3 #ifndef LDNS_DNSSEC_VERIFY_H
4 #define LDNS_DNSSEC_VERIFY_H
5 
6 #define LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS 10
7 
8 #include <ldns/dnssec.h>
9 #include <ldns/host2str.h>
10 
11 #ifdef __cplusplus
12 extern "C" {
13 #endif
14 
21 {
29 };
30 
58 void ldns_dnssec_data_chain_print(FILE *out, const ldns_dnssec_data_chain *chain);
59 
67 void ldns_dnssec_data_chain_print_fmt(FILE *out,
68  const ldns_output_format *fmt,
69  const ldns_dnssec_data_chain *chain);
70 
87  const uint16_t qflags,
88  const ldns_rr_list *data_set,
89  const ldns_pkt *pkt,
90  ldns_rr *orig_rr);
91 
123 {
125  /* the complete rrset this rr was in */
132  size_t parent_count;
133 };
134 
172 void ldns_dnssec_trust_tree_print(FILE *out,
174  size_t tabs,
175  bool extended);
176 
190 void ldns_dnssec_trust_tree_print_fmt(FILE *out,
191  const ldns_output_format *fmt,
193  size_t tabs,
194  bool extended);
195 
207  const ldns_dnssec_trust_tree *parent,
208  const ldns_rr *parent_signature,
209  const ldns_status parent_status);
210 
223  ldns_dnssec_data_chain *data_chain,
224  ldns_rr *rr);
225 
239  ldns_dnssec_data_chain *data_chain,
240  ldns_rr *rr, time_t check_time);
241 
250  ldns_dnssec_trust_tree *new_tree,
251  ldns_dnssec_data_chain *data_chain,
252  ldns_rr *cur_sig_rr);
253 
263  ldns_dnssec_trust_tree *new_tree,
264  ldns_dnssec_data_chain *data_chain,
265  ldns_rr *cur_sig_rr, time_t check_time);
266 
267 
277  ldns_dnssec_trust_tree *new_tree,
278  ldns_dnssec_data_chain *data_chain,
279  ldns_rr *cur_rr,
280  ldns_rr *cur_sig_rr);
281 
292  ldns_dnssec_trust_tree *new_tree,
293  ldns_dnssec_data_chain *data_chain,
294  ldns_rr *cur_rr, ldns_rr *cur_sig_rr,
295  time_t check_time);
296 
297 
308  ldns_dnssec_trust_tree *new_tree,
309  ldns_dnssec_data_chain *data_chain,
310  ldns_rr *cur_rr, ldns_rr *cur_sig_rr,
311  time_t check_time);
312 
313 
322  ldns_dnssec_trust_tree *new_tree,
323  ldns_dnssec_data_chain *data_chain,
324  ldns_rr *cur_rr);
325 
335  ldns_dnssec_trust_tree *new_tree,
336  ldns_dnssec_data_chain *data_chain,
337  ldns_rr *cur_rr, time_t check_time);
338 
347  ldns_dnssec_trust_tree *new_tree,
348  ldns_dnssec_data_chain *data_chain);
349 
359  ldns_dnssec_trust_tree *new_tree,
360  ldns_dnssec_data_chain *data_chain,
361  time_t check_time);
362 
363 
377  ldns_rr_list *keys);
378 
391  ldns_rr_list *rrsig,
392  const ldns_rr_list *keys,
393  ldns_rr_list *good_keys);
394 
408  ldns_rr_list *rrsig,
409  const ldns_rr_list *keys,
410  time_t check_time,
411  ldns_rr_list *good_keys);
412 
413 
427  ldns_rr_list *rrsig,
428  const ldns_rr_list *keys,
429  ldns_rr_list *good_keys);
430 
446  const ldns_rdf * domain,
447  const ldns_rr_list * keys,
448  ldns_status *status);
449 
466  const ldns_rdf * domain, const ldns_rr_list * keys,
467  time_t check_time, ldns_status *status);
468 
469 
481  const ldns_rdf *domain,
482  const ldns_rr_list *keys);
483 
496  const ldns_resolver *res, const ldns_rdf *domain,
497  const ldns_rr_list *keys, time_t check_time);
498 
499 
509  const ldns_rdf *
510  domain,
511  const ldns_rr_list * keys);
512 
523  const ldns_resolver *res, const ldns_rdf *domain,
524  const ldns_rr_list * keys, time_t check_time);
525 
526 
539  ldns_rr_list *rrset,
540  ldns_rr_list *rrsigs,
541  ldns_rr_list *validating_keys);
542 
556  ldns_resolver *res, ldns_rr_list *rrset,
557  ldns_rr_list *rrsigs, time_t check_time,
558  ldns_rr_list *validating_keys);
559 
560 
572  ldns_rr_list *nsecs,
573  ldns_rr_list *rrsigs);
574 
593  ldns_rr_list *nsecs,
594  ldns_rr_list *rrsigs,
595  ldns_pkt_rcode packet_rcode,
596  ldns_rr_type packet_qtype,
597  bool packet_nodata);
598 
618  ldns_rr_list *nsecs,
619  ldns_rr_list *rrsigs,
620  ldns_pkt_rcode packet_rcode,
621  ldns_rr_type packet_qtype,
622  bool packet_nodata,
623  ldns_rr **match);
635  ldns_buffer *verify_buf,
636  ldns_buffer *key_buf,
637  uint8_t algo);
638 
650 ldns_status ldns_verify_rrsig_buffers_raw(unsigned char* sig,
651  size_t siglen,
652  ldns_buffer *verify_buf,
653  unsigned char* key,
654  size_t keylen,
655  uint8_t algo);
656 
669  ldns_rr *rrsig,
670  const ldns_rr_list *keys,
671  ldns_rr_list *good_keys);
672 
686  ldns_rr_list *rrset, ldns_rr *rrsig,
687  const ldns_rr_list *keys, time_t check_time,
688  ldns_rr_list *good_keys);
689 
690 
703  ldns_rr *rrsig,
704  const ldns_rr_list *keys,
705  ldns_rr_list *good_keys);
706 
715  ldns_rr *rrsig,
716  ldns_rr *key);
717 
718 
728  ldns_rr_list *rrset, ldns_rr *rrsig,
729  ldns_rr *key, time_t check_time);
730 
731 
732 #if LDNS_BUILD_CONFIG_HAVE_SSL
733 
743  ldns_buffer *rrset,
744  EVP_PKEY *key,
745  const EVP_MD *digest_type);
746 
755 ldns_status ldns_verify_rrsig_evp_raw(unsigned char *sig,
756  size_t siglen,
757  ldns_buffer *rrset,
758  EVP_PKEY *key,
759  const EVP_MD *digest_type);
760 #endif
761 
771  ldns_buffer *rrset,
772  ldns_buffer *key);
773 
783  ldns_buffer *rrset,
784  ldns_buffer *key);
785 
795  ldns_buffer *rrset,
796  ldns_buffer *key);
797 
806 ldns_status ldns_verify_rrsig_dsa_raw(unsigned char* sig,
807  size_t siglen,
808  ldns_buffer* rrset,
809  unsigned char* key,
810  size_t keylen);
811 
820 ldns_status ldns_verify_rrsig_rsasha1_raw(unsigned char* sig,
821  size_t siglen,
822  ldns_buffer* rrset,
823  unsigned char* key,
824  size_t keylen);
825 
836  size_t siglen,
837  ldns_buffer* rrset,
838  unsigned char* key,
839  size_t keylen);
840 
850  size_t siglen,
851  ldns_buffer* rrset,
852  unsigned char* key,
853  size_t keylen);
854 
863 ldns_status ldns_verify_rrsig_rsamd5_raw(unsigned char* sig,
864  size_t siglen,
865  ldns_buffer* rrset,
866  unsigned char* key,
867  size_t keylen);
868 
869 #ifdef __cplusplus
870 }
871 #endif
872 
873 #endif
874 
implementation of buffers to ease operations
Definition: buffer.h:50
void ldns_dnssec_derive_trust_tree_normal_rrset_time(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_sig_rr, time_t check_time)
Sub function for derive_trust_tree that is used for a 'normal' rrset.
ldns_status ldns_verify_trusted_time(ldns_resolver *res, ldns_rr_list *rrset, ldns_rr_list *rrsigs, time_t check_time, ldns_rr_list *validating_keys)
Verifies a list of signatures for one RRset using a valid trust path.
ldns_status ldns_verify_rrsig_evp(ldns_buffer *sig, ldns_buffer *rrset, EVP_PKEY *key, const EVP_MD *digest_type)
verifies a buffer with signature data for a buffer with rrset data with an EVP_PKEY ...
DNS stub resolver structure.
Definition: resolver.h:59
List or Set of Resource Records.
Definition: rr.h:306
Output format specifier.
Definition: host2str.h:80
ldns_status ldns_verify_rrsig_buffers(ldns_buffer *rawsig_buf, ldns_buffer *verify_buf, ldns_buffer *key_buf, uint8_t algo)
Verifies the already processed data in the buffers This function should probably not be used directly...
void ldns_dnssec_derive_trust_tree_ds_rrset(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr)
Sub function for derive_trust_tree that is used for DS rrsets.
void ldns_dnssec_trust_tree_print(FILE *out, ldns_dnssec_trust_tree *tree, size_t tabs, bool extended)
ldns_status ldns_dnssec_verify_denial(ldns_rr *rr, ldns_rr_list *nsecs, ldns_rr_list *rrsigs)
denial is not just a river in egypt
void ldns_dnssec_derive_trust_tree_normal_rrset(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_sig_rr)
Sub function for derive_trust_tree that is used for a 'normal' rrset.
ldns_status ldns_verify_rrsig_evp_raw(unsigned char *sig, size_t siglen, ldns_buffer *rrset, EVP_PKEY *key, const EVP_MD *digest_type)
Like ldns_verify_rrsig_evp, but uses raw signature data.
void ldns_dnssec_data_chain_deep_free(ldns_dnssec_data_chain *chain)
Frees a dnssec_data_chain structure, and all data contained therein.
Definition: dnssec_verify.c:45
ldns_rr_list * ldns_fetch_valid_domain_keys_time(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, time_t check_time, ldns_status *status)
Tries to build an authentication chain from the given keys down to the queried domain.
ldns_rr_list * ldns_validate_domain_ds(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys)
Validates the DS RRset for the given domain using the provided trusted keys.
ldns_status ldns_verify_rrsig_rsasha1_raw(unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
Like ldns_verify_rrsig_rsasha1, but uses raw signature and key data.
void ldns_dnssec_derive_trust_tree_ds_rrset_time(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr, time_t check_time)
Sub function for derive_trust_tree that is used for DS rrsets.
ldns_dnssec_trust_tree * ldns_dnssec_derive_trust_tree_time(ldns_dnssec_data_chain *data_chain, ldns_rr *rr, time_t check_time)
Generates a dnssec_trust_tree for the given rr from the given data_chain.
ldns_rr * parent_signature[10]
for debugging, add signatures too (you might want those if they contain errors)
ldns_status ldns_verify_rrsig_rsasha256_raw(unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
Like ldns_verify_rrsig_rsasha256, but uses raw signature and key data.
ldns_status ldns_verify_notime(ldns_rr_list *rrset, ldns_rr_list *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys)
Verifies a list of signatures for one rrset, but disregard the time.
void ldns_dnssec_derive_trust_tree_no_sig(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain)
Sub function for derive_trust_tree that is used when there are no signatures.
Resource Record.
Definition: rr.h:278
ldns_rr_list * ldns_validate_domain_dnskey_time(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, time_t check_time)
Validates the DNSKEY RRset for the given domain using the provided trusted keys.
ldns_rr_list * ldns_fetch_valid_domain_keys(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, ldns_status *status)
Tries to build an authentication chain from the given keys down to the queried domain.
ldns_status ldns_verify_rrsig_buffers_raw(unsigned char *sig, size_t siglen, ldns_buffer *verify_buf, unsigned char *key, size_t keylen, uint8_t algo)
Like ldns_verify_rrsig_buffers, but uses raw data.
ldns_status ldns_verify_rrsig_keylist_notime(ldns_rr_list *rrset, ldns_rr *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys)
Verifies an rrsig.
ldns_status ldns_verify_rrsig_time(ldns_rr_list *rrset, ldns_rr *rrsig, ldns_rr *key, time_t check_time)
verify an rrsig with 1 key
ldns_dnssec_trust_tree * ldns_dnssec_trust_tree_new()
Creates a new (empty) dnssec_trust_tree structure.
ldns_rr_list * ldns_validate_domain_dnskey(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys)
Validates the DNSKEY RRset for the given domain using the provided trusted keys.
ldns_status ldns_dnssec_trust_tree_contains_keys(ldns_dnssec_trust_tree *tree, ldns_rr_list *trusted_keys)
Returns OK if there is a trusted path in the tree to one of the DNSKEY or DS RRs in the given list...
ldns_dnssec_data_chain * parent
Definition: dnssec_verify.h:25
void ldns_dnssec_data_chain_print_fmt(FILE *out, const ldns_output_format *fmt, const ldns_dnssec_data_chain *chain)
Prints the dnssec_data_chain to the given file stream.
Definition: dnssec_verify.c:56
ldns_dnssec_trust_tree * ldns_dnssec_derive_trust_tree(ldns_dnssec_data_chain *data_chain, ldns_rr *rr)
Generates a dnssec_trust_tree for the given rr from the given data_chain.
size_t ldns_dnssec_trust_tree_depth(ldns_dnssec_trust_tree *tree)
returns the depth of the trust tree
void ldns_dnssec_data_chain_free(ldns_dnssec_data_chain *chain)
Frees a dnssec_data_chain structure.
Definition: dnssec_verify.c:39
ldns_status ldns_verify_rrsig_keylist_time(ldns_rr_list *rrset, ldns_rr *rrsig, const ldns_rr_list *keys, time_t check_time, ldns_rr_list *good_keys)
Verifies an rrsig.
void ldns_dnssec_trust_tree_free(ldns_dnssec_trust_tree *tree)
Frees the dnssec_trust_tree recursively.
ldns_status ldns_verify_time(ldns_rr_list *rrset, ldns_rr_list *rrsig, const ldns_rr_list *keys, time_t check_time, ldns_rr_list *good_keys)
Verifies a list of signatures for one rrset.
ldns_status ldns_verify_rrsig_rsasha512_raw(unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
Like ldns_verify_rrsig_rsasha512, but uses raw signature and key data.
host2str.h - txt presentation of RRs
ldns_rr_list * ldns_validate_domain_ds_time(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, time_t check_time)
Validates the DS RRset for the given domain using the provided trusted keys.
enum ldns_enum_pkt_rcode ldns_pkt_rcode
Definition: packet.h:68
void ldns_dnssec_data_chain_print(FILE *out, const ldns_dnssec_data_chain *chain)
Prints the dnssec_data_chain to the given file stream.
Definition: dnssec_verify.c:91
ldns_status ldns_dnssec_verify_denial_nsec3_match(ldns_rr *rr, ldns_rr_list *nsecs, ldns_rr_list *rrsigs __attribute__((unused)), ldns_pkt_rcode packet_rcode, ldns_rr_type packet_qtype, bool packet_nodata, ldns_rr **match)
ldns_status ldns_verify_rrsig_keylist(ldns_rr_list *rrset, ldns_rr *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys)
Verifies an rrsig.
ldns_dnssec_trust_tree * parents[10]
DNS packet.
Definition: packet.h:233
ldns_dnssec_data_chain * ldns_dnssec_build_data_chain(ldns_resolver *res, uint16_t qflags, const ldns_rr_list *rrset, const ldns_pkt *pkt, ldns_rr *orig_rr)
Build an ldns_dnssec_data_chain, which contains all DNSSEC data that is needed to derive the trust tr...
ldns_dnssec_data_chain * ldns_dnssec_data_chain_new()
Creates a new dnssec_chain structure.
Definition: dnssec_verify.c:19
enum ldns_enum_status ldns_status
Definition: error.h:122
This module contains base functions for DNSSEC operations (RFC4033 t/m RFC4035).
ldns_status ldns_verify_rrsig_dsa_raw(unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
Like ldns_verify_rrsig_dsa, but uses raw signature and key data.
#define LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS
dnssec_verify
Definition: dnssec_verify.h:6
void ldns_dnssec_trust_tree_print_fmt(FILE *out, const ldns_output_format *fmt, ldns_dnssec_trust_tree *tree, size_t tabs, bool extended)
ldns_status ldns_dnssec_trust_tree_add_parent(ldns_dnssec_trust_tree *tree, const ldns_dnssec_trust_tree *parent, const ldns_rr *signature, const ldns_status parent_status)
Adds a trust tree as a parent for the given trust tree.
ldns_status ldns_verify_rrsig_rsasha1(ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key)
verifies a buffer with signature data (RSASHA1) for a buffer with rrset data with a buffer with key d...
Resource record data field.
Definition: rdata.h:138
ldns_status ldns_verify_trusted(ldns_resolver *res, ldns_rr_list *rrset, ldns_rr_list *rrsigs, ldns_rr_list *validating_keys)
Verifies a list of signatures for one RRset using a valid trust path.
void ldns_dnssec_derive_trust_tree_dnskey_rrset_time(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr, ldns_rr *cur_sig_rr, time_t check_time)
Sub function for derive_trust_tree that is used for DNSKEY rrsets.
ldns_status ldns_verify_rrsig_rsamd5(ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key)
verifies a buffer with signature data (RSAMD5) for a buffer with rrset data with a buffer with key da...
enum ldns_enum_rr_type ldns_rr_type
Definition: rr.h:215
ldns_status ldns_verify_rrsig(ldns_rr_list *rrset, ldns_rr *rrsig, ldns_rr *key)
verify an rrsig with 1 key
ldns_status ldns_dnssec_verify_denial_nsec3(ldns_rr *rr, ldns_rr_list *nsecs, ldns_rr_list *rrsigs, ldns_pkt_rcode packet_rcode, ldns_rr_type packet_qtype, bool packet_nodata)
void ldns_dnssec_derive_trust_tree_no_sig_time(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, time_t check_time)
Sub function for derive_trust_tree that is used when there are no signatures.
ldns_status ldns_verify_rrsig_rsamd5_raw(unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
Like ldns_verify_rrsig_rsamd5, but uses raw signature and key data.
void ldns_dnssec_derive_trust_tree_dnskey_rrset(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr, ldns_rr *cur_sig_rr)
Sub function for derive_trust_tree that is used for DNSKEY rrsets.
ldns_status ldns_verify_rrsig_dsa(ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key)
verifies a buffer with signature data (DSA) for a buffer with rrset data with a buffer with key data...
ldns_status ldns_verify(ldns_rr_list *rrset, ldns_rr_list *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys)
Verifies a list of signatures for one rrset.