diff --git a/src/dnssec.c b/src/dnssec.c
index 94cf8cfd..0fd33e01 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -3359,9 +3359,10 @@ static int wire_validate_dnssec(struct mem_funcs *mf,
 * */
 getdns_return_t
-getdns_validate_dnssec(getdns_list *records_to_validate,
+getdns_validate_dnssec2(getdns_list *records_to_validate,
 getdns_list *support_records,
-getdns_list *trust_anchors)
+getdns_list *trust_anchors,
+time_t now, uint32_t skew)
 {
 uint8_t to_val_buf[4096], *to_val, support_buf[4096], *support,
@@ -3377,9 +3378,6 @@ getdns_validate_dnssec(getdns_list *records_to_validate,
 size_t i;
 getdns_dict *reply;
-time_t now;
-uint32_t skew;
-
 #if defined(SEC_DEBUG) && SEC_DEBUG
 fflush(stdout);
 #endif
@@ -3387,8 +3385,6 @@ getdns_validate_dnssec(getdns_list *records_to_validate,
 if (!records_to_validate || !support_records || !trust_anchors) return GETDNS_RETURN_INVALID_PARAMETER;
 mf = &records_to_validate->mf;
-now = time(NULL);
-skew = 0;
 /* First convert everything to wire format */
@@ -3453,6 +3449,15 @@ exit_free_support:
 }
+getdns_return_t
+getdns_validate_dnssec(getdns_list *records_to_validate,
+getdns_list *support_records,
+getdns_list *trust_anchors)
+{
+return getdns_validate_dnssec2(records_to_validate, support_records,
+trust_anchors, time(NULL), 0);
+}
+
 /****************** getdns_root_trust_anchor() Function ********************
 *****************************************************************************/
diff --git a/src/getdns/getdns_extra.h.in b/src/getdns/getdns_extra.h.in
index 49664177..5493a7d8 100644
--- a/src/getdns/getdns_extra.h.in
+++ b/src/getdns/getdns_extra.h.in
@@ -31,6 +31,7 @@
 #include
 #include
 #include
+#include
 #ifdef __cplusplus
 extern "C" {
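Review bot: The new parameter is named `now` in the definition of getdns_validate_dnssec2 but `validation_time` in the public header, so the definition reads as if it must be the current wall clock; `time_t validation_time, uint32_t skew)` would match the declaration and the meaning the header documents. The body of getdns_validate_dnssec2 continues outside the hunk, so how a possibly 64-bit time_t is reduced to the 32-bit RFC1982 serial the header describes is not visible here; a one-line comment at that conversion would help the next reader. The new getdns_validate_dnssec wrapper preserves the previous behaviour exactly (`time(NULL)`, zero skew), which is good; since any caller-supplied skew widens every RRSIG Inception/Expiration window in both directions, consider documenting a recommended small bound for it, or rejecting clearly oversized values with GETDNS_RETURN_INVALID_PARAMETER, so the temporal check cannot be disabled by accident.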
@@ -635,6 +636,40 @@ getdns_fp2rr_list( FILE *in, getdns_list **rr_list, const char *origin, uint32_t default_ttl);
+/**
+ * Validate replies or resource records.
+ *
+ * @param to_validate A list of RR-dicts with companion RRSIG-RR-dicts
+ * which will be validated. Or a list of reply-dicts
+ * that will be validated. The "replies_tree" list
+ * of a response dict can be used directly here.
+ * @param support_records A list of DS's RR-dicts and DNSKEY RR-dicts with
+ * companion RRSIG-RR-dicts that lead up from one of
+ * the trust_anchors to the RR-dicts or replies to
+ * validate. The "validation_chain" list of a response
+ * dict (with the dnssec_return_validation_chain
+ * extension) can be used directly here.
+ * @param trust_anchors The list of trusted DNSKEYs or DS'es RR-dicts.
+ * The result of the getdns_root_trust_anchor() or the
+ * getdns_context_get_dnssec_trust_anchors() function
+ * can be used directly here.
+ * @param validation_time The point in time in seconds since 1 January 1970
+ * 00:00:00 UTC, ignoring leap seconds, wrapping using
+ * "Serial number arithmetic", as defined in RFC1982.
+ * @param skew The numer of seconds of skew that is allowed in
+ * either direction when checking an RRSIG's
+ * Expiration and Inception fields
+ * @return The dnssec status of validated records or replies,
+ * GETDNS_DNSSEC_SECURE, GETDNS_DNSSEC_INSECURE,
+ * GETDNS_DNSSEC_INDETERMINATE or GETDNS_DNSSEC_BOGUS, or an error
+ * return code.
+ */
+getdns_return_t
+getdns_validate_dnssec2(getdns_list *to_validate,
+getdns_list *support_records,
+getdns_list *trust_anchors,
+time_t validation_time, uint32_t skew);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/src/libgetdns.symbols b/src/libgetdns.symbols
index 8b35ff37..14fc4cf6 100644
--- a/src/libgetdns.symbols
+++ b/src/libgetdns.symbols
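Review bot: The doc comment added for getdns_validate_dnssec2 misspells "number" in the skew description; `* @param skew The number of seconds of skew that is allowed in`. The first parameter is called `to_validate` in this declaration but `records_to_validate` in the definition in src/dnssec.c, so the Doxygen @param name will not match the implementation; pick one name for both. The @param skew text could also state what a caller is trading away, e.g. `* Larger values accept RRSIGs outside their signed validity window; keep it small.`, since that is the only security-relevant knob this API introduces.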
@@ -130,6 +130,7 @@ getdns_snprint_json_list
 getdns_str2rr_dict
 getdns_strerror
 getdns_validate_dnssec
+getdns_validate_dnssec2
 getdns_wire2rr_dict
 getdns_wire2rr_dict_buf
 getdns_wire2rr_dict_scan