1/*
2 * validator/val_secalgo.h - validator security algorithm functions.
3 *
4 * Copyright (c) 2012, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 *
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35
36/**
37 * \file
38 *
39 * This file contains helper functions for the validator module.
40 * The functions take buffers with raw data and convert to library calls.
41 */
42
43#ifndef VALIDATOR_VAL_SECALGO_H
44#define VALIDATOR_VAL_SECALGO_H
45struct sldns_buffer;
46struct secalgo_hash;
47
48/** Return size of nsec3 hash algorithm, 0 if not supported */
49size_t nsec3_hash_algo_size_supported(int id);
50
51/**
52 * Hash a single hash call of an NSEC3 hash algorithm.
53 * Iterations and salt are done by the caller.
54 * @param algo: nsec3 hash algorithm.
55 * @param buf: the buffer to digest
56 * @param len: length of buffer to digest.
57 * @param res: result stored here (must have sufficient space).
58 * @return false on failure.
59*/
60int secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
61        unsigned char* res);
62
63/**
64 * Calculate the sha256 hash for the data buffer into the result.
65 * @param buf: buffer to digest.
66 * @param len: length of the buffer to digest.
67 * @param res: result is stored here (space 256/8 bytes).
68 */
69void secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res);
70
71/**
72 * Start a hash of type sha384. Allocates structure, then inits it,
73 * so that a series of updates can be performed, before the final result.
74 * @return hash structure.  NULL on malloc failure or no support.
75 */
76struct secalgo_hash* secalgo_hash_create_sha384(void);
77
78/**
79 * Start a hash of type sha512. Allocates structure, then inits it,
80 * so that a series of updates can be performed, before the final result.
81 * @return hash structure.  NULL on malloc failure or no support.
82 */
83struct secalgo_hash* secalgo_hash_create_sha512(void);
84
85/**
86 * Update a hash with more information to add to it.
87 * @param hash: the hash that is updated.
88 * @param data: data to add.
89 * @param len: length of data.
90 * @return false on failure.
91 */
92int secalgo_hash_update(struct secalgo_hash* hash, uint8_t* data, size_t len);
93
94/**
95 * Get the final result of the hash.
96 * @param hash: the hash that has had updates to it.
97 * @param result: where to store the result.
98 * @param maxlen: length of the result buffer, eg. size of the allocation.
99 *	If not large enough the routine fails.
100 * @param resultlen: the length of the result, returned to the caller.
101 *	How much of maxlen is used.
102 * @return false on failure.
103 */
104int secalgo_hash_final(struct secalgo_hash* hash, uint8_t* result,
105	size_t maxlen, size_t* resultlen);
106
107/**
108 * Delete the hash structure.
109 * @param hash: the hash to delete.
110 */
111void secalgo_hash_delete(struct secalgo_hash* hash);
112
113/**
114 * Return size of DS digest according to its hash algorithm.
115 * @param algo: DS digest algo.
116 * @return size in bytes of digest, or 0 if not supported.
117 */
118size_t ds_digest_size_supported(int algo);
119
120/**
121 * @param algo: the DS digest algo
122 * @param buf: the buffer to digest
123 * @param len: length of buffer to digest.
124 * @param res: result stored here (must have sufficient space).
125 * @return false on failure.
126 */
127int secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
128	unsigned char* res);
129
130/** return true if DNSKEY algorithm id is supported */
131int dnskey_algo_id_is_supported(int id);
132
133/**
134 * Check a canonical sig+rrset and signature against a dnskey
135 * @param buf: buffer with data to verify, the first rrsig part and the
136 *	canonicalized rrset.
137 * @param algo: DNSKEY algorithm.
138 * @param sigblock: signature rdata field from RRSIG
139 * @param sigblock_len: length of sigblock data.
140 * @param key: public key data from DNSKEY RR.
141 * @param keylen: length of keydata.
142 * @param reason: bogus reason in more detail.
143 * @return secure if verification succeeded, bogus on crypto failure,
144 *	unchecked on format errors and alloc failures.
145 */
146enum sec_status verify_canonrrset(struct sldns_buffer* buf, int algo,
147	unsigned char* sigblock, unsigned int sigblock_len,
148	unsigned char* key, unsigned int keylen, char** reason);
149
150#endif /* VALIDATOR_VAL_SECALGO_H */
151