00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012 #include <ldns/config.h>
00013
00014 #include <ldns/ldns.h>
00015 #include <ldns/dnssec.h>
00016
00017 #include <strings.h>
00018 #include <time.h>
00019
00020 #ifdef HAVE_SSL
00021 #include <openssl/ssl.h>
00022 #include <openssl/evp.h>
00023 #include <openssl/rand.h>
00024 #include <openssl/err.h>
00025 #include <openssl/md5.h>
00026 #endif
00027
00028 ldns_rr *
00029 ldns_dnssec_get_rrsig_for_name_and_type(const ldns_rdf *name,
00030 const ldns_rr_type type,
00031 const ldns_rr_list *rrs)
00032 {
00033 size_t i;
00034 ldns_rr *candidate;
00035
00036 if (!name || !rrs) {
00037 return NULL;
00038 }
00039
00040 for (i = 0; i < ldns_rr_list_rr_count(rrs); i++) {
00041 candidate = ldns_rr_list_rr(rrs, i);
00042 if (ldns_rr_get_type(candidate) == LDNS_RR_TYPE_RRSIG) {
00043 if (ldns_dname_compare(ldns_rr_owner(candidate),
00044 name) == 0 &&
00045 ldns_rdf2rr_type(ldns_rr_rrsig_typecovered(candidate))
00046 == type
00047 ) {
00048 return candidate;
00049 }
00050 }
00051 }
00052
00053 return NULL;
00054 }
00055
00056 ldns_rr *
00057 ldns_dnssec_get_dnskey_for_rrsig(const ldns_rr *rrsig,
00058 const ldns_rr_list *rrs)
00059 {
00060 size_t i;
00061 ldns_rr *candidate;
00062
00063 if (!rrsig || !rrs) {
00064 return NULL;
00065 }
00066
00067 for (i = 0; i < ldns_rr_list_rr_count(rrs); i++) {
00068 candidate = ldns_rr_list_rr(rrs, i);
00069 if (ldns_rr_get_type(candidate) == LDNS_RR_TYPE_DNSKEY) {
00070 if (ldns_dname_compare(ldns_rr_owner(candidate),
00071 ldns_rr_rrsig_signame(rrsig)) == 0 &&
00072 ldns_rdf2native_int16(ldns_rr_rrsig_keytag(rrsig)) ==
00073 ldns_calc_keytag(candidate)
00074 ) {
00075 return candidate;
00076 }
00077 }
00078 }
00079
00080 return NULL;
00081 }
00082
00083 ldns_rdf *
00084 ldns_nsec_get_bitmap(ldns_rr *nsec) {
00085 if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC) {
00086 return ldns_rr_rdf(nsec, 1);
00087 } else if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC3) {
00088 return ldns_rr_rdf(nsec, 5);
00089 } else {
00090 return NULL;
00091 }
00092 }
00093
00094
00095
00096 ldns_rdf *
00097 ldns_dnssec_nsec3_closest_encloser(ldns_rdf *qname,
00098 ATTR_UNUSED(ldns_rr_type qtype),
00099 ldns_rr_list *nsec3s)
00100 {
00101
00102 uint8_t algorithm;
00103 uint32_t iterations;
00104 uint8_t salt_length;
00105 uint8_t *salt;
00106
00107 ldns_rdf *sname, *hashed_sname, *tmp;
00108 bool flag;
00109
00110 bool exact_match_found;
00111 bool in_range_found;
00112
00113 ldns_status status;
00114 ldns_rdf *zone_name;
00115
00116 size_t nsec_i;
00117 ldns_rr *nsec;
00118 ldns_rdf *result = NULL;
00119 qtype = qtype;
00120
00121 if (!qname || !nsec3s || ldns_rr_list_rr_count(nsec3s) < 1) {
00122 return NULL;
00123 }
00124
00125 nsec = ldns_rr_list_rr(nsec3s, 0);
00126 algorithm = ldns_nsec3_algorithm(nsec);
00127 salt_length = ldns_nsec3_salt_length(nsec);
00128 salt = ldns_nsec3_salt_data(nsec);
00129 iterations = ldns_nsec3_iterations(nsec);
00130
00131 sname = ldns_rdf_clone(qname);
00132
00133 flag = false;
00134
00135 zone_name = ldns_dname_left_chop(ldns_rr_owner(nsec));
00136
00137
00138 while (ldns_dname_label_count(sname) > 0) {
00139 exact_match_found = false;
00140 in_range_found = false;
00141
00142 hashed_sname = ldns_nsec3_hash_name(sname,
00143 algorithm,
00144 iterations,
00145 salt_length,
00146 salt);
00147
00148 status = ldns_dname_cat(hashed_sname, zone_name);
00149 if(status != LDNS_STATUS_OK) {
00150 LDNS_FREE(salt);
00151 ldns_rdf_deep_free(zone_name);
00152 ldns_rdf_deep_free(sname);
00153 return NULL;
00154 }
00155
00156 for (nsec_i = 0; nsec_i < ldns_rr_list_rr_count(nsec3s); nsec_i++) {
00157 nsec = ldns_rr_list_rr(nsec3s, nsec_i);
00158
00159
00160
00161
00162 if (ldns_dname_compare(ldns_rr_owner(nsec), hashed_sname) == 0) {
00163 exact_match_found = true;
00164 } else if (ldns_nsec_covers_name(nsec, hashed_sname)) {
00165 in_range_found = true;
00166 }
00167
00168 }
00169 if (!exact_match_found && in_range_found) {
00170 flag = true;
00171 } else if (exact_match_found && flag) {
00172 result = ldns_rdf_clone(sname);
00173
00174 ldns_rdf_deep_free(hashed_sname);
00175 goto done;
00176 } else if (exact_match_found && !flag) {
00177
00178 ldns_rdf_deep_free(hashed_sname);
00179 goto done;
00180 } else {
00181 flag = false;
00182 }
00183
00184 ldns_rdf_deep_free(hashed_sname);
00185 tmp = sname;
00186 sname = ldns_dname_left_chop(sname);
00187 ldns_rdf_deep_free(tmp);
00188 }
00189
00190 done:
00191 LDNS_FREE(salt);
00192 ldns_rdf_deep_free(zone_name);
00193 ldns_rdf_deep_free(sname);
00194
00195 return result;
00196 }
00197
00198 bool
00199 ldns_dnssec_pkt_has_rrsigs(const ldns_pkt *pkt)
00200 {
00201 size_t i;
00202 for (i = 0; i < ldns_pkt_ancount(pkt); i++) {
00203 if (ldns_rr_get_type(ldns_rr_list_rr(ldns_pkt_answer(pkt), i)) ==
00204 LDNS_RR_TYPE_RRSIG) {
00205 return true;
00206 }
00207 }
00208 for (i = 0; i < ldns_pkt_nscount(pkt); i++) {
00209 if (ldns_rr_get_type(ldns_rr_list_rr(ldns_pkt_authority(pkt), i)) ==
00210 LDNS_RR_TYPE_RRSIG) {
00211 return true;
00212 }
00213 }
00214 return false;
00215 }
00216
00217 ldns_rr_list *
00218 ldns_dnssec_pkt_get_rrsigs_for_name_and_type(const ldns_pkt *pkt,
00219 ldns_rdf *name,
00220 ldns_rr_type type)
00221 {
00222 uint16_t t_netorder;
00223 ldns_rr_list *sigs;
00224 ldns_rr_list *sigs_covered;
00225 ldns_rdf *rdf_t;
00226
00227 sigs = ldns_pkt_rr_list_by_name_and_type(pkt,
00228 name,
00229 LDNS_RR_TYPE_RRSIG,
00230 LDNS_SECTION_ANY_NOQUESTION
00231 );
00232
00233 t_netorder = htons(type);
00234 rdf_t = ldns_rdf_new(LDNS_RDF_TYPE_TYPE, LDNS_RDF_SIZE_WORD, &t_netorder);
00235 sigs_covered = ldns_rr_list_subtype_by_rdf(sigs, rdf_t, 0);
00236
00237 ldns_rdf_free(rdf_t);
00238 ldns_rr_list_deep_free(sigs);
00239
00240 return sigs_covered;
00241
00242 }
00243
00244 ldns_rr_list *
00245 ldns_dnssec_pkt_get_rrsigs_for_type(const ldns_pkt *pkt, ldns_rr_type type)
00246 {
00247 uint16_t t_netorder;
00248 ldns_rr_list *sigs;
00249 ldns_rr_list *sigs_covered;
00250 ldns_rdf *rdf_t;
00251
00252 sigs = ldns_pkt_rr_list_by_type(pkt,
00253 LDNS_RR_TYPE_RRSIG,
00254 LDNS_SECTION_ANY_NOQUESTION
00255 );
00256
00257 t_netorder = htons(type);
00258 rdf_t = ldns_rdf_new(LDNS_RDF_TYPE_TYPE,
00259 2,
00260 &t_netorder);
00261 sigs_covered = ldns_rr_list_subtype_by_rdf(sigs, rdf_t, 0);
00262
00263 ldns_rdf_free(rdf_t);
00264 ldns_rr_list_deep_free(sigs);
00265
00266 return sigs_covered;
00267
00268 }
00269
00270
00271 uint16_t
00272 ldns_calc_keytag(const ldns_rr *key)
00273 {
00274 uint16_t ac16;
00275 ldns_buffer *keybuf;
00276 size_t keysize;
00277
00278 if (!key) {
00279 return 0;
00280 }
00281
00282 if (ldns_rr_get_type(key) != LDNS_RR_TYPE_DNSKEY &&
00283 ldns_rr_get_type(key) != LDNS_RR_TYPE_KEY
00284 ) {
00285 return 0;
00286 }
00287
00288
00289 keybuf = ldns_buffer_new(LDNS_MIN_BUFLEN);
00290 if (!keybuf) {
00291 return 0;
00292 }
00293 (void)ldns_rr_rdata2buffer_wire(keybuf, key);
00294
00295 keysize= ldns_buffer_position(keybuf);
00296
00297 ac16 = ldns_calc_keytag_raw(ldns_buffer_begin(keybuf), keysize);
00298 ldns_buffer_free(keybuf);
00299 return ac16;
00300 }
00301
00302 uint16_t ldns_calc_keytag_raw(uint8_t* key, size_t keysize)
00303 {
00304 unsigned int i;
00305 uint32_t ac32;
00306 uint16_t ac16;
00307
00308 if(keysize < 4) {
00309 return 0;
00310 }
00311
00312 if (key[3] == LDNS_RSAMD5) {
00313 ac16 = 0;
00314 if (keysize > 4) {
00315 memmove(&ac16, key + keysize - 3, 2);
00316 }
00317 ac16 = ntohs(ac16);
00318 return (uint16_t) ac16;
00319 } else {
00320 ac32 = 0;
00321 for (i = 0; (size_t)i < keysize; ++i) {
00322 ac32 += (i & 1) ? key[i] : key[i] << 8;
00323 }
00324 ac32 += (ac32 >> 16) & 0xFFFF;
00325 return (uint16_t) (ac32 & 0xFFFF);
00326 }
00327 }
00328
00329 #ifdef HAVE_SSL
00330 DSA *
00331 ldns_key_buf2dsa(ldns_buffer *key)
00332 {
00333 return ldns_key_buf2dsa_raw((unsigned char*)ldns_buffer_begin(key),
00334 ldns_buffer_position(key));
00335 }
00336
00337 DSA *
00338 ldns_key_buf2dsa_raw(unsigned char* key, size_t len)
00339 {
00340 uint8_t T;
00341 uint16_t length;
00342 uint16_t offset;
00343 DSA *dsa;
00344 BIGNUM *Q; BIGNUM *P;
00345 BIGNUM *G; BIGNUM *Y;
00346
00347 if(len == 0)
00348 return NULL;
00349 T = (uint8_t)key[0];
00350 length = (64 + T * 8);
00351 offset = 1;
00352
00353 if (T > 8) {
00354 return NULL;
00355 }
00356 if(len < (size_t)1 + SHA_DIGEST_LENGTH + 3*length)
00357 return NULL;
00358
00359 Q = BN_bin2bn(key+offset, SHA_DIGEST_LENGTH, NULL);
00360 offset += SHA_DIGEST_LENGTH;
00361
00362 P = BN_bin2bn(key+offset, (int)length, NULL);
00363 offset += length;
00364
00365 G = BN_bin2bn(key+offset, (int)length, NULL);
00366 offset += length;
00367
00368 Y = BN_bin2bn(key+offset, (int)length, NULL);
00369 offset += length;
00370
00371
00372 if(!Q || !P || !G || !Y || !(dsa = DSA_new())) {
00373 BN_free(Q);
00374 BN_free(P);
00375 BN_free(G);
00376 BN_free(Y);
00377 return NULL;
00378 }
00379 #ifndef S_SPLINT_S
00380 dsa->p = P;
00381 dsa->q = Q;
00382 dsa->g = G;
00383 dsa->pub_key = Y;
00384 #endif
00385
00386 return dsa;
00387 }
00388
00389 RSA *
00390 ldns_key_buf2rsa(ldns_buffer *key)
00391 {
00392 return ldns_key_buf2rsa_raw((unsigned char*)ldns_buffer_begin(key),
00393 ldns_buffer_position(key));
00394 }
00395
00396 RSA *
00397 ldns_key_buf2rsa_raw(unsigned char* key, size_t len)
00398 {
00399 uint16_t offset;
00400 uint16_t exp;
00401 uint16_t int16;
00402 RSA *rsa;
00403 BIGNUM *modulus;
00404 BIGNUM *exponent;
00405
00406 if (len == 0)
00407 return NULL;
00408 if (key[0] == 0) {
00409 if(len < 3)
00410 return NULL;
00411
00412
00413
00414 memmove(&int16, key+1, 2);
00415 exp = ntohs(int16);
00416 offset = 3;
00417 } else {
00418 exp = key[0];
00419 offset = 1;
00420 }
00421
00422
00423 if(len < (size_t)offset + exp + 1)
00424 return NULL;
00425
00426
00427 exponent = BN_new();
00428 if(!exponent) return NULL;
00429 (void) BN_bin2bn(key+offset, (int)exp, exponent);
00430 offset += exp;
00431
00432
00433 modulus = BN_new();
00434 if(!modulus) {
00435 BN_free(exponent);
00436 return NULL;
00437 }
00438
00439 (void) BN_bin2bn(key+offset, (int)(len - offset), modulus);
00440
00441 rsa = RSA_new();
00442 if(!rsa) {
00443 BN_free(exponent);
00444 BN_free(modulus);
00445 return NULL;
00446 }
00447 #ifndef S_SPLINT_S
00448 rsa->n = modulus;
00449 rsa->e = exponent;
00450 #endif
00451
00452 return rsa;
00453 }
00454
00455 int
00456 ldns_digest_evp(unsigned char* data, unsigned int len, unsigned char* dest,
00457 const EVP_MD* md)
00458 {
00459 EVP_MD_CTX* ctx;
00460 ctx = EVP_MD_CTX_create();
00461 if(!ctx)
00462 return false;
00463 if(!EVP_DigestInit_ex(ctx, md, NULL) ||
00464 !EVP_DigestUpdate(ctx, data, len) ||
00465 !EVP_DigestFinal_ex(ctx, dest, NULL)) {
00466 EVP_MD_CTX_destroy(ctx);
00467 return false;
00468 }
00469 EVP_MD_CTX_destroy(ctx);
00470 return true;
00471 }
00472 #endif
00473
00474 ldns_rr *
00475 ldns_key_rr2ds(const ldns_rr *key, ldns_hash h)
00476 {
00477 ldns_rdf *tmp;
00478 ldns_rr *ds;
00479 uint16_t keytag;
00480 uint8_t sha1hash;
00481 uint8_t *digest;
00482 ldns_buffer *data_buf;
00483 #ifdef USE_GOST
00484 const EVP_MD* md = NULL;
00485 #endif
00486
00487 if (ldns_rr_get_type(key) != LDNS_RR_TYPE_DNSKEY) {
00488 return NULL;
00489 }
00490
00491 ds = ldns_rr_new();
00492 if (!ds) {
00493 return NULL;
00494 }
00495 ldns_rr_set_type(ds, LDNS_RR_TYPE_DS);
00496 ldns_rr_set_owner(ds, ldns_rdf_clone(
00497 ldns_rr_owner(key)));
00498 ldns_rr_set_ttl(ds, ldns_rr_ttl(key));
00499 ldns_rr_set_class(ds, ldns_rr_get_class(key));
00500
00501 switch(h) {
00502 default:
00503 case LDNS_SHA1:
00504 digest = LDNS_XMALLOC(uint8_t, LDNS_SHA1_DIGEST_LENGTH);
00505 if (!digest) {
00506 ldns_rr_free(ds);
00507 return NULL;
00508 }
00509 break;
00510 case LDNS_SHA256:
00511 digest = LDNS_XMALLOC(uint8_t, LDNS_SHA256_DIGEST_LENGTH);
00512 if (!digest) {
00513 ldns_rr_free(ds);
00514 return NULL;
00515 }
00516 break;
00517 case LDNS_HASH_GOST:
00518 #ifdef USE_GOST
00519 (void)ldns_key_EVP_load_gost_id();
00520 md = EVP_get_digestbyname("md_gost94");
00521 if(!md) {
00522 ldns_rr_free(ds);
00523 return NULL;
00524 }
00525 digest = LDNS_XMALLOC(uint8_t, EVP_MD_size(md));
00526 if (!digest) {
00527 ldns_rr_free(ds);
00528 return NULL;
00529 }
00530 break;
00531 #else
00532
00533 ldns_rr_free(ds);
00534 return NULL;
00535 #endif
00536 #ifdef USE_ECDSA
00537
00538
00539
00540 case LDNS_SHA384:
00541 digest = LDNS_XMALLOC(uint8_t, SHA384_DIGEST_LENGTH);
00542 if (!digest) {
00543 ldns_rr_free(ds);
00544 return NULL;
00545 }
00546 break;
00547 #endif
00548 }
00549
00550 data_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
00551 if (!data_buf) {
00552 LDNS_FREE(digest);
00553 ldns_rr_free(ds);
00554 return NULL;
00555 }
00556
00557
00558 keytag = htons(ldns_calc_keytag((ldns_rr*)key));
00559 tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT16,
00560 sizeof(uint16_t),
00561 &keytag);
00562 ldns_rr_push_rdf(ds, tmp);
00563
00564
00565 if ((tmp = ldns_rr_rdf(key, 2)) == NULL) {
00566 LDNS_FREE(digest);
00567 ldns_buffer_free(data_buf);
00568 ldns_rr_free(ds);
00569 return NULL;
00570 } else {
00571 ldns_rr_push_rdf(ds, ldns_rdf_clone( tmp ));
00572 }
00573
00574
00575 sha1hash = (uint8_t)h;
00576 tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT8,
00577 sizeof(uint8_t),
00578 &sha1hash);
00579 ldns_rr_push_rdf(ds, tmp);
00580
00581
00582
00583 tmp = ldns_rdf_clone(ldns_rr_owner(key));
00584 ldns_dname2canonical(tmp);
00585 if (ldns_rdf2buffer_wire(data_buf, tmp) != LDNS_STATUS_OK) {
00586 LDNS_FREE(digest);
00587 ldns_buffer_free(data_buf);
00588 ldns_rr_free(ds);
00589 ldns_rdf_deep_free(tmp);
00590 return NULL;
00591 }
00592 ldns_rdf_deep_free(tmp);
00593
00594
00595 if (ldns_rr_rdata2buffer_wire(data_buf,
00596 (ldns_rr*)key) != LDNS_STATUS_OK) {
00597 LDNS_FREE(digest);
00598 ldns_buffer_free(data_buf);
00599 ldns_rr_free(ds);
00600 return NULL;
00601 }
00602 switch(h) {
00603 case LDNS_SHA1:
00604 (void) ldns_sha1((unsigned char *) ldns_buffer_begin(data_buf),
00605 (unsigned int) ldns_buffer_position(data_buf),
00606 (unsigned char *) digest);
00607
00608 tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_HEX,
00609 LDNS_SHA1_DIGEST_LENGTH,
00610 digest);
00611 ldns_rr_push_rdf(ds, tmp);
00612
00613 break;
00614 case LDNS_SHA256:
00615 (void) ldns_sha256((unsigned char *) ldns_buffer_begin(data_buf),
00616 (unsigned int) ldns_buffer_position(data_buf),
00617 (unsigned char *) digest);
00618 tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_HEX,
00619 LDNS_SHA256_DIGEST_LENGTH,
00620 digest);
00621 ldns_rr_push_rdf(ds, tmp);
00622 break;
00623 case LDNS_HASH_GOST:
00624 #ifdef USE_GOST
00625 if(!ldns_digest_evp((unsigned char *) ldns_buffer_begin(data_buf),
00626 (unsigned int) ldns_buffer_position(data_buf),
00627 (unsigned char *) digest, md)) {
00628 LDNS_FREE(digest);
00629 ldns_buffer_free(data_buf);
00630 ldns_rr_free(ds);
00631 return NULL;
00632 }
00633 tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_HEX,
00634 (size_t)EVP_MD_size(md),
00635 digest);
00636 ldns_rr_push_rdf(ds, tmp);
00637 #endif
00638 break;
00639 #ifdef USE_ECDSA
00640 case LDNS_SHA384:
00641 (void) SHA384((unsigned char *) ldns_buffer_begin(data_buf),
00642 (unsigned int) ldns_buffer_position(data_buf),
00643 (unsigned char *) digest);
00644 tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_HEX,
00645 SHA384_DIGEST_LENGTH,
00646 digest);
00647 ldns_rr_push_rdf(ds, tmp);
00648 break;
00649 #endif
00650 }
00651
00652 LDNS_FREE(digest);
00653 ldns_buffer_free(data_buf);
00654 return ds;
00655 }
00656
00657 ldns_rdf *
00658 ldns_dnssec_create_nsec_bitmap(ldns_rr_type rr_type_list[],
00659 size_t size,
00660 ldns_rr_type nsec_type)
00661 {
00662 size_t i;
00663 uint8_t *bitmap;
00664 uint16_t bm_len = 0;
00665 uint16_t i_type;
00666 ldns_rdf *bitmap_rdf;
00667
00668 uint8_t *data = NULL;
00669 uint8_t cur_data[32];
00670 uint8_t cur_window = 0;
00671 uint8_t cur_window_max = 0;
00672 uint16_t cur_data_size = 0;
00673
00674 if (nsec_type != LDNS_RR_TYPE_NSEC &&
00675 nsec_type != LDNS_RR_TYPE_NSEC3) {
00676 return NULL;
00677 }
00678
00679 i_type = 0;
00680 for (i = 0; i < size; i++) {
00681 if (i_type < rr_type_list[i])
00682 i_type = rr_type_list[i];
00683 }
00684 if (i_type < nsec_type) {
00685 i_type = nsec_type;
00686 }
00687
00688 bm_len = i_type / 8 + 2;
00689 bitmap = LDNS_XMALLOC(uint8_t, bm_len);
00690 if(!bitmap) return NULL;
00691 for (i = 0; i < bm_len; i++) {
00692 bitmap[i] = 0;
00693 }
00694
00695 for (i = 0; i < size; i++) {
00696 i_type = rr_type_list[i];
00697 ldns_set_bit(bitmap + (int) i_type / 8,
00698 (int) (7 - (i_type % 8)),
00699 true);
00700 }
00701
00702
00703 memset(cur_data, 0, 32);
00704 for (i = 0; i < bm_len; i++) {
00705 if (i / 32 > cur_window) {
00706
00707 if (cur_window_max > 0) {
00708
00709 data = LDNS_XREALLOC(data,
00710 uint8_t,
00711 cur_data_size + cur_window_max + 3);
00712 if(!data) {
00713 LDNS_FREE(bitmap);
00714 return NULL;
00715 }
00716 data[cur_data_size] = cur_window;
00717 data[cur_data_size + 1] = cur_window_max + 1;
00718 memcpy(data + cur_data_size + 2,
00719 cur_data,
00720 cur_window_max+1);
00721 cur_data_size += cur_window_max + 3;
00722 }
00723 cur_window++;
00724 cur_window_max = 0;
00725 memset(cur_data, 0, 32);
00726 }
00727 cur_data[i%32] = bitmap[i];
00728 if (bitmap[i] > 0) {
00729 cur_window_max = i%32;
00730 }
00731 }
00732 if (cur_window_max > 0 || cur_data[0] != 0) {
00733
00734 data = LDNS_XREALLOC(data,
00735 uint8_t,
00736 cur_data_size + cur_window_max + 3);
00737 if(!data) {
00738 LDNS_FREE(bitmap);
00739 return NULL;
00740 }
00741 data[cur_data_size] = cur_window;
00742 data[cur_data_size + 1] = cur_window_max + 1;
00743 memcpy(data + cur_data_size + 2, cur_data, cur_window_max+1);
00744 cur_data_size += cur_window_max + 3;
00745 }
00746
00747 bitmap_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_NSEC,
00748 cur_data_size,
00749 data);
00750
00751 LDNS_FREE(bitmap);
00752 LDNS_FREE(data);
00753
00754 return bitmap_rdf;
00755 }
00756
00757 int
00758 ldns_dnssec_rrsets_contains_type(ldns_dnssec_rrsets *rrsets,
00759 ldns_rr_type type)
00760 {
00761 ldns_dnssec_rrsets *cur_rrset = rrsets;
00762 while (cur_rrset) {
00763 if (cur_rrset->type == type) {
00764 return 1;
00765 }
00766 cur_rrset = cur_rrset->next;
00767 }
00768 return 0;
00769 }
00770
00771 ldns_rr *
00772 ldns_dnssec_create_nsec(ldns_dnssec_name *from,
00773 ldns_dnssec_name *to,
00774 ldns_rr_type nsec_type)
00775 {
00776 ldns_rr *nsec_rr;
00777 ldns_rr_type types[65536];
00778 size_t type_count = 0;
00779 ldns_dnssec_rrsets *cur_rrsets;
00780 int on_delegation_point;
00781
00782 if (!from || !to || (nsec_type != LDNS_RR_TYPE_NSEC)) {
00783 return NULL;
00784 }
00785
00786 nsec_rr = ldns_rr_new();
00787 ldns_rr_set_type(nsec_rr, nsec_type);
00788 ldns_rr_set_owner(nsec_rr, ldns_rdf_clone(ldns_dnssec_name_name(from)));
00789 ldns_rr_push_rdf(nsec_rr, ldns_rdf_clone(ldns_dnssec_name_name(to)));
00790
00791 on_delegation_point = ldns_dnssec_rrsets_contains_type(
00792 from->rrsets, LDNS_RR_TYPE_NS)
00793 && !ldns_dnssec_rrsets_contains_type(
00794 from->rrsets, LDNS_RR_TYPE_SOA);
00795
00796 cur_rrsets = from->rrsets;
00797 while (cur_rrsets) {
00798
00799
00800 if ((on_delegation_point && (
00801 cur_rrsets->type == LDNS_RR_TYPE_NS
00802 || cur_rrsets->type == LDNS_RR_TYPE_DS))
00803 || (!on_delegation_point &&
00804 cur_rrsets->type != LDNS_RR_TYPE_RRSIG
00805 && cur_rrsets->type != LDNS_RR_TYPE_NSEC)) {
00806
00807 types[type_count] = cur_rrsets->type;
00808 type_count++;
00809 }
00810 cur_rrsets = cur_rrsets->next;
00811
00812 }
00813 types[type_count] = LDNS_RR_TYPE_RRSIG;
00814 type_count++;
00815 types[type_count] = LDNS_RR_TYPE_NSEC;
00816 type_count++;
00817
00818 ldns_rr_push_rdf(nsec_rr, ldns_dnssec_create_nsec_bitmap(types,
00819 type_count,
00820 nsec_type));
00821
00822 return nsec_rr;
00823 }
00824
00825 ldns_rr *
00826 ldns_dnssec_create_nsec3(ldns_dnssec_name *from,
00827 ldns_dnssec_name *to,
00828 ldns_rdf *zone_name,
00829 uint8_t algorithm,
00830 uint8_t flags,
00831 uint16_t iterations,
00832 uint8_t salt_length,
00833 uint8_t *salt)
00834 {
00835 ldns_rr *nsec_rr;
00836 ldns_rr_type types[65536];
00837 size_t type_count = 0;
00838 ldns_dnssec_rrsets *cur_rrsets;
00839 ldns_status status;
00840 int on_delegation_point;
00841
00842 flags = flags;
00843
00844 if (!from) {
00845 return NULL;
00846 }
00847
00848 nsec_rr = ldns_rr_new_frm_type(LDNS_RR_TYPE_NSEC3);
00849 ldns_rr_set_owner(nsec_rr,
00850 ldns_nsec3_hash_name(ldns_dnssec_name_name(from),
00851 algorithm,
00852 iterations,
00853 salt_length,
00854 salt));
00855 status = ldns_dname_cat(ldns_rr_owner(nsec_rr), zone_name);
00856 if(status != LDNS_STATUS_OK) {
00857 ldns_rr_free(nsec_rr);
00858 return NULL;
00859 }
00860 ldns_nsec3_add_param_rdfs(nsec_rr,
00861 algorithm,
00862 flags,
00863 iterations,
00864 salt_length,
00865 salt);
00866
00867 on_delegation_point = ldns_dnssec_rrsets_contains_type(
00868 from->rrsets, LDNS_RR_TYPE_NS)
00869 && !ldns_dnssec_rrsets_contains_type(
00870 from->rrsets, LDNS_RR_TYPE_SOA);
00871 cur_rrsets = from->rrsets;
00872 while (cur_rrsets) {
00873
00874
00875
00876
00877
00878
00879 if ((on_delegation_point && (
00880 cur_rrsets->type == LDNS_RR_TYPE_NS
00881 || cur_rrsets->type == LDNS_RR_TYPE_DS))
00882 || (!on_delegation_point &&
00883 cur_rrsets->type != LDNS_RR_TYPE_RRSIG)) {
00884
00885 types[type_count] = cur_rrsets->type;
00886 type_count++;
00887 }
00888 cur_rrsets = cur_rrsets->next;
00889 }
00890
00891
00892
00893 if (type_count > 0 &&
00894 !(type_count == 1 && types[0] == LDNS_RR_TYPE_NS)) {
00895 types[type_count] = LDNS_RR_TYPE_RRSIG;
00896 type_count++;
00897 }
00898
00899
00900 if (to && to->hashed_name) {
00901 (void) ldns_rr_set_rdf(nsec_rr,
00902 ldns_rdf_clone(to->hashed_name),
00903 4);
00904 } else {
00905 (void) ldns_rr_set_rdf(nsec_rr, NULL, 4);
00906 }
00907
00908 ldns_rr_push_rdf(nsec_rr,
00909 ldns_dnssec_create_nsec_bitmap(types,
00910 type_count,
00911 LDNS_RR_TYPE_NSEC3));
00912
00913 return nsec_rr;
00914 }
00915
00916 ldns_rr *
00917 ldns_create_nsec(ldns_rdf *cur_owner, ldns_rdf *next_owner, ldns_rr_list *rrs)
00918 {
00919
00920
00921
00922
00923
00924
00925
00926
00927 uint16_t i;
00928 ldns_rr *i_rr;
00929 uint16_t i_type;
00930
00931 ldns_rr *nsec = NULL;
00932 ldns_rr_type i_type_list[65536];
00933 size_t type_count = 0;
00934
00935 nsec = ldns_rr_new();
00936 ldns_rr_set_type(nsec, LDNS_RR_TYPE_NSEC);
00937 ldns_rr_set_owner(nsec, ldns_rdf_clone(cur_owner));
00938 ldns_rr_push_rdf(nsec, ldns_rdf_clone(next_owner));
00939
00940 for (i = 0; i < ldns_rr_list_rr_count(rrs); i++) {
00941 i_rr = ldns_rr_list_rr(rrs, i);
00942 if (ldns_rdf_compare(cur_owner,
00943 ldns_rr_owner(i_rr)) == 0) {
00944 i_type = ldns_rr_get_type(i_rr);
00945 if (i_type != LDNS_RR_TYPE_RRSIG && i_type != LDNS_RR_TYPE_NSEC) {
00946 if (type_count == 0 || i_type_list[type_count-1] != i_type) {
00947 i_type_list[type_count] = i_type;
00948 type_count++;
00949 }
00950 }
00951 }
00952 }
00953
00954 i_type_list[type_count] = LDNS_RR_TYPE_RRSIG;
00955 type_count++;
00956 i_type_list[type_count] = LDNS_RR_TYPE_NSEC;
00957 type_count++;
00958
00959 ldns_rr_push_rdf(nsec,
00960 ldns_dnssec_create_nsec_bitmap(i_type_list,
00961 type_count, LDNS_RR_TYPE_NSEC));
00962
00963 return nsec;
00964 }
00965
00966 ldns_rdf *
00967 ldns_nsec3_hash_name(ldns_rdf *name,
00968 uint8_t algorithm,
00969 uint16_t iterations,
00970 uint8_t salt_length,
00971 uint8_t *salt)
00972 {
00973 size_t hashed_owner_str_len;
00974 ldns_rdf *cann;
00975 ldns_rdf *hashed_owner;
00976 unsigned char *hashed_owner_str;
00977 char *hashed_owner_b32;
00978 size_t hashed_owner_b32_len;
00979 uint32_t cur_it;
00980
00981
00982 unsigned char hash[LDNS_SHA1_DIGEST_LENGTH];
00983 ldns_status status;
00984
00985
00986 if (algorithm != LDNS_SHA1) {
00987 return NULL;
00988 }
00989
00990
00991 cann = ldns_rdf_clone(name);
00992 if(!cann) {
00993 fprintf(stderr, "Memory error\n");
00994 return NULL;
00995 }
00996 ldns_dname2canonical(cann);
00997
00998 hashed_owner_str_len = salt_length + ldns_rdf_size(cann);
00999 hashed_owner_str = LDNS_XMALLOC(unsigned char, hashed_owner_str_len);
01000 if(!hashed_owner_str) {
01001 ldns_rdf_deep_free(cann);
01002 return NULL;
01003 }
01004 memcpy(hashed_owner_str, ldns_rdf_data(cann), ldns_rdf_size(cann));
01005 memcpy(hashed_owner_str + ldns_rdf_size(cann), salt, salt_length);
01006 ldns_rdf_deep_free(cann);
01007
01008 for (cur_it = iterations + 1; cur_it > 0; cur_it--) {
01009 (void) ldns_sha1((unsigned char *) hashed_owner_str,
01010 (unsigned int) hashed_owner_str_len, hash);
01011
01012 LDNS_FREE(hashed_owner_str);
01013 hashed_owner_str_len = salt_length + LDNS_SHA1_DIGEST_LENGTH;
01014 hashed_owner_str = LDNS_XMALLOC(unsigned char, hashed_owner_str_len);
01015 if (!hashed_owner_str) {
01016 return NULL;
01017 }
01018 memcpy(hashed_owner_str, hash, LDNS_SHA1_DIGEST_LENGTH);
01019 memcpy(hashed_owner_str + LDNS_SHA1_DIGEST_LENGTH, salt, salt_length);
01020 hashed_owner_str_len = LDNS_SHA1_DIGEST_LENGTH + salt_length;
01021 }
01022
01023 LDNS_FREE(hashed_owner_str);
01024 hashed_owner_str = hash;
01025 hashed_owner_str_len = LDNS_SHA1_DIGEST_LENGTH;
01026
01027 hashed_owner_b32 = LDNS_XMALLOC(char,
01028 ldns_b32_ntop_calculate_size(hashed_owner_str_len) + 1);
01029 if(!hashed_owner_b32) {
01030 return NULL;
01031 }
01032 hashed_owner_b32_len = (size_t) ldns_b32_ntop_extended_hex(
01033 (uint8_t *) hashed_owner_str,
01034 hashed_owner_str_len,
01035 hashed_owner_b32,
01036 ldns_b32_ntop_calculate_size(hashed_owner_str_len)+1);
01037 if (hashed_owner_b32_len < 1) {
01038 fprintf(stderr, "Error in base32 extended hex encoding ");
01039 fprintf(stderr, "of hashed owner name (name: ");
01040 ldns_rdf_print(stderr, name);
01041 fprintf(stderr, ", return code: %u)\n",
01042 (unsigned int) hashed_owner_b32_len);
01043 LDNS_FREE(hashed_owner_b32);
01044 return NULL;
01045 }
01046 hashed_owner_b32[hashed_owner_b32_len] = '\0';
01047
01048 status = ldns_str2rdf_dname(&hashed_owner, hashed_owner_b32);
01049 if (status != LDNS_STATUS_OK) {
01050 fprintf(stderr, "Error creating rdf from %s\n", hashed_owner_b32);
01051 LDNS_FREE(hashed_owner_b32);
01052 return NULL;
01053 }
01054
01055 LDNS_FREE(hashed_owner_b32);
01056 return hashed_owner;
01057 }
01058
01059 void
01060 ldns_nsec3_add_param_rdfs(ldns_rr *rr,
01061 uint8_t algorithm,
01062 uint8_t flags,
01063 uint16_t iterations,
01064 uint8_t salt_length,
01065 uint8_t *salt)
01066 {
01067 ldns_rdf *salt_rdf = NULL;
01068 uint8_t *salt_data = NULL;
01069 ldns_rdf *old;
01070
01071 old = ldns_rr_set_rdf(rr,
01072 ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT8,
01073 1, (void*)&algorithm),
01074 0);
01075 if (old) ldns_rdf_deep_free(old);
01076
01077 old = ldns_rr_set_rdf(rr,
01078 ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT8,
01079 1, (void*)&flags),
01080 1);
01081 if (old) ldns_rdf_deep_free(old);
01082
01083 old = ldns_rr_set_rdf(rr,
01084 ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16,
01085 iterations),
01086 2);
01087 if (old) ldns_rdf_deep_free(old);
01088
01089 salt_data = LDNS_XMALLOC(uint8_t, salt_length + 1);
01090 if(!salt_data) {
01091
01092 return;
01093 }
01094 salt_data[0] = salt_length;
01095 memcpy(salt_data + 1, salt, salt_length);
01096 salt_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_NSEC3_SALT,
01097 salt_length + 1,
01098 salt_data);
01099 if(!salt_rdf) {
01100 LDNS_FREE(salt_data);
01101
01102 return;
01103 }
01104
01105 old = ldns_rr_set_rdf(rr, salt_rdf, 3);
01106 if (old) ldns_rdf_deep_free(old);
01107 LDNS_FREE(salt_data);
01108 }
01109
01110 static int
01111 rr_list_delegation_only(ldns_rdf *origin, ldns_rr_list *rr_list)
01112 {
01113 size_t i;
01114 ldns_rr *cur_rr;
01115 if (!origin || !rr_list) return 0;
01116 for (i = 0; i < ldns_rr_list_rr_count(rr_list); i++) {
01117 cur_rr = ldns_rr_list_rr(rr_list, i);
01118 if (ldns_dname_compare(ldns_rr_owner(cur_rr), origin) == 0) {
01119 return 0;
01120 }
01121 if (ldns_rr_get_type(cur_rr) != LDNS_RR_TYPE_NS) {
01122 return 0;
01123 }
01124 }
01125 return 1;
01126 }
01127
01128
01129
01130 ldns_rr *
01131 ldns_create_nsec3(ldns_rdf *cur_owner,
01132 ldns_rdf *cur_zone,
01133 ldns_rr_list *rrs,
01134 uint8_t algorithm,
01135 uint8_t flags,
01136 uint16_t iterations,
01137 uint8_t salt_length,
01138 uint8_t *salt,
01139 bool emptynonterminal)
01140 {
01141 size_t i;
01142 ldns_rr *i_rr;
01143 uint16_t i_type;
01144
01145 ldns_rr *nsec = NULL;
01146 ldns_rdf *hashed_owner = NULL;
01147
01148 ldns_status status;
01149
01150 ldns_rr_type i_type_list[1024];
01151 size_t type_count = 0;
01152
01153 hashed_owner = ldns_nsec3_hash_name(cur_owner,
01154 algorithm,
01155 iterations,
01156 salt_length,
01157 salt);
01158 status = ldns_dname_cat(hashed_owner, cur_zone);
01159 if(status != LDNS_STATUS_OK)
01160 return NULL;
01161
01162 nsec = ldns_rr_new_frm_type(LDNS_RR_TYPE_NSEC3);
01163 if(!nsec)
01164 return NULL;
01165 ldns_rr_set_type(nsec, LDNS_RR_TYPE_NSEC3);
01166 ldns_rr_set_owner(nsec, hashed_owner);
01167
01168 ldns_nsec3_add_param_rdfs(nsec,
01169 algorithm,
01170 flags,
01171 iterations,
01172 salt_length,
01173 salt);
01174 (void) ldns_rr_set_rdf(nsec, NULL, 4);
01175
01176
01177 for (i = 0; i < ldns_rr_list_rr_count(rrs); i++) {
01178 i_rr = ldns_rr_list_rr(rrs, i);
01179 if (ldns_rdf_compare(cur_owner,
01180 ldns_rr_owner(i_rr)) == 0) {
01181 i_type = ldns_rr_get_type(i_rr);
01182 if (type_count == 0 || i_type_list[type_count-1] != i_type) {
01183 i_type_list[type_count] = i_type;
01184 type_count++;
01185 }
01186 }
01187 }
01188
01189
01190
01191 if (!emptynonterminal && !rr_list_delegation_only(cur_zone, rrs)) {
01192 i_type_list[type_count] = LDNS_RR_TYPE_RRSIG;
01193 type_count++;
01194 }
01195
01196
01197 if (ldns_dname_compare(cur_zone, cur_owner) == 0) {
01198 i_type_list[type_count] = LDNS_RR_TYPE_SOA;
01199 type_count++;
01200 }
01201
01202 ldns_rr_push_rdf(nsec,
01203 ldns_dnssec_create_nsec_bitmap(i_type_list,
01204 type_count, LDNS_RR_TYPE_NSEC3));
01205
01206 return nsec;
01207 }
01208
01209 uint8_t
01210 ldns_nsec3_algorithm(const ldns_rr *nsec3_rr)
01211 {
01212 if (nsec3_rr &&
01213 (ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3 ||
01214 ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3PARAM)
01215 && (ldns_rr_rdf(nsec3_rr, 0) != NULL)
01216 && ldns_rdf_size(ldns_rr_rdf(nsec3_rr, 0)) > 0) {
01217 return ldns_rdf2native_int8(ldns_rr_rdf(nsec3_rr, 0));
01218 }
01219 return 0;
01220 }
01221
01222 uint8_t
01223 ldns_nsec3_flags(const ldns_rr *nsec3_rr)
01224 {
01225 if (nsec3_rr &&
01226 (ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3 ||
01227 ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3PARAM)
01228 && (ldns_rr_rdf(nsec3_rr, 1) != NULL)
01229 && ldns_rdf_size(ldns_rr_rdf(nsec3_rr, 1)) > 0) {
01230 return ldns_rdf2native_int8(ldns_rr_rdf(nsec3_rr, 1));
01231 }
01232 return 0;
01233 }
01234
01235 bool
01236 ldns_nsec3_optout(const ldns_rr *nsec3_rr)
01237 {
01238 return (ldns_nsec3_flags(nsec3_rr) & LDNS_NSEC3_VARS_OPTOUT_MASK);
01239 }
01240
01241 uint16_t
01242 ldns_nsec3_iterations(const ldns_rr *nsec3_rr)
01243 {
01244 if (nsec3_rr &&
01245 (ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3 ||
01246 ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3PARAM)
01247 && (ldns_rr_rdf(nsec3_rr, 2) != NULL)
01248 && ldns_rdf_size(ldns_rr_rdf(nsec3_rr, 2)) > 0) {
01249 return ldns_rdf2native_int16(ldns_rr_rdf(nsec3_rr, 2));
01250 }
01251 return 0;
01252
01253 }
01254
01255 ldns_rdf *
01256 ldns_nsec3_salt(const ldns_rr *nsec3_rr)
01257 {
01258 if (nsec3_rr &&
01259 (ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3 ||
01260 ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3PARAM)
01261 ) {
01262 return ldns_rr_rdf(nsec3_rr, 3);
01263 }
01264 return NULL;
01265 }
01266
01267 uint8_t
01268 ldns_nsec3_salt_length(const ldns_rr *nsec3_rr)
01269 {
01270 ldns_rdf *salt_rdf = ldns_nsec3_salt(nsec3_rr);
01271 if (salt_rdf && ldns_rdf_size(salt_rdf) > 0) {
01272 return (uint8_t) ldns_rdf_data(salt_rdf)[0];
01273 }
01274 return 0;
01275 }
01276
01277
01278 uint8_t *
01279 ldns_nsec3_salt_data(const ldns_rr *nsec3_rr)
01280 {
01281 uint8_t salt_length;
01282 uint8_t *salt;
01283
01284 ldns_rdf *salt_rdf = ldns_nsec3_salt(nsec3_rr);
01285 if (salt_rdf && ldns_rdf_size(salt_rdf) > 0) {
01286 salt_length = ldns_rdf_data(salt_rdf)[0];
01287 salt = LDNS_XMALLOC(uint8_t, salt_length);
01288 if(!salt) return NULL;
01289 memcpy(salt, &ldns_rdf_data(salt_rdf)[1], salt_length);
01290 return salt;
01291 }
01292 return NULL;
01293 }
01294
01295 ldns_rdf *
01296 ldns_nsec3_next_owner(const ldns_rr *nsec3_rr)
01297 {
01298 if (!nsec3_rr || ldns_rr_get_type(nsec3_rr) != LDNS_RR_TYPE_NSEC3) {
01299 return NULL;
01300 } else {
01301 return ldns_rr_rdf(nsec3_rr, 4);
01302 }
01303 }
01304
01305 ldns_rdf *
01306 ldns_nsec3_bitmap(const ldns_rr *nsec3_rr)
01307 {
01308 if (!nsec3_rr || ldns_rr_get_type(nsec3_rr) != LDNS_RR_TYPE_NSEC3) {
01309 return NULL;
01310 } else {
01311 return ldns_rr_rdf(nsec3_rr, 5);
01312 }
01313 }
01314
01315 ldns_rdf *
01316 ldns_nsec3_hash_name_frm_nsec3(const ldns_rr *nsec, ldns_rdf *name)
01317 {
01318 uint8_t algorithm;
01319 uint16_t iterations;
01320 uint8_t salt_length;
01321 uint8_t *salt = 0;
01322
01323 ldns_rdf *hashed_owner;
01324
01325 algorithm = ldns_nsec3_algorithm(nsec);
01326 salt_length = ldns_nsec3_salt_length(nsec);
01327 salt = ldns_nsec3_salt_data(nsec);
01328 iterations = ldns_nsec3_iterations(nsec);
01329
01330 hashed_owner = ldns_nsec3_hash_name(name,
01331 algorithm,
01332 iterations,
01333 salt_length,
01334 salt);
01335
01336 LDNS_FREE(salt);
01337 return hashed_owner;
01338 }
01339
01340 bool
01341 ldns_nsec_bitmap_covers_type(const ldns_rdf *nsec_bitmap, ldns_rr_type type)
01342 {
01343 uint8_t window_block_nr;
01344 uint8_t bitmap_length;
01345 uint16_t cur_type;
01346 uint16_t pos = 0;
01347 uint16_t bit_pos;
01348 uint8_t *data;
01349
01350 if (nsec_bitmap == NULL) {
01351 return false;
01352 }
01353 data = ldns_rdf_data(nsec_bitmap);
01354 while(pos < ldns_rdf_size(nsec_bitmap)) {
01355 window_block_nr = data[pos];
01356 bitmap_length = data[pos + 1];
01357 pos += 2;
01358
01359 for (bit_pos = 0; bit_pos < (bitmap_length) * 8; bit_pos++) {
01360 if (ldns_get_bit(&data[pos], bit_pos)) {
01361 cur_type = 256 * (uint16_t) window_block_nr + bit_pos;
01362 if (cur_type == type) {
01363 return true;
01364 }
01365 }
01366 }
01367
01368 pos += (uint16_t) bitmap_length;
01369 }
01370 return false;
01371 }
01372
01373 bool
01374 ldns_nsec_covers_name(const ldns_rr *nsec, const ldns_rdf *name)
01375 {
01376 ldns_rdf *nsec_owner = ldns_rr_owner(nsec);
01377 ldns_rdf *hash_next;
01378 char *next_hash_str;
01379 ldns_rdf *nsec_next = NULL;
01380 ldns_status status;
01381 ldns_rdf *chopped_dname;
01382 bool result;
01383
01384 if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC) {
01385 if (ldns_rr_rdf(nsec, 0) != NULL) {
01386 nsec_next = ldns_rdf_clone(ldns_rr_rdf(nsec, 0));
01387 } else {
01388 return false;
01389 }
01390 } else if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC3) {
01391 hash_next = ldns_nsec3_next_owner(nsec);
01392 next_hash_str = ldns_rdf2str(hash_next);
01393 nsec_next = ldns_dname_new_frm_str(next_hash_str);
01394 LDNS_FREE(next_hash_str);
01395 chopped_dname = ldns_dname_left_chop(nsec_owner);
01396 status = ldns_dname_cat(nsec_next, chopped_dname);
01397 ldns_rdf_deep_free(chopped_dname);
01398 if (status != LDNS_STATUS_OK) {
01399 printf("error catting: %s\n", ldns_get_errorstr_by_id(status));
01400 }
01401 } else {
01402 ldns_rdf_deep_free(nsec_next);
01403 return false;
01404 }
01405
01406
01407 if(ldns_dname_compare(nsec_owner, nsec_next) > 0) {
01408 result = (ldns_dname_compare(nsec_owner, name) <= 0 ||
01409 ldns_dname_compare(name, nsec_next) < 0);
01410 } else {
01411 result = (ldns_dname_compare(nsec_owner, name) <= 0 &&
01412 ldns_dname_compare(name, nsec_next) < 0);
01413 }
01414
01415 ldns_rdf_deep_free(nsec_next);
01416 return result;
01417 }
01418
01419 #ifdef HAVE_SSL
01420
01421
01422 ldns_status
01423 ldns_pkt_verify_time(ldns_pkt *p, ldns_rr_type t, ldns_rdf *o,
01424 ldns_rr_list *k, ldns_rr_list *s,
01425 time_t check_time, ldns_rr_list *good_keys)
01426 {
01427 ldns_rr_list *rrset;
01428 ldns_rr_list *sigs;
01429 ldns_rr_list *sigs_covered;
01430 ldns_rdf *rdf_t;
01431 ldns_rr_type t_netorder;
01432
01433 if (!k) {
01434 return LDNS_STATUS_ERR;
01435
01436 }
01437
01438 if (t == LDNS_RR_TYPE_RRSIG) {
01439
01440 return LDNS_STATUS_ERR;
01441 }
01442
01443 if (s) {
01444
01445 sigs = s;
01446 } else {
01447
01448 sigs = ldns_pkt_rr_list_by_name_and_type(p, o, LDNS_RR_TYPE_RRSIG,
01449 LDNS_SECTION_ANY_NOQUESTION);
01450 if (!sigs) {
01451
01452 return LDNS_STATUS_ERR;
01453
01454 }
01455 }
01456
01457
01458
01459
01460 t_netorder = htons(t);
01461
01462 rdf_t = ldns_rdf_new(LDNS_RDF_TYPE_TYPE,
01463 2,
01464 &t_netorder);
01465 sigs_covered = ldns_rr_list_subtype_by_rdf(sigs, rdf_t, 0);
01466
01467 rrset = ldns_pkt_rr_list_by_name_and_type(p,
01468 o,
01469 t,
01470 LDNS_SECTION_ANY_NOQUESTION);
01471
01472 if (!rrset) {
01473 return LDNS_STATUS_ERR;
01474 }
01475
01476 if (!sigs_covered) {
01477 return LDNS_STATUS_ERR;
01478 }
01479
01480 return ldns_verify_time(rrset, sigs, k, check_time, good_keys);
01481 }
01482
01483 ldns_status
01484 ldns_pkt_verify(ldns_pkt *p, ldns_rr_type t, ldns_rdf *o,
01485 ldns_rr_list *k, ldns_rr_list *s, ldns_rr_list *good_keys)
01486 {
01487 return ldns_pkt_verify_time(p, t, o, k, s, ldns_time(NULL), good_keys);
01488 }
01489 #endif
01490
01491 ldns_status
01492 ldns_dnssec_chain_nsec3_list(ldns_rr_list *nsec3_rrs)
01493 {
01494 size_t i;
01495 char *next_nsec_owner_str;
01496 ldns_rdf *next_nsec_owner_label;
01497 ldns_rdf *next_nsec_rdf;
01498 ldns_status status = LDNS_STATUS_OK;
01499
01500 for (i = 0; i < ldns_rr_list_rr_count(nsec3_rrs); i++) {
01501 if (i == ldns_rr_list_rr_count(nsec3_rrs) - 1) {
01502 next_nsec_owner_label =
01503 ldns_dname_label(ldns_rr_owner(ldns_rr_list_rr(nsec3_rrs,
01504 0)), 0);
01505 next_nsec_owner_str = ldns_rdf2str(next_nsec_owner_label);
01506 if (next_nsec_owner_str[strlen(next_nsec_owner_str) - 1]
01507 == '.') {
01508 next_nsec_owner_str[strlen(next_nsec_owner_str) - 1]
01509 = '\0';
01510 }
01511 status = ldns_str2rdf_b32_ext(&next_nsec_rdf,
01512 next_nsec_owner_str);
01513 if (!ldns_rr_set_rdf(ldns_rr_list_rr(nsec3_rrs, i),
01514 next_nsec_rdf, 4)) {
01515
01516 }
01517
01518 ldns_rdf_deep_free(next_nsec_owner_label);
01519 LDNS_FREE(next_nsec_owner_str);
01520 } else {
01521 next_nsec_owner_label =
01522 ldns_dname_label(ldns_rr_owner(ldns_rr_list_rr(nsec3_rrs,
01523 i + 1)),
01524 0);
01525 next_nsec_owner_str = ldns_rdf2str(next_nsec_owner_label);
01526 if (next_nsec_owner_str[strlen(next_nsec_owner_str) - 1]
01527 == '.') {
01528 next_nsec_owner_str[strlen(next_nsec_owner_str) - 1]
01529 = '\0';
01530 }
01531 status = ldns_str2rdf_b32_ext(&next_nsec_rdf,
01532 next_nsec_owner_str);
01533 ldns_rdf_deep_free(next_nsec_owner_label);
01534 LDNS_FREE(next_nsec_owner_str);
01535 if (!ldns_rr_set_rdf(ldns_rr_list_rr(nsec3_rrs, i),
01536 next_nsec_rdf, 4)) {
01537
01538 }
01539 }
01540 }
01541 return status;
01542 }
01543
01544 int
01545 qsort_rr_compare_nsec3(const void *a, const void *b)
01546 {
01547 const ldns_rr *rr1 = * (const ldns_rr **) a;
01548 const ldns_rr *rr2 = * (const ldns_rr **) b;
01549 if (rr1 == NULL && rr2 == NULL) {
01550 return 0;
01551 }
01552 if (rr1 == NULL) {
01553 return -1;
01554 }
01555 if (rr2 == NULL) {
01556 return 1;
01557 }
01558 return ldns_rdf_compare(ldns_rr_owner(rr1), ldns_rr_owner(rr2));
01559 }
01560
01561 void
01562 ldns_rr_list_sort_nsec3(ldns_rr_list *unsorted)
01563 {
01564 qsort(unsorted->_rrs,
01565 ldns_rr_list_rr_count(unsorted),
01566 sizeof(ldns_rr *),
01567 qsort_rr_compare_nsec3);
01568 }
01569
01570 int
01571 ldns_dnssec_default_add_to_signatures(ldns_rr *sig, void *n)
01572 {
01573 sig = sig;
01574 n = n;
01575 return LDNS_SIGNATURE_LEAVE_ADD_NEW;
01576 }
01577
01578 int
01579 ldns_dnssec_default_leave_signatures(ldns_rr *sig, void *n)
01580 {
01581 sig = sig;
01582 n = n;
01583 return LDNS_SIGNATURE_LEAVE_NO_ADD;
01584 }
01585
01586 int
01587 ldns_dnssec_default_delete_signatures(ldns_rr *sig, void *n)
01588 {
01589 sig = sig;
01590 n = n;
01591 return LDNS_SIGNATURE_REMOVE_NO_ADD;
01592 }
01593
01594 int
01595 ldns_dnssec_default_replace_signatures(ldns_rr *sig, void *n)
01596 {
01597 sig = sig;
01598 n = n;
01599 return LDNS_SIGNATURE_REMOVE_ADD_NEW;
01600 }
01601
01602 #ifdef HAVE_SSL
01603 ldns_rdf *
01604 ldns_convert_dsa_rrsig_asn12rdf(const ldns_buffer *sig,
01605 const long sig_len)
01606 {
01607 ldns_rdf *sigdata_rdf;
01608 DSA_SIG *dsasig;
01609 unsigned char *dsasig_data = (unsigned char*)ldns_buffer_begin(sig);
01610 size_t byte_offset;
01611
01612 dsasig = d2i_DSA_SIG(NULL,
01613 (const unsigned char **)&dsasig_data,
01614 sig_len);
01615 if (!dsasig) {
01616 DSA_SIG_free(dsasig);
01617 return NULL;
01618 }
01619
01620 dsasig_data = LDNS_XMALLOC(unsigned char, 41);
01621 if(!dsasig_data) {
01622 DSA_SIG_free(dsasig);
01623 return NULL;
01624 }
01625 dsasig_data[0] = 0;
01626 byte_offset = (size_t) (20 - BN_num_bytes(dsasig->r));
01627 if (byte_offset > 20) {
01628 DSA_SIG_free(dsasig);
01629 LDNS_FREE(dsasig_data);
01630 return NULL;
01631 }
01632 memset(&dsasig_data[1], 0, byte_offset);
01633 BN_bn2bin(dsasig->r, &dsasig_data[1 + byte_offset]);
01634 byte_offset = (size_t) (20 - BN_num_bytes(dsasig->s));
01635 if (byte_offset > 20) {
01636 DSA_SIG_free(dsasig);
01637 LDNS_FREE(dsasig_data);
01638 return NULL;
01639 }
01640 memset(&dsasig_data[21], 0, byte_offset);
01641 BN_bn2bin(dsasig->s, &dsasig_data[21 + byte_offset]);
01642
01643 sigdata_rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, 41, dsasig_data);
01644 if(!sigdata_rdf) {
01645 LDNS_FREE(dsasig_data);
01646 }
01647 DSA_SIG_free(dsasig);
01648
01649 return sigdata_rdf;
01650 }
01651
01652 ldns_status
01653 ldns_convert_dsa_rrsig_rdf2asn1(ldns_buffer *target_buffer,
01654 const ldns_rdf *sig_rdf)
01655 {
01656
01657 BIGNUM *R, *S;
01658 DSA_SIG *dsasig;
01659 unsigned char *raw_sig = NULL;
01660 int raw_sig_len;
01661
01662 if(ldns_rdf_size(sig_rdf) < 1 + 2*SHA_DIGEST_LENGTH)
01663 return LDNS_STATUS_SYNTAX_RDATA_ERR;
01664
01665 R = BN_new();
01666 if(!R) return LDNS_STATUS_MEM_ERR;
01667 (void) BN_bin2bn((unsigned char *) ldns_rdf_data(sig_rdf) + 1,
01668 SHA_DIGEST_LENGTH, R);
01669 S = BN_new();
01670 if(!S) {
01671 BN_free(R);
01672 return LDNS_STATUS_MEM_ERR;
01673 }
01674 (void) BN_bin2bn((unsigned char *) ldns_rdf_data(sig_rdf) + 21,
01675 SHA_DIGEST_LENGTH, S);
01676
01677 dsasig = DSA_SIG_new();
01678 if (!dsasig) {
01679 BN_free(R);
01680 BN_free(S);
01681 return LDNS_STATUS_MEM_ERR;
01682 }
01683
01684 dsasig->r = R;
01685 dsasig->s = S;
01686
01687 raw_sig_len = i2d_DSA_SIG(dsasig, &raw_sig);
01688 if (raw_sig_len < 0) {
01689 DSA_SIG_free(dsasig);
01690 free(raw_sig);
01691 return LDNS_STATUS_SSL_ERR;
01692 }
01693 if (ldns_buffer_reserve(target_buffer, (size_t) raw_sig_len)) {
01694 ldns_buffer_write(target_buffer, raw_sig, (size_t)raw_sig_len);
01695 }
01696
01697 DSA_SIG_free(dsasig);
01698 free(raw_sig);
01699
01700 return ldns_buffer_status(target_buffer);
01701 }
01702
01703 #ifdef USE_ECDSA
01704 #ifndef S_SPLINT_S
01705 ldns_rdf *
01706 ldns_convert_ecdsa_rrsig_asn12rdf(const ldns_buffer *sig, const long sig_len)
01707 {
01708 ECDSA_SIG* ecdsa_sig;
01709 unsigned char *data = (unsigned char*)ldns_buffer_begin(sig);
01710 ldns_rdf* rdf;
01711 ecdsa_sig = d2i_ECDSA_SIG(NULL, (const unsigned char **)&data, sig_len);
01712 if(!ecdsa_sig) return NULL;
01713
01714
01715 data = LDNS_XMALLOC(unsigned char,
01716 BN_num_bytes(ecdsa_sig->r) + BN_num_bytes(ecdsa_sig->s));
01717 if(!data) {
01718 ECDSA_SIG_free(ecdsa_sig);
01719 return NULL;
01720 }
01721 BN_bn2bin(ecdsa_sig->r, data);
01722 BN_bn2bin(ecdsa_sig->s, data+BN_num_bytes(ecdsa_sig->r));
01723 rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, (size_t)(
01724 BN_num_bytes(ecdsa_sig->r) + BN_num_bytes(ecdsa_sig->s)), data);
01725 ECDSA_SIG_free(ecdsa_sig);
01726 return rdf;
01727 }
01728
01729 ldns_status
01730 ldns_convert_ecdsa_rrsig_rdf2asn1(ldns_buffer *target_buffer,
01731 const ldns_rdf *sig_rdf)
01732 {
01733 ECDSA_SIG* sig;
01734 int raw_sig_len;
01735 long bnsize = (long)ldns_rdf_size(sig_rdf) / 2;
01736
01737 if(bnsize < 16 || (size_t)bnsize*2 != ldns_rdf_size(sig_rdf))
01738 return LDNS_STATUS_ERR;
01739
01740
01741 sig = ECDSA_SIG_new();
01742 if(!sig) return LDNS_STATUS_MEM_ERR;
01743 sig->r = BN_bin2bn((const unsigned char*)ldns_rdf_data(sig_rdf),
01744 bnsize, sig->r);
01745 sig->s = BN_bin2bn((const unsigned char*)ldns_rdf_data(sig_rdf)+bnsize,
01746 bnsize, sig->s);
01747 if(!sig->r || !sig->s) {
01748 ECDSA_SIG_free(sig);
01749 return LDNS_STATUS_MEM_ERR;
01750 }
01751
01752 raw_sig_len = i2d_ECDSA_SIG(sig, NULL);
01753 if (ldns_buffer_reserve(target_buffer, (size_t) raw_sig_len)) {
01754 unsigned char* pp = (unsigned char*)
01755 ldns_buffer_current(target_buffer);
01756 raw_sig_len = i2d_ECDSA_SIG(sig, &pp);
01757 ldns_buffer_skip(target_buffer, (ssize_t) raw_sig_len);
01758 }
01759 ECDSA_SIG_free(sig);
01760
01761 return ldns_buffer_status(target_buffer);
01762 }
01763
01764 #endif
01765 #endif
01766 #endif