don't free the
216 * data_chain before you are done with this tree
217 *
218 * \param[in] *data_chain The chain to derive the trust tree from
219 * \param[in] *rr The RR this tree will be about
220 * \return ldns_dnssec_trust_tree *
221 */
222ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree(
223                            ldns_dnssec_data_chain *data_chain,
224					   ldns_rr *rr);
225
226/**
227 * Generates a dnssec_trust_tree for the given rr from the
228 * given data_chain
229 *
230 * This does not clone the actual data; Don't free the
231 * data_chain before you are done with this tree
232 *
233 * \param[in] *data_chain The chain to derive the trust tree from
234 * \param[in] *rr The RR this tree will be about
235 * \param[in] check_time the time for which the validation is performed
236 * \return ldns_dnssec_trust_tree *
237 */
238ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree_time(
239		ldns_dnssec_data_chain *data_chain,
240		ldns_rr *rr, time_t check_time);
241
242/**
243 * Sub function for derive_trust_tree that is used for a 'normal' rrset
244 *
245 * \param[in] new_tree The trust tree that we are building
246 * \param[in] data_chain The data chain containing the data for the trust tree
247 * \param[in] cur_sig_rr The currently relevant signature
248 */
249void ldns_dnssec_derive_trust_tree_normal_rrset(
250         ldns_dnssec_trust_tree *new_tree,
251	    ldns_dnssec_data_chain *data_chain,
252	    ldns_rr *cur_sig_rr);
253
254/**
255 * Sub function for derive_trust_tree that is used for a 'normal' rrset
256 *
257 * \param[in] new_tree The trust tree that we are building
258 * \param[in] data_chain The data chain containing the data for the trust tree
259 * \param[in] cur_sig_rr The currently relevant signature
260 * \param[in] check_time the time for which the validation is performed
261 */
262void ldns_dnssec_derive_trust_tree_normal_rrset_time(
263         ldns_dnssec_trust_tree *new_tree,
264	    ldns_dnssec_data_chain *data_chain,
265	    ldns_rr *cur_sig_rr, time_t check_time);
266
267
268/**
269 * Sub function for derive_trust_tree that is used for DNSKEY rrsets
270 *
271 * \param[in] new_tree The trust tree that we are building
272 * \param[in] data_chain The data chain containing the data for the trust tree
273 * \param[in] cur_rr The currently relevant DNSKEY RR
274 * \param[in] cur_sig_rr The currently relevant signature
275 */
276void ldns_dnssec_derive_trust_tree_dnskey_rrset(
277         ldns_dnssec_trust_tree *new_tree,
278	    ldns_dnssec_data_chain *data_chain,
279	    ldns_rr *cur_rr,
280	    ldns_rr *cur_sig_rr);
281
282/**
283 * Sub function for derive_trust_tree that is used for DNSKEY rrsets
284 *
285 * \param[in] new_tree The trust tree that we are building
286 * \param[in] data_chain The data chain containing the data for the trust tree
287 * \param[in] cur_rr The currently relevant DNSKEY RR
288 * \param[in] cur_sig_rr The currently relevant signature
289 * \param[in] check_time the time for which the validation is performed
290 */
291void ldns_dnssec_derive_trust_tree_dnskey_rrset_time(
292         ldns_dnssec_trust_tree *new_tree,
293	    ldns_dnssec_data_chain *data_chain,
294	    ldns_rr *cur_rr, ldns_rr *cur_sig_rr,
295	    time_t check_time);
296
297/**
298 * Sub function for derive_trust_tree that is used for DS rrsets
299 *
300 * \param[in] new_tree The trust tree that we are building
301 * \param[in] data_chain The data chain containing the data for the trust tree
302 * \param[in] cur_rr The currently relevant DS RR
303 */
304void ldns_dnssec_derive_trust_tree_ds_rrset(
305         ldns_dnssec_trust_tree *new_tree,
306	    ldns_dnssec_data_chain *data_chain,
307	    ldns_rr *cur_rr);
308
309/**
310 * Sub function for derive_trust_tree that is used for DS rrsets
311 *
312 * \param[in] new_tree The trust tree that we are building
313 * \param[in] data_chain The data chain containing the data for the trust tree
314 * \param[in] cur_rr The currently relevant DS RR
315 * \param[in] check_time the time for which the validation is performed
316 */
317void ldns_dnssec_derive_trust_tree_ds_rrset_time(
318         ldns_dnssec_trust_tree *new_tree,
319	    ldns_dnssec_data_chain *data_chain,
320	    ldns_rr *cur_rr, time_t check_time);
321
322/**
323 * Sub function for derive_trust_tree that is used when there are no
324 * signatures
325 *
326 * \param[in] new_tree The trust tree that we are building
327 * \param[in] data_chain The data chain containing the data for the trust tree
328 */
329void ldns_dnssec_derive_trust_tree_no_sig(
330         ldns_dnssec_trust_tree *new_tree,
331	    ldns_dnssec_data_chain *data_chain);
332
333/**
334 * Sub function for derive_trust_tree that is used when there are no
335 * signatures
336 *
337 * \param[in] new_tree The trust tree that we are building
338 * \param[in] data_chain The data chain containing the data for the trust tree
339 * \param[in] check_time the time for which the validation is performed
340 */
341void ldns_dnssec_derive_trust_tree_no_sig_time(
342         ldns_dnssec_trust_tree *new_tree,
343	    ldns_dnssec_data_chain *data_chain,
344	    time_t check_time);
345
346
347/**
348 * Returns OK if there is a trusted path in the tree to one of
349 * the DNSKEY or DS RRs in the given list
350 *
351 * \param *tree The trust tree so search
352 * \param *keys A ldns_rr_list of DNSKEY and DS rrs to look for
353 *
354 * \return LDNS_STATUS_OK if there is a trusted path to one of
355 *                        the keys, or the *first* error encountered
356 *                        if there were no paths
357 */
358ldns_status ldns_dnssec_trust_tree_contains_keys(
359			 ldns_dnssec_trust_tree *tree,
360			 ldns_rr_list *keys);
361
362/**
363 * Verifies a list of signatures for one rrset.
364 *
365 * \param[in] rrset the rrset to verify
366 * \param[in] rrsig a list of signatures to check
367 * \param[in] keys a list of keys to check with
368 * \param[out] good_keys  if this is a (initialized) list, the pointer to keys
369 *                        from keys that validate one of the signatures
370 *                        are added to it
371 * \return status LDNS_STATUS_OK if there is at least one correct key
372 */
373ldns_status ldns_verify(ldns_rr_list *rrset,
374				    ldns_rr_list *rrsig,
375				    const ldns_rr_list *keys,
376				    ldns_rr_list *good_keys);
377
378/**
379 * Verifies a list of signatures for one rrset.
380 *
381 * \param[in] rrset the rrset to verify
382 * \param[in] rrsig a list of signatures to check
383 * \param[in] keys a list of keys to check with
384 * \param[in] check_time the time for which the validation is performed
385 * \param[out] good_keys  if this is a (initialized) list, the pointer to keys
386 *                        from keys that validate one of the signatures
387 *                        are added to it
388 * \return status LDNS_STATUS_OK if there is at least one correct key
389 */
390ldns_status ldns_verify_time(ldns_rr_list *rrset,
391				    ldns_rr_list *rrsig,
392				    const ldns_rr_list *keys,
393				    time_t check_time,
394				    ldns_rr_list *good_keys);
395
396
397/**
398 * Verifies a list of signatures for one rrset, but disregard the time.
399 * Inception and Expiration are not checked.
400 *
401 * \param[in] rrset the rrset to verify
402 * \param[in] rrsig a list of signatures to check
403 * \param[in] keys a list of keys to check with
404 * \param[out] good_keys  if this is a (initialized) list, the pointer to keys
405 *                        from keys that validate one of the signatures
406 *                        are added to it
407 * \return status LDNS_STATUS_OK if there is at least one correct key
408 */
409ldns_status ldns_verify_notime(ldns_rr_list *rrset,
410				    ldns_rr_list *rrsig,
411				    const ldns_rr_list *keys,
412				    ldns_rr_list *good_keys);
413
414/**
415 * Tries to build an authentication chain from the given
416 * keys down to the queried domain.
417 *
418 * If we find a valid trust path, return the valid keys for the domain.
419 *
420 * \param[in] res the current resolver
421 * \param[in] domain the domain we want valid keys for
422 * \param[in] keys the current set of trusted keys
423 * \param[out] status pointer to the status variable where the result
424 *                    code will be stored
425 * \return the set of trusted keys for the domain, or NULL if no
426 *         trust path could be built.
427 */
428ldns_rr_list *ldns_fetch_valid_domain_keys(const ldns_resolver * res,
429								   const ldns_rdf * domain,
430								   const ldns_rr_list * keys,
431								   ldns_status *status);
432
433/**
434 * Tries to build an authentication chain from the given
435 * keys down to the queried domain.
436 *
437 * If we find a valid trust path, return the valid keys for the domain.
438 *
439 * \param[in] res the current resolver
440 * \param[in] domain the domain we want valid keys for
441 * \param[in] keys the current set of trusted keys
442 * \param[in] check_time the time for which the validation is performed
443 * \param[out] status pointer to the status variable where the result
444 *                    code will be stored
445 * \return the set of trusted keys for the domain, or NULL if no
446 *         trust path could be built.
447 */
448ldns_rr_list *ldns_fetch_valid_domain_keys_time(const ldns_resolver * res,
449		const ldns_rdf * domain, const ldns_rr_list * keys,
450		time_t check_time, ldns_status *status);
451
452
453/**
454 * Validates the DNSKEY RRset for the given domain using the provided
455 * trusted keys.
456 *
457 * \param[in] res the current resolver
458 * \param[in] domain the domain we want valid keys for
459 * \param[in] keys the current set of trusted keys
460 * \return the set of trusted keys for the domain, or NULL if the RRSET
461 *         could not be validated
462 */
463ldns_rr_list *ldns_validate_domain_dnskey (const ldns_resolver *res,
464								   const ldns_rdf *domain,
465								   const ldns_rr_list *keys);
466
467/**
468 * Validates the DNSKEY RRset for the given domain using the provided
469 * trusted keys.
470 *
471 * \param[in] res the current resolver
472 * \param[in] domain the domain we want valid keys for
473 * \param[in] keys the current set of trusted keys
474 * \param[in] check_time the time for which the validation is performed
475 * \return the set of trusted keys for the domain, or NULL if the RRSET
476 *         could not be validated
477 */
478ldns_rr_list *ldns_validate_domain_dnskey_time(
479		const ldns_resolver *res, const ldns_rdf *domain,
480		const ldns_rr_list *keys, time_t check_time);
481
482
483/**
484 * Validates the DS RRset for the given domain using the provided trusted keys.
485 *
486 * \param[in] res the current resolver
487 * \param[in] domain the domain we want valid keys for
488 * \param[in] keys the current set of trusted keys
489 * \return the set of trusted keys for the domain, or NULL if the RRSET could not be validated
490 */
491ldns_rr_list *ldns_validate_domain_ds(const ldns_resolver *res,
492							   const ldns_rdf *
493							   domain,
494							   const ldns_rr_list * keys);
495
496/**
497 * Validates the DS RRset for the given domain using the provided trusted keys.
498 *
499 * \param[in] res the current resolver
500 * \param[in] domain the domain we want valid keys for
501 * \param[in] keys the current set of trusted keys
502 * \param[in] check_time the time for which the validation is performed
503 * \return the set of trusted keys for the domain, or NULL if the RRSET could not be validated
504 */
505ldns_rr_list *ldns_validate_domain_ds_time(
506		const ldns_resolver *res, const ldns_rdf *domain,
507		const ldns_rr_list * keys, time_t check_time);
508
509
510/**
511 * Verifies a list of signatures for one RRset using a valid trust path.
512 *
513 * \param[in] res the current resolver
514 * \param[in] rrset the rrset to verify
515 * \param[in] rrsigs a list of signatures to check
516 * \param[out] validating_keys  if this is a (initialized) list, the
517 *                              keys from keys that validate one of
518 *                              the signatures are added to it
519 * \return status LDNS_STATUS_OK if there is at least one correct key
520 */
521ldns_status ldns_verify_trusted(ldns_resolver *res,
522						  ldns_rr_list *rrset,
523						  ldns_rr_list *rrsigs,
524						  ldns_rr_list *validating_keys);
525
526/**
527 * Verifies a list of signatures for one RRset using a valid trust path.
528 *
529 * \param[in] res the current resolver
530 * \param[in] rrset the rrset to verify
531 * \param[in] rrsigs a list of signatures to check
532 * \param[in] check_time the time for which the validation is performed
533 * \param[out] validating_keys  if this is a (initialized) list, the
534 *                              keys from keys that validate one of
535 *                              the signatures are added to it
536 * \return status LDNS_STATUS_OK if there is at least one correct key
537 */
538ldns_status ldns_verify_trusted_time(
539		ldns_resolver *res, ldns_rr_list *rrset,
540		ldns_rr_list *rrsigs, time_t check_time,
541		ldns_rr_list *validating_keys);
542
543
544/**
545 * denial is not just a river in egypt
546 *
547 * \param[in] rr The (query) RR to check the denial of existence for
548 * \param[in] nsecs The list of NSEC RRs that are supposed to deny the
549 *                  existence of the RR
550 * \param[in] rrsigs The RRSIG RR covering the NSEC RRs
551 * \return LDNS_STATUS_OK if the NSEC RRs deny the existence, error code
552 *                        containing the reason they do not otherwise
553 */
554ldns_status ldns_dnssec_verify_denial(ldns_rr *rr,
555							   ldns_rr_list *nsecs,
556							   ldns_rr_list *rrsigs);
557
558/**
559 * Denial of existence using NSEC3 records
560 * Since NSEC3 is a bit more complicated than normal denial, some
561 * context arguments are needed
562 *
563 * \param[in] rr The (query) RR to check the denial of existence for
564 * \param[in] nsecs The list of NSEC3 RRs that are supposed to deny the
565 *                  existence of the RR
566 * \param[in] rrsigs The RRSIG rr covering the NSEC RRs
567 * \param[in] packet_rcode The RCODE value of the packet that provided the
568 *                         NSEC3 RRs
569 * \param[in] packet_qtype The original query RR type
570 * \param[in] packet_nodata True if the providing packet had an empty ANSWER
571 *                          section
572 * \return LDNS_STATUS_OK if the NSEC3 RRs deny the existence, error code
573 *                        containing the reason they do not otherwise
574 */
575ldns_status ldns_dnssec_verify_denial_nsec3(ldns_rr *rr,
576								    ldns_rr_list *nsecs,
577								    ldns_rr_list *rrsigs,
578								    ldns_pkt_rcode packet_rcode,
579								    ldns_rr_type packet_qtype,
580								    bool packet_nodata);
581
582/**
583 * Same as ldns_status ldns_dnssec_verify_denial_nsec3 but also returns
584 * the nsec rr that matched.
585 *
586 * \param[in] rr The (query) RR to check the denial of existence for
587 * \param[in] nsecs The list of NSEC3 RRs that are supposed to deny the
588 *                  existence of the RR
589 * \param[in] rrsigs The RRSIG rr covering the NSEC RRs
590 * \param[in] packet_rcode The RCODE value of the packet that provided the
591 *                         NSEC3 RRs
592 * \param[in] packet_qtype The original query RR type
593 * \param[in] packet_nodata True if the providing packet had an empty ANSWER
594 *                          section
595 * \param[in] match On match, the given (reference to a) pointer will be set
596 *                  to point to the matching nsec resource record.
597 * \return LDNS_STATUS_OK if the NSEC3 RRs deny the existence, error code
598 *                        containing the reason they do not otherwise
599 */
600ldns_status ldns_dnssec_verify_denial_nsec3_match(ldns_rr *rr,
601						  ldns_rr_list *nsecs,
602						  ldns_rr_list *rrsigs,
603						  ldns_pkt_rcode packet_rcode,
604						  ldns_rr_type packet_qtype,
605						  bool packet_nodata,
606						  ldns_rr **match);
607/**
608 * Verifies the already processed data in the buffers
609 * This function should probably not be used directly.
610 *
611 * \param[in] rawsig_buf Buffer containing signature data to use
612 * \param[in] verify_buf Buffer containing data to verify
613 * \param[in] key_buf Buffer containing key data to use
614 * \param[in] algo Signing algorithm
615 * \return status LDNS_STATUS_OK if the data verifies. Error if not.
616 */
617ldns_status ldns_verify_rrsig_buffers(ldns_buffer *rawsig_buf,
618							   ldns_buffer *verify_buf,
619							   ldns_buffer *key_buf,
620							   uint8_t algo);
621
622/**
623 * Like ldns_verify_rrsig_buffers, but uses raw data.
624 *
625 * \param[in] sig signature data to use
626 * \param[in] siglen length of signature data to use
627 * \param[in] verify_buf Buffer containing data to verify
628 * \param[in] key key data to use
629 * \param[in] keylen length of key data to use
630 * \param[in] algo Signing algorithm
631 * \return status LDNS_STATUS_OK if the data verifies. Error if not.
632 */
633ldns_status ldns_verify_rrsig_buffers_raw(unsigned char* sig,
634								  size_t siglen,
635								  ldns_buffer *verify_buf,
636								  unsigned char* key,
637								  size_t keylen,
638								  uint8_t algo);
639
640/**
641 * Verifies an rrsig. All keys in the keyset are tried.
642 * \param[in] rrset the rrset to check
643 * \param[in] rrsig the signature of the rrset
644 * \param[in] keys the keys to try
645 * \param[out] good_keys  if this is a (initialized) list, the pointer to keys
646 *                        from keys that validate one of the signatures
647 *                        are added to it
648 * \return a list of keys which validate the rrsig + rrset. Returns
649 * status LDNS_STATUS_OK if at least one key matched. Else an error.
650 */
651ldns_status ldns_verify_rrsig_keylist(ldns_rr_list *rrset,
652							   ldns_rr *rrsig,
653							   const ldns_rr_list *keys,
654							   ldns_rr_list *good_keys);
655
656/**
657 * Verifies an rrsig. All keys in the keyset are tried.
658 * \param[in] rrset the rrset to check
659 * \param[in] rrsig the signature of the rrset
660 * \param[in] keys the keys to try
661 * \param[in] check_time the time for which the validation is performed
662 * \param[out] good_keys  if this is a (initialized) list, the pointer to keys
663 *                        from keys that validate one of the signatures
664 *                        are added to it
665 * \return a list of keys which validate the rrsig + rrset. Returns
666 * status LDNS_STATUS_OK if at least one key matched. Else an error.
667 */
668ldns_status ldns_verify_rrsig_keylist_time(
669		ldns_rr_list *rrset, ldns_rr *rrsig,
670		const ldns_rr_list *keys, time_t check_time,
671	       	ldns_rr_list *good_keys);
672
673
674/**
675 * Verifies an rrsig. All keys in the keyset are tried. Time is not checked.
676 * \param[in] rrset the rrset to check
677 * \param[in] rrsig the signature of the rrset
678 * \param[in] keys the keys to try
679 * \param[out] good_keys  if this is a (initialized) list, the pointer to keys
680 *                        from keys that validate one of the signatures
681 *                        are added to it
682 * \return a list of keys which validate the rrsig + rrset. Returns
683 * status LDNS_STATUS_OK if at least one key matched. Else an error.
684 */
685ldns_status ldns_verify_rrsig_keylist_notime(ldns_rr_list *rrset,
686							   ldns_rr *rrsig,
687							   const ldns_rr_list *keys,
688							   ldns_rr_list *good_keys);
689
690/**
691 * verify an rrsig with 1 key
692 * \param[in] rrset the rrset
693 * \param[in] rrsig the rrsig to verify
694 * \param[in] key the key to use
695 * \return status message wether verification succeeded.
696 */
697ldns_status ldns_verify_rrsig(ldns_rr_list *rrset,
698						ldns_rr *rrsig,
699						ldns_rr *key);
700
701
702/**
703 * verify an rrsig with 1 key
704 * \param[in] rrset the rrset
705 * \param[in] rrsig the rrsig to verify
706 * \param[in] key the key to use
707 * \param[in] check_time the time for which the validation is performed
708 * \return status message wether verification succeeded.
709 */
710ldns_status ldns_verify_rrsig_time(
711		ldns_rr_list *rrset, ldns_rr *rrsig,
712		ldns_rr *key, time_t check_time);
713
714
715#if LDNS_BUILD_CONFIG_HAVE_SSL
716/**
717 * verifies a buffer with signature data for a buffer with rrset data
718 * with an EVP_PKEY
719 *
720 * \param[in] sig the signature data
721 * \param[in] rrset the rrset data, sorted and processed for verification
722 * \param[in] key the EVP key structure
723 * \param[in] digest_type The digest type of the signature
724 */
725ldns_status ldns_verify_rrsig_evp(ldns_buffer *sig,
726						    ldns_buffer *rrset,
727						    EVP_PKEY *key,
728						    const EVP_MD *digest_type);
729
730/**
731 * Like ldns_verify_rrsig_evp, but uses raw signature data.
732 * \param[in] sig the signature data, wireformat uncompressed
733 * \param[in] siglen length of the signature data
734 * \param[in] rrset the rrset data, sorted and processed for verification
735 * \param[in] key the EVP key structure
736 * \param[in] digest_type The digest type of the signature
737 */
738ldns_status ldns_verify_rrsig_evp_raw(unsigned char *sig,
739							   size_t siglen,
740							   ldns_buffer *rrset,
741							   EVP_PKEY *key,
742							   const EVP_MD *digest_type);
743#endif
744
745/**
746 * verifies a buffer with signature data (DSA) for a buffer with rrset data
747 * with a buffer with key data.
748 *
749 * \param[in] sig the signature data
750 * \param[in] rrset the rrset data, sorted and processed for verification
751 * \param[in] key the key data
752 */
753ldns_status ldns_verify_rrsig_dsa(ldns_buffer *sig,
754						    ldns_buffer *rrset,
755						    ldns_buffer *key);
756
757/**
758 * verifies a buffer with signature data (RSASHA1) for a buffer with rrset data
759 * with a buffer with key data.
760 *
761 * \param[in] sig the signature data
762 * \param[in] rrset the rrset data, sorted and processed for verification
763 * \param[in] key the key data
764 */
765ldns_status ldns_verify_rrsig_rsasha1(ldns_buffer *sig,
766							   ldns_buffer *rrset,
767							   ldns_buffer *key);
768
769/**
770 * verifies a buffer with signature data (RSAMD5) for a buffer with rrset data
771 * with a buffer with key data.
772 *
773 * \param[in] sig the signature data
774 * \param[in] rrset the rrset data, sorted and processed for verification
775 * \param[in] key the key data
776 */
777ldns_status ldns_verify_rrsig_rsamd5(ldns_buffer *sig,
778							  ldns_buffer *rrset,
779							  ldns_buffer *key);
780
781/**
782 * Like ldns_verify_rrsig_dsa, but uses raw signature and key data.
783 * \param[in] sig raw uncompressed wireformat signature data
784 * \param[in] siglen length of signature data
785 * \param[in] rrset ldns buffer with prepared rrset data.
786 * \param[in] key raw uncompressed wireformat key data
787 * \param[in] keylen length of key data
788 */
789ldns_status ldns_verify_rrsig_dsa_raw(unsigned char* sig,
790							   size_t siglen,
791							   ldns_buffer* rrset,
792							   unsigned char* key,
793							   size_t keylen);
794
795/**
796 * Like ldns_verify_rrsig_rsasha1, but uses raw signature and key data.
797 * \param[in] sig raw uncompressed wireformat signature data
798 * \param[in] siglen length of signature data
799 * \param[in] rrset ldns buffer with prepared rrset data.
800 * \param[in] key raw uncompressed wireformat key data
801 * \param[in] keylen length of key data
802 */
803ldns_status ldns_verify_rrsig_rsasha1_raw(unsigned char* sig,
804								  size_t siglen,
805								  ldns_buffer* rrset,
806								  unsigned char* key,
807								  size_t keylen);
808
809/**
810 * Like ldns_verify_rrsig_rsasha256, but uses raw signature and key data.
811 * \param[in] sig raw uncompressed wireformat signature data
812 * \param[in] siglen length of signature data
813 * \param[in] rrset ldns buffer with prepared rrset data.
814 * \param[in] key raw uncompressed wireformat key data
815 * \param[in] keylen length of key data
816 */
817
818ldns_status ldns_verify_rrsig_rsasha256_raw(unsigned char* sig,
819								    size_t siglen,
820								    ldns_buffer* rrset,
821								    unsigned char* key,
822								    size_t keylen);
823
824/**
825 * Like ldns_verify_rrsig_rsasha512, but uses raw signature and key data.
826 * \param[in] sig raw uncompressed wireformat signature data
827 * \param[in] siglen length of signature data
828 * \param[in] rrset ldns buffer with prepared rrset data.
829 * \param[in] key raw uncompressed wireformat key data
830 * \param[in] keylen length of key data
831 */
832ldns_status ldns_verify_rrsig_rsasha512_raw(unsigned char* sig,
833								    size_t siglen,
834								    ldns_buffer* rrset,
835								    unsigned char* key,
836								    size_t keylen);
837
838/**
839 * Like ldns_verify_rrsig_rsamd5, but uses raw signature and key data.
840 * \param[in] sig raw uncompressed wireformat signature data
841 * \param[in] siglen length of signature data
842 * \param[in] rrset ldns buffer with prepared rrset data.
843 * \param[in] key raw uncompressed wireformat key data
844 * \param[in] keylen length of key data
845 */
846ldns_status ldns_verify_rrsig_rsamd5_raw(unsigned char* sig,
847								 size_t siglen,
848								 ldns_buffer* rrset,
849								 unsigned char* key,
850								 size_t keylen);
851
852#ifdef __cplusplus
853}
854#endif
855
856#endif
857
858