search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ipfw: Support all possible ICMP types.
[dragonfly.git] / contrib / ldns / dnssec_sign.c
blobf2f9d9dda87d8bd860b6b9a4eb3e509bab17ae16
1 #include <ldns/config.h>
2
3 #include <ldns/ldns.h>
4
5 #include <ldns/dnssec.h>
6 #include <ldns/dnssec_sign.h>
7
8 #include <strings.h>
9 #include <time.h>
10
11 #ifdef HAVE_SSL
12 /* this entire file is rather useless when you don't have
13 * crypto...
14 */
15 #include <openssl/ssl.h>
16 #include <openssl/evp.h>
17 #include <openssl/rand.h>
18 #include <openssl/err.h>
19 #include <openssl/md5.h>
20 #endif /* HAVE_SSL */
21
22 ldns_rr *
23 ldns_create_empty_rrsig(ldns_rr_list *rrset,
24 ldns_key *current_key)
25 {
26 uint32_t orig_ttl;
27 ldns_rr_class orig_class;
28 time_t now;
29 ldns_rr *current_sig;
30 uint8_t label_count;
31 ldns_rdf *signame;
32
33 label_count = ldns_dname_label_count(ldns_rr_owner(ldns_rr_list_rr(rrset,
34 0)));
35 /* RFC4035 2.2: not counting the leftmost label if it is a wildcard */
36 if(ldns_dname_is_wildcard(ldns_rr_owner(ldns_rr_list_rr(rrset, 0))))
37 label_count --;
38
39 current_sig = ldns_rr_new_frm_type(LDNS_RR_TYPE_RRSIG);
40
41 /* set the type on the new signature */
42 orig_ttl = ldns_rr_ttl(ldns_rr_list_rr(rrset, 0));
43 orig_class = ldns_rr_get_class(ldns_rr_list_rr(rrset, 0));
44
45 ldns_rr_set_ttl(current_sig, orig_ttl);
46 ldns_rr_set_class(current_sig, orig_class);
47 ldns_rr_set_owner(current_sig,
48 ldns_rdf_clone(
49 ldns_rr_owner(
50 ldns_rr_list_rr(rrset,
51 0))));
52
53 /* fill in what we know of the signature */
54
55 /* set the orig_ttl */
56 (void)ldns_rr_rrsig_set_origttl(
57 current_sig,
58 ldns_native2rdf_int32(LDNS_RDF_TYPE_INT32,
59 orig_ttl));
60 /* the signers name */
61 signame = ldns_rdf_clone(ldns_key_pubkey_owner(current_key));
62 ldns_dname2canonical(signame);
63 (void)ldns_rr_rrsig_set_signame(
64 current_sig,
65 signame);
66 /* label count - get it from the first rr in the rr_list */
67 (void)ldns_rr_rrsig_set_labels(
68 current_sig,
69 ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8,
70 label_count));
71 /* inception, expiration */
72 now = time(NULL);
73 if (ldns_key_inception(current_key) != 0) {
74 (void)ldns_rr_rrsig_set_inception(
75 current_sig,
76 ldns_native2rdf_int32(
77 LDNS_RDF_TYPE_TIME,
78 ldns_key_inception(current_key)));
79 } else {
80 (void)ldns_rr_rrsig_set_inception(
81 current_sig,
82 ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME, now));
83 }
84 if (ldns_key_expiration(current_key) != 0) {
85 (void)ldns_rr_rrsig_set_expiration(
86 current_sig,
87 ldns_native2rdf_int32(
88 LDNS_RDF_TYPE_TIME,
89 ldns_key_expiration(current_key)));
90 } else {
91 (void)ldns_rr_rrsig_set_expiration(
92 current_sig,
93 ldns_native2rdf_int32(
94 LDNS_RDF_TYPE_TIME,
95 now + LDNS_DEFAULT_EXP_TIME));
96 }
97
98 (void)ldns_rr_rrsig_set_keytag(
99 current_sig,
100 ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16,
101 ldns_key_keytag(current_key)));
102
103 (void)ldns_rr_rrsig_set_algorithm(
104 current_sig,
105 ldns_native2rdf_int8(
106 LDNS_RDF_TYPE_ALG,
107 ldns_key_algorithm(current_key)));
108
109 (void)ldns_rr_rrsig_set_typecovered(
110 current_sig,
111 ldns_native2rdf_int16(
112 LDNS_RDF_TYPE_TYPE,
113 ldns_rr_get_type(ldns_rr_list_rr(rrset,
114 0))));
115 return current_sig;
116 }
117
118 #ifdef HAVE_SSL
119 ldns_rdf *
120 ldns_sign_public_buffer(ldns_buffer *sign_buf, ldns_key *current_key)
121 {
122 ldns_rdf *b64rdf = NULL;
123
124 switch(ldns_key_algorithm(current_key)) {
125 case LDNS_SIGN_DSA:
126 case LDNS_SIGN_DSA_NSEC3:
127 b64rdf = ldns_sign_public_evp(
128 sign_buf,
129 ldns_key_evp_key(current_key),
130 EVP_dss1());
131 break;
132 case LDNS_SIGN_RSASHA1:
133 case LDNS_SIGN_RSASHA1_NSEC3:
134 b64rdf = ldns_sign_public_evp(
135 sign_buf,
136 ldns_key_evp_key(current_key),
137 EVP_sha1());
138 break;
139 #ifdef USE_SHA2
140 case LDNS_SIGN_RSASHA256:
141 b64rdf = ldns_sign_public_evp(
142 sign_buf,
143 ldns_key_evp_key(current_key),
144 EVP_sha256());
145 break;
146 case LDNS_SIGN_RSASHA512:
147 b64rdf = ldns_sign_public_evp(
148 sign_buf,
149 ldns_key_evp_key(current_key),
150 EVP_sha512());
151 break;
152 #endif /* USE_SHA2 */
153 #ifdef USE_GOST
154 case LDNS_SIGN_ECC_GOST:
155 b64rdf = ldns_sign_public_evp(
156 sign_buf,
157 ldns_key_evp_key(current_key),
158 EVP_get_digestbyname("md_gost94"));
159 break;
160 #endif /* USE_GOST */
161 #ifdef USE_ECDSA
162 case LDNS_SIGN_ECDSAP256SHA256:
163 b64rdf = ldns_sign_public_evp(
164 sign_buf,
165 ldns_key_evp_key(current_key),
166 EVP_sha256());
167 break;
168 case LDNS_SIGN_ECDSAP384SHA384:
169 b64rdf = ldns_sign_public_evp(
170 sign_buf,
171 ldns_key_evp_key(current_key),
172 EVP_sha384());
173 break;
174 #endif
175 case LDNS_SIGN_RSAMD5:
176 b64rdf = ldns_sign_public_evp(
177 sign_buf,
178 ldns_key_evp_key(current_key),
179 EVP_md5());
180 break;
181 default:
182 /* do _you_ know this alg? */
183 printf("unknown algorithm, ");
184 printf("is the one used available on this system?\n");
185 break;
186 }
187
188 return b64rdf;
189 }
190
191 /**
192 * use this function to sign with a public/private key alg
193 * return the created signatures
194 */
195 ldns_rr_list *
196 ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys)
197 {
198 ldns_rr_list *signatures;
199 ldns_rr_list *rrset_clone;
200 ldns_rr *current_sig;
201 ldns_rdf *b64rdf;
202 ldns_key *current_key;
203 size_t key_count;
204 uint16_t i;
205 ldns_buffer *sign_buf;
206 ldns_rdf *new_owner;
207
208 if (!rrset || ldns_rr_list_rr_count(rrset) < 1 || !keys) {
209 return NULL;
210 }
211
212 new_owner = NULL;
213
214 signatures = ldns_rr_list_new();
215
216 /* prepare a signature and add all the know data
217 * prepare the rrset. Sign this together. */
218 rrset_clone = ldns_rr_list_clone(rrset);
219 if (!rrset_clone) {
220 return NULL;
221 }
222
223 /* make it canonical */
224 for(i = 0; i < ldns_rr_list_rr_count(rrset_clone); i++) {
225 ldns_rr_set_ttl(ldns_rr_list_rr(rrset_clone, i),
226 ldns_rr_ttl(ldns_rr_list_rr(rrset, 0)));
227 ldns_rr2canonical(ldns_rr_list_rr(rrset_clone, i));
228 }
229 /* sort */
230 ldns_rr_list_sort(rrset_clone);
231
232 for (key_count = 0;
233 key_count < ldns_key_list_key_count(keys);
234 key_count++) {
235 if (!ldns_key_use(ldns_key_list_key(keys, key_count))) {
236 continue;
237 }
238 sign_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
239 if (!sign_buf) {
240 ldns_rr_list_free(rrset_clone);
241 ldns_rr_list_free(signatures);
242 ldns_rdf_free(new_owner);
243 return NULL;
244 }
245 b64rdf = NULL;
246
247 current_key = ldns_key_list_key(keys, key_count);
248 /* sign all RRs with keys that have ZSKbit, !SEPbit.
249 sign DNSKEY RRs with keys that have ZSKbit&SEPbit */
250 if (ldns_key_flags(current_key) & LDNS_KEY_ZONE_KEY) {
251 current_sig = ldns_create_empty_rrsig(rrset_clone,
252 current_key);
253
254 /* right now, we have: a key, a semi-sig and an rrset. For
255 * which we can create the sig and base64 encode that and
256 * add that to the signature */
257
258 if (ldns_rrsig2buffer_wire(sign_buf, current_sig)
259 != LDNS_STATUS_OK) {
260 ldns_buffer_free(sign_buf);
261 /* ERROR */
262 ldns_rr_list_deep_free(rrset_clone);
263 ldns_rr_free(current_sig);
264 ldns_rr_list_deep_free(signatures);
265 return NULL;
266 }
267
268 /* add the rrset in sign_buf */
269 if (ldns_rr_list2buffer_wire(sign_buf, rrset_clone)
270 != LDNS_STATUS_OK) {
271 ldns_buffer_free(sign_buf);
272 ldns_rr_list_deep_free(rrset_clone);
273 ldns_rr_free(current_sig);
274 ldns_rr_list_deep_free(signatures);
275 return NULL;
276 }
277
278 b64rdf = ldns_sign_public_buffer(sign_buf, current_key);
279
280 if (!b64rdf) {
281 /* signing went wrong */
282 ldns_rr_list_deep_free(rrset_clone);
283 ldns_rr_free(current_sig);
284 ldns_rr_list_deep_free(signatures);
285 return NULL;
286 }
287
288 ldns_rr_rrsig_set_sig(current_sig, b64rdf);
289
290 /* push the signature to the signatures list */
291 ldns_rr_list_push_rr(signatures, current_sig);
292 }
293 ldns_buffer_free(sign_buf); /* restart for the next key */
294 }
295 ldns_rr_list_deep_free(rrset_clone);
296
297 return signatures;
298 }
299
300 /**
301 * Sign data with DSA
302 *
303 * \param[in] to_sign The ldns_buffer containing raw data that is
304 * to be signed
305 * \param[in] key The DSA key structure to sign with
306 * \return ldns_rdf for the RRSIG ldns_rr
307 */
308 ldns_rdf *
309 ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key)
310 {
311 unsigned char *sha1_hash;
312 ldns_rdf *sigdata_rdf;
313 ldns_buffer *b64sig;
314
315 DSA_SIG *sig;
316 uint8_t *data;
317 size_t pad;
318
319 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN);
320 if (!b64sig) {
321 return NULL;
322 }
323
324 sha1_hash = SHA1((unsigned char*)ldns_buffer_begin(to_sign),
325 ldns_buffer_position(to_sign), NULL);
326 if (!sha1_hash) {
327 ldns_buffer_free(b64sig);
328 return NULL;
329 }
330
331 sig = DSA_do_sign(sha1_hash, SHA_DIGEST_LENGTH, key);
332 if(!sig) {
333 ldns_buffer_free(b64sig);
334 return NULL;
335 }
336
337 data = LDNS_XMALLOC(uint8_t, 1 + 2 * SHA_DIGEST_LENGTH);
338 if(!data) {
339 ldns_buffer_free(b64sig);
340 DSA_SIG_free(sig);
341 return NULL;
342 }
343
344 data[0] = 1;
345 pad = 20 - (size_t) BN_num_bytes(sig->r);
346 if (pad > 0) {
347 memset(data + 1, 0, pad);
348 }
349 BN_bn2bin(sig->r, (unsigned char *) (data + 1) + pad);
350
351 pad = 20 - (size_t) BN_num_bytes(sig->s);
352 if (pad > 0) {
353 memset(data + 1 + SHA_DIGEST_LENGTH, 0, pad);
354 }
355 BN_bn2bin(sig->s, (unsigned char *) (data + 1 + SHA_DIGEST_LENGTH + pad));
356
357 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64,
358 1 + 2 * SHA_DIGEST_LENGTH,
359 data);
360
361 ldns_buffer_free(b64sig);
362 LDNS_FREE(data);
363 DSA_SIG_free(sig);
364
365 return sigdata_rdf;
366 }
367
368 #ifdef USE_ECDSA
369 #ifndef S_SPLINT_S
370 static int
371 ldns_pkey_is_ecdsa(EVP_PKEY* pkey)
372 {
373 EC_KEY* ec;
374 const EC_GROUP* g;
375 if(EVP_PKEY_type(pkey->type) != EVP_PKEY_EC)
376 return 0;
377 ec = EVP_PKEY_get1_EC_KEY(pkey);
378 g = EC_KEY_get0_group(ec);
379 if(!g) {
380 EC_KEY_free(ec);
381 return 0;
382 }
383 if(EC_GROUP_get_curve_name(g) == NID_secp224r1 ||
384 EC_GROUP_get_curve_name(g) == NID_X9_62_prime256v1 ||
385 EC_GROUP_get_curve_name(g) == NID_secp384r1) {
386 EC_KEY_free(ec);
387 return 1;
388 }
389 /* downref the eckey, the original is still inside the pkey */
390 EC_KEY_free(ec);
391 return 0;
392 }
393 #endif /* splint */
394 #endif /* USE_ECDSA */
395
396 ldns_rdf *
397 ldns_sign_public_evp(ldns_buffer *to_sign,
398 EVP_PKEY *key,
399 const EVP_MD *digest_type)
400 {
401 unsigned int siglen;
402 ldns_rdf *sigdata_rdf;
403 ldns_buffer *b64sig;
404 EVP_MD_CTX ctx;
405 const EVP_MD *md_type;
406 int r;
407
408 siglen = 0;
409 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN);
410 if (!b64sig) {
411 return NULL;
412 }
413
414 /* initializes a signing context */
415 md_type = digest_type;
416 if(!md_type) {
417 /* unknown message difest */
418 ldns_buffer_free(b64sig);
419 return NULL;
420 }
421
422 EVP_MD_CTX_init(&ctx);
423 r = EVP_SignInit(&ctx, md_type);
424 if(r == 1) {
425 r = EVP_SignUpdate(&ctx, (unsigned char*)
426 ldns_buffer_begin(to_sign),
427 ldns_buffer_position(to_sign));
428 } else {
429 ldns_buffer_free(b64sig);
430 return NULL;
431 }
432 if(r == 1) {
433 r = EVP_SignFinal(&ctx, (unsigned char*)
434 ldns_buffer_begin(b64sig), &siglen, key);
435 } else {
436 ldns_buffer_free(b64sig);
437 return NULL;
438 }
439 if(r != 1) {
440 ldns_buffer_free(b64sig);
441 return NULL;
442 }
443
444 /* unfortunately, OpenSSL output is differenct from DNS DSA format */
445 #ifndef S_SPLINT_S
446 if (EVP_PKEY_type(key->type) == EVP_PKEY_DSA) {
447 sigdata_rdf = ldns_convert_dsa_rrsig_asn12rdf(b64sig, siglen);
448 #ifdef USE_ECDSA
449 } else if(EVP_PKEY_type(key->type) == EVP_PKEY_EC &&
450 ldns_pkey_is_ecdsa(key)) {
451 sigdata_rdf = ldns_convert_ecdsa_rrsig_asn12rdf(b64sig, siglen);
452 #endif
453 } else {
454 /* ok output for other types is the same */
455 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen,
456 ldns_buffer_begin(b64sig));
457 }
458 #endif /* splint */
459 ldns_buffer_free(b64sig);
460 EVP_MD_CTX_cleanup(&ctx);
461 return sigdata_rdf;
462 }
463
464 ldns_rdf *
465 ldns_sign_public_rsasha1(ldns_buffer *to_sign, RSA *key)
466 {
467 unsigned char *sha1_hash;
468 unsigned int siglen;
469 ldns_rdf *sigdata_rdf;
470 ldns_buffer *b64sig;
471 int result;
472
473 siglen = 0;
474 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN);
475 if (!b64sig) {
476 return NULL;
477 }
478
479 sha1_hash = SHA1((unsigned char*)ldns_buffer_begin(to_sign),
480 ldns_buffer_position(to_sign), NULL);
481 if (!sha1_hash) {
482 ldns_buffer_free(b64sig);
483 return NULL;
484 }
485
486 result = RSA_sign(NID_sha1, sha1_hash, SHA_DIGEST_LENGTH,
487 (unsigned char*)ldns_buffer_begin(b64sig),
488 &siglen, key);
489 if (result != 1) {
490 ldns_buffer_free(b64sig);
491 return NULL;
492 }
493
494 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen,
495 ldns_buffer_begin(b64sig));
496 ldns_buffer_free(b64sig); /* can't free this buffer ?? */
497 return sigdata_rdf;
498 }
499
500 ldns_rdf *
501 ldns_sign_public_rsamd5(ldns_buffer *to_sign, RSA *key)
502 {
503 unsigned char *md5_hash;
504 unsigned int siglen;
505 ldns_rdf *sigdata_rdf;
506 ldns_buffer *b64sig;
507
508 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN);
509 if (!b64sig) {
510 return NULL;
511 }
512
513 md5_hash = MD5((unsigned char*)ldns_buffer_begin(to_sign),
514 ldns_buffer_position(to_sign), NULL);
515 if (!md5_hash) {
516 ldns_buffer_free(b64sig);
517 return NULL;
518 }
519
520 RSA_sign(NID_md5, md5_hash, MD5_DIGEST_LENGTH,
521 (unsigned char*)ldns_buffer_begin(b64sig),
522 &siglen, key);
523
524 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen,
525 ldns_buffer_begin(b64sig));
526 ldns_buffer_free(b64sig);
527 return sigdata_rdf;
528 }
529 #endif /* HAVE_SSL */
530
531 /**
532 * Pushes all rrs from the rrsets of type A and AAAA on gluelist.
533 */
534 static ldns_status
535 ldns_dnssec_addresses_on_glue_list(
536 ldns_dnssec_rrsets *cur_rrset,
537 ldns_rr_list *glue_list)
538 {
539 ldns_dnssec_rrs *cur_rrs;
540 while (cur_rrset) {
541 if (cur_rrset->type == LDNS_RR_TYPE_A
542 || cur_rrset->type == LDNS_RR_TYPE_AAAA) {
543 for (cur_rrs = cur_rrset->rrs;
544 cur_rrs;
545 cur_rrs = cur_rrs->next) {
546 if (cur_rrs->rr) {
547 if (!ldns_rr_list_push_rr(glue_list,
548 cur_rrs->rr)) {
549 return LDNS_STATUS_MEM_ERR;
550 /* ldns_rr_list_push_rr()
551 * returns false when unable
552 * to increase the capacity
553 * of the ldsn_rr_list
554 */
555 }
556 }
557 }
558 }
559 cur_rrset = cur_rrset->next;
560 }
561 return LDNS_STATUS_OK;
562 }
563
564 /**
565 * Marks the names in the zone that are occluded. Those names will be skipped
566 * when walking the tree with the ldns_dnssec_name_node_next_nonglue()
567 * function. But watch out! Names that are partially occluded (like glue with
568 * the same name as the delegation) will not be marked and should specifically
569 * be taken into account seperately.
570 *
571 * When glue_list is given (not NULL), in the process of marking the names, all
572 * glue resource records will be pushed to that list, even glue at delegation names.
573 *
574 * \param[in] zone the zone in which to mark the names
575 * \param[in] glue_list the list to which to push the glue rrs
576 * \return LDNS_STATUS_OK on success, an error code otherwise
577 */
578 ldns_status
579 ldns_dnssec_zone_mark_and_get_glue(ldns_dnssec_zone *zone,
580 ldns_rr_list *glue_list)
581 {
582 ldns_rbnode_t *node;
583 ldns_dnssec_name *name;
584 ldns_rdf *owner;
585 ldns_rdf *cut = NULL; /* keeps track of zone cuts */
586 /* When the cut is caused by a delegation, below_delegation will be 1.
587 * When caused by a DNAME, below_delegation will be 0.
588 */
589 int below_delegation = -1; /* init suppresses comiler warning */
590 ldns_status s;
591
592 if (!zone || !zone->names) {
593 return LDNS_STATUS_NULL;
594 }
595 for (node = ldns_rbtree_first(zone->names);
596 node != LDNS_RBTREE_NULL;
597 node = ldns_rbtree_next(node)) {
598 name = (ldns_dnssec_name *) node->data;
599 owner = ldns_dnssec_name_name(name);
600
601 if (cut) {
602 /* The previous node was a zone cut, or a subdomain
603 * below a zone cut. Is this node (still) a subdomain
604 * below the cut? Then the name is occluded. Unless
605 * the name contains a SOA, after which we are
606 * authoritative again.
607 *
608 * FIXME! If there are labels in between the SOA and
609 * the cut, going from the authoritative space (below
610 * the SOA) up into occluded space again, will not be
611 * detected with the contruct below!
612 */
613 if (ldns_dname_is_subdomain(owner, cut) &&
614 !ldns_dnssec_rrsets_contains_type(
615 name->rrsets, LDNS_RR_TYPE_SOA)) {
616
617 if (below_delegation && glue_list) {
618 s = ldns_dnssec_addresses_on_glue_list(
619 name->rrsets, glue_list);
620 if (s != LDNS_STATUS_OK) {
621 return s;
622 }
623 }
624 name->is_glue = true; /* Mark occluded name! */
625 continue;
626 } else {
627 cut = NULL;
628 }
629 }
630
631 /* The node is not below a zone cut. Is it a zone cut itself?
632 * Everything below a SOA is authoritative of course; Except
633 * when the name also contains a DNAME :).
634 */
635 if (ldns_dnssec_rrsets_contains_type(
636 name->rrsets, LDNS_RR_TYPE_NS)
637 && !ldns_dnssec_rrsets_contains_type(
638 name->rrsets, LDNS_RR_TYPE_SOA)) {
639 cut = owner;
640 below_delegation = 1;
641 if (glue_list) { /* record glue on the zone cut */
642 s = ldns_dnssec_addresses_on_glue_list(
643 name->rrsets, glue_list);
644 if (s != LDNS_STATUS_OK) {
645 return s;
646 }
647 }
648 } else if (ldns_dnssec_rrsets_contains_type(
649 name->rrsets, LDNS_RR_TYPE_DNAME)) {
650 cut = owner;
651 below_delegation = 0;
652 }
653 }
654 return LDNS_STATUS_OK;
655 }
656
657 /**
658 * Marks the names in the zone that are occluded. Those names will be skipped
659 * when walking the tree with the ldns_dnssec_name_node_next_nonglue()
660 * function. But watch out! Names that are partially occluded (like glue with
661 * the same name as the delegation) will not be marked and should specifically
662 * be taken into account seperately.
663 *
664 * \param[in] zone the zone in which to mark the names
665 * \return LDNS_STATUS_OK on success, an error code otherwise
666 */
667 ldns_status
668 ldns_dnssec_zone_mark_glue(ldns_dnssec_zone *zone)
669 {
670 return ldns_dnssec_zone_mark_and_get_glue(zone, NULL);
671 }
672
673 ldns_rbnode_t *
674 ldns_dnssec_name_node_next_nonglue(ldns_rbnode_t *node)
675 {
676 ldns_rbnode_t *next_node = NULL;
677 ldns_dnssec_name *next_name = NULL;
678 bool done = false;
679
680 if (node == LDNS_RBTREE_NULL) {
681 return NULL;
682 }
683 next_node = node;
684 while (!done) {
685 if (next_node == LDNS_RBTREE_NULL) {
686 return NULL;
687 } else {
688 next_name = (ldns_dnssec_name *)next_node->data;
689 if (!next_name->is_glue) {
690 done = true;
691 } else {
692 next_node = ldns_rbtree_next(next_node);
693 }
694 }
695 }
696 return next_node;
697 }
698
699 ldns_status
700 ldns_dnssec_zone_create_nsecs(ldns_dnssec_zone *zone,
701 ldns_rr_list *new_rrs)
702 {
703
704 ldns_rbnode_t *first_node, *cur_node, *next_node;
705 ldns_dnssec_name *cur_name, *next_name;
706 ldns_rr *nsec_rr;
707 uint32_t nsec_ttl;
708 ldns_dnssec_rrsets *soa;
709
710 /* the TTL of NSEC rrs should be set to the minimum TTL of
711 * the zone SOA (RFC4035 Section 2.3)
712 */
713 soa = ldns_dnssec_name_find_rrset(zone->soa, LDNS_RR_TYPE_SOA);
714
715 /* did the caller actually set it? if not,
716 * fall back to default ttl
717 */
718 if (soa && soa->rrs && soa->rrs->rr
719 && (ldns_rr_rdf(soa->rrs->rr, 6) != NULL)) {
720 nsec_ttl = ldns_rdf2native_int32(ldns_rr_rdf(soa->rrs->rr, 6));
721 } else {
722 nsec_ttl = LDNS_DEFAULT_TTL;
723 }
724
725 first_node = ldns_dnssec_name_node_next_nonglue(
726 ldns_rbtree_first(zone->names));
727 cur_node = first_node;
728 if (cur_node) {
729 next_node = ldns_dnssec_name_node_next_nonglue(
730 ldns_rbtree_next(cur_node));
731 } else {
732 next_node = NULL;
733 }
734
735 while (cur_node && next_node) {
736 cur_name = (ldns_dnssec_name *)cur_node->data;
737 next_name = (ldns_dnssec_name *)next_node->data;
738 nsec_rr = ldns_dnssec_create_nsec(cur_name,
739 next_name,
740 LDNS_RR_TYPE_NSEC);
741 ldns_rr_set_ttl(nsec_rr, nsec_ttl);
742 if(ldns_dnssec_name_add_rr(cur_name, nsec_rr)!=LDNS_STATUS_OK){
743 ldns_rr_free(nsec_rr);
744 return LDNS_STATUS_ERR;
745 }
746 ldns_rr_list_push_rr(new_rrs, nsec_rr);
747 cur_node = next_node;
748 if (cur_node) {
749 next_node = ldns_dnssec_name_node_next_nonglue(
750 ldns_rbtree_next(cur_node));
751 }
752 }
753
754 if (cur_node && !next_node) {
755 cur_name = (ldns_dnssec_name *)cur_node->data;
756 next_name = (ldns_dnssec_name *)first_node->data;
757 nsec_rr = ldns_dnssec_create_nsec(cur_name,
758 next_name,
759 LDNS_RR_TYPE_NSEC);
760 ldns_rr_set_ttl(nsec_rr, nsec_ttl);
761 if(ldns_dnssec_name_add_rr(cur_name, nsec_rr)!=LDNS_STATUS_OK){
762 ldns_rr_free(nsec_rr);
763 return LDNS_STATUS_ERR;
764 }
765 ldns_rr_list_push_rr(new_rrs, nsec_rr);
766 } else {
767 printf("error\n");
768 }
769
770 return LDNS_STATUS_OK;
771 }
772
773 #ifdef HAVE_SSL
774 /* in dnssec_zone.c */
775 extern int ldns_dname_compare_v(const void *a, const void *b);
776
777 ldns_status
778 ldns_dnssec_zone_create_nsec3s_mkmap(ldns_dnssec_zone *zone,
779 ldns_rr_list *new_rrs,
780 uint8_t algorithm,
781 uint8_t flags,
782 uint16_t iterations,
783 uint8_t salt_length,
784 uint8_t *salt,
785 ldns_rbtree_t **map)
786 {
787 ldns_rbnode_t *first_name_node;
788 ldns_rbnode_t *current_name_node;
789 ldns_dnssec_name *current_name;
790 ldns_status result = LDNS_STATUS_OK;
791 ldns_rr *nsec_rr;
792 ldns_rr_list *nsec3_list;
793 uint32_t nsec_ttl;
794 ldns_dnssec_rrsets *soa;
795 ldns_rbnode_t *hashmap_node;
796
797 if (!zone || !new_rrs || !zone->names) {
798 return LDNS_STATUS_ERR;
799 }
800
801 /* the TTL of NSEC rrs should be set to the minimum TTL of
802 * the zone SOA (RFC4035 Section 2.3)
803 */
804 soa = ldns_dnssec_name_find_rrset(zone->soa, LDNS_RR_TYPE_SOA);
805
806 /* did the caller actually set it? if not,
807 * fall back to default ttl
808 */
809 if (soa && soa->rrs && soa->rrs->rr
810 && ldns_rr_rdf(soa->rrs->rr, 6) != NULL) {
811 nsec_ttl = ldns_rdf2native_int32(ldns_rr_rdf(soa->rrs->rr, 6));
812 } else {
813 nsec_ttl = LDNS_DEFAULT_TTL;
814 }
815
816 if (map) {
817 if ((*map = ldns_rbtree_create(ldns_dname_compare_v))
818 == NULL) {
819 map = NULL;
820 };
821 }
822 nsec3_list = ldns_rr_list_new();
823
824 first_name_node = ldns_dnssec_name_node_next_nonglue(
825 ldns_rbtree_first(zone->names));
826
827 current_name_node = first_name_node;
828
829 while (current_name_node &&
830 current_name_node != LDNS_RBTREE_NULL) {
831 current_name = (ldns_dnssec_name *) current_name_node->data;
832 nsec_rr = ldns_dnssec_create_nsec3(current_name,
833 NULL,
834 zone->soa->name,
835 algorithm,
836 flags,
837 iterations,
838 salt_length,
839 salt);
840 /* by default, our nsec based generator adds rrsigs
841 * remove the bitmap for empty nonterminals */
842 if (!current_name->rrsets) {
843 ldns_rdf_deep_free(ldns_rr_pop_rdf(nsec_rr));
844 }
845 ldns_rr_set_ttl(nsec_rr, nsec_ttl);
846 result = ldns_dnssec_name_add_rr(current_name, nsec_rr);
847 ldns_rr_list_push_rr(new_rrs, nsec_rr);
848 ldns_rr_list_push_rr(nsec3_list, nsec_rr);
849 if (map) {
850 hashmap_node = LDNS_MALLOC(ldns_rbnode_t);
851 if (hashmap_node && ldns_rr_owner(nsec_rr)) {
852 hashmap_node->key = ldns_dname_label(
853 ldns_rr_owner(nsec_rr), 0);
854 if (hashmap_node->key) {
855 hashmap_node->data = current_name->name;
856 (void) ldns_rbtree_insert(
857 *map, hashmap_node);
858 }
859 }
860 }
861 current_name_node = ldns_dnssec_name_node_next_nonglue(
862 ldns_rbtree_next(current_name_node));
863 }
864 if (result != LDNS_STATUS_OK) {
865 ldns_rr_list_free(nsec3_list);
866 return result;
867 }
868
869 ldns_rr_list_sort_nsec3(nsec3_list);
870 result = ldns_dnssec_chain_nsec3_list(nsec3_list);
871 ldns_rr_list_free(nsec3_list);
872
873 return result;
874 }
875
876 ldns_status
877 ldns_dnssec_zone_create_nsec3s(ldns_dnssec_zone *zone,
878 ldns_rr_list *new_rrs,
879 uint8_t algorithm,
880 uint8_t flags,
881 uint16_t iterations,
882 uint8_t salt_length,
883 uint8_t *salt)
884 {
885 return ldns_dnssec_zone_create_nsec3s_mkmap(zone, new_rrs, algorithm,
886 flags, iterations, salt_length, salt, NULL);
887
888 }
889 #endif /* HAVE_SSL */
890
891 ldns_dnssec_rrs *
892 ldns_dnssec_remove_signatures( ldns_dnssec_rrs *signatures
893 , ATTR_UNUSED(ldns_key_list *key_list)
894 , int (*func)(ldns_rr *, void *)
895 , void *arg
896 )
897 {
898 ldns_dnssec_rrs *base_rrs = signatures;
899 ldns_dnssec_rrs *cur_rr = base_rrs;
900 ldns_dnssec_rrs *prev_rr = NULL;
901 ldns_dnssec_rrs *next_rr;
902
903 uint16_t keytag;
904 size_t i;
905
906 if (!cur_rr) {
907 switch(func(NULL, arg)) {
908 case LDNS_SIGNATURE_LEAVE_ADD_NEW:
909 case LDNS_SIGNATURE_REMOVE_ADD_NEW:
910 break;
911 case LDNS_SIGNATURE_LEAVE_NO_ADD:
912 case LDNS_SIGNATURE_REMOVE_NO_ADD:
913 ldns_key_list_set_use(key_list, false);
914 break;
915 default:
916 fprintf(stderr, "[XX] unknown return value from callback\n");
917 break;
918 }
919 return NULL;
920 }
921 (void)func(cur_rr->rr, arg);
922
923 while (cur_rr) {
924 next_rr = cur_rr->next;
925
926 switch (func(cur_rr->rr, arg)) {
927 case LDNS_SIGNATURE_LEAVE_ADD_NEW:
928 prev_rr = cur_rr;
929 break;
930 case LDNS_SIGNATURE_LEAVE_NO_ADD:
931 keytag = ldns_rdf2native_int16(
932 ldns_rr_rrsig_keytag(cur_rr->rr));
933 for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
934 if (ldns_key_keytag(ldns_key_list_key(key_list, i)) ==
935 keytag) {
936 ldns_key_set_use(ldns_key_list_key(key_list, i),
937 false);
938 }
939 }
940 prev_rr = cur_rr;
941 break;
942 case LDNS_SIGNATURE_REMOVE_NO_ADD:
943 keytag = ldns_rdf2native_int16(
944 ldns_rr_rrsig_keytag(cur_rr->rr));
945 for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
946 if (ldns_key_keytag(ldns_key_list_key(key_list, i))
947 == keytag) {
948 ldns_key_set_use(ldns_key_list_key(key_list, i),
949 false);
950 }
951 }
952 if (prev_rr) {
953 prev_rr->next = next_rr;
954 } else {
955 base_rrs = next_rr;
956 }
957 LDNS_FREE(cur_rr);
958 break;
959 case LDNS_SIGNATURE_REMOVE_ADD_NEW:
960 if (prev_rr) {
961 prev_rr->next = next_rr;
962 } else {
963 base_rrs = next_rr;
964 }
965 LDNS_FREE(cur_rr);
966 break;
967 default:
968 fprintf(stderr, "[XX] unknown return value from callback\n");
969 break;
970 }
971 cur_rr = next_rr;
972 }
973
974 return base_rrs;
975 }
976
977 #ifdef HAVE_SSL
978 ldns_status
979 ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone *zone,
980 ldns_rr_list *new_rrs,
981 ldns_key_list *key_list,
982 int (*func)(ldns_rr *, void*),
983 void *arg)
984 {
985 return ldns_dnssec_zone_create_rrsigs_flg(zone, new_rrs, key_list,
986 func, arg, 0);
987 }
988
989 /** If there are KSKs use only them and mark ZSKs unused */
990 static void
991 ldns_key_list_filter_for_dnskey(ldns_key_list *key_list)
992 {
993 int saw_ksk = 0;
994 size_t i;
995 for(i=0; i<ldns_key_list_key_count(key_list); i++)
996 if((ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY)) {
997 saw_ksk = 1;
998 break;
999 }
1000 if(!saw_ksk)
1001 return;
1002 for(i=0; i<ldns_key_list_key_count(key_list); i++)
1003 if(!(ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY))
1004 ldns_key_set_use(ldns_key_list_key(key_list, i), 0);
1005 }
1006
1007 /** If there are no ZSKs use KSK as ZSK */
1008 static void
1009 ldns_key_list_filter_for_non_dnskey(ldns_key_list *key_list)
1010 {
1011 int saw_zsk = 0;
1012 size_t i;
1013 for(i=0; i<ldns_key_list_key_count(key_list); i++)
1014 if(!(ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY)) {
1015 saw_zsk = 1;
1016 break;
1017 }
1018 if(!saw_zsk)
1019 return;
1020 /* else filter all KSKs */
1021 for(i=0; i<ldns_key_list_key_count(key_list); i++)
1022 if((ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY))
1023 ldns_key_set_use(ldns_key_list_key(key_list, i), 0);
1024 }
1025
1026 ldns_status
1027 ldns_dnssec_zone_create_rrsigs_flg( ldns_dnssec_zone *zone
1028 , ldns_rr_list *new_rrs
1029 , ldns_key_list *key_list
1030 , int (*func)(ldns_rr *, void*)
1031 , void *arg
1032 , int flags
1033 )
1034 {
1035 ldns_status result = LDNS_STATUS_OK;
1036
1037 ldns_rbnode_t *cur_node;
1038 ldns_rr_list *rr_list;
1039
1040 ldns_dnssec_name *cur_name;
1041 ldns_dnssec_rrsets *cur_rrset;
1042 ldns_dnssec_rrs *cur_rr;
1043
1044 ldns_rr_list *siglist;
1045
1046 size_t i;
1047
1048 int on_delegation_point = 0; /* handle partially occluded names */
1049
1050 ldns_rr_list *pubkey_list = ldns_rr_list_new();
1051 for (i = 0; i<ldns_key_list_key_count(key_list); i++) {
1052 ldns_rr_list_push_rr( pubkey_list
1053 , ldns_key2rr(ldns_key_list_key(
1054 key_list, i))
1055 );
1056 }
1057 /* TODO: callback to see is list should be signed */
1058 /* TODO: remove 'old' signatures from signature list */
1059 cur_node = ldns_rbtree_first(zone->names);
1060 while (cur_node != LDNS_RBTREE_NULL) {
1061 cur_name = (ldns_dnssec_name *) cur_node->data;
1062
1063 if (!cur_name->is_glue) {
1064 on_delegation_point = ldns_dnssec_rrsets_contains_type(
1065 cur_name->rrsets, LDNS_RR_TYPE_NS)
1066 && !ldns_dnssec_rrsets_contains_type(
1067 cur_name->rrsets, LDNS_RR_TYPE_SOA);
1068 cur_rrset = cur_name->rrsets;
1069 while (cur_rrset) {
1070 /* reset keys to use */
1071 ldns_key_list_set_use(key_list, true);
1072
1073 /* walk through old sigs, remove the old,
1074 and mark which keys (not) to use) */
1075 cur_rrset->signatures =
1076 ldns_dnssec_remove_signatures(cur_rrset->signatures,
1077 key_list,
1078 func,
1079 arg);
1080 if(!(flags&LDNS_SIGN_DNSKEY_WITH_ZSK) &&
1081 cur_rrset->type == LDNS_RR_TYPE_DNSKEY)
1082 ldns_key_list_filter_for_dnskey(key_list);
1083
1084 if(cur_rrset->type != LDNS_RR_TYPE_DNSKEY)
1085 ldns_key_list_filter_for_non_dnskey(key_list);
1086
1087 /* TODO: just set count to zero? */
1088 rr_list = ldns_rr_list_new();
1089
1090 cur_rr = cur_rrset->rrs;
1091 while (cur_rr) {
1092 ldns_rr_list_push_rr(rr_list, cur_rr->rr);
1093 cur_rr = cur_rr->next;
1094 }
1095
1096 /* only sign non-delegation RRsets */
1097 /* (glue should have been marked earlier,
1098 * except on the delegation points itself) */
1099 if (!on_delegation_point ||
1100 ldns_rr_list_type(rr_list)
1101 == LDNS_RR_TYPE_DS ||
1102 ldns_rr_list_type(rr_list)
1103 == LDNS_RR_TYPE_NSEC ||
1104 ldns_rr_list_type(rr_list)
1105 == LDNS_RR_TYPE_NSEC3) {
1106 siglist = ldns_sign_public(rr_list, key_list);
1107 for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) {
1108 if (cur_rrset->signatures) {
1109 result = ldns_dnssec_rrs_add_rr(cur_rrset->signatures,
1110 ldns_rr_list_rr(siglist,
1111 i));
1112 } else {
1113 cur_rrset->signatures = ldns_dnssec_rrs_new();
1114 cur_rrset->signatures->rr =
1115 ldns_rr_list_rr(siglist, i);
1116 }
1117 if (new_rrs) {
1118 ldns_rr_list_push_rr(new_rrs,
1119 ldns_rr_list_rr(siglist,
1120 i));
1121 }
1122 }
1123 ldns_rr_list_free(siglist);
1124 }
1125
1126 ldns_rr_list_free(rr_list);
1127
1128 cur_rrset = cur_rrset->next;
1129 }
1130
1131 /* sign the nsec */
1132 ldns_key_list_set_use(key_list, true);
1133 cur_name->nsec_signatures =
1134 ldns_dnssec_remove_signatures(cur_name->nsec_signatures,
1135 key_list,
1136 func,
1137 arg);
1138 ldns_key_list_filter_for_non_dnskey(key_list);
1139
1140 rr_list = ldns_rr_list_new();
1141 ldns_rr_list_push_rr(rr_list, cur_name->nsec);
1142 siglist = ldns_sign_public(rr_list, key_list);
1143
1144 for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) {
1145 if (cur_name->nsec_signatures) {
1146 result = ldns_dnssec_rrs_add_rr(cur_name->nsec_signatures,
1147 ldns_rr_list_rr(siglist, i));
1148 } else {
1149 cur_name->nsec_signatures = ldns_dnssec_rrs_new();
1150 cur_name->nsec_signatures->rr =
1151 ldns_rr_list_rr(siglist, i);
1152 }
1153 if (new_rrs) {
1154 ldns_rr_list_push_rr(new_rrs,
1155 ldns_rr_list_rr(siglist, i));
1156 }
1157 }
1158
1159 ldns_rr_list_free(siglist);
1160 ldns_rr_list_free(rr_list);
1161 }
1162 cur_node = ldns_rbtree_next(cur_node);
1163 }
1164
1165 ldns_rr_list_deep_free(pubkey_list);
1166 return result;
1167 }
1168
1169 ldns_status
1170 ldns_dnssec_zone_sign(ldns_dnssec_zone *zone,
1171 ldns_rr_list *new_rrs,
1172 ldns_key_list *key_list,
1173 int (*func)(ldns_rr *, void *),
1174 void *arg)
1175 {
1176 return ldns_dnssec_zone_sign_flg(zone, new_rrs, key_list, func, arg, 0);
1177 }
1178
1179 ldns_status
1180 ldns_dnssec_zone_sign_flg(ldns_dnssec_zone *zone,
1181 ldns_rr_list *new_rrs,
1182 ldns_key_list *key_list,
1183 int (*func)(ldns_rr *, void *),
1184 void *arg,
1185 int flags)
1186 {
1187 ldns_status result = LDNS_STATUS_OK;
1188
1189 if (!zone || !new_rrs || !key_list) {
1190 return LDNS_STATUS_ERR;
1191 }
1192
1193 /* zone is already sorted */
1194 result = ldns_dnssec_zone_mark_glue(zone);
1195 if (result != LDNS_STATUS_OK) {
1196 return result;
1197 }
1198
1199 /* check whether we need to add nsecs */
1200 if (zone->names && !((ldns_dnssec_name *)zone->names->root->data)->nsec) {
1201 result = ldns_dnssec_zone_create_nsecs(zone, new_rrs);
1202 if (result != LDNS_STATUS_OK) {
1203 return result;
1204 }
1205 }
1206
1207 result = ldns_dnssec_zone_create_rrsigs_flg(zone,
1208 new_rrs,
1209 key_list,
1210 func,
1211 arg,
1212 flags);
1213
1214 return result;
1215 }
1216
1217 ldns_status
1218 ldns_dnssec_zone_sign_nsec3(ldns_dnssec_zone *zone,
1219 ldns_rr_list *new_rrs,
1220 ldns_key_list *key_list,
1221 int (*func)(ldns_rr *, void *),
1222 void *arg,
1223 uint8_t algorithm,
1224 uint8_t flags,
1225 uint16_t iterations,
1226 uint8_t salt_length,
1227 uint8_t *salt)
1228 {
1229 return ldns_dnssec_zone_sign_nsec3_flg_mkmap(zone, new_rrs, key_list,
1230 func, arg, algorithm, flags, iterations, salt_length, salt, 0,
1231 NULL);
1232 }
1233
1234 ldns_status
1235 ldns_dnssec_zone_sign_nsec3_flg_mkmap(ldns_dnssec_zone *zone,
1236 ldns_rr_list *new_rrs,
1237 ldns_key_list *key_list,
1238 int (*func)(ldns_rr *, void *),
1239 void *arg,
1240 uint8_t algorithm,
1241 uint8_t flags,
1242 uint16_t iterations,
1243 uint8_t salt_length,
1244 uint8_t *salt,
1245 int signflags,
1246 ldns_rbtree_t **map)
1247 {
1248 ldns_rr *nsec3, *nsec3param;
1249 ldns_status result = LDNS_STATUS_OK;
1250
1251 /* zone is already sorted */
1252 result = ldns_dnssec_zone_mark_glue(zone);
1253 if (result != LDNS_STATUS_OK) {
1254 return result;
1255 }
1256
1257 /* TODO if there are already nsec3s presents and their
1258 * parameters are the same as these, we don't have to recreate
1259 */
1260 if (zone->names) {
1261 /* add empty nonterminals */
1262 result = ldns_dnssec_zone_add_empty_nonterminals(zone);
1263 if (result != LDNS_STATUS_OK) {
1264 return result;
1265 }
1266
1267 nsec3 = ((ldns_dnssec_name *)zone->names->root->data)->nsec;
1268 if (nsec3 && ldns_rr_get_type(nsec3) == LDNS_RR_TYPE_NSEC3) {
1269 /* no need to recreate */
1270 } else {
1271 if (!ldns_dnssec_zone_find_rrset(zone,
1272 zone->soa->name,
1273 LDNS_RR_TYPE_NSEC3PARAM)) {
1274 /* create and add the nsec3param rr */
1275 nsec3param =
1276 ldns_rr_new_frm_type(LDNS_RR_TYPE_NSEC3PARAM);
1277 ldns_rr_set_owner(nsec3param,
1278 ldns_rdf_clone(zone->soa->name));
1279 ldns_nsec3_add_param_rdfs(nsec3param,
1280 algorithm,
1281 flags,
1282 iterations,
1283 salt_length,
1284 salt);
1285 /* always set bit 7 of the flags to zero, according to
1286 * rfc5155 section 11. The bits are counted from right to left,
1287 * so bit 7 in rfc5155 is bit 0 in ldns */
1288 ldns_set_bit(ldns_rdf_data(ldns_rr_rdf(nsec3param, 1)), 0, 0);
1289 result = ldns_dnssec_zone_add_rr(zone, nsec3param);
1290 if (result != LDNS_STATUS_OK) {
1291 return result;
1292 }
1293 ldns_rr_list_push_rr(new_rrs, nsec3param);
1294 }
1295 result = ldns_dnssec_zone_create_nsec3s_mkmap(zone,
1296 new_rrs,
1297 algorithm,
1298 flags,
1299 iterations,
1300 salt_length,
1301 salt,
1302 map);
1303 if (result != LDNS_STATUS_OK) {
1304 return result;
1305 }
1306 }
1307
1308 result = ldns_dnssec_zone_create_rrsigs_flg(zone,
1309 new_rrs,
1310 key_list,
1311 func,
1312 arg,
1313 signflags);
1314 }
1315
1316 return result;
1317 }
1318
1319 ldns_status
1320 ldns_dnssec_zone_sign_nsec3_flg(ldns_dnssec_zone *zone,
1321 ldns_rr_list *new_rrs,
1322 ldns_key_list *key_list,
1323 int (*func)(ldns_rr *, void *),
1324 void *arg,
1325 uint8_t algorithm,
1326 uint8_t flags,
1327 uint16_t iterations,
1328 uint8_t salt_length,
1329 uint8_t *salt,
1330 int signflags)
1331 {
1332 return ldns_dnssec_zone_sign_nsec3_flg_mkmap(zone, new_rrs, key_list,
1333 func, arg, algorithm, flags, iterations, salt_length, salt,
1334 signflags, NULL);
1335 }
1336
1337 ldns_zone *
1338 ldns_zone_sign(const ldns_zone *zone, ldns_key_list *key_list)
1339 {
1340 ldns_dnssec_zone *dnssec_zone;
1341 ldns_zone *signed_zone;
1342 ldns_rr_list *new_rrs;
1343 size_t i;
1344
1345 signed_zone = ldns_zone_new();
1346 dnssec_zone = ldns_dnssec_zone_new();
1347
1348 (void) ldns_dnssec_zone_add_rr(dnssec_zone, ldns_zone_soa(zone));
1349 ldns_zone_set_soa(signed_zone, ldns_rr_clone(ldns_zone_soa(zone)));
1350
1351 for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(zone)); i++) {
1352 (void) ldns_dnssec_zone_add_rr(dnssec_zone,
1353 ldns_rr_list_rr(ldns_zone_rrs(zone),
1354 i));
1355 ldns_zone_push_rr(signed_zone,
1356 ldns_rr_clone(ldns_rr_list_rr(ldns_zone_rrs(zone),
1357 i)));
1358 }
1359
1360 new_rrs = ldns_rr_list_new();
1361 (void) ldns_dnssec_zone_sign(dnssec_zone,
1362 new_rrs,
1363 key_list,
1364 ldns_dnssec_default_replace_signatures,
1365 NULL);
1366
1367 for (i = 0; i < ldns_rr_list_rr_count(new_rrs); i++) {
1368 ldns_rr_list_push_rr(ldns_zone_rrs(signed_zone),
1369 ldns_rr_clone(ldns_rr_list_rr(new_rrs, i)));
1370 }
1371
1372 ldns_rr_list_deep_free(new_rrs);
1373 ldns_dnssec_zone_free(dnssec_zone);
1374
1375 return signed_zone;
1376 }
1377
1378 ldns_zone *
1379 ldns_zone_sign_nsec3(ldns_zone *zone, ldns_key_list *key_list, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt)
1380 {
1381 ldns_dnssec_zone *dnssec_zone;
1382 ldns_zone *signed_zone;
1383 ldns_rr_list *new_rrs;
1384 size_t i;
1385
1386 signed_zone = ldns_zone_new();
1387 dnssec_zone = ldns_dnssec_zone_new();
1388
1389 (void) ldns_dnssec_zone_add_rr(dnssec_zone, ldns_zone_soa(zone));
1390 ldns_zone_set_soa(signed_zone, ldns_rr_clone(ldns_zone_soa(zone)));
1391
1392 for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(zone)); i++) {
1393 (void) ldns_dnssec_zone_add_rr(dnssec_zone,
1394 ldns_rr_list_rr(ldns_zone_rrs(zone),
1395 i));
1396 ldns_zone_push_rr(signed_zone,
1397 ldns_rr_clone(ldns_rr_list_rr(ldns_zone_rrs(zone),
1398 i)));
1399 }
1400
1401 new_rrs = ldns_rr_list_new();
1402 (void) ldns_dnssec_zone_sign_nsec3(dnssec_zone,
1403 new_rrs,
1404 key_list,
1405 ldns_dnssec_default_replace_signatures,
1406 NULL,
1407 algorithm,
1408 flags,
1409 iterations,
1410 salt_length,
1411 salt);
1412
1413 for (i = 0; i < ldns_rr_list_rr_count(new_rrs); i++) {
1414 ldns_rr_list_push_rr(ldns_zone_rrs(signed_zone),
1415 ldns_rr_clone(ldns_rr_list_rr(new_rrs, i)));
1416 }
1417
1418 ldns_rr_list_deep_free(new_rrs);
1419 ldns_dnssec_zone_free(dnssec_zone);
1420
1421 return signed_zone;
1422 }
1423 #endif /* HAVE_SSL */
1424
1425
DragonFly BSD