/*
 * dnssec_verify.h -- DNSSEC verification API of ldns.
 *
 * Declares the data-chain and trust-tree structures used to walk a DNSSEC
 * validation path from answer data towards a trust anchor, and the RRSIG
 * verification entry points (generic, per-algorithm, and raw-buffer forms).
 * Only declarations live here; behaviour beyond what the signatures show
 * must be confirmed against the implementation.
 */
#ifndef LDNS_DNSSEC_VERIFY_H
#define LDNS_DNSSEC_VERIFY_H

/* Upper bound on the number of parent links one trust-tree node can hold;
 * sizes the fixed arrays in struct ldns_dnssec_trust_tree_struct, so
 * ldns_dnssec_trust_tree_add_parent has to report when it is exhausted. */
#define LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS 10

#include <ldns/dnssec.h>

typedef struct ldns_dnssec_data_chain_struct ldns_dnssec_data_chain;
/*
 * One link in a DNSSEC data chain: an RRset together with the RRSIG records
 * that cover it, plus a pointer to the link holding the data that vouches
 * for it (presumably a DNSKEY or DS RRset), so the chain can be walked from
 * the answer up towards a trust anchor.
 *
 * The packet_* fields carry the query context the data came from; they are
 * the same triple that ldns_dnssec_verify_denial_nsec3 takes as parameters.
 * Ownership of the two lists is not visible from this header: compare
 * ldns_dnssec_data_chain_free with ldns_dnssec_data_chain_deep_free before
 * freeing anything by hand.
 */
struct ldns_dnssec_data_chain_struct {
	ldns_rr_list *rrset;            /* the RRset this link holds */
	ldns_rr_list *signatures;       /* RRSIG records covering rrset */
	ldns_rr_type parent_type;       /* RR type held by the parent link (DNSKEY/DS presumably) -- confirm */
	ldns_dnssec_data_chain *parent; /* next link towards the anchor; NULL at the top, presumably */
	ldns_pkt_rcode packet_rcode;    /* rcode of the packet the data was taken from */
	ldns_rr_type packet_qtype;      /* qtype of the query that produced that packet */
	bool packet_nodata;             /* true when the packet was a NODATA answer */
};
00024
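/**
 * Allocates an empty data chain link.
 *
 * Declared with (void): the original empty parameter list declared a
 * function with unspecified arguments, which lets a call with stray
 * arguments go undiagnosed.
 *
 * @return the new link, or NULL when allocation fails (presumably; no other
 *         error channel is visible here)
 */
ldns_dnssec_data_chain *ldns_dnssec_data_chain_new(void);

/**
 * Frees the chain link structure itself.
 * Whether the rrset and signatures lists are released here or left to the
 * caller is not visible in this header; compare with
 * ldns_dnssec_data_chain_deep_free before choosing one.
 *
 * @param chain the link to free
 */
void ldns_dnssec_data_chain_free(ldns_dnssec_data_chain *chain);

/**
 * Frees the chain link and, as its name suggests, the data it references
 * as well (confirm how far the recursion goes along parent links).
 *
 * @param chain the link to free
 */
void ldns_dnssec_data_chain_deep_free(ldns_dnssec_data_chain *chain);

/**
 * Prints a data chain to a stream, for debugging and tooling.
 *
 * @param out the stream to write to
 * @param chain the chain to print
 */
void ldns_dnssec_data_chain_print(FILE *out, const ldns_dnssec_data_chain *chain);

/**
 * Builds a data chain for an RRset by asking a resolver for the signatures
 * and keys above it.
 *
 * NOTE(review): a chain built this way is assembled from network responses;
 * nothing in it is authenticated until ldns_dnssec_derive_trust_tree and
 * ldns_dnssec_trust_tree_contains_keys have been run against trusted keys.
 *
 * @param res the resolver used for the lookups
 * @param qflags query flags handed to the resolver
 * @param data_set the RRset the chain starts from
 * @param pkt the packet the data came from; its rcode/qtype are carried in
 *            the chain links (whether NULL is accepted is not visible here)
 * @param orig_rr the original record, presumably used when data_set is empty
 * @return the chain, or NULL on failure (presumably)
 */
ldns_dnssec_data_chain *ldns_dnssec_build_data_chain(ldns_resolver *res,
                                                     const uint16_t qflags,
                                                     const ldns_rr_list *data_set,
                                                     const ldns_pkt *pkt,
                                                     ldns_rr *orig_rr);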
00063
typedef struct ldns_dnssec_trust_tree_struct ldns_dnssec_trust_tree;
/*
 * A node in a DNSSEC trust tree: one record plus the (at most
 * LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS) nodes that vouch for it.  The three
 * parent arrays are filled together by ldns_dnssec_trust_tree_add_parent,
 * so they are presumably indexed in parallel: slot i holds the parent node,
 * the signature by which it vouches, and the verification status of that
 * link.  parent_count is the number of used slots.
 */
struct ldns_dnssec_trust_tree_struct {
	ldns_rr *rr;                 /* the record this node represents */

	ldns_rr_list *rrset;         /* the RRset rr belongs to */
	ldns_dnssec_trust_tree *parents[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS];       /* vouching nodes */
	ldns_status parent_status[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS];             /* verification result of each parent link */
	ldns_rr *parent_signature[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS];             /* RRSIG behind each link; may be NULL for links without a signature -- confirm */
	size_t parent_count;         /* used entries in the three arrays above; must stay <= the MAX */
};
00102
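/**
 * Allocates an empty trust-tree node.
 *
 * Declared with (void): the original empty parameter list declared a
 * function with unspecified arguments, which lets a call with stray
 * arguments go undiagnosed.
 *
 * @return the new node, or NULL when allocation fails (presumably)
 */
ldns_dnssec_trust_tree *ldns_dnssec_trust_tree_new(void);

/**
 * Frees a trust-tree node.  Whether the parent nodes are freed recursively
 * is not visible from this header; confirm before freeing them separately.
 *
 * @param tree the node to free
 */
void ldns_dnssec_trust_tree_free(ldns_dnssec_trust_tree *tree);

/**
 * Returns the depth of the tree rooted at this node (the exact counting
 * convention for a node without parents is not visible here).
 *
 * @param tree the node to measure
 * @return the depth
 */
size_t ldns_dnssec_trust_tree_depth(ldns_dnssec_trust_tree *tree);

/**
 * Prints a trust tree to a stream.
 *
 * @param out the stream to write to
 * @param tree the node to print, presumably followed by its parents
 * @param tabs indentation level to start at
 * @param extended whether to print additional detail
 */
void ldns_dnssec_trust_tree_print(FILE *out,
                                  ldns_dnssec_trust_tree *tree,
                                  size_t tabs,
                                  bool extended);

/**
 * Attaches a parent node to tree, recording the signature and the
 * verification status that link the two.
 *
 * The node holds parents in fixed arrays of
 * LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS entries, so this can fail; callers
 * must check the returned status rather than assume the link was stored.
 *
 * @param tree the node gaining a parent
 * @param parent the vouching node
 * @param parent_signature the RRSIG behind the link (may be NULL for links
 *                         without a signature -- confirm)
 * @param parent_status the verification result for the link
 * @return LDNS_STATUS_OK when stored, an error status otherwise (presumably
 *         when the parent slots are exhausted)
 */
ldns_status
ldns_dnssec_trust_tree_add_parent(ldns_dnssec_trust_tree *tree,
                                  const ldns_dnssec_trust_tree *parent,
                                  const ldns_rr *parent_signature,
                                  const ldns_status parent_status);

/**
 * Derives a trust tree for rr from a data chain: every signature in the
 * chain is verified and the outcome is recorded in the tree's parent links,
 * so the tree shows which keys (if any) vouch for rr and with what status.
 *
 * NOTE(review): the tree records the verification results; it does not by
 * itself say whether any of those keys is trusted -- use
 * ldns_dnssec_trust_tree_contains_keys with the trust anchors for that.
 *
 * @param data_chain the chain to derive the tree from
 * @param rr the record at the root of the tree
 * @return the derived tree, or NULL on failure (presumably)
 */
ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree(ldns_dnssec_data_chain *data_chain, ldns_rr *rr);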
00168
/**
 * Presumably a helper of ldns_dnssec_derive_trust_tree for an ordinary
 * (neither DNSKEY nor DS) RRset: handles one signature over the chain's
 * RRset and adds the resulting parent links to new_tree.
 *
 * @param new_tree the tree being built
 * @param data_chain the chain link whose RRset is being considered
 * @param cur_sig_rr the RRSIG currently being processed
 */
void
ldns_dnssec_derive_trust_tree_normal_rrset(ldns_dnssec_trust_tree *new_tree,
                                           ldns_dnssec_data_chain *data_chain,
                                           ldns_rr *cur_sig_rr);

/**
 * Presumably a helper of ldns_dnssec_derive_trust_tree for a DNSKEY RRset.
 *
 * @param new_tree the tree being built
 * @param data_chain the chain link whose RRset is being considered
 * @param cur_rr the DNSKEY record currently under consideration
 * @param cur_sig_rr the RRSIG currently being processed
 */
void
ldns_dnssec_derive_trust_tree_dnskey_rrset(ldns_dnssec_trust_tree *new_tree,
                                           ldns_dnssec_data_chain *data_chain,
                                           ldns_rr *cur_rr,
                                           ldns_rr *cur_sig_rr);

/**
 * Presumably a helper of ldns_dnssec_derive_trust_tree for a DS RRset;
 * takes no signature, so the DS-to-DNSKEY match is presumably made by
 * digest rather than by RRSIG -- confirm.
 *
 * @param new_tree the tree being built
 * @param data_chain the chain link whose RRset is being considered
 * @param cur_rr the DS record currently under consideration
 */
void
ldns_dnssec_derive_trust_tree_ds_rrset(ldns_dnssec_trust_tree *new_tree,
                                       ldns_dnssec_data_chain *data_chain,
                                       ldns_rr *cur_rr);

/**
 * Presumably a helper of ldns_dnssec_derive_trust_tree for a chain link
 * that carries no signatures at all.
 *
 * @param new_tree the tree being built
 * @param data_chain the unsigned chain link
 */
void
ldns_dnssec_derive_trust_tree_no_sig(ldns_dnssec_trust_tree *new_tree,
                                     ldns_dnssec_data_chain *data_chain);

/**
 * Checks whether the trust tree reaches one of the given keys, i.e. whether
 * the record at its root is vouched for by a key the caller trusts.
 *
 * NOTE(review): this is the step that ties a tree to a trust anchor; a tree
 * built from network data alone proves nothing until this check passes with
 * the configured anchors.
 *
 * @param tree the tree to inspect
 * @param keys the trusted keys (trust anchors) to look for
 * @return LDNS_STATUS_OK when a trusted key is reached, an error status
 *         otherwise (which statuses are used is not visible here)
 */
ldns_status ldns_dnssec_trust_tree_contains_keys(ldns_dnssec_trust_tree *tree,
                                                 ldns_rr_list *keys);
00230
/**
 * Verifies an RRset against its RRSIG records using a set of DNSKEYs.
 *
 * NOTE(review): a valid signature shows only that one of keys signed the
 * RRset; whether that key is itself trusted is the caller's responsibility
 * (see ldns_verify_trusted for the variant that resolves that chain).
 *
 * @param rrset the records being verified
 * @param rrsig the RRSIG records covering rrset
 * @param keys the DNSKEY records to try
 * @param good_keys if given, receives the keys that produced a valid
 *                  signature (presumably; whether NULL is accepted is not
 *                  visible here)
 * @return LDNS_STATUS_OK when verification succeeds, an error status otherwise
 */
ldns_status ldns_verify(ldns_rr_list *rrset,
                        ldns_rr_list *rrsig,
                        const ldns_rr_list *keys,
                        ldns_rr_list *good_keys);

/**
 * Fetches the DNSKEY RRset of domain through res and returns the keys that
 * can be validated against the given (presumably trusted) keys.
 *
 * @param res the resolver used for the lookup
 * @param domain the name whose keys are wanted
 * @param keys keys the fetched set is validated against
 * @param status receives the outcome of the operation
 * @return a newly allocated list of validated keys (caller presumably owns
 *         it), or NULL on failure
 */
ldns_rr_list *
ldns_fetch_valid_domain_keys(const ldns_resolver * res,
                             const ldns_rdf * domain,
                             const ldns_rr_list * keys,
                             ldns_status *status);

/**
 * Fetches the DNSKEY RRset of domain and validates it against keys.
 *
 * @param res the resolver used for the lookup
 * @param domain the name whose DNSKEY RRset is fetched
 * @param keys the keys to validate against
 * @return the keys that validate, or NULL on failure (presumably; which of
 *         the two sets is returned is not visible here -- confirm)
 */
ldns_rr_list *
ldns_validate_domain_dnskey (const ldns_resolver *res,
                             const ldns_rdf *domain,
                             const ldns_rr_list *keys);

/**
 * Fetches the DS RRset of domain and validates it against keys.
 *
 * @param res the resolver used for the lookup
 * @param domain the name whose DS RRset is fetched
 * @param keys the keys to validate against
 * @return the keys that validate, or NULL on failure (presumably; confirm
 *         against the implementation as for ldns_validate_domain_dnskey)
 */
ldns_rr_list *
ldns_validate_domain_ds(const ldns_resolver *res,
                        const ldns_rdf *
                        domain,
                        const ldns_rr_list * keys);

/**
 * Verifies rrset against rrsigs using keys obtained through res and
 * validated up to the resolver's configured trust anchors.
 *
 * @param res the resolver providing the keys and trust anchors
 * @param rrset the records being verified
 * @param rrsigs the RRSIG records covering rrset
 * @param validating_keys if given, receives the keys that validated the
 *                        RRset (presumably)
 * @return LDNS_STATUS_OK when the RRset is trusted, an error status otherwise
 */
ldns_status
ldns_verify_trusted(ldns_resolver *res,
                    ldns_rr_list *rrset,
                    ldns_rr_list *rrsigs,
                    ldns_rr_list *validating_keys);
00312
/**
 * Checks whether a set of NSEC records (with their signatures) proves the
 * non-existence of rr.
 *
 * @param rr the record whose absence is being proven
 * @param nsecs the NSEC records from the answer
 * @param rrsigs the RRSIG records covering nsecs
 * @return LDNS_STATUS_OK when the denial is proven, an error status otherwise
 */
ldns_status
ldns_dnssec_verify_denial(ldns_rr *rr,
                          ldns_rr_list *nsecs,
                          ldns_rr_list *rrsigs);

/**
 * NSEC3 variant of ldns_dnssec_verify_denial.  NSEC3 proofs depend on the
 * kind of answer, so the query context (rcode, qtype, NODATA flag -- the
 * same triple stored in ldns_dnssec_data_chain) is passed in as well.
 *
 * @param rr the record whose absence is being proven
 * @param nsecs the NSEC3 records from the answer
 * @param rrsigs the RRSIG records covering nsecs
 * @param packet_rcode rcode of the packet the records came from
 * @param packet_qtype qtype of the query that produced the packet
 * @param packet_nodata true when the packet was a NODATA answer
 * @return LDNS_STATUS_OK when the denial is proven, an error status otherwise
 */
ldns_status
ldns_dnssec_verify_denial_nsec3(ldns_rr *rr,
                                ldns_rr_list *nsecs,
                                ldns_rr_list *rrsigs,
                                ldns_pkt_rcode packet_rcode,
                                ldns_rr_type packet_qtype,
                                bool packet_nodata);
00352
/**
 * Verifies a signature over already-serialized data, dispatching on the
 * DNSSEC algorithm number.
 *
 * @param rawsig_buf the signature bytes
 * @param verify_buf the data that was signed (RRSIG rdata plus canonical RRset)
 * @param key_buf the public key bytes
 * @param algo the DNSSEC algorithm number selecting the verifier
 * @return LDNS_STATUS_OK when the signature verifies; an error status
 *         otherwise, presumably including unsupported values of algo
 */
ldns_status ldns_verify_rrsig_buffers(ldns_buffer *rawsig_buf,
                                      ldns_buffer *verify_buf,
                                      ldns_buffer *key_buf,
                                      uint8_t algo);

/**
 * As ldns_verify_rrsig_buffers, but signature and key are plain byte
 * arrays.  siglen and keylen are the only bounds the function has, so the
 * caller must pass the true sizes of the arrays.
 *
 * @param sig the signature bytes
 * @param siglen number of bytes in sig
 * @param verify_buf the data that was signed
 * @param key the public key bytes
 * @param keylen number of bytes in key
 * @param algo the DNSSEC algorithm number selecting the verifier
 * @return LDNS_STATUS_OK when the signature verifies, an error status otherwise
 */
ldns_status ldns_verify_rrsig_buffers_raw(unsigned char* sig,
                                          size_t siglen,
                                          ldns_buffer *verify_buf,
                                          unsigned char* key,
                                          size_t keylen,
                                          uint8_t algo);

/**
 * Verifies one RRSIG over an RRset, trying each of the given keys.
 *
 * @param rrset the records being verified
 * @param rrsig the single RRSIG to check
 * @param keys the DNSKEY records to try
 * @param good_keys if given, receives the keys that verified the signature
 *                  (presumably)
 * @return LDNS_STATUS_OK when some key verifies rrsig, an error status otherwise
 */
ldns_status ldns_verify_rrsig_keylist(ldns_rr_list *rrset, ldns_rr *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys);

/**
 * Converts the DSA signature field of an RRSIG from its DNS wire encoding
 * into the form expected by the crypto backend, writing it to target_buffer.
 *
 * @param target_buffer receives the converted signature
 * @param sig_rdf the signature rdata of the RRSIG
 * @return LDNS_STATUS_OK on success, an error status otherwise
 */
ldns_status
ldns_convert_dsa_rrsig_rdata(ldns_buffer *target_buffer,
                             ldns_rdf *sig_rdf);

/**
 * Verifies one RRSIG over an RRset with one DNSKEY.
 *
 * @param rrset the records being verified
 * @param rrsig the RRSIG to check
 * @param key the DNSKEY to verify with
 * @return LDNS_STATUS_OK when the signature verifies, an error status otherwise
 */
ldns_status ldns_verify_rrsig(ldns_rr_list *rrset, ldns_rr *rrsig, ldns_rr *key);
00418
/* EVP_PKEY and EVP_MD are OpenSSL types; these declarations are only
 * available when ldns is built with SSL support, and the OpenSSL headers
 * are presumably pulled in through <ldns/dnssec.h> in that configuration. */
#ifdef HAVE_SSL
/**
 * Verifies a signature over rrset with an OpenSSL key and digest.
 *
 * @param sig the signature bytes
 * @param rrset the data that was signed
 * @param key the OpenSSL public key
 * @param digest_type the digest the signature was made with
 * @return LDNS_STATUS_OK when the signature verifies, an error status otherwise
 */
ldns_status ldns_verify_rrsig_evp(ldns_buffer *sig,
                                  ldns_buffer *rrset,
                                  EVP_PKEY *key,
                                  const EVP_MD *digest_type);
#endif

#ifdef HAVE_SSL
/**
 * As ldns_verify_rrsig_evp, but the signature is a plain byte array;
 * siglen must be the true size of sig.
 *
 * @param sig the signature bytes
 * @param siglen number of bytes in sig
 * @param rrset the data that was signed
 * @param key the OpenSSL public key
 * @param digest_type the digest the signature was made with
 * @return LDNS_STATUS_OK when the signature verifies, an error status otherwise
 */
ldns_status ldns_verify_rrsig_evp_raw(unsigned char *sig,
                                      size_t siglen,
                                      ldns_buffer *rrset,
                                      EVP_PKEY *key,
                                      const EVP_MD *digest_type);
#endif
00450
/*
 * Per-algorithm verifiers.  The buffer forms take ldns_buffers; the _raw
 * forms take plain byte arrays with caller-supplied lengths, which are the
 * only bounds the functions have.
 *
 * NOTE(review): RFC 8624 lists RSAMD5 and DSA as MUST NOT for both signing
 * and validation, and RSASHA1 as NOT RECOMMENDED for new signatures
 * (validation of it is still required).  Treat the MD5 and DSA entry points
 * below as legacy; new callers should go through ldns_verify_rrsig_buffers
 * and let the algorithm number decide.
 */

/**
 * Verifies a DSA signature.
 * @param sig the signature bytes
 * @param rrset the data that was signed
 * @param key the public key bytes
 * @return LDNS_STATUS_OK when the signature verifies, an error status otherwise
 */
ldns_status ldns_verify_rrsig_dsa(ldns_buffer *sig,
                                  ldns_buffer *rrset,
                                  ldns_buffer *key);

/**
 * Verifies an RSA/SHA-1 signature.
 * @param sig the signature bytes
 * @param rrset the data that was signed
 * @param key the public key bytes
 * @return LDNS_STATUS_OK when the signature verifies, an error status otherwise
 */
ldns_status ldns_verify_rrsig_rsasha1(ldns_buffer *sig,
                                      ldns_buffer *rrset,
                                      ldns_buffer *key);

/**
 * Verifies an RSA/MD5 signature (legacy algorithm; see the note above).
 * @param sig the signature bytes
 * @param rrset the data that was signed
 * @param key the public key bytes
 * @return LDNS_STATUS_OK when the signature verifies, an error status otherwise
 */
ldns_status ldns_verify_rrsig_rsamd5(ldns_buffer *sig,
                                     ldns_buffer *rrset,
                                     ldns_buffer *key);

/**
 * Raw-buffer form of ldns_verify_rrsig_dsa.
 * @param sig the signature bytes
 * @param siglen number of bytes in sig
 * @param rrset the data that was signed
 * @param key the public key bytes
 * @param keylen number of bytes in key
 * @return LDNS_STATUS_OK when the signature verifies, an error status otherwise
 */
ldns_status ldns_verify_rrsig_dsa_raw(unsigned char* sig,
                                      size_t siglen,
                                      ldns_buffer* rrset,
                                      unsigned char* key,
                                      size_t keylen);

/**
 * Raw-buffer form of ldns_verify_rrsig_rsasha1.
 * @param sig the signature bytes
 * @param siglen number of bytes in sig
 * @param rrset the data that was signed
 * @param key the public key bytes
 * @param keylen number of bytes in key
 * @return LDNS_STATUS_OK when the signature verifies, an error status otherwise
 */
ldns_status ldns_verify_rrsig_rsasha1_raw(unsigned char* sig,
                                          size_t siglen,
                                          ldns_buffer* rrset,
                                          unsigned char* key,
                                          size_t keylen);

/**
 * Verifies an RSA/SHA-256 signature from raw buffers.
 * @param sig the signature bytes
 * @param siglen number of bytes in sig
 * @param rrset the data that was signed
 * @param key the public key bytes
 * @param keylen number of bytes in key
 * @return LDNS_STATUS_OK when the signature verifies, an error status otherwise
 */
ldns_status ldns_verify_rrsig_rsasha256_raw(unsigned char* sig,
                                            size_t siglen,
                                            ldns_buffer* rrset,
                                            unsigned char* key,
                                            size_t keylen);

/**
 * Verifies an RSA/SHA-512 signature from raw buffers.
 * @param sig the signature bytes
 * @param siglen number of bytes in sig
 * @param rrset the data that was signed
 * @param key the public key bytes
 * @param keylen number of bytes in key
 * @return LDNS_STATUS_OK when the signature verifies, an error status otherwise
 */
ldns_status ldns_verify_rrsig_rsasha512_raw(unsigned char* sig,
                                            size_t siglen,
                                            ldns_buffer* rrset,
                                            unsigned char* key,
                                            size_t keylen);

/**
 * Raw-buffer form of ldns_verify_rrsig_rsamd5 (legacy algorithm; see the
 * note above).
 * @param sig the signature bytes
 * @param siglen number of bytes in sig
 * @param rrset the data that was signed
 * @param key the public key bytes
 * @param keylen number of bytes in key
 * @return LDNS_STATUS_OK when the signature verifies, an error status otherwise
 */
ldns_status ldns_verify_rrsig_rsamd5_raw(unsigned char* sig,
                                         size_t siglen,
                                         ldns_buffer* rrset,
                                         unsigned char* key,
                                         size_t keylen);

#endif /* LDNS_DNSSEC_VERIFY_H */