/*
 * validator/val_secalgo.h - validator security algorithm functions.
 *
 * Copyright (c) 2012, NLnet Labs. All rights reserved.
 *
 * This software is open source.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * Redistributions of source code must retain the above copyright notice,
 * this list of conditions and the following disclaimer.
 *
 * Redistributions in binary form must reproduce the above copyright notice,
 * this list of conditions and the following disclaimer in the documentation
 * and/or other materials provided with the distribution.
 *
 * Neither the name of the NLNET LABS nor the names of its contributors may
 * be used to endorse or promote products derived from this software without
 * specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/**
 * \file
 *
 * This file contains helper functions for the validator module.
 * The functions take buffers with raw data and convert to library calls.
 *
 * The header contains no #include directives of its own: it uses size_t,
 * uint8_t and enum sec_status and relies on the including file to have
 * brought them into scope first. NOTE(review): confirm include order in
 * every translation unit that includes this header.
 *
 * All digest/signature functions below operate on raw, length-delimited
 * byte buffers; the explicit length parameters are the only bounds the
 * callee has, so callers must pass the exact length of the data.
 */

#ifndef VALIDATOR_VAL_SECALGO_H
#define VALIDATOR_VAL_SECALGO_H
/* Opaque types: only pointers to them cross this interface. */
struct sldns_buffer;
struct secalgo_hash;

/**
 * Return size of nsec3 hash algorithm, 0 if not supported.
 * Use the returned size to allocate the result buffer handed to
 * secalgo_nsec3_hash(), and treat 0 as "do not call the hash function".
 * @param id: nsec3 hash algorithm identifier.
 * @return digest size in bytes, or 0 if the algorithm is not supported.
 */
size_t nsec3_hash_algo_size_supported(int id);

/**
 * Hash a single hash call of an NSEC3 hash algorithm.
 * Iterations and salt are done by the caller.
 * @param algo: nsec3 hash algorithm.
 * @param buf: the buffer to digest
 * @param len: length of buffer to digest.
 * @param res: result stored here (must have sufficient space, i.e. at
 *	least nsec3_hash_algo_size_supported(algo) bytes).
 * @return false on failure. On failure the contents of res should not
 *	be used.
 */
int secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
	unsigned char* res);

/**
 * Calculate the sha256 hash for the data buffer into the result.
 * This call has no failure return; the caller guarantees the buffer sizes.
 * @param buf: buffer to digest.
 * @param len: length of the buffer to digest.
 * @param res: result is stored here (space 256/8 bytes).
 */
void secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res);

/**
 * Start a hash of type sha384. Allocates structure, then inits it,
 * so that a series of updates can be performed, before the final result.
 * Ownership of the returned structure passes to the caller, who must
 * release it with secalgo_hash_delete().
 * @return hash structure. NULL on malloc failure or no support.
 */
struct secalgo_hash* secalgo_hash_create_sha384(void);

/**
 * Start a hash of type sha512. Allocates structure, then inits it,
 * so that a series of updates can be performed, before the final result.
 * Ownership of the returned structure passes to the caller, who must
 * release it with secalgo_hash_delete().
 * @return hash structure. NULL on malloc failure or no support.
 */
struct secalgo_hash* secalgo_hash_create_sha512(void);

/**
 * Update a hash with more information to add to it.
 * @param hash: the hash that is updated.
 * @param data: data to add.
 * @param len: length of data.
 * @return false on failure. A failed update leaves the final digest
 *	unreliable; callers should abandon the hash rather than continue.
 */
int secalgo_hash_update(struct secalgo_hash* hash, uint8_t* data, size_t len);

/**
 * Get the final result of the hash.
 * @param hash: the hash that has had updates to it.
 * @param result: where to store the result.
 * @param maxlen: length of the result buffer, eg. size of the allocation.
 * 	If not large enough the routine fails.
 * @param resultlen: the length of the result, returned to the caller.
 * 	How much of maxlen is used.
 * @return false on failure. Check the return value before reading
 *	result or *resultlen; on failure their contents are not specified
 *	by this interface.
 */
int secalgo_hash_final(struct secalgo_hash* hash, uint8_t* result,
	size_t maxlen, size_t* resultlen);

/**
 * Delete the hash structure.
 * @param hash: the hash to delete (as returned by one of the
 *	secalgo_hash_create_* functions).
 */
void secalgo_hash_delete(struct secalgo_hash* hash);

/**
 * Return size of DS digest according to its hash algorithm.
 * Use the returned size to allocate the result buffer for
 * secalgo_ds_digest(); 0 means the algorithm must not be used.
 * @param algo: DS digest algo.
 * @return size in bytes of digest, or 0 if not supported.
 */
size_t ds_digest_size_supported(int algo);

/**
 * Compute the DS digest of a buffer with the given digest algorithm.
 * @param algo: the DS digest algo
 * @param buf: the buffer to digest
 * @param len: length of buffer to digest.
 * @param res: result stored here (must have sufficient space, i.e. at
 *	least ds_digest_size_supported(algo) bytes).
 * @return false on failure.
 */
int secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
	unsigned char* res);

/** return true if DNSKEY algorithm id is supported */
int dnskey_algo_id_is_supported(int id);

/**
 * Check a canonical sig+rrset and signature against a dnskey
 * The signature and key bytes come from the RRSIG and DNSKEY records
 * under validation and are therefore unverified input; sigblock_len and
 * keylen are the only bounds the routine has on them.
 * @param buf: buffer with data to verify, the first rrsig part and the
 *	canonicalized rrset.
 * @param algo: DNSKEY algorithm.
 * @param sigblock: signature rdata field from RRSIG
 * @param sigblock_len: length of sigblock data.
 * @param key: public key data from DNSKEY RR.
 * @param keylen: length of keydata.
 * @param reason: bogus reason in more detail. Presumably an output
 *	parameter; NOTE(review): the storage and lifetime of the string
 *	are not documented here — check the implementation before
 *	retaining or freeing it.
 * @return secure if verification succeeded, bogus on crypto failure,
 *	unchecked on format errors and alloc failures. Only the secure
 *	result means the signature verified; unchecked is not a positive
 *	verdict and must not be treated as one.
 */
enum sec_status verify_canonrrset(struct sldns_buffer* buf, int algo,
	unsigned char* sigblock, unsigned int sigblock_len,
	unsigned char* key, unsigned int keylen, char** reason);

#endif /* VALIDATOR_VAL_SECALGO_H */