diff options
Diffstat (limited to 'contrib/ldns/ldns/dnssec_verify.h')
-rw-r--r-- | contrib/ldns/ldns/dnssec_verify.h | 873 |
1 files changed, 873 insertions, 0 deletions
diff --git a/contrib/ldns/ldns/dnssec_verify.h b/contrib/ldns/ldns/dnssec_verify.h new file mode 100644 index 0000000..143fee5 --- /dev/null +++ b/contrib/ldns/ldns/dnssec_verify.h @@ -0,0 +1,873 @@ +/** dnssec_verify */ + +#ifndef LDNS_DNSSEC_VERIFY_H +#define LDNS_DNSSEC_VERIFY_H + +#define LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS 10 + +#include <ldns/dnssec.h> +#include <ldns/host2str.h> + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * Chain structure that contains all DNSSEC data needed to + * verify an rrset + */ +typedef struct ldns_dnssec_data_chain_struct ldns_dnssec_data_chain; +struct ldns_dnssec_data_chain_struct +{ + ldns_rr_list *rrset; + ldns_rr_list *signatures; + ldns_rr_type parent_type; + ldns_dnssec_data_chain *parent; + ldns_pkt_rcode packet_rcode; + ldns_rr_type packet_qtype; + bool packet_nodata; +}; + +/** + * Creates a new dnssec_chain structure + * \return ldns_dnssec_data_chain * + */ +ldns_dnssec_data_chain *ldns_dnssec_data_chain_new(void); + +/** + * Frees a dnssec_data_chain structure + * + * \param[in] *chain The chain to free + */ +void ldns_dnssec_data_chain_free(ldns_dnssec_data_chain *chain); + +/** + * Frees a dnssec_data_chain structure, and all data + * contained therein + * + * \param[in] *chain The dnssec_data_chain to free + */ +void ldns_dnssec_data_chain_deep_free(ldns_dnssec_data_chain *chain); + +/** + * Prints the dnssec_data_chain to the given file stream + * + * \param[in] *out The file stream to print to + * \param[in] *chain The dnssec_data_chain to print + */ +void ldns_dnssec_data_chain_print(FILE *out, const ldns_dnssec_data_chain *chain); + +/** + * Prints the dnssec_data_chain to the given file stream + * + * \param[in] *out The file stream to print to + * \param[in] *fmt The format of the textual representation + * \param[in] *chain The dnssec_data_chain to print + */ +void ldns_dnssec_data_chain_print_fmt(FILE *out, + const ldns_output_format *fmt, + const ldns_dnssec_data_chain *chain); + +/** + * Build an ldns_dnssec_data_chain, which contains all + * DNSSEC data that is needed to derive the trust tree later + * + * The data_set will be cloned + * + * \param[in] *res resolver structure for further needed queries + * \param[in] qflags resolution flags + * \param[in] *data_set The original rrset where the chain ends + * \param[in] *pkt optional, can contain the original packet + * (and hence the sigs and maybe the key) + * \param[in] *orig_rr The original Resource Record + * + * \return the DNSSEC data chain + */ +ldns_dnssec_data_chain *ldns_dnssec_build_data_chain(ldns_resolver *res, + const uint16_t qflags, + const ldns_rr_list *data_set, + const ldns_pkt *pkt, + ldns_rr *orig_rr); + +/** + * Tree structure that contains the relation of DNSSEC data, + * and their cryptographic status. + * + * This tree is derived from a data_chain, and can be used + * to look whether there is a connection between an RRSET + * and a trusted key. The tree only contains pointers to the + * data_chain, and therefore one should *never* free() the + * data_chain when there is still a trust tree derived from + * that chain. + * + * Example tree: + * key key key + * \ | / + * \ | / + * \ | / + * ds + * | + * key + * | + * key + * | + * rr + * + * For each signature there is a parent; if the parent + * pointer is null, it couldn't be found and there was no + * denial; otherwise is a tree which contains either a + * DNSKEY, a DS, or a NSEC rr + */ +typedef struct ldns_dnssec_trust_tree_struct ldns_dnssec_trust_tree; +struct ldns_dnssec_trust_tree_struct +{ + ldns_rr *rr; + /* the complete rrset this rr was in */ + ldns_rr_list *rrset; + ldns_dnssec_trust_tree *parents[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS]; + ldns_status parent_status[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS]; + /** for debugging, add signatures too (you might want + those if they contain errors) */ + ldns_rr *parent_signature[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS]; + size_t parent_count; +}; + +/** + * Creates a new (empty) dnssec_trust_tree structure + * + * \return ldns_dnssec_trust_tree * + */ +ldns_dnssec_trust_tree *ldns_dnssec_trust_tree_new(void); + +/** + * Frees the dnssec_trust_tree recursively + * + * There is no deep free; all data in the trust tree + * consists of pointers to a data_chain + * + * \param[in] tree The tree to free + */ +void ldns_dnssec_trust_tree_free(ldns_dnssec_trust_tree *tree); + +/** + * returns the depth of the trust tree + * + * \param[in] tree tree to calculate the depth of + * \return The depth of the tree + */ +size_t ldns_dnssec_trust_tree_depth(ldns_dnssec_trust_tree *tree); + +/** + * Prints the dnssec_trust_tree structure to the given file + * stream. + * + * If a link status is not LDNS_STATUS_OK; the status and + * relevant signatures are printed too + * + * \param[in] *out The file stream to print to + * \param[in] tree The trust tree to print + * \param[in] tabs Prepend each line with tabs*2 spaces + * \param[in] extended If true, add little explanation lines to the output + */ +void ldns_dnssec_trust_tree_print(FILE *out, + ldns_dnssec_trust_tree *tree, + size_t tabs, + bool extended); + +/** + * Prints the dnssec_trust_tree structure to the given file + * stream. + * + * If a link status is not LDNS_STATUS_OK; the status and + * relevant signatures are printed too + * + * \param[in] *out The file stream to print to + * \param[in] *fmt The format of the textual representation + * \param[in] tree The trust tree to print + * \param[in] tabs Prepend each line with tabs*2 spaces + * \param[in] extended If true, add little explanation lines to the output + */ +void ldns_dnssec_trust_tree_print_fmt(FILE *out, + const ldns_output_format *fmt, + ldns_dnssec_trust_tree *tree, + size_t tabs, + bool extended); + +/** + * Adds a trust tree as a parent for the given trust tree + * + * \param[in] *tree The tree to add the parent to + * \param[in] *parent The parent tree to add + * \param[in] *parent_signature The RRSIG relevant to this parent/child + * connection + * \param[in] parent_status The DNSSEC status for this parent, child and RRSIG + * \return LDNS_STATUS_OK if the addition succeeds, error otherwise + */ +ldns_status ldns_dnssec_trust_tree_add_parent(ldns_dnssec_trust_tree *tree, + const ldns_dnssec_trust_tree *parent, + const ldns_rr *parent_signature, + const ldns_status parent_status); + +/** + * Generates a dnssec_trust_tree for the given rr from the + * given data_chain + * + * This does not clone the actual data; Don't free the + * data_chain before you are done with this tree + * + * \param[in] *data_chain The chain to derive the trust tree from + * \param[in] *rr The RR this tree will be about + * \return ldns_dnssec_trust_tree * + */ +ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree( + ldns_dnssec_data_chain *data_chain, + ldns_rr *rr); + +/** + * Generates a dnssec_trust_tree for the given rr from the + * given data_chain + * + * This does not clone the actual data; Don't free the + * data_chain before you are done with this tree + * + * \param[in] *data_chain The chain to derive the trust tree from + * \param[in] *rr The RR this tree will be about + * \param[in] check_time the time for which the validation is performed + * \return ldns_dnssec_trust_tree * + */ +ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree_time( + ldns_dnssec_data_chain *data_chain, + ldns_rr *rr, time_t check_time); + +/** + * Sub function for derive_trust_tree that is used for a 'normal' rrset + * + * \param[in] new_tree The trust tree that we are building + * \param[in] data_chain The data chain containing the data for the trust tree + * \param[in] cur_sig_rr The currently relevant signature + */ +void ldns_dnssec_derive_trust_tree_normal_rrset( + ldns_dnssec_trust_tree *new_tree, + ldns_dnssec_data_chain *data_chain, + ldns_rr *cur_sig_rr); + +/** + * Sub function for derive_trust_tree that is used for a 'normal' rrset + * + * \param[in] new_tree The trust tree that we are building + * \param[in] data_chain The data chain containing the data for the trust tree + * \param[in] cur_sig_rr The currently relevant signature + * \param[in] check_time the time for which the validation is performed + */ +void ldns_dnssec_derive_trust_tree_normal_rrset_time( + ldns_dnssec_trust_tree *new_tree, + ldns_dnssec_data_chain *data_chain, + ldns_rr *cur_sig_rr, time_t check_time); + + +/** + * Sub function for derive_trust_tree that is used for DNSKEY rrsets + * + * \param[in] new_tree The trust tree that we are building + * \param[in] data_chain The data chain containing the data for the trust tree + * \param[in] cur_rr The currently relevant DNSKEY RR + * \param[in] cur_sig_rr The currently relevant signature + */ +void ldns_dnssec_derive_trust_tree_dnskey_rrset( + ldns_dnssec_trust_tree *new_tree, + ldns_dnssec_data_chain *data_chain, + ldns_rr *cur_rr, + ldns_rr *cur_sig_rr); + +/** + * Sub function for derive_trust_tree that is used for DNSKEY rrsets + * + * \param[in] new_tree The trust tree that we are building + * \param[in] data_chain The data chain containing the data for the trust tree + * \param[in] cur_rr The currently relevant DNSKEY RR + * \param[in] cur_sig_rr The currently relevant signature + * \param[in] check_time the time for which the validation is performed + */ +void ldns_dnssec_derive_trust_tree_dnskey_rrset_time( + ldns_dnssec_trust_tree *new_tree, + ldns_dnssec_data_chain *data_chain, + ldns_rr *cur_rr, ldns_rr *cur_sig_rr, + time_t check_time); + + +/** + * Sub function for derive_trust_tree that is used for DNSKEY rrsets + * + * \param[in] new_tree The trust tree that we are building + * \param[in] data_chain The data chain containing the data for the trust tree + * \param[in] cur_rr The currently relevant DNSKEY RR + * \param[in] cur_sig_rr The currently relevant signature + * \param[in] check_time the time for which the validation is performed + */ +void ldns_dnssec_derive_trust_tree_dnskey_rrset_time( + ldns_dnssec_trust_tree *new_tree, + ldns_dnssec_data_chain *data_chain, + ldns_rr *cur_rr, ldns_rr *cur_sig_rr, + time_t check_time); + + +/** + * Sub function for derive_trust_tree that is used for DS rrsets + * + * \param[in] new_tree The trust tree that we are building + * \param[in] data_chain The data chain containing the data for the trust tree + * \param[in] cur_rr The currently relevant DS RR + */ +void ldns_dnssec_derive_trust_tree_ds_rrset( + ldns_dnssec_trust_tree *new_tree, + ldns_dnssec_data_chain *data_chain, + ldns_rr *cur_rr); + +/** + * Sub function for derive_trust_tree that is used for DS rrsets + * + * \param[in] new_tree The trust tree that we are building + * \param[in] data_chain The data chain containing the data for the trust tree + * \param[in] cur_rr The currently relevant DS RR + * \param[in] check_time the time for which the validation is performed + */ +void ldns_dnssec_derive_trust_tree_ds_rrset_time( + ldns_dnssec_trust_tree *new_tree, + ldns_dnssec_data_chain *data_chain, + ldns_rr *cur_rr, time_t check_time); + +/** + * Sub function for derive_trust_tree that is used when there are no + * signatures + * + * \param[in] new_tree The trust tree that we are building + * \param[in] data_chain The data chain containing the data for the trust tree + */ +void ldns_dnssec_derive_trust_tree_no_sig( + ldns_dnssec_trust_tree *new_tree, + ldns_dnssec_data_chain *data_chain); + +/** + * Sub function for derive_trust_tree that is used when there are no + * signatures + * + * \param[in] new_tree The trust tree that we are building + * \param[in] data_chain The data chain containing the data for the trust tree + * \param[in] check_time the time for which the validation is performed + */ +void ldns_dnssec_derive_trust_tree_no_sig_time( + ldns_dnssec_trust_tree *new_tree, + ldns_dnssec_data_chain *data_chain, + time_t check_time); + + +/** + * Returns OK if there is a trusted path in the tree to one of + * the DNSKEY or DS RRs in the given list + * + * \param *tree The trust tree so search + * \param *keys A ldns_rr_list of DNSKEY and DS rrs to look for + * \return LDNS_STATUS_OK if there is a trusted path to one of + * the keys, or the *first* error encountered + * if there were no paths + */ +ldns_status ldns_dnssec_trust_tree_contains_keys( + ldns_dnssec_trust_tree *tree, + ldns_rr_list *keys); + +/** + * Verifies a list of signatures for one rrset. + * + * \param[in] rrset the rrset to verify + * \param[in] rrsig a list of signatures to check + * \param[in] keys a list of keys to check with + * \param[out] good_keys if this is a (initialized) list, the pointer to keys + * from keys that validate one of the signatures + * are added to it + * \return status LDNS_STATUS_OK if there is at least one correct key + */ +ldns_status ldns_verify(ldns_rr_list *rrset, + ldns_rr_list *rrsig, + const ldns_rr_list *keys, + ldns_rr_list *good_keys); + +/** + * Verifies a list of signatures for one rrset. + * + * \param[in] rrset the rrset to verify + * \param[in] rrsig a list of signatures to check + * \param[in] keys a list of keys to check with + * \param[in] check_time the time for which the validation is performed + * \param[out] good_keys if this is a (initialized) list, the pointer to keys + * from keys that validate one of the signatures + * are added to it + * \return status LDNS_STATUS_OK if there is at least one correct key + */ +ldns_status ldns_verify_time(ldns_rr_list *rrset, + ldns_rr_list *rrsig, + const ldns_rr_list *keys, + time_t check_time, + ldns_rr_list *good_keys); + + +/** + * Verifies a list of signatures for one rrset, but disregard the time. + * Inception and Expiration are not checked. + * + * \param[in] rrset the rrset to verify + * \param[in] rrsig a list of signatures to check + * \param[in] keys a list of keys to check with + * \param[out] good_keys if this is a (initialized) list, the pointer to keys + * from keys that validate one of the signatures + * are added to it + * \return status LDNS_STATUS_OK if there is at least one correct key + */ +ldns_status ldns_verify_notime(ldns_rr_list *rrset, + ldns_rr_list *rrsig, + const ldns_rr_list *keys, + ldns_rr_list *good_keys); + +/** + * Tries to build an authentication chain from the given + * keys down to the queried domain. + * + * If we find a valid trust path, return the valid keys for the domain. + * + * \param[in] res the current resolver + * \param[in] domain the domain we want valid keys for + * \param[in] keys the current set of trusted keys + * \param[out] status pointer to the status variable where the result + * code will be stored + * \return the set of trusted keys for the domain, or NULL if no + * trust path could be built. + */ +ldns_rr_list *ldns_fetch_valid_domain_keys(const ldns_resolver * res, + const ldns_rdf * domain, + const ldns_rr_list * keys, + ldns_status *status); + +/** + * Tries to build an authentication chain from the given + * keys down to the queried domain. + * + * If we find a valid trust path, return the valid keys for the domain. + * + * \param[in] res the current resolver + * \param[in] domain the domain we want valid keys for + * \param[in] keys the current set of trusted keys + * \param[in] check_time the time for which the validation is performed + * \param[out] status pointer to the status variable where the result + * code will be stored + * \return the set of trusted keys for the domain, or NULL if no + * trust path could be built. + */ +ldns_rr_list *ldns_fetch_valid_domain_keys_time(const ldns_resolver * res, + const ldns_rdf * domain, const ldns_rr_list * keys, + time_t check_time, ldns_status *status); + + +/** + * Validates the DNSKEY RRset for the given domain using the provided + * trusted keys. + * + * \param[in] res the current resolver + * \param[in] domain the domain we want valid keys for + * \param[in] keys the current set of trusted keys + * \return the set of trusted keys for the domain, or NULL if the RRSET + * could not be validated + */ +ldns_rr_list *ldns_validate_domain_dnskey (const ldns_resolver *res, + const ldns_rdf *domain, + const ldns_rr_list *keys); + +/** + * Validates the DNSKEY RRset for the given domain using the provided + * trusted keys. + * + * \param[in] res the current resolver + * \param[in] domain the domain we want valid keys for + * \param[in] keys the current set of trusted keys + * \param[in] check_time the time for which the validation is performed + * \return the set of trusted keys for the domain, or NULL if the RRSET + * could not be validated + */ +ldns_rr_list *ldns_validate_domain_dnskey_time( + const ldns_resolver *res, const ldns_rdf *domain, + const ldns_rr_list *keys, time_t check_time); + + +/** + * Validates the DS RRset for the given domain using the provided trusted keys. + * + * \param[in] res the current resolver + * \param[in] domain the domain we want valid keys for + * \param[in] keys the current set of trusted keys + * \return the set of trusted keys for the domain, or NULL if the RRSET could not be validated + */ +ldns_rr_list *ldns_validate_domain_ds(const ldns_resolver *res, + const ldns_rdf * + domain, + const ldns_rr_list * keys); + +/** + * Validates the DS RRset for the given domain using the provided trusted keys. + * + * \param[in] res the current resolver + * \param[in] domain the domain we want valid keys for + * \param[in] keys the current set of trusted keys + * \param[in] check_time the time for which the validation is performed + * \return the set of trusted keys for the domain, or NULL if the RRSET could not be validated + */ +ldns_rr_list *ldns_validate_domain_ds_time( + const ldns_resolver *res, const ldns_rdf *domain, + const ldns_rr_list * keys, time_t check_time); + + +/** + * Verifies a list of signatures for one RRset using a valid trust path. + * + * \param[in] res the current resolver + * \param[in] rrset the rrset to verify + * \param[in] rrsigs a list of signatures to check + * \param[out] validating_keys if this is a (initialized) list, the + * keys from keys that validate one of + * the signatures are added to it + * \return status LDNS_STATUS_OK if there is at least one correct key + */ +ldns_status ldns_verify_trusted(ldns_resolver *res, + ldns_rr_list *rrset, + ldns_rr_list *rrsigs, + ldns_rr_list *validating_keys); + +/** + * Verifies a list of signatures for one RRset using a valid trust path. + * + * \param[in] res the current resolver + * \param[in] rrset the rrset to verify + * \param[in] rrsigs a list of signatures to check + * \param[in] check_time the time for which the validation is performed + * \param[out] validating_keys if this is a (initialized) list, the + * keys from keys that validate one of + * the signatures are added to it + * \return status LDNS_STATUS_OK if there is at least one correct key + */ +ldns_status ldns_verify_trusted_time( + ldns_resolver *res, ldns_rr_list *rrset, + ldns_rr_list *rrsigs, time_t check_time, + ldns_rr_list *validating_keys); + + +/** + * denial is not just a river in egypt + * + * \param[in] rr The (query) RR to check the denial of existence for + * \param[in] nsecs The list of NSEC RRs that are supposed to deny the + * existence of the RR + * \param[in] rrsigs The RRSIG RR covering the NSEC RRs + * \return LDNS_STATUS_OK if the NSEC RRs deny the existence, error code + * containing the reason they do not otherwise + */ +ldns_status ldns_dnssec_verify_denial(ldns_rr *rr, + ldns_rr_list *nsecs, + ldns_rr_list *rrsigs); + +/** + * Denial of existence using NSEC3 records + * Since NSEC3 is a bit more complicated than normal denial, some + * context arguments are needed + * + * \param[in] rr The (query) RR to check the denial of existence for + * \param[in] nsecs The list of NSEC3 RRs that are supposed to deny the + * existence of the RR + * \param[in] rrsigs The RRSIG rr covering the NSEC RRs + * \param[in] packet_rcode The RCODE value of the packet that provided the + * NSEC3 RRs + * \param[in] packet_qtype The original query RR type + * \param[in] packet_nodata True if the providing packet had an empty ANSWER + * section + * \return LDNS_STATUS_OK if the NSEC3 RRs deny the existence, error code + * containing the reason they do not otherwise + */ +ldns_status ldns_dnssec_verify_denial_nsec3(ldns_rr *rr, + ldns_rr_list *nsecs, + ldns_rr_list *rrsigs, + ldns_pkt_rcode packet_rcode, + ldns_rr_type packet_qtype, + bool packet_nodata); + +/** + * Same as ldns_status ldns_dnssec_verify_denial_nsec3 but also returns + * the nsec rr that matched. + * + * \param[in] rr The (query) RR to check the denial of existence for + * \param[in] nsecs The list of NSEC3 RRs that are supposed to deny the + * existence of the RR + * \param[in] rrsigs The RRSIG rr covering the NSEC RRs + * \param[in] packet_rcode The RCODE value of the packet that provided the + * NSEC3 RRs + * \param[in] packet_qtype The original query RR type + * \param[in] packet_nodata True if the providing packet had an empty ANSWER + * section + * \param[in] match On match, the given (reference to a) pointer will be set + * to point to the matching nsec resource record. + * \return LDNS_STATUS_OK if the NSEC3 RRs deny the existence, error code + * containing the reason they do not otherwise + */ +ldns_status ldns_dnssec_verify_denial_nsec3_match(ldns_rr *rr, + ldns_rr_list *nsecs, + ldns_rr_list *rrsigs, + ldns_pkt_rcode packet_rcode, + ldns_rr_type packet_qtype, + bool packet_nodata, + ldns_rr **match); +/** + * Verifies the already processed data in the buffers + * This function should probably not be used directly. + * + * \param[in] rawsig_buf Buffer containing signature data to use + * \param[in] verify_buf Buffer containing data to verify + * \param[in] key_buf Buffer containing key data to use + * \param[in] algo Signing algorithm + * \return status LDNS_STATUS_OK if the data verifies. Error if not. + */ +ldns_status ldns_verify_rrsig_buffers(ldns_buffer *rawsig_buf, + ldns_buffer *verify_buf, + ldns_buffer *key_buf, + uint8_t algo); + +/** + * Like ldns_verify_rrsig_buffers, but uses raw data. + * + * \param[in] sig signature data to use + * \param[in] siglen length of signature data to use + * \param[in] verify_buf Buffer containing data to verify + * \param[in] key key data to use + * \param[in] keylen length of key data to use + * \param[in] algo Signing algorithm + * \return status LDNS_STATUS_OK if the data verifies. Error if not. + */ +ldns_status ldns_verify_rrsig_buffers_raw(unsigned char* sig, + size_t siglen, + ldns_buffer *verify_buf, + unsigned char* key, + size_t keylen, + uint8_t algo); + +/** + * Verifies an rrsig. All keys in the keyset are tried. + * \param[in] rrset the rrset to check + * \param[in] rrsig the signature of the rrset + * \param[in] keys the keys to try + * \param[out] good_keys if this is a (initialized) list, the pointer to keys + * from keys that validate one of the signatures + * are added to it + * \return a list of keys which validate the rrsig + rrset. Returns + * status LDNS_STATUS_OK if at least one key matched. Else an error. + */ +ldns_status ldns_verify_rrsig_keylist(ldns_rr_list *rrset, + ldns_rr *rrsig, + const ldns_rr_list *keys, + ldns_rr_list *good_keys); + +/** + * Verifies an rrsig. All keys in the keyset are tried. + * \param[in] rrset the rrset to check + * \param[in] rrsig the signature of the rrset + * \param[in] keys the keys to try + * \param[in] check_time the time for which the validation is performed + * \param[out] good_keys if this is a (initialized) list, the pointer to keys + * from keys that validate one of the signatures + * are added to it + * \return a list of keys which validate the rrsig + rrset. Returns + * status LDNS_STATUS_OK if at least one key matched. Else an error. + */ +ldns_status ldns_verify_rrsig_keylist_time( + ldns_rr_list *rrset, ldns_rr *rrsig, + const ldns_rr_list *keys, time_t check_time, + ldns_rr_list *good_keys); + + +/** + * Verifies an rrsig. All keys in the keyset are tried. Time is not checked. + * \param[in] rrset the rrset to check + * \param[in] rrsig the signature of the rrset + * \param[in] keys the keys to try + * \param[out] good_keys if this is a (initialized) list, the pointer to keys + * from keys that validate one of the signatures + * are added to it + * \return a list of keys which validate the rrsig + rrset. Returns + * status LDNS_STATUS_OK if at least one key matched. Else an error. + */ +ldns_status ldns_verify_rrsig_keylist_notime(ldns_rr_list *rrset, + ldns_rr *rrsig, + const ldns_rr_list *keys, + ldns_rr_list *good_keys); + +/** + * verify an rrsig with 1 key + * \param[in] rrset the rrset + * \param[in] rrsig the rrsig to verify + * \param[in] key the key to use + * \return status message wether verification succeeded. + */ +ldns_status ldns_verify_rrsig(ldns_rr_list *rrset, + ldns_rr *rrsig, + ldns_rr *key); + + +/** + * verify an rrsig with 1 key + * \param[in] rrset the rrset + * \param[in] rrsig the rrsig to verify + * \param[in] key the key to use + * \param[in] check_time the time for which the validation is performed + * \return status message wether verification succeeded. + */ +ldns_status ldns_verify_rrsig_time( + ldns_rr_list *rrset, ldns_rr *rrsig, + ldns_rr *key, time_t check_time); + + +#if LDNS_BUILD_CONFIG_HAVE_SSL +/** + * verifies a buffer with signature data for a buffer with rrset data + * with an EVP_PKEY + * + * \param[in] sig the signature data + * \param[in] rrset the rrset data, sorted and processed for verification + * \param[in] key the EVP key structure + * \param[in] digest_type The digest type of the signature + */ +ldns_status ldns_verify_rrsig_evp(ldns_buffer *sig, + ldns_buffer *rrset, + EVP_PKEY *key, + const EVP_MD *digest_type); + +/** + * Like ldns_verify_rrsig_evp, but uses raw signature data. + * \param[in] sig the signature data, wireformat uncompressed + * \param[in] siglen length of the signature data + * \param[in] rrset the rrset data, sorted and processed for verification + * \param[in] key the EVP key structure + * \param[in] digest_type The digest type of the signature + */ +ldns_status ldns_verify_rrsig_evp_raw(unsigned char *sig, + size_t siglen, + ldns_buffer *rrset, + EVP_PKEY *key, + const EVP_MD *digest_type); +#endif + +/** + * verifies a buffer with signature data (DSA) for a buffer with rrset data + * with a buffer with key data. + * + * \param[in] sig the signature data + * \param[in] rrset the rrset data, sorted and processed for verification + * \param[in] key the key data + */ +ldns_status ldns_verify_rrsig_dsa(ldns_buffer *sig, + ldns_buffer *rrset, + ldns_buffer *key); + +/** + * verifies a buffer with signature data (RSASHA1) for a buffer with rrset data + * with a buffer with key data. + * + * \param[in] sig the signature data + * \param[in] rrset the rrset data, sorted and processed for verification + * \param[in] key the key data + */ +ldns_status ldns_verify_rrsig_rsasha1(ldns_buffer *sig, + ldns_buffer *rrset, + ldns_buffer *key); + +/** + * verifies a buffer with signature data (RSAMD5) for a buffer with rrset data + * with a buffer with key data. + * + * \param[in] sig the signature data + * \param[in] rrset the rrset data, sorted and processed for verification + * \param[in] key the key data + */ +ldns_status ldns_verify_rrsig_rsamd5(ldns_buffer *sig, + ldns_buffer *rrset, + ldns_buffer *key); + +/** + * Like ldns_verify_rrsig_dsa, but uses raw signature and key data. + * \param[in] sig raw uncompressed wireformat signature data + * \param[in] siglen length of signature data + * \param[in] rrset ldns buffer with prepared rrset data. + * \param[in] key raw uncompressed wireformat key data + * \param[in] keylen length of key data + */ +ldns_status ldns_verify_rrsig_dsa_raw(unsigned char* sig, + size_t siglen, + ldns_buffer* rrset, + unsigned char* key, + size_t keylen); + +/** + * Like ldns_verify_rrsig_rsasha1, but uses raw signature and key data. + * \param[in] sig raw uncompressed wireformat signature data + * \param[in] siglen length of signature data + * \param[in] rrset ldns buffer with prepared rrset data. + * \param[in] key raw uncompressed wireformat key data + * \param[in] keylen length of key data + */ +ldns_status ldns_verify_rrsig_rsasha1_raw(unsigned char* sig, + size_t siglen, + ldns_buffer* rrset, + unsigned char* key, + size_t keylen); + +/** + * Like ldns_verify_rrsig_rsasha256, but uses raw signature and key data. + * \param[in] sig raw uncompressed wireformat signature data + * \param[in] siglen length of signature data + * \param[in] rrset ldns buffer with prepared rrset data. + * \param[in] key raw uncompressed wireformat key data + * \param[in] keylen length of key data + */ + +ldns_status ldns_verify_rrsig_rsasha256_raw(unsigned char* sig, + size_t siglen, + ldns_buffer* rrset, + unsigned char* key, + size_t keylen); + +/** + * Like ldns_verify_rrsig_rsasha512, but uses raw signature and key data. + * \param[in] sig raw uncompressed wireformat signature data + * \param[in] siglen length of signature data + * \param[in] rrset ldns buffer with prepared rrset data. + * \param[in] key raw uncompressed wireformat key data + * \param[in] keylen length of key data + */ +ldns_status ldns_verify_rrsig_rsasha512_raw(unsigned char* sig, + size_t siglen, + ldns_buffer* rrset, + unsigned char* key, + size_t keylen); + +/** + * Like ldns_verify_rrsig_rsamd5, but uses raw signature and key data. + * \param[in] sig raw uncompressed wireformat signature data + * \param[in] siglen length of signature data + * \param[in] rrset ldns buffer with prepared rrset data. + * \param[in] key raw uncompressed wireformat key data + * \param[in] keylen length of key data + */ +ldns_status ldns_verify_rrsig_rsamd5_raw(unsigned char* sig, + size_t siglen, + ldns_buffer* rrset, + unsigned char* key, + size_t keylen); + +#ifdef __cplusplus +} +#endif + +#endif + |