From: Willem Toorop Date: Thu, 3 Nov 2011 23:03:11 +0000 (+0000) Subject: Initial work on passing check_time down for validating. X-Git-Tag: release-1.6.12~48 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a8b349b42fefc09dce7787aad0c791cacd6e60b6;p=thirdparty%2Fldns.git Initial work on passing check_time down for validating. It may well fail the tests. --- diff --git a/dnssec.c b/dnssec.c index 45430cd4..c4194370 100644 --- a/dnssec.c +++ b/dnssec.c @@ -1418,9 +1418,11 @@ ldns_nsec_covers_name(const ldns_rr *nsec, const ldns_rdf *name) #ifdef HAVE_SSL /* sig may be null - if so look in the packet */ + ldns_status -ldns_pkt_verify(ldns_pkt *p, ldns_rr_type t, ldns_rdf *o, - ldns_rr_list *k, ldns_rr_list *s, ldns_rr_list *good_keys) +ldns_pkt_verify_time(ldns_pkt *p, ldns_rr_type t, ldns_rdf *o, + ldns_rr_list *k, ldns_rr_list *s, + time_t check_time, ldns_rr_list *good_keys) { ldns_rr_list *rrset; ldns_rr_list *sigs; @@ -1475,7 +1477,14 @@ ldns_pkt_verify(ldns_pkt *p, ldns_rr_type t, ldns_rdf *o, return LDNS_STATUS_ERR; } - return ldns_verify(rrset, sigs, k, good_keys); + return ldns_verify_time(rrset, sigs, k, check_time, good_keys); +} + +ldns_status +ldns_pkt_verify(ldns_pkt *p, ldns_rr_type t, ldns_rdf *o, + ldns_rr_list *k, ldns_rr_list *s, ldns_rr_list *good_keys) +{ + return ldns_pkt_verify_time(p, t, o, k, s, ldns_time(NULL), good_keys); } #endif /* HAVE_SSL */ diff --git a/dnssec_verify.c b/dnssec_verify.c index 4e51df74..8e492dae 100644 --- a/dnssec_verify.c +++ b/dnssec_verify.c @@ -688,7 +688,11 @@ ldns_dnssec_trust_tree_add_parent(ldns_dnssec_trust_tree *tree, /* if rr is null, take the first from the rrset */ ldns_dnssec_trust_tree * -ldns_dnssec_derive_trust_tree(ldns_dnssec_data_chain *data_chain, ldns_rr *rr) +ldns_dnssec_derive_trust_tree_time( + ldns_dnssec_data_chain *data_chain, + ldns_rr *rr, + time_t check_time + ) { ldns_rr_list *cur_rrset; ldns_rr_list *cur_sigs; @@ -752,28 +756,31 @@ ldns_dnssec_derive_trust_tree(ldns_dnssec_data_chain *data_chain, ldns_rr *rr) } /* option 1 */ if (data_chain->parent) { - ldns_dnssec_derive_trust_tree_normal_rrset( + ldns_dnssec_derive_trust_tree_normal_rrset_time( new_tree, data_chain, - cur_sig_rr); + cur_sig_rr, + check_time); } /* option 2 */ - ldns_dnssec_derive_trust_tree_dnskey_rrset( + ldns_dnssec_derive_trust_tree_dnskey_rrset_time( new_tree, data_chain, cur_rr, - cur_sig_rr); + cur_sig_rr, + check_time); } - ldns_dnssec_derive_trust_tree_ds_rrset(new_tree, - data_chain, - cur_rr); + ldns_dnssec_derive_trust_tree_ds_rrset_time( + new_tree, data_chain, + cur_rr, check_time); } else { /* no signatures? maybe it's nsec data */ /* just add every rr from parent as new parent */ - ldns_dnssec_derive_trust_tree_no_sig(new_tree, data_chain); + ldns_dnssec_derive_trust_tree_no_sig_time( + new_tree, data_chain, check_time); } } } @@ -781,10 +788,18 @@ ldns_dnssec_derive_trust_tree(ldns_dnssec_data_chain *data_chain, ldns_rr *rr) return new_tree; } +ldns_dnssec_trust_tree * +ldns_dnssec_derive_trust_tree(ldns_dnssec_data_chain *data_chain, ldns_rr *rr) +{ + return ldns_dnssec_derive_trust_tree_time(data_chain, rr, ldns_time(NULL)); +} + void -ldns_dnssec_derive_trust_tree_normal_rrset(ldns_dnssec_trust_tree *new_tree, - ldns_dnssec_data_chain *data_chain, - ldns_rr *cur_sig_rr) +ldns_dnssec_derive_trust_tree_normal_rrset_time( + ldns_dnssec_trust_tree *new_tree, + ldns_dnssec_data_chain *data_chain, + ldns_rr *cur_sig_rr, + time_t check_time) { size_t i, j; ldns_rr_list *cur_rrset = ldns_rr_list_clone(data_chain->rrset); @@ -829,9 +844,11 @@ ldns_dnssec_derive_trust_tree_normal_rrset(ldns_dnssec_trust_tree *new_tree, ldns_rr_list_pop_rrset(cur_rrset); } } - cur_status = ldns_verify_rrsig(tmp_rrset, - cur_sig_rr, - cur_parent_rr); + cur_status = ldns_verify_rrsig_time( + tmp_rrset, + cur_sig_rr, + cur_parent_rr, + check_time); /* avoid dupes */ for (i = 0; i < new_tree->parent_count; i++) { if (cur_parent_rr == new_tree->parents[i]->rr) { @@ -840,8 +857,10 @@ ldns_dnssec_derive_trust_tree_normal_rrset(ldns_dnssec_trust_tree *new_tree, } cur_parent_tree = - ldns_dnssec_derive_trust_tree(data_chain->parent, - cur_parent_rr); + ldns_dnssec_derive_trust_tree_time( + data_chain->parent, + cur_parent_rr, + check_time); (void)ldns_dnssec_trust_tree_add_parent(new_tree, cur_parent_tree, cur_sig_rr, @@ -858,10 +877,21 @@ ldns_dnssec_derive_trust_tree_normal_rrset(ldns_dnssec_trust_tree *new_tree, } void -ldns_dnssec_derive_trust_tree_dnskey_rrset(ldns_dnssec_trust_tree *new_tree, +ldns_dnssec_derive_trust_tree_normal_rrset(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, - ldns_rr *cur_rr, ldns_rr *cur_sig_rr) +{ + ldns_dnssec_derive_trust_tree_normal_rrset_time( + new_tree, data_chain, cur_sig_rr, ldns_time(NULL)); +} + +void +ldns_dnssec_derive_trust_tree_dnskey_rrset_time( + ldns_dnssec_trust_tree *new_tree, + ldns_dnssec_data_chain *data_chain, + ldns_rr *cur_rr, + ldns_rr *cur_sig_rr, + time_t check_time) { size_t j; ldns_rr_list *cur_rrset = data_chain->rrset; @@ -881,9 +911,9 @@ ldns_dnssec_derive_trust_tree_dnskey_rrset(ldns_dnssec_trust_tree *new_tree, cur_parent_tree = ldns_dnssec_trust_tree_new(); cur_parent_tree->rr = cur_parent_rr; cur_parent_tree->rrset = cur_rrset; - cur_status = ldns_verify_rrsig(cur_rrset, - cur_sig_rr, - cur_parent_rr); + cur_status = ldns_verify_rrsig_time( + cur_rrset, cur_sig_rr, + cur_parent_rr, check_time); (void) ldns_dnssec_trust_tree_add_parent(new_tree, cur_parent_tree, cur_sig_rr, cur_status); } @@ -892,9 +922,21 @@ ldns_dnssec_derive_trust_tree_dnskey_rrset(ldns_dnssec_trust_tree *new_tree, } void -ldns_dnssec_derive_trust_tree_ds_rrset(ldns_dnssec_trust_tree *new_tree, - ldns_dnssec_data_chain *data_chain, - ldns_rr *cur_rr) +ldns_dnssec_derive_trust_tree_dnskey_rrset(ldns_dnssec_trust_tree *new_tree, + ldns_dnssec_data_chain *data_chain, + ldns_rr *cur_rr, + ldns_rr *cur_sig_rr) +{ + ldns_dnssec_derive_trust_tree_dnskey_rrset_time( + new_tree, data_chain, cur_rr, cur_sig_rr, ldns_time(NULL)); +} + +void +ldns_dnssec_derive_trust_tree_ds_rrset_time( + ldns_dnssec_trust_tree *new_tree, + ldns_dnssec_data_chain *data_chain, + ldns_rr *cur_rr, + time_t check_time) { size_t j, h; ldns_rr_list *cur_rrset = data_chain->rrset; @@ -915,8 +957,10 @@ ldns_dnssec_derive_trust_tree_ds_rrset(ldns_dnssec_trust_tree *new_tree, cur_rr = ldns_rr_list_rr(cur_rrset, h); if (ldns_rr_compare_ds(cur_rr, cur_parent_rr)) { cur_parent_tree = - ldns_dnssec_derive_trust_tree( - data_chain->parent, cur_parent_rr); + ldns_dnssec_derive_trust_tree_time( + data_chain->parent, + cur_parent_rr, + check_time); (void) ldns_dnssec_trust_tree_add_parent( new_tree, cur_parent_tree, @@ -932,8 +976,19 @@ ldns_dnssec_derive_trust_tree_ds_rrset(ldns_dnssec_trust_tree *new_tree, } void -ldns_dnssec_derive_trust_tree_no_sig(ldns_dnssec_trust_tree *new_tree, - ldns_dnssec_data_chain *data_chain) +ldns_dnssec_derive_trust_tree_ds_rrset(ldns_dnssec_trust_tree *new_tree, + ldns_dnssec_data_chain *data_chain, + ldns_rr *cur_rr) +{ + return ldns_dnssec_derive_trust_tree_ds_rrset_time( + new_tree, data_chain, cur_rr, ldns_time(NULL)); +} + +void +ldns_dnssec_derive_trust_tree_no_sig_time( + ldns_dnssec_trust_tree *new_tree, + ldns_dnssec_data_chain *data_chain, + time_t check_time) { size_t i; ldns_rr_list *cur_rrset; @@ -970,14 +1025,24 @@ ldns_dnssec_derive_trust_tree_no_sig(ldns_dnssec_trust_tree *new_tree, for (i = 0; i < ldns_rr_list_rr_count(cur_rrset); i++) { cur_parent_rr = ldns_rr_list_rr(cur_rrset, i); cur_parent_tree = - ldns_dnssec_derive_trust_tree(data_chain->parent, - cur_parent_rr); + ldns_dnssec_derive_trust_tree_time( + data_chain->parent, + cur_parent_rr, + check_time); (void) ldns_dnssec_trust_tree_add_parent(new_tree, cur_parent_tree, NULL, result); } } } +void +ldns_dnssec_derive_trust_tree_no_sig(ldns_dnssec_trust_tree *new_tree, + ldns_dnssec_data_chain *data_chain) +{ + return ldns_dnssec_derive_trust_tree_no_sig_time( + new_tree, data_chain, ldns_time(NULL)); +} + /* * returns OK if there is a path from tree to key with only OK * the (first) error in between otherwise @@ -1032,8 +1097,13 @@ ldns_dnssec_trust_tree_contains_keys(ldns_dnssec_trust_tree *tree, } ldns_status -ldns_verify(ldns_rr_list *rrset, ldns_rr_list *rrsig, const ldns_rr_list *keys, - ldns_rr_list *good_keys) +ldns_verify_time( + ldns_rr_list *rrset, + ldns_rr_list *rrsig, + const ldns_rr_list *keys, + time_t check_time, + ldns_rr_list *good_keys + ) { uint16_t i; ldns_status verify_result = LDNS_STATUS_ERR; @@ -1054,8 +1124,9 @@ ldns_verify(ldns_rr_list *rrset, ldns_rr_list *rrsig, const ldns_rr_list *keys, verify_result = LDNS_STATUS_CRYPTO_NO_TRUSTED_DNSKEY; } else { for (i = 0; i < ldns_rr_list_rr_count(rrsig); i++) { - ldns_status s = ldns_verify_rrsig_keylist(rrset, - ldns_rr_list_rr(rrsig, i), keys, good_keys); + ldns_status s = ldns_verify_rrsig_keylist_time( + rrset, ldns_rr_list_rr(rrsig, i), + keys, check_time, good_keys); /* try a little to get more descriptive error */ if(s == LDNS_STATUS_OK) { verify_result = LDNS_STATUS_OK; @@ -1069,6 +1140,13 @@ ldns_verify(ldns_rr_list *rrset, ldns_rr_list *rrsig, const ldns_rr_list *keys, return verify_result; } +ldns_status +ldns_verify(ldns_rr_list *rrset, ldns_rr_list *rrsig, const ldns_rr_list *keys, + ldns_rr_list *good_keys) +{ + return ldns_verify_time(rrset, rrsig, keys, ldns_time(NULL), good_keys); +} + ldns_status ldns_verify_notime(ldns_rr_list *rrset, ldns_rr_list *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys) @@ -1110,9 +1188,10 @@ ldns_verify_notime(ldns_rr_list *rrset, ldns_rr_list *rrsig, } ldns_rr_list * -ldns_fetch_valid_domain_keys(const ldns_resolver *res, +ldns_fetch_valid_domain_keys_time(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, + time_t check_time, ldns_status *status) { ldns_rr_list * trusted_keys = NULL; @@ -1123,9 +1202,8 @@ ldns_fetch_valid_domain_keys(const ldns_resolver *res, if (res && domain && keys) { - if ((trusted_keys = ldns_validate_domain_dnskey(res, - domain, - keys))) { + if ((trusted_keys = ldns_validate_domain_dnskey_time(res, + domain, keys, check_time))) { *status = LDNS_STATUS_OK; } else { /* No trusted keys in this domain, we'll have to find some in the parent domain */ @@ -1136,20 +1214,24 @@ ldns_fetch_valid_domain_keys(const ldns_resolver *res, /* Fail if we are at the root */ if ((parent_keys = - ldns_fetch_valid_domain_keys(res, + ldns_fetch_valid_domain_keys_time(res, parent_domain, keys, + check_time, status))) { /* Check DS records */ if ((ds_keys = - ldns_validate_domain_ds(res, + ldns_validate_domain_ds_time(res, domain, - parent_keys))) { + parent_keys, + check_time))) { trusted_keys = - ldns_fetch_valid_domain_keys(res, - domain, - ds_keys, - status); + ldns_fetch_valid_domain_keys_time( + res, + domain, + ds_keys, + check_time, + status); ldns_rr_list_deep_free(ds_keys); } else { /* No valid DS at the parent -- fail */ @@ -1172,9 +1254,22 @@ ldns_fetch_valid_domain_keys(const ldns_resolver *res, } ldns_rr_list * -ldns_validate_domain_dnskey(const ldns_resolver * res, - const ldns_rdf * domain, - const ldns_rr_list * keys) +ldns_fetch_valid_domain_keys(const ldns_resolver *res, + const ldns_rdf *domain, + const ldns_rr_list *keys, + ldns_status *status) +{ + return ldns_fetch_valid_domain_keys_time( + res, domain, keys, ldns_time(NULL), status); +} + +ldns_rr_list * +ldns_validate_domain_dnskey_time( + const ldns_resolver * res, + const ldns_rdf * domain, + const ldns_rr_list * keys, + time_t check_time + ) { ldns_pkt * keypkt; ldns_rr * cur_key; @@ -1215,9 +1310,11 @@ ldns_validate_domain_dnskey(const ldns_resolver * res, if (ldns_rdf2native_int16( ldns_rr_rrsig_keytag(cur_sig)) == ldns_calc_keytag(cur_key)) { - if (ldns_verify_rrsig(domain_keys, - cur_sig, - cur_key) + if (ldns_verify_rrsig_time( + domain_keys, + cur_sig, + cur_key, + check_time) == LDNS_STATUS_OK) { /* Push the whole rrset @@ -1261,9 +1358,20 @@ ldns_validate_domain_dnskey(const ldns_resolver * res, } ldns_rr_list * -ldns_validate_domain_ds(const ldns_resolver *res, - const ldns_rdf * domain, - const ldns_rr_list * keys) +ldns_validate_domain_dnskey(const ldns_resolver * res, + const ldns_rdf * domain, + const ldns_rr_list * keys) +{ + return ldns_validate_domain_dnskey_time( + res, domain, keys, ldns_time(NULL)); +} + +ldns_rr_list * +ldns_validate_domain_ds_time( + const ldns_resolver *res, + const ldns_rdf * domain, + const ldns_rr_list * keys, + time_t check_time) { ldns_pkt * dspkt; uint16_t key_i; @@ -1283,7 +1391,8 @@ ldns_validate_domain_ds(const ldns_resolver *res, LDNS_SECTION_ANSWER); /* Validate sigs */ - if (ldns_verify(rrset, sigs, keys, NULL) == LDNS_STATUS_OK) { + if (ldns_verify_time(rrset, sigs, keys, check_time, NULL) + == LDNS_STATUS_OK) { trusted_keys = ldns_rr_list_new(); for (key_i=0; key_irr, keys, good_keys); + status = ldns_verify_rrsig_keylist_time( + rrset_rrs, cur_sig->rr, + keys, check_time, good_keys); if (status != LDNS_STATUS_OK) { if (verbosity > 0) { printf("Error: %s", @@ -464,7 +467,9 @@ verify_dnssec_name(ldns_rdf *zone_name, ldns_dnssec_zone *zone, ldns_rbtree_t *zone_nodes, ldns_rbnode_t *cur_node, - ldns_rr_list *keys) + ldns_rr_list *keys, + time_t check_time + ) { ldns_status result = LDNS_STATUS_OK; ldns_status status; @@ -526,8 +531,9 @@ verify_dnssec_name(ldns_rdf *zone_name, cur_rrset->type != LDNS_RR_TYPE_RRSIG && cur_rrset->type != LDNS_RR_TYPE_NSEC)) { - status = verify_dnssec_rrset(zone_name, - name->name, cur_rrset, keys); + status = verify_dnssec_rrset( + zone_name, name->name, + cur_rrset, keys, check_time); if (status != LDNS_STATUS_OK && result == LDNS_STATUS_OK) { result = status; @@ -545,9 +551,14 @@ verify_dnssec_name(ldns_rdf *zone_name, } static ldns_status -verify_dnssec_zone(ldns_dnssec_zone *dnssec_zone, - ldns_rdf *zone_name, bool apexonly, int percentage) { - +verify_dnssec_zone( + ldns_dnssec_zone *dnssec_zone, + ldns_rdf *zone_name, + bool apexonly, + int percentage, + time_t check_time + ) +{ ldns_rr_list *keys; ldns_rbnode_t *cur_node; ldns_dnssec_rrsets *cur_key_rrset; @@ -604,7 +615,8 @@ verify_dnssec_zone(ldns_dnssec_zone *dnssec_zone, dnssec_zone, dnssec_zone->names, cur_node, - keys); + keys, + check_time); if (status != LDNS_STATUS_OK && result == LDNS_STATUS_OK) { result = status; @@ -632,6 +644,7 @@ main(int argc, char **argv) ldns_status result = LDNS_STATUS_ERR; bool apexonly = false; int percentage = 100; + time_t check_time = ldns_time(NULL); while ((c = getopt(argc, argv, "ahvV:p:")) != -1) { switch(c) { @@ -717,7 +730,7 @@ main(int argc, char **argv) result = verify_dnssec_zone(dnssec_zone, ldns_rr_owner(ldns_zone_soa(z)), - apexonly, percentage); + apexonly, percentage, check_time); if (result == LDNS_STATUS_OK) { if (verbosity >= 1) { diff --git a/ldns/dnssec.h b/ldns/dnssec.h index 78635516..9e602b5b 100644 --- a/ldns/dnssec.h +++ b/ldns/dnssec.h @@ -395,6 +395,21 @@ bool ldns_nsec_covers_name(const ldns_rr *nsec, const ldns_rdf *name); * */ ldns_status ldns_pkt_verify(ldns_pkt *p, ldns_rr_type t, ldns_rdf *o, ldns_rr_list *k, ldns_rr_list *s, ldns_rr_list *good_keys); + +/** + * verify a packet + * \param[in] p the packet + * \param[in] t the rr set type to check + * \param[in] o the rr set name to check + * \param[in] k list of keys + * \param[in] s list of sigs (may be null) + * \param[in] check_time the time for which the validation is performed + * \param[out] good_keys keys which validated the packet + * \return status + * + */ +ldns_status ldns_pkt_verify_time(ldns_pkt *p, ldns_rr_type t, ldns_rdf *o, ldns_rr_list *k, ldns_rr_list *s, time_t check_time, ldns_rr_list *good_keys); + #endif /** diff --git a/ldns/dnssec_verify.h b/ldns/dnssec_verify.h index 13b3fa32..81462bde 100644 --- a/ldns/dnssec_verify.h +++ b/ldns/dnssec_verify.h @@ -222,6 +222,22 @@ ldns_status ldns_dnssec_trust_tree_add_parent(ldns_dnssec_trust_tree *tree, ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree( ldns_dnssec_data_chain *data_chain, ldns_rr *rr); +/** + * Generates a dnssec_trust_ttree for the given rr from the + * given data_chain + * + * This does not clone the actual data; Don't free the + * data_chain before you are done with this tree + * + * \param[in] *data_chain The chain to derive the trust tree from + * \param[in] *rr The RR this tree will be about + * \param[in] check_time the time for which the validation is performed + * \return ldns_dnssec_trust_tree * + */ +ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree_time( + ldns_dnssec_data_chain *data_chain, + ldns_rr *rr, time_t check_time); + /** * Sub function for derive_trust_tree that is used for a 'normal' rrset @@ -235,6 +251,20 @@ void ldns_dnssec_derive_trust_tree_normal_rrset( ldns_dnssec_data_chain *data_chain, ldns_rr *cur_sig_rr); +/** + * Sub function for derive_trust_tree that is used for a 'normal' rrset + * + * \param[in] new_tree The trust tree that we are building + * \param[in] data_chain The data chain containing the data for the trust tree + * \param[in] cur_sig_rr The currently relevant signature + * \param[in] check_time the time for which the validation is performed + */ +void ldns_dnssec_derive_trust_tree_normal_rrset_time( + ldns_dnssec_trust_tree *new_tree, + ldns_dnssec_data_chain *data_chain, + ldns_rr *cur_sig_rr, time_t check_time); + + /** * Sub function for derive_trust_tree that is used for DNSKEY rrsets * @@ -249,6 +279,38 @@ void ldns_dnssec_derive_trust_tree_dnskey_rrset( ldns_rr *cur_rr, ldns_rr *cur_sig_rr); +/** + * Sub function for derive_trust_tree that is used for DNSKEY rrsets + * + * \param[in] new_tree The trust tree that we are building + * \param[in] data_chain The data chain containing the data for the trust tree + * \param[in] cur_rr The currently relevant DNSKEY RR + * \param[in] cur_sig_rr The currently relevant signature + * \param[in] check_time the time for which the validation is performed + */ +void ldns_dnssec_derive_trust_tree_dnskey_rrset_time( + ldns_dnssec_trust_tree *new_tree, + ldns_dnssec_data_chain *data_chain, + ldns_rr *cur_rr, ldns_rr *cur_sig_rr, + time_t check_time); + + +/** + * Sub function for derive_trust_tree that is used for DNSKEY rrsets + * + * \param[in] new_tree The trust tree that we are building + * \param[in] data_chain The data chain containing the data for the trust tree + * \param[in] cur_rr The currently relevant DNSKEY RR + * \param[in] cur_sig_rr The currently relevant signature + * \param[in] check_time the time for which the validation is performed + */ +void ldns_dnssec_derive_trust_tree_dnskey_rrset_time( + ldns_dnssec_trust_tree *new_tree, + ldns_dnssec_data_chain *data_chain, + ldns_rr *cur_rr, ldns_rr *cur_sig_rr, + time_t check_time); + + /** * Sub function for derive_trust_tree that is used for DS rrsets * @@ -261,6 +323,19 @@ void ldns_dnssec_derive_trust_tree_ds_rrset( ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr); +/** + * Sub function for derive_trust_tree that is used for DS rrsets + * + * \param[in] new_tree The trust tree that we are building + * \param[in] data_chain The data chain containing the data for the trust tree + * \param[in] cur_rr The currently relevant DS RR + * \param[in] check_time the time for which the validation is performed + */ +void ldns_dnssec_derive_trust_tree_ds_rrset_time( + ldns_dnssec_trust_tree *new_tree, + ldns_dnssec_data_chain *data_chain, + ldns_rr *cur_rr, time_t check_time); + /** * Sub function for derive_trust_tree that is used when there are no * signatures @@ -272,6 +347,20 @@ void ldns_dnssec_derive_trust_tree_no_sig( ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain); +/** + * Sub function for derive_trust_tree that is used when there are no + * signatures + * + * \param[in] new_tree The trust tree that we are building + * \param[in] data_chain The data chain containing the data for the trust tree + * \param[in] check_time the time for which the validation is performed + */ +void ldns_dnssec_derive_trust_tree_no_sig_time( + ldns_dnssec_trust_tree *new_tree, + ldns_dnssec_data_chain *data_chain, + time_t check_time); + + /** * Returns OK if there is a trusted path in the tree to one of * the DNSKEY or DS RRs in the given list @@ -302,6 +391,25 @@ ldns_status ldns_verify(ldns_rr_list *rrset, const ldns_rr_list *keys, ldns_rr_list *good_keys); +/** + * Verifies a list of signatures for one rrset. + * + * \param[in] rrset the rrset to verify + * \param[in] rrsig a list of signatures to check + * \param[in] keys a list of keys to check with + * \param[in] check_time the time for which the validation is performed + * \param[out] good_keys if this is a (initialized) list, the pointer to keys + * from keys that validate one of the signatures + * are added to it + * \return status LDNS_STATUS_OK if there is at least one correct key + */ +ldns_status ldns_verify_time(ldns_rr_list *rrset, + ldns_rr_list *rrsig, + const ldns_rr_list *keys, + time_t check_time, + ldns_rr_list *good_keys); + + /** * Verifies a list of signatures for one rrset, but disregard the time. * Inception and Expiration are not checked. @@ -338,6 +446,26 @@ ldns_rr_list *ldns_fetch_valid_domain_keys(const ldns_resolver * res, const ldns_rr_list * keys, ldns_status *status); +/** + * Tries to build an authentication chain from the given + * keys down to the queried domain. + * + * If we find a valid trust path, return the valid keys for the domain. + * + * \param[in] res the current resolver + * \param[in] domain the domain we want valid keys for + * \param[in] keys the current set of trusted keys + * \param[in] check_time the time for which the validation is performed + * \param[out] status pointer to the status variable where the result + * code will be stored + * \return the set of trusted keys for the domain, or NULL if no + * trust path could be built. + */ +ldns_rr_list *ldns_fetch_valid_domain_keys_time(const ldns_resolver * res, + const ldns_rdf * domain, const ldns_rr_list * keys, + time_t check_time, ldns_status *status); + + /** * Validates the DNSKEY RRset for the given domain using the provided * trusted keys. @@ -352,6 +480,22 @@ ldns_rr_list *ldns_validate_domain_dnskey (const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys); +/** + * Validates the DNSKEY RRset for the given domain using the provided + * trusted keys. + * + * \param[in] res the current resolver + * \param[in] domain the domain we want valid keys for + * \param[in] keys the current set of trusted keys + * \param[in] check_time the time for which the validation is performed + * \return the set of trusted keys for the domain, or NULL if the RRSET + * could not be validated + */ +ldns_rr_list *ldns_validate_domain_dnskey_time( + const ldns_resolver *res, const ldns_rdf *domain, + const ldns_rr_list *keys, time_t check_time); + + /** * Validates the DS RRset for the given domain using the provided trusted keys. * @@ -365,6 +509,20 @@ ldns_rr_list *ldns_validate_domain_ds(const ldns_resolver *res, domain, const ldns_rr_list * keys); +/** + * Validates the DS RRset for the given domain using the provided trusted keys. + * + * \param[in] res the current resolver + * \param[in] domain the domain we want valid keys for + * \param[in] keys the current set of trusted keys + * \param[in] check_time the time for which the validation is performed + * \return the set of trusted keys for the domain, or NULL if the RRSET could not be validated + */ +ldns_rr_list *ldns_validate_domain_ds_time( + const ldns_resolver *res, const ldns_rdf *domain, + const ldns_rr_list * keys, time_t check_time); + + /** * Verifies a list of signatures for one RRset using a valid trust path. * @@ -381,6 +539,24 @@ ldns_status ldns_verify_trusted(ldns_resolver *res, ldns_rr_list *rrsigs, ldns_rr_list *validating_keys); +/** + * Verifies a list of signatures for one RRset using a valid trust path. + * + * \param[in] res the current resolver + * \param[in] rrset the rrset to verify + * \param[in] rrsigs a list of signatures to check + * \param[in] check_time the time for which the validation is performed + * \param[out] validating_keys if this is a (initialized) list, the + * keys from keys that validate one of + * the signatures are added to it + * \return status LDNS_STATUS_OK if there is at least one correct key + */ +ldns_status ldns_verify_trusted_time( + ldns_resolver *res, ldns_rr_list *rrset, + ldns_rr_list *rrsigs, time_t check_time, + ldns_rr_list *validating_keys); + + /** * denial is not just a river in egypt * @@ -493,6 +669,24 @@ ldns_status ldns_verify_rrsig_keylist(ldns_rr_list *rrset, const ldns_rr_list *keys, ldns_rr_list *good_keys); +/** + * Verifies an rrsig. All keys in the keyset are tried. + * \param[in] rrset the rrset to check + * \param[in] rrsig the signature of the rrset + * \param[in] keys the keys to try + * \param[in] check_time the time for which the validation is performed + * \param[out] good_keys if this is a (initialized) list, the pointer to keys + * from keys that validate one of the signatures + * are added to it + * \return a list of keys which validate the rrsig + rrset. Returns + * status LDNS_STATUS_OK if at least one key matched. Else an error. + */ +ldns_status ldns_verify_rrsig_keylist_time( + ldns_rr_list *rrset, ldns_rr *rrsig, + const ldns_rr_list *keys, time_t check_time, + ldns_rr_list *good_keys); + + /** * Verifies an rrsig. All keys in the keyset are tried. Time is not checked. * \param[in] rrset the rrset to check @@ -520,6 +714,20 @@ ldns_status ldns_verify_rrsig(ldns_rr_list *rrset, ldns_rr *rrsig, ldns_rr *key); + +/** + * verify an rrsig with 1 key + * \param[in] rrset the rrset + * \param[in] rrsig the rrsig to verify + * \param[in] key the key to use + * \param[in] check_time the time for which the validation is performed + * \return status message wether verification succeeded. + */ +ldns_status ldns_verify_rrsig_time( + ldns_rr_list *rrset, ldns_rr *rrsig, + ldns_rr *key, time_t check_time); + + #if LDNS_BUILD_CONFIG_HAVE_SSL /** * verifies a buffer with signature data for a buffer with rrset data diff --git a/ldns/util.h.in b/ldns/util.h.in index c7b6c8be..f9fb1042 100644 --- a/ldns/util.h.in +++ b/ldns/util.h.in @@ -358,6 +358,8 @@ INLINE size_t ldns_b32_pton_calculate_size(size_t srcsize) } #endif /* !B32_PTON */ +INLINE time_t ldns_time(time_t *t) { return time(t); } + #ifdef __cplusplus } #endif