00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012 #include <ldns/config.h>
00013
00014 #include <ldns/ldns.h>
00015 #include <ldns/dnssec.h>
00016
00017 #include <strings.h>
00018 #include <time.h>
00019
00020 #ifdef HAVE_SSL
00021 #include <openssl/ssl.h>
00022 #include <openssl/evp.h>
00023 #include <openssl/rand.h>
00024 #include <openssl/err.h>
00025 #include <openssl/md5.h>
00026 #endif
00027
00028 ldns_rr *
00029 ldns_dnssec_get_rrsig_for_name_and_type(const ldns_rdf *name,
00030 const ldns_rr_type type,
00031 const ldns_rr_list *rrs)
00032 {
00033 size_t i;
00034 ldns_rr *candidate;
00035
00036 if (!name || !rrs) {
00037 return NULL;
00038 }
00039
00040 for (i = 0; i < ldns_rr_list_rr_count(rrs); i++) {
00041 candidate = ldns_rr_list_rr(rrs, i);
00042 if (ldns_rr_get_type(candidate) == LDNS_RR_TYPE_RRSIG) {
00043 if (ldns_dname_compare(ldns_rr_owner(candidate),
00044 name) == 0 &&
00045 ldns_rdf2rr_type(ldns_rr_rrsig_typecovered(candidate))
00046 == type
00047 ) {
00048 return candidate;
00049 }
00050 }
00051 }
00052
00053 return NULL;
00054 }
00055
00056 ldns_rr *
00057 ldns_dnssec_get_dnskey_for_rrsig(const ldns_rr *rrsig,
00058 const ldns_rr_list *rrs)
00059 {
00060 size_t i;
00061 ldns_rr *candidate;
00062
00063 if (!rrsig || !rrs) {
00064 return NULL;
00065 }
00066
00067 for (i = 0; i < ldns_rr_list_rr_count(rrs); i++) {
00068 candidate = ldns_rr_list_rr(rrs, i);
00069 if (ldns_rr_get_type(candidate) == LDNS_RR_TYPE_DNSKEY) {
00070 if (ldns_dname_compare(ldns_rr_owner(candidate),
00071 ldns_rr_rrsig_signame(rrsig)) == 0 &&
00072 ldns_rdf2native_int16(ldns_rr_rrsig_keytag(rrsig)) ==
00073 ldns_calc_keytag(candidate)
00074 ) {
00075 return candidate;
00076 }
00077 }
00078 }
00079
00080 return NULL;
00081 }
00082
00083 ldns_rdf *
00084 ldns_nsec_get_bitmap(ldns_rr *nsec) {
00085 if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC) {
00086 return ldns_rr_rdf(nsec, 1);
00087 } else if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC3) {
00088 return ldns_rr_rdf(nsec, 5);
00089 } else {
00090 return NULL;
00091 }
00092 }
00093
00094
00095
00096 ldns_rdf *
00097 ldns_dnssec_nsec3_closest_encloser(ldns_rdf *qname,
00098 ATTR_UNUSED(ldns_rr_type qtype),
00099 ldns_rr_list *nsec3s)
00100 {
00101
00102 uint8_t algorithm;
00103 uint32_t iterations;
00104 uint8_t salt_length;
00105 uint8_t *salt;
00106
00107 ldns_rdf *sname, *hashed_sname, *tmp;
00108 bool flag;
00109
00110 bool exact_match_found;
00111 bool in_range_found;
00112
00113 ldns_status status;
00114 ldns_rdf *zone_name;
00115
00116 size_t nsec_i;
00117 ldns_rr *nsec;
00118 ldns_rdf *result = NULL;
00119
00120 if (!qname || !nsec3s || ldns_rr_list_rr_count(nsec3s) < 1) {
00121 return NULL;
00122 }
00123
00124 nsec = ldns_rr_list_rr(nsec3s, 0);
00125 algorithm = ldns_nsec3_algorithm(nsec);
00126 salt_length = ldns_nsec3_salt_length(nsec);
00127 salt = ldns_nsec3_salt_data(nsec);
00128 iterations = ldns_nsec3_iterations(nsec);
00129
00130 sname = ldns_rdf_clone(qname);
00131
00132 flag = false;
00133
00134 zone_name = ldns_dname_left_chop(ldns_rr_owner(nsec));
00135
00136
00137 while (ldns_dname_label_count(sname) > 0) {
00138 exact_match_found = false;
00139 in_range_found = false;
00140
00141 hashed_sname = ldns_nsec3_hash_name(sname,
00142 algorithm,
00143 iterations,
00144 salt_length,
00145 salt);
00146
00147 status = ldns_dname_cat(hashed_sname, zone_name);
00148 if(status != LDNS_STATUS_OK) {
00149 LDNS_FREE(salt);
00150 ldns_rdf_deep_free(zone_name);
00151 ldns_rdf_deep_free(sname);
00152 return NULL;
00153 }
00154
00155 for (nsec_i = 0; nsec_i < ldns_rr_list_rr_count(nsec3s); nsec_i++) {
00156 nsec = ldns_rr_list_rr(nsec3s, nsec_i);
00157
00158
00159
00160
00161 if (ldns_dname_compare(ldns_rr_owner(nsec), hashed_sname) == 0) {
00162 exact_match_found = true;
00163 } else if (ldns_nsec_covers_name(nsec, hashed_sname)) {
00164 in_range_found = true;
00165 }
00166
00167 }
00168 if (!exact_match_found && in_range_found) {
00169 flag = true;
00170 } else if (exact_match_found && flag) {
00171 result = ldns_rdf_clone(sname);
00172
00173 ldns_rdf_deep_free(hashed_sname);
00174 goto done;
00175 } else if (exact_match_found && !flag) {
00176
00177 ldns_rdf_deep_free(hashed_sname);
00178 goto done;
00179 } else {
00180 flag = false;
00181 }
00182
00183 ldns_rdf_deep_free(hashed_sname);
00184 tmp = sname;
00185 sname = ldns_dname_left_chop(sname);
00186 ldns_rdf_deep_free(tmp);
00187 }
00188
00189 done:
00190 LDNS_FREE(salt);
00191 ldns_rdf_deep_free(zone_name);
00192 ldns_rdf_deep_free(sname);
00193
00194 return result;
00195 }
00196
00197 bool
00198 ldns_dnssec_pkt_has_rrsigs(const ldns_pkt *pkt)
00199 {
00200 size_t i;
00201 for (i = 0; i < ldns_pkt_ancount(pkt); i++) {
00202 if (ldns_rr_get_type(ldns_rr_list_rr(ldns_pkt_answer(pkt), i)) ==
00203 LDNS_RR_TYPE_RRSIG) {
00204 return true;
00205 }
00206 }
00207 for (i = 0; i < ldns_pkt_nscount(pkt); i++) {
00208 if (ldns_rr_get_type(ldns_rr_list_rr(ldns_pkt_authority(pkt), i)) ==
00209 LDNS_RR_TYPE_RRSIG) {
00210 return true;
00211 }
00212 }
00213 return false;
00214 }
00215
00216 ldns_rr_list *
00217 ldns_dnssec_pkt_get_rrsigs_for_name_and_type(const ldns_pkt *pkt,
00218 ldns_rdf *name,
00219 ldns_rr_type type)
00220 {
00221 uint16_t t_netorder;
00222 ldns_rr_list *sigs;
00223 ldns_rr_list *sigs_covered;
00224 ldns_rdf *rdf_t;
00225
00226 sigs = ldns_pkt_rr_list_by_name_and_type(pkt,
00227 name,
00228 LDNS_RR_TYPE_RRSIG,
00229 LDNS_SECTION_ANY_NOQUESTION
00230 );
00231
00232 t_netorder = htons(type);
00233 rdf_t = ldns_rdf_new(LDNS_RDF_TYPE_TYPE, LDNS_RDF_SIZE_WORD, &t_netorder);
00234 sigs_covered = ldns_rr_list_subtype_by_rdf(sigs, rdf_t, 0);
00235
00236 ldns_rdf_free(rdf_t);
00237 ldns_rr_list_deep_free(sigs);
00238
00239 return sigs_covered;
00240
00241 }
00242
00243 ldns_rr_list *
00244 ldns_dnssec_pkt_get_rrsigs_for_type(const ldns_pkt *pkt, ldns_rr_type type)
00245 {
00246 uint16_t t_netorder;
00247 ldns_rr_list *sigs;
00248 ldns_rr_list *sigs_covered;
00249 ldns_rdf *rdf_t;
00250
00251 sigs = ldns_pkt_rr_list_by_type(pkt,
00252 LDNS_RR_TYPE_RRSIG,
00253 LDNS_SECTION_ANY_NOQUESTION
00254 );
00255
00256 t_netorder = htons(type);
00257 rdf_t = ldns_rdf_new(LDNS_RDF_TYPE_TYPE,
00258 2,
00259 &t_netorder);
00260 sigs_covered = ldns_rr_list_subtype_by_rdf(sigs, rdf_t, 0);
00261
00262 ldns_rdf_free(rdf_t);
00263 ldns_rr_list_deep_free(sigs);
00264
00265 return sigs_covered;
00266
00267 }
00268
00269
00270 uint16_t
00271 ldns_calc_keytag(const ldns_rr *key)
00272 {
00273 uint16_t ac16;
00274 ldns_buffer *keybuf;
00275 size_t keysize;
00276
00277 if (!key) {
00278 return 0;
00279 }
00280
00281 if (ldns_rr_get_type(key) != LDNS_RR_TYPE_DNSKEY &&
00282 ldns_rr_get_type(key) != LDNS_RR_TYPE_KEY
00283 ) {
00284 return 0;
00285 }
00286
00287
00288 keybuf = ldns_buffer_new(LDNS_MIN_BUFLEN);
00289 if (!keybuf) {
00290 return 0;
00291 }
00292 (void)ldns_rr_rdata2buffer_wire(keybuf, key);
00293
00294 keysize= ldns_buffer_position(keybuf);
00295
00296 ac16 = ldns_calc_keytag_raw(ldns_buffer_begin(keybuf), keysize);
00297 ldns_buffer_free(keybuf);
00298 return ac16;
00299 }
00300
00301 uint16_t ldns_calc_keytag_raw(uint8_t* key, size_t keysize)
00302 {
00303 unsigned int i;
00304 uint32_t ac32;
00305 uint16_t ac16;
00306
00307 if(keysize < 4) {
00308 return 0;
00309 }
00310
00311 if (key[3] == LDNS_RSAMD5) {
00312 ac16 = 0;
00313 if (keysize > 4) {
00314 memmove(&ac16, key + keysize - 3, 2);
00315 }
00316 ac16 = ntohs(ac16);
00317 return (uint16_t) ac16;
00318 } else {
00319 ac32 = 0;
00320 for (i = 0; (size_t)i < keysize; ++i) {
00321 ac32 += (i & 1) ? key[i] : key[i] << 8;
00322 }
00323 ac32 += (ac32 >> 16) & 0xFFFF;
00324 return (uint16_t) (ac32 & 0xFFFF);
00325 }
00326 }
00327
00328 #ifdef HAVE_SSL
00329 DSA *
00330 ldns_key_buf2dsa(ldns_buffer *key)
00331 {
00332 return ldns_key_buf2dsa_raw((unsigned char*)ldns_buffer_begin(key),
00333 ldns_buffer_position(key));
00334 }
00335
00336 DSA *
00337 ldns_key_buf2dsa_raw(unsigned char* key, size_t len)
00338 {
00339 uint8_t T;
00340 uint16_t length;
00341 uint16_t offset;
00342 DSA *dsa;
00343 BIGNUM *Q; BIGNUM *P;
00344 BIGNUM *G; BIGNUM *Y;
00345
00346 if(len == 0)
00347 return NULL;
00348 T = (uint8_t)key[0];
00349 length = (64 + T * 8);
00350 offset = 1;
00351
00352 if (T > 8) {
00353 return NULL;
00354 }
00355 if(len < (size_t)1 + SHA_DIGEST_LENGTH + 3*length)
00356 return NULL;
00357
00358 Q = BN_bin2bn(key+offset, SHA_DIGEST_LENGTH, NULL);
00359 offset += SHA_DIGEST_LENGTH;
00360
00361 P = BN_bin2bn(key+offset, (int)length, NULL);
00362 offset += length;
00363
00364 G = BN_bin2bn(key+offset, (int)length, NULL);
00365 offset += length;
00366
00367 Y = BN_bin2bn(key+offset, (int)length, NULL);
00368 offset += length;
00369
00370
00371 if(!Q || !P || !G || !Y || !(dsa = DSA_new())) {
00372 BN_free(Q);
00373 BN_free(P);
00374 BN_free(G);
00375 BN_free(Y);
00376 return NULL;
00377 }
00378 #ifndef S_SPLINT_S
00379 dsa->p = P;
00380 dsa->q = Q;
00381 dsa->g = G;
00382 dsa->pub_key = Y;
00383 #endif
00384
00385 return dsa;
00386 }
00387
00388 RSA *
00389 ldns_key_buf2rsa(ldns_buffer *key)
00390 {
00391 return ldns_key_buf2rsa_raw((unsigned char*)ldns_buffer_begin(key),
00392 ldns_buffer_position(key));
00393 }
00394
00395 RSA *
00396 ldns_key_buf2rsa_raw(unsigned char* key, size_t len)
00397 {
00398 uint16_t offset;
00399 uint16_t exp;
00400 uint16_t int16;
00401 RSA *rsa;
00402 BIGNUM *modulus;
00403 BIGNUM *exponent;
00404
00405 if (len == 0)
00406 return NULL;
00407 if (key[0] == 0) {
00408 if(len < 3)
00409 return NULL;
00410
00411
00412
00413 memmove(&int16, key+1, 2);
00414 exp = ntohs(int16);
00415 offset = 3;
00416 } else {
00417 exp = key[0];
00418 offset = 1;
00419 }
00420
00421
00422 if(len < (size_t)offset + exp + 1)
00423 return NULL;
00424
00425
00426 exponent = BN_new();
00427 if(!exponent) return NULL;
00428 (void) BN_bin2bn(key+offset, (int)exp, exponent);
00429 offset += exp;
00430
00431
00432 modulus = BN_new();
00433 if(!modulus) {
00434 BN_free(exponent);
00435 return NULL;
00436 }
00437
00438 (void) BN_bin2bn(key+offset, (int)(len - offset), modulus);
00439
00440 rsa = RSA_new();
00441 if(!rsa) {
00442 BN_free(exponent);
00443 BN_free(modulus);
00444 return NULL;
00445 }
00446 #ifndef S_SPLINT_S
00447 rsa->n = modulus;
00448 rsa->e = exponent;
00449 #endif
00450
00451 return rsa;
00452 }
00453
00454 int
00455 ldns_digest_evp(unsigned char* data, unsigned int len, unsigned char* dest,
00456 const EVP_MD* md)
00457 {
00458 EVP_MD_CTX* ctx;
00459 ctx = EVP_MD_CTX_create();
00460 if(!ctx)
00461 return false;
00462 if(!EVP_DigestInit_ex(ctx, md, NULL) ||
00463 !EVP_DigestUpdate(ctx, data, len) ||
00464 !EVP_DigestFinal_ex(ctx, dest, NULL)) {
00465 EVP_MD_CTX_destroy(ctx);
00466 return false;
00467 }
00468 EVP_MD_CTX_destroy(ctx);
00469 return true;
00470 }
00471 #endif
00472
00473 ldns_rr *
00474 ldns_key_rr2ds(const ldns_rr *key, ldns_hash h)
00475 {
00476 ldns_rdf *tmp;
00477 ldns_rr *ds;
00478 uint16_t keytag;
00479 uint8_t sha1hash;
00480 uint8_t *digest;
00481 ldns_buffer *data_buf;
00482 #ifdef USE_GOST
00483 const EVP_MD* md = NULL;
00484 #endif
00485
00486 if (ldns_rr_get_type(key) != LDNS_RR_TYPE_DNSKEY) {
00487 return NULL;
00488 }
00489
00490 ds = ldns_rr_new();
00491 if (!ds) {
00492 return NULL;
00493 }
00494 ldns_rr_set_type(ds, LDNS_RR_TYPE_DS);
00495 ldns_rr_set_owner(ds, ldns_rdf_clone(
00496 ldns_rr_owner(key)));
00497 ldns_rr_set_ttl(ds, ldns_rr_ttl(key));
00498 ldns_rr_set_class(ds, ldns_rr_get_class(key));
00499
00500 switch(h) {
00501 default:
00502 case LDNS_SHA1:
00503 digest = LDNS_XMALLOC(uint8_t, LDNS_SHA1_DIGEST_LENGTH);
00504 if (!digest) {
00505 ldns_rr_free(ds);
00506 return NULL;
00507 }
00508 break;
00509 case LDNS_SHA256:
00510 digest = LDNS_XMALLOC(uint8_t, LDNS_SHA256_DIGEST_LENGTH);
00511 if (!digest) {
00512 ldns_rr_free(ds);
00513 return NULL;
00514 }
00515 break;
00516 case LDNS_HASH_GOST:
00517 #ifdef USE_GOST
00518 (void)ldns_key_EVP_load_gost_id();
00519 md = EVP_get_digestbyname("md_gost94");
00520 if(!md) {
00521 ldns_rr_free(ds);
00522 return NULL;
00523 }
00524 digest = LDNS_XMALLOC(uint8_t, EVP_MD_size(md));
00525 if (!digest) {
00526 ldns_rr_free(ds);
00527 return NULL;
00528 }
00529 break;
00530 #else
00531
00532 ldns_rr_free(ds);
00533 return NULL;
00534 #endif
00535 case LDNS_SHA384:
00536 #ifdef USE_ECDSA
00537 digest = LDNS_XMALLOC(uint8_t, SHA384_DIGEST_LENGTH);
00538 if (!digest) {
00539 ldns_rr_free(ds);
00540 return NULL;
00541 }
00542 break;
00543 #else
00544
00545 ldns_rr_free(ds);
00546 return NULL;
00547 #endif
00548 }
00549
00550 data_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
00551 if (!data_buf) {
00552 LDNS_FREE(digest);
00553 ldns_rr_free(ds);
00554 return NULL;
00555 }
00556
00557
00558 keytag = htons(ldns_calc_keytag((ldns_rr*)key));
00559 tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT16,
00560 sizeof(uint16_t),
00561 &keytag);
00562 ldns_rr_push_rdf(ds, tmp);
00563
00564
00565 if ((tmp = ldns_rr_rdf(key, 2)) == NULL) {
00566 LDNS_FREE(digest);
00567 ldns_buffer_free(data_buf);
00568 ldns_rr_free(ds);
00569 return NULL;
00570 } else {
00571 ldns_rr_push_rdf(ds, ldns_rdf_clone( tmp ));
00572 }
00573
00574
00575 sha1hash = (uint8_t)h;
00576 tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT8,
00577 sizeof(uint8_t),
00578 &sha1hash);
00579 ldns_rr_push_rdf(ds, tmp);
00580
00581
00582
00583 tmp = ldns_rdf_clone(ldns_rr_owner(key));
00584 ldns_dname2canonical(tmp);
00585 if (ldns_rdf2buffer_wire(data_buf, tmp) != LDNS_STATUS_OK) {
00586 LDNS_FREE(digest);
00587 ldns_buffer_free(data_buf);
00588 ldns_rr_free(ds);
00589 ldns_rdf_deep_free(tmp);
00590 return NULL;
00591 }
00592 ldns_rdf_deep_free(tmp);
00593
00594
00595 if (ldns_rr_rdata2buffer_wire(data_buf,
00596 (ldns_rr*)key) != LDNS_STATUS_OK) {
00597 LDNS_FREE(digest);
00598 ldns_buffer_free(data_buf);
00599 ldns_rr_free(ds);
00600 return NULL;
00601 }
00602 switch(h) {
00603 case LDNS_SHA1:
00604 (void) ldns_sha1((unsigned char *) ldns_buffer_begin(data_buf),
00605 (unsigned int) ldns_buffer_position(data_buf),
00606 (unsigned char *) digest);
00607
00608 tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_HEX,
00609 LDNS_SHA1_DIGEST_LENGTH,
00610 digest);
00611 ldns_rr_push_rdf(ds, tmp);
00612
00613 break;
00614 case LDNS_SHA256:
00615 (void) ldns_sha256((unsigned char *) ldns_buffer_begin(data_buf),
00616 (unsigned int) ldns_buffer_position(data_buf),
00617 (unsigned char *) digest);
00618 tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_HEX,
00619 LDNS_SHA256_DIGEST_LENGTH,
00620 digest);
00621 ldns_rr_push_rdf(ds, tmp);
00622 break;
00623 case LDNS_HASH_GOST:
00624 #ifdef USE_GOST
00625 if(!ldns_digest_evp((unsigned char *) ldns_buffer_begin(data_buf),
00626 (unsigned int) ldns_buffer_position(data_buf),
00627 (unsigned char *) digest, md)) {
00628 LDNS_FREE(digest);
00629 ldns_buffer_free(data_buf);
00630 ldns_rr_free(ds);
00631 return NULL;
00632 }
00633 tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_HEX,
00634 (size_t)EVP_MD_size(md),
00635 digest);
00636 ldns_rr_push_rdf(ds, tmp);
00637 #endif
00638 break;
00639 case LDNS_SHA384:
00640 #ifdef USE_ECDSA
00641 (void) SHA384((unsigned char *) ldns_buffer_begin(data_buf),
00642 (unsigned int) ldns_buffer_position(data_buf),
00643 (unsigned char *) digest);
00644 tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_HEX,
00645 SHA384_DIGEST_LENGTH,
00646 digest);
00647 ldns_rr_push_rdf(ds, tmp);
00648 #endif
00649 break;
00650 }
00651
00652 LDNS_FREE(digest);
00653 ldns_buffer_free(data_buf);
00654 return ds;
00655 }
00656
00657 ldns_rdf *
00658 ldns_dnssec_create_nsec_bitmap(ldns_rr_type rr_type_list[],
00659 size_t size,
00660 ldns_rr_type nsec_type)
00661 {
00662 size_t i;
00663 uint8_t *bitmap;
00664 uint16_t bm_len = 0;
00665 uint16_t i_type;
00666 ldns_rdf *bitmap_rdf;
00667
00668 uint8_t *data = NULL;
00669 uint8_t cur_data[32];
00670 uint8_t cur_window = 0;
00671 uint8_t cur_window_max = 0;
00672 uint16_t cur_data_size = 0;
00673
00674 if (nsec_type != LDNS_RR_TYPE_NSEC &&
00675 nsec_type != LDNS_RR_TYPE_NSEC3) {
00676 return NULL;
00677 }
00678
00679 i_type = 0;
00680 for (i = 0; i < size; i++) {
00681 if (i_type < rr_type_list[i])
00682 i_type = rr_type_list[i];
00683 }
00684 if (i_type < nsec_type) {
00685 i_type = nsec_type;
00686 }
00687
00688 bm_len = i_type / 8 + 2;
00689 bitmap = LDNS_XMALLOC(uint8_t, bm_len);
00690 if(!bitmap) return NULL;
00691 for (i = 0; i < bm_len; i++) {
00692 bitmap[i] = 0;
00693 }
00694
00695 for (i = 0; i < size; i++) {
00696 i_type = rr_type_list[i];
00697 ldns_set_bit(bitmap + (int) i_type / 8,
00698 (int) (7 - (i_type % 8)),
00699 true);
00700 }
00701
00702
00703 memset(cur_data, 0, 32);
00704 for (i = 0; i < bm_len; i++) {
00705 if (i / 32 > cur_window) {
00706
00707 if (cur_window_max > 0) {
00708
00709 data = LDNS_XREALLOC(data,
00710 uint8_t,
00711 cur_data_size + cur_window_max + 3);
00712 if(!data) {
00713 LDNS_FREE(bitmap);
00714 return NULL;
00715 }
00716 data[cur_data_size] = cur_window;
00717 data[cur_data_size + 1] = cur_window_max + 1;
00718 memcpy(data + cur_data_size + 2,
00719 cur_data,
00720 cur_window_max+1);
00721 cur_data_size += cur_window_max + 3;
00722 }
00723 cur_window++;
00724 cur_window_max = 0;
00725 memset(cur_data, 0, 32);
00726 }
00727 cur_data[i%32] = bitmap[i];
00728 if (bitmap[i] > 0) {
00729 cur_window_max = i%32;
00730 }
00731 }
00732 if (cur_window_max > 0 || cur_data[0] != 0) {
00733
00734 data = LDNS_XREALLOC(data,
00735 uint8_t,
00736 cur_data_size + cur_window_max + 3);
00737 if(!data) {
00738 LDNS_FREE(bitmap);
00739 return NULL;
00740 }
00741 data[cur_data_size] = cur_window;
00742 data[cur_data_size + 1] = cur_window_max + 1;
00743 memcpy(data + cur_data_size + 2, cur_data, cur_window_max+1);
00744 cur_data_size += cur_window_max + 3;
00745 }
00746 bitmap_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_NSEC,
00747 cur_data_size,
00748 data);
00749
00750 LDNS_FREE(bitmap);
00751 LDNS_FREE(data);
00752
00753 return bitmap_rdf;
00754 }
00755
00756 int
00757 ldns_dnssec_rrsets_contains_type(ldns_dnssec_rrsets *rrsets,
00758 ldns_rr_type type)
00759 {
00760 ldns_dnssec_rrsets *cur_rrset = rrsets;
00761 while (cur_rrset) {
00762 if (cur_rrset->type == type) {
00763 return 1;
00764 }
00765 cur_rrset = cur_rrset->next;
00766 }
00767 return 0;
00768 }
00769
00770 ldns_rr *
00771 ldns_dnssec_create_nsec(ldns_dnssec_name *from,
00772 ldns_dnssec_name *to,
00773 ldns_rr_type nsec_type)
00774 {
00775 ldns_rr *nsec_rr;
00776 ldns_rr_type types[65536];
00777 size_t type_count = 0;
00778 ldns_dnssec_rrsets *cur_rrsets;
00779 int on_delegation_point;
00780
00781 if (!from || !to || (nsec_type != LDNS_RR_TYPE_NSEC)) {
00782 return NULL;
00783 }
00784
00785 nsec_rr = ldns_rr_new();
00786 ldns_rr_set_type(nsec_rr, nsec_type);
00787 ldns_rr_set_owner(nsec_rr, ldns_rdf_clone(ldns_dnssec_name_name(from)));
00788 ldns_rr_push_rdf(nsec_rr, ldns_rdf_clone(ldns_dnssec_name_name(to)));
00789
00790 on_delegation_point = ldns_dnssec_rrsets_contains_type(
00791 from->rrsets, LDNS_RR_TYPE_NS)
00792 && !ldns_dnssec_rrsets_contains_type(
00793 from->rrsets, LDNS_RR_TYPE_SOA);
00794
00795 cur_rrsets = from->rrsets;
00796 while (cur_rrsets) {
00797
00798
00799 if ((on_delegation_point && (
00800 cur_rrsets->type == LDNS_RR_TYPE_NS
00801 || cur_rrsets->type == LDNS_RR_TYPE_DS))
00802 || (!on_delegation_point &&
00803 cur_rrsets->type != LDNS_RR_TYPE_RRSIG
00804 && cur_rrsets->type != LDNS_RR_TYPE_NSEC)) {
00805
00806 types[type_count] = cur_rrsets->type;
00807 type_count++;
00808 }
00809 cur_rrsets = cur_rrsets->next;
00810
00811 }
00812 types[type_count] = LDNS_RR_TYPE_RRSIG;
00813 type_count++;
00814 types[type_count] = LDNS_RR_TYPE_NSEC;
00815 type_count++;
00816
00817 ldns_rr_push_rdf(nsec_rr, ldns_dnssec_create_nsec_bitmap(types,
00818 type_count,
00819 nsec_type));
00820
00821 return nsec_rr;
00822 }
00823
00824 ldns_rr *
00825 ldns_dnssec_create_nsec3(ldns_dnssec_name *from,
00826 ldns_dnssec_name *to,
00827 ldns_rdf *zone_name,
00828 uint8_t algorithm,
00829 uint8_t flags,
00830 uint16_t iterations,
00831 uint8_t salt_length,
00832 uint8_t *salt)
00833 {
00834 ldns_rr *nsec_rr;
00835 ldns_rr_type types[65536];
00836 size_t type_count = 0;
00837 ldns_dnssec_rrsets *cur_rrsets;
00838 ldns_status status;
00839 int on_delegation_point;
00840
00841 if (!from) {
00842 return NULL;
00843 }
00844
00845 nsec_rr = ldns_rr_new_frm_type(LDNS_RR_TYPE_NSEC3);
00846 ldns_rr_set_owner(nsec_rr,
00847 ldns_nsec3_hash_name(ldns_dnssec_name_name(from),
00848 algorithm,
00849 iterations,
00850 salt_length,
00851 salt));
00852 status = ldns_dname_cat(ldns_rr_owner(nsec_rr), zone_name);
00853 if(status != LDNS_STATUS_OK) {
00854 ldns_rr_free(nsec_rr);
00855 return NULL;
00856 }
00857 ldns_nsec3_add_param_rdfs(nsec_rr,
00858 algorithm,
00859 flags,
00860 iterations,
00861 salt_length,
00862 salt);
00863
00864 on_delegation_point = ldns_dnssec_rrsets_contains_type(
00865 from->rrsets, LDNS_RR_TYPE_NS)
00866 && !ldns_dnssec_rrsets_contains_type(
00867 from->rrsets, LDNS_RR_TYPE_SOA);
00868 cur_rrsets = from->rrsets;
00869 while (cur_rrsets) {
00870
00871
00872
00873
00874
00875
00876 if ((on_delegation_point && (
00877 cur_rrsets->type == LDNS_RR_TYPE_NS
00878 || cur_rrsets->type == LDNS_RR_TYPE_DS))
00879 || (!on_delegation_point &&
00880 cur_rrsets->type != LDNS_RR_TYPE_RRSIG)) {
00881
00882 types[type_count] = cur_rrsets->type;
00883 type_count++;
00884 }
00885 cur_rrsets = cur_rrsets->next;
00886 }
00887
00888
00889
00890 if (type_count > 0 &&
00891 !(type_count == 1 && types[0] == LDNS_RR_TYPE_NS)) {
00892 types[type_count] = LDNS_RR_TYPE_RRSIG;
00893 type_count++;
00894 }
00895
00896
00897 if (to && to->hashed_name) {
00898 (void) ldns_rr_set_rdf(nsec_rr,
00899 ldns_rdf_clone(to->hashed_name),
00900 4);
00901 } else {
00902 (void) ldns_rr_set_rdf(nsec_rr, NULL, 4);
00903 }
00904
00905 ldns_rr_push_rdf(nsec_rr,
00906 ldns_dnssec_create_nsec_bitmap(types,
00907 type_count,
00908 LDNS_RR_TYPE_NSEC3));
00909
00910 return nsec_rr;
00911 }
00912
00913 ldns_rr *
00914 ldns_create_nsec(ldns_rdf *cur_owner, ldns_rdf *next_owner, ldns_rr_list *rrs)
00915 {
00916
00917
00918
00919
00920
00921
00922
00923
00924 uint16_t i;
00925 ldns_rr *i_rr;
00926 uint16_t i_type;
00927
00928 ldns_rr *nsec = NULL;
00929 ldns_rr_type i_type_list[65536];
00930 size_t type_count = 0;
00931
00932 nsec = ldns_rr_new();
00933 ldns_rr_set_type(nsec, LDNS_RR_TYPE_NSEC);
00934 ldns_rr_set_owner(nsec, ldns_rdf_clone(cur_owner));
00935 ldns_rr_push_rdf(nsec, ldns_rdf_clone(next_owner));
00936
00937 for (i = 0; i < ldns_rr_list_rr_count(rrs); i++) {
00938 i_rr = ldns_rr_list_rr(rrs, i);
00939 if (ldns_rdf_compare(cur_owner,
00940 ldns_rr_owner(i_rr)) == 0) {
00941 i_type = ldns_rr_get_type(i_rr);
00942 if (i_type != LDNS_RR_TYPE_RRSIG && i_type != LDNS_RR_TYPE_NSEC) {
00943 if (type_count == 0 || i_type_list[type_count-1] != i_type) {
00944 i_type_list[type_count] = i_type;
00945 type_count++;
00946 }
00947 }
00948 }
00949 }
00950
00951 i_type_list[type_count] = LDNS_RR_TYPE_RRSIG;
00952 type_count++;
00953 i_type_list[type_count] = LDNS_RR_TYPE_NSEC;
00954 type_count++;
00955
00956 ldns_rr_push_rdf(nsec,
00957 ldns_dnssec_create_nsec_bitmap(i_type_list,
00958 type_count, LDNS_RR_TYPE_NSEC));
00959
00960 return nsec;
00961 }
00962
00963 ldns_rdf *
00964 ldns_nsec3_hash_name(ldns_rdf *name,
00965 uint8_t algorithm,
00966 uint16_t iterations,
00967 uint8_t salt_length,
00968 uint8_t *salt)
00969 {
00970 size_t hashed_owner_str_len;
00971 ldns_rdf *cann;
00972 ldns_rdf *hashed_owner;
00973 unsigned char *hashed_owner_str;
00974 char *hashed_owner_b32;
00975 size_t hashed_owner_b32_len;
00976 uint32_t cur_it;
00977
00978
00979 unsigned char hash[LDNS_SHA1_DIGEST_LENGTH];
00980 ldns_status status;
00981
00982
00983 if (algorithm != LDNS_SHA1) {
00984 return NULL;
00985 }
00986
00987
00988 cann = ldns_rdf_clone(name);
00989 if(!cann) {
00990 fprintf(stderr, "Memory error\n");
00991 return NULL;
00992 }
00993 ldns_dname2canonical(cann);
00994
00995 hashed_owner_str_len = salt_length + ldns_rdf_size(cann);
00996 hashed_owner_str = LDNS_XMALLOC(unsigned char, hashed_owner_str_len);
00997 if(!hashed_owner_str) {
00998 ldns_rdf_deep_free(cann);
00999 return NULL;
01000 }
01001 memcpy(hashed_owner_str, ldns_rdf_data(cann), ldns_rdf_size(cann));
01002 memcpy(hashed_owner_str + ldns_rdf_size(cann), salt, salt_length);
01003 ldns_rdf_deep_free(cann);
01004
01005 for (cur_it = iterations + 1; cur_it > 0; cur_it--) {
01006 (void) ldns_sha1((unsigned char *) hashed_owner_str,
01007 (unsigned int) hashed_owner_str_len, hash);
01008
01009 LDNS_FREE(hashed_owner_str);
01010 hashed_owner_str_len = salt_length + LDNS_SHA1_DIGEST_LENGTH;
01011 hashed_owner_str = LDNS_XMALLOC(unsigned char, hashed_owner_str_len);
01012 if (!hashed_owner_str) {
01013 return NULL;
01014 }
01015 memcpy(hashed_owner_str, hash, LDNS_SHA1_DIGEST_LENGTH);
01016 memcpy(hashed_owner_str + LDNS_SHA1_DIGEST_LENGTH, salt, salt_length);
01017 hashed_owner_str_len = LDNS_SHA1_DIGEST_LENGTH + salt_length;
01018 }
01019
01020 LDNS_FREE(hashed_owner_str);
01021 hashed_owner_str = hash;
01022 hashed_owner_str_len = LDNS_SHA1_DIGEST_LENGTH;
01023
01024 hashed_owner_b32 = LDNS_XMALLOC(char,
01025 ldns_b32_ntop_calculate_size(hashed_owner_str_len) + 1);
01026 if(!hashed_owner_b32) {
01027 return NULL;
01028 }
01029 hashed_owner_b32_len = (size_t) ldns_b32_ntop_extended_hex(
01030 (uint8_t *) hashed_owner_str,
01031 hashed_owner_str_len,
01032 hashed_owner_b32,
01033 ldns_b32_ntop_calculate_size(hashed_owner_str_len)+1);
01034 if (hashed_owner_b32_len < 1) {
01035 fprintf(stderr, "Error in base32 extended hex encoding ");
01036 fprintf(stderr, "of hashed owner name (name: ");
01037 ldns_rdf_print(stderr, name);
01038 fprintf(stderr, ", return code: %u)\n",
01039 (unsigned int) hashed_owner_b32_len);
01040 LDNS_FREE(hashed_owner_b32);
01041 return NULL;
01042 }
01043 hashed_owner_b32[hashed_owner_b32_len] = '\0';
01044
01045 status = ldns_str2rdf_dname(&hashed_owner, hashed_owner_b32);
01046 if (status != LDNS_STATUS_OK) {
01047 fprintf(stderr, "Error creating rdf from %s\n", hashed_owner_b32);
01048 LDNS_FREE(hashed_owner_b32);
01049 return NULL;
01050 }
01051
01052 LDNS_FREE(hashed_owner_b32);
01053 return hashed_owner;
01054 }
01055
01056 void
01057 ldns_nsec3_add_param_rdfs(ldns_rr *rr,
01058 uint8_t algorithm,
01059 uint8_t flags,
01060 uint16_t iterations,
01061 uint8_t salt_length,
01062 uint8_t *salt)
01063 {
01064 ldns_rdf *salt_rdf = NULL;
01065 uint8_t *salt_data = NULL;
01066 ldns_rdf *old;
01067
01068 old = ldns_rr_set_rdf(rr,
01069 ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT8,
01070 1, (void*)&algorithm),
01071 0);
01072 if (old) ldns_rdf_deep_free(old);
01073
01074 old = ldns_rr_set_rdf(rr,
01075 ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT8,
01076 1, (void*)&flags),
01077 1);
01078 if (old) ldns_rdf_deep_free(old);
01079
01080 old = ldns_rr_set_rdf(rr,
01081 ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16,
01082 iterations),
01083 2);
01084 if (old) ldns_rdf_deep_free(old);
01085
01086 salt_data = LDNS_XMALLOC(uint8_t, salt_length + 1);
01087 if(!salt_data) {
01088
01089 return;
01090 }
01091 salt_data[0] = salt_length;
01092 memcpy(salt_data + 1, salt, salt_length);
01093 salt_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_NSEC3_SALT,
01094 salt_length + 1,
01095 salt_data);
01096 if(!salt_rdf) {
01097 LDNS_FREE(salt_data);
01098
01099 return;
01100 }
01101
01102 old = ldns_rr_set_rdf(rr, salt_rdf, 3);
01103 if (old) ldns_rdf_deep_free(old);
01104 LDNS_FREE(salt_data);
01105 }
01106
01107 static int
01108 rr_list_delegation_only(ldns_rdf *origin, ldns_rr_list *rr_list)
01109 {
01110 size_t i;
01111 ldns_rr *cur_rr;
01112 if (!origin || !rr_list) return 0;
01113 for (i = 0; i < ldns_rr_list_rr_count(rr_list); i++) {
01114 cur_rr = ldns_rr_list_rr(rr_list, i);
01115 if (ldns_dname_compare(ldns_rr_owner(cur_rr), origin) == 0) {
01116 return 0;
01117 }
01118 if (ldns_rr_get_type(cur_rr) != LDNS_RR_TYPE_NS) {
01119 return 0;
01120 }
01121 }
01122 return 1;
01123 }
01124
01125
01126
01127 ldns_rr *
01128 ldns_create_nsec3(ldns_rdf *cur_owner,
01129 ldns_rdf *cur_zone,
01130 ldns_rr_list *rrs,
01131 uint8_t algorithm,
01132 uint8_t flags,
01133 uint16_t iterations,
01134 uint8_t salt_length,
01135 uint8_t *salt,
01136 bool emptynonterminal)
01137 {
01138 size_t i;
01139 ldns_rr *i_rr;
01140 uint16_t i_type;
01141
01142 ldns_rr *nsec = NULL;
01143 ldns_rdf *hashed_owner = NULL;
01144
01145 ldns_status status;
01146
01147 ldns_rr_type i_type_list[1024];
01148 size_t type_count = 0;
01149
01150 hashed_owner = ldns_nsec3_hash_name(cur_owner,
01151 algorithm,
01152 iterations,
01153 salt_length,
01154 salt);
01155 status = ldns_dname_cat(hashed_owner, cur_zone);
01156 if(status != LDNS_STATUS_OK) {
01157 ldns_rdf_deep_free(hashed_owner);
01158 return NULL;
01159 }
01160 nsec = ldns_rr_new_frm_type(LDNS_RR_TYPE_NSEC3);
01161 if(!nsec) {
01162 ldns_rdf_deep_free(hashed_owner);
01163 return NULL;
01164 }
01165 ldns_rr_set_type(nsec, LDNS_RR_TYPE_NSEC3);
01166 ldns_rr_set_owner(nsec, hashed_owner);
01167
01168 ldns_nsec3_add_param_rdfs(nsec,
01169 algorithm,
01170 flags,
01171 iterations,
01172 salt_length,
01173 salt);
01174 (void) ldns_rr_set_rdf(nsec, NULL, 4);
01175
01176
01177 for (i = 0; i < ldns_rr_list_rr_count(rrs); i++) {
01178 i_rr = ldns_rr_list_rr(rrs, i);
01179 if (ldns_rdf_compare(cur_owner,
01180 ldns_rr_owner(i_rr)) == 0) {
01181 i_type = ldns_rr_get_type(i_rr);
01182 if (type_count == 0 || i_type_list[type_count-1] != i_type) {
01183 i_type_list[type_count] = i_type;
01184 type_count++;
01185 }
01186 }
01187 }
01188
01189
01190
01191 if (!emptynonterminal && !rr_list_delegation_only(cur_zone, rrs)) {
01192 i_type_list[type_count] = LDNS_RR_TYPE_RRSIG;
01193 type_count++;
01194 }
01195
01196
01197 if (ldns_dname_compare(cur_zone, cur_owner) == 0) {
01198 i_type_list[type_count] = LDNS_RR_TYPE_SOA;
01199 type_count++;
01200 }
01201
01202 ldns_rr_push_rdf(nsec,
01203 ldns_dnssec_create_nsec_bitmap(i_type_list,
01204 type_count, LDNS_RR_TYPE_NSEC3));
01205
01206 return nsec;
01207 }
01208
01209 uint8_t
01210 ldns_nsec3_algorithm(const ldns_rr *nsec3_rr)
01211 {
01212 if (nsec3_rr &&
01213 (ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3 ||
01214 ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3PARAM)
01215 && (ldns_rr_rdf(nsec3_rr, 0) != NULL)
01216 && ldns_rdf_size(ldns_rr_rdf(nsec3_rr, 0)) > 0) {
01217 return ldns_rdf2native_int8(ldns_rr_rdf(nsec3_rr, 0));
01218 }
01219 return 0;
01220 }
01221
01222 uint8_t
01223 ldns_nsec3_flags(const ldns_rr *nsec3_rr)
01224 {
01225 if (nsec3_rr &&
01226 (ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3 ||
01227 ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3PARAM)
01228 && (ldns_rr_rdf(nsec3_rr, 1) != NULL)
01229 && ldns_rdf_size(ldns_rr_rdf(nsec3_rr, 1)) > 0) {
01230 return ldns_rdf2native_int8(ldns_rr_rdf(nsec3_rr, 1));
01231 }
01232 return 0;
01233 }
01234
01235 bool
01236 ldns_nsec3_optout(const ldns_rr *nsec3_rr)
01237 {
01238 return (ldns_nsec3_flags(nsec3_rr) & LDNS_NSEC3_VARS_OPTOUT_MASK);
01239 }
01240
01241 uint16_t
01242 ldns_nsec3_iterations(const ldns_rr *nsec3_rr)
01243 {
01244 if (nsec3_rr &&
01245 (ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3 ||
01246 ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3PARAM)
01247 && (ldns_rr_rdf(nsec3_rr, 2) != NULL)
01248 && ldns_rdf_size(ldns_rr_rdf(nsec3_rr, 2)) > 0) {
01249 return ldns_rdf2native_int16(ldns_rr_rdf(nsec3_rr, 2));
01250 }
01251 return 0;
01252
01253 }
01254
01255 ldns_rdf *
01256 ldns_nsec3_salt(const ldns_rr *nsec3_rr)
01257 {
01258 if (nsec3_rr &&
01259 (ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3 ||
01260 ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3PARAM)
01261 ) {
01262 return ldns_rr_rdf(nsec3_rr, 3);
01263 }
01264 return NULL;
01265 }
01266
01267 uint8_t
01268 ldns_nsec3_salt_length(const ldns_rr *nsec3_rr)
01269 {
01270 ldns_rdf *salt_rdf = ldns_nsec3_salt(nsec3_rr);
01271 if (salt_rdf && ldns_rdf_size(salt_rdf) > 0) {
01272 return (uint8_t) ldns_rdf_data(salt_rdf)[0];
01273 }
01274 return 0;
01275 }
01276
01277
01278 uint8_t *
01279 ldns_nsec3_salt_data(const ldns_rr *nsec3_rr)
01280 {
01281 uint8_t salt_length;
01282 uint8_t *salt;
01283
01284 ldns_rdf *salt_rdf = ldns_nsec3_salt(nsec3_rr);
01285 if (salt_rdf && ldns_rdf_size(salt_rdf) > 0) {
01286 salt_length = ldns_rdf_data(salt_rdf)[0];
01287 salt = LDNS_XMALLOC(uint8_t, salt_length);
01288 if(!salt) return NULL;
01289 memcpy(salt, &ldns_rdf_data(salt_rdf)[1], salt_length);
01290 return salt;
01291 }
01292 return NULL;
01293 }
01294
01295 ldns_rdf *
01296 ldns_nsec3_next_owner(const ldns_rr *nsec3_rr)
01297 {
01298 if (!nsec3_rr || ldns_rr_get_type(nsec3_rr) != LDNS_RR_TYPE_NSEC3) {
01299 return NULL;
01300 } else {
01301 return ldns_rr_rdf(nsec3_rr, 4);
01302 }
01303 }
01304
01305 ldns_rdf *
01306 ldns_nsec3_bitmap(const ldns_rr *nsec3_rr)
01307 {
01308 if (!nsec3_rr || ldns_rr_get_type(nsec3_rr) != LDNS_RR_TYPE_NSEC3) {
01309 return NULL;
01310 } else {
01311 return ldns_rr_rdf(nsec3_rr, 5);
01312 }
01313 }
01314
01315 ldns_rdf *
01316 ldns_nsec3_hash_name_frm_nsec3(const ldns_rr *nsec, ldns_rdf *name)
01317 {
01318 uint8_t algorithm;
01319 uint16_t iterations;
01320 uint8_t salt_length;
01321 uint8_t *salt = 0;
01322
01323 ldns_rdf *hashed_owner;
01324
01325 algorithm = ldns_nsec3_algorithm(nsec);
01326 salt_length = ldns_nsec3_salt_length(nsec);
01327 salt = ldns_nsec3_salt_data(nsec);
01328 iterations = ldns_nsec3_iterations(nsec);
01329
01330 hashed_owner = ldns_nsec3_hash_name(name,
01331 algorithm,
01332 iterations,
01333 salt_length,
01334 salt);
01335
01336 LDNS_FREE(salt);
01337 return hashed_owner;
01338 }
01339
01340 bool
01341 ldns_nsec_bitmap_covers_type(const ldns_rdf *nsec_bitmap, ldns_rr_type type)
01342 {
01343 uint8_t window_block_nr;
01344 uint8_t bitmap_length;
01345 uint16_t cur_type;
01346 uint16_t pos = 0;
01347 uint16_t bit_pos;
01348 uint8_t *data;
01349
01350 if (nsec_bitmap == NULL) {
01351 return false;
01352 }
01353 data = ldns_rdf_data(nsec_bitmap);
01354 while(pos < ldns_rdf_size(nsec_bitmap)) {
01355 window_block_nr = data[pos];
01356 bitmap_length = data[pos + 1];
01357 pos += 2;
01358
01359 for (bit_pos = 0; bit_pos < (bitmap_length) * 8; bit_pos++) {
01360 if (ldns_get_bit(&data[pos], bit_pos)) {
01361 cur_type = 256 * (uint16_t) window_block_nr + bit_pos;
01362 if (cur_type == type) {
01363 return true;
01364 }
01365 }
01366 }
01367
01368 pos += (uint16_t) bitmap_length;
01369 }
01370 return false;
01371 }
01372
01373 bool
01374 ldns_nsec_covers_name(const ldns_rr *nsec, const ldns_rdf *name)
01375 {
01376 ldns_rdf *nsec_owner = ldns_rr_owner(nsec);
01377 ldns_rdf *hash_next;
01378 char *next_hash_str;
01379 ldns_rdf *nsec_next = NULL;
01380 ldns_status status;
01381 ldns_rdf *chopped_dname;
01382 bool result;
01383
01384 if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC) {
01385 if (ldns_rr_rdf(nsec, 0) != NULL) {
01386 nsec_next = ldns_rdf_clone(ldns_rr_rdf(nsec, 0));
01387 } else {
01388 return false;
01389 }
01390 } else if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC3) {
01391 hash_next = ldns_nsec3_next_owner(nsec);
01392 next_hash_str = ldns_rdf2str(hash_next);
01393 nsec_next = ldns_dname_new_frm_str(next_hash_str);
01394 LDNS_FREE(next_hash_str);
01395 chopped_dname = ldns_dname_left_chop(nsec_owner);
01396 status = ldns_dname_cat(nsec_next, chopped_dname);
01397 ldns_rdf_deep_free(chopped_dname);
01398 if (status != LDNS_STATUS_OK) {
01399 printf("error catting: %s\n", ldns_get_errorstr_by_id(status));
01400 }
01401 } else {
01402 ldns_rdf_deep_free(nsec_next);
01403 return false;
01404 }
01405
01406
01407 if(ldns_dname_compare(nsec_owner, nsec_next) > 0) {
01408 result = (ldns_dname_compare(nsec_owner, name) <= 0 ||
01409 ldns_dname_compare(name, nsec_next) < 0);
01410 } else {
01411 result = (ldns_dname_compare(nsec_owner, name) <= 0 &&
01412 ldns_dname_compare(name, nsec_next) < 0);
01413 }
01414
01415 ldns_rdf_deep_free(nsec_next);
01416 return result;
01417 }
01418
01419 #ifdef HAVE_SSL
01420
01421
01422 ldns_status
01423 ldns_pkt_verify_time(ldns_pkt *p, ldns_rr_type t, ldns_rdf *o,
01424 ldns_rr_list *k, ldns_rr_list *s,
01425 time_t check_time, ldns_rr_list *good_keys)
01426 {
01427 ldns_rr_list *rrset;
01428 ldns_rr_list *sigs;
01429 ldns_rr_list *sigs_covered;
01430 ldns_rdf *rdf_t;
01431 ldns_rr_type t_netorder;
01432
01433 if (!k) {
01434 return LDNS_STATUS_ERR;
01435
01436 }
01437
01438 if (t == LDNS_RR_TYPE_RRSIG) {
01439
01440 return LDNS_STATUS_ERR;
01441 }
01442
01443 if (s) {
01444
01445 sigs = s;
01446 } else {
01447
01448 sigs = ldns_pkt_rr_list_by_name_and_type(p, o,
01449 LDNS_RR_TYPE_RRSIG,
01450 LDNS_SECTION_ANY_NOQUESTION);
01451 if (!sigs) {
01452
01453 return LDNS_STATUS_ERR;
01454
01455 }
01456 }
01457
01458
01459
01460
01461 t_netorder = htons(t);
01462
01463 rdf_t = ldns_rdf_new(LDNS_RDF_TYPE_TYPE, 2, &t_netorder);
01464
01465 sigs_covered = ldns_rr_list_subtype_by_rdf(sigs, rdf_t, 0);
01466 ldns_rdf_free(rdf_t);
01467 if (! sigs_covered) {
01468 if (! s) {
01469 ldns_rr_list_deep_free(sigs);
01470 }
01471 return LDNS_STATUS_ERR;
01472 }
01473 ldns_rr_list_deep_free(sigs_covered);
01474
01475 rrset = ldns_pkt_rr_list_by_name_and_type(p, o, t,
01476 LDNS_SECTION_ANY_NOQUESTION);
01477 if (!rrset) {
01478 if (! s) {
01479 ldns_rr_list_deep_free(sigs);
01480 }
01481 return LDNS_STATUS_ERR;
01482 }
01483 return ldns_verify_time(rrset, sigs, k, check_time, good_keys);
01484 }
01485
01486 ldns_status
01487 ldns_pkt_verify(ldns_pkt *p, ldns_rr_type t, ldns_rdf *o,
01488 ldns_rr_list *k, ldns_rr_list *s, ldns_rr_list *good_keys)
01489 {
01490 return ldns_pkt_verify_time(p, t, o, k, s, ldns_time(NULL), good_keys);
01491 }
01492 #endif
01493
01494 ldns_status
01495 ldns_dnssec_chain_nsec3_list(ldns_rr_list *nsec3_rrs)
01496 {
01497 size_t i;
01498 char *next_nsec_owner_str;
01499 ldns_rdf *next_nsec_owner_label;
01500 ldns_rdf *next_nsec_rdf;
01501 ldns_status status = LDNS_STATUS_OK;
01502
01503 for (i = 0; i < ldns_rr_list_rr_count(nsec3_rrs); i++) {
01504 if (i == ldns_rr_list_rr_count(nsec3_rrs) - 1) {
01505 next_nsec_owner_label =
01506 ldns_dname_label(ldns_rr_owner(ldns_rr_list_rr(nsec3_rrs,
01507 0)), 0);
01508 next_nsec_owner_str = ldns_rdf2str(next_nsec_owner_label);
01509 if (next_nsec_owner_str[strlen(next_nsec_owner_str) - 1]
01510 == '.') {
01511 next_nsec_owner_str[strlen(next_nsec_owner_str) - 1]
01512 = '\0';
01513 }
01514 status = ldns_str2rdf_b32_ext(&next_nsec_rdf,
01515 next_nsec_owner_str);
01516 if (!ldns_rr_set_rdf(ldns_rr_list_rr(nsec3_rrs, i),
01517 next_nsec_rdf, 4)) {
01518
01519 }
01520
01521 ldns_rdf_deep_free(next_nsec_owner_label);
01522 LDNS_FREE(next_nsec_owner_str);
01523 } else {
01524 next_nsec_owner_label =
01525 ldns_dname_label(ldns_rr_owner(ldns_rr_list_rr(nsec3_rrs,
01526 i + 1)),
01527 0);
01528 next_nsec_owner_str = ldns_rdf2str(next_nsec_owner_label);
01529 if (next_nsec_owner_str[strlen(next_nsec_owner_str) - 1]
01530 == '.') {
01531 next_nsec_owner_str[strlen(next_nsec_owner_str) - 1]
01532 = '\0';
01533 }
01534 status = ldns_str2rdf_b32_ext(&next_nsec_rdf,
01535 next_nsec_owner_str);
01536 ldns_rdf_deep_free(next_nsec_owner_label);
01537 LDNS_FREE(next_nsec_owner_str);
01538 if (!ldns_rr_set_rdf(ldns_rr_list_rr(nsec3_rrs, i),
01539 next_nsec_rdf, 4)) {
01540
01541 }
01542 }
01543 }
01544 return status;
01545 }
01546
01547 int
01548 qsort_rr_compare_nsec3(const void *a, const void *b)
01549 {
01550 const ldns_rr *rr1 = * (const ldns_rr **) a;
01551 const ldns_rr *rr2 = * (const ldns_rr **) b;
01552 if (rr1 == NULL && rr2 == NULL) {
01553 return 0;
01554 }
01555 if (rr1 == NULL) {
01556 return -1;
01557 }
01558 if (rr2 == NULL) {
01559 return 1;
01560 }
01561 return ldns_rdf_compare(ldns_rr_owner(rr1), ldns_rr_owner(rr2));
01562 }
01563
01564 void
01565 ldns_rr_list_sort_nsec3(ldns_rr_list *unsorted)
01566 {
01567 qsort(unsorted->_rrs,
01568 ldns_rr_list_rr_count(unsorted),
01569 sizeof(ldns_rr *),
01570 qsort_rr_compare_nsec3);
01571 }
01572
01573 int
01574 ldns_dnssec_default_add_to_signatures( ATTR_UNUSED(ldns_rr *sig)
01575 , ATTR_UNUSED(void *n)
01576 )
01577 {
01578 return LDNS_SIGNATURE_LEAVE_ADD_NEW;
01579 }
01580
01581 int
01582 ldns_dnssec_default_leave_signatures( ATTR_UNUSED(ldns_rr *sig)
01583 , ATTR_UNUSED(void *n)
01584 )
01585 {
01586 return LDNS_SIGNATURE_LEAVE_NO_ADD;
01587 }
01588
01589 int
01590 ldns_dnssec_default_delete_signatures( ATTR_UNUSED(ldns_rr *sig)
01591 , ATTR_UNUSED(void *n)
01592 )
01593 {
01594 return LDNS_SIGNATURE_REMOVE_NO_ADD;
01595 }
01596
01597 int
01598 ldns_dnssec_default_replace_signatures( ATTR_UNUSED(ldns_rr *sig)
01599 , ATTR_UNUSED(void *n)
01600 )
01601 {
01602 return LDNS_SIGNATURE_REMOVE_ADD_NEW;
01603 }
01604
01605 #ifdef HAVE_SSL
01606 ldns_rdf *
01607 ldns_convert_dsa_rrsig_asn12rdf(const ldns_buffer *sig,
01608 const long sig_len)
01609 {
01610 ldns_rdf *sigdata_rdf;
01611 DSA_SIG *dsasig;
01612 unsigned char *dsasig_data = (unsigned char*)ldns_buffer_begin(sig);
01613 size_t byte_offset;
01614
01615 dsasig = d2i_DSA_SIG(NULL,
01616 (const unsigned char **)&dsasig_data,
01617 sig_len);
01618 if (!dsasig) {
01619 DSA_SIG_free(dsasig);
01620 return NULL;
01621 }
01622
01623 dsasig_data = LDNS_XMALLOC(unsigned char, 41);
01624 if(!dsasig_data) {
01625 DSA_SIG_free(dsasig);
01626 return NULL;
01627 }
01628 dsasig_data[0] = 0;
01629 byte_offset = (size_t) (20 - BN_num_bytes(dsasig->r));
01630 if (byte_offset > 20) {
01631 DSA_SIG_free(dsasig);
01632 LDNS_FREE(dsasig_data);
01633 return NULL;
01634 }
01635 memset(&dsasig_data[1], 0, byte_offset);
01636 BN_bn2bin(dsasig->r, &dsasig_data[1 + byte_offset]);
01637 byte_offset = (size_t) (20 - BN_num_bytes(dsasig->s));
01638 if (byte_offset > 20) {
01639 DSA_SIG_free(dsasig);
01640 LDNS_FREE(dsasig_data);
01641 return NULL;
01642 }
01643 memset(&dsasig_data[21], 0, byte_offset);
01644 BN_bn2bin(dsasig->s, &dsasig_data[21 + byte_offset]);
01645
01646 sigdata_rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, 41, dsasig_data);
01647 if(!sigdata_rdf) {
01648 LDNS_FREE(dsasig_data);
01649 }
01650 DSA_SIG_free(dsasig);
01651
01652 return sigdata_rdf;
01653 }
01654
01655 ldns_status
01656 ldns_convert_dsa_rrsig_rdf2asn1(ldns_buffer *target_buffer,
01657 const ldns_rdf *sig_rdf)
01658 {
01659
01660 BIGNUM *R, *S;
01661 DSA_SIG *dsasig;
01662 unsigned char *raw_sig = NULL;
01663 int raw_sig_len;
01664
01665 if(ldns_rdf_size(sig_rdf) < 1 + 2*SHA_DIGEST_LENGTH)
01666 return LDNS_STATUS_SYNTAX_RDATA_ERR;
01667
01668 R = BN_new();
01669 if(!R) return LDNS_STATUS_MEM_ERR;
01670 (void) BN_bin2bn((unsigned char *) ldns_rdf_data(sig_rdf) + 1,
01671 SHA_DIGEST_LENGTH, R);
01672 S = BN_new();
01673 if(!S) {
01674 BN_free(R);
01675 return LDNS_STATUS_MEM_ERR;
01676 }
01677 (void) BN_bin2bn((unsigned char *) ldns_rdf_data(sig_rdf) + 21,
01678 SHA_DIGEST_LENGTH, S);
01679
01680 dsasig = DSA_SIG_new();
01681 if (!dsasig) {
01682 BN_free(R);
01683 BN_free(S);
01684 return LDNS_STATUS_MEM_ERR;
01685 }
01686
01687 dsasig->r = R;
01688 dsasig->s = S;
01689
01690 raw_sig_len = i2d_DSA_SIG(dsasig, &raw_sig);
01691 if (raw_sig_len < 0) {
01692 DSA_SIG_free(dsasig);
01693 free(raw_sig);
01694 return LDNS_STATUS_SSL_ERR;
01695 }
01696 if (ldns_buffer_reserve(target_buffer, (size_t) raw_sig_len)) {
01697 ldns_buffer_write(target_buffer, raw_sig, (size_t)raw_sig_len);
01698 }
01699
01700 DSA_SIG_free(dsasig);
01701 free(raw_sig);
01702
01703 return ldns_buffer_status(target_buffer);
01704 }
01705
01706 #ifdef USE_ECDSA
01707 #ifndef S_SPLINT_S
01708 ldns_rdf *
01709 ldns_convert_ecdsa_rrsig_asn12rdf(const ldns_buffer *sig, const long sig_len)
01710 {
01711 ECDSA_SIG* ecdsa_sig;
01712 unsigned char *data = (unsigned char*)ldns_buffer_begin(sig);
01713 ldns_rdf* rdf;
01714 ecdsa_sig = d2i_ECDSA_SIG(NULL, (const unsigned char **)&data, sig_len);
01715 if(!ecdsa_sig) return NULL;
01716
01717
01718 data = LDNS_XMALLOC(unsigned char,
01719 BN_num_bytes(ecdsa_sig->r) + BN_num_bytes(ecdsa_sig->s));
01720 if(!data) {
01721 ECDSA_SIG_free(ecdsa_sig);
01722 return NULL;
01723 }
01724 BN_bn2bin(ecdsa_sig->r, data);
01725 BN_bn2bin(ecdsa_sig->s, data+BN_num_bytes(ecdsa_sig->r));
01726 rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, (size_t)(
01727 BN_num_bytes(ecdsa_sig->r) + BN_num_bytes(ecdsa_sig->s)), data);
01728 ECDSA_SIG_free(ecdsa_sig);
01729 return rdf;
01730 }
01731
01732 ldns_status
01733 ldns_convert_ecdsa_rrsig_rdf2asn1(ldns_buffer *target_buffer,
01734 const ldns_rdf *sig_rdf)
01735 {
01736 ECDSA_SIG* sig;
01737 int raw_sig_len;
01738 long bnsize = (long)ldns_rdf_size(sig_rdf) / 2;
01739
01740 if(bnsize < 16 || (size_t)bnsize*2 != ldns_rdf_size(sig_rdf))
01741 return LDNS_STATUS_ERR;
01742
01743
01744 sig = ECDSA_SIG_new();
01745 if(!sig) return LDNS_STATUS_MEM_ERR;
01746 sig->r = BN_bin2bn((const unsigned char*)ldns_rdf_data(sig_rdf),
01747 bnsize, sig->r);
01748 sig->s = BN_bin2bn((const unsigned char*)ldns_rdf_data(sig_rdf)+bnsize,
01749 bnsize, sig->s);
01750 if(!sig->r || !sig->s) {
01751 ECDSA_SIG_free(sig);
01752 return LDNS_STATUS_MEM_ERR;
01753 }
01754
01755 raw_sig_len = i2d_ECDSA_SIG(sig, NULL);
01756 if (ldns_buffer_reserve(target_buffer, (size_t) raw_sig_len)) {
01757 unsigned char* pp = (unsigned char*)
01758 ldns_buffer_current(target_buffer);
01759 raw_sig_len = i2d_ECDSA_SIG(sig, &pp);
01760 ldns_buffer_skip(target_buffer, (ssize_t) raw_sig_len);
01761 }
01762 ECDSA_SIG_free(sig);
01763
01764 return ldns_buffer_status(target_buffer);
01765 }
01766
01767 #endif
01768 #endif
01769 #endif