1 #include <ldns/config.h>
5 #include <ldns/dnssec.h>
6 #include <ldns/dnssec_sign.h>
12 /* this entire file is rather useless when you don't have
15 #include <openssl/ssl.h>
16 #include <openssl/evp.h>
17 #include <openssl/rand.h>
18 #include <openssl/err.h>
19 #include <openssl/md5.h>
23 ldns_create_empty_rrsig(const ldns_rr_list
*rrset
,
24 const ldns_key
*current_key
)
27 ldns_rr_class orig_class
;
33 label_count
= ldns_dname_label_count(ldns_rr_owner(ldns_rr_list_rr(rrset
,
35 /* RFC4035 2.2: not counting the leftmost label if it is a wildcard */
36 if(ldns_dname_is_wildcard(ldns_rr_owner(ldns_rr_list_rr(rrset
, 0))))
39 current_sig
= ldns_rr_new_frm_type(LDNS_RR_TYPE_RRSIG
);
41 /* set the type on the new signature */
42 orig_ttl
= ldns_rr_ttl(ldns_rr_list_rr(rrset
, 0));
43 orig_class
= ldns_rr_get_class(ldns_rr_list_rr(rrset
, 0));
45 ldns_rr_set_ttl(current_sig
, orig_ttl
);
46 ldns_rr_set_class(current_sig
, orig_class
);
47 ldns_rr_set_owner(current_sig
,
50 ldns_rr_list_rr(rrset
,
53 /* fill in what we know of the signature */
55 /* set the orig_ttl */
56 (void)ldns_rr_rrsig_set_origttl(
58 ldns_native2rdf_int32(LDNS_RDF_TYPE_INT32
,
60 /* the signers name */
61 signame
= ldns_rdf_clone(ldns_key_pubkey_owner(current_key
));
62 ldns_dname2canonical(signame
);
63 (void)ldns_rr_rrsig_set_signame(
66 /* label count - get it from the first rr in the rr_list */
67 (void)ldns_rr_rrsig_set_labels(
69 ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8
,
71 /* inception, expiration */
73 if (ldns_key_inception(current_key
) != 0) {
74 (void)ldns_rr_rrsig_set_inception(
76 ldns_native2rdf_int32(
78 ldns_key_inception(current_key
)));
80 (void)ldns_rr_rrsig_set_inception(
82 ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME
, now
));
84 if (ldns_key_expiration(current_key
) != 0) {
85 (void)ldns_rr_rrsig_set_expiration(
87 ldns_native2rdf_int32(
89 ldns_key_expiration(current_key
)));
91 (void)ldns_rr_rrsig_set_expiration(
93 ldns_native2rdf_int32(
95 now
+ LDNS_DEFAULT_EXP_TIME
));
98 (void)ldns_rr_rrsig_set_keytag(
100 ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16
,
101 ldns_key_keytag(current_key
)));
103 (void)ldns_rr_rrsig_set_algorithm(
105 ldns_native2rdf_int8(
107 ldns_key_algorithm(current_key
)));
109 (void)ldns_rr_rrsig_set_typecovered(
111 ldns_native2rdf_int16(
113 ldns_rr_get_type(ldns_rr_list_rr(rrset
,
120 ldns_sign_public_buffer(ldns_buffer
*sign_buf
, ldns_key
*current_key
)
122 ldns_rdf
*b64rdf
= NULL
;
124 switch(ldns_key_algorithm(current_key
)) {
127 case LDNS_SIGN_DSA_NSEC3
:
128 b64rdf
= ldns_sign_public_evp(
130 ldns_key_evp_key(current_key
),
131 # ifdef HAVE_EVP_DSS1
139 case LDNS_SIGN_RSASHA1
:
140 case LDNS_SIGN_RSASHA1_NSEC3
:
141 b64rdf
= ldns_sign_public_evp(
143 ldns_key_evp_key(current_key
),
147 case LDNS_SIGN_RSASHA256
:
148 b64rdf
= ldns_sign_public_evp(
150 ldns_key_evp_key(current_key
),
153 case LDNS_SIGN_RSASHA512
:
154 b64rdf
= ldns_sign_public_evp(
156 ldns_key_evp_key(current_key
),
159 #endif /* USE_SHA2 */
161 case LDNS_SIGN_ECC_GOST
:
162 b64rdf
= ldns_sign_public_evp(
164 ldns_key_evp_key(current_key
),
165 EVP_get_digestbyname("md_gost94"));
167 #endif /* USE_GOST */
169 case LDNS_SIGN_ECDSAP256SHA256
:
170 b64rdf
= ldns_sign_public_evp(
172 ldns_key_evp_key(current_key
),
175 case LDNS_SIGN_ECDSAP384SHA384
:
176 b64rdf
= ldns_sign_public_evp(
178 ldns_key_evp_key(current_key
),
183 case LDNS_SIGN_ED25519
:
184 b64rdf
= ldns_sign_public_evp(
186 ldns_key_evp_key(current_key
),
191 case LDNS_SIGN_ED448
:
192 b64rdf
= ldns_sign_public_evp(
194 ldns_key_evp_key(current_key
),
198 case LDNS_SIGN_RSAMD5
:
199 b64rdf
= ldns_sign_public_evp(
201 ldns_key_evp_key(current_key
),
205 /* do _you_ know this alg? */
206 printf("unknown algorithm, ");
207 printf("is the one used available on this system?\n");
215 * use this function to sign with a public/private key alg
216 * return the created signatures
219 ldns_sign_public(ldns_rr_list
*rrset
, ldns_key_list
*keys
)
221 ldns_rr_list
*signatures
;
222 ldns_rr_list
*rrset_clone
;
223 ldns_rr
*current_sig
;
225 ldns_key
*current_key
;
228 ldns_buffer
*sign_buf
;
231 if (!rrset
|| ldns_rr_list_rr_count(rrset
) < 1 || !keys
) {
237 signatures
= ldns_rr_list_new();
239 /* prepare a signature and add all the know data
240 * prepare the rrset. Sign this together. */
241 rrset_clone
= ldns_rr_list_clone(rrset
);
246 /* make it canonical */
247 for(i
= 0; i
< ldns_rr_list_rr_count(rrset_clone
); i
++) {
248 ldns_rr_set_ttl(ldns_rr_list_rr(rrset_clone
, i
),
249 ldns_rr_ttl(ldns_rr_list_rr(rrset
, 0)));
250 ldns_rr2canonical(ldns_rr_list_rr(rrset_clone
, i
));
253 ldns_rr_list_sort(rrset_clone
);
256 key_count
< ldns_key_list_key_count(keys
);
258 if (!ldns_key_use(ldns_key_list_key(keys
, key_count
))) {
261 sign_buf
= ldns_buffer_new(LDNS_MAX_PACKETLEN
);
263 ldns_rr_list_free(rrset_clone
);
264 ldns_rr_list_free(signatures
);
265 ldns_rdf_free(new_owner
);
270 current_key
= ldns_key_list_key(keys
, key_count
);
271 /* sign all RRs with keys that have ZSKbit, !SEPbit.
272 sign DNSKEY RRs with keys that have ZSKbit&SEPbit */
273 if (ldns_key_flags(current_key
) & LDNS_KEY_ZONE_KEY
) {
274 current_sig
= ldns_create_empty_rrsig(rrset_clone
,
277 /* right now, we have: a key, a semi-sig and an rrset. For
278 * which we can create the sig and base64 encode that and
279 * add that to the signature */
281 if (ldns_rrsig2buffer_wire(sign_buf
, current_sig
)
283 ldns_buffer_free(sign_buf
);
285 ldns_rr_list_deep_free(rrset_clone
);
286 ldns_rr_free(current_sig
);
287 ldns_rr_list_deep_free(signatures
);
291 /* add the rrset in sign_buf */
292 if (ldns_rr_list2buffer_wire(sign_buf
, rrset_clone
)
294 ldns_buffer_free(sign_buf
);
295 ldns_rr_list_deep_free(rrset_clone
);
296 ldns_rr_free(current_sig
);
297 ldns_rr_list_deep_free(signatures
);
301 b64rdf
= ldns_sign_public_buffer(sign_buf
, current_key
);
304 /* signing went wrong */
305 ldns_rr_list_deep_free(rrset_clone
);
306 ldns_rr_free(current_sig
);
307 ldns_rr_list_deep_free(signatures
);
311 ldns_rr_rrsig_set_sig(current_sig
, b64rdf
);
313 /* push the signature to the signatures list */
314 ldns_rr_list_push_rr(signatures
, current_sig
);
316 ldns_buffer_free(sign_buf
); /* restart for the next key */
318 ldns_rr_list_deep_free(rrset_clone
);
326 * \param[in] to_sign The ldns_buffer containing raw data that is
328 * \param[in] key The DSA key structure to sign with
329 * \return ldns_rdf for the RRSIG ldns_rr
332 ldns_sign_public_dsa(ldns_buffer
*to_sign
, DSA
*key
)
335 unsigned char *sha1_hash
;
336 ldns_rdf
*sigdata_rdf
;
344 b64sig
= ldns_buffer_new(LDNS_MAX_PACKETLEN
);
349 sha1_hash
= SHA1((unsigned char*)ldns_buffer_begin(to_sign
),
350 ldns_buffer_position(to_sign
), NULL
);
352 ldns_buffer_free(b64sig
);
356 sig
= DSA_do_sign(sha1_hash
, SHA_DIGEST_LENGTH
, key
);
358 ldns_buffer_free(b64sig
);
362 data
= LDNS_XMALLOC(uint8_t, 1 + 2 * SHA_DIGEST_LENGTH
);
364 ldns_buffer_free(b64sig
);
370 # ifdef HAVE_DSA_SIG_GET0
371 DSA_SIG_get0(sig
, &R
, &S
);
376 pad
= 20 - (size_t) BN_num_bytes(R
);
378 memset(data
+ 1, 0, pad
);
380 BN_bn2bin(R
, (unsigned char *) (data
+ 1) + pad
);
382 pad
= 20 - (size_t) BN_num_bytes(S
);
384 memset(data
+ 1 + SHA_DIGEST_LENGTH
, 0, pad
);
386 BN_bn2bin(S
, (unsigned char *) (data
+ 1 + SHA_DIGEST_LENGTH
+ pad
));
388 sigdata_rdf
= ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64
,
389 1 + 2 * SHA_DIGEST_LENGTH
,
392 ldns_buffer_free(b64sig
);
398 (void)to_sign
; (void)key
;
405 /** returns the number of bytes per signature-component (i.e. bits/8), or 0. */
407 ldns_pkey_is_ecdsa(EVP_PKEY
* pkey
)
411 #ifdef HAVE_EVP_PKEY_BASE_ID
412 if(EVP_PKEY_base_id(pkey
) != EVP_PKEY_EC
)
415 if(EVP_PKEY_type(key
->type
) != EVP_PKEY_EC
)
418 ec
= EVP_PKEY_get1_EC_KEY(pkey
);
419 g
= EC_KEY_get0_group(ec
);
424 if(EC_GROUP_get_curve_name(g
) == NID_X9_62_prime256v1
) {
426 return 32; /* 256/8 */
428 if(EC_GROUP_get_curve_name(g
) == NID_secp384r1
) {
430 return 48; /* 384/8 */
432 /* downref the eckey, the original is still inside the pkey */
437 #endif /* USE_ECDSA */
440 ldns_sign_public_evp(ldns_buffer
*to_sign
,
442 const EVP_MD
*digest_type
)
445 ldns_rdf
*sigdata_rdf
= NULL
;
448 const EVP_MD
*md_type
;
452 b64sig
= ldns_buffer_new(LDNS_MAX_PACKETLEN
);
457 /* initializes a signing context */
458 md_type
= digest_type
;
460 /* unknown message difest */
461 ldns_buffer_free(b64sig
);
465 #ifdef HAVE_EVP_MD_CTX_NEW
466 ctx
= EVP_MD_CTX_new();
468 ctx
= (EVP_MD_CTX
*)malloc(sizeof(*ctx
));
469 if(ctx
) EVP_MD_CTX_init(ctx
);
472 ldns_buffer_free(b64sig
);
476 r
= EVP_SignInit(ctx
, md_type
);
478 r
= EVP_SignUpdate(ctx
, (unsigned char*)
479 ldns_buffer_begin(to_sign
),
480 ldns_buffer_position(to_sign
));
482 ldns_buffer_free(b64sig
);
483 EVP_MD_CTX_destroy(ctx
);
487 r
= EVP_SignFinal(ctx
, (unsigned char*)
488 ldns_buffer_begin(b64sig
), &siglen
, key
);
490 ldns_buffer_free(b64sig
);
491 EVP_MD_CTX_destroy(ctx
);
495 ldns_buffer_free(b64sig
);
496 EVP_MD_CTX_destroy(ctx
);
500 /* OpenSSL output is different, convert it */
504 /* unfortunately, OpenSSL output is different from DNS DSA format */
505 # ifdef HAVE_EVP_PKEY_BASE_ID
506 if (EVP_PKEY_base_id(key
) == EVP_PKEY_DSA
) {
508 if (EVP_PKEY_type(key
->type
) == EVP_PKEY_DSA
) {
511 sigdata_rdf
= ldns_convert_dsa_rrsig_asn12rdf(b64sig
, siglen
);
515 #if defined(USE_ECDSA) || defined(USE_ED25519) || defined(USE_ED448)
517 # ifdef HAVE_EVP_PKEY_BASE_ID
518 EVP_PKEY_base_id(key
)
520 EVP_PKEY_type(key
->type
)
524 if(ldns_pkey_is_ecdsa(key
)) {
526 sigdata_rdf
= ldns_convert_ecdsa_rrsig_asn1len2rdf(
527 b64sig
, (long)siglen
, ldns_pkey_is_ecdsa(key
));
529 # endif /* USE_ECDSA */
531 if(EVP_PKEY_id(key
) == NID_X25519
) {
533 sigdata_rdf
= ldns_convert_ed25519_rrsig_asn12rdf(
536 # endif /* USE_ED25519 */
538 if(EVP_PKEY_id(key
) == NID_X448
) {
540 sigdata_rdf
= ldns_convert_ed448_rrsig_asn12rdf(
543 # endif /* USE_ED448 */
547 /* ok output for other types is the same */
548 sigdata_rdf
= ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64
, siglen
,
549 ldns_buffer_begin(b64sig
));
551 ldns_buffer_free(b64sig
);
552 EVP_MD_CTX_destroy(ctx
);
557 ldns_sign_public_rsasha1(ldns_buffer
*to_sign
, RSA
*key
)
559 unsigned char *sha1_hash
;
561 ldns_rdf
*sigdata_rdf
;
566 b64sig
= ldns_buffer_new(LDNS_MAX_PACKETLEN
);
571 sha1_hash
= SHA1((unsigned char*)ldns_buffer_begin(to_sign
),
572 ldns_buffer_position(to_sign
), NULL
);
574 ldns_buffer_free(b64sig
);
578 result
= RSA_sign(NID_sha1
, sha1_hash
, SHA_DIGEST_LENGTH
,
579 (unsigned char*)ldns_buffer_begin(b64sig
),
582 ldns_buffer_free(b64sig
);
586 sigdata_rdf
= ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64
, siglen
,
587 ldns_buffer_begin(b64sig
));
588 ldns_buffer_free(b64sig
); /* can't free this buffer ?? */
593 ldns_sign_public_rsamd5(ldns_buffer
*to_sign
, RSA
*key
)
595 unsigned char *md5_hash
;
597 ldns_rdf
*sigdata_rdf
;
600 b64sig
= ldns_buffer_new(LDNS_MAX_PACKETLEN
);
605 md5_hash
= MD5((unsigned char*)ldns_buffer_begin(to_sign
),
606 ldns_buffer_position(to_sign
), NULL
);
608 ldns_buffer_free(b64sig
);
612 RSA_sign(NID_md5
, md5_hash
, MD5_DIGEST_LENGTH
,
613 (unsigned char*)ldns_buffer_begin(b64sig
),
616 sigdata_rdf
= ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64
, siglen
,
617 ldns_buffer_begin(b64sig
));
618 ldns_buffer_free(b64sig
);
621 #endif /* HAVE_SSL */
624 * Pushes all rrs from the rrsets of type A and AAAA on gluelist.
627 ldns_dnssec_addresses_on_glue_list(
628 ldns_dnssec_rrsets
*cur_rrset
,
629 ldns_rr_list
*glue_list
)
631 ldns_dnssec_rrs
*cur_rrs
;
633 if (cur_rrset
->type
== LDNS_RR_TYPE_A
634 || cur_rrset
->type
== LDNS_RR_TYPE_AAAA
) {
635 for (cur_rrs
= cur_rrset
->rrs
;
637 cur_rrs
= cur_rrs
->next
) {
639 if (!ldns_rr_list_push_rr(glue_list
,
641 return LDNS_STATUS_MEM_ERR
;
642 /* ldns_rr_list_push_rr()
643 * returns false when unable
644 * to increase the capacity
645 * of the ldsn_rr_list
651 cur_rrset
= cur_rrset
->next
;
653 return LDNS_STATUS_OK
;
657 * Marks the names in the zone that are occluded. Those names will be skipped
658 * when walking the tree with the ldns_dnssec_name_node_next_nonglue()
659 * function. But watch out! Names that are partially occluded (like glue with
660 * the same name as the delegation) will not be marked and should specifically
661 * be taken into account separately.
663 * When glue_list is given (not NULL), in the process of marking the names, all
664 * glue resource records will be pushed to that list, even glue at delegation names.
666 * \param[in] zone the zone in which to mark the names
667 * \param[in] glue_list the list to which to push the glue rrs
668 * \return LDNS_STATUS_OK on success, an error code otherwise
671 ldns_dnssec_zone_mark_and_get_glue(ldns_dnssec_zone
*zone
,
672 ldns_rr_list
*glue_list
)
675 ldns_dnssec_name
*name
;
677 ldns_rdf
*cut
= NULL
; /* keeps track of zone cuts */
678 /* When the cut is caused by a delegation, below_delegation will be 1.
679 * When caused by a DNAME, below_delegation will be 0.
681 int below_delegation
= -1; /* init suppresses comiler warning */
684 if (!zone
|| !zone
->names
) {
685 return LDNS_STATUS_NULL
;
687 for (node
= ldns_rbtree_first(zone
->names
);
688 node
!= LDNS_RBTREE_NULL
;
689 node
= ldns_rbtree_next(node
)) {
690 name
= (ldns_dnssec_name
*) node
->data
;
691 owner
= ldns_dnssec_name_name(name
);
694 /* The previous node was a zone cut, or a subdomain
695 * below a zone cut. Is this node (still) a subdomain
696 * below the cut? Then the name is occluded. Unless
697 * the name contains a SOA, after which we are
698 * authoritative again.
700 * FIXME! If there are labels in between the SOA and
701 * the cut, going from the authoritative space (below
702 * the SOA) up into occluded space again, will not be
703 * detected with the contruct below!
705 if (ldns_dname_is_subdomain(owner
, cut
) &&
706 !ldns_dnssec_rrsets_contains_type(
707 name
->rrsets
, LDNS_RR_TYPE_SOA
)) {
709 if (below_delegation
&& glue_list
) {
710 s
= ldns_dnssec_addresses_on_glue_list(
711 name
->rrsets
, glue_list
);
712 if (s
!= LDNS_STATUS_OK
) {
716 name
->is_glue
= true; /* Mark occluded name! */
723 /* The node is not below a zone cut. Is it a zone cut itself?
724 * Everything below a SOA is authoritative of course; Except
725 * when the name also contains a DNAME :).
727 if (ldns_dnssec_rrsets_contains_type(
728 name
->rrsets
, LDNS_RR_TYPE_NS
)
729 && !ldns_dnssec_rrsets_contains_type(
730 name
->rrsets
, LDNS_RR_TYPE_SOA
)) {
732 below_delegation
= 1;
733 if (glue_list
) { /* record glue on the zone cut */
734 s
= ldns_dnssec_addresses_on_glue_list(
735 name
->rrsets
, glue_list
);
736 if (s
!= LDNS_STATUS_OK
) {
740 } else if (ldns_dnssec_rrsets_contains_type(
741 name
->rrsets
, LDNS_RR_TYPE_DNAME
)) {
743 below_delegation
= 0;
746 return LDNS_STATUS_OK
;
750 * Marks the names in the zone that are occluded. Those names will be skipped
751 * when walking the tree with the ldns_dnssec_name_node_next_nonglue()
752 * function. But watch out! Names that are partially occluded (like glue with
753 * the same name as the delegation) will not be marked and should specifically
754 * be taken into account separately.
756 * \param[in] zone the zone in which to mark the names
757 * \return LDNS_STATUS_OK on success, an error code otherwise
760 ldns_dnssec_zone_mark_glue(ldns_dnssec_zone
*zone
)
762 return ldns_dnssec_zone_mark_and_get_glue(zone
, NULL
);
766 ldns_dnssec_name_node_next_nonglue(ldns_rbnode_t
*node
)
768 ldns_rbnode_t
*next_node
= NULL
;
769 ldns_dnssec_name
*next_name
= NULL
;
772 if (node
== LDNS_RBTREE_NULL
) {
777 if (next_node
== LDNS_RBTREE_NULL
) {
780 next_name
= (ldns_dnssec_name
*)next_node
->data
;
781 if (!next_name
->is_glue
) {
784 next_node
= ldns_rbtree_next(next_node
);
792 ldns_dnssec_zone_create_nsecs(ldns_dnssec_zone
*zone
,
793 ldns_rr_list
*new_rrs
)
796 ldns_rbnode_t
*first_node
, *cur_node
, *next_node
;
797 ldns_dnssec_name
*cur_name
, *next_name
;
800 ldns_dnssec_rrsets
*soa
;
802 /* the TTL of NSEC rrs should be set to the minimum TTL of
803 * the zone SOA (RFC4035 Section 2.3)
805 soa
= ldns_dnssec_name_find_rrset(zone
->soa
, LDNS_RR_TYPE_SOA
);
807 /* did the caller actually set it? if not,
808 * fall back to default ttl
810 if (soa
&& soa
->rrs
&& soa
->rrs
->rr
811 && (ldns_rr_rdf(soa
->rrs
->rr
, 6) != NULL
)) {
812 nsec_ttl
= ldns_rdf2native_int32(ldns_rr_rdf(soa
->rrs
->rr
, 6));
814 nsec_ttl
= LDNS_DEFAULT_TTL
;
817 first_node
= ldns_dnssec_name_node_next_nonglue(
818 ldns_rbtree_first(zone
->names
));
819 cur_node
= first_node
;
821 next_node
= ldns_dnssec_name_node_next_nonglue(
822 ldns_rbtree_next(cur_node
));
827 while (cur_node
&& next_node
) {
828 cur_name
= (ldns_dnssec_name
*)cur_node
->data
;
829 next_name
= (ldns_dnssec_name
*)next_node
->data
;
830 nsec_rr
= ldns_dnssec_create_nsec(cur_name
,
833 ldns_rr_set_ttl(nsec_rr
, nsec_ttl
);
834 if(ldns_dnssec_name_add_rr(cur_name
, nsec_rr
)!=LDNS_STATUS_OK
){
835 ldns_rr_free(nsec_rr
);
836 return LDNS_STATUS_ERR
;
838 ldns_rr_list_push_rr(new_rrs
, nsec_rr
);
839 cur_node
= next_node
;
841 next_node
= ldns_dnssec_name_node_next_nonglue(
842 ldns_rbtree_next(cur_node
));
846 if (cur_node
&& !next_node
) {
847 cur_name
= (ldns_dnssec_name
*)cur_node
->data
;
848 next_name
= (ldns_dnssec_name
*)first_node
->data
;
849 nsec_rr
= ldns_dnssec_create_nsec(cur_name
,
852 ldns_rr_set_ttl(nsec_rr
, nsec_ttl
);
853 if(ldns_dnssec_name_add_rr(cur_name
, nsec_rr
)!=LDNS_STATUS_OK
){
854 ldns_rr_free(nsec_rr
);
855 return LDNS_STATUS_ERR
;
857 ldns_rr_list_push_rr(new_rrs
, nsec_rr
);
862 return LDNS_STATUS_OK
;
867 ldns_hashed_names_node_free(ldns_rbnode_t
*node
, void *arg
) {
873 ldns_dnssec_zone_create_nsec3s_mkmap(ldns_dnssec_zone
*zone
,
874 ldns_rr_list
*new_rrs
,
882 ldns_rbnode_t
*first_name_node
;
883 ldns_rbnode_t
*current_name_node
;
884 ldns_dnssec_name
*current_name
;
885 ldns_status result
= LDNS_STATUS_OK
;
887 ldns_rr_list
*nsec3_list
;
889 ldns_dnssec_rrsets
*soa
;
890 ldns_rbnode_t
*hashmap_node
;
892 if (!zone
|| !new_rrs
|| !zone
->names
) {
893 return LDNS_STATUS_ERR
;
896 /* the TTL of NSEC rrs should be set to the minimum TTL of
897 * the zone SOA (RFC4035 Section 2.3)
899 soa
= ldns_dnssec_name_find_rrset(zone
->soa
, LDNS_RR_TYPE_SOA
);
901 /* did the caller actually set it? if not,
902 * fall back to default ttl
904 if (soa
&& soa
->rrs
&& soa
->rrs
->rr
905 && ldns_rr_rdf(soa
->rrs
->rr
, 6) != NULL
) {
906 nsec_ttl
= ldns_rdf2native_int32(ldns_rr_rdf(soa
->rrs
->rr
, 6));
908 nsec_ttl
= LDNS_DEFAULT_TTL
;
911 if (ldns_rdf_size(zone
->soa
->name
) > 222) {
912 return LDNS_STATUS_NSEC3_DOMAINNAME_OVERFLOW
;
915 if (zone
->hashed_names
) {
916 ldns_traverse_postorder(zone
->hashed_names
,
917 ldns_hashed_names_node_free
, NULL
);
918 LDNS_FREE(zone
->hashed_names
);
920 zone
->hashed_names
= ldns_rbtree_create(ldns_dname_compare_v
);
921 if (zone
->hashed_names
&& map
) {
922 *map
= zone
->hashed_names
;
925 first_name_node
= ldns_dnssec_name_node_next_nonglue(
926 ldns_rbtree_first(zone
->names
));
928 current_name_node
= first_name_node
;
930 while (current_name_node
&& current_name_node
!= LDNS_RBTREE_NULL
&&
931 result
== LDNS_STATUS_OK
) {
933 current_name
= (ldns_dnssec_name
*) current_name_node
->data
;
934 nsec_rr
= ldns_dnssec_create_nsec3(current_name
,
942 /* by default, our nsec based generator adds rrsigs
943 * remove the bitmap for empty nonterminals */
944 if (!current_name
->rrsets
) {
945 ldns_rdf_deep_free(ldns_rr_pop_rdf(nsec_rr
));
947 ldns_rr_set_ttl(nsec_rr
, nsec_ttl
);
948 result
= ldns_dnssec_name_add_rr(current_name
, nsec_rr
);
949 ldns_rr_list_push_rr(new_rrs
, nsec_rr
);
950 if (ldns_rr_owner(nsec_rr
)) {
951 hashmap_node
= LDNS_MALLOC(ldns_rbnode_t
);
952 if (hashmap_node
== NULL
) {
953 return LDNS_STATUS_MEM_ERR
;
955 current_name
->hashed_name
=
956 ldns_dname_label(ldns_rr_owner(nsec_rr
), 0);
958 if (current_name
->hashed_name
== NULL
) {
959 LDNS_FREE(hashmap_node
);
960 return LDNS_STATUS_MEM_ERR
;
962 hashmap_node
->key
= current_name
->hashed_name
;
963 hashmap_node
->data
= current_name
;
965 if (! ldns_rbtree_insert(zone
->hashed_names
967 LDNS_FREE(hashmap_node
);
970 current_name_node
= ldns_dnssec_name_node_next_nonglue(
971 ldns_rbtree_next(current_name_node
));
973 if (result
!= LDNS_STATUS_OK
) {
977 /* Make sorted list of nsec3s (via zone->hashed_names)
979 nsec3_list
= ldns_rr_list_new();
980 if (nsec3_list
== NULL
) {
981 return LDNS_STATUS_MEM_ERR
;
983 for ( hashmap_node
= ldns_rbtree_first(zone
->hashed_names
)
984 ; hashmap_node
!= LDNS_RBTREE_NULL
985 ; hashmap_node
= ldns_rbtree_next(hashmap_node
)
987 current_name
= (ldns_dnssec_name
*) hashmap_node
->data
;
988 nsec_rr
= ((ldns_dnssec_name
*) hashmap_node
->data
)->nsec
;
990 ldns_rr_list_push_rr(nsec3_list
, nsec_rr
);
993 result
= ldns_dnssec_chain_nsec3_list(nsec3_list
);
994 ldns_rr_list_free(nsec3_list
);
1000 ldns_dnssec_zone_create_nsec3s(ldns_dnssec_zone
*zone
,
1001 ldns_rr_list
*new_rrs
,
1004 uint16_t iterations
,
1005 uint8_t salt_length
,
1008 return ldns_dnssec_zone_create_nsec3s_mkmap(zone
, new_rrs
, algorithm
,
1009 flags
, iterations
, salt_length
, salt
, NULL
);
1012 #endif /* HAVE_SSL */
1015 ldns_dnssec_remove_signatures( ldns_dnssec_rrs
*signatures
1016 , ATTR_UNUSED(ldns_key_list
*key_list
)
1017 , int (*func
)(ldns_rr
*, void *)
1021 ldns_dnssec_rrs
*base_rrs
= signatures
;
1022 ldns_dnssec_rrs
*cur_rr
= base_rrs
;
1023 ldns_dnssec_rrs
*prev_rr
= NULL
;
1024 ldns_dnssec_rrs
*next_rr
;
1030 switch(func(NULL
, arg
)) {
1031 case LDNS_SIGNATURE_LEAVE_ADD_NEW
:
1032 case LDNS_SIGNATURE_REMOVE_ADD_NEW
:
1034 case LDNS_SIGNATURE_LEAVE_NO_ADD
:
1035 case LDNS_SIGNATURE_REMOVE_NO_ADD
:
1036 ldns_key_list_set_use(key_list
, false);
1040 fprintf(stderr
, "[XX] unknown return value from callback\n");
1046 (void)func(cur_rr
->rr
, arg
);
1049 next_rr
= cur_rr
->next
;
1051 switch (func(cur_rr
->rr
, arg
)) {
1052 case LDNS_SIGNATURE_LEAVE_ADD_NEW
:
1055 case LDNS_SIGNATURE_LEAVE_NO_ADD
:
1056 keytag
= ldns_rdf2native_int16(
1057 ldns_rr_rrsig_keytag(cur_rr
->rr
));
1058 for (i
= 0; i
< ldns_key_list_key_count(key_list
); i
++) {
1059 if (ldns_key_keytag(ldns_key_list_key(key_list
, i
)) ==
1061 ldns_key_set_use(ldns_key_list_key(key_list
, i
),
1067 case LDNS_SIGNATURE_REMOVE_NO_ADD
:
1068 keytag
= ldns_rdf2native_int16(
1069 ldns_rr_rrsig_keytag(cur_rr
->rr
));
1070 for (i
= 0; i
< ldns_key_list_key_count(key_list
); i
++) {
1071 if (ldns_key_keytag(ldns_key_list_key(key_list
, i
))
1073 ldns_key_set_use(ldns_key_list_key(key_list
, i
),
1078 prev_rr
->next
= next_rr
;
1084 case LDNS_SIGNATURE_REMOVE_ADD_NEW
:
1086 prev_rr
->next
= next_rr
;
1094 fprintf(stderr
, "[XX] unknown return value from callback\n");
1106 ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone
*zone
,
1107 ldns_rr_list
*new_rrs
,
1108 ldns_key_list
*key_list
,
1109 int (*func
)(ldns_rr
*, void*),
1112 return ldns_dnssec_zone_create_rrsigs_flg(zone
, new_rrs
, key_list
,
1116 /** If there are KSKs use only them and mark ZSKs unused */
1118 ldns_key_list_filter_for_dnskey(ldns_key_list
*key_list
, int flags
)
1125 ldns_signing_algorithm saw_ksk
= 0;
1129 if (!ldns_key_list_key_count(key_list
))
1132 for (i
= 0; i
< ldns_key_list_key_count(key_list
); i
++) {
1133 key
= ldns_key_list_key(key_list
, i
);
1134 if ((ldns_key_flags(key
) & LDNS_KEY_SEP_KEY
) && !saw_ksk
)
1135 saw_ksk
= ldns_key_algorithm(key
);
1136 algos
[ldns_key_algorithm(key
)] = true;
1143 for (i
=0; i
< ldns_key_list_key_count(key_list
); i
++) {
1144 key
= ldns_key_list_key(key_list
, i
);
1145 if (!(ldns_key_flags(key
) & LDNS_KEY_SEP_KEY
)) {
1147 * Still use it if it has a unique algorithm though!
1149 if ((flags
& LDNS_SIGN_WITH_ALL_ALGORITHMS
) &&
1150 algos
[ldns_key_algorithm(key
)])
1151 algos
[ldns_key_algorithm(key
)] = false;
1153 ldns_key_set_use(key
, 0);
1158 /** If there are no ZSKs use KSK as ZSK */
1160 ldns_key_list_filter_for_non_dnskey(ldns_key_list
*key_list
, int flags
)
1167 ldns_signing_algorithm saw_zsk
= 0;
1171 if (!ldns_key_list_key_count(key_list
))
1174 for (i
= 0; i
< ldns_key_list_key_count(key_list
); i
++) {
1175 key
= ldns_key_list_key(key_list
, i
);
1176 if (!(ldns_key_flags(key
) & LDNS_KEY_SEP_KEY
) && !saw_zsk
)
1177 saw_zsk
= ldns_key_algorithm(key
);
1178 algos
[ldns_key_algorithm(key
)] = true;
1185 for (i
= 0; i
< ldns_key_list_key_count(key_list
); i
++) {
1186 key
= ldns_key_list_key(key_list
, i
);
1187 if((ldns_key_flags(key
) & LDNS_KEY_SEP_KEY
)) {
1189 * Still use it if it has a unique algorithm though!
1191 if ((flags
& LDNS_SIGN_WITH_ALL_ALGORITHMS
) &&
1192 algos
[ldns_key_algorithm(key
)])
1193 algos
[ldns_key_algorithm(key
)] = false;
1195 ldns_key_set_use(key
, 0);
1201 ldns_dnssec_zone_create_rrsigs_flg( ldns_dnssec_zone
*zone
1202 , ldns_rr_list
*new_rrs
1203 , ldns_key_list
*key_list
1204 , int (*func
)(ldns_rr
*, void*)
1209 ldns_status result
= LDNS_STATUS_OK
;
1211 ldns_rbnode_t
*cur_node
;
1212 ldns_rr_list
*rr_list
;
1214 ldns_dnssec_name
*cur_name
;
1215 ldns_dnssec_rrsets
*cur_rrset
;
1216 ldns_dnssec_rrs
*cur_rr
;
1218 ldns_rr_list
*siglist
;
1222 int on_delegation_point
= 0; /* handle partially occluded names */
1224 ldns_rr_list
*pubkey_list
= ldns_rr_list_new();
1225 for (i
= 0; i
<ldns_key_list_key_count(key_list
); i
++) {
1226 ldns_rr_list_push_rr( pubkey_list
1227 , ldns_key2rr(ldns_key_list_key(
1231 /* TODO: callback to see is list should be signed */
1232 /* TODO: remove 'old' signatures from signature list */
1233 cur_node
= ldns_rbtree_first(zone
->names
);
1234 while (cur_node
!= LDNS_RBTREE_NULL
) {
1235 cur_name
= (ldns_dnssec_name
*) cur_node
->data
;
1237 if (!cur_name
->is_glue
) {
1238 on_delegation_point
= ldns_dnssec_rrsets_contains_type(
1239 cur_name
->rrsets
, LDNS_RR_TYPE_NS
)
1240 && !ldns_dnssec_rrsets_contains_type(
1241 cur_name
->rrsets
, LDNS_RR_TYPE_SOA
);
1242 cur_rrset
= cur_name
->rrsets
;
1244 /* reset keys to use */
1245 ldns_key_list_set_use(key_list
, true);
1247 /* walk through old sigs, remove the old,
1248 and mark which keys (not) to use) */
1249 cur_rrset
->signatures
=
1250 ldns_dnssec_remove_signatures(cur_rrset
->signatures
,
1254 if(!(flags
&LDNS_SIGN_DNSKEY_WITH_ZSK
) &&
1255 cur_rrset
->type
== LDNS_RR_TYPE_DNSKEY
)
1256 ldns_key_list_filter_for_dnskey(key_list
, flags
);
1258 if(cur_rrset
->type
!= LDNS_RR_TYPE_DNSKEY
)
1259 ldns_key_list_filter_for_non_dnskey(key_list
, flags
);
1261 /* TODO: just set count to zero? */
1262 rr_list
= ldns_rr_list_new();
1264 cur_rr
= cur_rrset
->rrs
;
1266 ldns_rr_list_push_rr(rr_list
, cur_rr
->rr
);
1267 cur_rr
= cur_rr
->next
;
1270 /* only sign non-delegation RRsets */
1271 /* (glue should have been marked earlier,
1272 * except on the delegation points itself) */
1273 if (!on_delegation_point
||
1274 ldns_rr_list_type(rr_list
)
1275 == LDNS_RR_TYPE_DS
||
1276 ldns_rr_list_type(rr_list
)
1277 == LDNS_RR_TYPE_NSEC
||
1278 ldns_rr_list_type(rr_list
)
1279 == LDNS_RR_TYPE_NSEC3
) {
1280 siglist
= ldns_sign_public(rr_list
, key_list
);
1281 for (i
= 0; i
< ldns_rr_list_rr_count(siglist
); i
++) {
1282 if (cur_rrset
->signatures
) {
1283 result
= ldns_dnssec_rrs_add_rr(cur_rrset
->signatures
,
1284 ldns_rr_list_rr(siglist
,
1287 cur_rrset
->signatures
= ldns_dnssec_rrs_new();
1288 cur_rrset
->signatures
->rr
=
1289 ldns_rr_list_rr(siglist
, i
);
1292 ldns_rr_list_push_rr(new_rrs
,
1293 ldns_rr_list_rr(siglist
,
1297 ldns_rr_list_free(siglist
);
1300 ldns_rr_list_free(rr_list
);
1302 cur_rrset
= cur_rrset
->next
;
1306 ldns_key_list_set_use(key_list
, true);
1307 cur_name
->nsec_signatures
=
1308 ldns_dnssec_remove_signatures(cur_name
->nsec_signatures
,
1312 ldns_key_list_filter_for_non_dnskey(key_list
, flags
);
1314 rr_list
= ldns_rr_list_new();
1315 ldns_rr_list_push_rr(rr_list
, cur_name
->nsec
);
1316 siglist
= ldns_sign_public(rr_list
, key_list
);
1318 for (i
= 0; i
< ldns_rr_list_rr_count(siglist
); i
++) {
1319 if (cur_name
->nsec_signatures
) {
1320 result
= ldns_dnssec_rrs_add_rr(cur_name
->nsec_signatures
,
1321 ldns_rr_list_rr(siglist
, i
));
1323 cur_name
->nsec_signatures
= ldns_dnssec_rrs_new();
1324 cur_name
->nsec_signatures
->rr
=
1325 ldns_rr_list_rr(siglist
, i
);
1328 ldns_rr_list_push_rr(new_rrs
,
1329 ldns_rr_list_rr(siglist
, i
));
1333 ldns_rr_list_free(siglist
);
1334 ldns_rr_list_free(rr_list
);
1336 cur_node
= ldns_rbtree_next(cur_node
);
1339 ldns_rr_list_deep_free(pubkey_list
);
1344 ldns_dnssec_zone_sign(ldns_dnssec_zone
*zone
,
1345 ldns_rr_list
*new_rrs
,
1346 ldns_key_list
*key_list
,
1347 int (*func
)(ldns_rr
*, void *),
1350 return ldns_dnssec_zone_sign_flg(zone
, new_rrs
, key_list
, func
, arg
, 0);
1354 ldns_dnssec_zone_sign_flg(ldns_dnssec_zone
*zone
,
1355 ldns_rr_list
*new_rrs
,
1356 ldns_key_list
*key_list
,
1357 int (*func
)(ldns_rr
*, void *),
1361 ldns_status result
= LDNS_STATUS_OK
;
1363 if (!zone
|| !new_rrs
|| !key_list
) {
1364 return LDNS_STATUS_ERR
;
1367 /* zone is already sorted */
1368 result
= ldns_dnssec_zone_mark_glue(zone
);
1369 if (result
!= LDNS_STATUS_OK
) {
1373 /* check whether we need to add nsecs */
1374 if (zone
->names
&& !((ldns_dnssec_name
*)zone
->names
->root
->data
)->nsec
) {
1375 result
= ldns_dnssec_zone_create_nsecs(zone
, new_rrs
);
1376 if (result
!= LDNS_STATUS_OK
) {
1381 result
= ldns_dnssec_zone_create_rrsigs_flg(zone
,
1392 ldns_dnssec_zone_sign_nsec3(ldns_dnssec_zone
*zone
,
1393 ldns_rr_list
*new_rrs
,
1394 ldns_key_list
*key_list
,
1395 int (*func
)(ldns_rr
*, void *),
1399 uint16_t iterations
,
1400 uint8_t salt_length
,
1403 return ldns_dnssec_zone_sign_nsec3_flg_mkmap(zone
, new_rrs
, key_list
,
1404 func
, arg
, algorithm
, flags
, iterations
, salt_length
, salt
, 0,
1409 ldns_dnssec_zone_sign_nsec3_flg_mkmap(ldns_dnssec_zone
*zone
,
1410 ldns_rr_list
*new_rrs
,
1411 ldns_key_list
*key_list
,
1412 int (*func
)(ldns_rr
*, void *),
1416 uint16_t iterations
,
1417 uint8_t salt_length
,
1420 ldns_rbtree_t
**map
)
1422 ldns_rr
*nsec3
, *nsec3param
;
1423 ldns_status result
= LDNS_STATUS_OK
;
1425 /* zone is already sorted */
1426 result
= ldns_dnssec_zone_mark_glue(zone
);
1427 if (result
!= LDNS_STATUS_OK
) {
1431 /* TODO if there are already nsec3s presents and their
1432 * parameters are the same as these, we don't have to recreate
1435 /* add empty nonterminals */
1436 result
= ldns_dnssec_zone_add_empty_nonterminals(zone
);
1437 if (result
!= LDNS_STATUS_OK
) {
1441 nsec3
= ((ldns_dnssec_name
*)zone
->names
->root
->data
)->nsec
;
1442 if (nsec3
&& ldns_rr_get_type(nsec3
) == LDNS_RR_TYPE_NSEC3
) {
1443 /* no need to recreate */
1445 if (!ldns_dnssec_zone_find_rrset(zone
,
1447 LDNS_RR_TYPE_NSEC3PARAM
)) {
1448 /* create and add the nsec3param rr */
1450 ldns_rr_new_frm_type(LDNS_RR_TYPE_NSEC3PARAM
);
1451 ldns_rr_set_owner(nsec3param
,
1452 ldns_rdf_clone(zone
->soa
->name
));
1453 ldns_nsec3_add_param_rdfs(nsec3param
,
1459 /* always set bit 7 of the flags to zero, according to
1460 * rfc5155 section 11. The bits are counted from right to left,
1461 * so bit 7 in rfc5155 is bit 0 in ldns */
1462 ldns_set_bit(ldns_rdf_data(ldns_rr_rdf(nsec3param
, 1)), 0, 0);
1463 result
= ldns_dnssec_zone_add_rr(zone
, nsec3param
);
1464 if (result
!= LDNS_STATUS_OK
) {
1467 ldns_rr_list_push_rr(new_rrs
, nsec3param
);
1469 result
= ldns_dnssec_zone_create_nsec3s_mkmap(zone
,
1477 if (result
!= LDNS_STATUS_OK
) {
1482 result
= ldns_dnssec_zone_create_rrsigs_flg(zone
,
1494 ldns_dnssec_zone_sign_nsec3_flg(ldns_dnssec_zone
*zone
,
1495 ldns_rr_list
*new_rrs
,
1496 ldns_key_list
*key_list
,
1497 int (*func
)(ldns_rr
*, void *),
1501 uint16_t iterations
,
1502 uint8_t salt_length
,
1506 return ldns_dnssec_zone_sign_nsec3_flg_mkmap(zone
, new_rrs
, key_list
,
1507 func
, arg
, algorithm
, flags
, iterations
, salt_length
, salt
,
1512 ldns_zone_sign(const ldns_zone
*zone
, ldns_key_list
*key_list
)
1514 ldns_dnssec_zone
*dnssec_zone
;
1515 ldns_zone
*signed_zone
;
1516 ldns_rr_list
*new_rrs
;
1519 signed_zone
= ldns_zone_new();
1520 dnssec_zone
= ldns_dnssec_zone_new();
1522 (void) ldns_dnssec_zone_add_rr(dnssec_zone
, ldns_zone_soa(zone
));
1523 ldns_zone_set_soa(signed_zone
, ldns_rr_clone(ldns_zone_soa(zone
)));
1525 for (i
= 0; i
< ldns_rr_list_rr_count(ldns_zone_rrs(zone
)); i
++) {
1526 (void) ldns_dnssec_zone_add_rr(dnssec_zone
,
1527 ldns_rr_list_rr(ldns_zone_rrs(zone
),
1529 ldns_zone_push_rr(signed_zone
,
1530 ldns_rr_clone(ldns_rr_list_rr(ldns_zone_rrs(zone
),
1534 new_rrs
= ldns_rr_list_new();
1535 (void) ldns_dnssec_zone_sign(dnssec_zone
,
1538 ldns_dnssec_default_replace_signatures
,
1541 for (i
= 0; i
< ldns_rr_list_rr_count(new_rrs
); i
++) {
1542 ldns_rr_list_push_rr(ldns_zone_rrs(signed_zone
),
1543 ldns_rr_clone(ldns_rr_list_rr(new_rrs
, i
)));
1546 ldns_rr_list_deep_free(new_rrs
);
1547 ldns_dnssec_zone_free(dnssec_zone
);
1553 ldns_zone_sign_nsec3(ldns_zone
*zone
, ldns_key_list
*key_list
, uint8_t algorithm
, uint8_t flags
, uint16_t iterations
, uint8_t salt_length
, uint8_t *salt
)
1555 ldns_dnssec_zone
*dnssec_zone
;
1556 ldns_zone
*signed_zone
;
1557 ldns_rr_list
*new_rrs
;
1560 signed_zone
= ldns_zone_new();
1561 dnssec_zone
= ldns_dnssec_zone_new();
1563 (void) ldns_dnssec_zone_add_rr(dnssec_zone
, ldns_zone_soa(zone
));
1564 ldns_zone_set_soa(signed_zone
, ldns_rr_clone(ldns_zone_soa(zone
)));
1566 for (i
= 0; i
< ldns_rr_list_rr_count(ldns_zone_rrs(zone
)); i
++) {
1567 (void) ldns_dnssec_zone_add_rr(dnssec_zone
,
1568 ldns_rr_list_rr(ldns_zone_rrs(zone
),
1570 ldns_zone_push_rr(signed_zone
,
1571 ldns_rr_clone(ldns_rr_list_rr(ldns_zone_rrs(zone
),
1575 new_rrs
= ldns_rr_list_new();
1576 (void) ldns_dnssec_zone_sign_nsec3(dnssec_zone
,
1579 ldns_dnssec_default_replace_signatures
,
1587 for (i
= 0; i
< ldns_rr_list_rr_count(new_rrs
); i
++) {
1588 ldns_rr_list_push_rr(ldns_zone_rrs(signed_zone
),
1589 ldns_rr_clone(ldns_rr_list_rr(new_rrs
, i
)));
1592 ldns_rr_list_deep_free(new_rrs
);
1593 ldns_dnssec_zone_free(dnssec_zone
);
1597 #endif /* HAVE_SSL */