dnssec.c

Go to the documentation of this file.
00001 /*
00002  * dnssec.c
00003  *
00004  * contains the cryptographic function needed for DNSSEC in ldns
00005  * The crypto library used is openssl
00006  *
00007  * (c) NLnet Labs, 2004-2008
00008  *
00009  * See the file LICENSE for the license
00010  */
00011 
00012 #include <ldns/config.h>
00013 
00014 #include <ldns/ldns.h>
00015 #include <ldns/dnssec.h>
00016 
00017 #include <strings.h>
00018 #include <time.h>
00019 
00020 #ifdef HAVE_SSL
00021 #include <openssl/ssl.h>
00022 #include <openssl/evp.h>
00023 #include <openssl/rand.h>
00024 #include <openssl/err.h>
00025 #include <openssl/md5.h>
00026 #endif
00027 
00028 ldns_rr *
00029 ldns_dnssec_get_rrsig_for_name_and_type(const ldns_rdf *name,
00030                                         const ldns_rr_type type,
00031                                         const ldns_rr_list *rrs)
00032 {
00033         size_t i;
00034         ldns_rr *candidate;
00035 
00036         if (!name || !rrs) {
00037                 return NULL;
00038         }
00039 
00040         for (i = 0; i < ldns_rr_list_rr_count(rrs); i++) {
00041                 candidate = ldns_rr_list_rr(rrs, i);
00042                 if (ldns_rr_get_type(candidate) == LDNS_RR_TYPE_RRSIG) {
00043                         if (ldns_dname_compare(ldns_rr_owner(candidate),
00044                                                name) == 0 &&
00045                             ldns_rdf2rr_type(ldns_rr_rrsig_typecovered(candidate))
00046                             == type
00047                             ) {
00048                                 return candidate;
00049                         }
00050                 }
00051         }
00052 
00053         return NULL;
00054 }
00055 
00056 ldns_rr *
00057 ldns_dnssec_get_dnskey_for_rrsig(const ldns_rr *rrsig,
00058                                                    const ldns_rr_list *rrs)
00059 {
00060         size_t i;
00061         ldns_rr *candidate;
00062 
00063         if (!rrsig || !rrs) {
00064                 return NULL;
00065         }
00066 
00067         for (i = 0; i < ldns_rr_list_rr_count(rrs); i++) {
00068                 candidate = ldns_rr_list_rr(rrs, i);
00069                 if (ldns_rr_get_type(candidate) == LDNS_RR_TYPE_DNSKEY) {
00070                         if (ldns_dname_compare(ldns_rr_owner(candidate),
00071                                                ldns_rr_rrsig_signame(rrsig)) == 0 &&
00072                             ldns_rdf2native_int16(ldns_rr_rrsig_keytag(rrsig)) ==
00073                             ldns_calc_keytag(candidate)
00074                             ) {
00075                                 return candidate;
00076                         }
00077                 }
00078         }
00079 
00080         return NULL;
00081 }
00082 
00083 ldns_rdf *
00084 ldns_nsec_get_bitmap(ldns_rr *nsec) {
00085         if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC) {
00086                 return ldns_rr_rdf(nsec, 1);
00087         } else if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC3) {
00088                 return ldns_rr_rdf(nsec, 5);
00089         } else {
00090                 return NULL;
00091         }
00092 }
00093 
00094 /*return the owner name of the closest encloser for name from the list of rrs */
00095 /* this is NOT the hash, but the original name! */
00096 ldns_rdf *
00097 ldns_dnssec_nsec3_closest_encloser(ldns_rdf *qname,
00098                                    ATTR_UNUSED(ldns_rr_type qtype),
00099                                    ldns_rr_list *nsec3s)
00100 {
00101         /* remember parameters, they must match */
00102         uint8_t algorithm;
00103         uint32_t iterations;
00104         uint8_t salt_length;
00105         uint8_t *salt;
00106 
00107         ldns_rdf *sname, *hashed_sname, *tmp;
00108         bool flag;
00109 
00110         bool exact_match_found;
00111         bool in_range_found;
00112 
00113         ldns_status status;
00114         ldns_rdf *zone_name;
00115 
00116         size_t nsec_i;
00117         ldns_rr *nsec;
00118         ldns_rdf *result = NULL;
00119         qtype = qtype;
00120 
00121         if (!qname || !nsec3s || ldns_rr_list_rr_count(nsec3s) < 1) {
00122                 return NULL;
00123         }
00124 
00125         nsec = ldns_rr_list_rr(nsec3s, 0);
00126         algorithm = ldns_nsec3_algorithm(nsec);
00127         salt_length = ldns_nsec3_salt_length(nsec);
00128         salt = ldns_nsec3_salt_data(nsec);
00129         iterations = ldns_nsec3_iterations(nsec);
00130 
00131         sname = ldns_rdf_clone(qname);
00132 
00133         flag = false;
00134 
00135         zone_name = ldns_dname_left_chop(ldns_rr_owner(nsec));
00136 
00137         /* algorithm from nsec3-07 8.3 */
00138         while (ldns_dname_label_count(sname) > 0) {
00139                 exact_match_found = false;
00140                 in_range_found = false;
00141 
00142                 hashed_sname = ldns_nsec3_hash_name(sname,
00143                                                                          algorithm,
00144                                                                          iterations,
00145                                                                          salt_length,
00146                                                                          salt);
00147 
00148                 status = ldns_dname_cat(hashed_sname, zone_name);
00149                 if(status != LDNS_STATUS_OK) {
00150                         LDNS_FREE(salt);
00151                         ldns_rdf_deep_free(zone_name);
00152                         ldns_rdf_deep_free(sname);
00153                         return NULL;
00154                 }
00155 
00156                 for (nsec_i = 0; nsec_i < ldns_rr_list_rr_count(nsec3s); nsec_i++) {
00157                         nsec = ldns_rr_list_rr(nsec3s, nsec_i);
00158 
00159                         /* check values of iterations etc! */
00160 
00161                         /* exact match? */
00162                         if (ldns_dname_compare(ldns_rr_owner(nsec), hashed_sname) == 0) {
00163                                 exact_match_found = true;
00164                         } else if (ldns_nsec_covers_name(nsec, hashed_sname)) {
00165                                 in_range_found = true;
00166                         }
00167 
00168                 }
00169                 if (!exact_match_found && in_range_found) {
00170                         flag = true;
00171                 } else if (exact_match_found && flag) {
00172                         result = ldns_rdf_clone(sname);
00173                         /* RFC 5155: 8.3. 2.** "The proof is complete" */
00174                         ldns_rdf_deep_free(hashed_sname);
00175                         goto done;
00176                 } else if (exact_match_found && !flag) {
00177                         /* error! */
00178                         ldns_rdf_deep_free(hashed_sname);
00179                         goto done;
00180                 } else {
00181                         flag = false;
00182                 }
00183 
00184                 ldns_rdf_deep_free(hashed_sname);
00185                 tmp = sname;
00186                 sname = ldns_dname_left_chop(sname);
00187                 ldns_rdf_deep_free(tmp);
00188         }
00189 
00190         done:
00191         LDNS_FREE(salt);
00192         ldns_rdf_deep_free(zone_name);
00193         ldns_rdf_deep_free(sname);
00194 
00195         return result;
00196 }
00197 
00198 bool
00199 ldns_dnssec_pkt_has_rrsigs(const ldns_pkt *pkt)
00200 {
00201         size_t i;
00202         for (i = 0; i < ldns_pkt_ancount(pkt); i++) {
00203                 if (ldns_rr_get_type(ldns_rr_list_rr(ldns_pkt_answer(pkt), i)) ==
00204                     LDNS_RR_TYPE_RRSIG) {
00205                         return true;
00206                 }
00207         }
00208         for (i = 0; i < ldns_pkt_nscount(pkt); i++) {
00209                 if (ldns_rr_get_type(ldns_rr_list_rr(ldns_pkt_authority(pkt), i)) ==
00210                     LDNS_RR_TYPE_RRSIG) {
00211                         return true;
00212                 }
00213         }
00214         return false;
00215 }
00216 
00217 ldns_rr_list *
00218 ldns_dnssec_pkt_get_rrsigs_for_name_and_type(const ldns_pkt *pkt,
00219                                                                         ldns_rdf *name,
00220                                                                         ldns_rr_type type)
00221 {
00222         uint16_t t_netorder;
00223         ldns_rr_list *sigs;
00224         ldns_rr_list *sigs_covered;
00225         ldns_rdf *rdf_t;
00226         
00227         sigs = ldns_pkt_rr_list_by_name_and_type(pkt,
00228                                                                          name,
00229                                                                          LDNS_RR_TYPE_RRSIG,
00230                                                                          LDNS_SECTION_ANY_NOQUESTION
00231                                                                          );
00232 
00233         t_netorder = htons(type); /* rdf are in network order! */
00234         rdf_t = ldns_rdf_new(LDNS_RDF_TYPE_TYPE, LDNS_RDF_SIZE_WORD, &t_netorder);
00235         sigs_covered = ldns_rr_list_subtype_by_rdf(sigs, rdf_t, 0);
00236         
00237         ldns_rdf_free(rdf_t);
00238         ldns_rr_list_deep_free(sigs);
00239 
00240         return sigs_covered;
00241 
00242 }
00243 
00244 ldns_rr_list *
00245 ldns_dnssec_pkt_get_rrsigs_for_type(const ldns_pkt *pkt, ldns_rr_type type)
00246 {
00247         uint16_t t_netorder;
00248         ldns_rr_list *sigs;
00249         ldns_rr_list *sigs_covered;
00250         ldns_rdf *rdf_t;
00251 
00252         sigs = ldns_pkt_rr_list_by_type(pkt,
00253                                         LDNS_RR_TYPE_RRSIG,
00254                                         LDNS_SECTION_ANY_NOQUESTION
00255                                                           );
00256 
00257         t_netorder = htons(type); /* rdf are in network order! */
00258         rdf_t = ldns_rdf_new(LDNS_RDF_TYPE_TYPE,
00259                                          2,
00260                                          &t_netorder);
00261         sigs_covered = ldns_rr_list_subtype_by_rdf(sigs, rdf_t, 0);
00262 
00263         ldns_rdf_free(rdf_t);
00264         ldns_rr_list_deep_free(sigs);
00265 
00266         return sigs_covered;
00267 
00268 }
00269 
00270 /* used only on the public key RR */
00271 uint16_t
00272 ldns_calc_keytag(const ldns_rr *key)
00273 {
00274         uint16_t ac16;
00275         ldns_buffer *keybuf;
00276         size_t keysize;
00277 
00278         if (!key) {
00279                 return 0;
00280         }
00281 
00282         if (ldns_rr_get_type(key) != LDNS_RR_TYPE_DNSKEY &&
00283             ldns_rr_get_type(key) != LDNS_RR_TYPE_KEY
00284             ) {
00285                 return 0;
00286         }
00287 
00288         /* rdata to buf - only put the rdata in a buffer */
00289         keybuf = ldns_buffer_new(LDNS_MIN_BUFLEN); /* grows */
00290         if (!keybuf) {
00291                 return 0;
00292         }
00293         (void)ldns_rr_rdata2buffer_wire(keybuf, key);
00294         /* the current pos in the buffer is the keysize */
00295         keysize= ldns_buffer_position(keybuf);
00296 
00297         ac16 = ldns_calc_keytag_raw(ldns_buffer_begin(keybuf), keysize);
00298         ldns_buffer_free(keybuf);
00299         return ac16;
00300 }
00301 
00302 uint16_t ldns_calc_keytag_raw(uint8_t* key, size_t keysize)
00303 {
00304         unsigned int i;
00305         uint32_t ac32;
00306         uint16_t ac16;
00307 
00308         if(keysize < 4) {
00309                 return 0;
00310         }
00311         /* look at the algorithm field, copied from 2535bis */
00312         if (key[3] == LDNS_RSAMD5) {
00313                 ac16 = 0;
00314                 if (keysize > 4) {
00315                         memmove(&ac16, key + keysize - 3, 2);
00316                 }
00317                 ac16 = ntohs(ac16);
00318                 return (uint16_t) ac16;
00319         } else {
00320                 ac32 = 0;
00321                 for (i = 0; (size_t)i < keysize; ++i) {
00322                         ac32 += (i & 1) ? key[i] : key[i] << 8;
00323                 }
00324                 ac32 += (ac32 >> 16) & 0xFFFF;
00325                 return (uint16_t) (ac32 & 0xFFFF);
00326         }
00327 }
00328 
00329 #ifdef HAVE_SSL
00330 DSA *
00331 ldns_key_buf2dsa(ldns_buffer *key)
00332 {
00333         return ldns_key_buf2dsa_raw((unsigned char*)ldns_buffer_begin(key),
00334                                                    ldns_buffer_position(key));
00335 }
00336 
00337 DSA *
00338 ldns_key_buf2dsa_raw(unsigned char* key, size_t len)
00339 {
00340         uint8_t T;
00341         uint16_t length;
00342         uint16_t offset;
00343         DSA *dsa;
00344         BIGNUM *Q; BIGNUM *P;
00345         BIGNUM *G; BIGNUM *Y;
00346 
00347         if(len == 0)
00348                 return NULL;
00349         T = (uint8_t)key[0];
00350         length = (64 + T * 8);
00351         offset = 1;
00352 
00353         if (T > 8) {
00354                 return NULL;
00355         }
00356         if(len < (size_t)1 + SHA_DIGEST_LENGTH + 3*length)
00357                 return NULL;
00358 
00359         Q = BN_bin2bn(key+offset, SHA_DIGEST_LENGTH, NULL);
00360         offset += SHA_DIGEST_LENGTH;
00361 
00362         P = BN_bin2bn(key+offset, (int)length, NULL);
00363         offset += length;
00364 
00365         G = BN_bin2bn(key+offset, (int)length, NULL);
00366         offset += length;
00367 
00368         Y = BN_bin2bn(key+offset, (int)length, NULL);
00369         offset += length;
00370 
00371         /* create the key and set its properties */
00372         if(!Q || !P || !G || !Y || !(dsa = DSA_new())) {
00373                 BN_free(Q);
00374                 BN_free(P);
00375                 BN_free(G);
00376                 BN_free(Y);
00377                 return NULL;
00378         }
00379 #ifndef S_SPLINT_S
00380         dsa->p = P;
00381         dsa->q = Q;
00382         dsa->g = G;
00383         dsa->pub_key = Y;
00384 #endif /* splint */
00385 
00386         return dsa;
00387 }
00388 
00389 RSA *
00390 ldns_key_buf2rsa(ldns_buffer *key)
00391 {
00392         return ldns_key_buf2rsa_raw((unsigned char*)ldns_buffer_begin(key),
00393                                                    ldns_buffer_position(key));
00394 }
00395 
00396 RSA *
00397 ldns_key_buf2rsa_raw(unsigned char* key, size_t len)
00398 {
00399         uint16_t offset;
00400         uint16_t exp;
00401         uint16_t int16;
00402         RSA *rsa;
00403         BIGNUM *modulus;
00404         BIGNUM *exponent;
00405 
00406         if (len == 0)
00407                 return NULL;
00408         if (key[0] == 0) {
00409                 if(len < 3)
00410                         return NULL;
00411                 /* need some smart comment here XXX*/
00412                 /* the exponent is too large so it's places
00413                  * futher...???? */
00414                 memmove(&int16, key+1, 2);
00415                 exp = ntohs(int16);
00416                 offset = 3;
00417         } else {
00418                 exp = key[0];
00419                 offset = 1;
00420         }
00421 
00422         /* key length at least one */
00423         if(len < (size_t)offset + exp + 1)
00424                 return NULL;
00425 
00426         /* Exponent */
00427         exponent = BN_new();
00428         if(!exponent) return NULL;
00429         (void) BN_bin2bn(key+offset, (int)exp, exponent);
00430         offset += exp;
00431 
00432         /* Modulus */
00433         modulus = BN_new();
00434         if(!modulus) {
00435                 BN_free(exponent);
00436                 return NULL;
00437         }
00438         /* length of the buffer must match the key length! */
00439         (void) BN_bin2bn(key+offset, (int)(len - offset), modulus);
00440 
00441         rsa = RSA_new();
00442         if(!rsa) {
00443                 BN_free(exponent);
00444                 BN_free(modulus);
00445                 return NULL;
00446         }
00447 #ifndef S_SPLINT_S
00448         rsa->n = modulus;
00449         rsa->e = exponent;
00450 #endif /* splint */
00451 
00452         return rsa;
00453 }
00454 
00455 int
00456 ldns_digest_evp(unsigned char* data, unsigned int len, unsigned char* dest,
00457         const EVP_MD* md)
00458 {
00459         EVP_MD_CTX* ctx;
00460         ctx = EVP_MD_CTX_create();
00461         if(!ctx)
00462                 return false;
00463         if(!EVP_DigestInit_ex(ctx, md, NULL) ||
00464                 !EVP_DigestUpdate(ctx, data, len) ||
00465                 !EVP_DigestFinal_ex(ctx, dest, NULL)) {
00466                 EVP_MD_CTX_destroy(ctx);
00467                 return false;
00468         }
00469         EVP_MD_CTX_destroy(ctx);
00470         return true;
00471 }
00472 #endif /* HAVE_SSL */
00473 
00474 ldns_rr *
00475 ldns_key_rr2ds(const ldns_rr *key, ldns_hash h)
00476 {
00477         ldns_rdf *tmp;
00478         ldns_rr *ds;
00479         uint16_t keytag;
00480         uint8_t  sha1hash;
00481         uint8_t *digest;
00482         ldns_buffer *data_buf;
00483 #ifdef USE_GOST
00484         const EVP_MD* md = NULL;
00485 #endif
00486 
00487         if (ldns_rr_get_type(key) != LDNS_RR_TYPE_DNSKEY) {
00488                 return NULL;
00489         }
00490 
00491         ds = ldns_rr_new();
00492         if (!ds) {
00493                 return NULL;
00494         }
00495         ldns_rr_set_type(ds, LDNS_RR_TYPE_DS);
00496         ldns_rr_set_owner(ds, ldns_rdf_clone(
00497                                                                   ldns_rr_owner(key)));
00498         ldns_rr_set_ttl(ds, ldns_rr_ttl(key));
00499         ldns_rr_set_class(ds, ldns_rr_get_class(key));
00500 
00501         switch(h) {
00502         default:
00503         case LDNS_SHA1:
00504                 digest = LDNS_XMALLOC(uint8_t, LDNS_SHA1_DIGEST_LENGTH);
00505                 if (!digest) {
00506                         ldns_rr_free(ds);
00507                         return NULL;
00508                 }
00509                 break;
00510         case LDNS_SHA256:
00511                 digest = LDNS_XMALLOC(uint8_t, LDNS_SHA256_DIGEST_LENGTH);
00512                 if (!digest) {
00513                         ldns_rr_free(ds);
00514                         return NULL;
00515                 }
00516                 break;
00517         case LDNS_HASH_GOST:
00518 #ifdef USE_GOST
00519                 (void)ldns_key_EVP_load_gost_id();
00520                 md = EVP_get_digestbyname("md_gost94");
00521                 if(!md) {
00522                         ldns_rr_free(ds);
00523                         return NULL;
00524                 }
00525                 digest = LDNS_XMALLOC(uint8_t, EVP_MD_size(md));
00526                 if (!digest) {
00527                         ldns_rr_free(ds);
00528                         return NULL;
00529                 }
00530                 break;
00531 #else
00532                 /* not implemented */
00533                 ldns_rr_free(ds);
00534                 return NULL;
00535 #endif
00536 #ifdef USE_ECDSA
00537                 /* Make similar ``not implemented'' construct as above when 
00538                    draft-hoffman-dnssec-ecdsa-04 becomes a standard
00539                  */
00540         case LDNS_SHA384:
00541                 digest = LDNS_XMALLOC(uint8_t, SHA384_DIGEST_LENGTH);
00542                 if (!digest) {
00543                         ldns_rr_free(ds);
00544                         return NULL;
00545                 }
00546                 break;
00547 #endif
00548         }
00549 
00550         data_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
00551         if (!data_buf) {
00552                 LDNS_FREE(digest);
00553                 ldns_rr_free(ds);
00554                 return NULL;
00555         }
00556 
00557         /* keytag */
00558         keytag = htons(ldns_calc_keytag((ldns_rr*)key));
00559         tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT16,
00560                                                    sizeof(uint16_t),
00561                                                    &keytag);
00562         ldns_rr_push_rdf(ds, tmp);
00563 
00564         /* copy the algorithm field */
00565         if ((tmp = ldns_rr_rdf(key, 2)) == NULL) {
00566                 LDNS_FREE(digest);
00567                 ldns_buffer_free(data_buf);
00568                 ldns_rr_free(ds);
00569                 return NULL;
00570         } else {
00571                 ldns_rr_push_rdf(ds, ldns_rdf_clone( tmp )); 
00572         }
00573 
00574         /* digest hash type */
00575         sha1hash = (uint8_t)h;
00576         tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT8,
00577                                                    sizeof(uint8_t),
00578                                                    &sha1hash);
00579         ldns_rr_push_rdf(ds, tmp);
00580 
00581         /* digest */
00582         /* owner name */
00583         tmp = ldns_rdf_clone(ldns_rr_owner(key));
00584         ldns_dname2canonical(tmp);
00585         if (ldns_rdf2buffer_wire(data_buf, tmp) != LDNS_STATUS_OK) {
00586                 LDNS_FREE(digest);
00587                 ldns_buffer_free(data_buf);
00588                 ldns_rr_free(ds);
00589                 ldns_rdf_deep_free(tmp);
00590                 return NULL;
00591         }
00592         ldns_rdf_deep_free(tmp);
00593 
00594         /* all the rdata's */
00595         if (ldns_rr_rdata2buffer_wire(data_buf,
00596                                                         (ldns_rr*)key) != LDNS_STATUS_OK) {
00597                 LDNS_FREE(digest);
00598                 ldns_buffer_free(data_buf);
00599                 ldns_rr_free(ds);
00600                 return NULL;
00601         }
00602         switch(h) {
00603         case LDNS_SHA1:
00604                 (void) ldns_sha1((unsigned char *) ldns_buffer_begin(data_buf),
00605                                  (unsigned int) ldns_buffer_position(data_buf),
00606                                  (unsigned char *) digest);
00607 
00608                 tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_HEX,
00609                                             LDNS_SHA1_DIGEST_LENGTH,
00610                                             digest);
00611                 ldns_rr_push_rdf(ds, tmp);
00612 
00613                 break;
00614         case LDNS_SHA256:
00615                 (void) ldns_sha256((unsigned char *) ldns_buffer_begin(data_buf),
00616                                    (unsigned int) ldns_buffer_position(data_buf),
00617                                    (unsigned char *) digest);
00618                 tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_HEX,
00619                                             LDNS_SHA256_DIGEST_LENGTH,
00620                                             digest);
00621                 ldns_rr_push_rdf(ds, tmp);
00622                 break;
00623         case LDNS_HASH_GOST:
00624 #ifdef USE_GOST
00625                 if(!ldns_digest_evp((unsigned char *) ldns_buffer_begin(data_buf),
00626                                 (unsigned int) ldns_buffer_position(data_buf),
00627                                 (unsigned char *) digest, md)) {
00628                         LDNS_FREE(digest);
00629                         ldns_buffer_free(data_buf);
00630                         ldns_rr_free(ds);
00631                         return NULL;
00632                 }
00633                 tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_HEX,
00634                                             (size_t)EVP_MD_size(md),
00635                                             digest);
00636                 ldns_rr_push_rdf(ds, tmp);
00637 #endif
00638                 break;
00639 #ifdef USE_ECDSA
00640         case LDNS_SHA384:
00641                 (void) SHA384((unsigned char *) ldns_buffer_begin(data_buf),
00642                                  (unsigned int) ldns_buffer_position(data_buf),
00643                                  (unsigned char *) digest);
00644                 tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_HEX,
00645                                             SHA384_DIGEST_LENGTH,
00646                                             digest);
00647                 ldns_rr_push_rdf(ds, tmp);
00648                 break;
00649 #endif
00650         }
00651 
00652         LDNS_FREE(digest);
00653         ldns_buffer_free(data_buf);
00654         return ds;
00655 }
00656 
00657 ldns_rdf *
00658 ldns_dnssec_create_nsec_bitmap(ldns_rr_type rr_type_list[],
00659                                size_t size,
00660                                ldns_rr_type nsec_type)
00661 {
00662         size_t i;
00663         uint8_t *bitmap;
00664         uint16_t bm_len = 0;
00665         uint16_t i_type;
00666         ldns_rdf *bitmap_rdf;
00667 
00668         uint8_t *data = NULL;
00669         uint8_t cur_data[32];
00670         uint8_t cur_window = 0;
00671         uint8_t cur_window_max = 0;
00672         uint16_t cur_data_size = 0;
00673 
00674         if (nsec_type != LDNS_RR_TYPE_NSEC &&
00675             nsec_type != LDNS_RR_TYPE_NSEC3) {
00676                 return NULL;
00677         }
00678 
00679         i_type = 0;
00680         for (i = 0; i < size; i++) {
00681                 if (i_type < rr_type_list[i])
00682                         i_type = rr_type_list[i];
00683         }
00684         if (i_type < nsec_type) {
00685                 i_type = nsec_type;
00686         }
00687 
00688         bm_len = i_type / 8 + 2;
00689         bitmap = LDNS_XMALLOC(uint8_t, bm_len);
00690         if(!bitmap) return NULL;
00691         for (i = 0; i < bm_len; i++) {
00692                 bitmap[i] = 0;
00693         }
00694 
00695         for (i = 0; i < size; i++) {
00696                 i_type = rr_type_list[i];
00697                 ldns_set_bit(bitmap + (int) i_type / 8,
00698                                    (int) (7 - (i_type % 8)),
00699                                    true);
00700         }
00701 
00702         /* fold it into windows TODO: can this be done directly? */
00703         memset(cur_data, 0, 32);
00704         for (i = 0; i < bm_len; i++) {
00705                 if (i / 32 > cur_window) {
00706                         /* check, copy, new */
00707                         if (cur_window_max > 0) {
00708                                 /* this window has stuff, add it */
00709                                 data = LDNS_XREALLOC(data,
00710                                                                  uint8_t,
00711                                                                  cur_data_size + cur_window_max + 3);
00712                                 if(!data) {
00713                                         LDNS_FREE(bitmap);
00714                                         return NULL;
00715                                 }
00716                                 data[cur_data_size] = cur_window;
00717                                 data[cur_data_size + 1] = cur_window_max + 1;
00718                                 memcpy(data + cur_data_size + 2,
00719                                           cur_data,
00720                                           cur_window_max+1);
00721                                 cur_data_size += cur_window_max + 3;
00722                         }
00723                         cur_window++;
00724                         cur_window_max = 0;
00725                         memset(cur_data, 0, 32);
00726                 }
00727                 cur_data[i%32] = bitmap[i];
00728                 if (bitmap[i] > 0) {
00729                         cur_window_max = i%32;
00730                 }
00731         }
00732         if (cur_window_max > 0 || cur_data[0] != 0) {
00733                 /* this window has stuff, add it */
00734                 data = LDNS_XREALLOC(data,
00735                                                  uint8_t,
00736                                                  cur_data_size + cur_window_max + 3);
00737                 if(!data) {
00738                         LDNS_FREE(bitmap);
00739                         return NULL;
00740                 }
00741                 data[cur_data_size] = cur_window;
00742                 data[cur_data_size + 1] = cur_window_max + 1;
00743                 memcpy(data + cur_data_size + 2, cur_data, cur_window_max+1);
00744                 cur_data_size += cur_window_max + 3;
00745         }
00746 
00747         bitmap_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_NSEC,
00748                                                                 cur_data_size,
00749                                                                 data);
00750 
00751         LDNS_FREE(bitmap);
00752         LDNS_FREE(data);
00753 
00754         return bitmap_rdf;
00755 }
00756 
00757 int
00758 ldns_dnssec_rrsets_contains_type(ldns_dnssec_rrsets *rrsets,
00759                                  ldns_rr_type type)
00760 {
00761         ldns_dnssec_rrsets *cur_rrset = rrsets;
00762         while (cur_rrset) {
00763                 if (cur_rrset->type == type) {
00764                         return 1;
00765                 }
00766                 cur_rrset = cur_rrset->next;
00767         }
00768         return 0;
00769 }
00770 
00771 ldns_rr *
00772 ldns_dnssec_create_nsec(ldns_dnssec_name *from,
00773                         ldns_dnssec_name *to,
00774                         ldns_rr_type nsec_type)
00775 {
00776         ldns_rr *nsec_rr;
00777         ldns_rr_type types[65536];
00778         size_t type_count = 0;
00779         ldns_dnssec_rrsets *cur_rrsets;
00780         int on_delegation_point;
00781 
00782         if (!from || !to || (nsec_type != LDNS_RR_TYPE_NSEC)) {
00783                 return NULL;
00784         }
00785 
00786         nsec_rr = ldns_rr_new();
00787         ldns_rr_set_type(nsec_rr, nsec_type);
00788         ldns_rr_set_owner(nsec_rr, ldns_rdf_clone(ldns_dnssec_name_name(from)));
00789         ldns_rr_push_rdf(nsec_rr, ldns_rdf_clone(ldns_dnssec_name_name(to)));
00790 
00791         on_delegation_point = ldns_dnssec_rrsets_contains_type(
00792                         from->rrsets, LDNS_RR_TYPE_NS)
00793                 && !ldns_dnssec_rrsets_contains_type(
00794                         from->rrsets, LDNS_RR_TYPE_SOA);
00795 
00796         cur_rrsets = from->rrsets;
00797         while (cur_rrsets) {
00798                 /* Do not include non-authoritative rrsets on the delegation point
00799                  * in the type bitmap */
00800                 if ((on_delegation_point && (
00801                                 cur_rrsets->type == LDNS_RR_TYPE_NS 
00802                              || cur_rrsets->type == LDNS_RR_TYPE_DS))
00803                         || (!on_delegation_point &&
00804                                 cur_rrsets->type != LDNS_RR_TYPE_RRSIG
00805                              && cur_rrsets->type != LDNS_RR_TYPE_NSEC)) {
00806 
00807                         types[type_count] = cur_rrsets->type;
00808                         type_count++;
00809                 }
00810                 cur_rrsets = cur_rrsets->next;
00811 
00812         }
00813         types[type_count] = LDNS_RR_TYPE_RRSIG;
00814         type_count++;
00815         types[type_count] = LDNS_RR_TYPE_NSEC;
00816         type_count++;
00817 
00818         ldns_rr_push_rdf(nsec_rr, ldns_dnssec_create_nsec_bitmap(types,
00819                                        type_count,
00820                                        nsec_type));
00821 
00822         return nsec_rr;
00823 }
00824 
00825 ldns_rr *
00826 ldns_dnssec_create_nsec3(ldns_dnssec_name *from,
00827                                         ldns_dnssec_name *to,
00828                                         ldns_rdf *zone_name,
00829                                         uint8_t algorithm,
00830                                         uint8_t flags,
00831                                         uint16_t iterations,
00832                                         uint8_t salt_length,
00833                                         uint8_t *salt)
00834 {
00835         ldns_rr *nsec_rr;
00836         ldns_rr_type types[65536];
00837         size_t type_count = 0;
00838         ldns_dnssec_rrsets *cur_rrsets;
00839         ldns_status status;
00840         int on_delegation_point;
00841 
00842         flags = flags;
00843 
00844         if (!from) {
00845                 return NULL;
00846         }
00847 
00848         nsec_rr = ldns_rr_new_frm_type(LDNS_RR_TYPE_NSEC3);
00849         ldns_rr_set_owner(nsec_rr,
00850                           ldns_nsec3_hash_name(ldns_dnssec_name_name(from),
00851                           algorithm,
00852                           iterations,
00853                           salt_length,
00854                           salt));
00855         status = ldns_dname_cat(ldns_rr_owner(nsec_rr), zone_name);
00856         if(status != LDNS_STATUS_OK) {
00857                 ldns_rr_free(nsec_rr);
00858                 return NULL;
00859         }
00860         ldns_nsec3_add_param_rdfs(nsec_rr,
00861                                   algorithm,
00862                                   flags,
00863                                   iterations,
00864                                   salt_length,
00865                                   salt);
00866 
00867         on_delegation_point = ldns_dnssec_rrsets_contains_type(
00868                         from->rrsets, LDNS_RR_TYPE_NS)
00869                 && !ldns_dnssec_rrsets_contains_type(
00870                         from->rrsets, LDNS_RR_TYPE_SOA);
00871         cur_rrsets = from->rrsets;
00872         while (cur_rrsets) {
00873                 /* Do not include non-authoritative rrsets on the delegation point
00874                  * in the type bitmap. Potentionally not skipping insecure
00875                  * delegation should have been done earlier, in function
00876                  * ldns_dnssec_zone_create_nsec3s, or even earlier in:
00877                  * ldns_dnssec_zone_sign_nsec3_flg .
00878                  */
00879                 if ((on_delegation_point && (
00880                                 cur_rrsets->type == LDNS_RR_TYPE_NS
00881                              || cur_rrsets->type == LDNS_RR_TYPE_DS))
00882                         || (!on_delegation_point &&
00883                                 cur_rrsets->type != LDNS_RR_TYPE_RRSIG)) {
00884 
00885                         types[type_count] = cur_rrsets->type;
00886                         type_count++;
00887                 }
00888                 cur_rrsets = cur_rrsets->next;
00889         }
00890         /* always add rrsig type if this is not an unsigned
00891          * delegation
00892          */
00893         if (type_count > 0 &&
00894             !(type_count == 1 && types[0] == LDNS_RR_TYPE_NS)) {
00895                 types[type_count] = LDNS_RR_TYPE_RRSIG;
00896                 type_count++;
00897         }
00898 
00899         /* leave next rdata empty if they weren't precomputed yet */
00900         if (to && to->hashed_name) {
00901                 (void) ldns_rr_set_rdf(nsec_rr,
00902                                        ldns_rdf_clone(to->hashed_name),
00903                                        4);
00904         } else {
00905                 (void) ldns_rr_set_rdf(nsec_rr, NULL, 4);
00906         }
00907 
00908         ldns_rr_push_rdf(nsec_rr,
00909                          ldns_dnssec_create_nsec_bitmap(types,
00910                          type_count,
00911                          LDNS_RR_TYPE_NSEC3));
00912 
00913         return nsec_rr;
00914 }
00915 
00916 ldns_rr *
00917 ldns_create_nsec(ldns_rdf *cur_owner, ldns_rdf *next_owner, ldns_rr_list *rrs)
00918 {
00919         /* we do not do any check here - garbage in, garbage out */
00920 
00921         /* the the start and end names - get the type from the
00922          * before rrlist */
00923 
00924         /* inefficient, just give it a name, a next name, and a list of rrs */
00925         /* we make 1 big uberbitmap first, then windows */
00926         /* todo: make something more efficient :) */
00927         uint16_t i;
00928         ldns_rr *i_rr;
00929         uint16_t i_type;
00930 
00931         ldns_rr *nsec = NULL;
00932         ldns_rr_type i_type_list[65536];
00933         size_t type_count = 0;
00934 
00935         nsec = ldns_rr_new();
00936         ldns_rr_set_type(nsec, LDNS_RR_TYPE_NSEC);
00937         ldns_rr_set_owner(nsec, ldns_rdf_clone(cur_owner));
00938         ldns_rr_push_rdf(nsec, ldns_rdf_clone(next_owner));
00939 
00940         for (i = 0; i < ldns_rr_list_rr_count(rrs); i++) {
00941                 i_rr = ldns_rr_list_rr(rrs, i);
00942                 if (ldns_rdf_compare(cur_owner,
00943                                                  ldns_rr_owner(i_rr)) == 0) {
00944                         i_type = ldns_rr_get_type(i_rr);
00945                         if (i_type != LDNS_RR_TYPE_RRSIG && i_type != LDNS_RR_TYPE_NSEC) {
00946                                 if (type_count == 0 || i_type_list[type_count-1] != i_type) {
00947                                         i_type_list[type_count] = i_type;
00948                                         type_count++;
00949                                 }
00950                         }
00951                 }
00952         }
00953 
00954         i_type_list[type_count] = LDNS_RR_TYPE_RRSIG;
00955         type_count++;
00956         i_type_list[type_count] = LDNS_RR_TYPE_NSEC;
00957         type_count++;
00958 
00959         ldns_rr_push_rdf(nsec,
00960                                   ldns_dnssec_create_nsec_bitmap(i_type_list,
00961                                                 type_count, LDNS_RR_TYPE_NSEC));
00962 
00963         return nsec;
00964 }
00965 
00966 ldns_rdf *
00967 ldns_nsec3_hash_name(ldns_rdf *name,
00968                                  uint8_t algorithm,
00969                                  uint16_t iterations,
00970                                  uint8_t salt_length,
00971                                  uint8_t *salt)
00972 {
00973         size_t hashed_owner_str_len;
00974         ldns_rdf *cann;
00975         ldns_rdf *hashed_owner;
00976         unsigned char *hashed_owner_str;
00977         char *hashed_owner_b32;
00978         size_t hashed_owner_b32_len;
00979         uint32_t cur_it;
00980         /* define to contain the largest possible hash, which is
00981          * sha1 at the moment */
00982         unsigned char hash[LDNS_SHA1_DIGEST_LENGTH];
00983         ldns_status status;
00984 
00985         /* TODO: mnemonic list for hash algs SHA-1, default to 1 now (sha1) */
00986         if (algorithm != LDNS_SHA1) {
00987                 return NULL;
00988         }
00989 
00990         /* prepare the owner name according to the draft section bla */
00991         cann = ldns_rdf_clone(name);
00992         if(!cann) {
00993                 fprintf(stderr, "Memory error\n");
00994                 return NULL;
00995         }
00996         ldns_dname2canonical(cann);
00997 
00998         hashed_owner_str_len = salt_length + ldns_rdf_size(cann);
00999         hashed_owner_str = LDNS_XMALLOC(unsigned char, hashed_owner_str_len);
01000         if(!hashed_owner_str) {
01001                 ldns_rdf_deep_free(cann);
01002                 return NULL;
01003         }
01004         memcpy(hashed_owner_str, ldns_rdf_data(cann), ldns_rdf_size(cann));
01005         memcpy(hashed_owner_str + ldns_rdf_size(cann), salt, salt_length);
01006         ldns_rdf_deep_free(cann);
01007 
01008         for (cur_it = iterations + 1; cur_it > 0; cur_it--) {
01009                 (void) ldns_sha1((unsigned char *) hashed_owner_str,
01010                                  (unsigned int) hashed_owner_str_len, hash);
01011 
01012                 LDNS_FREE(hashed_owner_str);
01013                 hashed_owner_str_len = salt_length + LDNS_SHA1_DIGEST_LENGTH;
01014                 hashed_owner_str = LDNS_XMALLOC(unsigned char, hashed_owner_str_len);
01015                 if (!hashed_owner_str) {
01016                         return NULL;
01017                 }
01018                 memcpy(hashed_owner_str, hash, LDNS_SHA1_DIGEST_LENGTH);
01019                 memcpy(hashed_owner_str + LDNS_SHA1_DIGEST_LENGTH, salt, salt_length);
01020                 hashed_owner_str_len = LDNS_SHA1_DIGEST_LENGTH + salt_length;
01021         }
01022 
01023         LDNS_FREE(hashed_owner_str);
01024         hashed_owner_str = hash;
01025         hashed_owner_str_len = LDNS_SHA1_DIGEST_LENGTH;
01026 
01027         hashed_owner_b32 = LDNS_XMALLOC(char,
01028                   ldns_b32_ntop_calculate_size(hashed_owner_str_len) + 1);
01029         if(!hashed_owner_b32) {
01030                 return NULL;
01031         }
01032         hashed_owner_b32_len = (size_t) ldns_b32_ntop_extended_hex(
01033                 (uint8_t *) hashed_owner_str,
01034                 hashed_owner_str_len,
01035                 hashed_owner_b32,
01036                 ldns_b32_ntop_calculate_size(hashed_owner_str_len)+1);
01037         if (hashed_owner_b32_len < 1) {
01038                 fprintf(stderr, "Error in base32 extended hex encoding ");
01039                 fprintf(stderr, "of hashed owner name (name: ");
01040                 ldns_rdf_print(stderr, name);
01041                 fprintf(stderr, ", return code: %u)\n",
01042                         (unsigned int) hashed_owner_b32_len);
01043                 LDNS_FREE(hashed_owner_b32);
01044                 return NULL;
01045         }
01046         hashed_owner_b32[hashed_owner_b32_len] = '\0';
01047 
01048         status = ldns_str2rdf_dname(&hashed_owner, hashed_owner_b32);
01049         if (status != LDNS_STATUS_OK) {
01050                 fprintf(stderr, "Error creating rdf from %s\n", hashed_owner_b32);
01051                 LDNS_FREE(hashed_owner_b32);
01052                 return NULL;
01053         }
01054 
01055         LDNS_FREE(hashed_owner_b32);
01056         return hashed_owner;
01057 }
01058 
01059 void
01060 ldns_nsec3_add_param_rdfs(ldns_rr *rr,
01061                                          uint8_t algorithm,
01062                                          uint8_t flags,
01063                                          uint16_t iterations,
01064                                          uint8_t salt_length,
01065                                          uint8_t *salt)
01066 {
01067         ldns_rdf *salt_rdf = NULL;
01068         uint8_t *salt_data = NULL;
01069         ldns_rdf *old;
01070 
01071         old = ldns_rr_set_rdf(rr,
01072                               ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT8,
01073                                                     1, (void*)&algorithm),
01074                               0);
01075         if (old) ldns_rdf_deep_free(old);
01076 
01077         old = ldns_rr_set_rdf(rr,
01078                               ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT8,
01079                                                     1, (void*)&flags),
01080                               1);
01081         if (old) ldns_rdf_deep_free(old);
01082 
01083         old = ldns_rr_set_rdf(rr,
01084                           ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16,
01085                                                 iterations),
01086                               2);
01087         if (old) ldns_rdf_deep_free(old);
01088 
01089         salt_data = LDNS_XMALLOC(uint8_t, salt_length + 1);
01090         if(!salt_data) {
01091                 /* no way to return error */
01092                 return;
01093         }
01094         salt_data[0] = salt_length;
01095         memcpy(salt_data + 1, salt, salt_length);
01096         salt_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_NSEC3_SALT,
01097                                                            salt_length + 1,
01098                                                            salt_data);
01099         if(!salt_rdf) {
01100                 LDNS_FREE(salt_data);
01101                 /* no way to return error */
01102                 return;
01103         }
01104 
01105         old = ldns_rr_set_rdf(rr, salt_rdf, 3);
01106         if (old) ldns_rdf_deep_free(old);
01107         LDNS_FREE(salt_data);
01108 }
01109 
01110 static int
01111 rr_list_delegation_only(ldns_rdf *origin, ldns_rr_list *rr_list)
01112 {
01113         size_t i;
01114         ldns_rr *cur_rr;
01115         if (!origin || !rr_list) return 0;
01116         for (i = 0; i < ldns_rr_list_rr_count(rr_list); i++) {
01117                 cur_rr = ldns_rr_list_rr(rr_list, i);
01118                 if (ldns_dname_compare(ldns_rr_owner(cur_rr), origin) == 0) {
01119                         return 0;
01120                 }
01121                 if (ldns_rr_get_type(cur_rr) != LDNS_RR_TYPE_NS) {
01122                         return 0;
01123                 }
01124         }
01125         return 1;
01126 }
01127 
01128 /* this will NOT return the NSEC3  completed, you will have to run the
01129    finalize function on the rrlist later! */
01130 ldns_rr *
01131 ldns_create_nsec3(ldns_rdf *cur_owner,
01132                   ldns_rdf *cur_zone,
01133                   ldns_rr_list *rrs,
01134                   uint8_t algorithm,
01135                   uint8_t flags,
01136                   uint16_t iterations,
01137                   uint8_t salt_length,
01138                   uint8_t *salt,
01139                   bool emptynonterminal)
01140 {
01141         size_t i;
01142         ldns_rr *i_rr;
01143         uint16_t i_type;
01144 
01145         ldns_rr *nsec = NULL;
01146         ldns_rdf *hashed_owner = NULL;
01147 
01148         ldns_status status;
01149 
01150     ldns_rr_type i_type_list[1024];
01151         size_t type_count = 0;
01152 
01153         hashed_owner = ldns_nsec3_hash_name(cur_owner,
01154                                                                  algorithm,
01155                                                                  iterations,
01156                                                                  salt_length,
01157                                                                  salt);
01158         status = ldns_dname_cat(hashed_owner, cur_zone);
01159         if(status != LDNS_STATUS_OK)
01160                 return NULL;
01161 
01162         nsec = ldns_rr_new_frm_type(LDNS_RR_TYPE_NSEC3);
01163         if(!nsec)
01164                 return NULL;
01165         ldns_rr_set_type(nsec, LDNS_RR_TYPE_NSEC3);
01166         ldns_rr_set_owner(nsec, hashed_owner);
01167 
01168         ldns_nsec3_add_param_rdfs(nsec,
01169                                                  algorithm,
01170                                                  flags,
01171                                                  iterations,
01172                                                  salt_length,
01173                                                  salt);
01174         (void) ldns_rr_set_rdf(nsec, NULL, 4);
01175 
01176 
01177         for (i = 0; i < ldns_rr_list_rr_count(rrs); i++) {
01178                 i_rr = ldns_rr_list_rr(rrs, i);
01179                 if (ldns_rdf_compare(cur_owner,
01180                                                  ldns_rr_owner(i_rr)) == 0) {
01181                         i_type = ldns_rr_get_type(i_rr);
01182                         if (type_count == 0 || i_type_list[type_count-1] != i_type) {
01183                                 i_type_list[type_count] = i_type;
01184                                 type_count++;
01185                         }
01186                 }
01187         }
01188 
01189         /* add RRSIG anyway, but only if this is not an ENT or
01190          * an unsigned delegation */
01191         if (!emptynonterminal && !rr_list_delegation_only(cur_zone, rrs)) {
01192                 i_type_list[type_count] = LDNS_RR_TYPE_RRSIG;
01193                 type_count++;
01194         }
01195 
01196         /* and SOA if owner == zone */
01197         if (ldns_dname_compare(cur_zone, cur_owner) == 0) {
01198                 i_type_list[type_count] = LDNS_RR_TYPE_SOA;
01199                 type_count++;
01200         }
01201 
01202         ldns_rr_push_rdf(nsec,
01203                                   ldns_dnssec_create_nsec_bitmap(i_type_list,
01204                                                 type_count, LDNS_RR_TYPE_NSEC3));
01205 
01206         return nsec;
01207 }
01208 
01209 uint8_t
01210 ldns_nsec3_algorithm(const ldns_rr *nsec3_rr)
01211 {
01212         if (nsec3_rr && 
01213               (ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3 ||
01214                ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3PARAM)
01215             && (ldns_rr_rdf(nsec3_rr, 0) != NULL)
01216             && ldns_rdf_size(ldns_rr_rdf(nsec3_rr, 0)) > 0) {
01217                 return ldns_rdf2native_int8(ldns_rr_rdf(nsec3_rr, 0));
01218         }
01219         return 0;
01220 }
01221 
01222 uint8_t
01223 ldns_nsec3_flags(const ldns_rr *nsec3_rr)
01224 {
01225         if (nsec3_rr && 
01226               (ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3 ||
01227                ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3PARAM)
01228             && (ldns_rr_rdf(nsec3_rr, 1) != NULL)
01229             && ldns_rdf_size(ldns_rr_rdf(nsec3_rr, 1)) > 0) {
01230                 return ldns_rdf2native_int8(ldns_rr_rdf(nsec3_rr, 1));
01231         }
01232         return 0;
01233 }
01234 
01235 bool
01236 ldns_nsec3_optout(const ldns_rr *nsec3_rr)
01237 {
01238         return (ldns_nsec3_flags(nsec3_rr) & LDNS_NSEC3_VARS_OPTOUT_MASK);
01239 }
01240 
01241 uint16_t
01242 ldns_nsec3_iterations(const ldns_rr *nsec3_rr)
01243 {
01244         if (nsec3_rr &&
01245               (ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3 ||
01246                ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3PARAM)
01247             && (ldns_rr_rdf(nsec3_rr, 2) != NULL)
01248             && ldns_rdf_size(ldns_rr_rdf(nsec3_rr, 2)) > 0) {
01249                 return ldns_rdf2native_int16(ldns_rr_rdf(nsec3_rr, 2));
01250         }
01251         return 0;
01252         
01253 }
01254 
01255 ldns_rdf *
01256 ldns_nsec3_salt(const ldns_rr *nsec3_rr)
01257 {
01258         if (nsec3_rr && 
01259               (ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3 ||
01260                ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3PARAM)
01261             ) {
01262                 return ldns_rr_rdf(nsec3_rr, 3);
01263         }
01264         return NULL;
01265 }
01266 
01267 uint8_t
01268 ldns_nsec3_salt_length(const ldns_rr *nsec3_rr)
01269 {
01270         ldns_rdf *salt_rdf = ldns_nsec3_salt(nsec3_rr);
01271         if (salt_rdf && ldns_rdf_size(salt_rdf) > 0) {
01272                 return (uint8_t) ldns_rdf_data(salt_rdf)[0];
01273         }
01274         return 0;
01275 }
01276 
01277 /* allocs data, free with LDNS_FREE() */
01278 uint8_t *
01279 ldns_nsec3_salt_data(const ldns_rr *nsec3_rr)
01280 {
01281         uint8_t salt_length;
01282         uint8_t *salt;
01283 
01284         ldns_rdf *salt_rdf = ldns_nsec3_salt(nsec3_rr);
01285         if (salt_rdf && ldns_rdf_size(salt_rdf) > 0) {
01286                 salt_length = ldns_rdf_data(salt_rdf)[0];
01287                 salt = LDNS_XMALLOC(uint8_t, salt_length);
01288                 if(!salt) return NULL;
01289                 memcpy(salt, &ldns_rdf_data(salt_rdf)[1], salt_length);
01290                 return salt;
01291         }
01292         return NULL;
01293 }
01294 
01295 ldns_rdf *
01296 ldns_nsec3_next_owner(const ldns_rr *nsec3_rr)
01297 {
01298         if (!nsec3_rr || ldns_rr_get_type(nsec3_rr) != LDNS_RR_TYPE_NSEC3) {
01299                 return NULL;
01300         } else {
01301                 return ldns_rr_rdf(nsec3_rr, 4);
01302         }
01303 }
01304 
01305 ldns_rdf *
01306 ldns_nsec3_bitmap(const ldns_rr *nsec3_rr)
01307 {
01308         if (!nsec3_rr || ldns_rr_get_type(nsec3_rr) != LDNS_RR_TYPE_NSEC3) {
01309                 return NULL;
01310         } else {
01311                 return ldns_rr_rdf(nsec3_rr, 5);
01312         }
01313 }
01314 
01315 ldns_rdf *
01316 ldns_nsec3_hash_name_frm_nsec3(const ldns_rr *nsec, ldns_rdf *name)
01317 {
01318         uint8_t algorithm;
01319         uint16_t iterations;
01320         uint8_t salt_length;
01321         uint8_t *salt = 0;
01322 
01323         ldns_rdf *hashed_owner;
01324 
01325         algorithm = ldns_nsec3_algorithm(nsec);
01326         salt_length = ldns_nsec3_salt_length(nsec);
01327         salt = ldns_nsec3_salt_data(nsec);
01328         iterations = ldns_nsec3_iterations(nsec);
01329 
01330         hashed_owner = ldns_nsec3_hash_name(name,
01331                                                                  algorithm,
01332                                                                  iterations,
01333                                                                  salt_length,
01334                                                                  salt);
01335 
01336         LDNS_FREE(salt);
01337         return hashed_owner;
01338 }
01339 
01340 bool
01341 ldns_nsec_bitmap_covers_type(const ldns_rdf *nsec_bitmap, ldns_rr_type type)
01342 {
01343         uint8_t window_block_nr;
01344         uint8_t bitmap_length;
01345         uint16_t cur_type;
01346         uint16_t pos = 0;
01347         uint16_t bit_pos;
01348         uint8_t *data;
01349 
01350         if (nsec_bitmap == NULL) {
01351                 return false;
01352         }
01353         data = ldns_rdf_data(nsec_bitmap);
01354         while(pos < ldns_rdf_size(nsec_bitmap)) {
01355                 window_block_nr = data[pos];
01356                 bitmap_length = data[pos + 1];
01357                 pos += 2;
01358 
01359                 for (bit_pos = 0; bit_pos < (bitmap_length) * 8; bit_pos++) {
01360                         if (ldns_get_bit(&data[pos], bit_pos)) {
01361                                 cur_type = 256 * (uint16_t) window_block_nr + bit_pos;
01362                                 if (cur_type == type) {
01363                                         return true;
01364                                 }
01365                         }
01366                 }
01367 
01368                 pos += (uint16_t) bitmap_length;
01369         }
01370         return false;
01371 }
01372 
01373 bool
01374 ldns_nsec_covers_name(const ldns_rr *nsec, const ldns_rdf *name)
01375 {
01376         ldns_rdf *nsec_owner = ldns_rr_owner(nsec);
01377         ldns_rdf *hash_next;
01378         char *next_hash_str;
01379         ldns_rdf *nsec_next = NULL;
01380         ldns_status status;
01381         ldns_rdf *chopped_dname;
01382         bool result;
01383 
01384         if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC) {
01385                 if (ldns_rr_rdf(nsec, 0) != NULL) {
01386                         nsec_next = ldns_rdf_clone(ldns_rr_rdf(nsec, 0));
01387                 } else {
01388                         return false;
01389                 }
01390         } else if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC3) {
01391                 hash_next = ldns_nsec3_next_owner(nsec);
01392                 next_hash_str = ldns_rdf2str(hash_next);
01393                 nsec_next = ldns_dname_new_frm_str(next_hash_str);
01394                 LDNS_FREE(next_hash_str);
01395                 chopped_dname = ldns_dname_left_chop(nsec_owner);
01396                 status = ldns_dname_cat(nsec_next, chopped_dname);
01397                 ldns_rdf_deep_free(chopped_dname);
01398                 if (status != LDNS_STATUS_OK) {
01399                         printf("error catting: %s\n", ldns_get_errorstr_by_id(status));
01400                 }
01401         } else {
01402                 ldns_rdf_deep_free(nsec_next);
01403                 return false;
01404         }
01405 
01406         /* in the case of the last nsec */
01407         if(ldns_dname_compare(nsec_owner, nsec_next) > 0) {
01408                 result = (ldns_dname_compare(nsec_owner, name) <= 0 ||
01409                                 ldns_dname_compare(name, nsec_next) < 0);
01410         } else {
01411                 result = (ldns_dname_compare(nsec_owner, name) <= 0 &&
01412                           ldns_dname_compare(name, nsec_next) < 0);
01413         }
01414 
01415         ldns_rdf_deep_free(nsec_next);
01416         return result;
01417 }
01418 
01419 #ifdef HAVE_SSL
01420 /* sig may be null - if so look in the packet */
01421 
01422 ldns_status
01423 ldns_pkt_verify_time(ldns_pkt *p, ldns_rr_type t, ldns_rdf *o, 
01424                 ldns_rr_list *k, ldns_rr_list *s, 
01425                 time_t check_time, ldns_rr_list *good_keys)
01426 {
01427         ldns_rr_list *rrset;
01428         ldns_rr_list *sigs;
01429         ldns_rr_list *sigs_covered;
01430         ldns_rdf *rdf_t;
01431         ldns_rr_type t_netorder;
01432 
01433         if (!k) {
01434                 return LDNS_STATUS_ERR;
01435                 /* return LDNS_STATUS_CRYPTO_NO_DNSKEY; */
01436         }
01437 
01438         if (t == LDNS_RR_TYPE_RRSIG) {
01439                 /* we don't have RRSIG(RRSIG) (yet? ;-) ) */
01440                 return LDNS_STATUS_ERR;
01441         }
01442 
01443         if (s) {
01444                 /* if s is not NULL, the sigs are given to use */
01445                 sigs = s;
01446         } else {
01447                 /* otherwise get them from the packet */
01448                 sigs = ldns_pkt_rr_list_by_name_and_type(p, o, LDNS_RR_TYPE_RRSIG,
01449                                                                           LDNS_SECTION_ANY_NOQUESTION);
01450                 if (!sigs) {
01451                         /* no sigs */
01452                         return LDNS_STATUS_ERR;
01453                         /* return LDNS_STATUS_CRYPTO_NO_RRSIG; */
01454                 }
01455         }
01456 
01457         /* rrsig are subtyped, so now we need to find the correct
01458          * sigs for the type t
01459          */
01460         t_netorder = htons(t); /* rdf are in network order! */
01461         /* a type identifier is a 16-bit number, so the size is 2 bytes */
01462         rdf_t = ldns_rdf_new(LDNS_RDF_TYPE_TYPE,
01463                                          2,
01464                                          &t_netorder);
01465         sigs_covered = ldns_rr_list_subtype_by_rdf(sigs, rdf_t, 0);
01466 
01467         rrset = ldns_pkt_rr_list_by_name_and_type(p,
01468                                                                           o,
01469                                                                           t,
01470                                                                           LDNS_SECTION_ANY_NOQUESTION);
01471 
01472         if (!rrset) {
01473                 return LDNS_STATUS_ERR;
01474         }
01475 
01476         if (!sigs_covered) {
01477                 return LDNS_STATUS_ERR;
01478         }
01479 
01480         return ldns_verify_time(rrset, sigs, k, check_time, good_keys);
01481 }
01482 
01483 ldns_status
01484 ldns_pkt_verify(ldns_pkt *p, ldns_rr_type t, ldns_rdf *o, 
01485                 ldns_rr_list *k, ldns_rr_list *s, ldns_rr_list *good_keys)
01486 {
01487         return ldns_pkt_verify_time(p, t, o, k, s, ldns_time(NULL), good_keys);
01488 }
01489 #endif /* HAVE_SSL */
01490 
01491 ldns_status
01492 ldns_dnssec_chain_nsec3_list(ldns_rr_list *nsec3_rrs)
01493 {
01494         size_t i;
01495         char *next_nsec_owner_str;
01496         ldns_rdf *next_nsec_owner_label;
01497         ldns_rdf *next_nsec_rdf;
01498         ldns_status status = LDNS_STATUS_OK;
01499 
01500         for (i = 0; i < ldns_rr_list_rr_count(nsec3_rrs); i++) {
01501                 if (i == ldns_rr_list_rr_count(nsec3_rrs) - 1) {
01502                         next_nsec_owner_label =
01503                                 ldns_dname_label(ldns_rr_owner(ldns_rr_list_rr(nsec3_rrs,
01504                                                                                                           0)), 0);
01505                         next_nsec_owner_str = ldns_rdf2str(next_nsec_owner_label);
01506                         if (next_nsec_owner_str[strlen(next_nsec_owner_str) - 1]
01507                             == '.') {
01508                                 next_nsec_owner_str[strlen(next_nsec_owner_str) - 1]
01509                                         = '\0';
01510                         }
01511                         status = ldns_str2rdf_b32_ext(&next_nsec_rdf,
01512                                                                         next_nsec_owner_str);
01513                         if (!ldns_rr_set_rdf(ldns_rr_list_rr(nsec3_rrs, i),
01514                                                          next_nsec_rdf, 4)) {
01515                                 /* todo: error */
01516                         }
01517 
01518                         ldns_rdf_deep_free(next_nsec_owner_label);
01519                         LDNS_FREE(next_nsec_owner_str);
01520                 } else {
01521                         next_nsec_owner_label =
01522                                 ldns_dname_label(ldns_rr_owner(ldns_rr_list_rr(nsec3_rrs,
01523                                                                                                           i + 1)),
01524                                                           0);
01525                         next_nsec_owner_str = ldns_rdf2str(next_nsec_owner_label);
01526                         if (next_nsec_owner_str[strlen(next_nsec_owner_str) - 1]
01527                             == '.') {
01528                                 next_nsec_owner_str[strlen(next_nsec_owner_str) - 1]
01529                                         = '\0';
01530                         }
01531                         status = ldns_str2rdf_b32_ext(&next_nsec_rdf,
01532                                                                         next_nsec_owner_str);
01533                         ldns_rdf_deep_free(next_nsec_owner_label);
01534                         LDNS_FREE(next_nsec_owner_str);
01535                         if (!ldns_rr_set_rdf(ldns_rr_list_rr(nsec3_rrs, i),
01536                                                          next_nsec_rdf, 4)) {
01537                                 /* todo: error */
01538                         }
01539                 }
01540         }
01541         return status;
01542 }
01543 
01544 int
01545 qsort_rr_compare_nsec3(const void *a, const void *b)
01546 {
01547         const ldns_rr *rr1 = * (const ldns_rr **) a;
01548         const ldns_rr *rr2 = * (const ldns_rr **) b;
01549         if (rr1 == NULL && rr2 == NULL) {
01550                 return 0;
01551         }
01552         if (rr1 == NULL) {
01553                 return -1;
01554         }
01555         if (rr2 == NULL) {
01556                 return 1;
01557         }
01558         return ldns_rdf_compare(ldns_rr_owner(rr1), ldns_rr_owner(rr2));
01559 }
01560 
01561 void
01562 ldns_rr_list_sort_nsec3(ldns_rr_list *unsorted)
01563 {
01564         qsort(unsorted->_rrs,
01565               ldns_rr_list_rr_count(unsorted),
01566               sizeof(ldns_rr *),
01567               qsort_rr_compare_nsec3);
01568 }
01569 
01570 int
01571 ldns_dnssec_default_add_to_signatures(ldns_rr *sig, void *n)
01572 {
01573         sig = sig;
01574         n = n;
01575         return LDNS_SIGNATURE_LEAVE_ADD_NEW;
01576 }
01577 
01578 int
01579 ldns_dnssec_default_leave_signatures(ldns_rr *sig, void *n)
01580 {
01581         sig = sig;
01582         n = n;
01583         return LDNS_SIGNATURE_LEAVE_NO_ADD;
01584 }
01585 
01586 int
01587 ldns_dnssec_default_delete_signatures(ldns_rr *sig, void *n)
01588 {
01589         sig = sig;
01590         n = n;
01591         return LDNS_SIGNATURE_REMOVE_NO_ADD;
01592 }
01593 
01594 int
01595 ldns_dnssec_default_replace_signatures(ldns_rr *sig, void *n)
01596 {
01597         sig = sig;
01598         n = n;
01599         return LDNS_SIGNATURE_REMOVE_ADD_NEW;
01600 }
01601 
01602 #ifdef HAVE_SSL
01603 ldns_rdf *
01604 ldns_convert_dsa_rrsig_asn12rdf(const ldns_buffer *sig,
01605                                                   const long sig_len)
01606 {
01607         ldns_rdf *sigdata_rdf;
01608         DSA_SIG *dsasig;
01609         unsigned char *dsasig_data = (unsigned char*)ldns_buffer_begin(sig);
01610         size_t byte_offset;
01611 
01612         dsasig = d2i_DSA_SIG(NULL,
01613                                          (const unsigned char **)&dsasig_data,
01614                                          sig_len);
01615         if (!dsasig) {
01616                 DSA_SIG_free(dsasig);
01617                 return NULL;
01618         }
01619 
01620         dsasig_data = LDNS_XMALLOC(unsigned char, 41);
01621         if(!dsasig_data) {
01622                 DSA_SIG_free(dsasig);
01623                 return NULL;
01624         }
01625         dsasig_data[0] = 0;
01626         byte_offset = (size_t) (20 - BN_num_bytes(dsasig->r));
01627         if (byte_offset > 20) {
01628                 DSA_SIG_free(dsasig);
01629                 LDNS_FREE(dsasig_data);
01630                 return NULL;
01631         }
01632         memset(&dsasig_data[1], 0, byte_offset);
01633         BN_bn2bin(dsasig->r, &dsasig_data[1 + byte_offset]);
01634         byte_offset = (size_t) (20 - BN_num_bytes(dsasig->s));
01635         if (byte_offset > 20) {
01636                 DSA_SIG_free(dsasig);
01637                 LDNS_FREE(dsasig_data);
01638                 return NULL;
01639         }
01640         memset(&dsasig_data[21], 0, byte_offset);
01641         BN_bn2bin(dsasig->s, &dsasig_data[21 + byte_offset]);
01642 
01643         sigdata_rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, 41, dsasig_data);
01644         if(!sigdata_rdf) {
01645                 LDNS_FREE(dsasig_data);
01646         }
01647         DSA_SIG_free(dsasig);
01648 
01649         return sigdata_rdf;
01650 }
01651 
01652 ldns_status
01653 ldns_convert_dsa_rrsig_rdf2asn1(ldns_buffer *target_buffer,
01654                                                   const ldns_rdf *sig_rdf)
01655 {
01656         /* the EVP api wants the DER encoding of the signature... */
01657         BIGNUM *R, *S;
01658         DSA_SIG *dsasig;
01659         unsigned char *raw_sig = NULL;
01660         int raw_sig_len;
01661 
01662         if(ldns_rdf_size(sig_rdf) < 1 + 2*SHA_DIGEST_LENGTH)
01663                 return LDNS_STATUS_SYNTAX_RDATA_ERR;
01664         /* extract the R and S field from the sig buffer */
01665         R = BN_new();
01666         if(!R) return LDNS_STATUS_MEM_ERR;
01667         (void) BN_bin2bn((unsigned char *) ldns_rdf_data(sig_rdf) + 1,
01668                          SHA_DIGEST_LENGTH, R);
01669         S = BN_new();
01670         if(!S) {
01671                 BN_free(R);
01672                 return LDNS_STATUS_MEM_ERR;
01673         }
01674         (void) BN_bin2bn((unsigned char *) ldns_rdf_data(sig_rdf) + 21,
01675                          SHA_DIGEST_LENGTH, S);
01676 
01677         dsasig = DSA_SIG_new();
01678         if (!dsasig) {
01679                 BN_free(R);
01680                 BN_free(S);
01681                 return LDNS_STATUS_MEM_ERR;
01682         }
01683 
01684         dsasig->r = R;
01685         dsasig->s = S;
01686 
01687         raw_sig_len = i2d_DSA_SIG(dsasig, &raw_sig);
01688         if (raw_sig_len < 0) {
01689                 DSA_SIG_free(dsasig);
01690                 free(raw_sig);
01691                 return LDNS_STATUS_SSL_ERR;
01692         }
01693         if (ldns_buffer_reserve(target_buffer, (size_t) raw_sig_len)) {
01694                 ldns_buffer_write(target_buffer, raw_sig, (size_t)raw_sig_len);
01695         }
01696 
01697         DSA_SIG_free(dsasig);
01698         free(raw_sig);
01699 
01700         return ldns_buffer_status(target_buffer);
01701 }
01702 
01703 #ifdef USE_ECDSA
01704 #ifndef S_SPLINT_S
01705 ldns_rdf *
01706 ldns_convert_ecdsa_rrsig_asn12rdf(const ldns_buffer *sig, const long sig_len)
01707 {
01708         ECDSA_SIG* ecdsa_sig;
01709         unsigned char *data = (unsigned char*)ldns_buffer_begin(sig);
01710         ldns_rdf* rdf;
01711         ecdsa_sig = d2i_ECDSA_SIG(NULL, (const unsigned char **)&data, sig_len);
01712         if(!ecdsa_sig) return NULL;
01713 
01714         /* "r | s". */
01715         data = LDNS_XMALLOC(unsigned char,
01716                 BN_num_bytes(ecdsa_sig->r) + BN_num_bytes(ecdsa_sig->s));
01717         if(!data) {
01718                 ECDSA_SIG_free(ecdsa_sig);
01719                 return NULL;
01720         }
01721         BN_bn2bin(ecdsa_sig->r, data);
01722         BN_bn2bin(ecdsa_sig->s, data+BN_num_bytes(ecdsa_sig->r));
01723         rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, (size_t)(
01724                 BN_num_bytes(ecdsa_sig->r) + BN_num_bytes(ecdsa_sig->s)), data);
01725         ECDSA_SIG_free(ecdsa_sig);
01726         return rdf;
01727 }
01728 
01729 ldns_status
01730 ldns_convert_ecdsa_rrsig_rdf2asn1(ldns_buffer *target_buffer,
01731         const ldns_rdf *sig_rdf)
01732 {
01733         ECDSA_SIG* sig;
01734         int raw_sig_len;
01735         long bnsize = (long)ldns_rdf_size(sig_rdf) / 2;
01736         /* if too short, or not even length, do not bother */
01737         if(bnsize < 16 || (size_t)bnsize*2 != ldns_rdf_size(sig_rdf))
01738                 return LDNS_STATUS_ERR;
01739         
01740         /* use the raw data to parse two evenly long BIGNUMs, "r | s". */
01741         sig = ECDSA_SIG_new();
01742         if(!sig) return LDNS_STATUS_MEM_ERR;
01743         sig->r = BN_bin2bn((const unsigned char*)ldns_rdf_data(sig_rdf),
01744                 bnsize, sig->r);
01745         sig->s = BN_bin2bn((const unsigned char*)ldns_rdf_data(sig_rdf)+bnsize,
01746                 bnsize, sig->s);
01747         if(!sig->r || !sig->s) {
01748                 ECDSA_SIG_free(sig);
01749                 return LDNS_STATUS_MEM_ERR;
01750         }
01751 
01752         raw_sig_len = i2d_ECDSA_SIG(sig, NULL);
01753         if (ldns_buffer_reserve(target_buffer, (size_t) raw_sig_len)) {
01754                 unsigned char* pp = (unsigned char*)
01755                         ldns_buffer_current(target_buffer);
01756                 raw_sig_len = i2d_ECDSA_SIG(sig, &pp);
01757                 ldns_buffer_skip(target_buffer, (ssize_t) raw_sig_len);
01758         }
01759         ECDSA_SIG_free(sig);
01760 
01761         return ldns_buffer_status(target_buffer);
01762 }
01763 
01764 #endif /* S_SPLINT_S */
01765 #endif /* USE_ECDSA */
01766 #endif /* HAVE_SSL */

Generated on Thu Apr 5 23:05:30 2012 for ldns by  doxygen 1.4.7