dnssec_verify.h revision 246854
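/** dnssec_verify */

#ifndef LDNS_DNSSEC_VERIFY_H
#define LDNS_DNSSEC_VERIFY_H

/**
 * Upper bound on the number of parent links a single trust tree node
 * can hold (size of the parents/parent_status/parent_signature arrays
 * in ldns_dnssec_trust_tree_struct).
 */
#define LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS 10

#include <ldns/dnssec.h>
#include <ldns/host2str.h>

#ifdef __cplusplus
extern "C" {
#endif

/**
 * Chain structure that contains all DNSSEC data needed to
 * verify an rrset
 *
 * A chain only *collects* data (rrsets, their signatures and the
 * parent rrsets they depend on); it carries no cryptographic status.
 * Status is established later by deriving an ldns_dnssec_trust_tree
 * from the chain, so a chain by itself must not be treated as verified.
 */
typedef struct ldns_dnssec_data_chain_struct ldns_dnssec_data_chain;
struct ldns_dnssec_data_chain_struct
{
	/** the rrset this link of the chain is about */
	ldns_rr_list *rrset;
	/** the RRSIG RRs covering rrset */
	ldns_rr_list *signatures;
	/** rr type of the parent link (presumably DNSKEY, DS or NSEC,
	    see the trust tree description below) */
	ldns_rr_type parent_type;
	/** the next link towards the trust anchor, NULL at the top */
	ldns_dnssec_data_chain *parent;
	/** RCODE of the packet this link's data came from
	    (see ldns_dnssec_verify_denial_nsec3) */
	ldns_pkt_rcode packet_rcode;
	/** original query type of that packet */
	ldns_rr_type packet_qtype;
	/** true if that packet had an empty ANSWER section */
	bool packet_nodata;
};

/**
 * Creates a new dnssec_chain structure
 * \return ldns_dnssec_data_chain *
 */
ldns_dnssec_data_chain *ldns_dnssec_data_chain_new(void);

/**
 * Frees a dnssec_data_chain structure
 *
 * Only the chain structure itself is freed; the rrsets and
 * signatures it points to are left alone (see
 * ldns_dnssec_data_chain_deep_free for the opposite).
 *
 * \param[in] *chain The chain to free
 */
void ldns_dnssec_data_chain_free(ldns_dnssec_data_chain *chain);

/**
 * Frees a dnssec_data_chain structure, and all data
 * contained therein
 *
 * Any ldns_dnssec_trust_tree derived from this chain holds raw
 * pointers into it and becomes dangling once this is called;
 * free such trees first.
 *
 * \param[in] *chain The dnssec_data_chain to free
 */
void ldns_dnssec_data_chain_deep_free(ldns_dnssec_data_chain *chain);

/**
 * Prints the dnssec_data_chain to the given file stream
 *
 * \param[in] *out The file stream to print to
 * \param[in] *chain The dnssec_data_chain to print
 */
void ldns_dnssec_data_chain_print(FILE *out, const ldns_dnssec_data_chain *chain);

/**
 * Prints the dnssec_data_chain to the given file stream
 *
 * \param[in] *out The file stream to print to
 * \param[in] *fmt The format of the textual representation
 * \param[in] *chain The dnssec_data_chain to print
 */
void ldns_dnssec_data_chain_print_fmt(FILE *out,
		const ldns_output_format *fmt,
		const ldns_dnssec_data_chain *chain);

/**
 * Build an ldns_dnssec_data_chain, which contains all
 * DNSSEC data that is needed to derive the trust tree later
 *
 * The data_set will be cloned
 *
 * Data obtained through the resolver is stored as received;
 * nothing is verified here. Derive a trust tree from the result
 * and check it with ldns_dnssec_trust_tree_contains_keys before
 * relying on any of it.
 *
 * \param[in] *res resolver structure for further needed queries
 * \param[in] qflags resolution flags
 * \param[in] *data_set The original rrset where the chain ends
 * \param[in] *pkt optional, can contain the original packet
 * (and hence the sigs and maybe the key)
 * \param[in] *orig_rr The original Resource Record
 *
 * \return the DNSSEC data chain
 */
ldns_dnssec_data_chain *ldns_dnssec_build_data_chain(ldns_resolver *res,
		const uint16_t qflags,
		const ldns_rr_list *data_set,
		const ldns_pkt *pkt,
		ldns_rr *orig_rr);

/**
 * Tree structure that contains the relation of DNSSEC data,
 * and their cryptographic status.
 *
 * This tree is derived from a data_chain, and can be used
 * to look whether there is a connection between an RRSET
 * and a trusted key. The tree only contains pointers to the
 * data_chain, and therefore one should *never* free() the
 * data_chain when there is still a trust tree derived from
 * that chain.
 *
 * Example tree:
 *     key   key    key
 *       \    |    /
 *        \   |   /
 *         \  |  /
 *            ds
 *            |
 *           key
 *            |
 *           key
 *            |
 *            rr
 *
 * For each signature there is a parent; if the parent
 * pointer is null, it couldn't be found and there was no
 * denial; otherwise is a tree which contains either a
 * DNSKEY, a DS, or a NSEC rr
 */
typedef struct ldns_dnssec_trust_tree_struct ldns_dnssec_trust_tree;
struct ldns_dnssec_trust_tree_struct
{
	/** the rr this node is about */
	ldns_rr *rr;
	/* the complete rrset this rr was in */
	ldns_rr_list *rrset;
	/** parent nodes; only the first parent_count entries are valid */
	ldns_dnssec_trust_tree *parents[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS];
	/** per-parent verification status of the rr <-> parent link */
	ldns_status parent_status[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS];
	/** for debugging, add signatures too (you might want
	    those if they contain errors) */
	ldns_rr *parent_signature[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS];
	/** number of used entries in the three arrays above,
	    never more than LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS */
	size_t parent_count;
};

/**
 * Creates a new (empty) dnssec_trust_tree structure
 *
 * \return ldns_dnssec_trust_tree *
 */
ldns_dnssec_trust_tree *ldns_dnssec_trust_tree_new(void);

/**
 * Frees the dnssec_trust_tree recursively
 *
 * There is no deep free; all data in the trust tree
 * consists of pointers to a data_chain
 *
 * \param[in] tree The tree to free
 */
void ldns_dnssec_trust_tree_free(ldns_dnssec_trust_tree *tree);

/**
 * returns the depth of the trust tree
 *
 * \param[in] tree tree to calculate the depth of
 * \return The depth of the tree
 */
size_t ldns_dnssec_trust_tree_depth(ldns_dnssec_trust_tree *tree);

/**
 * Prints the dnssec_trust_tree structure to the given file
 * stream.
 *
 * If a link status is not LDNS_STATUS_OK; the status and
 * relevant signatures are printed too
 *
 * \param[in] *out The file stream to print to
 * \param[in] tree The trust tree to print
 * \param[in] tabs Prepend each line with tabs*2 spaces
 * \param[in] extended If true, add little explanation lines to the output
 */
void ldns_dnssec_trust_tree_print(FILE *out,
		ldns_dnssec_trust_tree *tree,
		size_t tabs,
		bool extended);

/**
 * Prints the dnssec_trust_tree structure to the given file
 * stream.
 *
 * If a link status is not LDNS_STATUS_OK; the status and
 * relevant signatures are printed too
 *
 * \param[in] *out The file stream to print to
 * \param[in] *fmt The format of the textual representation
 * \param[in] tree The trust tree to print
 * \param[in] tabs Prepend each line with tabs*2 spaces
 * \param[in] extended If true, add little explanation lines to the output
 */
void ldns_dnssec_trust_tree_print_fmt(FILE *out,
		const ldns_output_format *fmt,
		ldns_dnssec_trust_tree *tree,
		size_t tabs,
		bool extended);

/**
 * Adds a trust tree as a parent for the given trust tree
 *
 * A node holds at most LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS parents;
 * callers must check the return value rather than assume the
 * parent was stored.
 *
 * \param[in] *tree The tree to add the parent to
 * \param[in] *parent The parent tree to add
 * \param[in] *parent_signature The RRSIG relevant to this parent/child
 *            connection
 * \param[in] parent_status The DNSSEC status for this parent, child and RRSIG
 * \return LDNS_STATUS_OK if the addition succeeds, error otherwise
 *         (presumably when the parent arrays are already full)
 */
ldns_status ldns_dnssec_trust_tree_add_parent(ldns_dnssec_trust_tree *tree,
		const ldns_dnssec_trust_tree *parent,
		const ldns_rr *parent_signature,
		const ldns_status parent_status);

/**
 * Generates a dnssec_trust_tree for the given rr from the
 * given data_chain
 *
 * This does not clone the actual data; Don't free the
 * data_chain before you are done with this tree
 *
 * \param[in] *data_chain The chain to derive the trust tree from
 * \param[in] *rr The RR this tree will be about
 * \return ldns_dnssec_trust_tree *
 */
ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree(
		ldns_dnssec_data_chain *data_chain,
		ldns_rr *rr);

/**
 * Generates a dnssec_trust_tree for the given rr from the
 * given data_chain
 *
 * This does not clone the actual data; Don't free the
 * data_chain before you are done with this tree
 *
 * \param[in] *data_chain The chain to derive the trust tree from
 * \param[in] *rr The RR this tree will be about
 * \param[in] check_time the time for which the validation is performed
 * \return ldns_dnssec_trust_tree *
 */
ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree_time(
		ldns_dnssec_data_chain *data_chain,
		ldns_rr *rr, time_t check_time);

/**
 * Sub function for derive_trust_tree that is used for a 'normal' rrset
 *
 * \param[in] new_tree The trust tree that we are building
 * \param[in] data_chain The data chain containing the data for the trust tree
 * \param[in] cur_sig_rr The currently relevant signature
 */
void ldns_dnssec_derive_trust_tree_normal_rrset(
		ldns_dnssec_trust_tree *new_tree,
		ldns_dnssec_data_chain *data_chain,
		ldns_rr *cur_sig_rr);

/**
 * Sub function for derive_trust_tree that is used for a 'normal' rrset
 *
 * \param[in] new_tree The trust tree that we are building
 * \param[in] data_chain The data chain containing the data for the trust tree
 * \param[in] cur_sig_rr The currently relevant signature
 * \param[in] check_time the time for which the validation is performed
 */
void ldns_dnssec_derive_trust_tree_normal_rrset_time(
		ldns_dnssec_trust_tree *new_tree,
		ldns_dnssec_data_chain *data_chain,
		ldns_rr *cur_sig_rr, time_t check_time);


/**
 * Sub function for derive_trust_tree that is used for DNSKEY rrsets
 *
 * \param[in] new_tree The trust tree that we are building
 * \param[in] data_chain The data chain containing the data for the trust tree
 * \param[in] cur_rr The currently relevant DNSKEY RR
 * \param[in] cur_sig_rr The currently relevant signature
 */
void ldns_dnssec_derive_trust_tree_dnskey_rrset(
		ldns_dnssec_trust_tree *new_tree,
		ldns_dnssec_data_chain *data_chain,
		ldns_rr *cur_rr,
		ldns_rr *cur_sig_rr);

/**
 * Sub function for derive_trust_tree that is used for DNSKEY rrsets
 *
 * \param[in] new_tree The trust tree that we are building
 * \param[in] data_chain The data chain containing the data for the trust tree
 * \param[in] cur_rr The currently relevant DNSKEY RR
 * \param[in] cur_sig_rr The currently relevant signature
 * \param[in] check_time the time for which the validation is performed
 */
void ldns_dnssec_derive_trust_tree_dnskey_rrset_time(
		ldns_dnssec_trust_tree *new_tree,
		ldns_dnssec_data_chain *data_chain,
		ldns_rr *cur_rr, ldns_rr *cur_sig_rr,
		time_t check_time);


/**
 * Sub function for derive_trust_tree that is used for DS rrsets
 *
 * \param[in] new_tree The trust tree that we are building
 * \param[in] data_chain The data chain containing the data for the trust tree
 * \param[in] cur_rr The currently relevant DS RR
 */
void ldns_dnssec_derive_trust_tree_ds_rrset(
		ldns_dnssec_trust_tree *new_tree,
		ldns_dnssec_data_chain *data_chain,
		ldns_rr *cur_rr);

/**
 * Sub function for derive_trust_tree that is used for DS rrsets
 *
 * \param[in] new_tree The trust tree that we are building
 * \param[in] data_chain The data chain containing the data for the trust tree
 * \param[in] cur_rr The currently relevant DS RR
 * \param[in] check_time the time for which the validation is performed
 */
void ldns_dnssec_derive_trust_tree_ds_rrset_time(
		ldns_dnssec_trust_tree *new_tree,
		ldns_dnssec_data_chain *data_chain,
		ldns_rr *cur_rr, time_t check_time);

/**
 * Sub function for derive_trust_tree that is used when there are no
 * signatures
 *
 * \param[in] new_tree The trust tree that we are building
 * \param[in] data_chain The data chain containing the data for the trust tree
 */
void ldns_dnssec_derive_trust_tree_no_sig(
		ldns_dnssec_trust_tree *new_tree,
		ldns_dnssec_data_chain *data_chain);

/**
 * Sub function for derive_trust_tree that is used when there are no
 * signatures
 *
 * \param[in] new_tree The trust tree that we are building
 * \param[in] data_chain The data chain containing the data for the trust tree
 * \param[in] check_time the time for which the validation is performed
 */
void ldns_dnssec_derive_trust_tree_no_sig_time(
		ldns_dnssec_trust_tree *new_tree,
		ldns_dnssec_data_chain *data_chain,
		time_t check_time);


/**
 * Returns OK if there is a trusted path in the tree to one of
 * the DNSKEY or DS RRs in the given list
 *
 * The keys list acts as the set of trust anchors: the result is
 * only as trustworthy as the source of that list.
 *
 * \param *tree The trust tree to search
 * \param *keys A ldns_rr_list of DNSKEY and DS rrs to look for
 *
 * \return LDNS_STATUS_OK if there is a trusted path to one of
 *         the keys, or the *first* error encountered
 *         if there were no paths
 */
ldns_status ldns_dnssec_trust_tree_contains_keys(
		ldns_dnssec_trust_tree *tree,
		ldns_rr_list *keys);

/**
 * Verifies a list of signatures for one rrset.
 *
 * \param[in] rrset the rrset to verify
 * \param[in] rrsig a list of signatures to check
 * \param[in] keys a list of keys to check with
 * \param[out] good_keys if this is a (initialized) list, the pointer to keys
 *                       from keys that validate one of the signatures
 *                       are added to it
 * \return status LDNS_STATUS_OK if there is at least one correct key
 */
ldns_status ldns_verify(ldns_rr_list *rrset,
		ldns_rr_list *rrsig,
		const ldns_rr_list *keys,
		ldns_rr_list *good_keys);

/**
 * Verifies a list of signatures for one rrset.
 *
 * \param[in] rrset the rrset to verify
 * \param[in] rrsig a list of signatures to check
 * \param[in] keys a list of keys to check with
 * \param[in] check_time the time for which the validation is performed
 * \param[out] good_keys if this is a (initialized) list, the pointer to keys
 *                       from keys that validate one of the signatures
 *                       are added to it
 * \return status LDNS_STATUS_OK if there is at least one correct key
 */
ldns_status ldns_verify_time(ldns_rr_list *rrset,
		ldns_rr_list *rrsig,
		const ldns_rr_list *keys,
		time_t check_time,
		ldns_rr_list *good_keys);


/**
 * Verifies a list of signatures for one rrset, but disregard the time.
 * Inception and Expiration are not checked.
 *
 * Because expired or not-yet-valid signatures are accepted, this is
 * only suitable for diagnostics or for callers that enforce the
 * validity window themselves; use ldns_verify or ldns_verify_time
 * for actual validation.
 *
 * \param[in] rrset the rrset to verify
 * \param[in] rrsig a list of signatures to check
 * \param[in] keys a list of keys to check with
 * \param[out] good_keys if this is a (initialized) list, the pointer to keys
 *                       from keys that validate one of the signatures
 *                       are added to it
 * \return status LDNS_STATUS_OK if there is at least one correct key
 */
ldns_status ldns_verify_notime(ldns_rr_list *rrset,
		ldns_rr_list *rrsig,
		const ldns_rr_list *keys,
		ldns_rr_list *good_keys);

/**
 * Tries to build an authentication chain from the given
 * keys down to the queried domain.
 *
 * If we find a valid trust path, return the valid keys for the domain.
 *
 * \param[in] res the current resolver
 * \param[in] domain the domain we want valid keys for
 * \param[in] keys the current set of trusted keys
 * \param[out] status pointer to the status variable where the result
 *                    code will be stored
 * \return the set of trusted keys for the domain, or NULL if no
 *         trust path could be built.
 */
ldns_rr_list *ldns_fetch_valid_domain_keys(const ldns_resolver *res,
		const ldns_rdf *domain,
		const ldns_rr_list *keys,
		ldns_status *status);

/**
 * Tries to build an authentication chain from the given
 * keys down to the queried domain.
 *
 * If we find a valid trust path, return the valid keys for the domain.
 *
 * \param[in] res the current resolver
 * \param[in] domain the domain we want valid keys for
 * \param[in] keys the current set of trusted keys
 * \param[in] check_time the time for which the validation is performed
 * \param[out] status pointer to the status variable where the result
 *                    code will be stored
 * \return the set of trusted keys for the domain, or NULL if no
 *         trust path could be built.
 */
ldns_rr_list *ldns_fetch_valid_domain_keys_time(const ldns_resolver *res,
		const ldns_rdf *domain, const ldns_rr_list *keys,
		time_t check_time, ldns_status *status);


/**
 * Validates the DNSKEY RRset for the given domain using the provided
 * trusted keys.
 *
 * \param[in] res the current resolver
 * \param[in] domain the domain we want valid keys for
 * \param[in] keys the current set of trusted keys
 * \return the set of trusted keys for the domain, or NULL if the RRSET
 *         could not be validated
 */
ldns_rr_list *ldns_validate_domain_dnskey(const ldns_resolver *res,
		const ldns_rdf *domain,
		const ldns_rr_list *keys);

/**
 * Validates the DNSKEY RRset for the given domain using the provided
 * trusted keys.
 *
 * \param[in] res the current resolver
 * \param[in] domain the domain we want valid keys for
 * \param[in] keys the current set of trusted keys
 * \param[in] check_time the time for which the validation is performed
 * \return the set of trusted keys for the domain, or NULL if the RRSET
 *         could not be validated
 */
ldns_rr_list *ldns_validate_domain_dnskey_time(
		const ldns_resolver *res, const ldns_rdf *domain,
		const ldns_rr_list *keys, time_t check_time);


/**
 * Validates the DS RRset for the given domain using the provided trusted keys.
 *
 * \param[in] res the current resolver
 * \param[in] domain the domain we want valid keys for
 * \param[in] keys the current set of trusted keys
 * \return the set of trusted keys for the domain, or NULL if the RRSET could not be validated
 */
ldns_rr_list *ldns_validate_domain_ds(const ldns_resolver *res,
		const ldns_rdf *domain,
		const ldns_rr_list *keys);

/**
 * Validates the DS RRset for the given domain using the provided trusted keys.
 *
 * \param[in] res the current resolver
 * \param[in] domain the domain we want valid keys for
 * \param[in] keys the current set of trusted keys
 * \param[in] check_time the time for which the validation is performed
 * \return the set of trusted keys for the domain, or NULL if the RRSET could not be validated
 */
ldns_rr_list *ldns_validate_domain_ds_time(
		const ldns_resolver *res, const ldns_rdf *domain,
		const ldns_rr_list *keys, time_t check_time);


/**
 * Verifies a list of signatures for one RRset using a valid trust path.
 *
 * \param[in] res the current resolver
 * \param[in] rrset the rrset to verify
 * \param[in] rrsigs a list of signatures to check
 * \param[out] validating_keys if this is a (initialized) list, the
 *                             keys from keys that validate one of
 *                             the signatures are added to it
 * \return status LDNS_STATUS_OK if there is at least one correct key
 */
ldns_status ldns_verify_trusted(ldns_resolver *res,
		ldns_rr_list *rrset,
		ldns_rr_list *rrsigs,
		ldns_rr_list *validating_keys);

/**
 * Verifies a list of signatures for one RRset using a valid trust path.
 *
 * \param[in] res the current resolver
 * \param[in] rrset the rrset to verify
 * \param[in] rrsigs a list of signatures to check
 * \param[in] check_time the time for which the validation is performed
 * \param[out] validating_keys if this is a (initialized) list, the
 *                             keys from keys that validate one of
 *                             the signatures are added to it
 * \return status LDNS_STATUS_OK if there is at least one correct key
 */
ldns_status ldns_verify_trusted_time(
		ldns_resolver *res, ldns_rr_list *rrset,
		ldns_rr_list *rrsigs, time_t check_time,
		ldns_rr_list *validating_keys);


/**
 * Checks denial of existence of an RR using NSEC records.
 * (denial is not just a river in egypt)
 *
 * \param[in] rr The (query) RR to check the denial of existence for
 * \param[in] nsecs The list of NSEC RRs that are supposed to deny the
 *                  existence of the RR
 * \param[in] rrsigs The RRSIG RR covering the NSEC RRs
 * \return LDNS_STATUS_OK if the NSEC RRs deny the existence, error code
 *         containing the reason they do not otherwise
 */
ldns_status ldns_dnssec_verify_denial(ldns_rr *rr,
		ldns_rr_list *nsecs,
		ldns_rr_list *rrsigs);

/**
 * Denial of existence using NSEC3 records
 * Since NSEC3 is a bit more complicated than normal denial, some
 * context arguments are needed
 *
 * \param[in] rr The (query) RR to check the denial of existence for
 * \param[in] nsecs The list of NSEC3 RRs that are supposed to deny the
 *                  existence of the RR
 * \param[in] rrsigs The RRSIG rr covering the NSEC RRs
 * \param[in] packet_rcode The RCODE value of the packet that provided the
 *                         NSEC3 RRs
 * \param[in] packet_qtype The original query RR type
 * \param[in] packet_nodata True if the providing packet had an empty ANSWER
 *                          section
 * \return LDNS_STATUS_OK if the NSEC3 RRs deny the existence, error code
 *         containing the reason they do not otherwise
 */
ldns_status ldns_dnssec_verify_denial_nsec3(ldns_rr *rr,
		ldns_rr_list *nsecs,
		ldns_rr_list *rrsigs,
		ldns_pkt_rcode packet_rcode,
		ldns_rr_type packet_qtype,
		bool packet_nodata);

/**
 * Same as ldns_status ldns_dnssec_verify_denial_nsec3 but also returns
 * the nsec rr that matched.
 *
 * \param[in] rr The (query) RR to check the denial of existence for
 * \param[in] nsecs The list of NSEC3 RRs that are supposed to deny the
 *                  existence of the RR
 * \param[in] rrsigs The RRSIG rr covering the NSEC RRs
 * \param[in] packet_rcode The RCODE value of the packet that provided the
 *                         NSEC3 RRs
 * \param[in] packet_qtype The original query RR type
 * \param[in] packet_nodata True if the providing packet had an empty ANSWER
 *                          section
 * \param[in] match On match, the given (reference to a) pointer will be set
 *                  to point to the matching nsec resource record.
 * \return LDNS_STATUS_OK if the NSEC3 RRs deny the existence, error code
 *         containing the reason they do not otherwise
 */
ldns_status ldns_dnssec_verify_denial_nsec3_match(ldns_rr *rr,
		ldns_rr_list *nsecs,
		ldns_rr_list *rrsigs,
		ldns_pkt_rcode packet_rcode,
		ldns_rr_type packet_qtype,
		bool packet_nodata,
		ldns_rr **match);

/**
 * Verifies the already processed data in the buffers
 * This function should probably not be used directly.
 *
 * \param[in] rawsig_buf Buffer containing signature data to use
 * \param[in] verify_buf Buffer containing data to verify
 * \param[in] key_buf Buffer containing key data to use
 * \param[in] algo Signing algorithm
 * \return status LDNS_STATUS_OK if the data verifies. Error if not.
 */
ldns_status ldns_verify_rrsig_buffers(ldns_buffer *rawsig_buf,
		ldns_buffer *verify_buf,
		ldns_buffer *key_buf,
		uint8_t algo);

/**
 * Like ldns_verify_rrsig_buffers, but uses raw data.
 *
 * siglen and keylen are the only bounds the callee has for sig and
 * key; they must describe the actual buffers, as with any raw
 * pointer/length pair.
 *
 * \param[in] sig signature data to use
 * \param[in] siglen length of signature data to use
 * \param[in] verify_buf Buffer containing data to verify
 * \param[in] key key data to use
 * \param[in] keylen length of key data to use
 * \param[in] algo Signing algorithm
 * \return status LDNS_STATUS_OK if the data verifies. Error if not.
 */
ldns_status ldns_verify_rrsig_buffers_raw(unsigned char *sig,
		size_t siglen,
		ldns_buffer *verify_buf,
		unsigned char *key,
		size_t keylen,
		uint8_t algo);

/**
 * Verifies an rrsig. All keys in the keyset are tried.
 * \param[in] rrset the rrset to check
 * \param[in] rrsig the signature of the rrset
 * \param[in] keys the keys to try
 * \param[out] good_keys if this is a (initialized) list, the pointer to keys
 *                       from keys that validate one of the signatures
 *                       are added to it
 * \return status LDNS_STATUS_OK if at least one key matched, else an
 *         error; the keys that validated are reported via good_keys
 */
ldns_status ldns_verify_rrsig_keylist(ldns_rr_list *rrset,
		ldns_rr *rrsig,
		const ldns_rr_list *keys,
		ldns_rr_list *good_keys);

/**
 * Verifies an rrsig. All keys in the keyset are tried.
 * \param[in] rrset the rrset to check
 * \param[in] rrsig the signature of the rrset
 * \param[in] keys the keys to try
 * \param[in] check_time the time for which the validation is performed
 * \param[out] good_keys if this is a (initialized) list, the pointer to keys
 *                       from keys that validate one of the signatures
 *                       are added to it
 * \return status LDNS_STATUS_OK if at least one key matched, else an
 *         error; the keys that validated are reported via good_keys
 */
ldns_status ldns_verify_rrsig_keylist_time(
		ldns_rr_list *rrset, ldns_rr *rrsig,
		const ldns_rr_list *keys, time_t check_time,
		ldns_rr_list *good_keys);


/**
 * Verifies an rrsig. All keys in the keyset are tried. Time is not checked.
 *
 * As with ldns_verify_notime, expired or not-yet-valid signatures pass;
 * do not use this for validation unless the validity window is enforced
 * elsewhere.
 *
 * \param[in] rrset the rrset to check
 * \param[in] rrsig the signature of the rrset
 * \param[in] keys the keys to try
 * \param[out] good_keys if this is a (initialized) list, the pointer to keys
 *                       from keys that validate one of the signatures
 *                       are added to it
 * \return status LDNS_STATUS_OK if at least one key matched, else an
 *         error; the keys that validated are reported via good_keys
 */
ldns_status ldns_verify_rrsig_keylist_notime(ldns_rr_list *rrset,
		ldns_rr *rrsig,
		const ldns_rr_list *keys,
		ldns_rr_list *good_keys);

/**
 * verify an rrsig with 1 key
 * \param[in] rrset the rrset
 * \param[in] rrsig the rrsig to verify
 * \param[in] key the key to use
 * \return status message whether verification succeeded.
 */
ldns_status ldns_verify_rrsig(ldns_rr_list *rrset,
		ldns_rr *rrsig,
		ldns_rr *key);


/**
 * verify an rrsig with 1 key
 * \param[in] rrset the rrset
 * \param[in] rrsig the rrsig to verify
 * \param[in] key the key to use
 * \param[in] check_time the time for which the validation is performed
 * \return status message whether verification succeeded.
 */
ldns_status ldns_verify_rrsig_time(
		ldns_rr_list *rrset, ldns_rr *rrsig,
		ldns_rr *key, time_t check_time);


#if LDNS_BUILD_CONFIG_HAVE_SSL
/**
 * verifies a buffer with signature data for a buffer with rrset data
 * with an EVP_PKEY
 *
 * \param[in] sig the signature data
 * \param[in] rrset the rrset data, sorted and processed for verification
 * \param[in] key the EVP key structure
 * \param[in] digest_type The digest type of the signature
 * \return status; LDNS_STATUS_OK if the signature verifies, an error
 *         status otherwise (as for ldns_verify_rrsig_buffers)
 */
ldns_status ldns_verify_rrsig_evp(ldns_buffer *sig,
		ldns_buffer *rrset,
		EVP_PKEY *key,
		const EVP_MD *digest_type);

/**
 * Like ldns_verify_rrsig_evp, but uses raw signature data.
 * \param[in] sig the signature data, wireformat uncompressed
 * \param[in] siglen length of the signature data
 * \param[in] rrset the rrset data, sorted and processed for verification
 * \param[in] key the EVP key structure
 * \param[in] digest_type The digest type of the signature
 * \return status; LDNS_STATUS_OK if the signature verifies, an error
 *         status otherwise (as for ldns_verify_rrsig_buffers)
 */
ldns_status ldns_verify_rrsig_evp_raw(unsigned char *sig,
		size_t siglen,
		ldns_buffer *rrset,
		EVP_PKEY *key,
		const EVP_MD *digest_type);
#endif

/**
 * verifies a buffer with signature data (DSA) for a buffer with rrset data
 * with a buffer with key data.
 *
 * Note: RFC 8624 lists DSA as MUST NOT for both signing and validation;
 * keep this only for interoperability with legacy data.
 *
 * \param[in] sig the signature data
 * \param[in] rrset the rrset data, sorted and processed for verification
 * \param[in] key the key data
 */
ldns_status ldns_verify_rrsig_dsa(ldns_buffer *sig,
		ldns_buffer *rrset,
		ldns_buffer *key);

/**
 * verifies a buffer with signature data (RSASHA1) for a buffer with rrset data
 * with a buffer with key data.
 *
 * Note: RFC 8624 lists RSASHA1 as NOT RECOMMENDED for signing (validation
 * is still required for interoperability).
 *
 * \param[in] sig the signature data
 * \param[in] rrset the rrset data, sorted and processed for verification
 * \param[in] key the key data
 */
ldns_status ldns_verify_rrsig_rsasha1(ldns_buffer *sig,
		ldns_buffer *rrset,
		ldns_buffer *key);

/**
 * verifies a buffer with signature data (RSAMD5) for a buffer with rrset data
 * with a buffer with key data.
 *
 * Note: RSAMD5 was deprecated by RFC 6725 and is listed as MUST NOT
 * for signing and validation in RFC 8624; a validator should treat
 * RSAMD5-signed data as unsigned rather than rely on this routine.
 *
 * \param[in] sig the signature data
 * \param[in] rrset the rrset data, sorted and processed for verification
 * \param[in] key the key data
 */
ldns_status ldns_verify_rrsig_rsamd5(ldns_buffer *sig,
		ldns_buffer *rrset,
		ldns_buffer *key);

/**
 * Like ldns_verify_rrsig_dsa, but uses raw signature and key data.
 * \param[in] sig raw uncompressed wireformat signature data
 * \param[in] siglen length of signature data
 * \param[in] rrset ldns buffer with prepared rrset data.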
803238104Sdes * \param[in] key raw uncompressed wireformat key data 804238104Sdes * \param[in] keylen length of key data 805238104Sdes */ 806238104Sdesldns_status ldns_verify_rrsig_dsa_raw(unsigned char* sig, 807238104Sdes size_t siglen, 808238104Sdes ldns_buffer* rrset, 809238104Sdes unsigned char* key, 810238104Sdes size_t keylen); 811238104Sdes 812238104Sdes/** 813238104Sdes * Like ldns_verify_rrsig_rsasha1, but uses raw signature and key data. 814238104Sdes * \param[in] sig raw uncompressed wireformat signature data 815238104Sdes * \param[in] siglen length of signature data 816238104Sdes * \param[in] rrset ldns buffer with prepared rrset data. 817238104Sdes * \param[in] key raw uncompressed wireformat key data 818238104Sdes * \param[in] keylen length of key data 819238104Sdes */ 820238104Sdesldns_status ldns_verify_rrsig_rsasha1_raw(unsigned char* sig, 821238104Sdes size_t siglen, 822238104Sdes ldns_buffer* rrset, 823238104Sdes unsigned char* key, 824238104Sdes size_t keylen); 825238104Sdes 826238104Sdes/** 827238104Sdes * Like ldns_verify_rrsig_rsasha256, but uses raw signature and key data. 828238104Sdes * \param[in] sig raw uncompressed wireformat signature data 829238104Sdes * \param[in] siglen length of signature data 830238104Sdes * \param[in] rrset ldns buffer with prepared rrset data. 831238104Sdes * \param[in] key raw uncompressed wireformat key data 832238104Sdes * \param[in] keylen length of key data 833238104Sdes */ 834238104Sdes 835238104Sdesldns_status ldns_verify_rrsig_rsasha256_raw(unsigned char* sig, 836238104Sdes size_t siglen, 837238104Sdes ldns_buffer* rrset, 838238104Sdes unsigned char* key, 839238104Sdes size_t keylen); 840238104Sdes 841238104Sdes/** 842238104Sdes * Like ldns_verify_rrsig_rsasha512, but uses raw signature and key data. 843238104Sdes * \param[in] sig raw uncompressed wireformat signature data 844238104Sdes * \param[in] siglen length of signature data 845238104Sdes * \param[in] rrset ldns buffer with prepared rrset data. 
846238104Sdes * \param[in] key raw uncompressed wireformat key data 847238104Sdes * \param[in] keylen length of key data 848238104Sdes */ 849238104Sdesldns_status ldns_verify_rrsig_rsasha512_raw(unsigned char* sig, 850238104Sdes size_t siglen, 851238104Sdes ldns_buffer* rrset, 852238104Sdes unsigned char* key, 853238104Sdes size_t keylen); 854238104Sdes 855238104Sdes/** 856238104Sdes * Like ldns_verify_rrsig_rsamd5, but uses raw signature and key data. 857238104Sdes * \param[in] sig raw uncompressed wireformat signature data 858238104Sdes * \param[in] siglen length of signature data 859238104Sdes * \param[in] rrset ldns buffer with prepared rrset data. 860238104Sdes * \param[in] key raw uncompressed wireformat key data 861238104Sdes * \param[in] keylen length of key data 862238104Sdes */ 863238104Sdesldns_status ldns_verify_rrsig_rsamd5_raw(unsigned char* sig, 864238104Sdes size_t siglen, 865238104Sdes ldns_buffer* rrset, 866238104Sdes unsigned char* key, 867238104Sdes size_t keylen); 868238104Sdes 869238104Sdes#ifdef __cplusplus 870238104Sdes} 871238104Sdes#endif 872238104Sdes 873238104Sdes#endif 874238104Sdes 875