1238104Sdes/* 2238104Sdes * dnssec.c 3238104Sdes * 4238104Sdes * contains the cryptographic function needed for DNSSEC in ldns 5238104Sdes * The crypto library used is openssl 6238104Sdes * 7238104Sdes * (c) NLnet Labs, 2004-2008 8238104Sdes * 9238104Sdes * See the file LICENSE for the license 10238104Sdes */ 11238104Sdes 12238104Sdes#include <ldns/config.h> 13238104Sdes 14238104Sdes#include <ldns/ldns.h> 15238104Sdes#include <ldns/dnssec.h> 16238104Sdes 17238104Sdes#include <strings.h> 18238104Sdes#include <time.h> 19238104Sdes 20238104Sdes#ifdef HAVE_SSL 21238104Sdes#include <openssl/ssl.h> 22238104Sdes#include <openssl/evp.h> 23238104Sdes#include <openssl/rand.h> 24238104Sdes#include <openssl/err.h> 25238104Sdes#include <openssl/md5.h> 26238104Sdes#endif 27238104Sdes 28238104Sdesldns_rr * 29238104Sdesldns_dnssec_get_rrsig_for_name_and_type(const ldns_rdf *name, 30238104Sdes const ldns_rr_type type, 31238104Sdes const ldns_rr_list *rrs) 32238104Sdes{ 33238104Sdes size_t i; 34238104Sdes ldns_rr *candidate; 35238104Sdes 36238104Sdes if (!name || !rrs) { 37238104Sdes return NULL; 38238104Sdes } 39238104Sdes 40238104Sdes for (i = 0; i < ldns_rr_list_rr_count(rrs); i++) { 41238104Sdes candidate = ldns_rr_list_rr(rrs, i); 42238104Sdes if (ldns_rr_get_type(candidate) == LDNS_RR_TYPE_RRSIG) { 43238104Sdes if (ldns_dname_compare(ldns_rr_owner(candidate), 44238104Sdes name) == 0 && 45238104Sdes ldns_rdf2rr_type(ldns_rr_rrsig_typecovered(candidate)) 46238104Sdes == type 47238104Sdes ) { 48238104Sdes return candidate; 49238104Sdes } 50238104Sdes } 51238104Sdes } 52238104Sdes 53238104Sdes return NULL; 54238104Sdes} 55238104Sdes 56238104Sdesldns_rr * 57238104Sdesldns_dnssec_get_dnskey_for_rrsig(const ldns_rr *rrsig, 58238104Sdes const ldns_rr_list *rrs) 59238104Sdes{ 60238104Sdes size_t i; 61238104Sdes ldns_rr *candidate; 62238104Sdes 63238104Sdes if (!rrsig || !rrs) { 64238104Sdes return NULL; 65238104Sdes } 66238104Sdes 67238104Sdes for (i = 0; i < ldns_rr_list_rr_count(rrs); i++) { 68238104Sdes candidate = ldns_rr_list_rr(rrs, i); 69238104Sdes if (ldns_rr_get_type(candidate) == LDNS_RR_TYPE_DNSKEY) { 70238104Sdes if (ldns_dname_compare(ldns_rr_owner(candidate), 71238104Sdes ldns_rr_rrsig_signame(rrsig)) == 0 && 72238104Sdes ldns_rdf2native_int16(ldns_rr_rrsig_keytag(rrsig)) == 73238104Sdes ldns_calc_keytag(candidate) 74238104Sdes ) { 75238104Sdes return candidate; 76238104Sdes } 77238104Sdes } 78238104Sdes } 79238104Sdes 80238104Sdes return NULL; 81238104Sdes} 82238104Sdes 83238104Sdesldns_rdf * 84238104Sdesldns_nsec_get_bitmap(ldns_rr *nsec) { 85238104Sdes if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC) { 86238104Sdes return ldns_rr_rdf(nsec, 1); 87238104Sdes } else if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC3) { 88238104Sdes return ldns_rr_rdf(nsec, 5); 89238104Sdes } else { 90238104Sdes return NULL; 91238104Sdes } 92238104Sdes} 93238104Sdes 94238104Sdes/*return the owner name of the closest encloser for name from the list of rrs */ 95238104Sdes/* this is NOT the hash, but the original name! */ 96238104Sdesldns_rdf * 97238104Sdesldns_dnssec_nsec3_closest_encloser(ldns_rdf *qname, 98238104Sdes ATTR_UNUSED(ldns_rr_type qtype), 99238104Sdes ldns_rr_list *nsec3s) 100238104Sdes{ 101238104Sdes /* remember parameters, they must match */ 102238104Sdes uint8_t algorithm; 103238104Sdes uint32_t iterations; 104238104Sdes uint8_t salt_length; 105238104Sdes uint8_t *salt; 106238104Sdes 107238104Sdes ldns_rdf *sname, *hashed_sname, *tmp; 108238104Sdes bool flag; 109238104Sdes 110238104Sdes bool exact_match_found; 111238104Sdes bool in_range_found; 112238104Sdes 113238104Sdes ldns_status status; 114238104Sdes ldns_rdf *zone_name; 115238104Sdes 116238104Sdes size_t nsec_i; 117238104Sdes ldns_rr *nsec; 118238104Sdes ldns_rdf *result = NULL; 119238104Sdes 120238104Sdes if (!qname || !nsec3s || ldns_rr_list_rr_count(nsec3s) < 1) { 121238104Sdes return NULL; 122238104Sdes } 123238104Sdes 124238104Sdes nsec = ldns_rr_list_rr(nsec3s, 0); 125238104Sdes algorithm = ldns_nsec3_algorithm(nsec); 126238104Sdes salt_length = ldns_nsec3_salt_length(nsec); 127238104Sdes salt = ldns_nsec3_salt_data(nsec); 128238104Sdes iterations = ldns_nsec3_iterations(nsec); 129238104Sdes 130238104Sdes sname = ldns_rdf_clone(qname); 131238104Sdes 132238104Sdes flag = false; 133238104Sdes 134238104Sdes zone_name = ldns_dname_left_chop(ldns_rr_owner(nsec)); 135238104Sdes 136238104Sdes /* algorithm from nsec3-07 8.3 */ 137238104Sdes while (ldns_dname_label_count(sname) > 0) { 138238104Sdes exact_match_found = false; 139238104Sdes in_range_found = false; 140238104Sdes 141238104Sdes hashed_sname = ldns_nsec3_hash_name(sname, 142238104Sdes algorithm, 143238104Sdes iterations, 144238104Sdes salt_length, 145238104Sdes salt); 146238104Sdes 147238104Sdes status = ldns_dname_cat(hashed_sname, zone_name); 148238104Sdes if(status != LDNS_STATUS_OK) { 149238104Sdes LDNS_FREE(salt); 150238104Sdes ldns_rdf_deep_free(zone_name); 151238104Sdes ldns_rdf_deep_free(sname); 152238104Sdes return NULL; 153238104Sdes } 154238104Sdes 155238104Sdes for (nsec_i = 0; nsec_i < ldns_rr_list_rr_count(nsec3s); nsec_i++) { 156238104Sdes nsec = ldns_rr_list_rr(nsec3s, nsec_i); 157238104Sdes 158238104Sdes /* check values of iterations etc! */ 159238104Sdes 160238104Sdes /* exact match? */ 161238104Sdes if (ldns_dname_compare(ldns_rr_owner(nsec), hashed_sname) == 0) { 162238104Sdes exact_match_found = true; 163238104Sdes } else if (ldns_nsec_covers_name(nsec, hashed_sname)) { 164238104Sdes in_range_found = true; 165238104Sdes } 166238104Sdes 167238104Sdes } 168238104Sdes if (!exact_match_found && in_range_found) { 169238104Sdes flag = true; 170238104Sdes } else if (exact_match_found && flag) { 171238104Sdes result = ldns_rdf_clone(sname); 172238104Sdes /* RFC 5155: 8.3. 2.** "The proof is complete" */ 173238104Sdes ldns_rdf_deep_free(hashed_sname); 174238104Sdes goto done; 175238104Sdes } else if (exact_match_found && !flag) { 176238104Sdes /* error! */ 177238104Sdes ldns_rdf_deep_free(hashed_sname); 178238104Sdes goto done; 179238104Sdes } else { 180238104Sdes flag = false; 181238104Sdes } 182238104Sdes 183238104Sdes ldns_rdf_deep_free(hashed_sname); 184238104Sdes tmp = sname; 185238104Sdes sname = ldns_dname_left_chop(sname); 186238104Sdes ldns_rdf_deep_free(tmp); 187238104Sdes } 188238104Sdes 189238104Sdes done: 190238104Sdes LDNS_FREE(salt); 191238104Sdes ldns_rdf_deep_free(zone_name); 192238104Sdes ldns_rdf_deep_free(sname); 193238104Sdes 194238104Sdes return result; 195238104Sdes} 196238104Sdes 197238104Sdesbool 198238104Sdesldns_dnssec_pkt_has_rrsigs(const ldns_pkt *pkt) 199238104Sdes{ 200238104Sdes size_t i; 201238104Sdes for (i = 0; i < ldns_pkt_ancount(pkt); i++) { 202238104Sdes if (ldns_rr_get_type(ldns_rr_list_rr(ldns_pkt_answer(pkt), i)) == 203238104Sdes LDNS_RR_TYPE_RRSIG) { 204238104Sdes return true; 205238104Sdes } 206238104Sdes } 207238104Sdes for (i = 0; i < ldns_pkt_nscount(pkt); i++) { 208238104Sdes if (ldns_rr_get_type(ldns_rr_list_rr(ldns_pkt_authority(pkt), i)) == 209238104Sdes LDNS_RR_TYPE_RRSIG) { 210238104Sdes return true; 211238104Sdes } 212238104Sdes } 213238104Sdes return false; 214238104Sdes} 215238104Sdes 216238104Sdesldns_rr_list * 217238104Sdesldns_dnssec_pkt_get_rrsigs_for_name_and_type(const ldns_pkt *pkt, 218238104Sdes ldns_rdf *name, 219238104Sdes ldns_rr_type type) 220238104Sdes{ 221238104Sdes uint16_t t_netorder; 222238104Sdes ldns_rr_list *sigs; 223238104Sdes ldns_rr_list *sigs_covered; 224238104Sdes ldns_rdf *rdf_t; 225238104Sdes 226238104Sdes sigs = ldns_pkt_rr_list_by_name_and_type(pkt, 227238104Sdes name, 228238104Sdes LDNS_RR_TYPE_RRSIG, 229238104Sdes LDNS_SECTION_ANY_NOQUESTION 230238104Sdes ); 231238104Sdes 232238104Sdes t_netorder = htons(type); /* rdf are in network order! */ 233238104Sdes rdf_t = ldns_rdf_new(LDNS_RDF_TYPE_TYPE, LDNS_RDF_SIZE_WORD, &t_netorder); 234238104Sdes sigs_covered = ldns_rr_list_subtype_by_rdf(sigs, rdf_t, 0); 235238104Sdes 236238104Sdes ldns_rdf_free(rdf_t); 237238104Sdes ldns_rr_list_deep_free(sigs); 238238104Sdes 239238104Sdes return sigs_covered; 240238104Sdes 241238104Sdes} 242238104Sdes 243238104Sdesldns_rr_list * 244238104Sdesldns_dnssec_pkt_get_rrsigs_for_type(const ldns_pkt *pkt, ldns_rr_type type) 245238104Sdes{ 246238104Sdes uint16_t t_netorder; 247238104Sdes ldns_rr_list *sigs; 248238104Sdes ldns_rr_list *sigs_covered; 249238104Sdes ldns_rdf *rdf_t; 250238104Sdes 251238104Sdes sigs = ldns_pkt_rr_list_by_type(pkt, 252238104Sdes LDNS_RR_TYPE_RRSIG, 253238104Sdes LDNS_SECTION_ANY_NOQUESTION 254238104Sdes ); 255238104Sdes 256238104Sdes t_netorder = htons(type); /* rdf are in network order! */ 257238104Sdes rdf_t = ldns_rdf_new(LDNS_RDF_TYPE_TYPE, 258238104Sdes 2, 259238104Sdes &t_netorder); 260238104Sdes sigs_covered = ldns_rr_list_subtype_by_rdf(sigs, rdf_t, 0); 261238104Sdes 262238104Sdes ldns_rdf_free(rdf_t); 263238104Sdes ldns_rr_list_deep_free(sigs); 264238104Sdes 265238104Sdes return sigs_covered; 266238104Sdes 267238104Sdes} 268238104Sdes 269238104Sdes/* used only on the public key RR */ 270238104Sdesuint16_t 271238104Sdesldns_calc_keytag(const ldns_rr *key) 272238104Sdes{ 273238104Sdes uint16_t ac16; 274238104Sdes ldns_buffer *keybuf; 275238104Sdes size_t keysize; 276238104Sdes 277238104Sdes if (!key) { 278238104Sdes return 0; 279238104Sdes } 280238104Sdes 281238104Sdes if (ldns_rr_get_type(key) != LDNS_RR_TYPE_DNSKEY && 282238104Sdes ldns_rr_get_type(key) != LDNS_RR_TYPE_KEY 283238104Sdes ) { 284238104Sdes return 0; 285238104Sdes } 286238104Sdes 287238104Sdes /* rdata to buf - only put the rdata in a buffer */ 288238104Sdes keybuf = ldns_buffer_new(LDNS_MIN_BUFLEN); /* grows */ 289238104Sdes if (!keybuf) { 290238104Sdes return 0; 291238104Sdes } 292238104Sdes (void)ldns_rr_rdata2buffer_wire(keybuf, key); 293238104Sdes /* the current pos in the buffer is the keysize */ 294238104Sdes keysize= ldns_buffer_position(keybuf); 295238104Sdes 296238104Sdes ac16 = ldns_calc_keytag_raw(ldns_buffer_begin(keybuf), keysize); 297238104Sdes ldns_buffer_free(keybuf); 298238104Sdes return ac16; 299238104Sdes} 300238104Sdes 301238104Sdesuint16_t ldns_calc_keytag_raw(uint8_t* key, size_t keysize) 302238104Sdes{ 303238104Sdes unsigned int i; 304238104Sdes uint32_t ac32; 305238104Sdes uint16_t ac16; 306238104Sdes 307238104Sdes if(keysize < 4) { 308238104Sdes return 0; 309238104Sdes } 310238104Sdes /* look at the algorithm field, copied from 2535bis */ 311238104Sdes if (key[3] == LDNS_RSAMD5) { 312238104Sdes ac16 = 0; 313238104Sdes if (keysize > 4) { 314238104Sdes memmove(&ac16, key + keysize - 3, 2); 315238104Sdes } 316238104Sdes ac16 = ntohs(ac16); 317238104Sdes return (uint16_t) ac16; 318238104Sdes } else { 319238104Sdes ac32 = 0; 320238104Sdes for (i = 0; (size_t)i < keysize; ++i) { 321238104Sdes ac32 += (i & 1) ? key[i] : key[i] << 8; 322238104Sdes } 323238104Sdes ac32 += (ac32 >> 16) & 0xFFFF; 324238104Sdes return (uint16_t) (ac32 & 0xFFFF); 325238104Sdes } 326238104Sdes} 327238104Sdes 328238104Sdes#ifdef HAVE_SSL 329238104SdesDSA * 330238104Sdesldns_key_buf2dsa(ldns_buffer *key) 331238104Sdes{ 332238104Sdes return ldns_key_buf2dsa_raw((unsigned char*)ldns_buffer_begin(key), 333238104Sdes ldns_buffer_position(key)); 334238104Sdes} 335238104Sdes 336238104SdesDSA * 337238104Sdesldns_key_buf2dsa_raw(unsigned char* key, size_t len) 338238104Sdes{ 339238104Sdes uint8_t T; 340238104Sdes uint16_t length; 341238104Sdes uint16_t offset; 342238104Sdes DSA *dsa; 343238104Sdes BIGNUM *Q; BIGNUM *P; 344238104Sdes BIGNUM *G; BIGNUM *Y; 345238104Sdes 346238104Sdes if(len == 0) 347238104Sdes return NULL; 348238104Sdes T = (uint8_t)key[0]; 349238104Sdes length = (64 + T * 8); 350238104Sdes offset = 1; 351238104Sdes 352238104Sdes if (T > 8) { 353238104Sdes return NULL; 354238104Sdes } 355238104Sdes if(len < (size_t)1 + SHA_DIGEST_LENGTH + 3*length) 356238104Sdes return NULL; 357238104Sdes 358238104Sdes Q = BN_bin2bn(key+offset, SHA_DIGEST_LENGTH, NULL); 359238104Sdes offset += SHA_DIGEST_LENGTH; 360238104Sdes 361238104Sdes P = BN_bin2bn(key+offset, (int)length, NULL); 362238104Sdes offset += length; 363238104Sdes 364238104Sdes G = BN_bin2bn(key+offset, (int)length, NULL); 365238104Sdes offset += length; 366238104Sdes 367238104Sdes Y = BN_bin2bn(key+offset, (int)length, NULL); 368238104Sdes offset += length; 369238104Sdes 370238104Sdes /* create the key and set its properties */ 371238104Sdes if(!Q || !P || !G || !Y || !(dsa = DSA_new())) { 372238104Sdes BN_free(Q); 373238104Sdes BN_free(P); 374238104Sdes BN_free(G); 375238104Sdes BN_free(Y); 376238104Sdes return NULL; 377238104Sdes } 378238104Sdes#ifndef S_SPLINT_S 379238104Sdes dsa->p = P; 380238104Sdes dsa->q = Q; 381238104Sdes dsa->g = G; 382238104Sdes dsa->pub_key = Y; 383238104Sdes#endif /* splint */ 384238104Sdes 385238104Sdes return dsa; 386238104Sdes} 387238104Sdes 388238104SdesRSA * 389238104Sdesldns_key_buf2rsa(ldns_buffer *key) 390238104Sdes{ 391238104Sdes return ldns_key_buf2rsa_raw((unsigned char*)ldns_buffer_begin(key), 392238104Sdes ldns_buffer_position(key)); 393238104Sdes} 394238104Sdes 395238104SdesRSA * 396238104Sdesldns_key_buf2rsa_raw(unsigned char* key, size_t len) 397238104Sdes{ 398238104Sdes uint16_t offset; 399238104Sdes uint16_t exp; 400238104Sdes uint16_t int16; 401238104Sdes RSA *rsa; 402238104Sdes BIGNUM *modulus; 403238104Sdes BIGNUM *exponent; 404238104Sdes 405238104Sdes if (len == 0) 406238104Sdes return NULL; 407238104Sdes if (key[0] == 0) { 408238104Sdes if(len < 3) 409238104Sdes return NULL; 410238104Sdes /* need some smart comment here XXX*/ 411238104Sdes /* the exponent is too large so it's places 412238104Sdes * futher...???? */ 413238104Sdes memmove(&int16, key+1, 2); 414238104Sdes exp = ntohs(int16); 415238104Sdes offset = 3; 416238104Sdes } else { 417238104Sdes exp = key[0]; 418238104Sdes offset = 1; 419238104Sdes } 420238104Sdes 421238104Sdes /* key length at least one */ 422238104Sdes if(len < (size_t)offset + exp + 1) 423238104Sdes return NULL; 424238104Sdes 425238104Sdes /* Exponent */ 426238104Sdes exponent = BN_new(); 427238104Sdes if(!exponent) return NULL; 428238104Sdes (void) BN_bin2bn(key+offset, (int)exp, exponent); 429238104Sdes offset += exp; 430238104Sdes 431238104Sdes /* Modulus */ 432238104Sdes modulus = BN_new(); 433238104Sdes if(!modulus) { 434238104Sdes BN_free(exponent); 435238104Sdes return NULL; 436238104Sdes } 437238104Sdes /* length of the buffer must match the key length! */ 438238104Sdes (void) BN_bin2bn(key+offset, (int)(len - offset), modulus); 439238104Sdes 440238104Sdes rsa = RSA_new(); 441238104Sdes if(!rsa) { 442238104Sdes BN_free(exponent); 443238104Sdes BN_free(modulus); 444238104Sdes return NULL; 445238104Sdes } 446238104Sdes#ifndef S_SPLINT_S 447238104Sdes rsa->n = modulus; 448238104Sdes rsa->e = exponent; 449238104Sdes#endif /* splint */ 450238104Sdes 451238104Sdes return rsa; 452238104Sdes} 453238104Sdes 454238104Sdesint 455238104Sdesldns_digest_evp(unsigned char* data, unsigned int len, unsigned char* dest, 456238104Sdes const EVP_MD* md) 457238104Sdes{ 458238104Sdes EVP_MD_CTX* ctx; 459238104Sdes ctx = EVP_MD_CTX_create(); 460238104Sdes if(!ctx) 461238104Sdes return false; 462238104Sdes if(!EVP_DigestInit_ex(ctx, md, NULL) || 463238104Sdes !EVP_DigestUpdate(ctx, data, len) || 464238104Sdes !EVP_DigestFinal_ex(ctx, dest, NULL)) { 465238104Sdes EVP_MD_CTX_destroy(ctx); 466238104Sdes return false; 467238104Sdes } 468238104Sdes EVP_MD_CTX_destroy(ctx); 469238104Sdes return true; 470238104Sdes} 471238104Sdes#endif /* HAVE_SSL */ 472238104Sdes 473238104Sdesldns_rr * 474238104Sdesldns_key_rr2ds(const ldns_rr *key, ldns_hash h) 475238104Sdes{ 476238104Sdes ldns_rdf *tmp; 477238104Sdes ldns_rr *ds; 478238104Sdes uint16_t keytag; 479238104Sdes uint8_t sha1hash; 480238104Sdes uint8_t *digest; 481238104Sdes ldns_buffer *data_buf; 482238104Sdes#ifdef USE_GOST 483238104Sdes const EVP_MD* md = NULL; 484238104Sdes#endif 485238104Sdes 486238104Sdes if (ldns_rr_get_type(key) != LDNS_RR_TYPE_DNSKEY) { 487238104Sdes return NULL; 488238104Sdes } 489238104Sdes 490238104Sdes ds = ldns_rr_new(); 491238104Sdes if (!ds) { 492238104Sdes return NULL; 493238104Sdes } 494238104Sdes ldns_rr_set_type(ds, LDNS_RR_TYPE_DS); 495238104Sdes ldns_rr_set_owner(ds, ldns_rdf_clone( 496238104Sdes ldns_rr_owner(key))); 497238104Sdes ldns_rr_set_ttl(ds, ldns_rr_ttl(key)); 498238104Sdes ldns_rr_set_class(ds, ldns_rr_get_class(key)); 499238104Sdes 500238104Sdes switch(h) { 501238104Sdes default: 502238104Sdes case LDNS_SHA1: 503238104Sdes digest = LDNS_XMALLOC(uint8_t, LDNS_SHA1_DIGEST_LENGTH); 504238104Sdes if (!digest) { 505238104Sdes ldns_rr_free(ds); 506238104Sdes return NULL; 507238104Sdes } 508238104Sdes break; 509238104Sdes case LDNS_SHA256: 510238104Sdes digest = LDNS_XMALLOC(uint8_t, LDNS_SHA256_DIGEST_LENGTH); 511238104Sdes if (!digest) { 512238104Sdes ldns_rr_free(ds); 513238104Sdes return NULL; 514238104Sdes } 515238104Sdes break; 516238104Sdes case LDNS_HASH_GOST: 517238104Sdes#ifdef USE_GOST 518238104Sdes (void)ldns_key_EVP_load_gost_id(); 519238104Sdes md = EVP_get_digestbyname("md_gost94"); 520238104Sdes if(!md) { 521238104Sdes ldns_rr_free(ds); 522238104Sdes return NULL; 523238104Sdes } 524238104Sdes digest = LDNS_XMALLOC(uint8_t, EVP_MD_size(md)); 525238104Sdes if (!digest) { 526238104Sdes ldns_rr_free(ds); 527238104Sdes return NULL; 528238104Sdes } 529238104Sdes break; 530238104Sdes#else 531238104Sdes /* not implemented */ 532238104Sdes ldns_rr_free(ds); 533238104Sdes return NULL; 534238104Sdes#endif 535238104Sdes case LDNS_SHA384: 536238104Sdes#ifdef USE_ECDSA 537238104Sdes digest = LDNS_XMALLOC(uint8_t, SHA384_DIGEST_LENGTH); 538238104Sdes if (!digest) { 539238104Sdes ldns_rr_free(ds); 540238104Sdes return NULL; 541238104Sdes } 542238104Sdes break; 543238104Sdes#else 544238104Sdes /* not implemented */ 545238104Sdes ldns_rr_free(ds); 546238104Sdes return NULL; 547238104Sdes#endif 548238104Sdes } 549238104Sdes 550238104Sdes data_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN); 551238104Sdes if (!data_buf) { 552238104Sdes LDNS_FREE(digest); 553238104Sdes ldns_rr_free(ds); 554238104Sdes return NULL; 555238104Sdes } 556238104Sdes 557238104Sdes /* keytag */ 558238104Sdes keytag = htons(ldns_calc_keytag((ldns_rr*)key)); 559238104Sdes tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT16, 560238104Sdes sizeof(uint16_t), 561238104Sdes &keytag); 562238104Sdes ldns_rr_push_rdf(ds, tmp); 563238104Sdes 564238104Sdes /* copy the algorithm field */ 565238104Sdes if ((tmp = ldns_rr_rdf(key, 2)) == NULL) { 566238104Sdes LDNS_FREE(digest); 567238104Sdes ldns_buffer_free(data_buf); 568238104Sdes ldns_rr_free(ds); 569238104Sdes return NULL; 570238104Sdes } else { 571238104Sdes ldns_rr_push_rdf(ds, ldns_rdf_clone( tmp )); 572238104Sdes } 573238104Sdes 574238104Sdes /* digest hash type */ 575238104Sdes sha1hash = (uint8_t)h; 576238104Sdes tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT8, 577238104Sdes sizeof(uint8_t), 578238104Sdes &sha1hash); 579238104Sdes ldns_rr_push_rdf(ds, tmp); 580238104Sdes 581238104Sdes /* digest */ 582238104Sdes /* owner name */ 583238104Sdes tmp = ldns_rdf_clone(ldns_rr_owner(key)); 584238104Sdes ldns_dname2canonical(tmp); 585238104Sdes if (ldns_rdf2buffer_wire(data_buf, tmp) != LDNS_STATUS_OK) { 586238104Sdes LDNS_FREE(digest); 587238104Sdes ldns_buffer_free(data_buf); 588238104Sdes ldns_rr_free(ds); 589238104Sdes ldns_rdf_deep_free(tmp); 590238104Sdes return NULL; 591238104Sdes } 592238104Sdes ldns_rdf_deep_free(tmp); 593238104Sdes 594238104Sdes /* all the rdata's */ 595238104Sdes if (ldns_rr_rdata2buffer_wire(data_buf, 596238104Sdes (ldns_rr*)key) != LDNS_STATUS_OK) { 597238104Sdes LDNS_FREE(digest); 598238104Sdes ldns_buffer_free(data_buf); 599238104Sdes ldns_rr_free(ds); 600238104Sdes return NULL; 601238104Sdes } 602238104Sdes switch(h) { 603238104Sdes case LDNS_SHA1: 604238104Sdes (void) ldns_sha1((unsigned char *) ldns_buffer_begin(data_buf), 605238104Sdes (unsigned int) ldns_buffer_position(data_buf), 606238104Sdes (unsigned char *) digest); 607238104Sdes 608238104Sdes tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_HEX, 609238104Sdes LDNS_SHA1_DIGEST_LENGTH, 610238104Sdes digest); 611238104Sdes ldns_rr_push_rdf(ds, tmp); 612238104Sdes 613238104Sdes break; 614238104Sdes case LDNS_SHA256: 615238104Sdes (void) ldns_sha256((unsigned char *) ldns_buffer_begin(data_buf), 616238104Sdes (unsigned int) ldns_buffer_position(data_buf), 617238104Sdes (unsigned char *) digest); 618238104Sdes tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_HEX, 619238104Sdes LDNS_SHA256_DIGEST_LENGTH, 620238104Sdes digest); 621238104Sdes ldns_rr_push_rdf(ds, tmp); 622238104Sdes break; 623238104Sdes case LDNS_HASH_GOST: 624238104Sdes#ifdef USE_GOST 625238104Sdes if(!ldns_digest_evp((unsigned char *) ldns_buffer_begin(data_buf), 626238104Sdes (unsigned int) ldns_buffer_position(data_buf), 627238104Sdes (unsigned char *) digest, md)) { 628238104Sdes LDNS_FREE(digest); 629238104Sdes ldns_buffer_free(data_buf); 630238104Sdes ldns_rr_free(ds); 631238104Sdes return NULL; 632238104Sdes } 633238104Sdes tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_HEX, 634238104Sdes (size_t)EVP_MD_size(md), 635238104Sdes digest); 636238104Sdes ldns_rr_push_rdf(ds, tmp); 637238104Sdes#endif 638238104Sdes break; 639238104Sdes case LDNS_SHA384: 640238104Sdes#ifdef USE_ECDSA 641238104Sdes (void) SHA384((unsigned char *) ldns_buffer_begin(data_buf), 642238104Sdes (unsigned int) ldns_buffer_position(data_buf), 643238104Sdes (unsigned char *) digest); 644238104Sdes tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_HEX, 645238104Sdes SHA384_DIGEST_LENGTH, 646238104Sdes digest); 647238104Sdes ldns_rr_push_rdf(ds, tmp); 648238104Sdes#endif 649238104Sdes break; 650238104Sdes } 651238104Sdes 652238104Sdes LDNS_FREE(digest); 653238104Sdes ldns_buffer_free(data_buf); 654238104Sdes return ds; 655238104Sdes} 656238104Sdes 657269257Sdes/* From RFC3845: 658269257Sdes * 659269257Sdes * 2.1.2. The List of Type Bit Map(s) Field 660269257Sdes * 661269257Sdes * The RR type space is split into 256 window blocks, each representing 662269257Sdes * the low-order 8 bits of the 16-bit RR type space. Each block that 663269257Sdes * has at least one active RR type is encoded using a single octet 664269257Sdes * window number (from 0 to 255), a single octet bitmap length (from 1 665269257Sdes * to 32) indicating the number of octets used for the window block's 666269257Sdes * bitmap, and up to 32 octets (256 bits) of bitmap. 667269257Sdes * 668269257Sdes * Window blocks are present in the NSEC RR RDATA in increasing 669269257Sdes * numerical order. 670269257Sdes * 671269257Sdes * "|" denotes concatenation 672269257Sdes * 673269257Sdes * Type Bit Map(s) Field = ( Window Block # | Bitmap Length | Bitmap ) + 674269257Sdes * 675269257Sdes * <cut> 676269257Sdes * 677269257Sdes * Blocks with no types present MUST NOT be included. Trailing zero 678269257Sdes * octets in the bitmap MUST be omitted. The length of each block's 679269257Sdes * bitmap is determined by the type code with the largest numerical 680269257Sdes * value within that block, among the set of RR types present at the 681269257Sdes * NSEC RR's owner name. Trailing zero octets not specified MUST be 682269257Sdes * interpreted as zero octets. 683269257Sdes */ 684238104Sdesldns_rdf * 685238104Sdesldns_dnssec_create_nsec_bitmap(ldns_rr_type rr_type_list[], 686238104Sdes size_t size, 687238104Sdes ldns_rr_type nsec_type) 688238104Sdes{ 689269257Sdes uint8_t window; /* most significant octet of type */ 690269257Sdes uint8_t subtype; /* least significant octet of type */ 691269257Sdes uint16_t windows[256] /* Max subtype per window */ 692269257Sdes#ifndef S_SPLINT_S 693269257Sdes = { 0 } /* Initialize ALL elements with 0 */ 694269257Sdes#endif 695269257Sdes ; 696269257Sdes ldns_rr_type* d; /* used to traverse rr_type_list*/ 697269257Sdes size_t i; /* used to traverse windows array */ 698238104Sdes 699269257Sdes size_t sz; /* size needed for type bitmap rdf */ 700269257Sdes uint8_t* data = NULL; /* rdf data */ 701269257Sdes uint8_t* dptr; /* used to itraverse rdf data */ 702269257Sdes ldns_rdf* rdf; /* bitmap rdf to return */ 703238104Sdes 704238104Sdes if (nsec_type != LDNS_RR_TYPE_NSEC && 705238104Sdes nsec_type != LDNS_RR_TYPE_NSEC3) { 706238104Sdes return NULL; 707238104Sdes } 708238104Sdes 709269257Sdes /* Which other windows need to be in the bitmap rdf? 710269257Sdes */ 711269257Sdes for (d = rr_type_list; d < rr_type_list + size; d++) { 712269257Sdes window = *d >> 8; 713269257Sdes subtype = *d & 0xff; 714269257Sdes if (windows[window] < subtype) { 715269257Sdes windows[window] = subtype; 716269257Sdes } 717238104Sdes } 718238104Sdes 719269257Sdes /* How much space do we need in the rdf for those windows? 720269257Sdes */ 721269257Sdes sz = 0; 722269257Sdes for (i = 0; i < 256; i++) { 723269257Sdes if (windows[i]) { 724269257Sdes sz += windows[i] / 8 + 3; 725269257Sdes } 726238104Sdes } 727269257Sdes if (sz > 0) { 728269257Sdes /* Format rdf data according RFC3845 Section 2.1.2 (see above) 729269257Sdes */ 730269257Sdes dptr = data = LDNS_CALLOC(uint8_t, sz); 731269257Sdes if (!data) { 732269257Sdes return NULL; 733269257Sdes } 734269257Sdes for (i = 0; i < 256; i++) { 735269257Sdes if (windows[i]) { 736269257Sdes *dptr++ = (uint8_t)i; 737269257Sdes *dptr++ = (uint8_t)(windows[i] / 8 + 1); 738238104Sdes 739269257Sdes /* Now let windows[i] index the bitmap 740269257Sdes * within data 741269257Sdes */ 742269257Sdes windows[i] = (uint16_t)(dptr - data); 743238104Sdes 744269257Sdes dptr += dptr[-1]; 745238104Sdes } 746238104Sdes } 747238104Sdes } 748269257Sdes 749269257Sdes /* Set the bits? 750269257Sdes */ 751269257Sdes for (d = rr_type_list; d < rr_type_list + size; d++) { 752269257Sdes subtype = *d & 0xff; 753269257Sdes data[windows[*d >> 8] + subtype/8] |= (0x80 >> (subtype % 8)); 754238104Sdes } 755238104Sdes 756269257Sdes /* Allocate and return rdf structure for the data 757269257Sdes */ 758269257Sdes rdf = ldns_rdf_new(LDNS_RDF_TYPE_BITMAP, sz, data); 759269257Sdes if (!rdf) { 760269257Sdes LDNS_FREE(data); 761269257Sdes return NULL; 762269257Sdes } 763269257Sdes return rdf; 764238104Sdes} 765238104Sdes 766238104Sdesint 767238104Sdesldns_dnssec_rrsets_contains_type(ldns_dnssec_rrsets *rrsets, 768238104Sdes ldns_rr_type type) 769238104Sdes{ 770238104Sdes ldns_dnssec_rrsets *cur_rrset = rrsets; 771238104Sdes while (cur_rrset) { 772238104Sdes if (cur_rrset->type == type) { 773238104Sdes return 1; 774238104Sdes } 775238104Sdes cur_rrset = cur_rrset->next; 776238104Sdes } 777238104Sdes return 0; 778238104Sdes} 779238104Sdes 780238104Sdesldns_rr * 781238104Sdesldns_dnssec_create_nsec(ldns_dnssec_name *from, 782238104Sdes ldns_dnssec_name *to, 783238104Sdes ldns_rr_type nsec_type) 784238104Sdes{ 785238104Sdes ldns_rr *nsec_rr; 786238104Sdes ldns_rr_type types[65536]; 787238104Sdes size_t type_count = 0; 788238104Sdes ldns_dnssec_rrsets *cur_rrsets; 789238104Sdes int on_delegation_point; 790238104Sdes 791238104Sdes if (!from || !to || (nsec_type != LDNS_RR_TYPE_NSEC)) { 792238104Sdes return NULL; 793238104Sdes } 794238104Sdes 795238104Sdes nsec_rr = ldns_rr_new(); 796238104Sdes ldns_rr_set_type(nsec_rr, nsec_type); 797238104Sdes ldns_rr_set_owner(nsec_rr, ldns_rdf_clone(ldns_dnssec_name_name(from))); 798238104Sdes ldns_rr_push_rdf(nsec_rr, ldns_rdf_clone(ldns_dnssec_name_name(to))); 799238104Sdes 800238104Sdes on_delegation_point = ldns_dnssec_rrsets_contains_type( 801238104Sdes from->rrsets, LDNS_RR_TYPE_NS) 802238104Sdes && !ldns_dnssec_rrsets_contains_type( 803238104Sdes from->rrsets, LDNS_RR_TYPE_SOA); 804238104Sdes 805238104Sdes cur_rrsets = from->rrsets; 806238104Sdes while (cur_rrsets) { 807238104Sdes /* Do not include non-authoritative rrsets on the delegation point 808238104Sdes * in the type bitmap */ 809238104Sdes if ((on_delegation_point && ( 810238104Sdes cur_rrsets->type == LDNS_RR_TYPE_NS 811238104Sdes || cur_rrsets->type == LDNS_RR_TYPE_DS)) 812238104Sdes || (!on_delegation_point && 813238104Sdes cur_rrsets->type != LDNS_RR_TYPE_RRSIG 814238104Sdes && cur_rrsets->type != LDNS_RR_TYPE_NSEC)) { 815238104Sdes 816238104Sdes types[type_count] = cur_rrsets->type; 817238104Sdes type_count++; 818238104Sdes } 819238104Sdes cur_rrsets = cur_rrsets->next; 820238104Sdes 821238104Sdes } 822238104Sdes types[type_count] = LDNS_RR_TYPE_RRSIG; 823238104Sdes type_count++; 824238104Sdes types[type_count] = LDNS_RR_TYPE_NSEC; 825238104Sdes type_count++; 826238104Sdes 827238104Sdes ldns_rr_push_rdf(nsec_rr, ldns_dnssec_create_nsec_bitmap(types, 828238104Sdes type_count, 829238104Sdes nsec_type)); 830238104Sdes 831238104Sdes return nsec_rr; 832238104Sdes} 833238104Sdes 834238104Sdesldns_rr * 835238104Sdesldns_dnssec_create_nsec3(ldns_dnssec_name *from, 836238104Sdes ldns_dnssec_name *to, 837238104Sdes ldns_rdf *zone_name, 838238104Sdes uint8_t algorithm, 839238104Sdes uint8_t flags, 840238104Sdes uint16_t iterations, 841238104Sdes uint8_t salt_length, 842238104Sdes uint8_t *salt) 843238104Sdes{ 844238104Sdes ldns_rr *nsec_rr; 845238104Sdes ldns_rr_type types[65536]; 846238104Sdes size_t type_count = 0; 847238104Sdes ldns_dnssec_rrsets *cur_rrsets; 848238104Sdes ldns_status status; 849238104Sdes int on_delegation_point; 850238104Sdes 851238104Sdes if (!from) { 852238104Sdes return NULL; 853238104Sdes } 854238104Sdes 855238104Sdes nsec_rr = ldns_rr_new_frm_type(LDNS_RR_TYPE_NSEC3); 856238104Sdes ldns_rr_set_owner(nsec_rr, 857238104Sdes ldns_nsec3_hash_name(ldns_dnssec_name_name(from), 858238104Sdes algorithm, 859238104Sdes iterations, 860238104Sdes salt_length, 861238104Sdes salt)); 862238104Sdes status = ldns_dname_cat(ldns_rr_owner(nsec_rr), zone_name); 863238104Sdes if(status != LDNS_STATUS_OK) { 864238104Sdes ldns_rr_free(nsec_rr); 865238104Sdes return NULL; 866238104Sdes } 867238104Sdes ldns_nsec3_add_param_rdfs(nsec_rr, 868238104Sdes algorithm, 869238104Sdes flags, 870238104Sdes iterations, 871238104Sdes salt_length, 872238104Sdes salt); 873238104Sdes 874238104Sdes on_delegation_point = ldns_dnssec_rrsets_contains_type( 875238104Sdes from->rrsets, LDNS_RR_TYPE_NS) 876238104Sdes && !ldns_dnssec_rrsets_contains_type( 877238104Sdes from->rrsets, LDNS_RR_TYPE_SOA); 878238104Sdes cur_rrsets = from->rrsets; 879238104Sdes while (cur_rrsets) { 880238104Sdes /* Do not include non-authoritative rrsets on the delegation point 881238104Sdes * in the type bitmap. Potentionally not skipping insecure 882238104Sdes * delegation should have been done earlier, in function 883238104Sdes * ldns_dnssec_zone_create_nsec3s, or even earlier in: 884238104Sdes * ldns_dnssec_zone_sign_nsec3_flg . 885238104Sdes */ 886238104Sdes if ((on_delegation_point && ( 887238104Sdes cur_rrsets->type == LDNS_RR_TYPE_NS 888238104Sdes || cur_rrsets->type == LDNS_RR_TYPE_DS)) 889238104Sdes || (!on_delegation_point && 890238104Sdes cur_rrsets->type != LDNS_RR_TYPE_RRSIG)) { 891238104Sdes 892238104Sdes types[type_count] = cur_rrsets->type; 893238104Sdes type_count++; 894238104Sdes } 895238104Sdes cur_rrsets = cur_rrsets->next; 896238104Sdes } 897238104Sdes /* always add rrsig type if this is not an unsigned 898238104Sdes * delegation 899238104Sdes */ 900238104Sdes if (type_count > 0 && 901238104Sdes !(type_count == 1 && types[0] == LDNS_RR_TYPE_NS)) { 902238104Sdes types[type_count] = LDNS_RR_TYPE_RRSIG; 903238104Sdes type_count++; 904238104Sdes } 905238104Sdes 906238104Sdes /* leave next rdata empty if they weren't precomputed yet */ 907238104Sdes if (to && to->hashed_name) { 908238104Sdes (void) ldns_rr_set_rdf(nsec_rr, 909238104Sdes ldns_rdf_clone(to->hashed_name), 910238104Sdes 4); 911238104Sdes } else { 912238104Sdes (void) ldns_rr_set_rdf(nsec_rr, NULL, 4); 913238104Sdes } 914238104Sdes 915238104Sdes ldns_rr_push_rdf(nsec_rr, 916238104Sdes ldns_dnssec_create_nsec_bitmap(types, 917238104Sdes type_count, 918238104Sdes LDNS_RR_TYPE_NSEC3)); 919238104Sdes 920238104Sdes return nsec_rr; 921238104Sdes} 922238104Sdes 923238104Sdesldns_rr * 924238104Sdesldns_create_nsec(ldns_rdf *cur_owner, ldns_rdf *next_owner, ldns_rr_list *rrs) 925238104Sdes{ 926238104Sdes /* we do not do any check here - garbage in, garbage out */ 927238104Sdes 928238104Sdes /* the the start and end names - get the type from the 929238104Sdes * before rrlist */ 930238104Sdes 931238104Sdes /* inefficient, just give it a name, a next name, and a list of rrs */ 932238104Sdes /* we make 1 big uberbitmap first, then windows */ 933238104Sdes /* todo: make something more efficient :) */ 934238104Sdes uint16_t i; 935238104Sdes ldns_rr *i_rr; 936238104Sdes uint16_t i_type; 937238104Sdes 938238104Sdes ldns_rr *nsec = NULL; 939238104Sdes ldns_rr_type i_type_list[65536]; 940238104Sdes size_t type_count = 0; 941238104Sdes 942238104Sdes nsec = ldns_rr_new(); 943238104Sdes ldns_rr_set_type(nsec, LDNS_RR_TYPE_NSEC); 944238104Sdes ldns_rr_set_owner(nsec, ldns_rdf_clone(cur_owner)); 945238104Sdes ldns_rr_push_rdf(nsec, ldns_rdf_clone(next_owner)); 946238104Sdes 947238104Sdes for (i = 0; i < ldns_rr_list_rr_count(rrs); i++) { 948238104Sdes i_rr = ldns_rr_list_rr(rrs, i); 949238104Sdes if (ldns_rdf_compare(cur_owner, 950238104Sdes ldns_rr_owner(i_rr)) == 0) { 951238104Sdes i_type = ldns_rr_get_type(i_rr); 952238104Sdes if (i_type != LDNS_RR_TYPE_RRSIG && i_type != LDNS_RR_TYPE_NSEC) { 953238104Sdes if (type_count == 0 || i_type_list[type_count-1] != i_type) { 954238104Sdes i_type_list[type_count] = i_type; 955238104Sdes type_count++; 956238104Sdes } 957238104Sdes } 958238104Sdes } 959238104Sdes } 960238104Sdes 961238104Sdes i_type_list[type_count] = LDNS_RR_TYPE_RRSIG; 962238104Sdes type_count++; 963238104Sdes i_type_list[type_count] = LDNS_RR_TYPE_NSEC; 964238104Sdes type_count++; 965238104Sdes 966238104Sdes ldns_rr_push_rdf(nsec, 967238104Sdes ldns_dnssec_create_nsec_bitmap(i_type_list, 968238104Sdes type_count, LDNS_RR_TYPE_NSEC)); 969238104Sdes 970238104Sdes return nsec; 971238104Sdes} 972238104Sdes 973238104Sdesldns_rdf * 974238104Sdesldns_nsec3_hash_name(ldns_rdf *name, 975238104Sdes uint8_t algorithm, 976238104Sdes uint16_t iterations, 977238104Sdes uint8_t salt_length, 978238104Sdes uint8_t *salt) 979238104Sdes{ 980238104Sdes size_t hashed_owner_str_len; 981238104Sdes ldns_rdf *cann; 982238104Sdes ldns_rdf *hashed_owner; 983238104Sdes unsigned char *hashed_owner_str; 984238104Sdes char *hashed_owner_b32; 985238104Sdes size_t hashed_owner_b32_len; 986238104Sdes uint32_t cur_it; 987238104Sdes /* define to contain the largest possible hash, which is 988238104Sdes * sha1 at the moment */ 989238104Sdes unsigned char hash[LDNS_SHA1_DIGEST_LENGTH]; 990238104Sdes ldns_status status; 991238104Sdes 992238104Sdes /* TODO: mnemonic list for hash algs SHA-1, default to 1 now (sha1) */ 993238104Sdes if (algorithm != LDNS_SHA1) { 994238104Sdes return NULL; 995238104Sdes } 996238104Sdes 997238104Sdes /* prepare the owner name according to the draft section bla */ 998238104Sdes cann = ldns_rdf_clone(name); 999238104Sdes if(!cann) { 1000269257Sdes#ifdef STDERR_MSGS 1001238104Sdes fprintf(stderr, "Memory error\n"); 1002269257Sdes#endif 1003238104Sdes return NULL; 1004238104Sdes } 1005238104Sdes ldns_dname2canonical(cann); 1006238104Sdes 1007238104Sdes hashed_owner_str_len = salt_length + ldns_rdf_size(cann); 1008238104Sdes hashed_owner_str = LDNS_XMALLOC(unsigned char, hashed_owner_str_len); 1009238104Sdes if(!hashed_owner_str) { 1010238104Sdes ldns_rdf_deep_free(cann); 1011238104Sdes return NULL; 1012238104Sdes } 1013238104Sdes memcpy(hashed_owner_str, ldns_rdf_data(cann), ldns_rdf_size(cann)); 1014238104Sdes memcpy(hashed_owner_str + ldns_rdf_size(cann), salt, salt_length); 1015238104Sdes ldns_rdf_deep_free(cann); 1016238104Sdes 1017238104Sdes for (cur_it = iterations + 1; cur_it > 0; cur_it--) { 1018238104Sdes (void) ldns_sha1((unsigned char *) hashed_owner_str, 1019238104Sdes (unsigned int) hashed_owner_str_len, hash); 1020238104Sdes 1021238104Sdes LDNS_FREE(hashed_owner_str); 1022238104Sdes hashed_owner_str_len = salt_length + LDNS_SHA1_DIGEST_LENGTH; 1023238104Sdes hashed_owner_str = LDNS_XMALLOC(unsigned char, hashed_owner_str_len); 1024238104Sdes if (!hashed_owner_str) { 1025238104Sdes return NULL; 1026238104Sdes } 1027238104Sdes memcpy(hashed_owner_str, hash, LDNS_SHA1_DIGEST_LENGTH); 1028238104Sdes memcpy(hashed_owner_str + LDNS_SHA1_DIGEST_LENGTH, salt, salt_length); 1029238104Sdes hashed_owner_str_len = LDNS_SHA1_DIGEST_LENGTH + salt_length; 1030238104Sdes } 1031238104Sdes 1032238104Sdes LDNS_FREE(hashed_owner_str); 1033238104Sdes hashed_owner_str = hash; 1034238104Sdes hashed_owner_str_len = LDNS_SHA1_DIGEST_LENGTH; 1035238104Sdes 1036238104Sdes hashed_owner_b32 = LDNS_XMALLOC(char, 1037238104Sdes ldns_b32_ntop_calculate_size(hashed_owner_str_len) + 1); 1038238104Sdes if(!hashed_owner_b32) { 1039238104Sdes return NULL; 1040238104Sdes } 1041238104Sdes hashed_owner_b32_len = (size_t) ldns_b32_ntop_extended_hex( 1042238104Sdes (uint8_t *) hashed_owner_str, 1043238104Sdes hashed_owner_str_len, 1044238104Sdes hashed_owner_b32, 1045238104Sdes ldns_b32_ntop_calculate_size(hashed_owner_str_len)+1); 1046238104Sdes if (hashed_owner_b32_len < 1) { 1047269257Sdes#ifdef STDERR_MSGS 1048238104Sdes fprintf(stderr, "Error in base32 extended hex encoding "); 1049238104Sdes fprintf(stderr, "of hashed owner name (name: "); 1050238104Sdes ldns_rdf_print(stderr, name); 1051238104Sdes fprintf(stderr, ", return code: %u)\n", 1052238104Sdes (unsigned int) hashed_owner_b32_len); 1053269257Sdes#endif 1054238104Sdes LDNS_FREE(hashed_owner_b32); 1055238104Sdes return NULL; 1056238104Sdes } 1057238104Sdes hashed_owner_b32[hashed_owner_b32_len] = '\0'; 1058238104Sdes 1059238104Sdes status = ldns_str2rdf_dname(&hashed_owner, hashed_owner_b32); 1060238104Sdes if (status != LDNS_STATUS_OK) { 1061269257Sdes#ifdef STDERR_MSGS 1062238104Sdes fprintf(stderr, "Error creating rdf from %s\n", hashed_owner_b32); 1063269257Sdes#endif 1064238104Sdes LDNS_FREE(hashed_owner_b32); 1065238104Sdes return NULL; 1066238104Sdes } 1067238104Sdes 1068238104Sdes LDNS_FREE(hashed_owner_b32); 1069238104Sdes return hashed_owner; 1070238104Sdes} 1071238104Sdes 1072238104Sdesvoid 1073238104Sdesldns_nsec3_add_param_rdfs(ldns_rr *rr, 1074238104Sdes uint8_t algorithm, 1075238104Sdes uint8_t flags, 1076238104Sdes uint16_t iterations, 1077238104Sdes uint8_t salt_length, 1078238104Sdes uint8_t *salt) 1079238104Sdes{ 1080238104Sdes ldns_rdf *salt_rdf = NULL; 1081238104Sdes uint8_t *salt_data = NULL; 1082238104Sdes ldns_rdf *old; 1083238104Sdes 1084238104Sdes old = ldns_rr_set_rdf(rr, 1085238104Sdes ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT8, 1086238104Sdes 1, (void*)&algorithm), 1087238104Sdes 0); 1088238104Sdes if (old) ldns_rdf_deep_free(old); 1089238104Sdes 1090238104Sdes old = ldns_rr_set_rdf(rr, 1091238104Sdes ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT8, 1092238104Sdes 1, (void*)&flags), 1093238104Sdes 1); 1094238104Sdes if (old) ldns_rdf_deep_free(old); 1095238104Sdes 1096238104Sdes old = ldns_rr_set_rdf(rr, 1097238104Sdes ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16, 1098238104Sdes iterations), 1099238104Sdes 2); 1100238104Sdes if (old) ldns_rdf_deep_free(old); 1101238104Sdes 1102238104Sdes salt_data = LDNS_XMALLOC(uint8_t, salt_length + 1); 1103238104Sdes if(!salt_data) { 1104238104Sdes /* no way to return error */ 1105238104Sdes return; 1106238104Sdes } 1107238104Sdes salt_data[0] = salt_length; 1108238104Sdes memcpy(salt_data + 1, salt, salt_length); 1109238104Sdes salt_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_NSEC3_SALT, 1110238104Sdes salt_length + 1, 1111238104Sdes salt_data); 1112238104Sdes if(!salt_rdf) { 1113238104Sdes LDNS_FREE(salt_data); 1114238104Sdes /* no way to return error */ 1115238104Sdes return; 1116238104Sdes } 1117238104Sdes 1118238104Sdes old = ldns_rr_set_rdf(rr, salt_rdf, 3); 1119238104Sdes if (old) ldns_rdf_deep_free(old); 1120238104Sdes LDNS_FREE(salt_data); 1121238104Sdes} 1122238104Sdes 1123238104Sdesstatic int 1124238104Sdesrr_list_delegation_only(ldns_rdf *origin, ldns_rr_list *rr_list) 1125238104Sdes{ 1126238104Sdes size_t i; 1127238104Sdes ldns_rr *cur_rr; 1128238104Sdes if (!origin || !rr_list) return 0; 1129238104Sdes for (i = 0; i < ldns_rr_list_rr_count(rr_list); i++) { 1130238104Sdes cur_rr = ldns_rr_list_rr(rr_list, i); 1131238104Sdes if (ldns_dname_compare(ldns_rr_owner(cur_rr), origin) == 0) { 1132238104Sdes return 0; 1133238104Sdes } 1134238104Sdes if (ldns_rr_get_type(cur_rr) != LDNS_RR_TYPE_NS) { 1135238104Sdes return 0; 1136238104Sdes } 1137238104Sdes } 1138238104Sdes return 1; 1139238104Sdes} 1140238104Sdes 1141238104Sdes/* this will NOT return the NSEC3 completed, you will have to run the 1142238104Sdes finalize function on the rrlist later! */ 1143238104Sdesldns_rr * 1144238104Sdesldns_create_nsec3(ldns_rdf *cur_owner, 1145238104Sdes ldns_rdf *cur_zone, 1146238104Sdes ldns_rr_list *rrs, 1147238104Sdes uint8_t algorithm, 1148238104Sdes uint8_t flags, 1149238104Sdes uint16_t iterations, 1150238104Sdes uint8_t salt_length, 1151238104Sdes uint8_t *salt, 1152238104Sdes bool emptynonterminal) 1153238104Sdes{ 1154238104Sdes size_t i; 1155238104Sdes ldns_rr *i_rr; 1156238104Sdes uint16_t i_type; 1157238104Sdes 1158238104Sdes ldns_rr *nsec = NULL; 1159238104Sdes ldns_rdf *hashed_owner = NULL; 1160238104Sdes 1161238104Sdes ldns_status status; 1162238104Sdes 1163238104Sdes ldns_rr_type i_type_list[1024]; 1164238104Sdes size_t type_count = 0; 1165238104Sdes 1166238104Sdes hashed_owner = ldns_nsec3_hash_name(cur_owner, 1167238104Sdes algorithm, 1168238104Sdes iterations, 1169238104Sdes salt_length, 1170238104Sdes salt); 1171238104Sdes status = ldns_dname_cat(hashed_owner, cur_zone); 1172246854Sdes if(status != LDNS_STATUS_OK) { 1173246854Sdes ldns_rdf_deep_free(hashed_owner); 1174238104Sdes return NULL; 1175246854Sdes } 1176238104Sdes nsec = ldns_rr_new_frm_type(LDNS_RR_TYPE_NSEC3); 1177246854Sdes if(!nsec) { 1178246854Sdes ldns_rdf_deep_free(hashed_owner); 1179238104Sdes return NULL; 1180246854Sdes } 1181238104Sdes ldns_rr_set_type(nsec, LDNS_RR_TYPE_NSEC3); 1182238104Sdes ldns_rr_set_owner(nsec, hashed_owner); 1183238104Sdes 1184238104Sdes ldns_nsec3_add_param_rdfs(nsec, 1185238104Sdes algorithm, 1186238104Sdes flags, 1187238104Sdes iterations, 1188238104Sdes salt_length, 1189238104Sdes salt); 1190238104Sdes (void) ldns_rr_set_rdf(nsec, NULL, 4); 1191238104Sdes 1192238104Sdes 1193238104Sdes for (i = 0; i < ldns_rr_list_rr_count(rrs); i++) { 1194238104Sdes i_rr = ldns_rr_list_rr(rrs, i); 1195238104Sdes if (ldns_rdf_compare(cur_owner, 1196238104Sdes ldns_rr_owner(i_rr)) == 0) { 1197238104Sdes i_type = ldns_rr_get_type(i_rr); 1198238104Sdes if (type_count == 0 || i_type_list[type_count-1] != i_type) { 1199238104Sdes i_type_list[type_count] = i_type; 1200238104Sdes type_count++; 1201238104Sdes } 1202238104Sdes } 1203238104Sdes } 1204238104Sdes 1205238104Sdes /* add RRSIG anyway, but only if this is not an ENT or 1206238104Sdes * an unsigned delegation */ 1207238104Sdes if (!emptynonterminal && !rr_list_delegation_only(cur_zone, rrs)) { 1208238104Sdes i_type_list[type_count] = LDNS_RR_TYPE_RRSIG; 1209238104Sdes type_count++; 1210238104Sdes } 1211238104Sdes 1212238104Sdes /* and SOA if owner == zone */ 1213238104Sdes if (ldns_dname_compare(cur_zone, cur_owner) == 0) { 1214238104Sdes i_type_list[type_count] = LDNS_RR_TYPE_SOA; 1215238104Sdes type_count++; 1216238104Sdes } 1217238104Sdes 1218238104Sdes ldns_rr_push_rdf(nsec, 1219238104Sdes ldns_dnssec_create_nsec_bitmap(i_type_list, 1220238104Sdes type_count, LDNS_RR_TYPE_NSEC3)); 1221238104Sdes 1222238104Sdes return nsec; 1223238104Sdes} 1224238104Sdes 1225238104Sdesuint8_t 1226238104Sdesldns_nsec3_algorithm(const ldns_rr *nsec3_rr) 1227238104Sdes{ 1228238104Sdes if (nsec3_rr && 1229238104Sdes (ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3 || 1230238104Sdes ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3PARAM) 1231238104Sdes && (ldns_rr_rdf(nsec3_rr, 0) != NULL) 1232238104Sdes && ldns_rdf_size(ldns_rr_rdf(nsec3_rr, 0)) > 0) { 1233238104Sdes return ldns_rdf2native_int8(ldns_rr_rdf(nsec3_rr, 0)); 1234238104Sdes } 1235238104Sdes return 0; 1236238104Sdes} 1237238104Sdes 1238238104Sdesuint8_t 1239238104Sdesldns_nsec3_flags(const ldns_rr *nsec3_rr) 1240238104Sdes{ 1241238104Sdes if (nsec3_rr && 1242238104Sdes (ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3 || 1243238104Sdes ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3PARAM) 1244238104Sdes && (ldns_rr_rdf(nsec3_rr, 1) != NULL) 1245238104Sdes && ldns_rdf_size(ldns_rr_rdf(nsec3_rr, 1)) > 0) { 1246238104Sdes return ldns_rdf2native_int8(ldns_rr_rdf(nsec3_rr, 1)); 1247238104Sdes } 1248238104Sdes return 0; 1249238104Sdes} 1250238104Sdes 1251238104Sdesbool 1252238104Sdesldns_nsec3_optout(const ldns_rr *nsec3_rr) 1253238104Sdes{ 1254238104Sdes return (ldns_nsec3_flags(nsec3_rr) & LDNS_NSEC3_VARS_OPTOUT_MASK); 1255238104Sdes} 1256238104Sdes 1257238104Sdesuint16_t 1258238104Sdesldns_nsec3_iterations(const ldns_rr *nsec3_rr) 1259238104Sdes{ 1260238104Sdes if (nsec3_rr && 1261238104Sdes (ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3 || 1262238104Sdes ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3PARAM) 1263238104Sdes && (ldns_rr_rdf(nsec3_rr, 2) != NULL) 1264238104Sdes && ldns_rdf_size(ldns_rr_rdf(nsec3_rr, 2)) > 0) { 1265238104Sdes return ldns_rdf2native_int16(ldns_rr_rdf(nsec3_rr, 2)); 1266238104Sdes } 1267238104Sdes return 0; 1268238104Sdes 1269238104Sdes} 1270238104Sdes 1271238104Sdesldns_rdf * 1272238104Sdesldns_nsec3_salt(const ldns_rr *nsec3_rr) 1273238104Sdes{ 1274238104Sdes if (nsec3_rr && 1275238104Sdes (ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3 || 1276238104Sdes ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3PARAM) 1277238104Sdes ) { 1278238104Sdes return ldns_rr_rdf(nsec3_rr, 3); 1279238104Sdes } 1280238104Sdes return NULL; 1281238104Sdes} 1282238104Sdes 1283238104Sdesuint8_t 1284238104Sdesldns_nsec3_salt_length(const ldns_rr *nsec3_rr) 1285238104Sdes{ 1286238104Sdes ldns_rdf *salt_rdf = ldns_nsec3_salt(nsec3_rr); 1287238104Sdes if (salt_rdf && ldns_rdf_size(salt_rdf) > 0) { 1288238104Sdes return (uint8_t) ldns_rdf_data(salt_rdf)[0]; 1289238104Sdes } 1290238104Sdes return 0; 1291238104Sdes} 1292238104Sdes 1293238104Sdes/* allocs data, free with LDNS_FREE() */ 1294238104Sdesuint8_t * 1295238104Sdesldns_nsec3_salt_data(const ldns_rr *nsec3_rr) 1296238104Sdes{ 1297238104Sdes uint8_t salt_length; 1298238104Sdes uint8_t *salt; 1299238104Sdes 1300238104Sdes ldns_rdf *salt_rdf = ldns_nsec3_salt(nsec3_rr); 1301238104Sdes if (salt_rdf && ldns_rdf_size(salt_rdf) > 0) { 1302238104Sdes salt_length = ldns_rdf_data(salt_rdf)[0]; 1303238104Sdes salt = LDNS_XMALLOC(uint8_t, salt_length); 1304238104Sdes if(!salt) return NULL; 1305238104Sdes memcpy(salt, &ldns_rdf_data(salt_rdf)[1], salt_length); 1306238104Sdes return salt; 1307238104Sdes } 1308238104Sdes return NULL; 1309238104Sdes} 1310238104Sdes 1311238104Sdesldns_rdf * 1312238104Sdesldns_nsec3_next_owner(const ldns_rr *nsec3_rr) 1313238104Sdes{ 1314238104Sdes if (!nsec3_rr || ldns_rr_get_type(nsec3_rr) != LDNS_RR_TYPE_NSEC3) { 1315238104Sdes return NULL; 1316238104Sdes } else { 1317238104Sdes return ldns_rr_rdf(nsec3_rr, 4); 1318238104Sdes } 1319238104Sdes} 1320238104Sdes 1321238104Sdesldns_rdf * 1322238104Sdesldns_nsec3_bitmap(const ldns_rr *nsec3_rr) 1323238104Sdes{ 1324238104Sdes if (!nsec3_rr || ldns_rr_get_type(nsec3_rr) != LDNS_RR_TYPE_NSEC3) { 1325238104Sdes return NULL; 1326238104Sdes } else { 1327238104Sdes return ldns_rr_rdf(nsec3_rr, 5); 1328238104Sdes } 1329238104Sdes} 1330238104Sdes 1331238104Sdesldns_rdf * 1332238104Sdesldns_nsec3_hash_name_frm_nsec3(const ldns_rr *nsec, ldns_rdf *name) 1333238104Sdes{ 1334238104Sdes uint8_t algorithm; 1335238104Sdes uint16_t iterations; 1336238104Sdes uint8_t salt_length; 1337238104Sdes uint8_t *salt = 0; 1338238104Sdes 1339238104Sdes ldns_rdf *hashed_owner; 1340238104Sdes 1341238104Sdes algorithm = ldns_nsec3_algorithm(nsec); 1342238104Sdes salt_length = ldns_nsec3_salt_length(nsec); 1343238104Sdes salt = ldns_nsec3_salt_data(nsec); 1344238104Sdes iterations = ldns_nsec3_iterations(nsec); 1345238104Sdes 1346238104Sdes hashed_owner = ldns_nsec3_hash_name(name, 1347238104Sdes algorithm, 1348238104Sdes iterations, 1349238104Sdes salt_length, 1350238104Sdes salt); 1351238104Sdes 1352238104Sdes LDNS_FREE(salt); 1353238104Sdes return hashed_owner; 1354238104Sdes} 1355238104Sdes 1356238104Sdesbool 1357269257Sdesldns_nsec_bitmap_covers_type(const ldns_rdf* bitmap, ldns_rr_type type) 1358238104Sdes{ 1359269257Sdes uint8_t* dptr; 1360269257Sdes uint8_t* dend; 1361238104Sdes 1362269257Sdes /* From RFC3845 Section 2.1.2: 1363269257Sdes * 1364269257Sdes * "The RR type space is split into 256 window blocks, each re- 1365269257Sdes * presenting the low-order 8 bits of the 16-bit RR type space." 1366269257Sdes */ 1367269257Sdes uint8_t window = type >> 8; 1368269257Sdes uint8_t subtype = type & 0xff; 1369269257Sdes 1370269257Sdes if (! bitmap) { 1371238104Sdes return false; 1372238104Sdes } 1373269257Sdes assert(ldns_rdf_get_type(bitmap) == LDNS_RDF_TYPE_BITMAP); 1374238104Sdes 1375269257Sdes dptr = ldns_rdf_data(bitmap); 1376269257Sdes dend = ldns_rdf_data(bitmap) + ldns_rdf_size(bitmap); 1377269257Sdes 1378269257Sdes /* Type Bitmap = ( Window Block # | Bitmap Length | Bitmap ) + 1379269257Sdes * dptr[0] dptr[1] dptr[2:] 1380269257Sdes */ 1381269257Sdes while (dptr < dend && dptr[0] <= window) { 1382269257Sdes 1383269257Sdes if (dptr[0] == window && subtype / 8 < dptr[1] && 1384269257Sdes dptr + dptr[1] + 2 <= dend) { 1385269257Sdes 1386269257Sdes return dptr[2 + subtype / 8] & (0x80 >> (subtype % 8)); 1387238104Sdes } 1388269257Sdes dptr += dptr[1] + 2; /* next window */ 1389238104Sdes } 1390238104Sdes return false; 1391238104Sdes} 1392238104Sdes 1393269257Sdesldns_status 1394269257Sdesldns_nsec_bitmap_set_type(ldns_rdf* bitmap, ldns_rr_type type) 1395269257Sdes{ 1396269257Sdes uint8_t* dptr; 1397269257Sdes uint8_t* dend; 1398269257Sdes 1399269257Sdes /* From RFC3845 Section 2.1.2: 1400269257Sdes * 1401269257Sdes * "The RR type space is split into 256 window blocks, each re- 1402269257Sdes * presenting the low-order 8 bits of the 16-bit RR type space." 1403269257Sdes */ 1404269257Sdes uint8_t window = type >> 8; 1405269257Sdes uint8_t subtype = type & 0xff; 1406269257Sdes 1407269257Sdes if (! bitmap) { 1408269257Sdes return false; 1409269257Sdes } 1410269257Sdes assert(ldns_rdf_get_type(bitmap) == LDNS_RDF_TYPE_BITMAP); 1411269257Sdes 1412269257Sdes dptr = ldns_rdf_data(bitmap); 1413269257Sdes dend = ldns_rdf_data(bitmap) + ldns_rdf_size(bitmap); 1414269257Sdes 1415269257Sdes /* Type Bitmap = ( Window Block # | Bitmap Length | Bitmap ) + 1416269257Sdes * dptr[0] dptr[1] dptr[2:] 1417269257Sdes */ 1418269257Sdes while (dptr < dend && dptr[0] <= window) { 1419269257Sdes 1420269257Sdes if (dptr[0] == window && subtype / 8 < dptr[1] && 1421269257Sdes dptr + dptr[1] + 2 <= dend) { 1422269257Sdes 1423269257Sdes dptr[2 + subtype / 8] |= (0x80 >> (subtype % 8)); 1424269257Sdes return LDNS_STATUS_OK; 1425269257Sdes } 1426269257Sdes dptr += dptr[1] + 2; /* next window */ 1427269257Sdes } 1428269257Sdes return LDNS_STATUS_TYPE_NOT_IN_BITMAP; 1429269257Sdes} 1430269257Sdes 1431269257Sdesldns_status 1432269257Sdesldns_nsec_bitmap_clear_type(ldns_rdf* bitmap, ldns_rr_type type) 1433269257Sdes{ 1434269257Sdes uint8_t* dptr; 1435269257Sdes uint8_t* dend; 1436269257Sdes 1437269257Sdes /* From RFC3845 Section 2.1.2: 1438269257Sdes * 1439269257Sdes * "The RR type space is split into 256 window blocks, each re- 1440269257Sdes * presenting the low-order 8 bits of the 16-bit RR type space." 1441269257Sdes */ 1442269257Sdes uint8_t window = type >> 8; 1443269257Sdes uint8_t subtype = type & 0xff; 1444269257Sdes 1445269257Sdes if (! bitmap) { 1446269257Sdes return false; 1447269257Sdes } 1448269257Sdes 1449269257Sdes assert(ldns_rdf_get_type(bitmap) == LDNS_RDF_TYPE_BITMAP); 1450269257Sdes 1451269257Sdes dptr = ldns_rdf_data(bitmap); 1452269257Sdes dend = ldns_rdf_data(bitmap) + ldns_rdf_size(bitmap); 1453269257Sdes 1454269257Sdes /* Type Bitmap = ( Window Block # | Bitmap Length | Bitmap ) + 1455269257Sdes * dptr[0] dptr[1] dptr[2:] 1456269257Sdes */ 1457269257Sdes while (dptr < dend && dptr[0] <= window) { 1458269257Sdes 1459269257Sdes if (dptr[0] == window && subtype / 8 < dptr[1] && 1460269257Sdes dptr + dptr[1] + 2 <= dend) { 1461269257Sdes 1462269257Sdes dptr[2 + subtype / 8] &= ~(0x80 >> (subtype % 8)); 1463269257Sdes return LDNS_STATUS_OK; 1464269257Sdes } 1465269257Sdes dptr += dptr[1] + 2; /* next window */ 1466269257Sdes } 1467269257Sdes return LDNS_STATUS_TYPE_NOT_IN_BITMAP; 1468269257Sdes} 1469269257Sdes 1470269257Sdes 1471238104Sdesbool 1472238104Sdesldns_nsec_covers_name(const ldns_rr *nsec, const ldns_rdf *name) 1473238104Sdes{ 1474238104Sdes ldns_rdf *nsec_owner = ldns_rr_owner(nsec); 1475238104Sdes ldns_rdf *hash_next; 1476238104Sdes char *next_hash_str; 1477238104Sdes ldns_rdf *nsec_next = NULL; 1478238104Sdes ldns_status status; 1479238104Sdes ldns_rdf *chopped_dname; 1480238104Sdes bool result; 1481238104Sdes 1482238104Sdes if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC) { 1483238104Sdes if (ldns_rr_rdf(nsec, 0) != NULL) { 1484238104Sdes nsec_next = ldns_rdf_clone(ldns_rr_rdf(nsec, 0)); 1485238104Sdes } else { 1486238104Sdes return false; 1487238104Sdes } 1488238104Sdes } else if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC3) { 1489238104Sdes hash_next = ldns_nsec3_next_owner(nsec); 1490238104Sdes next_hash_str = ldns_rdf2str(hash_next); 1491238104Sdes nsec_next = ldns_dname_new_frm_str(next_hash_str); 1492238104Sdes LDNS_FREE(next_hash_str); 1493238104Sdes chopped_dname = ldns_dname_left_chop(nsec_owner); 1494238104Sdes status = ldns_dname_cat(nsec_next, chopped_dname); 1495238104Sdes ldns_rdf_deep_free(chopped_dname); 1496238104Sdes if (status != LDNS_STATUS_OK) { 1497238104Sdes printf("error catting: %s\n", ldns_get_errorstr_by_id(status)); 1498238104Sdes } 1499238104Sdes } else { 1500238104Sdes ldns_rdf_deep_free(nsec_next); 1501238104Sdes return false; 1502238104Sdes } 1503238104Sdes 1504238104Sdes /* in the case of the last nsec */ 1505238104Sdes if(ldns_dname_compare(nsec_owner, nsec_next) > 0) { 1506238104Sdes result = (ldns_dname_compare(nsec_owner, name) <= 0 || 1507238104Sdes ldns_dname_compare(name, nsec_next) < 0); 1508269257Sdes } else if(ldns_dname_compare(nsec_owner, nsec_next) < 0) { 1509238104Sdes result = (ldns_dname_compare(nsec_owner, name) <= 0 && 1510238104Sdes ldns_dname_compare(name, nsec_next) < 0); 1511269257Sdes } else { 1512269257Sdes result = true; 1513238104Sdes } 1514238104Sdes 1515238104Sdes ldns_rdf_deep_free(nsec_next); 1516238104Sdes return result; 1517238104Sdes} 1518238104Sdes 1519238104Sdes#ifdef HAVE_SSL 1520238104Sdes/* sig may be null - if so look in the packet */ 1521238104Sdes 1522238104Sdesldns_status 1523238104Sdesldns_pkt_verify_time(ldns_pkt *p, ldns_rr_type t, ldns_rdf *o, 1524238104Sdes ldns_rr_list *k, ldns_rr_list *s, 1525238104Sdes time_t check_time, ldns_rr_list *good_keys) 1526238104Sdes{ 1527238104Sdes ldns_rr_list *rrset; 1528238104Sdes ldns_rr_list *sigs; 1529238104Sdes ldns_rr_list *sigs_covered; 1530238104Sdes ldns_rdf *rdf_t; 1531238104Sdes ldns_rr_type t_netorder; 1532238104Sdes 1533238104Sdes if (!k) { 1534238104Sdes return LDNS_STATUS_ERR; 1535238104Sdes /* return LDNS_STATUS_CRYPTO_NO_DNSKEY; */ 1536238104Sdes } 1537238104Sdes 1538238104Sdes if (t == LDNS_RR_TYPE_RRSIG) { 1539238104Sdes /* we don't have RRSIG(RRSIG) (yet? ;-) ) */ 1540238104Sdes return LDNS_STATUS_ERR; 1541238104Sdes } 1542238104Sdes 1543238104Sdes if (s) { 1544238104Sdes /* if s is not NULL, the sigs are given to use */ 1545238104Sdes sigs = s; 1546238104Sdes } else { 1547238104Sdes /* otherwise get them from the packet */ 1548246854Sdes sigs = ldns_pkt_rr_list_by_name_and_type(p, o, 1549246854Sdes LDNS_RR_TYPE_RRSIG, 1550246854Sdes LDNS_SECTION_ANY_NOQUESTION); 1551238104Sdes if (!sigs) { 1552238104Sdes /* no sigs */ 1553238104Sdes return LDNS_STATUS_ERR; 1554238104Sdes /* return LDNS_STATUS_CRYPTO_NO_RRSIG; */ 1555238104Sdes } 1556238104Sdes } 1557238104Sdes 1558238104Sdes /* rrsig are subtyped, so now we need to find the correct 1559238104Sdes * sigs for the type t 1560238104Sdes */ 1561238104Sdes t_netorder = htons(t); /* rdf are in network order! */ 1562238104Sdes /* a type identifier is a 16-bit number, so the size is 2 bytes */ 1563246854Sdes rdf_t = ldns_rdf_new(LDNS_RDF_TYPE_TYPE, 2, &t_netorder); 1564246854Sdes 1565238104Sdes sigs_covered = ldns_rr_list_subtype_by_rdf(sigs, rdf_t, 0); 1566246854Sdes ldns_rdf_free(rdf_t); 1567246854Sdes if (! sigs_covered) { 1568246854Sdes if (! s) { 1569246854Sdes ldns_rr_list_deep_free(sigs); 1570246854Sdes } 1571238104Sdes return LDNS_STATUS_ERR; 1572238104Sdes } 1573246854Sdes ldns_rr_list_deep_free(sigs_covered); 1574238104Sdes 1575246854Sdes rrset = ldns_pkt_rr_list_by_name_and_type(p, o, t, 1576246854Sdes LDNS_SECTION_ANY_NOQUESTION); 1577246854Sdes if (!rrset) { 1578246854Sdes if (! s) { 1579246854Sdes ldns_rr_list_deep_free(sigs); 1580246854Sdes } 1581238104Sdes return LDNS_STATUS_ERR; 1582238104Sdes } 1583238104Sdes return ldns_verify_time(rrset, sigs, k, check_time, good_keys); 1584238104Sdes} 1585238104Sdes 1586238104Sdesldns_status 1587238104Sdesldns_pkt_verify(ldns_pkt *p, ldns_rr_type t, ldns_rdf *o, 1588238104Sdes ldns_rr_list *k, ldns_rr_list *s, ldns_rr_list *good_keys) 1589238104Sdes{ 1590238104Sdes return ldns_pkt_verify_time(p, t, o, k, s, ldns_time(NULL), good_keys); 1591238104Sdes} 1592238104Sdes#endif /* HAVE_SSL */ 1593238104Sdes 1594238104Sdesldns_status 1595238104Sdesldns_dnssec_chain_nsec3_list(ldns_rr_list *nsec3_rrs) 1596238104Sdes{ 1597238104Sdes size_t i; 1598238104Sdes char *next_nsec_owner_str; 1599238104Sdes ldns_rdf *next_nsec_owner_label; 1600238104Sdes ldns_rdf *next_nsec_rdf; 1601238104Sdes ldns_status status = LDNS_STATUS_OK; 1602238104Sdes 1603238104Sdes for (i = 0; i < ldns_rr_list_rr_count(nsec3_rrs); i++) { 1604238104Sdes if (i == ldns_rr_list_rr_count(nsec3_rrs) - 1) { 1605238104Sdes next_nsec_owner_label = 1606238104Sdes ldns_dname_label(ldns_rr_owner(ldns_rr_list_rr(nsec3_rrs, 1607238104Sdes 0)), 0); 1608238104Sdes next_nsec_owner_str = ldns_rdf2str(next_nsec_owner_label); 1609238104Sdes if (next_nsec_owner_str[strlen(next_nsec_owner_str) - 1] 1610238104Sdes == '.') { 1611238104Sdes next_nsec_owner_str[strlen(next_nsec_owner_str) - 1] 1612238104Sdes = '\0'; 1613238104Sdes } 1614238104Sdes status = ldns_str2rdf_b32_ext(&next_nsec_rdf, 1615238104Sdes next_nsec_owner_str); 1616238104Sdes if (!ldns_rr_set_rdf(ldns_rr_list_rr(nsec3_rrs, i), 1617238104Sdes next_nsec_rdf, 4)) { 1618238104Sdes /* todo: error */ 1619238104Sdes } 1620238104Sdes 1621238104Sdes ldns_rdf_deep_free(next_nsec_owner_label); 1622238104Sdes LDNS_FREE(next_nsec_owner_str); 1623238104Sdes } else { 1624238104Sdes next_nsec_owner_label = 1625238104Sdes ldns_dname_label(ldns_rr_owner(ldns_rr_list_rr(nsec3_rrs, 1626238104Sdes i + 1)), 1627238104Sdes 0); 1628238104Sdes next_nsec_owner_str = ldns_rdf2str(next_nsec_owner_label); 1629238104Sdes if (next_nsec_owner_str[strlen(next_nsec_owner_str) - 1] 1630238104Sdes == '.') { 1631238104Sdes next_nsec_owner_str[strlen(next_nsec_owner_str) - 1] 1632238104Sdes = '\0'; 1633238104Sdes } 1634238104Sdes status = ldns_str2rdf_b32_ext(&next_nsec_rdf, 1635238104Sdes next_nsec_owner_str); 1636238104Sdes ldns_rdf_deep_free(next_nsec_owner_label); 1637238104Sdes LDNS_FREE(next_nsec_owner_str); 1638238104Sdes if (!ldns_rr_set_rdf(ldns_rr_list_rr(nsec3_rrs, i), 1639238104Sdes next_nsec_rdf, 4)) { 1640238104Sdes /* todo: error */ 1641238104Sdes } 1642238104Sdes } 1643238104Sdes } 1644238104Sdes return status; 1645238104Sdes} 1646238104Sdes 1647238104Sdesint 1648238104Sdesqsort_rr_compare_nsec3(const void *a, const void *b) 1649238104Sdes{ 1650238104Sdes const ldns_rr *rr1 = * (const ldns_rr **) a; 1651238104Sdes const ldns_rr *rr2 = * (const ldns_rr **) b; 1652238104Sdes if (rr1 == NULL && rr2 == NULL) { 1653238104Sdes return 0; 1654238104Sdes } 1655238104Sdes if (rr1 == NULL) { 1656238104Sdes return -1; 1657238104Sdes } 1658238104Sdes if (rr2 == NULL) { 1659238104Sdes return 1; 1660238104Sdes } 1661238104Sdes return ldns_rdf_compare(ldns_rr_owner(rr1), ldns_rr_owner(rr2)); 1662238104Sdes} 1663238104Sdes 1664238104Sdesvoid 1665238104Sdesldns_rr_list_sort_nsec3(ldns_rr_list *unsorted) 1666238104Sdes{ 1667238104Sdes qsort(unsorted->_rrs, 1668238104Sdes ldns_rr_list_rr_count(unsorted), 1669238104Sdes sizeof(ldns_rr *), 1670238104Sdes qsort_rr_compare_nsec3); 1671238104Sdes} 1672238104Sdes 1673238104Sdesint 1674238104Sdesldns_dnssec_default_add_to_signatures( ATTR_UNUSED(ldns_rr *sig) 1675238104Sdes , ATTR_UNUSED(void *n) 1676238104Sdes ) 1677238104Sdes{ 1678238104Sdes return LDNS_SIGNATURE_LEAVE_ADD_NEW; 1679238104Sdes} 1680238104Sdes 1681238104Sdesint 1682238104Sdesldns_dnssec_default_leave_signatures( ATTR_UNUSED(ldns_rr *sig) 1683238104Sdes , ATTR_UNUSED(void *n) 1684238104Sdes ) 1685238104Sdes{ 1686238104Sdes return LDNS_SIGNATURE_LEAVE_NO_ADD; 1687238104Sdes} 1688238104Sdes 1689238104Sdesint 1690238104Sdesldns_dnssec_default_delete_signatures( ATTR_UNUSED(ldns_rr *sig) 1691238104Sdes , ATTR_UNUSED(void *n) 1692238104Sdes ) 1693238104Sdes{ 1694238104Sdes return LDNS_SIGNATURE_REMOVE_NO_ADD; 1695238104Sdes} 1696238104Sdes 1697238104Sdesint 1698238104Sdesldns_dnssec_default_replace_signatures( ATTR_UNUSED(ldns_rr *sig) 1699238104Sdes , ATTR_UNUSED(void *n) 1700238104Sdes ) 1701238104Sdes{ 1702238104Sdes return LDNS_SIGNATURE_REMOVE_ADD_NEW; 1703238104Sdes} 1704238104Sdes 1705238104Sdes#ifdef HAVE_SSL 1706238104Sdesldns_rdf * 1707238104Sdesldns_convert_dsa_rrsig_asn12rdf(const ldns_buffer *sig, 1708238104Sdes const long sig_len) 1709238104Sdes{ 1710238104Sdes ldns_rdf *sigdata_rdf; 1711238104Sdes DSA_SIG *dsasig; 1712238104Sdes unsigned char *dsasig_data = (unsigned char*)ldns_buffer_begin(sig); 1713238104Sdes size_t byte_offset; 1714238104Sdes 1715238104Sdes dsasig = d2i_DSA_SIG(NULL, 1716238104Sdes (const unsigned char **)&dsasig_data, 1717238104Sdes sig_len); 1718238104Sdes if (!dsasig) { 1719238104Sdes DSA_SIG_free(dsasig); 1720238104Sdes return NULL; 1721238104Sdes } 1722238104Sdes 1723238104Sdes dsasig_data = LDNS_XMALLOC(unsigned char, 41); 1724238104Sdes if(!dsasig_data) { 1725238104Sdes DSA_SIG_free(dsasig); 1726238104Sdes return NULL; 1727238104Sdes } 1728238104Sdes dsasig_data[0] = 0; 1729238104Sdes byte_offset = (size_t) (20 - BN_num_bytes(dsasig->r)); 1730238104Sdes if (byte_offset > 20) { 1731238104Sdes DSA_SIG_free(dsasig); 1732238104Sdes LDNS_FREE(dsasig_data); 1733238104Sdes return NULL; 1734238104Sdes } 1735238104Sdes memset(&dsasig_data[1], 0, byte_offset); 1736238104Sdes BN_bn2bin(dsasig->r, &dsasig_data[1 + byte_offset]); 1737238104Sdes byte_offset = (size_t) (20 - BN_num_bytes(dsasig->s)); 1738238104Sdes if (byte_offset > 20) { 1739238104Sdes DSA_SIG_free(dsasig); 1740238104Sdes LDNS_FREE(dsasig_data); 1741238104Sdes return NULL; 1742238104Sdes } 1743238104Sdes memset(&dsasig_data[21], 0, byte_offset); 1744238104Sdes BN_bn2bin(dsasig->s, &dsasig_data[21 + byte_offset]); 1745238104Sdes 1746238104Sdes sigdata_rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, 41, dsasig_data); 1747238104Sdes if(!sigdata_rdf) { 1748238104Sdes LDNS_FREE(dsasig_data); 1749238104Sdes } 1750238104Sdes DSA_SIG_free(dsasig); 1751238104Sdes 1752238104Sdes return sigdata_rdf; 1753238104Sdes} 1754238104Sdes 1755238104Sdesldns_status 1756238104Sdesldns_convert_dsa_rrsig_rdf2asn1(ldns_buffer *target_buffer, 1757238104Sdes const ldns_rdf *sig_rdf) 1758238104Sdes{ 1759238104Sdes /* the EVP api wants the DER encoding of the signature... */ 1760238104Sdes BIGNUM *R, *S; 1761238104Sdes DSA_SIG *dsasig; 1762238104Sdes unsigned char *raw_sig = NULL; 1763238104Sdes int raw_sig_len; 1764238104Sdes 1765238104Sdes if(ldns_rdf_size(sig_rdf) < 1 + 2*SHA_DIGEST_LENGTH) 1766238104Sdes return LDNS_STATUS_SYNTAX_RDATA_ERR; 1767238104Sdes /* extract the R and S field from the sig buffer */ 1768238104Sdes R = BN_new(); 1769238104Sdes if(!R) return LDNS_STATUS_MEM_ERR; 1770238104Sdes (void) BN_bin2bn((unsigned char *) ldns_rdf_data(sig_rdf) + 1, 1771238104Sdes SHA_DIGEST_LENGTH, R); 1772238104Sdes S = BN_new(); 1773238104Sdes if(!S) { 1774238104Sdes BN_free(R); 1775238104Sdes return LDNS_STATUS_MEM_ERR; 1776238104Sdes } 1777238104Sdes (void) BN_bin2bn((unsigned char *) ldns_rdf_data(sig_rdf) + 21, 1778238104Sdes SHA_DIGEST_LENGTH, S); 1779238104Sdes 1780238104Sdes dsasig = DSA_SIG_new(); 1781238104Sdes if (!dsasig) { 1782238104Sdes BN_free(R); 1783238104Sdes BN_free(S); 1784238104Sdes return LDNS_STATUS_MEM_ERR; 1785238104Sdes } 1786238104Sdes 1787238104Sdes dsasig->r = R; 1788238104Sdes dsasig->s = S; 1789238104Sdes 1790238104Sdes raw_sig_len = i2d_DSA_SIG(dsasig, &raw_sig); 1791238104Sdes if (raw_sig_len < 0) { 1792238104Sdes DSA_SIG_free(dsasig); 1793238104Sdes free(raw_sig); 1794238104Sdes return LDNS_STATUS_SSL_ERR; 1795238104Sdes } 1796238104Sdes if (ldns_buffer_reserve(target_buffer, (size_t) raw_sig_len)) { 1797238104Sdes ldns_buffer_write(target_buffer, raw_sig, (size_t)raw_sig_len); 1798238104Sdes } 1799238104Sdes 1800238104Sdes DSA_SIG_free(dsasig); 1801238104Sdes free(raw_sig); 1802238104Sdes 1803238104Sdes return ldns_buffer_status(target_buffer); 1804238104Sdes} 1805238104Sdes 1806238104Sdes#ifdef USE_ECDSA 1807238104Sdes#ifndef S_SPLINT_S 1808238104Sdesldns_rdf * 1809238104Sdesldns_convert_ecdsa_rrsig_asn12rdf(const ldns_buffer *sig, const long sig_len) 1810238104Sdes{ 1811238104Sdes ECDSA_SIG* ecdsa_sig; 1812238104Sdes unsigned char *data = (unsigned char*)ldns_buffer_begin(sig); 1813238104Sdes ldns_rdf* rdf; 1814238104Sdes ecdsa_sig = d2i_ECDSA_SIG(NULL, (const unsigned char **)&data, sig_len); 1815238104Sdes if(!ecdsa_sig) return NULL; 1816238104Sdes 1817238104Sdes /* "r | s". */ 1818238104Sdes data = LDNS_XMALLOC(unsigned char, 1819238104Sdes BN_num_bytes(ecdsa_sig->r) + BN_num_bytes(ecdsa_sig->s)); 1820238104Sdes if(!data) { 1821238104Sdes ECDSA_SIG_free(ecdsa_sig); 1822238104Sdes return NULL; 1823238104Sdes } 1824238104Sdes BN_bn2bin(ecdsa_sig->r, data); 1825238104Sdes BN_bn2bin(ecdsa_sig->s, data+BN_num_bytes(ecdsa_sig->r)); 1826238104Sdes rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, (size_t)( 1827238104Sdes BN_num_bytes(ecdsa_sig->r) + BN_num_bytes(ecdsa_sig->s)), data); 1828238104Sdes ECDSA_SIG_free(ecdsa_sig); 1829238104Sdes return rdf; 1830238104Sdes} 1831238104Sdes 1832238104Sdesldns_status 1833238104Sdesldns_convert_ecdsa_rrsig_rdf2asn1(ldns_buffer *target_buffer, 1834238104Sdes const ldns_rdf *sig_rdf) 1835238104Sdes{ 1836238104Sdes ECDSA_SIG* sig; 1837238104Sdes int raw_sig_len; 1838238104Sdes long bnsize = (long)ldns_rdf_size(sig_rdf) / 2; 1839238104Sdes /* if too short, or not even length, do not bother */ 1840238104Sdes if(bnsize < 16 || (size_t)bnsize*2 != ldns_rdf_size(sig_rdf)) 1841238104Sdes return LDNS_STATUS_ERR; 1842238104Sdes 1843238104Sdes /* use the raw data to parse two evenly long BIGNUMs, "r | s". */ 1844238104Sdes sig = ECDSA_SIG_new(); 1845238104Sdes if(!sig) return LDNS_STATUS_MEM_ERR; 1846238104Sdes sig->r = BN_bin2bn((const unsigned char*)ldns_rdf_data(sig_rdf), 1847238104Sdes bnsize, sig->r); 1848238104Sdes sig->s = BN_bin2bn((const unsigned char*)ldns_rdf_data(sig_rdf)+bnsize, 1849238104Sdes bnsize, sig->s); 1850238104Sdes if(!sig->r || !sig->s) { 1851238104Sdes ECDSA_SIG_free(sig); 1852238104Sdes return LDNS_STATUS_MEM_ERR; 1853238104Sdes } 1854238104Sdes 1855238104Sdes raw_sig_len = i2d_ECDSA_SIG(sig, NULL); 1856238104Sdes if (ldns_buffer_reserve(target_buffer, (size_t) raw_sig_len)) { 1857238104Sdes unsigned char* pp = (unsigned char*) 1858238104Sdes ldns_buffer_current(target_buffer); 1859238104Sdes raw_sig_len = i2d_ECDSA_SIG(sig, &pp); 1860238104Sdes ldns_buffer_skip(target_buffer, (ssize_t) raw_sig_len); 1861238104Sdes } 1862238104Sdes ECDSA_SIG_free(sig); 1863238104Sdes 1864238104Sdes return ldns_buffer_status(target_buffer); 1865238104Sdes} 1866238104Sdes 1867238104Sdes#endif /* S_SPLINT_S */ 1868238104Sdes#endif /* USE_ECDSA */ 1869238104Sdes#endif /* HAVE_SSL */ 1870