3 #ifndef LDNS_DNSSEC_VERIFY_H
4 #define LDNS_DNSSEC_VERIFY_H
6 #define LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS 10
8 #include <ldns/dnssec.h>
9 #include <ldns/host2str.h>
16 * Chain structure that contains all DNSSEC data needed to
19 typedef struct ldns_dnssec_data_chain_struct ldns_dnssec_data_chain;
20 struct ldns_dnssec_data_chain_struct
23 ldns_rr_list *signatures;
24 ldns_rr_type parent_type;
25 ldns_dnssec_data_chain *parent;
26 ldns_pkt_rcode packet_rcode;
27 ldns_rr_type packet_qtype;
32 * Creates a new dnssec_chain structure
33 * \return ldns_dnssec_data_chain *
35 ldns_dnssec_data_chain *ldns_dnssec_data_chain_new(void);
38 * Frees a dnssec_data_chain structure
40 * \param[in] *chain The chain to free
42 void ldns_dnssec_data_chain_free(ldns_dnssec_data_chain *chain);
45 * Frees a dnssec_data_chain structure, and all data
48 * \param[in] *chain The dnssec_data_chain to free
50 void ldns_dnssec_data_chain_deep_free(ldns_dnssec_data_chain *chain);
53 * Prints the dnssec_data_chain to the given file stream
55 * \param[in] *out The file stream to print to
56 * \param[in] *chain The dnssec_data_chain to print
58 void ldns_dnssec_data_chain_print(FILE *out, const ldns_dnssec_data_chain *chain);
61 * Prints the dnssec_data_chain to the given file stream
63 * \param[in] *out The file stream to print to
64 * \param[in] *fmt The format of the textual representation
65 * \param[in] *chain The dnssec_data_chain to print
67 void ldns_dnssec_data_chain_print_fmt(FILE *out,
68 const ldns_output_format *fmt,
69 const ldns_dnssec_data_chain *chain);
72 * Build an ldns_dnssec_data_chain, which contains all
73 * DNSSEC data that is needed to derive the trust tree later
75 * The data_set will be cloned
77 * \param[in] *res resolver structure for further needed queries
78 * \param[in] qflags resolution flags
79 * \param[in] *data_set The original rrset where the chain ends
80 * \param[in] *pkt optional, can contain the original packet
81 * (and hence the sigs and maybe the key)
82 * \param[in] *orig_rr The original Resource Record
84 * \return the DNSSEC data chain
86 ldns_dnssec_data_chain *ldns_dnssec_build_data_chain(ldns_resolver *res,
87 const uint16_t qflags,
88 const ldns_rr_list *data_set,
93 * Tree structure that contains the relation of DNSSEC data,
94 * and their cryptographic status.
96 * This tree is derived from a data_chain, and can be used
97 * to look whether there is a connection between an RRSET
98 * and a trusted key. The tree only contains pointers to the
99 * data_chain, and therefore one should *never* free() the
100 * data_chain when there is still a trust tree derived from
116 * For each signature there is a parent; if the parent
117 * pointer is null, it couldn't be found and there was no
118 * denial; otherwise is a tree which contains either a
119 * DNSKEY, a DS, or a NSEC rr
121 typedef struct ldns_dnssec_trust_tree_struct ldns_dnssec_trust_tree;
122 struct ldns_dnssec_trust_tree_struct
125 /* the complete rrset this rr was in */
127 ldns_dnssec_trust_tree *parents[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS];
128 ldns_status parent_status[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS];
129 /** for debugging, add signatures too (you might want
130 those if they contain errors) */
131 ldns_rr *parent_signature[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS];
136 * Creates a new (empty) dnssec_trust_tree structure
138 * \return ldns_dnssec_trust_tree *
140 ldns_dnssec_trust_tree *ldns_dnssec_trust_tree_new(void);
143 * Frees the dnssec_trust_tree recursively
145 * There is no deep free; all data in the trust tree
146 * consists of pointers to a data_chain
148 * \param[in] tree The tree to free
150 void ldns_dnssec_trust_tree_free(ldns_dnssec_trust_tree *tree);
153 * returns the depth of the trust tree
155 * \param[in] tree tree to calculate the depth of
156 * \return The depth of the tree
158 size_t ldns_dnssec_trust_tree_depth(ldns_dnssec_trust_tree *tree);
161 * Prints the dnssec_trust_tree structure to the given file
164 * If a link status is not LDNS_STATUS_OK; the status and
165 * relevant signatures are printed too
167 * \param[in] *out The file stream to print to
168 * \param[in] tree The trust tree to print
169 * \param[in] tabs Prepend each line with tabs*2 spaces
170 * \param[in] extended If true, add little explanation lines to the output
172 void ldns_dnssec_trust_tree_print(FILE *out,
173 ldns_dnssec_trust_tree *tree,
178 * Prints the dnssec_trust_tree structure to the given file
181 * If a link status is not LDNS_STATUS_OK; the status and
182 * relevant signatures are printed too
184 * \param[in] *out The file stream to print to
185 * \param[in] *fmt The format of the textual representation
186 * \param[in] tree The trust tree to print
187 * \param[in] tabs Prepend each line with tabs*2 spaces
188 * \param[in] extended If true, add little explanation lines to the output
190 void ldns_dnssec_trust_tree_print_fmt(FILE *out,
191 const ldns_output_format *fmt,
192 ldns_dnssec_trust_tree *tree,
197 * Adds a trust tree as a parent for the given trust tree
199 * \param[in] *tree The tree to add the parent to
200 * \param[in] *parent The parent tree to add
201 * \param[in] *parent_signature The RRSIG relevant to this parent/child
203 * \param[in] parent_status The DNSSEC status for this parent, child and RRSIG
204 * \return LDNS_STATUS_OK if the addition succeeds, error otherwise
206 ldns_status ldns_dnssec_trust_tree_add_parent(ldns_dnssec_trust_tree *tree,
207 const ldns_dnssec_trust_tree *parent,
208 const ldns_rr *parent_signature,
209 const ldns_status parent_status);
212 * Generates a dnssec_trust_tree for the given rr from the
215 * This does not clone the actual data; Don't free the
216 * data_chain before you are done with this tree
218 * \param[in] *data_chain The chain to derive the trust tree from
219 * \param[in] *rr The RR this tree will be about
220 * \return ldns_dnssec_trust_tree *
222 ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree(
223 ldns_dnssec_data_chain *data_chain,
227 * Generates a dnssec_trust_tree for the given rr from the
230 * This does not clone the actual data; Don't free the
231 * data_chain before you are done with this tree
233 * \param[in] *data_chain The chain to derive the trust tree from
234 * \param[in] *rr The RR this tree will be about
235 * \param[in] check_time the time for which the validation is performed
236 * \return ldns_dnssec_trust_tree *
238 ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree_time(
239 ldns_dnssec_data_chain *data_chain,
240 ldns_rr *rr, time_t check_time);
243 * Sub function for derive_trust_tree that is used for a 'normal' rrset
245 * \param[in] new_tree The trust tree that we are building
246 * \param[in] data_chain The data chain containing the data for the trust tree
247 * \param[in] cur_sig_rr The currently relevant signature
249 void ldns_dnssec_derive_trust_tree_normal_rrset(
250 ldns_dnssec_trust_tree *new_tree,
251 ldns_dnssec_data_chain *data_chain,
252 ldns_rr *cur_sig_rr);
255 * Sub function for derive_trust_tree that is used for a 'normal' rrset
257 * \param[in] new_tree The trust tree that we are building
258 * \param[in] data_chain The data chain containing the data for the trust tree
259 * \param[in] cur_sig_rr The currently relevant signature
260 * \param[in] check_time the time for which the validation is performed
262 void ldns_dnssec_derive_trust_tree_normal_rrset_time(
263 ldns_dnssec_trust_tree *new_tree,
264 ldns_dnssec_data_chain *data_chain,
265 ldns_rr *cur_sig_rr, time_t check_time);
269 * Sub function for derive_trust_tree that is used for DNSKEY rrsets
271 * \param[in] new_tree The trust tree that we are building
272 * \param[in] data_chain The data chain containing the data for the trust tree
273 * \param[in] cur_rr The currently relevant DNSKEY RR
274 * \param[in] cur_sig_rr The currently relevant signature
276 void ldns_dnssec_derive_trust_tree_dnskey_rrset(
277 ldns_dnssec_trust_tree *new_tree,
278 ldns_dnssec_data_chain *data_chain,
280 ldns_rr *cur_sig_rr);
283 * Sub function for derive_trust_tree that is used for DNSKEY rrsets
285 * \param[in] new_tree The trust tree that we are building
286 * \param[in] data_chain The data chain containing the data for the trust tree
287 * \param[in] cur_rr The currently relevant DNSKEY RR
288 * \param[in] cur_sig_rr The currently relevant signature
289 * \param[in] check_time the time for which the validation is performed
291 void ldns_dnssec_derive_trust_tree_dnskey_rrset_time(
292 ldns_dnssec_trust_tree *new_tree,
293 ldns_dnssec_data_chain *data_chain,
294 ldns_rr *cur_rr, ldns_rr *cur_sig_rr,
298 * Sub function for derive_trust_tree that is used for DS rrsets
300 * \param[in] new_tree The trust tree that we are building
301 * \param[in] data_chain The data chain containing the data for the trust tree
302 * \param[in] cur_rr The currently relevant DS RR
304 void ldns_dnssec_derive_trust_tree_ds_rrset(
305 ldns_dnssec_trust_tree *new_tree,
306 ldns_dnssec_data_chain *data_chain,
310 * Sub function for derive_trust_tree that is used for DS rrsets
312 * \param[in] new_tree The trust tree that we are building
313 * \param[in] data_chain The data chain containing the data for the trust tree
314 * \param[in] cur_rr The currently relevant DS RR
315 * \param[in] check_time the time for which the validation is performed
317 void ldns_dnssec_derive_trust_tree_ds_rrset_time(
318 ldns_dnssec_trust_tree *new_tree,
319 ldns_dnssec_data_chain *data_chain,
320 ldns_rr *cur_rr, time_t check_time);
323 * Sub function for derive_trust_tree that is used when there are no
326 * \param[in] new_tree The trust tree that we are building
327 * \param[in] data_chain The data chain containing the data for the trust tree
329 void ldns_dnssec_derive_trust_tree_no_sig(
330 ldns_dnssec_trust_tree *new_tree,
331 ldns_dnssec_data_chain *data_chain);
334 * Sub function for derive_trust_tree that is used when there are no
337 * \param[in] new_tree The trust tree that we are building
338 * \param[in] data_chain The data chain containing the data for the trust tree
339 * \param[in] check_time the time for which the validation is performed
341 void ldns_dnssec_derive_trust_tree_no_sig_time(
342 ldns_dnssec_trust_tree *new_tree,
343 ldns_dnssec_data_chain *data_chain,
348 * Returns OK if there is a trusted path in the tree to one of
349 * the DNSKEY or DS RRs in the given list
351 * \param *tree The trust tree so search
352 * \param *keys A ldns_rr_list of DNSKEY and DS rrs to look for
354 * \return LDNS_STATUS_OK if there is a trusted path to one of
355 * the keys, or the *first* error encountered
356 * if there were no paths
358 ldns_status ldns_dnssec_trust_tree_contains_keys(
359 ldns_dnssec_trust_tree *tree,
363 * Verifies a list of signatures for one rrset.
365 * \param[in] rrset the rrset to verify
366 * \param[in] rrsig a list of signatures to check
367 * \param[in] keys a list of keys to check with
368 * \param[out] good_keys if this is a (initialized) list, the pointer to keys
369 * from keys that validate one of the signatures
371 * \return status LDNS_STATUS_OK if there is at least one correct key
373 ldns_status ldns_verify(ldns_rr_list *rrset,
375 const ldns_rr_list *keys,
376 ldns_rr_list *good_keys);
379 * Verifies a list of signatures for one rrset.
381 * \param[in] rrset the rrset to verify
382 * \param[in] rrsig a list of signatures to check
383 * \param[in] keys a list of keys to check with
384 * \param[in] check_time the time for which the validation is performed
385 * \param[out] good_keys if this is a (initialized) list, the pointer to keys
386 * from keys that validate one of the signatures
388 * \return status LDNS_STATUS_OK if there is at least one correct key
390 ldns_status ldns_verify_time(ldns_rr_list *rrset,
392 const ldns_rr_list *keys,
394 ldns_rr_list *good_keys);
398 * Verifies a list of signatures for one rrset, but disregard the time.
399 * Inception and Expiration are not checked.
401 * \param[in] rrset the rrset to verify
402 * \param[in] rrsig a list of signatures to check
403 * \param[in] keys a list of keys to check with
404 * \param[out] good_keys if this is a (initialized) list, the pointer to keys
405 * from keys that validate one of the signatures
407 * \return status LDNS_STATUS_OK if there is at least one correct key
409 ldns_status ldns_verify_notime(ldns_rr_list *rrset,
411 const ldns_rr_list *keys,
412 ldns_rr_list *good_keys);
415 * Tries to build an authentication chain from the given
416 * keys down to the queried domain.
418 * If we find a valid trust path, return the valid keys for the domain.
420 * \param[in] res the current resolver
421 * \param[in] domain the domain we want valid keys for
422 * \param[in] keys the current set of trusted keys
423 * \param[out] status pointer to the status variable where the result
424 * code will be stored
425 * \return the set of trusted keys for the domain, or NULL if no
426 * trust path could be built.
428 ldns_rr_list *ldns_fetch_valid_domain_keys(const ldns_resolver * res,
429 const ldns_rdf * domain,
430 const ldns_rr_list * keys,
431 ldns_status *status);
434 * Tries to build an authentication chain from the given
435 * keys down to the queried domain.
437 * If we find a valid trust path, return the valid keys for the domain.
439 * \param[in] res the current resolver
440 * \param[in] domain the domain we want valid keys for
441 * \param[in] keys the current set of trusted keys
442 * \param[in] check_time the time for which the validation is performed
443 * \param[out] status pointer to the status variable where the result
444 * code will be stored
445 * \return the set of trusted keys for the domain, or NULL if no
446 * trust path could be built.
448 ldns_rr_list *ldns_fetch_valid_domain_keys_time(const ldns_resolver * res,
449 const ldns_rdf * domain, const ldns_rr_list * keys,
450 time_t check_time, ldns_status *status);
454 * Validates the DNSKEY RRset for the given domain using the provided
457 * \param[in] res the current resolver
458 * \param[in] domain the domain we want valid keys for
459 * \param[in] keys the current set of trusted keys
460 * \return the set of trusted keys for the domain, or NULL if the RRSET
461 * could not be validated
463 ldns_rr_list *ldns_validate_domain_dnskey (const ldns_resolver *res,
464 const ldns_rdf *domain,
465 const ldns_rr_list *keys);
468 * Validates the DNSKEY RRset for the given domain using the provided
471 * \param[in] res the current resolver
472 * \param[in] domain the domain we want valid keys for
473 * \param[in] keys the current set of trusted keys
474 * \param[in] check_time the time for which the validation is performed
475 * \return the set of trusted keys for the domain, or NULL if the RRSET
476 * could not be validated
478 ldns_rr_list *ldns_validate_domain_dnskey_time(
479 const ldns_resolver *res, const ldns_rdf *domain,
480 const ldns_rr_list *keys, time_t check_time);
484 * Validates the DS RRset for the given domain using the provided trusted keys.
486 * \param[in] res the current resolver
487 * \param[in] domain the domain we want valid keys for
488 * \param[in] keys the current set of trusted keys
489 * \return the set of trusted keys for the domain, or NULL if the RRSET could not be validated
491 ldns_rr_list *ldns_validate_domain_ds(const ldns_resolver *res,
494 const ldns_rr_list * keys);
497 * Validates the DS RRset for the given domain using the provided trusted keys.
499 * \param[in] res the current resolver
500 * \param[in] domain the domain we want valid keys for
501 * \param[in] keys the current set of trusted keys
502 * \param[in] check_time the time for which the validation is performed
503 * \return the set of trusted keys for the domain, or NULL if the RRSET could not be validated
505 ldns_rr_list *ldns_validate_domain_ds_time(
506 const ldns_resolver *res, const ldns_rdf *domain,
507 const ldns_rr_list * keys, time_t check_time);
511 * Verifies a list of signatures for one RRset using a valid trust path.
513 * \param[in] res the current resolver
514 * \param[in] rrset the rrset to verify
515 * \param[in] rrsigs a list of signatures to check
516 * \param[out] validating_keys if this is a (initialized) list, the
517 * keys from keys that validate one of
518 * the signatures are added to it
519 * \return status LDNS_STATUS_OK if there is at least one correct key
521 ldns_status ldns_verify_trusted(ldns_resolver *res,
523 ldns_rr_list *rrsigs,
524 ldns_rr_list *validating_keys);
527 * Verifies a list of signatures for one RRset using a valid trust path.
529 * \param[in] res the current resolver
530 * \param[in] rrset the rrset to verify
531 * \param[in] rrsigs a list of signatures to check
532 * \param[in] check_time the time for which the validation is performed
533 * \param[out] validating_keys if this is a (initialized) list, the
534 * keys from keys that validate one of
535 * the signatures are added to it
536 * \return status LDNS_STATUS_OK if there is at least one correct key
538 ldns_status ldns_verify_trusted_time(
539 ldns_resolver *res, ldns_rr_list *rrset,
540 ldns_rr_list *rrsigs, time_t check_time,
541 ldns_rr_list *validating_keys);
545 * denial is not just a river in egypt
547 * \param[in] rr The (query) RR to check the denial of existence for
548 * \param[in] nsecs The list of NSEC RRs that are supposed to deny the
549 * existence of the RR
550 * \param[in] rrsigs The RRSIG RR covering the NSEC RRs
551 * \return LDNS_STATUS_OK if the NSEC RRs deny the existence, error code
552 * containing the reason they do not otherwise
554 ldns_status ldns_dnssec_verify_denial(ldns_rr *rr,
556 ldns_rr_list *rrsigs);
559 * Denial of existence using NSEC3 records
560 * Since NSEC3 is a bit more complicated than normal denial, some
561 * context arguments are needed
563 * \param[in] rr The (query) RR to check the denial of existence for
564 * \param[in] nsecs The list of NSEC3 RRs that are supposed to deny the
565 * existence of the RR
566 * \param[in] rrsigs The RRSIG rr covering the NSEC RRs
567 * \param[in] packet_rcode The RCODE value of the packet that provided the
569 * \param[in] packet_qtype The original query RR type
570 * \param[in] packet_nodata True if the providing packet had an empty ANSWER
572 * \return LDNS_STATUS_OK if the NSEC3 RRs deny the existence, error code
573 * containing the reason they do not otherwise
575 ldns_status ldns_dnssec_verify_denial_nsec3(ldns_rr *rr,
577 ldns_rr_list *rrsigs,
578 ldns_pkt_rcode packet_rcode,
579 ldns_rr_type packet_qtype,
583 * Same as ldns_status ldns_dnssec_verify_denial_nsec3 but also returns
584 * the nsec rr that matched.
586 * \param[in] rr The (query) RR to check the denial of existence for
587 * \param[in] nsecs The list of NSEC3 RRs that are supposed to deny the
588 * existence of the RR
589 * \param[in] rrsigs The RRSIG rr covering the NSEC RRs
590 * \param[in] packet_rcode The RCODE value of the packet that provided the
592 * \param[in] packet_qtype The original query RR type
593 * \param[in] packet_nodata True if the providing packet had an empty ANSWER
595 * \param[in] match On match, the given (reference to a) pointer will be set
596 * to point to the matching nsec resource record.
597 * \return LDNS_STATUS_OK if the NSEC3 RRs deny the existence, error code
598 * containing the reason they do not otherwise
600 ldns_status ldns_dnssec_verify_denial_nsec3_match(ldns_rr *rr,
602 ldns_rr_list *rrsigs,
603 ldns_pkt_rcode packet_rcode,
604 ldns_rr_type packet_qtype,
608 * Verifies the already processed data in the buffers
609 * This function should probably not be used directly.
611 * \param[in] rawsig_buf Buffer containing signature data to use
612 * \param[in] verify_buf Buffer containing data to verify
613 * \param[in] key_buf Buffer containing key data to use
614 * \param[in] algo Signing algorithm
615 * \return status LDNS_STATUS_OK if the data verifies. Error if not.
617 ldns_status ldns_verify_rrsig_buffers(ldns_buffer *rawsig_buf,
618 ldns_buffer *verify_buf,
619 ldns_buffer *key_buf,
623 * Like ldns_verify_rrsig_buffers, but uses raw data.
625 * \param[in] sig signature data to use
626 * \param[in] siglen length of signature data to use
627 * \param[in] verify_buf Buffer containing data to verify
628 * \param[in] key key data to use
629 * \param[in] keylen length of key data to use
630 * \param[in] algo Signing algorithm
631 * \return status LDNS_STATUS_OK if the data verifies. Error if not.
633 ldns_status ldns_verify_rrsig_buffers_raw(unsigned char* sig,
635 ldns_buffer *verify_buf,
641 * Verifies an rrsig. All keys in the keyset are tried.
642 * \param[in] rrset the rrset to check
643 * \param[in] rrsig the signature of the rrset
644 * \param[in] keys the keys to try
645 * \param[out] good_keys if this is a (initialized) list, the pointer to keys
646 * from keys that validate one of the signatures
648 * \return a list of keys which validate the rrsig + rrset. Returns
649 * status LDNS_STATUS_OK if at least one key matched. Else an error.
651 ldns_status ldns_verify_rrsig_keylist(ldns_rr_list *rrset,
653 const ldns_rr_list *keys,
654 ldns_rr_list *good_keys);
657 * Verifies an rrsig. All keys in the keyset are tried.
658 * \param[in] rrset the rrset to check
659 * \param[in] rrsig the signature of the rrset
660 * \param[in] keys the keys to try
661 * \param[in] check_time the time for which the validation is performed
662 * \param[out] good_keys if this is a (initialized) list, the pointer to keys
663 * from keys that validate one of the signatures
665 * \return a list of keys which validate the rrsig + rrset. Returns
666 * status LDNS_STATUS_OK if at least one key matched. Else an error.
668 ldns_status ldns_verify_rrsig_keylist_time(
669 ldns_rr_list *rrset, ldns_rr *rrsig,
670 const ldns_rr_list *keys, time_t check_time,
671 ldns_rr_list *good_keys);
675 * Verifies an rrsig. All keys in the keyset are tried. Time is not checked.
676 * \param[in] rrset the rrset to check
677 * \param[in] rrsig the signature of the rrset
678 * \param[in] keys the keys to try
679 * \param[out] good_keys if this is a (initialized) list, the pointer to keys
680 * from keys that validate one of the signatures
682 * \return a list of keys which validate the rrsig + rrset. Returns
683 * status LDNS_STATUS_OK if at least one key matched. Else an error.
685 ldns_status ldns_verify_rrsig_keylist_notime(ldns_rr_list *rrset,
687 const ldns_rr_list *keys,
688 ldns_rr_list *good_keys);
691 * verify an rrsig with 1 key
692 * \param[in] rrset the rrset
693 * \param[in] rrsig the rrsig to verify
694 * \param[in] key the key to use
695 * \return status message wether verification succeeded.
697 ldns_status ldns_verify_rrsig(ldns_rr_list *rrset,
703 * verify an rrsig with 1 key
704 * \param[in] rrset the rrset
705 * \param[in] rrsig the rrsig to verify
706 * \param[in] key the key to use
707 * \param[in] check_time the time for which the validation is performed
708 * \return status message wether verification succeeded.
710 ldns_status ldns_verify_rrsig_time(
711 ldns_rr_list *rrset, ldns_rr *rrsig,
712 ldns_rr *key, time_t check_time);
715 #if LDNS_BUILD_CONFIG_HAVE_SSL
717 * verifies a buffer with signature data for a buffer with rrset data
720 * \param[in] sig the signature data
721 * \param[in] rrset the rrset data, sorted and processed for verification
722 * \param[in] key the EVP key structure
723 * \param[in] digest_type The digest type of the signature
725 ldns_status ldns_verify_rrsig_evp(ldns_buffer *sig,
728 const EVP_MD *digest_type);
731 * Like ldns_verify_rrsig_evp, but uses raw signature data.
732 * \param[in] sig the signature data, wireformat uncompressed
733 * \param[in] siglen length of the signature data
734 * \param[in] rrset the rrset data, sorted and processed for verification
735 * \param[in] key the EVP key structure
736 * \param[in] digest_type The digest type of the signature
738 ldns_status ldns_verify_rrsig_evp_raw(unsigned char *sig,
742 const EVP_MD *digest_type);
746 * verifies a buffer with signature data (DSA) for a buffer with rrset data
747 * with a buffer with key data.
749 * \param[in] sig the signature data
750 * \param[in] rrset the rrset data, sorted and processed for verification
751 * \param[in] key the key data
753 ldns_status ldns_verify_rrsig_dsa(ldns_buffer *sig,
758 * verifies a buffer with signature data (RSASHA1) for a buffer with rrset data
759 * with a buffer with key data.
761 * \param[in] sig the signature data
762 * \param[in] rrset the rrset data, sorted and processed for verification
763 * \param[in] key the key data
765 ldns_status ldns_verify_rrsig_rsasha1(ldns_buffer *sig,
770 * verifies a buffer with signature data (RSAMD5) for a buffer with rrset data
771 * with a buffer with key data.
773 * \param[in] sig the signature data
774 * \param[in] rrset the rrset data, sorted and processed for verification
775 * \param[in] key the key data
777 ldns_status ldns_verify_rrsig_rsamd5(ldns_buffer *sig,
782 * Like ldns_verify_rrsig_dsa, but uses raw signature and key data.
783 * \param[in] sig raw uncompressed wireformat signature data
784 * \param[in] siglen length of signature data
785 * \param[in] rrset ldns buffer with prepared rrset data.
786 * \param[in] key raw uncompressed wireformat key data
787 * \param[in] keylen length of key data
789 ldns_status ldns_verify_rrsig_dsa_raw(unsigned char* sig,
796 * Like ldns_verify_rrsig_rsasha1, but uses raw signature and key data.
797 * \param[in] sig raw uncompressed wireformat signature data
798 * \param[in] siglen length of signature data
799 * \param[in] rrset ldns buffer with prepared rrset data.
800 * \param[in] key raw uncompressed wireformat key data
801 * \param[in] keylen length of key data
803 ldns_status ldns_verify_rrsig_rsasha1_raw(unsigned char* sig,
810 * Like ldns_verify_rrsig_rsasha256, but uses raw signature and key data.
811 * \param[in] sig raw uncompressed wireformat signature data
812 * \param[in] siglen length of signature data
813 * \param[in] rrset ldns buffer with prepared rrset data.
814 * \param[in] key raw uncompressed wireformat key data
815 * \param[in] keylen length of key data
818 ldns_status ldns_verify_rrsig_rsasha256_raw(unsigned char* sig,
825 * Like ldns_verify_rrsig_rsasha512, but uses raw signature and key data.
826 * \param[in] sig raw uncompressed wireformat signature data
827 * \param[in] siglen length of signature data
828 * \param[in] rrset ldns buffer with prepared rrset data.
829 * \param[in] key raw uncompressed wireformat key data
830 * \param[in] keylen length of key data
832 ldns_status ldns_verify_rrsig_rsasha512_raw(unsigned char* sig,
839 * Like ldns_verify_rrsig_rsamd5, but uses raw signature and key data.
840 * \param[in] sig raw uncompressed wireformat signature data
841 * \param[in] siglen length of signature data
842 * \param[in] rrset ldns buffer with prepared rrset data.
843 * \param[in] key raw uncompressed wireformat key data
844 * \param[in] keylen length of key data
846 ldns_status ldns_verify_rrsig_rsamd5_raw(unsigned char* sig,