12 #include <openssl/ssl.h>
13 #include <openssl/evp.h>
14 #include <openssl/rand.h>
15 #include <openssl/err.h>
16 #include <openssl/md5.h>
67 fprintf(out,
";; rcode: %s\n", rcode->
name);
71 if (rr_descriptor && rr_descriptor->
_name) {
72 fprintf(out,
";; qtype: %s\n", rr_descriptor->
_name);
74 fprintf(out,
"TYPE%u",
78 fprintf(out,
";; NODATA response\n");
80 fprintf(out,
"rrset:\n");
82 fprintf(out,
"sigs:\n");
84 fprintf(out,
"---\n");
86 fprintf(out,
"<no data>\n");
209 printf(
"There were already sigs!\n");
211 printf(
"replacing the old sigs\n");
242 possible_parent_name,
283 ldns_rdf *name = NULL, *key_name = NULL;
287 bool other_rrset =
false;
411 return ldns_dnssec_build_data_chain_nokeyname(res,
420 ldns_dnssec_build_data_chain_dnskey(res,
430 ldns_dnssec_build_data_chain_other(res,
449 if(!new_tree)
return NULL;
451 new_tree->
rrset = NULL;
478 if (parent > result) {
487 print_tabs(FILE *out,
size_t nr, uint8_t *map,
size_t treedepth)
490 for (i = 0; i < nr; i++) {
492 fprintf(out,
"|---");
493 }
else if (map && i < treedepth && map[i] == 1) {
502 ldns_dnssec_trust_tree_print_sm_fmt(FILE *out,
519 memset(sibmap, 0, treedepth);
525 print_tabs(out, tabs, sibmap, treedepth);
529 if (descriptor->
_name) {
530 fprintf(out,
" (%s", descriptor->
_name);
532 fprintf(out,
" (TYPE%d",
537 fprintf(out,
" keytag: %u",
539 fprintf(out,
" alg: ");
541 fprintf(out,
" flags: ");
544 fprintf(out,
" keytag: ");
546 fprintf(out,
" digest type: ");
559 if (tree->
parent_count > 1 && i < tree->parent_count - 1) {
570 print_tabs(out, tabs + 1, sibmap, treedepth);
574 fprintf(out,
"Existence of DS is denied by:\n");
576 fprintf(out,
"Existence is denied by:\n");
581 fprintf(out,
"Existence of DS is denied by:\n");
583 print_tabs(out, tabs + 1, sibmap, treedepth);
585 "Error in denial of existence: %s\n",
592 print_tabs(out, tabs + 1, sibmap, treedepth);
599 printf(
"; SSL Error: ");
600 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(HAVE_LIBRESSL)
601 ERR_load_crypto_strings();
603 ERR_print_errors_fp(stdout);
608 parent_signature[i]);
609 printf(
"For RRset:\n");
612 printf(
"With key:\n");
616 ldns_dnssec_trust_tree_print_sm_fmt(out, fmt,
624 print_tabs(out, tabs, sibmap, treedepth);
625 fprintf(out,
"<no data>\n");
628 fprintf(out,
"<null pointer>\n");
642 ldns_dnssec_trust_tree_print_sm_fmt(out, fmt,
643 tree, tabs, extended, NULL, 0);
653 tree, tabs, extended);
701 if (data_chain && data_chain->
rrset) {
702 cur_rrset = data_chain->
rrset;
715 new_tree->
rr = cur_rr;
716 new_tree->
rrset = cur_rrset;
770 new_tree, data_chain,
777 new_tree, data_chain, check_time);
815 tmp_rrset = cur_rrset;
823 assert(tmp_rrset == cur_rrset);
843 if (tmp_rrset && tmp_rrset != cur_rrset
851 if (cur_parent_rr == new_tree->
parents[i]->
rr) {
879 new_tree, data_chain, cur_sig_rr, ldns_time(NULL));
901 if (cur_parent_rr != cur_rr &&
906 cur_parent_tree->
rr = cur_parent_rr;
907 cur_parent_tree->
rrset = cur_rrset;
909 cur_rrset, cur_sig_rr,
910 cur_parent_rr, check_time);
912 cur_parent_tree, cur_sig_rr, cur_status))
926 new_tree, data_chain, cur_rr, cur_sig_rr, ldns_time(NULL));
979 new_tree, data_chain, cur_rr, ldns_time(NULL));
1028 cur_parent_tree, NULL, result))
1040 new_tree, data_chain, ldns_time(NULL));
1085 result = parent_result;
1109 if (!rrset || !rrsig || !keys) {
1127 keys, check_time, good_keys);
1138 return verify_result;
1155 if (!rrset || !rrsig || !keys) {
1185 return verify_result;
1201 if (res && domain && keys) {
1204 domain, keys, check_time))) {
1211 while (parent_domain &&
1248 if (parent_domain) {
1253 return trusted_keys;
1263 res, domain, keys, ldns_time(NULL), status);
1276 uint16_t key_i; uint16_t key_j; uint16_t key_k;
1277 uint16_t sig_i;
ldns_rr * cur_sig;
1337 return trusted_keys;
1357 return trusted_keys;
1366 res, domain, keys, ldns_time(NULL));
1414 return trusted_keys;
1434 uint16_t sig_i; uint16_t key_i;
1439 if (!res || !rrset || !rrsigs) {
1473 if (validating_keys) {
1496 res, rrset, rrsigs, ldns_time(NULL), validating_keys);
1513 bool name_covered =
false;
1514 bool type_covered =
false;
1515 bool wildcard_covered =
false;
1516 bool wildcard_type_covered =
false;
1517 bool rr_name_is_root =
false;
1522 if (!rr_name_is_root) {
1544 wildcard_covered =
true;
1549 type_covered =
true;
1553 name_covered =
true;
1556 if (rr_name_is_root)
1563 wildcard_type_covered =
true;
1568 wildcard_covered =
true;
1575 if (type_covered || !name_covered) {
1579 if (rr_name_is_root)
1582 if (wildcard_type_covered || !wildcard_covered) {
1595 ,
bool packet_nodata
1602 bool wildcard_covered =
false;
1621 if(!closest_encloser) {
1630 hashed_wildcard_name =
1637 hashed_wildcard_name)) {
1638 wildcard_covered =
true;
1646 if (! wildcard_covered) {
1686 if(!closest_encloser) {
1693 hashed_wildcard_name =
1757 if(!closest_encloser) {
1767 hashed_next_closer = hashed_name;
1790 hashed_next_closer) &&
1818 rr, nsecs, rrsigs, packet_rcode,
1819 packet_qtype, packet_nodata, NULL
1828 uint8_t asn[37] = { 0x30, 0x63, 0x30, 0x1c, 0x06, 0x06, 0x2a, 0x85,
1829 0x03, 0x02, 0x02, 0x13, 0x30, 0x12, 0x06, 0x07, 0x2a, 0x85,
1830 0x03, 0x02, 0x02, 0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03,
1831 0x02, 0x02, 0x1e, 0x01, 0x03, 0x43, 0x00, 0x04, 0x40};
1832 unsigned char encoded[37+64];
1833 const unsigned char* pp;
1840 memmove(encoded, asn, 37);
1841 memmove(encoded+37, key, 64);
1842 pp = (
unsigned char*)&encoded[0];
1844 return d2i_PUBKEY(NULL, &pp, (
int)
sizeof(encoded));
1848 ldns_verify_rrsig_gost_raw(
const unsigned char* sig,
size_t siglen,
1849 const ldns_buffer* rrset,
const unsigned char* key,
size_t keylen)
1863 evp_key, EVP_get_digestbyname(
"md_gost94"));
1864 EVP_PKEY_free(evp_key);
1875 uint8_t pre[] = {0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
1876 0x70, 0x03, 0x21, 0x00};
1881 const unsigned char* pp = (
unsigned char*)buf;
1882 if(keylen != 32 || keylen + pre_len >
sizeof(buf))
1884 memmove(buf, pre, pre_len);
1885 memmove(buf+pre_len, key, keylen);
1886 evp_key = d2i_PUBKEY(NULL, &pp, (
int)(pre_len+keylen));
1891 ldns_verify_rrsig_ed25519_raw(
unsigned char* sig,
size_t siglen,
1892 ldns_buffer* rrset,
unsigned char* key,
size_t keylen)
1903 EVP_PKEY_free(evp_key);
1913 uint8_t pre[] = {0x30, 0x43, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
1914 0x71, 0x03, 0x3a, 0x00};
1919 const unsigned char* pp = (
unsigned char*)buf;
1920 if(keylen != 57 || keylen + pre_len >
sizeof(buf))
1922 memmove(buf, pre, pre_len);
1923 memmove(buf+pre_len, key, keylen);
1924 evp_key = d2i_PUBKEY(NULL, &pp, (
int)(pre_len+keylen));
1929 ldns_verify_rrsig_ed448_raw(
unsigned char* sig,
size_t siglen,
1930 ldns_buffer* rrset,
unsigned char* key,
size_t keylen)
1941 EVP_PKEY_free(evp_key);
1950 unsigned char buf[256+2];
1951 const unsigned char* pp = buf;
1956 if(keylen != 2*256/8)
return NULL;
1957 ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
1959 if(keylen != 2*384/8)
return NULL;
1960 ec = EC_KEY_new_by_curve_name(NID_secp384r1);
1962 if(!ec)
return NULL;
1963 if(keylen+1 >
sizeof(buf))
1967 buf[0] = POINT_CONVERSION_UNCOMPRESSED;
1968 memmove(buf+1, key, keylen);
1969 if(!o2i_ECPublicKey(&ec, &pp, (
int)keylen+1)) {
1973 evp_key = EVP_PKEY_new();
1978 if (!EVP_PKEY_assign_EC_KEY(evp_key, ec)) {
1979 EVP_PKEY_free(evp_key);
1987 ldns_verify_rrsig_ecdsa_raw(
unsigned char* sig,
size_t siglen,
1988 ldns_buffer* rrset,
unsigned char* key,
size_t keylen, uint8_t algo)
2001 else d = EVP_sha384();
2003 EVP_PKEY_free(evp_key);
2013 (
unsigned char*)ldns_buffer_begin(rawsig_buf),
2014 ldns_buffer_position(rawsig_buf),
2016 (
unsigned char*)ldns_buffer_begin(key_buf),
2017 ldns_buffer_position(key_buf), algo);
2022 ldns_buffer *verify_buf,
unsigned char* key,
size_t keylen,
2063 return ldns_verify_rrsig_gost_raw(sig, siglen, verify_buf,
2070 return ldns_verify_rrsig_ecdsa_raw(sig, siglen, verify_buf,
2076 return ldns_verify_rrsig_ed25519_raw(sig, siglen, verify_buf,
2082 return ldns_verify_rrsig_ed448_raw(sig, siglen, verify_buf,
2112 uint8_t label_count;
2135 wildcard_chopped = wildcard_chopped_tmp;
2161 if (rrsig == NULL) {
2250 ldns_rrsig_check_timestamps(
const ldns_rr* rrsig, time_t now)
2252 int32_t inception, expiration;
2260 if (expiration - inception < 0) {
2264 if (((int32_t) now) - inception < 0) {
2268 if (expiration - ((int32_t) now) < 0) {
2298 result = ldns_rrsig2rawsig_buffer(rawsig_buf, rrsig);
2304 ldns_rrset_use_signature_ttl(rrset_clone, rrsig);
2336 if (rrsig == NULL) {
2373 verify_buf, key_buf, sig_algo);
2421 result = ldns_rrsig_check_timestamps(rrsig, check_time);
2448 rrset, rrsig, keys, ldns_time(NULL), good_keys);
2480 result = ldns_prepare_for_verify(rawsig_buf, verify_buf,
2481 rrset_clone, rrsig);
2492 status = ldns_verify_test_sig_key(rawsig_buf, verify_buf,
2556 result = ldns_prepare_for_verify(rawsig_buf, verify_buf,
2557 rrset_clone, rrsig);
2564 result = ldns_verify_test_sig_key(rawsig_buf, verify_buf,
2573 result = ldns_rrsig_check_timestamps(rrsig, check_time);
2589 const EVP_MD *digest_type)
2592 (
unsigned char*)ldns_buffer_begin(sig),
2593 ldns_buffer_position(sig),
2601 const ldns_buffer *rrset, EVP_PKEY *key,
const EVP_MD *digest_type)
2606 #ifdef HAVE_EVP_MD_CTX_NEW
2607 ctx = EVP_MD_CTX_new();
2609 ctx = (EVP_MD_CTX*)malloc(
sizeof(*ctx));
2610 if(ctx) EVP_MD_CTX_init(ctx);
2615 #if defined(USE_ED25519) || defined(USE_ED448)
2617 res = EVP_DigestVerifyInit(ctx, NULL, digest_type, NULL, key);
2619 res = EVP_DigestVerify(ctx, sig, siglen,
2620 ldns_buffer_begin(rrset),
2621 ldns_buffer_position(rrset));
2628 EVP_VerifyInit(ctx, digest_type);
2629 EVP_VerifyUpdate(ctx,
2630 ldns_buffer_begin(rrset),
2631 ldns_buffer_position(rrset));
2632 res = EVP_VerifyFinal(ctx, sig, (
unsigned int) siglen, key);
2635 EVP_MD_CTX_destroy(ctx);
2640 }
else if (res == 0) {
2652 (
unsigned char*) ldns_buffer_begin(sig),
2653 ldns_buffer_position(sig),
2655 (
unsigned char*) ldns_buffer_begin(key),
2656 ldns_buffer_position(key));
2663 (
unsigned char*)ldns_buffer_begin(sig),
2664 ldns_buffer_position(sig),
2666 (
unsigned char*) ldns_buffer_begin(key),
2667 ldns_buffer_position(key));
2674 (
unsigned char*)ldns_buffer_begin(sig),
2675 ldns_buffer_position(sig),
2677 (
unsigned char*) ldns_buffer_begin(key),
2678 ldns_buffer_position(key));
2683 ldns_buffer* rrset,
unsigned char* key,
size_t keylen)
2689 evp_key = EVP_PKEY_new();
2695 # ifdef HAVE_EVP_DSS1
2704 EVP_PKEY_free(evp_key);
2707 (void)sig; (void)siglen; (void)rrset; (void)key; (void)keylen;
2714 ldns_buffer* rrset,
unsigned char* key,
size_t keylen)
2719 evp_key = EVP_PKEY_new();
2729 EVP_PKEY_free(evp_key);
2745 evp_key = EVP_PKEY_new();
2755 EVP_PKEY_free(evp_key);
2780 evp_key = EVP_PKEY_new();
2790 EVP_PKEY_free(evp_key);
2815 evp_key = EVP_PKEY_new();
2825 EVP_PKEY_free(evp_key);
void ldns_buffer_free(ldns_buffer *buffer)
frees the buffer.
ldns_buffer * ldns_buffer_new(size_t capacity)
creates a new buffer with the specified capacity.
ldns_rdf * ldns_dname_clone_from(const ldns_rdf *d, uint16_t n)
Clones the given dname from the nth label on.
signed char ldns_dname_is_subdomain(const ldns_rdf *sub, const ldns_rdf *parent)
test whether the name sub falls under parent (i.e.
int ldns_dname_compare(const ldns_rdf *dname1, const ldns_rdf *dname2)
Compares the two dname rdf's according to the algorithm for ordering in RFC4034 Section 6.
ldns_rdf * ldns_dname_left_chop(const ldns_rdf *d)
chop one label off the left side of a dname.
void ldns_dname2canonical(const ldns_rdf *rdf)
Put a dname into canonical fmt - ie.
uint8_t ldns_dname_label_count(const ldns_rdf *r)
count the number of labels inside a LDNS_RDF_DNAME type rdf.
ldns_status ldns_dname_cat(ldns_rdf *rd1, const ldns_rdf *rd2)
concatenates rd2 after rd1 (rd2 is copied, rd1 is modified)
ldns_rdf * ldns_dname_new_frm_str(const char *str)
creates a new dname rdf from a string.
ldns_rdf * ldns_nsec_get_bitmap(const ldns_rr *nsec)
Returns the rdata field that contains the bitmap of the covered types of the given NSEC record.
signed char ldns_nsec_bitmap_covers_type(const ldns_rdf *bitmap, ldns_rr_type type)
Check if RR type t is enumerated and set in the RR type bitmap rdf.
ldns_status ldns_convert_ecdsa_rrsig_rdf2asn1(ldns_buffer *target_buffer, const ldns_rdf *sig_rdf)
Converts the RRSIG signature RDF (from DNS) to a buffer with the signature in ASN1 format as openssl ...
ldns_rdf * ldns_dnssec_nsec3_closest_encloser(const ldns_rdf *qname, ldns_rr_type qtype, const ldns_rr_list *nsec3s)
Returns the dname of the closest (provable) encloser.
ldns_rr * ldns_dnssec_get_rrsig_for_name_and_type(const ldns_rdf *name, const ldns_rr_type type, const ldns_rr_list *rrs)
Returns the first RRSIG rr that corresponds to the rrset with the given name and type.
signed char ldns_nsec_covers_name(const ldns_rr *nsec, const ldns_rdf *name)
Checks coverage of NSEC(3) RR name span Remember that nsec and name must both be in canonical form (i...
signed char ldns_dnssec_pkt_has_rrsigs(const ldns_pkt *pkt)
Checks whether the packet contains rrsigs.
RSA * ldns_key_buf2rsa_raw(const unsigned char *key, size_t len)
Like ldns_key_buf2rsa, but uses raw buffer.
uint16_t ldns_calc_keytag(const ldns_rr *key)
calculates a keytag of a key for use in DNSSEC.
EVP_PKEY * ldns_gost2pkey_raw(const unsigned char *key, size_t keylen)
Converts a holding buffer with key material to EVP PKEY in openssl.
ldns_status ldns_convert_dsa_rrsig_rdf2asn1(ldns_buffer *target_buffer, const ldns_rdf *sig_rdf)
Converts the RRSIG signature RDF (in rfc2536 format) to a buffer with the signature in rfc2459 format...
ldns_rr_list * ldns_dnssec_pkt_get_rrsigs_for_name_and_type(const ldns_pkt *pkt, const ldns_rdf *name, ldns_rr_type type)
Returns a ldns_rr_list containing the signatures covering the given name and type.
signed char ldns_nsec3_optout(const ldns_rr *nsec3_rr)
Returns true if the opt-out flag has been set in the given NSEC3 RR.
ldns_rdf * ldns_nsec3_bitmap(const ldns_rr *nsec3_rr)
Returns the bitmap specifying the covered types of the given NSEC3 RR.
DSA * ldns_key_buf2dsa_raw(const unsigned char *key, size_t len)
Like ldns_key_buf2dsa, but uses raw buffer.
ldns_rdf * ldns_nsec3_hash_name_frm_nsec3(const ldns_rr *nsec, const ldns_rdf *name)
Calculates the hashed name using the parameters of the given NSEC3 RR.
ldns_rr_list * ldns_dnssec_pkt_get_rrsigs_for_type(const ldns_pkt *pkt, ldns_rr_type type)
Returns a ldns_rr_list containing the signatures covering the given type.
ldns_status ldns_verify_rrsig_buffers_raw(unsigned char *sig, size_t siglen, ldns_buffer *verify_buf, unsigned char *key, size_t keylen, uint8_t algo)
Like ldns_verify_rrsig_buffers, but uses raw data.
ldns_status ldns_dnssec_verify_denial_nsec3_match(ldns_rr *rr, ldns_rr_list *nsecs, ldns_rr_list *rrsigs __attribute__((unused)), ldns_pkt_rcode packet_rcode, ldns_rr_type packet_qtype, signed char packet_nodata, ldns_rr **match)
void ldns_dnssec_data_chain_print(FILE *out, const ldns_dnssec_data_chain *chain)
Prints the dnssec_data_chain to the given file stream.
EVP_PKEY * ldns_ed255192pkey_raw(const unsigned char *key, size_t keylen)
Converts a holding buffer with key material to EVP PKEY in openssl.
ldns_dnssec_trust_tree * ldns_dnssec_trust_tree_new(void)
Creates a new (empty) dnssec_trust_tree structure.
ldns_rr_list * ldns_fetch_valid_domain_keys_time(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, time_t check_time, ldns_status *status)
Tries to build an authentication chain from the given keys down to the queried domain.
void ldns_dnssec_derive_trust_tree_dnskey_rrset_time(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr, ldns_rr *cur_sig_rr, time_t check_time)
Sub function for derive_trust_tree that is used for DNSKEY rrsets.
ldns_status ldns_verify_rrsig_keylist_time(const ldns_rr_list *rrset, const ldns_rr *rrsig, const ldns_rr_list *keys, time_t check_time, ldns_rr_list *good_keys)
Verifies an rrsig.
ldns_status ldns_verify_notime(ldns_rr_list *rrset, ldns_rr_list *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys)
Verifies a list of signatures for one rrset, but disregard the time.
ldns_status ldns_verify_rrsig_keylist(ldns_rr_list *rrset, ldns_rr *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys)
Verifies an rrsig.
ldns_rr_list * ldns_validate_domain_dnskey(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys)
Validates the DNSKEY RRset for the given domain using the provided trusted keys.
ldns_status ldns_verify_rrsig_rsasha256_raw(unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
Like ldns_verify_rrsig_rsasha256, but uses raw signature and key data.
ldns_dnssec_data_chain * ldns_dnssec_data_chain_new(void)
Creates a new dnssec_chain structure.
ldns_dnssec_trust_tree * ldns_dnssec_derive_trust_tree_time(ldns_dnssec_data_chain *data_chain, ldns_rr *rr, time_t check_time)
Generates a dnssec_trust_tree for the given rr from the given data_chain.
ldns_status ldns_verify_rrsig_rsasha1(ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key)
verifies a buffer with signature data (RSASHA1) for a buffer with rrset data with a buffer with key d...
void ldns_dnssec_derive_trust_tree_dnskey_rrset(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr, ldns_rr *cur_sig_rr)
Sub function for derive_trust_tree that is used for DNSKEY rrsets.
ldns_status ldns_verify_rrsig_keylist_notime(const ldns_rr_list *rrset, const ldns_rr *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys)
Verifies an rrsig.
ldns_status ldns_dnssec_verify_denial(ldns_rr *rr, ldns_rr_list *nsecs, ldns_rr_list *rrsigs)
denial is not just a river in egypt
ldns_status ldns_verify_rrsig_dsa_raw(unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
Like ldns_verify_rrsig_dsa, but uses raw signature and key data.
ldns_status ldns_verify_trusted(ldns_resolver *res, ldns_rr_list *rrset, ldns_rr_list *rrsigs, ldns_rr_list *validating_keys)
Verifies a list of signatures for one RRset using a valid trust path.
ldns_status ldns_verify_rrsig_rsamd5(ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key)
verifies a buffer with signature data (RSAMD5) for a buffer with rrset data with a buffer with key da...
ldns_status ldns_verify_rrsig_buffers(ldns_buffer *rawsig_buf, ldns_buffer *verify_buf, ldns_buffer *key_buf, uint8_t algo)
Verifies the already processed data in the buffers This function should probably not be used directly...
ldns_status ldns_verify_rrsig(ldns_rr_list *rrset, ldns_rr *rrsig, ldns_rr *key)
verify an rrsig with 1 key
void ldns_dnssec_derive_trust_tree_no_sig(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain)
Sub function for derive_trust_tree that is used when there are no signatures.
void ldns_dnssec_derive_trust_tree_no_sig_time(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, time_t check_time)
Sub function for derive_trust_tree that is used when there are no signatures.
EVP_PKEY * ldns_ed4482pkey_raw(const unsigned char *key, size_t keylen)
Converts a holding buffer with key material to EVP PKEY in openssl.
void ldns_dnssec_data_chain_deep_free(ldns_dnssec_data_chain *chain)
Frees a dnssec_data_chain structure, and all data contained therein.
ldns_dnssec_trust_tree * ldns_dnssec_derive_trust_tree(ldns_dnssec_data_chain *data_chain, ldns_rr *rr)
Generates a dnssec_trust_tree for the given rr from the given data_chain.
ldns_status ldns_dnssec_trust_tree_contains_keys(ldns_dnssec_trust_tree *tree, ldns_rr_list *trusted_keys)
Returns OK if there is a trusted path in the tree to one of the DNSKEY or DS RRs in the given list.
ldns_status ldns_verify_rrsig_rsasha1_raw(unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
Like ldns_verify_rrsig_rsasha1, but uses raw signature and key data.
ldns_status ldns_verify_rrsig_rsasha512_raw(unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
Like ldns_verify_rrsig_rsasha512, but uses raw signature and key data.
ldns_status ldns_verify_trusted_time(ldns_resolver *res, ldns_rr_list *rrset, ldns_rr_list *rrsigs, time_t check_time, ldns_rr_list *validating_keys)
Verifies a list of signatures for one RRset using a valid trust path.
ldns_dnssec_data_chain * ldns_dnssec_build_data_chain(ldns_resolver *res, uint16_t qflags, const ldns_rr_list *rrset, const ldns_pkt *pkt, ldns_rr *orig_rr)
Build an ldns_dnssec_data_chain, which contains all DNSSEC data that is needed to derive the trust tr...
ldns_status ldns_dnssec_verify_denial_nsec3(ldns_rr *rr, ldns_rr_list *nsecs, ldns_rr_list *rrsigs, ldns_pkt_rcode packet_rcode, ldns_rr_type packet_qtype, signed char packet_nodata)
Denial of existence using NSEC3 records Since NSEC3 is a bit more complicated than normal denial,...
ldns_status ldns_verify_rrsig_dsa(ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key)
verifies a buffer with signature data (DSA) for a buffer with rrset data with a buffer with key data.
ldns_status ldns_verify_rrsig_rsamd5_raw(unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
Like ldns_verify_rrsig_rsamd5, but uses raw signature and key data.
ldns_rr_list * ldns_fetch_valid_domain_keys(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, ldns_status *status)
Tries to build an authentication chain from the given keys down to the queried domain.
void ldns_dnssec_data_chain_print_fmt(FILE *out, const ldns_output_format *fmt, const ldns_dnssec_data_chain *chain)
Prints the dnssec_data_chain to the given file stream.
ldns_status ldns_verify_rrsig_evp_raw(const unsigned char *sig, size_t siglen, const ldns_buffer *rrset, EVP_PKEY *key, const EVP_MD *digest_type)
Like ldns_verify_rrsig_evp, but uses raw signature data.
ldns_rr_list * ldns_validate_domain_dnskey_time(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, time_t check_time)
Validates the DNSKEY RRset for the given domain using the provided trusted keys.
void ldns_dnssec_data_chain_free(ldns_dnssec_data_chain *chain)
Frees a dnssec_data_chain structure.
ldns_status ldns_verify_rrsig_time(ldns_rr_list *rrset, ldns_rr *rrsig, ldns_rr *key, time_t check_time)
verify an rrsig with 1 key
ldns_rr_list * ldns_validate_domain_ds_time(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, time_t check_time)
Validates the DS RRset for the given domain using the provided trusted keys.
ldns_rr_list * ldns_validate_domain_ds(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys)
Validates the DS RRset for the given domain using the provided trusted keys.
ldns_status ldns_verify_time(const ldns_rr_list *rrset, const ldns_rr_list *rrsig, const ldns_rr_list *keys, time_t check_time, ldns_rr_list *good_keys)
Verifies a list of signatures for one rrset.
void ldns_dnssec_derive_trust_tree_ds_rrset(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr)
Sub function for derive_trust_tree that is used for DS rrsets.
ldns_status ldns_verify(ldns_rr_list *rrset, ldns_rr_list *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys)
Verifies a list of signatures for one rrset.
void ldns_dnssec_derive_trust_tree_normal_rrset(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_sig_rr)
Sub function for derive_trust_tree that is used for a 'normal' rrset.
EVP_PKEY * ldns_ecdsa2pkey_raw(const unsigned char *key, size_t keylen, uint8_t algo)
Converts a holding buffer with key material to EVP PKEY in openssl.
ldns_status ldns_dnssec_trust_tree_add_parent(ldns_dnssec_trust_tree *tree, const ldns_dnssec_trust_tree *parent, const ldns_rr *signature, const ldns_status parent_status)
Adds a trust tree as a parent for the given trust tree.
size_t ldns_dnssec_trust_tree_depth(ldns_dnssec_trust_tree *tree)
returns the depth of the trust tree
void ldns_dnssec_trust_tree_free(ldns_dnssec_trust_tree *tree)
Frees the dnssec_trust_tree recursively.
ldns_status ldns_verify_rrsig_evp(ldns_buffer *sig, ldns_buffer *rrset, EVP_PKEY *key, const EVP_MD *digest_type)
verifies a buffer with signature data for a buffer with rrset data with an EVP_PKEY
void ldns_dnssec_trust_tree_print_fmt(FILE *out, const ldns_output_format *fmt, ldns_dnssec_trust_tree *tree, size_t tabs, signed char extended)
Prints the dnssec_trust_tree structure to the given file stream.
void ldns_dnssec_derive_trust_tree_normal_rrset_time(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_sig_rr, time_t check_time)
Sub function for derive_trust_tree that is used for a 'normal' rrset.
void ldns_dnssec_derive_trust_tree_ds_rrset_time(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr, time_t check_time)
Sub function for derive_trust_tree that is used for DS rrsets.
void ldns_dnssec_trust_tree_print(FILE *out, ldns_dnssec_trust_tree *tree, size_t tabs, signed char extended)
Prints the dnssec_trust_tree structure to the given file stream.
#define LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS
dnssec_verify
@ LDNS_STATUS_CRYPTO_NO_TRUSTED_DNSKEY
@ LDNS_STATUS_CRYPTO_NO_RRSIG
@ LDNS_STATUS_CRYPTO_TYPE_COVERED_ERR
@ LDNS_STATUS_CRYPTO_ALGO_NOT_IMPL
@ LDNS_STATUS_DNSSEC_NSEC_WILDCARD_NOT_COVERED
@ LDNS_STATUS_CRYPTO_EXPIRATION_BEFORE_INCEPTION
@ LDNS_STATUS_CRYPTO_NO_DNSKEY
@ LDNS_STATUS_CRYPTO_NO_TRUSTED_DS
@ LDNS_STATUS_DNSSEC_NSEC_RR_NOT_COVERED
@ LDNS_STATUS_CRYPTO_BOGUS
@ LDNS_STATUS_CRYPTO_NO_MATCHING_KEYTAG_DNSKEY
@ LDNS_STATUS_CRYPTO_SIG_NOT_INCEPTED
@ LDNS_STATUS_DNSSEC_EXISTENCE_DENIED
@ LDNS_STATUS_CRYPTO_SIG_EXPIRED
@ LDNS_STATUS_CRYPTO_UNKNOWN_ALGO
@ LDNS_STATUS_MISSING_RDATA_FIELDS_KEY
@ LDNS_STATUS_MISSING_RDATA_FIELDS_RRSIG
const char * ldns_get_errorstr_by_id(ldns_status err)
look up a descriptive text by each error.
enum ldns_enum_status ldns_status
void ldns_rdf_print(FILE *output, const ldns_rdf *rdf)
Prints the data in the rdata field to the given file stream (in presentation format)
void ldns_rr_list_print_fmt(FILE *output, const ldns_output_format *fmt, const ldns_rr_list *list)
print a rr_list to output
const ldns_output_format * ldns_output_format_default
The default output format record.
void ldns_rr_print_fmt(FILE *output, const ldns_output_format *fmt, const ldns_rr *rr)
Prints the data in the resource record to the given file stream (in presentation format)
ldns_status ldns_rrsig2buffer_wire(ldns_buffer *output, const ldns_rr *sigrr)
Converts a rrsig to wireformat BUT EXCLUDE the rrsig rdata This is needed in DNSSEC verification.
ldns_status ldns_rdf2buffer_wire(ldns_buffer *output, const ldns_rdf *rdf)
Copies the rdata data to the buffer in wire format.
ldns_status ldns_rr_list2buffer_wire(ldns_buffer *output, const ldns_rr_list *rrlist)
Copies the rr_list data to the buffer in wire format.
int ldns_key_EVP_load_gost_id(void)
Get the PKEY id for GOST, loads GOST into openssl as a side effect.
Including this file will include all ldns files, and define some lookup tables.
ldns_lookup_table ldns_rcodes[]
Response codes.
#define LDNS_MAX_PACKETLEN
void ldns_pkt_free(ldns_pkt *packet)
frees the packet structure and all data that it contains.
uint16_t ldns_pkt_ancount(const ldns_pkt *p)
Return the packet's an count.
enum ldns_enum_pkt_rcode ldns_pkt_rcode
ldns_rr_list * ldns_pkt_rr_list_by_type(const ldns_pkt *p, ldns_rr_type t, ldns_pkt_section s)
return all the rr with a specific type from a packet.
ldns_rr_list * ldns_pkt_rr_list_by_name_and_type(const ldns_pkt *packet, const ldns_rdf *ownername, ldns_rr_type type, ldns_pkt_section sec)
return all the rr with a specific type and type from a packet.
@ LDNS_SECTION_ANY_NOQUESTION
used to get all non-question rrs from a packet
ldns_pkt_rcode ldns_pkt_get_rcode(const ldns_pkt *p)
Return the packet's response code.
void ldns_rdf_deep_free(ldns_rdf *rd)
frees a rdf structure and frees the data.
uint32_t ldns_rdf2native_int32(const ldns_rdf *rd)
returns the native uint32_t representation from the rdf.
uint16_t ldns_rdf2native_int16(const ldns_rdf *rd)
returns the native uint16_t representation from the rdf.
uint8_t ldns_rdf2native_int8(const ldns_rdf *rd)
returns the native uint8_t representation from the rdf.
size_t ldns_rdf_size(const ldns_rdf *rd)
returns the size of the rdf.
time_t ldns_rdf2native_time_t(const ldns_rdf *rd)
returns the native time_t representation from the rdf.
uint8_t * ldns_rdf_data(const ldns_rdf *rd)
returns the data of the rdf.
ldns_rdf * ldns_rdf_clone(const ldns_rdf *rd)
clones a rdf structure.
ldns_pkt * ldns_resolver_query(const ldns_resolver *r, const ldns_rdf *name, ldns_rr_type t, ldns_rr_class c, uint16_t flags)
Send a query to a nameserver.
ldns_rr_list * ldns_resolver_dnssec_anchors(const ldns_resolver *r)
Get the resolver's DNSSEC anchors.
void ldns_rr_list_free(ldns_rr_list *rr_list)
frees an rr_list structure.
ldns_rr * ldns_rr_list_rr(const ldns_rr_list *rr_list, size_t nr)
returns a specific rr of an rrlist.
ldns_rdf * ldns_rr_owner(const ldns_rr *rr)
returns the owner name of an rr structure.
ldns_rr_type ldns_rdf2rr_type(const ldns_rdf *rd)
convert an rdf of type LDNS_RDF_TYPE_TYPE to an actual LDNS_RR_TYPE.
void ldns_rr_list_deep_free(ldns_rr_list *rr_list)
frees an rr_list structure and all rrs contained therein.
const ldns_rr_descriptor * ldns_rr_descript(uint16_t type)
returns the resource record descriptor for the given rr type.
void ldns_rr_set_owner(ldns_rr *rr, ldns_rdf *owner)
sets the owner in the rr structure.
ldns_rr_list * ldns_rr_list_pop_rrset(ldns_rr_list *rr_list)
pops the first rrset from the list, the list must be sorted, so that all rr's from each rrset are nex...
void ldns_rr_list_sort(ldns_rr_list *unsorted)
sorts an rr_list (canonical wire format).
enum ldns_enum_rr_type ldns_rr_type
@ LDNS_RR_TYPE_RRSIG
DNSSEC.
@ LDNS_RR_TYPE_DS
RFC4034, RFC3658.
@ LDNS_RR_TYPE_CNAME
the canonical name for an alias
@ LDNS_RR_TYPE_NS
an authoritative name server
signed char ldns_rr_list_push_rr(ldns_rr_list *rr_list, const ldns_rr *rr)
pushes an rr to an rrlist.
void ldns_rr2canonical(ldns_rr *rr)
converts each dname in a rr to its canonical form.
size_t ldns_rr_rd_count(const ldns_rr *rr)
returns the rd_count of an rr structure.
size_t ldns_rr_list_rr_count(const ldns_rr_list *rr_list)
returns the number of rr's in an rr_list.
ldns_rr_type ldns_rr_get_type(const ldns_rr *rr)
returns the type of the rr.
void ldns_rr_set_ttl(ldns_rr *rr, uint32_t ttl)
sets the ttl in the rr structure.
signed char ldns_rr_compare_ds(const ldns_rr *rr1, const ldns_rr *rr2)
returns true of the given rr's are equal.
ldns_rr_class ldns_rr_get_class(const ldns_rr *rr)
returns the class of the rr.
enum ldns_enum_rr_class ldns_rr_class
ldns_rr_list * ldns_rr_list_new(void)
creates a new rr_list structure.
signed char ldns_rr_list_cat(ldns_rr_list *left, const ldns_rr_list *right)
concatenates two ldns_rr_lists together.
@ LDNS_RR_CLASS_IN
the Internet
ldns_rr * ldns_rr_clone(const ldns_rr *rr)
clones a rr and all its data
ldns_rr_list * ldns_rr_list_clone(const ldns_rr_list *rrlist)
clones an rrlist.
ldns_rdf * ldns_rr_rdf(const ldns_rr *rr, size_t nr)
returns the rdata field member counter.
ldns_rdf * ldns_rr_rrsig_inception(const ldns_rr *r)
returns the inception time of a LDNS_RR_TYPE_RRSIG RR
ldns_rdf * ldns_rr_rrsig_expiration(const ldns_rr *r)
returns the expiration time of a LDNS_RR_TYPE_RRSIG RR
ldns_rdf * ldns_rr_rrsig_keytag(const ldns_rr *r)
returns the keytag of a LDNS_RR_TYPE_RRSIG RR
ldns_rdf * ldns_rr_rrsig_labels(const ldns_rr *r)
returns the number of labels of a LDNS_RR_TYPE_RRSIG RR
ldns_rdf * ldns_rr_rrsig_typecovered(const ldns_rr *r)
returns the type covered of a LDNS_RR_TYPE_RRSIG rr
ldns_rdf * ldns_rr_rrsig_signame(const ldns_rr *r)
returns the signers name of a LDNS_RR_TYPE_RRSIG RR
ldns_status ldns_str2rdf_dname(ldns_rdf **rd, const char *str)
convert a dname string into wireformat
ldns_pkt_rcode packet_rcode
ldns_rr_list * signatures
ldns_rr_type packet_qtype
signed char packet_nodata
ldns_dnssec_data_chain * parent
ldns_dnssec_trust_tree * parents[10]
ldns_rr * parent_signature[10]
for debugging, add signatures too (you might want those if they contain errors)
ldns_status parent_status[10]
implementation of buffers to ease operations
A general purpose lookup table.
Resource record data field.
DNS stub resolver structure.
Contains all information about resource record types.
const char * _name
Textual name of the RR type.
List or Set of Resource Records.
ldns_lookup_table * ldns_lookup_by_id(ldns_lookup_table table[], int id)
Looks up the table entry by id, returns NULL if not found.
#define LDNS_CALLOC(type, count)
#define LDNS_XMALLOC(type, count)