Functions | |
uint16_t | ldns_calc_keytag (const ldns_rr *key) |
calculates a keytag of a key for use in DNSSEC. | |
ldns_status | ldns_verify (ldns_rr_list *rrset, ldns_rr_list *rrsig, ldns_rr_list *keys, ldns_rr_list *good_keys) |
Verifies a list of signatures for one rrset. | |
ldns_status | ldns_verify_rrsig_buffers (ldns_buffer *rawsig_buf, ldns_buffer *verify_buf, ldns_buffer *key_buf, uint8_t algo) |
Verifies the already processed data in the buffers. This function should probably not be used directly. | |
ldns_status | ldns_verify_rrsig_keylist (ldns_rr_list *rrset, ldns_rr *rrsig, ldns_rr_list *keys, ldns_rr_list *good_keys) |
Verifies an rrsig. | |
ldns_status | ldns_verify_rrsig (ldns_rr_list *rrset, ldns_rr *rrsig, ldns_rr *key) |
verify an rrsig with 1 key | |
ldns_status | ldns_verify_rrsig_dsa (ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key) |
verifies a buffer of DSA signature data against a buffer of rrset data, using a buffer of key data. | |
ldns_status | ldns_verify_rrsig_rsasha1 (ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key) |
verifies a buffer of RSASHA1 signature data against a buffer of rrset data, using a buffer of key data. | |
ldns_status | ldns_verify_rrsig_rsamd5 (ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key) |
verifies a buffer of RSAMD5 signature data against a buffer of rrset data, using a buffer of key data. | |
DSA * | ldns_key_buf2dsa (ldns_buffer *key) |
converts a buffer holding key material to a DSA key in openssl. | |
RSA * | ldns_key_buf2rsa (ldns_buffer *key) |
converts a buffer holding key material to a RSA key in openssl. | |
ldns_rr * | ldns_key_rr2ds (const ldns_rr *key, ldns_hash h) |
returns a new DS rr that represents the given key rr. | |
ldns_rr_list * | ldns_sign_public (ldns_rr_list *rrset, ldns_key_list *keys) |
Sign an rrset. | |
ldns_rdf * | ldns_sign_public_dsa (ldns_buffer *to_sign, DSA *key) |
Sign a buffer with the DSA key (hash with SHA1). | |
ldns_rdf * | ldns_sign_public_rsasha1 (ldns_buffer *to_sign, RSA *key) |
Sign a buffer with the RSA key (hash with SHA1). | |
ldns_rdf * | ldns_sign_public_rsamd5 (ldns_buffer *to_sign, RSA *key) |
Sign a buffer with the RSA key (hash with MD5). | |
ldns_rr * | ldns_create_nsec (ldns_rdf *cur_owner, ldns_rdf *next_owner, ldns_rr_list *rrs) |
Create a NSEC record. | |
bool | ldns_nsec_bitmap_covers_type (const ldns_rdf *nsec_bitmap, ldns_rr_type type) |
Checks coverage of NSEC RR type bitmap. | |
bool | ldns_nsec_covers_name (const ldns_rr *nsec, const ldns_rdf *name) |
Checks coverage of NSEC RR name span. Remember that nsec and name must both be in canonical form (i.e. use ldns_rr2canonical and ldns_dname2canonical prior to calling this function). | |
ldns_status | ldns_pkt_verify (ldns_pkt *p, ldns_rr_type t, ldns_rdf *o, ldns_rr_list *k, ldns_rr_list *s, ldns_rr_list *good_keys) |
verify a packet | |
ldns_zone * | ldns_zone_sign (const ldns_zone *zone, ldns_key_list *key_list) |
Signs the given zone with the given keys and returns a newly allocated signed zone. Extra arguments will come later (expiration etc.).
uint16_t ldns_calc_keytag | ( | const ldns_rr * | key | ) |
calculates a keytag of a key for use in DNSSEC.
[in] | key | the key as an RR to use for the calc. |
Definition at line 31 of file dnssec.c.
References ldns_buffer_free(), ldns_buffer_new(), LDNS_MIN_BUFLEN, ldns_rdf2native_int8(), ldns_rr_get_type(), ldns_rr_rdata2buffer_wire(), ldns_rr_rdf(), LDNS_RR_TYPE_DNSKEY, LDNS_RR_TYPE_KEY, and LDNS_RSAMD5.
ldns_status ldns_verify | ( | ldns_rr_list * | rrset, | |
ldns_rr_list * | rrsig, | |||
ldns_rr_list * | keys, | |||
ldns_rr_list * | good_keys | |||
) |
Verifies a list of signatures for one rrset.
[in] | rrset | the rrset to verify |
[in] | rrsig | a list of signatures to check |
[in] | keys | a list of keys to check with |
[out] | good_keys | if this is an (initialized) list, the keys from keys that validate one of the signatures are added to it |
Definition at line 81 of file dnssec.c.
References ldns_rr_list_rr(), ldns_rr_list_rr_count(), LDNS_STATUS_CRYPTO_NO_RRSIG, LDNS_STATUS_CRYPTO_NO_TRUSTED_DNSKEY, LDNS_STATUS_ERR, LDNS_STATUS_OK, and ldns_verify_rrsig_keylist().
ldns_status ldns_verify_rrsig_buffers | ( | ldns_buffer * | rawsig_buf, | |
ldns_buffer * | verify_buf, | |||
ldns_buffer * | key_buf, | |||
uint8_t | algo | |||
) |
Verifies the already processed data in the buffers. This function should probably not be used directly.
[in] | rawsig_buf | Buffer containing signature data to use |
[in] | verify_buf | Buffer containing data to verify |
[in] | key_buf | Buffer containing key data to use |
[in] | algo | Signing algorithm |
Definition at line 118 of file dnssec.c.
References LDNS_DSA, LDNS_RSAMD5, LDNS_RSASHA1, LDNS_STATUS_CRYPTO_UNKNOWN_ALGO, ldns_verify_rrsig_dsa(), ldns_verify_rrsig_rsamd5(), and ldns_verify_rrsig_rsasha1().
ldns_status ldns_verify_rrsig_keylist | ( | ldns_rr_list * | rrset, | |
ldns_rr * | rrsig, | |||
ldns_rr_list * | keys, | |||
ldns_rr_list * | good_keys | |||
) |
Verifies an rrsig.
All keys in the keyset are tried.
[in] | rrset | the rrset to check |
[in] | rrsig | the signature of the rrset |
[in] | keys | the keys to try |
[out] | good_keys | if this is an (initialized) list, the keys from keys that validate one of the signatures are added to it |
Definition at line 149 of file dnssec.c.
References ldns_buffer_free(), ldns_buffer_new(), ldns_calc_keytag(), ldns_dname2canonical(), ldns_dname_cat(), ldns_dname_label_count(), ldns_dname_left_chop(), LDNS_MAX_PACKETLEN, ldns_rdf2buffer_wire(), ldns_rdf2native_int16(), ldns_rdf2native_int32(), ldns_rdf2native_int8(), ldns_rdf2native_time_t(), ldns_rdf2rr_type(), ldns_rdf_clone(), ldns_rdf_deep_free(), ldns_rr2canonical(), ldns_rr_get_type(), ldns_rr_list2buffer_wire(), ldns_rr_list_cat(), ldns_rr_list_clone(), ldns_rr_list_deep_free(), ldns_rr_list_free(), ldns_rr_list_new(), ldns_rr_list_push_rr(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), ldns_rr_list_sort(), ldns_rr_owner(), ldns_rr_rdf(), ldns_rr_rrsig_expiration(), ldns_rr_rrsig_inception(), ldns_rr_rrsig_keytag(), ldns_rr_rrsig_typecovered(), ldns_rr_set_owner(), ldns_rr_set_ttl(), ldns_rrsig2buffer_wire(), LDNS_STATUS_CRYPTO_EXPIRATION_BEFORE_INCEPTION, LDNS_STATUS_CRYPTO_NO_MATCHING_KEYTAG_DNSKEY, LDNS_STATUS_CRYPTO_SIG_EXPIRED, LDNS_STATUS_CRYPTO_SIG_NOT_INCEPTED, LDNS_STATUS_CRYPTO_TYPE_COVERED_ERR, LDNS_STATUS_ERR, LDNS_STATUS_MEM_ERR, LDNS_STATUS_OK, ldns_str2rdf_dname(), and ldns_verify_rrsig_buffers().
ldns_status ldns_verify_rrsig | ( | ldns_rr_list * | rrset, | |
ldns_rr * | rrsig, | |||
ldns_rr * | key | |||
) |
verify an rrsig with 1 key
[in] | rrset | the rrset |
[in] | rrsig | the rrsig to verify |
[in] | key | the key to use |
Definition at line 335 of file dnssec.c.
References ldns_buffer_free(), ldns_buffer_new(), ldns_calc_keytag(), LDNS_DH, ldns_dname2canonical(), ldns_dname_cat(), ldns_dname_label_count(), ldns_dname_left_chop(), LDNS_DSA, LDNS_ECC, LDNS_INDIRECT, LDNS_MAX_PACKETLEN, ldns_rdf2buffer_wire(), ldns_rdf2native_int16(), ldns_rdf2native_int32(), ldns_rdf2native_int8(), ldns_rdf2native_time_t(), ldns_rdf_clone(), ldns_rdf_deep_free(), ldns_rr2canonical(), ldns_rr_list2buffer_wire(), ldns_rr_list_clone(), ldns_rr_list_deep_free(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), ldns_rr_list_sort(), ldns_rr_owner(), ldns_rr_rdf(), ldns_rr_rrsig_expiration(), ldns_rr_rrsig_inception(), ldns_rr_rrsig_keytag(), ldns_rr_set_owner(), ldns_rr_set_ttl(), ldns_rrsig2buffer_wire(), LDNS_RSAMD5, LDNS_RSASHA1, LDNS_STATUS_CRYPTO_ALGO_NOT_IMPL, LDNS_STATUS_CRYPTO_EXPIRATION_BEFORE_INCEPTION, LDNS_STATUS_CRYPTO_NO_MATCHING_KEYTAG_DNSKEY, LDNS_STATUS_CRYPTO_SIG_EXPIRED, LDNS_STATUS_CRYPTO_SIG_NOT_INCEPTED, LDNS_STATUS_CRYPTO_UNKNOWN_ALGO, LDNS_STATUS_ERR, LDNS_STATUS_MEM_ERR, LDNS_STATUS_NO_DATA, LDNS_STATUS_OK, ldns_str2rdf_dname(), and ldns_verify_rrsig_buffers().
ldns_status ldns_verify_rrsig_dsa | ( | ldns_buffer * | sig, | |
ldns_buffer * | rrset, | |||
ldns_buffer * | key | |||
) |
Verifies a buffer of DSA signature data against a buffer of rrset data, using a buffer of key data.
[in] | sig | the signature data |
[in] | rrset | the rrset data, sorted and processed for verification |
[in] | key | the key data |
Definition at line 507 of file dnssec.c.
References ldns_key_buf2dsa(), LDNS_STATUS_CRYPTO_BOGUS, LDNS_STATUS_ERR, LDNS_STATUS_MEM_ERR, and LDNS_STATUS_OK.
ldns_status ldns_verify_rrsig_rsasha1 | ( | ldns_buffer * | sig, | |
ldns_buffer * | rrset, | |||
ldns_buffer * | key | |||
) |
Verifies a buffer of RSASHA1 signature data against a buffer of rrset data, using a buffer of key data.
[in] | sig | the signature data |
[in] | rrset | the rrset data, sorted and processed for verification |
[in] | key | the key data |
Definition at line 552 of file dnssec.c.
References ldns_key_buf2rsa(), LDNS_STATUS_CRYPTO_BOGUS, LDNS_STATUS_ERR, and LDNS_STATUS_OK.
ldns_status ldns_verify_rrsig_rsamd5 | ( | ldns_buffer * | sig, | |
ldns_buffer * | rrset, | |||
ldns_buffer * | key | |||
) |
Verifies a buffer of RSAMD5 signature data against a buffer of rrset data, using a buffer of key data.
[in] | sig | the signature data |
[in] | rrset | the rrset data, sorted and processed for verification |
[in] | key | the key data |
Definition at line 582 of file dnssec.c.
References ldns_key_buf2rsa(), LDNS_STATUS_CRYPTO_BOGUS, LDNS_STATUS_ERR, and LDNS_STATUS_OK.
DSA* ldns_key_buf2dsa | ( | ldns_buffer * | key | ) |
RSA* ldns_key_buf2rsa | ( | ldns_buffer * | key | ) |
returns a new DS rr that represents the given key rr.
[in] | key | the key to convert |
[in] | h | the hash to use LDNS_SHA1/LDNS_SHA256 |
Definition at line 690 of file dnssec.c.
References ldns_buffer_free(), ldns_buffer_new(), ldns_calc_keytag(), ldns_dname2canonical(), LDNS_FREE, LDNS_MAX_PACKETLEN, ldns_rdf2buffer_wire(), ldns_rdf_clone(), ldns_rdf_deep_free(), ldns_rdf_new_frm_data(), LDNS_RDF_TYPE_HEX, LDNS_RDF_TYPE_INT16, LDNS_RDF_TYPE_INT8, ldns_rr_free(), ldns_rr_get_class(), ldns_rr_get_type(), ldns_rr_new(), ldns_rr_owner(), ldns_rr_push_rdf(), ldns_rr_rdata2buffer_wire(), ldns_rr_rdf(), ldns_rr_set_class(), ldns_rr_set_owner(), ldns_rr_set_ttl(), ldns_rr_set_type(), ldns_rr_ttl(), LDNS_RR_TYPE_DNSKEY, LDNS_RR_TYPE_DS, LDNS_SHA1, LDNS_SHA256, LDNS_STATUS_OK, and LDNS_XMALLOC.
ldns_rr_list* ldns_sign_public | ( | ldns_rr_list * | rrset, | |
ldns_key_list * | keys | |||
) |
Sign an rrset.
[in] | rrset | the rrset |
[in] | keys | the keys to use |
Definition at line 809 of file dnssec.c.
References ldns_buffer_free(), ldns_buffer_new(), LDNS_DEFAULT_EXP_TIME, ldns_dname_cat_clone(), ldns_dname_label(), ldns_dname_label_count(), ldns_dname_left_chop(), ldns_key_algorithm(), ldns_key_dsa_key(), ldns_key_expiration(), ldns_key_flags(), ldns_key_inception(), ldns_key_keytag(), ldns_key_list_key(), ldns_key_list_key_count(), ldns_key_pubkey_owner(), ldns_key_rsa_key(), LDNS_KEY_SEP_KEY, LDNS_KEY_ZONE_KEY, LDNS_MAX_PACKETLEN, ldns_native2rdf_int16(), ldns_native2rdf_int32(), ldns_native2rdf_int8(), ldns_rdf_clone(), ldns_rdf_compare(), ldns_rdf_deep_free(), LDNS_RDF_TYPE_ALG, LDNS_RDF_TYPE_INT16, LDNS_RDF_TYPE_INT32, LDNS_RDF_TYPE_INT8, LDNS_RDF_TYPE_TIME, LDNS_RDF_TYPE_TYPE, ldns_rr2canonical(), ldns_rr_get_type(), ldns_rr_list2buffer_wire(), ldns_rr_list_clone(), ldns_rr_list_deep_free(), ldns_rr_list_new(), ldns_rr_list_push_rr(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), ldns_rr_list_sort(), ldns_rr_new_frm_type(), ldns_rr_owner(), ldns_rr_rrsig_set_algorithm(), ldns_rr_rrsig_set_expiration(), ldns_rr_rrsig_set_inception(), ldns_rr_rrsig_set_keytag(), ldns_rr_rrsig_set_labels(), ldns_rr_rrsig_set_origttl(), ldns_rr_rrsig_set_sig(), ldns_rr_rrsig_set_signame(), ldns_rr_rrsig_set_typecovered(), ldns_rr_set_owner(), ldns_rr_set_ttl(), ldns_rr_ttl(), LDNS_RR_TYPE_DNSKEY, LDNS_RR_TYPE_RRSIG, ldns_rrsig2buffer_wire(), LDNS_SIGN_DSA, ldns_sign_public_dsa(), ldns_sign_public_rsamd5(), ldns_sign_public_rsasha1(), LDNS_SIGN_RSAMD5, LDNS_SIGN_RSASHA1, LDNS_STATUS_OK, and ldns_str2rdf_dname().
ldns_rdf* ldns_sign_public_dsa | ( | ldns_buffer * | to_sign, | |
DSA * | key | |||
) |
Sign a buffer with the DSA key (hash with SHA1).
[in] | to_sign | buffer with the data |
[in] | key | the key to use |
Definition at line 979 of file dnssec.c.
References ldns_buffer_free(), ldns_buffer_new(), LDNS_FREE, LDNS_MAX_PACKETLEN, ldns_rdf_new_frm_data(), LDNS_RDF_TYPE_B64, and LDNS_XMALLOC.
ldns_rdf* ldns_sign_public_rsasha1 | ( | ldns_buffer * | to_sign, | |
RSA * | key | |||
) |
Sign a buffer with the RSA key (hash with SHA1).
[in] | to_sign | buffer with the data |
[in] | key | the key to use |
Definition at line 1028 of file dnssec.c.
References ldns_buffer_free(), ldns_buffer_new(), LDNS_MAX_PACKETLEN, ldns_rdf_new_frm_data(), and LDNS_RDF_TYPE_B64.
ldns_rdf* ldns_sign_public_rsamd5 | ( | ldns_buffer * | to_sign, | |
RSA * | key | |||
) |
Sign a buffer with the RSA key (hash with MD5).
[in] | to_sign | buffer with the data |
[in] | key | the key to use |
Definition at line 1063 of file dnssec.c.
References ldns_buffer_free(), ldns_buffer_new(), LDNS_MAX_PACKETLEN, ldns_rdf_new_frm_data(), and LDNS_RDF_TYPE_B64.
ldns_rr* ldns_create_nsec | ( | ldns_rdf * | cur_owner, | |
ldns_rdf * | next_owner, | |||
ldns_rr_list * | rrs | |||
) |
Create a NSEC record.
[in] | cur_owner | the current owner which should be taken as the starting point |
[in] | next_owner | the next owner name which the NSEC RR should point to |
[in] | rrs | all rrs from the zone, to find all RR types of cur_owner in |
Definition at line 1093 of file dnssec.c.
References LDNS_FREE, ldns_rdf_clone(), ldns_rdf_compare(), ldns_rdf_new_frm_data(), LDNS_RDF_TYPE_NSEC, ldns_rr_get_type(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), ldns_rr_new(), ldns_rr_owner(), ldns_rr_push_rdf(), ldns_rr_set_owner(), ldns_rr_set_type(), LDNS_RR_TYPE_NSEC, LDNS_RR_TYPE_RRSIG, ldns_set_bit(), LDNS_XMALLOC, and LDNS_XREALLOC.
bool ldns_nsec_bitmap_covers_type | ( | const ldns_rdf * | nsec_bitmap, | |
ldns_rr_type | type | |||
) |
Checks coverage of NSEC RR type bitmap.
[in] | nsec_bitmap | The NSEC bitmap rdata field to check |
[in] | type | The type to check |
Definition at line 1204 of file dnssec.c.
References ldns_get_bit(), ldns_rdf_data(), and ldns_rdf_size().
Checks coverage of NSEC RR name span. Remember that nsec and name must both be in canonical form (i.e. use ldns_rr2canonical and ldns_dname2canonical prior to calling this function).
[in] | nsec | The NSEC RR to check |
[in] | name | The owner dname to check |
Definition at line 1239 of file dnssec.c.
References ldns_dname_compare(), ldns_rr_owner(), and ldns_rr_rdf().
ldns_status ldns_pkt_verify | ( | ldns_pkt * | p, | |
ldns_rr_type | t, | |||
ldns_rdf * | o, | |||
ldns_rr_list * | k, | |||
ldns_rr_list * | s, | |||
ldns_rr_list * | good_keys | |||
) |
verify a packet
[in] | p | the packet |
[in] | t | the rr set type to check |
[in] | o | the rr set name to check |
[in] | k | list of keys |
[in] | s | list of sigs (may be null) |
[out] | good_keys | keys which validated the packet |
Definition at line 1255 of file dnssec.c.
References ldns_pkt_rr_list_by_name_and_type(), ldns_rdf_new(), LDNS_RDF_TYPE_TYPE, ldns_rr_list_subtype_by_rdf(), LDNS_RR_TYPE_RRSIG, LDNS_SECTION_ANY_NOQUESTION, LDNS_STATUS_ERR, and ldns_verify().
ldns_zone* ldns_zone_sign | ( | const ldns_zone * | zone, | |
ldns_key_list * | key_list | |||
) |
Signs the given zone with the given keys and returns a newly allocated signed zone. Extra arguments will come later (expiration etc.).
[in] | zone | the zone to sign |
[in] | key_list | the list of keys to sign the zone with |
Definition at line 1310 of file dnssec.c.
References ldns_create_nsec(), ldns_dname_is_subdomain(), ldns_key2rr(), ldns_key_list_key(), ldns_key_list_key_count(), ldns_rdf2native_int32(), ldns_rdf_compare(), ldns_rr_clone(), ldns_rr_get_type(), ldns_rr_list_clone(), ldns_rr_list_contains_rr(), ldns_rr_list_deep_free(), ldns_rr_list_free(), ldns_rr_list_new(), ldns_rr_list_pop_rrset(), ldns_rr_list_push_rr(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), ldns_rr_list_sort(), ldns_rr_owner(), ldns_rr_rdf(), ldns_rr_set_ttl(), LDNS_RR_TYPE_NS, LDNS_RR_TYPE_RRSIG, ldns_sign_public(), ldns_zone_deep_free(), ldns_zone_glue_rr_list(), ldns_zone_new(), ldns_zone_push_rr_list(), ldns_zone_rrs(), ldns_zone_set_soa(), and ldns_zone_soa().