dnssec_verify.h revision 246827
1/** dnssec_verify */ 2 3#ifndef LDNS_DNSSEC_VERIFY_H 4#define LDNS_DNSSEC_VERIFY_H 5 6#define LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS 10 7 8#include <ldns/dnssec.h> 9#include <ldns/host2str.h> 10 11#ifdef __cplusplus 12extern "C" { 13#endif 14 15/** 16 * Chain structure that contains all DNSSEC data needed to 17 * verify an rrset 18 */ 19typedef struct ldns_dnssec_data_chain_struct ldns_dnssec_data_chain; 20struct ldns_dnssec_data_chain_struct 21{ 22 ldns_rr_list *rrset; 23 ldns_rr_list *signatures; 24 ldns_rr_type parent_type; 25 ldns_dnssec_data_chain *parent; 26 ldns_pkt_rcode packet_rcode; 27 ldns_rr_type packet_qtype; 28 bool packet_nodata; 29}; 30 31/** 32 * Creates a new dnssec_chain structure 33 * \return ldns_dnssec_data_chain * 34 */ 35ldns_dnssec_data_chain *ldns_dnssec_data_chain_new(void); 36 37/** 38 * Frees a dnssec_data_chain structure 39 * 40 * \param[in] *chain The chain to free 41 */ 42void ldns_dnssec_data_chain_free(ldns_dnssec_data_chain *chain); 43 44/** 45 * Frees a dnssec_data_chain structure, and all data 46 * contained therein 47 * 48 * \param[in] *chain The dnssec_data_chain to free 49 */ 50void ldns_dnssec_data_chain_deep_free(ldns_dnssec_data_chain *chain); 51 52/** 53 * Prints the dnssec_data_chain to the given file stream 54 * 55 * \param[in] *out The file stream to print to 56 * \param[in] *chain The dnssec_data_chain to print 57 */ 58void ldns_dnssec_data_chain_print(FILE *out, const ldns_dnssec_data_chain *chain); 59 60/** 61 * Prints the dnssec_data_chain to the given file stream 62 * 63 * \param[in] *out The file stream to print to 64 * \param[in] *fmt The format of the textual representation 65 * \param[in] *chain The dnssec_data_chain to print 66 */ 67void ldns_dnssec_data_chain_print_fmt(FILE *out, 68 const ldns_output_format *fmt, 69 const ldns_dnssec_data_chain *chain); 70 71/** 72 * Build an ldns_dnssec_data_chain, which contains all 73 * DNSSEC data that is needed to derive the trust tree later 74 * 75 * The data_set will be cloned 76 * 77 * \param[in] *res resolver structure for further needed queries 78 * \param[in] qflags resolution flags 79 * \param[in] *data_set The original rrset where the chain ends 80 * \param[in] *pkt optional, can contain the original packet 81 * (and hence the sigs and maybe the key) 82 * \param[in] *orig_rr The original Resource Record 83 * 84 * \return the DNSSEC data chain 85 */ 86ldns_dnssec_data_chain *ldns_dnssec_build_data_chain(ldns_resolver *res, 87 const uint16_t qflags, 88 const ldns_rr_list *data_set, 89 const ldns_pkt *pkt, 90 ldns_rr *orig_rr); 91 92/** 93 * Tree structure that contains the relation of DNSSEC data, 94 * and their cryptographic status. 95 * 96 * This tree is derived from a data_chain, and can be used 97 * to look whether there is a connection between an RRSET 98 * and a trusted key. The tree only contains pointers to the 99 * data_chain, and therefore one should *never* free() the 100 * data_chain when there is still a trust tree derived from 101 * that chain. 102 * 103 * Example tree: 104 * key key key 105 * \ | / 106 * \ | / 107 * \ | / 108 * ds 109 * | 110 * key 111 * | 112 * key 113 * | 114 * rr 115 * 116 * For each signature there is a parent; if the parent 117 * pointer is null, it couldn't be found and there was no 118 * denial; otherwise is a tree which contains either a 119 * DNSKEY, a DS, or a NSEC rr 120 */ 121typedef struct ldns_dnssec_trust_tree_struct ldns_dnssec_trust_tree; 122struct ldns_dnssec_trust_tree_struct 123{ 124 ldns_rr *rr; 125 /* the complete rrset this rr was in */ 126 ldns_rr_list *rrset; 127 ldns_dnssec_trust_tree *parents[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS]; 128 ldns_status parent_status[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS]; 129 /** for debugging, add signatures too (you might want 130 those if they contain errors) */ 131 ldns_rr *parent_signature[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS]; 132 size_t parent_count; 133}; 134 135/** 136 * Creates a new (empty) dnssec_trust_tree structure 137 * 138 * \return ldns_dnssec_trust_tree * 139 */ 140ldns_dnssec_trust_tree *ldns_dnssec_trust_tree_new(void); 141 142/** 143 * Frees the dnssec_trust_tree recursively 144 * 145 * There is no deep free; all data in the trust tree 146 * consists of pointers to a data_chain 147 * 148 * \param[in] tree The tree to free 149 */ 150void ldns_dnssec_trust_tree_free(ldns_dnssec_trust_tree *tree); 151 152/** 153 * returns the depth of the trust tree 154 * 155 * \param[in] tree tree to calculate the depth of 156 * \return The depth of the tree 157 */ 158size_t ldns_dnssec_trust_tree_depth(ldns_dnssec_trust_tree *tree); 159 160/** 161 * Prints the dnssec_trust_tree structure to the given file 162 * stream. 163 * 164 * If a link status is not LDNS_STATUS_OK; the status and 165 * relevant signatures are printed too 166 * 167 * \param[in] *out The file stream to print to 168 * \param[in] tree The trust tree to print 169 * \param[in] tabs Prepend each line with tabs*2 spaces 170 * \param[in] extended If true, add little explanation lines to the output 171 */ 172void ldns_dnssec_trust_tree_print(FILE *out, 173 ldns_dnssec_trust_tree *tree, 174 size_t tabs, 175 bool extended); 176 177/** 178 * Prints the dnssec_trust_tree structure to the given file 179 * stream. 180 * 181 * If a link status is not LDNS_STATUS_OK; the status and 182 * relevant signatures are printed too 183 * 184 * \param[in] *out The file stream to print to 185 * \param[in] *fmt The format of the textual representation 186 * \param[in] tree The trust tree to print 187 * \param[in] tabs Prepend each line with tabs*2 spaces 188 * \param[in] extended If true, add little explanation lines to the output 189 */ 190void ldns_dnssec_trust_tree_print_fmt(FILE *out, 191 const ldns_output_format *fmt, 192 ldns_dnssec_trust_tree *tree, 193 size_t tabs, 194 bool extended); 195 196/** 197 * Adds a trust tree as a parent for the given trust tree 198 * 199 * \param[in] *tree The tree to add the parent to 200 * \param[in] *parent The parent tree to add 201 * \param[in] *parent_signature The RRSIG relevant to this parent/child 202 * connection 203 * \param[in] parent_status The DNSSEC status for this parent, child and RRSIG 204 * \return LDNS_STATUS_OK if the addition succeeds, error otherwise 205 */ 206ldns_status ldns_dnssec_trust_tree_add_parent(ldns_dnssec_trust_tree *tree, 207 const ldns_dnssec_trust_tree *parent, 208 const ldns_rr *parent_signature, 209 const ldns_status parent_status); 210 211/** 212 * Generates a dnssec_trust_tree for the given rr from the 213 * given data_chain 214 * 215 * This does not clone the actual data; Don't free the 216 * data_chain before you are done with this tree 217 * 218 * \param[in] *data_chain The chain to derive the trust tree from 219 * \param[in] *rr The RR this tree will be about 220 * \return ldns_dnssec_trust_tree * 221 */ 222ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree( 223 ldns_dnssec_data_chain *data_chain, 224 ldns_rr *rr); 225 226/** 227 * Generates a dnssec_trust_tree for the given rr from the 228 * given data_chain 229 * 230 * This does not clone the actual data; Don't free the 231 * data_chain before you are done with this tree 232 * 233 * \param[in] *data_chain The chain to derive the trust tree from 234 * \param[in] *rr The RR this tree will be about 235 * \param[in] check_time the time for which the validation is performed 236 * \return ldns_dnssec_trust_tree * 237 */ 238ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree_time( 239 ldns_dnssec_data_chain *data_chain, 240 ldns_rr *rr, time_t check_time); 241 242/** 243 * Sub function for derive_trust_tree that is used for a 'normal' rrset 244 * 245 * \param[in] new_tree The trust tree that we are building 246 * \param[in] data_chain The data chain containing the data for the trust tree 247 * \param[in] cur_sig_rr The currently relevant signature 248 */ 249void ldns_dnssec_derive_trust_tree_normal_rrset( 250 ldns_dnssec_trust_tree *new_tree, 251 ldns_dnssec_data_chain *data_chain, 252 ldns_rr *cur_sig_rr); 253 254/** 255 * Sub function for derive_trust_tree that is used for a 'normal' rrset 256 * 257 * \param[in] new_tree The trust tree that we are building 258 * \param[in] data_chain The data chain containing the data for the trust tree 259 * \param[in] cur_sig_rr The currently relevant signature 260 * \param[in] check_time the time for which the validation is performed 261 */ 262void ldns_dnssec_derive_trust_tree_normal_rrset_time( 263 ldns_dnssec_trust_tree *new_tree, 264 ldns_dnssec_data_chain *data_chain, 265 ldns_rr *cur_sig_rr, time_t check_time); 266 267 268/** 269 * Sub function for derive_trust_tree that is used for DNSKEY rrsets 270 * 271 * \param[in] new_tree The trust tree that we are building 272 * \param[in] data_chain The data chain containing the data for the trust tree 273 * \param[in] cur_rr The currently relevant DNSKEY RR 274 * \param[in] cur_sig_rr The currently relevant signature 275 */ 276void ldns_dnssec_derive_trust_tree_dnskey_rrset( 277 ldns_dnssec_trust_tree *new_tree, 278 ldns_dnssec_data_chain *data_chain, 279 ldns_rr *cur_rr, 280 ldns_rr *cur_sig_rr); 281 282/** 283 * Sub function for derive_trust_tree that is used for DNSKEY rrsets 284 * 285 * \param[in] new_tree The trust tree that we are building 286 * \param[in] data_chain The data chain containing the data for the trust tree 287 * \param[in] cur_rr The currently relevant DNSKEY RR 288 * \param[in] cur_sig_rr The currently relevant signature 289 * \param[in] check_time the time for which the validation is performed 290 */ 291void ldns_dnssec_derive_trust_tree_dnskey_rrset_time( 292 ldns_dnssec_trust_tree *new_tree, 293 ldns_dnssec_data_chain *data_chain, 294 ldns_rr *cur_rr, ldns_rr *cur_sig_rr, 295 time_t check_time); 296 297 298/** 299 * Sub function for derive_trust_tree that is used for DNSKEY rrsets 300 * 301 * \param[in] new_tree The trust tree that we are building 302 * \param[in] data_chain The data chain containing the data for the trust tree 303 * \param[in] cur_rr The currently relevant DNSKEY RR 304 * \param[in] cur_sig_rr The currently relevant signature 305 * \param[in] check_time the time for which the validation is performed 306 */ 307void ldns_dnssec_derive_trust_tree_dnskey_rrset_time( 308 ldns_dnssec_trust_tree *new_tree, 309 ldns_dnssec_data_chain *data_chain, 310 ldns_rr *cur_rr, ldns_rr *cur_sig_rr, 311 time_t check_time); 312 313 314/** 315 * Sub function for derive_trust_tree that is used for DS rrsets 316 * 317 * \param[in] new_tree The trust tree that we are building 318 * \param[in] data_chain The data chain containing the data for the trust tree 319 * \param[in] cur_rr The currently relevant DS RR 320 */ 321void ldns_dnssec_derive_trust_tree_ds_rrset( 322 ldns_dnssec_trust_tree *new_tree, 323 ldns_dnssec_data_chain *data_chain, 324 ldns_rr *cur_rr); 325 326/** 327 * Sub function for derive_trust_tree that is used for DS rrsets 328 * 329 * \param[in] new_tree The trust tree that we are building 330 * \param[in] data_chain The data chain containing the data for the trust tree 331 * \param[in] cur_rr The currently relevant DS RR 332 * \param[in] check_time the time for which the validation is performed 333 */ 334void ldns_dnssec_derive_trust_tree_ds_rrset_time( 335 ldns_dnssec_trust_tree *new_tree, 336 ldns_dnssec_data_chain *data_chain, 337 ldns_rr *cur_rr, time_t check_time); 338 339/** 340 * Sub function for derive_trust_tree that is used when there are no 341 * signatures 342 * 343 * \param[in] new_tree The trust tree that we are building 344 * \param[in] data_chain The data chain containing the data for the trust tree 345 */ 346void ldns_dnssec_derive_trust_tree_no_sig( 347 ldns_dnssec_trust_tree *new_tree, 348 ldns_dnssec_data_chain *data_chain); 349 350/** 351 * Sub function for derive_trust_tree that is used when there are no 352 * signatures 353 * 354 * \param[in] new_tree The trust tree that we are building 355 * \param[in] data_chain The data chain containing the data for the trust tree 356 * \param[in] check_time the time for which the validation is performed 357 */ 358void ldns_dnssec_derive_trust_tree_no_sig_time( 359 ldns_dnssec_trust_tree *new_tree, 360 ldns_dnssec_data_chain *data_chain, 361 time_t check_time); 362 363 364/** 365 * Returns OK if there is a trusted path in the tree to one of 366 * the DNSKEY or DS RRs in the given list 367 * 368 * \param *tree The trust tree so search 369 * \param *keys A ldns_rr_list of DNSKEY and DS rrs to look for 370 * \return LDNS_STATUS_OK if there is a trusted path to one of 371 * the keys, or the *first* error encountered 372 * if there were no paths 373 */ 374ldns_status ldns_dnssec_trust_tree_contains_keys( 375 ldns_dnssec_trust_tree *tree, 376 ldns_rr_list *keys); 377 378/** 379 * Verifies a list of signatures for one rrset. 380 * 381 * \param[in] rrset the rrset to verify 382 * \param[in] rrsig a list of signatures to check 383 * \param[in] keys a list of keys to check with 384 * \param[out] good_keys if this is a (initialized) list, the pointer to keys 385 * from keys that validate one of the signatures 386 * are added to it 387 * \return status LDNS_STATUS_OK if there is at least one correct key 388 */ 389ldns_status ldns_verify(ldns_rr_list *rrset, 390 ldns_rr_list *rrsig, 391 const ldns_rr_list *keys, 392 ldns_rr_list *good_keys); 393 394/** 395 * Verifies a list of signatures for one rrset. 396 * 397 * \param[in] rrset the rrset to verify 398 * \param[in] rrsig a list of signatures to check 399 * \param[in] keys a list of keys to check with 400 * \param[in] check_time the time for which the validation is performed 401 * \param[out] good_keys if this is a (initialized) list, the pointer to keys 402 * from keys that validate one of the signatures 403 * are added to it 404 * \return status LDNS_STATUS_OK if there is at least one correct key 405 */ 406ldns_status ldns_verify_time(ldns_rr_list *rrset, 407 ldns_rr_list *rrsig, 408 const ldns_rr_list *keys, 409 time_t check_time, 410 ldns_rr_list *good_keys); 411 412 413/** 414 * Verifies a list of signatures for one rrset, but disregard the time. 415 * Inception and Expiration are not checked. 416 * 417 * \param[in] rrset the rrset to verify 418 * \param[in] rrsig a list of signatures to check 419 * \param[in] keys a list of keys to check with 420 * \param[out] good_keys if this is a (initialized) list, the pointer to keys 421 * from keys that validate one of the signatures 422 * are added to it 423 * \return status LDNS_STATUS_OK if there is at least one correct key 424 */ 425ldns_status ldns_verify_notime(ldns_rr_list *rrset, 426 ldns_rr_list *rrsig, 427 const ldns_rr_list *keys, 428 ldns_rr_list *good_keys); 429 430/** 431 * Tries to build an authentication chain from the given 432 * keys down to the queried domain. 433 * 434 * If we find a valid trust path, return the valid keys for the domain. 435 * 436 * \param[in] res the current resolver 437 * \param[in] domain the domain we want valid keys for 438 * \param[in] keys the current set of trusted keys 439 * \param[out] status pointer to the status variable where the result 440 * code will be stored 441 * \return the set of trusted keys for the domain, or NULL if no 442 * trust path could be built. 443 */ 444ldns_rr_list *ldns_fetch_valid_domain_keys(const ldns_resolver * res, 445 const ldns_rdf * domain, 446 const ldns_rr_list * keys, 447 ldns_status *status); 448 449/** 450 * Tries to build an authentication chain from the given 451 * keys down to the queried domain. 452 * 453 * If we find a valid trust path, return the valid keys for the domain. 454 * 455 * \param[in] res the current resolver 456 * \param[in] domain the domain we want valid keys for 457 * \param[in] keys the current set of trusted keys 458 * \param[in] check_time the time for which the validation is performed 459 * \param[out] status pointer to the status variable where the result 460 * code will be stored 461 * \return the set of trusted keys for the domain, or NULL if no 462 * trust path could be built. 463 */ 464ldns_rr_list *ldns_fetch_valid_domain_keys_time(const ldns_resolver * res, 465 const ldns_rdf * domain, const ldns_rr_list * keys, 466 time_t check_time, ldns_status *status); 467 468 469/** 470 * Validates the DNSKEY RRset for the given domain using the provided 471 * trusted keys. 472 * 473 * \param[in] res the current resolver 474 * \param[in] domain the domain we want valid keys for 475 * \param[in] keys the current set of trusted keys 476 * \return the set of trusted keys for the domain, or NULL if the RRSET 477 * could not be validated 478 */ 479ldns_rr_list *ldns_validate_domain_dnskey (const ldns_resolver *res, 480 const ldns_rdf *domain, 481 const ldns_rr_list *keys); 482 483/** 484 * Validates the DNSKEY RRset for the given domain using the provided 485 * trusted keys. 486 * 487 * \param[in] res the current resolver 488 * \param[in] domain the domain we want valid keys for 489 * \param[in] keys the current set of trusted keys 490 * \param[in] check_time the time for which the validation is performed 491 * \return the set of trusted keys for the domain, or NULL if the RRSET 492 * could not be validated 493 */ 494ldns_rr_list *ldns_validate_domain_dnskey_time( 495 const ldns_resolver *res, const ldns_rdf *domain, 496 const ldns_rr_list *keys, time_t check_time); 497 498 499/** 500 * Validates the DS RRset for the given domain using the provided trusted keys. 501 * 502 * \param[in] res the current resolver 503 * \param[in] domain the domain we want valid keys for 504 * \param[in] keys the current set of trusted keys 505 * \return the set of trusted keys for the domain, or NULL if the RRSET could not be validated 506 */ 507ldns_rr_list *ldns_validate_domain_ds(const ldns_resolver *res, 508 const ldns_rdf * 509 domain, 510 const ldns_rr_list * keys); 511 512/** 513 * Validates the DS RRset for the given domain using the provided trusted keys. 514 * 515 * \param[in] res the current resolver 516 * \param[in] domain the domain we want valid keys for 517 * \param[in] keys the current set of trusted keys 518 * \param[in] check_time the time for which the validation is performed 519 * \return the set of trusted keys for the domain, or NULL if the RRSET could not be validated 520 */ 521ldns_rr_list *ldns_validate_domain_ds_time( 522 const ldns_resolver *res, const ldns_rdf *domain, 523 const ldns_rr_list * keys, time_t check_time); 524 525 526/** 527 * Verifies a list of signatures for one RRset using a valid trust path. 528 * 529 * \param[in] res the current resolver 530 * \param[in] rrset the rrset to verify 531 * \param[in] rrsigs a list of signatures to check 532 * \param[out] validating_keys if this is a (initialized) list, the 533 * keys from keys that validate one of 534 * the signatures are added to it 535 * \return status LDNS_STATUS_OK if there is at least one correct key 536 */ 537ldns_status ldns_verify_trusted(ldns_resolver *res, 538 ldns_rr_list *rrset, 539 ldns_rr_list *rrsigs, 540 ldns_rr_list *validating_keys); 541 542/** 543 * Verifies a list of signatures for one RRset using a valid trust path. 544 * 545 * \param[in] res the current resolver 546 * \param[in] rrset the rrset to verify 547 * \param[in] rrsigs a list of signatures to check 548 * \param[in] check_time the time for which the validation is performed 549 * \param[out] validating_keys if this is a (initialized) list, the 550 * keys from keys that validate one of 551 * the signatures are added to it 552 * \return status LDNS_STATUS_OK if there is at least one correct key 553 */ 554ldns_status ldns_verify_trusted_time( 555 ldns_resolver *res, ldns_rr_list *rrset, 556 ldns_rr_list *rrsigs, time_t check_time, 557 ldns_rr_list *validating_keys); 558 559 560/** 561 * denial is not just a river in egypt 562 * 563 * \param[in] rr The (query) RR to check the denial of existence for 564 * \param[in] nsecs The list of NSEC RRs that are supposed to deny the 565 * existence of the RR 566 * \param[in] rrsigs The RRSIG RR covering the NSEC RRs 567 * \return LDNS_STATUS_OK if the NSEC RRs deny the existence, error code 568 * containing the reason they do not otherwise 569 */ 570ldns_status ldns_dnssec_verify_denial(ldns_rr *rr, 571 ldns_rr_list *nsecs, 572 ldns_rr_list *rrsigs); 573 574/** 575 * Denial of existence using NSEC3 records 576 * Since NSEC3 is a bit more complicated than normal denial, some 577 * context arguments are needed 578 * 579 * \param[in] rr The (query) RR to check the denial of existence for 580 * \param[in] nsecs The list of NSEC3 RRs that are supposed to deny the 581 * existence of the RR 582 * \param[in] rrsigs The RRSIG rr covering the NSEC RRs 583 * \param[in] packet_rcode The RCODE value of the packet that provided the 584 * NSEC3 RRs 585 * \param[in] packet_qtype The original query RR type 586 * \param[in] packet_nodata True if the providing packet had an empty ANSWER 587 * section 588 * \return LDNS_STATUS_OK if the NSEC3 RRs deny the existence, error code 589 * containing the reason they do not otherwise 590 */ 591ldns_status ldns_dnssec_verify_denial_nsec3(ldns_rr *rr, 592 ldns_rr_list *nsecs, 593 ldns_rr_list *rrsigs, 594 ldns_pkt_rcode packet_rcode, 595 ldns_rr_type packet_qtype, 596 bool packet_nodata); 597 598/** 599 * Same as ldns_status ldns_dnssec_verify_denial_nsec3 but also returns 600 * the nsec rr that matched. 601 * 602 * \param[in] rr The (query) RR to check the denial of existence for 603 * \param[in] nsecs The list of NSEC3 RRs that are supposed to deny the 604 * existence of the RR 605 * \param[in] rrsigs The RRSIG rr covering the NSEC RRs 606 * \param[in] packet_rcode The RCODE value of the packet that provided the 607 * NSEC3 RRs 608 * \param[in] packet_qtype The original query RR type 609 * \param[in] packet_nodata True if the providing packet had an empty ANSWER 610 * section 611 * \param[in] match On match, the given (reference to a) pointer will be set 612 * to point to the matching nsec resource record. 613 * \return LDNS_STATUS_OK if the NSEC3 RRs deny the existence, error code 614 * containing the reason they do not otherwise 615 */ 616ldns_status ldns_dnssec_verify_denial_nsec3_match(ldns_rr *rr, 617 ldns_rr_list *nsecs, 618 ldns_rr_list *rrsigs, 619 ldns_pkt_rcode packet_rcode, 620 ldns_rr_type packet_qtype, 621 bool packet_nodata, 622 ldns_rr **match); 623/** 624 * Verifies the already processed data in the buffers 625 * This function should probably not be used directly. 626 * 627 * \param[in] rawsig_buf Buffer containing signature data to use 628 * \param[in] verify_buf Buffer containing data to verify 629 * \param[in] key_buf Buffer containing key data to use 630 * \param[in] algo Signing algorithm 631 * \return status LDNS_STATUS_OK if the data verifies. Error if not. 632 */ 633ldns_status ldns_verify_rrsig_buffers(ldns_buffer *rawsig_buf, 634 ldns_buffer *verify_buf, 635 ldns_buffer *key_buf, 636 uint8_t algo); 637 638/** 639 * Like ldns_verify_rrsig_buffers, but uses raw data. 640 * 641 * \param[in] sig signature data to use 642 * \param[in] siglen length of signature data to use 643 * \param[in] verify_buf Buffer containing data to verify 644 * \param[in] key key data to use 645 * \param[in] keylen length of key data to use 646 * \param[in] algo Signing algorithm 647 * \return status LDNS_STATUS_OK if the data verifies. Error if not. 648 */ 649ldns_status ldns_verify_rrsig_buffers_raw(unsigned char* sig, 650 size_t siglen, 651 ldns_buffer *verify_buf, 652 unsigned char* key, 653 size_t keylen, 654 uint8_t algo); 655 656/** 657 * Verifies an rrsig. All keys in the keyset are tried. 658 * \param[in] rrset the rrset to check 659 * \param[in] rrsig the signature of the rrset 660 * \param[in] keys the keys to try 661 * \param[out] good_keys if this is a (initialized) list, the pointer to keys 662 * from keys that validate one of the signatures 663 * are added to it 664 * \return a list of keys which validate the rrsig + rrset. Returns 665 * status LDNS_STATUS_OK if at least one key matched. Else an error. 666 */ 667ldns_status ldns_verify_rrsig_keylist(ldns_rr_list *rrset, 668 ldns_rr *rrsig, 669 const ldns_rr_list *keys, 670 ldns_rr_list *good_keys); 671 672/** 673 * Verifies an rrsig. All keys in the keyset are tried. 674 * \param[in] rrset the rrset to check 675 * \param[in] rrsig the signature of the rrset 676 * \param[in] keys the keys to try 677 * \param[in] check_time the time for which the validation is performed 678 * \param[out] good_keys if this is a (initialized) list, the pointer to keys 679 * from keys that validate one of the signatures 680 * are added to it 681 * \return a list of keys which validate the rrsig + rrset. Returns 682 * status LDNS_STATUS_OK if at least one key matched. Else an error. 683 */ 684ldns_status ldns_verify_rrsig_keylist_time( 685 ldns_rr_list *rrset, ldns_rr *rrsig, 686 const ldns_rr_list *keys, time_t check_time, 687 ldns_rr_list *good_keys); 688 689 690/** 691 * Verifies an rrsig. All keys in the keyset are tried. Time is not checked. 692 * \param[in] rrset the rrset to check 693 * \param[in] rrsig the signature of the rrset 694 * \param[in] keys the keys to try 695 * \param[out] good_keys if this is a (initialized) list, the pointer to keys 696 * from keys that validate one of the signatures 697 * are added to it 698 * \return a list of keys which validate the rrsig + rrset. Returns 699 * status LDNS_STATUS_OK if at least one key matched. Else an error. 700 */ 701ldns_status ldns_verify_rrsig_keylist_notime(ldns_rr_list *rrset, 702 ldns_rr *rrsig, 703 const ldns_rr_list *keys, 704 ldns_rr_list *good_keys); 705 706/** 707 * verify an rrsig with 1 key 708 * \param[in] rrset the rrset 709 * \param[in] rrsig the rrsig to verify 710 * \param[in] key the key to use 711 * \return status message wether verification succeeded. 712 */ 713ldns_status ldns_verify_rrsig(ldns_rr_list *rrset, 714 ldns_rr *rrsig, 715 ldns_rr *key); 716 717 718/** 719 * verify an rrsig with 1 key 720 * \param[in] rrset the rrset 721 * \param[in] rrsig the rrsig to verify 722 * \param[in] key the key to use 723 * \param[in] check_time the time for which the validation is performed 724 * \return status message wether verification succeeded. 725 */ 726ldns_status ldns_verify_rrsig_time( 727 ldns_rr_list *rrset, ldns_rr *rrsig, 728 ldns_rr *key, time_t check_time); 729 730 731#if LDNS_BUILD_CONFIG_HAVE_SSL 732/** 733 * verifies a buffer with signature data for a buffer with rrset data 734 * with an EVP_PKEY 735 * 736 * \param[in] sig the signature data 737 * \param[in] rrset the rrset data, sorted and processed for verification 738 * \param[in] key the EVP key structure 739 * \param[in] digest_type The digest type of the signature 740 */ 741ldns_status ldns_verify_rrsig_evp(ldns_buffer *sig, 742 ldns_buffer *rrset, 743 EVP_PKEY *key, 744 const EVP_MD *digest_type); 745 746/** 747 * Like ldns_verify_rrsig_evp, but uses raw signature data. 748 * \param[in] sig the signature data, wireformat uncompressed 749 * \param[in] siglen length of the signature data 750 * \param[in] rrset the rrset data, sorted and processed for verification 751 * \param[in] key the EVP key structure 752 * \param[in] digest_type The digest type of the signature 753 */ 754ldns_status ldns_verify_rrsig_evp_raw(unsigned char *sig, 755 size_t siglen, 756 ldns_buffer *rrset, 757 EVP_PKEY *key, 758 const EVP_MD *digest_type); 759#endif 760 761/** 762 * verifies a buffer with signature data (DSA) for a buffer with rrset data 763 * with a buffer with key data. 764 * 765 * \param[in] sig the signature data 766 * \param[in] rrset the rrset data, sorted and processed for verification 767 * \param[in] key the key data 768 */ 769ldns_status ldns_verify_rrsig_dsa(ldns_buffer *sig, 770 ldns_buffer *rrset, 771 ldns_buffer *key); 772 773/** 774 * verifies a buffer with signature data (RSASHA1) for a buffer with rrset data 775 * with a buffer with key data. 776 * 777 * \param[in] sig the signature data 778 * \param[in] rrset the rrset data, sorted and processed for verification 779 * \param[in] key the key data 780 */ 781ldns_status ldns_verify_rrsig_rsasha1(ldns_buffer *sig, 782 ldns_buffer *rrset, 783 ldns_buffer *key); 784 785/** 786 * verifies a buffer with signature data (RSAMD5) for a buffer with rrset data 787 * with a buffer with key data. 788 * 789 * \param[in] sig the signature data 790 * \param[in] rrset the rrset data, sorted and processed for verification 791 * \param[in] key the key data 792 */ 793ldns_status ldns_verify_rrsig_rsamd5(ldns_buffer *sig, 794 ldns_buffer *rrset, 795 ldns_buffer *key); 796 797/** 798 * Like ldns_verify_rrsig_dsa, but uses raw signature and key data. 799 * \param[in] sig raw uncompressed wireformat signature data 800 * \param[in] siglen length of signature data 801 * \param[in] rrset ldns buffer with prepared rrset data. 802 * \param[in] key raw uncompressed wireformat key data 803 * \param[in] keylen length of key data 804 */ 805ldns_status ldns_verify_rrsig_dsa_raw(unsigned char* sig, 806 size_t siglen, 807 ldns_buffer* rrset, 808 unsigned char* key, 809 size_t keylen); 810 811/** 812 * Like ldns_verify_rrsig_rsasha1, but uses raw signature and key data. 813 * \param[in] sig raw uncompressed wireformat signature data 814 * \param[in] siglen length of signature data 815 * \param[in] rrset ldns buffer with prepared rrset data. 816 * \param[in] key raw uncompressed wireformat key data 817 * \param[in] keylen length of key data 818 */ 819ldns_status ldns_verify_rrsig_rsasha1_raw(unsigned char* sig, 820 size_t siglen, 821 ldns_buffer* rrset, 822 unsigned char* key, 823 size_t keylen); 824 825/** 826 * Like ldns_verify_rrsig_rsasha256, but uses raw signature and key data. 827 * \param[in] sig raw uncompressed wireformat signature data 828 * \param[in] siglen length of signature data 829 * \param[in] rrset ldns buffer with prepared rrset data. 830 * \param[in] key raw uncompressed wireformat key data 831 * \param[in] keylen length of key data 832 */ 833 834ldns_status ldns_verify_rrsig_rsasha256_raw(unsigned char* sig, 835 size_t siglen, 836 ldns_buffer* rrset, 837 unsigned char* key, 838 size_t keylen); 839 840/** 841 * Like ldns_verify_rrsig_rsasha512, but uses raw signature and key data. 842 * \param[in] sig raw uncompressed wireformat signature data 843 * \param[in] siglen length of signature data 844 * \param[in] rrset ldns buffer with prepared rrset data. 845 * \param[in] key raw uncompressed wireformat key data 846 * \param[in] keylen length of key data 847 */ 848ldns_status ldns_verify_rrsig_rsasha512_raw(unsigned char* sig, 849 size_t siglen, 850 ldns_buffer* rrset, 851 unsigned char* key, 852 size_t keylen); 853 854/** 855 * Like ldns_verify_rrsig_rsamd5, but uses raw signature and key data. 856 * \param[in] sig raw uncompressed wireformat signature data 857 * \param[in] siglen length of signature data 858 * \param[in] rrset ldns buffer with prepared rrset data. 859 * \param[in] key raw uncompressed wireformat key data 860 * \param[in] keylen length of key data 861 */ 862ldns_status ldns_verify_rrsig_rsamd5_raw(unsigned char* sig, 863 size_t siglen, 864 ldns_buffer* rrset, 865 unsigned char* key, 866 size_t keylen); 867 868#ifdef __cplusplus 869} 870#endif 871 872#endif 873 874