Data Structures | |
struct | ldns_dnssec_data_chain_struct |
struct | ldns_dnssec_trust_tree_struct |
Macros | |
#define | LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS 10 |
dnssec_verify | |
Typedefs | |
typedef struct ldns_dnssec_data_chain_struct | ldns_dnssec_data_chain |
Chain structure that contains all DNSSEC data needed to verify an rrset. | |
typedef struct ldns_dnssec_trust_tree_struct | ldns_dnssec_trust_tree |
Tree structure that contains the relation of DNSSEC data, and their cryptographic status. | |
Functions | |
ldns_dnssec_data_chain * | ldns_dnssec_data_chain_new (void) |
Creates a new dnssec_chain structure. | |
void | ldns_dnssec_data_chain_free (ldns_dnssec_data_chain *chain) |
Frees a dnssec_data_chain structure. | |
void | ldns_dnssec_data_chain_deep_free (ldns_dnssec_data_chain *chain) |
Frees a dnssec_data_chain structure, and all data contained therein. | |
void | ldns_dnssec_data_chain_print (FILE *out, const ldns_dnssec_data_chain *chain) |
Prints the dnssec_data_chain to the given file stream. | |
void | ldns_dnssec_data_chain_print_fmt (FILE *out, const ldns_output_format *fmt, const ldns_dnssec_data_chain *chain) |
Prints the dnssec_data_chain to the given file stream. | |
ldns_dnssec_data_chain * | ldns_dnssec_build_data_chain (ldns_resolver *res, const uint16_t qflags, const ldns_rr_list *data_set, const ldns_pkt *pkt, ldns_rr *orig_rr) |
Build an ldns_dnssec_data_chain, which contains all DNSSEC data that is needed to derive the trust tree later. | |
ldns_dnssec_trust_tree * | ldns_dnssec_trust_tree_new (void) |
Creates a new (empty) dnssec_trust_tree structure. | |
void | ldns_dnssec_trust_tree_free (ldns_dnssec_trust_tree *tree) |
Frees the dnssec_trust_tree recursively. | |
size_t | ldns_dnssec_trust_tree_depth (ldns_dnssec_trust_tree *tree) |
returns the depth of the trust tree | |
void | ldns_dnssec_trust_tree_print (FILE *out, ldns_dnssec_trust_tree *tree, size_t tabs, signed char extended) |
Prints the dnssec_trust_tree structure to the given file stream. | |
void | ldns_dnssec_trust_tree_print_fmt (FILE *out, const ldns_output_format *fmt, ldns_dnssec_trust_tree *tree, size_t tabs, signed char extended) |
Prints the dnssec_trust_tree structure to the given file stream. | |
ldns_status | ldns_dnssec_trust_tree_add_parent (ldns_dnssec_trust_tree *tree, const ldns_dnssec_trust_tree *parent, const ldns_rr *parent_signature, const ldns_status parent_status) |
Adds a trust tree as a parent for the given trust tree. | |
ldns_dnssec_trust_tree * | ldns_dnssec_derive_trust_tree (ldns_dnssec_data_chain *data_chain, ldns_rr *rr) |
Generates a dnssec_trust_tree for the given rr from the given data_chain. | |
ldns_dnssec_trust_tree * | ldns_dnssec_derive_trust_tree_time (ldns_dnssec_data_chain *data_chain, ldns_rr *rr, time_t check_time) |
Generates a dnssec_trust_tree for the given rr from the given data_chain. | |
void | ldns_dnssec_derive_trust_tree_normal_rrset (ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_sig_rr) |
Sub function for derive_trust_tree that is used for a 'normal' rrset. | |
void | ldns_dnssec_derive_trust_tree_normal_rrset_time (ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_sig_rr, time_t check_time) |
Sub function for derive_trust_tree that is used for a 'normal' rrset. | |
void | ldns_dnssec_derive_trust_tree_dnskey_rrset (ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr, ldns_rr *cur_sig_rr) |
Sub function for derive_trust_tree that is used for DNSKEY rrsets. | |
void | ldns_dnssec_derive_trust_tree_dnskey_rrset_time (ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr, ldns_rr *cur_sig_rr, time_t check_time) |
Sub function for derive_trust_tree that is used for DNSKEY rrsets. | |
void | ldns_dnssec_derive_trust_tree_ds_rrset (ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr) |
Sub function for derive_trust_tree that is used for DS rrsets. | |
void | ldns_dnssec_derive_trust_tree_ds_rrset_time (ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr, time_t check_time) |
Sub function for derive_trust_tree that is used for DS rrsets. | |
void | ldns_dnssec_derive_trust_tree_no_sig (ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain) |
Sub function for derive_trust_tree that is used when there are no signatures. | |
void | ldns_dnssec_derive_trust_tree_no_sig_time (ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, time_t check_time) |
Sub function for derive_trust_tree that is used when there are no signatures. | |
ldns_status | ldns_dnssec_trust_tree_contains_keys (ldns_dnssec_trust_tree *tree, ldns_rr_list *keys) |
Returns OK if there is a trusted path in the tree to one of the DNSKEY or DS RRs in the given list. | |
ldns_status | ldns_verify (ldns_rr_list *rrset, ldns_rr_list *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys) |
Verifies a list of signatures for one rrset. | |
ldns_status | ldns_verify_time (const ldns_rr_list *rrset, const ldns_rr_list *rrsig, const ldns_rr_list *keys, time_t check_time, ldns_rr_list *good_keys) |
Verifies a list of signatures for one rrset. | |
ldns_status | ldns_verify_notime (ldns_rr_list *rrset, ldns_rr_list *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys) |
Verifies a list of signatures for one rrset, but disregards the time. | |
ldns_rr_list * | ldns_fetch_valid_domain_keys (const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, ldns_status *status) |
Tries to build an authentication chain from the given keys down to the queried domain. | |
ldns_rr_list * | ldns_fetch_valid_domain_keys_time (const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, time_t check_time, ldns_status *status) |
Tries to build an authentication chain from the given keys down to the queried domain. | |
ldns_rr_list * | ldns_validate_domain_dnskey (const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys) |
Validates the DNSKEY RRset for the given domain using the provided trusted keys. | |
ldns_rr_list * | ldns_validate_domain_dnskey_time (const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, time_t check_time) |
Validates the DNSKEY RRset for the given domain using the provided trusted keys. | |
ldns_rr_list * | ldns_validate_domain_ds (const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys) |
Validates the DS RRset for the given domain using the provided trusted keys. | |
ldns_rr_list * | ldns_validate_domain_ds_time (const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, time_t check_time) |
Validates the DS RRset for the given domain using the provided trusted keys. | |
ldns_status | ldns_verify_trusted (ldns_resolver *res, ldns_rr_list *rrset, ldns_rr_list *rrsigs, ldns_rr_list *validating_keys) |
Verifies a list of signatures for one RRset using a valid trust path. | |
ldns_status | ldns_verify_trusted_time (ldns_resolver *res, ldns_rr_list *rrset, ldns_rr_list *rrsigs, time_t check_time, ldns_rr_list *validating_keys) |
Verifies a list of signatures for one RRset using a valid trust path. | |
ldns_status | ldns_dnssec_verify_denial (ldns_rr *rr, ldns_rr_list *nsecs, ldns_rr_list *rrsigs) |
Verifies denial of existence using the given NSEC records and their signatures. | |
ldns_status | ldns_dnssec_verify_denial_nsec3 (ldns_rr *rr, ldns_rr_list *nsecs, ldns_rr_list *rrsigs, ldns_pkt_rcode packet_rcode, ldns_rr_type packet_qtype, signed char packet_nodata) |
Denial of existence using NSEC3 records. Since NSEC3 is a bit more complicated than normal denial, some context arguments are needed. | |
ldns_status | ldns_dnssec_verify_denial_nsec3_match (ldns_rr *rr, ldns_rr_list *nsecs, ldns_rr_list *rrsigs, ldns_pkt_rcode packet_rcode, ldns_rr_type packet_qtype, signed char packet_nodata, ldns_rr **match) |
Same as ldns_dnssec_verify_denial_nsec3, but also returns the NSEC RR that matched. | |
ldns_status | ldns_verify_rrsig_buffers (ldns_buffer *rawsig_buf, ldns_buffer *verify_buf, ldns_buffer *key_buf, uint8_t algo) |
Verifies the already processed data in the buffers. This function should probably not be used directly. | |
ldns_status | ldns_verify_rrsig_buffers_raw (unsigned char *sig, size_t siglen, ldns_buffer *verify_buf, unsigned char *key, size_t keylen, uint8_t algo) |
Like ldns_verify_rrsig_buffers, but uses raw data. | |
ldns_status | ldns_verify_rrsig_keylist (ldns_rr_list *rrset, ldns_rr *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys) |
Verifies an rrsig. | |
ldns_status | ldns_verify_rrsig_keylist_time (const ldns_rr_list *rrset, const ldns_rr *rrsig, const ldns_rr_list *keys, time_t check_time, ldns_rr_list *good_keys) |
Verifies an rrsig. | |
ldns_status | ldns_verify_rrsig_keylist_notime (const ldns_rr_list *rrset, const ldns_rr *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys) |
Verifies an rrsig. | |
ldns_status | ldns_verify_rrsig (ldns_rr_list *rrset, ldns_rr *rrsig, ldns_rr *key) |
verify an rrsig with 1 key | |
ldns_status | ldns_verify_rrsig_time (ldns_rr_list *rrset, ldns_rr *rrsig, ldns_rr *key, time_t check_time) |
verify an rrsig with 1 key | |
ldns_status | ldns_verify_rrsig_evp (ldns_buffer *sig, ldns_buffer *rrset, EVP_PKEY *key, const EVP_MD *digest_type) |
verifies a buffer with signature data for a buffer with rrset data with an EVP_PKEY | |
ldns_status | ldns_verify_rrsig_evp_raw (const unsigned char *sig, size_t siglen, const ldns_buffer *rrset, EVP_PKEY *key, const EVP_MD *digest_type) |
Like ldns_verify_rrsig_evp, but uses raw signature data. | |
ldns_status | ldns_verify_rrsig_dsa (ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key) |
verifies a buffer with signature data (DSA) for a buffer with rrset data with a buffer with key data. | |
ldns_status | ldns_verify_rrsig_rsasha1 (ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key) |
verifies a buffer with signature data (RSASHA1) for a buffer with rrset data with a buffer with key data. | |
ldns_status | ldns_verify_rrsig_rsamd5 (ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key) |
verifies a buffer with signature data (RSAMD5) for a buffer with rrset data with a buffer with key data. | |
ldns_status | ldns_verify_rrsig_dsa_raw (unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen) |
Like ldns_verify_rrsig_dsa, but uses raw signature and key data. | |
ldns_status | ldns_verify_rrsig_rsasha1_raw (unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen) |
Like ldns_verify_rrsig_rsasha1, but uses raw signature and key data. | |
ldns_status | ldns_verify_rrsig_rsasha256_raw (unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen) |
Like ldns_verify_rrsig_rsasha256, but uses raw signature and key data. | |
ldns_status | ldns_verify_rrsig_rsasha512_raw (unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen) |
Like ldns_verify_rrsig_rsasha512, but uses raw signature and key data. | |
ldns_status | ldns_verify_rrsig_rsamd5_raw (unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen) |
Like ldns_verify_rrsig_rsamd5, but uses raw signature and key data. | |
#define LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS 10 |
dnssec_verify
Definition at line 6 of file dnssec_verify.h.
typedef struct ldns_dnssec_data_chain_struct ldns_dnssec_data_chain |
Chain structure that contains all DNSSEC data needed to verify an rrset.
Definition at line 19 of file dnssec_verify.h.
typedef struct ldns_dnssec_trust_tree_struct ldns_dnssec_trust_tree |
Tree structure that contains the relation of DNSSEC data, and their cryptographic status.
This tree is derived from a data_chain, and can be used to check whether there is a connection between an RRSET and a trusted key. The tree only contains pointers to the data_chain, and therefore one should never free() the data_chain while there is still a trust tree derived from that chain.
Example tree:

    key   key   key
      \    |    /
       \   |   /
        \  |  /
          ds
          |
         key
          |
         key
          |
          rr
For each signature there is a parent; if the parent pointer is null, it couldn't be found and there was no denial; otherwise it is a tree that contains either a DNSKEY, a DS, or an NSEC RR.
Definition at line 121 of file dnssec_verify.h.
ldns_dnssec_data_chain * ldns_dnssec_data_chain_new | ( | void | ) |
Creates a new dnssec_chain structure.
Definition at line 19 of file dnssec_verify.c.
References LDNS_CALLOC.
void ldns_dnssec_data_chain_free | ( | ldns_dnssec_data_chain * | chain | ) |
Frees a dnssec_data_chain structure.
[in] | *chain | The chain to free |
Definition at line 39 of file dnssec_verify.c.
References LDNS_FREE.
void ldns_dnssec_data_chain_deep_free | ( | ldns_dnssec_data_chain * | chain | ) |
Frees a dnssec_data_chain structure, and all data contained therein.
[in] | *chain | The dnssec_data_chain to free |
Definition at line 45 of file dnssec_verify.c.
References ldns_dnssec_data_chain_deep_free(), LDNS_FREE, ldns_rr_list_deep_free(), ldns_dnssec_data_chain_struct::parent, ldns_dnssec_data_chain_struct::rrset, and ldns_dnssec_data_chain_struct::signatures.
void ldns_dnssec_data_chain_print | ( | FILE * | out, |
const ldns_dnssec_data_chain * | chain | ||
) |
Prints the dnssec_data_chain to the given file stream.
[in] | *out | The file stream to print to |
[in] | *chain | The dnssec_data_chain to print |
Definition at line 91 of file dnssec_verify.c.
References ldns_dnssec_data_chain_print_fmt(), and ldns_output_format_default.
void ldns_dnssec_data_chain_print_fmt | ( | FILE * | out, |
const ldns_output_format * | fmt, | ||
const ldns_dnssec_data_chain * | chain | ||
) |
Prints the dnssec_data_chain to the given file stream.
[in] | *out | The file stream to print to |
[in] | *fmt | The format of the textual representation |
[in] | *chain | The dnssec_data_chain to print |
Definition at line 56 of file dnssec_verify.c.
References ldns_struct_rr_descriptor::_name, ldns_dnssec_data_chain_print_fmt(), ldns_lookup_by_id(), ldns_rcodes, ldns_rr_descript(), ldns_rr_list_print_fmt(), ldns_rr_list_rr_count(), ldns_struct_lookup_table::name, ldns_dnssec_data_chain_struct::packet_nodata, ldns_dnssec_data_chain_struct::packet_qtype, ldns_dnssec_data_chain_struct::packet_rcode, ldns_dnssec_data_chain_struct::parent, ldns_dnssec_data_chain_struct::rrset, and ldns_dnssec_data_chain_struct::signatures.
ldns_dnssec_data_chain * ldns_dnssec_build_data_chain | ( | ldns_resolver * | res, |
const uint16_t | qflags, | ||
const ldns_rr_list * | data_set, | ||
const ldns_pkt * | pkt, | ||
ldns_rr * | orig_rr | ||
) |
Build an ldns_dnssec_data_chain, which contains all DNSSEC data that is needed to derive the trust tree later.
The data_set will be cloned
[in] | *res | resolver structure for further needed queries |
[in] | qflags | resolution flags |
[in] | *data_set | The original rrset where the chain ends |
[in] | *pkt | optional, can contain the original packet (and hence the sigs and maybe the key) |
[in] | *orig_rr | The original Resource Record |
Definition at line 270 of file dnssec_verify.c.
References ldns_dname_is_subdomain(), ldns_dnssec_build_data_chain(), ldns_dnssec_data_chain_new(), ldns_dnssec_pkt_get_rrsigs_for_name_and_type(), ldns_dnssec_pkt_get_rrsigs_for_type(), ldns_dnssec_pkt_has_rrsigs(), ldns_pkt_ancount(), ldns_pkt_free(), ldns_pkt_get_rcode(), ldns_pkt_rr_list_by_type(), ldns_resolver_query(), ldns_rr_get_class(), ldns_rr_get_type(), ldns_rr_list_clone(), ldns_rr_list_deep_free(), ldns_rr_list_new(), ldns_rr_list_push_rr(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), ldns_rr_owner(), ldns_rr_rdf(), LDNS_RR_TYPE_DNSKEY, LDNS_RR_TYPE_DS, LDNS_RR_TYPE_NSEC, LDNS_RR_TYPE_NSEC3, LDNS_SECTION_ANY_NOQUESTION, ldns_dnssec_data_chain_struct::packet_nodata, ldns_dnssec_data_chain_struct::packet_qtype, ldns_dnssec_data_chain_struct::packet_rcode, ldns_dnssec_data_chain_struct::parent, and ldns_dnssec_data_chain_struct::rrset.
ldns_dnssec_trust_tree * ldns_dnssec_trust_tree_new | ( | void | ) |
Creates a new (empty) dnssec_trust_tree structure.
Definition at line 445 of file dnssec_verify.c.
References LDNS_XMALLOC, ldns_dnssec_trust_tree_struct::parent_count, ldns_dnssec_trust_tree_struct::rr, and ldns_dnssec_trust_tree_struct::rrset.
void ldns_dnssec_trust_tree_free | ( | ldns_dnssec_trust_tree * | tree | ) |
Frees the dnssec_trust_tree recursively.
There is no deep free; all data in the trust tree consists of pointers to a data_chain
[in] | tree | The tree to free |
Definition at line 458 of file dnssec_verify.c.
References ldns_dnssec_trust_tree_free(), LDNS_FREE, ldns_dnssec_trust_tree_struct::parent_count, and ldns_dnssec_trust_tree_struct::parents.
size_t ldns_dnssec_trust_tree_depth | ( | ldns_dnssec_trust_tree * | tree | ) |
returns the depth of the trust tree
[in] | tree | tree to calculate the depth of |
Definition at line 470 of file dnssec_verify.c.
References ldns_dnssec_trust_tree_depth(), ldns_dnssec_trust_tree_struct::parent_count, and ldns_dnssec_trust_tree_struct::parents.
void ldns_dnssec_trust_tree_print | ( | FILE * | out, |
ldns_dnssec_trust_tree * | tree, | ||
size_t | tabs, | ||
signed char | extended | ||
) |
Prints the dnssec_trust_tree structure to the given file stream.
If a link status is not LDNS_STATUS_OK, the status and relevant signatures are printed too.
[in] | *out | The file stream to print to |
[in] | tree | The trust tree to print |
[in] | tabs | Prepend each line with tabs*2 spaces |
[in] | extended | If true, add little explanation lines to the output |
Definition at line 647 of file dnssec_verify.c.
References ldns_dnssec_trust_tree_print_fmt(), and ldns_output_format_default.
void ldns_dnssec_trust_tree_print_fmt | ( | FILE * | out, |
const ldns_output_format * | fmt, | ||
ldns_dnssec_trust_tree * | tree, | ||
size_t | tabs, | ||
signed char | extended | ||
) |
Prints the dnssec_trust_tree structure to the given file stream.
If a link status is not LDNS_STATUS_OK, the status and relevant signatures are printed too.
[in] | *out | The file stream to print to |
[in] | *fmt | The format of the textual representation |
[in] | tree | The trust tree to print |
[in] | tabs | Prepend each line with tabs*2 spaces |
[in] | extended | If true, add little explanation lines to the output |
Definition at line 637 of file dnssec_verify.c.
ldns_status ldns_dnssec_trust_tree_add_parent | ( | ldns_dnssec_trust_tree * | tree, |
const ldns_dnssec_trust_tree * | parent, | ||
const ldns_rr * | parent_signature, | ||
const ldns_status | parent_status | ||
) |
Adds a trust tree as a parent for the given trust tree.
[in] | *tree | The tree to add the parent to |
[in] | *parent | The parent tree to add |
[in] | *parent_signature | The RRSIG relevant to this parent/child connection |
[in] | parent_status | The DNSSEC status for this parent, child and RRSIG |
Definition at line 658 of file dnssec_verify.c.
References LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS, LDNS_STATUS_ERR, LDNS_STATUS_OK, ldns_dnssec_trust_tree_struct::parent_count, ldns_dnssec_trust_tree_struct::parent_signature, ldns_dnssec_trust_tree_struct::parent_status, and ldns_dnssec_trust_tree_struct::parents.
ldns_dnssec_trust_tree * ldns_dnssec_derive_trust_tree | ( | ldns_dnssec_data_chain * | data_chain, |
ldns_rr * | rr | ||
) |
Generates a dnssec_trust_tree for the given rr from the given data_chain.
This does not clone the actual data; don't free the data_chain before you are done with this tree.
[in] | *data_chain | The chain to derive the trust tree from |
[in] | *rr | The RR this tree will be about |
Definition at line 786 of file dnssec_verify.c.
References ldns_dnssec_derive_trust_tree_time().
ldns_dnssec_trust_tree * ldns_dnssec_derive_trust_tree_time | ( | ldns_dnssec_data_chain * | data_chain, |
ldns_rr * | rr, | ||
time_t | check_time | ||
) |
Generates a dnssec_trust_tree for the given rr from the given data_chain.
This does not clone the actual data; don't free the data_chain before you are done with this tree.
[in] | *data_chain | The chain to derive the trust tree from |
[in] | *rr | The RR this tree will be about |
[in] | check_time | the time for which the validation is performed |
Definition at line 685 of file dnssec_verify.c.
References ldns_dname_compare(), ldns_dnssec_derive_trust_tree_dnskey_rrset_time(), ldns_dnssec_derive_trust_tree_ds_rrset_time(), ldns_dnssec_derive_trust_tree_no_sig_time(), ldns_dnssec_derive_trust_tree_normal_rrset_time(), ldns_dnssec_trust_tree_new(), ldns_rr_get_type(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), ldns_rr_owner(), LDNS_RR_TYPE_NSEC, ldns_dnssec_data_chain_struct::parent, ldns_dnssec_trust_tree_struct::rr, ldns_dnssec_data_chain_struct::rrset, ldns_dnssec_trust_tree_struct::rrset, and ldns_dnssec_data_chain_struct::signatures.
void ldns_dnssec_derive_trust_tree_normal_rrset | ( | ldns_dnssec_trust_tree * | new_tree, |
ldns_dnssec_data_chain * | data_chain, | ||
ldns_rr * | cur_sig_rr | ||
) |
Sub function for derive_trust_tree that is used for a 'normal' rrset.
[in] | new_tree | The trust tree that we are building |
[in] | data_chain | The data chain containing the data for the trust tree |
[in] | cur_sig_rr | The currently relevant signature |
Definition at line 874 of file dnssec_verify.c.
References ldns_dnssec_derive_trust_tree_normal_rrset_time().
void ldns_dnssec_derive_trust_tree_normal_rrset_time | ( | ldns_dnssec_trust_tree * | new_tree, |
ldns_dnssec_data_chain * | data_chain, | ||
ldns_rr * | cur_sig_rr, | ||
time_t | check_time | ||
) |
Sub function for derive_trust_tree that is used for a 'normal' rrset.
[in] | new_tree | The trust tree that we are building |
[in] | data_chain | The data chain containing the data for the trust tree |
[in] | cur_sig_rr | The currently relevant signature |
[in] | check_time | the time for which the validation is performed |
Definition at line 792 of file dnssec_verify.c.
References ldns_calc_keytag(), ldns_dname_compare(), ldns_dnssec_derive_trust_tree_time(), ldns_dnssec_trust_tree_add_parent(), ldns_rdf2native_int16(), ldns_rr_get_type(), ldns_rr_list_clone(), ldns_rr_list_deep_free(), ldns_rr_list_pop_rrset(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), ldns_rr_list_sort(), ldns_rr_owner(), ldns_rr_rrsig_keytag(), LDNS_RR_TYPE_DNSKEY, LDNS_RR_TYPE_NSEC, LDNS_RR_TYPE_NSEC3, ldns_verify_rrsig_time(), ldns_dnssec_data_chain_struct::parent, ldns_dnssec_trust_tree_struct::parent_count, ldns_dnssec_trust_tree_struct::parents, ldns_dnssec_trust_tree_struct::rr, and ldns_dnssec_data_chain_struct::rrset.
void ldns_dnssec_derive_trust_tree_dnskey_rrset | ( | ldns_dnssec_trust_tree * | new_tree, |
ldns_dnssec_data_chain * | data_chain, | ||
ldns_rr * | cur_rr, | ||
ldns_rr * | cur_sig_rr | ||
) |
Sub function for derive_trust_tree that is used for DNSKEY rrsets.
[in] | new_tree | The trust tree that we are building |
[in] | data_chain | The data chain containing the data for the trust tree |
[in] | cur_rr | The currently relevant DNSKEY RR |
[in] | cur_sig_rr | The currently relevant signature |
Definition at line 920 of file dnssec_verify.c.
References ldns_dnssec_derive_trust_tree_dnskey_rrset_time().
void ldns_dnssec_derive_trust_tree_dnskey_rrset_time | ( | ldns_dnssec_trust_tree * | new_tree, |
ldns_dnssec_data_chain * | data_chain, | ||
ldns_rr * | cur_rr, | ||
ldns_rr * | cur_sig_rr, | ||
time_t | check_time | ||
) |
Sub function for derive_trust_tree that is used for DNSKEY rrsets.
[in] | new_tree | The trust tree that we are building |
[in] | data_chain | The data chain containing the data for the trust tree |
[in] | cur_rr | The currently relevant DNSKEY RR |
[in] | cur_sig_rr | The currently relevant signature |
[in] | check_time | the time for which the validation is performed |
Definition at line 883 of file dnssec_verify.c.
References ldns_calc_keytag(), ldns_dnssec_trust_tree_add_parent(), ldns_dnssec_trust_tree_free(), ldns_dnssec_trust_tree_new(), ldns_rdf2native_int16(), ldns_rr_get_type(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), ldns_rr_rrsig_keytag(), LDNS_RR_TYPE_DNSKEY, ldns_verify_rrsig_time(), ldns_dnssec_trust_tree_struct::rr, ldns_dnssec_data_chain_struct::rrset, and ldns_dnssec_trust_tree_struct::rrset.
void ldns_dnssec_derive_trust_tree_ds_rrset | ( | ldns_dnssec_trust_tree * | new_tree, |
ldns_dnssec_data_chain * | data_chain, | ||
ldns_rr * | cur_rr | ||
) |
Sub function for derive_trust_tree that is used for DS rrsets.
[in] | new_tree | The trust tree that we are building |
[in] | data_chain | The data chain containing the data for the trust tree |
[in] | cur_rr | The currently relevant DS RR |
Definition at line 974 of file dnssec_verify.c.
References ldns_dnssec_derive_trust_tree_ds_rrset_time().
void ldns_dnssec_derive_trust_tree_ds_rrset_time | ( | ldns_dnssec_trust_tree * | new_tree, |
ldns_dnssec_data_chain * | data_chain, | ||
ldns_rr * | cur_rr, | ||
time_t | check_time | ||
) |
Sub function for derive_trust_tree that is used for DS rrsets.
[in] | new_tree | The trust tree that we are building |
[in] | data_chain | The data chain containing the data for the trust tree |
[in] | cur_rr | The currently relevant DS RR |
[in] | check_time | the time for which the validation is performed |
Definition at line 930 of file dnssec_verify.c.
References ldns_dnssec_derive_trust_tree_time(), ldns_dnssec_trust_tree_add_parent(), ldns_rr_compare_ds(), ldns_rr_get_type(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), LDNS_RR_TYPE_DNSKEY, LDNS_RR_TYPE_DS, LDNS_STATUS_OK, ldns_dnssec_data_chain_struct::parent, and ldns_dnssec_data_chain_struct::rrset.
void ldns_dnssec_derive_trust_tree_no_sig | ( | ldns_dnssec_trust_tree * | new_tree, |
ldns_dnssec_data_chain * | data_chain | ||
) |
Sub function for derive_trust_tree that is used when there are no signatures.
[in] | new_tree | The trust tree that we are building |
[in] | data_chain | The data chain containing the data for the trust tree |
Definition at line 1036 of file dnssec_verify.c.
References ldns_dnssec_derive_trust_tree_no_sig_time().
void ldns_dnssec_derive_trust_tree_no_sig_time | ( | ldns_dnssec_trust_tree * | new_tree, |
ldns_dnssec_data_chain * | data_chain, | ||
time_t | check_time | ||
) |
Sub function for derive_trust_tree that is used when there are no signatures.
[in] | new_tree | The trust tree that we are building |
[in] | data_chain | The data chain containing the data for the trust tree |
[in] | check_time | the time for which the validation is performed |
Definition at line 983 of file dnssec_verify.c.
References ldns_dnssec_derive_trust_tree_time(), ldns_dnssec_trust_tree_add_parent(), ldns_dnssec_trust_tree_free(), ldns_dnssec_verify_denial(), ldns_dnssec_verify_denial_nsec3(), ldns_rr_get_type(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), LDNS_RR_TYPE_NSEC, LDNS_RR_TYPE_NSEC3, LDNS_STATUS_DNSSEC_NSEC_RR_NOT_COVERED, LDNS_STATUS_OK, ldns_dnssec_data_chain_struct::packet_nodata, ldns_dnssec_data_chain_struct::packet_qtype, ldns_dnssec_data_chain_struct::packet_rcode, ldns_dnssec_data_chain_struct::parent, ldns_dnssec_trust_tree_struct::rr, ldns_dnssec_data_chain_struct::rrset, and ldns_dnssec_data_chain_struct::signatures.
ldns_status ldns_dnssec_trust_tree_contains_keys | ( | ldns_dnssec_trust_tree * | tree, |
ldns_rr_list * | keys | ||
) |
Returns OK if there is a trusted path in the tree to one of the DNSKEY or DS RRs in the given list.
*tree | The trust tree to search |
*keys | An ldns_rr_list of DNSKEY and DS RRs to look for |
Definition at line 1049 of file dnssec_verify.c.
References ldns_dnssec_trust_tree_contains_keys(), ldns_rr_compare_ds(), ldns_rr_get_type(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), LDNS_RR_TYPE_NSEC, LDNS_STATUS_CRYPTO_NO_DNSKEY, LDNS_STATUS_DNSSEC_EXISTENCE_DENIED, LDNS_STATUS_ERR, LDNS_STATUS_OK, ldns_dnssec_trust_tree_struct::parent_count, ldns_dnssec_trust_tree_struct::parent_status, ldns_dnssec_trust_tree_struct::parents, and ldns_dnssec_trust_tree_struct::rr.
ldns_status ldns_verify | ( | ldns_rr_list * | rrset, |
ldns_rr_list * | rrsig, | ||
const ldns_rr_list * | keys, | ||
ldns_rr_list * | good_keys | ||
) |
Verifies a list of signatures for one rrset.
[in] | rrset | the rrset to verify |
[in] | rrsig | a list of signatures to check |
[in] | keys | a list of keys to check with |
[out] | good_keys | if this is an (initialized) list, pointers to the keys from keys that validate one of the signatures are added to it |
Definition at line 1142 of file dnssec_verify.c.
References ldns_verify_time().
ldns_status ldns_verify_time | ( | const ldns_rr_list * | rrset, |
const ldns_rr_list * | rrsig, | ||
const ldns_rr_list * | keys, | ||
time_t | check_time, | ||
ldns_rr_list * | good_keys | ||
) |
Verifies a list of signatures for one rrset.
[in] | rrset | the rrset to verify |
[in] | rrsig | a list of signatures to check |
[in] | keys | a list of keys to check with |
[in] | check_time | the time for which the validation is performed |
[out] | good_keys | if this is an (initialized) list, pointers to the keys from keys that validate one of the signatures are added to it |
Definition at line 1098 of file dnssec_verify.c.
References ldns_rr_list_rr(), ldns_rr_list_rr_count(), LDNS_STATUS_CRYPTO_NO_MATCHING_KEYTAG_DNSKEY, LDNS_STATUS_CRYPTO_NO_RRSIG, LDNS_STATUS_CRYPTO_NO_TRUSTED_DNSKEY, LDNS_STATUS_ERR, LDNS_STATUS_OK, and ldns_verify_rrsig_keylist_time().
ldns_status ldns_verify_notime | ( | ldns_rr_list * | rrset, |
ldns_rr_list * | rrsig, | ||
const ldns_rr_list * | keys, | ||
ldns_rr_list * | good_keys | ||
) |
Verifies a list of signatures for one rrset, but disregards the time.
Inception and Expiration of the signatures are not checked.
[in] | rrset | the rrset to verify |
[in] | rrsig | a list of signatures to check |
[in] | keys | a list of keys to check with |
[out] | good_keys | if this is an (initialized) list, pointers to the keys from keys that validate one of the signatures are added to it |
Definition at line 1149 of file dnssec_verify.c.
References ldns_rr_list_rr(), ldns_rr_list_rr_count(), LDNS_STATUS_CRYPTO_NO_MATCHING_KEYTAG_DNSKEY, LDNS_STATUS_CRYPTO_NO_RRSIG, LDNS_STATUS_CRYPTO_NO_TRUSTED_DNSKEY, LDNS_STATUS_ERR, LDNS_STATUS_OK, and ldns_verify_rrsig_keylist_notime().
ldns_rr_list * ldns_fetch_valid_domain_keys | ( | const ldns_resolver * | res, |
const ldns_rdf * | domain, | ||
const ldns_rr_list * | keys, | ||
ldns_status * | status | ||
) |
Tries to build an authentication chain from the given keys down to the queried domain.
If we find a valid trust path, return the valid keys for the domain.
[in] | res | the current resolver |
[in] | domain | the domain we want valid keys for |
[in] | keys | the current set of trusted keys |
[out] | status | pointer to the status variable where the result code will be stored |
Definition at line 1257 of file dnssec_verify.c.
References ldns_fetch_valid_domain_keys_time().
ldns_rr_list * ldns_fetch_valid_domain_keys_time | ( | const ldns_resolver * | res, |
const ldns_rdf * | domain, | ||
const ldns_rr_list * | keys, | ||
time_t | check_time, | ||
ldns_status * | status | ||
) |
Tries to build an authentication chain from the given keys down to the queried domain.
If we find a valid trust path, return the valid keys for the domain.
[in] | res | the current resolver |
[in] | domain | the domain we want valid keys for |
[in] | keys | the current set of trusted keys |
[in] | check_time | the time for which the validation is performed |
[out] | status | pointer to the status variable where the result code will be stored |
Definition at line 1189 of file dnssec_verify.c.
References ldns_dname_left_chop(), ldns_fetch_valid_domain_keys_time(), ldns_rdf_deep_free(), ldns_rdf_size(), ldns_rr_list_deep_free(), LDNS_STATUS_CRYPTO_NO_TRUSTED_DNSKEY, LDNS_STATUS_CRYPTO_NO_TRUSTED_DS, LDNS_STATUS_OK, ldns_validate_domain_dnskey_time(), and ldns_validate_domain_ds_time().
ldns_rr_list * ldns_validate_domain_dnskey | ( | const ldns_resolver * | res, |
const ldns_rdf * | domain, | ||
const ldns_rr_list * | keys | ||
) |
Validates the DNSKEY RRset for the given domain using the provided trusted keys.
[in] | res | the current resolver |
[in] | domain | the domain we want valid keys for |
[in] | keys | the current set of trusted keys |
Definition at line 1361 of file dnssec_verify.c.
References ldns_validate_domain_dnskey_time().
ldns_rr_list * ldns_validate_domain_dnskey_time | ( | const ldns_resolver * | res, |
const ldns_rdf * | domain, | ||
const ldns_rr_list * | keys, | ||
time_t | check_time | ||
) |
Validates the DNSKEY RRset for the given domain using the provided trusted keys.
[in] | res | the current resolver |
[in] | domain | the domain we want valid keys for |
[in] | keys | the current set of trusted keys |
[in] | check_time | the time for which the validation is performed |
Definition at line 1267 of file dnssec_verify.c.
References ldns_calc_keytag(), ldns_pkt_free(), ldns_pkt_rr_list_by_type(), LDNS_RD, ldns_rdf2native_int16(), ldns_resolver_query(), LDNS_RR_CLASS_IN, ldns_rr_clone(), ldns_rr_compare_ds(), ldns_rr_list_deep_free(), ldns_rr_list_new(), ldns_rr_list_push_rr(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), ldns_rr_rrsig_keytag(), LDNS_RR_TYPE_DNSKEY, LDNS_RR_TYPE_RRSIG, LDNS_SECTION_ANSWER, LDNS_STATUS_OK, and ldns_verify_rrsig_time().
ldns_rr_list * ldns_validate_domain_ds | ( | const ldns_resolver * | res, |
const ldns_rdf * | domain, | ||
const ldns_rr_list * | keys | ||
) |
Validates the DS RRset for the given domain using the provided trusted keys.
[in] | res | the current resolver |
[in] | domain | the domain we want valid keys for |
[in] | keys | the current set of trusted keys |
Definition at line 1418 of file dnssec_verify.c.
References ldns_validate_domain_ds_time().
ldns_rr_list * ldns_validate_domain_ds_time | ( | const ldns_resolver * | res, |
const ldns_rdf * | domain, | ||
const ldns_rr_list * | keys, | ||
time_t | check_time | ||
) |
Validates the DS RRset for the given domain using the provided trusted keys.
[in] | res | the current resolver |
[in] | domain | the domain we want valid keys for |
[in] | keys | the current set of trusted keys |
[in] | check_time | the time for which the validation is performed |
Definition at line 1370 of file dnssec_verify.c.
References ldns_pkt_free(), ldns_pkt_rr_list_by_type(), LDNS_RD, ldns_resolver_query(), LDNS_RR_CLASS_IN, ldns_rr_clone(), ldns_rr_list_deep_free(), ldns_rr_list_new(), ldns_rr_list_push_rr(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), LDNS_RR_TYPE_DS, LDNS_RR_TYPE_RRSIG, LDNS_SECTION_ANSWER, LDNS_STATUS_OK, and ldns_verify_time().
ldns_status ldns_verify_trusted | ( | ldns_resolver * | res, |
ldns_rr_list * | rrset, | ||
ldns_rr_list * | rrsigs, | ||
ldns_rr_list * | validating_keys | ||
) |
Verifies a list of signatures for one RRset using a valid trust path.
[in] | res | the current resolver |
[in] | rrset | the rrset to verify |
[in] | rrsigs | a list of signatures to check |
[out] | validating_keys | if this is an (initialized) list, the keys from keys that validate one of the signatures are added to it |
Definition at line 1489 of file dnssec_verify.c.
References ldns_verify_trusted_time().
ldns_status ldns_verify_trusted_time | ( | ldns_resolver * | res, |
ldns_rr_list * | rrset, | ||
ldns_rr_list * | rrsigs, | ||
time_t | check_time, | ||
ldns_rr_list * | validating_keys | ||
) |
Verifies a list of signatures for one RRset using a valid trust path.
[in] | res | the current resolver |
[in] | rrset | the rrset to verify |
[in] | rrsigs | a list of signatures to check |
[in] | check_time | the time for which the validation is performed |
[out] | validating_keys | if this is an (initialized) list, the keys from keys that validate one of the signatures are added to it |
Definition at line 1426 of file dnssec_verify.c.
References ldns_fetch_valid_domain_keys_time(), ldns_resolver_dnssec_anchors(), ldns_rr_clone(), ldns_rr_list_deep_free(), ldns_rr_list_push_rr(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), ldns_rr_rrsig_signame(), LDNS_STATUS_CRYPTO_NO_RRSIG, LDNS_STATUS_ERR, LDNS_STATUS_OK, and ldns_verify_rrsig_time().
ldns_status ldns_dnssec_verify_denial | ( | ldns_rr * | rr, |
ldns_rr_list * | nsecs, | ||
ldns_rr_list * | rrsigs | ||
) |
Verifies the denial of existence of an RR using NSEC records.
[in] | rr | The (query) RR to check the denial of existence for |
[in] | nsecs | The list of NSEC RRs that are supposed to deny the existence of the RR |
[in] | rrsigs | The RRSIG RR covering the NSEC RRs |
Definition at line 1501 of file dnssec_verify.c.
References ldns_dname_cat(), ldns_dname_compare(), ldns_dname_label_count(), ldns_dname_left_chop(), ldns_dname_new_frm_str(), ldns_dnssec_get_rrsig_for_name_and_type(), ldns_nsec_bitmap_covers_type(), ldns_nsec_covers_name(), ldns_nsec_get_bitmap(), ldns_rdf2native_int8(), ldns_rdf_data(), ldns_rdf_deep_free(), ldns_rdf_size(), ldns_rr_get_type(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), ldns_rr_owner(), ldns_rr_rrsig_labels(), LDNS_STATUS_DNSSEC_NSEC_RR_NOT_COVERED, LDNS_STATUS_DNSSEC_NSEC_WILDCARD_NOT_COVERED, and LDNS_STATUS_OK.
ldns_status ldns_dnssec_verify_denial_nsec3 | ( | ldns_rr * | rr, |
ldns_rr_list * | nsecs, | ||
ldns_rr_list * | rrsigs, | ||
ldns_pkt_rcode | packet_rcode, | ||
ldns_rr_type | packet_qtype, | ||
signed char | packet_nodata | ||
) |
Denial of existence using NSEC3 records. Since NSEC3 is a bit more complicated than normal denial, some context arguments are needed.
[in] | rr | The (query) RR to check the denial of existence for |
[in] | nsecs | The list of NSEC3 RRs that are supposed to deny the existence of the RR |
[in] | rrsigs | The RRSIG RR covering the NSEC3 RRs |
[in] | packet_rcode | The RCODE value of the packet that provided the NSEC3 RRs |
[in] | packet_qtype | The original query RR type |
[in] | packet_nodata | True if the providing packet had an empty ANSWER section |
Definition at line 1810 of file dnssec_verify.c.
References ldns_dnssec_verify_denial_nsec3_match().
ldns_status ldns_dnssec_verify_denial_nsec3_match | ( | ldns_rr * | rr, |
ldns_rr_list * | nsecs, | ||
ldns_rr_list * | rrsigs, | ||
ldns_pkt_rcode | packet_rcode, | ||
ldns_rr_type | packet_qtype, | ||
signed char | packet_nodata, | ||
ldns_rr ** | match | ||
) |
Same as ldns_dnssec_verify_denial_nsec3, but also returns the NSEC3 RR that matched.
[in] | rr | The (query) RR to check the denial of existence for |
[in] | nsecs | The list of NSEC3 RRs that are supposed to deny the existence of the RR |
[in] | rrsigs | The RRSIG RR covering the NSEC3 RRs |
[in] | packet_rcode | The RCODE value of the packet that provided the NSEC3 RRs |
[in] | packet_qtype | The original query RR type |
[in] | packet_nodata | True if the providing packet had an empty ANSWER section |
[out] | match | On match, the given (reference to a) pointer will be set to point to the matching nsec resource record. |
ldns_status ldns_verify_rrsig_buffers | ( | ldns_buffer * | rawsig_buf, |
ldns_buffer * | verify_buf, | ||
ldns_buffer * | key_buf, | ||
uint8_t | algo | ||
) |
Verifies the already processed data in the buffers. This function should probably not be used directly.
[in] | rawsig_buf | Buffer containing signature data to use |
[in] | verify_buf | Buffer containing data to verify |
[in] | key_buf | Buffer containing key data to use |
[in] | algo | Signing algorithm |
Definition at line 2009 of file dnssec_verify.c.
References ldns_verify_rrsig_buffers_raw().
ldns_status ldns_verify_rrsig_buffers_raw | ( | unsigned char * | sig, |
size_t | siglen, | ||
ldns_buffer * | verify_buf, | ||
unsigned char * | key, | ||
size_t | keylen, | ||
uint8_t | algo | ||
) |
Like ldns_verify_rrsig_buffers, but uses raw data.
[in] | sig | signature data to use |
[in] | siglen | length of signature data to use |
[in] | verify_buf | Buffer containing data to verify |
[in] | key | key data to use |
[in] | keylen | length of key data to use |
[in] | algo | Signing algorithm |
Definition at line 2021 of file dnssec_verify.c.
References LDNS_DSA, LDNS_DSA_NSEC3, LDNS_ECC_GOST, LDNS_ECDSAP256SHA256, LDNS_ECDSAP384SHA384, LDNS_ED25519, LDNS_ED448, LDNS_RSAMD5, LDNS_RSASHA1, LDNS_RSASHA1_NSEC3, LDNS_RSASHA256, LDNS_RSASHA512, LDNS_STATUS_CRYPTO_UNKNOWN_ALGO, ldns_verify_rrsig_dsa_raw(), ldns_verify_rrsig_rsamd5_raw(), ldns_verify_rrsig_rsasha1_raw(), ldns_verify_rrsig_rsasha256_raw(), and ldns_verify_rrsig_rsasha512_raw().
ldns_status ldns_verify_rrsig_keylist | ( | ldns_rr_list * | rrset, |
ldns_rr * | rrsig, | ||
const ldns_rr_list * | keys, | ||
ldns_rr_list * | good_keys | ||
) |
Verifies an rrsig.
All keys in the keyset are tried.
[in] | rrset | the rrset to check |
[in] | rrsig | the signature of the rrset |
[in] | keys | the keys to try |
[out] | good_keys | if this is an (initialized) list, pointers to the keys from keys that validate one of the signatures are added to it |
Definition at line 2442 of file dnssec_verify.c.
References ldns_verify_rrsig_keylist_time().
ldns_status ldns_verify_rrsig_keylist_time | ( | const ldns_rr_list * | rrset, |
const ldns_rr * | rrsig, | ||
const ldns_rr_list * | keys, | ||
time_t | check_time, | ||
ldns_rr_list * | good_keys | ||
) |
Verifies an rrsig.
All keys in the keyset are tried.
[in] | rrset | the rrset to check |
[in] | rrsig | the signature of the rrset |
[in] | keys | the keys to try |
[in] | check_time | the time for which the validation is performed |
[out] | good_keys | if this is an (initialized) list, pointers to the keys from keys that validate one of the signatures are added to it |
Definition at line 2398 of file dnssec_verify.c.
References ldns_rr_list_cat(), ldns_rr_list_free(), ldns_rr_list_new(), LDNS_STATUS_MEM_ERR, LDNS_STATUS_OK, and ldns_verify_rrsig_keylist_notime().
ldns_status ldns_verify_rrsig_keylist_notime | ( | const ldns_rr_list * | rrset, |
const ldns_rr * | rrsig, | ||
const ldns_rr_list * | keys, | ||
ldns_rr_list * | good_keys | ||
) |
Verifies an rrsig.
All keys in the keyset are tried. The signature's validity period (inception/expiration time) is not checked.
[in] | rrset | the rrset to check |
[in] | rrsig | the signature of the rrset |
[in] | keys | the keys to try |
[out] | good_keys | if this is an (initialized) list, pointers to the keys from keys that validate one of the signatures are added to it |
Definition at line 2452 of file dnssec_verify.c.
References ldns_buffer_free(), ldns_buffer_new(), LDNS_MAX_PACKETLEN, ldns_rr_list_cat(), ldns_rr_list_clone(), ldns_rr_list_deep_free(), ldns_rr_list_free(), ldns_rr_list_new(), ldns_rr_list_push_rr(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), LDNS_STATUS_CRYPTO_NO_MATCHING_KEYTAG_DNSKEY, LDNS_STATUS_ERR, LDNS_STATUS_MEM_ERR, and LDNS_STATUS_OK.
ldns_status ldns_verify_rrsig | ( | ldns_rr_list * | rrset, |
ldns_rr * | rrsig, | ||
ldns_rr * | key | ||
) |
Verifies an rrsig with one key.
[in] | rrset | the rrset |
[in] | rrsig | the rrsig to verify |
[in] | key | the key to use |
Definition at line 2579 of file dnssec_verify.c.
References ldns_verify_rrsig_time().
ldns_status ldns_verify_rrsig_time | ( | ldns_rr_list * | rrset, |
ldns_rr * | rrsig, | ||
ldns_rr * | key, | ||
time_t | check_time | ||
) |
Verifies an rrsig with one key.
[in] | rrset | the rrset |
[in] | rrsig | the rrsig to verify |
[in] | key | the key to use |
[in] | check_time | the time for which the validation is performed |
Definition at line 2536 of file dnssec_verify.c.
References ldns_buffer_free(), ldns_buffer_new(), LDNS_MAX_PACKETLEN, ldns_rr_list_clone(), ldns_rr_list_deep_free(), LDNS_STATUS_NO_DATA, and LDNS_STATUS_OK.
ldns_status ldns_verify_rrsig_evp | ( | ldns_buffer * | sig, |
ldns_buffer * | rrset, | ||
EVP_PKEY * | key, | ||
const EVP_MD * | digest_type | ||
) |
Verifies a buffer with signature data against a buffer with rrset data, using an EVP_PKEY.
[in] | sig | the signature data |
[in] | rrset | the rrset data, sorted and processed for verification |
[in] | key | the EVP key structure |
[in] | digest_type | The digest type of the signature |
Definition at line 2586 of file dnssec_verify.c.
References ldns_verify_rrsig_evp_raw().
ldns_status ldns_verify_rrsig_evp_raw | ( | const unsigned char * | sig, |
size_t | siglen, | ||
const ldns_buffer * | rrset, | ||
EVP_PKEY * | key, | ||
const EVP_MD * | digest_type | ||
) |
Like ldns_verify_rrsig_evp, but uses raw signature data.
[in] | sig | the signature data, wireformat uncompressed |
[in] | siglen | length of the signature data |
[in] | rrset | the rrset data, sorted and processed for verification |
[in] | key | the EVP key structure |
[in] | digest_type | The digest type of the signature |
Definition at line 2600 of file dnssec_verify.c.
References LDNS_STATUS_CRYPTO_BOGUS, LDNS_STATUS_MEM_ERR, LDNS_STATUS_OK, and LDNS_STATUS_SSL_ERR.
ldns_status ldns_verify_rrsig_dsa | ( | ldns_buffer * | sig, |
ldns_buffer * | rrset, | ||
ldns_buffer * | key | ||
) |
Verifies a buffer with signature data (DSA) against a buffer with rrset data, using a buffer with key data.
[in] | sig | the signature data |
[in] | rrset | the rrset data, sorted and processed for verification |
[in] | key | the key data |
Definition at line 2649 of file dnssec_verify.c.
References ldns_verify_rrsig_dsa_raw().
ldns_status ldns_verify_rrsig_rsasha1 | ( | ldns_buffer * | sig, |
ldns_buffer * | rrset, | ||
ldns_buffer * | key | ||
) |
Verifies a buffer with signature data (RSASHA1) against a buffer with rrset data, using a buffer with key data.
[in] | sig | the signature data |
[in] | rrset | the rrset data, sorted and processed for verification |
[in] | key | the key data |
Definition at line 2660 of file dnssec_verify.c.
References ldns_verify_rrsig_rsasha1_raw().
ldns_status ldns_verify_rrsig_rsamd5 | ( | ldns_buffer * | sig, |
ldns_buffer * | rrset, | ||
ldns_buffer * | key | ||
) |
Verifies a buffer with signature data (RSAMD5) against a buffer with rrset data, using a buffer with key data.
[in] | sig | the signature data |
[in] | rrset | the rrset data, sorted and processed for verification |
[in] | key | the key data |
Definition at line 2671 of file dnssec_verify.c.
References ldns_verify_rrsig_rsamd5_raw().
ldns_status ldns_verify_rrsig_dsa_raw | ( | unsigned char * | sig, |
size_t | siglen, | ||
ldns_buffer * | rrset, | ||
unsigned char * | key, | ||
size_t | keylen | ||
) |
Like ldns_verify_rrsig_dsa, but uses raw signature and key data.
[in] | sig | raw uncompressed wireformat signature data |
[in] | siglen | length of signature data |
[in] | rrset | ldns buffer with prepared rrset data. |
[in] | key | raw uncompressed wireformat key data |
[in] | keylen | length of key data |
Definition at line 2682 of file dnssec_verify.c.
References ldns_key_buf2dsa_raw(), LDNS_STATUS_CRYPTO_ALGO_NOT_IMPL, LDNS_STATUS_SSL_ERR, and ldns_verify_rrsig_evp_raw().
ldns_status ldns_verify_rrsig_rsasha1_raw | ( | unsigned char * | sig, |
size_t | siglen, | ||
ldns_buffer * | rrset, | ||
unsigned char * | key, | ||
size_t | keylen | ||
) |
Like ldns_verify_rrsig_rsasha1, but uses raw signature and key data.
[in] | sig | raw uncompressed wireformat signature data |
[in] | siglen | length of signature data |
[in] | rrset | ldns buffer with prepared rrset data. |
[in] | key | raw uncompressed wireformat key data |
[in] | keylen | length of key data |
Definition at line 2713 of file dnssec_verify.c.
References ldns_key_buf2rsa_raw(), LDNS_STATUS_SSL_ERR, and ldns_verify_rrsig_evp_raw().
ldns_status ldns_verify_rrsig_rsasha256_raw | ( | unsigned char * | sig, |
size_t | siglen, | ||
ldns_buffer * | rrset, | ||
unsigned char * | key, | ||
size_t | keylen | ||
) |
Like ldns_verify_rrsig_rsasha256, but uses raw signature and key data.
[in] | sig | raw uncompressed wireformat signature data |
[in] | siglen | length of signature data |
[in] | rrset | ldns buffer with prepared rrset data. |
[in] | key | raw uncompressed wireformat key data |
[in] | keylen | length of key data |
Definition at line 2735 of file dnssec_verify.c.
References ldns_key_buf2rsa_raw(), LDNS_STATUS_CRYPTO_UNKNOWN_ALGO, LDNS_STATUS_SSL_ERR, and ldns_verify_rrsig_evp_raw().
ldns_status ldns_verify_rrsig_rsasha512_raw | ( | unsigned char * | sig, |
size_t | siglen, | ||
ldns_buffer * | rrset, | ||
unsigned char * | key, | ||
size_t | keylen | ||
) |
Like ldns_verify_rrsig_rsasha512, but uses raw signature and key data.
[in] | sig | raw uncompressed wireformat signature data |
[in] | siglen | length of signature data |
[in] | rrset | ldns buffer with prepared rrset data. |
[in] | key | raw uncompressed wireformat key data |
[in] | keylen | length of key data |
Definition at line 2770 of file dnssec_verify.c.
References ldns_key_buf2rsa_raw(), LDNS_STATUS_CRYPTO_UNKNOWN_ALGO, LDNS_STATUS_SSL_ERR, and ldns_verify_rrsig_evp_raw().
ldns_status ldns_verify_rrsig_rsamd5_raw | ( | unsigned char * | sig, |
size_t | siglen, | ||
ldns_buffer * | rrset, | ||
unsigned char * | key, | ||
size_t | keylen | ||
) |
Like ldns_verify_rrsig_rsamd5, but uses raw signature and key data.
[in] | sig | raw uncompressed wireformat signature data |
[in] | siglen | length of signature data |
[in] | rrset | ldns buffer with prepared rrset data. |
[in] | key | raw uncompressed wireformat key data |
[in] | keylen | length of key data |
Definition at line 2806 of file dnssec_verify.c.
References ldns_key_buf2rsa_raw(), LDNS_STATUS_SSL_ERR, and ldns_verify_rrsig_evp_raw().