1 #include <ldns/config.h> 2 3 #include <ldns/ldns.h> 4 5 #include <ldns/dnssec.h> 6 #include <ldns/dnssec_sign.h> 7 8 #include <strings.h> 9 #include <time.h> 10 11 #ifdef HAVE_SSL 12 /* this entire file is rather useless when you don't have 13 * crypto... 14 */ 15 #include <openssl/ssl.h> 16 #include <openssl/evp.h> 17 #include <openssl/rand.h> 18 #include <openssl/err.h> 19 #include <openssl/md5.h> 20 #endif /* HAVE_SSL */ 21 22 ldns_rr * 23 ldns_create_empty_rrsig(const ldns_rr_list *rrset, 24 const ldns_key *current_key) 25 { 26 uint32_t orig_ttl; 27 ldns_rr_class orig_class; 28 time_t now; 29 ldns_rr *current_sig; 30 uint8_t label_count; 31 ldns_rdf *signame; 32 33 label_count = ldns_dname_label_count(ldns_rr_owner(ldns_rr_list_rr(rrset, 34 0))); 35 /* RFC4035 2.2: not counting the leftmost label if it is a wildcard */ 36 if(ldns_dname_is_wildcard(ldns_rr_owner(ldns_rr_list_rr(rrset, 0)))) 37 label_count --; 38 39 current_sig = ldns_rr_new_frm_type(LDNS_RR_TYPE_RRSIG); 40 41 /* set the type on the new signature */ 42 orig_ttl = ldns_rr_ttl(ldns_rr_list_rr(rrset, 0)); 43 orig_class = ldns_rr_get_class(ldns_rr_list_rr(rrset, 0)); 44 45 ldns_rr_set_ttl(current_sig, orig_ttl); 46 ldns_rr_set_class(current_sig, orig_class); 47 ldns_rr_set_owner(current_sig, 48 ldns_rdf_clone( 49 ldns_rr_owner( 50 ldns_rr_list_rr(rrset, 51 0)))); 52 53 /* fill in what we know of the signature */ 54 55 /* set the orig_ttl */ 56 (void)ldns_rr_rrsig_set_origttl( 57 current_sig, 58 ldns_native2rdf_int32(LDNS_RDF_TYPE_INT32, 59 orig_ttl)); 60 /* the signers name */ 61 signame = ldns_rdf_clone(ldns_key_pubkey_owner(current_key)); 62 ldns_dname2canonical(signame); 63 (void)ldns_rr_rrsig_set_signame( 64 current_sig, 65 signame); 66 /* label count - get it from the first rr in the rr_list */ 67 (void)ldns_rr_rrsig_set_labels( 68 current_sig, 69 ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8, 70 label_count)); 71 /* inception, expiration */ 72 now = time(NULL); 73 if (ldns_key_inception(current_key) != 0) { 74 (void)ldns_rr_rrsig_set_inception( 75 current_sig, 76 ldns_native2rdf_int32( 77 LDNS_RDF_TYPE_TIME, 78 ldns_key_inception(current_key))); 79 } else { 80 (void)ldns_rr_rrsig_set_inception( 81 current_sig, 82 ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME, now)); 83 } 84 if (ldns_key_expiration(current_key) != 0) { 85 (void)ldns_rr_rrsig_set_expiration( 86 current_sig, 87 ldns_native2rdf_int32( 88 LDNS_RDF_TYPE_TIME, 89 ldns_key_expiration(current_key))); 90 } else { 91 (void)ldns_rr_rrsig_set_expiration( 92 current_sig, 93 ldns_native2rdf_int32( 94 LDNS_RDF_TYPE_TIME, 95 now + LDNS_DEFAULT_EXP_TIME)); 96 } 97 98 (void)ldns_rr_rrsig_set_keytag( 99 current_sig, 100 ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16, 101 ldns_key_keytag(current_key))); 102 103 (void)ldns_rr_rrsig_set_algorithm( 104 current_sig, 105 ldns_native2rdf_int8( 106 LDNS_RDF_TYPE_ALG, 107 ldns_key_algorithm(current_key))); 108 109 (void)ldns_rr_rrsig_set_typecovered( 110 current_sig, 111 ldns_native2rdf_int16( 112 LDNS_RDF_TYPE_TYPE, 113 ldns_rr_get_type(ldns_rr_list_rr(rrset, 114 0)))); 115 return current_sig; 116 } 117 118 #ifdef HAVE_SSL 119 ldns_rdf * 120 ldns_sign_public_buffer(ldns_buffer *sign_buf, ldns_key *current_key) 121 { 122 ldns_rdf *b64rdf = NULL; 123 124 switch(ldns_key_algorithm(current_key)) { 125 #ifdef USE_DSA 126 case LDNS_SIGN_DSA: 127 case LDNS_SIGN_DSA_NSEC3: 128 b64rdf = ldns_sign_public_evp( 129 sign_buf, 130 ldns_key_evp_key(current_key), 131 # ifdef HAVE_EVP_DSS1 132 EVP_dss1() 133 # else 134 EVP_sha1() 135 # endif 136 ); 137 break; 138 #endif /* USE_DSA */ 139 case LDNS_SIGN_RSASHA1: 140 case LDNS_SIGN_RSASHA1_NSEC3: 141 b64rdf = ldns_sign_public_evp( 142 sign_buf, 143 ldns_key_evp_key(current_key), 144 EVP_sha1()); 145 break; 146 #ifdef USE_SHA2 147 case LDNS_SIGN_RSASHA256: 148 b64rdf = ldns_sign_public_evp( 149 sign_buf, 150 ldns_key_evp_key(current_key), 151 EVP_sha256()); 152 break; 153 case LDNS_SIGN_RSASHA512: 154 b64rdf = ldns_sign_public_evp( 155 sign_buf, 156 ldns_key_evp_key(current_key), 157 EVP_sha512()); 158 break; 159 #endif /* USE_SHA2 */ 160 #ifdef USE_GOST 161 case LDNS_SIGN_ECC_GOST: 162 b64rdf = ldns_sign_public_evp( 163 sign_buf, 164 ldns_key_evp_key(current_key), 165 EVP_get_digestbyname("md_gost94")); 166 break; 167 #endif /* USE_GOST */ 168 #ifdef USE_ECDSA 169 case LDNS_SIGN_ECDSAP256SHA256: 170 b64rdf = ldns_sign_public_evp( 171 sign_buf, 172 ldns_key_evp_key(current_key), 173 EVP_sha256()); 174 break; 175 case LDNS_SIGN_ECDSAP384SHA384: 176 b64rdf = ldns_sign_public_evp( 177 sign_buf, 178 ldns_key_evp_key(current_key), 179 EVP_sha384()); 180 break; 181 #endif 182 #ifdef USE_ED25519 183 case LDNS_SIGN_ED25519: 184 b64rdf = ldns_sign_public_evp( 185 sign_buf, 186 ldns_key_evp_key(current_key), 187 EVP_sha512()); 188 break; 189 #endif 190 #ifdef USE_ED448 191 case LDNS_SIGN_ED448: 192 b64rdf = ldns_sign_public_evp( 193 sign_buf, 194 ldns_key_evp_key(current_key), 195 EVP_sha512()); 196 break; 197 #endif 198 case LDNS_SIGN_RSAMD5: 199 b64rdf = ldns_sign_public_evp( 200 sign_buf, 201 ldns_key_evp_key(current_key), 202 EVP_md5()); 203 break; 204 default: 205 /* do _you_ know this alg? */ 206 printf("unknown algorithm, "); 207 printf("is the one used available on this system?\n"); 208 break; 209 } 210 211 return b64rdf; 212 } 213 214 /** 215 * use this function to sign with a public/private key alg 216 * return the created signatures 217 */ 218 ldns_rr_list * 219 ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys) 220 { 221 ldns_rr_list *signatures; 222 ldns_rr_list *rrset_clone; 223 ldns_rr *current_sig; 224 ldns_rdf *b64rdf; 225 ldns_key *current_key; 226 size_t key_count; 227 uint16_t i; 228 ldns_buffer *sign_buf; 229 ldns_rdf *new_owner; 230 231 if (!rrset || ldns_rr_list_rr_count(rrset) < 1 || !keys) { 232 return NULL; 233 } 234 235 new_owner = NULL; 236 237 signatures = ldns_rr_list_new(); 238 239 /* prepare a signature and add all the know data 240 * prepare the rrset. Sign this together. */ 241 rrset_clone = ldns_rr_list_clone(rrset); 242 if (!rrset_clone) { 243 return NULL; 244 } 245 246 /* make it canonical */ 247 for(i = 0; i < ldns_rr_list_rr_count(rrset_clone); i++) { 248 ldns_rr_set_ttl(ldns_rr_list_rr(rrset_clone, i), 249 ldns_rr_ttl(ldns_rr_list_rr(rrset, 0))); 250 ldns_rr2canonical(ldns_rr_list_rr(rrset_clone, i)); 251 } 252 /* sort */ 253 ldns_rr_list_sort(rrset_clone); 254 255 for (key_count = 0; 256 key_count < ldns_key_list_key_count(keys); 257 key_count++) { 258 if (!ldns_key_use(ldns_key_list_key(keys, key_count))) { 259 continue; 260 } 261 sign_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN); 262 if (!sign_buf) { 263 ldns_rr_list_free(rrset_clone); 264 ldns_rr_list_free(signatures); 265 ldns_rdf_free(new_owner); 266 return NULL; 267 } 268 b64rdf = NULL; 269 270 current_key = ldns_key_list_key(keys, key_count); 271 /* sign all RRs with keys that have ZSKbit, !SEPbit. 272 sign DNSKEY RRs with keys that have ZSKbit&SEPbit */ 273 if (ldns_key_flags(current_key) & LDNS_KEY_ZONE_KEY) { 274 current_sig = ldns_create_empty_rrsig(rrset_clone, 275 current_key); 276 277 /* right now, we have: a key, a semi-sig and an rrset. For 278 * which we can create the sig and base64 encode that and 279 * add that to the signature */ 280 281 if (ldns_rrsig2buffer_wire(sign_buf, current_sig) 282 != LDNS_STATUS_OK) { 283 ldns_buffer_free(sign_buf); 284 /* ERROR */ 285 ldns_rr_list_deep_free(rrset_clone); 286 ldns_rr_free(current_sig); 287 ldns_rr_list_deep_free(signatures); 288 return NULL; 289 } 290 291 /* add the rrset in sign_buf */ 292 if (ldns_rr_list2buffer_wire(sign_buf, rrset_clone) 293 != LDNS_STATUS_OK) { 294 ldns_buffer_free(sign_buf); 295 ldns_rr_list_deep_free(rrset_clone); 296 ldns_rr_free(current_sig); 297 ldns_rr_list_deep_free(signatures); 298 return NULL; 299 } 300 301 b64rdf = ldns_sign_public_buffer(sign_buf, current_key); 302 303 if (!b64rdf) { 304 /* signing went wrong */ 305 ldns_rr_list_deep_free(rrset_clone); 306 ldns_rr_free(current_sig); 307 ldns_rr_list_deep_free(signatures); 308 return NULL; 309 } 310 311 ldns_rr_rrsig_set_sig(current_sig, b64rdf); 312 313 /* push the signature to the signatures list */ 314 ldns_rr_list_push_rr(signatures, current_sig); 315 } 316 ldns_buffer_free(sign_buf); /* restart for the next key */ 317 } 318 ldns_rr_list_deep_free(rrset_clone); 319 320 return signatures; 321 } 322 323 /** 324 * Sign data with DSA 325 * 326 * \param[in] to_sign The ldns_buffer containing raw data that is 327 * to be signed 328 * \param[in] key The DSA key structure to sign with 329 * \return ldns_rdf for the RRSIG ldns_rr 330 */ 331 ldns_rdf * 332 ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key) 333 { 334 #ifdef USE_DSA 335 unsigned char *sha1_hash; 336 ldns_rdf *sigdata_rdf; 337 ldns_buffer *b64sig; 338 339 DSA_SIG *sig; 340 const BIGNUM *R, *S; 341 uint8_t *data; 342 size_t pad; 343 344 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN); 345 if (!b64sig) { 346 return NULL; 347 } 348 349 sha1_hash = SHA1((unsigned char*)ldns_buffer_begin(to_sign), 350 ldns_buffer_position(to_sign), NULL); 351 if (!sha1_hash) { 352 ldns_buffer_free(b64sig); 353 return NULL; 354 } 355 356 sig = DSA_do_sign(sha1_hash, SHA_DIGEST_LENGTH, key); 357 if(!sig) { 358 ldns_buffer_free(b64sig); 359 return NULL; 360 } 361 362 data = LDNS_XMALLOC(uint8_t, 1 + 2 * SHA_DIGEST_LENGTH); 363 if(!data) { 364 ldns_buffer_free(b64sig); 365 DSA_SIG_free(sig); 366 return NULL; 367 } 368 369 data[0] = 1; 370 # ifdef HAVE_DSA_SIG_GET0 371 DSA_SIG_get0(sig, &R, &S); 372 # else 373 R = sig->r; 374 S = sig->s; 375 # endif 376 pad = 20 - (size_t) BN_num_bytes(R); 377 if (pad > 0) { 378 memset(data + 1, 0, pad); 379 } 380 BN_bn2bin(R, (unsigned char *) (data + 1) + pad); 381 382 pad = 20 - (size_t) BN_num_bytes(S); 383 if (pad > 0) { 384 memset(data + 1 + SHA_DIGEST_LENGTH, 0, pad); 385 } 386 BN_bn2bin(S, (unsigned char *) (data + 1 + SHA_DIGEST_LENGTH + pad)); 387 388 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, 389 1 + 2 * SHA_DIGEST_LENGTH, 390 data); 391 392 ldns_buffer_free(b64sig); 393 LDNS_FREE(data); 394 DSA_SIG_free(sig); 395 396 return sigdata_rdf; 397 #else 398 (void)to_sign; (void)key; 399 return NULL; 400 #endif 401 } 402 403 #ifdef USE_ECDSA 404 #ifndef S_SPLINT_S 405 /** returns the number of bytes per signature-component (i.e. bits/8), or 0. */ 406 static int 407 ldns_pkey_is_ecdsa(EVP_PKEY* pkey) 408 { 409 EC_KEY* ec; 410 const EC_GROUP* g; 411 #ifdef HAVE_EVP_PKEY_BASE_ID 412 if(EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) 413 return 0; 414 #else 415 if(EVP_PKEY_type(key->type) != EVP_PKEY_EC) 416 return 0; 417 #endif 418 ec = EVP_PKEY_get1_EC_KEY(pkey); 419 g = EC_KEY_get0_group(ec); 420 if(!g) { 421 EC_KEY_free(ec); 422 return 0; 423 } 424 if(EC_GROUP_get_curve_name(g) == NID_X9_62_prime256v1) { 425 EC_KEY_free(ec); 426 return 32; /* 256/8 */ 427 } 428 if(EC_GROUP_get_curve_name(g) == NID_secp384r1) { 429 EC_KEY_free(ec); 430 return 48; /* 384/8 */ 431 } 432 /* downref the eckey, the original is still inside the pkey */ 433 EC_KEY_free(ec); 434 return 0; 435 } 436 #endif /* splint */ 437 #endif /* USE_ECDSA */ 438 439 ldns_rdf * 440 ldns_sign_public_evp(ldns_buffer *to_sign, 441 EVP_PKEY *key, 442 const EVP_MD *digest_type) 443 { 444 unsigned int siglen; 445 ldns_rdf *sigdata_rdf = NULL; 446 ldns_buffer *b64sig; 447 EVP_MD_CTX *ctx; 448 const EVP_MD *md_type; 449 int r; 450 451 siglen = 0; 452 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN); 453 if (!b64sig) { 454 return NULL; 455 } 456 457 /* initializes a signing context */ 458 md_type = digest_type; 459 if(!md_type) { 460 /* unknown message difest */ 461 ldns_buffer_free(b64sig); 462 return NULL; 463 } 464 465 #ifdef HAVE_EVP_MD_CTX_NEW 466 ctx = EVP_MD_CTX_new(); 467 #else 468 ctx = (EVP_MD_CTX*)malloc(sizeof(*ctx)); 469 if(ctx) EVP_MD_CTX_init(ctx); 470 #endif 471 if(!ctx) { 472 ldns_buffer_free(b64sig); 473 return NULL; 474 } 475 476 r = EVP_SignInit(ctx, md_type); 477 if(r == 1) { 478 r = EVP_SignUpdate(ctx, (unsigned char*) 479 ldns_buffer_begin(to_sign), 480 ldns_buffer_position(to_sign)); 481 } else { 482 ldns_buffer_free(b64sig); 483 EVP_MD_CTX_destroy(ctx); 484 return NULL; 485 } 486 if(r == 1) { 487 r = EVP_SignFinal(ctx, (unsigned char*) 488 ldns_buffer_begin(b64sig), &siglen, key); 489 } else { 490 ldns_buffer_free(b64sig); 491 EVP_MD_CTX_destroy(ctx); 492 return NULL; 493 } 494 if(r != 1) { 495 ldns_buffer_free(b64sig); 496 EVP_MD_CTX_destroy(ctx); 497 return NULL; 498 } 499 500 /* OpenSSL output is different, convert it */ 501 r = 0; 502 #ifdef USE_DSA 503 #ifndef S_SPLINT_S 504 /* unfortunately, OpenSSL output is different from DNS DSA format */ 505 # ifdef HAVE_EVP_PKEY_BASE_ID 506 if (EVP_PKEY_base_id(key) == EVP_PKEY_DSA) { 507 # else 508 if (EVP_PKEY_type(key->type) == EVP_PKEY_DSA) { 509 # endif 510 r = 1; 511 sigdata_rdf = ldns_convert_dsa_rrsig_asn12rdf(b64sig, siglen); 512 } 513 #endif 514 #endif 515 #if defined(USE_ECDSA) || defined(USE_ED25519) || defined(USE_ED448) 516 if( 517 # ifdef HAVE_EVP_PKEY_BASE_ID 518 EVP_PKEY_base_id(key) 519 # else 520 EVP_PKEY_type(key->type) 521 # endif 522 == EVP_PKEY_EC) { 523 # ifdef USE_ECDSA 524 if(ldns_pkey_is_ecdsa(key)) { 525 r = 1; 526 sigdata_rdf = ldns_convert_ecdsa_rrsig_asn1len2rdf( 527 b64sig, (long)siglen, ldns_pkey_is_ecdsa(key)); 528 } 529 # endif /* USE_ECDSA */ 530 # ifdef USE_ED25519 531 if(EVP_PKEY_id(key) == NID_X25519) { 532 r = 1; 533 sigdata_rdf = ldns_convert_ed25519_rrsig_asn12rdf( 534 b64sig, siglen); 535 } 536 # endif /* USE_ED25519 */ 537 # ifdef USE_ED448 538 if(EVP_PKEY_id(key) == NID_X448) { 539 r = 1; 540 sigdata_rdf = ldns_convert_ed448_rrsig_asn12rdf( 541 b64sig, siglen); 542 } 543 # endif /* USE_ED448 */ 544 } 545 #endif /* PKEY_EC */ 546 if(r == 0) { 547 /* ok output for other types is the same */ 548 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen, 549 ldns_buffer_begin(b64sig)); 550 } 551 ldns_buffer_free(b64sig); 552 EVP_MD_CTX_destroy(ctx); 553 return sigdata_rdf; 554 } 555 556 ldns_rdf * 557 ldns_sign_public_rsasha1(ldns_buffer *to_sign, RSA *key) 558 { 559 unsigned char *sha1_hash; 560 unsigned int siglen; 561 ldns_rdf *sigdata_rdf; 562 ldns_buffer *b64sig; 563 int result; 564 565 siglen = 0; 566 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN); 567 if (!b64sig) { 568 return NULL; 569 } 570 571 sha1_hash = SHA1((unsigned char*)ldns_buffer_begin(to_sign), 572 ldns_buffer_position(to_sign), NULL); 573 if (!sha1_hash) { 574 ldns_buffer_free(b64sig); 575 return NULL; 576 } 577 578 result = RSA_sign(NID_sha1, sha1_hash, SHA_DIGEST_LENGTH, 579 (unsigned char*)ldns_buffer_begin(b64sig), 580 &siglen, key); 581 if (result != 1) { 582 ldns_buffer_free(b64sig); 583 return NULL; 584 } 585 586 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen, 587 ldns_buffer_begin(b64sig)); 588 ldns_buffer_free(b64sig); /* can't free this buffer ?? */ 589 return sigdata_rdf; 590 } 591 592 ldns_rdf * 593 ldns_sign_public_rsamd5(ldns_buffer *to_sign, RSA *key) 594 { 595 unsigned char *md5_hash; 596 unsigned int siglen; 597 ldns_rdf *sigdata_rdf; 598 ldns_buffer *b64sig; 599 600 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN); 601 if (!b64sig) { 602 return NULL; 603 } 604 605 md5_hash = MD5((unsigned char*)ldns_buffer_begin(to_sign), 606 ldns_buffer_position(to_sign), NULL); 607 if (!md5_hash) { 608 ldns_buffer_free(b64sig); 609 return NULL; 610 } 611 612 RSA_sign(NID_md5, md5_hash, MD5_DIGEST_LENGTH, 613 (unsigned char*)ldns_buffer_begin(b64sig), 614 &siglen, key); 615 616 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen, 617 ldns_buffer_begin(b64sig)); 618 ldns_buffer_free(b64sig); 619 return sigdata_rdf; 620 } 621 #endif /* HAVE_SSL */ 622 623 /** 624 * Pushes all rrs from the rrsets of type A and AAAA on gluelist. 625 */ 626 static ldns_status 627 ldns_dnssec_addresses_on_glue_list( 628 ldns_dnssec_rrsets *cur_rrset, 629 ldns_rr_list *glue_list) 630 { 631 ldns_dnssec_rrs *cur_rrs; 632 while (cur_rrset) { 633 if (cur_rrset->type == LDNS_RR_TYPE_A 634 || cur_rrset->type == LDNS_RR_TYPE_AAAA) { 635 for (cur_rrs = cur_rrset->rrs; 636 cur_rrs; 637 cur_rrs = cur_rrs->next) { 638 if (cur_rrs->rr) { 639 if (!ldns_rr_list_push_rr(glue_list, 640 cur_rrs->rr)) { 641 return LDNS_STATUS_MEM_ERR; 642 /* ldns_rr_list_push_rr() 643 * returns false when unable 644 * to increase the capacity 645 * of the ldsn_rr_list 646 */ 647 } 648 } 649 } 650 } 651 cur_rrset = cur_rrset->next; 652 } 653 return LDNS_STATUS_OK; 654 } 655 656 /** 657 * Marks the names in the zone that are occluded. Those names will be skipped 658 * when walking the tree with the ldns_dnssec_name_node_next_nonglue() 659 * function. But watch out! Names that are partially occluded (like glue with 660 * the same name as the delegation) will not be marked and should specifically 661 * be taken into account separately. 662 * 663 * When glue_list is given (not NULL), in the process of marking the names, all 664 * glue resource records will be pushed to that list, even glue at delegation names. 665 * 666 * \param[in] zone the zone in which to mark the names 667 * \param[in] glue_list the list to which to push the glue rrs 668 * \return LDNS_STATUS_OK on success, an error code otherwise 669 */ 670 ldns_status 671 ldns_dnssec_zone_mark_and_get_glue(ldns_dnssec_zone *zone, 672 ldns_rr_list *glue_list) 673 { 674 ldns_rbnode_t *node; 675 ldns_dnssec_name *name; 676 ldns_rdf *owner; 677 ldns_rdf *cut = NULL; /* keeps track of zone cuts */ 678 /* When the cut is caused by a delegation, below_delegation will be 1. 679 * When caused by a DNAME, below_delegation will be 0. 680 */ 681 int below_delegation = -1; /* init suppresses comiler warning */ 682 ldns_status s; 683 684 if (!zone || !zone->names) { 685 return LDNS_STATUS_NULL; 686 } 687 for (node = ldns_rbtree_first(zone->names); 688 node != LDNS_RBTREE_NULL; 689 node = ldns_rbtree_next(node)) { 690 name = (ldns_dnssec_name *) node->data; 691 owner = ldns_dnssec_name_name(name); 692 693 if (cut) { 694 /* The previous node was a zone cut, or a subdomain 695 * below a zone cut. Is this node (still) a subdomain 696 * below the cut? Then the name is occluded. Unless 697 * the name contains a SOA, after which we are 698 * authoritative again. 699 * 700 * FIXME! If there are labels in between the SOA and 701 * the cut, going from the authoritative space (below 702 * the SOA) up into occluded space again, will not be 703 * detected with the contruct below! 704 */ 705 if (ldns_dname_is_subdomain(owner, cut) && 706 !ldns_dnssec_rrsets_contains_type( 707 name->rrsets, LDNS_RR_TYPE_SOA)) { 708 709 if (below_delegation && glue_list) { 710 s = ldns_dnssec_addresses_on_glue_list( 711 name->rrsets, glue_list); 712 if (s != LDNS_STATUS_OK) { 713 return s; 714 } 715 } 716 name->is_glue = true; /* Mark occluded name! */ 717 continue; 718 } else { 719 cut = NULL; 720 } 721 } 722 723 /* The node is not below a zone cut. Is it a zone cut itself? 724 * Everything below a SOA is authoritative of course; Except 725 * when the name also contains a DNAME :). 726 */ 727 if (ldns_dnssec_rrsets_contains_type( 728 name->rrsets, LDNS_RR_TYPE_NS) 729 && !ldns_dnssec_rrsets_contains_type( 730 name->rrsets, LDNS_RR_TYPE_SOA)) { 731 cut = owner; 732 below_delegation = 1; 733 if (glue_list) { /* record glue on the zone cut */ 734 s = ldns_dnssec_addresses_on_glue_list( 735 name->rrsets, glue_list); 736 if (s != LDNS_STATUS_OK) { 737 return s; 738 } 739 } 740 } else if (ldns_dnssec_rrsets_contains_type( 741 name->rrsets, LDNS_RR_TYPE_DNAME)) { 742 cut = owner; 743 below_delegation = 0; 744 } 745 } 746 return LDNS_STATUS_OK; 747 } 748 749 /** 750 * Marks the names in the zone that are occluded. Those names will be skipped 751 * when walking the tree with the ldns_dnssec_name_node_next_nonglue() 752 * function. But watch out! Names that are partially occluded (like glue with 753 * the same name as the delegation) will not be marked and should specifically 754 * be taken into account separately. 755 * 756 * \param[in] zone the zone in which to mark the names 757 * \return LDNS_STATUS_OK on success, an error code otherwise 758 */ 759 ldns_status 760 ldns_dnssec_zone_mark_glue(ldns_dnssec_zone *zone) 761 { 762 return ldns_dnssec_zone_mark_and_get_glue(zone, NULL); 763 } 764 765 ldns_rbnode_t * 766 ldns_dnssec_name_node_next_nonglue(ldns_rbnode_t *node) 767 { 768 ldns_rbnode_t *next_node = NULL; 769 ldns_dnssec_name *next_name = NULL; 770 bool done = false; 771 772 if (node == LDNS_RBTREE_NULL) { 773 return NULL; 774 } 775 next_node = node; 776 while (!done) { 777 if (next_node == LDNS_RBTREE_NULL) { 778 return NULL; 779 } else { 780 next_name = (ldns_dnssec_name *)next_node->data; 781 if (!next_name->is_glue) { 782 done = true; 783 } else { 784 next_node = ldns_rbtree_next(next_node); 785 } 786 } 787 } 788 return next_node; 789 } 790 791 ldns_status 792 ldns_dnssec_zone_create_nsecs(ldns_dnssec_zone *zone, 793 ldns_rr_list *new_rrs) 794 { 795 796 ldns_rbnode_t *first_node, *cur_node, *next_node; 797 ldns_dnssec_name *cur_name, *next_name; 798 ldns_rr *nsec_rr; 799 uint32_t nsec_ttl; 800 ldns_dnssec_rrsets *soa; 801 802 /* the TTL of NSEC rrs should be set to the minimum TTL of 803 * the zone SOA (RFC4035 Section 2.3) 804 */ 805 soa = ldns_dnssec_name_find_rrset(zone->soa, LDNS_RR_TYPE_SOA); 806 807 /* did the caller actually set it? if not, 808 * fall back to default ttl 809 */ 810 if (soa && soa->rrs && soa->rrs->rr 811 && (ldns_rr_rdf(soa->rrs->rr, 6) != NULL)) { 812 nsec_ttl = ldns_rdf2native_int32(ldns_rr_rdf(soa->rrs->rr, 6)); 813 } else { 814 nsec_ttl = LDNS_DEFAULT_TTL; 815 } 816 817 first_node = ldns_dnssec_name_node_next_nonglue( 818 ldns_rbtree_first(zone->names)); 819 cur_node = first_node; 820 if (cur_node) { 821 next_node = ldns_dnssec_name_node_next_nonglue( 822 ldns_rbtree_next(cur_node)); 823 } else { 824 next_node = NULL; 825 } 826 827 while (cur_node && next_node) { 828 cur_name = (ldns_dnssec_name *)cur_node->data; 829 next_name = (ldns_dnssec_name *)next_node->data; 830 nsec_rr = ldns_dnssec_create_nsec(cur_name, 831 next_name, 832 LDNS_RR_TYPE_NSEC); 833 ldns_rr_set_ttl(nsec_rr, nsec_ttl); 834 if(ldns_dnssec_name_add_rr(cur_name, nsec_rr)!=LDNS_STATUS_OK){ 835 ldns_rr_free(nsec_rr); 836 return LDNS_STATUS_ERR; 837 } 838 ldns_rr_list_push_rr(new_rrs, nsec_rr); 839 cur_node = next_node; 840 if (cur_node) { 841 next_node = ldns_dnssec_name_node_next_nonglue( 842 ldns_rbtree_next(cur_node)); 843 } 844 } 845 846 if (cur_node && !next_node) { 847 cur_name = (ldns_dnssec_name *)cur_node->data; 848 next_name = (ldns_dnssec_name *)first_node->data; 849 nsec_rr = ldns_dnssec_create_nsec(cur_name, 850 next_name, 851 LDNS_RR_TYPE_NSEC); 852 ldns_rr_set_ttl(nsec_rr, nsec_ttl); 853 if(ldns_dnssec_name_add_rr(cur_name, nsec_rr)!=LDNS_STATUS_OK){ 854 ldns_rr_free(nsec_rr); 855 return LDNS_STATUS_ERR; 856 } 857 ldns_rr_list_push_rr(new_rrs, nsec_rr); 858 } else { 859 printf("error\n"); 860 } 861 862 return LDNS_STATUS_OK; 863 } 864 865 #ifdef HAVE_SSL 866 static void 867 ldns_hashed_names_node_free(ldns_rbnode_t *node, void *arg) { 868 (void) arg; 869 LDNS_FREE(node); 870 } 871 872 static ldns_status 873 ldns_dnssec_zone_create_nsec3s_mkmap(ldns_dnssec_zone *zone, 874 ldns_rr_list *new_rrs, 875 uint8_t algorithm, 876 uint8_t flags, 877 uint16_t iterations, 878 uint8_t salt_length, 879 uint8_t *salt, 880 ldns_rbtree_t **map) 881 { 882 ldns_rbnode_t *first_name_node; 883 ldns_rbnode_t *current_name_node; 884 ldns_dnssec_name *current_name; 885 ldns_status result = LDNS_STATUS_OK; 886 ldns_rr *nsec_rr; 887 ldns_rr_list *nsec3_list; 888 uint32_t nsec_ttl; 889 ldns_dnssec_rrsets *soa; 890 ldns_rbnode_t *hashmap_node; 891 892 if (!zone || !new_rrs || !zone->names) { 893 return LDNS_STATUS_ERR; 894 } 895 896 /* the TTL of NSEC rrs should be set to the minimum TTL of 897 * the zone SOA (RFC4035 Section 2.3) 898 */ 899 soa = ldns_dnssec_name_find_rrset(zone->soa, LDNS_RR_TYPE_SOA); 900 901 /* did the caller actually set it? if not, 902 * fall back to default ttl 903 */ 904 if (soa && soa->rrs && soa->rrs->rr 905 && ldns_rr_rdf(soa->rrs->rr, 6) != NULL) { 906 nsec_ttl = ldns_rdf2native_int32(ldns_rr_rdf(soa->rrs->rr, 6)); 907 } else { 908 nsec_ttl = LDNS_DEFAULT_TTL; 909 } 910 911 if (ldns_rdf_size(zone->soa->name) > 222) { 912 return LDNS_STATUS_NSEC3_DOMAINNAME_OVERFLOW; 913 } 914 915 if (zone->hashed_names) { 916 ldns_traverse_postorder(zone->hashed_names, 917 ldns_hashed_names_node_free, NULL); 918 LDNS_FREE(zone->hashed_names); 919 } 920 zone->hashed_names = ldns_rbtree_create(ldns_dname_compare_v); 921 if (zone->hashed_names && map) { 922 *map = zone->hashed_names; 923 } 924 925 first_name_node = ldns_dnssec_name_node_next_nonglue( 926 ldns_rbtree_first(zone->names)); 927 928 current_name_node = first_name_node; 929 930 while (current_name_node && current_name_node != LDNS_RBTREE_NULL && 931 result == LDNS_STATUS_OK) { 932 933 current_name = (ldns_dnssec_name *) current_name_node->data; 934 nsec_rr = ldns_dnssec_create_nsec3(current_name, 935 NULL, 936 zone->soa->name, 937 algorithm, 938 flags, 939 iterations, 940 salt_length, 941 salt); 942 /* by default, our nsec based generator adds rrsigs 943 * remove the bitmap for empty nonterminals */ 944 if (!current_name->rrsets) { 945 ldns_rdf_deep_free(ldns_rr_pop_rdf(nsec_rr)); 946 } 947 ldns_rr_set_ttl(nsec_rr, nsec_ttl); 948 result = ldns_dnssec_name_add_rr(current_name, nsec_rr); 949 ldns_rr_list_push_rr(new_rrs, nsec_rr); 950 if (ldns_rr_owner(nsec_rr)) { 951 hashmap_node = LDNS_MALLOC(ldns_rbnode_t); 952 if (hashmap_node == NULL) { 953 return LDNS_STATUS_MEM_ERR; 954 } 955 current_name->hashed_name = 956 ldns_dname_label(ldns_rr_owner(nsec_rr), 0); 957 958 if (current_name->hashed_name == NULL) { 959 LDNS_FREE(hashmap_node); 960 return LDNS_STATUS_MEM_ERR; 961 } 962 hashmap_node->key = current_name->hashed_name; 963 hashmap_node->data = current_name; 964 965 if (! ldns_rbtree_insert(zone->hashed_names 966 , hashmap_node)) { 967 LDNS_FREE(hashmap_node); 968 } 969 } 970 current_name_node = ldns_dnssec_name_node_next_nonglue( 971 ldns_rbtree_next(current_name_node)); 972 } 973 if (result != LDNS_STATUS_OK) { 974 return result; 975 } 976 977 /* Make sorted list of nsec3s (via zone->hashed_names) 978 */ 979 nsec3_list = ldns_rr_list_new(); 980 if (nsec3_list == NULL) { 981 return LDNS_STATUS_MEM_ERR; 982 } 983 for ( hashmap_node = ldns_rbtree_first(zone->hashed_names) 984 ; hashmap_node != LDNS_RBTREE_NULL 985 ; hashmap_node = ldns_rbtree_next(hashmap_node) 986 ) { 987 current_name = (ldns_dnssec_name *) hashmap_node->data; 988 nsec_rr = ((ldns_dnssec_name *) hashmap_node->data)->nsec; 989 if (nsec_rr) { 990 ldns_rr_list_push_rr(nsec3_list, nsec_rr); 991 } 992 } 993 result = ldns_dnssec_chain_nsec3_list(nsec3_list); 994 ldns_rr_list_free(nsec3_list); 995 996 return result; 997 } 998 999 ldns_status 1000 ldns_dnssec_zone_create_nsec3s(ldns_dnssec_zone *zone, 1001 ldns_rr_list *new_rrs, 1002 uint8_t algorithm, 1003 uint8_t flags, 1004 uint16_t iterations, 1005 uint8_t salt_length, 1006 uint8_t *salt) 1007 { 1008 return ldns_dnssec_zone_create_nsec3s_mkmap(zone, new_rrs, algorithm, 1009 flags, iterations, salt_length, salt, NULL); 1010 1011 } 1012 #endif /* HAVE_SSL */ 1013 1014 ldns_dnssec_rrs * 1015 ldns_dnssec_remove_signatures( ldns_dnssec_rrs *signatures 1016 , ATTR_UNUSED(ldns_key_list *key_list) 1017 , int (*func)(ldns_rr *, void *) 1018 , void *arg 1019 ) 1020 { 1021 ldns_dnssec_rrs *base_rrs = signatures; 1022 ldns_dnssec_rrs *cur_rr = base_rrs; 1023 ldns_dnssec_rrs *prev_rr = NULL; 1024 ldns_dnssec_rrs *next_rr; 1025 1026 uint16_t keytag; 1027 size_t i; 1028 1029 if (!cur_rr) { 1030 switch(func(NULL, arg)) { 1031 case LDNS_SIGNATURE_LEAVE_ADD_NEW: 1032 case LDNS_SIGNATURE_REMOVE_ADD_NEW: 1033 break; 1034 case LDNS_SIGNATURE_LEAVE_NO_ADD: 1035 case LDNS_SIGNATURE_REMOVE_NO_ADD: 1036 ldns_key_list_set_use(key_list, false); 1037 break; 1038 default: 1039 #ifdef STDERR_MSGS 1040 fprintf(stderr, "[XX] unknown return value from callback\n"); 1041 #endif 1042 break; 1043 } 1044 return NULL; 1045 } 1046 (void)func(cur_rr->rr, arg); 1047 1048 while (cur_rr) { 1049 next_rr = cur_rr->next; 1050 1051 switch (func(cur_rr->rr, arg)) { 1052 case LDNS_SIGNATURE_LEAVE_ADD_NEW: 1053 prev_rr = cur_rr; 1054 break; 1055 case LDNS_SIGNATURE_LEAVE_NO_ADD: 1056 keytag = ldns_rdf2native_int16( 1057 ldns_rr_rrsig_keytag(cur_rr->rr)); 1058 for (i = 0; i < ldns_key_list_key_count(key_list); i++) { 1059 if (ldns_key_keytag(ldns_key_list_key(key_list, i)) == 1060 keytag) { 1061 ldns_key_set_use(ldns_key_list_key(key_list, i), 1062 false); 1063 } 1064 } 1065 prev_rr = cur_rr; 1066 break; 1067 case LDNS_SIGNATURE_REMOVE_NO_ADD: 1068 keytag = ldns_rdf2native_int16( 1069 ldns_rr_rrsig_keytag(cur_rr->rr)); 1070 for (i = 0; i < ldns_key_list_key_count(key_list); i++) { 1071 if (ldns_key_keytag(ldns_key_list_key(key_list, i)) 1072 == keytag) { 1073 ldns_key_set_use(ldns_key_list_key(key_list, i), 1074 false); 1075 } 1076 } 1077 if (prev_rr) { 1078 prev_rr->next = next_rr; 1079 } else { 1080 base_rrs = next_rr; 1081 } 1082 LDNS_FREE(cur_rr); 1083 break; 1084 case LDNS_SIGNATURE_REMOVE_ADD_NEW: 1085 if (prev_rr) { 1086 prev_rr->next = next_rr; 1087 } else { 1088 base_rrs = next_rr; 1089 } 1090 LDNS_FREE(cur_rr); 1091 break; 1092 default: 1093 #ifdef STDERR_MSGS 1094 fprintf(stderr, "[XX] unknown return value from callback\n"); 1095 #endif 1096 break; 1097 } 1098 cur_rr = next_rr; 1099 } 1100 1101 return base_rrs; 1102 } 1103 1104 #ifdef HAVE_SSL 1105 ldns_status 1106 ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone *zone, 1107 ldns_rr_list *new_rrs, 1108 ldns_key_list *key_list, 1109 int (*func)(ldns_rr *, void*), 1110 void *arg) 1111 { 1112 return ldns_dnssec_zone_create_rrsigs_flg(zone, new_rrs, key_list, 1113 func, arg, 0); 1114 } 1115 1116 /** If there are KSKs use only them and mark ZSKs unused */ 1117 static void 1118 ldns_key_list_filter_for_dnskey(ldns_key_list *key_list, int flags) 1119 { 1120 bool algos[256] 1121 #ifndef S_SPLINT_S 1122 = { false } 1123 #endif 1124 ; 1125 ldns_signing_algorithm saw_ksk = 0; 1126 ldns_key *key; 1127 size_t i; 1128 1129 if (!ldns_key_list_key_count(key_list)) 1130 return; 1131 1132 for (i = 0; i < ldns_key_list_key_count(key_list); i++) { 1133 key = ldns_key_list_key(key_list, i); 1134 if ((ldns_key_flags(key) & LDNS_KEY_SEP_KEY) && !saw_ksk) 1135 saw_ksk = ldns_key_algorithm(key); 1136 algos[ldns_key_algorithm(key)] = true; 1137 } 1138 if (!saw_ksk) 1139 return; 1140 else 1141 algos[saw_ksk] = 0; 1142 1143 for (i =0; i < ldns_key_list_key_count(key_list); i++) { 1144 key = ldns_key_list_key(key_list, i); 1145 if (!(ldns_key_flags(key) & LDNS_KEY_SEP_KEY)) { 1146 /* We have a ZSK. 1147 * Still use it if it has a unique algorithm though! 1148 */ 1149 if ((flags & LDNS_SIGN_WITH_ALL_ALGORITHMS) && 1150 algos[ldns_key_algorithm(key)]) 1151 algos[ldns_key_algorithm(key)] = false; 1152 else 1153 ldns_key_set_use(key, 0); 1154 } 1155 } 1156 } 1157 1158 /** If there are no ZSKs use KSK as ZSK */ 1159 static void 1160 ldns_key_list_filter_for_non_dnskey(ldns_key_list *key_list, int flags) 1161 { 1162 bool algos[256] 1163 #ifndef S_SPLINT_S 1164 = { false } 1165 #endif 1166 ; 1167 ldns_signing_algorithm saw_zsk = 0; 1168 ldns_key *key; 1169 size_t i; 1170 1171 if (!ldns_key_list_key_count(key_list)) 1172 return; 1173 1174 for (i = 0; i < ldns_key_list_key_count(key_list); i++) { 1175 key = ldns_key_list_key(key_list, i); 1176 if (!(ldns_key_flags(key) & LDNS_KEY_SEP_KEY) && !saw_zsk) 1177 saw_zsk = ldns_key_algorithm(key); 1178 algos[ldns_key_algorithm(key)] = true; 1179 } 1180 if (!saw_zsk) 1181 return; 1182 else 1183 algos[saw_zsk] = 0; 1184 1185 for (i = 0; i < ldns_key_list_key_count(key_list); i++) { 1186 key = ldns_key_list_key(key_list, i); 1187 if((ldns_key_flags(key) & LDNS_KEY_SEP_KEY)) { 1188 /* We have a KSK. 1189 * Still use it if it has a unique algorithm though! 1190 */ 1191 if ((flags & LDNS_SIGN_WITH_ALL_ALGORITHMS) && 1192 algos[ldns_key_algorithm(key)]) 1193 algos[ldns_key_algorithm(key)] = false; 1194 else 1195 ldns_key_set_use(key, 0); 1196 } 1197 } 1198 } 1199 1200 ldns_status 1201 ldns_dnssec_zone_create_rrsigs_flg( ldns_dnssec_zone *zone 1202 , ldns_rr_list *new_rrs 1203 , ldns_key_list *key_list 1204 , int (*func)(ldns_rr *, void*) 1205 , void *arg 1206 , int flags 1207 ) 1208 { 1209 ldns_status result = LDNS_STATUS_OK; 1210 1211 ldns_rbnode_t *cur_node; 1212 ldns_rr_list *rr_list; 1213 1214 ldns_dnssec_name *cur_name; 1215 ldns_dnssec_rrsets *cur_rrset; 1216 ldns_dnssec_rrs *cur_rr; 1217 1218 ldns_rr_list *siglist; 1219 1220 size_t i; 1221 1222 int on_delegation_point = 0; /* handle partially occluded names */ 1223 1224 ldns_rr_list *pubkey_list = ldns_rr_list_new(); 1225 for (i = 0; i<ldns_key_list_key_count(key_list); i++) { 1226 ldns_rr_list_push_rr( pubkey_list 1227 , ldns_key2rr(ldns_key_list_key( 1228 key_list, i)) 1229 ); 1230 } 1231 /* TODO: callback to see is list should be signed */ 1232 /* TODO: remove 'old' signatures from signature list */ 1233 cur_node = ldns_rbtree_first(zone->names); 1234 while (cur_node != LDNS_RBTREE_NULL) { 1235 cur_name = (ldns_dnssec_name *) cur_node->data; 1236 1237 if (!cur_name->is_glue) { 1238 on_delegation_point = ldns_dnssec_rrsets_contains_type( 1239 cur_name->rrsets, LDNS_RR_TYPE_NS) 1240 && !ldns_dnssec_rrsets_contains_type( 1241 cur_name->rrsets, LDNS_RR_TYPE_SOA); 1242 cur_rrset = cur_name->rrsets; 1243 while (cur_rrset) { 1244 /* reset keys to use */ 1245 ldns_key_list_set_use(key_list, true); 1246 1247 /* walk through old sigs, remove the old, 1248 and mark which keys (not) to use) */ 1249 cur_rrset->signatures = 1250 ldns_dnssec_remove_signatures(cur_rrset->signatures, 1251 key_list, 1252 func, 1253 arg); 1254 if(!(flags&LDNS_SIGN_DNSKEY_WITH_ZSK) && 1255 cur_rrset->type == LDNS_RR_TYPE_DNSKEY) 1256 ldns_key_list_filter_for_dnskey(key_list, flags); 1257 1258 if(cur_rrset->type != LDNS_RR_TYPE_DNSKEY) 1259 ldns_key_list_filter_for_non_dnskey(key_list, flags); 1260 1261 /* TODO: just set count to zero? */ 1262 rr_list = ldns_rr_list_new(); 1263 1264 cur_rr = cur_rrset->rrs; 1265 while (cur_rr) { 1266 ldns_rr_list_push_rr(rr_list, cur_rr->rr); 1267 cur_rr = cur_rr->next; 1268 } 1269 1270 /* only sign non-delegation RRsets */ 1271 /* (glue should have been marked earlier, 1272 * except on the delegation points itself) */ 1273 if (!on_delegation_point || 1274 ldns_rr_list_type(rr_list) 1275 == LDNS_RR_TYPE_DS || 1276 ldns_rr_list_type(rr_list) 1277 == LDNS_RR_TYPE_NSEC || 1278 ldns_rr_list_type(rr_list) 1279 == LDNS_RR_TYPE_NSEC3) { 1280 siglist = ldns_sign_public(rr_list, key_list); 1281 for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) { 1282 if (cur_rrset->signatures) { 1283 result = ldns_dnssec_rrs_add_rr(cur_rrset->signatures, 1284 ldns_rr_list_rr(siglist, 1285 i)); 1286 } else { 1287 cur_rrset->signatures = ldns_dnssec_rrs_new(); 1288 cur_rrset->signatures->rr = 1289 ldns_rr_list_rr(siglist, i); 1290 } 1291 if (new_rrs) { 1292 ldns_rr_list_push_rr(new_rrs, 1293 ldns_rr_list_rr(siglist, 1294 i)); 1295 } 1296 } 1297 ldns_rr_list_free(siglist); 1298 } 1299 1300 ldns_rr_list_free(rr_list); 1301 1302 cur_rrset = cur_rrset->next; 1303 } 1304 1305 /* sign the nsec */ 1306 ldns_key_list_set_use(key_list, true); 1307 cur_name->nsec_signatures = 1308 ldns_dnssec_remove_signatures(cur_name->nsec_signatures, 1309 key_list, 1310 func, 1311 arg); 1312 ldns_key_list_filter_for_non_dnskey(key_list, flags); 1313 1314 rr_list = ldns_rr_list_new(); 1315 ldns_rr_list_push_rr(rr_list, cur_name->nsec); 1316 siglist = ldns_sign_public(rr_list, key_list); 1317 1318 for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) { 1319 if (cur_name->nsec_signatures) { 1320 result = ldns_dnssec_rrs_add_rr(cur_name->nsec_signatures, 1321 ldns_rr_list_rr(siglist, i)); 1322 } else { 1323 cur_name->nsec_signatures = ldns_dnssec_rrs_new(); 1324 cur_name->nsec_signatures->rr = 1325 ldns_rr_list_rr(siglist, i); 1326 } 1327 if (new_rrs) { 1328 ldns_rr_list_push_rr(new_rrs, 1329 ldns_rr_list_rr(siglist, i)); 1330 } 1331 } 1332 1333 ldns_rr_list_free(siglist); 1334 ldns_rr_list_free(rr_list); 1335 } 1336 cur_node = ldns_rbtree_next(cur_node); 1337 } 1338 1339 ldns_rr_list_deep_free(pubkey_list); 1340 return result; 1341 } 1342 1343 ldns_status 1344 ldns_dnssec_zone_sign(ldns_dnssec_zone *zone, 1345 ldns_rr_list *new_rrs, 1346 ldns_key_list *key_list, 1347 int (*func)(ldns_rr *, void *), 1348 void *arg) 1349 { 1350 return ldns_dnssec_zone_sign_flg(zone, new_rrs, key_list, func, arg, 0); 1351 } 1352 1353 ldns_status 1354 ldns_dnssec_zone_sign_flg(ldns_dnssec_zone *zone, 1355 ldns_rr_list *new_rrs, 1356 ldns_key_list *key_list, 1357 int (*func)(ldns_rr *, void *), 1358 void *arg, 1359 int flags) 1360 { 1361 ldns_status result = LDNS_STATUS_OK; 1362 1363 if (!zone || !new_rrs || !key_list) { 1364 return LDNS_STATUS_ERR; 1365 } 1366 1367 /* zone is already sorted */ 1368 result = ldns_dnssec_zone_mark_glue(zone); 1369 if (result != LDNS_STATUS_OK) { 1370 return result; 1371 } 1372 1373 /* check whether we need to add nsecs */ 1374 if (zone->names && !((ldns_dnssec_name *)zone->names->root->data)->nsec) { 1375 result = ldns_dnssec_zone_create_nsecs(zone, new_rrs); 1376 if (result != LDNS_STATUS_OK) { 1377 return result; 1378 } 1379 } 1380 1381 result = ldns_dnssec_zone_create_rrsigs_flg(zone, 1382 new_rrs, 1383 key_list, 1384 func, 1385 arg, 1386 flags); 1387 1388 return result; 1389 } 1390 1391 ldns_status 1392 ldns_dnssec_zone_sign_nsec3(ldns_dnssec_zone *zone, 1393 ldns_rr_list *new_rrs, 1394 ldns_key_list *key_list, 1395 int (*func)(ldns_rr *, void *), 1396 void *arg, 1397 uint8_t algorithm, 1398 uint8_t flags, 1399 uint16_t iterations, 1400 uint8_t salt_length, 1401 uint8_t *salt) 1402 { 1403 return ldns_dnssec_zone_sign_nsec3_flg_mkmap(zone, new_rrs, key_list, 1404 func, arg, algorithm, flags, iterations, salt_length, salt, 0, 1405 NULL); 1406 } 1407 1408 ldns_status 1409 ldns_dnssec_zone_sign_nsec3_flg_mkmap(ldns_dnssec_zone *zone, 1410 ldns_rr_list *new_rrs, 1411 ldns_key_list *key_list, 1412 int (*func)(ldns_rr *, void *), 1413 void *arg, 1414 uint8_t algorithm, 1415 uint8_t flags, 1416 uint16_t iterations, 1417 uint8_t salt_length, 1418 uint8_t *salt, 1419 int signflags, 1420 ldns_rbtree_t **map) 1421 { 1422 ldns_rr *nsec3, *nsec3param; 1423 ldns_status result = LDNS_STATUS_OK; 1424 1425 /* zone is already sorted */ 1426 result = ldns_dnssec_zone_mark_glue(zone); 1427 if (result != LDNS_STATUS_OK) { 1428 return result; 1429 } 1430 1431 /* TODO if there are already nsec3s presents and their 1432 * parameters are the same as these, we don't have to recreate 1433 */ 1434 if (zone->names) { 1435 /* add empty nonterminals */ 1436 result = ldns_dnssec_zone_add_empty_nonterminals(zone); 1437 if (result != LDNS_STATUS_OK) { 1438 return result; 1439 } 1440 1441 nsec3 = ((ldns_dnssec_name *)zone->names->root->data)->nsec; 1442 if (nsec3 && ldns_rr_get_type(nsec3) == LDNS_RR_TYPE_NSEC3) { 1443 /* no need to recreate */ 1444 } else { 1445 if (!ldns_dnssec_zone_find_rrset(zone, 1446 zone->soa->name, 1447 LDNS_RR_TYPE_NSEC3PARAM)) { 1448 /* create and add the nsec3param rr */ 1449 nsec3param = 1450 ldns_rr_new_frm_type(LDNS_RR_TYPE_NSEC3PARAM); 1451 ldns_rr_set_owner(nsec3param, 1452 ldns_rdf_clone(zone->soa->name)); 1453 ldns_nsec3_add_param_rdfs(nsec3param, 1454 algorithm, 1455 flags, 1456 iterations, 1457 salt_length, 1458 salt); 1459 /* always set bit 7 of the flags to zero, according to 1460 * rfc5155 section 11. The bits are counted from right to left, 1461 * so bit 7 in rfc5155 is bit 0 in ldns */ 1462 ldns_set_bit(ldns_rdf_data(ldns_rr_rdf(nsec3param, 1)), 0, 0); 1463 result = ldns_dnssec_zone_add_rr(zone, nsec3param); 1464 if (result != LDNS_STATUS_OK) { 1465 return result; 1466 } 1467 ldns_rr_list_push_rr(new_rrs, nsec3param); 1468 } 1469 result = ldns_dnssec_zone_create_nsec3s_mkmap(zone, 1470 new_rrs, 1471 algorithm, 1472 flags, 1473 iterations, 1474 salt_length, 1475 salt, 1476 map); 1477 if (result != LDNS_STATUS_OK) { 1478 return result; 1479 } 1480 } 1481 1482 result = ldns_dnssec_zone_create_rrsigs_flg(zone, 1483 new_rrs, 1484 key_list, 1485 func, 1486 arg, 1487 signflags); 1488 } 1489 1490 return result; 1491 } 1492 1493 ldns_status 1494 ldns_dnssec_zone_sign_nsec3_flg(ldns_dnssec_zone *zone, 1495 ldns_rr_list *new_rrs, 1496 ldns_key_list *key_list, 1497 int (*func)(ldns_rr *, void *), 1498 void *arg, 1499 uint8_t algorithm, 1500 uint8_t flags, 1501 uint16_t iterations, 1502 uint8_t salt_length, 1503 uint8_t *salt, 1504 int signflags) 1505 { 1506 return ldns_dnssec_zone_sign_nsec3_flg_mkmap(zone, new_rrs, key_list, 1507 func, arg, algorithm, flags, iterations, salt_length, salt, 1508 signflags, NULL); 1509 } 1510 1511 ldns_zone * 1512 ldns_zone_sign(const ldns_zone *zone, ldns_key_list *key_list) 1513 { 1514 ldns_dnssec_zone *dnssec_zone; 1515 ldns_zone *signed_zone; 1516 ldns_rr_list *new_rrs; 1517 size_t i; 1518 1519 signed_zone = ldns_zone_new(); 1520 dnssec_zone = ldns_dnssec_zone_new(); 1521 1522 (void) ldns_dnssec_zone_add_rr(dnssec_zone, ldns_zone_soa(zone)); 1523 ldns_zone_set_soa(signed_zone, ldns_rr_clone(ldns_zone_soa(zone))); 1524 1525 for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(zone)); i++) { 1526 (void) ldns_dnssec_zone_add_rr(dnssec_zone, 1527 ldns_rr_list_rr(ldns_zone_rrs(zone), 1528 i)); 1529 ldns_zone_push_rr(signed_zone, 1530 ldns_rr_clone(ldns_rr_list_rr(ldns_zone_rrs(zone), 1531 i))); 1532 } 1533 1534 new_rrs = ldns_rr_list_new(); 1535 (void) ldns_dnssec_zone_sign(dnssec_zone, 1536 new_rrs, 1537 key_list, 1538 ldns_dnssec_default_replace_signatures, 1539 NULL); 1540 1541 for (i = 0; i < ldns_rr_list_rr_count(new_rrs); i++) { 1542 ldns_rr_list_push_rr(ldns_zone_rrs(signed_zone), 1543 ldns_rr_clone(ldns_rr_list_rr(new_rrs, i))); 1544 } 1545 1546 ldns_rr_list_deep_free(new_rrs); 1547 ldns_dnssec_zone_free(dnssec_zone); 1548 1549 return signed_zone; 1550 } 1551 1552 ldns_zone * 1553 ldns_zone_sign_nsec3(ldns_zone *zone, ldns_key_list *key_list, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt) 1554 { 1555 ldns_dnssec_zone *dnssec_zone; 1556 ldns_zone *signed_zone; 1557 ldns_rr_list *new_rrs; 1558 size_t i; 1559 1560 signed_zone = ldns_zone_new(); 1561 dnssec_zone = ldns_dnssec_zone_new(); 1562 1563 (void) ldns_dnssec_zone_add_rr(dnssec_zone, ldns_zone_soa(zone)); 1564 ldns_zone_set_soa(signed_zone, ldns_rr_clone(ldns_zone_soa(zone))); 1565 1566 for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(zone)); i++) { 1567 (void) ldns_dnssec_zone_add_rr(dnssec_zone, 1568 ldns_rr_list_rr(ldns_zone_rrs(zone), 1569 i)); 1570 ldns_zone_push_rr(signed_zone, 1571 ldns_rr_clone(ldns_rr_list_rr(ldns_zone_rrs(zone), 1572 i))); 1573 } 1574 1575 new_rrs = ldns_rr_list_new(); 1576 (void) ldns_dnssec_zone_sign_nsec3(dnssec_zone, 1577 new_rrs, 1578 key_list, 1579 ldns_dnssec_default_replace_signatures, 1580 NULL, 1581 algorithm, 1582 flags, 1583 iterations, 1584 salt_length, 1585 salt); 1586 1587 for (i = 0; i < ldns_rr_list_rr_count(new_rrs); i++) { 1588 ldns_rr_list_push_rr(ldns_zone_rrs(signed_zone), 1589 ldns_rr_clone(ldns_rr_list_rr(new_rrs, i))); 1590 } 1591 1592 ldns_rr_list_deep_free(new_rrs); 1593 ldns_dnssec_zone_free(dnssec_zone); 1594 1595 return signed_zone; 1596 } 1597 #endif /* HAVE_SSL */ 1598 1599 1600