4 * contains the cryptographic function needed for DNSSEC in ldns
5 * The crypto library used is openssl
7 * (c) NLnet Labs, 2004-2008
9 * See the file LICENSE for the license
12 #include <ldns/config.h>
14 #include <ldns/ldns.h>
15 #include <ldns/dnssec.h>
21 #include <openssl/ssl.h>
22 #include <openssl/evp.h>
23 #include <openssl/rand.h>
24 #include <openssl/err.h>
25 #include <openssl/md5.h>
29 ldns_dnssec_get_rrsig_for_name_and_type(const ldns_rdf
*name
,
30 const ldns_rr_type type
,
31 const ldns_rr_list
*rrs
)
40 for (i
= 0; i
< ldns_rr_list_rr_count(rrs
); i
++) {
41 candidate
= ldns_rr_list_rr(rrs
, i
);
42 if (ldns_rr_get_type(candidate
) == LDNS_RR_TYPE_RRSIG
) {
43 if (ldns_dname_compare(ldns_rr_owner(candidate
),
45 ldns_rdf2rr_type(ldns_rr_rrsig_typecovered(candidate
))
57 ldns_dnssec_get_dnskey_for_rrsig(const ldns_rr
*rrsig
,
58 const ldns_rr_list
*rrs
)
67 for (i
= 0; i
< ldns_rr_list_rr_count(rrs
); i
++) {
68 candidate
= ldns_rr_list_rr(rrs
, i
);
69 if (ldns_rr_get_type(candidate
) == LDNS_RR_TYPE_DNSKEY
) {
70 if (ldns_dname_compare(ldns_rr_owner(candidate
),
71 ldns_rr_rrsig_signame(rrsig
)) == 0 &&
72 ldns_rdf2native_int16(ldns_rr_rrsig_keytag(rrsig
)) ==
73 ldns_calc_keytag(candidate
)
84 ldns_nsec_get_bitmap(const ldns_rr
*nsec
) {
85 if (ldns_rr_get_type(nsec
) == LDNS_RR_TYPE_NSEC
) {
86 return ldns_rr_rdf(nsec
, 1);
87 } else if (ldns_rr_get_type(nsec
) == LDNS_RR_TYPE_NSEC3
) {
88 return ldns_rr_rdf(nsec
, 5);
94 /*return the owner name of the closest encloser for name from the list of rrs */
95 /* this is NOT the hash, but the original name! */
97 ldns_dnssec_nsec3_closest_encloser(const ldns_rdf
*qname
,
98 ATTR_UNUSED(ldns_rr_type qtype
),
99 const ldns_rr_list
*nsec3s
)
101 /* remember parameters, they must match */
107 ldns_rdf
*sname
, *hashed_sname
, *tmp
;
110 bool exact_match_found
;
118 ldns_rdf
*result
= NULL
;
120 if (!qname
|| !nsec3s
|| ldns_rr_list_rr_count(nsec3s
) < 1) {
124 nsec
= ldns_rr_list_rr(nsec3s
, 0);
125 algorithm
= ldns_nsec3_algorithm(nsec
);
126 salt_length
= ldns_nsec3_salt_length(nsec
);
127 salt
= ldns_nsec3_salt_data(nsec
);
128 iterations
= ldns_nsec3_iterations(nsec
);
130 sname
= ldns_rdf_clone(qname
);
134 zone_name
= ldns_dname_left_chop(ldns_rr_owner(nsec
));
136 /* algorithm from nsec3-07 8.3 */
137 while (ldns_dname_label_count(sname
) > 0) {
138 exact_match_found
= false;
139 in_range_found
= false;
141 hashed_sname
= ldns_nsec3_hash_name(sname
,
147 status
= ldns_dname_cat(hashed_sname
, zone_name
);
148 if(status
!= LDNS_STATUS_OK
) {
150 ldns_rdf_deep_free(zone_name
);
151 ldns_rdf_deep_free(sname
);
155 for (nsec_i
= 0; nsec_i
< ldns_rr_list_rr_count(nsec3s
); nsec_i
++) {
156 nsec
= ldns_rr_list_rr(nsec3s
, nsec_i
);
158 /* check values of iterations etc! */
161 if (ldns_dname_compare(ldns_rr_owner(nsec
), hashed_sname
) == 0) {
162 exact_match_found
= true;
163 } else if (ldns_nsec_covers_name(nsec
, hashed_sname
)) {
164 in_range_found
= true;
168 if (!exact_match_found
&& in_range_found
) {
170 } else if (exact_match_found
&& flag
) {
171 result
= ldns_rdf_clone(sname
);
172 /* RFC 5155: 8.3. 2.** "The proof is complete" */
173 ldns_rdf_deep_free(hashed_sname
);
175 } else if (exact_match_found
&& !flag
) {
177 ldns_rdf_deep_free(hashed_sname
);
183 ldns_rdf_deep_free(hashed_sname
);
185 sname
= ldns_dname_left_chop(sname
);
186 ldns_rdf_deep_free(tmp
);
191 ldns_rdf_deep_free(zone_name
);
192 ldns_rdf_deep_free(sname
);
198 ldns_dnssec_pkt_has_rrsigs(const ldns_pkt
*pkt
)
201 for (i
= 0; i
< ldns_pkt_ancount(pkt
); i
++) {
202 if (ldns_rr_get_type(ldns_rr_list_rr(ldns_pkt_answer(pkt
), i
)) ==
203 LDNS_RR_TYPE_RRSIG
) {
207 for (i
= 0; i
< ldns_pkt_nscount(pkt
); i
++) {
208 if (ldns_rr_get_type(ldns_rr_list_rr(ldns_pkt_authority(pkt
), i
)) ==
209 LDNS_RR_TYPE_RRSIG
) {
217 ldns_dnssec_pkt_get_rrsigs_for_name_and_type(const ldns_pkt
*pkt
,
218 const ldns_rdf
*name
,
223 ldns_rr_list
*sigs_covered
;
226 sigs
= ldns_pkt_rr_list_by_name_and_type(pkt
,
229 LDNS_SECTION_ANY_NOQUESTION
232 t_netorder
= htons(type
); /* rdf are in network order! */
233 rdf_t
= ldns_rdf_new(LDNS_RDF_TYPE_TYPE
, LDNS_RDF_SIZE_WORD
, &t_netorder
);
234 sigs_covered
= ldns_rr_list_subtype_by_rdf(sigs
, rdf_t
, 0);
236 ldns_rdf_free(rdf_t
);
237 ldns_rr_list_deep_free(sigs
);
244 ldns_dnssec_pkt_get_rrsigs_for_type(const ldns_pkt
*pkt
, ldns_rr_type type
)
248 ldns_rr_list
*sigs_covered
;
251 sigs
= ldns_pkt_rr_list_by_type(pkt
,
253 LDNS_SECTION_ANY_NOQUESTION
256 t_netorder
= htons(type
); /* rdf are in network order! */
257 rdf_t
= ldns_rdf_new(LDNS_RDF_TYPE_TYPE
,
260 sigs_covered
= ldns_rr_list_subtype_by_rdf(sigs
, rdf_t
, 0);
262 ldns_rdf_free(rdf_t
);
263 ldns_rr_list_deep_free(sigs
);
269 /* used only on the public key RR */
271 ldns_calc_keytag(const ldns_rr
*key
)
281 if (ldns_rr_get_type(key
) != LDNS_RR_TYPE_DNSKEY
&&
282 ldns_rr_get_type(key
) != LDNS_RR_TYPE_KEY
287 /* rdata to buf - only put the rdata in a buffer */
288 keybuf
= ldns_buffer_new(LDNS_MIN_BUFLEN
); /* grows */
292 (void)ldns_rr_rdata2buffer_wire(keybuf
, key
);
293 /* the current pos in the buffer is the keysize */
294 keysize
= ldns_buffer_position(keybuf
);
296 ac16
= ldns_calc_keytag_raw(ldns_buffer_begin(keybuf
), keysize
);
297 ldns_buffer_free(keybuf
);
301 uint16_t ldns_calc_keytag_raw(const uint8_t* key
, size_t keysize
)
310 /* look at the algorithm field, copied from 2535bis */
311 if (key
[3] == LDNS_RSAMD5
) {
314 memmove(&ac16
, key
+ keysize
- 3, 2);
317 return (uint16_t) ac16
;
320 for (i
= 0; (size_t)i
< keysize
; ++i
) {
321 ac32
+= (i
& 1) ? key
[i
] : key
[i
] << 8;
323 ac32
+= (ac32
>> 16) & 0xFFFF;
324 return (uint16_t) (ac32
& 0xFFFF);
330 ldns_key_buf2dsa(const ldns_buffer
*key
)
332 return ldns_key_buf2dsa_raw((const unsigned char*)ldns_buffer_begin(key
),
333 ldns_buffer_position(key
));
337 ldns_key_buf2dsa_raw(const unsigned char* key
, size_t len
)
343 BIGNUM
*Q
; BIGNUM
*P
;
344 BIGNUM
*G
; BIGNUM
*Y
;
349 length
= (64 + T
* 8);
355 if(len
< (size_t)1 + SHA_DIGEST_LENGTH
+ 3*length
)
358 Q
= BN_bin2bn(key
+offset
, SHA_DIGEST_LENGTH
, NULL
);
359 offset
+= SHA_DIGEST_LENGTH
;
361 P
= BN_bin2bn(key
+offset
, (int)length
, NULL
);
364 G
= BN_bin2bn(key
+offset
, (int)length
, NULL
);
367 Y
= BN_bin2bn(key
+offset
, (int)length
, NULL
);
370 /* create the key and set its properties */
371 if(!Q
|| !P
|| !G
|| !Y
|| !(dsa
= DSA_new())) {
378 #if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
385 #else /* OPENSSL_VERSION_NUMBER */
386 if (!DSA_set0_pqg(dsa
, P
, Q
, G
)) {
387 /* QPG not yet attached, need to free */
396 if (!DSA_set0_key(dsa
, Y
, NULL
)) {
397 /* QPG attached, cleaned up by DSA_fre() */
402 #endif /* OPENSSL_VERSION_NUMBER */
407 ldns_key_buf2rsa(const ldns_buffer
*key
)
409 return ldns_key_buf2rsa_raw((const unsigned char*)ldns_buffer_begin(key
),
410 ldns_buffer_position(key
));
414 ldns_key_buf2rsa_raw(const unsigned char* key
, size_t len
)
428 /* need some smart comment here XXX*/
429 /* the exponent is too large so it's places
431 memmove(&int16
, key
+1, 2);
439 /* key length at least one */
440 if(len
< (size_t)offset
+ exp
+ 1)
445 if(!exponent
) return NULL
;
446 (void) BN_bin2bn(key
+offset
, (int)exp
, exponent
);
455 /* length of the buffer must match the key length! */
456 (void) BN_bin2bn(key
+offset
, (int)(len
- offset
), modulus
);
464 #if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
469 #else /* OPENSSL_VERSION_NUMBER */
470 if (!RSA_set0_key(rsa
, modulus
, exponent
, NULL
)) {
476 #endif /* OPENSSL_VERSION_NUMBER */
482 ldns_digest_evp(const unsigned char* data
, unsigned int len
, unsigned char* dest
,
486 ctx
= EVP_MD_CTX_create();
489 if(!EVP_DigestInit_ex(ctx
, md
, NULL
) ||
490 !EVP_DigestUpdate(ctx
, data
, len
) ||
491 !EVP_DigestFinal_ex(ctx
, dest
, NULL
)) {
492 EVP_MD_CTX_destroy(ctx
);
495 EVP_MD_CTX_destroy(ctx
);
498 #endif /* HAVE_SSL */
501 ldns_key_rr2ds(const ldns_rr
*key
, ldns_hash h
)
508 ldns_buffer
*data_buf
;
510 const EVP_MD
* md
= NULL
;
513 if (ldns_rr_get_type(key
) != LDNS_RR_TYPE_DNSKEY
) {
521 ldns_rr_set_type(ds
, LDNS_RR_TYPE_DS
);
522 ldns_rr_set_owner(ds
, ldns_rdf_clone(
523 ldns_rr_owner(key
)));
524 ldns_rr_set_ttl(ds
, ldns_rr_ttl(key
));
525 ldns_rr_set_class(ds
, ldns_rr_get_class(key
));
530 digest
= LDNS_XMALLOC(uint8_t, LDNS_SHA1_DIGEST_LENGTH
);
537 digest
= LDNS_XMALLOC(uint8_t, LDNS_SHA256_DIGEST_LENGTH
);
545 (void)ldns_key_EVP_load_gost_id();
546 md
= EVP_get_digestbyname("md_gost94");
551 digest
= LDNS_XMALLOC(uint8_t, EVP_MD_size(md
));
558 /* not implemented */
564 digest
= LDNS_XMALLOC(uint8_t, SHA384_DIGEST_LENGTH
);
571 /* not implemented */
577 data_buf
= ldns_buffer_new(LDNS_MAX_PACKETLEN
);
585 keytag
= htons(ldns_calc_keytag((ldns_rr
*)key
));
586 tmp
= ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT16
,
589 ldns_rr_push_rdf(ds
, tmp
);
591 /* copy the algorithm field */
592 if ((tmp
= ldns_rr_rdf(key
, 2)) == NULL
) {
594 ldns_buffer_free(data_buf
);
598 ldns_rr_push_rdf(ds
, ldns_rdf_clone( tmp
));
601 /* digest hash type */
602 sha1hash
= (uint8_t)h
;
603 tmp
= ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT8
,
606 ldns_rr_push_rdf(ds
, tmp
);
610 tmp
= ldns_rdf_clone(ldns_rr_owner(key
));
611 ldns_dname2canonical(tmp
);
612 if (ldns_rdf2buffer_wire(data_buf
, tmp
) != LDNS_STATUS_OK
) {
614 ldns_buffer_free(data_buf
);
616 ldns_rdf_deep_free(tmp
);
619 ldns_rdf_deep_free(tmp
);
621 /* all the rdata's */
622 if (ldns_rr_rdata2buffer_wire(data_buf
,
623 (ldns_rr
*)key
) != LDNS_STATUS_OK
) {
625 ldns_buffer_free(data_buf
);
631 (void) ldns_sha1((unsigned char *) ldns_buffer_begin(data_buf
),
632 (unsigned int) ldns_buffer_position(data_buf
),
633 (unsigned char *) digest
);
635 tmp
= ldns_rdf_new_frm_data(LDNS_RDF_TYPE_HEX
,
636 LDNS_SHA1_DIGEST_LENGTH
,
638 ldns_rr_push_rdf(ds
, tmp
);
642 (void) ldns_sha256((unsigned char *) ldns_buffer_begin(data_buf
),
643 (unsigned int) ldns_buffer_position(data_buf
),
644 (unsigned char *) digest
);
645 tmp
= ldns_rdf_new_frm_data(LDNS_RDF_TYPE_HEX
,
646 LDNS_SHA256_DIGEST_LENGTH
,
648 ldns_rr_push_rdf(ds
, tmp
);
652 if(!ldns_digest_evp((unsigned char *) ldns_buffer_begin(data_buf
),
653 (unsigned int) ldns_buffer_position(data_buf
),
654 (unsigned char *) digest
, md
)) {
656 ldns_buffer_free(data_buf
);
660 tmp
= ldns_rdf_new_frm_data(LDNS_RDF_TYPE_HEX
,
661 (size_t)EVP_MD_size(md
),
663 ldns_rr_push_rdf(ds
, tmp
);
668 (void) SHA384((unsigned char *) ldns_buffer_begin(data_buf
),
669 (unsigned int) ldns_buffer_position(data_buf
),
670 (unsigned char *) digest
);
671 tmp
= ldns_rdf_new_frm_data(LDNS_RDF_TYPE_HEX
,
672 SHA384_DIGEST_LENGTH
,
674 ldns_rr_push_rdf(ds
, tmp
);
680 ldns_buffer_free(data_buf
);
686 * 2.1.2. The List of Type Bit Map(s) Field
688 * The RR type space is split into 256 window blocks, each representing
689 * the low-order 8 bits of the 16-bit RR type space. Each block that
690 * has at least one active RR type is encoded using a single octet
691 * window number (from 0 to 255), a single octet bitmap length (from 1
692 * to 32) indicating the number of octets used for the window block's
693 * bitmap, and up to 32 octets (256 bits) of bitmap.
695 * Window blocks are present in the NSEC RR RDATA in increasing
698 * "|" denotes concatenation
700 * Type Bit Map(s) Field = ( Window Block # | Bitmap Length | Bitmap ) +
704 * Blocks with no types present MUST NOT be included. Trailing zero
705 * octets in the bitmap MUST be omitted. The length of each block's
706 * bitmap is determined by the type code with the largest numerical
707 * value within that block, among the set of RR types present at the
708 * NSEC RR's owner name. Trailing zero octets not specified MUST be
709 * interpreted as zero octets.
712 ldns_dnssec_create_nsec_bitmap(ldns_rr_type rr_type_list
[],
714 ldns_rr_type nsec_type
)
716 uint8_t window
; /* most significant octet of type */
717 uint8_t subtype
; /* least significant octet of type */
718 int windows
[256]; /* Max subtype per window */
719 uint8_t windowpresent
[256]; /* bool if window appears in bitmap */
720 ldns_rr_type
* d
; /* used to traverse rr_type_list*/
721 size_t i
; /* used to traverse windows array */
723 size_t sz
; /* size needed for type bitmap rdf */
724 uint8_t* data
= NULL
; /* rdf data */
725 uint8_t* dptr
; /* used to itraverse rdf data */
726 ldns_rdf
* rdf
; /* bitmap rdf to return */
728 if (nsec_type
!= LDNS_RR_TYPE_NSEC
&&
729 nsec_type
!= LDNS_RR_TYPE_NSEC3
) {
732 memset(windows
, 0, sizeof(int)*256);
733 memset(windowpresent
, 0, 256);
735 /* Which other windows need to be in the bitmap rdf?
737 for (d
= rr_type_list
; d
< rr_type_list
+ size
; d
++) {
740 windowpresent
[window
] = 1;
741 if (windows
[window
] < (int)subtype
) {
742 windows
[window
] = (int)subtype
;
746 /* How much space do we need in the rdf for those windows?
749 for (i
= 0; i
< 256; i
++) {
750 if (windowpresent
[i
]) {
751 sz
+= windows
[i
] / 8 + 3;
755 /* Format rdf data according RFC3845 Section 2.1.2 (see above)
757 dptr
= data
= LDNS_CALLOC(uint8_t, sz
);
761 for (i
= 0; i
< 256; i
++) {
762 if (windowpresent
[i
]) {
763 *dptr
++ = (uint8_t)i
;
764 *dptr
++ = (uint8_t)(windows
[i
] / 8 + 1);
766 /* Now let windows[i] index the bitmap
769 windows
[i
] = (int)(dptr
- data
);
778 for (d
= rr_type_list
; d
< rr_type_list
+ size
; d
++) {
780 data
[windows
[*d
>> 8] + subtype
/8] |= (0x80 >> (subtype
% 8));
783 /* Allocate and return rdf structure for the data
785 rdf
= ldns_rdf_new(LDNS_RDF_TYPE_BITMAP
, sz
, data
);
794 ldns_dnssec_rrsets_contains_type(const ldns_dnssec_rrsets
*rrsets
,
797 const ldns_dnssec_rrsets
*cur_rrset
= rrsets
;
799 if (cur_rrset
->type
== type
) {
802 cur_rrset
= cur_rrset
->next
;
808 ldns_dnssec_create_nsec(const ldns_dnssec_name
*from
,
809 const ldns_dnssec_name
*to
,
810 ldns_rr_type nsec_type
)
813 ldns_rr_type types
[65536];
814 size_t type_count
= 0;
815 ldns_dnssec_rrsets
*cur_rrsets
;
816 int on_delegation_point
;
818 if (!from
|| !to
|| (nsec_type
!= LDNS_RR_TYPE_NSEC
)) {
822 nsec_rr
= ldns_rr_new();
823 ldns_rr_set_type(nsec_rr
, nsec_type
);
824 ldns_rr_set_owner(nsec_rr
, ldns_rdf_clone(ldns_dnssec_name_name(from
)));
825 ldns_rr_push_rdf(nsec_rr
, ldns_rdf_clone(ldns_dnssec_name_name(to
)));
827 on_delegation_point
= ldns_dnssec_rrsets_contains_type(
828 from
->rrsets
, LDNS_RR_TYPE_NS
)
829 && !ldns_dnssec_rrsets_contains_type(
830 from
->rrsets
, LDNS_RR_TYPE_SOA
);
832 cur_rrsets
= from
->rrsets
;
834 /* Do not include non-authoritative rrsets on the delegation point
835 * in the type bitmap */
836 if ((on_delegation_point
&& (
837 cur_rrsets
->type
== LDNS_RR_TYPE_NS
838 || cur_rrsets
->type
== LDNS_RR_TYPE_DS
))
839 || (!on_delegation_point
&&
840 cur_rrsets
->type
!= LDNS_RR_TYPE_RRSIG
841 && cur_rrsets
->type
!= LDNS_RR_TYPE_NSEC
)) {
843 types
[type_count
] = cur_rrsets
->type
;
846 cur_rrsets
= cur_rrsets
->next
;
849 types
[type_count
] = LDNS_RR_TYPE_RRSIG
;
851 types
[type_count
] = LDNS_RR_TYPE_NSEC
;
854 ldns_rr_push_rdf(nsec_rr
, ldns_dnssec_create_nsec_bitmap(types
,
862 ldns_dnssec_create_nsec3(const ldns_dnssec_name
*from
,
863 const ldns_dnssec_name
*to
,
864 const ldns_rdf
*zone_name
,
872 ldns_rr_type types
[65536];
873 size_t type_count
= 0;
874 ldns_dnssec_rrsets
*cur_rrsets
;
876 int on_delegation_point
;
882 nsec_rr
= ldns_rr_new_frm_type(LDNS_RR_TYPE_NSEC3
);
883 ldns_rr_set_owner(nsec_rr
,
884 ldns_nsec3_hash_name(ldns_dnssec_name_name(from
),
889 status
= ldns_dname_cat(ldns_rr_owner(nsec_rr
), zone_name
);
890 if(status
!= LDNS_STATUS_OK
) {
891 ldns_rr_free(nsec_rr
);
894 ldns_nsec3_add_param_rdfs(nsec_rr
,
901 on_delegation_point
= ldns_dnssec_rrsets_contains_type(
902 from
->rrsets
, LDNS_RR_TYPE_NS
)
903 && !ldns_dnssec_rrsets_contains_type(
904 from
->rrsets
, LDNS_RR_TYPE_SOA
);
905 cur_rrsets
= from
->rrsets
;
907 /* Do not include non-authoritative rrsets on the delegation point
908 * in the type bitmap. Potentionally not skipping insecure
909 * delegation should have been done earlier, in function
910 * ldns_dnssec_zone_create_nsec3s, or even earlier in:
911 * ldns_dnssec_zone_sign_nsec3_flg .
913 if ((on_delegation_point
&& (
914 cur_rrsets
->type
== LDNS_RR_TYPE_NS
915 || cur_rrsets
->type
== LDNS_RR_TYPE_DS
))
916 || (!on_delegation_point
&&
917 cur_rrsets
->type
!= LDNS_RR_TYPE_RRSIG
)) {
919 types
[type_count
] = cur_rrsets
->type
;
922 cur_rrsets
= cur_rrsets
->next
;
924 /* always add rrsig type if this is not an unsigned
927 if (type_count
> 0 &&
928 !(type_count
== 1 && types
[0] == LDNS_RR_TYPE_NS
)) {
929 types
[type_count
] = LDNS_RR_TYPE_RRSIG
;
933 /* leave next rdata empty if they weren't precomputed yet */
934 if (to
&& to
->hashed_name
) {
935 (void) ldns_rr_set_rdf(nsec_rr
,
936 ldns_rdf_clone(to
->hashed_name
),
939 (void) ldns_rr_set_rdf(nsec_rr
, NULL
, 4);
942 ldns_rr_push_rdf(nsec_rr
,
943 ldns_dnssec_create_nsec_bitmap(types
,
945 LDNS_RR_TYPE_NSEC3
));
951 ldns_create_nsec(ldns_rdf
*cur_owner
, ldns_rdf
*next_owner
, ldns_rr_list
*rrs
)
953 /* we do not do any check here - garbage in, garbage out */
955 /* the the start and end names - get the type from the
958 /* inefficient, just give it a name, a next name, and a list of rrs */
959 /* we make 1 big uberbitmap first, then windows */
960 /* todo: make something more efficient :) */
965 ldns_rr
*nsec
= NULL
;
966 ldns_rr_type i_type_list
[65536];
967 size_t type_count
= 0;
969 nsec
= ldns_rr_new();
970 ldns_rr_set_type(nsec
, LDNS_RR_TYPE_NSEC
);
971 ldns_rr_set_owner(nsec
, ldns_rdf_clone(cur_owner
));
972 ldns_rr_push_rdf(nsec
, ldns_rdf_clone(next_owner
));
974 for (i
= 0; i
< ldns_rr_list_rr_count(rrs
); i
++) {
975 i_rr
= ldns_rr_list_rr(rrs
, i
);
976 if (ldns_rdf_compare(cur_owner
,
977 ldns_rr_owner(i_rr
)) == 0) {
978 i_type
= ldns_rr_get_type(i_rr
);
979 if (i_type
!= LDNS_RR_TYPE_RRSIG
&& i_type
!= LDNS_RR_TYPE_NSEC
) {
980 if (type_count
== 0 || i_type_list
[type_count
-1] != i_type
) {
981 i_type_list
[type_count
] = i_type
;
988 i_type_list
[type_count
] = LDNS_RR_TYPE_RRSIG
;
990 i_type_list
[type_count
] = LDNS_RR_TYPE_NSEC
;
993 ldns_rr_push_rdf(nsec
,
994 ldns_dnssec_create_nsec_bitmap(i_type_list
,
995 type_count
, LDNS_RR_TYPE_NSEC
));
1001 ldns_nsec3_hash_name(const ldns_rdf
*name
,
1003 uint16_t iterations
,
1004 uint8_t salt_length
,
1005 const uint8_t *salt
)
1007 size_t hashed_owner_str_len
;
1009 ldns_rdf
*hashed_owner
;
1010 unsigned char *hashed_owner_str
;
1011 char *hashed_owner_b32
;
1012 size_t hashed_owner_b32_len
;
1014 /* define to contain the largest possible hash, which is
1015 * sha1 at the moment */
1016 unsigned char hash
[LDNS_SHA1_DIGEST_LENGTH
];
1019 /* TODO: mnemonic list for hash algs SHA-1, default to 1 now (sha1) */
1020 if (algorithm
!= LDNS_SHA1
) {
1024 /* prepare the owner name according to the draft section bla */
1025 cann
= ldns_rdf_clone(name
);
1028 fprintf(stderr
, "Memory error\n");
1032 ldns_dname2canonical(cann
);
1034 hashed_owner_str_len
= salt_length
+ ldns_rdf_size(cann
);
1035 hashed_owner_str
= LDNS_XMALLOC(unsigned char, hashed_owner_str_len
);
1036 if(!hashed_owner_str
) {
1037 ldns_rdf_deep_free(cann
);
1040 memcpy(hashed_owner_str
, ldns_rdf_data(cann
), ldns_rdf_size(cann
));
1041 memcpy(hashed_owner_str
+ ldns_rdf_size(cann
), salt
, salt_length
);
1042 ldns_rdf_deep_free(cann
);
1044 for (cur_it
= iterations
+ 1; cur_it
> 0; cur_it
--) {
1045 (void) ldns_sha1((unsigned char *) hashed_owner_str
,
1046 (unsigned int) hashed_owner_str_len
, hash
);
1048 LDNS_FREE(hashed_owner_str
);
1049 hashed_owner_str_len
= salt_length
+ LDNS_SHA1_DIGEST_LENGTH
;
1050 hashed_owner_str
= LDNS_XMALLOC(unsigned char, hashed_owner_str_len
);
1051 if (!hashed_owner_str
) {
1054 memcpy(hashed_owner_str
, hash
, LDNS_SHA1_DIGEST_LENGTH
);
1055 memcpy(hashed_owner_str
+ LDNS_SHA1_DIGEST_LENGTH
, salt
, salt_length
);
1056 hashed_owner_str_len
= LDNS_SHA1_DIGEST_LENGTH
+ salt_length
;
1059 LDNS_FREE(hashed_owner_str
);
1060 hashed_owner_str
= hash
;
1061 hashed_owner_str_len
= LDNS_SHA1_DIGEST_LENGTH
;
1063 hashed_owner_b32
= LDNS_XMALLOC(char,
1064 ldns_b32_ntop_calculate_size(hashed_owner_str_len
) + 1);
1065 if(!hashed_owner_b32
) {
1068 hashed_owner_b32_len
= (size_t) ldns_b32_ntop_extended_hex(
1069 (uint8_t *) hashed_owner_str
,
1070 hashed_owner_str_len
,
1072 ldns_b32_ntop_calculate_size(hashed_owner_str_len
)+1);
1073 if (hashed_owner_b32_len
< 1) {
1075 fprintf(stderr
, "Error in base32 extended hex encoding ");
1076 fprintf(stderr
, "of hashed owner name (name: ");
1077 ldns_rdf_print(stderr
, name
);
1078 fprintf(stderr
, ", return code: %u)\n",
1079 (unsigned int) hashed_owner_b32_len
);
1081 LDNS_FREE(hashed_owner_b32
);
1084 hashed_owner_b32
[hashed_owner_b32_len
] = '\0';
1086 status
= ldns_str2rdf_dname(&hashed_owner
, hashed_owner_b32
);
1087 if (status
!= LDNS_STATUS_OK
) {
1089 fprintf(stderr
, "Error creating rdf from %s\n", hashed_owner_b32
);
1091 LDNS_FREE(hashed_owner_b32
);
1095 LDNS_FREE(hashed_owner_b32
);
1096 return hashed_owner
;
1100 ldns_nsec3_add_param_rdfs(ldns_rr
*rr
,
1103 uint16_t iterations
,
1104 uint8_t salt_length
,
1105 const uint8_t *salt
)
1107 ldns_rdf
*salt_rdf
= NULL
;
1108 uint8_t *salt_data
= NULL
;
1111 old
= ldns_rr_set_rdf(rr
,
1112 ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT8
,
1113 1, (void*)&algorithm
),
1115 if (old
) ldns_rdf_deep_free(old
);
1117 old
= ldns_rr_set_rdf(rr
,
1118 ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT8
,
1121 if (old
) ldns_rdf_deep_free(old
);
1123 old
= ldns_rr_set_rdf(rr
,
1124 ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16
,
1127 if (old
) ldns_rdf_deep_free(old
);
1129 salt_data
= LDNS_XMALLOC(uint8_t, salt_length
+ 1);
1131 /* no way to return error */
1134 salt_data
[0] = salt_length
;
1135 memcpy(salt_data
+ 1, salt
, salt_length
);
1136 salt_rdf
= ldns_rdf_new_frm_data(LDNS_RDF_TYPE_NSEC3_SALT
,
1140 LDNS_FREE(salt_data
);
1141 /* no way to return error */
1145 old
= ldns_rr_set_rdf(rr
, salt_rdf
, 3);
1146 if (old
) ldns_rdf_deep_free(old
);
1147 LDNS_FREE(salt_data
);
1151 rr_list_delegation_only(const ldns_rdf
*origin
, const ldns_rr_list
*rr_list
)
1155 if (!origin
|| !rr_list
) return 0;
1156 for (i
= 0; i
< ldns_rr_list_rr_count(rr_list
); i
++) {
1157 cur_rr
= ldns_rr_list_rr(rr_list
, i
);
1158 if (ldns_dname_compare(ldns_rr_owner(cur_rr
), origin
) == 0) {
1161 if (ldns_rr_get_type(cur_rr
) != LDNS_RR_TYPE_NS
) {
1168 /* this will NOT return the NSEC3 completed, you will have to run the
1169 finalize function on the rrlist later! */
1171 ldns_create_nsec3(const ldns_rdf
*cur_owner
,
1172 const ldns_rdf
*cur_zone
,
1173 const ldns_rr_list
*rrs
,
1176 uint16_t iterations
,
1177 uint8_t salt_length
,
1178 const uint8_t *salt
,
1179 bool emptynonterminal
)
1185 ldns_rr
*nsec
= NULL
;
1186 ldns_rdf
*hashed_owner
= NULL
;
1190 ldns_rr_type i_type_list
[1024];
1191 size_t type_count
= 0;
1193 hashed_owner
= ldns_nsec3_hash_name(cur_owner
,
1198 status
= ldns_dname_cat(hashed_owner
, cur_zone
);
1199 if(status
!= LDNS_STATUS_OK
) {
1200 ldns_rdf_deep_free(hashed_owner
);
1203 nsec
= ldns_rr_new_frm_type(LDNS_RR_TYPE_NSEC3
);
1205 ldns_rdf_deep_free(hashed_owner
);
1208 ldns_rr_set_type(nsec
, LDNS_RR_TYPE_NSEC3
);
1209 ldns_rr_set_owner(nsec
, hashed_owner
);
1211 ldns_nsec3_add_param_rdfs(nsec
,
1217 (void) ldns_rr_set_rdf(nsec
, NULL
, 4);
1220 for (i
= 0; i
< ldns_rr_list_rr_count(rrs
); i
++) {
1221 i_rr
= ldns_rr_list_rr(rrs
, i
);
1222 if (ldns_rdf_compare(cur_owner
,
1223 ldns_rr_owner(i_rr
)) == 0) {
1224 i_type
= ldns_rr_get_type(i_rr
);
1225 if (type_count
== 0 || i_type_list
[type_count
-1] != i_type
) {
1226 i_type_list
[type_count
] = i_type
;
1232 /* add RRSIG anyway, but only if this is not an ENT or
1233 * an unsigned delegation */
1234 if (!emptynonterminal
&& !rr_list_delegation_only(cur_zone
, rrs
)) {
1235 i_type_list
[type_count
] = LDNS_RR_TYPE_RRSIG
;
1239 /* and SOA if owner == zone */
1240 if (ldns_dname_compare(cur_zone
, cur_owner
) == 0) {
1241 i_type_list
[type_count
] = LDNS_RR_TYPE_SOA
;
1245 ldns_rr_push_rdf(nsec
,
1246 ldns_dnssec_create_nsec_bitmap(i_type_list
,
1247 type_count
, LDNS_RR_TYPE_NSEC3
));
1253 ldns_nsec3_algorithm(const ldns_rr
*nsec3_rr
)
1256 (ldns_rr_get_type(nsec3_rr
) == LDNS_RR_TYPE_NSEC3
||
1257 ldns_rr_get_type(nsec3_rr
) == LDNS_RR_TYPE_NSEC3PARAM
)
1258 && (ldns_rr_rdf(nsec3_rr
, 0) != NULL
)
1259 && ldns_rdf_size(ldns_rr_rdf(nsec3_rr
, 0)) > 0) {
1260 return ldns_rdf2native_int8(ldns_rr_rdf(nsec3_rr
, 0));
1266 ldns_nsec3_flags(const ldns_rr
*nsec3_rr
)
1269 (ldns_rr_get_type(nsec3_rr
) == LDNS_RR_TYPE_NSEC3
||
1270 ldns_rr_get_type(nsec3_rr
) == LDNS_RR_TYPE_NSEC3PARAM
)
1271 && (ldns_rr_rdf(nsec3_rr
, 1) != NULL
)
1272 && ldns_rdf_size(ldns_rr_rdf(nsec3_rr
, 1)) > 0) {
1273 return ldns_rdf2native_int8(ldns_rr_rdf(nsec3_rr
, 1));
1279 ldns_nsec3_optout(const ldns_rr
*nsec3_rr
)
1281 return (ldns_nsec3_flags(nsec3_rr
) & LDNS_NSEC3_VARS_OPTOUT_MASK
);
1285 ldns_nsec3_iterations(const ldns_rr
*nsec3_rr
)
1288 (ldns_rr_get_type(nsec3_rr
) == LDNS_RR_TYPE_NSEC3
||
1289 ldns_rr_get_type(nsec3_rr
) == LDNS_RR_TYPE_NSEC3PARAM
)
1290 && (ldns_rr_rdf(nsec3_rr
, 2) != NULL
)
1291 && ldns_rdf_size(ldns_rr_rdf(nsec3_rr
, 2)) > 0) {
1292 return ldns_rdf2native_int16(ldns_rr_rdf(nsec3_rr
, 2));
1299 ldns_nsec3_salt(const ldns_rr
*nsec3_rr
)
1302 (ldns_rr_get_type(nsec3_rr
) == LDNS_RR_TYPE_NSEC3
||
1303 ldns_rr_get_type(nsec3_rr
) == LDNS_RR_TYPE_NSEC3PARAM
)
1305 return ldns_rr_rdf(nsec3_rr
, 3);
1311 ldns_nsec3_salt_length(const ldns_rr
*nsec3_rr
)
1313 ldns_rdf
*salt_rdf
= ldns_nsec3_salt(nsec3_rr
);
1314 if (salt_rdf
&& ldns_rdf_size(salt_rdf
) > 0) {
1315 return (uint8_t) ldns_rdf_data(salt_rdf
)[0];
1320 /* allocs data, free with LDNS_FREE() */
1322 ldns_nsec3_salt_data(const ldns_rr
*nsec3_rr
)
1324 uint8_t salt_length
;
1327 ldns_rdf
*salt_rdf
= ldns_nsec3_salt(nsec3_rr
);
1328 if (salt_rdf
&& ldns_rdf_size(salt_rdf
) > 0) {
1329 salt_length
= ldns_rdf_data(salt_rdf
)[0];
1330 salt
= LDNS_XMALLOC(uint8_t, salt_length
);
1331 if(!salt
) return NULL
;
1332 memcpy(salt
, &ldns_rdf_data(salt_rdf
)[1], salt_length
);
1339 ldns_nsec3_next_owner(const ldns_rr
*nsec3_rr
)
1341 if (!nsec3_rr
|| ldns_rr_get_type(nsec3_rr
) != LDNS_RR_TYPE_NSEC3
) {
1344 return ldns_rr_rdf(nsec3_rr
, 4);
1349 ldns_nsec3_bitmap(const ldns_rr
*nsec3_rr
)
1351 if (!nsec3_rr
|| ldns_rr_get_type(nsec3_rr
) != LDNS_RR_TYPE_NSEC3
) {
1354 return ldns_rr_rdf(nsec3_rr
, 5);
1359 ldns_nsec3_hash_name_frm_nsec3(const ldns_rr
*nsec
, const ldns_rdf
*name
)
1362 uint16_t iterations
;
1363 uint8_t salt_length
;
1366 ldns_rdf
*hashed_owner
;
1368 algorithm
= ldns_nsec3_algorithm(nsec
);
1369 salt_length
= ldns_nsec3_salt_length(nsec
);
1370 salt
= ldns_nsec3_salt_data(nsec
);
1371 iterations
= ldns_nsec3_iterations(nsec
);
1373 hashed_owner
= ldns_nsec3_hash_name(name
,
1380 return hashed_owner
;
1384 ldns_nsec_bitmap_covers_type(const ldns_rdf
* bitmap
, ldns_rr_type type
)
1389 /* From RFC3845 Section 2.1.2:
1391 * "The RR type space is split into 256 window blocks, each re-
1392 * presenting the low-order 8 bits of the 16-bit RR type space."
1394 uint8_t window
= type
>> 8;
1395 uint8_t subtype
= type
& 0xff;
1400 assert(ldns_rdf_get_type(bitmap
) == LDNS_RDF_TYPE_BITMAP
);
1402 dptr
= ldns_rdf_data(bitmap
);
1403 dend
= ldns_rdf_data(bitmap
) + ldns_rdf_size(bitmap
);
1405 /* Type Bitmap = ( Window Block # | Bitmap Length | Bitmap ) +
1406 * dptr[0] dptr[1] dptr[2:]
1408 while (dptr
< dend
&& dptr
[0] <= window
) {
1410 if (dptr
[0] == window
&& subtype
/ 8 < dptr
[1] &&
1411 dptr
+ dptr
[1] + 2 <= dend
) {
1413 return dptr
[2 + subtype
/ 8] & (0x80 >> (subtype
% 8));
1415 dptr
+= dptr
[1] + 2; /* next window */
1421 ldns_nsec_bitmap_set_type(ldns_rdf
* bitmap
, ldns_rr_type type
)
1426 /* From RFC3845 Section 2.1.2:
1428 * "The RR type space is split into 256 window blocks, each re-
1429 * presenting the low-order 8 bits of the 16-bit RR type space."
1431 uint8_t window
= type
>> 8;
1432 uint8_t subtype
= type
& 0xff;
1437 assert(ldns_rdf_get_type(bitmap
) == LDNS_RDF_TYPE_BITMAP
);
1439 dptr
= ldns_rdf_data(bitmap
);
1440 dend
= ldns_rdf_data(bitmap
) + ldns_rdf_size(bitmap
);
1442 /* Type Bitmap = ( Window Block # | Bitmap Length | Bitmap ) +
1443 * dptr[0] dptr[1] dptr[2:]
1445 while (dptr
< dend
&& dptr
[0] <= window
) {
1447 if (dptr
[0] == window
&& subtype
/ 8 < dptr
[1] &&
1448 dptr
+ dptr
[1] + 2 <= dend
) {
1450 dptr
[2 + subtype
/ 8] |= (0x80 >> (subtype
% 8));
1451 return LDNS_STATUS_OK
;
1453 dptr
+= dptr
[1] + 2; /* next window */
1455 return LDNS_STATUS_TYPE_NOT_IN_BITMAP
;
1459 ldns_nsec_bitmap_clear_type(ldns_rdf
* bitmap
, ldns_rr_type type
)
1464 /* From RFC3845 Section 2.1.2:
1466 * "The RR type space is split into 256 window blocks, each re-
1467 * presenting the low-order 8 bits of the 16-bit RR type space."
1469 uint8_t window
= type
>> 8;
1470 uint8_t subtype
= type
& 0xff;
1476 assert(ldns_rdf_get_type(bitmap
) == LDNS_RDF_TYPE_BITMAP
);
1478 dptr
= ldns_rdf_data(bitmap
);
1479 dend
= ldns_rdf_data(bitmap
) + ldns_rdf_size(bitmap
);
1481 /* Type Bitmap = ( Window Block # | Bitmap Length | Bitmap ) +
1482 * dptr[0] dptr[1] dptr[2:]
1484 while (dptr
< dend
&& dptr
[0] <= window
) {
1486 if (dptr
[0] == window
&& subtype
/ 8 < dptr
[1] &&
1487 dptr
+ dptr
[1] + 2 <= dend
) {
1489 dptr
[2 + subtype
/ 8] &= ~(0x80 >> (subtype
% 8));
1490 return LDNS_STATUS_OK
;
1492 dptr
+= dptr
[1] + 2; /* next window */
1494 return LDNS_STATUS_TYPE_NOT_IN_BITMAP
;
1499 ldns_nsec_covers_name(const ldns_rr
*nsec
, const ldns_rdf
*name
)
1501 ldns_rdf
*nsec_owner
= ldns_rr_owner(nsec
);
1502 ldns_rdf
*hash_next
;
1503 char *next_hash_str
;
1504 ldns_rdf
*nsec_next
= NULL
;
1506 ldns_rdf
*chopped_dname
;
1509 if (ldns_rr_get_type(nsec
) == LDNS_RR_TYPE_NSEC
) {
1510 if (ldns_rr_rdf(nsec
, 0) != NULL
) {
1511 nsec_next
= ldns_rdf_clone(ldns_rr_rdf(nsec
, 0));
1515 } else if (ldns_rr_get_type(nsec
) == LDNS_RR_TYPE_NSEC3
) {
1516 hash_next
= ldns_nsec3_next_owner(nsec
);
1517 next_hash_str
= ldns_rdf2str(hash_next
);
1518 nsec_next
= ldns_dname_new_frm_str(next_hash_str
);
1519 LDNS_FREE(next_hash_str
);
1520 chopped_dname
= ldns_dname_left_chop(nsec_owner
);
1521 status
= ldns_dname_cat(nsec_next
, chopped_dname
);
1522 ldns_rdf_deep_free(chopped_dname
);
1523 if (status
!= LDNS_STATUS_OK
) {
1524 printf("error catting: %s\n", ldns_get_errorstr_by_id(status
));
1527 ldns_rdf_deep_free(nsec_next
);
1531 /* in the case of the last nsec */
1532 if(ldns_dname_compare(nsec_owner
, nsec_next
) > 0) {
1533 result
= (ldns_dname_compare(nsec_owner
, name
) <= 0 ||
1534 ldns_dname_compare(name
, nsec_next
) < 0);
1535 } else if(ldns_dname_compare(nsec_owner
, nsec_next
) < 0) {
1536 result
= (ldns_dname_compare(nsec_owner
, name
) <= 0 &&
1537 ldns_dname_compare(name
, nsec_next
) < 0);
1542 ldns_rdf_deep_free(nsec_next
);
1547 /* sig may be null - if so look in the packet */
1550 ldns_pkt_verify_time(const ldns_pkt
*p
, ldns_rr_type t
, const ldns_rdf
*o
,
1551 const ldns_rr_list
*k
, const ldns_rr_list
*s
,
1552 time_t check_time
, ldns_rr_list
*good_keys
)
1554 ldns_rr_list
*rrset
;
1556 ldns_rr_list
*sigs_covered
;
1558 ldns_rr_type t_netorder
;
1561 return LDNS_STATUS_ERR
;
1562 /* return LDNS_STATUS_CRYPTO_NO_DNSKEY; */
1565 if (t
== LDNS_RR_TYPE_RRSIG
) {
1566 /* we don't have RRSIG(RRSIG) (yet? ;-) ) */
1567 return LDNS_STATUS_ERR
;
1571 /* if s is not NULL, the sigs are given to use */
1572 sigs
= (ldns_rr_list
*)s
;
1574 /* otherwise get them from the packet */
1575 sigs
= ldns_pkt_rr_list_by_name_and_type(p
, o
,
1577 LDNS_SECTION_ANY_NOQUESTION
);
1580 return LDNS_STATUS_ERR
;
1581 /* return LDNS_STATUS_CRYPTO_NO_RRSIG; */
1585 /* rrsig are subtyped, so now we need to find the correct
1586 * sigs for the type t
1588 t_netorder
= htons(t
); /* rdf are in network order! */
1589 /* a type identifier is a 16-bit number, so the size is 2 bytes */
1590 rdf_t
= ldns_rdf_new(LDNS_RDF_TYPE_TYPE
, 2, &t_netorder
);
1592 sigs_covered
= ldns_rr_list_subtype_by_rdf(sigs
, rdf_t
, 0);
1593 ldns_rdf_free(rdf_t
);
1594 if (! sigs_covered
) {
1596 ldns_rr_list_deep_free(sigs
);
1598 return LDNS_STATUS_ERR
;
1600 ldns_rr_list_deep_free(sigs_covered
);
1602 rrset
= ldns_pkt_rr_list_by_name_and_type(p
, o
, t
,
1603 LDNS_SECTION_ANY_NOQUESTION
);
1606 ldns_rr_list_deep_free(sigs
);
1608 return LDNS_STATUS_ERR
;
1610 return ldns_verify_time(rrset
, sigs
, k
, check_time
, good_keys
);
1614 ldns_pkt_verify(const ldns_pkt
*p
, ldns_rr_type t
, const ldns_rdf
*o
,
1615 const ldns_rr_list
*k
, const ldns_rr_list
*s
, ldns_rr_list
*good_keys
)
1617 return ldns_pkt_verify_time(p
, t
, o
, k
, s
, ldns_time(NULL
), good_keys
);
1619 #endif /* HAVE_SSL */
1622 ldns_dnssec_chain_nsec3_list(ldns_rr_list
*nsec3_rrs
)
1625 char *next_nsec_owner_str
;
1626 ldns_rdf
*next_nsec_owner_label
;
1627 ldns_rdf
*next_nsec_rdf
;
1628 ldns_status status
= LDNS_STATUS_OK
;
1630 for (i
= 0; i
< ldns_rr_list_rr_count(nsec3_rrs
); i
++) {
1631 if (i
== ldns_rr_list_rr_count(nsec3_rrs
) - 1) {
1632 next_nsec_owner_label
=
1633 ldns_dname_label(ldns_rr_owner(ldns_rr_list_rr(nsec3_rrs
,
1635 next_nsec_owner_str
= ldns_rdf2str(next_nsec_owner_label
);
1636 if (next_nsec_owner_str
[strlen(next_nsec_owner_str
) - 1]
1638 next_nsec_owner_str
[strlen(next_nsec_owner_str
) - 1]
1641 status
= ldns_str2rdf_b32_ext(&next_nsec_rdf
,
1642 next_nsec_owner_str
);
1643 if (!ldns_rr_set_rdf(ldns_rr_list_rr(nsec3_rrs
, i
),
1644 next_nsec_rdf
, 4)) {
1648 ldns_rdf_deep_free(next_nsec_owner_label
);
1649 LDNS_FREE(next_nsec_owner_str
);
1651 next_nsec_owner_label
=
1652 ldns_dname_label(ldns_rr_owner(ldns_rr_list_rr(nsec3_rrs
,
1655 next_nsec_owner_str
= ldns_rdf2str(next_nsec_owner_label
);
1656 if (next_nsec_owner_str
[strlen(next_nsec_owner_str
) - 1]
1658 next_nsec_owner_str
[strlen(next_nsec_owner_str
) - 1]
1661 status
= ldns_str2rdf_b32_ext(&next_nsec_rdf
,
1662 next_nsec_owner_str
);
1663 ldns_rdf_deep_free(next_nsec_owner_label
);
1664 LDNS_FREE(next_nsec_owner_str
);
1665 if (!ldns_rr_set_rdf(ldns_rr_list_rr(nsec3_rrs
, i
),
1666 next_nsec_rdf
, 4)) {
1675 qsort_rr_compare_nsec3(const void *a
, const void *b
)
1677 const ldns_rr
*rr1
= * (const ldns_rr
**) a
;
1678 const ldns_rr
*rr2
= * (const ldns_rr
**) b
;
1679 if (rr1
== NULL
&& rr2
== NULL
) {
1688 return ldns_rdf_compare(ldns_rr_owner(rr1
), ldns_rr_owner(rr2
));
1692 ldns_rr_list_sort_nsec3(ldns_rr_list
*unsorted
)
1694 qsort(unsorted
->_rrs
,
1695 ldns_rr_list_rr_count(unsorted
),
1697 qsort_rr_compare_nsec3
);
1701 ldns_dnssec_default_add_to_signatures( ATTR_UNUSED(ldns_rr
*sig
)
1702 , ATTR_UNUSED(void *n
)
1705 return LDNS_SIGNATURE_LEAVE_ADD_NEW
;
1709 ldns_dnssec_default_leave_signatures( ATTR_UNUSED(ldns_rr
*sig
)
1710 , ATTR_UNUSED(void *n
)
1713 return LDNS_SIGNATURE_LEAVE_NO_ADD
;
1717 ldns_dnssec_default_delete_signatures( ATTR_UNUSED(ldns_rr
*sig
)
1718 , ATTR_UNUSED(void *n
)
1721 return LDNS_SIGNATURE_REMOVE_NO_ADD
;
1725 ldns_dnssec_default_replace_signatures( ATTR_UNUSED(ldns_rr
*sig
)
1726 , ATTR_UNUSED(void *n
)
1729 return LDNS_SIGNATURE_REMOVE_ADD_NEW
;
1734 ldns_convert_dsa_rrsig_asn12rdf(const ldns_buffer
*sig
,
1738 ldns_rdf
*sigdata_rdf
;
1740 const BIGNUM
*R
, *S
;
1741 unsigned char *dsasig_data
= (unsigned char*)ldns_buffer_begin(sig
);
1744 dsasig
= d2i_DSA_SIG(NULL
,
1745 (const unsigned char **)&dsasig_data
,
1748 DSA_SIG_free(dsasig
);
1752 dsasig_data
= LDNS_XMALLOC(unsigned char, 41);
1754 DSA_SIG_free(dsasig
);
1758 # ifdef HAVE_DSA_SIG_GET0
1759 DSA_SIG_get0(dsasig
, &R
, &S
);
1764 byte_offset
= (size_t) (20 - BN_num_bytes(R
));
1765 if (byte_offset
> 20) {
1766 DSA_SIG_free(dsasig
);
1767 LDNS_FREE(dsasig_data
);
1770 memset(&dsasig_data
[1], 0, byte_offset
);
1771 BN_bn2bin(R
, &dsasig_data
[1 + byte_offset
]);
1772 byte_offset
= (size_t) (20 - BN_num_bytes(S
));
1773 if (byte_offset
> 20) {
1774 DSA_SIG_free(dsasig
);
1775 LDNS_FREE(dsasig_data
);
1778 memset(&dsasig_data
[21], 0, byte_offset
);
1779 BN_bn2bin(S
, &dsasig_data
[21 + byte_offset
]);
1781 sigdata_rdf
= ldns_rdf_new(LDNS_RDF_TYPE_B64
, 41, dsasig_data
);
1783 LDNS_FREE(dsasig_data
);
1785 DSA_SIG_free(dsasig
);
1789 (void)sig
; (void)sig_len
;
1795 ldns_convert_dsa_rrsig_rdf2asn1(ldns_buffer
*target_buffer
,
1796 const ldns_rdf
*sig_rdf
)
1799 /* the EVP api wants the DER encoding of the signature... */
1802 unsigned char *raw_sig
= NULL
;
1805 if(ldns_rdf_size(sig_rdf
) < 1 + 2*SHA_DIGEST_LENGTH
)
1806 return LDNS_STATUS_SYNTAX_RDATA_ERR
;
1807 /* extract the R and S field from the sig buffer */
1809 if(!R
) return LDNS_STATUS_MEM_ERR
;
1810 (void) BN_bin2bn((unsigned char *) ldns_rdf_data(sig_rdf
) + 1,
1811 SHA_DIGEST_LENGTH
, R
);
1815 return LDNS_STATUS_MEM_ERR
;
1817 (void) BN_bin2bn((unsigned char *) ldns_rdf_data(sig_rdf
) + 21,
1818 SHA_DIGEST_LENGTH
, S
);
1820 dsasig
= DSA_SIG_new();
1824 return LDNS_STATUS_MEM_ERR
;
1826 # ifdef HAVE_DSA_SIG_SET0
1827 if (! DSA_SIG_set0(dsasig
, R
, S
))
1828 return LDNS_STATUS_SSL_ERR
;
1834 raw_sig_len
= i2d_DSA_SIG(dsasig
, &raw_sig
);
1835 if (raw_sig_len
< 0) {
1836 DSA_SIG_free(dsasig
);
1838 return LDNS_STATUS_SSL_ERR
;
1840 if (ldns_buffer_reserve(target_buffer
, (size_t) raw_sig_len
)) {
1841 ldns_buffer_write(target_buffer
, raw_sig
, (size_t)raw_sig_len
);
1844 DSA_SIG_free(dsasig
);
1847 return ldns_buffer_status(target_buffer
);
1849 (void)target_buffer
; (void)sig_rdf
;
1850 return LDNS_STATUS_CRYPTO_ALGO_NOT_IMPL
;
1857 ldns_convert_ecdsa_rrsig_asn1len2rdf(const ldns_buffer
*sig
,
1858 const long sig_len
, int num_bytes
)
1860 ECDSA_SIG
* ecdsa_sig
;
1861 const BIGNUM
*r
, *s
;
1862 unsigned char *data
= (unsigned char*)ldns_buffer_begin(sig
);
1864 ecdsa_sig
= d2i_ECDSA_SIG(NULL
, (const unsigned char **)&data
, sig_len
);
1865 if(!ecdsa_sig
) return NULL
;
1867 #ifdef HAVE_ECDSA_SIG_GET0
1868 ECDSA_SIG_get0(ecdsa_sig
, &r
, &s
);
1874 if(BN_num_bytes(r
) > num_bytes
||
1875 BN_num_bytes(s
) > num_bytes
) {
1876 ECDSA_SIG_free(ecdsa_sig
);
1877 return NULL
; /* numbers too big for passed curve size */
1879 data
= LDNS_XMALLOC(unsigned char, num_bytes
*2);
1881 ECDSA_SIG_free(ecdsa_sig
);
1884 /* write the bignums (in big-endian) a little offset if the BN code
1885 * wants to write a shorter number of bytes, with zeroes prefixed */
1886 memset(data
, 0, num_bytes
*2);
1887 BN_bn2bin(r
, data
+num_bytes
-BN_num_bytes(r
));
1888 BN_bn2bin(s
, data
+num_bytes
*2-BN_num_bytes(s
));
1889 rdf
= ldns_rdf_new(LDNS_RDF_TYPE_B64
, (size_t)(num_bytes
*2), data
);
1890 ECDSA_SIG_free(ecdsa_sig
);
1895 ldns_convert_ecdsa_rrsig_rdf2asn1(ldns_buffer
*target_buffer
,
1896 const ldns_rdf
*sig_rdf
)
1898 /* convert from two BIGNUMs in the rdata buffer, to ASN notation.
1899 * ASN preable: 30440220 <R 32bytefor256> 0220 <S 32bytefor256>
1900 * the '20' is the length of that field (=bnsize).
1901 * the '44' is the total remaining length.
1902 * if negative, start with leading zero.
1903 * if starts with 00s, remove them from the number.
1905 uint8_t pre
[] = {0x30, 0x44, 0x02, 0x20};
1907 uint8_t mid
[] = {0x02, 0x20};
1909 int raw_sig_len
, r_high
, s_high
, r_rem
=0, s_rem
=0;
1910 long bnsize
= (long)ldns_rdf_size(sig_rdf
) / 2;
1911 uint8_t* d
= ldns_rdf_data(sig_rdf
);
1912 /* if too short, or not even length, do not bother */
1913 if(bnsize
< 16 || (size_t)bnsize
*2 != ldns_rdf_size(sig_rdf
))
1914 return LDNS_STATUS_ERR
;
1915 /* strip leading zeroes from r (but not last one) */
1916 while(r_rem
< bnsize
-1 && d
[r_rem
] == 0)
1918 /* strip leading zeroes from s (but not last one) */
1919 while(s_rem
< bnsize
-1 && d
[bnsize
+s_rem
] == 0)
1922 r_high
= ((d
[0+r_rem
]&0x80)?1:0);
1923 s_high
= ((d
[bnsize
+s_rem
]&0x80)?1:0);
1924 raw_sig_len
= pre_len
+ r_high
+ bnsize
- r_rem
+ mid_len
+
1925 s_high
+ bnsize
- s_rem
;
1926 if(ldns_buffer_reserve(target_buffer
, (size_t) raw_sig_len
)) {
1927 ldns_buffer_write_u8(target_buffer
, pre
[0]);
1928 ldns_buffer_write_u8(target_buffer
, raw_sig_len
-2);
1929 ldns_buffer_write_u8(target_buffer
, pre
[2]);
1930 ldns_buffer_write_u8(target_buffer
, bnsize
+ r_high
- r_rem
);
1932 ldns_buffer_write_u8(target_buffer
, 0);
1933 ldns_buffer_write(target_buffer
, d
+r_rem
, bnsize
-r_rem
);
1934 ldns_buffer_write(target_buffer
, mid
, mid_len
-1);
1935 ldns_buffer_write_u8(target_buffer
, bnsize
+ s_high
- s_rem
);
1937 ldns_buffer_write_u8(target_buffer
, 0);
1938 ldns_buffer_write(target_buffer
, d
+bnsize
+s_rem
, bnsize
-s_rem
);
1940 return ldns_buffer_status(target_buffer
);
1943 #endif /* S_SPLINT_S */
1944 #endif /* USE_ECDSA */
1946 #if defined(USE_ED25519) || defined(USE_ED448)
1947 /* debug printout routine */
1948 static void print_hex(const char* str
, uint8_t* d
, int len
)
1950 const char hex
[] = "0123456789abcdef";
1952 printf("%s [len=%d]: ", str
, len
);
1953 for(i
=0; i
<len
; i
++) {
1954 int x
= (d
[i
]&0xf0)>>4;
1955 int y
= (d
[i
]&0x0f);
1956 printf("%c%c", hex
[x
], hex
[y
]);
1964 ldns_convert_ed25519_rrsig_asn12rdf(const ldns_buffer
*sig
, long sig_len
)
1966 unsigned char *data
= (unsigned char*)ldns_buffer_begin(sig
);
1967 ldns_rdf
* rdf
= NULL
;
1969 /* TODO when Openssl supports signing and you can test this */
1970 print_hex("sig in ASN", data
, sig_len
);
1976 ldns_convert_ed25519_rrsig_rdf2asn1(ldns_buffer
*target_buffer
,
1977 const ldns_rdf
*sig_rdf
)
1979 /* TODO when Openssl supports signing and you can test this. */
1980 /* convert sig_buf into ASN1 into the target_buffer */
1981 print_hex("sig raw", ldns_rdf_data(sig_rdf
), ldns_rdf_size(sig_rdf
));
1982 return ldns_buffer_status(target_buffer
);
1984 #endif /* USE_ED25519 */
1988 ldns_convert_ed448_rrsig_asn12rdf(const ldns_buffer
*sig
, long sig_len
)
1990 unsigned char *data
= (unsigned char*)ldns_buffer_begin(sig
);
1991 ldns_rdf
* rdf
= NULL
;
1993 /* TODO when Openssl supports signing and you can test this */
1994 print_hex("sig in ASN", data
, sig_len
);
2000 ldns_convert_ed448_rrsig_rdf2asn1(ldns_buffer
*target_buffer
,
2001 const ldns_rdf
*sig_rdf
)
2003 /* TODO when Openssl supports signing and you can test this. */
2004 /* convert sig_buf into ASN1 into the target_buffer */
2005 print_hex("sig raw", ldns_rdf_data(sig_rdf
), ldns_rdf_size(sig_rdf
));
2006 return ldns_buffer_status(target_buffer
);
2008 #endif /* USE_ED448 */
2010 #endif /* HAVE_SSL */