ldns  1.7.0
dnssec_sign.c
Go to the documentation of this file.
1 #include <ldns/config.h>
2 
3 #include <ldns/ldns.h>
4 
5 #include <ldns/dnssec.h>
6 #include <ldns/dnssec_sign.h>
7 
8 #include <strings.h>
9 #include <time.h>
10 
11 #ifdef HAVE_SSL
12 /* this entire file is rather useless when you don't have
13  * crypto...
14  */
15 #include <openssl/ssl.h>
16 #include <openssl/evp.h>
17 #include <openssl/rand.h>
18 #include <openssl/err.h>
19 #include <openssl/md5.h>
20 #endif /* HAVE_SSL */
21 
22 ldns_rr *
23 ldns_create_empty_rrsig(const ldns_rr_list *rrset,
24  const ldns_key *current_key)
25 {
26  uint32_t orig_ttl;
27  ldns_rr_class orig_class;
28  time_t now;
29  ldns_rr *current_sig;
30  uint8_t label_count;
31  ldns_rdf *signame;
32 
33  label_count = ldns_dname_label_count(ldns_rr_owner(ldns_rr_list_rr(rrset,
34  0)));
35  /* RFC4035 2.2: not counting the leftmost label if it is a wildcard */
36  if(ldns_dname_is_wildcard(ldns_rr_owner(ldns_rr_list_rr(rrset, 0))))
37  label_count --;
38 
39  current_sig = ldns_rr_new_frm_type(LDNS_RR_TYPE_RRSIG);
40 
41  /* set the type on the new signature */
42  orig_ttl = ldns_rr_ttl(ldns_rr_list_rr(rrset, 0));
43  orig_class = ldns_rr_get_class(ldns_rr_list_rr(rrset, 0));
44 
45  ldns_rr_set_ttl(current_sig, orig_ttl);
46  ldns_rr_set_class(current_sig, orig_class);
47  ldns_rr_set_owner(current_sig,
48  ldns_rdf_clone(
49  ldns_rr_owner(
50  ldns_rr_list_rr(rrset,
51  0))));
52 
53  /* fill in what we know of the signature */
54 
55  /* set the orig_ttl */
56  (void)ldns_rr_rrsig_set_origttl(
57  current_sig,
58  ldns_native2rdf_int32(LDNS_RDF_TYPE_INT32,
59  orig_ttl));
60  /* the signers name */
61  signame = ldns_rdf_clone(ldns_key_pubkey_owner(current_key));
62  ldns_dname2canonical(signame);
63  (void)ldns_rr_rrsig_set_signame(
64  current_sig,
65  signame);
66  /* label count - get it from the first rr in the rr_list */
67  (void)ldns_rr_rrsig_set_labels(
68  current_sig,
69  ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8,
70  label_count));
71  /* inception, expiration */
72  now = time(NULL);
73  if (ldns_key_inception(current_key) != 0) {
74  (void)ldns_rr_rrsig_set_inception(
75  current_sig,
76  ldns_native2rdf_int32(
77  LDNS_RDF_TYPE_TIME,
78  ldns_key_inception(current_key)));
79  } else {
80  (void)ldns_rr_rrsig_set_inception(
81  current_sig,
82  ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME, now));
83  }
84  if (ldns_key_expiration(current_key) != 0) {
85  (void)ldns_rr_rrsig_set_expiration(
86  current_sig,
87  ldns_native2rdf_int32(
88  LDNS_RDF_TYPE_TIME,
89  ldns_key_expiration(current_key)));
90  } else {
91  (void)ldns_rr_rrsig_set_expiration(
92  current_sig,
93  ldns_native2rdf_int32(
94  LDNS_RDF_TYPE_TIME,
95  now + LDNS_DEFAULT_EXP_TIME));
96  }
97 
98  (void)ldns_rr_rrsig_set_keytag(
99  current_sig,
100  ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16,
101  ldns_key_keytag(current_key)));
102 
103  (void)ldns_rr_rrsig_set_algorithm(
104  current_sig,
105  ldns_native2rdf_int8(
106  LDNS_RDF_TYPE_ALG,
107  ldns_key_algorithm(current_key)));
108 
109  (void)ldns_rr_rrsig_set_typecovered(
110  current_sig,
111  ldns_native2rdf_int16(
112  LDNS_RDF_TYPE_TYPE,
113  ldns_rr_get_type(ldns_rr_list_rr(rrset,
114  0))));
115  return current_sig;
116 }
117 
118 #ifdef HAVE_SSL
119 ldns_rdf *
120 ldns_sign_public_buffer(ldns_buffer *sign_buf, ldns_key *current_key)
121 {
122  ldns_rdf *b64rdf = NULL;
123 
124  switch(ldns_key_algorithm(current_key)) {
125 #ifdef USE_DSA
126  case LDNS_SIGN_DSA:
127  case LDNS_SIGN_DSA_NSEC3:
128  b64rdf = ldns_sign_public_evp(
129  sign_buf,
130  ldns_key_evp_key(current_key),
131 # ifdef HAVE_EVP_DSS1
132  EVP_dss1()
133 # else
134  EVP_sha1()
135 # endif
136  );
137  break;
138 #endif /* USE_DSA */
139  case LDNS_SIGN_RSASHA1:
140  case LDNS_SIGN_RSASHA1_NSEC3:
141  b64rdf = ldns_sign_public_evp(
142  sign_buf,
143  ldns_key_evp_key(current_key),
144  EVP_sha1());
145  break;
146 #ifdef USE_SHA2
147  case LDNS_SIGN_RSASHA256:
148  b64rdf = ldns_sign_public_evp(
149  sign_buf,
150  ldns_key_evp_key(current_key),
151  EVP_sha256());
152  break;
153  case LDNS_SIGN_RSASHA512:
154  b64rdf = ldns_sign_public_evp(
155  sign_buf,
156  ldns_key_evp_key(current_key),
157  EVP_sha512());
158  break;
159 #endif /* USE_SHA2 */
160 #ifdef USE_GOST
161  case LDNS_SIGN_ECC_GOST:
162  b64rdf = ldns_sign_public_evp(
163  sign_buf,
164  ldns_key_evp_key(current_key),
165  EVP_get_digestbyname("md_gost94"));
166  break;
167 #endif /* USE_GOST */
168 #ifdef USE_ECDSA
169  case LDNS_SIGN_ECDSAP256SHA256:
170  b64rdf = ldns_sign_public_evp(
171  sign_buf,
172  ldns_key_evp_key(current_key),
173  EVP_sha256());
174  break;
175  case LDNS_SIGN_ECDSAP384SHA384:
176  b64rdf = ldns_sign_public_evp(
177  sign_buf,
178  ldns_key_evp_key(current_key),
179  EVP_sha384());
180  break;
181 #endif
182 #ifdef USE_ED25519
183  case LDNS_SIGN_ED25519:
184  b64rdf = ldns_sign_public_evp(
185  sign_buf,
186  ldns_key_evp_key(current_key),
187  EVP_sha512());
188  break;
189 #endif
190 #ifdef USE_ED448
191  case LDNS_SIGN_ED448:
192  b64rdf = ldns_sign_public_evp(
193  sign_buf,
194  ldns_key_evp_key(current_key),
195  EVP_sha512());
196  break;
197 #endif
198  case LDNS_SIGN_RSAMD5:
199  b64rdf = ldns_sign_public_evp(
200  sign_buf,
201  ldns_key_evp_key(current_key),
202  EVP_md5());
203  break;
204  default:
205  /* do _you_ know this alg? */
206  printf("unknown algorithm, ");
207  printf("is the one used available on this system?\n");
208  break;
209  }
210 
211  return b64rdf;
212 }
213 
218 ldns_rr_list *
219 ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys)
220 {
221  ldns_rr_list *signatures;
222  ldns_rr_list *rrset_clone;
223  ldns_rr *current_sig;
224  ldns_rdf *b64rdf;
225  ldns_key *current_key;
226  size_t key_count;
227  uint16_t i;
228  ldns_buffer *sign_buf;
229  ldns_rdf *new_owner;
230 
231  if (!rrset || ldns_rr_list_rr_count(rrset) < 1 || !keys) {
232  return NULL;
233  }
234 
235  new_owner = NULL;
236 
237  signatures = ldns_rr_list_new();
238 
239  /* prepare a signature and add all the know data
240  * prepare the rrset. Sign this together. */
241  rrset_clone = ldns_rr_list_clone(rrset);
242  if (!rrset_clone) {
243  return NULL;
244  }
245 
246  /* make it canonical */
247  for(i = 0; i < ldns_rr_list_rr_count(rrset_clone); i++) {
248  ldns_rr_set_ttl(ldns_rr_list_rr(rrset_clone, i),
249  ldns_rr_ttl(ldns_rr_list_rr(rrset, 0)));
250  ldns_rr2canonical(ldns_rr_list_rr(rrset_clone, i));
251  }
252  /* sort */
253  ldns_rr_list_sort(rrset_clone);
254 
255  for (key_count = 0;
256  key_count < ldns_key_list_key_count(keys);
257  key_count++) {
258  if (!ldns_key_use(ldns_key_list_key(keys, key_count))) {
259  continue;
260  }
261  sign_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
262  if (!sign_buf) {
263  ldns_rr_list_free(rrset_clone);
264  ldns_rr_list_free(signatures);
265  ldns_rdf_free(new_owner);
266  return NULL;
267  }
268  b64rdf = NULL;
269 
270  current_key = ldns_key_list_key(keys, key_count);
271  /* sign all RRs with keys that have ZSKbit, !SEPbit.
272  sign DNSKEY RRs with keys that have ZSKbit&SEPbit */
273  if (ldns_key_flags(current_key) & LDNS_KEY_ZONE_KEY) {
274  current_sig = ldns_create_empty_rrsig(rrset_clone,
275  current_key);
276 
277  /* right now, we have: a key, a semi-sig and an rrset. For
278  * which we can create the sig and base64 encode that and
279  * add that to the signature */
280 
281  if (ldns_rrsig2buffer_wire(sign_buf, current_sig)
282  != LDNS_STATUS_OK) {
283  ldns_buffer_free(sign_buf);
284  /* ERROR */
285  ldns_rr_list_deep_free(rrset_clone);
286  ldns_rr_free(current_sig);
287  ldns_rr_list_deep_free(signatures);
288  return NULL;
289  }
290 
291  /* add the rrset in sign_buf */
292  if (ldns_rr_list2buffer_wire(sign_buf, rrset_clone)
293  != LDNS_STATUS_OK) {
294  ldns_buffer_free(sign_buf);
295  ldns_rr_list_deep_free(rrset_clone);
296  ldns_rr_free(current_sig);
297  ldns_rr_list_deep_free(signatures);
298  return NULL;
299  }
300 
301  b64rdf = ldns_sign_public_buffer(sign_buf, current_key);
302 
303  if (!b64rdf) {
304  /* signing went wrong */
305  ldns_rr_list_deep_free(rrset_clone);
306  ldns_rr_free(current_sig);
307  ldns_rr_list_deep_free(signatures);
308  return NULL;
309  }
310 
311  ldns_rr_rrsig_set_sig(current_sig, b64rdf);
312 
313  /* push the signature to the signatures list */
314  ldns_rr_list_push_rr(signatures, current_sig);
315  }
316  ldns_buffer_free(sign_buf); /* restart for the next key */
317  }
318  ldns_rr_list_deep_free(rrset_clone);
319 
320  return signatures;
321 }
322 
331 ldns_rdf *
332 ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key)
333 {
334 #ifdef USE_DSA
335  unsigned char *sha1_hash;
336  ldns_rdf *sigdata_rdf;
337  ldns_buffer *b64sig;
338 
339  DSA_SIG *sig;
340  const BIGNUM *R, *S;
341  uint8_t *data;
342  size_t pad;
343 
344  b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN);
345  if (!b64sig) {
346  return NULL;
347  }
348 
349  sha1_hash = SHA1((unsigned char*)ldns_buffer_begin(to_sign),
350  ldns_buffer_position(to_sign), NULL);
351  if (!sha1_hash) {
352  ldns_buffer_free(b64sig);
353  return NULL;
354  }
355 
356  sig = DSA_do_sign(sha1_hash, SHA_DIGEST_LENGTH, key);
357  if(!sig) {
358  ldns_buffer_free(b64sig);
359  return NULL;
360  }
361 
362  data = LDNS_XMALLOC(uint8_t, 1 + 2 * SHA_DIGEST_LENGTH);
363  if(!data) {
364  ldns_buffer_free(b64sig);
365  DSA_SIG_free(sig);
366  return NULL;
367  }
368 
369  data[0] = 1;
370 # ifdef HAVE_DSA_SIG_GET0
371  DSA_SIG_get0(sig, &R, &S);
372 # else
373  R = sig->r;
374  S = sig->s;
375 # endif
376  pad = 20 - (size_t) BN_num_bytes(R);
377  if (pad > 0) {
378  memset(data + 1, 0, pad);
379  }
380  BN_bn2bin(R, (unsigned char *) (data + 1) + pad);
381 
382  pad = 20 - (size_t) BN_num_bytes(S);
383  if (pad > 0) {
384  memset(data + 1 + SHA_DIGEST_LENGTH, 0, pad);
385  }
386  BN_bn2bin(S, (unsigned char *) (data + 1 + SHA_DIGEST_LENGTH + pad));
387 
388  sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64,
389  1 + 2 * SHA_DIGEST_LENGTH,
390  data);
391 
392  ldns_buffer_free(b64sig);
393  LDNS_FREE(data);
394  DSA_SIG_free(sig);
395 
396  return sigdata_rdf;
397 #else
398  (void)to_sign; (void)key;
399  return NULL;
400 #endif
401 }
402 
403 #ifdef USE_ECDSA
404 #ifndef S_SPLINT_S
405 
406 static int
407 ldns_pkey_is_ecdsa(EVP_PKEY* pkey)
408 {
409  EC_KEY* ec;
410  const EC_GROUP* g;
411 #ifdef HAVE_EVP_PKEY_BASE_ID
412  if(EVP_PKEY_base_id(pkey) != EVP_PKEY_EC)
413  return 0;
414 #else
415  if(EVP_PKEY_type(key->type) != EVP_PKEY_EC)
416  return 0;
417 #endif
418  ec = EVP_PKEY_get1_EC_KEY(pkey);
419  g = EC_KEY_get0_group(ec);
420  if(!g) {
421  EC_KEY_free(ec);
422  return 0;
423  }
424  if(EC_GROUP_get_curve_name(g) == NID_X9_62_prime256v1) {
425  EC_KEY_free(ec);
426  return 32; /* 256/8 */
427  }
428  if(EC_GROUP_get_curve_name(g) == NID_secp384r1) {
429  EC_KEY_free(ec);
430  return 48; /* 384/8 */
431  }
432  /* downref the eckey, the original is still inside the pkey */
433  EC_KEY_free(ec);
434  return 0;
435 }
436 #endif /* splint */
437 #endif /* USE_ECDSA */
438 
439 ldns_rdf *
440 ldns_sign_public_evp(ldns_buffer *to_sign,
441  EVP_PKEY *key,
442  const EVP_MD *digest_type)
443 {
444  unsigned int siglen;
445  ldns_rdf *sigdata_rdf = NULL;
446  ldns_buffer *b64sig;
447  EVP_MD_CTX *ctx;
448  const EVP_MD *md_type;
449  int r;
450 
451  siglen = 0;
452  b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN);
453  if (!b64sig) {
454  return NULL;
455  }
456 
457  /* initializes a signing context */
458  md_type = digest_type;
459  if(!md_type) {
460  /* unknown message difest */
461  ldns_buffer_free(b64sig);
462  return NULL;
463  }
464 
465 #ifdef HAVE_EVP_MD_CTX_NEW
466  ctx = EVP_MD_CTX_new();
467 #else
468  ctx = (EVP_MD_CTX*)malloc(sizeof(*ctx));
469  if(ctx) EVP_MD_CTX_init(ctx);
470 #endif
471  if(!ctx) {
472  ldns_buffer_free(b64sig);
473  return NULL;
474  }
475 
476  r = EVP_SignInit(ctx, md_type);
477  if(r == 1) {
478  r = EVP_SignUpdate(ctx, (unsigned char*)
479  ldns_buffer_begin(to_sign),
480  ldns_buffer_position(to_sign));
481  } else {
482  ldns_buffer_free(b64sig);
483  EVP_MD_CTX_destroy(ctx);
484  return NULL;
485  }
486  if(r == 1) {
487  r = EVP_SignFinal(ctx, (unsigned char*)
488  ldns_buffer_begin(b64sig), &siglen, key);
489  } else {
490  ldns_buffer_free(b64sig);
491  EVP_MD_CTX_destroy(ctx);
492  return NULL;
493  }
494  if(r != 1) {
495  ldns_buffer_free(b64sig);
496  EVP_MD_CTX_destroy(ctx);
497  return NULL;
498  }
499 
500  /* OpenSSL output is different, convert it */
501  r = 0;
502 #ifdef USE_DSA
503 #ifndef S_SPLINT_S
504  /* unfortunately, OpenSSL output is different from DNS DSA format */
505 # ifdef HAVE_EVP_PKEY_BASE_ID
506  if (EVP_PKEY_base_id(key) == EVP_PKEY_DSA) {
507 # else
508  if (EVP_PKEY_type(key->type) == EVP_PKEY_DSA) {
509 # endif
510  r = 1;
511  sigdata_rdf = ldns_convert_dsa_rrsig_asn12rdf(b64sig, siglen);
512  }
513 #endif
514 #endif
515 #if defined(USE_ECDSA) || defined(USE_ED25519) || defined(USE_ED448)
516  if(
517 # ifdef HAVE_EVP_PKEY_BASE_ID
518  EVP_PKEY_base_id(key)
519 # else
520  EVP_PKEY_type(key->type)
521 # endif
522  == EVP_PKEY_EC) {
523 # ifdef USE_ECDSA
524  if(ldns_pkey_is_ecdsa(key)) {
525  r = 1;
526  sigdata_rdf = ldns_convert_ecdsa_rrsig_asn1len2rdf(
527  b64sig, (long)siglen, ldns_pkey_is_ecdsa(key));
528  }
529 # endif /* USE_ECDSA */
530 # ifdef USE_ED25519
531  if(EVP_PKEY_id(key) == NID_X25519) {
532  r = 1;
533  sigdata_rdf = ldns_convert_ed25519_rrsig_asn12rdf(
534  b64sig, siglen);
535  }
536 # endif /* USE_ED25519 */
537 # ifdef USE_ED448
538  if(EVP_PKEY_id(key) == NID_X448) {
539  r = 1;
540  sigdata_rdf = ldns_convert_ed448_rrsig_asn12rdf(
541  b64sig, siglen);
542  }
543 # endif /* USE_ED448 */
544  }
545 #endif /* PKEY_EC */
546  if(r == 0) {
547  /* ok output for other types is the same */
548  sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen,
549  ldns_buffer_begin(b64sig));
550  }
551  ldns_buffer_free(b64sig);
552  EVP_MD_CTX_destroy(ctx);
553  return sigdata_rdf;
554 }
555 
556 ldns_rdf *
557 ldns_sign_public_rsasha1(ldns_buffer *to_sign, RSA *key)
558 {
559  unsigned char *sha1_hash;
560  unsigned int siglen;
561  ldns_rdf *sigdata_rdf;
562  ldns_buffer *b64sig;
563  int result;
564 
565  siglen = 0;
566  b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN);
567  if (!b64sig) {
568  return NULL;
569  }
570 
571  sha1_hash = SHA1((unsigned char*)ldns_buffer_begin(to_sign),
572  ldns_buffer_position(to_sign), NULL);
573  if (!sha1_hash) {
574  ldns_buffer_free(b64sig);
575  return NULL;
576  }
577 
578  result = RSA_sign(NID_sha1, sha1_hash, SHA_DIGEST_LENGTH,
579  (unsigned char*)ldns_buffer_begin(b64sig),
580  &siglen, key);
581  if (result != 1) {
582  ldns_buffer_free(b64sig);
583  return NULL;
584  }
585 
586  sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen,
587  ldns_buffer_begin(b64sig));
588  ldns_buffer_free(b64sig); /* can't free this buffer ?? */
589  return sigdata_rdf;
590 }
591 
592 ldns_rdf *
593 ldns_sign_public_rsamd5(ldns_buffer *to_sign, RSA *key)
594 {
595  unsigned char *md5_hash;
596  unsigned int siglen;
597  ldns_rdf *sigdata_rdf;
598  ldns_buffer *b64sig;
599 
600  b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN);
601  if (!b64sig) {
602  return NULL;
603  }
604 
605  md5_hash = MD5((unsigned char*)ldns_buffer_begin(to_sign),
606  ldns_buffer_position(to_sign), NULL);
607  if (!md5_hash) {
608  ldns_buffer_free(b64sig);
609  return NULL;
610  }
611 
612  RSA_sign(NID_md5, md5_hash, MD5_DIGEST_LENGTH,
613  (unsigned char*)ldns_buffer_begin(b64sig),
614  &siglen, key);
615 
616  sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen,
617  ldns_buffer_begin(b64sig));
618  ldns_buffer_free(b64sig);
619  return sigdata_rdf;
620 }
621 #endif /* HAVE_SSL */
622 
626 static ldns_status
627 ldns_dnssec_addresses_on_glue_list(
628  ldns_dnssec_rrsets *cur_rrset,
629  ldns_rr_list *glue_list)
630 {
631  ldns_dnssec_rrs *cur_rrs;
632  while (cur_rrset) {
633  if (cur_rrset->type == LDNS_RR_TYPE_A
634  || cur_rrset->type == LDNS_RR_TYPE_AAAA) {
635  for (cur_rrs = cur_rrset->rrs;
636  cur_rrs;
637  cur_rrs = cur_rrs->next) {
638  if (cur_rrs->rr) {
639  if (!ldns_rr_list_push_rr(glue_list,
640  cur_rrs->rr)) {
641  return LDNS_STATUS_MEM_ERR;
642  /* ldns_rr_list_push_rr()
643  * returns false when unable
644  * to increase the capacity
645  * of the ldsn_rr_list
646  */
647  }
648  }
649  }
650  }
651  cur_rrset = cur_rrset->next;
652  }
653  return LDNS_STATUS_OK;
654 }
655 
670 ldns_status
671 ldns_dnssec_zone_mark_and_get_glue(ldns_dnssec_zone *zone,
672  ldns_rr_list *glue_list)
673 {
674  ldns_rbnode_t *node;
675  ldns_dnssec_name *name;
676  ldns_rdf *owner;
677  ldns_rdf *cut = NULL; /* keeps track of zone cuts */
678  /* When the cut is caused by a delegation, below_delegation will be 1.
679  * When caused by a DNAME, below_delegation will be 0.
680  */
681  int below_delegation = -1; /* init suppresses comiler warning */
682  ldns_status s;
683 
684  if (!zone || !zone->names) {
685  return LDNS_STATUS_NULL;
686  }
687  for (node = ldns_rbtree_first(zone->names);
688  node != LDNS_RBTREE_NULL;
689  node = ldns_rbtree_next(node)) {
690  name = (ldns_dnssec_name *) node->data;
691  owner = ldns_dnssec_name_name(name);
692 
693  if (cut) {
694  /* The previous node was a zone cut, or a subdomain
695  * below a zone cut. Is this node (still) a subdomain
696  * below the cut? Then the name is occluded. Unless
697  * the name contains a SOA, after which we are
698  * authoritative again.
699  *
700  * FIXME! If there are labels in between the SOA and
701  * the cut, going from the authoritative space (below
702  * the SOA) up into occluded space again, will not be
703  * detected with the contruct below!
704  */
705  if (ldns_dname_is_subdomain(owner, cut) &&
706  !ldns_dnssec_rrsets_contains_type(
707  name->rrsets, LDNS_RR_TYPE_SOA)) {
708 
709  if (below_delegation && glue_list) {
710  s = ldns_dnssec_addresses_on_glue_list(
711  name->rrsets, glue_list);
712  if (s != LDNS_STATUS_OK) {
713  return s;
714  }
715  }
716  name->is_glue = true; /* Mark occluded name! */
717  continue;
718  } else {
719  cut = NULL;
720  }
721  }
722 
723  /* The node is not below a zone cut. Is it a zone cut itself?
724  * Everything below a SOA is authoritative of course; Except
725  * when the name also contains a DNAME :).
726  */
727  if (ldns_dnssec_rrsets_contains_type(
728  name->rrsets, LDNS_RR_TYPE_NS)
729  && !ldns_dnssec_rrsets_contains_type(
730  name->rrsets, LDNS_RR_TYPE_SOA)) {
731  cut = owner;
732  below_delegation = 1;
733  if (glue_list) { /* record glue on the zone cut */
734  s = ldns_dnssec_addresses_on_glue_list(
735  name->rrsets, glue_list);
736  if (s != LDNS_STATUS_OK) {
737  return s;
738  }
739  }
740  } else if (ldns_dnssec_rrsets_contains_type(
741  name->rrsets, LDNS_RR_TYPE_DNAME)) {
742  cut = owner;
743  below_delegation = 0;
744  }
745  }
746  return LDNS_STATUS_OK;
747 }
748 
759 ldns_status
760 ldns_dnssec_zone_mark_glue(ldns_dnssec_zone *zone)
761 {
762  return ldns_dnssec_zone_mark_and_get_glue(zone, NULL);
763 }
764 
765 ldns_rbnode_t *
766 ldns_dnssec_name_node_next_nonglue(ldns_rbnode_t *node)
767 {
768  ldns_rbnode_t *next_node = NULL;
769  ldns_dnssec_name *next_name = NULL;
770  bool done = false;
771 
772  if (node == LDNS_RBTREE_NULL) {
773  return NULL;
774  }
775  next_node = node;
776  while (!done) {
777  if (next_node == LDNS_RBTREE_NULL) {
778  return NULL;
779  } else {
780  next_name = (ldns_dnssec_name *)next_node->data;
781  if (!next_name->is_glue) {
782  done = true;
783  } else {
784  next_node = ldns_rbtree_next(next_node);
785  }
786  }
787  }
788  return next_node;
789 }
790 
791 ldns_status
792 ldns_dnssec_zone_create_nsecs(ldns_dnssec_zone *zone,
793  ldns_rr_list *new_rrs)
794 {
795 
796  ldns_rbnode_t *first_node, *cur_node, *next_node;
797  ldns_dnssec_name *cur_name, *next_name;
798  ldns_rr *nsec_rr;
799  uint32_t nsec_ttl;
800  ldns_dnssec_rrsets *soa;
801 
802  /* the TTL of NSEC rrs should be set to the minimum TTL of
803  * the zone SOA (RFC4035 Section 2.3)
804  */
805  soa = ldns_dnssec_name_find_rrset(zone->soa, LDNS_RR_TYPE_SOA);
806 
807  /* did the caller actually set it? if not,
808  * fall back to default ttl
809  */
810  if (soa && soa->rrs && soa->rrs->rr
811  && (ldns_rr_rdf(soa->rrs->rr, 6) != NULL)) {
812  nsec_ttl = ldns_rdf2native_int32(ldns_rr_rdf(soa->rrs->rr, 6));
813  } else {
814  nsec_ttl = LDNS_DEFAULT_TTL;
815  }
816 
817  first_node = ldns_dnssec_name_node_next_nonglue(
818  ldns_rbtree_first(zone->names));
819  cur_node = first_node;
820  if (cur_node) {
821  next_node = ldns_dnssec_name_node_next_nonglue(
822  ldns_rbtree_next(cur_node));
823  } else {
824  next_node = NULL;
825  }
826 
827  while (cur_node && next_node) {
828  cur_name = (ldns_dnssec_name *)cur_node->data;
829  next_name = (ldns_dnssec_name *)next_node->data;
830  nsec_rr = ldns_dnssec_create_nsec(cur_name,
831  next_name,
832  LDNS_RR_TYPE_NSEC);
833  ldns_rr_set_ttl(nsec_rr, nsec_ttl);
834  if(ldns_dnssec_name_add_rr(cur_name, nsec_rr)!=LDNS_STATUS_OK){
835  ldns_rr_free(nsec_rr);
836  return LDNS_STATUS_ERR;
837  }
838  ldns_rr_list_push_rr(new_rrs, nsec_rr);
839  cur_node = next_node;
840  if (cur_node) {
841  next_node = ldns_dnssec_name_node_next_nonglue(
842  ldns_rbtree_next(cur_node));
843  }
844  }
845 
846  if (cur_node && !next_node) {
847  cur_name = (ldns_dnssec_name *)cur_node->data;
848  next_name = (ldns_dnssec_name *)first_node->data;
849  nsec_rr = ldns_dnssec_create_nsec(cur_name,
850  next_name,
851  LDNS_RR_TYPE_NSEC);
852  ldns_rr_set_ttl(nsec_rr, nsec_ttl);
853  if(ldns_dnssec_name_add_rr(cur_name, nsec_rr)!=LDNS_STATUS_OK){
854  ldns_rr_free(nsec_rr);
855  return LDNS_STATUS_ERR;
856  }
857  ldns_rr_list_push_rr(new_rrs, nsec_rr);
858  } else {
859  printf("error\n");
860  }
861 
862  return LDNS_STATUS_OK;
863 }
864 
865 #ifdef HAVE_SSL
866 static void
867 ldns_hashed_names_node_free(ldns_rbnode_t *node, void *arg) {
868  (void) arg;
869  LDNS_FREE(node);
870 }
871 
872 static ldns_status
873 ldns_dnssec_zone_create_nsec3s_mkmap(ldns_dnssec_zone *zone,
874  ldns_rr_list *new_rrs,
875  uint8_t algorithm,
876  uint8_t flags,
877  uint16_t iterations,
878  uint8_t salt_length,
879  uint8_t *salt,
880  ldns_rbtree_t **map)
881 {
882  ldns_rbnode_t *first_name_node;
883  ldns_rbnode_t *current_name_node;
884  ldns_dnssec_name *current_name;
885  ldns_status result = LDNS_STATUS_OK;
886  ldns_rr *nsec_rr;
887  ldns_rr_list *nsec3_list;
888  uint32_t nsec_ttl;
889  ldns_dnssec_rrsets *soa;
890  ldns_rbnode_t *hashmap_node;
891 
892  if (!zone || !new_rrs || !zone->names) {
893  return LDNS_STATUS_ERR;
894  }
895 
896  /* the TTL of NSEC rrs should be set to the minimum TTL of
897  * the zone SOA (RFC4035 Section 2.3)
898  */
899  soa = ldns_dnssec_name_find_rrset(zone->soa, LDNS_RR_TYPE_SOA);
900 
901  /* did the caller actually set it? if not,
902  * fall back to default ttl
903  */
904  if (soa && soa->rrs && soa->rrs->rr
905  && ldns_rr_rdf(soa->rrs->rr, 6) != NULL) {
906  nsec_ttl = ldns_rdf2native_int32(ldns_rr_rdf(soa->rrs->rr, 6));
907  } else {
908  nsec_ttl = LDNS_DEFAULT_TTL;
909  }
910 
911  if (ldns_rdf_size(zone->soa->name) > 222) {
912  return LDNS_STATUS_NSEC3_DOMAINNAME_OVERFLOW;
913  }
914 
915  if (zone->hashed_names) {
916  ldns_traverse_postorder(zone->hashed_names,
917  ldns_hashed_names_node_free, NULL);
918  LDNS_FREE(zone->hashed_names);
919  }
920  zone->hashed_names = ldns_rbtree_create(ldns_dname_compare_v);
921  if (zone->hashed_names && map) {
922  *map = zone->hashed_names;
923  }
924 
925  first_name_node = ldns_dnssec_name_node_next_nonglue(
926  ldns_rbtree_first(zone->names));
927 
928  current_name_node = first_name_node;
929 
930  while (current_name_node && current_name_node != LDNS_RBTREE_NULL &&
931  result == LDNS_STATUS_OK) {
932 
933  current_name = (ldns_dnssec_name *) current_name_node->data;
934  nsec_rr = ldns_dnssec_create_nsec3(current_name,
935  NULL,
936  zone->soa->name,
937  algorithm,
938  flags,
939  iterations,
940  salt_length,
941  salt);
942  /* by default, our nsec based generator adds rrsigs
943  * remove the bitmap for empty nonterminals */
944  if (!current_name->rrsets) {
945  ldns_rdf_deep_free(ldns_rr_pop_rdf(nsec_rr));
946  }
947  ldns_rr_set_ttl(nsec_rr, nsec_ttl);
948  result = ldns_dnssec_name_add_rr(current_name, nsec_rr);
949  ldns_rr_list_push_rr(new_rrs, nsec_rr);
950  if (ldns_rr_owner(nsec_rr)) {
951  hashmap_node = LDNS_MALLOC(ldns_rbnode_t);
952  if (hashmap_node == NULL) {
953  return LDNS_STATUS_MEM_ERR;
954  }
955  current_name->hashed_name =
956  ldns_dname_label(ldns_rr_owner(nsec_rr), 0);
957 
958  if (current_name->hashed_name == NULL) {
959  LDNS_FREE(hashmap_node);
960  return LDNS_STATUS_MEM_ERR;
961  }
962  hashmap_node->key = current_name->hashed_name;
963  hashmap_node->data = current_name;
964 
965  if (! ldns_rbtree_insert(zone->hashed_names
966  , hashmap_node)) {
967  LDNS_FREE(hashmap_node);
968  }
969  }
970  current_name_node = ldns_dnssec_name_node_next_nonglue(
971  ldns_rbtree_next(current_name_node));
972  }
973  if (result != LDNS_STATUS_OK) {
974  return result;
975  }
976 
977  /* Make sorted list of nsec3s (via zone->hashed_names)
978  */
979  nsec3_list = ldns_rr_list_new();
980  if (nsec3_list == NULL) {
981  return LDNS_STATUS_MEM_ERR;
982  }
983  for ( hashmap_node = ldns_rbtree_first(zone->hashed_names)
984  ; hashmap_node != LDNS_RBTREE_NULL
985  ; hashmap_node = ldns_rbtree_next(hashmap_node)
986  ) {
987  current_name = (ldns_dnssec_name *) hashmap_node->data;
988  nsec_rr = ((ldns_dnssec_name *) hashmap_node->data)->nsec;
989  if (nsec_rr) {
990  ldns_rr_list_push_rr(nsec3_list, nsec_rr);
991  }
992  }
993  result = ldns_dnssec_chain_nsec3_list(nsec3_list);
994  ldns_rr_list_free(nsec3_list);
995 
996  return result;
997 }
998 
999 ldns_status
1000 ldns_dnssec_zone_create_nsec3s(ldns_dnssec_zone *zone,
1001  ldns_rr_list *new_rrs,
1002  uint8_t algorithm,
1003  uint8_t flags,
1004  uint16_t iterations,
1005  uint8_t salt_length,
1006  uint8_t *salt)
1007 {
1008  return ldns_dnssec_zone_create_nsec3s_mkmap(zone, new_rrs, algorithm,
1009  flags, iterations, salt_length, salt, NULL);
1010 
1011 }
1012 #endif /* HAVE_SSL */
1013 
1014 ldns_dnssec_rrs *
1015 ldns_dnssec_remove_signatures( ldns_dnssec_rrs *signatures
1016  , ATTR_UNUSED(ldns_key_list *key_list)
1017  , int (*func)(ldns_rr *, void *)
1018  , void *arg
1019  )
1020 {
1021  ldns_dnssec_rrs *base_rrs = signatures;
1022  ldns_dnssec_rrs *cur_rr = base_rrs;
1023  ldns_dnssec_rrs *prev_rr = NULL;
1024  ldns_dnssec_rrs *next_rr;
1025 
1026  uint16_t keytag;
1027  size_t i;
1028 
1029  if (!cur_rr) {
1030  switch(func(NULL, arg)) {
1031  case LDNS_SIGNATURE_LEAVE_ADD_NEW:
1032  case LDNS_SIGNATURE_REMOVE_ADD_NEW:
1033  break;
1034  case LDNS_SIGNATURE_LEAVE_NO_ADD:
1035  case LDNS_SIGNATURE_REMOVE_NO_ADD:
1036  ldns_key_list_set_use(key_list, false);
1037  break;
1038  default:
1039 #ifdef STDERR_MSGS
1040  fprintf(stderr, "[XX] unknown return value from callback\n");
1041 #endif
1042  break;
1043  }
1044  return NULL;
1045  }
1046  (void)func(cur_rr->rr, arg);
1047 
1048  while (cur_rr) {
1049  next_rr = cur_rr->next;
1050 
1051  switch (func(cur_rr->rr, arg)) {
1052  case LDNS_SIGNATURE_LEAVE_ADD_NEW:
1053  prev_rr = cur_rr;
1054  break;
1055  case LDNS_SIGNATURE_LEAVE_NO_ADD:
1056  keytag = ldns_rdf2native_int16(
1057  ldns_rr_rrsig_keytag(cur_rr->rr));
1058  for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
1059  if (ldns_key_keytag(ldns_key_list_key(key_list, i)) ==
1060  keytag) {
1061  ldns_key_set_use(ldns_key_list_key(key_list, i),
1062  false);
1063  }
1064  }
1065  prev_rr = cur_rr;
1066  break;
1067  case LDNS_SIGNATURE_REMOVE_NO_ADD:
1068  keytag = ldns_rdf2native_int16(
1069  ldns_rr_rrsig_keytag(cur_rr->rr));
1070  for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
1071  if (ldns_key_keytag(ldns_key_list_key(key_list, i))
1072  == keytag) {
1073  ldns_key_set_use(ldns_key_list_key(key_list, i),
1074  false);
1075  }
1076  }
1077  if (prev_rr) {
1078  prev_rr->next = next_rr;
1079  } else {
1080  base_rrs = next_rr;
1081  }
1082  LDNS_FREE(cur_rr);
1083  break;
1084  case LDNS_SIGNATURE_REMOVE_ADD_NEW:
1085  if (prev_rr) {
1086  prev_rr->next = next_rr;
1087  } else {
1088  base_rrs = next_rr;
1089  }
1090  LDNS_FREE(cur_rr);
1091  break;
1092  default:
1093 #ifdef STDERR_MSGS
1094  fprintf(stderr, "[XX] unknown return value from callback\n");
1095 #endif
1096  break;
1097  }
1098  cur_rr = next_rr;
1099  }
1100 
1101  return base_rrs;
1102 }
1103 
1104 #ifdef HAVE_SSL
1105 ldns_status
1106 ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone *zone,
1107  ldns_rr_list *new_rrs,
1108  ldns_key_list *key_list,
1109  int (*func)(ldns_rr *, void*),
1110  void *arg)
1111 {
1112  return ldns_dnssec_zone_create_rrsigs_flg(zone, new_rrs, key_list,
1113  func, arg, 0);
1114 }
1115 
1117 static void
1118 ldns_key_list_filter_for_dnskey(ldns_key_list *key_list, int flags)
1119 {
1120  bool algos[256]
1121 #ifndef S_SPLINT_S
1122  = { false }
1123 #endif
1124  ;
1125  ldns_signing_algorithm saw_ksk = 0;
1126  ldns_key *key;
1127  size_t i;
1128 
1129  if (!ldns_key_list_key_count(key_list))
1130  return;
1131 
1132  for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
1133  key = ldns_key_list_key(key_list, i);
1134  if ((ldns_key_flags(key) & LDNS_KEY_SEP_KEY) && !saw_ksk)
1135  saw_ksk = ldns_key_algorithm(key);
1136  algos[ldns_key_algorithm(key)] = true;
1137  }
1138  if (!saw_ksk)
1139  return;
1140  else
1141  algos[saw_ksk] = 0;
1142 
1143  for (i =0; i < ldns_key_list_key_count(key_list); i++) {
1144  key = ldns_key_list_key(key_list, i);
1145  if (!(ldns_key_flags(key) & LDNS_KEY_SEP_KEY)) {
1146  /* We have a ZSK.
1147  * Still use it if it has a unique algorithm though!
1148  */
1149  if ((flags & LDNS_SIGN_WITH_ALL_ALGORITHMS) &&
1150  algos[ldns_key_algorithm(key)])
1151  algos[ldns_key_algorithm(key)] = false;
1152  else
1153  ldns_key_set_use(key, 0);
1154  }
1155  }
1156 }
1157 
1159 static void
1160 ldns_key_list_filter_for_non_dnskey(ldns_key_list *key_list, int flags)
1161 {
1162  bool algos[256]
1163 #ifndef S_SPLINT_S
1164  = { false }
1165 #endif
1166  ;
1167  ldns_signing_algorithm saw_zsk = 0;
1168  ldns_key *key;
1169  size_t i;
1170 
1171  if (!ldns_key_list_key_count(key_list))
1172  return;
1173 
1174  for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
1175  key = ldns_key_list_key(key_list, i);
1176  if (!(ldns_key_flags(key) & LDNS_KEY_SEP_KEY) && !saw_zsk)
1177  saw_zsk = ldns_key_algorithm(key);
1178  algos[ldns_key_algorithm(key)] = true;
1179  }
1180  if (!saw_zsk)
1181  return;
1182  else
1183  algos[saw_zsk] = 0;
1184 
1185  for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
1186  key = ldns_key_list_key(key_list, i);
1187  if((ldns_key_flags(key) & LDNS_KEY_SEP_KEY)) {
1188  /* We have a KSK.
1189  * Still use it if it has a unique algorithm though!
1190  */
1191  if ((flags & LDNS_SIGN_WITH_ALL_ALGORITHMS) &&
1192  algos[ldns_key_algorithm(key)])
1193  algos[ldns_key_algorithm(key)] = false;
1194  else
1195  ldns_key_set_use(key, 0);
1196  }
1197  }
1198 }
1199 
1200 ldns_status
1201 ldns_dnssec_zone_create_rrsigs_flg( ldns_dnssec_zone *zone
1202  , ldns_rr_list *new_rrs
1203  , ldns_key_list *key_list
1204  , int (*func)(ldns_rr *, void*)
1205  , void *arg
1206  , int flags
1207  )
1208 {
1209  ldns_status result = LDNS_STATUS_OK;
1210 
1211  ldns_rbnode_t *cur_node;
1212  ldns_rr_list *rr_list;
1213 
1214  ldns_dnssec_name *cur_name;
1215  ldns_dnssec_rrsets *cur_rrset;
1216  ldns_dnssec_rrs *cur_rr;
1217 
1218  ldns_rr_list *siglist;
1219 
1220  size_t i;
1221 
1222  int on_delegation_point = 0; /* handle partially occluded names */
1223 
1224  ldns_rr_list *pubkey_list = ldns_rr_list_new();
1225  for (i = 0; i<ldns_key_list_key_count(key_list); i++) {
1226  ldns_rr_list_push_rr( pubkey_list
1227  , ldns_key2rr(ldns_key_list_key(
1228  key_list, i))
1229  );
1230  }
1231  /* TODO: callback to see is list should be signed */
1232  /* TODO: remove 'old' signatures from signature list */
1233  cur_node = ldns_rbtree_first(zone->names);
1234  while (cur_node != LDNS_RBTREE_NULL) {
1235  cur_name = (ldns_dnssec_name *) cur_node->data;
1236 
1237  if (!cur_name->is_glue) {
1238  on_delegation_point = ldns_dnssec_rrsets_contains_type(
1239  cur_name->rrsets, LDNS_RR_TYPE_NS)
1240  && !ldns_dnssec_rrsets_contains_type(
1241  cur_name->rrsets, LDNS_RR_TYPE_SOA);
1242  cur_rrset = cur_name->rrsets;
1243  while (cur_rrset) {
1244  /* reset keys to use */
1245  ldns_key_list_set_use(key_list, true);
1246 
1247  /* walk through old sigs, remove the old,
1248  and mark which keys (not) to use) */
1249  cur_rrset->signatures =
1250  ldns_dnssec_remove_signatures(cur_rrset->signatures,
1251  key_list,
1252  func,
1253  arg);
1254  if(!(flags&LDNS_SIGN_DNSKEY_WITH_ZSK) &&
1255  cur_rrset->type == LDNS_RR_TYPE_DNSKEY)
1256  ldns_key_list_filter_for_dnskey(key_list, flags);
1257 
1258  if(cur_rrset->type != LDNS_RR_TYPE_DNSKEY)
1259  ldns_key_list_filter_for_non_dnskey(key_list, flags);
1260 
1261  /* TODO: just set count to zero? */
1262  rr_list = ldns_rr_list_new();
1263 
1264  cur_rr = cur_rrset->rrs;
1265  while (cur_rr) {
1266  ldns_rr_list_push_rr(rr_list, cur_rr->rr);
1267  cur_rr = cur_rr->next;
1268  }
1269 
1270  /* only sign non-delegation RRsets */
1271  /* (glue should have been marked earlier,
1272  * except on the delegation points itself) */
1273  if (!on_delegation_point ||
1274  ldns_rr_list_type(rr_list)
1275  == LDNS_RR_TYPE_DS ||
1276  ldns_rr_list_type(rr_list)
1277  == LDNS_RR_TYPE_NSEC ||
1278  ldns_rr_list_type(rr_list)
1279  == LDNS_RR_TYPE_NSEC3) {
1280  siglist = ldns_sign_public(rr_list, key_list);
1281  for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) {
1282  if (cur_rrset->signatures) {
1283  result = ldns_dnssec_rrs_add_rr(cur_rrset->signatures,
1284  ldns_rr_list_rr(siglist,
1285  i));
1286  } else {
1287  cur_rrset->signatures = ldns_dnssec_rrs_new();
1288  cur_rrset->signatures->rr =
1289  ldns_rr_list_rr(siglist, i);
1290  }
1291  if (new_rrs) {
1292  ldns_rr_list_push_rr(new_rrs,
1293  ldns_rr_list_rr(siglist,
1294  i));
1295  }
1296  }
1297  ldns_rr_list_free(siglist);
1298  }
1299 
1300  ldns_rr_list_free(rr_list);
1301 
1302  cur_rrset = cur_rrset->next;
1303  }
1304 
1305  /* sign the nsec */
1306  ldns_key_list_set_use(key_list, true);
1307  cur_name->nsec_signatures =
1308  ldns_dnssec_remove_signatures(cur_name->nsec_signatures,
1309  key_list,
1310  func,
1311  arg);
1312  ldns_key_list_filter_for_non_dnskey(key_list, flags);
1313 
1314  rr_list = ldns_rr_list_new();
1315  ldns_rr_list_push_rr(rr_list, cur_name->nsec);
1316  siglist = ldns_sign_public(rr_list, key_list);
1317 
1318  for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) {
1319  if (cur_name->nsec_signatures) {
1320  result = ldns_dnssec_rrs_add_rr(cur_name->nsec_signatures,
1321  ldns_rr_list_rr(siglist, i));
1322  } else {
1323  cur_name->nsec_signatures = ldns_dnssec_rrs_new();
1324  cur_name->nsec_signatures->rr =
1325  ldns_rr_list_rr(siglist, i);
1326  }
1327  if (new_rrs) {
1328  ldns_rr_list_push_rr(new_rrs,
1329  ldns_rr_list_rr(siglist, i));
1330  }
1331  }
1332 
1333  ldns_rr_list_free(siglist);
1334  ldns_rr_list_free(rr_list);
1335  }
1336  cur_node = ldns_rbtree_next(cur_node);
1337  }
1338 
1339  ldns_rr_list_deep_free(pubkey_list);
1340  return result;
1341 }
1342 
1343 ldns_status
1344 ldns_dnssec_zone_sign(ldns_dnssec_zone *zone,
1345  ldns_rr_list *new_rrs,
1346  ldns_key_list *key_list,
1347  int (*func)(ldns_rr *, void *),
1348  void *arg)
1349 {
1350  return ldns_dnssec_zone_sign_flg(zone, new_rrs, key_list, func, arg, 0);
1351 }
1352 
1353 ldns_status
1354 ldns_dnssec_zone_sign_flg(ldns_dnssec_zone *zone,
1355  ldns_rr_list *new_rrs,
1356  ldns_key_list *key_list,
1357  int (*func)(ldns_rr *, void *),
1358  void *arg,
1359  int flags)
1360 {
1361  ldns_status result = LDNS_STATUS_OK;
1362 
1363  if (!zone || !new_rrs || !key_list) {
1364  return LDNS_STATUS_ERR;
1365  }
1366 
1367  /* zone is already sorted */
1368  result = ldns_dnssec_zone_mark_glue(zone);
1369  if (result != LDNS_STATUS_OK) {
1370  return result;
1371  }
1372 
1373  /* check whether we need to add nsecs */
1374  if (zone->names && !((ldns_dnssec_name *)zone->names->root->data)->nsec) {
1375  result = ldns_dnssec_zone_create_nsecs(zone, new_rrs);
1376  if (result != LDNS_STATUS_OK) {
1377  return result;
1378  }
1379  }
1380 
1381  result = ldns_dnssec_zone_create_rrsigs_flg(zone,
1382  new_rrs,
1383  key_list,
1384  func,
1385  arg,
1386  flags);
1387 
1388  return result;
1389 }
1390 
1391 ldns_status
1392 ldns_dnssec_zone_sign_nsec3(ldns_dnssec_zone *zone,
1393  ldns_rr_list *new_rrs,
1394  ldns_key_list *key_list,
1395  int (*func)(ldns_rr *, void *),
1396  void *arg,
1397  uint8_t algorithm,
1398  uint8_t flags,
1399  uint16_t iterations,
1400  uint8_t salt_length,
1401  uint8_t *salt)
1402 {
1403  return ldns_dnssec_zone_sign_nsec3_flg_mkmap(zone, new_rrs, key_list,
1404  func, arg, algorithm, flags, iterations, salt_length, salt, 0,
1405  NULL);
1406 }
1407 
1408 ldns_status
1409 ldns_dnssec_zone_sign_nsec3_flg_mkmap(ldns_dnssec_zone *zone,
1410  ldns_rr_list *new_rrs,
1411  ldns_key_list *key_list,
1412  int (*func)(ldns_rr *, void *),
1413  void *arg,
1414  uint8_t algorithm,
1415  uint8_t flags,
1416  uint16_t iterations,
1417  uint8_t salt_length,
1418  uint8_t *salt,
1419  int signflags,
1420  ldns_rbtree_t **map)
1421 {
1422  ldns_rr *nsec3, *nsec3param;
1423  ldns_status result = LDNS_STATUS_OK;
1424 
1425  /* zone is already sorted */
1426  result = ldns_dnssec_zone_mark_glue(zone);
1427  if (result != LDNS_STATUS_OK) {
1428  return result;
1429  }
1430 
1431  /* TODO if there are already nsec3s presents and their
1432  * parameters are the same as these, we don't have to recreate
1433  */
1434  if (zone->names) {
1435  /* add empty nonterminals */
1436  result = ldns_dnssec_zone_add_empty_nonterminals(zone);
1437  if (result != LDNS_STATUS_OK) {
1438  return result;
1439  }
1440 
1441  nsec3 = ((ldns_dnssec_name *)zone->names->root->data)->nsec;
1442  if (nsec3 && ldns_rr_get_type(nsec3) == LDNS_RR_TYPE_NSEC3) {
1443  /* no need to recreate */
1444  } else {
1445  if (!ldns_dnssec_zone_find_rrset(zone,
1446  zone->soa->name,
1447  LDNS_RR_TYPE_NSEC3PARAM)) {
1448  /* create and add the nsec3param rr */
1449  nsec3param =
1450  ldns_rr_new_frm_type(LDNS_RR_TYPE_NSEC3PARAM);
1451  ldns_rr_set_owner(nsec3param,
1452  ldns_rdf_clone(zone->soa->name));
1453  ldns_nsec3_add_param_rdfs(nsec3param,
1454  algorithm,
1455  flags,
1456  iterations,
1457  salt_length,
1458  salt);
1459  /* always set bit 7 of the flags to zero, according to
1460  * rfc5155 section 11. The bits are counted from right to left,
1461  * so bit 7 in rfc5155 is bit 0 in ldns */
1462  ldns_set_bit(ldns_rdf_data(ldns_rr_rdf(nsec3param, 1)), 0, 0);
1463  result = ldns_dnssec_zone_add_rr(zone, nsec3param);
1464  if (result != LDNS_STATUS_OK) {
1465  return result;
1466  }
1467  ldns_rr_list_push_rr(new_rrs, nsec3param);
1468  }
1469  result = ldns_dnssec_zone_create_nsec3s_mkmap(zone,
1470  new_rrs,
1471  algorithm,
1472  flags,
1473  iterations,
1474  salt_length,
1475  salt,
1476  map);
1477  if (result != LDNS_STATUS_OK) {
1478  return result;
1479  }
1480  }
1481 
1482  result = ldns_dnssec_zone_create_rrsigs_flg(zone,
1483  new_rrs,
1484  key_list,
1485  func,
1486  arg,
1487  signflags);
1488  }
1489 
1490  return result;
1491 }
1492 
1493 ldns_status
1494 ldns_dnssec_zone_sign_nsec3_flg(ldns_dnssec_zone *zone,
1495  ldns_rr_list *new_rrs,
1496  ldns_key_list *key_list,
1497  int (*func)(ldns_rr *, void *),
1498  void *arg,
1499  uint8_t algorithm,
1500  uint8_t flags,
1501  uint16_t iterations,
1502  uint8_t salt_length,
1503  uint8_t *salt,
1504  int signflags)
1505 {
1506  return ldns_dnssec_zone_sign_nsec3_flg_mkmap(zone, new_rrs, key_list,
1507  func, arg, algorithm, flags, iterations, salt_length, salt,
1508  signflags, NULL);
1509 }
1510 
1511 ldns_zone *
1512 ldns_zone_sign(const ldns_zone *zone, ldns_key_list *key_list)
1513 {
1514  ldns_dnssec_zone *dnssec_zone;
1515  ldns_zone *signed_zone;
1516  ldns_rr_list *new_rrs;
1517  size_t i;
1518 
1519  signed_zone = ldns_zone_new();
1520  dnssec_zone = ldns_dnssec_zone_new();
1521 
1522  (void) ldns_dnssec_zone_add_rr(dnssec_zone, ldns_zone_soa(zone));
1523  ldns_zone_set_soa(signed_zone, ldns_rr_clone(ldns_zone_soa(zone)));
1524 
1525  for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(zone)); i++) {
1526  (void) ldns_dnssec_zone_add_rr(dnssec_zone,
1527  ldns_rr_list_rr(ldns_zone_rrs(zone),
1528  i));
1529  ldns_zone_push_rr(signed_zone,
1530  ldns_rr_clone(ldns_rr_list_rr(ldns_zone_rrs(zone),
1531  i)));
1532  }
1533 
1534  new_rrs = ldns_rr_list_new();
1535  (void) ldns_dnssec_zone_sign(dnssec_zone,
1536  new_rrs,
1537  key_list,
1538  ldns_dnssec_default_replace_signatures,
1539  NULL);
1540 
1541  for (i = 0; i < ldns_rr_list_rr_count(new_rrs); i++) {
1542  ldns_rr_list_push_rr(ldns_zone_rrs(signed_zone),
1543  ldns_rr_clone(ldns_rr_list_rr(new_rrs, i)));
1544  }
1545 
1546  ldns_rr_list_deep_free(new_rrs);
1547  ldns_dnssec_zone_free(dnssec_zone);
1548 
1549  return signed_zone;
1550 }
1551 
1552 ldns_zone *
1553 ldns_zone_sign_nsec3(ldns_zone *zone, ldns_key_list *key_list, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt)
1554 {
1555  ldns_dnssec_zone *dnssec_zone;
1556  ldns_zone *signed_zone;
1557  ldns_rr_list *new_rrs;
1558  size_t i;
1559 
1560  signed_zone = ldns_zone_new();
1561  dnssec_zone = ldns_dnssec_zone_new();
1562 
1563  (void) ldns_dnssec_zone_add_rr(dnssec_zone, ldns_zone_soa(zone));
1564  ldns_zone_set_soa(signed_zone, ldns_rr_clone(ldns_zone_soa(zone)));
1565 
1566  for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(zone)); i++) {
1567  (void) ldns_dnssec_zone_add_rr(dnssec_zone,
1568  ldns_rr_list_rr(ldns_zone_rrs(zone),
1569  i));
1570  ldns_zone_push_rr(signed_zone,
1571  ldns_rr_clone(ldns_rr_list_rr(ldns_zone_rrs(zone),
1572  i)));
1573  }
1574 
1575  new_rrs = ldns_rr_list_new();
1576  (void) ldns_dnssec_zone_sign_nsec3(dnssec_zone,
1577  new_rrs,
1578  key_list,
1579  ldns_dnssec_default_replace_signatures,
1580  NULL,
1581  algorithm,
1582  flags,
1583  iterations,
1584  salt_length,
1585  salt);
1586 
1587  for (i = 0; i < ldns_rr_list_rr_count(new_rrs); i++) {
1588  ldns_rr_list_push_rr(ldns_zone_rrs(signed_zone),
1589  ldns_rr_clone(ldns_rr_list_rr(new_rrs, i)));
1590  }
1591 
1592  ldns_rr_list_deep_free(new_rrs);
1593  ldns_dnssec_zone_free(dnssec_zone);
1594 
1595  return signed_zone;
1596 }
1597 #endif /* HAVE_SSL */
1598 
1599 
ldns_rr_rdf
ldns_rdf * ldns_rr_rdf(const ldns_rr *rr, size_t nr)
returns the rdata field member counter.
Definition: rr.c:895
ldns_rr_rrsig_set_sig
bool ldns_rr_rrsig_set_sig(ldns_rr *r, ldns_rdf *f)
sets the signature data of a LDNS_RR_TYPE_RRSIG rr
Definition: rr_functions.c:213
ldns_native2rdf_int16
ldns_rdf * ldns_native2rdf_int16(ldns_rdf_type type, uint16_t value)
returns the rdf containing the native uint16_t representation.
Definition: rdata.c:132
ldns_struct_rr_list
List or Set of Resource Records.
Definition: rr.h:330
ldns_rr_class
enum ldns_enum_rr_class ldns_rr_class
Definition: rr.h:64
ldns_struct_dnssec_name::nsec
ldns_rr * nsec
NSEC pointing to the next name (or NSEC3 pointing to the next NSEC3)
Definition: dnssec_zone.h:67
ldns_rbtree_t
definition for tree struct
Definition: rbtree.h:83
ldns_rdf_size
size_t ldns_rdf_size(const ldns_rdf *rd)
returns the size of the rdf.
Definition: rdata.c:24
ldns_rr_rrsig_set_algorithm
bool ldns_rr_rrsig_set_algorithm(ldns_rr *r, ldns_rdf *f)
sets the algorithm of a LDNS_RR_TYPE_RRSIG rr
Definition: rr_functions.c:129
ldns_struct_dnssec_rrs::rr
ldns_rr * rr
Definition: dnssec_zone.h:24
ldns_struct_buffer
implementation of buffers to ease operations
Definition: buffer.h:50
LDNS_MAX_PACKETLEN
#define LDNS_MAX_PACKETLEN
Definition: packet.h:24
ldns_buffer_new
ldns_buffer * ldns_buffer_new(size_t capacity)
creates a new buffer with the specified capacity.
Definition: buffer.c:16
ldns_dnssec_zone_new
ldns_dnssec_zone * ldns_dnssec_zone_new(void)
Creates a new dnssec_zone structure.
Definition: dnssec_zone.c:569
ldns_rr_rrsig_set_signame
bool ldns_rr_rrsig_set_signame(ldns_rr *r, ldns_rdf *f)
sets the signers name of a LDNS_RR_TYPE_RRSIG rr
Definition: rr_functions.c:201
LDNS_RDF_TYPE_INT32
@ LDNS_RDF_TYPE_INT32
32 bits
Definition: rdata.h:56
ldns_key_evp_key
EVP_PKEY * ldns_key_evp_key(const ldns_key *k)
returns the (openssl) EVP struct contained in the key
Definition: keys.c:1541
ldns_key2rr
ldns_rr * ldns_key2rr(const ldns_key *k)
converts a ldns_key to a public key rr If the key data exists at an external point,...
Definition: keys.c:1816
ldns_native2rdf_int32
ldns_rdf * ldns_native2rdf_int32(ldns_rdf_type type, uint32_t value)
returns an rdf that contains the given int32 value.
Definition: rdata.c:147
ldns_dnssec_zone_sign
ldns_status ldns_dnssec_zone_sign(ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, ldns_key_list *key_list, int(*func)(ldns_rr *, void *), void *arg)
signs the given zone with the given keys
Definition: dnssec_sign.c:1344
ldns_rbtree_create
ldns_rbtree_t * ldns_rbtree_create(int(*cmpf)(const void *, const void *))
Create new tree (malloced) with given key compare function.
Definition: rbtree.c:80
HAVE_EVP_PKEY_BASE_ID
#define HAVE_EVP_PKEY_BASE_ID
Definition: config.h:93
ldns_zone_new
ldns_zone * ldns_zone_new(void)
create a new ldns_zone structure
Definition: zone.c:165
ldns_native2rdf_int8
ldns_rdf * ldns_native2rdf_int8(ldns_rdf_type type, uint8_t value)
returns the rdf containing the native uint8_t repr.
Definition: rdata.c:126
ldns_struct_rr
Resource Record.
Definition: rr.h:302
ldns_dnssec_zone_mark_and_get_glue
ldns_status ldns_dnssec_zone_mark_and_get_glue(ldns_dnssec_zone *zone, ldns_rr_list *glue_list)
Marks the names in the zone that are occluded.
Definition: dnssec_sign.c:671
ldns_convert_ed448_rrsig_asn12rdf
ldns_rdf * ldns_convert_ed448_rrsig_asn12rdf(const ldns_buffer *sig, long sig_len)
Converts the ECDSA signature from ASN1 representation (as used by OpenSSL) to raw signature data as u...
ldns_dnssec_zone_mark_glue
ldns_status ldns_dnssec_zone_mark_glue(ldns_dnssec_zone *zone)
Marks the names in the zone that are occluded.
Definition: dnssec_sign.c:760
ldns_dnssec_rrs_new
ldns_dnssec_rrs * ldns_dnssec_rrs_new(void)
Creates a new entry for 1 pointer to an rr and 1 pointer to the next rrs.
Definition: dnssec_zone.c:10
LDNS_SIGNATURE_REMOVE_NO_ADD
#define LDNS_SIGNATURE_REMOVE_NO_ADD
Definition: dnssec.h:50
LDNS_FREE
#define LDNS_FREE(ptr)
Definition: util.h:60
ldns_dnssec_zone_add_rr
ldns_status ldns_dnssec_zone_add_rr(ldns_dnssec_zone *zone, ldns_rr *rr)
Adds the given RR to the zone.
Definition: dnssec_zone.c:927
ldns_rr_rrsig_set_keytag
bool ldns_rr_rrsig_set_keytag(ldns_rr *r, ldns_rdf *f)
sets the keytag of a LDNS_RR_TYPE_RRSIG rr
Definition: rr_functions.c:189
LDNS_RDF_TYPE_INT16
@ LDNS_RDF_TYPE_INT16
16 bits
Definition: rdata.h:54
LDNS_STATUS_OK
@ LDNS_STATUS_OK
Definition: error.h:26
ldns_rrsig2buffer_wire
ldns_status ldns_rrsig2buffer_wire(ldns_buffer *buffer, const ldns_rr *rr)
Converts a rrsig to wireformat BUT EXCLUDE the rrsig rdata This is needed in DNSSEC verification.
Definition: host2wire.c:284
LDNS_STATUS_ERR
@ LDNS_STATUS_ERR
Definition: error.h:37
ldns_zone_push_rr
bool ldns_zone_push_rr(ldns_zone *z, ldns_rr *rr)
push an single rr to a zone structure.
Definition: zone.c:53
ldns_sign_public_rsamd5
ldns_rdf * ldns_sign_public_rsamd5(ldns_buffer *to_sign, RSA *key)
Sign a buffer with the RSA key (hash with MD5)
Definition: dnssec_sign.c:593
ldns_rr_pop_rdf
ldns_rdf * ldns_rr_pop_rdf(ldns_rr *rr)
removes a rd_field member, it will be popped from the last position.
Definition: rr.c:866
ldns_dnssec_chain_nsec3_list
ldns_status ldns_dnssec_chain_nsec3_list(ldns_rr_list *nsec3_rrs)
chains nsec3 list
Definition: dnssec.c:1622
LDNS_KEY_SEP_KEY
#define LDNS_KEY_SEP_KEY
Definition: keys.h:38
ldns_dnssec_rrs_add_rr
ldns_status ldns_dnssec_rrs_add_rr(ldns_dnssec_rrs *rrs, ldns_rr *rr)
Adds an RR to the list of RRs.
Definition: dnssec_zone.c:47
ldns_rr_list_push_rr
bool ldns_rr_list_push_rr(ldns_rr_list *rr_list, const ldns_rr *rr)
pushes an rr to an rrlist.
Definition: rr.c:1118
ldns_dname_label
ldns_rdf * ldns_dname_label(const ldns_rdf *rdf, uint8_t labelpos)
look inside the rdf and if it is an LDNS_RDF_TYPE_DNAME try and retrieve a specific label.
Definition: dname.c:560
ldns_dnssec_rrsets_contains_type
int ldns_dnssec_rrsets_contains_type(const ldns_dnssec_rrsets *rrsets, ldns_rr_type type)
returns whether a rrset of the given type is found in the rrsets.
Definition: dnssec.c:794
LDNS_KEY_ZONE_KEY
#define LDNS_KEY_ZONE_KEY
Definition: keys.h:37
ldns_struct_key_list
Same as rr_list, but now for keys.
Definition: keys.h:176
ldns_rr_set_ttl
void ldns_rr_set_ttl(ldns_rr *rr, uint32_t ttl)
sets the ttl in the rr structure.
Definition: rr.c:802
ldns_rr_set_class
void ldns_rr_set_class(ldns_rr *rr, ldns_rr_class rr_class)
sets the class in the rr.
Definition: rr.c:820
ldns_dnssec_zone_create_nsecs
ldns_status ldns_dnssec_zone_create_nsecs(ldns_dnssec_zone *zone, ldns_rr_list *new_rrs)
Adds NSEC records to the given dnssec_zone.
Definition: dnssec_sign.c:792
ldns_dnssec_zone_sign_nsec3_flg
ldns_status ldns_dnssec_zone_sign_nsec3_flg(ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, ldns_key_list *key_list, int(*func)(ldns_rr *, void *), void *arg, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt, int signflags)
signs the given zone with the given new zone, with NSEC3
Definition: dnssec_sign.c:1494
LDNS_SIGN_ECDSAP256SHA256
@ LDNS_SIGN_ECDSAP256SHA256
Definition: keys.h:99
LDNS_STATUS_NSEC3_DOMAINNAME_OVERFLOW
@ LDNS_STATUS_NSEC3_DOMAINNAME_OVERFLOW
Definition: error.h:131
ldns_rr_list_deep_free
void ldns_rr_list_deep_free(ldns_rr_list *rr_list)
frees an rr_list structure and all rrs contained therein.
Definition: rr.c:1006
ldns_struct_dnssec_rrs::next
ldns_dnssec_rrs * next
Definition: dnssec_zone.h:25
ldns_dname_is_wildcard
int ldns_dname_is_wildcard(const ldns_rdf *dname)
Check if dname is a wildcard, starts with *.
Definition: dname.c:456
ldns_key_flags
uint16_t ldns_key_flags(const ldns_key *k)
return the flag of the key
Definition: keys.c:1606
ldns_dnssec_zone_sign_flg
ldns_status ldns_dnssec_zone_sign_flg(ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, ldns_key_list *key_list, int(*func)(ldns_rr *, void *), void *arg, int flags)
signs the given zone with the given keys
Definition: dnssec_sign.c:1354
ldns_rr2canonical
void ldns_rr2canonical(ldns_rr *rr)
converts each dname in a rr to its canonical form.
Definition: rr.c:1766
ldns_rr_rrsig_keytag
ldns_rdf * ldns_rr_rrsig_keytag(const ldns_rr *r)
returns the keytag of a LDNS_RR_TYPE_RRSIG RR
Definition: rr_functions.c:183
dnssec_sign.h
ldns_dnssec_remove_signatures
ldns_dnssec_rrs * ldns_dnssec_remove_signatures(ldns_dnssec_rrs *signatures, ldns_key_list *key_list __attribute__((unused)), int(*func)(ldns_rr *, void *), void *arg)
Definition: dnssec_sign.c:1015
ldns_zone_rrs
ldns_rr_list * ldns_zone_rrs(const ldns_zone *z)
Get a list of a zone's content.
Definition: zone.c:35
ldns_rbnode_t::key
const void * key
pointer to sorting key
Definition: rbtree.h:68
ldns_sign_public_buffer
ldns_rdf * ldns_sign_public_buffer(ldns_buffer *sign_buf, ldns_key *current_key)
Sign the buffer which contains the wiredata of an rrset, and the corresponding empty rrsig rr with th...
Definition: dnssec_sign.c:120
ldns_set_bit
void ldns_set_bit(uint8_t *byte, int bit_nr, bool value)
Definition: util.c:72
ldns_dnssec_name_node_next_nonglue
ldns_rbnode_t * ldns_dnssec_name_node_next_nonglue(ldns_rbnode_t *node)
Finds the first dnssec_name node in the rbtree that is not occluded.
Definition: dnssec_sign.c:766
LDNS_RR_TYPE_NSEC3PARAM
@ LDNS_RR_TYPE_NSEC3PARAM
Definition: rr.h:180
ldns_key_use
bool ldns_key_use(const ldns_key *k)
return the use flag
Definition: keys.c:1530
ldns_rr_get_class
ldns_rr_class ldns_rr_get_class(const ldns_rr *rr)
returns the class of the rr.
Definition: rr.c:935
ldns_rr_free
void ldns_rr_free(ldns_rr *rr)
frees an RR structure
Definition: rr.c:75
LDNS_SIGN_ECC_GOST
@ LDNS_SIGN_ECC_GOST
Definition: keys.h:98
ldns_struct_dnssec_name::rrsets
ldns_dnssec_rrsets * rrsets
The rrsets for this name.
Definition: dnssec_zone.h:63
LDNS_SIGN_RSASHA1
@ LDNS_SIGN_RSASHA1
Definition: keys.h:92
ldns_struct_dnssec_name::nsec_signatures
ldns_dnssec_rrs * nsec_signatures
signatures for the NSEC record
Definition: dnssec_zone.h:71
ldns_struct_dnssec_name::name
ldns_rdf * name
pointer to a dname containing the name.
Definition: dnssec_zone.h:51
ldns_dnssec_zone_create_rrsigs
ldns_status ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, ldns_key_list *key_list, int(*func)(ldns_rr *, void *), void *arg)
Adds signatures to the zone.
Definition: dnssec_sign.c:1106
ldns_sign_public_dsa
ldns_rdf * ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key)
Sign data with DSA.
Definition: dnssec_sign.c:332
ldns_zone_set_soa
void ldns_zone_set_soa(ldns_zone *z, ldns_rr *soa)
Set the zone's soa record.
Definition: zone.c:29
ldns_rdf_new_frm_data
ldns_rdf * ldns_rdf_new_frm_data(ldns_rdf_type type, size_t size, const void *data)
allocates a new rdf structure and fills it.
Definition: rdata.c:193
ldns_key_set_use
void ldns_key_set_use(ldns_key *k, bool v)
Definition: keys.c:1522
ldns_struct_dnssec_name
Definition: dnssec_zone.h:45
ldns_convert_ed25519_rrsig_asn12rdf
ldns_rdf * ldns_convert_ed25519_rrsig_asn12rdf(const ldns_buffer *sig, long sig_len)
Converts the ECDSA signature from ASN1 representation (as used by OpenSSL) to raw signature data as u...
Definition: dnssec.c:1964
LDNS_RR_TYPE_DS
@ LDNS_RR_TYPE_DS
RFC4034, RFC3658.
Definition: rr.h:167
ldns_struct_dnssec_zone
Structure containing a dnssec zone.
Definition: dnssec_zone.h:91
ldns_rdf_free
void ldns_rdf_free(ldns_rdf *rd)
frees a rdf structure, leaving the data pointer intact.
Definition: rdata.c:241
ldns_struct_dnssec_rrsets::signatures
ldns_dnssec_rrs * signatures
Definition: dnssec_zone.h:36
ldns_dnssec_zone_free
void ldns_dnssec_zone_free(ldns_dnssec_zone *zone)
Frees the given zone structure, and its rbtree of dnssec_names Individual ldns_rr RRs within those na...
Definition: dnssec_zone.c:796
ldns_nsec3_add_param_rdfs
void ldns_nsec3_add_param_rdfs(ldns_rr *rr, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, const uint8_t *salt)
Sets all the NSEC3 options.
Definition: dnssec.c:1100
LDNS_SIGN_RSASHA512
@ LDNS_SIGN_RSASHA512
Definition: keys.h:96
LDNS_RR_TYPE_NS
@ LDNS_RR_TYPE_NS
an authoritative name server
Definition: rr.h:85
ldns_key_list_set_use
void ldns_key_list_set_use(ldns_key_list *keys, bool v)
Definition: keys.c:1637
ldns_rr_list_clone
ldns_rr_list * ldns_rr_list_clone(const ldns_rr_list *rrlist)
clones an rrlist.
Definition: rr.c:1416
ldns_rr_list2buffer_wire
ldns_status ldns_rr_list2buffer_wire(ldns_buffer *buffer, const ldns_rr_list *rr_list)
Copies the rr_list data to the buffer in wire format.
Definition: host2wire.c:146
ldns_dnssec_name_name
ldns_rdf * ldns_dnssec_name_name(const ldns_dnssec_name *name)
Returns the domain name of the given dnssec_name structure.
Definition: dnssec_zone.c:394
ldns_buffer_free
void ldns_buffer_free(ldns_buffer *buffer)
frees the buffer.
Definition: buffer.c:137
ldns_struct_dnssec_name::hashed_name
ldns_rdf * hashed_name
pointer to store the hashed name (only used when in an NSEC3 zone
Definition: dnssec_zone.h:85
LDNS_RR_TYPE_SOA
@ LDNS_RR_TYPE_SOA
marks the start of a zone of authority
Definition: rr.h:93
ldns_rr_clone
ldns_rr * ldns_rr_clone(const ldns_rr *rr)
clones a rr and all its data
Definition: rr.c:1385
ldns_struct_key
General key structure, can contain all types of keys that are used in DNSSEC.
Definition: keys.h:126
ldns_dname_is_subdomain
bool ldns_dname_is_subdomain(const ldns_rdf *sub, const ldns_rdf *parent)
test wether the name sub falls under parent (i.e.
Definition: dname.c:296
ldns_dnssec_zone_create_nsec3s
ldns_status ldns_dnssec_zone_create_nsec3s(ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt)
Adds NSEC3 records to the zone.
Definition: dnssec_sign.c:1000
ldns_key_list_key_count
size_t ldns_key_list_key_count(const ldns_key_list *key_list)
returns the number of keys in the key list
Definition: keys.c:1500
ldns_rdf_deep_free
void ldns_rdf_deep_free(ldns_rdf *rd)
frees a rdf structure and frees the data.
Definition: rdata.c:230
ldns_dname2canonical
void ldns_dname2canonical(const ldns_rdf *rd)
Put a dname into canonical fmt - ie.
Definition: dname.c:280
ldns_rdf_clone
ldns_rdf * ldns_rdf_clone(const ldns_rdf *rd)
clones a rdf structure.
Definition: rdata.c:222
LDNS_MALLOC
#define LDNS_MALLOC(type)
Memory management macros.
Definition: util.h:49
ldns_rdf2native_int32
uint32_t ldns_rdf2native_int32(const ldns_rdf *rd)
returns the native uint32_t representation from the rdf.
Definition: rdata.c:98
LDNS_RR_TYPE_DNAME
@ LDNS_RR_TYPE_DNAME
RFC2672.
Definition: rr.h:159
ldns_rr_new_frm_type
ldns_rr * ldns_rr_new_frm_type(ldns_rr_type t)
creates a new rr structure, based on the given type.
Definition: rr.c:42
ldns_key_expiration
uint32_t ldns_key_expiration(const ldns_key *k)
return the key's expiration date
Definition: keys.c:1618
ldns_rr_set_owner
void ldns_rr_set_owner(ldns_rr *rr, ldns_rdf *owner)
sets the owner in the rr structure.
Definition: rr.c:790
ldns_dnssec_zone_add_empty_nonterminals
ldns_status ldns_dnssec_zone_add_empty_nonterminals(ldns_dnssec_zone *zone)
Adds explicit dnssec_name structures for the empty nonterminals in this zone.
Definition: dnssec_zone.c:1168
ldns_rr_list_sort
void ldns_rr_list_sort(ldns_rr_list *unsorted)
sorts an rr_list (canonical wire format).
Definition: rr.c:1501
ldns_rr_rrsig_set_typecovered
bool ldns_rr_rrsig_set_typecovered(ldns_rr *r, ldns_rdf *f)
sets the typecovered of a LDNS_RR_TYPE_RRSIG rr
Definition: rr_functions.c:117
ldns_traverse_postorder
void ldns_traverse_postorder(ldns_rbtree_t *tree, void(*func)(ldns_rbnode_t *, void *), void *arg)
Call function for all elements in the redblack tree, such that leaf elements are called before parent...
Definition: rbtree.c:666
ldns_rr_rrsig_set_origttl
bool ldns_rr_rrsig_set_origttl(ldns_rr *r, ldns_rdf *f)
sets the original TTL of a LDNS_RR_TYPE_RRSIG rr
Definition: rr_functions.c:153
ldns_dnssec_zone_create_rrsigs_flg
ldns_status ldns_dnssec_zone_create_rrsigs_flg(ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, ldns_key_list *key_list, int(*func)(ldns_rr *, void *), void *arg, int flags)
Adds signatures to the zone.
Definition: dnssec_sign.c:1201
ldns_status
enum ldns_enum_status ldns_status
Definition: error.h:134
ATTR_UNUSED
#define ATTR_UNUSED(x)
Definition: common.h:69
ldns_struct_dnssec_rrsets
Definition: dnssec_zone.h:32
ldns_sign_public
ldns_rr_list * ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys)
use this function to sign with a public/private key alg return the created signatures
Definition: dnssec_sign.c:219
LDNS_RDF_TYPE_B64
@ LDNS_RDF_TYPE_B64
b64 string
Definition: rdata.h:68
LDNS_XMALLOC
#define LDNS_XMALLOC(type, count)
Definition: util.h:51
ldns_struct_dnssec_zone::names
ldns_rbtree_t * names
tree of ldns_dnssec_names
Definition: dnssec_zone.h:95
dnssec.h
ldns_zone_soa
ldns_rr * ldns_zone_soa(const ldns_zone *z)
Return the soa record of a zone.
Definition: zone.c:17
LDNS_SIGN_DSA
@ LDNS_SIGN_DSA
Definition: keys.h:93
config.h
ldns_convert_ecdsa_rrsig_asn1len2rdf
ldns_rdf * ldns_convert_ecdsa_rrsig_asn1len2rdf(const ldns_buffer *sig, const long sig_len, int num_bytes)
Converts the ECDSA signature from ASN1 representation (as used by OpenSSL) to raw signature data as u...
Definition: dnssec.c:1857
ldns_struct_dnssec_name::is_glue
signed char is_glue
Unlike what the name is_glue suggests, this field is set to true by ldns_dnssec_zone_mark_glue() or l...
Definition: dnssec_zone.h:81
ldns_struct_rdf
Resource record data field.
Definition: rdata.h:174
ldns_struct_dnssec_rrsets::type
ldns_rr_type type
Definition: dnssec_zone.h:35
ldns_sign_public_evp
ldns_rdf * ldns_sign_public_evp(ldns_buffer *to_sign, EVP_PKEY *key, const EVP_MD *digest_type)
Sign data with EVP (general method for different algorithms)
Definition: dnssec_sign.c:440
ldns_rdf2native_int16
uint16_t ldns_rdf2native_int16(const ldns_rdf *rd)
returns the native uint16_t representation from the rdf.
Definition: rdata.c:84
ldns_rr_ttl
uint32_t ldns_rr_ttl(const ldns_rr *rr)
returns the ttl of an rr structure.
Definition: rr.c:917
LDNS_RDF_TYPE_INT8
@ LDNS_RDF_TYPE_INT8
8 bits
Definition: rdata.h:52
ldns_rr_list_type
ldns_rr_type ldns_rr_list_type(const ldns_rr_list *rr_list)
Returns the type of the first element of the RR If there are no elements present, 0 is returned.
Definition: rr.c:2704
ldns_key_pubkey_owner
ldns_rdf * ldns_key_pubkey_owner(const ldns_key *k)
return the public key's owner
Definition: keys.c:1630
ldns_rdf_data
uint8_t * ldns_rdf_data(const ldns_rdf *rd)
returns the data of the rdf.
Definition: rdata.c:38
ldns_dnssec_name_add_rr
ldns_status ldns_dnssec_name_add_rr(ldns_dnssec_name *name, ldns_rr *rr)
Inserts the given rr at the right place in the current dnssec_name No checking is done whether the na...
Definition: dnssec_zone.c:448
ldns_key_keytag
uint16_t ldns_key_keytag(const ldns_key *k)
return the keytag
Definition: keys.c:1624
ldns_create_empty_rrsig
ldns_rr * ldns_create_empty_rrsig(const ldns_rr_list *rrset, const ldns_key *current_key)
Create an empty RRSIG RR (i.e.
Definition: dnssec_sign.c:23
ldns_dnssec_zone_sign_nsec3_flg_mkmap
ldns_status ldns_dnssec_zone_sign_nsec3_flg_mkmap(ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, ldns_key_list *key_list, int(*func)(ldns_rr *, void *), void *arg, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt, int signflags, ldns_rbtree_t **map)
signs the given zone with the given new zone, with NSEC3
Definition: dnssec_sign.c:1409
LDNS_SIGNATURE_LEAVE_NO_ADD
#define LDNS_SIGNATURE_LEAVE_NO_ADD
Definition: dnssec.h:48
ldns.h
ldns_struct_zone
DNS Zone.
Definition: zone.h:42
ldns_dname_label_count
uint8_t ldns_dname_label_count(const ldns_rdf *r)
count the number of labels inside a LDNS_RDF_DNAME type rdf.
Definition: dname.c:214
ldns_struct_dnssec_zone::hashed_names
ldns_rbtree_t * hashed_names
tree of ldns_dnssec_names by nsec3 hashes (when applicible)
Definition: dnssec_zone.h:97
LDNS_DEFAULT_TTL
#define LDNS_DEFAULT_TTL
Definition: ldns.h:135
LDNS_SIGNATURE_REMOVE_ADD_NEW
#define LDNS_SIGNATURE_REMOVE_ADD_NEW
Definition: dnssec.h:49
ldns_rbtree_t::root
ldns_rbnode_t * root
The root of the red-black tree.
Definition: rbtree.h:85
ldns_rr_list_new
ldns_rr_list * ldns_rr_list_new(void)
creates a new rr_list structure.
Definition: rr.c:986
ldns_struct_dnssec_rrsets::next
ldns_dnssec_rrsets * next
Definition: dnssec_zone.h:37
LDNS_RR_TYPE_RRSIG
@ LDNS_RR_TYPE_RRSIG
DNSSEC.
Definition: rr.h:173
LDNS_RR_TYPE_A
@ LDNS_RR_TYPE_A
a host address
Definition: rr.h:83
ldns_dnssec_default_replace_signatures
int ldns_dnssec_default_replace_signatures(ldns_rr *sig __attribute__((unused)), void *n __attribute__((unused)))
Definition: dnssec.c:1725
ldns_key_list_key
ldns_key * ldns_key_list_key(const ldns_key_list *key, size_t nr)
returns a pointer to the key in the list at the given position
Definition: keys.c:1506
ldns_zone_sign_nsec3
ldns_zone * ldns_zone_sign_nsec3(ldns_zone *zone, ldns_key_list *key_list, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt)
Signs the zone with NSEC3, and returns a newly allocated signed zone.
Definition: dnssec_sign.c:1553
ldns_rr_rrsig_set_inception
bool ldns_rr_rrsig_set_inception(ldns_rr *r, ldns_rdf *f)
sets the inception date of a LDNS_RR_TYPE_RRSIG rr
Definition: rr_functions.c:177
ldns_rbnode_t::data
const void * data
pointer to data
Definition: rbtree.h:70
ldns_dnssec_zone_find_rrset
ldns_dnssec_rrsets * ldns_dnssec_zone_find_rrset(const ldns_dnssec_zone *zone, const ldns_rdf *dname, ldns_rr_type type)
Find the RRset with the given name and type in the zone.
Definition: dnssec_zone.c:508
LDNS_DEFAULT_EXP_TIME
#define LDNS_DEFAULT_EXP_TIME
Definition: dnssec.h:44
LDNS_SIGN_DSA_NSEC3
@ LDNS_SIGN_DSA_NSEC3
Definition: keys.h:97
ldns_dname_compare_v
int ldns_dname_compare_v(const void *a, const void *b)
Given in dnssec_zone.c, also used in dnssec_sign.c:w.
Definition: dnssec_zone.c:827
ldns_sign_public_rsasha1
ldns_rdf * ldns_sign_public_rsasha1(ldns_buffer *to_sign, RSA *key)
Sign a buffer with the RSA key (hash with SHA1)
Definition: dnssec_sign.c:557
ldns_dnssec_name_find_rrset
ldns_dnssec_rrsets * ldns_dnssec_name_find_rrset(const ldns_dnssec_name *name, ldns_rr_type type)
Find the RRset with the given type in within this name structure.
Definition: dnssec_zone.c:492
ldns_rr_list_rr
ldns_rr * ldns_rr_list_rr(const ldns_rr_list *rr_list, size_t nr)
returns a specific rr of an rrlist.
Definition: rr.c:976
LDNS_STATUS_MEM_ERR
@ LDNS_STATUS_MEM_ERR
Definition: error.h:34
LDNS_RR_TYPE_DNSKEY
@ LDNS_RR_TYPE_DNSKEY
Definition: rr.h:175
LDNS_RBTREE_NULL
#define LDNS_RBTREE_NULL
The nullpointer, points to empty node.
Definition: rbtree.h:76
ldns_rr_list_free
void ldns_rr_list_free(ldns_rr_list *rr_list)
frees an rr_list structure.
Definition: rr.c:997
LDNS_RR_TYPE_NSEC
@ LDNS_RR_TYPE_NSEC
Definition: rr.h:174
LDNS_SIGN_RSASHA256
@ LDNS_SIGN_RSASHA256
Definition: keys.h:95
LDNS_SIGN_RSAMD5
@ LDNS_SIGN_RSAMD5
Definition: keys.h:91
LDNS_SIGN_WITH_ALL_ALGORITHMS
#define LDNS_SIGN_WITH_ALL_ALGORITHMS
Definition: dnssec_sign.h:16
LDNS_STATUS_NULL
@ LDNS_STATUS_NULL
Definition: error.h:51
ldns_rbtree_insert
ldns_rbnode_t * ldns_rbtree_insert(ldns_rbtree_t *rbtree, ldns_rbnode_t *data)
Insert data into the tree.
Definition: rbtree.c:242
ldns_signing_algorithm
enum ldns_enum_signing_algorithm ldns_signing_algorithm
Definition: keys.h:114
ldns_struct_dnssec_rrsets::rrs
ldns_dnssec_rrs * rrs
Definition: dnssec_zone.h:34
LDNS_RDF_TYPE_TYPE
@ LDNS_RDF_TYPE_TYPE
a RR type
Definition: rdata.h:74
ldns_rr_rrsig_set_labels
bool ldns_rr_rrsig_set_labels(ldns_rr *r, ldns_rdf *f)
sets the number of labels of a LDNS_RR_TYPE_RRSIG rr
Definition: rr_functions.c:141
R
#define R(b, x)
Definition: sha2.c:191
LDNS_SIGN_RSASHA1_NSEC3
@ LDNS_SIGN_RSASHA1_NSEC3
Definition: keys.h:94
ldns_rbnode_t
The rbnode_t struct definition.
Definition: rbtree.h:60
ldns_zone_sign
ldns_zone * ldns_zone_sign(const ldns_zone *zone, ldns_key_list *key_list)
Signs the zone, and returns a newly allocated signed zone.
Definition: dnssec_sign.c:1512
ldns_rr_owner
ldns_rdf * ldns_rr_owner(const ldns_rr *rr)
returns the owner name of an rr structure.
Definition: rr.c:905
ldns_key_inception
uint32_t ldns_key_inception(const ldns_key *k)
return the key's inception date
Definition: keys.c:1612
LDNS_SIGN_DNSKEY_WITH_ZSK
#define LDNS_SIGN_DNSKEY_WITH_ZSK
dnssec_verify
Definition: dnssec_sign.h:15
ldns_struct_dnssec_zone::soa
ldns_dnssec_name * soa
points to the name containing the SOA RR
Definition: dnssec_zone.h:93
ldns_convert_dsa_rrsig_asn12rdf
ldns_rdf * ldns_convert_dsa_rrsig_asn12rdf(const ldns_buffer *sig, const long sig_len)
Converts the DSA signature from ASN1 representation (RFC2459, as used by OpenSSL) to raw signature da...
Definition: dnssec.c:1734
LDNS_RDF_TYPE_TIME
@ LDNS_RDF_TYPE_TIME
time (32 bits)
Definition: rdata.h:84
LDNS_RR_TYPE_NSEC3
@ LDNS_RR_TYPE_NSEC3
Definition: rr.h:179
ldns_dnssec_create_nsec
ldns_rr * ldns_dnssec_create_nsec(const ldns_dnssec_name *from, const ldns_dnssec_name *to, ldns_rr_type nsec_type)
Creates NSEC.
Definition: dnssec.c:808
LDNS_SIGNATURE_LEAVE_ADD_NEW
#define LDNS_SIGNATURE_LEAVE_ADD_NEW
return values for the old-signature callback
Definition: dnssec.h:47
ldns_rbtree_next
ldns_rbnode_t * ldns_rbtree_next(ldns_rbnode_t *node)
Returns next larger node in the tree.
Definition: rbtree.c:574
ldns_rr_rrsig_set_expiration
bool ldns_rr_rrsig_set_expiration(ldns_rr *r, ldns_rdf *f)
sets the expireation date of a LDNS_RR_TYPE_RRSIG rr
Definition: rr_functions.c:165
ldns_dnssec_create_nsec3
ldns_rr * ldns_dnssec_create_nsec3(const ldns_dnssec_name *from, const ldns_dnssec_name *to, const ldns_rdf *zone_name, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, const uint8_t *salt)
Creates NSEC3.
Definition: dnssec.c:862
LDNS_RR_TYPE_AAAA
@ LDNS_RR_TYPE_AAAA
ipv6 address
Definition: rr.h:137
ldns_key_algorithm
ldns_signing_algorithm ldns_key_algorithm(const ldns_key *k)
return the signing alg of the key
Definition: keys.c:1516
ldns_struct_dnssec_rrs
Definition: dnssec_zone.h:22
LDNS_SIGN_ECDSAP384SHA384
@ LDNS_SIGN_ECDSAP384SHA384
Definition: keys.h:100
ldns_rbtree_first
ldns_rbnode_t * ldns_rbtree_first(const ldns_rbtree_t *rbtree)
Returns first (smallest) node in the tree.
Definition: rbtree.c:548
LDNS_RDF_TYPE_ALG
@ LDNS_RDF_TYPE_ALG
a key algorithm
Definition: rdata.h:80
ldns_dnssec_zone_sign_nsec3
ldns_status ldns_dnssec_zone_sign_nsec3(ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, ldns_key_list *key_list, int(*func)(ldns_rr *, void *), void *arg, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt)
signs the given zone with the given new zone, with NSEC3
Definition: dnssec_sign.c:1392
ldns_rr_get_type
ldns_rr_type ldns_rr_get_type(const ldns_rr *rr)
returns the type of the rr.
Definition: rr.c:929
ldns_rr_list_rr_count
size_t ldns_rr_list_rr_count(const ldns_rr_list *rr_list)
returns the number of rr's in an rr_list.
Definition: rr.c:943
Generated on Mon Apr 13 2020 01:12:45 for ldns by   doxygen 1.8.17