3 #ifndef LDNS_DNSSEC_VERIFY_H
4 #define LDNS_DNSSEC_VERIFY_H
6 #define LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS 10
8 #include <ldns/dnssec.h>
9 #include <ldns/host2str.h>
16 * Chain structure that contains all DNSSEC data needed to
19 typedef struct ldns_dnssec_data_chain_struct ldns_dnssec_data_chain;
20 struct ldns_dnssec_data_chain_struct
23 ldns_rr_list *signatures;
24 ldns_rr_type parent_type;
25 ldns_dnssec_data_chain *parent;
26 ldns_pkt_rcode packet_rcode;
27 ldns_rr_type packet_qtype;
32 * Creates a new dnssec_chain structure
33 * \return ldns_dnssec_data_chain *
35 ldns_dnssec_data_chain *ldns_dnssec_data_chain_new();
38 * Frees a dnssec_data_chain structure
40 * \param[in] *chain The chain to free
42 void ldns_dnssec_data_chain_free(ldns_dnssec_data_chain *chain);
45 * Frees a dnssec_data_chain structure, and all data
48 * \param[in] *chain The dnssec_data_chain to free
50 void ldns_dnssec_data_chain_deep_free(ldns_dnssec_data_chain *chain);
53 * Prints the dnssec_data_chain to the given file stream
55 * \param[in] *out The file stream to print to
56 * \param[in] *chain The dnssec_data_chain to print
58 void ldns_dnssec_data_chain_print(FILE *out, const ldns_dnssec_data_chain *chain);
61 * Prints the dnssec_data_chain to the given file stream
63 * \param[in] *out The file stream to print to
64 * \param[in] *fmt The format of the textual representation
65 * \param[in] *chain The dnssec_data_chain to print
67 void ldns_dnssec_data_chain_print_fmt(FILE *out,
68 const ldns_output_format *fmt,
69 const ldns_dnssec_data_chain *chain);
72 * Build an ldns_dnssec_data_chain, which contains all
73 * DNSSEC data that is needed to derive the trust tree later
75 * The data_set will be cloned
77 * \param[in] *res resolver structure for further needed queries
78 * \param[in] qflags resolution flags
79 * \param[in] *data_set The original rrset where the chain ends
80 * \param[in] *pkt optional, can contain the original packet
81 * (and hence the sigs and maybe the key)
82 * \param[in] *orig_rr The original Resource Record
84 * \return the DNSSEC data chain
86 ldns_dnssec_data_chain *ldns_dnssec_build_data_chain(ldns_resolver *res,
87 const uint16_t qflags,
88 const ldns_rr_list *data_set,
93 * Tree structure that contains the relation of DNSSEC data,
94 * and their cryptographic status.
96 * This tree is derived from a data_chain, and can be used
97 * to look whether there is a connection between an RRSET
98 * and a trusted key. The tree only contains pointers to the
99 * data_chain, and therefore one should *never* free() the
100 * data_chain when there is still a trust tree derived from
116 * For each signature there is a parent; if the parent
117 * pointer is null, it couldn't be found and there was no
118 * denial; otherwise is a tree which contains either a
119 * DNSKEY, a DS, or a NSEC rr
121 typedef struct ldns_dnssec_trust_tree_struct ldns_dnssec_trust_tree;
122 struct ldns_dnssec_trust_tree_struct
125 /* the complete rrset this rr was in */
127 ldns_dnssec_trust_tree *parents[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS];
128 ldns_status parent_status[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS];
129 /** for debugging, add signatures too (you might want
130 those if they contain errors) */
131 ldns_rr *parent_signature[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS];
136 * Creates a new (empty) dnssec_trust_tree structure
138 * \return ldns_dnssec_trust_tree *
140 ldns_dnssec_trust_tree *ldns_dnssec_trust_tree_new();
143 * Frees the dnssec_trust_tree recursively
145 * There is no deep free; all data in the trust tree
146 * consists of pointers to a data_chain
148 * \param[in] tree The tree to free
150 void ldns_dnssec_trust_tree_free(ldns_dnssec_trust_tree *tree);
153 * returns the depth of the trust tree
155 * \param[in] tree tree to calculate the depth of
156 * \return The depth of the tree
158 size_t ldns_dnssec_trust_tree_depth(ldns_dnssec_trust_tree *tree);
161 * Prints the dnssec_trust_tree structure to the given file
164 * If a link status is not LDNS_STATUS_OK; the status and
165 * relevant signatures are printed too
167 * \param[in] *out The file stream to print to
168 * \param[in] tree The trust tree to print
169 * \param[in] tabs Prepend each line with tabs*2 spaces
170 * \param[in] extended If true, add little explanation lines to the output
172 void ldns_dnssec_trust_tree_print(FILE *out,
173 ldns_dnssec_trust_tree *tree,
178 * Prints the dnssec_trust_tree structure to the given file
181 * If a link status is not LDNS_STATUS_OK; the status and
182 * relevant signatures are printed too
184 * \param[in] *out The file stream to print to
185 * \param[in] *fmt The format of the textual representation
186 * \param[in] tree The trust tree to print
187 * \param[in] tabs Prepend each line with tabs*2 spaces
188 * \param[in] extended If true, add little explanation lines to the output
190 void ldns_dnssec_trust_tree_print_fmt(FILE *out,
191 const ldns_output_format *fmt,
192 ldns_dnssec_trust_tree *tree,
197 * Adds a trust tree as a parent for the given trust tree
199 * \param[in] *tree The tree to add the parent to
200 * \param[in] *parent The parent tree to add
201 * \param[in] *parent_signature The RRSIG relevant to this parent/child
203 * \param[in] parent_status The DNSSEC status for this parent, child and RRSIG
204 * \return LDNS_STATUS_OK if the addition succeeds, error otherwise
206 ldns_status ldns_dnssec_trust_tree_add_parent(ldns_dnssec_trust_tree *tree,
207 const ldns_dnssec_trust_tree *parent,
208 const ldns_rr *parent_signature,
209 const ldns_status parent_status);
212 * Generates a dnssec_trust_ttree for the given rr from the
215 * This does not clone the actual data; Don't free the
216 * data_chain before you are done with this tree
218 * \param[in] *data_chain The chain to derive the trust tree from
219 * \param[in] *rr The RR this tree will be about
220 * \return ldns_dnssec_trust_tree *
222 ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree(
223 ldns_dnssec_data_chain *data_chain,
227 * Sub function for derive_trust_tree that is used for a 'normal' rrset
229 * \param[in] new_tree The trust tree that we are building
230 * \param[in] data_chain The data chain containing the data for the trust tree
231 * \param[in] cur_sig_rr The currently relevant signature
233 void ldns_dnssec_derive_trust_tree_normal_rrset(
234 ldns_dnssec_trust_tree *new_tree,
235 ldns_dnssec_data_chain *data_chain,
236 ldns_rr *cur_sig_rr);
239 * Sub function for derive_trust_tree that is used for DNSKEY rrsets
241 * \param[in] new_tree The trust tree that we are building
242 * \param[in] data_chain The data chain containing the data for the trust tree
243 * \param[in] cur_rr The currently relevant DNSKEY RR
244 * \param[in] cur_sig_rr The currently relevant signature
246 void ldns_dnssec_derive_trust_tree_dnskey_rrset(
247 ldns_dnssec_trust_tree *new_tree,
248 ldns_dnssec_data_chain *data_chain,
250 ldns_rr *cur_sig_rr);
253 * Sub function for derive_trust_tree that is used for DS rrsets
255 * \param[in] new_tree The trust tree that we are building
256 * \param[in] data_chain The data chain containing the data for the trust tree
257 * \param[in] cur_rr The currently relevant DS RR
259 void ldns_dnssec_derive_trust_tree_ds_rrset(
260 ldns_dnssec_trust_tree *new_tree,
261 ldns_dnssec_data_chain *data_chain,
265 * Sub function for derive_trust_tree that is used when there are no
268 * \param[in] new_tree The trust tree that we are building
269 * \param[in] data_chain The data chain containing the data for the trust tree
271 void ldns_dnssec_derive_trust_tree_no_sig(
272 ldns_dnssec_trust_tree *new_tree,
273 ldns_dnssec_data_chain *data_chain);
276 * Returns OK if there is a trusted path in the tree to one of
277 * the DNSKEY or DS RRs in the given list
279 * \param *tree The trust tree so search
280 * \param *keys A ldns_rr_list of DNSKEY and DS rrs to look for
281 * \return LDNS_STATUS_OK if there is a trusted path to one of
282 * the keys, or the *first* error encountered
283 * if there were no paths
285 ldns_status ldns_dnssec_trust_tree_contains_keys(
286 ldns_dnssec_trust_tree *tree,
290 * Verifies a list of signatures for one rrset.
292 * \param[in] rrset the rrset to verify
293 * \param[in] rrsig a list of signatures to check
294 * \param[in] keys a list of keys to check with
295 * \param[out] good_keys if this is a (initialized) list, the pointer to keys
296 * from keys that validate one of the signatures
298 * \return status LDNS_STATUS_OK if there is at least one correct key
300 ldns_status ldns_verify(ldns_rr_list *rrset,
302 const ldns_rr_list *keys,
303 ldns_rr_list *good_keys);
306 * Verifies a list of signatures for one rrset, but disregard the time.
307 * Inception and Expiration are not checked.
309 * \param[in] rrset the rrset to verify
310 * \param[in] rrsig a list of signatures to check
311 * \param[in] keys a list of keys to check with
312 * \param[out] good_keys if this is a (initialized) list, the pointer to keys
313 * from keys that validate one of the signatures
315 * \return status LDNS_STATUS_OK if there is at least one correct key
317 ldns_status ldns_verify_notime(ldns_rr_list *rrset,
319 const ldns_rr_list *keys,
320 ldns_rr_list *good_keys);
323 * Tries to build an authentication chain from the given
324 * keys down to the queried domain.
326 * If we find a valid trust path, return the valid keys for the domain.
328 * \param[in] res the current resolver
329 * \param[in] domain the domain we want valid keys for
330 * \param[in] keys the current set of trusted keys
331 * \param[out] status pointer to the status variable where the result
332 * code will be stored
333 * \return the set of trusted keys for the domain, or NULL if no
334 * trust path could be built.
336 ldns_rr_list *ldns_fetch_valid_domain_keys(const ldns_resolver * res,
337 const ldns_rdf * domain,
338 const ldns_rr_list * keys,
339 ldns_status *status);
342 * Validates the DNSKEY RRset for the given domain using the provided
345 * \param[in] res the current resolver
346 * \param[in] domain the domain we want valid keys for
347 * \param[in] keys the current set of trusted keys
348 * \return the set of trusted keys for the domain, or NULL if the RRSET
349 * could not be validated
351 ldns_rr_list *ldns_validate_domain_dnskey (const ldns_resolver *res,
352 const ldns_rdf *domain,
353 const ldns_rr_list *keys);
356 * Validates the DS RRset for the given domain using the provided trusted keys.
358 * \param[in] res the current resolver
359 * \param[in] domain the domain we want valid keys for
360 * \param[in] keys the current set of trusted keys
361 * \return the set of trusted keys for the domain, or NULL if the RRSET could not be validated
363 ldns_rr_list *ldns_validate_domain_ds(const ldns_resolver *res,
366 const ldns_rr_list * keys);
369 * Verifies a list of signatures for one RRset using a valid trust path.
371 * \param[in] res the current resolver
372 * \param[in] rrset the rrset to verify
373 * \param[in] rrsigs a list of signatures to check
374 * \param[out] validating_keys if this is a (initialized) list, the
375 * keys from keys that validate one of
376 * the signatures are added to it
377 * \return status LDNS_STATUS_OK if there is at least one correct key
379 ldns_status ldns_verify_trusted(ldns_resolver *res,
381 ldns_rr_list *rrsigs,
382 ldns_rr_list *validating_keys);
385 * denial is not just a river in egypt
387 * \param[in] rr The (query) RR to check the denial of existence for
388 * \param[in] nsecs The list of NSEC RRs that are supposed to deny the
389 * existence of the RR
390 * \param[in] rrsigs The RRSIG RR covering the NSEC RRs
391 * \return LDNS_STATUS_OK if the NSEC RRs deny the existence, error code
392 * containing the reason they do not otherwise
394 ldns_status ldns_dnssec_verify_denial(ldns_rr *rr,
396 ldns_rr_list *rrsigs);
399 * Denial of existence using NSEC3 records
400 * Since NSEC3 is a bit more complicated than normal denial, some
401 * context arguments are needed
403 * \param[in] rr The (query) RR to check the denial of existence for
404 * \param[in] nsecs The list of NSEC3 RRs that are supposed to deny the
405 * existence of the RR
406 * \param[in] rrsigs The RRSIG rr covering the NSEC RRs
407 * \param[in] packet_rcode The RCODE value of the packet that provided the
409 * \param[in] packet_qtype The original query RR type
410 * \param[in] packet_nodata True if the providing packet had an empty ANSWER
412 * \return LDNS_STATUS_OK if the NSEC3 RRs deny the existence, error code
413 * containing the reason they do not otherwise
415 ldns_status ldns_dnssec_verify_denial_nsec3(ldns_rr *rr,
417 ldns_rr_list *rrsigs,
418 ldns_pkt_rcode packet_rcode,
419 ldns_rr_type packet_qtype,
423 * Same as ldns_status ldns_dnssec_verify_denial_nsec3 but also returns
424 * the nsec rr that matched.
426 * \param[in] rr The (query) RR to check the denial of existence for
427 * \param[in] nsecs The list of NSEC3 RRs that are supposed to deny the
428 * existence of the RR
429 * \param[in] rrsigs The RRSIG rr covering the NSEC RRs
430 * \param[in] packet_rcode The RCODE value of the packet that provided the
432 * \param[in] packet_qtype The original query RR type
433 * \param[in] packet_nodata True if the providing packet had an empty ANSWER
435 * \param[in] match On match, the given (reference to a) pointer will be set
436 * to point to the matching nsec resource record.
437 * \return LDNS_STATUS_OK if the NSEC3 RRs deny the existence, error code
438 * containing the reason they do not otherwise
440 ldns_status ldns_dnssec_verify_denial_nsec3_match(ldns_rr *rr,
442 ldns_rr_list *rrsigs,
443 ldns_pkt_rcode packet_rcode,
444 ldns_rr_type packet_qtype,
448 * Verifies the already processed data in the buffers
449 * This function should probably not be used directly.
451 * \param[in] rawsig_buf Buffer containing signature data to use
452 * \param[in] verify_buf Buffer containing data to verify
453 * \param[in] key_buf Buffer containing key data to use
454 * \param[in] algo Signing algorithm
455 * \return status LDNS_STATUS_OK if the data verifies. Error if not.
457 ldns_status ldns_verify_rrsig_buffers(ldns_buffer *rawsig_buf,
458 ldns_buffer *verify_buf,
459 ldns_buffer *key_buf,
463 * Like ldns_verify_rrsig_buffers, but uses raw data.
465 * \param[in] sig signature data to use
466 * \param[in] siglen length of signature data to use
467 * \param[in] verify_buf Buffer containing data to verify
468 * \param[in] key key data to use
469 * \param[in] keylen length of key data to use
470 * \param[in] algo Signing algorithm
471 * \return status LDNS_STATUS_OK if the data verifies. Error if not.
473 ldns_status ldns_verify_rrsig_buffers_raw(unsigned char* sig,
475 ldns_buffer *verify_buf,
481 * Verifies an rrsig. All keys in the keyset are tried.
482 * \param[in] rrset the rrset to check
483 * \param[in] rrsig the signature of the rrset
484 * \param[in] keys the keys to try
485 * \param[out] good_keys if this is a (initialized) list, the pointer to keys
486 * from keys that validate one of the signatures
488 * \return a list of keys which validate the rrsig + rrset. Returns
489 * status LDNS_STATUS_OK if at least one key matched. Else an error.
491 ldns_status ldns_verify_rrsig_keylist(ldns_rr_list *rrset,
493 const ldns_rr_list *keys,
494 ldns_rr_list *good_keys);
497 * Verifies an rrsig. All keys in the keyset are tried. Time is not checked.
498 * \param[in] rrset the rrset to check
499 * \param[in] rrsig the signature of the rrset
500 * \param[in] keys the keys to try
501 * \param[out] good_keys if this is a (initialized) list, the pointer to keys
502 * from keys that validate one of the signatures
504 * \return a list of keys which validate the rrsig + rrset. Returns
505 * status LDNS_STATUS_OK if at least one key matched. Else an error.
507 ldns_status ldns_verify_rrsig_keylist_notime(ldns_rr_list *rrset,
509 const ldns_rr_list *keys,
510 ldns_rr_list *good_keys);
513 * verify an rrsig with 1 key
514 * \param[in] rrset the rrset
515 * \param[in] rrsig the rrsig to verify
516 * \param[in] key the key to use
517 * \return status message wether verification succeeded.
519 ldns_status ldns_verify_rrsig(ldns_rr_list *rrset,
523 #if LDNS_BUILD_CONFIG_HAVE_SSL
525 * verifies a buffer with signature data for a buffer with rrset data
528 * \param[in] sig the signature data
529 * \param[in] rrset the rrset data, sorted and processed for verification
530 * \param[in] key the EVP key structure
531 * \param[in] digest_type The digest type of the signature
533 ldns_status ldns_verify_rrsig_evp(ldns_buffer *sig,
536 const EVP_MD *digest_type);
539 * Like ldns_verify_rrsig_evp, but uses raw signature data.
540 * \param[in] sig the signature data, wireformat uncompressed
541 * \param[in] siglen length of the signature data
542 * \param[in] rrset the rrset data, sorted and processed for verification
543 * \param[in] key the EVP key structure
544 * \param[in] digest_type The digest type of the signature
546 ldns_status ldns_verify_rrsig_evp_raw(unsigned char *sig,
550 const EVP_MD *digest_type);
554 * verifies a buffer with signature data (DSA) for a buffer with rrset data
555 * with a buffer with key data.
557 * \param[in] sig the signature data
558 * \param[in] rrset the rrset data, sorted and processed for verification
559 * \param[in] key the key data
561 ldns_status ldns_verify_rrsig_dsa(ldns_buffer *sig,
566 * verifies a buffer with signature data (RSASHA1) for a buffer with rrset data
567 * with a buffer with key data.
569 * \param[in] sig the signature data
570 * \param[in] rrset the rrset data, sorted and processed for verification
571 * \param[in] key the key data
573 ldns_status ldns_verify_rrsig_rsasha1(ldns_buffer *sig,
578 * verifies a buffer with signature data (RSAMD5) for a buffer with rrset data
579 * with a buffer with key data.
581 * \param[in] sig the signature data
582 * \param[in] rrset the rrset data, sorted and processed for verification
583 * \param[in] key the key data
585 ldns_status ldns_verify_rrsig_rsamd5(ldns_buffer *sig,
590 * Like ldns_verify_rrsig_dsa, but uses raw signature and key data.
591 * \param[in] sig raw uncompressed wireformat signature data
592 * \param[in] siglen length of signature data
593 * \param[in] rrset ldns buffer with prepared rrset data.
594 * \param[in] key raw uncompressed wireformat key data
595 * \param[in] keylen length of key data
597 ldns_status ldns_verify_rrsig_dsa_raw(unsigned char* sig,
604 * Like ldns_verify_rrsig_rsasha1, but uses raw signature and key data.
605 * \param[in] sig raw uncompressed wireformat signature data
606 * \param[in] siglen length of signature data
607 * \param[in] rrset ldns buffer with prepared rrset data.
608 * \param[in] key raw uncompressed wireformat key data
609 * \param[in] keylen length of key data
611 ldns_status ldns_verify_rrsig_rsasha1_raw(unsigned char* sig,
618 * Like ldns_verify_rrsig_rsasha256, but uses raw signature and key data.
619 * \param[in] sig raw uncompressed wireformat signature data
620 * \param[in] siglen length of signature data
621 * \param[in] rrset ldns buffer with prepared rrset data.
622 * \param[in] key raw uncompressed wireformat key data
623 * \param[in] keylen length of key data
626 ldns_status ldns_verify_rrsig_rsasha256_raw(unsigned char* sig,
633 * Like ldns_verify_rrsig_rsasha512, but uses raw signature and key data.
634 * \param[in] sig raw uncompressed wireformat signature data
635 * \param[in] siglen length of signature data
636 * \param[in] rrset ldns buffer with prepared rrset data.
637 * \param[in] key raw uncompressed wireformat key data
638 * \param[in] keylen length of key data
640 ldns_status ldns_verify_rrsig_rsasha512_raw(unsigned char* sig,
647 * Like ldns_verify_rrsig_rsamd5, but uses raw signature and key data.
648 * \param[in] sig raw uncompressed wireformat signature data
649 * \param[in] siglen length of signature data
650 * \param[in] rrset ldns buffer with prepared rrset data.
651 * \param[in] key raw uncompressed wireformat key data
652 * \param[in] keylen length of key data
654 ldns_status ldns_verify_rrsig_rsamd5_raw(unsigned char* sig,