12 #include <openssl/ssl.h> 13 #include <openssl/evp.h> 14 #include <openssl/rand.h> 15 #include <openssl/err.h> 16 #include <openssl/md5.h> 67 fprintf(out,
";; rcode: %s\n", rcode->
name);
71 if (rr_descriptor && rr_descriptor->
_name) {
72 fprintf(out,
";; qtype: %s\n", rr_descriptor->
_name);
74 fprintf(out,
"TYPE%u",
78 fprintf(out,
";; NODATA response\n");
80 fprintf(out,
"rrset:\n");
82 fprintf(out,
"sigs:\n");
84 fprintf(out,
"---\n");
86 fprintf(out,
"<no data>\n");
209 printf(
"There were already sigs!\n");
211 printf(
"replacing the old sigs\n");
242 possible_parent_name,
283 ldns_rdf *name = NULL, *key_name = NULL;
287 bool other_rrset =
false;
411 return ldns_dnssec_build_data_chain_nokeyname(res,
420 ldns_dnssec_build_data_chain_dnskey(res,
430 ldns_dnssec_build_data_chain_other(res,
449 if(!new_tree)
return NULL;
451 new_tree->
rrset = NULL;
478 if (parent > result) {
487 print_tabs(FILE *out,
size_t nr, uint8_t *map,
size_t treedepth)
490 for (i = 0; i < nr; i++) {
492 fprintf(out,
"|---");
493 }
else if (map && i < treedepth && map[i] == 1) {
502 ldns_dnssec_trust_tree_print_sm_fmt(FILE *out,
519 memset(sibmap, 0, treedepth);
525 print_tabs(out, tabs, sibmap, treedepth);
529 if (descriptor->
_name) {
530 fprintf(out,
" (%s", descriptor->
_name);
532 fprintf(out,
" (TYPE%d",
537 fprintf(out,
" keytag: %u",
539 fprintf(out,
" alg: ");
541 fprintf(out,
" flags: ");
544 fprintf(out,
" keytag: ");
546 fprintf(out,
" digest type: ");
559 if (tree->
parent_count > 1 && i < tree->parent_count - 1) {
570 print_tabs(out, tabs + 1, sibmap, treedepth);
574 fprintf(out,
"Existence of DS is denied by:\n");
576 fprintf(out,
"Existence is denied by:\n");
581 fprintf(out,
"Existence of DS is denied by:\n");
583 print_tabs(out, tabs + 1, sibmap, treedepth);
585 "Error in denial of existence: %s\n",
592 print_tabs(out, tabs + 1, sibmap, treedepth);
599 printf(
"; SSL Error: ");
600 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(HAVE_LIBRESSL) 601 ERR_load_crypto_strings();
603 ERR_print_errors_fp(stdout);
608 parent_signature[i]);
609 printf(
"For RRset:\n");
612 printf(
"With key:\n");
616 ldns_dnssec_trust_tree_print_sm_fmt(out, fmt,
624 print_tabs(out, tabs, sibmap, treedepth);
625 fprintf(out,
"<no data>\n");
628 fprintf(out,
"<null pointer>\n");
642 ldns_dnssec_trust_tree_print_sm_fmt(out, fmt,
643 tree, tabs, extended, NULL, 0);
653 tree, tabs, extended);
701 if (data_chain && data_chain->
rrset) {
702 cur_rrset = data_chain->
rrset;
715 new_tree->
rr = cur_rr;
716 new_tree->
rrset = cur_rrset;
770 new_tree, data_chain,
777 new_tree, data_chain, check_time);
815 tmp_rrset = cur_rrset;
823 assert(tmp_rrset == cur_rrset);
843 if (tmp_rrset && tmp_rrset != cur_rrset
851 if (cur_parent_rr == new_tree->
parents[i]->
rr) {
879 new_tree, data_chain, cur_sig_rr, ldns_time(NULL));
901 if (cur_parent_rr != cur_rr &&
906 cur_parent_tree->
rr = cur_parent_rr;
907 cur_parent_tree->
rrset = cur_rrset;
909 cur_rrset, cur_sig_rr,
910 cur_parent_rr, check_time);
912 cur_parent_tree, cur_sig_rr, cur_status))
926 new_tree, data_chain, cur_rr, cur_sig_rr, ldns_time(NULL));
979 new_tree, data_chain, cur_rr, ldns_time(NULL));
1028 cur_parent_tree, NULL, result))
1040 new_tree, data_chain, ldns_time(NULL));
1085 result = parent_result;
1109 if (!rrset || !rrsig || !keys) {
1127 keys, check_time, good_keys);
1138 return verify_result;
1155 if (!rrset || !rrsig || !keys) {
1185 return verify_result;
1201 if (res && domain && keys) {
1204 domain, keys, check_time))) {
1211 while (parent_domain &&
1248 if (parent_domain) {
1253 return trusted_keys;
1263 res, domain, keys, ldns_time(NULL), status);
1276 uint16_t key_i; uint16_t key_j; uint16_t key_k;
1277 uint16_t sig_i;
ldns_rr * cur_sig;
1337 return trusted_keys;
1357 return trusted_keys;
1366 res, domain, keys, ldns_time(NULL));
1414 return trusted_keys;
1434 uint16_t sig_i; uint16_t key_i;
1439 if (!res || !rrset || !rrsigs) {
1473 if (validating_keys) {
1496 res, rrset, rrsigs, ldns_time(NULL), validating_keys);
1513 bool name_covered =
false;
1514 bool type_covered =
false;
1515 bool wildcard_covered =
false;
1516 bool wildcard_type_covered =
false;
1539 wildcard_covered =
true;
1544 type_covered =
true;
1548 name_covered =
true;
1555 wildcard_type_covered =
true;
1560 wildcard_covered =
true;
1567 if (type_covered || !name_covered) {
1571 if (wildcard_type_covered || !wildcard_covered) {
1584 ,
bool packet_nodata
1591 bool wildcard_covered =
false;
1610 if(!closest_encloser) {
1619 hashed_wildcard_name =
1626 hashed_wildcard_name)) {
1627 wildcard_covered =
true;
1635 if (! wildcard_covered) {
1675 if(!closest_encloser) {
1682 hashed_wildcard_name =
1746 if(!closest_encloser) {
1756 hashed_next_closer = hashed_name;
1779 hashed_next_closer) &&
1807 rr, nsecs, rrsigs, packet_rcode,
1808 packet_qtype, packet_nodata, NULL
1817 uint8_t asn[37] = { 0x30, 0x63, 0x30, 0x1c, 0x06, 0x06, 0x2a, 0x85,
1818 0x03, 0x02, 0x02, 0x13, 0x30, 0x12, 0x06, 0x07, 0x2a, 0x85,
1819 0x03, 0x02, 0x02, 0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03,
1820 0x02, 0x02, 0x1e, 0x01, 0x03, 0x43, 0x00, 0x04, 0x40};
1821 unsigned char encoded[37+64];
1822 const unsigned char* pp;
1829 memmove(encoded, asn, 37);
1830 memmove(encoded+37, key, 64);
1831 pp = (
unsigned char*)&encoded[0];
1833 return d2i_PUBKEY(NULL, &pp, (
int)
sizeof(encoded));
1837 ldns_verify_rrsig_gost_raw(
const unsigned char* sig,
size_t siglen,
1838 const ldns_buffer* rrset,
const unsigned char* key,
size_t keylen)
1852 evp_key, EVP_get_digestbyname(
"md_gost94"));
1853 EVP_PKEY_free(evp_key);
1864 uint8_t pre[] = {0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
1865 0x70, 0x03, 0x21, 0x00};
1870 const unsigned char* pp = (
unsigned char*)buf;
1871 if(keylen != 32 || keylen + pre_len >
sizeof(buf))
1873 memmove(buf, pre, pre_len);
1874 memmove(buf+pre_len, key, keylen);
1875 evp_key = d2i_PUBKEY(NULL, &pp, (
int)(pre_len+keylen));
1880 ldns_verify_rrsig_ed25519_raw(
unsigned char* sig,
size_t siglen,
1881 ldns_buffer* rrset,
unsigned char* key,
size_t keylen)
1892 EVP_PKEY_free(evp_key);
1902 uint8_t pre[] = {0x30, 0x43, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
1903 0x71, 0x03, 0x3a, 0x00};
1908 const unsigned char* pp = (
unsigned char*)buf;
1909 if(keylen != 57 || keylen + pre_len >
sizeof(buf))
1911 memmove(buf, pre, pre_len);
1912 memmove(buf+pre_len, key, keylen);
1913 evp_key = d2i_PUBKEY(NULL, &pp, (
int)(pre_len+keylen));
1918 ldns_verify_rrsig_ed448_raw(
unsigned char* sig,
size_t siglen,
1919 ldns_buffer* rrset,
unsigned char* key,
size_t keylen)
1930 EVP_PKEY_free(evp_key);
1939 unsigned char buf[256+2];
1940 const unsigned char* pp = buf;
1945 if(keylen != 2*256/8)
return NULL;
1946 ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
1948 if(keylen != 2*384/8)
return NULL;
1949 ec = EC_KEY_new_by_curve_name(NID_secp384r1);
1951 if(!ec)
return NULL;
1952 if(keylen+1 >
sizeof(buf))
1956 buf[0] = POINT_CONVERSION_UNCOMPRESSED;
1957 memmove(buf+1, key, keylen);
1958 if(!o2i_ECPublicKey(&ec, &pp, (
int)keylen+1)) {
1962 evp_key = EVP_PKEY_new();
1967 if (!EVP_PKEY_assign_EC_KEY(evp_key, ec)) {
1968 EVP_PKEY_free(evp_key);
1976 ldns_verify_rrsig_ecdsa_raw(
unsigned char* sig,
size_t siglen,
1977 ldns_buffer* rrset,
unsigned char* key,
size_t keylen, uint8_t algo)
1990 else d = EVP_sha384();
1992 EVP_PKEY_free(evp_key);
2002 (
unsigned char*)ldns_buffer_begin(rawsig_buf),
2003 ldns_buffer_position(rawsig_buf),
2005 (
unsigned char*)ldns_buffer_begin(key_buf),
2006 ldns_buffer_position(key_buf), algo);
2011 ldns_buffer *verify_buf,
unsigned char* key,
size_t keylen,
2052 return ldns_verify_rrsig_gost_raw(sig, siglen, verify_buf,
2059 return ldns_verify_rrsig_ecdsa_raw(sig, siglen, verify_buf,
2065 return ldns_verify_rrsig_ed25519_raw(sig, siglen, verify_buf,
2071 return ldns_verify_rrsig_ed448_raw(sig, siglen, verify_buf,
2101 uint8_t label_count;
2124 wildcard_chopped = wildcard_chopped_tmp;
2150 if (rrsig == NULL) {
2239 ldns_rrsig_check_timestamps(
const ldns_rr* rrsig, time_t now)
2241 int32_t inception, expiration;
2249 if (expiration - inception < 0) {
2253 if (((int32_t) now) - inception < 0) {
2257 if (expiration - ((int32_t) now) < 0) {
2287 result = ldns_rrsig2rawsig_buffer(rawsig_buf, rrsig);
2293 ldns_rrset_use_signature_ttl(rrset_clone, rrsig);
2325 if (rrsig == NULL) {
2362 verify_buf, key_buf, sig_algo);
2406 result = ldns_rrsig_check_timestamps(rrsig, check_time);
2433 rrset, rrsig, keys, ldns_time(NULL), good_keys);
2465 result = ldns_prepare_for_verify(rawsig_buf, verify_buf,
2466 rrset_clone, rrsig);
2477 status = ldns_verify_test_sig_key(rawsig_buf, verify_buf,
2541 result = ldns_prepare_for_verify(rawsig_buf, verify_buf,
2542 rrset_clone, rrsig);
2549 result = ldns_verify_test_sig_key(rawsig_buf, verify_buf,
2558 result = ldns_rrsig_check_timestamps(rrsig, check_time);
2574 const EVP_MD *digest_type)
2577 (
unsigned char*)ldns_buffer_begin(sig),
2578 ldns_buffer_position(sig),
2586 const ldns_buffer *rrset, EVP_PKEY *key,
const EVP_MD *digest_type)
2591 #ifdef HAVE_EVP_MD_CTX_NEW 2592 ctx = EVP_MD_CTX_new();
2594 ctx = (EVP_MD_CTX*)malloc(
sizeof(*ctx));
2595 if(ctx) EVP_MD_CTX_init(ctx);
2600 #if defined(USE_ED25519) || defined(USE_ED448) 2602 res = EVP_DigestVerifyInit(ctx, NULL, digest_type, NULL, key);
2604 res = EVP_DigestVerify(ctx, sig, siglen,
2605 ldns_buffer_begin(rrset),
2606 ldns_buffer_position(rrset));
2613 EVP_VerifyInit(ctx, digest_type);
2614 EVP_VerifyUpdate(ctx,
2615 ldns_buffer_begin(rrset),
2616 ldns_buffer_position(rrset));
2617 res = EVP_VerifyFinal(ctx, sig, (
unsigned int) siglen, key);
2620 EVP_MD_CTX_destroy(ctx);
2625 }
else if (res == 0) {
2637 (
unsigned char*) ldns_buffer_begin(sig),
2638 ldns_buffer_position(sig),
2640 (
unsigned char*) ldns_buffer_begin(key),
2641 ldns_buffer_position(key));
2648 (
unsigned char*)ldns_buffer_begin(sig),
2649 ldns_buffer_position(sig),
2651 (
unsigned char*) ldns_buffer_begin(key),
2652 ldns_buffer_position(key));
2659 (
unsigned char*)ldns_buffer_begin(sig),
2660 ldns_buffer_position(sig),
2662 (
unsigned char*) ldns_buffer_begin(key),
2663 ldns_buffer_position(key));
2668 ldns_buffer* rrset,
unsigned char* key,
size_t keylen)
2674 evp_key = EVP_PKEY_new();
2680 # ifdef HAVE_EVP_DSS1
2689 EVP_PKEY_free(evp_key);
2692 (void)sig; (void)siglen; (void)rrset; (void)key; (void)keylen;
2699 ldns_buffer* rrset,
unsigned char* key,
size_t keylen)
2704 evp_key = EVP_PKEY_new();
2714 EVP_PKEY_free(evp_key);
2730 evp_key = EVP_PKEY_new();
2740 EVP_PKEY_free(evp_key);
2765 evp_key = EVP_PKEY_new();
2775 EVP_PKEY_free(evp_key);
2800 evp_key = EVP_PKEY_new();
2810 EVP_PKEY_free(evp_key);
ldns_rdf * ldns_rr_rdf(const ldns_rr *rr, size_t nr)
returns the rdata field member counter.
implementation of buffers to ease operations
ldns_rdf * ldns_rr_rrsig_labels(const ldns_rr *r)
returns the number of labels of a LDNS_RR_TYPE_RRSIG RR
bool ldns_nsec_covers_name(const ldns_rr *nsec, const ldns_rdf *name)
Checks coverage of NSEC(3) RR name span Remember that nsec and name must both be in canonical form (i...
ldns_rr_list * signatures
void ldns_dnssec_derive_trust_tree_normal_rrset_time(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_sig_rr, time_t check_time)
Sub function for derive_trust_tree that is used for a 'normal' rrset.
ldns_rr * ldns_rr_clone(const ldns_rr *rr)
clones a rr and all its data
void ldns_rdf_deep_free(ldns_rdf *rd)
frees a rdf structure and frees the data.
ldns_dnssec_trust_tree * ldns_dnssec_trust_tree_new(void)
Creates a new (empty) dnssec_trust_tree structure.
uint8_t ldns_dname_label_count(const ldns_rdf *r)
count the number of labels inside a LDNS_RDF_DNAME type rdf.
bool ldns_rr_compare_ds(const ldns_rr *orr1, const ldns_rr *orr2)
returns true of the given rr's are equal.
void ldns_rr2canonical(ldns_rr *rr)
converts each dname in a rr to its canonical form.
the canonical name for an alias
RSA * ldns_key_buf2rsa_raw(const unsigned char *key, size_t len)
Like ldns_key_buf2rsa, but uses raw buffer.
ldns_rr_type ldns_rdf2rr_type(const ldns_rdf *rd)
convert an rdf of type LDNS_RDF_TYPE_TYPE to an actual LDNS_RR_TYPE.
ldns_status ldns_verify_trusted_time(ldns_resolver *res, ldns_rr_list *rrset, ldns_rr_list *rrsigs, time_t check_time, ldns_rr_list *validating_keys)
Verifies a list of signatures for one RRset using a valid trust path.
ldns_rr_list * ldns_pkt_rr_list_by_name_and_type(const ldns_pkt *packet, const ldns_rdf *ownername, ldns_rr_type type, ldns_pkt_section sec)
return all the rr with a specific type and type from a packet.
int ldns_dname_compare(const ldns_rdf *dname1, const ldns_rdf *dname2)
Compares the two dname rdf's according to the algorithm for ordering in RFC4034 Section 6.
ldns_status ldns_verify_rrsig_evp(ldns_buffer *sig, ldns_buffer *rrset, EVP_PKEY *key, const EVP_MD *digest_type)
verifies a buffer with signature data for a buffer with rrset data with an EVP_PKEY
bool ldns_dnssec_pkt_has_rrsigs(const ldns_pkt *pkt)
Checks whether the packet contains rrsigs.
DNS stub resolver structure.
ldns_rdf * ldns_rr_rrsig_inception(const ldns_rr *r)
returns the inception time of a LDNS_RR_TYPE_RRSIG RR
enum ldns_enum_rr_class ldns_rr_class
bool ldns_rr_list_push_rr(ldns_rr_list *rr_list, const ldns_rr *rr)
pushes an rr to an rrlist.
ldns_pkt * ldns_resolver_query(const ldns_resolver *r, const ldns_rdf *name, ldns_rr_type t, ldns_rr_class c, uint16_t flags)
Send a query to a nameserver.
List or Set of Resource Records.
ldns_status ldns_str2rdf_dname(ldns_rdf **d, const char *str)
convert a dname string into wireformat
ldns_pkt_rcode ldns_pkt_get_rcode(const ldns_pkt *packet)
Return the packet's respons code.
uint8_t ldns_rdf2native_int8(const ldns_rdf *rd)
returns the native uint8_t representation from the rdf.
ldns_status parent_status[10]
ldns_status ldns_verify_rrsig_buffers(ldns_buffer *rawsig_buf, ldns_buffer *verify_buf, ldns_buffer *key_buf, uint8_t algo)
Verifies the already processed data in the buffers This function should probably not be used directly...
ldns_status ldns_verify_time(const ldns_rr_list *rrset, const ldns_rr_list *rrsig, const ldns_rr_list *keys, time_t check_time, ldns_rr_list *good_keys)
Verifies a list of signatures for one rrset.
void ldns_dnssec_derive_trust_tree_ds_rrset(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr)
Sub function for derive_trust_tree that is used for DS rrsets.
void ldns_dnssec_trust_tree_print(FILE *out, ldns_dnssec_trust_tree *tree, size_t tabs, bool extended)
ldns_status ldns_dnssec_verify_denial(ldns_rr *rr, ldns_rr_list *nsecs, ldns_rr_list *rrsigs)
denial is not just a river in egypt
ldns_status ldns_rr_list2buffer_wire(ldns_buffer *buffer, const ldns_rr_list *rr_list)
Copies the rr_list data to the buffer in wire format.
#define LDNS_CALLOC(type, count)
#define LDNS_XMALLOC(type, count)
void ldns_dnssec_derive_trust_tree_normal_rrset(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_sig_rr)
Sub function for derive_trust_tree that is used for a 'normal' rrset.
size_t ldns_rdf_size(const ldns_rdf *rd)
returns the size of the rdf.
ldns_status ldns_convert_dsa_rrsig_rdf2asn1(ldns_buffer *target_buffer, const ldns_rdf *sig_rdf)
Converts the RRSIG signature RDF (in rfc2536 format) to a buffer with the signature in rfc2459 format...
void ldns_dnssec_data_chain_deep_free(ldns_dnssec_data_chain *chain)
Frees a dnssec_data_chain structure, and all data contained therein.
ldns_lookup_table ldns_rcodes[]
Response codes.
ldns_rr_list * ldns_fetch_valid_domain_keys_time(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, time_t check_time, ldns_status *status)
Tries to build an authentication chain from the given keys down to the queried domain.
void ldns_rr_list_deep_free(ldns_rr_list *rr_list)
frees an rr_list structure and all rrs contained therein.
void ldns_buffer_free(ldns_buffer *buffer)
frees the buffer.
ldns_rr_list * ldns_validate_domain_ds(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys)
Validates the DS RRset for the given domain using the provided trusted keys.
ldns_status ldns_verify_rrsig_rsasha1_raw(unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
Like ldns_verify_rrsig_rsasha1, but uses raw signature and key data.
void ldns_dnssec_derive_trust_tree_ds_rrset_time(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr, time_t check_time)
Sub function for derive_trust_tree that is used for DS rrsets.
ldns_rdf * ldns_dnssec_nsec3_closest_encloser(const ldns_rdf *qname, ldns_rr_type qtype __attribute__((unused)), const ldns_rr_list *nsec3s)
ldns_rdf * ldns_rdf_clone(const ldns_rdf *rd)
clones a rdf structure.
ldns_dnssec_trust_tree * ldns_dnssec_derive_trust_tree_time(ldns_dnssec_data_chain *data_chain, ldns_rr *rr, time_t check_time)
Generates a dnssec_trust_tree for the given rr from the given data_chain.
void ldns_dname2canonical(const ldns_rdf *rd)
Put a dname into canonical fmt - ie.
ldns_rr * parent_signature[10]
for debugging, add signatures too (you might want those if they contain errors)
signed char packet_nodata
ldns_status ldns_verify_rrsig_rsasha256_raw(unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
Like ldns_verify_rrsig_rsasha256, but uses raw signature and key data.
ldns_rdf * ldns_rr_rrsig_keytag(const ldns_rr *r)
returns the keytag of a LDNS_RR_TYPE_RRSIG RR
size_t ldns_rr_rd_count(const ldns_rr *rr)
returns the rd_count of an rr structure.
#define LDNS_MAX_PACKETLEN
ldns_status ldns_verify_notime(ldns_rr_list *rrset, ldns_rr_list *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys)
Verifies a list of signatures for one rrset, but disregard the time.
ldns_status ldns_verify_rrsig_keylist_notime(const ldns_rr_list *rrset, const ldns_rr *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys)
Verifies an rrsig.
ldns_rdf * ldns_dname_left_chop(const ldns_rdf *d)
chop one label off the left side of a dname.
ldns_rr_list * ldns_resolver_dnssec_anchors(const ldns_resolver *r)
Get the resolver's DNSSEC anchors.
EVP_PKEY * ldns_ed4482pkey_raw(const unsigned char *key, size_t keylen)
Converts a holding buffer with key material to EVP PKEY in openssl.
DSA * ldns_key_buf2dsa_raw(const unsigned char *key, size_t len)
Like ldns_key_buf2dsa, but uses raw buffer.
void ldns_rr_list_free(ldns_rr_list *rr_list)
frees an rr_list structure.
ldns_rr_list * ldns_pkt_rr_list_by_type(const ldns_pkt *packet, ldns_rr_type type, ldns_pkt_section sec)
return all the rr with a specific type from a packet.
const ldns_rr_descriptor * ldns_rr_descript(uint16_t type)
returns the resource record descriptor for the given rr type.
void ldns_dnssec_derive_trust_tree_no_sig(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain)
Sub function for derive_trust_tree that is used when there are no signatures.
const ldns_output_format * ldns_output_format_default
The default output format record.
ldns_rr_list * ldns_validate_domain_dnskey_time(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, time_t check_time)
Validates the DNSKEY RRset for the given domain using the provided trusted keys.
ldns_status ldns_rdf2buffer_wire(ldns_buffer *buffer, const ldns_rdf *rdf)
Copies the rdata data to the buffer in wire format.
ldns_rr_list * ldns_fetch_valid_domain_keys(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, ldns_status *status)
Tries to build an authentication chain from the given keys down to the queried domain.
ldns_rdf * ldns_nsec_get_bitmap(const ldns_rr *nsec)
Returns the rdata field that contains the bitmap of the covered types of the given NSEC record.
ldns_status ldns_verify_rrsig_buffers_raw(unsigned char *sig, size_t siglen, ldns_buffer *verify_buf, unsigned char *key, size_t keylen, uint8_t algo)
Like ldns_verify_rrsig_buffers, but uses raw data.
Including this file will include all ldns files, and define some lookup tables.
ldns_rdf * ldns_dname_new_frm_str(const char *str)
creates a new dname rdf from a string.
ldns_status ldns_verify_rrsig_time(ldns_rr_list *rrset, ldns_rr *rrsig, ldns_rr *key, time_t check_time)
verify an rrsig with 1 key
ldns_rr_list * ldns_dnssec_pkt_get_rrsigs_for_type(const ldns_pkt *pkt, ldns_rr_type type)
Returns a ldns_rr_list containing the signatures covering the given type.
bool ldns_rr_list_cat(ldns_rr_list *left, const ldns_rr_list *right)
concatenates two ldns_rr_lists together.
ldns_rdf * ldns_dname_clone_from(const ldns_rdf *d, uint16_t n)
Clones the given dname from the nth label on.
ldns_rr * ldns_rr_list_rr(const ldns_rr_list *rr_list, size_t nr)
returns a specific rr of an rrlist.
void ldns_rr_print_fmt(FILE *output, const ldns_output_format *fmt, const ldns_rr *rr)
Prints the data in the resource record to the given file stream (in presentation format)
ldns_rr_list * ldns_validate_domain_dnskey(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys)
Validates the DNSKEY RRset for the given domain using the provided trusted keys.
ldns_status ldns_dnssec_trust_tree_contains_keys(ldns_dnssec_trust_tree *tree, ldns_rr_list *trusted_keys)
Returns OK if there is a trusted path in the tree to one of the DNSKEY or DS RRs in the given list.
ldns_dnssec_data_chain * parent
ldns_status ldns_verify_rrsig_keylist_time(const ldns_rr_list *rrset, const ldns_rr *rrsig, const ldns_rr_list *keys, time_t check_time, ldns_rr_list *good_keys)
Verifies an rrsig.
EVP_PKEY * ldns_ecdsa2pkey_raw(const unsigned char *key, size_t keylen, uint8_t algo)
Converts a holding buffer with key material to EVP PKEY in openssl.
void ldns_dnssec_data_chain_print_fmt(FILE *out, const ldns_output_format *fmt, const ldns_dnssec_data_chain *chain)
Prints the dnssec_data_chain to the given file stream.
uint16_t ldns_pkt_ancount(const ldns_pkt *packet)
Return the packet's an count.
ldns_dnssec_trust_tree * ldns_dnssec_derive_trust_tree(ldns_dnssec_data_chain *data_chain, ldns_rr *rr)
Generates a dnssec_trust_tree for the given rr from the given data_chain.
uint16_t ldns_rdf2native_int16(const ldns_rdf *rd)
returns the native uint16_t representation from the rdf.
time_t ldns_rdf2native_time_t(const ldns_rdf *rd)
returns the native time_t representation from the rdf.
size_t ldns_dnssec_trust_tree_depth(ldns_dnssec_trust_tree *tree)
returns the depth of the trust tree
void ldns_dnssec_data_chain_free(ldns_dnssec_data_chain *chain)
Frees a dnssec_data_chain structure.
ldns_rr_list * ldns_rr_list_new(void)
creates a new rr_list structure.
void ldns_dnssec_trust_tree_free(ldns_dnssec_trust_tree *tree)
Frees the dnssec_trust_tree recursively.
ldns_lookup_table * ldns_lookup_by_id(ldns_lookup_table *table, int id)
ldns_pkt_rcode packet_rcode
ldns_status ldns_verify_rrsig_rsasha512_raw(unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
Like ldns_verify_rrsig_rsasha512, but uses raw signature and key data.
int ldns_key_EVP_load_gost_id(void)
Get the PKEY id for GOST, loads GOST into openssl as a side effect.
ldns_rr_list * ldns_validate_domain_ds_time(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, time_t check_time)
Validates the DS RRset for the given domain using the provided trusted keys.
bool ldns_nsec3_optout(const ldns_rr *nsec3_rr)
Returns true if the opt-out flag has been set in the given NSEC3 RR.
EVP_PKEY * ldns_gost2pkey_raw(const unsigned char *key, size_t keylen)
Converts a holding buffer with key material to EVP PKEY in openssl.
uint16_t ldns_calc_keytag(const ldns_rr *key)
calculates a keytag of a key for use in DNSSEC.
enum ldns_enum_pkt_rcode ldns_pkt_rcode
Contains all information about resource record types.
void ldns_dnssec_data_chain_print(FILE *out, const ldns_dnssec_data_chain *chain)
Prints the dnssec_data_chain to the given file stream.
ldns_status ldns_dnssec_verify_denial_nsec3_match(ldns_rr *rr, ldns_rr_list *nsecs, ldns_rr_list *rrsigs __attribute__((unused)), ldns_pkt_rcode packet_rcode, ldns_rr_type packet_qtype, bool packet_nodata, ldns_rr **match)
ldns_status ldns_verify_rrsig_keylist(ldns_rr_list *rrset, ldns_rr *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys)
Verifies an rrsig.
ldns_rr_list * ldns_rr_list_clone(const ldns_rr_list *rrlist)
clones an rrlist.
bool ldns_nsec_bitmap_covers_type(const ldns_rdf *bitmap, ldns_rr_type type)
Check if RR type t is enumerated and set in the RR type bitmap rdf.
ldns_rdf * ldns_nsec3_bitmap(const ldns_rr *nsec3_rr)
Returns the bitmap specifying the covered types of the given NSEC3 RR.
ldns_dnssec_trust_tree * parents[10]
void ldns_rr_set_owner(ldns_rr *rr, ldns_rdf *owner)
sets the owner in the rr structure.
void ldns_rdf_print(FILE *output, const ldns_rdf *rdf)
Prints the data in the rdata field to the given file stream (in presentation format)
uint32_t ldns_rdf2native_int32(const ldns_rdf *rd)
returns the native uint32_t representation from the rdf.
ldns_rr_type ldns_rr_get_type(const ldns_rr *rr)
returns the type of the rr.
ldns_rr * ldns_dnssec_get_rrsig_for_name_and_type(const ldns_rdf *name, const ldns_rr_type type, const ldns_rr_list *rrs)
Returns the first RRSIG rr that corresponds to the rrset with the given name and type.
ldns_rdf * ldns_rr_rrsig_typecovered(const ldns_rr *r)
returns the type covered of a LDNS_RR_TYPE_RRSIG rr
ldns_dnssec_data_chain * ldns_dnssec_build_data_chain(ldns_resolver *res, uint16_t qflags, const ldns_rr_list *rrset, const ldns_pkt *pkt, ldns_rr *orig_rr)
Build an ldns_dnssec_data_chain, which contains all DNSSEC data that is needed to derive the trust tr...
ldns_rr_type packet_qtype
ldns_rr_list * ldns_rr_list_pop_rrset(ldns_rr_list *rr_list)
pops the first rrset from the list, the list must be sorted, so that all rr's from each rrset are nex...
void ldns_rr_set_ttl(ldns_rr *rr, uint32_t ttl)
sets the ttl in the rr structure.
enum ldns_enum_status ldns_status
ldns_dnssec_data_chain * ldns_dnssec_data_chain_new(void)
Creates a new dnssec_chain structure.
ldns_buffer * ldns_buffer_new(size_t capacity)
creates a new buffer with the specified capacity.
A general purpose lookup table.
ldns_status ldns_verify_rrsig_dsa_raw(unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
Like ldns_verify_rrsig_dsa, but uses raw signature and key data.
EVP_PKEY * ldns_ed255192pkey_raw(const unsigned char *key, size_t keylen)
Converts a holding buffer with key material to EVP PKEY in openssl.
#define LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS
dnssec_verify
ldns_rdf * ldns_rr_rrsig_signame(const ldns_rr *r)
returns the signers name of a LDNS_RR_TYPE_RRSIG RR
void ldns_dnssec_trust_tree_print_fmt(FILE *out, const ldns_output_format *fmt, ldns_dnssec_trust_tree *tree, size_t tabs, bool extended)
bool ldns_dname_is_subdomain(const ldns_rdf *sub, const ldns_rdf *parent)
test whether the name sub falls under parent (i.e.
ldns_status ldns_dnssec_trust_tree_add_parent(ldns_dnssec_trust_tree *tree, const ldns_dnssec_trust_tree *parent, const ldns_rr *signature, const ldns_status parent_status)
Adds a trust tree as a parent for the given trust tree.
ldns_status ldns_verify_rrsig_rsasha1(ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key)
verifies a buffer with signature data (RSASHA1) for a buffer with rrset data with a buffer with key d...
Resource record data field.
ldns_status ldns_verify_trusted(ldns_resolver *res, ldns_rr_list *rrset, ldns_rr_list *rrsigs, ldns_rr_list *validating_keys)
Verifies a list of signatures for one RRset using a valid trust path.
ldns_rdf * ldns_rr_owner(const ldns_rr *rr)
returns the owner name of an rr structure.
void ldns_dnssec_derive_trust_tree_dnskey_rrset_time(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr, ldns_rr *cur_sig_rr, time_t check_time)
Sub function for derive_trust_tree that is used for DNSKEY rrsets.
ldns_status ldns_verify_rrsig_rsamd5(ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key)
verifies a buffer with signature data (RSAMD5) for a buffer with rrset data with a buffer with key da...
size_t ldns_rr_list_rr_count(const ldns_rr_list *rr_list)
returns the number of rr's in an rr_list.
enum ldns_enum_rr_type ldns_rr_type
const char * _name
Textual name of the RR type.
ldns_status ldns_convert_ecdsa_rrsig_rdf2asn1(ldns_buffer *target_buffer, const ldns_rdf *sig_rdf)
Converts the RRSIG signature RDF (from DNS) to a buffer with the signature in ASN1 format as openssl ...
an authoritative name server
ldns_status ldns_rrsig2buffer_wire(ldns_buffer *buffer, const ldns_rr *rr)
Converts a rrsig to wireformat BUT EXCLUDE the rrsig rdata This is needed in DNSSEC verification.
const char * ldns_get_errorstr_by_id(ldns_status err)
look up a descriptive text by each error.
ldns_rr_class ldns_rr_get_class(const ldns_rr *rr)
returns the class of the rr.
used to get all non-question rrs from a packet
ldns_status ldns_verify_rrsig(ldns_rr_list *rrset, ldns_rr *rrsig, ldns_rr *key)
verify an rrsig with 1 key
ldns_status ldns_dnssec_verify_denial_nsec3(ldns_rr *rr, ldns_rr_list *nsecs, ldns_rr_list *rrsigs, ldns_pkt_rcode packet_rcode, ldns_rr_type packet_qtype, bool packet_nodata)
ldns_status ldns_dname_cat(ldns_rdf *rd1, const ldns_rdf *rd2)
concatenates rd2 after rd1 (rd2 is copied, rd1 is modified)
ldns_status ldns_verify_rrsig_evp_raw(const unsigned char *sig, size_t siglen, const ldns_buffer *rrset, EVP_PKEY *key, const EVP_MD *digest_type)
Like ldns_verify_rrsig_evp, but uses raw signature data.
void ldns_pkt_free(ldns_pkt *packet)
frees the packet structure and all data that it contains.
void ldns_rr_list_sort(ldns_rr_list *unsorted)
sorts an rr_list (canonical wire format).
void ldns_dnssec_derive_trust_tree_no_sig_time(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, time_t check_time)
Sub function for derive_trust_tree that is used when there are no signatures.
ldns_status ldns_verify_rrsig_rsamd5_raw(unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
Like ldns_verify_rrsig_rsamd5, but uses raw signature and key data.
void ldns_dnssec_derive_trust_tree_dnskey_rrset(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr, ldns_rr *cur_sig_rr)
Sub function for derive_trust_tree that is used for DNSKEY rrsets.
ldns_status ldns_verify_rrsig_dsa(ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key)
verifies a buffer with signature data (DSA) for a buffer with rrset data with a buffer with key data.
ldns_rdf * ldns_nsec3_hash_name_frm_nsec3(const ldns_rr *nsec, const ldns_rdf *name)
Calculates the hashed name using the parameters of the given NSEC3 RR.
ldns_rr_list * ldns_dnssec_pkt_get_rrsigs_for_name_and_type(const ldns_pkt *pkt, const ldns_rdf *name, ldns_rr_type type)
Returns a ldns_rr_list containing the signatures covering the given name and type.
ldns_status ldns_verify(ldns_rr_list *rrset, ldns_rr_list *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys)
Verifies a list of signatures for one rrset.
ldns_rdf * ldns_rr_rrsig_expiration(const ldns_rr *r)
returns the expiration time of a LDNS_RR_TYPE_RRSIG RR
void ldns_rr_list_print_fmt(FILE *output, const ldns_output_format *fmt, const ldns_rr_list *lst)
print a rr_list to output