dnssec_verify.h revision 246827 
1/** dnssec_verify */
2
3#ifndef LDNS_DNSSEC_VERIFY_H
4#define LDNS_DNSSEC_VERIFY_H
5
6#define LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS 10
7
8#include <ldns/dnssec.h>
9#include <ldns/host2str.h>
10
11#ifdef __cplusplus
12extern "C" {
13#endif
14
15/**
16 * Chain structure that contains all DNSSEC data needed to
17 * verify an rrset
18 */
19typedef struct ldns_dnssec_data_chain_struct ldns_dnssec_data_chain;
20struct ldns_dnssec_data_chain_struct
21{
22	ldns_rr_list *rrset;
23	ldns_rr_list *signatures;
24	ldns_rr_type parent_type;
25	ldns_dnssec_data_chain *parent;
26	ldns_pkt_rcode packet_rcode;
27	ldns_rr_type packet_qtype;
28	bool packet_nodata;
29};
30
31/**
32 * Creates a new dnssec_chain structure
33 * \return ldns_dnssec_data_chain *
34 */
35ldns_dnssec_data_chain *ldns_dnssec_data_chain_new(void);
36
37/**
38 * Frees a dnssec_data_chain structure
39 *
40 * \param[in] *chain The chain to free
41 */
42void ldns_dnssec_data_chain_free(ldns_dnssec_data_chain *chain);
43
44/**
45 * Frees a dnssec_data_chain structure, and all data
46 * contained therein
47 *
48 * \param[in] *chain The dnssec_data_chain to free
49 */
50void ldns_dnssec_data_chain_deep_free(ldns_dnssec_data_chain *chain);
51
52/**
53 * Prints the dnssec_data_chain to the given file stream
54 *
55 * \param[in] *out The file stream to print to
56 * \param[in] *chain The dnssec_data_chain to print
57 */
58void ldns_dnssec_data_chain_print(FILE *out, const ldns_dnssec_data_chain *chain);
59
60/**
61 * Prints the dnssec_data_chain to the given file stream
62 *
63 * \param[in] *out The file stream to print to
64 * \param[in] *fmt The format of the textual representation
65 * \param[in] *chain The dnssec_data_chain to print
66 */
67void ldns_dnssec_data_chain_print_fmt(FILE *out,
68		const ldns_output_format *fmt,
69		const ldns_dnssec_data_chain *chain);
70
71/**
72 * Build an ldns_dnssec_data_chain, which contains all
73 * DNSSEC data that is needed to derive the trust tree later
74 *
75 * The data_set will be cloned
76 *
77 * \param[in] *res resolver structure for further needed queries
78 * \param[in] qflags resolution flags
79 * \param[in] *data_set The original rrset where the chain ends
80 * \param[in] *pkt optional, can contain the original packet
81 * (and hence the sigs and maybe the key)
82 * \param[in] *orig_rr The original Resource Record
83 *
84 * \return the DNSSEC data chain
85 */
86ldns_dnssec_data_chain *ldns_dnssec_build_data_chain(ldns_resolver *res,
87										   const uint16_t qflags,
88										   const ldns_rr_list *data_set,
89										   const ldns_pkt *pkt,
90										   ldns_rr *orig_rr);
91
92/**
93 * Tree structure that contains the relation of DNSSEC data,
94 * and their cryptographic status.
95 *
96 * This tree is derived from a data_chain, and can be used
97 * to look whether there is a connection between an RRSET
98 * and a trusted key. The tree only contains pointers to the
99 * data_chain, and therefore one should *never* free() the
100 * data_chain when there is still a trust tree derived from
101 * that chain.
102 *
103 * Example tree:
104 *     key   key    key
105 *       \    |    /
106 *        \   |   /
107 *         \  |  /
108 *            ds
109 *            |
110 *           key
111 *            |
112 *           key
113 *            |
114 *            rr
115 *
116 * For each signature there is a parent; if the parent
117 * pointer is null, it couldn't be found and there was no
118 * denial; otherwise is a tree which contains either a
119 * DNSKEY, a DS, or a NSEC rr
120 */
121typedef struct ldns_dnssec_trust_tree_struct ldns_dnssec_trust_tree;
122struct ldns_dnssec_trust_tree_struct
123{
124	ldns_rr *rr;
125	/* the complete rrset this rr was in */
126	ldns_rr_list *rrset;
127	ldns_dnssec_trust_tree *parents[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS];
128	ldns_status parent_status[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS];
129	/** for debugging, add signatures too (you might want
130	    those if they contain errors) */
131	ldns_rr *parent_signature[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS];
132	size_t parent_count;
133};
134
135/**
136 * Creates a new (empty) dnssec_trust_tree structure
137 *
138 * \return ldns_dnssec_trust_tree *
139 */
140ldns_dnssec_trust_tree *ldns_dnssec_trust_tree_new(void);
141
142/**
143 * Frees the dnssec_trust_tree recursively
144 *
145 * There is no deep free; all data in the trust tree
146 * consists of pointers to a data_chain
147 *
148 * \param[in] tree The tree to free
149 */
150void ldns_dnssec_trust_tree_free(ldns_dnssec_trust_tree *tree);
151
152/**
153 * returns the depth of the trust tree
154 *
155 * \param[in] tree tree to calculate the depth of
156 * \return The depth of the tree
157 */
158size_t ldns_dnssec_trust_tree_depth(ldns_dnssec_trust_tree *tree);
159
160/**
161 * Prints the dnssec_trust_tree structure to the given file
162 * stream.
163 *
164 * If a link status is not LDNS_STATUS_OK; the status and
165 * relevant signatures are printed too
166 *
167 * \param[in] *out The file stream to print to
168 * \param[in] tree The trust tree to print
169 * \param[in] tabs Prepend each line with tabs*2 spaces
170 * \param[in] extended If true, add little explanation lines to the output
171 */
172void ldns_dnssec_trust_tree_print(FILE *out,
173	       	ldns_dnssec_trust_tree *tree,
174		size_t tabs,
175		bool extended);
176
177/**
178 * Prints the dnssec_trust_tree structure to the given file
179 * stream.
180 *
181 * If a link status is not LDNS_STATUS_OK; the status and
182 * relevant signatures are printed too
183 *
184 * \param[in] *out The file stream to print to
185 * \param[in] *fmt The format of the textual representation
186 * \param[in] tree The trust tree to print
187 * \param[in] tabs Prepend each line with tabs*2 spaces
188 * \param[in] extended If true, add little explanation lines to the output
189 */
190void ldns_dnssec_trust_tree_print_fmt(FILE *out,
191		const ldns_output_format *fmt,
192	       	ldns_dnssec_trust_tree *tree,
193		size_t tabs,
194		bool extended);
195
196/**
197 * Adds a trust tree as a parent for the given trust tree
198 *
199 * \param[in] *tree The tree to add the parent to
200 * \param[in] *parent The parent tree to add
201 * \param[in] *parent_signature The RRSIG relevant to this parent/child
202 *                              connection
203 * \param[in] parent_status The DNSSEC status for this parent, child and RRSIG
204 * \return LDNS_STATUS_OK if the addition succeeds, error otherwise
205 */
206ldns_status ldns_dnssec_trust_tree_add_parent(ldns_dnssec_trust_tree *tree,
207									 const ldns_dnssec_trust_tree *parent,
208									 const ldns_rr *parent_signature,
209									 const ldns_status parent_status);
210
211/**
212 * Generates a dnssec_trust_tree for the given rr from the
213 * given data_chain
214 *
215 * This does not clone the actual data; Don't free the
216 * data_chain before you are done with this tree
217 *
218 * \param[in] *data_chain The chain to derive the trust tree from
219 * \param[in] *rr The RR this tree will be about
220 * \return ldns_dnssec_trust_tree *
221 */
222ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree(
223                            ldns_dnssec_data_chain *data_chain,
224					   ldns_rr *rr);
225
226/**
227 * Generates a dnssec_trust_tree for the given rr from the
228 * given data_chain
229 *
230 * This does not clone the actual data; Don't free the
231 * data_chain before you are done with this tree
232 *
233 * \param[in] *data_chain The chain to derive the trust tree from
234 * \param[in] *rr The RR this tree will be about
235 * \param[in] check_time the time for which the validation is performed
236 * \return ldns_dnssec_trust_tree *
237 */
238ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree_time(
239		ldns_dnssec_data_chain *data_chain,
240		ldns_rr *rr, time_t check_time);
241
242/**
243 * Sub function for derive_trust_tree that is used for a 'normal' rrset
244 *
245 * \param[in] new_tree The trust tree that we are building
246 * \param[in] data_chain The data chain containing the data for the trust tree
247 * \param[in] cur_sig_rr The currently relevant signature
248 */
249void ldns_dnssec_derive_trust_tree_normal_rrset(
250         ldns_dnssec_trust_tree *new_tree,
251	    ldns_dnssec_data_chain *data_chain,
252	    ldns_rr *cur_sig_rr);
253
254/**
255 * Sub function for derive_trust_tree that is used for a 'normal' rrset
256 *
257 * \param[in] new_tree The trust tree that we are building
258 * \param[in] data_chain The data chain containing the data for the trust tree
259 * \param[in] cur_sig_rr The currently relevant signature
260 * \param[in] check_time the time for which the validation is performed
261 */
262void ldns_dnssec_derive_trust_tree_normal_rrset_time(
263         ldns_dnssec_trust_tree *new_tree,
264	    ldns_dnssec_data_chain *data_chain,
265	    ldns_rr *cur_sig_rr, time_t check_time);
266
267
268/**
269 * Sub function for derive_trust_tree that is used for DNSKEY rrsets
270 *
271 * \param[in] new_tree The trust tree that we are building
272 * \param[in] data_chain The data chain containing the data for the trust tree
273 * \param[in] cur_rr The currently relevant DNSKEY RR
274 * \param[in] cur_sig_rr The currently relevant signature
275 */
276void ldns_dnssec_derive_trust_tree_dnskey_rrset(
277         ldns_dnssec_trust_tree *new_tree,
278	    ldns_dnssec_data_chain *data_chain,
279	    ldns_rr *cur_rr,
280	    ldns_rr *cur_sig_rr);
281
282/**
283 * Sub function for derive_trust_tree that is used for DNSKEY rrsets
284 *
285 * \param[in] new_tree The trust tree that we are building
286 * \param[in] data_chain The data chain containing the data for the trust tree
287 * \param[in] cur_rr The currently relevant DNSKEY RR
288 * \param[in] cur_sig_rr The currently relevant signature
289 * \param[in] check_time the time for which the validation is performed
290 */
291void ldns_dnssec_derive_trust_tree_dnskey_rrset_time(
292         ldns_dnssec_trust_tree *new_tree,
293	    ldns_dnssec_data_chain *data_chain,
294	    ldns_rr *cur_rr, ldns_rr *cur_sig_rr,
295	    time_t check_time);
296
297
298/**
299 * Sub function for derive_trust_tree that is used for DNSKEY rrsets
300 *
301 * \param[in] new_tree The trust tree that we are building
302 * \param[in] data_chain The data chain containing the data for the trust tree
303 * \param[in] cur_rr The currently relevant DNSKEY RR
304 * \param[in] cur_sig_rr The currently relevant signature
305 * \param[in] check_time the time for which the validation is performed
306 */
307void ldns_dnssec_derive_trust_tree_dnskey_rrset_time(
308         ldns_dnssec_trust_tree *new_tree,
309	    ldns_dnssec_data_chain *data_chain,
310	    ldns_rr *cur_rr, ldns_rr *cur_sig_rr,
311	    time_t check_time);
312
313
314/**
315 * Sub function for derive_trust_tree that is used for DS rrsets
316 *
317 * \param[in] new_tree The trust tree that we are building
318 * \param[in] data_chain The data chain containing the data for the trust tree
319 * \param[in] cur_rr The currently relevant DS RR
320 */
321void ldns_dnssec_derive_trust_tree_ds_rrset(
322         ldns_dnssec_trust_tree *new_tree,
323	    ldns_dnssec_data_chain *data_chain,
324	    ldns_rr *cur_rr);
325
326/**
327 * Sub function for derive_trust_tree that is used for DS rrsets
328 *
329 * \param[in] new_tree The trust tree that we are building
330 * \param[in] data_chain The data chain containing the data for the trust tree
331 * \param[in] cur_rr The currently relevant DS RR
332 * \param[in] check_time the time for which the validation is performed
333 */
334void ldns_dnssec_derive_trust_tree_ds_rrset_time(
335         ldns_dnssec_trust_tree *new_tree,
336	    ldns_dnssec_data_chain *data_chain,
337	    ldns_rr *cur_rr, time_t check_time);
338
339/**
340 * Sub function for derive_trust_tree that is used when there are no
341 * signatures
342 *
343 * \param[in] new_tree The trust tree that we are building
344 * \param[in] data_chain The data chain containing the data for the trust tree
345 */
346void ldns_dnssec_derive_trust_tree_no_sig(
347         ldns_dnssec_trust_tree *new_tree,
348	    ldns_dnssec_data_chain *data_chain);
349
350/**
351 * Sub function for derive_trust_tree that is used when there are no
352 * signatures
353 *
354 * \param[in] new_tree The trust tree that we are building
355 * \param[in] data_chain The data chain containing the data for the trust tree
356 * \param[in] check_time the time for which the validation is performed
357 */
358void ldns_dnssec_derive_trust_tree_no_sig_time(
359         ldns_dnssec_trust_tree *new_tree,
360	    ldns_dnssec_data_chain *data_chain,
361	    time_t check_time);
362
363
364/**
365 * Returns OK if there is a trusted path in the tree to one of
366 * the DNSKEY or DS RRs in the given list
367 *
368 * \param *tree The trust tree so search
369 * \param *keys A ldns_rr_list of DNSKEY and DS rrs to look for
370 * \return LDNS_STATUS_OK if there is a trusted path to one of
371 *                        the keys, or the *first* error encountered
372 *                        if there were no paths
373 */
374ldns_status ldns_dnssec_trust_tree_contains_keys(
375			 ldns_dnssec_trust_tree *tree,
376			 ldns_rr_list *keys);
377
378/**
379 * Verifies a list of signatures for one rrset.
380 *
381 * \param[in] rrset the rrset to verify
382 * \param[in] rrsig a list of signatures to check
383 * \param[in] keys a list of keys to check with
384 * \param[out] good_keys  if this is a (initialized) list, the pointer to keys
385 *                        from keys that validate one of the signatures
386 *                        are added to it
387 * \return status LDNS_STATUS_OK if there is at least one correct key
388 */
389ldns_status ldns_verify(ldns_rr_list *rrset,
390				    ldns_rr_list *rrsig,
391				    const ldns_rr_list *keys,
392				    ldns_rr_list *good_keys);
393
394/**
395 * Verifies a list of signatures for one rrset.
396 *
397 * \param[in] rrset the rrset to verify
398 * \param[in] rrsig a list of signatures to check
399 * \param[in] keys a list of keys to check with
400 * \param[in] check_time the time for which the validation is performed
401 * \param[out] good_keys  if this is a (initialized) list, the pointer to keys
402 *                        from keys that validate one of the signatures
403 *                        are added to it
404 * \return status LDNS_STATUS_OK if there is at least one correct key
405 */
406ldns_status ldns_verify_time(ldns_rr_list *rrset,
407				    ldns_rr_list *rrsig,
408				    const ldns_rr_list *keys,
409				    time_t check_time,
410				    ldns_rr_list *good_keys);
411
412
413/**
414 * Verifies a list of signatures for one rrset, but disregard the time.
415 * Inception and Expiration are not checked.
416 *
417 * \param[in] rrset the rrset to verify
418 * \param[in] rrsig a list of signatures to check
419 * \param[in] keys a list of keys to check with
420 * \param[out] good_keys  if this is a (initialized) list, the pointer to keys
421 *                        from keys that validate one of the signatures
422 *                        are added to it
423 * \return status LDNS_STATUS_OK if there is at least one correct key
424 */
425ldns_status ldns_verify_notime(ldns_rr_list *rrset,
426				    ldns_rr_list *rrsig,
427				    const ldns_rr_list *keys,
428				    ldns_rr_list *good_keys);
429
430/**
431 * Tries to build an authentication chain from the given
432 * keys down to the queried domain.
433 *
434 * If we find a valid trust path, return the valid keys for the domain.
435 *
436 * \param[in] res the current resolver
437 * \param[in] domain the domain we want valid keys for
438 * \param[in] keys the current set of trusted keys
439 * \param[out] status pointer to the status variable where the result
440 *                    code will be stored
441 * \return the set of trusted keys for the domain, or NULL if no
442 *         trust path could be built.
443 */
444ldns_rr_list *ldns_fetch_valid_domain_keys(const ldns_resolver * res,
445								   const ldns_rdf * domain,
446								   const ldns_rr_list * keys,
447								   ldns_status *status);
448
449/**
450 * Tries to build an authentication chain from the given
451 * keys down to the queried domain.
452 *
453 * If we find a valid trust path, return the valid keys for the domain.
454 *
455 * \param[in] res the current resolver
456 * \param[in] domain the domain we want valid keys for
457 * \param[in] keys the current set of trusted keys
458 * \param[in] check_time the time for which the validation is performed
459 * \param[out] status pointer to the status variable where the result
460 *                    code will be stored
461 * \return the set of trusted keys for the domain, or NULL if no
462 *         trust path could be built.
463 */
464ldns_rr_list *ldns_fetch_valid_domain_keys_time(const ldns_resolver * res,
465		const ldns_rdf * domain, const ldns_rr_list * keys,
466		time_t check_time, ldns_status *status);
467
468
469/**
470 * Validates the DNSKEY RRset for the given domain using the provided
471 * trusted keys.
472 *
473 * \param[in] res the current resolver
474 * \param[in] domain the domain we want valid keys for
475 * \param[in] keys the current set of trusted keys
476 * \return the set of trusted keys for the domain, or NULL if the RRSET
477 *         could not be validated
478 */
479ldns_rr_list *ldns_validate_domain_dnskey (const ldns_resolver *res,
480								   const ldns_rdf *domain,
481								   const ldns_rr_list *keys);
482
483/**
484 * Validates the DNSKEY RRset for the given domain using the provided
485 * trusted keys.
486 *
487 * \param[in] res the current resolver
488 * \param[in] domain the domain we want valid keys for
489 * \param[in] keys the current set of trusted keys
490 * \param[in] check_time the time for which the validation is performed
491 * \return the set of trusted keys for the domain, or NULL if the RRSET
492 *         could not be validated
493 */
494ldns_rr_list *ldns_validate_domain_dnskey_time(
495		const ldns_resolver *res, const ldns_rdf *domain,
496		const ldns_rr_list *keys, time_t check_time);
497
498
499/**
500 * Validates the DS RRset for the given domain using the provided trusted keys.
501 *
502 * \param[in] res the current resolver
503 * \param[in] domain the domain we want valid keys for
504 * \param[in] keys the current set of trusted keys
505 * \return the set of trusted keys for the domain, or NULL if the RRSET could not be validated
506 */
507ldns_rr_list *ldns_validate_domain_ds(const ldns_resolver *res,
508							   const ldns_rdf *
509							   domain,
510							   const ldns_rr_list * keys);
511
512/**
513 * Validates the DS RRset for the given domain using the provided trusted keys.
514 *
515 * \param[in] res the current resolver
516 * \param[in] domain the domain we want valid keys for
517 * \param[in] keys the current set of trusted keys
518 * \param[in] check_time the time for which the validation is performed
519 * \return the set of trusted keys for the domain, or NULL if the RRSET could not be validated
520 */
521ldns_rr_list *ldns_validate_domain_ds_time(
522		const ldns_resolver *res, const ldns_rdf *domain,
523		const ldns_rr_list * keys, time_t check_time);
524
525
526/**
527 * Verifies a list of signatures for one RRset using a valid trust path.
528 *
529 * \param[in] res the current resolver
530 * \param[in] rrset the rrset to verify
531 * \param[in] rrsigs a list of signatures to check
532 * \param[out] validating_keys  if this is a (initialized) list, the
533 *                              keys from keys that validate one of
534 *                              the signatures are added to it
535 * \return status LDNS_STATUS_OK if there is at least one correct key
536 */
537ldns_status ldns_verify_trusted(ldns_resolver *res,
538						  ldns_rr_list *rrset,
539						  ldns_rr_list *rrsigs,
540						  ldns_rr_list *validating_keys);
541
542/**
543 * Verifies a list of signatures for one RRset using a valid trust path.
544 *
545 * \param[in] res the current resolver
546 * \param[in] rrset the rrset to verify
547 * \param[in] rrsigs a list of signatures to check
548 * \param[in] check_time the time for which the validation is performed
549 * \param[out] validating_keys  if this is a (initialized) list, the
550 *                              keys from keys that validate one of
551 *                              the signatures are added to it
552 * \return status LDNS_STATUS_OK if there is at least one correct key
553 */
554ldns_status ldns_verify_trusted_time(
555		ldns_resolver *res, ldns_rr_list *rrset,
556		ldns_rr_list *rrsigs, time_t check_time,
557		ldns_rr_list *validating_keys);
558
559
560/**
561 * denial is not just a river in egypt
562 *
563 * \param[in] rr The (query) RR to check the denial of existence for
564 * \param[in] nsecs The list of NSEC RRs that are supposed to deny the
565 *                  existence of the RR
566 * \param[in] rrsigs The RRSIG RR covering the NSEC RRs
567 * \return LDNS_STATUS_OK if the NSEC RRs deny the existence, error code
568 *                        containing the reason they do not otherwise
569 */
570ldns_status ldns_dnssec_verify_denial(ldns_rr *rr,
571							   ldns_rr_list *nsecs,
572							   ldns_rr_list *rrsigs);
573
574/**
575 * Denial of existence using NSEC3 records
576 * Since NSEC3 is a bit more complicated than normal denial, some
577 * context arguments are needed
578 *
579 * \param[in] rr The (query) RR to check the denial of existence for
580 * \param[in] nsecs The list of NSEC3 RRs that are supposed to deny the
581 *                  existence of the RR
582 * \param[in] rrsigs The RRSIG rr covering the NSEC RRs
583 * \param[in] packet_rcode The RCODE value of the packet that provided the
584 *                         NSEC3 RRs
585 * \param[in] packet_qtype The original query RR type
586 * \param[in] packet_nodata True if the providing packet had an empty ANSWER
587 *                          section
588 * \return LDNS_STATUS_OK if the NSEC3 RRs deny the existence, error code
589 *                        containing the reason they do not otherwise
590 */
591ldns_status ldns_dnssec_verify_denial_nsec3(ldns_rr *rr,
592								    ldns_rr_list *nsecs,
593								    ldns_rr_list *rrsigs,
594								    ldns_pkt_rcode packet_rcode,
595								    ldns_rr_type packet_qtype,
596								    bool packet_nodata);
597
598/**
599 * Same as ldns_status ldns_dnssec_verify_denial_nsec3 but also returns
600 * the nsec rr that matched.
601 *
602 * \param[in] rr The (query) RR to check the denial of existence for
603 * \param[in] nsecs The list of NSEC3 RRs that are supposed to deny the
604 *                  existence of the RR
605 * \param[in] rrsigs The RRSIG rr covering the NSEC RRs
606 * \param[in] packet_rcode The RCODE value of the packet that provided the
607 *                         NSEC3 RRs
608 * \param[in] packet_qtype The original query RR type
609 * \param[in] packet_nodata True if the providing packet had an empty ANSWER
610 *                          section
611 * \param[in] match On match, the given (reference to a) pointer will be set
612 *                  to point to the matching nsec resource record.
613 * \return LDNS_STATUS_OK if the NSEC3 RRs deny the existence, error code
614 *                        containing the reason they do not otherwise
615 */
616ldns_status ldns_dnssec_verify_denial_nsec3_match(ldns_rr *rr,
617						  ldns_rr_list *nsecs,
618						  ldns_rr_list *rrsigs,
619						  ldns_pkt_rcode packet_rcode,
620						  ldns_rr_type packet_qtype,
621						  bool packet_nodata,
622						  ldns_rr **match);
623/**
624 * Verifies the already processed data in the buffers
625 * This function should probably not be used directly.
626 *
627 * \param[in] rawsig_buf Buffer containing signature data to use
628 * \param[in] verify_buf Buffer containing data to verify
629 * \param[in] key_buf Buffer containing key data to use
630 * \param[in] algo Signing algorithm
631 * \return status LDNS_STATUS_OK if the data verifies. Error if not.
632 */
633ldns_status ldns_verify_rrsig_buffers(ldns_buffer *rawsig_buf,
634							   ldns_buffer *verify_buf,
635							   ldns_buffer *key_buf,
636							   uint8_t algo);
637
638/**
639 * Like ldns_verify_rrsig_buffers, but uses raw data.
640 *
641 * \param[in] sig signature data to use
642 * \param[in] siglen length of signature data to use
643 * \param[in] verify_buf Buffer containing data to verify
644 * \param[in] key key data to use
645 * \param[in] keylen length of key data to use
646 * \param[in] algo Signing algorithm
647 * \return status LDNS_STATUS_OK if the data verifies. Error if not.
648 */
649ldns_status ldns_verify_rrsig_buffers_raw(unsigned char* sig,
650								  size_t siglen,
651								  ldns_buffer *verify_buf,
652								  unsigned char* key,
653								  size_t keylen,
654								  uint8_t algo);
655
656/**
657 * Verifies an rrsig. All keys in the keyset are tried.
658 * \param[in] rrset the rrset to check
659 * \param[in] rrsig the signature of the rrset
660 * \param[in] keys the keys to try
661 * \param[out] good_keys  if this is a (initialized) list, the pointer to keys
662 *                        from keys that validate one of the signatures
663 *                        are added to it
664 * \return a list of keys which validate the rrsig + rrset. Returns
665 * status LDNS_STATUS_OK if at least one key matched. Else an error.
666 */
667ldns_status ldns_verify_rrsig_keylist(ldns_rr_list *rrset,
668							   ldns_rr *rrsig,
669							   const ldns_rr_list *keys,
670							   ldns_rr_list *good_keys);
671
672/**
673 * Verifies an rrsig. All keys in the keyset are tried.
674 * \param[in] rrset the rrset to check
675 * \param[in] rrsig the signature of the rrset
676 * \param[in] keys the keys to try
677 * \param[in] check_time the time for which the validation is performed
678 * \param[out] good_keys  if this is a (initialized) list, the pointer to keys
679 *                        from keys that validate one of the signatures
680 *                        are added to it
681 * \return a list of keys which validate the rrsig + rrset. Returns
682 * status LDNS_STATUS_OK if at least one key matched. Else an error.
683 */
684ldns_status ldns_verify_rrsig_keylist_time(
685		ldns_rr_list *rrset, ldns_rr *rrsig,
686		const ldns_rr_list *keys, time_t check_time,
687	       	ldns_rr_list *good_keys);
688
689
690/**
691 * Verifies an rrsig. All keys in the keyset are tried. Time is not checked.
692 * \param[in] rrset the rrset to check
693 * \param[in] rrsig the signature of the rrset
694 * \param[in] keys the keys to try
695 * \param[out] good_keys  if this is a (initialized) list, the pointer to keys
696 *                        from keys that validate one of the signatures
697 *                        are added to it
698 * \return a list of keys which validate the rrsig + rrset. Returns
699 * status LDNS_STATUS_OK if at least one key matched. Else an error.
700 */
701ldns_status ldns_verify_rrsig_keylist_notime(ldns_rr_list *rrset,
702							   ldns_rr *rrsig,
703							   const ldns_rr_list *keys,
704							   ldns_rr_list *good_keys);
705
706/**
707 * verify an rrsig with 1 key
708 * \param[in] rrset the rrset
709 * \param[in] rrsig the rrsig to verify
710 * \param[in] key the key to use
711 * \return status message wether verification succeeded.
712 */
713ldns_status ldns_verify_rrsig(ldns_rr_list *rrset,
714						ldns_rr *rrsig,
715						ldns_rr *key);
716
717
718/**
719 * verify an rrsig with 1 key
720 * \param[in] rrset the rrset
721 * \param[in] rrsig the rrsig to verify
722 * \param[in] key the key to use
723 * \param[in] check_time the time for which the validation is performed
724 * \return status message wether verification succeeded.
725 */
726ldns_status ldns_verify_rrsig_time(
727		ldns_rr_list *rrset, ldns_rr *rrsig,
728		ldns_rr *key, time_t check_time);
729
730
731#if LDNS_BUILD_CONFIG_HAVE_SSL
732/**
733 * verifies a buffer with signature data for a buffer with rrset data
734 * with an EVP_PKEY
735 *
736 * \param[in] sig the signature data
737 * \param[in] rrset the rrset data, sorted and processed for verification
738 * \param[in] key the EVP key structure
739 * \param[in] digest_type The digest type of the signature
740 */
741ldns_status ldns_verify_rrsig_evp(ldns_buffer *sig,
742						    ldns_buffer *rrset,
743						    EVP_PKEY *key,
744						    const EVP_MD *digest_type);
745
746/**
747 * Like ldns_verify_rrsig_evp, but uses raw signature data.
748 * \param[in] sig the signature data, wireformat uncompressed
749 * \param[in] siglen length of the signature data
750 * \param[in] rrset the rrset data, sorted and processed for verification
751 * \param[in] key the EVP key structure
752 * \param[in] digest_type The digest type of the signature
753 */
754ldns_status ldns_verify_rrsig_evp_raw(unsigned char *sig,
755							   size_t siglen,
756							   ldns_buffer *rrset,
757							   EVP_PKEY *key,
758							   const EVP_MD *digest_type);
759#endif
760
761/**
762 * verifies a buffer with signature data (DSA) for a buffer with rrset data
763 * with a buffer with key data.
764 *
765 * \param[in] sig the signature data
766 * \param[in] rrset the rrset data, sorted and processed for verification
767 * \param[in] key the key data
768 */
769ldns_status ldns_verify_rrsig_dsa(ldns_buffer *sig,
770						    ldns_buffer *rrset,
771						    ldns_buffer *key);
772
773/**
774 * verifies a buffer with signature data (RSASHA1) for a buffer with rrset data
775 * with a buffer with key data.
776 *
777 * \param[in] sig the signature data
778 * \param[in] rrset the rrset data, sorted and processed for verification
779 * \param[in] key the key data
780 */
781ldns_status ldns_verify_rrsig_rsasha1(ldns_buffer *sig,
782							   ldns_buffer *rrset,
783							   ldns_buffer *key);
784
785/**
786 * verifies a buffer with signature data (RSAMD5) for a buffer with rrset data
787 * with a buffer with key data.
788 *
789 * \param[in] sig the signature data
790 * \param[in] rrset the rrset data, sorted and processed for verification
791 * \param[in] key the key data
792 */
793ldns_status ldns_verify_rrsig_rsamd5(ldns_buffer *sig,
794							  ldns_buffer *rrset,
795							  ldns_buffer *key);
796
797/**
798 * Like ldns_verify_rrsig_dsa, but uses raw signature and key data.
799 * \param[in] sig raw uncompressed wireformat signature data
800 * \param[in] siglen length of signature data
801 * \param[in] rrset ldns buffer with prepared rrset data.
802 * \param[in] key raw uncompressed wireformat key data
803 * \param[in] keylen length of key data
804 */
805ldns_status ldns_verify_rrsig_dsa_raw(unsigned char* sig,
806							   size_t siglen,
807							   ldns_buffer* rrset,
808							   unsigned char* key,
809							   size_t keylen);
810
811/**
812 * Like ldns_verify_rrsig_rsasha1, but uses raw signature and key data.
813 * \param[in] sig raw uncompressed wireformat signature data
814 * \param[in] siglen length of signature data
815 * \param[in] rrset ldns buffer with prepared rrset data.
816 * \param[in] key raw uncompressed wireformat key data
817 * \param[in] keylen length of key data
818 */
819ldns_status ldns_verify_rrsig_rsasha1_raw(unsigned char* sig,
820								  size_t siglen,
821								  ldns_buffer* rrset,
822								  unsigned char* key,
823								  size_t keylen);
824
825/**
826 * Like ldns_verify_rrsig_rsasha256, but uses raw signature and key data.
827 * \param[in] sig raw uncompressed wireformat signature data
828 * \param[in] siglen length of signature data
829 * \param[in] rrset ldns buffer with prepared rrset data.
830 * \param[in] key raw uncompressed wireformat key data
831 * \param[in] keylen length of key data
832 */
833
834ldns_status ldns_verify_rrsig_rsasha256_raw(unsigned char* sig,
835								    size_t siglen,
836								    ldns_buffer* rrset,
837								    unsigned char* key,
838								    size_t keylen);
839
840/**
841 * Like ldns_verify_rrsig_rsasha512, but uses raw signature and key data.
842 * \param[in] sig raw uncompressed wireformat signature data
843 * \param[in] siglen length of signature data
844 * \param[in] rrset ldns buffer with prepared rrset data.
845 * \param[in] key raw uncompressed wireformat key data
846 * \param[in] keylen length of key data
847 */
848ldns_status ldns_verify_rrsig_rsasha512_raw(unsigned char* sig,
849								    size_t siglen,
850								    ldns_buffer* rrset,
851								    unsigned char* key,
852								    size_t keylen);
853
854/**
855 * Like ldns_verify_rrsig_rsamd5, but uses raw signature and key data.
856 * \param[in] sig raw uncompressed wireformat signature data
857 * \param[in] siglen length of signature data
858 * \param[in] rrset ldns buffer with prepared rrset data.
859 * \param[in] key raw uncompressed wireformat key data
860 * \param[in] keylen length of key data
861 */
862ldns_status ldns_verify_rrsig_rsamd5_raw(unsigned char* sig,
863								 size_t siglen,
864								 ldns_buffer* rrset,
865								 unsigned char* key,
866								 size_t keylen);
867
868#ifdef __cplusplus
869}
870#endif
871
872#endif
873
874