1238104Sdes/** dnssec_verify */ 2238104Sdes 3238104Sdes#ifndef LDNS_DNSSEC_VERIFY_H 4238104Sdes#define LDNS_DNSSEC_VERIFY_H 5238104Sdes 6238104Sdes#define LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS 10 7238104Sdes 8238104Sdes#include <ldns/dnssec.h> 9238104Sdes#include <ldns/host2str.h> 10238104Sdes 11238104Sdes#ifdef __cplusplus 12238104Sdesextern "C" { 13238104Sdes#endif 14238104Sdes 15238104Sdes/** 16238104Sdes * Chain structure that contains all DNSSEC data needed to 17238104Sdes * verify an rrset 18238104Sdes */ 19238104Sdestypedef struct ldns_dnssec_data_chain_struct ldns_dnssec_data_chain; 20238104Sdesstruct ldns_dnssec_data_chain_struct 21238104Sdes{ 22238104Sdes ldns_rr_list *rrset; 23238104Sdes ldns_rr_list *signatures; 24238104Sdes ldns_rr_type parent_type; 25238104Sdes ldns_dnssec_data_chain *parent; 26238104Sdes ldns_pkt_rcode packet_rcode; 27238104Sdes ldns_rr_type packet_qtype; 28238104Sdes bool packet_nodata; 29238104Sdes}; 30238104Sdes 31238104Sdes/** 32238104Sdes * Creates a new dnssec_chain structure 33238104Sdes * \return ldns_dnssec_data_chain * 34238104Sdes */ 35246827Sdesldns_dnssec_data_chain *ldns_dnssec_data_chain_new(void); 36238104Sdes 37238104Sdes/** 38238104Sdes * Frees a dnssec_data_chain structure 39238104Sdes * 40238104Sdes * \param[in] *chain The chain to free 41238104Sdes */ 42238104Sdesvoid ldns_dnssec_data_chain_free(ldns_dnssec_data_chain *chain); 43238104Sdes 44238104Sdes/** 45238104Sdes * Frees a dnssec_data_chain structure, and all data 46238104Sdes * contained therein 47238104Sdes * 48238104Sdes * \param[in] *chain The dnssec_data_chain to free 49238104Sdes */ 50238104Sdesvoid ldns_dnssec_data_chain_deep_free(ldns_dnssec_data_chain *chain); 51238104Sdes 52238104Sdes/** 53238104Sdes * Prints the dnssec_data_chain to the given file stream 54238104Sdes * 55238104Sdes * \param[in] *out The file stream to print to 56238104Sdes * \param[in] *chain The dnssec_data_chain to print 57238104Sdes */ 58238104Sdesvoid ldns_dnssec_data_chain_print(FILE *out, const ldns_dnssec_data_chain *chain); 59238104Sdes 60238104Sdes/** 61238104Sdes * Prints the dnssec_data_chain to the given file stream 62238104Sdes * 63238104Sdes * \param[in] *out The file stream to print to 64238104Sdes * \param[in] *fmt The format of the textual representation 65238104Sdes * \param[in] *chain The dnssec_data_chain to print 66238104Sdes */ 67238104Sdesvoid ldns_dnssec_data_chain_print_fmt(FILE *out, 68238104Sdes const ldns_output_format *fmt, 69238104Sdes const ldns_dnssec_data_chain *chain); 70238104Sdes 71238104Sdes/** 72238104Sdes * Build an ldns_dnssec_data_chain, which contains all 73238104Sdes * DNSSEC data that is needed to derive the trust tree later 74238104Sdes * 75238104Sdes * The data_set will be cloned 76238104Sdes * 77238104Sdes * \param[in] *res resolver structure for further needed queries 78238104Sdes * \param[in] qflags resolution flags 79238104Sdes * \param[in] *data_set The original rrset where the chain ends 80238104Sdes * \param[in] *pkt optional, can contain the original packet 81238104Sdes * (and hence the sigs and maybe the key) 82238104Sdes * \param[in] *orig_rr The original Resource Record 83238104Sdes * 84238104Sdes * \return the DNSSEC data chain 85238104Sdes */ 86238104Sdesldns_dnssec_data_chain *ldns_dnssec_build_data_chain(ldns_resolver *res, 87238104Sdes const uint16_t qflags, 88238104Sdes const ldns_rr_list *data_set, 89238104Sdes const ldns_pkt *pkt, 90238104Sdes ldns_rr *orig_rr); 91238104Sdes 92238104Sdes/** 93238104Sdes * Tree structure that contains the relation of DNSSEC data, 94238104Sdes * and their cryptographic status. 95238104Sdes * 96238104Sdes * This tree is derived from a data_chain, and can be used 97238104Sdes * to look whether there is a connection between an RRSET 98238104Sdes * and a trusted key. The tree only contains pointers to the 99238104Sdes * data_chain, and therefore one should *never* free() the 100238104Sdes * data_chain when there is still a trust tree derived from 101238104Sdes * that chain. 102238104Sdes * 103238104Sdes * Example tree: 104238104Sdes * key key key 105238104Sdes * \ | / 106238104Sdes * \ | / 107238104Sdes * \ | / 108238104Sdes * ds 109238104Sdes * | 110238104Sdes * key 111238104Sdes * | 112238104Sdes * key 113238104Sdes * | 114238104Sdes * rr 115238104Sdes * 116238104Sdes * For each signature there is a parent; if the parent 117238104Sdes * pointer is null, it couldn't be found and there was no 118238104Sdes * denial; otherwise is a tree which contains either a 119238104Sdes * DNSKEY, a DS, or a NSEC rr 120238104Sdes */ 121238104Sdestypedef struct ldns_dnssec_trust_tree_struct ldns_dnssec_trust_tree; 122238104Sdesstruct ldns_dnssec_trust_tree_struct 123238104Sdes{ 124238104Sdes ldns_rr *rr; 125238104Sdes /* the complete rrset this rr was in */ 126238104Sdes ldns_rr_list *rrset; 127238104Sdes ldns_dnssec_trust_tree *parents[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS]; 128238104Sdes ldns_status parent_status[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS]; 129238104Sdes /** for debugging, add signatures too (you might want 130238104Sdes those if they contain errors) */ 131238104Sdes ldns_rr *parent_signature[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS]; 132238104Sdes size_t parent_count; 133238104Sdes}; 134238104Sdes 135238104Sdes/** 136238104Sdes * Creates a new (empty) dnssec_trust_tree structure 137238104Sdes * 138238104Sdes * \return ldns_dnssec_trust_tree * 139238104Sdes */ 140246827Sdesldns_dnssec_trust_tree *ldns_dnssec_trust_tree_new(void); 141238104Sdes 142238104Sdes/** 143238104Sdes * Frees the dnssec_trust_tree recursively 144238104Sdes * 145238104Sdes * There is no deep free; all data in the trust tree 146238104Sdes * consists of pointers to a data_chain 147238104Sdes * 148238104Sdes * \param[in] tree The tree to free 149238104Sdes */ 150238104Sdesvoid ldns_dnssec_trust_tree_free(ldns_dnssec_trust_tree *tree); 151238104Sdes 152238104Sdes/** 153238104Sdes * returns the depth of the trust tree 154238104Sdes * 155238104Sdes * \param[in] tree tree to calculate the depth of 156238104Sdes * \return The depth of the tree 157238104Sdes */ 158238104Sdessize_t ldns_dnssec_trust_tree_depth(ldns_dnssec_trust_tree *tree); 159238104Sdes 160238104Sdes/** 161238104Sdes * Prints the dnssec_trust_tree structure to the given file 162238104Sdes * stream. 163238104Sdes * 164238104Sdes * If a link status is not LDNS_STATUS_OK; the status and 165238104Sdes * relevant signatures are printed too 166238104Sdes * 167238104Sdes * \param[in] *out The file stream to print to 168238104Sdes * \param[in] tree The trust tree to print 169238104Sdes * \param[in] tabs Prepend each line with tabs*2 spaces 170238104Sdes * \param[in] extended If true, add little explanation lines to the output 171238104Sdes */ 172238104Sdesvoid ldns_dnssec_trust_tree_print(FILE *out, 173238104Sdes ldns_dnssec_trust_tree *tree, 174238104Sdes size_t tabs, 175238104Sdes bool extended); 176238104Sdes 177238104Sdes/** 178238104Sdes * Prints the dnssec_trust_tree structure to the given file 179238104Sdes * stream. 180238104Sdes * 181238104Sdes * If a link status is not LDNS_STATUS_OK; the status and 182238104Sdes * relevant signatures are printed too 183238104Sdes * 184238104Sdes * \param[in] *out The file stream to print to 185238104Sdes * \param[in] *fmt The format of the textual representation 186238104Sdes * \param[in] tree The trust tree to print 187238104Sdes * \param[in] tabs Prepend each line with tabs*2 spaces 188238104Sdes * \param[in] extended If true, add little explanation lines to the output 189238104Sdes */ 190238104Sdesvoid ldns_dnssec_trust_tree_print_fmt(FILE *out, 191238104Sdes const ldns_output_format *fmt, 192238104Sdes ldns_dnssec_trust_tree *tree, 193238104Sdes size_t tabs, 194238104Sdes bool extended); 195238104Sdes 196238104Sdes/** 197238104Sdes * Adds a trust tree as a parent for the given trust tree 198238104Sdes * 199238104Sdes * \param[in] *tree The tree to add the parent to 200238104Sdes * \param[in] *parent The parent tree to add 201238104Sdes * \param[in] *parent_signature The RRSIG relevant to this parent/child 202238104Sdes * connection 203238104Sdes * \param[in] parent_status The DNSSEC status for this parent, child and RRSIG 204238104Sdes * \return LDNS_STATUS_OK if the addition succeeds, error otherwise 205238104Sdes */ 206238104Sdesldns_status ldns_dnssec_trust_tree_add_parent(ldns_dnssec_trust_tree *tree, 207238104Sdes const ldns_dnssec_trust_tree *parent, 208238104Sdes const ldns_rr *parent_signature, 209238104Sdes const ldns_status parent_status); 210238104Sdes 211238104Sdes/** 212238104Sdes * Generates a dnssec_trust_tree for the given rr from the 213238104Sdes * given data_chain 214238104Sdes * 215238104Sdes * This does not clone the actual data; Don't free the 216238104Sdes * data_chain before you are done with this tree 217238104Sdes * 218238104Sdes * \param[in] *data_chain The chain to derive the trust tree from 219238104Sdes * \param[in] *rr The RR this tree will be about 220238104Sdes * \return ldns_dnssec_trust_tree * 221238104Sdes */ 222238104Sdesldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree( 223238104Sdes ldns_dnssec_data_chain *data_chain, 224238104Sdes ldns_rr *rr); 225238104Sdes 226238104Sdes/** 227238104Sdes * Generates a dnssec_trust_tree for the given rr from the 228238104Sdes * given data_chain 229238104Sdes * 230238104Sdes * This does not clone the actual data; Don't free the 231238104Sdes * data_chain before you are done with this tree 232238104Sdes * 233238104Sdes * \param[in] *data_chain The chain to derive the trust tree from 234238104Sdes * \param[in] *rr The RR this tree will be about 235238104Sdes * \param[in] check_time the time for which the validation is performed 236238104Sdes * \return ldns_dnssec_trust_tree * 237238104Sdes */ 238238104Sdesldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree_time( 239238104Sdes ldns_dnssec_data_chain *data_chain, 240238104Sdes ldns_rr *rr, time_t check_time); 241238104Sdes 242238104Sdes/** 243238104Sdes * Sub function for derive_trust_tree that is used for a 'normal' rrset 244238104Sdes * 245238104Sdes * \param[in] new_tree The trust tree that we are building 246238104Sdes * \param[in] data_chain The data chain containing the data for the trust tree 247238104Sdes * \param[in] cur_sig_rr The currently relevant signature 248238104Sdes */ 249238104Sdesvoid ldns_dnssec_derive_trust_tree_normal_rrset( 250238104Sdes ldns_dnssec_trust_tree *new_tree, 251238104Sdes ldns_dnssec_data_chain *data_chain, 252238104Sdes ldns_rr *cur_sig_rr); 253238104Sdes 254238104Sdes/** 255238104Sdes * Sub function for derive_trust_tree that is used for a 'normal' rrset 256238104Sdes * 257238104Sdes * \param[in] new_tree The trust tree that we are building 258238104Sdes * \param[in] data_chain The data chain containing the data for the trust tree 259238104Sdes * \param[in] cur_sig_rr The currently relevant signature 260238104Sdes * \param[in] check_time the time for which the validation is performed 261238104Sdes */ 262238104Sdesvoid ldns_dnssec_derive_trust_tree_normal_rrset_time( 263238104Sdes ldns_dnssec_trust_tree *new_tree, 264238104Sdes ldns_dnssec_data_chain *data_chain, 265238104Sdes ldns_rr *cur_sig_rr, time_t check_time); 266238104Sdes 267238104Sdes 268238104Sdes/** 269238104Sdes * Sub function for derive_trust_tree that is used for DNSKEY rrsets 270238104Sdes * 271238104Sdes * \param[in] new_tree The trust tree that we are building 272238104Sdes * \param[in] data_chain The data chain containing the data for the trust tree 273238104Sdes * \param[in] cur_rr The currently relevant DNSKEY RR 274238104Sdes * \param[in] cur_sig_rr The currently relevant signature 275238104Sdes */ 276238104Sdesvoid ldns_dnssec_derive_trust_tree_dnskey_rrset( 277238104Sdes ldns_dnssec_trust_tree *new_tree, 278238104Sdes ldns_dnssec_data_chain *data_chain, 279238104Sdes ldns_rr *cur_rr, 280238104Sdes ldns_rr *cur_sig_rr); 281238104Sdes 282238104Sdes/** 283238104Sdes * Sub function for derive_trust_tree that is used for DNSKEY rrsets 284238104Sdes * 285238104Sdes * \param[in] new_tree The trust tree that we are building 286238104Sdes * \param[in] data_chain The data chain containing the data for the trust tree 287238104Sdes * \param[in] cur_rr The currently relevant DNSKEY RR 288238104Sdes * \param[in] cur_sig_rr The currently relevant signature 289238104Sdes * \param[in] check_time the time for which the validation is performed 290238104Sdes */ 291238104Sdesvoid ldns_dnssec_derive_trust_tree_dnskey_rrset_time( 292238104Sdes ldns_dnssec_trust_tree *new_tree, 293238104Sdes ldns_dnssec_data_chain *data_chain, 294238104Sdes ldns_rr *cur_rr, ldns_rr *cur_sig_rr, 295238104Sdes time_t check_time); 296238104Sdes 297238104Sdes/** 298238104Sdes * Sub function for derive_trust_tree that is used for DS rrsets 299238104Sdes * 300238104Sdes * \param[in] new_tree The trust tree that we are building 301238104Sdes * \param[in] data_chain The data chain containing the data for the trust tree 302238104Sdes * \param[in] cur_rr The currently relevant DS RR 303238104Sdes */ 304238104Sdesvoid ldns_dnssec_derive_trust_tree_ds_rrset( 305238104Sdes ldns_dnssec_trust_tree *new_tree, 306238104Sdes ldns_dnssec_data_chain *data_chain, 307238104Sdes ldns_rr *cur_rr); 308238104Sdes 309238104Sdes/** 310238104Sdes * Sub function for derive_trust_tree that is used for DS rrsets 311238104Sdes * 312238104Sdes * \param[in] new_tree The trust tree that we are building 313238104Sdes * \param[in] data_chain The data chain containing the data for the trust tree 314238104Sdes * \param[in] cur_rr The currently relevant DS RR 315238104Sdes * \param[in] check_time the time for which the validation is performed 316238104Sdes */ 317238104Sdesvoid ldns_dnssec_derive_trust_tree_ds_rrset_time( 318238104Sdes ldns_dnssec_trust_tree *new_tree, 319238104Sdes ldns_dnssec_data_chain *data_chain, 320238104Sdes ldns_rr *cur_rr, time_t check_time); 321238104Sdes 322238104Sdes/** 323238104Sdes * Sub function for derive_trust_tree that is used when there are no 324238104Sdes * signatures 325238104Sdes * 326238104Sdes * \param[in] new_tree The trust tree that we are building 327238104Sdes * \param[in] data_chain The data chain containing the data for the trust tree 328238104Sdes */ 329238104Sdesvoid ldns_dnssec_derive_trust_tree_no_sig( 330238104Sdes ldns_dnssec_trust_tree *new_tree, 331238104Sdes ldns_dnssec_data_chain *data_chain); 332238104Sdes 333238104Sdes/** 334238104Sdes * Sub function for derive_trust_tree that is used when there are no 335238104Sdes * signatures 336238104Sdes * 337238104Sdes * \param[in] new_tree The trust tree that we are building 338238104Sdes * \param[in] data_chain The data chain containing the data for the trust tree 339238104Sdes * \param[in] check_time the time for which the validation is performed 340238104Sdes */ 341238104Sdesvoid ldns_dnssec_derive_trust_tree_no_sig_time( 342238104Sdes ldns_dnssec_trust_tree *new_tree, 343238104Sdes ldns_dnssec_data_chain *data_chain, 344238104Sdes time_t check_time); 345238104Sdes 346238104Sdes 347238104Sdes/** 348238104Sdes * Returns OK if there is a trusted path in the tree to one of 349238104Sdes * the DNSKEY or DS RRs in the given list 350238104Sdes * 351238104Sdes * \param *tree The trust tree so search 352238104Sdes * \param *keys A ldns_rr_list of DNSKEY and DS rrs to look for 353246854Sdes * 354238104Sdes * \return LDNS_STATUS_OK if there is a trusted path to one of 355238104Sdes * the keys, or the *first* error encountered 356238104Sdes * if there were no paths 357238104Sdes */ 358238104Sdesldns_status ldns_dnssec_trust_tree_contains_keys( 359238104Sdes ldns_dnssec_trust_tree *tree, 360238104Sdes ldns_rr_list *keys); 361238104Sdes 362238104Sdes/** 363238104Sdes * Verifies a list of signatures for one rrset. 364238104Sdes * 365238104Sdes * \param[in] rrset the rrset to verify 366238104Sdes * \param[in] rrsig a list of signatures to check 367238104Sdes * \param[in] keys a list of keys to check with 368238104Sdes * \param[out] good_keys if this is a (initialized) list, the pointer to keys 369238104Sdes * from keys that validate one of the signatures 370238104Sdes * are added to it 371238104Sdes * \return status LDNS_STATUS_OK if there is at least one correct key 372238104Sdes */ 373238104Sdesldns_status ldns_verify(ldns_rr_list *rrset, 374238104Sdes ldns_rr_list *rrsig, 375238104Sdes const ldns_rr_list *keys, 376238104Sdes ldns_rr_list *good_keys); 377238104Sdes 378238104Sdes/** 379238104Sdes * Verifies a list of signatures for one rrset. 380238104Sdes * 381238104Sdes * \param[in] rrset the rrset to verify 382238104Sdes * \param[in] rrsig a list of signatures to check 383238104Sdes * \param[in] keys a list of keys to check with 384238104Sdes * \param[in] check_time the time for which the validation is performed 385238104Sdes * \param[out] good_keys if this is a (initialized) list, the pointer to keys 386238104Sdes * from keys that validate one of the signatures 387238104Sdes * are added to it 388238104Sdes * \return status LDNS_STATUS_OK if there is at least one correct key 389238104Sdes */ 390238104Sdesldns_status ldns_verify_time(ldns_rr_list *rrset, 391238104Sdes ldns_rr_list *rrsig, 392238104Sdes const ldns_rr_list *keys, 393238104Sdes time_t check_time, 394238104Sdes ldns_rr_list *good_keys); 395238104Sdes 396238104Sdes 397238104Sdes/** 398238104Sdes * Verifies a list of signatures for one rrset, but disregard the time. 399238104Sdes * Inception and Expiration are not checked. 400238104Sdes * 401238104Sdes * \param[in] rrset the rrset to verify 402238104Sdes * \param[in] rrsig a list of signatures to check 403238104Sdes * \param[in] keys a list of keys to check with 404238104Sdes * \param[out] good_keys if this is a (initialized) list, the pointer to keys 405238104Sdes * from keys that validate one of the signatures 406238104Sdes * are added to it 407238104Sdes * \return status LDNS_STATUS_OK if there is at least one correct key 408238104Sdes */ 409238104Sdesldns_status ldns_verify_notime(ldns_rr_list *rrset, 410238104Sdes ldns_rr_list *rrsig, 411238104Sdes const ldns_rr_list *keys, 412238104Sdes ldns_rr_list *good_keys); 413238104Sdes 414238104Sdes/** 415238104Sdes * Tries to build an authentication chain from the given 416238104Sdes * keys down to the queried domain. 417238104Sdes * 418238104Sdes * If we find a valid trust path, return the valid keys for the domain. 419238104Sdes * 420238104Sdes * \param[in] res the current resolver 421238104Sdes * \param[in] domain the domain we want valid keys for 422238104Sdes * \param[in] keys the current set of trusted keys 423238104Sdes * \param[out] status pointer to the status variable where the result 424238104Sdes * code will be stored 425238104Sdes * \return the set of trusted keys for the domain, or NULL if no 426238104Sdes * trust path could be built. 427238104Sdes */ 428238104Sdesldns_rr_list *ldns_fetch_valid_domain_keys(const ldns_resolver * res, 429238104Sdes const ldns_rdf * domain, 430238104Sdes const ldns_rr_list * keys, 431238104Sdes ldns_status *status); 432238104Sdes 433238104Sdes/** 434238104Sdes * Tries to build an authentication chain from the given 435238104Sdes * keys down to the queried domain. 436238104Sdes * 437238104Sdes * If we find a valid trust path, return the valid keys for the domain. 438238104Sdes * 439238104Sdes * \param[in] res the current resolver 440238104Sdes * \param[in] domain the domain we want valid keys for 441238104Sdes * \param[in] keys the current set of trusted keys 442238104Sdes * \param[in] check_time the time for which the validation is performed 443238104Sdes * \param[out] status pointer to the status variable where the result 444238104Sdes * code will be stored 445238104Sdes * \return the set of trusted keys for the domain, or NULL if no 446238104Sdes * trust path could be built. 447238104Sdes */ 448238104Sdesldns_rr_list *ldns_fetch_valid_domain_keys_time(const ldns_resolver * res, 449238104Sdes const ldns_rdf * domain, const ldns_rr_list * keys, 450238104Sdes time_t check_time, ldns_status *status); 451238104Sdes 452238104Sdes 453238104Sdes/** 454238104Sdes * Validates the DNSKEY RRset for the given domain using the provided 455238104Sdes * trusted keys. 456238104Sdes * 457238104Sdes * \param[in] res the current resolver 458238104Sdes * \param[in] domain the domain we want valid keys for 459238104Sdes * \param[in] keys the current set of trusted keys 460238104Sdes * \return the set of trusted keys for the domain, or NULL if the RRSET 461238104Sdes * could not be validated 462238104Sdes */ 463238104Sdesldns_rr_list *ldns_validate_domain_dnskey (const ldns_resolver *res, 464238104Sdes const ldns_rdf *domain, 465238104Sdes const ldns_rr_list *keys); 466238104Sdes 467238104Sdes/** 468238104Sdes * Validates the DNSKEY RRset for the given domain using the provided 469238104Sdes * trusted keys. 470238104Sdes * 471238104Sdes * \param[in] res the current resolver 472238104Sdes * \param[in] domain the domain we want valid keys for 473238104Sdes * \param[in] keys the current set of trusted keys 474238104Sdes * \param[in] check_time the time for which the validation is performed 475238104Sdes * \return the set of trusted keys for the domain, or NULL if the RRSET 476238104Sdes * could not be validated 477238104Sdes */ 478238104Sdesldns_rr_list *ldns_validate_domain_dnskey_time( 479238104Sdes const ldns_resolver *res, const ldns_rdf *domain, 480238104Sdes const ldns_rr_list *keys, time_t check_time); 481238104Sdes 482238104Sdes 483238104Sdes/** 484238104Sdes * Validates the DS RRset for the given domain using the provided trusted keys. 485238104Sdes * 486238104Sdes * \param[in] res the current resolver 487238104Sdes * \param[in] domain the domain we want valid keys for 488238104Sdes * \param[in] keys the current set of trusted keys 489238104Sdes * \return the set of trusted keys for the domain, or NULL if the RRSET could not be validated 490238104Sdes */ 491238104Sdesldns_rr_list *ldns_validate_domain_ds(const ldns_resolver *res, 492238104Sdes const ldns_rdf * 493238104Sdes domain, 494238104Sdes const ldns_rr_list * keys); 495238104Sdes 496238104Sdes/** 497238104Sdes * Validates the DS RRset for the given domain using the provided trusted keys. 498238104Sdes * 499238104Sdes * \param[in] res the current resolver 500238104Sdes * \param[in] domain the domain we want valid keys for 501238104Sdes * \param[in] keys the current set of trusted keys 502238104Sdes * \param[in] check_time the time for which the validation is performed 503238104Sdes * \return the set of trusted keys for the domain, or NULL if the RRSET could not be validated 504238104Sdes */ 505238104Sdesldns_rr_list *ldns_validate_domain_ds_time( 506238104Sdes const ldns_resolver *res, const ldns_rdf *domain, 507238104Sdes const ldns_rr_list * keys, time_t check_time); 508238104Sdes 509238104Sdes 510238104Sdes/** 511238104Sdes * Verifies a list of signatures for one RRset using a valid trust path. 512238104Sdes * 513238104Sdes * \param[in] res the current resolver 514238104Sdes * \param[in] rrset the rrset to verify 515238104Sdes * \param[in] rrsigs a list of signatures to check 516238104Sdes * \param[out] validating_keys if this is a (initialized) list, the 517238104Sdes * keys from keys that validate one of 518238104Sdes * the signatures are added to it 519238104Sdes * \return status LDNS_STATUS_OK if there is at least one correct key 520238104Sdes */ 521238104Sdesldns_status ldns_verify_trusted(ldns_resolver *res, 522238104Sdes ldns_rr_list *rrset, 523238104Sdes ldns_rr_list *rrsigs, 524238104Sdes ldns_rr_list *validating_keys); 525238104Sdes 526238104Sdes/** 527238104Sdes * Verifies a list of signatures for one RRset using a valid trust path. 528238104Sdes * 529238104Sdes * \param[in] res the current resolver 530238104Sdes * \param[in] rrset the rrset to verify 531238104Sdes * \param[in] rrsigs a list of signatures to check 532238104Sdes * \param[in] check_time the time for which the validation is performed 533238104Sdes * \param[out] validating_keys if this is a (initialized) list, the 534238104Sdes * keys from keys that validate one of 535238104Sdes * the signatures are added to it 536238104Sdes * \return status LDNS_STATUS_OK if there is at least one correct key 537238104Sdes */ 538238104Sdesldns_status ldns_verify_trusted_time( 539238104Sdes ldns_resolver *res, ldns_rr_list *rrset, 540238104Sdes ldns_rr_list *rrsigs, time_t check_time, 541238104Sdes ldns_rr_list *validating_keys); 542238104Sdes 543238104Sdes 544238104Sdes/** 545238104Sdes * denial is not just a river in egypt 546238104Sdes * 547238104Sdes * \param[in] rr The (query) RR to check the denial of existence for 548238104Sdes * \param[in] nsecs The list of NSEC RRs that are supposed to deny the 549238104Sdes * existence of the RR 550238104Sdes * \param[in] rrsigs The RRSIG RR covering the NSEC RRs 551238104Sdes * \return LDNS_STATUS_OK if the NSEC RRs deny the existence, error code 552238104Sdes * containing the reason they do not otherwise 553238104Sdes */ 554238104Sdesldns_status ldns_dnssec_verify_denial(ldns_rr *rr, 555238104Sdes ldns_rr_list *nsecs, 556238104Sdes ldns_rr_list *rrsigs); 557238104Sdes 558238104Sdes/** 559238104Sdes * Denial of existence using NSEC3 records 560238104Sdes * Since NSEC3 is a bit more complicated than normal denial, some 561238104Sdes * context arguments are needed 562238104Sdes * 563238104Sdes * \param[in] rr The (query) RR to check the denial of existence for 564238104Sdes * \param[in] nsecs The list of NSEC3 RRs that are supposed to deny the 565238104Sdes * existence of the RR 566238104Sdes * \param[in] rrsigs The RRSIG rr covering the NSEC RRs 567238104Sdes * \param[in] packet_rcode The RCODE value of the packet that provided the 568238104Sdes * NSEC3 RRs 569238104Sdes * \param[in] packet_qtype The original query RR type 570238104Sdes * \param[in] packet_nodata True if the providing packet had an empty ANSWER 571238104Sdes * section 572238104Sdes * \return LDNS_STATUS_OK if the NSEC3 RRs deny the existence, error code 573238104Sdes * containing the reason they do not otherwise 574238104Sdes */ 575238104Sdesldns_status ldns_dnssec_verify_denial_nsec3(ldns_rr *rr, 576238104Sdes ldns_rr_list *nsecs, 577238104Sdes ldns_rr_list *rrsigs, 578238104Sdes ldns_pkt_rcode packet_rcode, 579238104Sdes ldns_rr_type packet_qtype, 580238104Sdes bool packet_nodata); 581238104Sdes 582238104Sdes/** 583238104Sdes * Same as ldns_status ldns_dnssec_verify_denial_nsec3 but also returns 584238104Sdes * the nsec rr that matched. 585238104Sdes * 586238104Sdes * \param[in] rr The (query) RR to check the denial of existence for 587238104Sdes * \param[in] nsecs The list of NSEC3 RRs that are supposed to deny the 588238104Sdes * existence of the RR 589238104Sdes * \param[in] rrsigs The RRSIG rr covering the NSEC RRs 590238104Sdes * \param[in] packet_rcode The RCODE value of the packet that provided the 591238104Sdes * NSEC3 RRs 592238104Sdes * \param[in] packet_qtype The original query RR type 593238104Sdes * \param[in] packet_nodata True if the providing packet had an empty ANSWER 594238104Sdes * section 595238104Sdes * \param[in] match On match, the given (reference to a) pointer will be set 596238104Sdes * to point to the matching nsec resource record. 597238104Sdes * \return LDNS_STATUS_OK if the NSEC3 RRs deny the existence, error code 598238104Sdes * containing the reason they do not otherwise 599238104Sdes */ 600238104Sdesldns_status ldns_dnssec_verify_denial_nsec3_match(ldns_rr *rr, 601238104Sdes ldns_rr_list *nsecs, 602238104Sdes ldns_rr_list *rrsigs, 603238104Sdes ldns_pkt_rcode packet_rcode, 604238104Sdes ldns_rr_type packet_qtype, 605238104Sdes bool packet_nodata, 606238104Sdes ldns_rr **match); 607238104Sdes/** 608238104Sdes * Verifies the already processed data in the buffers 609238104Sdes * This function should probably not be used directly. 610238104Sdes * 611238104Sdes * \param[in] rawsig_buf Buffer containing signature data to use 612238104Sdes * \param[in] verify_buf Buffer containing data to verify 613238104Sdes * \param[in] key_buf Buffer containing key data to use 614238104Sdes * \param[in] algo Signing algorithm 615238104Sdes * \return status LDNS_STATUS_OK if the data verifies. Error if not. 616238104Sdes */ 617238104Sdesldns_status ldns_verify_rrsig_buffers(ldns_buffer *rawsig_buf, 618238104Sdes ldns_buffer *verify_buf, 619238104Sdes ldns_buffer *key_buf, 620238104Sdes uint8_t algo); 621238104Sdes 622238104Sdes/** 623238104Sdes * Like ldns_verify_rrsig_buffers, but uses raw data. 624238104Sdes * 625238104Sdes * \param[in] sig signature data to use 626238104Sdes * \param[in] siglen length of signature data to use 627238104Sdes * \param[in] verify_buf Buffer containing data to verify 628238104Sdes * \param[in] key key data to use 629238104Sdes * \param[in] keylen length of key data to use 630238104Sdes * \param[in] algo Signing algorithm 631238104Sdes * \return status LDNS_STATUS_OK if the data verifies. Error if not. 632238104Sdes */ 633238104Sdesldns_status ldns_verify_rrsig_buffers_raw(unsigned char* sig, 634238104Sdes size_t siglen, 635238104Sdes ldns_buffer *verify_buf, 636238104Sdes unsigned char* key, 637238104Sdes size_t keylen, 638238104Sdes uint8_t algo); 639238104Sdes 640238104Sdes/** 641238104Sdes * Verifies an rrsig. All keys in the keyset are tried. 642238104Sdes * \param[in] rrset the rrset to check 643238104Sdes * \param[in] rrsig the signature of the rrset 644238104Sdes * \param[in] keys the keys to try 645238104Sdes * \param[out] good_keys if this is a (initialized) list, the pointer to keys 646238104Sdes * from keys that validate one of the signatures 647238104Sdes * are added to it 648238104Sdes * \return a list of keys which validate the rrsig + rrset. Returns 649238104Sdes * status LDNS_STATUS_OK if at least one key matched. Else an error. 650238104Sdes */ 651238104Sdesldns_status ldns_verify_rrsig_keylist(ldns_rr_list *rrset, 652238104Sdes ldns_rr *rrsig, 653238104Sdes const ldns_rr_list *keys, 654238104Sdes ldns_rr_list *good_keys); 655238104Sdes 656238104Sdes/** 657238104Sdes * Verifies an rrsig. All keys in the keyset are tried. 658238104Sdes * \param[in] rrset the rrset to check 659238104Sdes * \param[in] rrsig the signature of the rrset 660238104Sdes * \param[in] keys the keys to try 661238104Sdes * \param[in] check_time the time for which the validation is performed 662238104Sdes * \param[out] good_keys if this is a (initialized) list, the pointer to keys 663238104Sdes * from keys that validate one of the signatures 664238104Sdes * are added to it 665238104Sdes * \return a list of keys which validate the rrsig + rrset. Returns 666238104Sdes * status LDNS_STATUS_OK if at least one key matched. Else an error. 667238104Sdes */ 668238104Sdesldns_status ldns_verify_rrsig_keylist_time( 669238104Sdes ldns_rr_list *rrset, ldns_rr *rrsig, 670238104Sdes const ldns_rr_list *keys, time_t check_time, 671238104Sdes ldns_rr_list *good_keys); 672238104Sdes 673238104Sdes 674238104Sdes/** 675238104Sdes * Verifies an rrsig. All keys in the keyset are tried. Time is not checked. 676238104Sdes * \param[in] rrset the rrset to check 677238104Sdes * \param[in] rrsig the signature of the rrset 678238104Sdes * \param[in] keys the keys to try 679238104Sdes * \param[out] good_keys if this is a (initialized) list, the pointer to keys 680238104Sdes * from keys that validate one of the signatures 681238104Sdes * are added to it 682238104Sdes * \return a list of keys which validate the rrsig + rrset. Returns 683238104Sdes * status LDNS_STATUS_OK if at least one key matched. Else an error. 684238104Sdes */ 685238104Sdesldns_status ldns_verify_rrsig_keylist_notime(ldns_rr_list *rrset, 686238104Sdes ldns_rr *rrsig, 687238104Sdes const ldns_rr_list *keys, 688238104Sdes ldns_rr_list *good_keys); 689238104Sdes 690238104Sdes/** 691238104Sdes * verify an rrsig with 1 key 692238104Sdes * \param[in] rrset the rrset 693238104Sdes * \param[in] rrsig the rrsig to verify 694238104Sdes * \param[in] key the key to use 695238104Sdes * \return status message wether verification succeeded. 696238104Sdes */ 697238104Sdesldns_status ldns_verify_rrsig(ldns_rr_list *rrset, 698238104Sdes ldns_rr *rrsig, 699238104Sdes ldns_rr *key); 700238104Sdes 701238104Sdes 702238104Sdes/** 703238104Sdes * verify an rrsig with 1 key 704238104Sdes * \param[in] rrset the rrset 705238104Sdes * \param[in] rrsig the rrsig to verify 706238104Sdes * \param[in] key the key to use 707238104Sdes * \param[in] check_time the time for which the validation is performed 708238104Sdes * \return status message wether verification succeeded. 709238104Sdes */ 710238104Sdesldns_status ldns_verify_rrsig_time( 711238104Sdes ldns_rr_list *rrset, ldns_rr *rrsig, 712238104Sdes ldns_rr *key, time_t check_time); 713238104Sdes 714238104Sdes 715238104Sdes#if LDNS_BUILD_CONFIG_HAVE_SSL 716238104Sdes/** 717238104Sdes * verifies a buffer with signature data for a buffer with rrset data 718238104Sdes * with an EVP_PKEY 719238104Sdes * 720238104Sdes * \param[in] sig the signature data 721238104Sdes * \param[in] rrset the rrset data, sorted and processed for verification 722238104Sdes * \param[in] key the EVP key structure 723238104Sdes * \param[in] digest_type The digest type of the signature 724238104Sdes */ 725238104Sdesldns_status ldns_verify_rrsig_evp(ldns_buffer *sig, 726238104Sdes ldns_buffer *rrset, 727238104Sdes EVP_PKEY *key, 728238104Sdes const EVP_MD *digest_type); 729238104Sdes 730238104Sdes/** 731238104Sdes * Like ldns_verify_rrsig_evp, but uses raw signature data. 732238104Sdes * \param[in] sig the signature data, wireformat uncompressed 733238104Sdes * \param[in] siglen length of the signature data 734238104Sdes * \param[in] rrset the rrset data, sorted and processed for verification 735238104Sdes * \param[in] key the EVP key structure 736238104Sdes * \param[in] digest_type The digest type of the signature 737238104Sdes */ 738238104Sdesldns_status ldns_verify_rrsig_evp_raw(unsigned char *sig, 739238104Sdes size_t siglen, 740238104Sdes ldns_buffer *rrset, 741238104Sdes EVP_PKEY *key, 742238104Sdes const EVP_MD *digest_type); 743238104Sdes#endif 744238104Sdes 745238104Sdes/** 746238104Sdes * verifies a buffer with signature data (DSA) for a buffer with rrset data 747238104Sdes * with a buffer with key data. 748238104Sdes * 749238104Sdes * \param[in] sig the signature data 750238104Sdes * \param[in] rrset the rrset data, sorted and processed for verification 751238104Sdes * \param[in] key the key data 752238104Sdes */ 753238104Sdesldns_status ldns_verify_rrsig_dsa(ldns_buffer *sig, 754238104Sdes ldns_buffer *rrset, 755238104Sdes ldns_buffer *key); 756238104Sdes 757238104Sdes/** 758238104Sdes * verifies a buffer with signature data (RSASHA1) for a buffer with rrset data 759238104Sdes * with a buffer with key data. 760238104Sdes * 761238104Sdes * \param[in] sig the signature data 762238104Sdes * \param[in] rrset the rrset data, sorted and processed for verification 763238104Sdes * \param[in] key the key data 764238104Sdes */ 765238104Sdesldns_status ldns_verify_rrsig_rsasha1(ldns_buffer *sig, 766238104Sdes ldns_buffer *rrset, 767238104Sdes ldns_buffer *key); 768238104Sdes 769238104Sdes/** 770238104Sdes * verifies a buffer with signature data (RSAMD5) for a buffer with rrset data 771238104Sdes * with a buffer with key data. 772238104Sdes * 773238104Sdes * \param[in] sig the signature data 774238104Sdes * \param[in] rrset the rrset data, sorted and processed for verification 775238104Sdes * \param[in] key the key data 776238104Sdes */ 777238104Sdesldns_status ldns_verify_rrsig_rsamd5(ldns_buffer *sig, 778238104Sdes ldns_buffer *rrset, 779238104Sdes ldns_buffer *key); 780238104Sdes 781238104Sdes/** 782238104Sdes * Like ldns_verify_rrsig_dsa, but uses raw signature and key data. 783238104Sdes * \param[in] sig raw uncompressed wireformat signature data 784238104Sdes * \param[in] siglen length of signature data 785238104Sdes * \param[in] rrset ldns buffer with prepared rrset data. 786238104Sdes * \param[in] key raw uncompressed wireformat key data 787238104Sdes * \param[in] keylen length of key data 788238104Sdes */ 789238104Sdesldns_status ldns_verify_rrsig_dsa_raw(unsigned char* sig, 790238104Sdes size_t siglen, 791238104Sdes ldns_buffer* rrset, 792238104Sdes unsigned char* key, 793238104Sdes size_t keylen); 794238104Sdes 795238104Sdes/** 796238104Sdes * Like ldns_verify_rrsig_rsasha1, but uses raw signature and key data. 797238104Sdes * \param[in] sig raw uncompressed wireformat signature data 798238104Sdes * \param[in] siglen length of signature data 799238104Sdes * \param[in] rrset ldns buffer with prepared rrset data. 800238104Sdes * \param[in] key raw uncompressed wireformat key data 801238104Sdes * \param[in] keylen length of key data 802238104Sdes */ 803238104Sdesldns_status ldns_verify_rrsig_rsasha1_raw(unsigned char* sig, 804238104Sdes size_t siglen, 805238104Sdes ldns_buffer* rrset, 806238104Sdes unsigned char* key, 807238104Sdes size_t keylen); 808238104Sdes 809238104Sdes/** 810238104Sdes * Like ldns_verify_rrsig_rsasha256, but uses raw signature and key data. 811238104Sdes * \param[in] sig raw uncompressed wireformat signature data 812238104Sdes * \param[in] siglen length of signature data 813238104Sdes * \param[in] rrset ldns buffer with prepared rrset data. 814238104Sdes * \param[in] key raw uncompressed wireformat key data 815238104Sdes * \param[in] keylen length of key data 816238104Sdes */ 817238104Sdes 818238104Sdesldns_status ldns_verify_rrsig_rsasha256_raw(unsigned char* sig, 819238104Sdes size_t siglen, 820238104Sdes ldns_buffer* rrset, 821238104Sdes unsigned char* key, 822238104Sdes size_t keylen); 823238104Sdes 824238104Sdes/** 825238104Sdes * Like ldns_verify_rrsig_rsasha512, but uses raw signature and key data. 826238104Sdes * \param[in] sig raw uncompressed wireformat signature data 827238104Sdes * \param[in] siglen length of signature data 828238104Sdes * \param[in] rrset ldns buffer with prepared rrset data. 829238104Sdes * \param[in] key raw uncompressed wireformat key data 830238104Sdes * \param[in] keylen length of key data 831238104Sdes */ 832238104Sdesldns_status ldns_verify_rrsig_rsasha512_raw(unsigned char* sig, 833238104Sdes size_t siglen, 834238104Sdes ldns_buffer* rrset, 835238104Sdes unsigned char* key, 836238104Sdes size_t keylen); 837238104Sdes 838238104Sdes/** 839238104Sdes * Like ldns_verify_rrsig_rsamd5, but uses raw signature and key data. 840238104Sdes * \param[in] sig raw uncompressed wireformat signature data 841238104Sdes * \param[in] siglen length of signature data 842238104Sdes * \param[in] rrset ldns buffer with prepared rrset data. 843238104Sdes * \param[in] key raw uncompressed wireformat key data 844238104Sdes * \param[in] keylen length of key data 845238104Sdes */ 846238104Sdesldns_status ldns_verify_rrsig_rsamd5_raw(unsigned char* sig, 847238104Sdes size_t siglen, 848238104Sdes ldns_buffer* rrset, 849238104Sdes unsigned char* key, 850238104Sdes size_t keylen); 851238104Sdes 852238104Sdes#ifdef __cplusplus 853238104Sdes} 854238104Sdes#endif 855238104Sdes 856238104Sdes#endif 857238104Sdes 858