dnssec_verify.h
Go to the documentation of this file.
1 
3 #ifndef LDNS_DNSSEC_VERIFY_H
4 #define LDNS_DNSSEC_VERIFY_H
5 
6 #define LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS 10
7 
8 #include <ldns/dnssec.h>
9 #include <ldns/host2str.h>
10 
11 #ifdef __cplusplus
12 extern "C" {
13 #endif
14 
21 {
29 };
30 
36 
43 
51 
58 void ldns_dnssec_data_chain_print(FILE *out, const ldns_dnssec_data_chain *chain);
59 
67 void ldns_dnssec_data_chain_print_fmt(FILE *out,
68  const ldns_output_format *fmt,
69  const ldns_dnssec_data_chain *chain);
70 
87  const uint16_t qflags,
88  const ldns_rr_list *data_set,
89  const ldns_pkt *pkt,
90  ldns_rr *orig_rr);
91 
123 {
125  /* the complete rrset this rr was in */
132  size_t parent_count;
133 };
134 
141 
151 
159 
172 void ldns_dnssec_trust_tree_print(FILE *out,
174  size_t tabs,
175  bool extended);
176 
190 void ldns_dnssec_trust_tree_print_fmt(FILE *out,
191  const ldns_output_format *fmt,
193  size_t tabs,
194  bool extended);
195 
207  const ldns_dnssec_trust_tree *parent,
208  const ldns_rr *parent_signature,
209  const ldns_status parent_status);
210 
223  ldns_dnssec_data_chain *data_chain,
224  ldns_rr *rr);
225 
239  ldns_dnssec_data_chain *data_chain,
240  ldns_rr *rr, time_t check_time);
241 
250  ldns_dnssec_trust_tree *new_tree,
251  ldns_dnssec_data_chain *data_chain,
252  ldns_rr *cur_sig_rr);
253 
263  ldns_dnssec_trust_tree *new_tree,
264  ldns_dnssec_data_chain *data_chain,
265  ldns_rr *cur_sig_rr, time_t check_time);
266 
267 
277  ldns_dnssec_trust_tree *new_tree,
278  ldns_dnssec_data_chain *data_chain,
279  ldns_rr *cur_rr,
280  ldns_rr *cur_sig_rr);
281 
292  ldns_dnssec_trust_tree *new_tree,
293  ldns_dnssec_data_chain *data_chain,
294  ldns_rr *cur_rr, ldns_rr *cur_sig_rr,
295  time_t check_time);
296 
305  ldns_dnssec_trust_tree *new_tree,
306  ldns_dnssec_data_chain *data_chain,
307  ldns_rr *cur_rr);
308 
318  ldns_dnssec_trust_tree *new_tree,
319  ldns_dnssec_data_chain *data_chain,
320  ldns_rr *cur_rr, time_t check_time);
321 
330  ldns_dnssec_trust_tree *new_tree,
331  ldns_dnssec_data_chain *data_chain);
332 
342  ldns_dnssec_trust_tree *new_tree,
343  ldns_dnssec_data_chain *data_chain,
344  time_t check_time);
345 
346 
360  ldns_rr_list *keys);
361 
374  ldns_rr_list *rrsig,
375  const ldns_rr_list *keys,
376  ldns_rr_list *good_keys);
377 
391  const ldns_rr_list *rrsig,
392  const ldns_rr_list *keys,
393  time_t check_time,
394  ldns_rr_list *good_keys);
395 
396 
410  ldns_rr_list *rrsig,
411  const ldns_rr_list *keys,
412  ldns_rr_list *good_keys);
413 
429  const ldns_rdf * domain,
430  const ldns_rr_list * keys,
431  ldns_status *status);
432 
449  const ldns_rdf * domain, const ldns_rr_list * keys,
450  time_t check_time, ldns_status *status);
451 
452 
464  const ldns_rdf *domain,
465  const ldns_rr_list *keys);
466 
479  const ldns_resolver *res, const ldns_rdf *domain,
480  const ldns_rr_list *keys, time_t check_time);
481 
482 
492  const ldns_rdf *
493  domain,
494  const ldns_rr_list * keys);
495 
506  const ldns_resolver *res, const ldns_rdf *domain,
507  const ldns_rr_list * keys, time_t check_time);
508 
509 
522  ldns_rr_list *rrset,
523  ldns_rr_list *rrsigs,
524  ldns_rr_list *validating_keys);
525 
539  ldns_resolver *res, ldns_rr_list *rrset,
540  ldns_rr_list *rrsigs, time_t check_time,
541  ldns_rr_list *validating_keys);
542 
543 
555  ldns_rr_list *nsecs,
556  ldns_rr_list *rrsigs);
557 
576  ldns_rr_list *nsecs,
577  ldns_rr_list *rrsigs,
578  ldns_pkt_rcode packet_rcode,
579  ldns_rr_type packet_qtype,
580  bool packet_nodata);
581 
601  ldns_rr_list *nsecs,
602  ldns_rr_list *rrsigs,
603  ldns_pkt_rcode packet_rcode,
604  ldns_rr_type packet_qtype,
605  bool packet_nodata,
606  ldns_rr **match);
618  ldns_buffer *verify_buf,
619  ldns_buffer *key_buf,
620  uint8_t algo);
621 
633 ldns_status ldns_verify_rrsig_buffers_raw(unsigned char* sig,
634  size_t siglen,
635  ldns_buffer *verify_buf,
636  unsigned char* key,
637  size_t keylen,
638  uint8_t algo);
639 
652  ldns_rr *rrsig,
653  const ldns_rr_list *keys,
654  ldns_rr_list *good_keys);
655 
669  const ldns_rr_list *rrset, const ldns_rr *rrsig,
670  const ldns_rr_list *keys, time_t check_time,
671  ldns_rr_list *good_keys);
672 
673 
686  const ldns_rr *rrsig,
687  const ldns_rr_list *keys,
688  ldns_rr_list *good_keys);
689 
698  ldns_rr *rrsig,
699  ldns_rr *key);
700 
701 
711  ldns_rr_list *rrset, ldns_rr *rrsig,
712  ldns_rr *key, time_t check_time);
713 
714 
715 #if LDNS_BUILD_CONFIG_HAVE_SSL
726  ldns_buffer *rrset,
727  EVP_PKEY *key,
728  const EVP_MD *digest_type);
729 
738 ldns_status ldns_verify_rrsig_evp_raw(const unsigned char *sig,
739  size_t siglen,
740  const ldns_buffer *rrset,
741  EVP_PKEY *key,
742  const EVP_MD *digest_type);
743 #endif
744 
754  ldns_buffer *rrset,
755  ldns_buffer *key);
756 
766  ldns_buffer *rrset,
767  ldns_buffer *key);
768 
778  ldns_buffer *rrset,
779  ldns_buffer *key);
780 
789 ldns_status ldns_verify_rrsig_dsa_raw(unsigned char* sig,
790  size_t siglen,
791  ldns_buffer* rrset,
792  unsigned char* key,
793  size_t keylen);
794 
803 ldns_status ldns_verify_rrsig_rsasha1_raw(unsigned char* sig,
804  size_t siglen,
805  ldns_buffer* rrset,
806  unsigned char* key,
807  size_t keylen);
808 
819  size_t siglen,
820  ldns_buffer* rrset,
821  unsigned char* key,
822  size_t keylen);
823 
833  size_t siglen,
834  ldns_buffer* rrset,
835  unsigned char* key,
836  size_t keylen);
837 
846 ldns_status ldns_verify_rrsig_rsamd5_raw(unsigned char* sig,
847  size_t siglen,
848  ldns_buffer* rrset,
849  unsigned char* key,
850  size_t keylen);
851 
852 #ifdef __cplusplus
853 }
854 #endif
855 
856 #endif
857 
This module contains base functions for DNSSEC operations (RFC4033 t/m RFC4035).
ldns_status ldns_dnssec_trust_tree_contains_keys(ldns_dnssec_trust_tree *tree, ldns_rr_list *keys)
Returns OK if there is a trusted path in the tree to one of the DNSKEY or DS RRs in the given list.
ldns_status ldns_verify_rrsig_buffers_raw(unsigned char *sig, size_t siglen, ldns_buffer *verify_buf, unsigned char *key, size_t keylen, uint8_t algo)
Like ldns_verify_rrsig_buffers, but uses raw data.
void ldns_dnssec_data_chain_print(FILE *out, const ldns_dnssec_data_chain *chain)
Prints the dnssec_data_chain to the given file stream.
Definition: dnssec_verify.c:91
ldns_dnssec_trust_tree * ldns_dnssec_trust_tree_new(void)
Creates a new (empty) dnssec_trust_tree structure.
ldns_rr_list * ldns_fetch_valid_domain_keys_time(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, time_t check_time, ldns_status *status)
Tries to build an authentication chain from the given keys down to the queried domain.
void ldns_dnssec_derive_trust_tree_dnskey_rrset_time(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr, ldns_rr *cur_sig_rr, time_t check_time)
Sub function for derive_trust_tree that is used for DNSKEY rrsets.
ldns_status ldns_verify_rrsig_keylist_time(const ldns_rr_list *rrset, const ldns_rr *rrsig, const ldns_rr_list *keys, time_t check_time, ldns_rr_list *good_keys)
Verifies an rrsig.
ldns_status ldns_verify_notime(ldns_rr_list *rrset, ldns_rr_list *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys)
Verifies a list of signatures for one rrset, but disregard the time.
ldns_status ldns_verify_rrsig_keylist(ldns_rr_list *rrset, ldns_rr *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys)
Verifies an rrsig.
ldns_rr_list * ldns_validate_domain_dnskey(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys)
Validates the DNSKEY RRset for the given domain using the provided trusted keys.
ldns_status ldns_verify_rrsig_rsasha256_raw(unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
Like ldns_verify_rrsig_rsasha256, but uses raw signature and key data.
ldns_dnssec_data_chain * ldns_dnssec_data_chain_new(void)
Creates a new dnssec_chain structure.
Definition: dnssec_verify.c:19
ldns_dnssec_trust_tree * ldns_dnssec_derive_trust_tree_time(ldns_dnssec_data_chain *data_chain, ldns_rr *rr, time_t check_time)
Generates a dnssec_trust_tree for the given rr from the given data_chain.
ldns_dnssec_data_chain * ldns_dnssec_build_data_chain(ldns_resolver *res, const uint16_t qflags, const ldns_rr_list *data_set, const ldns_pkt *pkt, ldns_rr *orig_rr)
Build an ldns_dnssec_data_chain, which contains all DNSSEC data that is needed to derive the trust tr...
ldns_status ldns_verify_rrsig_rsasha1(ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key)
verifies a buffer with signature data (RSASHA1) for a buffer with rrset data with a buffer with key d...
ldns_status ldns_dnssec_verify_denial_nsec3_match(ldns_rr *rr, ldns_rr_list *nsecs, ldns_rr_list *rrsigs, ldns_pkt_rcode packet_rcode, ldns_rr_type packet_qtype, bool packet_nodata, ldns_rr **match)
Same as ldns_status ldns_dnssec_verify_denial_nsec3 but also returns the nsec rr that matched.
void ldns_dnssec_derive_trust_tree_dnskey_rrset(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr, ldns_rr *cur_sig_rr)
Sub function for derive_trust_tree that is used for DNSKEY rrsets.
ldns_status ldns_verify_rrsig_keylist_notime(const ldns_rr_list *rrset, const ldns_rr *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys)
Verifies an rrsig.
ldns_status ldns_dnssec_verify_denial(ldns_rr *rr, ldns_rr_list *nsecs, ldns_rr_list *rrsigs)
denial is not just a river in egypt
ldns_status ldns_verify_rrsig_dsa_raw(unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
Like ldns_verify_rrsig_dsa, but uses raw signature and key data.
ldns_status ldns_verify_trusted(ldns_resolver *res, ldns_rr_list *rrset, ldns_rr_list *rrsigs, ldns_rr_list *validating_keys)
Verifies a list of signatures for one RRset using a valid trust path.
ldns_status ldns_verify_rrsig_rsamd5(ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key)
verifies a buffer with signature data (RSAMD5) for a buffer with rrset data with a buffer with key da...
ldns_status ldns_verify_rrsig_buffers(ldns_buffer *rawsig_buf, ldns_buffer *verify_buf, ldns_buffer *key_buf, uint8_t algo)
Verifies the already processed data in the buffers This function should probably not be used directly...
ldns_status ldns_verify_rrsig(ldns_rr_list *rrset, ldns_rr *rrsig, ldns_rr *key)
verify an rrsig with 1 key
void ldns_dnssec_derive_trust_tree_no_sig(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain)
Sub function for derive_trust_tree that is used when there are no signatures.
void ldns_dnssec_derive_trust_tree_no_sig_time(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, time_t check_time)
Sub function for derive_trust_tree that is used when there are no signatures.
void ldns_dnssec_data_chain_deep_free(ldns_dnssec_data_chain *chain)
Frees a dnssec_data_chain structure, and all data contained therein.
Definition: dnssec_verify.c:45
ldns_dnssec_trust_tree * ldns_dnssec_derive_trust_tree(ldns_dnssec_data_chain *data_chain, ldns_rr *rr)
Generates a dnssec_trust_tree for the given rr from the given data_chain.
ldns_status ldns_verify_rrsig_rsasha1_raw(unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
Like ldns_verify_rrsig_rsasha1, but uses raw signature and key data.
ldns_status ldns_verify_rrsig_rsasha512_raw(unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
Like ldns_verify_rrsig_rsasha512, but uses raw signature and key data.
ldns_status ldns_verify_trusted_time(ldns_resolver *res, ldns_rr_list *rrset, ldns_rr_list *rrsigs, time_t check_time, ldns_rr_list *validating_keys)
Verifies a list of signatures for one RRset using a valid trust path.
void ldns_dnssec_trust_tree_print_fmt(FILE *out, const ldns_output_format *fmt, ldns_dnssec_trust_tree *tree, size_t tabs, bool extended)
Prints the dnssec_trust_tree structure to the given file stream.
ldns_status ldns_dnssec_trust_tree_add_parent(ldns_dnssec_trust_tree *tree, const ldns_dnssec_trust_tree *parent, const ldns_rr *parent_signature, const ldns_status parent_status)
Adds a trust tree as a parent for the given trust tree.
ldns_status ldns_verify_rrsig_dsa(ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key)
verifies a buffer with signature data (DSA) for a buffer with rrset data with a buffer with key data.
#define LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS
dnssec_verify
Definition: dnssec_verify.h:6
ldns_status ldns_dnssec_verify_denial_nsec3(ldns_rr *rr, ldns_rr_list *nsecs, ldns_rr_list *rrsigs, ldns_pkt_rcode packet_rcode, ldns_rr_type packet_qtype, bool packet_nodata)
Denial of existence using NSEC3 records Since NSEC3 is a bit more complicated than normal denial,...
void ldns_dnssec_trust_tree_print(FILE *out, ldns_dnssec_trust_tree *tree, size_t tabs, bool extended)
Prints the dnssec_trust_tree structure to the given file stream.
ldns_status ldns_verify_rrsig_rsamd5_raw(unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
Like ldns_verify_rrsig_rsamd5, but uses raw signature and key data.
ldns_rr_list * ldns_fetch_valid_domain_keys(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, ldns_status *status)
Tries to build an authentication chain from the given keys down to the queried domain.
void ldns_dnssec_data_chain_print_fmt(FILE *out, const ldns_output_format *fmt, const ldns_dnssec_data_chain *chain)
Prints the dnssec_data_chain to the given file stream.
Definition: dnssec_verify.c:56
ldns_status ldns_verify_rrsig_evp_raw(const unsigned char *sig, size_t siglen, const ldns_buffer *rrset, EVP_PKEY *key, const EVP_MD *digest_type)
Like ldns_verify_rrsig_evp, but uses raw signature data.
ldns_rr_list * ldns_validate_domain_dnskey_time(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, time_t check_time)
Validates the DNSKEY RRset for the given domain using the provided trusted keys.
void ldns_dnssec_data_chain_free(ldns_dnssec_data_chain *chain)
Frees a dnssec_data_chain structure.
Definition: dnssec_verify.c:39
ldns_status ldns_verify_rrsig_time(ldns_rr_list *rrset, ldns_rr *rrsig, ldns_rr *key, time_t check_time)
verify an rrsig with 1 key
ldns_rr_list * ldns_validate_domain_ds_time(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, time_t check_time)
Validates the DS RRset for the given domain using the provided trusted keys.
ldns_rr_list * ldns_validate_domain_ds(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys)
Validates the DS RRset for the given domain using the provided trusted keys.
ldns_status ldns_verify_time(const ldns_rr_list *rrset, const ldns_rr_list *rrsig, const ldns_rr_list *keys, time_t check_time, ldns_rr_list *good_keys)
Verifies a list of signatures for one rrset.
void ldns_dnssec_derive_trust_tree_ds_rrset(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr)
Sub function for derive_trust_tree that is used for DS rrsets.
ldns_status ldns_verify(ldns_rr_list *rrset, ldns_rr_list *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys)
Verifies a list of signatures for one rrset.
void ldns_dnssec_derive_trust_tree_normal_rrset(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_sig_rr)
Sub function for derive_trust_tree that is used for a 'normal' rrset.
size_t ldns_dnssec_trust_tree_depth(ldns_dnssec_trust_tree *tree)
returns the depth of the trust tree
void ldns_dnssec_trust_tree_free(ldns_dnssec_trust_tree *tree)
Frees the dnssec_trust_tree recursively.
ldns_status ldns_verify_rrsig_evp(ldns_buffer *sig, ldns_buffer *rrset, EVP_PKEY *key, const EVP_MD *digest_type)
verifies a buffer with signature data for a buffer with rrset data with an EVP_PKEY
void ldns_dnssec_derive_trust_tree_normal_rrset_time(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_sig_rr, time_t check_time)
Sub function for derive_trust_tree that is used for a 'normal' rrset.
void ldns_dnssec_derive_trust_tree_ds_rrset_time(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr, time_t check_time)
Sub function for derive_trust_tree that is used for DS rrsets.
enum ldns_enum_status ldns_status
Definition: error.h:146
host2str.h - txt presentation of RRs
enum ldns_enum_pkt_rcode ldns_pkt_rcode
Definition: packet.h:69
enum ldns_enum_rr_type ldns_rr_type
Definition: rr.h:243
ldns_dnssec_data_chain * parent
Definition: dnssec_verify.h:25
ldns_dnssec_trust_tree * parents[10]
ldns_rr * parent_signature[10]
for debugging, add signatures too (you might want those if they contain errors)
implementation of buffers to ease operations
Definition: buffer.h:51
Output format specifier.
Definition: host2str.h:89
DNS packet.
Definition: packet.h:235
Resource record data field.
Definition: rdata.h:197
DNS stub resolver structure.
Definition: resolver.h:60
List or Set of Resource Records.
Definition: rr.h:338
Resource Record.
Definition: rr.h:310