ldns  1.7.0
dnssec_verify.c
Go to the documentation of this file.
1 #include <ldns/config.h>
2 
3 #include <ldns/ldns.h>
4 
5 #include <strings.h>
6 #include <time.h>
7 
8 #ifdef HAVE_SSL
9 /* this entire file is rather useless when you don't have
10  * crypto...
11  */
12 #include <openssl/ssl.h>
13 #include <openssl/evp.h>
14 #include <openssl/rand.h>
15 #include <openssl/err.h>
16 #include <openssl/md5.h>
17 
20 {
22  if(!nc) return NULL;
23  /*
24  * not needed anymore because CALLOC initalizes everything to zero.
25 
26  nc->rrset = NULL;
27  nc->parent_type = 0;
28  nc->parent = NULL;
29  nc->signatures = NULL;
30  nc->packet_rcode = 0;
31  nc->packet_qtype = 0;
32  nc->packet_nodata = false;
33 
34  */
35  return nc;
36 }
37 
38 void
40 {
41  LDNS_FREE(chain);
42 }
43 
44 void
46 {
49  if (chain->parent) {
51  }
52  LDNS_FREE(chain);
53 }
54 
55 void
57  const ldns_dnssec_data_chain *chain)
58 {
59  ldns_lookup_table *rcode;
60  const ldns_rr_descriptor *rr_descriptor;
61  if (chain) {
62  ldns_dnssec_data_chain_print_fmt(out, fmt, chain->parent);
63  if (ldns_rr_list_rr_count(chain->rrset) > 0) {
65  (int) chain->packet_rcode);
66  if (rcode) {
67  fprintf(out, ";; rcode: %s\n", rcode->name);
68  }
69 
70  rr_descriptor = ldns_rr_descript(chain->packet_qtype);
71  if (rr_descriptor && rr_descriptor->_name) {
72  fprintf(out, ";; qtype: %s\n", rr_descriptor->_name);
73  } else if (chain->packet_qtype != 0) {
74  fprintf(out, "TYPE%u",
75  chain->packet_qtype);
76  }
77  if (chain->packet_nodata) {
78  fprintf(out, ";; NODATA response\n");
79  }
80  fprintf(out, "rrset:\n");
81  ldns_rr_list_print_fmt(out, fmt, chain->rrset);
82  fprintf(out, "sigs:\n");
83  ldns_rr_list_print_fmt(out, fmt, chain->signatures);
84  fprintf(out, "---\n");
85  } else {
86  fprintf(out, "<no data>\n");
87  }
88  }
89 }
90 void
92 {
94  out, ldns_output_format_default, chain);
95 }
96 
97 
98 static void
99 ldns_dnssec_build_data_chain_dnskey(ldns_resolver *res,
100  uint16_t qflags,
101  const ldns_pkt *pkt,
102  ldns_rr_list *signatures,
103  ldns_dnssec_data_chain *new_chain,
104  ldns_rdf *key_name,
105  ldns_rr_class c) {
106  ldns_rr_list *keys;
107  ldns_pkt *my_pkt;
108  if (signatures && ldns_rr_list_rr_count(signatures) > 0) {
109  new_chain->signatures = ldns_rr_list_clone(signatures);
110  new_chain->parent_type = 0;
111 
113  pkt,
114  key_name,
117  );
118  if (!keys) {
119  my_pkt = ldns_resolver_query(res,
120  key_name,
122  c,
123  qflags);
124  if (my_pkt) {
126  my_pkt,
127  key_name,
130  );
131  new_chain->parent = ldns_dnssec_build_data_chain(res,
132  qflags,
133  keys,
134  my_pkt,
135  NULL);
137  ldns_pkt_free(my_pkt);
138  }
139  } else {
140  new_chain->parent = ldns_dnssec_build_data_chain(res,
141  qflags,
142  keys,
143  pkt,
144  NULL);
146  }
148  }
149 }
150 
151 static void
152 ldns_dnssec_build_data_chain_other(ldns_resolver *res,
153  uint16_t qflags,
154  ldns_dnssec_data_chain *new_chain,
155  ldns_rdf *key_name,
156  ldns_rr_class c,
157  ldns_rr_list *dss)
158 {
159  /* 'self-signed', parent is a DS */
160 
161  /* okay, either we have other keys signing the current one,
162  * or the current
163  * one should have a DS record in the parent zone.
164  * How do we find this out? Try both?
165  *
166  * request DNSKEYS for current zone,
167  * add all signatures to current level
168  */
169  ldns_pkt *my_pkt;
170  ldns_rr_list *signatures2;
171 
172  new_chain->parent_type = 1;
173 
174  my_pkt = ldns_resolver_query(res,
175  key_name,
177  c,
178  qflags);
179  if (my_pkt) {
181  key_name,
184  );
185  if (dss) {
186  new_chain->parent = ldns_dnssec_build_data_chain(res,
187  qflags,
188  dss,
189  my_pkt,
190  NULL);
191  new_chain->parent->packet_qtype = LDNS_RR_TYPE_DS;
193  }
194  ldns_pkt_free(my_pkt);
195  }
196 
197  my_pkt = ldns_resolver_query(res,
198  key_name,
200  c,
201  qflags);
202  if (my_pkt) {
203  signatures2 = ldns_pkt_rr_list_by_name_and_type(my_pkt,
204  key_name,
207  if (signatures2) {
208  if (new_chain->signatures) {
209  printf("There were already sigs!\n");
211  printf("replacing the old sigs\n");
212  }
213  new_chain->signatures = signatures2;
214  }
215  ldns_pkt_free(my_pkt);
216  }
217 }
218 
219 static ldns_dnssec_data_chain *
220 ldns_dnssec_build_data_chain_nokeyname(ldns_resolver *res,
221  uint16_t qflags,
222  ldns_rr *orig_rr,
223  const ldns_rr_list *rrset,
224  ldns_dnssec_data_chain *new_chain)
225 {
226  ldns_rdf *possible_parent_name;
227  ldns_pkt *my_pkt;
228  /* apparently we were not able to find a signing key, so
229  we assume the chain ends here
230  */
231  /* try parents for auth denial of DS */
232  if (orig_rr) {
233  possible_parent_name = ldns_rr_owner(orig_rr);
234  } else if (rrset && ldns_rr_list_rr_count(rrset) > 0) {
235  possible_parent_name = ldns_rr_owner(ldns_rr_list_rr(rrset, 0));
236  } else {
237  /* no information to go on, give up */
238  return new_chain;
239  }
240 
241  my_pkt = ldns_resolver_query(res,
242  possible_parent_name,
245  qflags);
246  if (!my_pkt) {
247  return new_chain;
248  }
249 
250  if (ldns_pkt_ancount(my_pkt) > 0) {
251  /* add error, no sigs but DS in parent */
252  /*ldns_pkt_print(stdout, my_pkt);*/
253  ldns_pkt_free(my_pkt);
254  } else {
255  /* are there signatures? */
256  new_chain->parent = ldns_dnssec_build_data_chain(res,
257  qflags,
258  NULL,
259  my_pkt,
260  NULL);
261 
262  new_chain->parent->packet_qtype = LDNS_RR_TYPE_DS;
263 
264  }
265  return new_chain;
266 }
267 
268 
271  uint16_t qflags,
272  const ldns_rr_list *rrset,
273  const ldns_pkt *pkt,
274  ldns_rr *orig_rr)
275 {
276  ldns_rr_list *signatures = NULL;
277  ldns_rr_list *dss = NULL;
278 
279  ldns_rr_list *my_rrset;
280 
281  ldns_pkt *my_pkt;
282 
283  ldns_rdf *name = NULL, *key_name = NULL;
284  ldns_rr_type type = 0;
285  ldns_rr_class c = 0;
286 
287  bool other_rrset = false;
288 
290 
291  assert(pkt != NULL);
292 
293  if (!ldns_dnssec_pkt_has_rrsigs(pkt)) {
294  /* hmm. no dnssec data in the packet. go up to try and deny
295  * DS? */
296  return new_chain;
297  }
298 
299  if (orig_rr) {
300  new_chain->rrset = ldns_rr_list_new();
301  ldns_rr_list_push_rr(new_chain->rrset, orig_rr);
302  new_chain->parent = ldns_dnssec_build_data_chain(res,
303  qflags,
304  rrset,
305  pkt,
306  NULL);
307  new_chain->packet_rcode = ldns_pkt_get_rcode(pkt);
308  new_chain->packet_qtype = ldns_rr_get_type(orig_rr);
309  if (ldns_pkt_ancount(pkt) == 0) {
310  new_chain->packet_nodata = true;
311  }
312  return new_chain;
313  }
314 
315  if (!rrset || ldns_rr_list_rr_count(rrset) < 1) {
316  /* hmm, no data, do we have denial? only works if pkt was given,
317  otherwise caller has to do the check himself */
318  new_chain->packet_nodata = true;
319  if (pkt) {
320  my_rrset = ldns_pkt_rr_list_by_type(pkt,
323  );
324  if (my_rrset) {
325  if (ldns_rr_list_rr_count(my_rrset) > 0) {
326  type = LDNS_RR_TYPE_NSEC;
327  other_rrset = true;
328  } else {
329  ldns_rr_list_deep_free(my_rrset);
330  my_rrset = NULL;
331  }
332  } else {
333  /* nothing, try nsec3 */
334  my_rrset = ldns_pkt_rr_list_by_type(pkt,
337  if (my_rrset) {
338  if (ldns_rr_list_rr_count(my_rrset) > 0) {
339  type = LDNS_RR_TYPE_NSEC3;
340  other_rrset = true;
341  } else {
342  ldns_rr_list_deep_free(my_rrset);
343  my_rrset = NULL;
344  }
345  } else {
346  /* nothing, stop */
347  /* try parent zone? for denied insecure? */
348  return new_chain;
349  }
350  }
351  } else {
352  return new_chain;
353  }
354  } else {
355  my_rrset = (ldns_rr_list *) rrset;
356  }
357 
358  if (my_rrset && ldns_rr_list_rr_count(my_rrset) > 0) {
359  new_chain->rrset = ldns_rr_list_clone(my_rrset);
360  name = ldns_rr_owner(ldns_rr_list_rr(my_rrset, 0));
361  type = ldns_rr_get_type(ldns_rr_list_rr(my_rrset, 0));
362  c = ldns_rr_get_class(ldns_rr_list_rr(my_rrset, 0));
363  }
364 
365  if (other_rrset) {
366  ldns_rr_list_deep_free(my_rrset);
367  }
368 
369  /* normally there will only be 1 signature 'set'
370  but there can be more than 1 denial (wildcards)
371  so check for NSEC
372  */
373  if (type == LDNS_RR_TYPE_NSEC || type == LDNS_RR_TYPE_NSEC3) {
374  /* just throw in all signatures, the tree builder must sort
375  this out */
376  if (pkt) {
377  signatures = ldns_dnssec_pkt_get_rrsigs_for_type(pkt, type);
378  } else {
379  my_pkt = ldns_resolver_query(res, name, type, c, qflags);
380  if (my_pkt) {
381  signatures = ldns_dnssec_pkt_get_rrsigs_for_type(pkt, type);
382  ldns_pkt_free(my_pkt);
383  }
384  }
385  } else {
386  if (pkt) {
387  signatures =
389  name,
390  type);
391  }
392  if (!signatures) {
393  my_pkt = ldns_resolver_query(res, name, type, c, qflags);
394  if (my_pkt) {
395  signatures =
397  name,
398  type);
399  ldns_pkt_free(my_pkt);
400  }
401  }
402  }
403 
404  if (signatures && ldns_rr_list_rr_count(signatures) > 0) {
405  key_name = ldns_rr_rdf(ldns_rr_list_rr(signatures, 0), 7);
406  }
407  if (!key_name) {
408  if (signatures) {
409  ldns_rr_list_deep_free(signatures);
410  }
411  return ldns_dnssec_build_data_chain_nokeyname(res,
412  qflags,
413  orig_rr,
414  rrset,
415  new_chain);
416  }
417  if (type != LDNS_RR_TYPE_DNSKEY) {
418  if (type != LDNS_RR_TYPE_DS ||
419  ldns_dname_is_subdomain(name, key_name)) {
420  ldns_dnssec_build_data_chain_dnskey(res,
421  qflags,
422  pkt,
423  signatures,
424  new_chain,
425  key_name,
426  c
427  );
428  }
429  } else {
430  ldns_dnssec_build_data_chain_other(res,
431  qflags,
432  new_chain,
433  key_name,
434  c,
435  dss
436  );
437  }
438  if (signatures) {
439  ldns_rr_list_deep_free(signatures);
440  }
441  return new_chain;
442 }
443 
446 {
448  1);
449  if(!new_tree) return NULL;
450  new_tree->rr = NULL;
451  new_tree->rrset = NULL;
452  new_tree->parent_count = 0;
453 
454  return new_tree;
455 }
456 
457 void
459 {
460  size_t i;
461  if (tree) {
462  for (i = 0; i < tree->parent_count; i++) {
464  }
465  }
466  LDNS_FREE(tree);
467 }
468 
469 size_t
471 {
472  size_t result = 0;
473  size_t parent = 0;
474  size_t i;
475 
476  for (i = 0; i < tree->parent_count; i++) {
477  parent = ldns_dnssec_trust_tree_depth(tree->parents[i]);
478  if (parent > result) {
479  result = parent;
480  }
481  }
482  return 1 + result;
483 }
484 
485 /* TODO ldns_ */
486 static void
487 print_tabs(FILE *out, size_t nr, uint8_t *map, size_t treedepth)
488 {
489  size_t i;
490  for (i = 0; i < nr; i++) {
491  if (i == nr - 1) {
492  fprintf(out, "|---");
493  } else if (map && i < treedepth && map[i] == 1) {
494  fprintf(out, "| ");
495  } else {
496  fprintf(out, " ");
497  }
498  }
499 }
500 
501 static void
502 ldns_dnssec_trust_tree_print_sm_fmt(FILE *out,
503  const ldns_output_format *fmt,
505  size_t tabs,
506  bool extended,
507  uint8_t *sibmap,
508  size_t treedepth)
509 {
510  size_t i;
511  const ldns_rr_descriptor *descriptor;
512  bool mapset = false;
513 
514  if (!sibmap) {
515  treedepth = ldns_dnssec_trust_tree_depth(tree);
516  sibmap = LDNS_XMALLOC(uint8_t, treedepth);
517  if(!sibmap)
518  return; /* mem err */
519  memset(sibmap, 0, treedepth);
520  mapset = true;
521  }
522 
523  if (tree) {
524  if (tree->rr) {
525  print_tabs(out, tabs, sibmap, treedepth);
526  ldns_rdf_print(out, ldns_rr_owner(tree->rr));
527  descriptor = ldns_rr_descript(ldns_rr_get_type(tree->rr));
528 
529  if (descriptor->_name) {
530  fprintf(out, " (%s", descriptor->_name);
531  } else {
532  fprintf(out, " (TYPE%d",
533  ldns_rr_get_type(tree->rr));
534  }
535  if (tabs > 0) {
536  if (ldns_rr_get_type(tree->rr) == LDNS_RR_TYPE_DNSKEY) {
537  fprintf(out, " keytag: %u",
538  (unsigned int) ldns_calc_keytag(tree->rr));
539  fprintf(out, " alg: ");
540  ldns_rdf_print(out, ldns_rr_rdf(tree->rr, 2));
541  fprintf(out, " flags: ");
542  ldns_rdf_print(out, ldns_rr_rdf(tree->rr, 0));
543  } else if (ldns_rr_get_type(tree->rr) == LDNS_RR_TYPE_DS) {
544  fprintf(out, " keytag: ");
545  ldns_rdf_print(out, ldns_rr_rdf(tree->rr, 0));
546  fprintf(out, " digest type: ");
547  ldns_rdf_print(out, ldns_rr_rdf(tree->rr, 2));
548  }
549  if (ldns_rr_get_type(tree->rr) == LDNS_RR_TYPE_NSEC) {
550  fprintf(out, " ");
551  ldns_rdf_print(out, ldns_rr_rdf(tree->rr, 0));
552  fprintf(out, " ");
553  ldns_rdf_print(out, ldns_rr_rdf(tree->rr, 1));
554  }
555  }
556 
557  fprintf(out, ")\n");
558  for (i = 0; i < tree->parent_count; i++) {
559  if (tree->parent_count > 1 && i < tree->parent_count - 1) {
560  sibmap[tabs] = 1;
561  } else {
562  sibmap[tabs] = 0;
563  }
564  /* only print errors */
565  if (ldns_rr_get_type(tree->parents[i]->rr) ==
567  ldns_rr_get_type(tree->parents[i]->rr) ==
569  if (tree->parent_status[i] == LDNS_STATUS_OK) {
570  print_tabs(out, tabs + 1, sibmap, treedepth);
571  if (tabs == 0 &&
572  ldns_rr_get_type(tree->rr) == LDNS_RR_TYPE_NS &&
573  ldns_rr_rd_count(tree->rr) > 0) {
574  fprintf(out, "Existence of DS is denied by:\n");
575  } else {
576  fprintf(out, "Existence is denied by:\n");
577  }
578  } else {
579  /* NS records aren't signed */
580  if (ldns_rr_get_type(tree->rr) == LDNS_RR_TYPE_NS) {
581  fprintf(out, "Existence of DS is denied by:\n");
582  } else {
583  print_tabs(out, tabs + 1, sibmap, treedepth);
584  fprintf(out,
585  "Error in denial of existence: %s\n",
587  tree->parent_status[i]));
588  }
589  }
590  } else
591  if (tree->parent_status[i] != LDNS_STATUS_OK) {
592  print_tabs(out, tabs + 1, sibmap, treedepth);
593  fprintf(out,
594  "%s:\n",
596  tree->parent_status[i]));
597  if (tree->parent_status[i]
598  == LDNS_STATUS_SSL_ERR) {
599  printf("; SSL Error: ");
600 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(HAVE_LIBRESSL)
601  ERR_load_crypto_strings();
602 #endif
603  ERR_print_errors_fp(stdout);
604  printf("\n");
605  }
606  ldns_rr_print_fmt(out, fmt,
607  tree->
608  parent_signature[i]);
609  printf("For RRset:\n");
610  ldns_rr_list_print_fmt(out, fmt,
611  tree->rrset);
612  printf("With key:\n");
613  ldns_rr_print_fmt(out, fmt,
614  tree->parents[i]->rr);
615  }
616  ldns_dnssec_trust_tree_print_sm_fmt(out, fmt,
617  tree->parents[i],
618  tabs+1,
619  extended,
620  sibmap,
621  treedepth);
622  }
623  } else {
624  print_tabs(out, tabs, sibmap, treedepth);
625  fprintf(out, "<no data>\n");
626  }
627  } else {
628  fprintf(out, "<null pointer>\n");
629  }
630 
631  if (mapset) {
632  LDNS_FREE(sibmap);
633  }
634 }
635 
636 void
639  size_t tabs,
640  bool extended)
641 {
642  ldns_dnssec_trust_tree_print_sm_fmt(out, fmt,
643  tree, tabs, extended, NULL, 0);
644 }
645 
646 void
649  size_t tabs,
650  bool extended)
651 {
653  tree, tabs, extended);
654 }
655 
656 
659  const ldns_dnssec_trust_tree *parent,
660  const ldns_rr *signature,
661  const ldns_status parent_status)
662 {
663  if (tree
664  && parent
666  /*
667  printf("Add parent for: ");
668  ldns_rr_print(stdout, tree->rr);
669  printf("parent: ");
670  ldns_rr_print(stdout, parent->rr);
671  */
672  tree->parents[tree->parent_count] =
673  (ldns_dnssec_trust_tree *) parent;
674  tree->parent_status[tree->parent_count] = parent_status;
675  tree->parent_signature[tree->parent_count] = (ldns_rr *) signature;
676  tree->parent_count++;
677  return LDNS_STATUS_OK;
678  } else {
679  return LDNS_STATUS_ERR;
680  }
681 }
682 
683 /* if rr is null, take the first from the rrset */
686  ldns_dnssec_data_chain *data_chain,
687  ldns_rr *rr,
688  time_t check_time
689  )
690 {
691  ldns_rr_list *cur_rrset;
692  ldns_rr_list *cur_sigs;
693  ldns_rr *cur_rr = NULL;
694  ldns_rr *cur_sig_rr;
695  size_t i, j;
696 
698  if(!new_tree)
699  return NULL;
700 
701  if (data_chain && data_chain->rrset) {
702  cur_rrset = data_chain->rrset;
703 
704  cur_sigs = data_chain->signatures;
705 
706  if (rr) {
707  cur_rr = rr;
708  }
709 
710  if (!cur_rr && ldns_rr_list_rr_count(cur_rrset) > 0) {
711  cur_rr = ldns_rr_list_rr(cur_rrset, 0);
712  }
713 
714  if (cur_rr) {
715  new_tree->rr = cur_rr;
716  new_tree->rrset = cur_rrset;
717  /* there are three possibilities:
718  1 - 'normal' rrset, signed by a key
719  2 - dnskey signed by other dnskey
720  3 - dnskey proven by higher level DS
721  (data denied by nsec is a special case that can
722  occur in multiple places)
723 
724  */
725  if (cur_sigs) {
726  for (i = 0; i < ldns_rr_list_rr_count(cur_sigs); i++) {
727  /* find the appropriate key in the parent list */
728  cur_sig_rr = ldns_rr_list_rr(cur_sigs, i);
729 
730  if (ldns_rr_get_type(cur_rr) == LDNS_RR_TYPE_NSEC) {
731  if (ldns_dname_compare(ldns_rr_owner(cur_sig_rr),
732  ldns_rr_owner(cur_rr)))
733  {
734  /* find first that does match */
735 
736  for (j = 0;
737  j < ldns_rr_list_rr_count(cur_rrset) &&
738  ldns_dname_compare(ldns_rr_owner(cur_sig_rr),ldns_rr_owner(cur_rr)) != 0;
739  j++) {
740  cur_rr = ldns_rr_list_rr(cur_rrset, j);
741 
742  }
743  if (ldns_dname_compare(ldns_rr_owner(cur_sig_rr),
744  ldns_rr_owner(cur_rr)))
745  {
746  break;
747  }
748  }
749 
750  }
751  /* option 1 */
752  if (data_chain->parent) {
754  new_tree,
755  data_chain,
756  cur_sig_rr,
757  check_time);
758  }
759 
760  /* option 2 */
762  new_tree,
763  data_chain,
764  cur_rr,
765  cur_sig_rr,
766  check_time);
767  }
768 
770  new_tree, data_chain,
771  cur_rr, check_time);
772  } else {
773  /* no signatures? maybe it's nsec data */
774 
775  /* just add every rr from parent as new parent */
777  new_tree, data_chain, check_time);
778  }
779  }
780  }
781 
782  return new_tree;
783 }
784 
787 {
788  return ldns_dnssec_derive_trust_tree_time(data_chain, rr, ldns_time(NULL));
789 }
790 
791 void
793  ldns_dnssec_trust_tree *new_tree,
794  ldns_dnssec_data_chain *data_chain,
795  ldns_rr *cur_sig_rr,
796  time_t check_time)
797 {
798  size_t i, j;
799  ldns_rr_list *cur_rrset = ldns_rr_list_clone(data_chain->rrset);
800  ldns_dnssec_trust_tree *cur_parent_tree;
801  ldns_rr *cur_parent_rr;
802  uint16_t cur_keytag;
803  ldns_rr_list *tmp_rrset = NULL;
804  ldns_status cur_status;
805 
806  cur_keytag = ldns_rdf2native_int16(ldns_rr_rrsig_keytag(cur_sig_rr));
807 
808  for (j = 0; j < ldns_rr_list_rr_count(data_chain->parent->rrset); j++) {
809  cur_parent_rr = ldns_rr_list_rr(data_chain->parent->rrset, j);
810  if (ldns_rr_get_type(cur_parent_rr) == LDNS_RR_TYPE_DNSKEY) {
811  if (ldns_calc_keytag(cur_parent_rr) == cur_keytag) {
812 
813  /* TODO: check wildcard nsec too */
814  if (cur_rrset && ldns_rr_list_rr_count(cur_rrset) > 0) {
815  tmp_rrset = cur_rrset;
816  if (ldns_rr_get_type(ldns_rr_list_rr(cur_rrset, 0))
817  == LDNS_RR_TYPE_NSEC ||
818  ldns_rr_get_type(ldns_rr_list_rr(cur_rrset, 0))
819  == LDNS_RR_TYPE_NSEC3) {
820  /* might contain different names!
821  sort and split */
822  ldns_rr_list_sort(cur_rrset);
823  assert(tmp_rrset == cur_rrset);
824  tmp_rrset = ldns_rr_list_pop_rrset(cur_rrset);
825 
826  /* with nsecs, this might be the wrong one */
827  while (tmp_rrset &&
828  ldns_rr_list_rr_count(cur_rrset) > 0 &&
831  tmp_rrset, 0)),
832  ldns_rr_owner(cur_sig_rr)) != 0) {
833  ldns_rr_list_deep_free(tmp_rrset);
834  tmp_rrset =
835  ldns_rr_list_pop_rrset(cur_rrset);
836  }
837  }
838  cur_status = ldns_verify_rrsig_time(
839  tmp_rrset,
840  cur_sig_rr,
841  cur_parent_rr,
842  check_time);
843  if (tmp_rrset && tmp_rrset != cur_rrset
844  ) {
846  tmp_rrset);
847  tmp_rrset = NULL;
848  }
849  /* avoid dupes */
850  for (i = 0; i < new_tree->parent_count; i++) {
851  if (cur_parent_rr == new_tree->parents[i]->rr) {
852  goto done;
853  }
854  }
855 
856  cur_parent_tree =
858  data_chain->parent,
859  cur_parent_rr,
860  check_time);
861  (void)ldns_dnssec_trust_tree_add_parent(new_tree,
862  cur_parent_tree,
863  cur_sig_rr,
864  cur_status);
865  }
866  }
867  }
868  }
869  done:
870  ldns_rr_list_deep_free(cur_rrset);
871 }
872 
873 void
875  ldns_dnssec_data_chain *data_chain,
876  ldns_rr *cur_sig_rr)
877 {
879  new_tree, data_chain, cur_sig_rr, ldns_time(NULL));
880 }
881 
882 void
884  ldns_dnssec_trust_tree *new_tree,
885  ldns_dnssec_data_chain *data_chain,
886  ldns_rr *cur_rr,
887  ldns_rr *cur_sig_rr,
888  time_t check_time)
889 {
890  size_t j;
891  ldns_rr_list *cur_rrset = data_chain->rrset;
892  ldns_dnssec_trust_tree *cur_parent_tree;
893  ldns_rr *cur_parent_rr;
894  uint16_t cur_keytag;
895  ldns_status cur_status;
896 
897  cur_keytag = ldns_rdf2native_int16(ldns_rr_rrsig_keytag(cur_sig_rr));
898 
899  for (j = 0; j < ldns_rr_list_rr_count(cur_rrset); j++) {
900  cur_parent_rr = ldns_rr_list_rr(cur_rrset, j);
901  if (cur_parent_rr != cur_rr &&
902  ldns_rr_get_type(cur_parent_rr) == LDNS_RR_TYPE_DNSKEY) {
903  if (ldns_calc_keytag(cur_parent_rr) == cur_keytag
904  ) {
905  cur_parent_tree = ldns_dnssec_trust_tree_new();
906  cur_parent_tree->rr = cur_parent_rr;
907  cur_parent_tree->rrset = cur_rrset;
908  cur_status = ldns_verify_rrsig_time(
909  cur_rrset, cur_sig_rr,
910  cur_parent_rr, check_time);
912  cur_parent_tree, cur_sig_rr, cur_status))
913  ldns_dnssec_trust_tree_free(cur_parent_tree);
914  }
915  }
916  }
917 }
918 
919 void
921  ldns_dnssec_data_chain *data_chain,
922  ldns_rr *cur_rr,
923  ldns_rr *cur_sig_rr)
924 {
926  new_tree, data_chain, cur_rr, cur_sig_rr, ldns_time(NULL));
927 }
928 
929 void
931  ldns_dnssec_trust_tree *new_tree,
932  ldns_dnssec_data_chain *data_chain,
933  ldns_rr *cur_rr,
934  time_t check_time)
935 {
936  size_t j, h;
937  ldns_rr_list *cur_rrset = data_chain->rrset;
938  ldns_dnssec_trust_tree *cur_parent_tree;
939  ldns_rr *cur_parent_rr;
940 
941  /* try the parent to see whether there are DSs there */
942  if (ldns_rr_get_type(cur_rr) == LDNS_RR_TYPE_DNSKEY &&
943  data_chain->parent &&
944  data_chain->parent->rrset
945  ) {
946  for (j = 0;
947  j < ldns_rr_list_rr_count(data_chain->parent->rrset);
948  j++) {
949  cur_parent_rr = ldns_rr_list_rr(data_chain->parent->rrset, j);
950  if (ldns_rr_get_type(cur_parent_rr) == LDNS_RR_TYPE_DS) {
951  for (h = 0; h < ldns_rr_list_rr_count(cur_rrset); h++) {
952  cur_rr = ldns_rr_list_rr(cur_rrset, h);
953  if (ldns_rr_compare_ds(cur_rr, cur_parent_rr)) {
954  cur_parent_tree =
956  data_chain->parent,
957  cur_parent_rr,
958  check_time);
960  new_tree,
961  cur_parent_tree,
962  NULL,
964  } else {
965  /*ldns_rr_print(stdout, cur_parent_rr);*/
966  }
967  }
968  }
969  }
970  }
971 }
972 
973 void
975  ldns_dnssec_data_chain *data_chain,
976  ldns_rr *cur_rr)
977 {
979  new_tree, data_chain, cur_rr, ldns_time(NULL));
980 }
981 
982 void
984  ldns_dnssec_trust_tree *new_tree,
985  ldns_dnssec_data_chain *data_chain,
986  time_t check_time)
987 {
988  size_t i;
989  ldns_rr_list *cur_rrset;
990  ldns_rr *cur_parent_rr;
991  ldns_dnssec_trust_tree *cur_parent_tree;
992  ldns_status result;
993 
994  if (data_chain->parent && data_chain->parent->rrset) {
995  cur_rrset = data_chain->parent->rrset;
996  /* nsec? */
997  if (cur_rrset && ldns_rr_list_rr_count(cur_rrset) > 0) {
998  if (ldns_rr_get_type(ldns_rr_list_rr(cur_rrset, 0)) ==
1001  new_tree->rr,
1002  cur_rrset,
1003  data_chain->parent->signatures,
1004  data_chain->packet_rcode,
1005  data_chain->packet_qtype,
1006  data_chain->packet_nodata);
1007  } else if (ldns_rr_get_type(ldns_rr_list_rr(cur_rrset, 0)) ==
1009  result = ldns_dnssec_verify_denial(
1010  new_tree->rr,
1011  cur_rrset,
1012  data_chain->parent->signatures);
1013  } else {
1014  /* unsigned zone, unsigned parent */
1015  result = LDNS_STATUS_OK;
1016  }
1017  } else {
1019  }
1020  for (i = 0; i < ldns_rr_list_rr_count(cur_rrset); i++) {
1021  cur_parent_rr = ldns_rr_list_rr(cur_rrset, i);
1022  cur_parent_tree =
1024  data_chain->parent,
1025  cur_parent_rr,
1026  check_time);
1027  if (ldns_dnssec_trust_tree_add_parent(new_tree,
1028  cur_parent_tree, NULL, result))
1029  ldns_dnssec_trust_tree_free(cur_parent_tree);
1030 
1031  }
1032  }
1033 }
1034 
1035 void
1037  ldns_dnssec_data_chain *data_chain)
1038 {
1040  new_tree, data_chain, ldns_time(NULL));
1041 }
1042 
1043 /*
1044  * returns OK if there is a path from tree to key with only OK
1045  * the (first) error in between otherwise
1046  * or NOT_FOUND if the key wasn't present at all
1047  */
1050  ldns_rr_list *trusted_keys)
1051 {
1052  size_t i;
1054  bool equal;
1055  ldns_status parent_result;
1056 
1057  if (tree && trusted_keys && ldns_rr_list_rr_count(trusted_keys) > 0)
1058  { if (tree->rr) {
1059  for (i = 0; i < ldns_rr_list_rr_count(trusted_keys); i++) {
1060  equal = ldns_rr_compare_ds(
1061  tree->rr,
1062  ldns_rr_list_rr(trusted_keys, i));
1063  if (equal) {
1064  result = LDNS_STATUS_OK;
1065  return result;
1066  }
1067  }
1068  }
1069  for (i = 0; i < tree->parent_count; i++) {
1070  parent_result =
1072  trusted_keys);
1073  if (parent_result != LDNS_STATUS_CRYPTO_NO_DNSKEY) {
1074  if (tree->parent_status[i] != LDNS_STATUS_OK) {
1075  result = tree->parent_status[i];
1076  } else {
1077  if (tree->rr &&
1078  ldns_rr_get_type(tree->rr)
1079  == LDNS_RR_TYPE_NSEC &&
1080  parent_result == LDNS_STATUS_OK
1081  ) {
1082  result =
1084  } else {
1085  result = parent_result;
1086  }
1087  }
1088  }
1089  }
1090  } else {
1091  result = LDNS_STATUS_ERR;
1092  }
1093 
1094  return result;
1095 }
1096 
1099  const ldns_rr_list *rrset,
1100  const ldns_rr_list *rrsig,
1101  const ldns_rr_list *keys,
1102  time_t check_time,
1103  ldns_rr_list *good_keys
1104  )
1105 {
1106  uint16_t i;
1107  ldns_status verify_result = LDNS_STATUS_ERR;
1108 
1109  if (!rrset || !rrsig || !keys) {
1110  return LDNS_STATUS_ERR;
1111  }
1112 
1113  if (ldns_rr_list_rr_count(rrset) < 1) {
1114  return LDNS_STATUS_ERR;
1115  }
1116 
1117  if (ldns_rr_list_rr_count(rrsig) < 1) {
1119  }
1120 
1121  if (ldns_rr_list_rr_count(keys) < 1) {
1122  verify_result = LDNS_STATUS_CRYPTO_NO_TRUSTED_DNSKEY;
1123  } else {
1124  for (i = 0; i < ldns_rr_list_rr_count(rrsig); i++) {
1126  rrset, ldns_rr_list_rr(rrsig, i),
1127  keys, check_time, good_keys);
1128  /* try a little to get more descriptive error */
1129  if(s == LDNS_STATUS_OK) {
1130  verify_result = LDNS_STATUS_OK;
1131  } else if(verify_result == LDNS_STATUS_ERR)
1132  verify_result = s;
1133  else if(s != LDNS_STATUS_ERR && verify_result ==
1135  verify_result = s;
1136  }
1137  }
1138  return verify_result;
1139 }
1140 
1142 ldns_verify(ldns_rr_list *rrset, ldns_rr_list *rrsig, const ldns_rr_list *keys,
1143  ldns_rr_list *good_keys)
1144 {
1145  return ldns_verify_time(rrset, rrsig, keys, ldns_time(NULL), good_keys);
1146 }
1147 
1150  const ldns_rr_list *keys, ldns_rr_list *good_keys)
1151 {
1152  uint16_t i;
1153  ldns_status verify_result = LDNS_STATUS_ERR;
1154 
1155  if (!rrset || !rrsig || !keys) {
1156  return LDNS_STATUS_ERR;
1157  }
1158 
1159  if (ldns_rr_list_rr_count(rrset) < 1) {
1160  return LDNS_STATUS_ERR;
1161  }
1162 
1163  if (ldns_rr_list_rr_count(rrsig) < 1) {
1165  }
1166 
1167  if (ldns_rr_list_rr_count(keys) < 1) {
1168  verify_result = LDNS_STATUS_CRYPTO_NO_TRUSTED_DNSKEY;
1169  } else {
1170  for (i = 0; i < ldns_rr_list_rr_count(rrsig); i++) {
1172  ldns_rr_list_rr(rrsig, i), keys, good_keys);
1173 
1174  /* try a little to get more descriptive error */
1175  if (s == LDNS_STATUS_OK) {
1176  verify_result = LDNS_STATUS_OK;
1177  } else if (verify_result == LDNS_STATUS_ERR) {
1178  verify_result = s;
1179  } else if (s != LDNS_STATUS_ERR && verify_result ==
1181  verify_result = s;
1182  }
1183  }
1184  }
1185  return verify_result;
1186 }
1187 
1188 ldns_rr_list *
1190  const ldns_rdf *domain,
1191  const ldns_rr_list *keys,
1192  time_t check_time,
1193  ldns_status *status)
1194 {
1195  ldns_rr_list * trusted_keys = NULL;
1196  ldns_rr_list * ds_keys = NULL;
1197  ldns_rdf * prev_parent_domain;
1198  ldns_rdf * parent_domain;
1199  ldns_rr_list * parent_keys = NULL;
1200 
1201  if (res && domain && keys) {
1202 
1203  if ((trusted_keys = ldns_validate_domain_dnskey_time(res,
1204  domain, keys, check_time))) {
1205  *status = LDNS_STATUS_OK;
1206  } else {
1207  /* No trusted keys in this domain, we'll have to find some in the parent domain */
1209 
1210  parent_domain = ldns_dname_left_chop(domain);
1211  while (parent_domain && /* Fail if we are at the root*/
1212  ldns_rdf_size(parent_domain) > 0) {
1213 
1214  if ((parent_keys =
1216  parent_domain,
1217  keys,
1218  check_time,
1219  status))) {
1220  /* Check DS records */
1221  if ((ds_keys =
1223  domain,
1224  parent_keys,
1225  check_time))) {
1226  trusted_keys =
1228  res,
1229  domain,
1230  ds_keys,
1231  check_time,
1232  status);
1233  ldns_rr_list_deep_free(ds_keys);
1234  } else {
1235  /* No valid DS at the parent -- fail */
1237  }
1238  ldns_rr_list_deep_free(parent_keys);
1239  break;
1240  } else {
1241  parent_domain = ldns_dname_left_chop((
1242  prev_parent_domain
1243  = parent_domain
1244  ));
1245  ldns_rdf_deep_free(prev_parent_domain);
1246  }
1247  }
1248  if (parent_domain) {
1249  ldns_rdf_deep_free(parent_domain);
1250  }
1251  }
1252  }
1253  return trusted_keys;
1254 }
1255 
1256 ldns_rr_list *
1258  const ldns_rdf *domain,
1259  const ldns_rr_list *keys,
1260  ldns_status *status)
1261 {
1263  res, domain, keys, ldns_time(NULL), status);
1264 }
1265 
1266 ldns_rr_list *
1268  const ldns_resolver * res,
1269  const ldns_rdf * domain,
1270  const ldns_rr_list * keys,
1271  time_t check_time
1272  )
1273 {
1274  ldns_pkt * keypkt;
1275  ldns_rr * cur_key;
1276  uint16_t key_i; uint16_t key_j; uint16_t key_k;
1277  uint16_t sig_i; ldns_rr * cur_sig;
1278 
1279  ldns_rr_list * domain_keys = NULL;
1280  ldns_rr_list * domain_sigs = NULL;
1281  ldns_rr_list * trusted_keys = NULL;
1282 
1283  /* Fetch keys for the domain */
1284  keypkt = ldns_resolver_query(res, domain,
1286  if (keypkt) {
1287  domain_keys = ldns_pkt_rr_list_by_type(keypkt,
1290  domain_sigs = ldns_pkt_rr_list_by_type(keypkt,
1293 
1294  /* Try to validate the record using our keys */
1295  for (key_i=0; key_i< ldns_rr_list_rr_count(domain_keys); key_i++) {
1296 
1297  cur_key = ldns_rr_list_rr(domain_keys, key_i);
1298  for (key_j=0; key_j<ldns_rr_list_rr_count(keys); key_j++) {
1299  if (ldns_rr_compare_ds(ldns_rr_list_rr(keys, key_j),
1300  cur_key)) {
1301 
1302  /* Current key is trusted -- validate */
1303  trusted_keys = ldns_rr_list_new();
1304 
1305  for (sig_i=0;
1306  sig_i<ldns_rr_list_rr_count(domain_sigs);
1307  sig_i++) {
1308  cur_sig = ldns_rr_list_rr(domain_sigs, sig_i);
1309  /* Avoid non-matching sigs */
1311  ldns_rr_rrsig_keytag(cur_sig))
1312  == ldns_calc_keytag(cur_key)) {
1314  domain_keys,
1315  cur_sig,
1316  cur_key,
1317  check_time)
1318  == LDNS_STATUS_OK) {
1319 
1320  /* Push the whole rrset
1321  -- we can't do much more */
1322  for (key_k=0;
1323  key_k<ldns_rr_list_rr_count(
1324  domain_keys);
1325  key_k++) {
1327  trusted_keys,
1328  ldns_rr_clone(
1330  domain_keys,
1331  key_k)));
1332  }
1333 
1334  ldns_rr_list_deep_free(domain_keys);
1335  ldns_rr_list_deep_free(domain_sigs);
1336  ldns_pkt_free(keypkt);
1337  return trusted_keys;
1338  }
1339  }
1340  }
1341 
1342  /* Only push our trusted key */
1343  ldns_rr_list_push_rr(trusted_keys,
1344  ldns_rr_clone(cur_key));
1345  }
1346  }
1347  }
1348 
1349  ldns_rr_list_deep_free(domain_keys);
1350  ldns_rr_list_deep_free(domain_sigs);
1351  ldns_pkt_free(keypkt);
1352 
1353  } else {
1354  /* LDNS_STATUS_CRYPTO_NO_DNSKEY */
1355  }
1356 
1357  return trusted_keys;
1358 }
1359 
1360 ldns_rr_list *
1362  const ldns_rdf * domain,
1363  const ldns_rr_list * keys)
1364 {
1366  res, domain, keys, ldns_time(NULL));
1367 }
1368 
1369 ldns_rr_list *
1371  const ldns_resolver *res,
1372  const ldns_rdf * domain,
1373  const ldns_rr_list * keys,
1374  time_t check_time)
1375 {
1376  ldns_pkt * dspkt;
1377  uint16_t key_i;
1378  ldns_rr_list * rrset = NULL;
1379  ldns_rr_list * sigs = NULL;
1380  ldns_rr_list * trusted_keys = NULL;
1381 
1382  /* Fetch DS for the domain */
1383  dspkt = ldns_resolver_query(res, domain,
1385  if (dspkt) {
1386  rrset = ldns_pkt_rr_list_by_type(dspkt,
1389  sigs = ldns_pkt_rr_list_by_type(dspkt,
1392 
1393  /* Validate sigs */
1394  if (ldns_verify_time(rrset, sigs, keys, check_time, NULL)
1395  == LDNS_STATUS_OK) {
1396  trusted_keys = ldns_rr_list_new();
1397  for (key_i=0; key_i<ldns_rr_list_rr_count(rrset); key_i++) {
1398  ldns_rr_list_push_rr(trusted_keys,
1400  key_i)
1401  )
1402  );
1403  }
1404  }
1405 
1406  ldns_rr_list_deep_free(rrset);
1407  ldns_rr_list_deep_free(sigs);
1408  ldns_pkt_free(dspkt);
1409 
1410  } else {
1411  /* LDNS_STATUS_CRYPTO_NO_DS */
1412  }
1413 
1414  return trusted_keys;
1415 }
1416 
1417 ldns_rr_list *
1419  const ldns_rdf * domain,
1420  const ldns_rr_list * keys)
1421 {
1422  return ldns_validate_domain_ds_time(res, domain, keys, ldns_time(NULL));
1423 }
1424 
1427  ldns_resolver *res,
1428  ldns_rr_list *rrset,
1429  ldns_rr_list * rrsigs,
1430  time_t check_time,
1431  ldns_rr_list * validating_keys
1432  )
1433 {
1434  uint16_t sig_i; uint16_t key_i;
1435  ldns_rr * cur_sig; ldns_rr * cur_key;
1436  ldns_rr_list * trusted_keys = NULL;
1437  ldns_status result = LDNS_STATUS_ERR;
1438 
1439  if (!res || !rrset || !rrsigs) {
1440  return LDNS_STATUS_ERR;
1441  }
1442 
1443  if (ldns_rr_list_rr_count(rrset) < 1) {
1444  return LDNS_STATUS_ERR;
1445  }
1446 
1447  if (ldns_rr_list_rr_count(rrsigs) < 1) {
1449  }
1450 
1451  /* Look at each sig */
1452  for (sig_i=0; sig_i < ldns_rr_list_rr_count(rrsigs); sig_i++) {
1453 
1454  cur_sig = ldns_rr_list_rr(rrsigs, sig_i);
1455  /* Get a valid signer key and validate the sig */
1456  if ((trusted_keys = ldns_fetch_valid_domain_keys_time(
1457  res,
1458  ldns_rr_rrsig_signame(cur_sig),
1460  check_time,
1461  &result))) {
1462 
1463  for (key_i = 0;
1464  key_i < ldns_rr_list_rr_count(trusted_keys);
1465  key_i++) {
1466  cur_key = ldns_rr_list_rr(trusted_keys, key_i);
1467 
1468  if ((result = ldns_verify_rrsig_time(rrset,
1469  cur_sig,
1470  cur_key,
1471  check_time))
1472  == LDNS_STATUS_OK) {
1473  if (validating_keys) {
1474  ldns_rr_list_push_rr(validating_keys,
1475  ldns_rr_clone(cur_key));
1476  }
1477  ldns_rr_list_deep_free(trusted_keys);
1478  return LDNS_STATUS_OK;
1479  }
1480  }
1481  }
1482  }
1483 
1484  ldns_rr_list_deep_free(trusted_keys);
1485  return result;
1486 }
1487 
1490  ldns_resolver *res,
1491  ldns_rr_list *rrset,
1492  ldns_rr_list * rrsigs,
1493  ldns_rr_list * validating_keys)
1494 {
1495  return ldns_verify_trusted_time(
1496  res, rrset, rrsigs, ldns_time(NULL), validating_keys);
1497 }
1498 
1499 
1502  ldns_rr_list *nsecs,
1503  ldns_rr_list *rrsigs)
1504 {
1505  ldns_rdf *rr_name;
1506  ldns_rdf *wildcard_name;
1507  ldns_rdf *chopped_dname;
1508  ldns_rr *cur_nsec;
1509  size_t i;
1510  ldns_status result;
1511  /* needed for wildcard check on exact match */
1512  ldns_rr *rrsig;
1513  bool name_covered = false;
1514  bool type_covered = false;
1515  bool wildcard_covered = false;
1516  bool wildcard_type_covered = false;
1517 
1518  wildcard_name = ldns_dname_new_frm_str("*");
1519  rr_name = ldns_rr_owner(rr);
1520  chopped_dname = ldns_dname_left_chop(rr_name);
1521  result = ldns_dname_cat(wildcard_name, chopped_dname);
1522  ldns_rdf_deep_free(chopped_dname);
1523  if (result != LDNS_STATUS_OK) {
1524  return result;
1525  }
1526 
1527  for (i = 0; i < ldns_rr_list_rr_count(nsecs); i++) {
1528  cur_nsec = ldns_rr_list_rr(nsecs, i);
1529  if (ldns_dname_compare(rr_name, ldns_rr_owner(cur_nsec)) == 0) {
1530  /* see section 5.4 of RFC4035, if the label count of the NSEC's
1531  RRSIG is equal, then it is proven that wildcard expansion
1532  could not have been used to match the request */
1534  ldns_rr_owner(cur_nsec),
1535  ldns_rr_get_type(cur_nsec),
1536  rrsigs);
1537  if (rrsig && ldns_rdf2native_int8(ldns_rr_rrsig_labels(rrsig))
1538  == ldns_dname_label_count(rr_name)) {
1539  wildcard_covered = true;
1540  }
1541 
1543  ldns_rr_get_type(rr))) {
1544  type_covered = true;
1545  }
1546  }
1547  if (ldns_nsec_covers_name(cur_nsec, rr_name)) {
1548  name_covered = true;
1549  }
1550 
1551  if (ldns_dname_compare(wildcard_name,
1552  ldns_rr_owner(cur_nsec)) == 0) {
1554  ldns_rr_get_type(rr))) {
1555  wildcard_type_covered = true;
1556  }
1557  }
1558 
1559  if (ldns_nsec_covers_name(cur_nsec, wildcard_name)) {
1560  wildcard_covered = true;
1561  }
1562 
1563  }
1564 
1565  ldns_rdf_deep_free(wildcard_name);
1566 
1567  if (type_covered || !name_covered) {
1569  }
1570 
1571  if (wildcard_type_covered || !wildcard_covered) {
1573  }
1574 
1575  return LDNS_STATUS_OK;
1576 }
1577 
1580  , ldns_rr_list *nsecs
1581  , ATTR_UNUSED(ldns_rr_list *rrsigs)
1582  , ldns_pkt_rcode packet_rcode
1583  , ldns_rr_type packet_qtype
1584  , bool packet_nodata
1585  , ldns_rr **match
1586  )
1587 {
1588  ldns_rdf *closest_encloser;
1589  ldns_rdf *wildcard;
1590  ldns_rdf *hashed_wildcard_name;
1591  bool wildcard_covered = false;
1592  ldns_rdf *zone_name;
1593  ldns_rdf *hashed_name;
1594  ldns_rdf *hashed_next_closer;
1595  size_t i;
1597 
1598  if (match) {
1599  *match = NULL;
1600  }
1601 
1602  zone_name = ldns_dname_left_chop(ldns_rr_owner(ldns_rr_list_rr(nsecs,0)));
1603 
1604  /* section 8.4 */
1605  if (packet_rcode == LDNS_RCODE_NXDOMAIN) {
1606  closest_encloser = ldns_dnssec_nsec3_closest_encloser(
1607  ldns_rr_owner(rr),
1608  ldns_rr_get_type(rr),
1609  nsecs);
1610  if(!closest_encloser) {
1612  goto done;
1613  }
1614 
1615  wildcard = ldns_dname_new_frm_str("*");
1616  (void) ldns_dname_cat(wildcard, closest_encloser);
1617 
1618  for (i = 0; i < ldns_rr_list_rr_count(nsecs); i++) {
1619  hashed_wildcard_name =
1621  wildcard
1622  );
1623  (void) ldns_dname_cat(hashed_wildcard_name, zone_name);
1624 
1625  if (ldns_nsec_covers_name(ldns_rr_list_rr(nsecs, i),
1626  hashed_wildcard_name)) {
1627  wildcard_covered = true;
1628  if (match) {
1629  *match = ldns_rr_list_rr(nsecs, i);
1630  }
1631  }
1632  ldns_rdf_deep_free(hashed_wildcard_name);
1633  }
1634 
1635  if (! wildcard_covered) {
1637  } else {
1638  result = LDNS_STATUS_OK;
1639  }
1640  ldns_rdf_deep_free(closest_encloser);
1641  ldns_rdf_deep_free(wildcard);
1642 
1643  } else if (packet_nodata && packet_qtype != LDNS_RR_TYPE_DS) {
1644  /* section 8.5 */
1645  hashed_name = ldns_nsec3_hash_name_frm_nsec3(
1646  ldns_rr_list_rr(nsecs, 0),
1647  ldns_rr_owner(rr));
1648  (void) ldns_dname_cat(hashed_name, zone_name);
1649  for (i = 0; i < ldns_rr_list_rr_count(nsecs); i++) {
1650  if (ldns_dname_compare(hashed_name,
1651  ldns_rr_owner(ldns_rr_list_rr(nsecs, i)))
1652  == 0) {
1655  packet_qtype)
1656  &&
1659  LDNS_RR_TYPE_CNAME)) {
1660  result = LDNS_STATUS_OK;
1661  if (match) {
1662  *match = ldns_rr_list_rr(nsecs, i);
1663  }
1664  goto done;
1665  }
1666  }
1667  }
1668  ldns_rdf_deep_free(hashed_name);
1670  /* wildcard no data? section 8.7 */
1671  closest_encloser = ldns_dnssec_nsec3_closest_encloser(
1672  ldns_rr_owner(rr),
1673  ldns_rr_get_type(rr),
1674  nsecs);
1675  if(!closest_encloser) {
1676  result = LDNS_STATUS_NSEC3_ERR;
1677  goto done;
1678  }
1679  wildcard = ldns_dname_new_frm_str("*");
1680  (void) ldns_dname_cat(wildcard, closest_encloser);
1681  for (i = 0; i < ldns_rr_list_rr_count(nsecs); i++) {
1682  hashed_wildcard_name =
1684  wildcard);
1685  (void) ldns_dname_cat(hashed_wildcard_name, zone_name);
1686 
1687  if (ldns_dname_compare(hashed_wildcard_name,
1688  ldns_rr_owner(ldns_rr_list_rr(nsecs, i)))
1689  == 0) {
1692  packet_qtype)
1693  &&
1696  LDNS_RR_TYPE_CNAME)) {
1697  result = LDNS_STATUS_OK;
1698  if (match) {
1699  *match = ldns_rr_list_rr(nsecs, i);
1700  }
1701  }
1702  }
1703  ldns_rdf_deep_free(hashed_wildcard_name);
1704  if (result == LDNS_STATUS_OK) {
1705  break;
1706  }
1707  }
1708  ldns_rdf_deep_free(closest_encloser);
1709  ldns_rdf_deep_free(wildcard);
1710  } else if (packet_nodata && packet_qtype == LDNS_RR_TYPE_DS) {
1711  /* section 8.6 */
1712  /* note: up to XXX this is the same as for 8.5 */
1713  hashed_name = ldns_nsec3_hash_name_frm_nsec3(ldns_rr_list_rr(nsecs,
1714  0),
1715  ldns_rr_owner(rr)
1716  );
1717  (void) ldns_dname_cat(hashed_name, zone_name);
1718  for (i = 0; i < ldns_rr_list_rr_count(nsecs); i++) {
1719  if (ldns_dname_compare(hashed_name,
1721  i)))
1722  == 0) {
1726  &&
1729  LDNS_RR_TYPE_CNAME)) {
1730  result = LDNS_STATUS_OK;
1731  if (match) {
1732  *match = ldns_rr_list_rr(nsecs, i);
1733  }
1734  goto done;
1735  }
1736  }
1737  }
1738 
1739  /* XXX see note above */
1741 
1742  closest_encloser = ldns_dnssec_nsec3_closest_encloser(
1743  ldns_rr_owner(rr),
1744  ldns_rr_get_type(rr),
1745  nsecs);
1746  if(!closest_encloser) {
1747  result = LDNS_STATUS_NSEC3_ERR;
1748  goto done;
1749  }
1750  /* Now check if we have a Opt-Out NSEC3 that covers the "next closer"*/
1751 
1752  if (ldns_dname_label_count(closest_encloser) + 1
1754 
1755  /* Query name *is* the "next closer". */
1756  hashed_next_closer = hashed_name;
1757  } else {
1758  ldns_rdf *next_closer;
1759 
1760  ldns_rdf_deep_free(hashed_name);
1761  /* "next closer" has less labels than the query name.
1762  * Create the name and hash it.
1763  */
1764  next_closer = ldns_dname_clone_from(
1765  ldns_rr_owner(rr),
1767  - (ldns_dname_label_count(closest_encloser) + 1)
1768  );
1769  hashed_next_closer = ldns_nsec3_hash_name_frm_nsec3(
1770  ldns_rr_list_rr(nsecs, 0),
1771  next_closer
1772  );
1773  (void) ldns_dname_cat(hashed_next_closer, zone_name);
1774  ldns_rdf_deep_free(next_closer);
1775  }
1776  /* Find the NSEC3 that covers the "next closer" */
1777  for (i = 0; i < ldns_rr_list_rr_count(nsecs); i++) {
1778  if (ldns_nsec_covers_name(ldns_rr_list_rr(nsecs, i),
1779  hashed_next_closer) &&
1780  ldns_nsec3_optout(ldns_rr_list_rr(nsecs, i))) {
1781 
1782  result = LDNS_STATUS_OK;
1783  if (match) {
1784  *match = ldns_rr_list_rr(nsecs, i);
1785  }
1786  break;
1787  }
1788  }
1789  ldns_rdf_deep_free(hashed_next_closer);
1790  ldns_rdf_deep_free(closest_encloser);
1791  }
1792 
1793  done:
1794  ldns_rdf_deep_free(zone_name);
1795  return result;
1796 }
1797 
1800  ldns_rr_list *nsecs,
1801  ldns_rr_list *rrsigs,
1802  ldns_pkt_rcode packet_rcode,
1803  ldns_rr_type packet_qtype,
1804  bool packet_nodata)
1805 {
1807  rr, nsecs, rrsigs, packet_rcode,
1808  packet_qtype, packet_nodata, NULL
1809  );
1810 }
1811 
1812 #ifdef USE_GOST
1813 EVP_PKEY*
1814 ldns_gost2pkey_raw(const unsigned char* key, size_t keylen)
1815 {
1816  /* prefix header for X509 encoding */
1817  uint8_t asn[37] = { 0x30, 0x63, 0x30, 0x1c, 0x06, 0x06, 0x2a, 0x85,
1818  0x03, 0x02, 0x02, 0x13, 0x30, 0x12, 0x06, 0x07, 0x2a, 0x85,
1819  0x03, 0x02, 0x02, 0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03,
1820  0x02, 0x02, 0x1e, 0x01, 0x03, 0x43, 0x00, 0x04, 0x40};
1821  unsigned char encoded[37+64];
1822  const unsigned char* pp;
1823  if(keylen != 64) {
1824  /* key wrong size */
1825  return NULL;
1826  }
1827 
1828  /* create evp_key */
1829  memmove(encoded, asn, 37);
1830  memmove(encoded+37, key, 64);
1831  pp = (unsigned char*)&encoded[0];
1832 
1833  return d2i_PUBKEY(NULL, &pp, (int)sizeof(encoded));
1834 }
1835 
1836 static ldns_status
1837 ldns_verify_rrsig_gost_raw(const unsigned char* sig, size_t siglen,
1838  const ldns_buffer* rrset, const unsigned char* key, size_t keylen)
1839 {
1840  EVP_PKEY *evp_key;
1841  ldns_status result;
1842 
1843  (void) ldns_key_EVP_load_gost_id();
1844  evp_key = ldns_gost2pkey_raw(key, keylen);
1845  if(!evp_key) {
1846  /* could not convert key */
1847  return LDNS_STATUS_CRYPTO_BOGUS;
1848  }
1849 
1850  /* verify signature */
1851  result = ldns_verify_rrsig_evp_raw(sig, siglen, rrset,
1852  evp_key, EVP_get_digestbyname("md_gost94"));
1853  EVP_PKEY_free(evp_key);
1854 
1855  return result;
1856 }
1857 #endif
1858 
1859 #ifdef USE_ED25519
1860 EVP_PKEY*
1861 ldns_ed255192pkey_raw(const unsigned char* key, size_t keylen)
1862 {
1863  /* ASN1 for ED25519 is 302a300506032b6570032100 <32byteskey> */
1864  uint8_t pre[] = {0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
1865  0x70, 0x03, 0x21, 0x00};
1866  int pre_len = 12;
1867  uint8_t buf[256];
1868  EVP_PKEY *evp_key;
1869  /* pp gets modified by d2i() */
1870  const unsigned char* pp = (unsigned char*)buf;
1871  if(keylen != 32 || keylen + pre_len > sizeof(buf))
1872  return NULL; /* wrong length */
1873  memmove(buf, pre, pre_len);
1874  memmove(buf+pre_len, key, keylen);
1875  evp_key = d2i_PUBKEY(NULL, &pp, (int)(pre_len+keylen));
1876  return evp_key;
1877 }
1878 
1879 static ldns_status
1880 ldns_verify_rrsig_ed25519_raw(unsigned char* sig, size_t siglen,
1881  ldns_buffer* rrset, unsigned char* key, size_t keylen)
1882 {
1883  EVP_PKEY *evp_key;
1884  ldns_status result;
1885 
1886  evp_key = ldns_ed255192pkey_raw(key, keylen);
1887  if(!evp_key) {
1888  /* could not convert key */
1889  return LDNS_STATUS_CRYPTO_BOGUS;
1890  }
1891  result = ldns_verify_rrsig_evp_raw(sig, siglen, rrset, evp_key, NULL);
1892  EVP_PKEY_free(evp_key);
1893  return result;
1894 }
1895 #endif /* USE_ED25519 */
1896 
1897 #ifdef USE_ED448
1898 EVP_PKEY*
1899 ldns_ed4482pkey_raw(const unsigned char* key, size_t keylen)
1900 {
1901  /* ASN1 for ED448 is 3043300506032b6571033a00 <57byteskey> */
1902  uint8_t pre[] = {0x30, 0x43, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
1903  0x71, 0x03, 0x3a, 0x00};
1904  int pre_len = 12;
1905  uint8_t buf[256];
1906  EVP_PKEY *evp_key;
1907  /* pp gets modified by d2i() */
1908  const unsigned char* pp = (unsigned char*)buf;
1909  if(keylen != 57 || keylen + pre_len > sizeof(buf))
1910  return NULL; /* wrong length */
1911  memmove(buf, pre, pre_len);
1912  memmove(buf+pre_len, key, keylen);
1913  evp_key = d2i_PUBKEY(NULL, &pp, (int)(pre_len+keylen));
1914  return evp_key;
1915 }
1916 
1917 static ldns_status
1918 ldns_verify_rrsig_ed448_raw(unsigned char* sig, size_t siglen,
1919  ldns_buffer* rrset, unsigned char* key, size_t keylen)
1920 {
1921  EVP_PKEY *evp_key;
1922  ldns_status result;
1923 
1924  evp_key = ldns_ed4482pkey_raw(key, keylen);
1925  if(!evp_key) {
1926  /* could not convert key */
1927  return LDNS_STATUS_CRYPTO_BOGUS;
1928  }
1929  result = ldns_verify_rrsig_evp_raw(sig, siglen, rrset, evp_key, NULL);
1930  EVP_PKEY_free(evp_key);
1931  return result;
1932 }
1933 #endif /* USE_ED448 */
1934 
1935 #ifdef USE_ECDSA
1936 EVP_PKEY*
1937 ldns_ecdsa2pkey_raw(const unsigned char* key, size_t keylen, uint8_t algo)
1938 {
1939  unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
1940  const unsigned char* pp = buf;
1941  EVP_PKEY *evp_key;
1942  EC_KEY *ec;
1943  /* check length, which uncompressed must be 2 bignums */
1944  if(algo == LDNS_ECDSAP256SHA256) {
1945  if(keylen != 2*256/8) return NULL;
1946  ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
1947  } else if(algo == LDNS_ECDSAP384SHA384) {
1948  if(keylen != 2*384/8) return NULL;
1949  ec = EC_KEY_new_by_curve_name(NID_secp384r1);
1950  } else ec = NULL;
1951  if(!ec) return NULL;
1952  if(keylen+1 > sizeof(buf))
1953  return NULL; /* sanity check */
1954  /* prepend the 0x02 (from docs) (or actually 0x04 from implementation
1955  * of openssl) for uncompressed data */
1956  buf[0] = POINT_CONVERSION_UNCOMPRESSED;
1957  memmove(buf+1, key, keylen);
1958  if(!o2i_ECPublicKey(&ec, &pp, (int)keylen+1)) {
1959  EC_KEY_free(ec);
1960  return NULL;
1961  }
1962  evp_key = EVP_PKEY_new();
1963  if(!evp_key) {
1964  EC_KEY_free(ec);
1965  return NULL;
1966  }
1967  if (!EVP_PKEY_assign_EC_KEY(evp_key, ec)) {
1968  EVP_PKEY_free(evp_key);
1969  EC_KEY_free(ec);
1970  return NULL;
1971  }
1972  return evp_key;
1973 }
1974 
1975 static ldns_status
1976 ldns_verify_rrsig_ecdsa_raw(unsigned char* sig, size_t siglen,
1977  ldns_buffer* rrset, unsigned char* key, size_t keylen, uint8_t algo)
1978 {
1979  EVP_PKEY *evp_key;
1980  ldns_status result;
1981  const EVP_MD *d;
1982 
1983  evp_key = ldns_ecdsa2pkey_raw(key, keylen, algo);
1984  if(!evp_key) {
1985  /* could not convert key */
1986  return LDNS_STATUS_CRYPTO_BOGUS;
1987  }
1988  if(algo == LDNS_ECDSAP256SHA256)
1989  d = EVP_sha256();
1990  else d = EVP_sha384(); /* LDNS_ECDSAP384SHA384 */
1991  result = ldns_verify_rrsig_evp_raw(sig, siglen, rrset, evp_key, d);
1992  EVP_PKEY_free(evp_key);
1993  return result;
1994 }
1995 #endif
1996 
1999  ldns_buffer *key_buf, uint8_t algo)
2000 {
2002  (unsigned char*)ldns_buffer_begin(rawsig_buf),
2003  ldns_buffer_position(rawsig_buf),
2004  verify_buf,
2005  (unsigned char*)ldns_buffer_begin(key_buf),
2006  ldns_buffer_position(key_buf), algo);
2007 }
2008 
2010 ldns_verify_rrsig_buffers_raw(unsigned char* sig, size_t siglen,
2011  ldns_buffer *verify_buf, unsigned char* key, size_t keylen,
2012  uint8_t algo)
2013 {
2014  /* check for right key */
2015  switch(algo) {
2016 #ifdef USE_DSA
2017  case LDNS_DSA:
2018  case LDNS_DSA_NSEC3:
2019  return ldns_verify_rrsig_dsa_raw(sig,
2020  siglen,
2021  verify_buf,
2022  key,
2023  keylen);
2024  break;
2025 #endif
2026  case LDNS_RSASHA1:
2027  case LDNS_RSASHA1_NSEC3:
2028  return ldns_verify_rrsig_rsasha1_raw(sig,
2029  siglen,
2030  verify_buf,
2031  key,
2032  keylen);
2033  break;
2034 #ifdef USE_SHA2
2035  case LDNS_RSASHA256:
2037  siglen,
2038  verify_buf,
2039  key,
2040  keylen);
2041  break;
2042  case LDNS_RSASHA512:
2044  siglen,
2045  verify_buf,
2046  key,
2047  keylen);
2048  break;
2049 #endif
2050 #ifdef USE_GOST
2051  case LDNS_ECC_GOST:
2052  return ldns_verify_rrsig_gost_raw(sig, siglen, verify_buf,
2053  key, keylen);
2054  break;
2055 #endif
2056 #ifdef USE_ECDSA
2057  case LDNS_ECDSAP256SHA256:
2058  case LDNS_ECDSAP384SHA384:
2059  return ldns_verify_rrsig_ecdsa_raw(sig, siglen, verify_buf,
2060  key, keylen, algo);
2061  break;
2062 #endif
2063 #ifdef USE_ED25519
2064  case LDNS_ED25519:
2065  return ldns_verify_rrsig_ed25519_raw(sig, siglen, verify_buf,
2066  key, keylen);
2067  break;
2068 #endif
2069 #ifdef USE_ED448
2070  case LDNS_ED448:
2071  return ldns_verify_rrsig_ed448_raw(sig, siglen, verify_buf,
2072  key, keylen);
2073  break;
2074 #endif
2075  case LDNS_RSAMD5:
2076  return ldns_verify_rrsig_rsamd5_raw(sig,
2077  siglen,
2078  verify_buf,
2079  key,
2080  keylen);
2081  break;
2082  default:
2083  /* do you know this alg?! */
2085  }
2086 }
2087 
2088 
2096 static void
2097 ldns_rrset_use_signature_ttl(ldns_rr_list* rrset_clone, const ldns_rr* rrsig)
2098 {
2099  uint32_t orig_ttl;
2100  uint16_t i;
2101  uint8_t label_count;
2102  ldns_rdf *wildcard_name;
2103  ldns_rdf *wildcard_chopped;
2104  ldns_rdf *wildcard_chopped_tmp;
2105 
2106  if ((rrsig == NULL) || ldns_rr_rd_count(rrsig) < 4) {
2107  return;
2108  }
2109 
2110  orig_ttl = ldns_rdf2native_int32( ldns_rr_rdf(rrsig, 3));
2111  label_count = ldns_rdf2native_int8(ldns_rr_rdf(rrsig, 2));
2112 
2113  for(i = 0; i < ldns_rr_list_rr_count(rrset_clone); i++) {
2114  if (label_count <
2116  ldns_rr_owner(ldns_rr_list_rr(rrset_clone, i)))) {
2117  (void) ldns_str2rdf_dname(&wildcard_name, "*");
2118  wildcard_chopped = ldns_rdf_clone(ldns_rr_owner(
2119  ldns_rr_list_rr(rrset_clone, i)));
2120  while (label_count < ldns_dname_label_count(wildcard_chopped)) {
2121  wildcard_chopped_tmp = ldns_dname_left_chop(
2122  wildcard_chopped);
2123  ldns_rdf_deep_free(wildcard_chopped);
2124  wildcard_chopped = wildcard_chopped_tmp;
2125  }
2126  (void) ldns_dname_cat(wildcard_name, wildcard_chopped);
2127  ldns_rdf_deep_free(wildcard_chopped);
2129  rrset_clone, i)));
2130  ldns_rr_set_owner(ldns_rr_list_rr(rrset_clone, i),
2131  wildcard_name);
2132  }
2133  ldns_rr_set_ttl(ldns_rr_list_rr(rrset_clone, i), orig_ttl);
2134  /* convert to lowercase */
2135  ldns_rr2canonical(ldns_rr_list_rr(rrset_clone, i));
2136  }
2137 }
2138 
2145 static ldns_status
2146 ldns_rrsig2rawsig_buffer(ldns_buffer* rawsig_buf, const ldns_rr* rrsig)
2147 {
2148  uint8_t sig_algo;
2149 
2150  if (rrsig == NULL) {
2152  }
2153  if (ldns_rr_rdf(rrsig, 1) == NULL) {
2155  }
2156  sig_algo = ldns_rdf2native_int8(ldns_rr_rdf(rrsig, 1));
2157  /* check for known and implemented algo's now (otherwise
2158  * the function could return a wrong error
2159  */
2160  /* create a buffer with signature rdata */
2161  /* for some algorithms we need other data than for others... */
2162  /* (the DSA API wants DER encoding for instance) */
2163 
2164  switch(sig_algo) {
2165  case LDNS_RSAMD5:
2166  case LDNS_RSASHA1:
2167  case LDNS_RSASHA1_NSEC3:
2168 #ifdef USE_SHA2
2169  case LDNS_RSASHA256:
2170  case LDNS_RSASHA512:
2171 #endif
2172 #ifdef USE_GOST
2173  case LDNS_ECC_GOST:
2174 #endif
2175 #ifdef USE_ED25519
2176  case LDNS_ED25519:
2177 #endif
2178 #ifdef USE_ED448
2179  case LDNS_ED448:
2180 #endif
2181  if (ldns_rr_rdf(rrsig, 8) == NULL) {
2183  }
2184  if (ldns_rdf2buffer_wire(rawsig_buf, ldns_rr_rdf(rrsig, 8))
2185  != LDNS_STATUS_OK) {
2186  return LDNS_STATUS_MEM_ERR;
2187  }
2188  break;
2189 #ifdef USE_DSA
2190  case LDNS_DSA:
2191  case LDNS_DSA_NSEC3:
2192  /* EVP takes rfc2459 format, which is a tad longer than dns format */
2193  if (ldns_rr_rdf(rrsig, 8) == NULL) {
2195  }
2197  rawsig_buf, ldns_rr_rdf(rrsig, 8))
2198  != LDNS_STATUS_OK) {
2199  /*
2200  if (ldns_rdf2buffer_wire(rawsig_buf,
2201  ldns_rr_rdf(rrsig, 8)) != LDNS_STATUS_OK) {
2202  */
2203  return LDNS_STATUS_MEM_ERR;
2204  }
2205  break;
2206 #endif
2207 #ifdef USE_ECDSA
2208  case LDNS_ECDSAP256SHA256:
2209  case LDNS_ECDSAP384SHA384:
2210  /* EVP produces an ASN prefix on the signature, which is
2211  * not used in the DNS */
2212  if (ldns_rr_rdf(rrsig, 8) == NULL) {
2214  }
2216  rawsig_buf, ldns_rr_rdf(rrsig, 8))
2217  != LDNS_STATUS_OK) {
2218  return LDNS_STATUS_MEM_ERR;
2219  }
2220  break;
2221 #endif
2222  case LDNS_DH:
2223  case LDNS_ECC:
2224  case LDNS_INDIRECT:
2226  default:
2228  }
2229  return LDNS_STATUS_OK;
2230 }
2231 
2238 static ldns_status
2239 ldns_rrsig_check_timestamps(const ldns_rr* rrsig, time_t now)
2240 {
2241  int32_t inception, expiration;
2242 
2243  /* check the signature time stamps */
2244  inception = (int32_t)ldns_rdf2native_time_t(
2245  ldns_rr_rrsig_inception(rrsig));
2246  expiration = (int32_t)ldns_rdf2native_time_t(
2247  ldns_rr_rrsig_expiration(rrsig));
2248 
2249  if (expiration - inception < 0) {
2250  /* bad sig, expiration before inception?? Tsssg */
2252  }
2253  if (((int32_t) now) - inception < 0) {
2254  /* bad sig, inception date has not yet come to pass */
2256  }
2257  if (expiration - ((int32_t) now) < 0) {
2258  /* bad sig, expiration date has passed */
2260  }
2261  return LDNS_STATUS_OK;
2262 }
2263 
2272 static ldns_status
2273 ldns_prepare_for_verify(ldns_buffer* rawsig_buf, ldns_buffer* verify_buf,
2274  ldns_rr_list* rrset_clone, const ldns_rr* rrsig)
2275 {
2276  ldns_status result;
2277 
2278  /* canonicalize the sig */
2280 
2281  /* check if the typecovered is equal to the type checked */
2283  ldns_rr_get_type(ldns_rr_list_rr(rrset_clone, 0)))
2285 
2286  /* create a buffer with b64 signature rdata */
2287  result = ldns_rrsig2rawsig_buffer(rawsig_buf, rrsig);
2288  if(result != LDNS_STATUS_OK)
2289  return result;
2290 
2291  /* use TTL from signature. Use wildcard names for wildcards */
2292  /* also canonicalizes rrset_clone */
2293  ldns_rrset_use_signature_ttl(rrset_clone, rrsig);
2294 
2295  /* sort the rrset in canonical order */
2296  ldns_rr_list_sort(rrset_clone);
2297 
2298  /* put the signature rr (without the b64) to the verify_buf */
2299  if (ldns_rrsig2buffer_wire(verify_buf, rrsig) != LDNS_STATUS_OK)
2300  return LDNS_STATUS_MEM_ERR;
2301 
2302  /* add the rrset in verify_buf */
2303  if(ldns_rr_list2buffer_wire(verify_buf, rrset_clone)
2304  != LDNS_STATUS_OK)
2305  return LDNS_STATUS_MEM_ERR;
2306 
2307  return LDNS_STATUS_OK;
2308 }
2309 
2319 static ldns_status
2320 ldns_verify_test_sig_key(ldns_buffer* rawsig_buf, ldns_buffer* verify_buf,
2321  const ldns_rr* rrsig, ldns_rr* key)
2322 {
2323  uint8_t sig_algo;
2324 
2325  if (rrsig == NULL) {
2327  }
2328  if (ldns_rr_rdf(rrsig, 1) == NULL) {
2330  }
2331  sig_algo = ldns_rdf2native_int8(ldns_rr_rdf(rrsig, 1));
2332 
2333  /* before anything, check if the keytags match */
2334  if (ldns_calc_keytag(key)
2335  ==
2337  ) {
2339  ldns_status result = LDNS_STATUS_ERR;
2340 
2341  /* put the key-data in a buffer, that's the third rdf, with
2342  * the base64 encoded key data */
2343  if (ldns_rr_rdf(key, 3) == NULL) {
2344  ldns_buffer_free(key_buf);
2346  }
2347  if (ldns_rdf2buffer_wire(key_buf, ldns_rr_rdf(key, 3))
2348  != LDNS_STATUS_OK) {
2349  ldns_buffer_free(key_buf);
2350  /* returning is bad might screw up
2351  good keys later in the list
2352  what to do? */
2353  return LDNS_STATUS_ERR;
2354  }
2355 
2356  if (ldns_rr_rdf(key, 2) == NULL) {
2358  }
2359  else if (sig_algo == ldns_rdf2native_int8(
2360  ldns_rr_rdf(key, 2))) {
2361  result = ldns_verify_rrsig_buffers(rawsig_buf,
2362  verify_buf, key_buf, sig_algo);
2363  } else {
2364  /* No keys with the corresponding algorithm are found */
2366  }
2367 
2368  ldns_buffer_free(key_buf);
2369  return result;
2370  }
2371  else {
2372  /* No keys with the corresponding keytag are found */
2374  }
2375 }
2376 
2377 /*
2378  * to verify:
2379  * - create the wire fmt of the b64 key rdata
2380  * - create the wire fmt of the sorted rrset
2381  * - create the wire fmt of the b64 sig rdata
2382  * - create the wire fmt of the sig without the b64 rdata
2383  * - cat the sig data (without b64 rdata) to the rrset
2384  * - verify the rrset+sig, with the b64 data and the b64 key data
2385  */
2388  const ldns_rr_list *rrset,
2389  const ldns_rr *rrsig,
2390  const ldns_rr_list *keys,
2391  time_t check_time,
2392  ldns_rr_list *good_keys)
2393 {
2394  ldns_status result;
2395  ldns_rr_list *valid = ldns_rr_list_new();
2396  if (!valid)
2397  return LDNS_STATUS_MEM_ERR;
2398 
2399  result = ldns_verify_rrsig_keylist_notime(rrset, rrsig, keys, valid);
2400  if(result != LDNS_STATUS_OK) {
2401  ldns_rr_list_free(valid);
2402  return result;
2403  }
2404 
2405  /* check timestamps last; its OK except time */
2406  result = ldns_rrsig_check_timestamps(rrsig, check_time);
2407  if(result != LDNS_STATUS_OK) {
2408  ldns_rr_list_free(valid);
2409  return result;
2410  }
2411 
2412  ldns_rr_list_cat(good_keys, valid);
2413  ldns_rr_list_free(valid);
2414  return LDNS_STATUS_OK;
2415 }
2416 
2417 /*
2418  * to verify:
2419  * - create the wire fmt of the b64 key rdata
2420  * - create the wire fmt of the sorted rrset
2421  * - create the wire fmt of the b64 sig rdata
2422  * - create the wire fmt of the sig without the b64 rdata
2423  * - cat the sig data (without b64 rdata) to the rrset
2424  * - verify the rrset+sig, with the b64 data and the b64 key data
2425  */
2428  ldns_rr *rrsig,
2429  const ldns_rr_list *keys,
2430  ldns_rr_list *good_keys)
2431 {
2433  rrset, rrsig, keys, ldns_time(NULL), good_keys);
2434 }
2435 
2438  const ldns_rr *rrsig,
2439  const ldns_rr_list *keys,
2440  ldns_rr_list *good_keys)
2441 {
2442  ldns_buffer *rawsig_buf;
2443  ldns_buffer *verify_buf;
2444  uint16_t i;
2445  ldns_status result, status;
2446  ldns_rr_list *rrset_clone;
2447  ldns_rr_list *validkeys;
2448 
2449  if (!rrset) {
2450  return LDNS_STATUS_ERR;
2451  }
2452 
2453  validkeys = ldns_rr_list_new();
2454  if (!validkeys) {
2455  return LDNS_STATUS_MEM_ERR;
2456  }
2457 
2458  /* clone the rrset so that we can fiddle with it */
2459  rrset_clone = ldns_rr_list_clone(rrset);
2460 
2461  /* create the buffers which will certainly hold the raw data */
2462  rawsig_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
2463  verify_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
2464 
2465  result = ldns_prepare_for_verify(rawsig_buf, verify_buf,
2466  rrset_clone, rrsig);
2467  if(result != LDNS_STATUS_OK) {
2468  ldns_buffer_free(verify_buf);
2469  ldns_buffer_free(rawsig_buf);
2470  ldns_rr_list_deep_free(rrset_clone);
2471  ldns_rr_list_free(validkeys);
2472  return result;
2473  }
2474 
2476  for(i = 0; i < ldns_rr_list_rr_count(keys); i++) {
2477  status = ldns_verify_test_sig_key(rawsig_buf, verify_buf,
2478  rrsig, ldns_rr_list_rr(keys, i));
2479  if (status == LDNS_STATUS_OK) {
2480  /* one of the keys has matched, don't break
2481  * here, instead put the 'winning' key in
2482  * the validkey list and return the list
2483  * later */
2484  if (!ldns_rr_list_push_rr(validkeys,
2485  ldns_rr_list_rr(keys,i))) {
2486  /* couldn't push the key?? */
2487  ldns_buffer_free(rawsig_buf);
2488  ldns_buffer_free(verify_buf);
2489  ldns_rr_list_deep_free(rrset_clone);
2490  ldns_rr_list_free(validkeys);
2491  return LDNS_STATUS_MEM_ERR;
2492  }
2493 
2494  result = status;
2495  }
2496 
2498  result = status;
2499  }
2500  }
2501 
2502  /* no longer needed */
2503  ldns_rr_list_deep_free(rrset_clone);
2504  ldns_buffer_free(rawsig_buf);
2505  ldns_buffer_free(verify_buf);
2506 
2507  if (ldns_rr_list_rr_count(validkeys) == 0) {
2508  /* no keys were added, return last error */
2509  ldns_rr_list_free(validkeys);
2510  return result;
2511  }
2512 
2513  /* do not check timestamps */
2514 
2515  ldns_rr_list_cat(good_keys, validkeys);
2516  ldns_rr_list_free(validkeys);
2517  return LDNS_STATUS_OK;
2518 }
2519 
2522  ldns_rr_list *rrset,
2523  ldns_rr *rrsig,
2524  ldns_rr *key,
2525  time_t check_time)
2526 {
2527  ldns_buffer *rawsig_buf;
2528  ldns_buffer *verify_buf;
2529  ldns_status result;
2530  ldns_rr_list *rrset_clone;
2531 
2532  if (!rrset) {
2533  return LDNS_STATUS_NO_DATA;
2534  }
2535  /* clone the rrset so that we can fiddle with it */
2536  rrset_clone = ldns_rr_list_clone(rrset);
2537  /* create the buffers which will certainly hold the raw data */
2538  rawsig_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
2539  verify_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
2540 
2541  result = ldns_prepare_for_verify(rawsig_buf, verify_buf,
2542  rrset_clone, rrsig);
2543  if(result != LDNS_STATUS_OK) {
2544  ldns_rr_list_deep_free(rrset_clone);
2545  ldns_buffer_free(rawsig_buf);
2546  ldns_buffer_free(verify_buf);
2547  return result;
2548  }
2549  result = ldns_verify_test_sig_key(rawsig_buf, verify_buf,
2550  rrsig, key);
2551  /* no longer needed */
2552  ldns_rr_list_deep_free(rrset_clone);
2553  ldns_buffer_free(rawsig_buf);
2554  ldns_buffer_free(verify_buf);
2555 
2556  /* check timestamp last, apart from time its OK */
2557  if(result == LDNS_STATUS_OK)
2558  result = ldns_rrsig_check_timestamps(rrsig, check_time);
2559 
2560  return result;
2561 }
2562 
2565 {
2566  return ldns_verify_rrsig_time(rrset, rrsig, key, ldns_time(NULL));
2567 }
2568 
2569 
2572  ldns_buffer *rrset,
2573  EVP_PKEY *key,
2574  const EVP_MD *digest_type)
2575 {
2577  (unsigned char*)ldns_buffer_begin(sig),
2578  ldns_buffer_position(sig),
2579  rrset,
2580  key,
2581  digest_type);
2582 }
2583 
2585 ldns_verify_rrsig_evp_raw(const unsigned char *sig, size_t siglen,
2586  const ldns_buffer *rrset, EVP_PKEY *key, const EVP_MD *digest_type)
2587 {
2588  EVP_MD_CTX *ctx;
2589  int res;
2590 
2591 #ifdef HAVE_EVP_MD_CTX_NEW
2592  ctx = EVP_MD_CTX_new();
2593 #else
2594  ctx = (EVP_MD_CTX*)malloc(sizeof(*ctx));
2595  if(ctx) EVP_MD_CTX_init(ctx);
2596 #endif
2597  if(!ctx)
2598  return LDNS_STATUS_MEM_ERR;
2599 
2600 #if defined(USE_ED25519) || defined(USE_ED448)
2601  if(!digest_type) {
2602  res = EVP_DigestVerifyInit(ctx, NULL, digest_type, NULL, key);
2603  if(res == 1) {
2604  res = EVP_DigestVerify(ctx, sig, siglen,
2605  ldns_buffer_begin(rrset),
2606  ldns_buffer_position(rrset));
2607  }
2608  } else {
2609 #else
2610  res = 0;
2611  if(digest_type) {
2612 #endif
2613  EVP_VerifyInit(ctx, digest_type);
2614  EVP_VerifyUpdate(ctx,
2615  ldns_buffer_begin(rrset),
2616  ldns_buffer_position(rrset));
2617  res = EVP_VerifyFinal(ctx, sig, (unsigned int) siglen, key);
2618  }
2619 
2620  EVP_MD_CTX_destroy(ctx);
2621 
2622  if (res == 1) {
2623  return LDNS_STATUS_OK;
2624 
2625  } else if (res == 0) {
2626  return LDNS_STATUS_CRYPTO_BOGUS;
2627  }
2628  /* TODO how to communicate internal SSL error?
2629  let caller use ssl's get_error() */
2630  return LDNS_STATUS_SSL_ERR;
2631 }
2632 
2635 {
2637  (unsigned char*) ldns_buffer_begin(sig),
2638  ldns_buffer_position(sig),
2639  rrset,
2640  (unsigned char*) ldns_buffer_begin(key),
2641  ldns_buffer_position(key));
2642 }
2643 
2646 {
2648  (unsigned char*)ldns_buffer_begin(sig),
2649  ldns_buffer_position(sig),
2650  rrset,
2651  (unsigned char*) ldns_buffer_begin(key),
2652  ldns_buffer_position(key));
2653 }
2654 
2657 {
2659  (unsigned char*)ldns_buffer_begin(sig),
2660  ldns_buffer_position(sig),
2661  rrset,
2662  (unsigned char*) ldns_buffer_begin(key),
2663  ldns_buffer_position(key));
2664 }
2665 
2667 ldns_verify_rrsig_dsa_raw(unsigned char* sig, size_t siglen,
2668  ldns_buffer* rrset, unsigned char* key, size_t keylen)
2669 {
2670 #ifdef USE_DSA
2671  EVP_PKEY *evp_key;
2672  ldns_status result;
2673 
2674  evp_key = EVP_PKEY_new();
2675  if (EVP_PKEY_assign_DSA(evp_key, ldns_key_buf2dsa_raw(key, keylen))) {
2676  result = ldns_verify_rrsig_evp_raw(sig,
2677  siglen,
2678  rrset,
2679  evp_key,
2680 # ifdef HAVE_EVP_DSS1
2681  EVP_dss1()
2682 # else
2683  EVP_sha1()
2684 # endif
2685  );
2686  } else {
2687  result = LDNS_STATUS_SSL_ERR;
2688  }
2689  EVP_PKEY_free(evp_key);
2690  return result;
2691 #else
2692  (void)sig; (void)siglen; (void)rrset; (void)key; (void)keylen;
2694 #endif
2695 }
2696 
2698 ldns_verify_rrsig_rsasha1_raw(unsigned char* sig, size_t siglen,
2699  ldns_buffer* rrset, unsigned char* key, size_t keylen)
2700 {
2701  EVP_PKEY *evp_key;
2702  ldns_status result;
2703 
2704  evp_key = EVP_PKEY_new();
2705  if (EVP_PKEY_assign_RSA(evp_key, ldns_key_buf2rsa_raw(key, keylen))) {
2706  result = ldns_verify_rrsig_evp_raw(sig,
2707  siglen,
2708  rrset,
2709  evp_key,
2710  EVP_sha1());
2711  } else {
2712  result = LDNS_STATUS_SSL_ERR;
2713  }
2714  EVP_PKEY_free(evp_key);
2715 
2716  return result;
2717 }
2718 
2721  size_t siglen,
2722  ldns_buffer* rrset,
2723  unsigned char* key,
2724  size_t keylen)
2725 {
2726 #ifdef USE_SHA2
2727  EVP_PKEY *evp_key;
2728  ldns_status result;
2729 
2730  evp_key = EVP_PKEY_new();
2731  if (EVP_PKEY_assign_RSA(evp_key, ldns_key_buf2rsa_raw(key, keylen))) {
2732  result = ldns_verify_rrsig_evp_raw(sig,
2733  siglen,
2734  rrset,
2735  evp_key,
2736  EVP_sha256());
2737  } else {
2738  result = LDNS_STATUS_SSL_ERR;
2739  }
2740  EVP_PKEY_free(evp_key);
2741 
2742  return result;
2743 #else
2744  /* touch these to prevent compiler warnings */
2745  (void) sig;
2746  (void) siglen;
2747  (void) rrset;
2748  (void) key;
2749  (void) keylen;
2751 #endif
2752 }
2753 
2756  size_t siglen,
2757  ldns_buffer* rrset,
2758  unsigned char* key,
2759  size_t keylen)
2760 {
2761 #ifdef USE_SHA2
2762  EVP_PKEY *evp_key;
2763  ldns_status result;
2764 
2765  evp_key = EVP_PKEY_new();
2766  if (EVP_PKEY_assign_RSA(evp_key, ldns_key_buf2rsa_raw(key, keylen))) {
2767  result = ldns_verify_rrsig_evp_raw(sig,
2768  siglen,
2769  rrset,
2770  evp_key,
2771  EVP_sha512());
2772  } else {
2773  result = LDNS_STATUS_SSL_ERR;
2774  }
2775  EVP_PKEY_free(evp_key);
2776 
2777  return result;
2778 #else
2779  /* touch these to prevent compiler warnings */
2780  (void) sig;
2781  (void) siglen;
2782  (void) rrset;
2783  (void) key;
2784  (void) keylen;
2786 #endif
2787 }
2788 
2789 
2791 ldns_verify_rrsig_rsamd5_raw(unsigned char* sig,
2792  size_t siglen,
2793  ldns_buffer* rrset,
2794  unsigned char* key,
2795  size_t keylen)
2796 {
2797  EVP_PKEY *evp_key;
2798  ldns_status result;
2799 
2800  evp_key = EVP_PKEY_new();
2801  if (EVP_PKEY_assign_RSA(evp_key, ldns_key_buf2rsa_raw(key, keylen))) {
2802  result = ldns_verify_rrsig_evp_raw(sig,
2803  siglen,
2804  rrset,
2805  evp_key,
2806  EVP_md5());
2807  } else {
2808  result = LDNS_STATUS_SSL_ERR;
2809  }
2810  EVP_PKEY_free(evp_key);
2811 
2812  return result;
2813 }
2814 
2815 #endif
ldns_rdf * ldns_rr_rdf(const ldns_rr *rr, size_t nr)
returns the rdata field member counter.
Definition: rr.c:904
implementation of buffers to ease operations
Definition: buffer.h:50
ldns_rdf * ldns_rr_rrsig_labels(const ldns_rr *r)
returns the number of labels of a LDNS_RR_TYPE_RRSIG RR
Definition: rr_functions.c:135
bool ldns_nsec_covers_name(const ldns_rr *nsec, const ldns_rdf *name)
Checks coverage of NSEC(3) RR name span Remember that nsec and name must both be in canonical form (i...
Definition: dnssec.c:1506
void ldns_dnssec_derive_trust_tree_normal_rrset_time(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_sig_rr, time_t check_time)
Sub function for derive_trust_tree that is used for a 'normal' rrset.
ldns_rr * ldns_rr_clone(const ldns_rr *rr)
clones a rr and all its data
Definition: rr.c:1394
void ldns_rdf_deep_free(ldns_rdf *rd)
frees a rdf structure and frees the data.
Definition: rdata.c:230
ldns_dnssec_trust_tree * ldns_dnssec_trust_tree_new(void)
Creates a new (empty) dnssec_trust_tree structure.
uint8_t ldns_dname_label_count(const ldns_rdf *r)
count the number of labels inside a LDNS_RDF_DNAME type rdf.
Definition: dname.c:214
bool ldns_rr_compare_ds(const ldns_rr *orr1, const ldns_rr *orr2)
returns true of the given rr's are equal.
Definition: rr.c:1704
void ldns_rr2canonical(ldns_rr *rr)
converts each dname in a rr to its canonical form.
Definition: rr.c:1775
the canonical name for an alias
Definition: rr.h:88
RSA * ldns_key_buf2rsa_raw(const unsigned char *key, size_t len)
Like ldns_key_buf2rsa, but uses raw buffer.
Definition: dnssec.c:419
ldns_rr_type ldns_rdf2rr_type(const ldns_rdf *rd)
convert an rdf of type LDNS_RDF_TYPE_TYPE to an actual LDNS_RR_TYPE.
Definition: rr.c:2729
DNSSEC.
Definition: rr.h:170
ldns_status ldns_verify_trusted_time(ldns_resolver *res, ldns_rr_list *rrset, ldns_rr_list *rrsigs, time_t check_time, ldns_rr_list *validating_keys)
Verifies a list of signatures for one RRset using a valid trust path.
ldns_rr_list * ldns_pkt_rr_list_by_name_and_type(const ldns_pkt *packet, const ldns_rdf *ownername, ldns_rr_type type, ldns_pkt_section sec)
return all the rr with a specific type and type from a packet.
Definition: packet.c:340
int ldns_dname_compare(const ldns_rdf *dname1, const ldns_rdf *dname2)
Compares the two dname rdf's according to the algorithm for ordering in RFC4034 Section 6.
Definition: dname.c:359
ldns_status ldns_verify_rrsig_evp(ldns_buffer *sig, ldns_buffer *rrset, EVP_PKEY *key, const EVP_MD *digest_type)
verifies a buffer with signature data for a buffer with rrset data with an EVP_PKEY
bool ldns_dnssec_pkt_has_rrsigs(const ldns_pkt *pkt)
Checks whether the packet contains rrsigs.
Definition: dnssec.c:204
DNS stub resolver structure.
Definition: resolver.h:59
ldns_rdf * ldns_rr_rrsig_inception(const ldns_rr *r)
returns the inception time of a LDNS_RR_TYPE_RRSIG RR
Definition: rr_functions.c:171
enum ldns_enum_rr_class ldns_rr_class
Definition: rr.h:61
bool ldns_rr_list_push_rr(ldns_rr_list *rr_list, const ldns_rr *rr)
pushes an rr to an rrlist.
Definition: rr.c:1127
ldns_pkt * ldns_resolver_query(const ldns_resolver *r, const ldns_rdf *name, ldns_rr_type t, ldns_rr_class c, uint16_t flags)
Send a query to a nameserver.
Definition: resolver.c:1164
List or Set of Resource Records.
Definition: rr.h:335
ldns_status ldns_str2rdf_dname(ldns_rdf **d, const char *str)
convert a dname string into wireformat
Definition: str2host.c:311
ldns_pkt_rcode ldns_pkt_get_rcode(const ldns_pkt *packet)
Return the packet's respons code.
Definition: packet.c:94
Output format specifier.
Definition: host2str.h:86
uint8_t ldns_rdf2native_int8(const ldns_rdf *rd)
returns the native uint8_t representation from the rdf.
Definition: rdata.c:70
ldns_status ldns_verify_rrsig_buffers(ldns_buffer *rawsig_buf, ldns_buffer *verify_buf, ldns_buffer *key_buf, uint8_t algo)
Verifies the already processed data in the buffers This function should probably not be used directly...
ldns_status ldns_verify_time(const ldns_rr_list *rrset, const ldns_rr_list *rrsig, const ldns_rr_list *keys, time_t check_time, ldns_rr_list *good_keys)
Verifies a list of signatures for one rrset.
void ldns_dnssec_derive_trust_tree_ds_rrset(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr)
Sub function for derive_trust_tree that is used for DS rrsets.
#define LDNS_RD
Definition: packet.h:30
void ldns_dnssec_trust_tree_print(FILE *out, ldns_dnssec_trust_tree *tree, size_t tabs, bool extended)
ldns_status ldns_dnssec_verify_denial(ldns_rr *rr, ldns_rr_list *nsecs, ldns_rr_list *rrsigs)
denial is not just a river in egypt
Definition: keys.h:48
ldns_status ldns_rr_list2buffer_wire(ldns_buffer *buffer, const ldns_rr_list *rr_list)
Copies the rr_list data to the buffer in wire format.
Definition: host2wire.c:156
#define LDNS_CALLOC(type, count)
Definition: util.h:53
#define LDNS_XMALLOC(type, count)
Definition: util.h:51
void ldns_dnssec_derive_trust_tree_normal_rrset(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_sig_rr)
Sub function for derive_trust_tree that is used for a 'normal' rrset.
size_t ldns_rdf_size(const ldns_rdf *rd)
returns the size of the rdf.
Definition: rdata.c:24
ldns_status ldns_convert_dsa_rrsig_rdf2asn1(ldns_buffer *target_buffer, const ldns_rdf *sig_rdf)
Converts the RRSIG signature RDF (in rfc2536 format) to a buffer with the signature in rfc2459 format...
Definition: dnssec.c:1805
void ldns_dnssec_data_chain_deep_free(ldns_dnssec_data_chain *chain)
Frees a dnssec_data_chain structure, and all data contained therein.
Definition: dnssec_verify.c:45
ldns_lookup_table ldns_rcodes[]
Response codes.
Definition: host2str.c:106
ldns_rr_list * ldns_fetch_valid_domain_keys_time(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, time_t check_time, ldns_status *status)
Tries to build an authentication chain from the given keys down to the queried domain.
void ldns_rr_list_deep_free(ldns_rr_list *rr_list)
frees an rr_list structure and all rrs contained therein.
Definition: rr.c:1015
void ldns_buffer_free(ldns_buffer *buffer)
frees the buffer.
Definition: buffer.c:137
ldns_rr_list * ldns_validate_domain_ds(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys)
Validates the DS RRset for the given domain using the provided trusted keys.
ldns_status ldns_verify_rrsig_rsasha1_raw(unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
Like ldns_verify_rrsig_rsasha1, but uses raw signature and key data.
void ldns_dnssec_derive_trust_tree_ds_rrset_time(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr, time_t check_time)
Sub function for derive_trust_tree that is used for DS rrsets.
ldns_rdf * ldns_dnssec_nsec3_closest_encloser(const ldns_rdf *qname, ldns_rr_type qtype __attribute__((unused)), const ldns_rr_list *nsec3s)
Definition: dnssec.c:102
ldns_rdf * ldns_rdf_clone(const ldns_rdf *rd)
clones a rdf structure.
Definition: rdata.c:222
ldns_dnssec_trust_tree * ldns_dnssec_derive_trust_tree_time(ldns_dnssec_data_chain *data_chain, ldns_rr *rr, time_t check_time)
Generates a dnssec_trust_tree for the given rr from the given data_chain.
void ldns_dname2canonical(const ldns_rdf *rd)
Put a dname into canonical fmt - ie.
Definition: dname.c:280
ldns_rr * parent_signature[10]
for debugging, add signatures too (you might want those if they contain errors)
ldns_status ldns_verify_rrsig_rsasha256_raw(unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
Like ldns_verify_rrsig_rsasha256, but uses raw signature and key data.
ldns_rdf * ldns_rr_rrsig_keytag(const ldns_rr *r)
returns the keytag of a LDNS_RR_TYPE_RRSIG RR
Definition: rr_functions.c:183
size_t ldns_rr_rd_count(const ldns_rr *rr)
returns the rd_count of an rr structure.
Definition: rr.c:932
#define LDNS_MAX_PACKETLEN
Definition: packet.h:24
ldns_status ldns_verify_notime(ldns_rr_list *rrset, ldns_rr_list *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys)
Verifies a list of signatures for one rrset, but disregard the time.
ldns_status ldns_verify_rrsig_keylist_notime(const ldns_rr_list *rrset, const ldns_rr *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys)
Verifies an rrsig.
ldns_rdf * ldns_dname_left_chop(const ldns_rdf *d)
chop one label off the left side of a dname.
Definition: dname.c:189
ldns_rr_list * ldns_resolver_dnssec_anchors(const ldns_resolver *r)
Get the resolver's DNSSEC anchors.
Definition: resolver.c:132
EVP_PKEY * ldns_ed4482pkey_raw(const unsigned char *key, size_t keylen)
Converts a holding buffer with key material to EVP PKEY in openssl.
DSA * ldns_key_buf2dsa_raw(const unsigned char *key, size_t len)
Like ldns_key_buf2dsa, but uses raw buffer.
Definition: dnssec.c:343
void ldns_rr_list_free(ldns_rr_list *rr_list)
frees an rr_list structure.
Definition: rr.c:1006
ldns_rr_list * ldns_pkt_rr_list_by_type(const ldns_pkt *packet, ldns_rr_type type, ldns_pkt_section sec)
return all the rr with a specific type from a packet.
Definition: packet.c:304
const ldns_rr_descriptor * ldns_rr_descript(uint16_t type)
returns the resource record descriptor for the given rr type.
Definition: rr.c:2611
void ldns_dnssec_derive_trust_tree_no_sig(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain)
Sub function for derive_trust_tree that is used when there are no signatures.
const ldns_output_format * ldns_output_format_default
The default output format record.
Definition: host2str.c:139
Resource Record.
Definition: rr.h:307
ldns_rr_list * ldns_validate_domain_dnskey_time(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, time_t check_time)
Validates the DNSKEY RRset for the given domain using the provided trusted keys.
ldns_status ldns_rdf2buffer_wire(ldns_buffer *buffer, const ldns_rdf *rdf)
Copies the rdata data to the buffer in wire format.
Definition: host2wire.c:109
ldns_rr_list * ldns_fetch_valid_domain_keys(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, ldns_status *status)
Tries to build an authentication chain from the given keys down to the queried domain.
ldns_rdf * ldns_nsec_get_bitmap(const ldns_rr *nsec)
Returns the rdata field that contains the bitmap of the covered types of the given NSEC record.
Definition: dnssec.c:89
ldns_status ldns_verify_rrsig_buffers_raw(unsigned char *sig, size_t siglen, ldns_buffer *verify_buf, unsigned char *key, size_t keylen, uint8_t algo)
Like ldns_verify_rrsig_buffers, but uses raw data.
Including this file will include all ldns files, and define some lookup tables.
ldns_rdf * ldns_dname_new_frm_str(const char *str)
creates a new dname rdf from a string.
Definition: dname.c:268
ldns_status ldns_verify_rrsig_time(ldns_rr_list *rrset, ldns_rr *rrsig, ldns_rr *key, time_t check_time)
verify an rrsig with 1 key
ldns_rr_list * ldns_dnssec_pkt_get_rrsigs_for_type(const ldns_pkt *pkt, ldns_rr_type type)
Returns a ldns_rr_list containing the signatures covering the given type.
Definition: dnssec.c:250
bool ldns_rr_list_cat(ldns_rr_list *left, const ldns_rr_list *right)
concatenates two ldns_rr_lists together.
Definition: rr.c:1031
ldns_rdf * ldns_dname_clone_from(const ldns_rdf *d, uint16_t n)
Clones the given dname from the nth label on.
Definition: dname.c:160
ldns_rr * ldns_rr_list_rr(const ldns_rr_list *rr_list, size_t nr)
returns a specific rr of an rrlist.
Definition: rr.c:985
void ldns_rr_print_fmt(FILE *output, const ldns_output_format *fmt, const ldns_rr *rr)
Prints the data in the resource record to the given file stream (in presentation format)
Definition: host2str.c:2571
ldns_rr_list * ldns_validate_domain_dnskey(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys)
Validates the DNSKEY RRset for the given domain using the provided trusted keys.
ldns_status ldns_dnssec_trust_tree_contains_keys(ldns_dnssec_trust_tree *tree, ldns_rr_list *trusted_keys)
Returns OK if there is a trusted path in the tree to one of the DNSKEY or DS RRs in the given list.
ldns_dnssec_data_chain * parent
Definition: dnssec_verify.h:25
ldns_status ldns_verify_rrsig_keylist_time(const ldns_rr_list *rrset, const ldns_rr *rrsig, const ldns_rr_list *keys, time_t check_time, ldns_rr_list *good_keys)
Verifies an rrsig.
EVP_PKEY * ldns_ecdsa2pkey_raw(const unsigned char *key, size_t keylen, uint8_t algo)
Converts a holding buffer with key material to EVP PKEY in openssl.
void ldns_dnssec_data_chain_print_fmt(FILE *out, const ldns_output_format *fmt, const ldns_dnssec_data_chain *chain)
Prints the dnssec_data_chain to the given file stream.
Definition: dnssec_verify.c:56
#define ATTR_UNUSED(x)
Definition: common.h:69
uint16_t ldns_pkt_ancount(const ldns_pkt *packet)
Return the packet's an count.
Definition: packet.c:106
ldns_dnssec_trust_tree * ldns_dnssec_derive_trust_tree(ldns_dnssec_data_chain *data_chain, ldns_rr *rr)
Generates a dnssec_trust_tree for the given rr from the given data_chain.
uint16_t ldns_rdf2native_int16(const ldns_rdf *rd)
returns the native uint16_t representation from the rdf.
Definition: rdata.c:84
time_t ldns_rdf2native_time_t(const ldns_rdf *rd)
returns the native time_t representation from the rdf.
Definition: rdata.c:112
size_t ldns_dnssec_trust_tree_depth(ldns_dnssec_trust_tree *tree)
returns the depth of the trust tree
void ldns_dnssec_data_chain_free(ldns_dnssec_data_chain *chain)
Frees a dnssec_data_chain structure.
Definition: dnssec_verify.c:39
ldns_rr_list * ldns_rr_list_new(void)
creates a new rr_list structure.
Definition: rr.c:995
void ldns_dnssec_trust_tree_free(ldns_dnssec_trust_tree *tree)
Frees the dnssec_trust_tree recursively.
ldns_lookup_table * ldns_lookup_by_id(ldns_lookup_table *table, int id)
Definition: util.c:41
ldns_status ldns_verify_rrsig_rsasha512_raw(unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
Like ldns_verify_rrsig_rsasha512, but uses raw signature and key data.
the Internet
Definition: rr.h:47
int ldns_key_EVP_load_gost_id(void)
Get the PKEY id for GOST, loads GOST into openssl as a side effect.
ldns_rr_list * ldns_validate_domain_ds_time(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, time_t check_time)
Validates the DS RRset for the given domain using the provided trusted keys.
bool ldns_nsec3_optout(const ldns_rr *nsec3_rr)
Returns true if the opt-out flag has been set in the given NSEC3 RR.
Definition: dnssec.c:1284
EVP_PKEY * ldns_gost2pkey_raw(const unsigned char *key, size_t keylen)
Converts a holding buffer with key material to EVP PKEY in openssl.
uint16_t ldns_calc_keytag(const ldns_rr *key)
calculates a keytag of a key for use in DNSSEC.
Definition: dnssec.c:277
enum ldns_enum_pkt_rcode ldns_pkt_rcode
Definition: packet.h:68
Contains all information about resource record types.
Definition: rr.h:348
void ldns_dnssec_data_chain_print(FILE *out, const ldns_dnssec_data_chain *chain)
Prints the dnssec_data_chain to the given file stream.
Definition: dnssec_verify.c:91
RFC4034, RFC3658.
Definition: rr.h:164
ldns_status ldns_dnssec_verify_denial_nsec3_match(ldns_rr *rr, ldns_rr_list *nsecs, ldns_rr_list *rrsigs __attribute__((unused)), ldns_pkt_rcode packet_rcode, ldns_rr_type packet_qtype, bool packet_nodata, ldns_rr **match)
ldns_status ldns_verify_rrsig_keylist(ldns_rr_list *rrset, ldns_rr *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys)
Verifies an rrsig.
ldns_rr_list * ldns_rr_list_clone(const ldns_rr_list *rrlist)
clones an rrlist.
Definition: rr.c:1425
bool ldns_nsec_bitmap_covers_type(const ldns_rdf *bitmap, ldns_rr_type type)
Check if RR type t is enumerated and set in the RR type bitmap rdf.
Definition: dnssec.c:1391
ldns_rdf * ldns_nsec3_bitmap(const ldns_rr *nsec3_rr)
Returns the bitmap specifying the covered types of the given NSEC3 RR.
Definition: dnssec.c:1356
ldns_dnssec_trust_tree * parents[10]
DNS packet.
Definition: packet.h:233
void ldns_rr_set_owner(ldns_rr *rr, ldns_rdf *owner)
sets the owner in the rr structure.
Definition: rr.c:799
void ldns_rdf_print(FILE *output, const ldns_rdf *rdf)
Prints the data in the rdata field to the given file stream (in presentation format)
Definition: host2str.c:2559
uint32_t ldns_rdf2native_int32(const ldns_rdf *rd)
returns the native uint32_t representation from the rdf.
Definition: rdata.c:98
ldns_rr_type ldns_rr_get_type(const ldns_rr *rr)
returns the type of the rr.
Definition: rr.c:938
ldns_rr * ldns_dnssec_get_rrsig_for_name_and_type(const ldns_rdf *name, const ldns_rr_type type, const ldns_rr_list *rrs)
Returns the first RRSIG rr that corresponds to the rrset with the given name and type.
Definition: dnssec.c:34
ldns_rdf * ldns_rr_rrsig_typecovered(const ldns_rr *r)
returns the type covered of a LDNS_RR_TYPE_RRSIG rr
Definition: rr_functions.c:111
ldns_dnssec_data_chain * ldns_dnssec_build_data_chain(ldns_resolver *res, uint16_t qflags, const ldns_rr_list *rrset, const ldns_pkt *pkt, ldns_rr *orig_rr)
Build an ldns_dnssec_data_chain, which contains all DNSSEC data that is needed to derive the trust tr...
ldns_rr_list * ldns_rr_list_pop_rrset(ldns_rr_list *rr_list)
pops the first rrset from the list, the list must be sorted, so that all rr's from each rrset are nex...
Definition: rr.c:1342
const char * name
Definition: util.h:158
void ldns_rr_set_ttl(ldns_rr *rr, uint32_t ttl)
sets the ttl in the rr structure.
Definition: rr.c:811
enum ldns_enum_status ldns_status
Definition: error.h:134
ldns_dnssec_data_chain * ldns_dnssec_data_chain_new(void)
Creates a new dnssec_chain structure.
Definition: dnssec_verify.c:19
ldns_buffer * ldns_buffer_new(size_t capacity)
creates a new buffer with the specified capacity.
Definition: buffer.c:16
Definition: keys.h:47
A general purpose lookup table.
Definition: util.h:156
ldns_status ldns_verify_rrsig_dsa_raw(unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
Like ldns_verify_rrsig_dsa, but uses raw signature and key data.
EVP_PKEY * ldns_ed255192pkey_raw(const unsigned char *key, size_t keylen)
Converts a holding buffer with key material to EVP PKEY in openssl.
#define LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS
dnssec_verify
Definition: dnssec_verify.h:6
ldns_rdf * ldns_rr_rrsig_signame(const ldns_rr *r)
returns the signers name of a LDNS_RR_TYPE_RRSIG RR
Definition: rr_functions.c:195
void ldns_dnssec_trust_tree_print_fmt(FILE *out, const ldns_output_format *fmt, ldns_dnssec_trust_tree *tree, size_t tabs, bool extended)
bool ldns_dname_is_subdomain(const ldns_rdf *sub, const ldns_rdf *parent)
test whether the name sub falls under parent (i.e.
Definition: dname.c:296
ldns_status ldns_dnssec_trust_tree_add_parent(ldns_dnssec_trust_tree *tree, const ldns_dnssec_trust_tree *parent, const ldns_rr *signature, const ldns_status parent_status)
Adds a trust tree as a parent for the given trust tree.
ldns_status ldns_verify_rrsig_rsasha1(ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key)
verifies a buffer with signature data (RSASHA1) for a buffer with rrset data with a buffer with key d...
Resource record data field.
Definition: rdata.h:177
ldns_status ldns_verify_trusted(ldns_resolver *res, ldns_rr_list *rrset, ldns_rr_list *rrsigs, ldns_rr_list *validating_keys)
Verifies a list of signatures for one RRset using a valid trust path.
ldns_rdf * ldns_rr_owner(const ldns_rr *rr)
returns the owner name of an rr structure.
Definition: rr.c:914
void ldns_dnssec_derive_trust_tree_dnskey_rrset_time(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr, ldns_rr *cur_sig_rr, time_t check_time)
Sub function for derive_trust_tree that is used for DNSKEY rrsets.
ldns_status ldns_verify_rrsig_rsamd5(ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key)
verifies a buffer with signature data (RSAMD5) for a buffer with rrset data with a buffer with key da...
size_t ldns_rr_list_rr_count(const ldns_rr_list *rr_list)
returns the number of rr's in an rr_list.
Definition: rr.c:952
enum ldns_enum_rr_type ldns_rr_type
Definition: rr.h:241
const char * _name
Textual name of the RR type.
Definition: rr.h:353
#define LDNS_FREE(ptr)
Definition: util.h:60
ldns_status ldns_convert_ecdsa_rrsig_rdf2asn1(ldns_buffer *target_buffer, const ldns_rdf *sig_rdf)
Converts the RRSIG signature RDF (from DNS) to a buffer with the signature in ASN1 format as openssl ...
Definition: dnssec.c:1905
an authoritative name server
Definition: rr.h:82
ldns_status ldns_rrsig2buffer_wire(ldns_buffer *buffer, const ldns_rr *rr)
Converts a rrsig to wireformat BUT EXCLUDE the rrsig rdata This is needed in DNSSEC verification.
Definition: host2wire.c:294
const char * ldns_get_errorstr_by_id(ldns_status err)
look up a descriptive text by each error.
Definition: error.c:164
ldns_rr_class ldns_rr_get_class(const ldns_rr *rr)
returns the class of the rr.
Definition: rr.c:944
Definition: keys.h:49
used to get all non-question rrs from a packet
Definition: packet.h:282
ldns_status ldns_verify_rrsig(ldns_rr_list *rrset, ldns_rr *rrsig, ldns_rr *key)
verify an rrsig with 1 key
ldns_status ldns_dnssec_verify_denial_nsec3(ldns_rr *rr, ldns_rr_list *nsecs, ldns_rr_list *rrsigs, ldns_pkt_rcode packet_rcode, ldns_rr_type packet_qtype, bool packet_nodata)
ldns_status ldns_dname_cat(ldns_rdf *rd1, const ldns_rdf *rd2)
concatenates rd2 after rd1 (rd2 is copied, rd1 is modified)
Definition: dname.c:90
ldns_status ldns_verify_rrsig_evp_raw(const unsigned char *sig, size_t siglen, const ldns_buffer *rrset, EVP_PKEY *key, const EVP_MD *digest_type)
Like ldns_verify_rrsig_evp, but uses raw signature data.
void ldns_pkt_free(ldns_pkt *packet)
frees the packet structure and all data that it contains.
Definition: packet.c:807
void ldns_rr_list_sort(ldns_rr_list *unsorted)
sorts an rr_list (canonical wire format).
Definition: rr.c:1510
void ldns_dnssec_derive_trust_tree_no_sig_time(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, time_t check_time)
Sub function for derive_trust_tree that is used when there are no signatures.
ldns_status ldns_verify_rrsig_rsamd5_raw(unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
Like ldns_verify_rrsig_rsamd5, but uses raw signature and key data.
void ldns_dnssec_derive_trust_tree_dnskey_rrset(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr, ldns_rr *cur_sig_rr)
Sub function for derive_trust_tree that is used for DNSKEY rrsets.
ldns_status ldns_verify_rrsig_dsa(ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key)
verifies a buffer with signature data (DSA) for a buffer with rrset data with a buffer with key data.
ldns_rdf * ldns_nsec3_hash_name_frm_nsec3(const ldns_rr *nsec, const ldns_rdf *name)
Calculates the hashed name using the parameters of the given NSEC3 RR.
Definition: dnssec.c:1366
ldns_rr_list * ldns_dnssec_pkt_get_rrsigs_for_name_and_type(const ldns_pkt *pkt, const ldns_rdf *name, ldns_rr_type type)
Returns a ldns_rr_list containing the signatures covering the given name and type.
Definition: dnssec.c:223
ldns_status ldns_verify(ldns_rr_list *rrset, ldns_rr_list *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys)
Verifies a list of signatures for one rrset.
ldns_rdf * ldns_rr_rrsig_expiration(const ldns_rr *r)
returns the expiration time of a LDNS_RR_TYPE_RRSIG RR
Definition: rr_functions.c:159
void ldns_rr_list_print_fmt(FILE *output, const ldns_output_format *fmt, const ldns_rr_list *lst)
print a rr_list to output
Definition: host2str.c:2609