dnssec_verify.h File Reference


Data Structures

struct  ldns_dnssec_data_chain_struct
 
struct  ldns_dnssec_trust_tree_struct
 

Macros

#define LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS   10
 dnssec_verify
 

Typedefs

typedef struct ldns_dnssec_data_chain_struct ldns_dnssec_data_chain
 Chain structure that contains all DNSSEC data needed to verify an rrset.
 
typedef struct ldns_dnssec_trust_tree_struct ldns_dnssec_trust_tree
 Tree structure that contains the relation of DNSSEC data, and their cryptographic status.
 

Functions

ldns_dnssec_data_chain * ldns_dnssec_data_chain_new (void)
 Creates a new dnssec_chain structure.
 
void ldns_dnssec_data_chain_free (ldns_dnssec_data_chain *chain)
 Frees a dnssec_data_chain structure.
 
void ldns_dnssec_data_chain_deep_free (ldns_dnssec_data_chain *chain)
 Frees a dnssec_data_chain structure, and all data contained therein.
 
void ldns_dnssec_data_chain_print (FILE *out, const ldns_dnssec_data_chain *chain)
 Prints the dnssec_data_chain to the given file stream.
 
void ldns_dnssec_data_chain_print_fmt (FILE *out, const ldns_output_format *fmt, const ldns_dnssec_data_chain *chain)
 Prints the dnssec_data_chain to the given file stream.
 
ldns_dnssec_data_chain * ldns_dnssec_build_data_chain (ldns_resolver *res, const uint16_t qflags, const ldns_rr_list *data_set, const ldns_pkt *pkt, ldns_rr *orig_rr)
 Build an ldns_dnssec_data_chain, which contains all DNSSEC data that is needed to derive the trust tree later.
 
ldns_dnssec_trust_tree * ldns_dnssec_trust_tree_new (void)
 Creates a new (empty) dnssec_trust_tree structure.
 
void ldns_dnssec_trust_tree_free (ldns_dnssec_trust_tree *tree)
 Frees the dnssec_trust_tree recursively.
 
size_t ldns_dnssec_trust_tree_depth (ldns_dnssec_trust_tree *tree)
 returns the depth of the trust tree
 
void ldns_dnssec_trust_tree_print (FILE *out, ldns_dnssec_trust_tree *tree, size_t tabs, signed char extended)
 Prints the dnssec_trust_tree structure to the given file stream.
 
void ldns_dnssec_trust_tree_print_fmt (FILE *out, const ldns_output_format *fmt, ldns_dnssec_trust_tree *tree, size_t tabs, signed char extended)
 Prints the dnssec_trust_tree structure to the given file stream.
 
ldns_status ldns_dnssec_trust_tree_add_parent (ldns_dnssec_trust_tree *tree, const ldns_dnssec_trust_tree *parent, const ldns_rr *parent_signature, const ldns_status parent_status)
 Adds a trust tree as a parent for the given trust tree.
 
ldns_dnssec_trust_tree * ldns_dnssec_derive_trust_tree (ldns_dnssec_data_chain *data_chain, ldns_rr *rr)
 Generates a dnssec_trust_tree for the given rr from the given data_chain.
 
ldns_dnssec_trust_tree * ldns_dnssec_derive_trust_tree_time (ldns_dnssec_data_chain *data_chain, ldns_rr *rr, time_t check_time)
 Generates a dnssec_trust_tree for the given rr from the given data_chain.
 
void ldns_dnssec_derive_trust_tree_normal_rrset (ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_sig_rr)
 Sub function for derive_trust_tree that is used for a 'normal' rrset.
 
void ldns_dnssec_derive_trust_tree_normal_rrset_time (ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_sig_rr, time_t check_time)
 Sub function for derive_trust_tree that is used for a 'normal' rrset.
 
void ldns_dnssec_derive_trust_tree_dnskey_rrset (ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr, ldns_rr *cur_sig_rr)
 Sub function for derive_trust_tree that is used for DNSKEY rrsets.
 
void ldns_dnssec_derive_trust_tree_dnskey_rrset_time (ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr, ldns_rr *cur_sig_rr, time_t check_time)
 Sub function for derive_trust_tree that is used for DNSKEY rrsets.
 
void ldns_dnssec_derive_trust_tree_ds_rrset (ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr)
 Sub function for derive_trust_tree that is used for DS rrsets.
 
void ldns_dnssec_derive_trust_tree_ds_rrset_time (ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr, time_t check_time)
 Sub function for derive_trust_tree that is used for DS rrsets.
 
void ldns_dnssec_derive_trust_tree_no_sig (ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain)
 Sub function for derive_trust_tree that is used when there are no signatures.
 
void ldns_dnssec_derive_trust_tree_no_sig_time (ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, time_t check_time)
 Sub function for derive_trust_tree that is used when there are no signatures.
 
ldns_status ldns_dnssec_trust_tree_contains_keys (ldns_dnssec_trust_tree *tree, ldns_rr_list *keys)
 Returns OK if there is a trusted path in the tree to one of the DNSKEY or DS RRs in the given list.
 
ldns_status ldns_verify (ldns_rr_list *rrset, ldns_rr_list *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys)
 Verifies a list of signatures for one rrset.
 
ldns_status ldns_verify_time (const ldns_rr_list *rrset, const ldns_rr_list *rrsig, const ldns_rr_list *keys, time_t check_time, ldns_rr_list *good_keys)
 Verifies a list of signatures for one rrset.
 
ldns_status ldns_verify_notime (ldns_rr_list *rrset, ldns_rr_list *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys)
 Verifies a list of signatures for one rrset, but disregards the time (inception and expiration are not checked).
 
ldns_rr_list * ldns_fetch_valid_domain_keys (const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, ldns_status *status)
 Tries to build an authentication chain from the given keys down to the queried domain.
 
ldns_rr_list * ldns_fetch_valid_domain_keys_time (const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, time_t check_time, ldns_status *status)
 Tries to build an authentication chain from the given keys down to the queried domain.
 
ldns_rr_list * ldns_validate_domain_dnskey (const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys)
 Validates the DNSKEY RRset for the given domain using the provided trusted keys.
 
ldns_rr_list * ldns_validate_domain_dnskey_time (const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, time_t check_time)
 Validates the DNSKEY RRset for the given domain using the provided trusted keys.
 
ldns_rr_list * ldns_validate_domain_ds (const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys)
 Validates the DS RRset for the given domain using the provided trusted keys.
 
ldns_rr_list * ldns_validate_domain_ds_time (const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, time_t check_time)
 Validates the DS RRset for the given domain using the provided trusted keys.
 
ldns_status ldns_verify_trusted (ldns_resolver *res, ldns_rr_list *rrset, ldns_rr_list *rrsigs, ldns_rr_list *validating_keys)
 Verifies a list of signatures for one RRset using a valid trust path.
 
ldns_status ldns_verify_trusted_time (ldns_resolver *res, ldns_rr_list *rrset, ldns_rr_list *rrsigs, time_t check_time, ldns_rr_list *validating_keys)
 Verifies a list of signatures for one RRset using a valid trust path.
 
ldns_status ldns_dnssec_verify_denial (ldns_rr *rr, ldns_rr_list *nsecs, ldns_rr_list *rrsigs)
 denial is not just a river in egypt
 
ldns_status ldns_dnssec_verify_denial_nsec3 (ldns_rr *rr, ldns_rr_list *nsecs, ldns_rr_list *rrsigs, ldns_pkt_rcode packet_rcode, ldns_rr_type packet_qtype, signed char packet_nodata)
 Denial of existence using NSEC3 records. Since NSEC3 is a bit more complicated than normal denial, some context arguments are needed.
 
ldns_status ldns_dnssec_verify_denial_nsec3_match (ldns_rr *rr, ldns_rr_list *nsecs, ldns_rr_list *rrsigs, ldns_pkt_rcode packet_rcode, ldns_rr_type packet_qtype, signed char packet_nodata, ldns_rr **match)
 Same as ldns_dnssec_verify_denial_nsec3, but also returns the nsec rr that matched.
 
ldns_status ldns_verify_rrsig_buffers (ldns_buffer *rawsig_buf, ldns_buffer *verify_buf, ldns_buffer *key_buf, uint8_t algo)
 Verifies the already processed data in the buffers. This function should probably not be used directly.
 
ldns_status ldns_verify_rrsig_buffers_raw (unsigned char *sig, size_t siglen, ldns_buffer *verify_buf, unsigned char *key, size_t keylen, uint8_t algo)
 Like ldns_verify_rrsig_buffers, but uses raw data.
 
ldns_status ldns_verify_rrsig_keylist (ldns_rr_list *rrset, ldns_rr *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys)
 Verifies an rrsig.
 
ldns_status ldns_verify_rrsig_keylist_time (const ldns_rr_list *rrset, const ldns_rr *rrsig, const ldns_rr_list *keys, time_t check_time, ldns_rr_list *good_keys)
 Verifies an rrsig.
 
ldns_status ldns_verify_rrsig_keylist_notime (const ldns_rr_list *rrset, const ldns_rr *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys)
 Verifies an rrsig.
 
ldns_status ldns_verify_rrsig (ldns_rr_list *rrset, ldns_rr *rrsig, ldns_rr *key)
 verify an rrsig with 1 key
 
ldns_status ldns_verify_rrsig_time (ldns_rr_list *rrset, ldns_rr *rrsig, ldns_rr *key, time_t check_time)
 verify an rrsig with 1 key
 
ldns_status ldns_verify_rrsig_evp (ldns_buffer *sig, ldns_buffer *rrset, EVP_PKEY *key, const EVP_MD *digest_type)
 verifies a buffer with signature data for a buffer with rrset data with an EVP_PKEY
 
ldns_status ldns_verify_rrsig_evp_raw (const unsigned char *sig, size_t siglen, const ldns_buffer *rrset, EVP_PKEY *key, const EVP_MD *digest_type)
 Like ldns_verify_rrsig_evp, but uses raw signature data.
 
ldns_status ldns_verify_rrsig_dsa (ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key)
 verifies a buffer with signature data (DSA) for a buffer with rrset data with a buffer with key data.
 
ldns_status ldns_verify_rrsig_rsasha1 (ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key)
 verifies a buffer with signature data (RSASHA1) for a buffer with rrset data with a buffer with key data.
 
ldns_status ldns_verify_rrsig_rsamd5 (ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key)
 verifies a buffer with signature data (RSAMD5) for a buffer with rrset data with a buffer with key data.
 
ldns_status ldns_verify_rrsig_dsa_raw (unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
 Like ldns_verify_rrsig_dsa, but uses raw signature and key data.
 
ldns_status ldns_verify_rrsig_rsasha1_raw (unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
 Like ldns_verify_rrsig_rsasha1, but uses raw signature and key data.
 
ldns_status ldns_verify_rrsig_rsasha256_raw (unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
 Like ldns_verify_rrsig_rsasha256, but uses raw signature and key data.
 
ldns_status ldns_verify_rrsig_rsasha512_raw (unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
 Like ldns_verify_rrsig_rsasha512, but uses raw signature and key data.
 
ldns_status ldns_verify_rrsig_rsamd5_raw (unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
 Like ldns_verify_rrsig_rsamd5, but uses raw signature and key data.
 

Macro Definition Documentation

◆ LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS

#define LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS   10

dnssec_verify

Definition at line 6 of file dnssec_verify.h.

Typedef Documentation

◆ ldns_dnssec_data_chain

Chain structure that contains all DNSSEC data needed to verify an rrset.

Definition at line 19 of file dnssec_verify.h.

◆ ldns_dnssec_trust_tree

Tree structure that contains the relation of DNSSEC data, and their cryptographic status.

This tree is derived from a data_chain, and can be used to check whether there is a connection between an RRSET and a trusted key. The tree only contains pointers into the data_chain; therefore one must never free() the data_chain while a trust tree derived from that chain is still in use.

Example tree:

    key  key  key
      \   |   /
       \  |  /
        \ | /
         ds
          |
         key
          |
         key
          |
         rr

For each signature there is a parent; if the parent pointer is null, it could not be found and there was no denial; otherwise it is a tree which contains either a DNSKEY, a DS, or an NSEC rr.

Definition at line 121 of file dnssec_verify.h.

Function Documentation

◆ ldns_dnssec_data_chain_new()

ldns_dnssec_data_chain * ldns_dnssec_data_chain_new ( void  )

Creates a new dnssec_chain structure.

Returns
ldns_dnssec_data_chain *

Definition at line 19 of file dnssec_verify.c.

References LDNS_CALLOC.

◆ ldns_dnssec_data_chain_free()

void ldns_dnssec_data_chain_free ( ldns_dnssec_data_chain * chain)

Frees a dnssec_data_chain structure.

Parameters
[in] *chain  The chain to free

Definition at line 39 of file dnssec_verify.c.

References LDNS_FREE.

◆ ldns_dnssec_data_chain_deep_free()

void ldns_dnssec_data_chain_deep_free ( ldns_dnssec_data_chain * chain)

Frees a dnssec_data_chain structure, and all data contained therein. Do not call this while a trust tree derived from the chain is still in use: such a tree only holds pointers into the chain (see ldns_dnssec_trust_tree).

Parameters
[in] *chain  The dnssec_data_chain to free

Definition at line 45 of file dnssec_verify.c.

References ldns_dnssec_data_chain_deep_free(), LDNS_FREE, ldns_rr_list_deep_free(), ldns_dnssec_data_chain_struct::parent, ldns_dnssec_data_chain_struct::rrset, and ldns_dnssec_data_chain_struct::signatures.

◆ ldns_dnssec_data_chain_print()

void ldns_dnssec_data_chain_print ( FILE *  out,
const ldns_dnssec_data_chain * chain 
)

Prints the dnssec_data_chain to the given file stream.

Parameters
[in] *out  The file stream to print to
[in] *chain  The dnssec_data_chain to print

Definition at line 91 of file dnssec_verify.c.

References ldns_dnssec_data_chain_print_fmt(), and ldns_output_format_default.

◆ ldns_dnssec_data_chain_print_fmt()

void ldns_dnssec_data_chain_print_fmt ( FILE *  out,
const ldns_output_format * fmt,
const ldns_dnssec_data_chain * chain 
)

◆ ldns_dnssec_build_data_chain()

ldns_dnssec_data_chain * ldns_dnssec_build_data_chain ( ldns_resolver * res,
const uint16_t  qflags,
const ldns_rr_list * data_set,
const ldns_pkt * pkt,
ldns_rr * orig_rr 
)

Build an ldns_dnssec_data_chain, which contains all DNSSEC data that is needed to derive the trust tree later.

The data_set is cloned; the caller keeps ownership of the original.

Parameters
[in] *res  resolver structure for further needed queries
[in] qflags  resolution flags
[in] *data_set  The original rrset where the chain ends
[in] *pkt  optional, can contain the original packet (and hence the sigs and maybe the key)
[in] *orig_rr  The original Resource Record
Returns
the DNSSEC data chain

Definition at line 270 of file dnssec_verify.c.

References ldns_dname_is_subdomain(), ldns_dnssec_build_data_chain(), ldns_dnssec_data_chain_new(), ldns_dnssec_pkt_get_rrsigs_for_name_and_type(), ldns_dnssec_pkt_get_rrsigs_for_type(), ldns_dnssec_pkt_has_rrsigs(), ldns_pkt_ancount(), ldns_pkt_free(), ldns_pkt_get_rcode(), ldns_pkt_rr_list_by_type(), ldns_resolver_query(), ldns_rr_get_class(), ldns_rr_get_type(), ldns_rr_list_clone(), ldns_rr_list_deep_free(), ldns_rr_list_new(), ldns_rr_list_push_rr(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), ldns_rr_owner(), ldns_rr_rdf(), LDNS_RR_TYPE_DNSKEY, LDNS_RR_TYPE_DS, LDNS_RR_TYPE_NSEC, LDNS_RR_TYPE_NSEC3, LDNS_SECTION_ANY_NOQUESTION, ldns_dnssec_data_chain_struct::packet_nodata, ldns_dnssec_data_chain_struct::packet_qtype, ldns_dnssec_data_chain_struct::packet_rcode, ldns_dnssec_data_chain_struct::parent, and ldns_dnssec_data_chain_struct::rrset.

◆ ldns_dnssec_trust_tree_new()

ldns_dnssec_trust_tree * ldns_dnssec_trust_tree_new ( void  )

Creates a new (empty) dnssec_trust_tree structure.

Returns
ldns_dnssec_trust_tree *

Definition at line 445 of file dnssec_verify.c.

References LDNS_XMALLOC, ldns_dnssec_trust_tree_struct::parent_count, ldns_dnssec_trust_tree_struct::rr, and ldns_dnssec_trust_tree_struct::rrset.

◆ ldns_dnssec_trust_tree_free()

void ldns_dnssec_trust_tree_free ( ldns_dnssec_trust_tree * tree)

Frees the dnssec_trust_tree recursively.

There is no deep free; all data in the trust tree consists of pointers into a data_chain, which must be freed separately.

Parameters
[in] tree  The tree to free

Definition at line 458 of file dnssec_verify.c.

References ldns_dnssec_trust_tree_free(), LDNS_FREE, ldns_dnssec_trust_tree_struct::parent_count, and ldns_dnssec_trust_tree_struct::parents.

◆ ldns_dnssec_trust_tree_depth()

size_t ldns_dnssec_trust_tree_depth ( ldns_dnssec_trust_tree * tree)

Returns the depth of the trust tree.

Parameters
[in] tree  tree to calculate the depth of
Returns
The depth of the tree

Definition at line 470 of file dnssec_verify.c.

References ldns_dnssec_trust_tree_depth(), ldns_dnssec_trust_tree_struct::parent_count, and ldns_dnssec_trust_tree_struct::parents.

◆ ldns_dnssec_trust_tree_print()

void ldns_dnssec_trust_tree_print ( FILE *  out,
ldns_dnssec_trust_tree * tree,
size_t  tabs,
signed char  extended 
)

Prints the dnssec_trust_tree structure to the given file stream.

If a link status is not LDNS_STATUS_OK, the status and relevant signatures are printed too.

Parameters
[in] *out  The file stream to print to
[in] tree  The trust tree to print
[in] tabs  Prepend each line with tabs*2 spaces
[in] extended  If true, add little explanation lines to the output

Definition at line 647 of file dnssec_verify.c.

References ldns_dnssec_trust_tree_print_fmt(), and ldns_output_format_default.

◆ ldns_dnssec_trust_tree_print_fmt()

void ldns_dnssec_trust_tree_print_fmt ( FILE *  out,
const ldns_output_format * fmt,
ldns_dnssec_trust_tree * tree,
size_t  tabs,
signed char  extended 
)

Prints the dnssec_trust_tree structure to the given file stream.

If a link status is not LDNS_STATUS_OK, the status and relevant signatures are printed too.

Parameters
[in] *out  The file stream to print to
[in] *fmt  The format of the textual representation
[in] tree  The trust tree to print
[in] tabs  Prepend each line with tabs*2 spaces
[in] extended  If true, add little explanation lines to the output

Definition at line 637 of file dnssec_verify.c.

◆ ldns_dnssec_trust_tree_add_parent()

ldns_status ldns_dnssec_trust_tree_add_parent ( ldns_dnssec_trust_tree * tree,
const ldns_dnssec_trust_tree * parent,
const ldns_rr * parent_signature,
const ldns_status  parent_status 
)

Adds a trust tree as a parent for the given trust tree.

Parameters
[in] *tree  The tree to add the parent to
[in] *parent  The parent tree to add
[in] *parent_signature  The RRSIG relevant to this parent/child connection
[in] parent_status  The DNSSEC status for this parent, child and RRSIG
Returns
LDNS_STATUS_OK if the addition succeeds, an error status otherwise. A tree holds at most LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS parents, so callers should check the result rather than assume the parent was attached.

Definition at line 658 of file dnssec_verify.c.

References LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS, LDNS_STATUS_ERR, LDNS_STATUS_OK, ldns_dnssec_trust_tree_struct::parent_count, ldns_dnssec_trust_tree_struct::parent_signature, ldns_dnssec_trust_tree_struct::parent_status, and ldns_dnssec_trust_tree_struct::parents.

◆ ldns_dnssec_derive_trust_tree()

ldns_dnssec_trust_tree * ldns_dnssec_derive_trust_tree ( ldns_dnssec_data_chain * data_chain,
ldns_rr * rr 
)

Generates a dnssec_trust_tree for the given rr from the given data_chain.

This does not clone the actual data; do not free the data_chain before you are done with this tree.

Parameters
[in] *data_chain  The chain to derive the trust tree from
[in] *rr  The RR this tree will be about
Returns
ldns_dnssec_trust_tree *

Definition at line 786 of file dnssec_verify.c.

References ldns_dnssec_derive_trust_tree_time().

◆ ldns_dnssec_derive_trust_tree_time()

ldns_dnssec_trust_tree * ldns_dnssec_derive_trust_tree_time ( ldns_dnssec_data_chain * data_chain,
ldns_rr * rr,
time_t  check_time 
)

Generates a dnssec_trust_tree for the given rr from the given data_chain.

This does not clone the actual data; do not free the data_chain before you are done with this tree.

Parameters
[in] *data_chain  The chain to derive the trust tree from
[in] *rr  The RR this tree will be about
[in] check_time  the time for which the validation is performed
Returns
ldns_dnssec_trust_tree *

Definition at line 685 of file dnssec_verify.c.

References ldns_dname_compare(), ldns_dnssec_derive_trust_tree_dnskey_rrset_time(), ldns_dnssec_derive_trust_tree_ds_rrset_time(), ldns_dnssec_derive_trust_tree_no_sig_time(), ldns_dnssec_derive_trust_tree_normal_rrset_time(), ldns_dnssec_trust_tree_new(), ldns_rr_get_type(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), ldns_rr_owner(), LDNS_RR_TYPE_NSEC, ldns_dnssec_data_chain_struct::parent, ldns_dnssec_trust_tree_struct::rr, ldns_dnssec_data_chain_struct::rrset, ldns_dnssec_trust_tree_struct::rrset, and ldns_dnssec_data_chain_struct::signatures.

◆ ldns_dnssec_derive_trust_tree_normal_rrset()

void ldns_dnssec_derive_trust_tree_normal_rrset ( ldns_dnssec_trust_tree * new_tree,
ldns_dnssec_data_chain * data_chain,
ldns_rr * cur_sig_rr 
)

Sub function for derive_trust_tree that is used for a 'normal' rrset.

Parameters
[in] new_tree  The trust tree that we are building
[in] data_chain  The data chain containing the data for the trust tree
[in] cur_sig_rr  The currently relevant signature

Definition at line 874 of file dnssec_verify.c.

References ldns_dnssec_derive_trust_tree_normal_rrset_time().

◆ ldns_dnssec_derive_trust_tree_normal_rrset_time()

void ldns_dnssec_derive_trust_tree_normal_rrset_time ( ldns_dnssec_trust_tree * new_tree,
ldns_dnssec_data_chain * data_chain,
ldns_rr * cur_sig_rr,
time_t  check_time 
)

◆ ldns_dnssec_derive_trust_tree_dnskey_rrset()

void ldns_dnssec_derive_trust_tree_dnskey_rrset ( ldns_dnssec_trust_tree * new_tree,
ldns_dnssec_data_chain * data_chain,
ldns_rr * cur_rr,
ldns_rr * cur_sig_rr 
)

Sub function for derive_trust_tree that is used for DNSKEY rrsets.

Parameters
[in] new_tree  The trust tree that we are building
[in] data_chain  The data chain containing the data for the trust tree
[in] cur_rr  The currently relevant DNSKEY RR
[in] cur_sig_rr  The currently relevant signature

Definition at line 920 of file dnssec_verify.c.

References ldns_dnssec_derive_trust_tree_dnskey_rrset_time().

◆ ldns_dnssec_derive_trust_tree_dnskey_rrset_time()

void ldns_dnssec_derive_trust_tree_dnskey_rrset_time ( ldns_dnssec_trust_tree * new_tree,
ldns_dnssec_data_chain * data_chain,
ldns_rr * cur_rr,
ldns_rr * cur_sig_rr,
time_t  check_time 
)

Sub function for derive_trust_tree that is used for DNSKEY rrsets.

Parameters
[in] new_tree  The trust tree that we are building
[in] data_chain  The data chain containing the data for the trust tree
[in] cur_rr  The currently relevant DNSKEY RR
[in] cur_sig_rr  The currently relevant signature
[in] check_time  the time for which the validation is performed

Definition at line 883 of file dnssec_verify.c.

References ldns_calc_keytag(), ldns_dnssec_trust_tree_add_parent(), ldns_dnssec_trust_tree_free(), ldns_dnssec_trust_tree_new(), ldns_rdf2native_int16(), ldns_rr_get_type(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), ldns_rr_rrsig_keytag(), LDNS_RR_TYPE_DNSKEY, ldns_verify_rrsig_time(), ldns_dnssec_trust_tree_struct::rr, ldns_dnssec_data_chain_struct::rrset, and ldns_dnssec_trust_tree_struct::rrset.

◆ ldns_dnssec_derive_trust_tree_ds_rrset()

void ldns_dnssec_derive_trust_tree_ds_rrset ( ldns_dnssec_trust_tree * new_tree,
ldns_dnssec_data_chain * data_chain,
ldns_rr * cur_rr 
)

Sub function for derive_trust_tree that is used for DS rrsets.

Parameters
[in] new_tree  The trust tree that we are building
[in] data_chain  The data chain containing the data for the trust tree
[in] cur_rr  The currently relevant DS RR

Definition at line 974 of file dnssec_verify.c.

References ldns_dnssec_derive_trust_tree_ds_rrset_time().

◆ ldns_dnssec_derive_trust_tree_ds_rrset_time()

void ldns_dnssec_derive_trust_tree_ds_rrset_time ( ldns_dnssec_trust_tree * new_tree,
ldns_dnssec_data_chain * data_chain,
ldns_rr * cur_rr,
time_t  check_time 
)

Sub function for derive_trust_tree that is used for DS rrsets.

Parameters
[in] new_tree  The trust tree that we are building
[in] data_chain  The data chain containing the data for the trust tree
[in] cur_rr  The currently relevant DS RR
[in] check_time  the time for which the validation is performed

Definition at line 930 of file dnssec_verify.c.

References ldns_dnssec_derive_trust_tree_time(), ldns_dnssec_trust_tree_add_parent(), ldns_rr_compare_ds(), ldns_rr_get_type(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), LDNS_RR_TYPE_DNSKEY, LDNS_RR_TYPE_DS, LDNS_STATUS_OK, ldns_dnssec_data_chain_struct::parent, and ldns_dnssec_data_chain_struct::rrset.

◆ ldns_dnssec_derive_trust_tree_no_sig()

void ldns_dnssec_derive_trust_tree_no_sig ( ldns_dnssec_trust_tree * new_tree,
ldns_dnssec_data_chain * data_chain 
)

Sub function for derive_trust_tree that is used when there are no signatures.

Parameters
[in] new_tree  The trust tree that we are building
[in] data_chain  The data chain containing the data for the trust tree

Definition at line 1036 of file dnssec_verify.c.

References ldns_dnssec_derive_trust_tree_no_sig_time().

◆ ldns_dnssec_derive_trust_tree_no_sig_time()

void ldns_dnssec_derive_trust_tree_no_sig_time ( ldns_dnssec_trust_tree * new_tree,
ldns_dnssec_data_chain * data_chain,
time_t  check_time 
)

◆ ldns_dnssec_trust_tree_contains_keys()

ldns_status ldns_dnssec_trust_tree_contains_keys ( ldns_dnssec_trust_tree * tree,
ldns_rr_list * keys 
)

Returns LDNS_STATUS_OK if there is a trusted path in the tree to one of the DNSKEY or DS RRs in the given list.

Parameters
*tree  The trust tree to search
*keys  A ldns_rr_list of DNSKEY and DS rrs to look for
Returns
LDNS_STATUS_OK if there is a trusted path to one of the keys; otherwise the first error encountered, meaning no trusted path was found

Definition at line 1049 of file dnssec_verify.c.

References ldns_dnssec_trust_tree_contains_keys(), ldns_rr_compare_ds(), ldns_rr_get_type(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), LDNS_RR_TYPE_NSEC, LDNS_STATUS_CRYPTO_NO_DNSKEY, LDNS_STATUS_DNSSEC_EXISTENCE_DENIED, LDNS_STATUS_ERR, LDNS_STATUS_OK, ldns_dnssec_trust_tree_struct::parent_count, ldns_dnssec_trust_tree_struct::parent_status, ldns_dnssec_trust_tree_struct::parents, and ldns_dnssec_trust_tree_struct::rr.

◆ ldns_verify()

ldns_status ldns_verify ( ldns_rr_list * rrset,
ldns_rr_list * rrsig,
const ldns_rr_list * keys,
ldns_rr_list * good_keys 
)

Verifies a list of signatures for one rrset.

Parameters
[in] rrset  the rrset to verify
[in] rrsig  a list of signatures to check
[in] keys  a list of keys to check with
[out] good_keys  if this is an (initialized) list, pointers to the keys from keys that validate one of the signatures are added to it
Returns
status LDNS_STATUS_OK if there is at least one correct key

Definition at line 1142 of file dnssec_verify.c.

References ldns_verify_time().

◆ ldns_verify_time()

ldns_status ldns_verify_time ( const ldns_rr_list * rrset,
const ldns_rr_list * rrsig,
const ldns_rr_list * keys,
time_t  check_time,
ldns_rr_list * good_keys 
)

Verifies a list of signatures for one rrset.

Parameters
[in] rrset  the rrset to verify
[in] rrsig  a list of signatures to check
[in] keys  a list of keys to check with
[in] check_time  the time for which the validation is performed
[out] good_keys  if this is an (initialized) list, pointers to the keys from keys that validate one of the signatures are added to it
Returns
status LDNS_STATUS_OK if there is at least one correct key

Definition at line 1098 of file dnssec_verify.c.

References ldns_rr_list_rr(), ldns_rr_list_rr_count(), LDNS_STATUS_CRYPTO_NO_MATCHING_KEYTAG_DNSKEY, LDNS_STATUS_CRYPTO_NO_RRSIG, LDNS_STATUS_CRYPTO_NO_TRUSTED_DNSKEY, LDNS_STATUS_ERR, LDNS_STATUS_OK, and ldns_verify_rrsig_keylist_time().

◆ ldns_verify_notime()

ldns_status ldns_verify_notime ( ldns_rr_list * rrset,
ldns_rr_list * rrsig,
const ldns_rr_list * keys,
ldns_rr_list * good_keys 
)

Verifies a list of signatures for one rrset, but disregards the time.

Inception and Expiration are not checked, so signatures that are expired or not yet valid are accepted by this function; use ldns_verify or ldns_verify_time when the validity period matters.

Parameters
[in] rrset  the rrset to verify
[in] rrsig  a list of signatures to check
[in] keys  a list of keys to check with
[out] good_keys  if this is an (initialized) list, pointers to the keys from keys that validate one of the signatures are added to it
Returns
status LDNS_STATUS_OK if there is at least one correct key

Definition at line 1149 of file dnssec_verify.c.

References ldns_rr_list_rr(), ldns_rr_list_rr_count(), LDNS_STATUS_CRYPTO_NO_MATCHING_KEYTAG_DNSKEY, LDNS_STATUS_CRYPTO_NO_RRSIG, LDNS_STATUS_CRYPTO_NO_TRUSTED_DNSKEY, LDNS_STATUS_ERR, LDNS_STATUS_OK, and ldns_verify_rrsig_keylist_notime().

◆ ldns_fetch_valid_domain_keys()

ldns_rr_list * ldns_fetch_valid_domain_keys ( const ldns_resolver * res,
const ldns_rdf * domain,
const ldns_rr_list * keys,
ldns_status * status 
)

Tries to build an authentication chain from the given keys down to the queried domain.

If a valid trust path is found, the valid keys for the domain are returned.

Parameters
[in] res  the current resolver
[in] domain  the domain we want valid keys for
[in] keys  the current set of trusted keys
[out] status  pointer to the status variable where the result code will be stored
Returns
the set of trusted keys for the domain, or NULL if no trust path could be built.

Definition at line 1257 of file dnssec_verify.c.

References ldns_fetch_valid_domain_keys_time().

◆ ldns_fetch_valid_domain_keys_time()

ldns_rr_list * ldns_fetch_valid_domain_keys_time ( const ldns_resolver * res,
const ldns_rdf * domain,
const ldns_rr_list * keys,
time_t  check_time,
ldns_status * status 
)

Tries to build an authentication chain from the given keys down to the queried domain.

If a valid trust path is found, the valid keys for the domain are returned.

Parameters
[in] res  the current resolver
[in] domain  the domain we want valid keys for
[in] keys  the current set of trusted keys
[in] check_time  the time for which the validation is performed
[out] status  pointer to the status variable where the result code will be stored
Returns
the set of trusted keys for the domain, or NULL if no trust path could be built.

Definition at line 1189 of file dnssec_verify.c.

References ldns_dname_left_chop(), ldns_fetch_valid_domain_keys_time(), ldns_rdf_deep_free(), ldns_rdf_size(), ldns_rr_list_deep_free(), LDNS_STATUS_CRYPTO_NO_TRUSTED_DNSKEY, LDNS_STATUS_CRYPTO_NO_TRUSTED_DS, LDNS_STATUS_OK, ldns_validate_domain_dnskey_time(), and ldns_validate_domain_ds_time().

◆ ldns_validate_domain_dnskey()

ldns_rr_list * ldns_validate_domain_dnskey ( const ldns_resolver * res,
const ldns_rdf * domain,
const ldns_rr_list * keys 
)

Validates the DNSKEY RRset for the given domain using the provided trusted keys.

Parameters
[in] res  the current resolver
[in] domain  the domain we want valid keys for
[in] keys  the current set of trusted keys
Returns
the set of trusted keys for the domain, or NULL if the RRSET could not be validated

Definition at line 1361 of file dnssec_verify.c.

References ldns_validate_domain_dnskey_time().

◆ ldns_validate_domain_dnskey_time()

ldns_rr_list * ldns_validate_domain_dnskey_time ( const ldns_resolver * res,
const ldns_rdf * domain,
const ldns_rr_list * keys,
time_t  check_time 
)

Validates the DNSKEY RRset for the given domain using the provided trusted keys.

Parameters
[in] res  the current resolver
[in] domain  the domain we want valid keys for
[in] keys  the current set of trusted keys
[in] check_time  the time for which the validation is performed
Returns
the set of trusted keys for the domain, or NULL if the RRSET could not be validated

Definition at line 1267 of file dnssec_verify.c.

References ldns_calc_keytag(), ldns_pkt_free(), ldns_pkt_rr_list_by_type(), LDNS_RD, ldns_rdf2native_int16(), ldns_resolver_query(), LDNS_RR_CLASS_IN, ldns_rr_clone(), ldns_rr_compare_ds(), ldns_rr_list_deep_free(), ldns_rr_list_new(), ldns_rr_list_push_rr(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), ldns_rr_rrsig_keytag(), LDNS_RR_TYPE_DNSKEY, LDNS_RR_TYPE_RRSIG, LDNS_SECTION_ANSWER, LDNS_STATUS_OK, and ldns_verify_rrsig_time().

◆ ldns_validate_domain_ds()

ldns_rr_list * ldns_validate_domain_ds ( const ldns_resolver * res,
const ldns_rdf * domain,
const ldns_rr_list * keys 
)

Validates the DS RRset for the given domain using the provided trusted keys.

Parameters
[in] res  the current resolver
[in] domain  the domain we want valid keys for
[in] keys  the current set of trusted keys
Returns
the set of trusted keys for the domain, or NULL if the RRSET could not be validated

Definition at line 1418 of file dnssec_verify.c.

References ldns_validate_domain_ds_time().

◆ ldns_validate_domain_ds_time()

ldns_rr_list * ldns_validate_domain_ds_time ( const ldns_resolver res,
const ldns_rdf domain,
const ldns_rr_list keys,
time_t  check_time 
)

Validates the DS RRset for the given domain using the provided trusted keys.

Parameters
[in] res: the current resolver
[in] domain: the domain we want valid keys for
[in] keys: the current set of trusted keys
[in] check_time: the time for which the validation is performed
Returns
the set of trusted keys for the domain, or NULL if the RRSET could not be validated

Definition at line 1370 of file dnssec_verify.c.

References ldns_pkt_free(), ldns_pkt_rr_list_by_type(), LDNS_RD, ldns_resolver_query(), LDNS_RR_CLASS_IN, ldns_rr_clone(), ldns_rr_list_deep_free(), ldns_rr_list_new(), ldns_rr_list_push_rr(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), LDNS_RR_TYPE_DS, LDNS_RR_TYPE_RRSIG, LDNS_SECTION_ANSWER, LDNS_STATUS_OK, and ldns_verify_time().

◆ ldns_verify_trusted()

ldns_status ldns_verify_trusted ( ldns_resolver res,
ldns_rr_list rrset,
ldns_rr_list rrsigs,
ldns_rr_list validating_keys 
)

Verifies a list of signatures for one RRset using a valid trust path.

Parameters
[in] res: the current resolver
[in] rrset: the rrset to verify
[in] rrsigs: a list of signatures to check
[out] validating_keys: if this is an (initialized) list, the keys that validate one of the signatures are added to it
Returns
status LDNS_STATUS_OK if there is at least one correct key

Definition at line 1489 of file dnssec_verify.c.

References ldns_verify_trusted_time().

◆ ldns_verify_trusted_time()

ldns_status ldns_verify_trusted_time ( ldns_resolver res,
ldns_rr_list rrset,
ldns_rr_list rrsigs,
time_t  check_time,
ldns_rr_list validating_keys 
)

Verifies a list of signatures for one RRset using a valid trust path.

Parameters
[in] res: the current resolver
[in] rrset: the rrset to verify
[in] rrsigs: a list of signatures to check
[in] check_time: the time for which the validation is performed
[out] validating_keys: if this is an (initialized) list, the keys that validate one of the signatures are added to it
Returns
status LDNS_STATUS_OK if there is at least one correct key

Definition at line 1426 of file dnssec_verify.c.

References ldns_fetch_valid_domain_keys_time(), ldns_resolver_dnssec_anchors(), ldns_rr_clone(), ldns_rr_list_deep_free(), ldns_rr_list_push_rr(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), ldns_rr_rrsig_signame(), LDNS_STATUS_CRYPTO_NO_RRSIG, LDNS_STATUS_ERR, LDNS_STATUS_OK, and ldns_verify_rrsig_time().

◆ ldns_dnssec_verify_denial()

ldns_status ldns_dnssec_verify_denial ( ldns_rr rr,
ldns_rr_list nsecs,
ldns_rr_list rrsigs 
)

Checks the denial of existence of an RR using NSEC records (denial is not just a river in Egypt).

Parameters
[in] rr: The (query) RR to check the denial of existence for
[in] nsecs: The list of NSEC RRs that are supposed to deny the existence of the RR
[in] rrsigs: The RRSIG RRs covering the NSEC RRs
Returns
LDNS_STATUS_OK if the NSEC RRs deny the existence; otherwise an error code giving the reason they do not

Definition at line 1501 of file dnssec_verify.c.

References ldns_dname_cat(), ldns_dname_compare(), ldns_dname_label_count(), ldns_dname_left_chop(), ldns_dname_new_frm_str(), ldns_dnssec_get_rrsig_for_name_and_type(), ldns_nsec_bitmap_covers_type(), ldns_nsec_covers_name(), ldns_nsec_get_bitmap(), ldns_rdf2native_int8(), ldns_rdf_data(), ldns_rdf_deep_free(), ldns_rdf_size(), ldns_rr_get_type(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), ldns_rr_owner(), ldns_rr_rrsig_labels(), LDNS_STATUS_DNSSEC_NSEC_RR_NOT_COVERED, LDNS_STATUS_DNSSEC_NSEC_WILDCARD_NOT_COVERED, and LDNS_STATUS_OK.

◆ ldns_dnssec_verify_denial_nsec3()

ldns_status ldns_dnssec_verify_denial_nsec3 ( ldns_rr rr,
ldns_rr_list nsecs,
ldns_rr_list rrsigs,
ldns_pkt_rcode  packet_rcode,
ldns_rr_type  packet_qtype,
signed char  packet_nodata 
)

Denial of existence using NSEC3 records. Since NSEC3 is a bit more complicated than normal denial, some context arguments are needed.

Parameters
[in] rr: The (query) RR to check the denial of existence for
[in] nsecs: The list of NSEC3 RRs that are supposed to deny the existence of the RR
[in] rrsigs: The RRSIG RRs covering the NSEC3 RRs
[in] packet_rcode: The RCODE value of the packet that provided the NSEC3 RRs
[in] packet_qtype: The original query RR type
[in] packet_nodata: True if the providing packet had an empty ANSWER section
Returns
LDNS_STATUS_OK if the NSEC3 RRs deny the existence; otherwise an error code giving the reason they do not

Definition at line 1810 of file dnssec_verify.c.

References ldns_dnssec_verify_denial_nsec3_match().

◆ ldns_dnssec_verify_denial_nsec3_match()

ldns_status ldns_dnssec_verify_denial_nsec3_match ( ldns_rr rr,
ldns_rr_list nsecs,
ldns_rr_list rrsigs,
ldns_pkt_rcode  packet_rcode,
ldns_rr_type  packet_qtype,
signed char  packet_nodata,
ldns_rr **  match 
)

Same as ldns_dnssec_verify_denial_nsec3(), but also returns the NSEC3 RR that matched.

Parameters
[in] rr: The (query) RR to check the denial of existence for
[in] nsecs: The list of NSEC3 RRs that are supposed to deny the existence of the RR
[in] rrsigs: The RRSIG RRs covering the NSEC3 RRs
[in] packet_rcode: The RCODE value of the packet that provided the NSEC3 RRs
[in] packet_qtype: The original query RR type
[in] packet_nodata: True if the providing packet had an empty ANSWER section
[out] match: On a match, the pointer this refers to is set to point to the matching NSEC3 resource record.
Returns
LDNS_STATUS_OK if the NSEC3 RRs deny the existence; otherwise an error code giving the reason they do not

◆ ldns_verify_rrsig_buffers()

ldns_status ldns_verify_rrsig_buffers ( ldns_buffer rawsig_buf,
ldns_buffer verify_buf,
ldns_buffer key_buf,
uint8_t  algo 
)

Verifies the already processed data in the buffers. This function should probably not be used directly.

Parameters
[in] rawsig_buf: Buffer containing the signature data to use
[in] verify_buf: Buffer containing the data to verify
[in] key_buf: Buffer containing the key data to use
[in] algo: Signing algorithm
Returns
status LDNS_STATUS_OK if the data verifies. Error if not.

Definition at line 2009 of file dnssec_verify.c.

References ldns_verify_rrsig_buffers_raw().

◆ ldns_verify_rrsig_buffers_raw()

ldns_status ldns_verify_rrsig_buffers_raw ( unsigned char *  sig,
size_t  siglen,
ldns_buffer verify_buf,
unsigned char *  key,
size_t  keylen,
uint8_t  algo 
)

Like ldns_verify_rrsig_buffers, but uses raw data.

Parameters
[in] sig: signature data to use
[in] siglen: length of the signature data to use
[in] verify_buf: Buffer containing the data to verify
[in] key: key data to use
[in] keylen: length of the key data to use
[in] algo: Signing algorithm
Returns
status LDNS_STATUS_OK if the data verifies. Error if not.

Definition at line 2021 of file dnssec_verify.c.

References LDNS_DSA, LDNS_DSA_NSEC3, LDNS_ECC_GOST, LDNS_ECDSAP256SHA256, LDNS_ECDSAP384SHA384, LDNS_ED25519, LDNS_ED448, LDNS_RSAMD5, LDNS_RSASHA1, LDNS_RSASHA1_NSEC3, LDNS_RSASHA256, LDNS_RSASHA512, LDNS_STATUS_CRYPTO_UNKNOWN_ALGO, ldns_verify_rrsig_dsa_raw(), ldns_verify_rrsig_rsamd5_raw(), ldns_verify_rrsig_rsasha1_raw(), ldns_verify_rrsig_rsasha256_raw(), and ldns_verify_rrsig_rsasha512_raw().

◆ ldns_verify_rrsig_keylist()

ldns_status ldns_verify_rrsig_keylist ( ldns_rr_list rrset,
ldns_rr rrsig,
const ldns_rr_list keys,
ldns_rr_list good_keys 
)

Verifies an rrsig.

All keys in the keyset are tried.

Parameters
[in] rrset: the rrset to check
[in] rrsig: the signature of the rrset
[in] keys: the keys to try
[out] good_keys: if this is an (initialized) list, pointers to the keys from `keys` that validate the signature are added to it
Returns
LDNS_STATUS_OK if at least one key validates the rrsig + rrset (those keys are added to good_keys); otherwise an error status.

Definition at line 2442 of file dnssec_verify.c.

References ldns_verify_rrsig_keylist_time().

◆ ldns_verify_rrsig_keylist_time()

ldns_status ldns_verify_rrsig_keylist_time ( const ldns_rr_list rrset,
const ldns_rr rrsig,
const ldns_rr_list keys,
time_t  check_time,
ldns_rr_list good_keys 
)

Verifies an rrsig.

All keys in the keyset are tried.

Parameters
[in] rrset: the rrset to check
[in] rrsig: the signature of the rrset
[in] keys: the keys to try
[in] check_time: the time for which the validation is performed
[out] good_keys: if this is an (initialized) list, pointers to the keys from `keys` that validate the signature are added to it
Returns
LDNS_STATUS_OK if at least one key validates the rrsig + rrset (those keys are added to good_keys); otherwise an error status.

Definition at line 2398 of file dnssec_verify.c.

References ldns_rr_list_cat(), ldns_rr_list_free(), ldns_rr_list_new(), LDNS_STATUS_MEM_ERR, LDNS_STATUS_OK, and ldns_verify_rrsig_keylist_notime().

◆ ldns_verify_rrsig_keylist_notime()

ldns_status ldns_verify_rrsig_keylist_notime ( const ldns_rr_list rrset,
const ldns_rr rrsig,
const ldns_rr_list keys,
ldns_rr_list good_keys 
)

Verifies an rrsig.

All keys in the keyset are tried. Time is not checked.

Parameters
[in] rrset: the rrset to check
[in] rrsig: the signature of the rrset
[in] keys: the keys to try
[out] good_keys: if this is an (initialized) list, pointers to the keys from `keys` that validate the signature are added to it
Returns
LDNS_STATUS_OK if at least one key validates the rrsig + rrset (those keys are added to good_keys); otherwise an error status.

Definition at line 2452 of file dnssec_verify.c.

References ldns_buffer_free(), ldns_buffer_new(), LDNS_MAX_PACKETLEN, ldns_rr_list_cat(), ldns_rr_list_clone(), ldns_rr_list_deep_free(), ldns_rr_list_free(), ldns_rr_list_new(), ldns_rr_list_push_rr(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), LDNS_STATUS_CRYPTO_NO_MATCHING_KEYTAG_DNSKEY, LDNS_STATUS_ERR, LDNS_STATUS_MEM_ERR, and LDNS_STATUS_OK.

◆ ldns_verify_rrsig()

ldns_status ldns_verify_rrsig ( ldns_rr_list rrset,
ldns_rr rrsig,
ldns_rr key 
)

Verifies an RRSIG with a single key.

Parameters
[in] rrset: the rrset
[in] rrsig: the rrsig to verify
[in] key: the key to use
Returns
a status indicating whether verification succeeded.

Definition at line 2579 of file dnssec_verify.c.

References ldns_verify_rrsig_time().

◆ ldns_verify_rrsig_time()

ldns_status ldns_verify_rrsig_time ( ldns_rr_list rrset,
ldns_rr rrsig,
ldns_rr key,
time_t  check_time 
)

Verifies an RRSIG with a single key.

Parameters
[in] rrset: the rrset
[in] rrsig: the rrsig to verify
[in] key: the key to use
[in] check_time: the time for which the validation is performed
Returns
a status indicating whether verification succeeded.

Definition at line 2536 of file dnssec_verify.c.

References ldns_buffer_free(), ldns_buffer_new(), LDNS_MAX_PACKETLEN, ldns_rr_list_clone(), ldns_rr_list_deep_free(), LDNS_STATUS_NO_DATA, and LDNS_STATUS_OK.

◆ ldns_verify_rrsig_evp()

ldns_status ldns_verify_rrsig_evp ( ldns_buffer sig,
ldns_buffer rrset,
EVP_PKEY *  key,
const EVP_MD *  digest_type 
)

Verifies a buffer of signature data against a buffer of rrset data, using an EVP_PKEY.

Parameters
[in] sig: the signature data
[in] rrset: the rrset data, sorted and processed for verification
[in] key: the EVP key structure
[in] digest_type: The digest type of the signature

Definition at line 2586 of file dnssec_verify.c.

References ldns_verify_rrsig_evp_raw().

◆ ldns_verify_rrsig_evp_raw()

ldns_status ldns_verify_rrsig_evp_raw ( const unsigned char *  sig,
size_t  siglen,
const ldns_buffer rrset,
EVP_PKEY *  key,
const EVP_MD *  digest_type 
)

Like ldns_verify_rrsig_evp, but uses raw signature data.

Parameters
[in] sig: the signature data, uncompressed wireformat
[in] siglen: length of the signature data
[in] rrset: the rrset data, sorted and processed for verification
[in] key: the EVP key structure
[in] digest_type: The digest type of the signature

Definition at line 2600 of file dnssec_verify.c.

References LDNS_STATUS_CRYPTO_BOGUS, LDNS_STATUS_MEM_ERR, LDNS_STATUS_OK, and LDNS_STATUS_SSL_ERR.

◆ ldns_verify_rrsig_dsa()

ldns_status ldns_verify_rrsig_dsa ( ldns_buffer sig,
ldns_buffer rrset,
ldns_buffer key 
)

Verifies a buffer of DSA signature data against a buffer of rrset data, using a buffer of key data.

Parameters
[in] sig: the signature data
[in] rrset: the rrset data, sorted and processed for verification
[in] key: the key data

Definition at line 2649 of file dnssec_verify.c.

References ldns_verify_rrsig_dsa_raw().

◆ ldns_verify_rrsig_rsasha1()

ldns_status ldns_verify_rrsig_rsasha1 ( ldns_buffer sig,
ldns_buffer rrset,
ldns_buffer key 
)

Verifies a buffer of RSASHA1 signature data against a buffer of rrset data, using a buffer of key data.

Parameters
[in] sig: the signature data
[in] rrset: the rrset data, sorted and processed for verification
[in] key: the key data

Definition at line 2660 of file dnssec_verify.c.

References ldns_verify_rrsig_rsasha1_raw().

◆ ldns_verify_rrsig_rsamd5()

ldns_status ldns_verify_rrsig_rsamd5 ( ldns_buffer sig,
ldns_buffer rrset,
ldns_buffer key 
)

Verifies a buffer of RSAMD5 signature data against a buffer of rrset data, using a buffer of key data.

Parameters
[in] sig: the signature data
[in] rrset: the rrset data, sorted and processed for verification
[in] key: the key data

Definition at line 2671 of file dnssec_verify.c.

References ldns_verify_rrsig_rsamd5_raw().

◆ ldns_verify_rrsig_dsa_raw()

ldns_status ldns_verify_rrsig_dsa_raw ( unsigned char *  sig,
size_t  siglen,
ldns_buffer rrset,
unsigned char *  key,
size_t  keylen 
)

Like ldns_verify_rrsig_dsa, but uses raw signature and key data.

Parameters
[in] sig: raw uncompressed wireformat signature data
[in] siglen: length of the signature data
[in] rrset: ldns buffer with prepared rrset data
[in] key: raw uncompressed wireformat key data
[in] keylen: length of the key data

Definition at line 2682 of file dnssec_verify.c.

References ldns_key_buf2dsa_raw(), LDNS_STATUS_CRYPTO_ALGO_NOT_IMPL, LDNS_STATUS_SSL_ERR, and ldns_verify_rrsig_evp_raw().

◆ ldns_verify_rrsig_rsasha1_raw()

ldns_status ldns_verify_rrsig_rsasha1_raw ( unsigned char *  sig,
size_t  siglen,
ldns_buffer rrset,
unsigned char *  key,
size_t  keylen 
)

Like ldns_verify_rrsig_rsasha1, but uses raw signature and key data.

Parameters
[in] sig: raw uncompressed wireformat signature data
[in] siglen: length of the signature data
[in] rrset: ldns buffer with prepared rrset data
[in] key: raw uncompressed wireformat key data
[in] keylen: length of the key data

Definition at line 2713 of file dnssec_verify.c.

References ldns_key_buf2rsa_raw(), LDNS_STATUS_SSL_ERR, and ldns_verify_rrsig_evp_raw().

◆ ldns_verify_rrsig_rsasha256_raw()

ldns_status ldns_verify_rrsig_rsasha256_raw ( unsigned char *  sig,
size_t  siglen,
ldns_buffer rrset,
unsigned char *  key,
size_t  keylen 
)

Like ldns_verify_rrsig_rsasha256, but uses raw signature and key data.

Parameters
[in] sig: raw uncompressed wireformat signature data
[in] siglen: length of the signature data
[in] rrset: ldns buffer with prepared rrset data
[in] key: raw uncompressed wireformat key data
[in] keylen: length of the key data

Definition at line 2735 of file dnssec_verify.c.

References ldns_key_buf2rsa_raw(), LDNS_STATUS_CRYPTO_UNKNOWN_ALGO, LDNS_STATUS_SSL_ERR, and ldns_verify_rrsig_evp_raw().

◆ ldns_verify_rrsig_rsasha512_raw()

ldns_status ldns_verify_rrsig_rsasha512_raw ( unsigned char *  sig,
size_t  siglen,
ldns_buffer rrset,
unsigned char *  key,
size_t  keylen 
)

Like ldns_verify_rrsig_rsasha512, but uses raw signature and key data.

Parameters
[in] sig: raw uncompressed wireformat signature data
[in] siglen: length of the signature data
[in] rrset: ldns buffer with prepared rrset data
[in] key: raw uncompressed wireformat key data
[in] keylen: length of the key data

Definition at line 2770 of file dnssec_verify.c.

References ldns_key_buf2rsa_raw(), LDNS_STATUS_CRYPTO_UNKNOWN_ALGO, LDNS_STATUS_SSL_ERR, and ldns_verify_rrsig_evp_raw().

◆ ldns_verify_rrsig_rsamd5_raw()

ldns_status ldns_verify_rrsig_rsamd5_raw ( unsigned char *  sig,
size_t  siglen,
ldns_buffer rrset,
unsigned char *  key,
size_t  keylen 
)

Like ldns_verify_rrsig_rsamd5, but uses raw signature and key data.

Parameters
[in] sig: raw uncompressed wireformat signature data
[in] siglen: length of the signature data
[in] rrset: ldns buffer with prepared rrset data
[in] key: raw uncompressed wireformat key data
[in] keylen: length of the key data

Definition at line 2806 of file dnssec_verify.c.

References ldns_key_buf2rsa_raw(), LDNS_STATUS_SSL_ERR, and ldns_verify_rrsig_evp_raw().