875 lines
30 KiB
C
875 lines
30 KiB
C
/** dnssec_verify */
|
|
|
|
#ifndef LDNS_DNSSEC_VERIFY_H
|
|
#define LDNS_DNSSEC_VERIFY_H
|
|
|
|
#define LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS 10
|
|
|
|
#include <ldns/dnssec.h>
|
|
#include <ldns/host2str.h>
|
|
|
|
#ifdef __cplusplus
|
|
extern "C" {
|
|
#endif
|
|
|
|
/**
|
|
* Chain structure that contains all DNSSEC data needed to
|
|
* verify an rrset
|
|
*/
|
|
typedef struct ldns_dnssec_data_chain_struct ldns_dnssec_data_chain;
|
|
struct ldns_dnssec_data_chain_struct
|
|
{
|
|
ldns_rr_list *rrset;
|
|
ldns_rr_list *signatures;
|
|
ldns_rr_type parent_type;
|
|
ldns_dnssec_data_chain *parent;
|
|
ldns_pkt_rcode packet_rcode;
|
|
ldns_rr_type packet_qtype;
|
|
bool packet_nodata;
|
|
};
|
|
|
|
/**
|
|
* Creates a new dnssec_chain structure
|
|
* \return ldns_dnssec_data_chain *
|
|
*/
|
|
ldns_dnssec_data_chain *ldns_dnssec_data_chain_new();
|
|
|
|
/**
|
|
* Frees a dnssec_data_chain structure
|
|
*
|
|
* \param[in] *chain The chain to free
|
|
*/
|
|
void ldns_dnssec_data_chain_free(ldns_dnssec_data_chain *chain);
|
|
|
|
/**
|
|
* Frees a dnssec_data_chain structure, and all data
|
|
* contained therein
|
|
*
|
|
* \param[in] *chain The dnssec_data_chain to free
|
|
*/
|
|
void ldns_dnssec_data_chain_deep_free(ldns_dnssec_data_chain *chain);
|
|
|
|
/**
|
|
* Prints the dnssec_data_chain to the given file stream
|
|
*
|
|
* \param[in] *out The file stream to print to
|
|
* \param[in] *chain The dnssec_data_chain to print
|
|
*/
|
|
void ldns_dnssec_data_chain_print(FILE *out, const ldns_dnssec_data_chain *chain);
|
|
|
|
/**
|
|
* Prints the dnssec_data_chain to the given file stream
|
|
*
|
|
* \param[in] *out The file stream to print to
|
|
* \param[in] *fmt The format of the textual representation
|
|
* \param[in] *chain The dnssec_data_chain to print
|
|
*/
|
|
void ldns_dnssec_data_chain_print_fmt(FILE *out,
|
|
const ldns_output_format *fmt,
|
|
const ldns_dnssec_data_chain *chain);
|
|
|
|
/**
|
|
* Build an ldns_dnssec_data_chain, which contains all
|
|
* DNSSEC data that is needed to derive the trust tree later
|
|
*
|
|
* The data_set will be cloned
|
|
*
|
|
* \param[in] *res resolver structure for further needed queries
|
|
* \param[in] qflags resolution flags
|
|
* \param[in] *data_set The original rrset where the chain ends
|
|
* \param[in] *pkt optional, can contain the original packet
|
|
* (and hence the sigs and maybe the key)
|
|
* \param[in] *orig_rr The original Resource Record
|
|
*
|
|
* \return the DNSSEC data chain
|
|
*/
|
|
ldns_dnssec_data_chain *ldns_dnssec_build_data_chain(ldns_resolver *res,
|
|
const uint16_t qflags,
|
|
const ldns_rr_list *data_set,
|
|
const ldns_pkt *pkt,
|
|
ldns_rr *orig_rr);
|
|
|
|
/**
|
|
* Tree structure that contains the relation of DNSSEC data,
|
|
* and their cryptographic status.
|
|
*
|
|
* This tree is derived from a data_chain, and can be used
|
|
* to look whether there is a connection between an RRSET
|
|
* and a trusted key. The tree only contains pointers to the
|
|
* data_chain, and therefore one should *never* free() the
|
|
* data_chain when there is still a trust tree derived from
|
|
* that chain.
|
|
*
|
|
* Example tree:
|
|
* key key key
|
|
* \ | /
|
|
* \ | /
|
|
* \ | /
|
|
* ds
|
|
* |
|
|
* key
|
|
* |
|
|
* key
|
|
* |
|
|
* rr
|
|
*
|
|
* For each signature there is a parent; if the parent
|
|
* pointer is null, it couldn't be found and there was no
|
|
* denial; otherwise is a tree which contains either a
|
|
* DNSKEY, a DS, or a NSEC rr
|
|
*/
|
|
typedef struct ldns_dnssec_trust_tree_struct ldns_dnssec_trust_tree;
|
|
struct ldns_dnssec_trust_tree_struct
|
|
{
|
|
ldns_rr *rr;
|
|
/* the complete rrset this rr was in */
|
|
ldns_rr_list *rrset;
|
|
ldns_dnssec_trust_tree *parents[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS];
|
|
ldns_status parent_status[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS];
|
|
/** for debugging, add signatures too (you might want
|
|
those if they contain errors) */
|
|
ldns_rr *parent_signature[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS];
|
|
size_t parent_count;
|
|
};
|
|
|
|
/**
|
|
* Creates a new (empty) dnssec_trust_tree structure
|
|
*
|
|
* \return ldns_dnssec_trust_tree *
|
|
*/
|
|
ldns_dnssec_trust_tree *ldns_dnssec_trust_tree_new();
|
|
|
|
/**
|
|
* Frees the dnssec_trust_tree recursively
|
|
*
|
|
* There is no deep free; all data in the trust tree
|
|
* consists of pointers to a data_chain
|
|
*
|
|
* \param[in] tree The tree to free
|
|
*/
|
|
void ldns_dnssec_trust_tree_free(ldns_dnssec_trust_tree *tree);
|
|
|
|
/**
|
|
* returns the depth of the trust tree
|
|
*
|
|
* \param[in] tree tree to calculate the depth of
|
|
* \return The depth of the tree
|
|
*/
|
|
size_t ldns_dnssec_trust_tree_depth(ldns_dnssec_trust_tree *tree);
|
|
|
|
/**
|
|
* Prints the dnssec_trust_tree structure to the given file
|
|
* stream.
|
|
*
|
|
* If a link status is not LDNS_STATUS_OK; the status and
|
|
* relevant signatures are printed too
|
|
*
|
|
* \param[in] *out The file stream to print to
|
|
* \param[in] tree The trust tree to print
|
|
* \param[in] tabs Prepend each line with tabs*2 spaces
|
|
* \param[in] extended If true, add little explanation lines to the output
|
|
*/
|
|
void ldns_dnssec_trust_tree_print(FILE *out,
|
|
ldns_dnssec_trust_tree *tree,
|
|
size_t tabs,
|
|
bool extended);
|
|
|
|
/**
|
|
* Prints the dnssec_trust_tree structure to the given file
|
|
* stream.
|
|
*
|
|
* If a link status is not LDNS_STATUS_OK; the status and
|
|
* relevant signatures are printed too
|
|
*
|
|
* \param[in] *out The file stream to print to
|
|
* \param[in] *fmt The format of the textual representation
|
|
* \param[in] tree The trust tree to print
|
|
* \param[in] tabs Prepend each line with tabs*2 spaces
|
|
* \param[in] extended If true, add little explanation lines to the output
|
|
*/
|
|
void ldns_dnssec_trust_tree_print_fmt(FILE *out,
|
|
const ldns_output_format *fmt,
|
|
ldns_dnssec_trust_tree *tree,
|
|
size_t tabs,
|
|
bool extended);
|
|
|
|
/**
|
|
* Adds a trust tree as a parent for the given trust tree
|
|
*
|
|
* \param[in] *tree The tree to add the parent to
|
|
* \param[in] *parent The parent tree to add
|
|
* \param[in] *parent_signature The RRSIG relevant to this parent/child
|
|
* connection
|
|
* \param[in] parent_status The DNSSEC status for this parent, child and RRSIG
|
|
* \return LDNS_STATUS_OK if the addition succeeds, error otherwise
|
|
*/
|
|
ldns_status ldns_dnssec_trust_tree_add_parent(ldns_dnssec_trust_tree *tree,
|
|
const ldns_dnssec_trust_tree *parent,
|
|
const ldns_rr *parent_signature,
|
|
const ldns_status parent_status);
|
|
|
|
/**
|
|
* Generates a dnssec_trust_tree for the given rr from the
|
|
* given data_chain
|
|
*
|
|
* This does not clone the actual data; Don't free the
|
|
* data_chain before you are done with this tree
|
|
*
|
|
* \param[in] *data_chain The chain to derive the trust tree from
|
|
* \param[in] *rr The RR this tree will be about
|
|
* \return ldns_dnssec_trust_tree *
|
|
*/
|
|
ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree(
|
|
ldns_dnssec_data_chain *data_chain,
|
|
ldns_rr *rr);
|
|
|
|
/**
|
|
* Generates a dnssec_trust_tree for the given rr from the
|
|
* given data_chain
|
|
*
|
|
* This does not clone the actual data; Don't free the
|
|
* data_chain before you are done with this tree
|
|
*
|
|
* \param[in] *data_chain The chain to derive the trust tree from
|
|
* \param[in] *rr The RR this tree will be about
|
|
* \param[in] check_time the time for which the validation is performed
|
|
* \return ldns_dnssec_trust_tree *
|
|
*/
|
|
ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree_time(
|
|
ldns_dnssec_data_chain *data_chain,
|
|
ldns_rr *rr, time_t check_time);
|
|
|
|
/**
|
|
* Sub function for derive_trust_tree that is used for a 'normal' rrset
|
|
*
|
|
* \param[in] new_tree The trust tree that we are building
|
|
* \param[in] data_chain The data chain containing the data for the trust tree
|
|
* \param[in] cur_sig_rr The currently relevant signature
|
|
*/
|
|
void ldns_dnssec_derive_trust_tree_normal_rrset(
|
|
ldns_dnssec_trust_tree *new_tree,
|
|
ldns_dnssec_data_chain *data_chain,
|
|
ldns_rr *cur_sig_rr);
|
|
|
|
/**
|
|
* Sub function for derive_trust_tree that is used for a 'normal' rrset
|
|
*
|
|
* \param[in] new_tree The trust tree that we are building
|
|
* \param[in] data_chain The data chain containing the data for the trust tree
|
|
* \param[in] cur_sig_rr The currently relevant signature
|
|
* \param[in] check_time the time for which the validation is performed
|
|
*/
|
|
void ldns_dnssec_derive_trust_tree_normal_rrset_time(
|
|
ldns_dnssec_trust_tree *new_tree,
|
|
ldns_dnssec_data_chain *data_chain,
|
|
ldns_rr *cur_sig_rr, time_t check_time);
|
|
|
|
|
|
/**
|
|
* Sub function for derive_trust_tree that is used for DNSKEY rrsets
|
|
*
|
|
* \param[in] new_tree The trust tree that we are building
|
|
* \param[in] data_chain The data chain containing the data for the trust tree
|
|
* \param[in] cur_rr The currently relevant DNSKEY RR
|
|
* \param[in] cur_sig_rr The currently relevant signature
|
|
*/
|
|
void ldns_dnssec_derive_trust_tree_dnskey_rrset(
|
|
ldns_dnssec_trust_tree *new_tree,
|
|
ldns_dnssec_data_chain *data_chain,
|
|
ldns_rr *cur_rr,
|
|
ldns_rr *cur_sig_rr);
|
|
|
|
/**
|
|
* Sub function for derive_trust_tree that is used for DNSKEY rrsets
|
|
*
|
|
* \param[in] new_tree The trust tree that we are building
|
|
* \param[in] data_chain The data chain containing the data for the trust tree
|
|
* \param[in] cur_rr The currently relevant DNSKEY RR
|
|
* \param[in] cur_sig_rr The currently relevant signature
|
|
* \param[in] check_time the time for which the validation is performed
|
|
*/
|
|
void ldns_dnssec_derive_trust_tree_dnskey_rrset_time(
|
|
ldns_dnssec_trust_tree *new_tree,
|
|
ldns_dnssec_data_chain *data_chain,
|
|
ldns_rr *cur_rr, ldns_rr *cur_sig_rr,
|
|
time_t check_time);
|
|
|
|
|
|
/**
|
|
* Sub function for derive_trust_tree that is used for DNSKEY rrsets
|
|
*
|
|
* \param[in] new_tree The trust tree that we are building
|
|
* \param[in] data_chain The data chain containing the data for the trust tree
|
|
* \param[in] cur_rr The currently relevant DNSKEY RR
|
|
* \param[in] cur_sig_rr The currently relevant signature
|
|
* \param[in] check_time the time for which the validation is performed
|
|
*/
|
|
void ldns_dnssec_derive_trust_tree_dnskey_rrset_time(
|
|
ldns_dnssec_trust_tree *new_tree,
|
|
ldns_dnssec_data_chain *data_chain,
|
|
ldns_rr *cur_rr, ldns_rr *cur_sig_rr,
|
|
time_t check_time);
|
|
|
|
|
|
/**
|
|
* Sub function for derive_trust_tree that is used for DS rrsets
|
|
*
|
|
* \param[in] new_tree The trust tree that we are building
|
|
* \param[in] data_chain The data chain containing the data for the trust tree
|
|
* \param[in] cur_rr The currently relevant DS RR
|
|
*/
|
|
void ldns_dnssec_derive_trust_tree_ds_rrset(
|
|
ldns_dnssec_trust_tree *new_tree,
|
|
ldns_dnssec_data_chain *data_chain,
|
|
ldns_rr *cur_rr);
|
|
|
|
/**
|
|
* Sub function for derive_trust_tree that is used for DS rrsets
|
|
*
|
|
* \param[in] new_tree The trust tree that we are building
|
|
* \param[in] data_chain The data chain containing the data for the trust tree
|
|
* \param[in] cur_rr The currently relevant DS RR
|
|
* \param[in] check_time the time for which the validation is performed
|
|
*/
|
|
void ldns_dnssec_derive_trust_tree_ds_rrset_time(
|
|
ldns_dnssec_trust_tree *new_tree,
|
|
ldns_dnssec_data_chain *data_chain,
|
|
ldns_rr *cur_rr, time_t check_time);
|
|
|
|
/**
|
|
* Sub function for derive_trust_tree that is used when there are no
|
|
* signatures
|
|
*
|
|
* \param[in] new_tree The trust tree that we are building
|
|
* \param[in] data_chain The data chain containing the data for the trust tree
|
|
*/
|
|
void ldns_dnssec_derive_trust_tree_no_sig(
|
|
ldns_dnssec_trust_tree *new_tree,
|
|
ldns_dnssec_data_chain *data_chain);
|
|
|
|
/**
|
|
* Sub function for derive_trust_tree that is used when there are no
|
|
* signatures
|
|
*
|
|
* \param[in] new_tree The trust tree that we are building
|
|
* \param[in] data_chain The data chain containing the data for the trust tree
|
|
* \param[in] check_time the time for which the validation is performed
|
|
*/
|
|
void ldns_dnssec_derive_trust_tree_no_sig_time(
|
|
ldns_dnssec_trust_tree *new_tree,
|
|
ldns_dnssec_data_chain *data_chain,
|
|
time_t check_time);
|
|
|
|
|
|
/**
|
|
* Returns OK if there is a trusted path in the tree to one of
|
|
* the DNSKEY or DS RRs in the given list
|
|
*
|
|
* \param *tree The trust tree so search
|
|
* \param *keys A ldns_rr_list of DNSKEY and DS rrs to look for
|
|
*
|
|
* \return LDNS_STATUS_OK if there is a trusted path to one of
|
|
* the keys, or the *first* error encountered
|
|
* if there were no paths
|
|
*/
|
|
ldns_status ldns_dnssec_trust_tree_contains_keys(
|
|
ldns_dnssec_trust_tree *tree,
|
|
ldns_rr_list *keys);
|
|
|
|
/**
|
|
* Verifies a list of signatures for one rrset.
|
|
*
|
|
* \param[in] rrset the rrset to verify
|
|
* \param[in] rrsig a list of signatures to check
|
|
* \param[in] keys a list of keys to check with
|
|
* \param[out] good_keys if this is a (initialized) list, the pointer to keys
|
|
* from keys that validate one of the signatures
|
|
* are added to it
|
|
* \return status LDNS_STATUS_OK if there is at least one correct key
|
|
*/
|
|
ldns_status ldns_verify(ldns_rr_list *rrset,
|
|
ldns_rr_list *rrsig,
|
|
const ldns_rr_list *keys,
|
|
ldns_rr_list *good_keys);
|
|
|
|
/**
|
|
* Verifies a list of signatures for one rrset.
|
|
*
|
|
* \param[in] rrset the rrset to verify
|
|
* \param[in] rrsig a list of signatures to check
|
|
* \param[in] keys a list of keys to check with
|
|
* \param[in] check_time the time for which the validation is performed
|
|
* \param[out] good_keys if this is a (initialized) list, the pointer to keys
|
|
* from keys that validate one of the signatures
|
|
* are added to it
|
|
* \return status LDNS_STATUS_OK if there is at least one correct key
|
|
*/
|
|
ldns_status ldns_verify_time(ldns_rr_list *rrset,
|
|
ldns_rr_list *rrsig,
|
|
const ldns_rr_list *keys,
|
|
time_t check_time,
|
|
ldns_rr_list *good_keys);
|
|
|
|
|
|
/**
|
|
* Verifies a list of signatures for one rrset, but disregard the time.
|
|
* Inception and Expiration are not checked.
|
|
*
|
|
* \param[in] rrset the rrset to verify
|
|
* \param[in] rrsig a list of signatures to check
|
|
* \param[in] keys a list of keys to check with
|
|
* \param[out] good_keys if this is a (initialized) list, the pointer to keys
|
|
* from keys that validate one of the signatures
|
|
* are added to it
|
|
* \return status LDNS_STATUS_OK if there is at least one correct key
|
|
*/
|
|
ldns_status ldns_verify_notime(ldns_rr_list *rrset,
|
|
ldns_rr_list *rrsig,
|
|
const ldns_rr_list *keys,
|
|
ldns_rr_list *good_keys);
|
|
|
|
/**
|
|
* Tries to build an authentication chain from the given
|
|
* keys down to the queried domain.
|
|
*
|
|
* If we find a valid trust path, return the valid keys for the domain.
|
|
*
|
|
* \param[in] res the current resolver
|
|
* \param[in] domain the domain we want valid keys for
|
|
* \param[in] keys the current set of trusted keys
|
|
* \param[out] status pointer to the status variable where the result
|
|
* code will be stored
|
|
* \return the set of trusted keys for the domain, or NULL if no
|
|
* trust path could be built.
|
|
*/
|
|
ldns_rr_list *ldns_fetch_valid_domain_keys(const ldns_resolver * res,
|
|
const ldns_rdf * domain,
|
|
const ldns_rr_list * keys,
|
|
ldns_status *status);
|
|
|
|
/**
|
|
* Tries to build an authentication chain from the given
|
|
* keys down to the queried domain.
|
|
*
|
|
* If we find a valid trust path, return the valid keys for the domain.
|
|
*
|
|
* \param[in] res the current resolver
|
|
* \param[in] domain the domain we want valid keys for
|
|
* \param[in] keys the current set of trusted keys
|
|
* \param[in] check_time the time for which the validation is performed
|
|
* \param[out] status pointer to the status variable where the result
|
|
* code will be stored
|
|
* \return the set of trusted keys for the domain, or NULL if no
|
|
* trust path could be built.
|
|
*/
|
|
ldns_rr_list *ldns_fetch_valid_domain_keys_time(const ldns_resolver * res,
|
|
const ldns_rdf * domain, const ldns_rr_list * keys,
|
|
time_t check_time, ldns_status *status);
|
|
|
|
|
|
/**
|
|
* Validates the DNSKEY RRset for the given domain using the provided
|
|
* trusted keys.
|
|
*
|
|
* \param[in] res the current resolver
|
|
* \param[in] domain the domain we want valid keys for
|
|
* \param[in] keys the current set of trusted keys
|
|
* \return the set of trusted keys for the domain, or NULL if the RRSET
|
|
* could not be validated
|
|
*/
|
|
ldns_rr_list *ldns_validate_domain_dnskey (const ldns_resolver *res,
|
|
const ldns_rdf *domain,
|
|
const ldns_rr_list *keys);
|
|
|
|
/**
|
|
* Validates the DNSKEY RRset for the given domain using the provided
|
|
* trusted keys.
|
|
*
|
|
* \param[in] res the current resolver
|
|
* \param[in] domain the domain we want valid keys for
|
|
* \param[in] keys the current set of trusted keys
|
|
* \param[in] check_time the time for which the validation is performed
|
|
* \return the set of trusted keys for the domain, or NULL if the RRSET
|
|
* could not be validated
|
|
*/
|
|
ldns_rr_list *ldns_validate_domain_dnskey_time(
|
|
const ldns_resolver *res, const ldns_rdf *domain,
|
|
const ldns_rr_list *keys, time_t check_time);
|
|
|
|
|
|
/**
|
|
* Validates the DS RRset for the given domain using the provided trusted keys.
|
|
*
|
|
* \param[in] res the current resolver
|
|
* \param[in] domain the domain we want valid keys for
|
|
* \param[in] keys the current set of trusted keys
|
|
* \return the set of trusted keys for the domain, or NULL if the RRSET could not be validated
|
|
*/
|
|
ldns_rr_list *ldns_validate_domain_ds(const ldns_resolver *res,
|
|
const ldns_rdf *
|
|
domain,
|
|
const ldns_rr_list * keys);
|
|
|
|
/**
|
|
* Validates the DS RRset for the given domain using the provided trusted keys.
|
|
*
|
|
* \param[in] res the current resolver
|
|
* \param[in] domain the domain we want valid keys for
|
|
* \param[in] keys the current set of trusted keys
|
|
* \param[in] check_time the time for which the validation is performed
|
|
* \return the set of trusted keys for the domain, or NULL if the RRSET could not be validated
|
|
*/
|
|
ldns_rr_list *ldns_validate_domain_ds_time(
|
|
const ldns_resolver *res, const ldns_rdf *domain,
|
|
const ldns_rr_list * keys, time_t check_time);
|
|
|
|
|
|
/**
|
|
* Verifies a list of signatures for one RRset using a valid trust path.
|
|
*
|
|
* \param[in] res the current resolver
|
|
* \param[in] rrset the rrset to verify
|
|
* \param[in] rrsigs a list of signatures to check
|
|
* \param[out] validating_keys if this is a (initialized) list, the
|
|
* keys from keys that validate one of
|
|
* the signatures are added to it
|
|
* \return status LDNS_STATUS_OK if there is at least one correct key
|
|
*/
|
|
ldns_status ldns_verify_trusted(ldns_resolver *res,
|
|
ldns_rr_list *rrset,
|
|
ldns_rr_list *rrsigs,
|
|
ldns_rr_list *validating_keys);
|
|
|
|
/**
|
|
* Verifies a list of signatures for one RRset using a valid trust path.
|
|
*
|
|
* \param[in] res the current resolver
|
|
* \param[in] rrset the rrset to verify
|
|
* \param[in] rrsigs a list of signatures to check
|
|
* \param[in] check_time the time for which the validation is performed
|
|
* \param[out] validating_keys if this is a (initialized) list, the
|
|
* keys from keys that validate one of
|
|
* the signatures are added to it
|
|
* \return status LDNS_STATUS_OK if there is at least one correct key
|
|
*/
|
|
ldns_status ldns_verify_trusted_time(
|
|
ldns_resolver *res, ldns_rr_list *rrset,
|
|
ldns_rr_list *rrsigs, time_t check_time,
|
|
ldns_rr_list *validating_keys);
|
|
|
|
|
|
/**
|
|
* denial is not just a river in egypt
|
|
*
|
|
* \param[in] rr The (query) RR to check the denial of existence for
|
|
* \param[in] nsecs The list of NSEC RRs that are supposed to deny the
|
|
* existence of the RR
|
|
* \param[in] rrsigs The RRSIG RR covering the NSEC RRs
|
|
* \return LDNS_STATUS_OK if the NSEC RRs deny the existence, error code
|
|
* containing the reason they do not otherwise
|
|
*/
|
|
ldns_status ldns_dnssec_verify_denial(ldns_rr *rr,
|
|
ldns_rr_list *nsecs,
|
|
ldns_rr_list *rrsigs);
|
|
|
|
/**
|
|
* Denial of existence using NSEC3 records
|
|
* Since NSEC3 is a bit more complicated than normal denial, some
|
|
* context arguments are needed
|
|
*
|
|
* \param[in] rr The (query) RR to check the denial of existence for
|
|
* \param[in] nsecs The list of NSEC3 RRs that are supposed to deny the
|
|
* existence of the RR
|
|
* \param[in] rrsigs The RRSIG rr covering the NSEC RRs
|
|
* \param[in] packet_rcode The RCODE value of the packet that provided the
|
|
* NSEC3 RRs
|
|
* \param[in] packet_qtype The original query RR type
|
|
* \param[in] packet_nodata True if the providing packet had an empty ANSWER
|
|
* section
|
|
* \return LDNS_STATUS_OK if the NSEC3 RRs deny the existence, error code
|
|
* containing the reason they do not otherwise
|
|
*/
|
|
ldns_status ldns_dnssec_verify_denial_nsec3(ldns_rr *rr,
|
|
ldns_rr_list *nsecs,
|
|
ldns_rr_list *rrsigs,
|
|
ldns_pkt_rcode packet_rcode,
|
|
ldns_rr_type packet_qtype,
|
|
bool packet_nodata);
|
|
|
|
/**
|
|
* Same as ldns_status ldns_dnssec_verify_denial_nsec3 but also returns
|
|
* the nsec rr that matched.
|
|
*
|
|
* \param[in] rr The (query) RR to check the denial of existence for
|
|
* \param[in] nsecs The list of NSEC3 RRs that are supposed to deny the
|
|
* existence of the RR
|
|
* \param[in] rrsigs The RRSIG rr covering the NSEC RRs
|
|
* \param[in] packet_rcode The RCODE value of the packet that provided the
|
|
* NSEC3 RRs
|
|
* \param[in] packet_qtype The original query RR type
|
|
* \param[in] packet_nodata True if the providing packet had an empty ANSWER
|
|
* section
|
|
* \param[in] match On match, the given (reference to a) pointer will be set
|
|
* to point to the matching nsec resource record.
|
|
* \return LDNS_STATUS_OK if the NSEC3 RRs deny the existence, error code
|
|
* containing the reason they do not otherwise
|
|
*/
|
|
ldns_status ldns_dnssec_verify_denial_nsec3_match(ldns_rr *rr,
|
|
ldns_rr_list *nsecs,
|
|
ldns_rr_list *rrsigs,
|
|
ldns_pkt_rcode packet_rcode,
|
|
ldns_rr_type packet_qtype,
|
|
bool packet_nodata,
|
|
ldns_rr **match);
|
|
/**
|
|
* Verifies the already processed data in the buffers
|
|
* This function should probably not be used directly.
|
|
*
|
|
* \param[in] rawsig_buf Buffer containing signature data to use
|
|
* \param[in] verify_buf Buffer containing data to verify
|
|
* \param[in] key_buf Buffer containing key data to use
|
|
* \param[in] algo Signing algorithm
|
|
* \return status LDNS_STATUS_OK if the data verifies. Error if not.
|
|
*/
|
|
ldns_status ldns_verify_rrsig_buffers(ldns_buffer *rawsig_buf,
|
|
ldns_buffer *verify_buf,
|
|
ldns_buffer *key_buf,
|
|
uint8_t algo);
|
|
|
|
/**
|
|
* Like ldns_verify_rrsig_buffers, but uses raw data.
|
|
*
|
|
* \param[in] sig signature data to use
|
|
* \param[in] siglen length of signature data to use
|
|
* \param[in] verify_buf Buffer containing data to verify
|
|
* \param[in] key key data to use
|
|
* \param[in] keylen length of key data to use
|
|
* \param[in] algo Signing algorithm
|
|
* \return status LDNS_STATUS_OK if the data verifies. Error if not.
|
|
*/
|
|
ldns_status ldns_verify_rrsig_buffers_raw(unsigned char* sig,
|
|
size_t siglen,
|
|
ldns_buffer *verify_buf,
|
|
unsigned char* key,
|
|
size_t keylen,
|
|
uint8_t algo);
|
|
|
|
/**
|
|
* Verifies an rrsig. All keys in the keyset are tried.
|
|
* \param[in] rrset the rrset to check
|
|
* \param[in] rrsig the signature of the rrset
|
|
* \param[in] keys the keys to try
|
|
* \param[out] good_keys if this is a (initialized) list, the pointer to keys
|
|
* from keys that validate one of the signatures
|
|
* are added to it
|
|
* \return a list of keys which validate the rrsig + rrset. Returns
|
|
* status LDNS_STATUS_OK if at least one key matched. Else an error.
|
|
*/
|
|
ldns_status ldns_verify_rrsig_keylist(ldns_rr_list *rrset,
|
|
ldns_rr *rrsig,
|
|
const ldns_rr_list *keys,
|
|
ldns_rr_list *good_keys);
|
|
|
|
/**
|
|
* Verifies an rrsig. All keys in the keyset are tried.
|
|
* \param[in] rrset the rrset to check
|
|
* \param[in] rrsig the signature of the rrset
|
|
* \param[in] keys the keys to try
|
|
* \param[in] check_time the time for which the validation is performed
|
|
* \param[out] good_keys if this is a (initialized) list, the pointer to keys
|
|
* from keys that validate one of the signatures
|
|
* are added to it
|
|
* \return a list of keys which validate the rrsig + rrset. Returns
|
|
* status LDNS_STATUS_OK if at least one key matched. Else an error.
|
|
*/
|
|
ldns_status ldns_verify_rrsig_keylist_time(
|
|
ldns_rr_list *rrset, ldns_rr *rrsig,
|
|
const ldns_rr_list *keys, time_t check_time,
|
|
ldns_rr_list *good_keys);
|
|
|
|
|
|
/**
|
|
* Verifies an rrsig. All keys in the keyset are tried. Time is not checked.
|
|
* \param[in] rrset the rrset to check
|
|
* \param[in] rrsig the signature of the rrset
|
|
* \param[in] keys the keys to try
|
|
* \param[out] good_keys if this is a (initialized) list, the pointer to keys
|
|
* from keys that validate one of the signatures
|
|
* are added to it
|
|
* \return a list of keys which validate the rrsig + rrset. Returns
|
|
* status LDNS_STATUS_OK if at least one key matched. Else an error.
|
|
*/
|
|
ldns_status ldns_verify_rrsig_keylist_notime(ldns_rr_list *rrset,
|
|
ldns_rr *rrsig,
|
|
const ldns_rr_list *keys,
|
|
ldns_rr_list *good_keys);
|
|
|
|
/**
|
|
* verify an rrsig with 1 key
|
|
* \param[in] rrset the rrset
|
|
* \param[in] rrsig the rrsig to verify
|
|
* \param[in] key the key to use
|
|
* \return status message wether verification succeeded.
|
|
*/
|
|
ldns_status ldns_verify_rrsig(ldns_rr_list *rrset,
|
|
ldns_rr *rrsig,
|
|
ldns_rr *key);
|
|
|
|
|
|
/**
|
|
* verify an rrsig with 1 key
|
|
* \param[in] rrset the rrset
|
|
* \param[in] rrsig the rrsig to verify
|
|
* \param[in] key the key to use
|
|
* \param[in] check_time the time for which the validation is performed
|
|
* \return status message wether verification succeeded.
|
|
*/
|
|
ldns_status ldns_verify_rrsig_time(
|
|
ldns_rr_list *rrset, ldns_rr *rrsig,
|
|
ldns_rr *key, time_t check_time);
|
|
|
|
|
|
#if LDNS_BUILD_CONFIG_HAVE_SSL
|
|
/**
|
|
* verifies a buffer with signature data for a buffer with rrset data
|
|
* with an EVP_PKEY
|
|
*
|
|
* \param[in] sig the signature data
|
|
* \param[in] rrset the rrset data, sorted and processed for verification
|
|
* \param[in] key the EVP key structure
|
|
* \param[in] digest_type The digest type of the signature
|
|
*/
|
|
ldns_status ldns_verify_rrsig_evp(ldns_buffer *sig,
|
|
ldns_buffer *rrset,
|
|
EVP_PKEY *key,
|
|
const EVP_MD *digest_type);
|
|
|
|
/**
|
|
* Like ldns_verify_rrsig_evp, but uses raw signature data.
|
|
* \param[in] sig the signature data, wireformat uncompressed
|
|
* \param[in] siglen length of the signature data
|
|
* \param[in] rrset the rrset data, sorted and processed for verification
|
|
* \param[in] key the EVP key structure
|
|
* \param[in] digest_type The digest type of the signature
|
|
*/
|
|
ldns_status ldns_verify_rrsig_evp_raw(unsigned char *sig,
|
|
size_t siglen,
|
|
ldns_buffer *rrset,
|
|
EVP_PKEY *key,
|
|
const EVP_MD *digest_type);
|
|
#endif
|
|
|
|
/**
|
|
* verifies a buffer with signature data (DSA) for a buffer with rrset data
|
|
* with a buffer with key data.
|
|
*
|
|
* \param[in] sig the signature data
|
|
* \param[in] rrset the rrset data, sorted and processed for verification
|
|
* \param[in] key the key data
|
|
*/
|
|
ldns_status ldns_verify_rrsig_dsa(ldns_buffer *sig,
|
|
ldns_buffer *rrset,
|
|
ldns_buffer *key);
|
|
|
|
/**
|
|
* verifies a buffer with signature data (RSASHA1) for a buffer with rrset data
|
|
* with a buffer with key data.
|
|
*
|
|
* \param[in] sig the signature data
|
|
* \param[in] rrset the rrset data, sorted and processed for verification
|
|
* \param[in] key the key data
|
|
*/
|
|
ldns_status ldns_verify_rrsig_rsasha1(ldns_buffer *sig,
|
|
ldns_buffer *rrset,
|
|
ldns_buffer *key);
|
|
|
|
/**
|
|
* verifies a buffer with signature data (RSAMD5) for a buffer with rrset data
|
|
* with a buffer with key data.
|
|
*
|
|
* \param[in] sig the signature data
|
|
* \param[in] rrset the rrset data, sorted and processed for verification
|
|
* \param[in] key the key data
|
|
*/
|
|
ldns_status ldns_verify_rrsig_rsamd5(ldns_buffer *sig,
|
|
ldns_buffer *rrset,
|
|
ldns_buffer *key);
|
|
|
|
/**
|
|
* Like ldns_verify_rrsig_dsa, but uses raw signature and key data.
|
|
* \param[in] sig raw uncompressed wireformat signature data
|
|
* \param[in] siglen length of signature data
|
|
* \param[in] rrset ldns buffer with prepared rrset data.
|
|
* \param[in] key raw uncompressed wireformat key data
|
|
* \param[in] keylen length of key data
|
|
*/
|
|
ldns_status ldns_verify_rrsig_dsa_raw(unsigned char* sig,
|
|
size_t siglen,
|
|
ldns_buffer* rrset,
|
|
unsigned char* key,
|
|
size_t keylen);
|
|
|
|
/**
|
|
* Like ldns_verify_rrsig_rsasha1, but uses raw signature and key data.
|
|
* \param[in] sig raw uncompressed wireformat signature data
|
|
* \param[in] siglen length of signature data
|
|
* \param[in] rrset ldns buffer with prepared rrset data.
|
|
* \param[in] key raw uncompressed wireformat key data
|
|
* \param[in] keylen length of key data
|
|
*/
|
|
ldns_status ldns_verify_rrsig_rsasha1_raw(unsigned char* sig,
|
|
size_t siglen,
|
|
ldns_buffer* rrset,
|
|
unsigned char* key,
|
|
size_t keylen);
|
|
|
|
/**
|
|
* Like ldns_verify_rrsig_rsasha256, but uses raw signature and key data.
|
|
* \param[in] sig raw uncompressed wireformat signature data
|
|
* \param[in] siglen length of signature data
|
|
* \param[in] rrset ldns buffer with prepared rrset data.
|
|
* \param[in] key raw uncompressed wireformat key data
|
|
* \param[in] keylen length of key data
|
|
*/
|
|
|
|
ldns_status ldns_verify_rrsig_rsasha256_raw(unsigned char* sig,
|
|
size_t siglen,
|
|
ldns_buffer* rrset,
|
|
unsigned char* key,
|
|
size_t keylen);
|
|
|
|
/**
|
|
* Like ldns_verify_rrsig_rsasha512, but uses raw signature and key data.
|
|
* \param[in] sig raw uncompressed wireformat signature data
|
|
* \param[in] siglen length of signature data
|
|
* \param[in] rrset ldns buffer with prepared rrset data.
|
|
* \param[in] key raw uncompressed wireformat key data
|
|
* \param[in] keylen length of key data
|
|
*/
|
|
ldns_status ldns_verify_rrsig_rsasha512_raw(unsigned char* sig,
|
|
size_t siglen,
|
|
ldns_buffer* rrset,
|
|
unsigned char* key,
|
|
size_t keylen);
|
|
|
|
/**
|
|
* Like ldns_verify_rrsig_rsamd5, but uses raw signature and key data.
|
|
* \param[in] sig raw uncompressed wireformat signature data
|
|
* \param[in] siglen length of signature data
|
|
* \param[in] rrset ldns buffer with prepared rrset data.
|
|
* \param[in] key raw uncompressed wireformat key data
|
|
* \param[in] keylen length of key data
|
|
*/
|
|
ldns_status ldns_verify_rrsig_rsamd5_raw(unsigned char* sig,
|
|
size_t siglen,
|
|
ldns_buffer* rrset,
|
|
unsigned char* key,
|
|
size_t keylen);
|
|
|
|
#ifdef __cplusplus
|
|
}
|
|
#endif
|
|
|
|
#endif
|
|
|