1 #include <ldns/config.h> 2 3 #include <ldns/ldns.h> 4 5 #include <ldns/dnssec.h> 6 #include <ldns/dnssec_sign.h> 7 8 #include <strings.h> 9 #include <time.h> 10 11 #ifdef HAVE_SSL 12 /* this entire file is rather useless when you don't have 13 * crypto... 14 */ 15 #include <openssl/ssl.h> 16 #include <openssl/evp.h> 17 #include <openssl/rand.h> 18 #include <openssl/err.h> 19 #include <openssl/md5.h> 20 #endif /* HAVE_SSL */ 21 22 ldns_rr * 23 ldns_create_empty_rrsig(ldns_rr_list *rrset, 24 ldns_key *current_key) 25 { 26 uint32_t orig_ttl; 27 ldns_rr_class orig_class; 28 time_t now; 29 ldns_rr *current_sig; 30 uint8_t label_count; 31 ldns_rdf *signame; 32 33 label_count = ldns_dname_label_count(ldns_rr_owner(ldns_rr_list_rr(rrset, 34 0))); 35 /* RFC4035 2.2: not counting the leftmost label if it is a wildcard */ 36 if(ldns_dname_is_wildcard(ldns_rr_owner(ldns_rr_list_rr(rrset, 0)))) 37 label_count --; 38 39 current_sig = ldns_rr_new_frm_type(LDNS_RR_TYPE_RRSIG); 40 41 /* set the type on the new signature */ 42 orig_ttl = ldns_rr_ttl(ldns_rr_list_rr(rrset, 0)); 43 orig_class = ldns_rr_get_class(ldns_rr_list_rr(rrset, 0)); 44 45 ldns_rr_set_ttl(current_sig, orig_ttl); 46 ldns_rr_set_class(current_sig, orig_class); 47 ldns_rr_set_owner(current_sig, 48 ldns_rdf_clone( 49 ldns_rr_owner( 50 ldns_rr_list_rr(rrset, 51 0)))); 52 53 /* fill in what we know of the signature */ 54 55 /* set the orig_ttl */ 56 (void)ldns_rr_rrsig_set_origttl( 57 current_sig, 58 ldns_native2rdf_int32(LDNS_RDF_TYPE_INT32, 59 orig_ttl)); 60 /* the signers name */ 61 signame = ldns_rdf_clone(ldns_key_pubkey_owner(current_key)); 62 ldns_dname2canonical(signame); 63 (void)ldns_rr_rrsig_set_signame( 64 current_sig, 65 signame); 66 /* label count - get it from the first rr in the rr_list */ 67 (void)ldns_rr_rrsig_set_labels( 68 current_sig, 69 ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8, 70 label_count)); 71 /* inception, expiration */ 72 now = time(NULL); 73 if (ldns_key_inception(current_key) != 0) { 74 (void)ldns_rr_rrsig_set_inception( 75 current_sig, 76 ldns_native2rdf_int32( 77 LDNS_RDF_TYPE_TIME, 78 ldns_key_inception(current_key))); 79 } else { 80 (void)ldns_rr_rrsig_set_inception( 81 current_sig, 82 ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME, now)); 83 } 84 if (ldns_key_expiration(current_key) != 0) { 85 (void)ldns_rr_rrsig_set_expiration( 86 current_sig, 87 ldns_native2rdf_int32( 88 LDNS_RDF_TYPE_TIME, 89 ldns_key_expiration(current_key))); 90 } else { 91 (void)ldns_rr_rrsig_set_expiration( 92 current_sig, 93 ldns_native2rdf_int32( 94 LDNS_RDF_TYPE_TIME, 95 now + LDNS_DEFAULT_EXP_TIME)); 96 } 97 98 (void)ldns_rr_rrsig_set_keytag( 99 current_sig, 100 ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16, 101 ldns_key_keytag(current_key))); 102 103 (void)ldns_rr_rrsig_set_algorithm( 104 current_sig, 105 ldns_native2rdf_int8( 106 LDNS_RDF_TYPE_ALG, 107 ldns_key_algorithm(current_key))); 108 109 (void)ldns_rr_rrsig_set_typecovered( 110 current_sig, 111 ldns_native2rdf_int16( 112 LDNS_RDF_TYPE_TYPE, 113 ldns_rr_get_type(ldns_rr_list_rr(rrset, 114 0)))); 115 return current_sig; 116 } 117 118 #ifdef HAVE_SSL 119 ldns_rdf * 120 ldns_sign_public_buffer(ldns_buffer *sign_buf, ldns_key *current_key) 121 { 122 ldns_rdf *b64rdf = NULL; 123 124 switch(ldns_key_algorithm(current_key)) { 125 case LDNS_SIGN_DSA: 126 case LDNS_SIGN_DSA_NSEC3: 127 b64rdf = ldns_sign_public_evp( 128 sign_buf, 129 ldns_key_evp_key(current_key), 130 EVP_dss1()); 131 break; 132 case LDNS_SIGN_RSASHA1: 133 case LDNS_SIGN_RSASHA1_NSEC3: 134 b64rdf = ldns_sign_public_evp( 135 sign_buf, 136 ldns_key_evp_key(current_key), 137 EVP_sha1()); 138 break; 139 #ifdef USE_SHA2 140 case LDNS_SIGN_RSASHA256: 141 b64rdf = ldns_sign_public_evp( 142 sign_buf, 143 ldns_key_evp_key(current_key), 144 EVP_sha256()); 145 break; 146 case LDNS_SIGN_RSASHA512: 147 b64rdf = ldns_sign_public_evp( 148 sign_buf, 149 ldns_key_evp_key(current_key), 150 EVP_sha512()); 151 break; 152 #endif /* USE_SHA2 */ 153 #ifdef USE_GOST 154 case LDNS_SIGN_ECC_GOST: 155 b64rdf = ldns_sign_public_evp( 156 sign_buf, 157 ldns_key_evp_key(current_key), 158 EVP_get_digestbyname("md_gost94")); 159 break; 160 #endif /* USE_GOST */ 161 #ifdef USE_ECDSA 162 case LDNS_SIGN_ECDSAP256SHA256: 163 b64rdf = ldns_sign_public_evp( 164 sign_buf, 165 ldns_key_evp_key(current_key), 166 EVP_sha256()); 167 break; 168 case LDNS_SIGN_ECDSAP384SHA384: 169 b64rdf = ldns_sign_public_evp( 170 sign_buf, 171 ldns_key_evp_key(current_key), 172 EVP_sha384()); 173 break; 174 #endif 175 case LDNS_SIGN_RSAMD5: 176 b64rdf = ldns_sign_public_evp( 177 sign_buf, 178 ldns_key_evp_key(current_key), 179 EVP_md5()); 180 break; 181 default: 182 /* do _you_ know this alg? */ 183 printf("unknown algorithm, "); 184 printf("is the one used available on this system?\n"); 185 break; 186 } 187 188 return b64rdf; 189 } 190 191 /** 192 * use this function to sign with a public/private key alg 193 * return the created signatures 194 */ 195 ldns_rr_list * 196 ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys) 197 { 198 ldns_rr_list *signatures; 199 ldns_rr_list *rrset_clone; 200 ldns_rr *current_sig; 201 ldns_rdf *b64rdf; 202 ldns_key *current_key; 203 size_t key_count; 204 uint16_t i; 205 ldns_buffer *sign_buf; 206 ldns_rdf *new_owner; 207 208 if (!rrset || ldns_rr_list_rr_count(rrset) < 1 || !keys) { 209 return NULL; 210 } 211 212 new_owner = NULL; 213 214 signatures = ldns_rr_list_new(); 215 216 /* prepare a signature and add all the know data 217 * prepare the rrset. Sign this together. */ 218 rrset_clone = ldns_rr_list_clone(rrset); 219 if (!rrset_clone) { 220 return NULL; 221 } 222 223 /* make it canonical */ 224 for(i = 0; i < ldns_rr_list_rr_count(rrset_clone); i++) { 225 ldns_rr_set_ttl(ldns_rr_list_rr(rrset_clone, i), 226 ldns_rr_ttl(ldns_rr_list_rr(rrset, 0))); 227 ldns_rr2canonical(ldns_rr_list_rr(rrset_clone, i)); 228 } 229 /* sort */ 230 ldns_rr_list_sort(rrset_clone); 231 232 for (key_count = 0; 233 key_count < ldns_key_list_key_count(keys); 234 key_count++) { 235 if (!ldns_key_use(ldns_key_list_key(keys, key_count))) { 236 continue; 237 } 238 sign_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN); 239 if (!sign_buf) { 240 ldns_rr_list_free(rrset_clone); 241 ldns_rr_list_free(signatures); 242 ldns_rdf_free(new_owner); 243 return NULL; 244 } 245 b64rdf = NULL; 246 247 current_key = ldns_key_list_key(keys, key_count); 248 /* sign all RRs with keys that have ZSKbit, !SEPbit. 249 sign DNSKEY RRs with keys that have ZSKbit&SEPbit */ 250 if (ldns_key_flags(current_key) & LDNS_KEY_ZONE_KEY) { 251 current_sig = ldns_create_empty_rrsig(rrset_clone, 252 current_key); 253 254 /* right now, we have: a key, a semi-sig and an rrset. For 255 * which we can create the sig and base64 encode that and 256 * add that to the signature */ 257 258 if (ldns_rrsig2buffer_wire(sign_buf, current_sig) 259 != LDNS_STATUS_OK) { 260 ldns_buffer_free(sign_buf); 261 /* ERROR */ 262 ldns_rr_list_deep_free(rrset_clone); 263 ldns_rr_free(current_sig); 264 ldns_rr_list_deep_free(signatures); 265 return NULL; 266 } 267 268 /* add the rrset in sign_buf */ 269 if (ldns_rr_list2buffer_wire(sign_buf, rrset_clone) 270 != LDNS_STATUS_OK) { 271 ldns_buffer_free(sign_buf); 272 ldns_rr_list_deep_free(rrset_clone); 273 ldns_rr_free(current_sig); 274 ldns_rr_list_deep_free(signatures); 275 return NULL; 276 } 277 278 b64rdf = ldns_sign_public_buffer(sign_buf, current_key); 279 280 if (!b64rdf) { 281 /* signing went wrong */ 282 ldns_rr_list_deep_free(rrset_clone); 283 ldns_rr_free(current_sig); 284 ldns_rr_list_deep_free(signatures); 285 return NULL; 286 } 287 288 ldns_rr_rrsig_set_sig(current_sig, b64rdf); 289 290 /* push the signature to the signatures list */ 291 ldns_rr_list_push_rr(signatures, current_sig); 292 } 293 ldns_buffer_free(sign_buf); /* restart for the next key */ 294 } 295 ldns_rr_list_deep_free(rrset_clone); 296 297 return signatures; 298 } 299 300 /** 301 * Sign data with DSA 302 * 303 * \param[in] to_sign The ldns_buffer containing raw data that is 304 * to be signed 305 * \param[in] key The DSA key structure to sign with 306 * \return ldns_rdf for the RRSIG ldns_rr 307 */ 308 ldns_rdf * 309 ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key) 310 { 311 unsigned char *sha1_hash; 312 ldns_rdf *sigdata_rdf; 313 ldns_buffer *b64sig; 314 315 DSA_SIG *sig; 316 uint8_t *data; 317 size_t pad; 318 319 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN); 320 if (!b64sig) { 321 return NULL; 322 } 323 324 sha1_hash = SHA1((unsigned char*)ldns_buffer_begin(to_sign), 325 ldns_buffer_position(to_sign), NULL); 326 if (!sha1_hash) { 327 ldns_buffer_free(b64sig); 328 return NULL; 329 } 330 331 sig = DSA_do_sign(sha1_hash, SHA_DIGEST_LENGTH, key); 332 if(!sig) { 333 ldns_buffer_free(b64sig); 334 return NULL; 335 } 336 337 data = LDNS_XMALLOC(uint8_t, 1 + 2 * SHA_DIGEST_LENGTH); 338 if(!data) { 339 ldns_buffer_free(b64sig); 340 DSA_SIG_free(sig); 341 return NULL; 342 } 343 344 data[0] = 1; 345 pad = 20 - (size_t) BN_num_bytes(sig->r); 346 if (pad > 0) { 347 memset(data + 1, 0, pad); 348 } 349 BN_bn2bin(sig->r, (unsigned char *) (data + 1) + pad); 350 351 pad = 20 - (size_t) BN_num_bytes(sig->s); 352 if (pad > 0) { 353 memset(data + 1 + SHA_DIGEST_LENGTH, 0, pad); 354 } 355 BN_bn2bin(sig->s, (unsigned char *) (data + 1 + SHA_DIGEST_LENGTH + pad)); 356 357 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, 358 1 + 2 * SHA_DIGEST_LENGTH, 359 data); 360 361 ldns_buffer_free(b64sig); 362 LDNS_FREE(data); 363 DSA_SIG_free(sig); 364 365 return sigdata_rdf; 366 } 367 368 #ifdef USE_ECDSA 369 #ifndef S_SPLINT_S 370 static int 371 ldns_pkey_is_ecdsa(EVP_PKEY* pkey) 372 { 373 EC_KEY* ec; 374 const EC_GROUP* g; 375 if(EVP_PKEY_type(pkey->type) != EVP_PKEY_EC) 376 return 0; 377 ec = EVP_PKEY_get1_EC_KEY(pkey); 378 g = EC_KEY_get0_group(ec); 379 if(!g) { 380 EC_KEY_free(ec); 381 return 0; 382 } 383 if(EC_GROUP_get_curve_name(g) == NID_secp224r1 || 384 EC_GROUP_get_curve_name(g) == NID_X9_62_prime256v1 || 385 EC_GROUP_get_curve_name(g) == NID_secp384r1) { 386 EC_KEY_free(ec); 387 return 1; 388 } 389 /* downref the eckey, the original is still inside the pkey */ 390 EC_KEY_free(ec); 391 return 0; 392 } 393 #endif /* splint */ 394 #endif /* USE_ECDSA */ 395 396 ldns_rdf * 397 ldns_sign_public_evp(ldns_buffer *to_sign, 398 EVP_PKEY *key, 399 const EVP_MD *digest_type) 400 { 401 unsigned int siglen; 402 ldns_rdf *sigdata_rdf; 403 ldns_buffer *b64sig; 404 EVP_MD_CTX ctx; 405 const EVP_MD *md_type; 406 int r; 407 408 siglen = 0; 409 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN); 410 if (!b64sig) { 411 return NULL; 412 } 413 414 /* initializes a signing context */ 415 md_type = digest_type; 416 if(!md_type) { 417 /* unknown message difest */ 418 ldns_buffer_free(b64sig); 419 return NULL; 420 } 421 422 EVP_MD_CTX_init(&ctx); 423 r = EVP_SignInit(&ctx, md_type); 424 if(r == 1) { 425 r = EVP_SignUpdate(&ctx, (unsigned char*) 426 ldns_buffer_begin(to_sign), 427 ldns_buffer_position(to_sign)); 428 } else { 429 ldns_buffer_free(b64sig); 430 return NULL; 431 } 432 if(r == 1) { 433 r = EVP_SignFinal(&ctx, (unsigned char*) 434 ldns_buffer_begin(b64sig), &siglen, key); 435 } else { 436 ldns_buffer_free(b64sig); 437 return NULL; 438 } 439 if(r != 1) { 440 ldns_buffer_free(b64sig); 441 return NULL; 442 } 443 444 /* unfortunately, OpenSSL output is differenct from DNS DSA format */ 445 #ifndef S_SPLINT_S 446 if (EVP_PKEY_type(key->type) == EVP_PKEY_DSA) { 447 sigdata_rdf = ldns_convert_dsa_rrsig_asn12rdf(b64sig, siglen); 448 #ifdef USE_ECDSA 449 } else if(EVP_PKEY_type(key->type) == EVP_PKEY_EC && 450 ldns_pkey_is_ecdsa(key)) { 451 sigdata_rdf = ldns_convert_ecdsa_rrsig_asn12rdf(b64sig, siglen); 452 #endif 453 } else { 454 /* ok output for other types is the same */ 455 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen, 456 ldns_buffer_begin(b64sig)); 457 } 458 #endif /* splint */ 459 ldns_buffer_free(b64sig); 460 EVP_MD_CTX_cleanup(&ctx); 461 return sigdata_rdf; 462 } 463 464 ldns_rdf * 465 ldns_sign_public_rsasha1(ldns_buffer *to_sign, RSA *key) 466 { 467 unsigned char *sha1_hash; 468 unsigned int siglen; 469 ldns_rdf *sigdata_rdf; 470 ldns_buffer *b64sig; 471 int result; 472 473 siglen = 0; 474 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN); 475 if (!b64sig) { 476 return NULL; 477 } 478 479 sha1_hash = SHA1((unsigned char*)ldns_buffer_begin(to_sign), 480 ldns_buffer_position(to_sign), NULL); 481 if (!sha1_hash) { 482 ldns_buffer_free(b64sig); 483 return NULL; 484 } 485 486 result = RSA_sign(NID_sha1, sha1_hash, SHA_DIGEST_LENGTH, 487 (unsigned char*)ldns_buffer_begin(b64sig), 488 &siglen, key); 489 if (result != 1) { 490 ldns_buffer_free(b64sig); 491 return NULL; 492 } 493 494 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen, 495 ldns_buffer_begin(b64sig)); 496 ldns_buffer_free(b64sig); /* can't free this buffer ?? */ 497 return sigdata_rdf; 498 } 499 500 ldns_rdf * 501 ldns_sign_public_rsamd5(ldns_buffer *to_sign, RSA *key) 502 { 503 unsigned char *md5_hash; 504 unsigned int siglen; 505 ldns_rdf *sigdata_rdf; 506 ldns_buffer *b64sig; 507 508 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN); 509 if (!b64sig) { 510 return NULL; 511 } 512 513 md5_hash = MD5((unsigned char*)ldns_buffer_begin(to_sign), 514 ldns_buffer_position(to_sign), NULL); 515 if (!md5_hash) { 516 ldns_buffer_free(b64sig); 517 return NULL; 518 } 519 520 RSA_sign(NID_md5, md5_hash, MD5_DIGEST_LENGTH, 521 (unsigned char*)ldns_buffer_begin(b64sig), 522 &siglen, key); 523 524 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen, 525 ldns_buffer_begin(b64sig)); 526 ldns_buffer_free(b64sig); 527 return sigdata_rdf; 528 } 529 #endif /* HAVE_SSL */ 530 531 /** 532 * Pushes all rrs from the rrsets of type A and AAAA on gluelist. 533 */ 534 static ldns_status 535 ldns_dnssec_addresses_on_glue_list( 536 ldns_dnssec_rrsets *cur_rrset, 537 ldns_rr_list *glue_list) 538 { 539 ldns_dnssec_rrs *cur_rrs; 540 while (cur_rrset) { 541 if (cur_rrset->type == LDNS_RR_TYPE_A 542 || cur_rrset->type == LDNS_RR_TYPE_AAAA) { 543 for (cur_rrs = cur_rrset->rrs; 544 cur_rrs; 545 cur_rrs = cur_rrs->next) { 546 if (cur_rrs->rr) { 547 if (!ldns_rr_list_push_rr(glue_list, 548 cur_rrs->rr)) { 549 return LDNS_STATUS_MEM_ERR; 550 /* ldns_rr_list_push_rr() 551 * returns false when unable 552 * to increase the capacity 553 * of the ldsn_rr_list 554 */ 555 } 556 } 557 } 558 } 559 cur_rrset = cur_rrset->next; 560 } 561 return LDNS_STATUS_OK; 562 } 563 564 /** 565 * Marks the names in the zone that are occluded. Those names will be skipped 566 * when walking the tree with the ldns_dnssec_name_node_next_nonglue() 567 * function. But watch out! Names that are partially occluded (like glue with 568 * the same name as the delegation) will not be marked and should specifically 569 * be taken into account seperately. 570 * 571 * When glue_list is given (not NULL), in the process of marking the names, all 572 * glue resource records will be pushed to that list, even glue at delegation names. 573 * 574 * \param[in] zone the zone in which to mark the names 575 * \param[in] glue_list the list to which to push the glue rrs 576 * \return LDNS_STATUS_OK on success, an error code otherwise 577 */ 578 ldns_status 579 ldns_dnssec_zone_mark_and_get_glue(ldns_dnssec_zone *zone, 580 ldns_rr_list *glue_list) 581 { 582 ldns_rbnode_t *node; 583 ldns_dnssec_name *name; 584 ldns_rdf *owner; 585 ldns_rdf *cut = NULL; /* keeps track of zone cuts */ 586 /* When the cut is caused by a delegation, below_delegation will be 1. 587 * When caused by a DNAME, below_delegation will be 0. 588 */ 589 int below_delegation = -1; /* init suppresses comiler warning */ 590 ldns_status s; 591 592 if (!zone || !zone->names) { 593 return LDNS_STATUS_NULL; 594 } 595 for (node = ldns_rbtree_first(zone->names); 596 node != LDNS_RBTREE_NULL; 597 node = ldns_rbtree_next(node)) { 598 name = (ldns_dnssec_name *) node->data; 599 owner = ldns_dnssec_name_name(name); 600 601 if (cut) { 602 /* The previous node was a zone cut, or a subdomain 603 * below a zone cut. Is this node (still) a subdomain 604 * below the cut? Then the name is occluded. Unless 605 * the name contains a SOA, after which we are 606 * authoritative again. 607 * 608 * FIXME! If there are labels in between the SOA and 609 * the cut, going from the authoritative space (below 610 * the SOA) up into occluded space again, will not be 611 * detected with the contruct below! 612 */ 613 if (ldns_dname_is_subdomain(owner, cut) && 614 !ldns_dnssec_rrsets_contains_type( 615 name->rrsets, LDNS_RR_TYPE_SOA)) { 616 617 if (below_delegation && glue_list) { 618 s = ldns_dnssec_addresses_on_glue_list( 619 name->rrsets, glue_list); 620 if (s != LDNS_STATUS_OK) { 621 return s; 622 } 623 } 624 name->is_glue = true; /* Mark occluded name! */ 625 continue; 626 } else { 627 cut = NULL; 628 } 629 } 630 631 /* The node is not below a zone cut. Is it a zone cut itself? 632 * Everything below a SOA is authoritative of course; Except 633 * when the name also contains a DNAME :). 634 */ 635 if (ldns_dnssec_rrsets_contains_type( 636 name->rrsets, LDNS_RR_TYPE_NS) 637 && !ldns_dnssec_rrsets_contains_type( 638 name->rrsets, LDNS_RR_TYPE_SOA)) { 639 cut = owner; 640 below_delegation = 1; 641 if (glue_list) { /* record glue on the zone cut */ 642 s = ldns_dnssec_addresses_on_glue_list( 643 name->rrsets, glue_list); 644 if (s != LDNS_STATUS_OK) { 645 return s; 646 } 647 } 648 } else if (ldns_dnssec_rrsets_contains_type( 649 name->rrsets, LDNS_RR_TYPE_DNAME)) { 650 cut = owner; 651 below_delegation = 0; 652 } 653 } 654 return LDNS_STATUS_OK; 655 } 656 657 /** 658 * Marks the names in the zone that are occluded. Those names will be skipped 659 * when walking the tree with the ldns_dnssec_name_node_next_nonglue() 660 * function. But watch out! Names that are partially occluded (like glue with 661 * the same name as the delegation) will not be marked and should specifically 662 * be taken into account seperately. 663 * 664 * \param[in] zone the zone in which to mark the names 665 * \return LDNS_STATUS_OK on success, an error code otherwise 666 */ 667 ldns_status 668 ldns_dnssec_zone_mark_glue(ldns_dnssec_zone *zone) 669 { 670 return ldns_dnssec_zone_mark_and_get_glue(zone, NULL); 671 } 672 673 ldns_rbnode_t * 674 ldns_dnssec_name_node_next_nonglue(ldns_rbnode_t *node) 675 { 676 ldns_rbnode_t *next_node = NULL; 677 ldns_dnssec_name *next_name = NULL; 678 bool done = false; 679 680 if (node == LDNS_RBTREE_NULL) { 681 return NULL; 682 } 683 next_node = node; 684 while (!done) { 685 if (next_node == LDNS_RBTREE_NULL) { 686 return NULL; 687 } else { 688 next_name = (ldns_dnssec_name *)next_node->data; 689 if (!next_name->is_glue) { 690 done = true; 691 } else { 692 next_node = ldns_rbtree_next(next_node); 693 } 694 } 695 } 696 return next_node; 697 } 698 699 ldns_status 700 ldns_dnssec_zone_create_nsecs(ldns_dnssec_zone *zone, 701 ldns_rr_list *new_rrs) 702 { 703 704 ldns_rbnode_t *first_node, *cur_node, *next_node; 705 ldns_dnssec_name *cur_name, *next_name; 706 ldns_rr *nsec_rr; 707 uint32_t nsec_ttl; 708 ldns_dnssec_rrsets *soa; 709 710 /* the TTL of NSEC rrs should be set to the minimum TTL of 711 * the zone SOA (RFC4035 Section 2.3) 712 */ 713 soa = ldns_dnssec_name_find_rrset(zone->soa, LDNS_RR_TYPE_SOA); 714 715 /* did the caller actually set it? if not, 716 * fall back to default ttl 717 */ 718 if (soa && soa->rrs && soa->rrs->rr 719 && (ldns_rr_rdf(soa->rrs->rr, 6) != NULL)) { 720 nsec_ttl = ldns_rdf2native_int32(ldns_rr_rdf(soa->rrs->rr, 6)); 721 } else { 722 nsec_ttl = LDNS_DEFAULT_TTL; 723 } 724 725 first_node = ldns_dnssec_name_node_next_nonglue( 726 ldns_rbtree_first(zone->names)); 727 cur_node = first_node; 728 if (cur_node) { 729 next_node = ldns_dnssec_name_node_next_nonglue( 730 ldns_rbtree_next(cur_node)); 731 } else { 732 next_node = NULL; 733 } 734 735 while (cur_node && next_node) { 736 cur_name = (ldns_dnssec_name *)cur_node->data; 737 next_name = (ldns_dnssec_name *)next_node->data; 738 nsec_rr = ldns_dnssec_create_nsec(cur_name, 739 next_name, 740 LDNS_RR_TYPE_NSEC); 741 ldns_rr_set_ttl(nsec_rr, nsec_ttl); 742 if(ldns_dnssec_name_add_rr(cur_name, nsec_rr)!=LDNS_STATUS_OK){ 743 ldns_rr_free(nsec_rr); 744 return LDNS_STATUS_ERR; 745 } 746 ldns_rr_list_push_rr(new_rrs, nsec_rr); 747 cur_node = next_node; 748 if (cur_node) { 749 next_node = ldns_dnssec_name_node_next_nonglue( 750 ldns_rbtree_next(cur_node)); 751 } 752 } 753 754 if (cur_node && !next_node) { 755 cur_name = (ldns_dnssec_name *)cur_node->data; 756 next_name = (ldns_dnssec_name *)first_node->data; 757 nsec_rr = ldns_dnssec_create_nsec(cur_name, 758 next_name, 759 LDNS_RR_TYPE_NSEC); 760 ldns_rr_set_ttl(nsec_rr, nsec_ttl); 761 if(ldns_dnssec_name_add_rr(cur_name, nsec_rr)!=LDNS_STATUS_OK){ 762 ldns_rr_free(nsec_rr); 763 return LDNS_STATUS_ERR; 764 } 765 ldns_rr_list_push_rr(new_rrs, nsec_rr); 766 } else { 767 printf("error\n"); 768 } 769 770 return LDNS_STATUS_OK; 771 } 772 773 #ifdef HAVE_SSL 774 /* in dnssec_zone.c */ 775 extern int ldns_dname_compare_v(const void *a, const void *b); 776 777 ldns_status 778 ldns_dnssec_zone_create_nsec3s_mkmap(ldns_dnssec_zone *zone, 779 ldns_rr_list *new_rrs, 780 uint8_t algorithm, 781 uint8_t flags, 782 uint16_t iterations, 783 uint8_t salt_length, 784 uint8_t *salt, 785 ldns_rbtree_t **map) 786 { 787 ldns_rbnode_t *first_name_node; 788 ldns_rbnode_t *current_name_node; 789 ldns_dnssec_name *current_name; 790 ldns_status result = LDNS_STATUS_OK; 791 ldns_rr *nsec_rr; 792 ldns_rr_list *nsec3_list; 793 uint32_t nsec_ttl; 794 ldns_dnssec_rrsets *soa; 795 ldns_rbnode_t *hashmap_node; 796 797 if (!zone || !new_rrs || !zone->names) { 798 return LDNS_STATUS_ERR; 799 } 800 801 /* the TTL of NSEC rrs should be set to the minimum TTL of 802 * the zone SOA (RFC4035 Section 2.3) 803 */ 804 soa = ldns_dnssec_name_find_rrset(zone->soa, LDNS_RR_TYPE_SOA); 805 806 /* did the caller actually set it? if not, 807 * fall back to default ttl 808 */ 809 if (soa && soa->rrs && soa->rrs->rr 810 && ldns_rr_rdf(soa->rrs->rr, 6) != NULL) { 811 nsec_ttl = ldns_rdf2native_int32(ldns_rr_rdf(soa->rrs->rr, 6)); 812 } else { 813 nsec_ttl = LDNS_DEFAULT_TTL; 814 } 815 816 if (map) { 817 if ((*map = ldns_rbtree_create(ldns_dname_compare_v)) 818 == NULL) { 819 map = NULL; 820 }; 821 } 822 nsec3_list = ldns_rr_list_new(); 823 824 first_name_node = ldns_dnssec_name_node_next_nonglue( 825 ldns_rbtree_first(zone->names)); 826 827 current_name_node = first_name_node; 828 829 while (current_name_node && 830 current_name_node != LDNS_RBTREE_NULL) { 831 current_name = (ldns_dnssec_name *) current_name_node->data; 832 nsec_rr = ldns_dnssec_create_nsec3(current_name, 833 NULL, 834 zone->soa->name, 835 algorithm, 836 flags, 837 iterations, 838 salt_length, 839 salt); 840 /* by default, our nsec based generator adds rrsigs 841 * remove the bitmap for empty nonterminals */ 842 if (!current_name->rrsets) { 843 ldns_rdf_deep_free(ldns_rr_pop_rdf(nsec_rr)); 844 } 845 ldns_rr_set_ttl(nsec_rr, nsec_ttl); 846 result = ldns_dnssec_name_add_rr(current_name, nsec_rr); 847 ldns_rr_list_push_rr(new_rrs, nsec_rr); 848 ldns_rr_list_push_rr(nsec3_list, nsec_rr); 849 if (map) { 850 hashmap_node = LDNS_MALLOC(ldns_rbnode_t); 851 if (hashmap_node && ldns_rr_owner(nsec_rr)) { 852 hashmap_node->key = ldns_dname_label( 853 ldns_rr_owner(nsec_rr), 0); 854 if (hashmap_node->key) { 855 hashmap_node->data = current_name->name; 856 (void) ldns_rbtree_insert( 857 *map, hashmap_node); 858 } 859 } 860 } 861 current_name_node = ldns_dnssec_name_node_next_nonglue( 862 ldns_rbtree_next(current_name_node)); 863 } 864 if (result != LDNS_STATUS_OK) { 865 ldns_rr_list_free(nsec3_list); 866 return result; 867 } 868 869 ldns_rr_list_sort_nsec3(nsec3_list); 870 result = ldns_dnssec_chain_nsec3_list(nsec3_list); 871 ldns_rr_list_free(nsec3_list); 872 873 return result; 874 } 875 876 ldns_status 877 ldns_dnssec_zone_create_nsec3s(ldns_dnssec_zone *zone, 878 ldns_rr_list *new_rrs, 879 uint8_t algorithm, 880 uint8_t flags, 881 uint16_t iterations, 882 uint8_t salt_length, 883 uint8_t *salt) 884 { 885 return ldns_dnssec_zone_create_nsec3s_mkmap(zone, new_rrs, algorithm, 886 flags, iterations, salt_length, salt, NULL); 887 888 } 889 #endif /* HAVE_SSL */ 890 891 ldns_dnssec_rrs * 892 ldns_dnssec_remove_signatures( ldns_dnssec_rrs *signatures 893 , ATTR_UNUSED(ldns_key_list *key_list) 894 , int (*func)(ldns_rr *, void *) 895 , void *arg 896 ) 897 { 898 ldns_dnssec_rrs *base_rrs = signatures; 899 ldns_dnssec_rrs *cur_rr = base_rrs; 900 ldns_dnssec_rrs *prev_rr = NULL; 901 ldns_dnssec_rrs *next_rr; 902 903 uint16_t keytag; 904 size_t i; 905 906 if (!cur_rr) { 907 switch(func(NULL, arg)) { 908 case LDNS_SIGNATURE_LEAVE_ADD_NEW: 909 case LDNS_SIGNATURE_REMOVE_ADD_NEW: 910 break; 911 case LDNS_SIGNATURE_LEAVE_NO_ADD: 912 case LDNS_SIGNATURE_REMOVE_NO_ADD: 913 ldns_key_list_set_use(key_list, false); 914 break; 915 default: 916 fprintf(stderr, "[XX] unknown return value from callback\n"); 917 break; 918 } 919 return NULL; 920 } 921 (void)func(cur_rr->rr, arg); 922 923 while (cur_rr) { 924 next_rr = cur_rr->next; 925 926 switch (func(cur_rr->rr, arg)) { 927 case LDNS_SIGNATURE_LEAVE_ADD_NEW: 928 prev_rr = cur_rr; 929 break; 930 case LDNS_SIGNATURE_LEAVE_NO_ADD: 931 keytag = ldns_rdf2native_int16( 932 ldns_rr_rrsig_keytag(cur_rr->rr)); 933 for (i = 0; i < ldns_key_list_key_count(key_list); i++) { 934 if (ldns_key_keytag(ldns_key_list_key(key_list, i)) == 935 keytag) { 936 ldns_key_set_use(ldns_key_list_key(key_list, i), 937 false); 938 } 939 } 940 prev_rr = cur_rr; 941 break; 942 case LDNS_SIGNATURE_REMOVE_NO_ADD: 943 keytag = ldns_rdf2native_int16( 944 ldns_rr_rrsig_keytag(cur_rr->rr)); 945 for (i = 0; i < ldns_key_list_key_count(key_list); i++) { 946 if (ldns_key_keytag(ldns_key_list_key(key_list, i)) 947 == keytag) { 948 ldns_key_set_use(ldns_key_list_key(key_list, i), 949 false); 950 } 951 } 952 if (prev_rr) { 953 prev_rr->next = next_rr; 954 } else { 955 base_rrs = next_rr; 956 } 957 LDNS_FREE(cur_rr); 958 break; 959 case LDNS_SIGNATURE_REMOVE_ADD_NEW: 960 if (prev_rr) { 961 prev_rr->next = next_rr; 962 } else { 963 base_rrs = next_rr; 964 } 965 LDNS_FREE(cur_rr); 966 break; 967 default: 968 fprintf(stderr, "[XX] unknown return value from callback\n"); 969 break; 970 } 971 cur_rr = next_rr; 972 } 973 974 return base_rrs; 975 } 976 977 #ifdef HAVE_SSL 978 ldns_status 979 ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone *zone, 980 ldns_rr_list *new_rrs, 981 ldns_key_list *key_list, 982 int (*func)(ldns_rr *, void*), 983 void *arg) 984 { 985 return ldns_dnssec_zone_create_rrsigs_flg(zone, new_rrs, key_list, 986 func, arg, 0); 987 } 988 989 /** If there are KSKs use only them and mark ZSKs unused */ 990 static void 991 ldns_key_list_filter_for_dnskey(ldns_key_list *key_list) 992 { 993 int saw_ksk = 0; 994 size_t i; 995 for(i=0; i<ldns_key_list_key_count(key_list); i++) 996 if((ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY)) { 997 saw_ksk = 1; 998 break; 999 } 1000 if(!saw_ksk) 1001 return; 1002 for(i=0; i<ldns_key_list_key_count(key_list); i++) 1003 if(!(ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY)) 1004 ldns_key_set_use(ldns_key_list_key(key_list, i), 0); 1005 } 1006 1007 /** If there are no ZSKs use KSK as ZSK */ 1008 static void 1009 ldns_key_list_filter_for_non_dnskey(ldns_key_list *key_list) 1010 { 1011 int saw_zsk = 0; 1012 size_t i; 1013 for(i=0; i<ldns_key_list_key_count(key_list); i++) 1014 if(!(ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY)) { 1015 saw_zsk = 1; 1016 break; 1017 } 1018 if(!saw_zsk) 1019 return; 1020 /* else filter all KSKs */ 1021 for(i=0; i<ldns_key_list_key_count(key_list); i++) 1022 if((ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY)) 1023 ldns_key_set_use(ldns_key_list_key(key_list, i), 0); 1024 } 1025 1026 ldns_status 1027 ldns_dnssec_zone_create_rrsigs_flg( ldns_dnssec_zone *zone 1028 , ldns_rr_list *new_rrs 1029 , ldns_key_list *key_list 1030 , int (*func)(ldns_rr *, void*) 1031 , void *arg 1032 , int flags 1033 ) 1034 { 1035 ldns_status result = LDNS_STATUS_OK; 1036 1037 ldns_rbnode_t *cur_node; 1038 ldns_rr_list *rr_list; 1039 1040 ldns_dnssec_name *cur_name; 1041 ldns_dnssec_rrsets *cur_rrset; 1042 ldns_dnssec_rrs *cur_rr; 1043 1044 ldns_rr_list *siglist; 1045 1046 size_t i; 1047 1048 int on_delegation_point = 0; /* handle partially occluded names */ 1049 1050 ldns_rr_list *pubkey_list = ldns_rr_list_new(); 1051 for (i = 0; i<ldns_key_list_key_count(key_list); i++) { 1052 ldns_rr_list_push_rr( pubkey_list 1053 , ldns_key2rr(ldns_key_list_key( 1054 key_list, i)) 1055 ); 1056 } 1057 /* TODO: callback to see is list should be signed */ 1058 /* TODO: remove 'old' signatures from signature list */ 1059 cur_node = ldns_rbtree_first(zone->names); 1060 while (cur_node != LDNS_RBTREE_NULL) { 1061 cur_name = (ldns_dnssec_name *) cur_node->data; 1062 1063 if (!cur_name->is_glue) { 1064 on_delegation_point = ldns_dnssec_rrsets_contains_type( 1065 cur_name->rrsets, LDNS_RR_TYPE_NS) 1066 && !ldns_dnssec_rrsets_contains_type( 1067 cur_name->rrsets, LDNS_RR_TYPE_SOA); 1068 cur_rrset = cur_name->rrsets; 1069 while (cur_rrset) { 1070 /* reset keys to use */ 1071 ldns_key_list_set_use(key_list, true); 1072 1073 /* walk through old sigs, remove the old, 1074 and mark which keys (not) to use) */ 1075 cur_rrset->signatures = 1076 ldns_dnssec_remove_signatures(cur_rrset->signatures, 1077 key_list, 1078 func, 1079 arg); 1080 if(!(flags&LDNS_SIGN_DNSKEY_WITH_ZSK) && 1081 cur_rrset->type == LDNS_RR_TYPE_DNSKEY) 1082 ldns_key_list_filter_for_dnskey(key_list); 1083 1084 if(cur_rrset->type != LDNS_RR_TYPE_DNSKEY) 1085 ldns_key_list_filter_for_non_dnskey(key_list); 1086 1087 /* TODO: just set count to zero? */ 1088 rr_list = ldns_rr_list_new(); 1089 1090 cur_rr = cur_rrset->rrs; 1091 while (cur_rr) { 1092 ldns_rr_list_push_rr(rr_list, cur_rr->rr); 1093 cur_rr = cur_rr->next; 1094 } 1095 1096 /* only sign non-delegation RRsets */ 1097 /* (glue should have been marked earlier, 1098 * except on the delegation points itself) */ 1099 if (!on_delegation_point || 1100 ldns_rr_list_type(rr_list) 1101 == LDNS_RR_TYPE_DS || 1102 ldns_rr_list_type(rr_list) 1103 == LDNS_RR_TYPE_NSEC || 1104 ldns_rr_list_type(rr_list) 1105 == LDNS_RR_TYPE_NSEC3) { 1106 siglist = ldns_sign_public(rr_list, key_list); 1107 for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) { 1108 if (cur_rrset->signatures) { 1109 result = ldns_dnssec_rrs_add_rr(cur_rrset->signatures, 1110 ldns_rr_list_rr(siglist, 1111 i)); 1112 } else { 1113 cur_rrset->signatures = ldns_dnssec_rrs_new(); 1114 cur_rrset->signatures->rr = 1115 ldns_rr_list_rr(siglist, i); 1116 } 1117 if (new_rrs) { 1118 ldns_rr_list_push_rr(new_rrs, 1119 ldns_rr_list_rr(siglist, 1120 i)); 1121 } 1122 } 1123 ldns_rr_list_free(siglist); 1124 } 1125 1126 ldns_rr_list_free(rr_list); 1127 1128 cur_rrset = cur_rrset->next; 1129 } 1130 1131 /* sign the nsec */ 1132 ldns_key_list_set_use(key_list, true); 1133 cur_name->nsec_signatures = 1134 ldns_dnssec_remove_signatures(cur_name->nsec_signatures, 1135 key_list, 1136 func, 1137 arg); 1138 ldns_key_list_filter_for_non_dnskey(key_list); 1139 1140 rr_list = ldns_rr_list_new(); 1141 ldns_rr_list_push_rr(rr_list, cur_name->nsec); 1142 siglist = ldns_sign_public(rr_list, key_list); 1143 1144 for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) { 1145 if (cur_name->nsec_signatures) { 1146 result = ldns_dnssec_rrs_add_rr(cur_name->nsec_signatures, 1147 ldns_rr_list_rr(siglist, i)); 1148 } else { 1149 cur_name->nsec_signatures = ldns_dnssec_rrs_new(); 1150 cur_name->nsec_signatures->rr = 1151 ldns_rr_list_rr(siglist, i); 1152 } 1153 if (new_rrs) { 1154 ldns_rr_list_push_rr(new_rrs, 1155 ldns_rr_list_rr(siglist, i)); 1156 } 1157 } 1158 1159 ldns_rr_list_free(siglist); 1160 ldns_rr_list_free(rr_list); 1161 } 1162 cur_node = ldns_rbtree_next(cur_node); 1163 } 1164 1165 ldns_rr_list_deep_free(pubkey_list); 1166 return result; 1167 } 1168 1169 ldns_status 1170 ldns_dnssec_zone_sign(ldns_dnssec_zone *zone, 1171 ldns_rr_list *new_rrs, 1172 ldns_key_list *key_list, 1173 int (*func)(ldns_rr *, void *), 1174 void *arg) 1175 { 1176 return ldns_dnssec_zone_sign_flg(zone, new_rrs, key_list, func, arg, 0); 1177 } 1178 1179 ldns_status 1180 ldns_dnssec_zone_sign_flg(ldns_dnssec_zone *zone, 1181 ldns_rr_list *new_rrs, 1182 ldns_key_list *key_list, 1183 int (*func)(ldns_rr *, void *), 1184 void *arg, 1185 int flags) 1186 { 1187 ldns_status result = LDNS_STATUS_OK; 1188 1189 if (!zone || !new_rrs || !key_list) { 1190 return LDNS_STATUS_ERR; 1191 } 1192 1193 /* zone is already sorted */ 1194 result = ldns_dnssec_zone_mark_glue(zone); 1195 if (result != LDNS_STATUS_OK) { 1196 return result; 1197 } 1198 1199 /* check whether we need to add nsecs */ 1200 if (zone->names && !((ldns_dnssec_name *)zone->names->root->data)->nsec) { 1201 result = ldns_dnssec_zone_create_nsecs(zone, new_rrs); 1202 if (result != LDNS_STATUS_OK) { 1203 return result; 1204 } 1205 } 1206 1207 result = ldns_dnssec_zone_create_rrsigs_flg(zone, 1208 new_rrs, 1209 key_list, 1210 func, 1211 arg, 1212 flags); 1213 1214 return result; 1215 } 1216 1217 ldns_status 1218 ldns_dnssec_zone_sign_nsec3(ldns_dnssec_zone *zone, 1219 ldns_rr_list *new_rrs, 1220 ldns_key_list *key_list, 1221 int (*func)(ldns_rr *, void *), 1222 void *arg, 1223 uint8_t algorithm, 1224 uint8_t flags, 1225 uint16_t iterations, 1226 uint8_t salt_length, 1227 uint8_t *salt) 1228 { 1229 return ldns_dnssec_zone_sign_nsec3_flg_mkmap(zone, new_rrs, key_list, 1230 func, arg, algorithm, flags, iterations, salt_length, salt, 0, 1231 NULL); 1232 } 1233 1234 ldns_status 1235 ldns_dnssec_zone_sign_nsec3_flg_mkmap(ldns_dnssec_zone *zone, 1236 ldns_rr_list *new_rrs, 1237 ldns_key_list *key_list, 1238 int (*func)(ldns_rr *, void *), 1239 void *arg, 1240 uint8_t algorithm, 1241 uint8_t flags, 1242 uint16_t iterations, 1243 uint8_t salt_length, 1244 uint8_t *salt, 1245 int signflags, 1246 ldns_rbtree_t **map) 1247 { 1248 ldns_rr *nsec3, *nsec3param; 1249 ldns_status result = LDNS_STATUS_OK; 1250 1251 /* zone is already sorted */ 1252 result = ldns_dnssec_zone_mark_glue(zone); 1253 if (result != LDNS_STATUS_OK) { 1254 return result; 1255 } 1256 1257 /* TODO if there are already nsec3s presents and their 1258 * parameters are the same as these, we don't have to recreate 1259 */ 1260 if (zone->names) { 1261 /* add empty nonterminals */ 1262 result = ldns_dnssec_zone_add_empty_nonterminals(zone); 1263 if (result != LDNS_STATUS_OK) { 1264 return result; 1265 } 1266 1267 nsec3 = ((ldns_dnssec_name *)zone->names->root->data)->nsec; 1268 if (nsec3 && ldns_rr_get_type(nsec3) == LDNS_RR_TYPE_NSEC3) { 1269 /* no need to recreate */ 1270 } else { 1271 if (!ldns_dnssec_zone_find_rrset(zone, 1272 zone->soa->name, 1273 LDNS_RR_TYPE_NSEC3PARAM)) { 1274 /* create and add the nsec3param rr */ 1275 nsec3param = 1276 ldns_rr_new_frm_type(LDNS_RR_TYPE_NSEC3PARAM); 1277 ldns_rr_set_owner(nsec3param, 1278 ldns_rdf_clone(zone->soa->name)); 1279 ldns_nsec3_add_param_rdfs(nsec3param, 1280 algorithm, 1281 flags, 1282 iterations, 1283 salt_length, 1284 salt); 1285 /* always set bit 7 of the flags to zero, according to 1286 * rfc5155 section 11. The bits are counted from right to left, 1287 * so bit 7 in rfc5155 is bit 0 in ldns */ 1288 ldns_set_bit(ldns_rdf_data(ldns_rr_rdf(nsec3param, 1)), 0, 0); 1289 result = ldns_dnssec_zone_add_rr(zone, nsec3param); 1290 if (result != LDNS_STATUS_OK) { 1291 return result; 1292 } 1293 ldns_rr_list_push_rr(new_rrs, nsec3param); 1294 } 1295 result = ldns_dnssec_zone_create_nsec3s_mkmap(zone, 1296 new_rrs, 1297 algorithm, 1298 flags, 1299 iterations, 1300 salt_length, 1301 salt, 1302 map); 1303 if (result != LDNS_STATUS_OK) { 1304 return result; 1305 } 1306 } 1307 1308 result = ldns_dnssec_zone_create_rrsigs_flg(zone, 1309 new_rrs, 1310 key_list, 1311 func, 1312 arg, 1313 signflags); 1314 } 1315 1316 return result; 1317 } 1318 1319 ldns_status 1320 ldns_dnssec_zone_sign_nsec3_flg(ldns_dnssec_zone *zone, 1321 ldns_rr_list *new_rrs, 1322 ldns_key_list *key_list, 1323 int (*func)(ldns_rr *, void *), 1324 void *arg, 1325 uint8_t algorithm, 1326 uint8_t flags, 1327 uint16_t iterations, 1328 uint8_t salt_length, 1329 uint8_t *salt, 1330 int signflags) 1331 { 1332 return ldns_dnssec_zone_sign_nsec3_flg_mkmap(zone, new_rrs, key_list, 1333 func, arg, algorithm, flags, iterations, salt_length, salt, 1334 signflags, NULL); 1335 } 1336 1337 ldns_zone * 1338 ldns_zone_sign(const ldns_zone *zone, ldns_key_list *key_list) 1339 { 1340 ldns_dnssec_zone *dnssec_zone; 1341 ldns_zone *signed_zone; 1342 ldns_rr_list *new_rrs; 1343 size_t i; 1344 1345 signed_zone = ldns_zone_new(); 1346 dnssec_zone = ldns_dnssec_zone_new(); 1347 1348 (void) ldns_dnssec_zone_add_rr(dnssec_zone, ldns_zone_soa(zone)); 1349 ldns_zone_set_soa(signed_zone, ldns_rr_clone(ldns_zone_soa(zone))); 1350 1351 for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(zone)); i++) { 1352 (void) ldns_dnssec_zone_add_rr(dnssec_zone, 1353 ldns_rr_list_rr(ldns_zone_rrs(zone), 1354 i)); 1355 ldns_zone_push_rr(signed_zone, 1356 ldns_rr_clone(ldns_rr_list_rr(ldns_zone_rrs(zone), 1357 i))); 1358 } 1359 1360 new_rrs = ldns_rr_list_new(); 1361 (void) ldns_dnssec_zone_sign(dnssec_zone, 1362 new_rrs, 1363 key_list, 1364 ldns_dnssec_default_replace_signatures, 1365 NULL); 1366 1367 for (i = 0; i < ldns_rr_list_rr_count(new_rrs); i++) { 1368 ldns_rr_list_push_rr(ldns_zone_rrs(signed_zone), 1369 ldns_rr_clone(ldns_rr_list_rr(new_rrs, i))); 1370 } 1371 1372 ldns_rr_list_deep_free(new_rrs); 1373 ldns_dnssec_zone_free(dnssec_zone); 1374 1375 return signed_zone; 1376 } 1377 1378 ldns_zone * 1379 ldns_zone_sign_nsec3(ldns_zone *zone, ldns_key_list *key_list, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt) 1380 { 1381 ldns_dnssec_zone *dnssec_zone; 1382 ldns_zone *signed_zone; 1383 ldns_rr_list *new_rrs; 1384 size_t i; 1385 1386 signed_zone = ldns_zone_new(); 1387 dnssec_zone = ldns_dnssec_zone_new(); 1388 1389 (void) ldns_dnssec_zone_add_rr(dnssec_zone, ldns_zone_soa(zone)); 1390 ldns_zone_set_soa(signed_zone, ldns_rr_clone(ldns_zone_soa(zone))); 1391 1392 for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(zone)); i++) { 1393 (void) ldns_dnssec_zone_add_rr(dnssec_zone, 1394 ldns_rr_list_rr(ldns_zone_rrs(zone), 1395 i)); 1396 ldns_zone_push_rr(signed_zone, 1397 ldns_rr_clone(ldns_rr_list_rr(ldns_zone_rrs(zone), 1398 i))); 1399 } 1400 1401 new_rrs = ldns_rr_list_new(); 1402 (void) ldns_dnssec_zone_sign_nsec3(dnssec_zone, 1403 new_rrs, 1404 key_list, 1405 ldns_dnssec_default_replace_signatures, 1406 NULL, 1407 algorithm, 1408 flags, 1409 iterations, 1410 salt_length, 1411 salt); 1412 1413 for (i = 0; i < ldns_rr_list_rr_count(new_rrs); i++) { 1414 ldns_rr_list_push_rr(ldns_zone_rrs(signed_zone), 1415 ldns_rr_clone(ldns_rr_list_rr(new_rrs, i))); 1416 } 1417 1418 ldns_rr_list_deep_free(new_rrs); 1419 ldns_dnssec_zone_free(dnssec_zone); 1420 1421 return signed_zone; 1422 } 1423 #endif /* HAVE_SSL */ 1424 1425 1426