/*
 * dnssec.h -- defines for the Domain Name System (SEC) (DNSSEC)
 *
 * Copyright (c) 2005-2008, NLnet Labs. All rights reserved.
 *
 * See LICENSE for the license.
 *
 * A bunch of defines that are used in the DNS
 */

/**
 * \file dnssec.h
 *
 * This module contains base functions for DNSSEC operations
 * (RFC4033 through RFC4035).
 *
 * Since those functions heavily rely on cryptographic operations,
 * this module is dependent on openssl. Everything that needs an
 * OpenSSL type is guarded by LDNS_BUILD_CONFIG_HAVE_SSL below.
 *
 */


#ifndef LDNS_DNSSEC_H
#define LDNS_DNSSEC_H

#include <ldns/common.h>
#if LDNS_BUILD_CONFIG_HAVE_SSL
#include <openssl/ssl.h>
#include <openssl/evp.h>
#endif /* LDNS_BUILD_CONFIG_HAVE_SSL */
#include <ldns/packet.h>
#include <ldns/keys.h>
#include <ldns/zone.h>
#include <ldns/resolver.h>
#include <ldns/dnssec_zone.h>

#ifdef __cplusplus
extern "C" {
#endif

/* Upper bound on key length handled by this module (units not stated
 * here; presumably bits -- confirm against keys.c before relying on it). */
#define LDNS_MAX_KEYLEN 2048
/* Value of the DNSKEY "protocol" field; RFC 4034 section 2.1.2 requires 3
 * and keys with any other value must be treated as invalid. */
#define LDNS_DNSSEC_KEYPROTO 3
/* default time before sigs expire, in seconds (4 * 7 * 86400) */
#define LDNS_DEFAULT_EXP_TIME 2419200 /* 4 weeks */

/** return values for the old-signature callback (see the
 *  ldns_dnssec_default_*_signatures functions at the end of this file):
 *  LEAVE/REMOVE says what to do with an existing signature,
 *  ADD_NEW/NO_ADD whether a fresh one is created for the same key. */
#define LDNS_SIGNATURE_LEAVE_ADD_NEW 0
#define LDNS_SIGNATURE_LEAVE_NO_ADD 1
#define LDNS_SIGNATURE_REMOVE_ADD_NEW 2
#define LDNS_SIGNATURE_REMOVE_NO_ADD 3

/**
 * Returns the first RRSIG rr that corresponds to the rrset
 * with the given name and type
 *
 * \param[in] name The dname of the RRset covered by the RRSIG to find
 * \param[in] type The type of the RRset covered by the RRSIG to find
 * \param[in] rrs List of rrs to search in
 * \returns Pointer to the first RRsig ldns_rr found, or NULL if it is
 * not present. The pointer refers into \c rrs; it is not a copy.
 */
ldns_rr *ldns_dnssec_get_rrsig_for_name_and_type(const ldns_rdf *name,
                                                 const ldns_rr_type type,
                                                 const ldns_rr_list *rrs);

/**
 * Returns the DNSKEY that corresponds to the given RRSIG rr from the list, if
 * any
 *
 * \param[in] rrsig The rrsig to find the DNSKEY for
 * \param[in] rrs The rr list to find the key in
 * \return The DNSKEY that corresponds to the given RRSIG, or NULL if it was
 * not found. Matching a key does not imply the signature verifies; use
 * ldns_pkt_verify() / ldns_pkt_verify_time() for that.
 */
ldns_rr *ldns_dnssec_get_dnskey_for_rrsig(const ldns_rr *rrsig, const ldns_rr_list *rrs);

/**
 * Returns the rdata field that contains the bitmap of the covered types of
 * the given NSEC record
 *
 * \param[in] nsec The nsec to get the covered type bitmap of
 * \return An ldns_rdf containing the bitmap, or NULL on error
 */
ldns_rdf *ldns_nsec_get_bitmap(ldns_rr *nsec);


/* Largest value representable in the 16-bit NSEC3 iterations field. This is
 * the wire-format maximum, not an operational recommendation: every extra
 * iteration costs hash work on both signer and validator, and RFC 9276
 * recommends an iteration count of 0 and lets validators treat high counts
 * as insecure. Callers that accept NSEC3 parameters from outside should
 * apply a much lower policy limit. */
#define LDNS_NSEC3_MAX_ITERATIONS 65535

/**
 * Returns the dname of the closest (provable) encloser
 *
 * \param[in] qname The name being queried
 * \param[in] qtype The type being queried
 * \param[in] nsec3s The NSEC3 RRs to derive the closest encloser from
 * \return The closest encloser dname, or NULL when none can be proven
 *         (return-on-failure is inferred from the pointer type; confirm)
 */
ldns_rdf *
ldns_dnssec_nsec3_closest_encloser(ldns_rdf *qname,
                                   ldns_rr_type qtype,
                                   ldns_rr_list *nsec3s);

/**
 * Checks whether the packet contains rrsigs
 *
 * \param[in] pkt The packet to inspect
 * \return true if at least one RRSIG is present
 */
bool
ldns_dnssec_pkt_has_rrsigs(const ldns_pkt *pkt);

/**
 * Returns a ldns_rr_list containing the signatures covering the given name
 * and type
 *
 * \param[in] pkt The packet to search
 * \param[in] name The owner name the signatures must cover
 * \param[in] type The RR type the signatures must cover
 * \return A new list (ownership presumably passes to the caller -- confirm)
 */
ldns_rr_list *ldns_dnssec_pkt_get_rrsigs_for_name_and_type(const ldns_pkt *pkt, ldns_rdf *name, ldns_rr_type type);

/**
 * Returns a ldns_rr_list containing the signatures covering the given type
 *
 * \param[in] pkt The packet to search
 * \param[in] type The RR type the signatures must cover
 * \return A new list (ownership presumably passes to the caller -- confirm)
 */
ldns_rr_list *ldns_dnssec_pkt_get_rrsigs_for_type(const ldns_pkt *pkt, ldns_rr_type type);

/**
 * calculates a keytag of a key for use in DNSSEC.
 *
 * Note that key tags are not unique (RFC 4034 appendix B); a matching tag
 * is a hint for key selection, never proof of identity.
 *
 * \param[in] key the key as an RR to use for the calc.
 * \return the keytag
 */
uint16_t ldns_calc_keytag(const ldns_rr *key);

/**
 * Calculates keytag of DNSSEC key, operates on wireformat rdata.
 * \param[in] key the key as uncompressed wireformat rdata.
 * \param[in] keysize length of key data; must be the exact length of the
 *            buffer, the function has no other bound to go by.
 * \return the keytag
 */
uint16_t ldns_calc_keytag_raw(uint8_t* key, size_t keysize);

#if LDNS_BUILD_CONFIG_HAVE_SSL
/**
 * converts a buffer holding key material to a DSA key in openssl.
 *
 * \param[in] key the key to convert
 * \return a DSA * structure with the key material; whether NULL is returned
 *         on malformed input is not stated here -- confirm in the
 *         implementation and check the result before use. The caller
 *         presumably owns the result (DSA_free).
 */
DSA *ldns_key_buf2dsa(ldns_buffer *key);
/**
 * Like ldns_key_buf2dsa, but uses raw buffer.
 * \param[in] key the uncompressed wireformat of the key.
 * \param[in] len length of key data; must match the buffer exactly, the
 *            key material normally comes straight off the wire.
 * \return a DSA * structure with the key material (see ldns_key_buf2dsa
 *         about failure and ownership)
 */
DSA *ldns_key_buf2dsa_raw(unsigned char* key, size_t len);

/**
 * Utility function to calculate hash using generic EVP_MD pointer.
 * \param[in] data the data to hash.
 * \param[in] len length of data.
 * \param[out] dest the destination of the hash, must be large enough:
 *             at least EVP_MD_size(md) bytes.
 * \param[in] md the message digest to use.
 * \return true if worked, false on failure (declared as int; treat
 *         nonzero as success).
 */
int ldns_digest_evp(unsigned char* data, unsigned int len,
                    unsigned char* dest, const EVP_MD* md);

/**
 * Converts a holding buffer with key material to EVP PKEY in openssl.
 * Only available if ldns was compiled with GOST.
 * \param[in] key data to convert
 * \param[in] keylen length of the key data
 * \return the key or NULL on error; the caller presumably owns it
 *         (EVP_PKEY_free) -- confirm.
 */
EVP_PKEY* ldns_gost2pkey_raw(unsigned char* key, size_t keylen);

/**
 * Converts a holding buffer with key material to EVP PKEY in openssl.
 * Only available if ldns was compiled with ECDSA.
 * \param[in] key data to convert
 * \param[in] keylen length of the key data
 * \param[in] algo precise algorithm to initialize ECC group values.
 * \return the key or NULL on error; the caller presumably owns it
 *         (EVP_PKEY_free) -- confirm.
 */
EVP_PKEY* ldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo);

#endif /* LDNS_BUILD_CONFIG_HAVE_SSL */

#if LDNS_BUILD_CONFIG_HAVE_SSL
/**
 * converts a buffer holding key material to a RSA key in openssl.
 *
 * \param[in] key the key to convert
 * \return a RSA * structure with the key material; whether NULL is returned
 *         on malformed input is not stated here -- confirm in the
 *         implementation and check the result before use. The caller
 *         presumably owns the result (RSA_free).
 */
RSA *ldns_key_buf2rsa(ldns_buffer *key);

/**
 * Like ldns_key_buf2rsa, but uses raw buffer.
 * \param[in] key the uncompressed wireformat of the key.
 * \param[in] len length of key data; must match the buffer exactly.
 * \return a RSA * structure with the key material (see ldns_key_buf2rsa
 *         about failure and ownership)
 */
RSA *ldns_key_buf2rsa_raw(unsigned char* key, size_t len);
#endif /* LDNS_BUILD_CONFIG_HAVE_SSL */

/**
 * returns a new DS rr that represents the given key rr.
 *
 * \param[in] key the key to convert
 * \param[in] h the hash to use LDNS_SHA1/LDNS_SHA256
 *
 * \return ldns_rr* a new rr pointer to a DS
 */
ldns_rr *ldns_key_rr2ds(const ldns_rr *key, ldns_hash h);

/**
 * Create the type bitmap for an NSEC(3) record
 *
 * \param[in] rr_type_list The RR types to mark as present
 * \param[in] size Number of entries in rr_type_list
 * \param[in] nsec_type LDNS_RR_TYPE_NSEC or LDNS_RR_TYPE_NSEC3, the record
 *            type the bitmap is built for
 * \return A new rdf holding the bitmap
 */
ldns_rdf *
ldns_dnssec_create_nsec_bitmap(ldns_rr_type rr_type_list[],
                               size_t size,
                               ldns_rr_type nsec_type);

/**
 * returns whether a rrset of the given type is found in the rrsets.
 *
 * \param[in] rrsets the rrsets to be tested
 * \param[in] type the type to test for
 * \return int 1 if the type was found, 0 otherwise.
 */
int
ldns_dnssec_rrsets_contains_type (ldns_dnssec_rrsets *rrsets, ldns_rr_type type);

/**
 * Creates NSEC
 *
 * \param[in] from The name the NSEC is created for (its owner)
 * \param[in] to The next name in canonical order, i.e. what the NSEC points to
 * \param[in] nsec_type The record type to create
 * \return A new NSEC rr
 */
ldns_rr *
ldns_dnssec_create_nsec(ldns_dnssec_name *from,
                        ldns_dnssec_name *to,
                        ldns_rr_type nsec_type);


/**
 * Creates NSEC3
 *
 * \param[in] from The name the NSEC3 is created for
 * \param[in] to The next name in the chain
 * \param[in] zone_name The zone apex, appended to the hashed owner
 * \param[in] algorithm The NSEC3 hash algorithm
 * \param[in] flags The flags field
 * \param[in] iterations The number of hash iterations
 * \param[in] salt_length The length of the salt in bytes
 * \param[in] salt The salt bytes (salt_length of them)
 * \return A new NSEC3 rr
 */
ldns_rr *
ldns_dnssec_create_nsec3(ldns_dnssec_name *from,
                         ldns_dnssec_name *to,
                         ldns_rdf *zone_name,
                         uint8_t algorithm,
                         uint8_t flags,
                         uint16_t iterations,
                         uint8_t salt_length,
                         uint8_t *salt);

/**
 * Create a NSEC record
 * \param[in] cur_owner the current owner which should be taken as the starting point
 * \param[in] next_owner the rrlist which the nsec rr should point to
 * \param[in] rrs all rrs from the zone, to find all RR types of cur_owner in
 * \return a ldns_rr with the nsec record in it
 */
ldns_rr * ldns_create_nsec(ldns_rdf *cur_owner, ldns_rdf *next_owner, ldns_rr_list *rrs);

/**
 * Calculates the hashed name using the given parameters
 * \param[in] name The owner name to calculate the hash for
 * \param[in] algorithm The hash algorithm to use
 * \param[in] iterations The number of hash iterations to use (each one is
 *            another digest pass; see the note at LDNS_NSEC3_MAX_ITERATIONS)
 * \param[in] salt_length The length of the salt in bytes
 * \param[in] salt The salt to use
 * \return The hashed owner name rdf, without the domain name
 */
ldns_rdf *ldns_nsec3_hash_name(ldns_rdf *name, uint8_t algorithm, uint16_t iterations, uint8_t salt_length, uint8_t *salt);

/**
 * Sets all the NSEC3 options. The rr to set them in must be initialized with _new() and
 * type LDNS_RR_TYPE_NSEC3
 * \param[in] rr The RR to set the values in
 * \param[in] algorithm The NSEC3 hash algorithm
 * \param[in] flags The flags field
 * \param[in] iterations The number of hash iterations
 * \param[in] salt_length The length of the salt in bytes
 * \param[in] salt The salt bytes
 */
void ldns_nsec3_add_param_rdfs(ldns_rr *rr,
                               uint8_t algorithm,
                               uint8_t flags,
                               uint16_t iterations,
                               uint8_t salt_length,
                               uint8_t *salt);

/**
 * Create a NSEC3 record for cur_owner.
 *
 * This will NOT return the NSEC3 completed: the "next hashed owner" field
 * can only be filled in once the whole chain is known, so you will have to
 * run the finalize function on the rrlist later
 * (see ldns_dnssec_chain_nsec3_list()).
 *
 * \param[in] cur_owner the owner name to create the NSEC3 for
 * \param[in] cur_zone the zone apex
 * \param[in] rrs all rrs from the zone, to find the RR types of cur_owner in
 * \param[in] algorithm The NSEC3 hash algorithm
 * \param[in] flags The flags field
 * \param[in] iterations The number of hash iterations
 * \param[in] salt_length The length of the salt in bytes
 * \param[in] salt The salt bytes
 * \param[in] emptynonterminal whether cur_owner is an empty non-terminal
 * \return a ldns_rr with the (unfinalized) NSEC3 record in it
 */
ldns_rr *
ldns_create_nsec3(ldns_rdf *cur_owner,
                  ldns_rdf *cur_zone,
                  ldns_rr_list *rrs,
                  uint8_t algorithm,
                  uint8_t flags,
                  uint16_t iterations,
                  uint8_t salt_length,
                  uint8_t *salt,
                  bool emptynonterminal);

/**
 * Returns the hash algorithm used in the given NSEC3 RR
 * \param[in] nsec3_rr The RR to read from
 * \return The algorithm identifier, or 0 on error
 */
uint8_t ldns_nsec3_algorithm(const ldns_rr *nsec3_rr);

/**
 * Returns flags field
 * \param[in] nsec3_rr The RR to read from
 * \return The raw flags octet of the NSEC3 RR
 */
uint8_t
ldns_nsec3_flags(const ldns_rr *nsec3_rr);

/**
 * Returns true if the opt-out flag has been set in the given NSEC3 RR
 * \param[in] nsec3_rr The RR to read from
 * \return true if the RR has type NSEC3 and the opt-out bit has been set, false otherwise
 */
bool ldns_nsec3_optout(const ldns_rr *nsec3_rr);

/**
 * Returns the number of hash iterations used in the given NSEC3 RR
 * \param[in] nsec3_rr The RR to read from
 * \return The number of iterations
 */
uint16_t ldns_nsec3_iterations(const ldns_rr *nsec3_rr);

/**
 * Returns the salt used in the given NSEC3 RR
 * \param[in] nsec3_rr The RR to read from
 * \return The salt rdf, or NULL on error
 */
ldns_rdf *ldns_nsec3_salt(const ldns_rr *nsec3_rr);

/**
 * Returns the length of the salt used in the given NSEC3 RR
 * \param[in] nsec3_rr The RR to read from
 * \return The length of the salt in bytes
 */
uint8_t ldns_nsec3_salt_length(const ldns_rr *nsec3_rr);

/**
 * Returns the salt bytes used in the given NSEC3 RR
 * \param[in] nsec3_rr The RR to read from
 * \return The salt in bytes, this is allocated, so you need to free it.
 *         Its length is ldns_nsec3_salt_length(); it is not NUL-terminated.
 */
uint8_t *ldns_nsec3_salt_data(const ldns_rr *nsec3_rr);

/**
 * Returns the first label of the next ownername in the NSEC3 chain (ie.
 * without the domain)
 * \param[in] nsec3_rr The RR to read from
 * \return The first label of the next owner name in the NSEC3 chain, or NULL on error
 */
ldns_rdf *ldns_nsec3_next_owner(const ldns_rr *nsec3_rr);

/**
 * Returns the bitmap specifying the covered types of the given NSEC3 RR
 * \param[in] nsec3_rr The RR to read from
 * \return The covered type bitmap rdf
 */
ldns_rdf *ldns_nsec3_bitmap(const ldns_rr *nsec3_rr);

/**
 * Calculates the hashed name using the parameters of the given NSEC3 RR
 * \param[in] nsec The RR to use the parameters from
 * \param[in] name The owner name to calculate the hash for
 * \return The hashed owner name rdf, without the domain name
 */
ldns_rdf *ldns_nsec3_hash_name_frm_nsec3(const ldns_rr *nsec, ldns_rdf *name);

/**
 * Check if RR type \c type is enumerated and set in the RR type bitmap rdf.
 * \param[in] bitmap the RR type bitmap rdf to look in
 * \param[in] type the type to check for
 * \return true when \c type is found and set, otherwise return false
 */
bool ldns_nsec_bitmap_covers_type(const ldns_rdf* bitmap, ldns_rr_type type);

/**
 * Checks if RR type \c type is enumerated in the type bitmap rdf and sets the bit.
 * The bitmap is modified in place; its window structure is not extended.
 * \param[in] bitmap the RR type bitmap rdf to look in
 * \param[in] type the type for which to set the bit
 * \return LDNS_STATUS_OK on success. LDNS_STATUS_TYPE_NOT_IN_BITMAP is
 * returned when the bitmap does not contain the bit to set.
 */
ldns_status ldns_nsec_bitmap_set_type(ldns_rdf* bitmap, ldns_rr_type type);

/**
 * Checks if RR type \c type is enumerated in the type bitmap rdf and clears the bit.
 * The bitmap is modified in place.
 * \param[in] bitmap the RR type bitmap rdf to look in
 * \param[in] type the type for which to clear the bit
 * \return LDNS_STATUS_OK on success. LDNS_STATUS_TYPE_NOT_IN_BITMAP is
 * returned when the bitmap does not contain the bit to clear.
 */
ldns_status ldns_nsec_bitmap_clear_type(ldns_rdf* bitmap, ldns_rr_type type);

/**
 * Checks coverage of NSEC(3) RR name span
 * Remember that nsec and name must both be in canonical form (ie use
 * \ref ldns_rr2canonical and \ref ldns_dname2canonical prior to calling this
 * function); otherwise the ordering comparison is not meaningful.
 *
 * \param[in] nsec The NSEC RR to check
 * \param[in] name The owner dname to check, if the nsec record is a NSEC3 record, this should be the hashed name
 * \return true if the NSEC RR covers the owner name
 */
bool ldns_nsec_covers_name(const ldns_rr *nsec, const ldns_rdf *name);

#if LDNS_BUILD_CONFIG_HAVE_SSL
/**
 * verify a packet
 *
 * Like ldns_pkt_verify_time() but without an explicit validation time;
 * presumably the current time is used for the RRSIG validity window --
 * confirm against the implementation.
 *
 * \param[in] p the packet
 * \param[in] t the rr set type to check
 * \param[in] o the rr set name to check
 * \param[in] k list of keys
 * \param[in] s list of sigs (may be null)
 * \param[out] good_keys keys which validated the packet
 * \return status
 *
 */
ldns_status ldns_pkt_verify(ldns_pkt *p, ldns_rr_type t, ldns_rdf *o, ldns_rr_list *k, ldns_rr_list *s, ldns_rr_list *good_keys);

/**
 * verify a packet
 *
 * \param[in] p the packet
 * \param[in] t the rr set type to check
 * \param[in] o the rr set name to check
 * \param[in] k list of keys
 * \param[in] s list of sigs (may be null)
 * \param[in] check_time the time for which the validation is performed
 *            (the RRSIG inception/expiration window is checked against it)
 * \param[out] good_keys keys which validated the packet
 * \return status
 *
 */
ldns_status ldns_pkt_verify_time(ldns_pkt *p, ldns_rr_type t, ldns_rdf *o, ldns_rr_list *k, ldns_rr_list *s, time_t check_time, ldns_rr_list *good_keys);

#endif

/**
 * chains nsec3 list
 *
 * Fills in the "next hashed owner" of each NSEC3 in the (sorted) list so
 * the chain closes; this is the finalize step ldns_create_nsec3() refers to.
 *
 * \param[in] nsec3_rrs The NSEC3 RRs to chain, modified in place
 * \return status
 */
ldns_status
ldns_dnssec_chain_nsec3_list(ldns_rr_list *nsec3_rrs);

/**
 * compare for nsec3 sort
 *
 * Comparison callback in the qsort(3) signature; the arguments are
 * presumably ldns_rr pointers (confirm in the implementation).
 */
int
qsort_rr_compare_nsec3(const void *a, const void *b);

/**
 * sort nsec3 list
 *
 * \param[in] unsorted The list to sort in place, by hashed owner name
 */
void
ldns_rr_list_sort_nsec3(ldns_rr_list *unsorted);

/**
 * Default callback function to always leave present signatures, and
 * add new ones
 * \param[in] sig The signature to check for removal (unused)
 * \param[in] n Optional argument (unused)
 * \return LDNS_SIGNATURE_LEAVE_ADD_NEW
 */
int ldns_dnssec_default_add_to_signatures(ldns_rr *sig, void *n);
/**
 * Default callback function to always leave present signatures, and
 * add no new ones for the keys of these signatures
 * \param[in] sig The signature to check for removal (unused)
 * \param[in] n Optional argument (unused)
 * \return LDNS_SIGNATURE_LEAVE_NO_ADD
 */
int
ldns_dnssec_default_leave_signatures(ldns_rr *sig, void *n);
/**
 * Default callback function to always remove present signatures, but
 * add no new ones
 * \param[in] sig The signature to check for removal (unused)
 * \param[in] n Optional argument (unused)
 * \return LDNS_SIGNATURE_REMOVE_NO_ADD
 */
int ldns_dnssec_default_delete_signatures(ldns_rr *sig, void *n);
/**
 * Default callback function to always remove present signatures, and
 * add new ones (i.e. replace them; the return value below is what the
 * signer acts on).
 * \param[in] sig The signature to check for removal (unused)
 * \param[in] n Optional argument (unused)
 * \return LDNS_SIGNATURE_REMOVE_ADD_NEW
 */
int ldns_dnssec_default_replace_signatures(ldns_rr *sig, void *n);

#if LDNS_BUILD_CONFIG_HAVE_SSL
/**
 * Converts the DSA signature from ASN1 representation (RFC2459, as
 * used by OpenSSL) to raw signature data as used in DNS (rfc2536)
 *
 * \param[in] sig The signature in RFC2459 format
 * \param[in] sig_len The length of the signature
 * \return a new rdf with the signature
 */
ldns_rdf *
ldns_convert_dsa_rrsig_asn12rdf(const ldns_buffer *sig,
                                const long sig_len);

/**
 * Converts the RRSIG signature RDF (in rfc2536 format) to a buffer
 * with the signature in rfc2459 format
 *
 * \param[out] target_buffer buffer to place the signature data
 * \param[in] sig_rdf The signature rdf to convert
 * \return LDNS_STATUS_OK on success, error code otherwise
 */
ldns_status
ldns_convert_dsa_rrsig_rdf2asn1(ldns_buffer *target_buffer,
                                const ldns_rdf *sig_rdf);

/**
 * Converts the ECDSA signature from ASN1 representation (as
 * used by OpenSSL) to raw signature data as used in DNS
 * This routine is only present if ldns is compiled with ecdsa support.
 *
 * \param[in] sig The signature in ASN1 format
 * \param[in] sig_len The length of the signature
 * \return a new rdf with the signature
 */
ldns_rdf *
ldns_convert_ecdsa_rrsig_asn12rdf(const ldns_buffer *sig, const long sig_len);

/**
 * Converts the RRSIG signature RDF (from DNS) to a buffer with the
 * signature in ASN1 format as openssl uses it.
 * This routine is only present if ldns is compiled with ecdsa support.
 *
 * \param[out] target_buffer buffer to place the signature data in ASN1.
 * \param[in] sig_rdf The signature rdf to convert
 * \return LDNS_STATUS_OK on success, error code otherwise
 */
ldns_status
ldns_convert_ecdsa_rrsig_rdf2asn1(ldns_buffer *target_buffer,
                                  const ldns_rdf *sig_rdf);

#endif /* LDNS_BUILD_CONFIG_HAVE_SSL */

#ifdef __cplusplus
}
#endif

#endif /* LDNS_DNSSEC_H */