1 #include <ldns/config.h>
9 /* this entire file is rather useless when you don't have
12 #include <openssl/ssl.h>
13 #include <openssl/evp.h>
14 #include <openssl/rand.h>
15 #include <openssl/err.h>
16 #include <openssl/md5.h>
18 ldns_dnssec_data_chain *
19 ldns_dnssec_data_chain_new(void)
21 ldns_dnssec_data_chain *nc = LDNS_CALLOC(ldns_dnssec_data_chain, 1);
24 * not needed anymore because CALLOC initalizes everything to zero.
29 nc->signatures = NULL;
32 nc->packet_nodata = false;
39 ldns_dnssec_data_chain_free(ldns_dnssec_data_chain *chain)
45 ldns_dnssec_data_chain_deep_free(ldns_dnssec_data_chain *chain)
47 ldns_rr_list_deep_free(chain->rrset);
48 ldns_rr_list_deep_free(chain->signatures);
50 ldns_dnssec_data_chain_deep_free(chain->parent);
56 ldns_dnssec_data_chain_print_fmt(FILE *out, const ldns_output_format *fmt,
57 const ldns_dnssec_data_chain *chain)
59 ldns_lookup_table *rcode;
60 const ldns_rr_descriptor *rr_descriptor;
62 ldns_dnssec_data_chain_print_fmt(out, fmt, chain->parent);
63 if (ldns_rr_list_rr_count(chain->rrset) > 0) {
64 rcode = ldns_lookup_by_id(ldns_rcodes,
65 (int) chain->packet_rcode);
67 fprintf(out, ";; rcode: %s\n", rcode->name);
70 rr_descriptor = ldns_rr_descript(chain->packet_qtype);
71 if (rr_descriptor && rr_descriptor->_name) {
72 fprintf(out, ";; qtype: %s\n", rr_descriptor->_name);
73 } else if (chain->packet_qtype != 0) {
74 fprintf(out, "TYPE%u",
77 if (chain->packet_nodata) {
78 fprintf(out, ";; NODATA response\n");
80 fprintf(out, "rrset:\n");
81 ldns_rr_list_print_fmt(out, fmt, chain->rrset);
82 fprintf(out, "sigs:\n");
83 ldns_rr_list_print_fmt(out, fmt, chain->signatures);
84 fprintf(out, "---\n");
86 fprintf(out, "<no data>\n");
91 ldns_dnssec_data_chain_print(FILE *out, const ldns_dnssec_data_chain *chain)
93 ldns_dnssec_data_chain_print_fmt(
94 out, ldns_output_format_default, chain);
99 ldns_dnssec_build_data_chain_dnskey(ldns_resolver *res,
102 ldns_rr_list *signatures,
103 ldns_dnssec_data_chain *new_chain,
108 if (signatures && ldns_rr_list_rr_count(signatures) > 0) {
109 new_chain->signatures = ldns_rr_list_clone(signatures);
110 new_chain->parent_type = 0;
112 keys = ldns_pkt_rr_list_by_name_and_type(
116 LDNS_SECTION_ANY_NOQUESTION
119 my_pkt = ldns_resolver_query(res,
125 keys = ldns_pkt_rr_list_by_name_and_type(
129 LDNS_SECTION_ANY_NOQUESTION
131 new_chain->parent = ldns_dnssec_build_data_chain(res,
136 new_chain->parent->packet_qtype = LDNS_RR_TYPE_DNSKEY;
137 ldns_pkt_free(my_pkt);
140 new_chain->parent = ldns_dnssec_build_data_chain(res,
145 new_chain->parent->packet_qtype = LDNS_RR_TYPE_DNSKEY;
147 ldns_rr_list_deep_free(keys);
152 ldns_dnssec_build_data_chain_other(ldns_resolver *res,
154 ldns_dnssec_data_chain *new_chain,
159 /* 'self-signed', parent is a DS */
161 /* okay, either we have other keys signing the current one,
163 * one should have a DS record in the parent zone.
164 * How do we find this out? Try both?
166 * request DNSKEYS for current zone,
167 * add all signatures to current level
170 ldns_rr_list *signatures2;
172 new_chain->parent_type = 1;
174 my_pkt = ldns_resolver_query(res,
180 dss = ldns_pkt_rr_list_by_name_and_type(my_pkt,
183 LDNS_SECTION_ANY_NOQUESTION
186 new_chain->parent = ldns_dnssec_build_data_chain(res,
191 new_chain->parent->packet_qtype = LDNS_RR_TYPE_DS;
192 ldns_rr_list_deep_free(dss);
194 ldns_pkt_free(my_pkt);
197 my_pkt = ldns_resolver_query(res,
203 signatures2 = ldns_pkt_rr_list_by_name_and_type(my_pkt,
206 LDNS_SECTION_ANSWER);
208 if (new_chain->signatures) {
209 printf("There were already sigs!\n");
210 ldns_rr_list_deep_free(new_chain->signatures);
211 printf("replacing the old sigs\n");
213 new_chain->signatures = signatures2;
215 ldns_pkt_free(my_pkt);
219 static ldns_dnssec_data_chain *
220 ldns_dnssec_build_data_chain_nokeyname(ldns_resolver *res,
223 const ldns_rr_list *rrset,
224 ldns_dnssec_data_chain *new_chain)
226 ldns_rdf *possible_parent_name;
228 /* apparently we were not able to find a signing key, so
229 we assume the chain ends here
231 /* try parents for auth denial of DS */
233 possible_parent_name = ldns_rr_owner(orig_rr);
234 } else if (rrset && ldns_rr_list_rr_count(rrset) > 0) {
235 possible_parent_name = ldns_rr_owner(ldns_rr_list_rr(rrset, 0));
237 /* no information to go on, give up */
241 my_pkt = ldns_resolver_query(res,
242 possible_parent_name,
250 if (ldns_pkt_ancount(my_pkt) > 0) {
251 /* add error, no sigs but DS in parent */
252 /*ldns_pkt_print(stdout, my_pkt);*/
253 ldns_pkt_free(my_pkt);
255 /* are there signatures? */
256 new_chain->parent = ldns_dnssec_build_data_chain(res,
262 new_chain->parent->packet_qtype = LDNS_RR_TYPE_DS;
269 ldns_dnssec_data_chain *
270 ldns_dnssec_build_data_chain(ldns_resolver *res,
272 const ldns_rr_list *rrset,
276 ldns_rr_list *signatures = NULL;
277 ldns_rr_list *dss = NULL;
279 ldns_rr_list *my_rrset;
283 ldns_rdf *name = NULL, *key_name = NULL;
284 ldns_rr_type type = 0;
287 bool other_rrset = false;
289 ldns_dnssec_data_chain *new_chain = ldns_dnssec_data_chain_new();
293 if (!ldns_dnssec_pkt_has_rrsigs(pkt)) {
294 /* hmm. no dnssec data in the packet. go up to try and deny
300 new_chain->rrset = ldns_rr_list_new();
301 ldns_rr_list_push_rr(new_chain->rrset, orig_rr);
302 new_chain->parent = ldns_dnssec_build_data_chain(res,
307 new_chain->packet_rcode = ldns_pkt_get_rcode(pkt);
308 new_chain->packet_qtype = ldns_rr_get_type(orig_rr);
309 if (ldns_pkt_ancount(pkt) == 0) {
310 new_chain->packet_nodata = true;
315 if (!rrset || ldns_rr_list_rr_count(rrset) < 1) {
316 /* hmm, no data, do we have denial? only works if pkt was given,
317 otherwise caller has to do the check himself */
318 new_chain->packet_nodata = true;
320 my_rrset = ldns_pkt_rr_list_by_type(pkt,
322 LDNS_SECTION_ANY_NOQUESTION
325 if (ldns_rr_list_rr_count(my_rrset) > 0) {
326 type = LDNS_RR_TYPE_NSEC;
329 ldns_rr_list_deep_free(my_rrset);
333 /* nothing, try nsec3 */
334 my_rrset = ldns_pkt_rr_list_by_type(pkt,
336 LDNS_SECTION_ANY_NOQUESTION);
338 if (ldns_rr_list_rr_count(my_rrset) > 0) {
339 type = LDNS_RR_TYPE_NSEC3;
342 ldns_rr_list_deep_free(my_rrset);
347 /* try parent zone? for denied insecure? */
355 my_rrset = (ldns_rr_list *) rrset;
358 if (my_rrset && ldns_rr_list_rr_count(my_rrset) > 0) {
359 new_chain->rrset = ldns_rr_list_clone(my_rrset);
360 name = ldns_rr_owner(ldns_rr_list_rr(my_rrset, 0));
361 type = ldns_rr_get_type(ldns_rr_list_rr(my_rrset, 0));
362 c = ldns_rr_get_class(ldns_rr_list_rr(my_rrset, 0));
366 ldns_rr_list_deep_free(my_rrset);
369 /* normally there will only be 1 signature 'set'
370 but there can be more than 1 denial (wildcards)
373 if (type == LDNS_RR_TYPE_NSEC || type == LDNS_RR_TYPE_NSEC3) {
374 /* just throw in all signatures, the tree builder must sort
377 signatures = ldns_dnssec_pkt_get_rrsigs_for_type(pkt, type);
379 my_pkt = ldns_resolver_query(res, name, type, c, qflags);
381 signatures = ldns_dnssec_pkt_get_rrsigs_for_type(pkt, type);
382 ldns_pkt_free(my_pkt);
388 ldns_dnssec_pkt_get_rrsigs_for_name_and_type(pkt,
393 my_pkt = ldns_resolver_query(res, name, type, c, qflags);
396 ldns_dnssec_pkt_get_rrsigs_for_name_and_type(my_pkt,
399 ldns_pkt_free(my_pkt);
404 if (signatures && ldns_rr_list_rr_count(signatures) > 0) {
405 key_name = ldns_rr_rdf(ldns_rr_list_rr(signatures, 0), 7);
409 ldns_rr_list_deep_free(signatures);
411 return ldns_dnssec_build_data_chain_nokeyname(res,
417 if (type != LDNS_RR_TYPE_DNSKEY) {
418 ldns_dnssec_build_data_chain_dnskey(res,
427 ldns_dnssec_build_data_chain_other(res,
436 ldns_rr_list_deep_free(signatures);
441 ldns_dnssec_trust_tree *
442 ldns_dnssec_trust_tree_new(void)
444 ldns_dnssec_trust_tree *new_tree = LDNS_XMALLOC(ldns_dnssec_trust_tree,
446 if(!new_tree) return NULL;
448 new_tree->rrset = NULL;
449 new_tree->parent_count = 0;
455 ldns_dnssec_trust_tree_free(ldns_dnssec_trust_tree *tree)
459 for (i = 0; i < tree->parent_count; i++) {
460 ldns_dnssec_trust_tree_free(tree->parents[i]);
467 ldns_dnssec_trust_tree_depth(ldns_dnssec_trust_tree *tree)
473 for (i = 0; i < tree->parent_count; i++) {
474 parent = ldns_dnssec_trust_tree_depth(tree->parents[i]);
475 if (parent > result) {
484 print_tabs(FILE *out, size_t nr, uint8_t *map, size_t treedepth)
487 for (i = 0; i < nr; i++) {
489 fprintf(out, "|---");
490 } else if (map && i < treedepth && map[i] == 1) {
499 ldns_dnssec_trust_tree_print_sm_fmt(FILE *out,
500 const ldns_output_format *fmt,
501 ldns_dnssec_trust_tree *tree,
508 const ldns_rr_descriptor *descriptor;
512 treedepth = ldns_dnssec_trust_tree_depth(tree);
513 sibmap = LDNS_XMALLOC(uint8_t, treedepth);
515 return; /* mem err */
516 memset(sibmap, 0, treedepth);
522 print_tabs(out, tabs, sibmap, treedepth);
523 ldns_rdf_print(out, ldns_rr_owner(tree->rr));
524 descriptor = ldns_rr_descript(ldns_rr_get_type(tree->rr));
526 if (descriptor->_name) {
527 fprintf(out, " (%s", descriptor->_name);
529 fprintf(out, " (TYPE%d",
530 ldns_rr_get_type(tree->rr));
533 if (ldns_rr_get_type(tree->rr) == LDNS_RR_TYPE_DNSKEY) {
534 fprintf(out, " keytag: %u",
535 (unsigned int) ldns_calc_keytag(tree->rr));
536 fprintf(out, " alg: ");
537 ldns_rdf_print(out, ldns_rr_rdf(tree->rr, 2));
538 fprintf(out, " flags: ");
539 ldns_rdf_print(out, ldns_rr_rdf(tree->rr, 0));
540 } else if (ldns_rr_get_type(tree->rr) == LDNS_RR_TYPE_DS) {
541 fprintf(out, " keytag: ");
542 ldns_rdf_print(out, ldns_rr_rdf(tree->rr, 0));
543 fprintf(out, " digest type: ");
544 ldns_rdf_print(out, ldns_rr_rdf(tree->rr, 2));
546 if (ldns_rr_get_type(tree->rr) == LDNS_RR_TYPE_NSEC) {
548 ldns_rdf_print(out, ldns_rr_rdf(tree->rr, 0));
550 ldns_rdf_print(out, ldns_rr_rdf(tree->rr, 1));
555 for (i = 0; i < tree->parent_count; i++) {
556 if (tree->parent_count > 1 && i < tree->parent_count - 1) {
561 /* only print errors */
562 if (ldns_rr_get_type(tree->parents[i]->rr) ==
564 ldns_rr_get_type(tree->parents[i]->rr) ==
565 LDNS_RR_TYPE_NSEC3) {
566 if (tree->parent_status[i] == LDNS_STATUS_OK) {
567 print_tabs(out, tabs + 1, sibmap, treedepth);
569 ldns_rr_get_type(tree->rr) == LDNS_RR_TYPE_NS &&
570 ldns_rr_rd_count(tree->rr) > 0) {
571 fprintf(out, "Existence of DS is denied by:\n");
573 fprintf(out, "Existence is denied by:\n");
576 /* NS records aren't signed */
577 if (ldns_rr_get_type(tree->rr) == LDNS_RR_TYPE_NS) {
578 fprintf(out, "Existence of DS is denied by:\n");
580 print_tabs(out, tabs + 1, sibmap, treedepth);
582 "Error in denial of existence: %s\n",
583 ldns_get_errorstr_by_id(
584 tree->parent_status[i]));
588 if (tree->parent_status[i] != LDNS_STATUS_OK) {
589 print_tabs(out, tabs + 1, sibmap, treedepth);
592 ldns_get_errorstr_by_id(
593 tree->parent_status[i]));
594 if (tree->parent_status[i]
595 == LDNS_STATUS_SSL_ERR) {
596 printf("; SSL Error: ");
597 ERR_load_crypto_strings();
598 ERR_print_errors_fp(stdout);
601 ldns_rr_print_fmt(out, fmt,
603 parent_signature[i]);
604 printf("For RRset:\n");
605 ldns_rr_list_print_fmt(out, fmt,
607 printf("With key:\n");
608 ldns_rr_print_fmt(out, fmt,
609 tree->parents[i]->rr);
611 ldns_dnssec_trust_tree_print_sm_fmt(out, fmt,
619 print_tabs(out, tabs, sibmap, treedepth);
620 fprintf(out, "<no data>\n");
623 fprintf(out, "<null pointer>\n");
632 ldns_dnssec_trust_tree_print_fmt(FILE *out, const ldns_output_format *fmt,
633 ldns_dnssec_trust_tree *tree,
637 ldns_dnssec_trust_tree_print_sm_fmt(out, fmt,
638 tree, tabs, extended, NULL, 0);
642 ldns_dnssec_trust_tree_print(FILE *out,
643 ldns_dnssec_trust_tree *tree,
647 ldns_dnssec_trust_tree_print_fmt(out, ldns_output_format_default,
648 tree, tabs, extended);
653 ldns_dnssec_trust_tree_add_parent(ldns_dnssec_trust_tree *tree,
654 const ldns_dnssec_trust_tree *parent,
655 const ldns_rr *signature,
656 const ldns_status parent_status)
660 && tree->parent_count < LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS) {
662 printf("Add parent for: ");
663 ldns_rr_print(stdout, tree->rr);
665 ldns_rr_print(stdout, parent->rr);
667 tree->parents[tree->parent_count] =
668 (ldns_dnssec_trust_tree *) parent;
669 tree->parent_status[tree->parent_count] = parent_status;
670 tree->parent_signature[tree->parent_count] = (ldns_rr *) signature;
671 tree->parent_count++;
672 return LDNS_STATUS_OK;
674 return LDNS_STATUS_ERR;
678 /* if rr is null, take the first from the rrset */
679 ldns_dnssec_trust_tree *
680 ldns_dnssec_derive_trust_tree_time(
681 ldns_dnssec_data_chain *data_chain,
686 ldns_rr_list *cur_rrset;
687 ldns_rr_list *cur_sigs;
688 ldns_rr *cur_rr = NULL;
692 ldns_dnssec_trust_tree *new_tree = ldns_dnssec_trust_tree_new();
696 if (data_chain && data_chain->rrset) {
697 cur_rrset = data_chain->rrset;
699 cur_sigs = data_chain->signatures;
705 if (!cur_rr && ldns_rr_list_rr_count(cur_rrset) > 0) {
706 cur_rr = ldns_rr_list_rr(cur_rrset, 0);
710 new_tree->rr = cur_rr;
711 new_tree->rrset = cur_rrset;
712 /* there are three possibilities:
713 1 - 'normal' rrset, signed by a key
714 2 - dnskey signed by other dnskey
715 3 - dnskey proven by higher level DS
716 (data denied by nsec is a special case that can
717 occur in multiple places)
721 for (i = 0; i < ldns_rr_list_rr_count(cur_sigs); i++) {
722 /* find the appropriate key in the parent list */
723 cur_sig_rr = ldns_rr_list_rr(cur_sigs, i);
725 if (ldns_rr_get_type(cur_rr) == LDNS_RR_TYPE_NSEC) {
726 if (ldns_dname_compare(ldns_rr_owner(cur_sig_rr),
727 ldns_rr_owner(cur_rr)))
729 /* find first that does match */
732 j < ldns_rr_list_rr_count(cur_rrset) &&
733 ldns_dname_compare(ldns_rr_owner(cur_sig_rr),ldns_rr_owner(cur_rr)) != 0;
735 cur_rr = ldns_rr_list_rr(cur_rrset, j);
738 if (ldns_dname_compare(ldns_rr_owner(cur_sig_rr),
739 ldns_rr_owner(cur_rr)))
747 if (data_chain->parent) {
748 ldns_dnssec_derive_trust_tree_normal_rrset_time(
756 ldns_dnssec_derive_trust_tree_dnskey_rrset_time(
764 ldns_dnssec_derive_trust_tree_ds_rrset_time(
765 new_tree, data_chain,
768 /* no signatures? maybe it's nsec data */
770 /* just add every rr from parent as new parent */
771 ldns_dnssec_derive_trust_tree_no_sig_time(
772 new_tree, data_chain, check_time);
780 ldns_dnssec_trust_tree *
781 ldns_dnssec_derive_trust_tree(ldns_dnssec_data_chain *data_chain, ldns_rr *rr)
783 return ldns_dnssec_derive_trust_tree_time(data_chain, rr, ldns_time(NULL));
787 ldns_dnssec_derive_trust_tree_normal_rrset_time(
788 ldns_dnssec_trust_tree *new_tree,
789 ldns_dnssec_data_chain *data_chain,
794 ldns_rr_list *cur_rrset = ldns_rr_list_clone(data_chain->rrset);
795 ldns_dnssec_trust_tree *cur_parent_tree;
796 ldns_rr *cur_parent_rr;
798 ldns_rr_list *tmp_rrset = NULL;
799 ldns_status cur_status;
801 cur_keytag = ldns_rdf2native_int16(ldns_rr_rrsig_keytag(cur_sig_rr));
803 for (j = 0; j < ldns_rr_list_rr_count(data_chain->parent->rrset); j++) {
804 cur_parent_rr = ldns_rr_list_rr(data_chain->parent->rrset, j);
805 if (ldns_rr_get_type(cur_parent_rr) == LDNS_RR_TYPE_DNSKEY) {
806 if (ldns_calc_keytag(cur_parent_rr) == cur_keytag) {
808 /* TODO: check wildcard nsec too */
809 if (cur_rrset && ldns_rr_list_rr_count(cur_rrset) > 0) {
810 tmp_rrset = cur_rrset;
811 if (ldns_rr_get_type(ldns_rr_list_rr(cur_rrset, 0))
812 == LDNS_RR_TYPE_NSEC ||
813 ldns_rr_get_type(ldns_rr_list_rr(cur_rrset, 0))
814 == LDNS_RR_TYPE_NSEC3) {
815 /* might contain different names!
817 ldns_rr_list_sort(cur_rrset);
818 assert(tmp_rrset == cur_rrset);
819 tmp_rrset = ldns_rr_list_pop_rrset(cur_rrset);
821 /* with nsecs, this might be the wrong one */
823 ldns_rr_list_rr_count(cur_rrset) > 0 &&
825 ldns_rr_owner(ldns_rr_list_rr(
827 ldns_rr_owner(cur_sig_rr)) != 0) {
828 ldns_rr_list_deep_free(tmp_rrset);
830 ldns_rr_list_pop_rrset(cur_rrset);
833 cur_status = ldns_verify_rrsig_time(
838 if (tmp_rrset && tmp_rrset != cur_rrset
840 ldns_rr_list_deep_free(
845 for (i = 0; i < new_tree->parent_count; i++) {
846 if (cur_parent_rr == new_tree->parents[i]->rr) {
852 ldns_dnssec_derive_trust_tree_time(
856 (void)ldns_dnssec_trust_tree_add_parent(new_tree,
865 ldns_rr_list_deep_free(cur_rrset);
869 ldns_dnssec_derive_trust_tree_normal_rrset(ldns_dnssec_trust_tree *new_tree,
870 ldns_dnssec_data_chain *data_chain,
873 ldns_dnssec_derive_trust_tree_normal_rrset_time(
874 new_tree, data_chain, cur_sig_rr, ldns_time(NULL));
878 ldns_dnssec_derive_trust_tree_dnskey_rrset_time(
879 ldns_dnssec_trust_tree *new_tree,
880 ldns_dnssec_data_chain *data_chain,
886 ldns_rr_list *cur_rrset = data_chain->rrset;
887 ldns_dnssec_trust_tree *cur_parent_tree;
888 ldns_rr *cur_parent_rr;
890 ldns_status cur_status;
892 cur_keytag = ldns_rdf2native_int16(ldns_rr_rrsig_keytag(cur_sig_rr));
894 for (j = 0; j < ldns_rr_list_rr_count(cur_rrset); j++) {
895 cur_parent_rr = ldns_rr_list_rr(cur_rrset, j);
896 if (cur_parent_rr != cur_rr &&
897 ldns_rr_get_type(cur_parent_rr) == LDNS_RR_TYPE_DNSKEY) {
898 if (ldns_calc_keytag(cur_parent_rr) == cur_keytag
900 cur_parent_tree = ldns_dnssec_trust_tree_new();
901 cur_parent_tree->rr = cur_parent_rr;
902 cur_parent_tree->rrset = cur_rrset;
903 cur_status = ldns_verify_rrsig_time(
904 cur_rrset, cur_sig_rr,
905 cur_parent_rr, check_time);
906 (void) ldns_dnssec_trust_tree_add_parent(new_tree,
907 cur_parent_tree, cur_sig_rr, cur_status);
914 ldns_dnssec_derive_trust_tree_dnskey_rrset(ldns_dnssec_trust_tree *new_tree,
915 ldns_dnssec_data_chain *data_chain,
919 ldns_dnssec_derive_trust_tree_dnskey_rrset_time(
920 new_tree, data_chain, cur_rr, cur_sig_rr, ldns_time(NULL));
924 ldns_dnssec_derive_trust_tree_ds_rrset_time(
925 ldns_dnssec_trust_tree *new_tree,
926 ldns_dnssec_data_chain *data_chain,
931 ldns_rr_list *cur_rrset = data_chain->rrset;
932 ldns_dnssec_trust_tree *cur_parent_tree;
933 ldns_rr *cur_parent_rr;
935 /* try the parent to see whether there are DSs there */
936 if (ldns_rr_get_type(cur_rr) == LDNS_RR_TYPE_DNSKEY &&
937 data_chain->parent &&
938 data_chain->parent->rrset
941 j < ldns_rr_list_rr_count(data_chain->parent->rrset);
943 cur_parent_rr = ldns_rr_list_rr(data_chain->parent->rrset, j);
944 if (ldns_rr_get_type(cur_parent_rr) == LDNS_RR_TYPE_DS) {
945 for (h = 0; h < ldns_rr_list_rr_count(cur_rrset); h++) {
946 cur_rr = ldns_rr_list_rr(cur_rrset, h);
947 if (ldns_rr_compare_ds(cur_rr, cur_parent_rr)) {
949 ldns_dnssec_derive_trust_tree_time(
953 (void) ldns_dnssec_trust_tree_add_parent(
959 /*ldns_rr_print(stdout, cur_parent_rr);*/
968 ldns_dnssec_derive_trust_tree_ds_rrset(ldns_dnssec_trust_tree *new_tree,
969 ldns_dnssec_data_chain *data_chain,
972 ldns_dnssec_derive_trust_tree_ds_rrset_time(
973 new_tree, data_chain, cur_rr, ldns_time(NULL));
977 ldns_dnssec_derive_trust_tree_no_sig_time(
978 ldns_dnssec_trust_tree *new_tree,
979 ldns_dnssec_data_chain *data_chain,
983 ldns_rr_list *cur_rrset;
984 ldns_rr *cur_parent_rr;
985 ldns_dnssec_trust_tree *cur_parent_tree;
988 if (data_chain->parent && data_chain->parent->rrset) {
989 cur_rrset = data_chain->parent->rrset;
991 if (cur_rrset && ldns_rr_list_rr_count(cur_rrset) > 0) {
992 if (ldns_rr_get_type(ldns_rr_list_rr(cur_rrset, 0)) ==
993 LDNS_RR_TYPE_NSEC3) {
994 result = ldns_dnssec_verify_denial_nsec3(
997 data_chain->parent->signatures,
998 data_chain->packet_rcode,
999 data_chain->packet_qtype,
1000 data_chain->packet_nodata);
1001 } else if (ldns_rr_get_type(ldns_rr_list_rr(cur_rrset, 0)) ==
1002 LDNS_RR_TYPE_NSEC) {
1003 result = ldns_dnssec_verify_denial(
1006 data_chain->parent->signatures);
1008 /* unsigned zone, unsigned parent */
1009 result = LDNS_STATUS_OK;
1012 result = LDNS_STATUS_DNSSEC_NSEC_RR_NOT_COVERED;
1014 for (i = 0; i < ldns_rr_list_rr_count(cur_rrset); i++) {
1015 cur_parent_rr = ldns_rr_list_rr(cur_rrset, i);
1017 ldns_dnssec_derive_trust_tree_time(
1021 (void) ldns_dnssec_trust_tree_add_parent(new_tree,
1022 cur_parent_tree, NULL, result);
1028 ldns_dnssec_derive_trust_tree_no_sig(ldns_dnssec_trust_tree *new_tree,
1029 ldns_dnssec_data_chain *data_chain)
1031 ldns_dnssec_derive_trust_tree_no_sig_time(
1032 new_tree, data_chain, ldns_time(NULL));
1036 * returns OK if there is a path from tree to key with only OK
1037 * the (first) error in between otherwise
1038 * or NOT_FOUND if the key wasn't present at all
1041 ldns_dnssec_trust_tree_contains_keys(ldns_dnssec_trust_tree *tree,
1042 ldns_rr_list *trusted_keys)
1045 ldns_status result = LDNS_STATUS_CRYPTO_NO_DNSKEY;
1047 ldns_status parent_result;
1049 if (tree && trusted_keys && ldns_rr_list_rr_count(trusted_keys) > 0)
1051 for (i = 0; i < ldns_rr_list_rr_count(trusted_keys); i++) {
1052 equal = ldns_rr_compare_ds(
1054 ldns_rr_list_rr(trusted_keys, i));
1056 result = LDNS_STATUS_OK;
1061 for (i = 0; i < tree->parent_count; i++) {
1063 ldns_dnssec_trust_tree_contains_keys(tree->parents[i],
1065 if (parent_result != LDNS_STATUS_CRYPTO_NO_DNSKEY) {
1066 if (tree->parent_status[i] != LDNS_STATUS_OK) {
1067 result = tree->parent_status[i];
1070 ldns_rr_get_type(tree->rr)
1071 == LDNS_RR_TYPE_NSEC &&
1072 parent_result == LDNS_STATUS_OK
1075 LDNS_STATUS_DNSSEC_EXISTENCE_DENIED;
1077 result = parent_result;
1083 result = LDNS_STATUS_ERR;
1091 ldns_rr_list *rrset,
1092 ldns_rr_list *rrsig,
1093 const ldns_rr_list *keys,
1095 ldns_rr_list *good_keys
1099 ldns_status verify_result = LDNS_STATUS_ERR;
1101 if (!rrset || !rrsig || !keys) {
1102 return LDNS_STATUS_ERR;
1105 if (ldns_rr_list_rr_count(rrset) < 1) {
1106 return LDNS_STATUS_ERR;
1109 if (ldns_rr_list_rr_count(rrsig) < 1) {
1110 return LDNS_STATUS_CRYPTO_NO_RRSIG;
1113 if (ldns_rr_list_rr_count(keys) < 1) {
1114 verify_result = LDNS_STATUS_CRYPTO_NO_TRUSTED_DNSKEY;
1116 for (i = 0; i < ldns_rr_list_rr_count(rrsig); i++) {
1117 ldns_status s = ldns_verify_rrsig_keylist_time(
1118 rrset, ldns_rr_list_rr(rrsig, i),
1119 keys, check_time, good_keys);
1120 /* try a little to get more descriptive error */
1121 if(s == LDNS_STATUS_OK) {
1122 verify_result = LDNS_STATUS_OK;
1123 } else if(verify_result == LDNS_STATUS_ERR)
1125 else if(s != LDNS_STATUS_ERR && verify_result ==
1126 LDNS_STATUS_CRYPTO_NO_MATCHING_KEYTAG_DNSKEY)
1130 return verify_result;
1134 ldns_verify(ldns_rr_list *rrset, ldns_rr_list *rrsig, const ldns_rr_list *keys,
1135 ldns_rr_list *good_keys)
1137 return ldns_verify_time(rrset, rrsig, keys, ldns_time(NULL), good_keys);
1141 ldns_verify_notime(ldns_rr_list *rrset, ldns_rr_list *rrsig,
1142 const ldns_rr_list *keys, ldns_rr_list *good_keys)
1145 ldns_status verify_result = LDNS_STATUS_ERR;
1147 if (!rrset || !rrsig || !keys) {
1148 return LDNS_STATUS_ERR;
1151 if (ldns_rr_list_rr_count(rrset) < 1) {
1152 return LDNS_STATUS_ERR;
1155 if (ldns_rr_list_rr_count(rrsig) < 1) {
1156 return LDNS_STATUS_CRYPTO_NO_RRSIG;
1159 if (ldns_rr_list_rr_count(keys) < 1) {
1160 verify_result = LDNS_STATUS_CRYPTO_NO_TRUSTED_DNSKEY;
1162 for (i = 0; i < ldns_rr_list_rr_count(rrsig); i++) {
1163 ldns_status s = ldns_verify_rrsig_keylist_notime(rrset,
1164 ldns_rr_list_rr(rrsig, i), keys, good_keys);
1166 /* try a little to get more descriptive error */
1167 if (s == LDNS_STATUS_OK) {
1168 verify_result = LDNS_STATUS_OK;
1169 } else if (verify_result == LDNS_STATUS_ERR) {
1171 } else if (s != LDNS_STATUS_ERR && verify_result ==
1172 LDNS_STATUS_CRYPTO_NO_MATCHING_KEYTAG_DNSKEY) {
1177 return verify_result;
1181 ldns_fetch_valid_domain_keys_time(const ldns_resolver *res,
1182 const ldns_rdf *domain,
1183 const ldns_rr_list *keys,
1185 ldns_status *status)
1187 ldns_rr_list * trusted_keys = NULL;
1188 ldns_rr_list * ds_keys = NULL;
1189 ldns_rdf * prev_parent_domain;
1190 ldns_rdf * parent_domain;
1191 ldns_rr_list * parent_keys = NULL;
1193 if (res && domain && keys) {
1195 if ((trusted_keys = ldns_validate_domain_dnskey_time(res,
1196 domain, keys, check_time))) {
1197 *status = LDNS_STATUS_OK;
1199 /* No trusted keys in this domain, we'll have to find some in the parent domain */
1200 *status = LDNS_STATUS_CRYPTO_NO_TRUSTED_DNSKEY;
1202 parent_domain = ldns_dname_left_chop(domain);
1203 while (parent_domain && /* Fail if we are at the root*/
1204 ldns_rdf_size(parent_domain) > 0) {
1207 ldns_fetch_valid_domain_keys_time(res,
1212 /* Check DS records */
1214 ldns_validate_domain_ds_time(res,
1219 ldns_fetch_valid_domain_keys_time(
1225 ldns_rr_list_deep_free(ds_keys);
1227 /* No valid DS at the parent -- fail */
1228 *status = LDNS_STATUS_CRYPTO_NO_TRUSTED_DS ;
1230 ldns_rr_list_deep_free(parent_keys);
1233 parent_domain = ldns_dname_left_chop((
1237 ldns_rdf_deep_free(prev_parent_domain);
1240 if (parent_domain) {
1241 ldns_rdf_deep_free(parent_domain);
1245 return trusted_keys;
1249 ldns_fetch_valid_domain_keys(const ldns_resolver *res,
1250 const ldns_rdf *domain,
1251 const ldns_rr_list *keys,
1252 ldns_status *status)
1254 return ldns_fetch_valid_domain_keys_time(
1255 res, domain, keys, ldns_time(NULL), status);
1259 ldns_validate_domain_dnskey_time(
1260 const ldns_resolver * res,
1261 const ldns_rdf * domain,
1262 const ldns_rr_list * keys,
1268 uint16_t key_i; uint16_t key_j; uint16_t key_k;
1269 uint16_t sig_i; ldns_rr * cur_sig;
1271 ldns_rr_list * domain_keys = NULL;
1272 ldns_rr_list * domain_sigs = NULL;
1273 ldns_rr_list * trusted_keys = NULL;
1275 /* Fetch keys for the domain */
1276 keypkt = ldns_resolver_query(res, domain,
1277 LDNS_RR_TYPE_DNSKEY, LDNS_RR_CLASS_IN, LDNS_RD);
1279 domain_keys = ldns_pkt_rr_list_by_type(keypkt,
1280 LDNS_RR_TYPE_DNSKEY,
1281 LDNS_SECTION_ANSWER);
1282 domain_sigs = ldns_pkt_rr_list_by_type(keypkt,
1284 LDNS_SECTION_ANSWER);
1286 /* Try to validate the record using our keys */
1287 for (key_i=0; key_i< ldns_rr_list_rr_count(domain_keys); key_i++) {
1289 cur_key = ldns_rr_list_rr(domain_keys, key_i);
1290 for (key_j=0; key_j<ldns_rr_list_rr_count(keys); key_j++) {
1291 if (ldns_rr_compare_ds(ldns_rr_list_rr(keys, key_j),
1294 /* Current key is trusted -- validate */
1295 trusted_keys = ldns_rr_list_new();
1298 sig_i<ldns_rr_list_rr_count(domain_sigs);
1300 cur_sig = ldns_rr_list_rr(domain_sigs, sig_i);
1301 /* Avoid non-matching sigs */
1302 if (ldns_rdf2native_int16(
1303 ldns_rr_rrsig_keytag(cur_sig))
1304 == ldns_calc_keytag(cur_key)) {
1305 if (ldns_verify_rrsig_time(
1310 == LDNS_STATUS_OK) {
1312 /* Push the whole rrset
1313 -- we can't do much more */
1315 key_k<ldns_rr_list_rr_count(
1318 ldns_rr_list_push_rr(
1326 ldns_rr_list_deep_free(domain_keys);
1327 ldns_rr_list_deep_free(domain_sigs);
1328 ldns_pkt_free(keypkt);
1329 return trusted_keys;
1334 /* Only push our trusted key */
1335 ldns_rr_list_push_rr(trusted_keys,
1336 ldns_rr_clone(cur_key));
1341 ldns_rr_list_deep_free(domain_keys);
1342 ldns_rr_list_deep_free(domain_sigs);
1343 ldns_pkt_free(keypkt);
1346 /* LDNS_STATUS_CRYPTO_NO_DNSKEY */
1349 return trusted_keys;
1353 ldns_validate_domain_dnskey(const ldns_resolver * res,
1354 const ldns_rdf * domain,
1355 const ldns_rr_list * keys)
1357 return ldns_validate_domain_dnskey_time(
1358 res, domain, keys, ldns_time(NULL));
1362 ldns_validate_domain_ds_time(
1363 const ldns_resolver *res,
1364 const ldns_rdf * domain,
1365 const ldns_rr_list * keys,
1370 ldns_rr_list * rrset = NULL;
1371 ldns_rr_list * sigs = NULL;
1372 ldns_rr_list * trusted_keys = NULL;
1374 /* Fetch DS for the domain */
1375 dspkt = ldns_resolver_query(res, domain,
1376 LDNS_RR_TYPE_DS, LDNS_RR_CLASS_IN, LDNS_RD);
1378 rrset = ldns_pkt_rr_list_by_type(dspkt,
1380 LDNS_SECTION_ANSWER);
1381 sigs = ldns_pkt_rr_list_by_type(dspkt,
1383 LDNS_SECTION_ANSWER);
1386 if (ldns_verify_time(rrset, sigs, keys, check_time, NULL)
1387 == LDNS_STATUS_OK) {
1388 trusted_keys = ldns_rr_list_new();
1389 for (key_i=0; key_i<ldns_rr_list_rr_count(rrset); key_i++) {
1390 ldns_rr_list_push_rr(trusted_keys,
1391 ldns_rr_clone(ldns_rr_list_rr(rrset,
1398 ldns_rr_list_deep_free(rrset);
1399 ldns_rr_list_deep_free(sigs);
1400 ldns_pkt_free(dspkt);
1403 /* LDNS_STATUS_CRYPTO_NO_DS */
1406 return trusted_keys;
1410 ldns_validate_domain_ds(const ldns_resolver *res,
1411 const ldns_rdf * domain,
1412 const ldns_rr_list * keys)
1414 return ldns_validate_domain_ds_time(res, domain, keys, ldns_time(NULL));
1418 ldns_verify_trusted_time(
1420 ldns_rr_list *rrset,
1421 ldns_rr_list * rrsigs,
1423 ldns_rr_list * validating_keys
1426 uint16_t sig_i; uint16_t key_i;
1427 ldns_rr * cur_sig; ldns_rr * cur_key;
1428 ldns_rr_list * trusted_keys = NULL;
1429 ldns_status result = LDNS_STATUS_ERR;
1431 if (!res || !rrset || !rrsigs) {
1432 return LDNS_STATUS_ERR;
1435 if (ldns_rr_list_rr_count(rrset) < 1) {
1436 return LDNS_STATUS_ERR;
1439 if (ldns_rr_list_rr_count(rrsigs) < 1) {
1440 return LDNS_STATUS_CRYPTO_NO_RRSIG;
1443 /* Look at each sig */
1444 for (sig_i=0; sig_i < ldns_rr_list_rr_count(rrsigs); sig_i++) {
1446 cur_sig = ldns_rr_list_rr(rrsigs, sig_i);
1447 /* Get a valid signer key and validate the sig */
1448 if ((trusted_keys = ldns_fetch_valid_domain_keys_time(
1450 ldns_rr_rrsig_signame(cur_sig),
1451 ldns_resolver_dnssec_anchors(res),
1456 key_i < ldns_rr_list_rr_count(trusted_keys);
1458 cur_key = ldns_rr_list_rr(trusted_keys, key_i);
1460 if ((result = ldns_verify_rrsig_time(rrset,
1464 == LDNS_STATUS_OK) {
1465 if (validating_keys) {
1466 ldns_rr_list_push_rr(validating_keys,
1467 ldns_rr_clone(cur_key));
1469 ldns_rr_list_deep_free(trusted_keys);
1470 return LDNS_STATUS_OK;
1476 ldns_rr_list_deep_free(trusted_keys);
1481 ldns_verify_trusted(
1483 ldns_rr_list *rrset,
1484 ldns_rr_list * rrsigs,
1485 ldns_rr_list * validating_keys)
1487 return ldns_verify_trusted_time(
1488 res, rrset, rrsigs, ldns_time(NULL), validating_keys);
1493 ldns_dnssec_verify_denial(ldns_rr *rr,
1494 ldns_rr_list *nsecs,
1495 ldns_rr_list *rrsigs)
1498 ldns_rdf *wildcard_name;
1499 ldns_rdf *chopped_dname;
1503 /* needed for wildcard check on exact match */
1505 bool name_covered = false;
1506 bool type_covered = false;
1507 bool wildcard_covered = false;
1508 bool wildcard_type_covered = false;
1510 wildcard_name = ldns_dname_new_frm_str("*");
1511 rr_name = ldns_rr_owner(rr);
1512 chopped_dname = ldns_dname_left_chop(rr_name);
1513 result = ldns_dname_cat(wildcard_name, chopped_dname);
1514 ldns_rdf_deep_free(chopped_dname);
1515 if (result != LDNS_STATUS_OK) {
1519 for (i = 0; i < ldns_rr_list_rr_count(nsecs); i++) {
1520 cur_nsec = ldns_rr_list_rr(nsecs, i);
1521 if (ldns_dname_compare(rr_name, ldns_rr_owner(cur_nsec)) == 0) {
1522 /* see section 5.4 of RFC4035, if the label count of the NSEC's
1523 RRSIG is equal, then it is proven that wildcard expansion
1524 could not have been used to match the request */
1525 rrsig = ldns_dnssec_get_rrsig_for_name_and_type(
1526 ldns_rr_owner(cur_nsec),
1527 ldns_rr_get_type(cur_nsec),
1529 if (rrsig && ldns_rdf2native_int8(ldns_rr_rrsig_labels(rrsig))
1530 == ldns_dname_label_count(rr_name)) {
1531 wildcard_covered = true;
1534 if (ldns_nsec_bitmap_covers_type(ldns_nsec_get_bitmap(cur_nsec),
1535 ldns_rr_get_type(rr))) {
1536 type_covered = true;
1539 if (ldns_nsec_covers_name(cur_nsec, rr_name)) {
1540 name_covered = true;
1543 if (ldns_dname_compare(wildcard_name,
1544 ldns_rr_owner(cur_nsec)) == 0) {
1545 if (ldns_nsec_bitmap_covers_type(ldns_nsec_get_bitmap(cur_nsec),
1546 ldns_rr_get_type(rr))) {
1547 wildcard_type_covered = true;
1551 if (ldns_nsec_covers_name(cur_nsec, wildcard_name)) {
1552 wildcard_covered = true;
1557 ldns_rdf_deep_free(wildcard_name);
1559 if (type_covered || !name_covered) {
1560 return LDNS_STATUS_DNSSEC_NSEC_RR_NOT_COVERED;
1563 if (wildcard_type_covered || !wildcard_covered) {
1564 return LDNS_STATUS_DNSSEC_NSEC_WILDCARD_NOT_COVERED;
1567 return LDNS_STATUS_OK;
1571 ldns_dnssec_verify_denial_nsec3_match( ldns_rr *rr
1572 , ldns_rr_list *nsecs
1573 , ATTR_UNUSED(ldns_rr_list *rrsigs)
1574 , ldns_pkt_rcode packet_rcode
1575 , ldns_rr_type packet_qtype
1576 , bool packet_nodata
1580 ldns_rdf *closest_encloser;
1582 ldns_rdf *hashed_wildcard_name;
1583 bool wildcard_covered = false;
1584 ldns_rdf *zone_name;
1585 ldns_rdf *hashed_name;
1586 /* self assignment to suppress uninitialized warning */
1587 ldns_rdf *next_closer = next_closer;
1588 ldns_rdf *hashed_next_closer;
1590 ldns_status result = LDNS_STATUS_DNSSEC_NSEC_RR_NOT_COVERED;
1596 zone_name = ldns_dname_left_chop(ldns_rr_owner(ldns_rr_list_rr(nsecs,0)));
1599 if (packet_rcode == LDNS_RCODE_NXDOMAIN) {
1600 closest_encloser = ldns_dnssec_nsec3_closest_encloser(
1602 ldns_rr_get_type(rr),
1604 if(!closest_encloser) {
1605 result = LDNS_STATUS_DNSSEC_NSEC_RR_NOT_COVERED;
1609 wildcard = ldns_dname_new_frm_str("*");
1610 (void) ldns_dname_cat(wildcard, closest_encloser);
1612 for (i = 0; i < ldns_rr_list_rr_count(nsecs); i++) {
1613 hashed_wildcard_name =
1614 ldns_nsec3_hash_name_frm_nsec3(ldns_rr_list_rr(nsecs, 0),
1617 (void) ldns_dname_cat(hashed_wildcard_name, zone_name);
1619 if (ldns_nsec_covers_name(ldns_rr_list_rr(nsecs, i),
1620 hashed_wildcard_name)) {
1621 wildcard_covered = true;
1623 *match = ldns_rr_list_rr(nsecs, i);
1626 ldns_rdf_deep_free(hashed_wildcard_name);
1629 if (! wildcard_covered) {
1630 result = LDNS_STATUS_DNSSEC_NSEC_WILDCARD_NOT_COVERED;
1632 result = LDNS_STATUS_OK;
1634 ldns_rdf_deep_free(closest_encloser);
1635 ldns_rdf_deep_free(wildcard);
1637 } else if (packet_nodata && packet_qtype != LDNS_RR_TYPE_DS) {
1639 hashed_name = ldns_nsec3_hash_name_frm_nsec3(
1640 ldns_rr_list_rr(nsecs, 0),
1642 (void) ldns_dname_cat(hashed_name, zone_name);
1643 for (i = 0; i < ldns_rr_list_rr_count(nsecs); i++) {
1644 if (ldns_dname_compare(hashed_name,
1645 ldns_rr_owner(ldns_rr_list_rr(nsecs, i)))
1647 if (!ldns_nsec_bitmap_covers_type(
1648 ldns_nsec3_bitmap(ldns_rr_list_rr(nsecs, i)),
1651 !ldns_nsec_bitmap_covers_type(
1652 ldns_nsec3_bitmap(ldns_rr_list_rr(nsecs, i)),
1653 LDNS_RR_TYPE_CNAME)) {
1654 result = LDNS_STATUS_OK;
1656 *match = ldns_rr_list_rr(nsecs, i);
1662 result = LDNS_STATUS_DNSSEC_NSEC_RR_NOT_COVERED;
1663 /* wildcard no data? section 8.7 */
1664 closest_encloser = ldns_dnssec_nsec3_closest_encloser(
1666 ldns_rr_get_type(rr),
1668 if(!closest_encloser) {
1669 result = LDNS_STATUS_NSEC3_ERR;
1672 wildcard = ldns_dname_new_frm_str("*");
1673 (void) ldns_dname_cat(wildcard, closest_encloser);
1674 for (i = 0; i < ldns_rr_list_rr_count(nsecs); i++) {
1675 hashed_wildcard_name =
1676 ldns_nsec3_hash_name_frm_nsec3(ldns_rr_list_rr(nsecs, 0),
1678 (void) ldns_dname_cat(hashed_wildcard_name, zone_name);
1680 if (ldns_dname_compare(hashed_wildcard_name,
1681 ldns_rr_owner(ldns_rr_list_rr(nsecs, i)))
1683 if (!ldns_nsec_bitmap_covers_type(
1684 ldns_nsec3_bitmap(ldns_rr_list_rr(nsecs, i)),
1687 !ldns_nsec_bitmap_covers_type(
1688 ldns_nsec3_bitmap(ldns_rr_list_rr(nsecs, i)),
1689 LDNS_RR_TYPE_CNAME)) {
1690 result = LDNS_STATUS_OK;
1692 *match = ldns_rr_list_rr(nsecs, i);
1696 ldns_rdf_deep_free(hashed_wildcard_name);
1697 if (result == LDNS_STATUS_OK) {
1701 ldns_rdf_deep_free(closest_encloser);
1702 ldns_rdf_deep_free(wildcard);
1703 } else if (packet_nodata && packet_qtype == LDNS_RR_TYPE_DS) {
1705 /* note: up to XXX this is the same as for 8.5 */
1706 hashed_name = ldns_nsec3_hash_name_frm_nsec3(ldns_rr_list_rr(nsecs,
1710 (void) ldns_dname_cat(hashed_name, zone_name);
1711 for (i = 0; i < ldns_rr_list_rr_count(nsecs); i++) {
1712 if (ldns_dname_compare(hashed_name,
1713 ldns_rr_owner(ldns_rr_list_rr(nsecs,
1716 if (!ldns_nsec_bitmap_covers_type(
1717 ldns_nsec3_bitmap(ldns_rr_list_rr(nsecs, i)),
1720 !ldns_nsec_bitmap_covers_type(
1721 ldns_nsec3_bitmap(ldns_rr_list_rr(nsecs, i)),
1722 LDNS_RR_TYPE_CNAME)) {
1723 result = LDNS_STATUS_OK;
1725 *match = ldns_rr_list_rr(nsecs, i);
1732 /* XXX see note above */
1733 result = LDNS_STATUS_DNSSEC_NSEC_RR_NOT_COVERED;
1735 closest_encloser = ldns_dnssec_nsec3_closest_encloser(
1737 ldns_rr_get_type(rr),
1739 if(!closest_encloser) {
1740 result = LDNS_STATUS_NSEC3_ERR;
1743 /* Now check if we have a Opt-Out NSEC3 that covers the "next closer"*/
1745 if (ldns_dname_label_count(closest_encloser) + 1
1746 >= ldns_dname_label_count(ldns_rr_owner(rr))) {
1748 /* Query name *is* the "next closer". */
1749 hashed_next_closer = hashed_name;
1752 /* "next closer" has less labels than the query name.
1753 * Create the name and hash it.
1755 next_closer = ldns_dname_clone_from(
1757 ldns_dname_label_count(ldns_rr_owner(rr))
1758 - (ldns_dname_label_count(closest_encloser) + 1)
1760 hashed_next_closer = ldns_nsec3_hash_name_frm_nsec3(
1761 ldns_rr_list_rr(nsecs, 0),
1764 (void) ldns_dname_cat(hashed_next_closer, zone_name);
1766 /* Find the NSEC3 that covers the "next closer" */
1767 for (i = 0; i < ldns_rr_list_rr_count(nsecs); i++) {
1768 if (ldns_nsec_covers_name(ldns_rr_list_rr(nsecs, i),
1769 hashed_next_closer) &&
1770 ldns_nsec3_optout(ldns_rr_list_rr(nsecs, i))) {
1772 result = LDNS_STATUS_OK;
1774 *match = ldns_rr_list_rr(nsecs, i);
1779 if (ldns_dname_label_count(closest_encloser) + 1
1780 < ldns_dname_label_count(ldns_rr_owner(rr))) {
1782 /* "next closer" has less labels than the query name.
1783 * Dispose of the temporary variables that held that name.
1785 ldns_rdf_deep_free(hashed_next_closer);
1786 ldns_rdf_deep_free(next_closer);
1788 ldns_rdf_deep_free(closest_encloser);
1792 ldns_rdf_deep_free(zone_name);
1797 ldns_dnssec_verify_denial_nsec3(ldns_rr *rr,
1798 ldns_rr_list *nsecs,
1799 ldns_rr_list *rrsigs,
1800 ldns_pkt_rcode packet_rcode,
1801 ldns_rr_type packet_qtype,
1804 return ldns_dnssec_verify_denial_nsec3_match(
1805 rr, nsecs, rrsigs, packet_rcode,
1806 packet_qtype, packet_nodata, NULL
1812 ldns_gost2pkey_raw(unsigned char* key, size_t keylen)
1814 /* prefix header for X509 encoding */
1815 uint8_t asn[37] = { 0x30, 0x63, 0x30, 0x1c, 0x06, 0x06, 0x2a, 0x85,
1816 0x03, 0x02, 0x02, 0x13, 0x30, 0x12, 0x06, 0x07, 0x2a, 0x85,
1817 0x03, 0x02, 0x02, 0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03,
1818 0x02, 0x02, 0x1e, 0x01, 0x03, 0x43, 0x00, 0x04, 0x40};
1819 unsigned char encoded[37+64];
1820 const unsigned char* pp;
1822 /* key wrong size */
1826 /* create evp_key */
1827 memmove(encoded, asn, 37);
1828 memmove(encoded+37, key, 64);
1829 pp = (unsigned char*)&encoded[0];
1831 return d2i_PUBKEY(NULL, &pp, (int)sizeof(encoded));
1835 ldns_verify_rrsig_gost_raw(unsigned char* sig, size_t siglen,
1836 ldns_buffer* rrset, unsigned char* key, size_t keylen)
1841 (void) ldns_key_EVP_load_gost_id();
1842 evp_key = ldns_gost2pkey_raw(key, keylen);
1844 /* could not convert key */
1845 return LDNS_STATUS_CRYPTO_BOGUS;
1848 /* verify signature */
1849 result = ldns_verify_rrsig_evp_raw(sig, siglen, rrset,
1850 evp_key, EVP_get_digestbyname("md_gost94"));
1851 EVP_PKEY_free(evp_key);
1859 ldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo)
1861 unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
1862 const unsigned char* pp = buf;
1865 /* check length, which uncompressed must be 2 bignums */
1866 if(algo == LDNS_ECDSAP256SHA256) {
1867 if(keylen != 2*256/8) return NULL;
1868 ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
1869 } else if(algo == LDNS_ECDSAP384SHA384) {
1870 if(keylen != 2*384/8) return NULL;
1871 ec = EC_KEY_new_by_curve_name(NID_secp384r1);
1873 if(!ec) return NULL;
1874 if(keylen+1 > sizeof(buf))
1875 return NULL; /* sanity check */
1876 /* prepend the 0x02 (from docs) (or actually 0x04 from implementation
1877 * of openssl) for uncompressed data */
1878 buf[0] = POINT_CONVERSION_UNCOMPRESSED;
1879 memmove(buf+1, key, keylen);
1880 if(!o2i_ECPublicKey(&ec, &pp, (int)keylen+1)) {
1884 evp_key = EVP_PKEY_new();
1889 if (!EVP_PKEY_assign_EC_KEY(evp_key, ec)) {
1890 EVP_PKEY_free(evp_key);
1898 ldns_verify_rrsig_ecdsa_raw(unsigned char* sig, size_t siglen,
1899 ldns_buffer* rrset, unsigned char* key, size_t keylen, uint8_t algo)
1905 evp_key = ldns_ecdsa2pkey_raw(key, keylen, algo);
1907 /* could not convert key */
1908 return LDNS_STATUS_CRYPTO_BOGUS;
1910 if(algo == LDNS_ECDSAP256SHA256)
1912 else d = EVP_sha384(); /* LDNS_ECDSAP384SHA384 */
1913 result = ldns_verify_rrsig_evp_raw(sig, siglen, rrset, evp_key, d);
1914 EVP_PKEY_free(evp_key);
1920 ldns_verify_rrsig_buffers(ldns_buffer *rawsig_buf, ldns_buffer *verify_buf,
1921 ldns_buffer *key_buf, uint8_t algo)
1923 return ldns_verify_rrsig_buffers_raw(
1924 (unsigned char*)ldns_buffer_begin(rawsig_buf),
1925 ldns_buffer_position(rawsig_buf),
1927 (unsigned char*)ldns_buffer_begin(key_buf),
1928 ldns_buffer_position(key_buf), algo);
1932 ldns_verify_rrsig_buffers_raw(unsigned char* sig, size_t siglen,
1933 ldns_buffer *verify_buf, unsigned char* key, size_t keylen,
1936 /* check for right key */
1939 case LDNS_DSA_NSEC3:
1940 return ldns_verify_rrsig_dsa_raw(sig,
1947 case LDNS_RSASHA1_NSEC3:
1948 return ldns_verify_rrsig_rsasha1_raw(sig,
1955 case LDNS_RSASHA256:
1956 return ldns_verify_rrsig_rsasha256_raw(sig,
1962 case LDNS_RSASHA512:
1963 return ldns_verify_rrsig_rsasha512_raw(sig,
1972 return ldns_verify_rrsig_gost_raw(sig, siglen, verify_buf,
1977 case LDNS_ECDSAP256SHA256:
1978 case LDNS_ECDSAP384SHA384:
1979 return ldns_verify_rrsig_ecdsa_raw(sig, siglen, verify_buf,
1984 return ldns_verify_rrsig_rsamd5_raw(sig,
1991 /* do you know this alg?! */
1992 return LDNS_STATUS_CRYPTO_UNKNOWN_ALGO;
1998 * Reset the ttl in the rrset with the orig_ttl from the sig
1999 * and update owner name if it was wildcard
2000 * Also canonicalizes the rrset.
2001 * @param rrset: rrset to modify
2002 * @param sig: signature to take TTL and wildcard values from
2005 ldns_rrset_use_signature_ttl(ldns_rr_list* rrset_clone, ldns_rr* rrsig)
2009 uint8_t label_count;
2010 ldns_rdf *wildcard_name;
2011 ldns_rdf *wildcard_chopped;
2012 ldns_rdf *wildcard_chopped_tmp;
2014 if ((rrsig == NULL) || ldns_rr_rd_count(rrsig) < 4) {
2018 orig_ttl = ldns_rdf2native_int32( ldns_rr_rdf(rrsig, 3));
2019 label_count = ldns_rdf2native_int8(ldns_rr_rdf(rrsig, 2));
2021 for(i = 0; i < ldns_rr_list_rr_count(rrset_clone); i++) {
2023 ldns_dname_label_count(
2024 ldns_rr_owner(ldns_rr_list_rr(rrset_clone, i)))) {
2025 (void) ldns_str2rdf_dname(&wildcard_name, "*");
2026 wildcard_chopped = ldns_rdf_clone(ldns_rr_owner(
2027 ldns_rr_list_rr(rrset_clone, i)));
2028 while (label_count < ldns_dname_label_count(wildcard_chopped)) {
2029 wildcard_chopped_tmp = ldns_dname_left_chop(
2031 ldns_rdf_deep_free(wildcard_chopped);
2032 wildcard_chopped = wildcard_chopped_tmp;
2034 (void) ldns_dname_cat(wildcard_name, wildcard_chopped);
2035 ldns_rdf_deep_free(wildcard_chopped);
2036 ldns_rdf_deep_free(ldns_rr_owner(ldns_rr_list_rr(
2038 ldns_rr_set_owner(ldns_rr_list_rr(rrset_clone, i),
2041 ldns_rr_set_ttl(ldns_rr_list_rr(rrset_clone, i), orig_ttl);
2042 /* convert to lowercase */
2043 ldns_rr2canonical(ldns_rr_list_rr(rrset_clone, i));
2048 * Make raw signature buffer out of rrsig
2049 * @param rawsig_buf: raw signature buffer for result
2050 * @param rrsig: signature to convert
2051 * @return OK or more specific error.
2054 ldns_rrsig2rawsig_buffer(ldns_buffer* rawsig_buf, ldns_rr* rrsig)
2058 if (rrsig == NULL) {
2059 return LDNS_STATUS_CRYPTO_NO_RRSIG;
2061 if (ldns_rr_rdf(rrsig, 1) == NULL) {
2062 return LDNS_STATUS_MISSING_RDATA_FIELDS_RRSIG;
2064 sig_algo = ldns_rdf2native_int8(ldns_rr_rdf(rrsig, 1));
2065 /* check for known and implemented algo's now (otherwise
2066 * the function could return a wrong error
2068 /* create a buffer with signature rdata */
2069 /* for some algorithms we need other data than for others... */
2070 /* (the DSA API wants DER encoding for instance) */
2075 case LDNS_RSASHA1_NSEC3:
2077 case LDNS_RSASHA256:
2078 case LDNS_RSASHA512:
2083 if (ldns_rr_rdf(rrsig, 8) == NULL) {
2084 return LDNS_STATUS_MISSING_RDATA_FIELDS_RRSIG;
2086 if (ldns_rdf2buffer_wire(rawsig_buf, ldns_rr_rdf(rrsig, 8))
2087 != LDNS_STATUS_OK) {
2088 return LDNS_STATUS_MEM_ERR;
2092 case LDNS_DSA_NSEC3:
2093 /* EVP takes rfc2459 format, which is a tad longer than dns format */
2094 if (ldns_rr_rdf(rrsig, 8) == NULL) {
2095 return LDNS_STATUS_MISSING_RDATA_FIELDS_RRSIG;
2097 if (ldns_convert_dsa_rrsig_rdf2asn1(
2098 rawsig_buf, ldns_rr_rdf(rrsig, 8))
2099 != LDNS_STATUS_OK) {
2101 if (ldns_rdf2buffer_wire(rawsig_buf,
2102 ldns_rr_rdf(rrsig, 8)) != LDNS_STATUS_OK) {
2104 return LDNS_STATUS_MEM_ERR;
2108 case LDNS_ECDSAP256SHA256:
2109 case LDNS_ECDSAP384SHA384:
2110 /* EVP produces an ASN prefix on the signature, which is
2111 * not used in the DNS */
2112 if (ldns_rr_rdf(rrsig, 8) == NULL) {
2113 return LDNS_STATUS_MISSING_RDATA_FIELDS_RRSIG;
2115 if (ldns_convert_ecdsa_rrsig_rdf2asn1(
2116 rawsig_buf, ldns_rr_rdf(rrsig, 8))
2117 != LDNS_STATUS_OK) {
2118 return LDNS_STATUS_MEM_ERR;
2125 return LDNS_STATUS_CRYPTO_ALGO_NOT_IMPL;
2127 return LDNS_STATUS_CRYPTO_UNKNOWN_ALGO;
2129 return LDNS_STATUS_OK;
2133 * Check RRSIG timestamps against the given 'now' time.
2134 * @param rrsig: signature to check.
2135 * @param now: the current time in seconds epoch.
2136 * @return status code LDNS_STATUS_OK if all is fine.
2139 ldns_rrsig_check_timestamps(ldns_rr* rrsig, time_t now)
2141 int32_t inception, expiration;
2143 /* check the signature time stamps */
2144 inception = (int32_t)ldns_rdf2native_time_t(
2145 ldns_rr_rrsig_inception(rrsig));
2146 expiration = (int32_t)ldns_rdf2native_time_t(
2147 ldns_rr_rrsig_expiration(rrsig));
2149 if (expiration - inception < 0) {
2150 /* bad sig, expiration before inception?? Tsssg */
2151 return LDNS_STATUS_CRYPTO_EXPIRATION_BEFORE_INCEPTION;
2153 if (((int32_t) now) - inception < 0) {
2154 /* bad sig, inception date has not yet come to pass */
2155 return LDNS_STATUS_CRYPTO_SIG_NOT_INCEPTED;
2157 if (expiration - ((int32_t) now) < 0) {
2158 /* bad sig, expiration date has passed */
2159 return LDNS_STATUS_CRYPTO_SIG_EXPIRED;
2161 return LDNS_STATUS_OK;
2165 * Prepare for verification.
2166 * @param rawsig_buf: raw signature buffer made ready.
2167 * @param verify_buf: data for verification buffer made ready.
2168 * @param rrset_clone: made ready.
2169 * @param rrsig: signature to prepare for.
2170 * @return LDNS_STATUS_OK is all went well. Otherwise specific error.
2173 ldns_prepare_for_verify(ldns_buffer* rawsig_buf, ldns_buffer* verify_buf,
2174 ldns_rr_list* rrset_clone, ldns_rr* rrsig)
2178 /* canonicalize the sig */
2179 ldns_dname2canonical(ldns_rr_owner(rrsig));
2181 /* check if the typecovered is equal to the type checked */
2182 if (ldns_rdf2rr_type(ldns_rr_rrsig_typecovered(rrsig)) !=
2183 ldns_rr_get_type(ldns_rr_list_rr(rrset_clone, 0)))
2184 return LDNS_STATUS_CRYPTO_TYPE_COVERED_ERR;
2186 /* create a buffer with b64 signature rdata */
2187 result = ldns_rrsig2rawsig_buffer(rawsig_buf, rrsig);
2188 if(result != LDNS_STATUS_OK)
2191 /* use TTL from signature. Use wildcard names for wildcards */
2192 /* also canonicalizes rrset_clone */
2193 ldns_rrset_use_signature_ttl(rrset_clone, rrsig);
2195 /* sort the rrset in canonical order */
2196 ldns_rr_list_sort(rrset_clone);
2198 /* put the signature rr (without the b64) to the verify_buf */
2199 if (ldns_rrsig2buffer_wire(verify_buf, rrsig) != LDNS_STATUS_OK)
2200 return LDNS_STATUS_MEM_ERR;
2202 /* add the rrset in verify_buf */
2203 if(ldns_rr_list2buffer_wire(verify_buf, rrset_clone)
2205 return LDNS_STATUS_MEM_ERR;
2207 return LDNS_STATUS_OK;
2211 * Check if a key matches a signature.
2212 * Checks keytag, sigalgo and signature.
2213 * @param rawsig_buf: raw signature buffer for verify
2214 * @param verify_buf: raw data buffer for verify
2215 * @param rrsig: the rrsig
2216 * @param key: key to attempt.
2217 * @return LDNS_STATUS_OK if OK, else some specific error.
2220 ldns_verify_test_sig_key(ldns_buffer* rawsig_buf, ldns_buffer* verify_buf,
2221 ldns_rr* rrsig, ldns_rr* key)
2225 if (rrsig == NULL) {
2226 return LDNS_STATUS_CRYPTO_NO_RRSIG;
2228 if (ldns_rr_rdf(rrsig, 1) == NULL) {
2229 return LDNS_STATUS_MISSING_RDATA_FIELDS_RRSIG;
2231 sig_algo = ldns_rdf2native_int8(ldns_rr_rdf(rrsig, 1));
2233 /* before anything, check if the keytags match */
2234 if (ldns_calc_keytag(key)
2236 ldns_rdf2native_int16(ldns_rr_rrsig_keytag(rrsig))
2238 ldns_buffer* key_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
2239 ldns_status result = LDNS_STATUS_ERR;
2241 /* put the key-data in a buffer, that's the third rdf, with
2242 * the base64 encoded key data */
2243 if (ldns_rr_rdf(key, 3) == NULL) {
2244 ldns_buffer_free(key_buf);
2245 return LDNS_STATUS_MISSING_RDATA_FIELDS_KEY;
2247 if (ldns_rdf2buffer_wire(key_buf, ldns_rr_rdf(key, 3))
2248 != LDNS_STATUS_OK) {
2249 ldns_buffer_free(key_buf);
2250 /* returning is bad might screw up
2251 good keys later in the list
2253 return LDNS_STATUS_ERR;
2256 if (ldns_rr_rdf(key, 2) == NULL) {
2257 result = LDNS_STATUS_MISSING_RDATA_FIELDS_KEY;
2259 else if (sig_algo == ldns_rdf2native_int8(
2260 ldns_rr_rdf(key, 2))) {
2261 result = ldns_verify_rrsig_buffers(rawsig_buf,
2262 verify_buf, key_buf, sig_algo);
2264 /* No keys with the corresponding algorithm are found */
2265 result = LDNS_STATUS_CRYPTO_NO_MATCHING_KEYTAG_DNSKEY;
2268 ldns_buffer_free(key_buf);
2272 /* No keys with the corresponding keytag are found */
2273 return LDNS_STATUS_CRYPTO_NO_MATCHING_KEYTAG_DNSKEY;
2279 * - create the wire fmt of the b64 key rdata
2280 * - create the wire fmt of the sorted rrset
2281 * - create the wire fmt of the b64 sig rdata
2282 * - create the wire fmt of the sig without the b64 rdata
2283 * - cat the sig data (without b64 rdata) to the rrset
2284 * - verify the rrset+sig, with the b64 data and the b64 key data
2287 ldns_verify_rrsig_keylist_time(
2288 ldns_rr_list *rrset,
2290 const ldns_rr_list *keys,
2292 ldns_rr_list *good_keys)
2295 ldns_rr_list *valid = ldns_rr_list_new();
2297 return LDNS_STATUS_MEM_ERR;
2299 result = ldns_verify_rrsig_keylist_notime(rrset, rrsig, keys, valid);
2300 if(result != LDNS_STATUS_OK) {
2301 ldns_rr_list_free(valid);
2305 /* check timestamps last; its OK except time */
2306 result = ldns_rrsig_check_timestamps(rrsig, check_time);
2307 if(result != LDNS_STATUS_OK) {
2308 ldns_rr_list_free(valid);
2312 ldns_rr_list_cat(good_keys, valid);
2313 ldns_rr_list_free(valid);
2314 return LDNS_STATUS_OK;
2319 * - create the wire fmt of the b64 key rdata
2320 * - create the wire fmt of the sorted rrset
2321 * - create the wire fmt of the b64 sig rdata
2322 * - create the wire fmt of the sig without the b64 rdata
2323 * - cat the sig data (without b64 rdata) to the rrset
2324 * - verify the rrset+sig, with the b64 data and the b64 key data
2327 ldns_verify_rrsig_keylist(ldns_rr_list *rrset,
2329 const ldns_rr_list *keys,
2330 ldns_rr_list *good_keys)
2332 return ldns_verify_rrsig_keylist_time(
2333 rrset, rrsig, keys, ldns_time(NULL), good_keys);
2337 ldns_verify_rrsig_keylist_notime(ldns_rr_list *rrset,
2339 const ldns_rr_list *keys,
2340 ldns_rr_list *good_keys)
2342 ldns_buffer *rawsig_buf;
2343 ldns_buffer *verify_buf;
2345 ldns_status result, status;
2346 ldns_rr_list *rrset_clone;
2347 ldns_rr_list *validkeys;
2350 return LDNS_STATUS_ERR;
2353 validkeys = ldns_rr_list_new();
2355 return LDNS_STATUS_MEM_ERR;
2358 /* clone the rrset so that we can fiddle with it */
2359 rrset_clone = ldns_rr_list_clone(rrset);
2361 /* create the buffers which will certainly hold the raw data */
2362 rawsig_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
2363 verify_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
2365 result = ldns_prepare_for_verify(rawsig_buf, verify_buf,
2366 rrset_clone, rrsig);
2367 if(result != LDNS_STATUS_OK) {
2368 ldns_buffer_free(verify_buf);
2369 ldns_buffer_free(rawsig_buf);
2370 ldns_rr_list_deep_free(rrset_clone);
2371 ldns_rr_list_free(validkeys);
2375 result = LDNS_STATUS_CRYPTO_NO_MATCHING_KEYTAG_DNSKEY;
2376 for(i = 0; i < ldns_rr_list_rr_count(keys); i++) {
2377 status = ldns_verify_test_sig_key(rawsig_buf, verify_buf,
2378 rrsig, ldns_rr_list_rr(keys, i));
2379 if (status == LDNS_STATUS_OK) {
2380 /* one of the keys has matched, don't break
2381 * here, instead put the 'winning' key in
2382 * the validkey list and return the list
2384 if (!ldns_rr_list_push_rr(validkeys,
2385 ldns_rr_list_rr(keys,i))) {
2386 /* couldn't push the key?? */
2387 ldns_buffer_free(rawsig_buf);
2388 ldns_buffer_free(verify_buf);
2389 ldns_rr_list_deep_free(rrset_clone);
2390 ldns_rr_list_free(validkeys);
2391 return LDNS_STATUS_MEM_ERR;
2397 if (result == LDNS_STATUS_CRYPTO_NO_MATCHING_KEYTAG_DNSKEY) {
2402 /* no longer needed */
2403 ldns_rr_list_deep_free(rrset_clone);
2404 ldns_buffer_free(rawsig_buf);
2405 ldns_buffer_free(verify_buf);
2407 if (ldns_rr_list_rr_count(validkeys) == 0) {
2408 /* no keys were added, return last error */
2409 ldns_rr_list_free(validkeys);
2413 /* do not check timestamps */
2415 ldns_rr_list_cat(good_keys, validkeys);
2416 ldns_rr_list_free(validkeys);
2417 return LDNS_STATUS_OK;
2421 ldns_verify_rrsig_time(
2422 ldns_rr_list *rrset,
2427 ldns_buffer *rawsig_buf;
2428 ldns_buffer *verify_buf;
2430 ldns_rr_list *rrset_clone;
2433 return LDNS_STATUS_NO_DATA;
2435 /* clone the rrset so that we can fiddle with it */
2436 rrset_clone = ldns_rr_list_clone(rrset);
2437 /* create the buffers which will certainly hold the raw data */
2438 rawsig_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
2439 verify_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
2441 result = ldns_prepare_for_verify(rawsig_buf, verify_buf,
2442 rrset_clone, rrsig);
2443 if(result != LDNS_STATUS_OK) {
2444 ldns_rr_list_deep_free(rrset_clone);
2445 ldns_buffer_free(rawsig_buf);
2446 ldns_buffer_free(verify_buf);
2449 result = ldns_verify_test_sig_key(rawsig_buf, verify_buf,
2451 /* no longer needed */
2452 ldns_rr_list_deep_free(rrset_clone);
2453 ldns_buffer_free(rawsig_buf);
2454 ldns_buffer_free(verify_buf);
2456 /* check timestamp last, apart from time its OK */
2457 if(result == LDNS_STATUS_OK)
2458 result = ldns_rrsig_check_timestamps(rrsig, check_time);
2464 ldns_verify_rrsig(ldns_rr_list *rrset, ldns_rr *rrsig, ldns_rr *key)
2466 return ldns_verify_rrsig_time(rrset, rrsig, key, ldns_time(NULL));
2471 ldns_verify_rrsig_evp(ldns_buffer *sig,
2474 const EVP_MD *digest_type)
2476 return ldns_verify_rrsig_evp_raw(
2477 (unsigned char*)ldns_buffer_begin(sig),
2478 ldns_buffer_position(sig),
2485 ldns_verify_rrsig_evp_raw(unsigned char *sig, size_t siglen,
2486 ldns_buffer *rrset, EVP_PKEY *key, const EVP_MD *digest_type)
2491 EVP_MD_CTX_init(&ctx);
2493 EVP_VerifyInit(&ctx, digest_type);
2494 EVP_VerifyUpdate(&ctx,
2495 ldns_buffer_begin(rrset),
2496 ldns_buffer_position(rrset));
2497 res = EVP_VerifyFinal(&ctx, sig, (unsigned int) siglen, key);
2499 EVP_MD_CTX_cleanup(&ctx);
2502 return LDNS_STATUS_OK;
2503 } else if (res == 0) {
2504 return LDNS_STATUS_CRYPTO_BOGUS;
2506 /* TODO how to communicate internal SSL error?
2507 let caller use ssl's get_error() */
2508 return LDNS_STATUS_SSL_ERR;
2512 ldns_verify_rrsig_dsa(ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key)
2514 return ldns_verify_rrsig_dsa_raw(
2515 (unsigned char*) ldns_buffer_begin(sig),
2516 ldns_buffer_position(sig),
2518 (unsigned char*) ldns_buffer_begin(key),
2519 ldns_buffer_position(key));
2523 ldns_verify_rrsig_rsasha1(ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key)
2525 return ldns_verify_rrsig_rsasha1_raw(
2526 (unsigned char*)ldns_buffer_begin(sig),
2527 ldns_buffer_position(sig),
2529 (unsigned char*) ldns_buffer_begin(key),
2530 ldns_buffer_position(key));
2534 ldns_verify_rrsig_rsamd5(ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key)
2536 return ldns_verify_rrsig_rsamd5_raw(
2537 (unsigned char*)ldns_buffer_begin(sig),
2538 ldns_buffer_position(sig),
2540 (unsigned char*) ldns_buffer_begin(key),
2541 ldns_buffer_position(key));
2545 ldns_verify_rrsig_dsa_raw(unsigned char* sig, size_t siglen,
2546 ldns_buffer* rrset, unsigned char* key, size_t keylen)
2551 evp_key = EVP_PKEY_new();
2552 if (EVP_PKEY_assign_DSA(evp_key, ldns_key_buf2dsa_raw(key, keylen))) {
2553 result = ldns_verify_rrsig_evp_raw(sig,
2559 result = LDNS_STATUS_SSL_ERR;
2561 EVP_PKEY_free(evp_key);
2567 ldns_verify_rrsig_rsasha1_raw(unsigned char* sig, size_t siglen,
2568 ldns_buffer* rrset, unsigned char* key, size_t keylen)
2573 evp_key = EVP_PKEY_new();
2574 if (EVP_PKEY_assign_RSA(evp_key, ldns_key_buf2rsa_raw(key, keylen))) {
2575 result = ldns_verify_rrsig_evp_raw(sig,
2581 result = LDNS_STATUS_SSL_ERR;
2583 EVP_PKEY_free(evp_key);
2589 ldns_verify_rrsig_rsasha256_raw(unsigned char* sig,
2599 evp_key = EVP_PKEY_new();
2600 if (EVP_PKEY_assign_RSA(evp_key, ldns_key_buf2rsa_raw(key, keylen))) {
2601 result = ldns_verify_rrsig_evp_raw(sig,
2607 result = LDNS_STATUS_SSL_ERR;
2609 EVP_PKEY_free(evp_key);
2613 /* touch these to prevent compiler warnings */
2619 return LDNS_STATUS_CRYPTO_UNKNOWN_ALGO;
2624 ldns_verify_rrsig_rsasha512_raw(unsigned char* sig,
2634 evp_key = EVP_PKEY_new();
2635 if (EVP_PKEY_assign_RSA(evp_key, ldns_key_buf2rsa_raw(key, keylen))) {
2636 result = ldns_verify_rrsig_evp_raw(sig,
2642 result = LDNS_STATUS_SSL_ERR;
2644 EVP_PKEY_free(evp_key);
2648 /* touch these to prevent compiler warnings */
2654 return LDNS_STATUS_CRYPTO_UNKNOWN_ALGO;
2660 ldns_verify_rrsig_rsamd5_raw(unsigned char* sig,
2669 evp_key = EVP_PKEY_new();
2670 if (EVP_PKEY_assign_RSA(evp_key, ldns_key_buf2rsa_raw(key, keylen))) {
2671 result = ldns_verify_rrsig_evp_raw(sig,
2677 result = LDNS_STATUS_SSL_ERR;
2679 EVP_PKEY_free(evp_key);