xref: /freebsd/contrib/unbound/validator/val_secalgo.h (revision 3fc36ee018bb836bd1796067cf4ef8683f166ebc)
1 /*
2  * validator/val_secalgo.h - validator security algorithm functions.
3  *
4  * Copyright (c) 2012, NLnet Labs. All rights reserved.
5  *
6  * This software is open source.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * Redistributions of source code must retain the above copyright notice,
13  * this list of conditions and the following disclaimer.
14  *
15  * Redistributions in binary form must reproduce the above copyright notice,
16  * this list of conditions and the following disclaimer in the documentation
17  * and/or other materials provided with the distribution.
18  *
19  * Neither the name of the NLNET LABS nor the names of its contributors may
20  * be used to endorse or promote products derived from this software without
21  * specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 /**
37  * \file
38  *
39  * This file contains helper functions for the validator module.
40  * The functions take buffers with raw data and convert to library calls.
41  */
42 
43 #ifndef VALIDATOR_VAL_SECALGO_H
44 #define VALIDATOR_VAL_SECALGO_H
45 struct sldns_buffer;
46 
47 /** Return size of nsec3 hash algorithm, 0 if not supported */
48 size_t nsec3_hash_algo_size_supported(int id);
49 
50 /**
51  * Hash a single hash call of an NSEC3 hash algorithm.
52  * Iterations and salt are done by the caller.
53  * @param algo: nsec3 hash algorithm.
54  * @param buf: the buffer to digest
55  * @param len: length of buffer to digest.
56  * @param res: result stored here (must have sufficient space).
57  * @return false on failure.
58 */
59 int secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
60         unsigned char* res);
61 
62 /**
63  * Calculate the sha256 hash for the data buffer into the result.
64  * @param buf: buffer to digest.
65  * @param len: length of the buffer to digest.
66  * @param res: result is stored here (space 256/8 bytes).
67  */
68 void secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res);
69 
70 /**
71  * Return size of DS digest according to its hash algorithm.
72  * @param algo: DS digest algo.
73  * @return size in bytes of digest, or 0 if not supported.
74  */
75 size_t ds_digest_size_supported(int algo);
76 
77 /**
78  * @param algo: the DS digest algo
79  * @param buf: the buffer to digest
80  * @param len: length of buffer to digest.
81  * @param res: result stored here (must have sufficient space).
82  * @return false on failure.
83  */
84 int secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
85 	unsigned char* res);
86 
87 /** return true if DNSKEY algorithm id is supported */
88 int dnskey_algo_id_is_supported(int id);
89 
90 /**
91  * Check a canonical sig+rrset and signature against a dnskey
92  * @param buf: buffer with data to verify, the first rrsig part and the
93  *	canonicalized rrset.
94  * @param algo: DNSKEY algorithm.
95  * @param sigblock: signature rdata field from RRSIG
96  * @param sigblock_len: length of sigblock data.
97  * @param key: public key data from DNSKEY RR.
98  * @param keylen: length of keydata.
99  * @param reason: bogus reason in more detail.
100  * @return secure if verification succeeded, bogus on crypto failure,
101  *	unchecked on format errors and alloc failures.
102  */
103 enum sec_status verify_canonrrset(struct sldns_buffer* buf, int algo,
104 	unsigned char* sigblock, unsigned int sigblock_len,
105 	unsigned char* key, unsigned int keylen, char** reason);
106 
107 #endif /* VALIDATOR_VAL_SECALGO_H */
108