ldns  1.7.0
dnssec.c
Go to the documentation of this file.
1 /*
2  * dnssec.c
3  *
4  * contains the cryptographic function needed for DNSSEC in ldns
5  * The crypto library used is openssl
6  *
7  * (c) NLnet Labs, 2004-2008
8  *
9  * See the file LICENSE for the license
10  */
11 
12 #include <ldns/config.h>
13 
14 #include <ldns/ldns.h>
15 #include <ldns/dnssec.h>
16 
17 #include <strings.h>
18 #include <time.h>
19 
20 #ifdef HAVE_SSL
21 #include <openssl/ssl.h>
22 #include <openssl/evp.h>
23 #include <openssl/rand.h>
24 #include <openssl/err.h>
25 #include <openssl/md5.h>
26 #endif
27 
28 ldns_rr *
30  const ldns_rr_type type,
31  const ldns_rr_list *rrs)
32 {
33  size_t i;
34  ldns_rr *candidate;
35 
36  if (!name || !rrs) {
37  return NULL;
38  }
39 
40  for (i = 0; i < ldns_rr_list_rr_count(rrs); i++) {
41  candidate = ldns_rr_list_rr(rrs, i);
42  if (ldns_rr_get_type(candidate) == LDNS_RR_TYPE_RRSIG) {
43  if (ldns_dname_compare(ldns_rr_owner(candidate),
44  name) == 0 &&
46  == type
47  ) {
48  return candidate;
49  }
50  }
51  }
52 
53  return NULL;
54 }
55 
56 ldns_rr *
58  const ldns_rr_list *rrs)
59 {
60  size_t i;
61  ldns_rr *candidate;
62 
63  if (!rrsig || !rrs) {
64  return NULL;
65  }
66 
67  for (i = 0; i < ldns_rr_list_rr_count(rrs); i++) {
68  candidate = ldns_rr_list_rr(rrs, i);
69  if (ldns_rr_get_type(candidate) == LDNS_RR_TYPE_DNSKEY) {
70  if (ldns_dname_compare(ldns_rr_owner(candidate),
71  ldns_rr_rrsig_signame(rrsig)) == 0 &&
73  ldns_calc_keytag(candidate)
74  ) {
75  return candidate;
76  }
77  }
78  }
79 
80  return NULL;
81 }
82 
83 ldns_rdf *
85  if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC) {
86  return ldns_rr_rdf(nsec, 1);
87  } else if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC3) {
88  return ldns_rr_rdf(nsec, 5);
89  } else {
90  return NULL;
91  }
92 }
93 
94 /*return the owner name of the closest encloser for name from the list of rrs */
95 /* this is NOT the hash, but the original name! */
96 ldns_rdf *
99  const ldns_rr_list *nsec3s)
100 {
101  /* remember parameters, they must match */
102  uint8_t algorithm;
103  uint32_t iterations;
104  uint8_t salt_length;
105  uint8_t *salt;
106 
107  ldns_rdf *sname, *hashed_sname, *tmp;
108  bool flag;
109 
110  bool exact_match_found;
111  bool in_range_found;
112 
113  ldns_status status;
114  ldns_rdf *zone_name;
115 
116  size_t nsec_i;
117  ldns_rr *nsec;
118  ldns_rdf *result = NULL;
119 
120  if (!qname || !nsec3s || ldns_rr_list_rr_count(nsec3s) < 1) {
121  return NULL;
122  }
123 
124  nsec = ldns_rr_list_rr(nsec3s, 0);
125  algorithm = ldns_nsec3_algorithm(nsec);
126  salt_length = ldns_nsec3_salt_length(nsec);
127  salt = ldns_nsec3_salt_data(nsec);
128  iterations = ldns_nsec3_iterations(nsec);
129 
130  sname = ldns_rdf_clone(qname);
131 
132  flag = false;
133 
134  zone_name = ldns_dname_left_chop(ldns_rr_owner(nsec));
135 
136  /* algorithm from nsec3-07 8.3 */
137  while (ldns_dname_label_count(sname) > 0) {
138  exact_match_found = false;
139  in_range_found = false;
140 
141  hashed_sname = ldns_nsec3_hash_name(sname,
142  algorithm,
143  iterations,
144  salt_length,
145  salt);
146 
147  status = ldns_dname_cat(hashed_sname, zone_name);
148  if(status != LDNS_STATUS_OK) {
149  LDNS_FREE(salt);
150  ldns_rdf_deep_free(zone_name);
151  ldns_rdf_deep_free(sname);
152  return NULL;
153  }
154 
155  for (nsec_i = 0; nsec_i < ldns_rr_list_rr_count(nsec3s); nsec_i++) {
156  nsec = ldns_rr_list_rr(nsec3s, nsec_i);
157 
158  /* check values of iterations etc! */
159 
160  /* exact match? */
161  if (ldns_dname_compare(ldns_rr_owner(nsec), hashed_sname) == 0) {
162  exact_match_found = true;
163  } else if (ldns_nsec_covers_name(nsec, hashed_sname)) {
164  in_range_found = true;
165  }
166 
167  }
168  if (!exact_match_found && in_range_found) {
169  flag = true;
170  } else if (exact_match_found && flag) {
171  result = ldns_rdf_clone(sname);
172  /* RFC 5155: 8.3. 2.** "The proof is complete" */
173  ldns_rdf_deep_free(hashed_sname);
174  goto done;
175  } else if (exact_match_found && !flag) {
176  /* error! */
177  ldns_rdf_deep_free(hashed_sname);
178  goto done;
179  } else {
180  flag = false;
181  }
182 
183  ldns_rdf_deep_free(hashed_sname);
184  tmp = sname;
185  sname = ldns_dname_left_chop(sname);
186  ldns_rdf_deep_free(tmp);
187  }
188 
189  done:
190  LDNS_FREE(salt);
191  ldns_rdf_deep_free(zone_name);
192  ldns_rdf_deep_free(sname);
193 
194  return result;
195 }
196 
197 bool
199 {
200  size_t i;
201  for (i = 0; i < ldns_pkt_ancount(pkt); i++) {
204  return true;
205  }
206  }
207  for (i = 0; i < ldns_pkt_nscount(pkt); i++) {
210  return true;
211  }
212  }
213  return false;
214 }
215 
216 ldns_rr_list *
218  const ldns_rdf *name,
219  ldns_rr_type type)
220 {
221  uint16_t t_netorder;
222  ldns_rr_list *sigs;
223  ldns_rr_list *sigs_covered;
224  ldns_rdf *rdf_t;
225 
227  name,
230  );
231 
232  t_netorder = htons(type); /* rdf are in network order! */
233  rdf_t = ldns_rdf_new(LDNS_RDF_TYPE_TYPE, LDNS_RDF_SIZE_WORD, &t_netorder);
234  sigs_covered = ldns_rr_list_subtype_by_rdf(sigs, rdf_t, 0);
235 
236  ldns_rdf_free(rdf_t);
238 
239  return sigs_covered;
240 
241 }
242 
243 ldns_rr_list *
245 {
246  uint16_t t_netorder;
247  ldns_rr_list *sigs;
248  ldns_rr_list *sigs_covered;
249  ldns_rdf *rdf_t;
250 
251  sigs = ldns_pkt_rr_list_by_type(pkt,
254  );
255 
256  t_netorder = htons(type); /* rdf are in network order! */
258  2,
259  &t_netorder);
260  sigs_covered = ldns_rr_list_subtype_by_rdf(sigs, rdf_t, 0);
261 
262  ldns_rdf_free(rdf_t);
264 
265  return sigs_covered;
266 
267 }
268 
269 /* used only on the public key RR */
270 uint16_t
272 {
273  uint16_t ac16;
274  ldns_buffer *keybuf;
275  size_t keysize;
276 
277  if (!key) {
278  return 0;
279  }
280 
283  ) {
284  return 0;
285  }
286 
287  /* rdata to buf - only put the rdata in a buffer */
288  keybuf = ldns_buffer_new(LDNS_MIN_BUFLEN); /* grows */
289  if (!keybuf) {
290  return 0;
291  }
292  (void)ldns_rr_rdata2buffer_wire(keybuf, key);
293  /* the current pos in the buffer is the keysize */
294  keysize= ldns_buffer_position(keybuf);
295 
296  ac16 = ldns_calc_keytag_raw(ldns_buffer_begin(keybuf), keysize);
297  ldns_buffer_free(keybuf);
298  return ac16;
299 }
300 
301 uint16_t ldns_calc_keytag_raw(const uint8_t* key, size_t keysize)
302 {
303  unsigned int i;
304  uint32_t ac32;
305  uint16_t ac16;
306 
307  if(keysize < 4) {
308  return 0;
309  }
310  /* look at the algorithm field, copied from 2535bis */
311  if (key[3] == LDNS_RSAMD5) {
312  ac16 = 0;
313  if (keysize > 4) {
314  memmove(&ac16, key + keysize - 3, 2);
315  }
316  ac16 = ntohs(ac16);
317  return (uint16_t) ac16;
318  } else {
319  ac32 = 0;
320  for (i = 0; (size_t)i < keysize; ++i) {
321  ac32 += (i & 1) ? key[i] : key[i] << 8;
322  }
323  ac32 += (ac32 >> 16) & 0xFFFF;
324  return (uint16_t) (ac32 & 0xFFFF);
325  }
326 }
327 
328 #ifdef HAVE_SSL
329 DSA *
331 {
332  return ldns_key_buf2dsa_raw((const unsigned char*)ldns_buffer_begin(key),
333  ldns_buffer_position(key));
334 }
335 
336 DSA *
337 ldns_key_buf2dsa_raw(const unsigned char* key, size_t len)
338 {
339  uint8_t T;
340  uint16_t length;
341  uint16_t offset;
342  DSA *dsa;
343  BIGNUM *Q; BIGNUM *P;
344  BIGNUM *G; BIGNUM *Y;
345 
346  if(len == 0)
347  return NULL;
348  T = (uint8_t)key[0];
349  length = (64 + T * 8);
350  offset = 1;
351 
352  if (T > 8) {
353  return NULL;
354  }
355  if(len < (size_t)1 + SHA_DIGEST_LENGTH + 3*length)
356  return NULL;
357 
358  Q = BN_bin2bn(key+offset, SHA_DIGEST_LENGTH, NULL);
359  offset += SHA_DIGEST_LENGTH;
360 
361  P = BN_bin2bn(key+offset, (int)length, NULL);
362  offset += length;
363 
364  G = BN_bin2bn(key+offset, (int)length, NULL);
365  offset += length;
366 
367  Y = BN_bin2bn(key+offset, (int)length, NULL);
368  offset += length;
369 
370  /* create the key and set its properties */
371  if(!Q || !P || !G || !Y || !(dsa = DSA_new())) {
372  BN_free(Q);
373  BN_free(P);
374  BN_free(G);
375  BN_free(Y);
376  return NULL;
377  }
378 #if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
379 #ifndef S_SPLINT_S
380  dsa->p = P;
381  dsa->q = Q;
382  dsa->g = G;
383  dsa->pub_key = Y;
384 #endif /* splint */
385 #else /* OPENSSL_VERSION_NUMBER */
386  if (!DSA_set0_pqg(dsa, P, Q, G)) {
387  /* QPG not yet attached, need to free */
388  BN_free(Q);
389  BN_free(P);
390  BN_free(G);
391 
392  DSA_free(dsa);
393  BN_free(Y);
394  return NULL;
395  }
396  if (!DSA_set0_key(dsa, Y, NULL)) {
397  /* QPG attached, cleaned up by DSA_fre() */
398  DSA_free(dsa);
399  BN_free(Y);
400  return NULL;
401  }
402 #endif /* OPENSSL_VERSION_NUMBER */
403  return dsa;
404 }
405 
406 RSA *
408 {
409  return ldns_key_buf2rsa_raw((const unsigned char*)ldns_buffer_begin(key),
410  ldns_buffer_position(key));
411 }
412 
413 RSA *
414 ldns_key_buf2rsa_raw(const unsigned char* key, size_t len)
415 {
416  uint16_t offset;
417  uint16_t exp;
418  uint16_t int16;
419  RSA *rsa;
420  BIGNUM *modulus;
421  BIGNUM *exponent;
422 
423  if (len == 0)
424  return NULL;
425  if (key[0] == 0) {
426  if(len < 3)
427  return NULL;
428  /* need some smart comment here XXX*/
429  /* the exponent is too large so it's places
430  * futher...???? */
431  memmove(&int16, key+1, 2);
432  exp = ntohs(int16);
433  offset = 3;
434  } else {
435  exp = key[0];
436  offset = 1;
437  }
438 
439  /* key length at least one */
440  if(len < (size_t)offset + exp + 1)
441  return NULL;
442 
443  /* Exponent */
444  exponent = BN_new();
445  if(!exponent) return NULL;
446  (void) BN_bin2bn(key+offset, (int)exp, exponent);
447  offset += exp;
448 
449  /* Modulus */
450  modulus = BN_new();
451  if(!modulus) {
452  BN_free(exponent);
453  return NULL;
454  }
455  /* length of the buffer must match the key length! */
456  (void) BN_bin2bn(key+offset, (int)(len - offset), modulus);
457 
458  rsa = RSA_new();
459  if(!rsa) {
460  BN_free(exponent);
461  BN_free(modulus);
462  return NULL;
463  }
464 #if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
465 #ifndef S_SPLINT_S
466  rsa->n = modulus;
467  rsa->e = exponent;
468 #endif /* splint */
469 #else /* OPENSSL_VERSION_NUMBER */
470  if (!RSA_set0_key(rsa, modulus, exponent, NULL)) {
471  BN_free(exponent);
472  BN_free(modulus);
473  RSA_free(rsa);
474  return NULL;
475  }
476 #endif /* OPENSSL_VERSION_NUMBER */
477 
478  return rsa;
479 }
480 
481 int
482 ldns_digest_evp(const unsigned char* data, unsigned int len, unsigned char* dest,
483  const EVP_MD* md)
484 {
485  EVP_MD_CTX* ctx;
486  ctx = EVP_MD_CTX_create();
487  if(!ctx)
488  return false;
489  if(!EVP_DigestInit_ex(ctx, md, NULL) ||
490  !EVP_DigestUpdate(ctx, data, len) ||
491  !EVP_DigestFinal_ex(ctx, dest, NULL)) {
492  EVP_MD_CTX_destroy(ctx);
493  return false;
494  }
495  EVP_MD_CTX_destroy(ctx);
496  return true;
497 }
498 #endif /* HAVE_SSL */
499 
500 ldns_rr *
502 {
503  ldns_rdf *tmp;
504  ldns_rr *ds;
505  uint16_t keytag;
506  uint8_t sha1hash;
507  uint8_t *digest;
508  ldns_buffer *data_buf;
509 #ifdef USE_GOST
510  const EVP_MD* md = NULL;
511 #endif
512 
514  return NULL;
515  }
516 
517  ds = ldns_rr_new();
518  if (!ds) {
519  return NULL;
520  }
523  ldns_rr_owner(key)));
524  ldns_rr_set_ttl(ds, ldns_rr_ttl(key));
526 
527  switch(h) {
528  default:
529  case LDNS_SHA1:
530  digest = LDNS_XMALLOC(uint8_t, LDNS_SHA1_DIGEST_LENGTH);
531  if (!digest) {
532  ldns_rr_free(ds);
533  return NULL;
534  }
535  break;
536  case LDNS_SHA256:
537  digest = LDNS_XMALLOC(uint8_t, LDNS_SHA256_DIGEST_LENGTH);
538  if (!digest) {
539  ldns_rr_free(ds);
540  return NULL;
541  }
542  break;
543  case LDNS_HASH_GOST:
544 #ifdef USE_GOST
546  md = EVP_get_digestbyname("md_gost94");
547  if(!md) {
548  ldns_rr_free(ds);
549  return NULL;
550  }
551  digest = LDNS_XMALLOC(uint8_t, EVP_MD_size(md));
552  if (!digest) {
553  ldns_rr_free(ds);
554  return NULL;
555  }
556  break;
557 #else
558  /* not implemented */
559  ldns_rr_free(ds);
560  return NULL;
561 #endif
562  case LDNS_SHA384:
563 #ifdef USE_ECDSA
564  digest = LDNS_XMALLOC(uint8_t, SHA384_DIGEST_LENGTH);
565  if (!digest) {
566  ldns_rr_free(ds);
567  return NULL;
568  }
569  break;
570 #else
571  /* not implemented */
572  ldns_rr_free(ds);
573  return NULL;
574 #endif
575  }
576 
578  if (!data_buf) {
579  LDNS_FREE(digest);
580  ldns_rr_free(ds);
581  return NULL;
582  }
583 
584  /* keytag */
585  keytag = htons(ldns_calc_keytag((ldns_rr*)key));
587  sizeof(uint16_t),
588  &keytag);
589  ldns_rr_push_rdf(ds, tmp);
590 
591  /* copy the algorithm field */
592  if ((tmp = ldns_rr_rdf(key, 2)) == NULL) {
593  LDNS_FREE(digest);
594  ldns_buffer_free(data_buf);
595  ldns_rr_free(ds);
596  return NULL;
597  } else {
598  ldns_rr_push_rdf(ds, ldns_rdf_clone( tmp ));
599  }
600 
601  /* digest hash type */
602  sha1hash = (uint8_t)h;
604  sizeof(uint8_t),
605  &sha1hash);
606  ldns_rr_push_rdf(ds, tmp);
607 
608  /* digest */
609  /* owner name */
610  tmp = ldns_rdf_clone(ldns_rr_owner(key));
612  if (ldns_rdf2buffer_wire(data_buf, tmp) != LDNS_STATUS_OK) {
613  LDNS_FREE(digest);
614  ldns_buffer_free(data_buf);
615  ldns_rr_free(ds);
616  ldns_rdf_deep_free(tmp);
617  return NULL;
618  }
619  ldns_rdf_deep_free(tmp);
620 
621  /* all the rdata's */
622  if (ldns_rr_rdata2buffer_wire(data_buf,
623  (ldns_rr*)key) != LDNS_STATUS_OK) {
624  LDNS_FREE(digest);
625  ldns_buffer_free(data_buf);
626  ldns_rr_free(ds);
627  return NULL;
628  }
629  switch(h) {
630  case LDNS_SHA1:
631  (void) ldns_sha1((unsigned char *) ldns_buffer_begin(data_buf),
632  (unsigned int) ldns_buffer_position(data_buf),
633  (unsigned char *) digest);
634 
637  digest);
638  ldns_rr_push_rdf(ds, tmp);
639 
640  break;
641  case LDNS_SHA256:
642  (void) ldns_sha256((unsigned char *) ldns_buffer_begin(data_buf),
643  (unsigned int) ldns_buffer_position(data_buf),
644  (unsigned char *) digest);
647  digest);
648  ldns_rr_push_rdf(ds, tmp);
649  break;
650  case LDNS_HASH_GOST:
651 #ifdef USE_GOST
652  if(!ldns_digest_evp((unsigned char *) ldns_buffer_begin(data_buf),
653  (unsigned int) ldns_buffer_position(data_buf),
654  (unsigned char *) digest, md)) {
655  LDNS_FREE(digest);
656  ldns_buffer_free(data_buf);
657  ldns_rr_free(ds);
658  return NULL;
659  }
661  (size_t)EVP_MD_size(md),
662  digest);
663  ldns_rr_push_rdf(ds, tmp);
664 #endif
665  break;
666  case LDNS_SHA384:
667 #ifdef USE_ECDSA
668  (void) SHA384((unsigned char *) ldns_buffer_begin(data_buf),
669  (unsigned int) ldns_buffer_position(data_buf),
670  (unsigned char *) digest);
672  SHA384_DIGEST_LENGTH,
673  digest);
674  ldns_rr_push_rdf(ds, tmp);
675 #endif
676  break;
677  }
678 
679  LDNS_FREE(digest);
680  ldns_buffer_free(data_buf);
681  return ds;
682 }
683 
684 /* From RFC3845:
685  *
686  * 2.1.2. The List of Type Bit Map(s) Field
687  *
688  * The RR type space is split into 256 window blocks, each representing
689  * the low-order 8 bits of the 16-bit RR type space. Each block that
690  * has at least one active RR type is encoded using a single octet
691  * window number (from 0 to 255), a single octet bitmap length (from 1
692  * to 32) indicating the number of octets used for the window block's
693  * bitmap, and up to 32 octets (256 bits) of bitmap.
694  *
695  * Window blocks are present in the NSEC RR RDATA in increasing
696  * numerical order.
697  *
698  * "|" denotes concatenation
699  *
700  * Type Bit Map(s) Field = ( Window Block # | Bitmap Length | Bitmap ) +
701  *
702  * <cut>
703  *
704  * Blocks with no types present MUST NOT be included. Trailing zero
705  * octets in the bitmap MUST be omitted. The length of each block's
706  * bitmap is determined by the type code with the largest numerical
707  * value within that block, among the set of RR types present at the
708  * NSEC RR's owner name. Trailing zero octets not specified MUST be
709  * interpreted as zero octets.
710  */
711 ldns_rdf *
713  size_t size,
714  ldns_rr_type nsec_type)
715 {
716  uint8_t window; /* most significant octet of type */
717  uint8_t subtype; /* least significant octet of type */
718  int windows[256]; /* Max subtype per window */
719  uint8_t windowpresent[256]; /* bool if window appears in bitmap */
720  ldns_rr_type* d; /* used to traverse rr_type_list*/
721  size_t i; /* used to traverse windows array */
722 
723  size_t sz; /* size needed for type bitmap rdf */
724  uint8_t* data = NULL; /* rdf data */
725  uint8_t* dptr; /* used to itraverse rdf data */
726  ldns_rdf* rdf; /* bitmap rdf to return */
727 
728  if (nsec_type != LDNS_RR_TYPE_NSEC &&
729  nsec_type != LDNS_RR_TYPE_NSEC3) {
730  return NULL;
731  }
732  memset(windows, 0, sizeof(int)*256);
733  memset(windowpresent, 0, 256);
734 
735  /* Which other windows need to be in the bitmap rdf?
736  */
737  for (d = rr_type_list; d < rr_type_list + size; d++) {
738  window = *d >> 8;
739  subtype = *d & 0xff;
740  windowpresent[window] = 1;
741  if (windows[window] < (int)subtype) {
742  windows[window] = (int)subtype;
743  }
744  }
745 
746  /* How much space do we need in the rdf for those windows?
747  */
748  sz = 0;
749  for (i = 0; i < 256; i++) {
750  if (windowpresent[i]) {
751  sz += windows[i] / 8 + 3;
752  }
753  }
754  if (sz > 0) {
755  /* Format rdf data according RFC3845 Section 2.1.2 (see above)
756  */
757  dptr = data = LDNS_CALLOC(uint8_t, sz);
758  if (!data) {
759  return NULL;
760  }
761  for (i = 0; i < 256; i++) {
762  if (windowpresent[i]) {
763  *dptr++ = (uint8_t)i;
764  *dptr++ = (uint8_t)(windows[i] / 8 + 1);
765 
766  /* Now let windows[i] index the bitmap
767  * within data
768  */
769  windows[i] = (int)(dptr - data);
770 
771  dptr += dptr[-1];
772  }
773  }
774  }
775 
776  /* Set the bits?
777  */
778  for (d = rr_type_list; d < rr_type_list + size; d++) {
779  subtype = *d & 0xff;
780  data[windows[*d >> 8] + subtype/8] |= (0x80 >> (subtype % 8));
781  }
782 
783  /* Allocate and return rdf structure for the data
784  */
785  rdf = ldns_rdf_new(LDNS_RDF_TYPE_BITMAP, sz, data);
786  if (!rdf) {
787  LDNS_FREE(data);
788  return NULL;
789  }
790  return rdf;
791 }
792 
793 int
795  ldns_rr_type type)
796 {
797  const ldns_dnssec_rrsets *cur_rrset = rrsets;
798  while (cur_rrset) {
799  if (cur_rrset->type == type) {
800  return 1;
801  }
802  cur_rrset = cur_rrset->next;
803  }
804  return 0;
805 }
806 
807 ldns_rr *
809  const ldns_dnssec_name *to,
810  ldns_rr_type nsec_type)
811 {
812  ldns_rr *nsec_rr;
813  ldns_rr_type types[65536];
814  size_t type_count = 0;
815  ldns_dnssec_rrsets *cur_rrsets;
816  int on_delegation_point;
817 
818  if (!from || !to || (nsec_type != LDNS_RR_TYPE_NSEC)) {
819  return NULL;
820  }
821 
822  nsec_rr = ldns_rr_new();
823  ldns_rr_set_type(nsec_rr, nsec_type);
826 
827  on_delegation_point = ldns_dnssec_rrsets_contains_type(
828  from->rrsets, LDNS_RR_TYPE_NS)
830  from->rrsets, LDNS_RR_TYPE_SOA);
831 
832  cur_rrsets = from->rrsets;
833  while (cur_rrsets) {
834  /* Do not include non-authoritative rrsets on the delegation point
835  * in the type bitmap */
836  if ((on_delegation_point && (
837  cur_rrsets->type == LDNS_RR_TYPE_NS
838  || cur_rrsets->type == LDNS_RR_TYPE_DS))
839  || (!on_delegation_point &&
840  cur_rrsets->type != LDNS_RR_TYPE_RRSIG
841  && cur_rrsets->type != LDNS_RR_TYPE_NSEC)) {
842 
843  types[type_count] = cur_rrsets->type;
844  type_count++;
845  }
846  cur_rrsets = cur_rrsets->next;
847 
848  }
849  types[type_count] = LDNS_RR_TYPE_RRSIG;
850  type_count++;
851  types[type_count] = LDNS_RR_TYPE_NSEC;
852  type_count++;
853 
855  type_count,
856  nsec_type));
857 
858  return nsec_rr;
859 }
860 
861 ldns_rr *
863  const ldns_dnssec_name *to,
864  const ldns_rdf *zone_name,
865  uint8_t algorithm,
866  uint8_t flags,
867  uint16_t iterations,
868  uint8_t salt_length,
869  const uint8_t *salt)
870 {
871  ldns_rr *nsec_rr;
872  ldns_rr_type types[65536];
873  size_t type_count = 0;
874  ldns_dnssec_rrsets *cur_rrsets;
875  ldns_status status;
876  int on_delegation_point;
877 
878  if (!from) {
879  return NULL;
880  }
881 
883  ldns_rr_set_owner(nsec_rr,
885  algorithm,
886  iterations,
887  salt_length,
888  salt));
889  status = ldns_dname_cat(ldns_rr_owner(nsec_rr), zone_name);
890  if(status != LDNS_STATUS_OK) {
891  ldns_rr_free(nsec_rr);
892  return NULL;
893  }
895  algorithm,
896  flags,
897  iterations,
898  salt_length,
899  salt);
900 
901  on_delegation_point = ldns_dnssec_rrsets_contains_type(
902  from->rrsets, LDNS_RR_TYPE_NS)
904  from->rrsets, LDNS_RR_TYPE_SOA);
905  cur_rrsets = from->rrsets;
906  while (cur_rrsets) {
907  /* Do not include non-authoritative rrsets on the delegation point
908  * in the type bitmap. Potentionally not skipping insecure
909  * delegation should have been done earlier, in function
910  * ldns_dnssec_zone_create_nsec3s, or even earlier in:
911  * ldns_dnssec_zone_sign_nsec3_flg .
912  */
913  if ((on_delegation_point && (
914  cur_rrsets->type == LDNS_RR_TYPE_NS
915  || cur_rrsets->type == LDNS_RR_TYPE_DS))
916  || (!on_delegation_point &&
917  cur_rrsets->type != LDNS_RR_TYPE_RRSIG)) {
918 
919  types[type_count] = cur_rrsets->type;
920  type_count++;
921  }
922  cur_rrsets = cur_rrsets->next;
923  }
924  /* always add rrsig type if this is not an unsigned
925  * delegation
926  */
927  if (type_count > 0 &&
928  !(type_count == 1 && types[0] == LDNS_RR_TYPE_NS)) {
929  types[type_count] = LDNS_RR_TYPE_RRSIG;
930  type_count++;
931  }
932 
933  /* leave next rdata empty if they weren't precomputed yet */
934  if (to && to->hashed_name) {
935  (void) ldns_rr_set_rdf(nsec_rr,
937  4);
938  } else {
939  (void) ldns_rr_set_rdf(nsec_rr, NULL, 4);
940  }
941 
942  ldns_rr_push_rdf(nsec_rr,
944  type_count,
946 
947  return nsec_rr;
948 }
949 
950 ldns_rr *
951 ldns_create_nsec(ldns_rdf *cur_owner, ldns_rdf *next_owner, ldns_rr_list *rrs)
952 {
953  /* we do not do any check here - garbage in, garbage out */
954 
955  /* the the start and end names - get the type from the
956  * before rrlist */
957 
958  /* inefficient, just give it a name, a next name, and a list of rrs */
959  /* we make 1 big uberbitmap first, then windows */
960  /* todo: make something more efficient :) */
961  uint16_t i;
962  ldns_rr *i_rr;
963  uint16_t i_type;
964 
965  ldns_rr *nsec = NULL;
966  ldns_rr_type i_type_list[65536];
967  size_t type_count = 0;
968 
969  nsec = ldns_rr_new();
971  ldns_rr_set_owner(nsec, ldns_rdf_clone(cur_owner));
972  ldns_rr_push_rdf(nsec, ldns_rdf_clone(next_owner));
973 
974  for (i = 0; i < ldns_rr_list_rr_count(rrs); i++) {
975  i_rr = ldns_rr_list_rr(rrs, i);
976  if (ldns_rdf_compare(cur_owner,
977  ldns_rr_owner(i_rr)) == 0) {
978  i_type = ldns_rr_get_type(i_rr);
979  if (i_type != LDNS_RR_TYPE_RRSIG && i_type != LDNS_RR_TYPE_NSEC) {
980  if (type_count == 0 || i_type_list[type_count-1] != i_type) {
981  i_type_list[type_count] = i_type;
982  type_count++;
983  }
984  }
985  }
986  }
987 
988  i_type_list[type_count] = LDNS_RR_TYPE_RRSIG;
989  type_count++;
990  i_type_list[type_count] = LDNS_RR_TYPE_NSEC;
991  type_count++;
992 
993  ldns_rr_push_rdf(nsec,
994  ldns_dnssec_create_nsec_bitmap(i_type_list,
995  type_count, LDNS_RR_TYPE_NSEC));
996 
997  return nsec;
998 }
999 
1000 ldns_rdf *
1002  uint8_t algorithm,
1003  uint16_t iterations,
1004  uint8_t salt_length,
1005  const uint8_t *salt)
1006 {
1007  size_t hashed_owner_str_len;
1008  ldns_rdf *cann;
1009  ldns_rdf *hashed_owner;
1010  unsigned char *hashed_owner_str;
1011  char *hashed_owner_b32;
1012  size_t hashed_owner_b32_len;
1013  uint32_t cur_it;
1014  /* define to contain the largest possible hash, which is
1015  * sha1 at the moment */
1016  unsigned char hash[LDNS_SHA1_DIGEST_LENGTH];
1017  ldns_status status;
1018 
1019  /* TODO: mnemonic list for hash algs SHA-1, default to 1 now (sha1) */
1020  if (algorithm != LDNS_SHA1) {
1021  return NULL;
1022  }
1023 
1024  /* prepare the owner name according to the draft section bla */
1025  cann = ldns_rdf_clone(name);
1026  if(!cann) {
1027 #ifdef STDERR_MSGS
1028  fprintf(stderr, "Memory error\n");
1029 #endif
1030  return NULL;
1031  }
1032  ldns_dname2canonical(cann);
1033 
1034  hashed_owner_str_len = salt_length + ldns_rdf_size(cann);
1035  hashed_owner_str = LDNS_XMALLOC(unsigned char, hashed_owner_str_len);
1036  if(!hashed_owner_str) {
1037  ldns_rdf_deep_free(cann);
1038  return NULL;
1039  }
1040  memcpy(hashed_owner_str, ldns_rdf_data(cann), ldns_rdf_size(cann));
1041  memcpy(hashed_owner_str + ldns_rdf_size(cann), salt, salt_length);
1042  ldns_rdf_deep_free(cann);
1043 
1044  for (cur_it = iterations + 1; cur_it > 0; cur_it--) {
1045  (void) ldns_sha1((unsigned char *) hashed_owner_str,
1046  (unsigned int) hashed_owner_str_len, hash);
1047 
1048  LDNS_FREE(hashed_owner_str);
1049  hashed_owner_str_len = salt_length + LDNS_SHA1_DIGEST_LENGTH;
1050  hashed_owner_str = LDNS_XMALLOC(unsigned char, hashed_owner_str_len);
1051  if (!hashed_owner_str) {
1052  return NULL;
1053  }
1054  memcpy(hashed_owner_str, hash, LDNS_SHA1_DIGEST_LENGTH);
1055  memcpy(hashed_owner_str + LDNS_SHA1_DIGEST_LENGTH, salt, salt_length);
1056  hashed_owner_str_len = LDNS_SHA1_DIGEST_LENGTH + salt_length;
1057  }
1058 
1059  LDNS_FREE(hashed_owner_str);
1060  hashed_owner_str = hash;
1061  hashed_owner_str_len = LDNS_SHA1_DIGEST_LENGTH;
1062 
1063  hashed_owner_b32 = LDNS_XMALLOC(char,
1064  ldns_b32_ntop_calculate_size(hashed_owner_str_len) + 1);
1065  if(!hashed_owner_b32) {
1066  return NULL;
1067  }
1068  hashed_owner_b32_len = (size_t) ldns_b32_ntop_extended_hex(
1069  (uint8_t *) hashed_owner_str,
1070  hashed_owner_str_len,
1071  hashed_owner_b32,
1072  ldns_b32_ntop_calculate_size(hashed_owner_str_len)+1);
1073  if (hashed_owner_b32_len < 1) {
1074 #ifdef STDERR_MSGS
1075  fprintf(stderr, "Error in base32 extended hex encoding ");
1076  fprintf(stderr, "of hashed owner name (name: ");
1077  ldns_rdf_print(stderr, name);
1078  fprintf(stderr, ", return code: %u)\n",
1079  (unsigned int) hashed_owner_b32_len);
1080 #endif
1081  LDNS_FREE(hashed_owner_b32);
1082  return NULL;
1083  }
1084  hashed_owner_b32[hashed_owner_b32_len] = '\0';
1085 
1086  status = ldns_str2rdf_dname(&hashed_owner, hashed_owner_b32);
1087  if (status != LDNS_STATUS_OK) {
1088 #ifdef STDERR_MSGS
1089  fprintf(stderr, "Error creating rdf from %s\n", hashed_owner_b32);
1090 #endif
1091  LDNS_FREE(hashed_owner_b32);
1092  return NULL;
1093  }
1094 
1095  LDNS_FREE(hashed_owner_b32);
1096  return hashed_owner;
1097 }
1098 
1099 void
1101  uint8_t algorithm,
1102  uint8_t flags,
1103  uint16_t iterations,
1104  uint8_t salt_length,
1105  const uint8_t *salt)
1106 {
1107  ldns_rdf *salt_rdf = NULL;
1108  uint8_t *salt_data = NULL;
1109  ldns_rdf *old;
1110 
1111  old = ldns_rr_set_rdf(rr,
1113  1, (void*)&algorithm),
1114  0);
1115  if (old) ldns_rdf_deep_free(old);
1116 
1117  old = ldns_rr_set_rdf(rr,
1119  1, (void*)&flags),
1120  1);
1121  if (old) ldns_rdf_deep_free(old);
1122 
1123  old = ldns_rr_set_rdf(rr,
1125  iterations),
1126  2);
1127  if (old) ldns_rdf_deep_free(old);
1128 
1129  salt_data = LDNS_XMALLOC(uint8_t, salt_length + 1);
1130  if(!salt_data) {
1131  /* no way to return error */
1132  return;
1133  }
1134  salt_data[0] = salt_length;
1135  memcpy(salt_data + 1, salt, salt_length);
1137  salt_length + 1,
1138  salt_data);
1139  if(!salt_rdf) {
1140  LDNS_FREE(salt_data);
1141  /* no way to return error */
1142  return;
1143  }
1144 
1145  old = ldns_rr_set_rdf(rr, salt_rdf, 3);
1146  if (old) ldns_rdf_deep_free(old);
1147  LDNS_FREE(salt_data);
1148 }
1149 
1150 static int
1151 rr_list_delegation_only(const ldns_rdf *origin, const ldns_rr_list *rr_list)
1152 {
1153  size_t i;
1154  ldns_rr *cur_rr;
1155  if (!origin || !rr_list) return 0;
1156  for (i = 0; i < ldns_rr_list_rr_count(rr_list); i++) {
1157  cur_rr = ldns_rr_list_rr(rr_list, i);
1158  if (ldns_dname_compare(ldns_rr_owner(cur_rr), origin) == 0) {
1159  return 0;
1160  }
1161  if (ldns_rr_get_type(cur_rr) != LDNS_RR_TYPE_NS) {
1162  return 0;
1163  }
1164  }
1165  return 1;
1166 }
1167 
1168 /* this will NOT return the NSEC3 completed, you will have to run the
1169  finalize function on the rrlist later! */
1170 ldns_rr *
1171 ldns_create_nsec3(const ldns_rdf *cur_owner,
1172  const ldns_rdf *cur_zone,
1173  const ldns_rr_list *rrs,
1174  uint8_t algorithm,
1175  uint8_t flags,
1176  uint16_t iterations,
1177  uint8_t salt_length,
1178  const uint8_t *salt,
1179  bool emptynonterminal)
1180 {
1181  size_t i;
1182  ldns_rr *i_rr;
1183  uint16_t i_type;
1184 
1185  ldns_rr *nsec = NULL;
1186  ldns_rdf *hashed_owner = NULL;
1187 
1188  ldns_status status;
1189 
1190  ldns_rr_type i_type_list[1024];
1191  size_t type_count = 0;
1192 
1193  hashed_owner = ldns_nsec3_hash_name(cur_owner,
1194  algorithm,
1195  iterations,
1196  salt_length,
1197  salt);
1198  status = ldns_dname_cat(hashed_owner, cur_zone);
1199  if(status != LDNS_STATUS_OK) {
1200  ldns_rdf_deep_free(hashed_owner);
1201  return NULL;
1202  }
1204  if(!nsec) {
1205  ldns_rdf_deep_free(hashed_owner);
1206  return NULL;
1207  }
1209  ldns_rr_set_owner(nsec, hashed_owner);
1210 
1212  algorithm,
1213  flags,
1214  iterations,
1215  salt_length,
1216  salt);
1217  (void) ldns_rr_set_rdf(nsec, NULL, 4);
1218 
1219 
1220  for (i = 0; i < ldns_rr_list_rr_count(rrs); i++) {
1221  i_rr = ldns_rr_list_rr(rrs, i);
1222  if (ldns_rdf_compare(cur_owner,
1223  ldns_rr_owner(i_rr)) == 0) {
1224  i_type = ldns_rr_get_type(i_rr);
1225  if (type_count == 0 || i_type_list[type_count-1] != i_type) {
1226  i_type_list[type_count] = i_type;
1227  type_count++;
1228  }
1229  }
1230  }
1231 
1232  /* add RRSIG anyway, but only if this is not an ENT or
1233  * an unsigned delegation */
1234  if (!emptynonterminal && !rr_list_delegation_only(cur_zone, rrs)) {
1235  i_type_list[type_count] = LDNS_RR_TYPE_RRSIG;
1236  type_count++;
1237  }
1238 
1239  /* and SOA if owner == zone */
1240  if (ldns_dname_compare(cur_zone, cur_owner) == 0) {
1241  i_type_list[type_count] = LDNS_RR_TYPE_SOA;
1242  type_count++;
1243  }
1244 
1245  ldns_rr_push_rdf(nsec,
1246  ldns_dnssec_create_nsec_bitmap(i_type_list,
1247  type_count, LDNS_RR_TYPE_NSEC3));
1248 
1249  return nsec;
1250 }
1251 
1252 uint8_t
1254 {
1255  if (nsec3_rr &&
1256  (ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3 ||
1258  && (ldns_rr_rdf(nsec3_rr, 0) != NULL)
1259  && ldns_rdf_size(ldns_rr_rdf(nsec3_rr, 0)) > 0) {
1260  return ldns_rdf2native_int8(ldns_rr_rdf(nsec3_rr, 0));
1261  }
1262  return 0;
1263 }
1264 
1265 uint8_t
1266 ldns_nsec3_flags(const ldns_rr *nsec3_rr)
1267 {
1268  if (nsec3_rr &&
1269  (ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3 ||
1271  && (ldns_rr_rdf(nsec3_rr, 1) != NULL)
1272  && ldns_rdf_size(ldns_rr_rdf(nsec3_rr, 1)) > 0) {
1273  return ldns_rdf2native_int8(ldns_rr_rdf(nsec3_rr, 1));
1274  }
1275  return 0;
1276 }
1277 
1278 bool
1279 ldns_nsec3_optout(const ldns_rr *nsec3_rr)
1280 {
1281  return (ldns_nsec3_flags(nsec3_rr) & LDNS_NSEC3_VARS_OPTOUT_MASK);
1282 }
1283 
1284 uint16_t
1286 {
1287  if (nsec3_rr &&
1288  (ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3 ||
1290  && (ldns_rr_rdf(nsec3_rr, 2) != NULL)
1291  && ldns_rdf_size(ldns_rr_rdf(nsec3_rr, 2)) > 0) {
1292  return ldns_rdf2native_int16(ldns_rr_rdf(nsec3_rr, 2));
1293  }
1294  return 0;
1295 
1296 }
1297 
1298 ldns_rdf *
1299 ldns_nsec3_salt(const ldns_rr *nsec3_rr)
1300 {
1301  if (nsec3_rr &&
1302  (ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3 ||
1304  ) {
1305  return ldns_rr_rdf(nsec3_rr, 3);
1306  }
1307  return NULL;
1308 }
1309 
1310 uint8_t
1312 {
1313  ldns_rdf *salt_rdf = ldns_nsec3_salt(nsec3_rr);
1314  if (salt_rdf && ldns_rdf_size(salt_rdf) > 0) {
1315  return (uint8_t) ldns_rdf_data(salt_rdf)[0];
1316  }
1317  return 0;
1318 }
1319 
1320 /* allocs data, free with LDNS_FREE() */
1321 uint8_t *
1323 {
1324  uint8_t salt_length;
1325  uint8_t *salt;
1326 
1327  ldns_rdf *salt_rdf = ldns_nsec3_salt(nsec3_rr);
1328  if (salt_rdf && ldns_rdf_size(salt_rdf) > 0) {
1329  salt_length = ldns_rdf_data(salt_rdf)[0];
1330  salt = LDNS_XMALLOC(uint8_t, salt_length);
1331  if(!salt) return NULL;
1332  memcpy(salt, &ldns_rdf_data(salt_rdf)[1], salt_length);
1333  return salt;
1334  }
1335  return NULL;
1336 }
1337 
1338 ldns_rdf *
1340 {
1341  if (!nsec3_rr || ldns_rr_get_type(nsec3_rr) != LDNS_RR_TYPE_NSEC3) {
1342  return NULL;
1343  } else {
1344  return ldns_rr_rdf(nsec3_rr, 4);
1345  }
1346 }
1347 
1348 ldns_rdf *
1349 ldns_nsec3_bitmap(const ldns_rr *nsec3_rr)
1350 {
1351  if (!nsec3_rr || ldns_rr_get_type(nsec3_rr) != LDNS_RR_TYPE_NSEC3) {
1352  return NULL;
1353  } else {
1354  return ldns_rr_rdf(nsec3_rr, 5);
1355  }
1356 }
1357 
1358 ldns_rdf *
1360 {
1361  uint8_t algorithm;
1362  uint16_t iterations;
1363  uint8_t salt_length;
1364  uint8_t *salt = 0;
1365 
1366  ldns_rdf *hashed_owner;
1367 
1368  algorithm = ldns_nsec3_algorithm(nsec);
1369  salt_length = ldns_nsec3_salt_length(nsec);
1370  salt = ldns_nsec3_salt_data(nsec);
1371  iterations = ldns_nsec3_iterations(nsec);
1372 
1373  hashed_owner = ldns_nsec3_hash_name(name,
1374  algorithm,
1375  iterations,
1376  salt_length,
1377  salt);
1378 
1379  LDNS_FREE(salt);
1380  return hashed_owner;
1381 }
1382 
1383 bool
1385 {
1386  uint8_t* dptr;
1387  uint8_t* dend;
1388 
1389  /* From RFC3845 Section 2.1.2:
1390  *
1391  * "The RR type space is split into 256 window blocks, each re-
1392  * presenting the low-order 8 bits of the 16-bit RR type space."
1393  */
1394  uint8_t window = type >> 8;
1395  uint8_t subtype = type & 0xff;
1396 
1397  if (! bitmap) {
1398  return false;
1399  }
1400  assert(ldns_rdf_get_type(bitmap) == LDNS_RDF_TYPE_BITMAP);
1401 
1402  dptr = ldns_rdf_data(bitmap);
1403  dend = ldns_rdf_data(bitmap) + ldns_rdf_size(bitmap);
1404 
1405  /* Type Bitmap = ( Window Block # | Bitmap Length | Bitmap ) +
1406  * dptr[0] dptr[1] dptr[2:]
1407  */
1408  while (dptr < dend && dptr[0] <= window) {
1409 
1410  if (dptr[0] == window && subtype / 8 < dptr[1] &&
1411  dptr + dptr[1] + 2 <= dend) {
1412 
1413  return dptr[2 + subtype / 8] & (0x80 >> (subtype % 8));
1414  }
1415  dptr += dptr[1] + 2; /* next window */
1416  }
1417  return false;
1418 }
1419 
1422 {
1423  uint8_t* dptr;
1424  uint8_t* dend;
1425 
1426  /* From RFC3845 Section 2.1.2:
1427  *
1428  * "The RR type space is split into 256 window blocks, each re-
1429  * presenting the low-order 8 bits of the 16-bit RR type space."
1430  */
1431  uint8_t window = type >> 8;
1432  uint8_t subtype = type & 0xff;
1433 
1434  if (! bitmap) {
1435  return false;
1436  }
1437  assert(ldns_rdf_get_type(bitmap) == LDNS_RDF_TYPE_BITMAP);
1438 
1439  dptr = ldns_rdf_data(bitmap);
1440  dend = ldns_rdf_data(bitmap) + ldns_rdf_size(bitmap);
1441 
1442  /* Type Bitmap = ( Window Block # | Bitmap Length | Bitmap ) +
1443  * dptr[0] dptr[1] dptr[2:]
1444  */
1445  while (dptr < dend && dptr[0] <= window) {
1446 
1447  if (dptr[0] == window && subtype / 8 < dptr[1] &&
1448  dptr + dptr[1] + 2 <= dend) {
1449 
1450  dptr[2 + subtype / 8] |= (0x80 >> (subtype % 8));
1451  return LDNS_STATUS_OK;
1452  }
1453  dptr += dptr[1] + 2; /* next window */
1454  }
1456 }
1457 
1460 {
1461  uint8_t* dptr;
1462  uint8_t* dend;
1463 
1464  /* From RFC3845 Section 2.1.2:
1465  *
1466  * "The RR type space is split into 256 window blocks, each re-
1467  * presenting the low-order 8 bits of the 16-bit RR type space."
1468  */
1469  uint8_t window = type >> 8;
1470  uint8_t subtype = type & 0xff;
1471 
1472  if (! bitmap) {
1473  return false;
1474  }
1475 
1476  assert(ldns_rdf_get_type(bitmap) == LDNS_RDF_TYPE_BITMAP);
1477 
1478  dptr = ldns_rdf_data(bitmap);
1479  dend = ldns_rdf_data(bitmap) + ldns_rdf_size(bitmap);
1480 
1481  /* Type Bitmap = ( Window Block # | Bitmap Length | Bitmap ) +
1482  * dptr[0] dptr[1] dptr[2:]
1483  */
1484  while (dptr < dend && dptr[0] <= window) {
1485 
1486  if (dptr[0] == window && subtype / 8 < dptr[1] &&
1487  dptr + dptr[1] + 2 <= dend) {
1488 
1489  dptr[2 + subtype / 8] &= ~(0x80 >> (subtype % 8));
1490  return LDNS_STATUS_OK;
1491  }
1492  dptr += dptr[1] + 2; /* next window */
1493  }
1495 }
1496 
1497 
1498 bool
1499 ldns_nsec_covers_name(const ldns_rr *nsec, const ldns_rdf *name)
1500 {
1501  ldns_rdf *nsec_owner = ldns_rr_owner(nsec);
1502  ldns_rdf *hash_next;
1503  char *next_hash_str;
1504  ldns_rdf *nsec_next = NULL;
1505  ldns_status status;
1506  ldns_rdf *chopped_dname;
1507  bool result;
1508 
1509  if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC) {
1510  if (ldns_rr_rdf(nsec, 0) != NULL) {
1511  nsec_next = ldns_rdf_clone(ldns_rr_rdf(nsec, 0));
1512  } else {
1513  return false;
1514  }
1515  } else if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC3) {
1516  hash_next = ldns_nsec3_next_owner(nsec);
1517  next_hash_str = ldns_rdf2str(hash_next);
1518  nsec_next = ldns_dname_new_frm_str(next_hash_str);
1519  LDNS_FREE(next_hash_str);
1520  chopped_dname = ldns_dname_left_chop(nsec_owner);
1521  status = ldns_dname_cat(nsec_next, chopped_dname);
1522  ldns_rdf_deep_free(chopped_dname);
1523  if (status != LDNS_STATUS_OK) {
1524  printf("error catting: %s\n", ldns_get_errorstr_by_id(status));
1525  }
1526  } else {
1527  ldns_rdf_deep_free(nsec_next);
1528  return false;
1529  }
1530 
1531  /* in the case of the last nsec */
1532  if(ldns_dname_compare(nsec_owner, nsec_next) > 0) {
1533  result = (ldns_dname_compare(nsec_owner, name) <= 0 ||
1534  ldns_dname_compare(name, nsec_next) < 0);
1535  } else if(ldns_dname_compare(nsec_owner, nsec_next) < 0) {
1536  result = (ldns_dname_compare(nsec_owner, name) <= 0 &&
1537  ldns_dname_compare(name, nsec_next) < 0);
1538  } else {
1539  result = true;
1540  }
1541 
1542  ldns_rdf_deep_free(nsec_next);
1543  return result;
1544 }
1545 
1546 #ifdef HAVE_SSL
1547 /* sig may be null - if so look in the packet */
1548 
1551  const ldns_rr_list *k, const ldns_rr_list *s,
1552  time_t check_time, ldns_rr_list *good_keys)
1553 {
1554  ldns_rr_list *rrset;
1555  ldns_rr_list *sigs;
1556  ldns_rr_list *sigs_covered;
1557  ldns_rdf *rdf_t;
1558  ldns_rr_type t_netorder;
1559 
1560  if (!k) {
1561  return LDNS_STATUS_ERR;
1562  /* return LDNS_STATUS_CRYPTO_NO_DNSKEY; */
1563  }
1564 
1565  if (t == LDNS_RR_TYPE_RRSIG) {
1566  /* we don't have RRSIG(RRSIG) (yet? ;-) ) */
1567  return LDNS_STATUS_ERR;
1568  }
1569 
1570  if (s) {
1571  /* if s is not NULL, the sigs are given to use */
1572  sigs = (ldns_rr_list *)s;
1573  } else {
1574  /* otherwise get them from the packet */
1578  if (!sigs) {
1579  /* no sigs */
1580  return LDNS_STATUS_ERR;
1581  /* return LDNS_STATUS_CRYPTO_NO_RRSIG; */
1582  }
1583  }
1584 
1585  /* rrsig are subtyped, so now we need to find the correct
1586  * sigs for the type t
1587  */
1588  t_netorder = htons(t); /* rdf are in network order! */
1589  /* a type identifier is a 16-bit number, so the size is 2 bytes */
1590  rdf_t = ldns_rdf_new(LDNS_RDF_TYPE_TYPE, 2, &t_netorder);
1591 
1592  sigs_covered = ldns_rr_list_subtype_by_rdf(sigs, rdf_t, 0);
1593  ldns_rdf_free(rdf_t);
1594  if (! sigs_covered) {
1595  if (! s) {
1596  ldns_rr_list_deep_free(sigs);
1597  }
1598  return LDNS_STATUS_ERR;
1599  }
1600  ldns_rr_list_deep_free(sigs_covered);
1601 
1602  rrset = ldns_pkt_rr_list_by_name_and_type(p, o, t,
1604  if (!rrset) {
1605  if (! s) {
1606  ldns_rr_list_deep_free(sigs);
1607  }
1608  return LDNS_STATUS_ERR;
1609  }
1610  return ldns_verify_time(rrset, sigs, k, check_time, good_keys);
1611 }
1612 
1615  const ldns_rr_list *k, const ldns_rr_list *s, ldns_rr_list *good_keys)
1616 {
1617  return ldns_pkt_verify_time(p, t, o, k, s, ldns_time(NULL), good_keys);
1618 }
1619 #endif /* HAVE_SSL */
1620 
1623 {
1624  size_t i;
1625  char *next_nsec_owner_str;
1626  ldns_rdf *next_nsec_owner_label;
1627  ldns_rdf *next_nsec_rdf;
1628  ldns_status status = LDNS_STATUS_OK;
1629 
1630  for (i = 0; i < ldns_rr_list_rr_count(nsec3_rrs); i++) {
1631  if (i == ldns_rr_list_rr_count(nsec3_rrs) - 1) {
1632  next_nsec_owner_label =
1634  0)), 0);
1635  next_nsec_owner_str = ldns_rdf2str(next_nsec_owner_label);
1636  if (next_nsec_owner_str[strlen(next_nsec_owner_str) - 1]
1637  == '.') {
1638  next_nsec_owner_str[strlen(next_nsec_owner_str) - 1]
1639  = '\0';
1640  }
1641  status = ldns_str2rdf_b32_ext(&next_nsec_rdf,
1642  next_nsec_owner_str);
1643  if (!ldns_rr_set_rdf(ldns_rr_list_rr(nsec3_rrs, i),
1644  next_nsec_rdf, 4)) {
1645  /* todo: error */
1646  }
1647 
1648  ldns_rdf_deep_free(next_nsec_owner_label);
1649  LDNS_FREE(next_nsec_owner_str);
1650  } else {
1651  next_nsec_owner_label =
1653  i + 1)),
1654  0);
1655  next_nsec_owner_str = ldns_rdf2str(next_nsec_owner_label);
1656  if (next_nsec_owner_str[strlen(next_nsec_owner_str) - 1]
1657  == '.') {
1658  next_nsec_owner_str[strlen(next_nsec_owner_str) - 1]
1659  = '\0';
1660  }
1661  status = ldns_str2rdf_b32_ext(&next_nsec_rdf,
1662  next_nsec_owner_str);
1663  ldns_rdf_deep_free(next_nsec_owner_label);
1664  LDNS_FREE(next_nsec_owner_str);
1665  if (!ldns_rr_set_rdf(ldns_rr_list_rr(nsec3_rrs, i),
1666  next_nsec_rdf, 4)) {
1667  /* todo: error */
1668  }
1669  }
1670  }
1671  return status;
1672 }
1673 
1674 int
1675 qsort_rr_compare_nsec3(const void *a, const void *b)
1676 {
1677  const ldns_rr *rr1 = * (const ldns_rr **) a;
1678  const ldns_rr *rr2 = * (const ldns_rr **) b;
1679  if (rr1 == NULL && rr2 == NULL) {
1680  return 0;
1681  }
1682  if (rr1 == NULL) {
1683  return -1;
1684  }
1685  if (rr2 == NULL) {
1686  return 1;
1687  }
1688  return ldns_rdf_compare(ldns_rr_owner(rr1), ldns_rr_owner(rr2));
1689 }
1690 
1691 void
1693 {
1694  qsort(unsorted->_rrs,
1695  ldns_rr_list_rr_count(unsorted),
1696  sizeof(ldns_rr *),
1698 }
1699 
1700 int
1702  , ATTR_UNUSED(void *n)
1703  )
1704 {
1706 }
1707 
1708 int
1710  , ATTR_UNUSED(void *n)
1711  )
1712 {
1714 }
1715 
1716 int
1718  , ATTR_UNUSED(void *n)
1719  )
1720 {
1722 }
1723 
1724 int
1726  , ATTR_UNUSED(void *n)
1727  )
1728 {
1730 }
1731 
1732 #ifdef HAVE_SSL
1733 ldns_rdf *
1735  const long sig_len)
1736 {
1737 #ifdef USE_DSA
1738  ldns_rdf *sigdata_rdf;
1739  DSA_SIG *dsasig;
1740  const BIGNUM *R, *S;
1741  unsigned char *dsasig_data = (unsigned char*)ldns_buffer_begin(sig);
1742  size_t byte_offset;
1743 
1744  dsasig = d2i_DSA_SIG(NULL,
1745  (const unsigned char **)&dsasig_data,
1746  sig_len);
1747  if (!dsasig) {
1748  DSA_SIG_free(dsasig);
1749  return NULL;
1750  }
1751 
1752  dsasig_data = LDNS_XMALLOC(unsigned char, 41);
1753  if(!dsasig_data) {
1754  DSA_SIG_free(dsasig);
1755  return NULL;
1756  }
1757  dsasig_data[0] = 0;
1758 # ifdef HAVE_DSA_SIG_GET0
1759  DSA_SIG_get0(dsasig, &R, &S);
1760 # else
1761  R = dsasig->r;
1762  S = dsasig->s;
1763 # endif
1764  byte_offset = (size_t) (20 - BN_num_bytes(R));
1765  if (byte_offset > 20) {
1766  DSA_SIG_free(dsasig);
1767  LDNS_FREE(dsasig_data);
1768  return NULL;
1769  }
1770  memset(&dsasig_data[1], 0, byte_offset);
1771  BN_bn2bin(R, &dsasig_data[1 + byte_offset]);
1772  byte_offset = (size_t) (20 - BN_num_bytes(S));
1773  if (byte_offset > 20) {
1774  DSA_SIG_free(dsasig);
1775  LDNS_FREE(dsasig_data);
1776  return NULL;
1777  }
1778  memset(&dsasig_data[21], 0, byte_offset);
1779  BN_bn2bin(S, &dsasig_data[21 + byte_offset]);
1780 
1781  sigdata_rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, 41, dsasig_data);
1782  if(!sigdata_rdf) {
1783  LDNS_FREE(dsasig_data);
1784  }
1785  DSA_SIG_free(dsasig);
1786 
1787  return sigdata_rdf;
1788 #else
1789  (void)sig; (void)sig_len;
1790  return NULL;
1791 #endif
1792 }
1793 
1796  const ldns_rdf *sig_rdf)
1797 {
1798 #ifdef USE_DSA
1799  /* the EVP api wants the DER encoding of the signature... */
1800  BIGNUM *R, *S;
1801  DSA_SIG *dsasig;
1802  unsigned char *raw_sig = NULL;
1803  int raw_sig_len;
1804 
1805  if(ldns_rdf_size(sig_rdf) < 1 + 2*SHA_DIGEST_LENGTH)
1807  /* extract the R and S field from the sig buffer */
1808  R = BN_new();
1809  if(!R) return LDNS_STATUS_MEM_ERR;
1810  (void) BN_bin2bn((unsigned char *) ldns_rdf_data(sig_rdf) + 1,
1811  SHA_DIGEST_LENGTH, R);
1812  S = BN_new();
1813  if(!S) {
1814  BN_free(R);
1815  return LDNS_STATUS_MEM_ERR;
1816  }
1817  (void) BN_bin2bn((unsigned char *) ldns_rdf_data(sig_rdf) + 21,
1818  SHA_DIGEST_LENGTH, S);
1819 
1820  dsasig = DSA_SIG_new();
1821  if (!dsasig) {
1822  BN_free(R);
1823  BN_free(S);
1824  return LDNS_STATUS_MEM_ERR;
1825  }
1826 # ifdef HAVE_DSA_SIG_SET0
1827  if (! DSA_SIG_set0(dsasig, R, S))
1828  return LDNS_STATUS_SSL_ERR;
1829 # else
1830  dsasig->r = R;
1831  dsasig->s = S;
1832 # endif
1833 
1834  raw_sig_len = i2d_DSA_SIG(dsasig, &raw_sig);
1835  if (raw_sig_len < 0) {
1836  DSA_SIG_free(dsasig);
1837  free(raw_sig);
1838  return LDNS_STATUS_SSL_ERR;
1839  }
1840  if (ldns_buffer_reserve(target_buffer, (size_t) raw_sig_len)) {
1841  ldns_buffer_write(target_buffer, raw_sig, (size_t)raw_sig_len);
1842  }
1843 
1844  DSA_SIG_free(dsasig);
1845  free(raw_sig);
1846 
1847  return ldns_buffer_status(target_buffer);
1848 #else
1849  (void)target_buffer; (void)sig_rdf;
1851 #endif
1852 }
1853 
1854 #ifdef USE_ECDSA
1855 #ifndef S_SPLINT_S
1856 ldns_rdf *
1858  const long sig_len, int num_bytes)
1859 {
1860  ECDSA_SIG* ecdsa_sig;
1861  const BIGNUM *r, *s;
1862  unsigned char *data = (unsigned char*)ldns_buffer_begin(sig);
1863  ldns_rdf* rdf;
1864  ecdsa_sig = d2i_ECDSA_SIG(NULL, (const unsigned char **)&data, sig_len);
1865  if(!ecdsa_sig) return NULL;
1866 
1867 #ifdef HAVE_ECDSA_SIG_GET0
1868  ECDSA_SIG_get0(ecdsa_sig, &r, &s);
1869 #else
1870  r = ecdsa_sig->r;
1871  s = ecdsa_sig->s;
1872 #endif
1873  /* "r | s". */
1874  if(BN_num_bytes(r) > num_bytes ||
1875  BN_num_bytes(s) > num_bytes) {
1876  ECDSA_SIG_free(ecdsa_sig);
1877  return NULL; /* numbers too big for passed curve size */
1878  }
1879  data = LDNS_XMALLOC(unsigned char, num_bytes*2);
1880  if(!data) {
1881  ECDSA_SIG_free(ecdsa_sig);
1882  return NULL;
1883  }
1884  /* write the bignums (in big-endian) a little offset if the BN code
1885  * wants to write a shorter number of bytes, with zeroes prefixed */
1886  memset(data, 0, num_bytes*2);
1887  BN_bn2bin(r, data+num_bytes-BN_num_bytes(r));
1888  BN_bn2bin(s, data+num_bytes*2-BN_num_bytes(s));
1889  rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, (size_t)(num_bytes*2), data);
1890  ECDSA_SIG_free(ecdsa_sig);
1891  return rdf;
1892 }
1893 
1896  const ldns_rdf *sig_rdf)
1897 {
1898  /* convert from two BIGNUMs in the rdata buffer, to ASN notation.
1899  * ASN preable: 30440220 <R 32bytefor256> 0220 <S 32bytefor256>
1900  * the '20' is the length of that field (=bnsize).
1901  * the '44' is the total remaining length.
1902  * if negative, start with leading zero.
1903  * if starts with 00s, remove them from the number.
1904  */
1905  uint8_t pre[] = {0x30, 0x44, 0x02, 0x20};
1906  int pre_len = 4;
1907  uint8_t mid[] = {0x02, 0x20};
1908  int mid_len = 2;
1909  int raw_sig_len, r_high, s_high, r_rem=0, s_rem=0;
1910  long bnsize = (long)ldns_rdf_size(sig_rdf) / 2;
1911  uint8_t* d = ldns_rdf_data(sig_rdf);
1912  /* if too short, or not even length, do not bother */
1913  if(bnsize < 16 || (size_t)bnsize*2 != ldns_rdf_size(sig_rdf))
1914  return LDNS_STATUS_ERR;
1915  /* strip leading zeroes from r (but not last one) */
1916  while(r_rem < bnsize-1 && d[r_rem] == 0)
1917  r_rem++;
1918  /* strip leading zeroes from s (but not last one) */
1919  while(s_rem < bnsize-1 && d[bnsize+s_rem] == 0)
1920  s_rem++;
1921 
1922  r_high = ((d[0+r_rem]&0x80)?1:0);
1923  s_high = ((d[bnsize+s_rem]&0x80)?1:0);
1924  raw_sig_len = pre_len + r_high + bnsize - r_rem + mid_len +
1925  s_high + bnsize - s_rem;
1926  if(ldns_buffer_reserve(target_buffer, (size_t) raw_sig_len)) {
1927  ldns_buffer_write_u8(target_buffer, pre[0]);
1928  ldns_buffer_write_u8(target_buffer, raw_sig_len-2);
1929  ldns_buffer_write_u8(target_buffer, pre[2]);
1930  ldns_buffer_write_u8(target_buffer, bnsize + r_high - r_rem);
1931  if(r_high)
1932  ldns_buffer_write_u8(target_buffer, 0);
1933  ldns_buffer_write(target_buffer, d+r_rem, bnsize-r_rem);
1934  ldns_buffer_write(target_buffer, mid, mid_len-1);
1935  ldns_buffer_write_u8(target_buffer, bnsize + s_high - s_rem);
1936  if(s_high)
1937  ldns_buffer_write_u8(target_buffer, 0);
1938  ldns_buffer_write(target_buffer, d+bnsize+s_rem, bnsize-s_rem);
1939  }
1940  return ldns_buffer_status(target_buffer);
1941 }
1942 
1943 #endif /* S_SPLINT_S */
1944 #endif /* USE_ECDSA */
1945 
1946 #if defined(USE_ED25519) || defined(USE_ED448)
1947 /* debug printout routine */
1948 static void print_hex(const char* str, uint8_t* d, int len)
1949 {
1950  const char hex[] = "0123456789abcdef";
1951  int i;
1952  printf("%s [len=%d]: ", str, len);
1953  for(i=0; i<len; i++) {
1954  int x = (d[i]&0xf0)>>4;
1955  int y = (d[i]&0x0f);
1956  printf("%c%c", hex[x], hex[y]);
1957  }
1958  printf("\n");
1959 }
1960 #endif
1961 
1962 #ifdef USE_ED25519
1963 ldns_rdf *
1964 ldns_convert_ed25519_rrsig_asn12rdf(const ldns_buffer *sig, long sig_len)
1965 {
1966  unsigned char *data = (unsigned char*)ldns_buffer_begin(sig);
1967  ldns_rdf* rdf = NULL;
1968 
1969  /* TODO when Openssl supports signing and you can test this */
1970  print_hex("sig in ASN", data, sig_len);
1971 
1972  return rdf;
1973 }
1974 
1977  const ldns_rdf *sig_rdf)
1978 {
1979  /* TODO when Openssl supports signing and you can test this. */
1980  /* convert sig_buf into ASN1 into the target_buffer */
1981  print_hex("sig raw", ldns_rdf_data(sig_rdf), ldns_rdf_size(sig_rdf));
1982  return ldns_buffer_status(target_buffer);
1983 }
1984 #endif /* USE_ED25519 */
1985 
1986 #ifdef USE_ED448
1987 ldns_rdf *
1988 ldns_convert_ed448_rrsig_asn12rdf(const ldns_buffer *sig, long sig_len)
1989 {
1990  unsigned char *data = (unsigned char*)ldns_buffer_begin(sig);
1991  ldns_rdf* rdf = NULL;
1992 
1993  /* TODO when Openssl supports signing and you can test this */
1994  print_hex("sig in ASN", data, sig_len);
1995 
1996  return rdf;
1997 }
1998 
2001  const ldns_rdf *sig_rdf)
2002 {
2003  /* TODO when Openssl supports signing and you can test this. */
2004  /* convert sig_buf into ASN1 into the target_buffer */
2005  print_hex("sig raw", ldns_rdf_data(sig_rdf), ldns_rdf_size(sig_rdf));
2006  return ldns_buffer_status(target_buffer);
2007 }
2008 #endif /* USE_ED448 */
2009 
2010 #endif /* HAVE_SSL */
ldns_rdf * ldns_rr_rdf(const ldns_rr *rr, size_t nr)
returns the rdata field member counter.
Definition: rr.c:895
implementation of buffers to ease operations
Definition: buffer.h:50
bool ldns_nsec_covers_name(const ldns_rr *nsec, const ldns_rdf *name)
Checks coverage of NSEC(3) RR name span Remember that nsec and name must both be in canonical form (i...
Definition: dnssec.c:1499
ldns_rdf * ldns_convert_ed25519_rrsig_asn12rdf(const ldns_buffer *sig, long sig_len)
Converts the ECDSA signature from ASN1 representation (as used by OpenSSL) to raw signature data as u...
#define R(b, x)
Definition: sha2.c:191
ldns_rdf * ldns_rr_set_rdf(ldns_rr *rr, const ldns_rdf *f, size_t position)
sets a rdf member, it will be set on the position given.
Definition: rr.c:826
#define LDNS_SIGNATURE_LEAVE_ADD_NEW
return values for the old-signature callback
Definition: dnssec.h:47
ldns_rr * ldns_dnssec_create_nsec(const ldns_dnssec_name *from, const ldns_dnssec_name *to, ldns_rr_type nsec_type)
Creates NSEC.
Definition: dnssec.c:808
void ldns_rdf_deep_free(ldns_rdf *rd)
frees a rdf structure and frees the data.
Definition: rdata.c:230
void ldns_rr_set_type(ldns_rr *rr, ldns_rr_type rr_type)
sets the type in the rr.
Definition: rr.c:814
uint8_t ldns_dname_label_count(const ldns_rdf *r)
count the number of labels inside a LDNS_RDF_DNAME type rdf.
Definition: dname.c:214
ldns_rr * ldns_dnssec_create_nsec3(const ldns_dnssec_name *from, const ldns_dnssec_name *to, const ldns_rdf *zone_name, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, const uint8_t *salt)
Creates NSEC3.
Definition: dnssec.c:862
RSA * ldns_key_buf2rsa_raw(const unsigned char *key, size_t len)
Like ldns_key_buf2rsa, but uses raw buffer.
Definition: dnssec.c:414
ldns_rr_type ldns_rdf2rr_type(const ldns_rdf *rd)
convert an rdf of type LDNS_RDF_TYPE_TYPE to an actual LDNS_RR_TYPE.
Definition: rr.c:2687
DNSSEC.
Definition: rr.h:173
b64 string
Definition: rdata.h:68
ldns_rr_list * ldns_pkt_rr_list_by_name_and_type(const ldns_pkt *packet, const ldns_rdf *ownername, ldns_rr_type type, ldns_pkt_section sec)
return all the rr with a specific type and type from a packet.
Definition: packet.c:326
int ldns_dname_compare(const ldns_rdf *dname1, const ldns_rdf *dname2)
Compares the two dname rdf&#39;s according to the algorithm for ordering in RFC4034 Section 6...
Definition: dname.c:359
ldns_rdf * ldns_native2rdf_int16(ldns_rdf_type type, uint16_t value)
returns the rdf containing the native uint16_t representation.
Definition: rdata.c:132
bool ldns_dnssec_pkt_has_rrsigs(const ldns_pkt *pkt)
Checks whether the packet contains rrsigs.
Definition: dnssec.c:198
uint16_t ldns_nsec3_iterations(const ldns_rr *nsec3_rr)
Returns the number of hash iterations used in the given NSEC3 RR.
Definition: dnssec.c:1285
uint8_t * ldns_nsec3_salt_data(const ldns_rr *nsec3_rr)
Returns the salt bytes used in the given NSEC3 RR.
Definition: dnssec.c:1322
List or Set of Resource Records.
Definition: rr.h:330
ldns_status ldns_str2rdf_dname(ldns_rdf **d, const char *str)
convert a dname string into wireformat
Definition: str2host.c:311
ldns_rdf * ldns_nsec3_salt(const ldns_rr *nsec3_rr)
Returns the salt used in the given NSEC3 RR.
Definition: dnssec.c:1299
ldns_status ldns_convert_ed448_rrsig_rdf2asn1(ldns_buffer *target_buffer, const ldns_rdf *sig_rdf)
Converts the RRSIG signature RDF (from DNS) to a buffer with the signature in ASN1 format as openssl ...
ldns_rr * ldns_dnssec_get_dnskey_for_rrsig(const ldns_rr *rrsig, const ldns_rr_list *rrs)
Returns the DNSKEY that corresponds to the given RRSIG rr from the list, if any.
Definition: dnssec.c:57
uint8_t ldns_rdf2native_int8(const ldns_rdf *rd)
returns the native uint8_t representation from the rdf.
Definition: rdata.c:70
ldns_status ldns_verify_time(const ldns_rr_list *rrset, const ldns_rr_list *rrsig, const ldns_rr_list *keys, time_t check_time, ldns_rr_list *good_keys)
Verifies a list of signatures for one rrset.
ldns_dnssec_rrsets * rrsets
The rrsets for this name.
Definition: dnssec_zone.h:63
a RR type
Definition: rdata.h:74
#define LDNS_CALLOC(type, count)
Definition: util.h:53
#define LDNS_XMALLOC(type, count)
Definition: util.h:51
#define LDNS_MIN_BUFLEN
number of initial bytes in buffer of which we cannot tell the size before hand
Definition: buffer.h:33
size_t ldns_rdf_size(const ldns_rdf *rd)
returns the size of the rdf.
Definition: rdata.c:24
ldns_status ldns_convert_dsa_rrsig_rdf2asn1(ldns_buffer *target_buffer, const ldns_rdf *sig_rdf)
Converts the RRSIG signature RDF (in rfc2536 format) to a buffer with the signature in rfc2459 format...
Definition: dnssec.c:1795
ldns_status ldns_str2rdf_b32_ext(ldns_rdf **rd, const char *str)
convert the string with the b32 ext hex data into wireformat
Definition: str2host.c:607
enum ldns_enum_hash ldns_hash
Definition: keys.h:84
#define LDNS_SHA256_DIGEST_LENGTH
Definition: sha2.h:70
void ldns_rr_list_deep_free(ldns_rr_list *rr_list)
frees an rr_list structure and all rrs contained therein.
Definition: rr.c:1006
void ldns_buffer_free(ldns_buffer *buffer)
frees the buffer.
Definition: buffer.c:137
ldns_rr * ldns_rr_new_frm_type(ldns_rr_type t)
creates a new rr structure, based on the given type.
Definition: rr.c:42
ldns_rdf * ldns_dnssec_nsec3_closest_encloser(const ldns_rdf *qname, ldns_rr_type qtype __attribute__((unused)), const ldns_rr_list *nsec3s)
Definition: dnssec.c:97
ldns_rdf * ldns_rdf_clone(const ldns_rdf *rd)
clones a rdf structure.
Definition: rdata.c:222
void ldns_dname2canonical(const ldns_rdf *rd)
Put a dname into canonical fmt - ie.
Definition: dname.c:280
ldns_status ldns_convert_ed25519_rrsig_rdf2asn1(ldns_buffer *target_buffer, const ldns_rdf *sig_rdf)
Converts the RRSIG signature RDF (from DNS) to a buffer with the signature in ASN1 format as openssl ...
ldns_rdf * ldns_rr_rrsig_keytag(const ldns_rr *r)
returns the keytag of a LDNS_RR_TYPE_RRSIG RR
Definition: rr_functions.c:183
#define LDNS_MAX_PACKETLEN
Definition: packet.h:24
void ldns_rr_free(ldns_rr *rr)
frees an RR structure
Definition: rr.c:75
ldns_rdf * ldns_dname_left_chop(const ldns_rdf *d)
chop one label off the left side of a dname.
Definition: dname.c:189
ldns_status ldns_nsec_bitmap_set_type(ldns_rdf *bitmap, ldns_rr_type type)
Checks if RR type t is enumerated in the type bitmap rdf and sets the bit.
Definition: dnssec.c:1421
2535typecode
Definition: rr.h:131
unsigned char * ldns_sha256(unsigned char *data, unsigned int data_len, unsigned char *digest)
Convenience function to digest a fixed block of data at once.
Definition: sha2.c:620
DSA * ldns_key_buf2dsa_raw(const unsigned char *key, size_t len)
Like ldns_key_buf2dsa, but uses raw buffer.
Definition: dnssec.c:337
ldns_rr_list * ldns_pkt_rr_list_by_type(const ldns_pkt *packet, ldns_rr_type type, ldns_pkt_section sec)
return all the rr with a specific type from a packet.
Definition: packet.c:290
ldns_status ldns_nsec_bitmap_clear_type(ldns_rdf *bitmap, ldns_rr_type type)
Checks if RR type t is enumerated in the type bitmap rdf and clears the bit.
Definition: dnssec.c:1459
Resource Record.
Definition: rr.h:302
void ldns_rdf_free(ldns_rdf *rd)
frees a rdf structure, leaving the data pointer intact.
Definition: rdata.c:241
ldns_status ldns_rdf2buffer_wire(ldns_buffer *buffer, const ldns_rdf *rdf)
Copies the rdata data to the buffer in wire format.
Definition: host2wire.c:99
ldns_rdf * ldns_nsec_get_bitmap(const ldns_rr *nsec)
Returns the rdata field that contains the bitmap of the covered types of the given NSEC record...
Definition: dnssec.c:84
ldns_rdf * ldns_convert_ecdsa_rrsig_asn1len2rdf(const ldns_buffer *sig, const long sig_len, int num_bytes)
Converts the ECDSA signature from ASN1 representation (as used by OpenSSL) to raw signature data as u...
Definition: dnssec.c:1857
Including this file will include all ldns files, and define some lookup tables.
ldns_rdf * ldns_dname_new_frm_str(const char *str)
creates a new dname rdf from a string.
Definition: dname.c:268
marks the start of a zone of authority
Definition: rr.h:93
ldns_rr_list * ldns_dnssec_pkt_get_rrsigs_for_type(const ldns_pkt *pkt, ldns_rr_type type)
Returns a ldns_rr_list containing the signatures covering the given type.
Definition: dnssec.c:244
uint8_t ldns_nsec3_salt_length(const ldns_rr *nsec3_rr)
Returns the length of the salt used in the given NSEC3 RR.
Definition: dnssec.c:1311
uint16_t ldns_pkt_nscount(const ldns_pkt *packet)
Return the packet&#39;s ns count.
Definition: packet.c:111
uint8_t * ldns_rdf_data(const ldns_rdf *rd)
returns the data of the rdf.
Definition: rdata.c:38
ldns_rdf * ldns_nsec3_next_owner(const ldns_rr *nsec3_rr)
Returns the first label of the next ownername in the NSEC3 chain (ie.
Definition: dnssec.c:1339
ldns_rr * ldns_rr_list_rr(const ldns_rr_list *rr_list, size_t nr)
returns a specific rr of an rrlist.
Definition: rr.c:976
int ldns_key_EVP_load_gost_id(void)
Get the PKEY id for GOST, loads GOST into openssl as a side effect.
Definition: keys.c:132
ldns_rr * ldns_create_nsec(ldns_rdf *cur_owner, ldns_rdf *next_owner, ldns_rr_list *rrs)
Create a NSEC record.
Definition: dnssec.c:951
void ldns_rr_set_class(ldns_rr *rr, ldns_rr_class rr_class)
sets the class in the rr.
Definition: rr.c:820
#define LDNS_SIGNATURE_REMOVE_NO_ADD
Definition: dnssec.h:50
16 bits
Definition: rdata.h:54
void ldns_nsec3_add_param_rdfs(ldns_rr *rr, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, const uint8_t *salt)
Sets all the NSEC3 options.
Definition: dnssec.c:1100
#define ATTR_UNUSED(x)
Definition: common.h:69
ldns_rr_list * ldns_rr_list_subtype_by_rdf(const ldns_rr_list *l, const ldns_rdf *r, size_t pos)
Return the rr_list which matches the rdf at position field.
Definition: rr.c:1084
uint16_t ldns_pkt_ancount(const ldns_pkt *packet)
Return the packet&#39;s an count.
Definition: packet.c:105
uint16_t ldns_rdf2native_int16(const ldns_rdf *rd)
returns the native uint16_t representation from the rdf.
Definition: rdata.c:84
int ldns_dnssec_default_delete_signatures(ldns_rr *sig __attribute__((unused)), void *n __attribute__((unused)))
Definition: dnssec.c:1717
#define LDNS_NSEC3_VARS_OPTOUT_MASK
Definition: rdata.h:40
int ldns_dnssec_rrsets_contains_type(const ldns_dnssec_rrsets *rrsets, ldns_rr_type type)
returns whether a rrset of the given type is found in the rrsets.
Definition: dnssec.c:794
ldns_rdf * ldns_convert_ed448_rrsig_asn12rdf(const ldns_buffer *sig, long sig_len)
Converts the ECDSA signature from ASN1 representation (as used by OpenSSL) to raw signature data as u...
uint16_t ldns_calc_keytag_raw(const uint8_t *key, size_t keysize)
Calculates keytag of DNSSEC key, operates on wireformat rdata.
Definition: dnssec.c:301
int ldns_dnssec_default_add_to_signatures(ldns_rr *sig __attribute__((unused)), void *n __attribute__((unused)))
Definition: dnssec.c:1701
bool ldns_nsec3_optout(const ldns_rr *nsec3_rr)
Returns true if the opt-out flag has been set in the given NSEC3 RR.
Definition: dnssec.c:1279
uint16_t ldns_calc_keytag(const ldns_rr *key)
calculates a keytag of a key for use in DNSSEC.
Definition: dnssec.c:271
ldns_status ldns_rr_rdata2buffer_wire(ldns_buffer *buffer, const ldns_rr *rr)
Converts an rr&#39;s rdata to wireformat, while excluding the ownername and all the stuff before the rdat...
Definition: host2wire.c:304
ldns_rr * ldns_create_nsec3(const ldns_rdf *cur_owner, const ldns_rdf *cur_zone, const ldns_rr_list *rrs, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, const uint8_t *salt, bool emptynonterminal)
Definition: dnssec.c:1171
RFC4034, RFC3658.
Definition: rr.h:167
bool ldns_nsec_bitmap_covers_type(const ldns_rdf *bitmap, ldns_rr_type type)
Check if RR type t is enumerated and set in the RR type bitmap rdf.
Definition: dnssec.c:1384
hex string
Definition: rdata.h:70
ldns_rdf * ldns_nsec3_bitmap(const ldns_rr *nsec3_rr)
Returns the bitmap specifying the covered types of the given NSEC3 RR.
Definition: dnssec.c:1349
ldns_rdf_type ldns_rdf_get_type(const ldns_rdf *rd)
returns the type of the rdf.
Definition: rdata.c:31
DNS packet.
Definition: packet.h:233
void ldns_rr_set_owner(ldns_rr *rr, ldns_rdf *owner)
sets the owner in the rr structure.
Definition: rr.c:790
#define LDNS_SIGNATURE_REMOVE_ADD_NEW
Definition: dnssec.h:49
void ldns_rdf_print(FILE *output, const ldns_rdf *rdf)
Prints the data in the rdata field to the given file stream (in presentation format) ...
Definition: host2str.c:2406
ldns_rr_type ldns_rr_get_type(const ldns_rr *rr)
returns the type of the rr.
Definition: rr.c:929
DSA * ldns_key_buf2dsa(const ldns_buffer *key)
converts a buffer holding key material to a DSA key in openssl.
Definition: dnssec.c:330
ldns_rr * ldns_dnssec_get_rrsig_for_name_and_type(const ldns_rdf *name, const ldns_rr_type type, const ldns_rr_list *rrs)
Returns the first RRSIG rr that corresponds to the rrset with the given name and type.
Definition: dnssec.c:29
ldns_rdf * ldns_rr_rrsig_typecovered(const ldns_rr *r)
returns the type covered of a LDNS_RR_TYPE_RRSIG rr
Definition: rr_functions.c:111
int ldns_digest_evp(const unsigned char *data, unsigned int len, unsigned char *dest, const EVP_MD *md)
Utility function to calculate hash using generic EVP_MD pointer.
Definition: dnssec.c:482
void ldns_rr_set_ttl(ldns_rr *rr, uint32_t ttl)
sets the ttl in the rr structure.
Definition: rr.c:802
enum ldns_enum_status ldns_status
Definition: error.h:134
ldns_rdf * ldns_rdf_new_frm_data(ldns_rdf_type type, size_t size, const void *data)
allocates a new rdf structure and fills it.
Definition: rdata.c:193
uint8_t ldns_nsec3_flags(const ldns_rr *nsec3_rr)
Returns flags field.
Definition: dnssec.c:1266
ldns_rdf * hashed_name
pointer to store the hashed name (only used when in an NSEC3 zone
Definition: dnssec_zone.h:85
ldns_buffer * ldns_buffer_new(size_t capacity)
creates a new buffer with the specified capacity.
Definition: buffer.c:16
This module contains base functions for DNSSEC operations (RFC4033 t/m RFC4035).
ldns_rdf * ldns_rdf_new(ldns_rdf_type type, size_t size, void *data)
allocates a new rdf structure and fills it.
Definition: rdata.c:179
ldns_rr ** _rrs
Definition: rr.h:334
int ldns_b32_ntop_extended_hex(const uint8_t *src, size_t src_sz, char *dst, size_t dst_sz)
Definition: util.c:588
#define LDNS_RDF_SIZE_WORD
Definition: rdata.h:34
bool ldns_buffer_reserve(ldns_buffer *buffer, size_t amount)
ensures BUFFER can contain at least AMOUNT more bytes.
Definition: buffer.c:79
Definition: keys.h:79
RSA * ldns_key_buf2rsa(const ldns_buffer *key)
converts a buffer holding key material to a RSA key in openssl.
Definition: dnssec.c:407
ldns_rdf * ldns_dnssec_name_name(const ldns_dnssec_name *name)
Returns the domain name of the given dnssec_name structure.
Definition: dnssec_zone.c:394
int ldns_dnssec_default_leave_signatures(ldns_rr *sig __attribute__((unused)), void *n __attribute__((unused)))
Definition: dnssec.c:1709
ldns_rdf * ldns_rr_rrsig_signame(const ldns_rr *r)
returns the signers name of a LDNS_RR_TYPE_RRSIG RR
Definition: rr_functions.c:195
char * ldns_rdf2str(const ldns_rdf *rdf)
Converts the data in the rdata field to presentation format and returns that as a char *...
Definition: host2str.c:2288
bool ldns_rr_push_rdf(ldns_rr *rr, const ldns_rdf *f)
sets rd_field member, it will be placed in the next available spot.
Definition: rr.c:843
Resource record data field.
Definition: rdata.h:174
ldns_dnssec_rrsets * next
Definition: dnssec_zone.h:37
nsec3 hash salt
Definition: rdata.h:109
8 bits
Definition: rdata.h:52
ldns_rdf * ldns_rr_owner(const ldns_rr *rr)
returns the owner name of an rr structure.
Definition: rr.c:905
ldns_rr * ldns_rr_new(void)
creates a new rr structure.
Definition: rr.c:24
size_t ldns_rr_list_rr_count(const ldns_rr_list *rr_list)
returns the number of rr&#39;s in an rr_list.
Definition: rr.c:943
#define LDNS_SIGNATURE_LEAVE_NO_ADD
Definition: dnssec.h:48
enum ldns_enum_rr_type ldns_rr_type
Definition: rr.h:239
#define LDNS_FREE(ptr)
Definition: util.h:60
ldns_status ldns_convert_ecdsa_rrsig_rdf2asn1(ldns_buffer *target_buffer, const ldns_rdf *sig_rdf)
Converts the RRSIG signature RDF (from DNS) to a buffer with the signature in ASN1 format as openssl ...
Definition: dnssec.c:1895
ldns_status ldns_dnssec_chain_nsec3_list(ldns_rr_list *nsec3_rrs)
chains nsec3 list
Definition: dnssec.c:1622
ldns_rr_list * ldns_pkt_authority(const ldns_pkt *packet)
Return the packet&#39;s authority section.
Definition: packet.c:135
an authoritative name server
Definition: rr.h:85
ldns_rdf * ldns_dnssec_create_nsec_bitmap(ldns_rr_type rr_type_list[], size_t size, ldns_rr_type nsec_type)
Create the type bitmap for an NSEC(3) record.
Definition: dnssec.c:712
ldns_rdf * ldns_dname_label(const ldns_rdf *rdf, uint8_t labelpos)
look inside the rdf and if it is an LDNS_RDF_TYPE_DNAME try and retrieve a specific label...
Definition: dname.c:560
const char * ldns_get_errorstr_by_id(ldns_status err)
look up a descriptive text by each error.
Definition: error.c:164
uint32_t ldns_rr_ttl(const ldns_rr *rr)
returns the ttl of an rr structure.
Definition: rr.c:917
ldns_rr_class ldns_rr_get_class(const ldns_rr *rr)
returns the class of the rr.
Definition: rr.c:935
int ldns_dnssec_default_replace_signatures(ldns_rr *sig __attribute__((unused)), void *n __attribute__((unused)))
Definition: dnssec.c:1725
used to get all non-question rrs from a packet
Definition: packet.h:282
ldns_status ldns_pkt_verify(const ldns_pkt *p, ldns_rr_type t, const ldns_rdf *o, const ldns_rr_list *k, const ldns_rr_list *s, ldns_rr_list *good_keys)
verify a packet
Definition: dnssec.c:1614
ldns_status ldns_dname_cat(ldns_rdf *rd1, const ldns_rdf *rd2)
concatenates rd2 after rd1 (rd2 is copied, rd1 is modified)
Definition: dname.c:90
ldns_rr_list * ldns_pkt_answer(const ldns_pkt *packet)
Return the packet&#39;s answer section.
Definition: packet.c:129
int qsort_rr_compare_nsec3(const void *a, const void *b)
compare for nsec3 sort
Definition: dnssec.c:1675
unsigned char * ldns_sha1(unsigned char *data, unsigned int data_len, unsigned char *digest)
Convenience function to digest a fixed block of data at once.
Definition: sha1.c:170
ldns_status ldns_pkt_verify_time(const ldns_pkt *p, ldns_rr_type t, const ldns_rdf *o, const ldns_rr_list *k, const ldns_rr_list *s, time_t check_time, ldns_rr_list *good_keys)
verify a packet
Definition: dnssec.c:1550
ldns_rdf * ldns_nsec3_hash_name(const ldns_rdf *name, uint8_t algorithm, uint16_t iterations, uint8_t salt_length, const uint8_t *salt)
Calculates the hashed name using the given parameters.
Definition: dnssec.c:1001
uint8_t ldns_nsec3_algorithm(const ldns_rr *nsec3_rr)
Returns the hash algorithm used in the given NSEC3 RR.
Definition: dnssec.c:1253
ldns_rdf * ldns_convert_dsa_rrsig_asn12rdf(const ldns_buffer *sig, const long sig_len)
Converts the DSA signature from ASN1 representation (RFC2459, as used by OpenSSL) to raw signature da...
Definition: dnssec.c:1734
void ldns_rr_list_sort_nsec3(ldns_rr_list *unsorted)
sort nsec3 list
Definition: dnssec.c:1692
int ldns_rdf_compare(const ldns_rdf *rd1, const ldns_rdf *rd2)
compares two rdf&#39;s on their wire formats.
Definition: rdata.c:651
#define LDNS_SHA1_DIGEST_LENGTH
Definition: sha1.h:9
ldns_rdf * ldns_nsec3_hash_name_frm_nsec3(const ldns_rr *nsec, const ldns_rdf *name)
Calculates the hashed name using the parameters of the given NSEC3 RR.
Definition: dnssec.c:1359
ldns_rr_list * ldns_dnssec_pkt_get_rrsigs_for_name_and_type(const ldns_pkt *pkt, const ldns_rdf *name, ldns_rr_type type)
Returns a ldns_rr_list containing the signatures covering the given name and type.
Definition: dnssec.c:217
ldns_rr * ldns_key_rr2ds(const ldns_rr *key, ldns_hash h)
returns a new DS rr that represents the given key rr.
Definition: dnssec.c:501