dnssec_verify.h revision 246854
1297627Sjmcneill/** dnssec_verify */ 2297627Sjmcneill 3297627Sjmcneill#ifndef LDNS_DNSSEC_VERIFY_H 4297627Sjmcneill#define LDNS_DNSSEC_VERIFY_H 5297627Sjmcneill 6297627Sjmcneill#define LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS 10 7297627Sjmcneill 8297627Sjmcneill#include <ldns/dnssec.h> 9297627Sjmcneill#include <ldns/host2str.h> 10297627Sjmcneill 11297627Sjmcneill#ifdef __cplusplus 12297627Sjmcneillextern "C" { 13297627Sjmcneill#endif 14297627Sjmcneill 15297627Sjmcneill/** 16297627Sjmcneill * Chain structure that contains all DNSSEC data needed to 17297627Sjmcneill * verify an rrset 18297627Sjmcneill */ 19297627Sjmcneilltypedef struct ldns_dnssec_data_chain_struct ldns_dnssec_data_chain; 20297627Sjmcneillstruct ldns_dnssec_data_chain_struct 21297627Sjmcneill{ 22297627Sjmcneill ldns_rr_list *rrset; 23297627Sjmcneill ldns_rr_list *signatures; 24297627Sjmcneill ldns_rr_type parent_type; 25297627Sjmcneill ldns_dnssec_data_chain *parent; 26297627Sjmcneill ldns_pkt_rcode packet_rcode; 27297627Sjmcneill ldns_rr_type packet_qtype; 28297627Sjmcneill bool packet_nodata; 29297627Sjmcneill}; 30297627Sjmcneill 31297627Sjmcneill/** 32297627Sjmcneill * Creates a new dnssec_chain structure 33297627Sjmcneill * \return ldns_dnssec_data_chain * 34297627Sjmcneill */ 35297627Sjmcneillldns_dnssec_data_chain *ldns_dnssec_data_chain_new(void); 36297627Sjmcneill 37297627Sjmcneill/** 38297627Sjmcneill * Frees a dnssec_data_chain structure 39297627Sjmcneill * 40297627Sjmcneill * \param[in] *chain The chain to free 41297627Sjmcneill */ 42297627Sjmcneillvoid ldns_dnssec_data_chain_free(ldns_dnssec_data_chain *chain); 43297627Sjmcneill 44297627Sjmcneill/** 45297627Sjmcneill * Frees a dnssec_data_chain structure, and all data 46297627Sjmcneill * contained therein 47297627Sjmcneill * 48297627Sjmcneill * \param[in] *chain The dnssec_data_chain to free 49297627Sjmcneill */ 50297627Sjmcneillvoid ldns_dnssec_data_chain_deep_free(ldns_dnssec_data_chain *chain); 51297627Sjmcneill 52297627Sjmcneill/** 53297627Sjmcneill * Prints the dnssec_data_chain to the given file stream 54297627Sjmcneill * 55297627Sjmcneill * \param[in] *out The file stream to print to 56297627Sjmcneill * \param[in] *chain The dnssec_data_chain to print 57297627Sjmcneill */ 58297627Sjmcneillvoid ldns_dnssec_data_chain_print(FILE *out, const ldns_dnssec_data_chain *chain); 59297627Sjmcneill 60297627Sjmcneill/** 61297627Sjmcneill * Prints the dnssec_data_chain to the given file stream 62297627Sjmcneill * 63297627Sjmcneill * \param[in] *out The file stream to print to 64305436Smanu * \param[in] *fmt The format of the textual representation 65297627Sjmcneill * \param[in] *chain The dnssec_data_chain to print 66299113Sjmcneill */ 67299688Smanuvoid ldns_dnssec_data_chain_print_fmt(FILE *out, 68297627Sjmcneill const ldns_output_format *fmt, 69297627Sjmcneill const ldns_dnssec_data_chain *chain); 70297627Sjmcneill 71297627Sjmcneill/** 72305436Smanu * Build an ldns_dnssec_data_chain, which contains all 73297627Sjmcneill * DNSSEC data that is needed to derive the trust tree later 74299113Sjmcneill * 75299688Smanu * The data_set will be cloned 76297627Sjmcneill * 77297627Sjmcneill * \param[in] *res resolver structure for further needed queries 78297627Sjmcneill * \param[in] qflags resolution flags 79297627Sjmcneill * \param[in] *data_set The original rrset where the chain ends 80297627Sjmcneill * \param[in] *pkt optional, can contain the original packet 81299688Smanu * (and hence the sigs and maybe the key) 82299688Smanu * \param[in] *orig_rr The original Resource Record 83297627Sjmcneill * 84297627Sjmcneill * \return the DNSSEC data chain 85297627Sjmcneill */ 86297627Sjmcneillldns_dnssec_data_chain *ldns_dnssec_build_data_chain(ldns_resolver *res, 87297627Sjmcneill const uint16_t qflags, 88297627Sjmcneill const ldns_rr_list *data_set, 89297627Sjmcneill const ldns_pkt *pkt, 90297627Sjmcneill ldns_rr *orig_rr); 91297627Sjmcneill 92297627Sjmcneill/** 93297627Sjmcneill * Tree structure that contains the relation of DNSSEC data, 94297627Sjmcneill * and their cryptographic status. 95297627Sjmcneill * 96297627Sjmcneill * This tree is derived from a data_chain, and can be used 97297627Sjmcneill * to look whether there is a connection between an RRSET 98297627Sjmcneill * and a trusted key. The tree only contains pointers to the 99297627Sjmcneill * data_chain, and therefore one should *never* free() the 100297627Sjmcneill * data_chain when there is still a trust tree derived from 101297627Sjmcneill * that chain. 102297627Sjmcneill * 103297627Sjmcneill * Example tree: 104297627Sjmcneill * key key key 105297627Sjmcneill * \ | / 106297627Sjmcneill * \ | / 107297627Sjmcneill * \ | / 108297627Sjmcneill * ds 109297627Sjmcneill * | 110297627Sjmcneill * key 111297627Sjmcneill * | 112297627Sjmcneill * key 113297627Sjmcneill * | 114297627Sjmcneill * rr 115297627Sjmcneill * 116297627Sjmcneill * For each signature there is a parent; if the parent 117297627Sjmcneill * pointer is null, it couldn't be found and there was no 118297627Sjmcneill * denial; otherwise is a tree which contains either a 119297627Sjmcneill * DNSKEY, a DS, or a NSEC rr 120297627Sjmcneill */ 121297627Sjmcneilltypedef struct ldns_dnssec_trust_tree_struct ldns_dnssec_trust_tree; 122297627Sjmcneillstruct ldns_dnssec_trust_tree_struct 123297627Sjmcneill{ 124297627Sjmcneill ldns_rr *rr; 125297627Sjmcneill /* the complete rrset this rr was in */ 126297627Sjmcneill ldns_rr_list *rrset; 127297627Sjmcneill ldns_dnssec_trust_tree *parents[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS]; 128297627Sjmcneill ldns_status parent_status[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS]; 129297627Sjmcneill /** for debugging, add signatures too (you might want 130297627Sjmcneill those if they contain errors) */ 131297627Sjmcneill ldns_rr *parent_signature[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS]; 132297627Sjmcneill size_t parent_count; 133297627Sjmcneill}; 134297627Sjmcneill 135297627Sjmcneill/** 136297627Sjmcneill * Creates a new (empty) dnssec_trust_tree structure 137297627Sjmcneill * 138297627Sjmcneill * \return ldns_dnssec_trust_tree * 139297627Sjmcneill */ 140297627Sjmcneillldns_dnssec_trust_tree *ldns_dnssec_trust_tree_new(void); 141297627Sjmcneill 142297627Sjmcneill/** 143297627Sjmcneill * Frees the dnssec_trust_tree recursively 144297627Sjmcneill * 145297627Sjmcneill * There is no deep free; all data in the trust tree 146297627Sjmcneill * consists of pointers to a data_chain 147297627Sjmcneill * 148297627Sjmcneill * \param[in] tree The tree to free 149297627Sjmcneill */ 150297627Sjmcneillvoid ldns_dnssec_trust_tree_free(ldns_dnssec_trust_tree *tree); 151297627Sjmcneill 152297627Sjmcneill/** 153297627Sjmcneill * returns the depth of the trust tree 154297627Sjmcneill * 155297627Sjmcneill * \param[in] tree tree to calculate the depth of 156297627Sjmcneill * \return The depth of the tree 157297627Sjmcneill */ 158297627Sjmcneillsize_t ldns_dnssec_trust_tree_depth(ldns_dnssec_trust_tree *tree); 159297627Sjmcneill 160297627Sjmcneill/** 161297627Sjmcneill * Prints the dnssec_trust_tree structure to the given file 162297627Sjmcneill * stream. 163297627Sjmcneill * 164297627Sjmcneill * If a link status is not LDNS_STATUS_OK; the status and 165297627Sjmcneill * relevant signatures are printed too 166297627Sjmcneill * 167297627Sjmcneill * \param[in] *out The file stream to print to 168297627Sjmcneill * \param[in] tree The trust tree to print 169297627Sjmcneill * \param[in] tabs Prepend each line with tabs*2 spaces 170297627Sjmcneill * \param[in] extended If true, add little explanation lines to the output 171297627Sjmcneill */ 172297627Sjmcneillvoid ldns_dnssec_trust_tree_print(FILE *out, 173299113Sjmcneill ldns_dnssec_trust_tree *tree, 174297627Sjmcneill size_t tabs, 175297627Sjmcneill bool extended); 176297627Sjmcneill 177299113Sjmcneill/** 178297627Sjmcneill * Prints the dnssec_trust_tree structure to the given file 179297627Sjmcneill * stream. 180297627Sjmcneill * 181297627Sjmcneill * If a link status is not LDNS_STATUS_OK; the status and 182297627Sjmcneill * relevant signatures are printed too 183297627Sjmcneill * 184297627Sjmcneill * \param[in] *out The file stream to print to 185297627Sjmcneill * \param[in] *fmt The format of the textual representation 186297627Sjmcneill * \param[in] tree The trust tree to print 187297627Sjmcneill * \param[in] tabs Prepend each line with tabs*2 spaces 188297627Sjmcneill * \param[in] extended If true, add little explanation lines to the output 189297627Sjmcneill */ 190297627Sjmcneillvoid ldns_dnssec_trust_tree_print_fmt(FILE *out, 191297627Sjmcneill const ldns_output_format *fmt, 192297627Sjmcneill ldns_dnssec_trust_tree *tree, 193297627Sjmcneill size_t tabs, 194297627Sjmcneill bool extended); 195297627Sjmcneill 196297627Sjmcneill/** 197297627Sjmcneill * Adds a trust tree as a parent for the given trust tree 198297627Sjmcneill * 199297627Sjmcneill * \param[in] *tree The tree to add the parent to 200297627Sjmcneill * \param[in] *parent The parent tree to add 201297627Sjmcneill * \param[in] *parent_signature The RRSIG relevant to this parent/child 202299688Smanu * connection 203299688Smanu * \param[in] parent_status The DNSSEC status for this parent, child and RRSIG 204297627Sjmcneill * \return LDNS_STATUS_OK if the addition succeeds, error otherwise 205308324Smmel */ 206297627Sjmcneillldns_status ldns_dnssec_trust_tree_add_parent(ldns_dnssec_trust_tree *tree, 207297627Sjmcneill const ldns_dnssec_trust_tree *parent, 208297627Sjmcneill const ldns_rr *parent_signature, 209297627Sjmcneill const ldns_status parent_status); 210299113Sjmcneill 211308324Smmel/** 212299113Sjmcneill * Generates a dnssec_trust_tree for the given rr from the 213299113Sjmcneill * given data_chain 214299113Sjmcneill * 215299113Sjmcneill * This does not clone the actual data; Don't free the 216299113Sjmcneill * data_chain before you are done with this tree 217297627Sjmcneill * 218297627Sjmcneill * \param[in] *data_chain The chain to derive the trust tree from 219299113Sjmcneill * \param[in] *rr The RR this tree will be about 220299113Sjmcneill * \return ldns_dnssec_trust_tree * 221299113Sjmcneill */ 222299113Sjmcneillldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree( 223299113Sjmcneill ldns_dnssec_data_chain *data_chain, 224299113Sjmcneill ldns_rr *rr); 225297627Sjmcneill 226297627Sjmcneill/** 227297627Sjmcneill * Generates a dnssec_trust_tree for the given rr from the 228297627Sjmcneill * given data_chain 229297627Sjmcneill * 230297627Sjmcneill * This does not clone the actual data; Don't free the 231297627Sjmcneill * data_chain before you are done with this tree 232297627Sjmcneill * 233297627Sjmcneill * \param[in] *data_chain The chain to derive the trust tree from 234297627Sjmcneill * \param[in] *rr The RR this tree will be about 235297627Sjmcneill * \param[in] check_time the time for which the validation is performed 236297627Sjmcneill * \return ldns_dnssec_trust_tree * 237297627Sjmcneill */ 238297627Sjmcneillldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree_time( 239297627Sjmcneill ldns_dnssec_data_chain *data_chain, 240297627Sjmcneill ldns_rr *rr, time_t check_time); 241297627Sjmcneill 242297627Sjmcneill/** 243297627Sjmcneill * Sub function for derive_trust_tree that is used for a 'normal' rrset 244297627Sjmcneill * 245297627Sjmcneill * \param[in] new_tree The trust tree that we are building 246297627Sjmcneill * \param[in] data_chain The data chain containing the data for the trust tree 247297627Sjmcneill * \param[in] cur_sig_rr The currently relevant signature 248297627Sjmcneill */ 249297627Sjmcneillvoid ldns_dnssec_derive_trust_tree_normal_rrset( 250297627Sjmcneill ldns_dnssec_trust_tree *new_tree, 251297627Sjmcneill ldns_dnssec_data_chain *data_chain, 252297627Sjmcneill ldns_rr *cur_sig_rr); 253297627Sjmcneill 254297627Sjmcneill/** 255297627Sjmcneill * Sub function for derive_trust_tree that is used for a 'normal' rrset 256297627Sjmcneill * 257297627Sjmcneill * \param[in] new_tree The trust tree that we are building 258297627Sjmcneill * \param[in] data_chain The data chain containing the data for the trust tree 259297627Sjmcneill * \param[in] cur_sig_rr The currently relevant signature 260297627Sjmcneill * \param[in] check_time the time for which the validation is performed 261297627Sjmcneill */ 262297627Sjmcneillvoid ldns_dnssec_derive_trust_tree_normal_rrset_time( 263297627Sjmcneill ldns_dnssec_trust_tree *new_tree, 264297627Sjmcneill ldns_dnssec_data_chain *data_chain, 265297627Sjmcneill ldns_rr *cur_sig_rr, time_t check_time); 266297627Sjmcneill 267297627Sjmcneill 268/** 269 * Sub function for derive_trust_tree that is used for DNSKEY rrsets 270 * 271 * \param[in] new_tree The trust tree that we are building 272 * \param[in] data_chain The data chain containing the data for the trust tree 273 * \param[in] cur_rr The currently relevant DNSKEY RR 274 * \param[in] cur_sig_rr The currently relevant signature 275 */ 276void ldns_dnssec_derive_trust_tree_dnskey_rrset( 277 ldns_dnssec_trust_tree *new_tree, 278 ldns_dnssec_data_chain *data_chain, 279 ldns_rr *cur_rr, 280 ldns_rr *cur_sig_rr); 281 282/** 283 * Sub function for derive_trust_tree that is used for DNSKEY rrsets 284 * 285 * \param[in] new_tree The trust tree that we are building 286 * \param[in] data_chain The data chain containing the data for the trust tree 287 * \param[in] cur_rr The currently relevant DNSKEY RR 288 * \param[in] cur_sig_rr The currently relevant signature 289 * \param[in] check_time the time for which the validation is performed 290 */ 291void ldns_dnssec_derive_trust_tree_dnskey_rrset_time( 292 ldns_dnssec_trust_tree *new_tree, 293 ldns_dnssec_data_chain *data_chain, 294 ldns_rr *cur_rr, ldns_rr *cur_sig_rr, 295 time_t check_time); 296 297 298/** 299 * Sub function for derive_trust_tree that is used for DNSKEY rrsets 300 * 301 * \param[in] new_tree The trust tree that we are building 302 * \param[in] data_chain The data chain containing the data for the trust tree 303 * \param[in] cur_rr The currently relevant DNSKEY RR 304 * \param[in] cur_sig_rr The currently relevant signature 305 * \param[in] check_time the time for which the validation is performed 306 */ 307void ldns_dnssec_derive_trust_tree_dnskey_rrset_time( 308 ldns_dnssec_trust_tree *new_tree, 309 ldns_dnssec_data_chain *data_chain, 310 ldns_rr *cur_rr, ldns_rr *cur_sig_rr, 311 time_t check_time); 312 313 314/** 315 * Sub function for derive_trust_tree that is used for DS rrsets 316 * 317 * \param[in] new_tree The trust tree that we are building 318 * \param[in] data_chain The data chain containing the data for the trust tree 319 * \param[in] cur_rr The currently relevant DS RR 320 */ 321void ldns_dnssec_derive_trust_tree_ds_rrset( 322 ldns_dnssec_trust_tree *new_tree, 323 ldns_dnssec_data_chain *data_chain, 324 ldns_rr *cur_rr); 325 326/** 327 * Sub function for derive_trust_tree that is used for DS rrsets 328 * 329 * \param[in] new_tree The trust tree that we are building 330 * \param[in] data_chain The data chain containing the data for the trust tree 331 * \param[in] cur_rr The currently relevant DS RR 332 * \param[in] check_time the time for which the validation is performed 333 */ 334void ldns_dnssec_derive_trust_tree_ds_rrset_time( 335 ldns_dnssec_trust_tree *new_tree, 336 ldns_dnssec_data_chain *data_chain, 337 ldns_rr *cur_rr, time_t check_time); 338 339/** 340 * Sub function for derive_trust_tree that is used when there are no 341 * signatures 342 * 343 * \param[in] new_tree The trust tree that we are building 344 * \param[in] data_chain The data chain containing the data for the trust tree 345 */ 346void ldns_dnssec_derive_trust_tree_no_sig( 347 ldns_dnssec_trust_tree *new_tree, 348 ldns_dnssec_data_chain *data_chain); 349 350/** 351 * Sub function for derive_trust_tree that is used when there are no 352 * signatures 353 * 354 * \param[in] new_tree The trust tree that we are building 355 * \param[in] data_chain The data chain containing the data for the trust tree 356 * \param[in] check_time the time for which the validation is performed 357 */ 358void ldns_dnssec_derive_trust_tree_no_sig_time( 359 ldns_dnssec_trust_tree *new_tree, 360 ldns_dnssec_data_chain *data_chain, 361 time_t check_time); 362 363 364/** 365 * Returns OK if there is a trusted path in the tree to one of 366 * the DNSKEY or DS RRs in the given list 367 * 368 * \param *tree The trust tree so search 369 * \param *keys A ldns_rr_list of DNSKEY and DS rrs to look for 370 * 371 * \return LDNS_STATUS_OK if there is a trusted path to one of 372 * the keys, or the *first* error encountered 373 * if there were no paths 374 */ 375ldns_status ldns_dnssec_trust_tree_contains_keys( 376 ldns_dnssec_trust_tree *tree, 377 ldns_rr_list *keys); 378 379/** 380 * Verifies a list of signatures for one rrset. 381 * 382 * \param[in] rrset the rrset to verify 383 * \param[in] rrsig a list of signatures to check 384 * \param[in] keys a list of keys to check with 385 * \param[out] good_keys if this is a (initialized) list, the pointer to keys 386 * from keys that validate one of the signatures 387 * are added to it 388 * \return status LDNS_STATUS_OK if there is at least one correct key 389 */ 390ldns_status ldns_verify(ldns_rr_list *rrset, 391 ldns_rr_list *rrsig, 392 const ldns_rr_list *keys, 393 ldns_rr_list *good_keys); 394 395/** 396 * Verifies a list of signatures for one rrset. 397 * 398 * \param[in] rrset the rrset to verify 399 * \param[in] rrsig a list of signatures to check 400 * \param[in] keys a list of keys to check with 401 * \param[in] check_time the time for which the validation is performed 402 * \param[out] good_keys if this is a (initialized) list, the pointer to keys 403 * from keys that validate one of the signatures 404 * are added to it 405 * \return status LDNS_STATUS_OK if there is at least one correct key 406 */ 407ldns_status ldns_verify_time(ldns_rr_list *rrset, 408 ldns_rr_list *rrsig, 409 const ldns_rr_list *keys, 410 time_t check_time, 411 ldns_rr_list *good_keys); 412 413 414/** 415 * Verifies a list of signatures for one rrset, but disregard the time. 416 * Inception and Expiration are not checked. 417 * 418 * \param[in] rrset the rrset to verify 419 * \param[in] rrsig a list of signatures to check 420 * \param[in] keys a list of keys to check with 421 * \param[out] good_keys if this is a (initialized) list, the pointer to keys 422 * from keys that validate one of the signatures 423 * are added to it 424 * \return status LDNS_STATUS_OK if there is at least one correct key 425 */ 426ldns_status ldns_verify_notime(ldns_rr_list *rrset, 427 ldns_rr_list *rrsig, 428 const ldns_rr_list *keys, 429 ldns_rr_list *good_keys); 430 431/** 432 * Tries to build an authentication chain from the given 433 * keys down to the queried domain. 434 * 435 * If we find a valid trust path, return the valid keys for the domain. 436 * 437 * \param[in] res the current resolver 438 * \param[in] domain the domain we want valid keys for 439 * \param[in] keys the current set of trusted keys 440 * \param[out] status pointer to the status variable where the result 441 * code will be stored 442 * \return the set of trusted keys for the domain, or NULL if no 443 * trust path could be built. 444 */ 445ldns_rr_list *ldns_fetch_valid_domain_keys(const ldns_resolver * res, 446 const ldns_rdf * domain, 447 const ldns_rr_list * keys, 448 ldns_status *status); 449 450/** 451 * Tries to build an authentication chain from the given 452 * keys down to the queried domain. 453 * 454 * If we find a valid trust path, return the valid keys for the domain. 455 * 456 * \param[in] res the current resolver 457 * \param[in] domain the domain we want valid keys for 458 * \param[in] keys the current set of trusted keys 459 * \param[in] check_time the time for which the validation is performed 460 * \param[out] status pointer to the status variable where the result 461 * code will be stored 462 * \return the set of trusted keys for the domain, or NULL if no 463 * trust path could be built. 464 */ 465ldns_rr_list *ldns_fetch_valid_domain_keys_time(const ldns_resolver * res, 466 const ldns_rdf * domain, const ldns_rr_list * keys, 467 time_t check_time, ldns_status *status); 468 469 470/** 471 * Validates the DNSKEY RRset for the given domain using the provided 472 * trusted keys. 473 * 474 * \param[in] res the current resolver 475 * \param[in] domain the domain we want valid keys for 476 * \param[in] keys the current set of trusted keys 477 * \return the set of trusted keys for the domain, or NULL if the RRSET 478 * could not be validated 479 */ 480ldns_rr_list *ldns_validate_domain_dnskey (const ldns_resolver *res, 481 const ldns_rdf *domain, 482 const ldns_rr_list *keys); 483 484/** 485 * Validates the DNSKEY RRset for the given domain using the provided 486 * trusted keys. 487 * 488 * \param[in] res the current resolver 489 * \param[in] domain the domain we want valid keys for 490 * \param[in] keys the current set of trusted keys 491 * \param[in] check_time the time for which the validation is performed 492 * \return the set of trusted keys for the domain, or NULL if the RRSET 493 * could not be validated 494 */ 495ldns_rr_list *ldns_validate_domain_dnskey_time( 496 const ldns_resolver *res, const ldns_rdf *domain, 497 const ldns_rr_list *keys, time_t check_time); 498 499 500/** 501 * Validates the DS RRset for the given domain using the provided trusted keys. 502 * 503 * \param[in] res the current resolver 504 * \param[in] domain the domain we want valid keys for 505 * \param[in] keys the current set of trusted keys 506 * \return the set of trusted keys for the domain, or NULL if the RRSET could not be validated 507 */ 508ldns_rr_list *ldns_validate_domain_ds(const ldns_resolver *res, 509 const ldns_rdf * 510 domain, 511 const ldns_rr_list * keys); 512 513/** 514 * Validates the DS RRset for the given domain using the provided trusted keys. 515 * 516 * \param[in] res the current resolver 517 * \param[in] domain the domain we want valid keys for 518 * \param[in] keys the current set of trusted keys 519 * \param[in] check_time the time for which the validation is performed 520 * \return the set of trusted keys for the domain, or NULL if the RRSET could not be validated 521 */ 522ldns_rr_list *ldns_validate_domain_ds_time( 523 const ldns_resolver *res, const ldns_rdf *domain, 524 const ldns_rr_list * keys, time_t check_time); 525 526 527/** 528 * Verifies a list of signatures for one RRset using a valid trust path. 529 * 530 * \param[in] res the current resolver 531 * \param[in] rrset the rrset to verify 532 * \param[in] rrsigs a list of signatures to check 533 * \param[out] validating_keys if this is a (initialized) list, the 534 * keys from keys that validate one of 535 * the signatures are added to it 536 * \return status LDNS_STATUS_OK if there is at least one correct key 537 */ 538ldns_status ldns_verify_trusted(ldns_resolver *res, 539 ldns_rr_list *rrset, 540 ldns_rr_list *rrsigs, 541 ldns_rr_list *validating_keys); 542 543/** 544 * Verifies a list of signatures for one RRset using a valid trust path. 545 * 546 * \param[in] res the current resolver 547 * \param[in] rrset the rrset to verify 548 * \param[in] rrsigs a list of signatures to check 549 * \param[in] check_time the time for which the validation is performed 550 * \param[out] validating_keys if this is a (initialized) list, the 551 * keys from keys that validate one of 552 * the signatures are added to it 553 * \return status LDNS_STATUS_OK if there is at least one correct key 554 */ 555ldns_status ldns_verify_trusted_time( 556 ldns_resolver *res, ldns_rr_list *rrset, 557 ldns_rr_list *rrsigs, time_t check_time, 558 ldns_rr_list *validating_keys); 559 560 561/** 562 * denial is not just a river in egypt 563 * 564 * \param[in] rr The (query) RR to check the denial of existence for 565 * \param[in] nsecs The list of NSEC RRs that are supposed to deny the 566 * existence of the RR 567 * \param[in] rrsigs The RRSIG RR covering the NSEC RRs 568 * \return LDNS_STATUS_OK if the NSEC RRs deny the existence, error code 569 * containing the reason they do not otherwise 570 */ 571ldns_status ldns_dnssec_verify_denial(ldns_rr *rr, 572 ldns_rr_list *nsecs, 573 ldns_rr_list *rrsigs); 574 575/** 576 * Denial of existence using NSEC3 records 577 * Since NSEC3 is a bit more complicated than normal denial, some 578 * context arguments are needed 579 * 580 * \param[in] rr The (query) RR to check the denial of existence for 581 * \param[in] nsecs The list of NSEC3 RRs that are supposed to deny the 582 * existence of the RR 583 * \param[in] rrsigs The RRSIG rr covering the NSEC RRs 584 * \param[in] packet_rcode The RCODE value of the packet that provided the 585 * NSEC3 RRs 586 * \param[in] packet_qtype The original query RR type 587 * \param[in] packet_nodata True if the providing packet had an empty ANSWER 588 * section 589 * \return LDNS_STATUS_OK if the NSEC3 RRs deny the existence, error code 590 * containing the reason they do not otherwise 591 */ 592ldns_status ldns_dnssec_verify_denial_nsec3(ldns_rr *rr, 593 ldns_rr_list *nsecs, 594 ldns_rr_list *rrsigs, 595 ldns_pkt_rcode packet_rcode, 596 ldns_rr_type packet_qtype, 597 bool packet_nodata); 598 599/** 600 * Same as ldns_status ldns_dnssec_verify_denial_nsec3 but also returns 601 * the nsec rr that matched. 602 * 603 * \param[in] rr The (query) RR to check the denial of existence for 604 * \param[in] nsecs The list of NSEC3 RRs that are supposed to deny the 605 * existence of the RR 606 * \param[in] rrsigs The RRSIG rr covering the NSEC RRs 607 * \param[in] packet_rcode The RCODE value of the packet that provided the 608 * NSEC3 RRs 609 * \param[in] packet_qtype The original query RR type 610 * \param[in] packet_nodata True if the providing packet had an empty ANSWER 611 * section 612 * \param[in] match On match, the given (reference to a) pointer will be set 613 * to point to the matching nsec resource record. 614 * \return LDNS_STATUS_OK if the NSEC3 RRs deny the existence, error code 615 * containing the reason they do not otherwise 616 */ 617ldns_status ldns_dnssec_verify_denial_nsec3_match(ldns_rr *rr, 618 ldns_rr_list *nsecs, 619 ldns_rr_list *rrsigs, 620 ldns_pkt_rcode packet_rcode, 621 ldns_rr_type packet_qtype, 622 bool packet_nodata, 623 ldns_rr **match); 624/** 625 * Verifies the already processed data in the buffers 626 * This function should probably not be used directly. 627 * 628 * \param[in] rawsig_buf Buffer containing signature data to use 629 * \param[in] verify_buf Buffer containing data to verify 630 * \param[in] key_buf Buffer containing key data to use 631 * \param[in] algo Signing algorithm 632 * \return status LDNS_STATUS_OK if the data verifies. Error if not. 633 */ 634ldns_status ldns_verify_rrsig_buffers(ldns_buffer *rawsig_buf, 635 ldns_buffer *verify_buf, 636 ldns_buffer *key_buf, 637 uint8_t algo); 638 639/** 640 * Like ldns_verify_rrsig_buffers, but uses raw data. 641 * 642 * \param[in] sig signature data to use 643 * \param[in] siglen length of signature data to use 644 * \param[in] verify_buf Buffer containing data to verify 645 * \param[in] key key data to use 646 * \param[in] keylen length of key data to use 647 * \param[in] algo Signing algorithm 648 * \return status LDNS_STATUS_OK if the data verifies. Error if not. 649 */ 650ldns_status ldns_verify_rrsig_buffers_raw(unsigned char* sig, 651 size_t siglen, 652 ldns_buffer *verify_buf, 653 unsigned char* key, 654 size_t keylen, 655 uint8_t algo); 656 657/** 658 * Verifies an rrsig. All keys in the keyset are tried. 659 * \param[in] rrset the rrset to check 660 * \param[in] rrsig the signature of the rrset 661 * \param[in] keys the keys to try 662 * \param[out] good_keys if this is a (initialized) list, the pointer to keys 663 * from keys that validate one of the signatures 664 * are added to it 665 * \return a list of keys which validate the rrsig + rrset. Returns 666 * status LDNS_STATUS_OK if at least one key matched. Else an error. 667 */ 668ldns_status ldns_verify_rrsig_keylist(ldns_rr_list *rrset, 669 ldns_rr *rrsig, 670 const ldns_rr_list *keys, 671 ldns_rr_list *good_keys); 672 673/** 674 * Verifies an rrsig. All keys in the keyset are tried. 675 * \param[in] rrset the rrset to check 676 * \param[in] rrsig the signature of the rrset 677 * \param[in] keys the keys to try 678 * \param[in] check_time the time for which the validation is performed 679 * \param[out] good_keys if this is a (initialized) list, the pointer to keys 680 * from keys that validate one of the signatures 681 * are added to it 682 * \return a list of keys which validate the rrsig + rrset. Returns 683 * status LDNS_STATUS_OK if at least one key matched. Else an error. 684 */ 685ldns_status ldns_verify_rrsig_keylist_time( 686 ldns_rr_list *rrset, ldns_rr *rrsig, 687 const ldns_rr_list *keys, time_t check_time, 688 ldns_rr_list *good_keys); 689 690 691/** 692 * Verifies an rrsig. All keys in the keyset are tried. Time is not checked. 693 * \param[in] rrset the rrset to check 694 * \param[in] rrsig the signature of the rrset 695 * \param[in] keys the keys to try 696 * \param[out] good_keys if this is a (initialized) list, the pointer to keys 697 * from keys that validate one of the signatures 698 * are added to it 699 * \return a list of keys which validate the rrsig + rrset. Returns 700 * status LDNS_STATUS_OK if at least one key matched. Else an error. 701 */ 702ldns_status ldns_verify_rrsig_keylist_notime(ldns_rr_list *rrset, 703 ldns_rr *rrsig, 704 const ldns_rr_list *keys, 705 ldns_rr_list *good_keys); 706 707/** 708 * verify an rrsig with 1 key 709 * \param[in] rrset the rrset 710 * \param[in] rrsig the rrsig to verify 711 * \param[in] key the key to use 712 * \return status message wether verification succeeded. 713 */ 714ldns_status ldns_verify_rrsig(ldns_rr_list *rrset, 715 ldns_rr *rrsig, 716 ldns_rr *key); 717 718 719/** 720 * verify an rrsig with 1 key 721 * \param[in] rrset the rrset 722 * \param[in] rrsig the rrsig to verify 723 * \param[in] key the key to use 724 * \param[in] check_time the time for which the validation is performed 725 * \return status message wether verification succeeded. 726 */ 727ldns_status ldns_verify_rrsig_time( 728 ldns_rr_list *rrset, ldns_rr *rrsig, 729 ldns_rr *key, time_t check_time); 730 731 732#if LDNS_BUILD_CONFIG_HAVE_SSL 733/** 734 * verifies a buffer with signature data for a buffer with rrset data 735 * with an EVP_PKEY 736 * 737 * \param[in] sig the signature data 738 * \param[in] rrset the rrset data, sorted and processed for verification 739 * \param[in] key the EVP key structure 740 * \param[in] digest_type The digest type of the signature 741 */ 742ldns_status ldns_verify_rrsig_evp(ldns_buffer *sig, 743 ldns_buffer *rrset, 744 EVP_PKEY *key, 745 const EVP_MD *digest_type); 746 747/** 748 * Like ldns_verify_rrsig_evp, but uses raw signature data. 749 * \param[in] sig the signature data, wireformat uncompressed 750 * \param[in] siglen length of the signature data 751 * \param[in] rrset the rrset data, sorted and processed for verification 752 * \param[in] key the EVP key structure 753 * \param[in] digest_type The digest type of the signature 754 */ 755ldns_status ldns_verify_rrsig_evp_raw(unsigned char *sig, 756 size_t siglen, 757 ldns_buffer *rrset, 758 EVP_PKEY *key, 759 const EVP_MD *digest_type); 760#endif 761 762/** 763 * verifies a buffer with signature data (DSA) for a buffer with rrset data 764 * with a buffer with key data. 765 * 766 * \param[in] sig the signature data 767 * \param[in] rrset the rrset data, sorted and processed for verification 768 * \param[in] key the key data 769 */ 770ldns_status ldns_verify_rrsig_dsa(ldns_buffer *sig, 771 ldns_buffer *rrset, 772 ldns_buffer *key); 773 774/** 775 * verifies a buffer with signature data (RSASHA1) for a buffer with rrset data 776 * with a buffer with key data. 777 * 778 * \param[in] sig the signature data 779 * \param[in] rrset the rrset data, sorted and processed for verification 780 * \param[in] key the key data 781 */ 782ldns_status ldns_verify_rrsig_rsasha1(ldns_buffer *sig, 783 ldns_buffer *rrset, 784 ldns_buffer *key); 785 786/** 787 * verifies a buffer with signature data (RSAMD5) for a buffer with rrset data 788 * with a buffer with key data. 789 * 790 * \param[in] sig the signature data 791 * \param[in] rrset the rrset data, sorted and processed for verification 792 * \param[in] key the key data 793 */ 794ldns_status ldns_verify_rrsig_rsamd5(ldns_buffer *sig, 795 ldns_buffer *rrset, 796 ldns_buffer *key); 797 798/** 799 * Like ldns_verify_rrsig_dsa, but uses raw signature and key data. 800 * \param[in] sig raw uncompressed wireformat signature data 801 * \param[in] siglen length of signature data 802 * \param[in] rrset ldns buffer with prepared rrset data. 803 * \param[in] key raw uncompressed wireformat key data 804 * \param[in] keylen length of key data 805 */ 806ldns_status ldns_verify_rrsig_dsa_raw(unsigned char* sig, 807 size_t siglen, 808 ldns_buffer* rrset, 809 unsigned char* key, 810 size_t keylen); 811 812/** 813 * Like ldns_verify_rrsig_rsasha1, but uses raw signature and key data. 814 * \param[in] sig raw uncompressed wireformat signature data 815 * \param[in] siglen length of signature data 816 * \param[in] rrset ldns buffer with prepared rrset data. 817 * \param[in] key raw uncompressed wireformat key data 818 * \param[in] keylen length of key data 819 */ 820ldns_status ldns_verify_rrsig_rsasha1_raw(unsigned char* sig, 821 size_t siglen, 822 ldns_buffer* rrset, 823 unsigned char* key, 824 size_t keylen); 825 826/** 827 * Like ldns_verify_rrsig_rsasha256, but uses raw signature and key data. 828 * \param[in] sig raw uncompressed wireformat signature data 829 * \param[in] siglen length of signature data 830 * \param[in] rrset ldns buffer with prepared rrset data. 831 * \param[in] key raw uncompressed wireformat key data 832 * \param[in] keylen length of key data 833 */ 834 835ldns_status ldns_verify_rrsig_rsasha256_raw(unsigned char* sig, 836 size_t siglen, 837 ldns_buffer* rrset, 838 unsigned char* key, 839 size_t keylen); 840 841/** 842 * Like ldns_verify_rrsig_rsasha512, but uses raw signature and key data. 843 * \param[in] sig raw uncompressed wireformat signature data 844 * \param[in] siglen length of signature data 845 * \param[in] rrset ldns buffer with prepared rrset data. 846 * \param[in] key raw uncompressed wireformat key data 847 * \param[in] keylen length of key data 848 */ 849ldns_status ldns_verify_rrsig_rsasha512_raw(unsigned char* sig, 850 size_t siglen, 851 ldns_buffer* rrset, 852 unsigned char* key, 853 size_t keylen); 854 855/** 856 * Like ldns_verify_rrsig_rsamd5, but uses raw signature and key data. 857 * \param[in] sig raw uncompressed wireformat signature data 858 * \param[in] siglen length of signature data 859 * \param[in] rrset ldns buffer with prepared rrset data. 860 * \param[in] key raw uncompressed wireformat key data 861 * \param[in] keylen length of key data 862 */ 863ldns_status ldns_verify_rrsig_rsamd5_raw(unsigned char* sig, 864 size_t siglen, 865 ldns_buffer* rrset, 866 unsigned char* key, 867 size_t keylen); 868 869#ifdef __cplusplus 870} 871#endif 872 873#endif 874 875