1 #include <ldns/config.h> 2 3 #include <ldns/ldns.h> 4 #include <ldns/internal.h> 5 6 #include <ldns/dnssec.h> 7 #include <ldns/dnssec_sign.h> 8 9 #include <strings.h> 10 #include <time.h> 11 12 #ifdef HAVE_SSL 13 /* this entire file is rather useless when you don't have 14 * crypto... 15 */ 16 #include <openssl/ssl.h> 17 #include <openssl/evp.h> 18 #include <openssl/rand.h> 19 #include <openssl/err.h> 20 #include <openssl/md5.h> 21 #include <openssl/bn.h> 22 #include <openssl/rsa.h> 23 #ifdef USE_DSA 24 #include <openssl/dsa.h> 25 #endif 26 #endif /* HAVE_SSL */ 27 28 #define LDNS_SIGN_WITH_ZONEMD ( LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA384 \ 29 | LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA512 ) 30 31 ldns_rr * 32 ldns_create_empty_rrsig(const ldns_rr_list *rrset, 33 const ldns_key *current_key) 34 { 35 uint32_t orig_ttl; 36 ldns_rr_class orig_class; 37 time_t now; 38 ldns_rr *current_sig; 39 uint8_t label_count; 40 ldns_rdf *signame; 41 42 label_count = ldns_dname_label_count(ldns_rr_owner(ldns_rr_list_rr(rrset, 43 0))); 44 /* RFC4035 2.2: not counting the leftmost label if it is a wildcard */ 45 if(ldns_dname_is_wildcard(ldns_rr_owner(ldns_rr_list_rr(rrset, 0)))) 46 label_count --; 47 48 current_sig = ldns_rr_new_frm_type(LDNS_RR_TYPE_RRSIG); 49 50 /* set the type on the new signature */ 51 orig_ttl = ldns_rr_ttl(ldns_rr_list_rr(rrset, 0)); 52 orig_class = ldns_rr_get_class(ldns_rr_list_rr(rrset, 0)); 53 54 ldns_rr_set_ttl(current_sig, orig_ttl); 55 ldns_rr_set_class(current_sig, orig_class); 56 ldns_rr_set_owner(current_sig, 57 ldns_rdf_clone( 58 ldns_rr_owner( 59 ldns_rr_list_rr(rrset, 60 0)))); 61 62 /* fill in what we know of the signature */ 63 64 /* set the orig_ttl */ 65 (void)ldns_rr_rrsig_set_origttl( 66 current_sig, 67 ldns_native2rdf_int32(LDNS_RDF_TYPE_INT32, 68 orig_ttl)); 69 /* the signers name */ 70 signame = ldns_rdf_clone(ldns_key_pubkey_owner(current_key)); 71 ldns_dname2canonical(signame); 72 (void)ldns_rr_rrsig_set_signame( 73 current_sig, 74 signame); 75 /* label count - get it from the first rr in the rr_list */ 76 (void)ldns_rr_rrsig_set_labels( 77 current_sig, 78 ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8, 79 label_count)); 80 /* inception, expiration */ 81 now = time(NULL); 82 if (ldns_key_inception(current_key) != 0) { 83 (void)ldns_rr_rrsig_set_inception( 84 current_sig, 85 ldns_native2rdf_int32( 86 LDNS_RDF_TYPE_TIME, 87 ldns_key_inception(current_key))); 88 } else { 89 (void)ldns_rr_rrsig_set_inception( 90 current_sig, 91 ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME, now)); 92 } 93 if (ldns_key_expiration(current_key) != 0) { 94 (void)ldns_rr_rrsig_set_expiration( 95 current_sig, 96 ldns_native2rdf_int32( 97 LDNS_RDF_TYPE_TIME, 98 ldns_key_expiration(current_key))); 99 } else { 100 (void)ldns_rr_rrsig_set_expiration( 101 current_sig, 102 ldns_native2rdf_int32( 103 LDNS_RDF_TYPE_TIME, 104 now + LDNS_DEFAULT_EXP_TIME)); 105 } 106 107 (void)ldns_rr_rrsig_set_keytag( 108 current_sig, 109 ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16, 110 ldns_key_keytag(current_key))); 111 112 (void)ldns_rr_rrsig_set_algorithm( 113 current_sig, 114 ldns_native2rdf_int8( 115 LDNS_RDF_TYPE_ALG, 116 ldns_key_algorithm(current_key))); 117 118 (void)ldns_rr_rrsig_set_typecovered( 119 current_sig, 120 ldns_native2rdf_int16( 121 LDNS_RDF_TYPE_TYPE, 122 ldns_rr_get_type(ldns_rr_list_rr(rrset, 123 0)))); 124 return current_sig; 125 } 126 127 #ifdef HAVE_SSL 128 ldns_rdf * 129 ldns_sign_public_buffer(ldns_buffer *sign_buf, ldns_key *current_key) 130 { 131 ldns_rdf *b64rdf = NULL; 132 133 switch(ldns_key_algorithm(current_key)) { 134 #ifdef USE_DSA 135 case LDNS_SIGN_DSA: 136 case LDNS_SIGN_DSA_NSEC3: 137 b64rdf = ldns_sign_public_evp( 138 sign_buf, 139 ldns_key_evp_key(current_key), 140 # ifdef HAVE_EVP_DSS1 141 EVP_dss1() 142 # else 143 EVP_sha1() 144 # endif 145 ); 146 break; 147 #endif /* USE_DSA */ 148 case LDNS_SIGN_RSASHA1: 149 case LDNS_SIGN_RSASHA1_NSEC3: 150 b64rdf = ldns_sign_public_evp( 151 sign_buf, 152 ldns_key_evp_key(current_key), 153 EVP_sha1()); 154 break; 155 #ifdef USE_SHA2 156 case LDNS_SIGN_RSASHA256: 157 b64rdf = ldns_sign_public_evp( 158 sign_buf, 159 ldns_key_evp_key(current_key), 160 EVP_sha256()); 161 break; 162 case LDNS_SIGN_RSASHA512: 163 b64rdf = ldns_sign_public_evp( 164 sign_buf, 165 ldns_key_evp_key(current_key), 166 EVP_sha512()); 167 break; 168 #endif /* USE_SHA2 */ 169 #ifdef USE_GOST 170 case LDNS_SIGN_ECC_GOST: 171 b64rdf = ldns_sign_public_evp( 172 sign_buf, 173 ldns_key_evp_key(current_key), 174 EVP_get_digestbyname("md_gost94")); 175 break; 176 #endif /* USE_GOST */ 177 #ifdef USE_ECDSA 178 case LDNS_SIGN_ECDSAP256SHA256: 179 b64rdf = ldns_sign_public_evp( 180 sign_buf, 181 ldns_key_evp_key(current_key), 182 EVP_sha256()); 183 break; 184 case LDNS_SIGN_ECDSAP384SHA384: 185 b64rdf = ldns_sign_public_evp( 186 sign_buf, 187 ldns_key_evp_key(current_key), 188 EVP_sha384()); 189 break; 190 #endif 191 #ifdef USE_ED25519 192 case LDNS_SIGN_ED25519: 193 b64rdf = ldns_sign_public_evp( 194 sign_buf, 195 ldns_key_evp_key(current_key), 196 NULL); 197 break; 198 #endif 199 #ifdef USE_ED448 200 case LDNS_SIGN_ED448: 201 b64rdf = ldns_sign_public_evp( 202 sign_buf, 203 ldns_key_evp_key(current_key), 204 NULL); 205 break; 206 #endif 207 case LDNS_SIGN_RSAMD5: 208 b64rdf = ldns_sign_public_evp( 209 sign_buf, 210 ldns_key_evp_key(current_key), 211 EVP_md5()); 212 break; 213 default: 214 /* do _you_ know this alg? */ 215 printf("unknown algorithm, "); 216 printf("is the one used available on this system?\n"); 217 break; 218 } 219 220 return b64rdf; 221 } 222 223 /** 224 * use this function to sign with a public/private key alg 225 * return the created signatures 226 */ 227 ldns_rr_list * 228 ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys) 229 { 230 ldns_rr_list *signatures; 231 ldns_rr_list *rrset_clone; 232 ldns_rr *current_sig; 233 ldns_rdf *b64rdf; 234 ldns_key *current_key; 235 size_t key_count; 236 uint16_t i; 237 ldns_buffer *sign_buf; 238 ldns_rdf *new_owner; 239 240 if (!rrset || ldns_rr_list_rr_count(rrset) < 1 || !keys) { 241 return NULL; 242 } 243 244 new_owner = NULL; 245 246 /* prepare a signature and add all the know data 247 * prepare the rrset. Sign this together. */ 248 rrset_clone = ldns_rr_list_clone(rrset); 249 if (!rrset_clone) { 250 return NULL; 251 } 252 253 /* make it canonical */ 254 for(i = 0; i < ldns_rr_list_rr_count(rrset_clone); i++) { 255 ldns_rr_set_ttl(ldns_rr_list_rr(rrset_clone, i), 256 ldns_rr_ttl(ldns_rr_list_rr(rrset, 0))); 257 ldns_rr2canonical(ldns_rr_list_rr(rrset_clone, i)); 258 } 259 /* sort */ 260 ldns_rr_list_sort(rrset_clone); 261 262 signatures = ldns_rr_list_new(); 263 264 for (key_count = 0; 265 key_count < ldns_key_list_key_count(keys); 266 key_count++) { 267 if (!ldns_key_use(ldns_key_list_key(keys, key_count))) { 268 continue; 269 } 270 sign_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN); 271 if (!sign_buf) { 272 ldns_rr_list_free(rrset_clone); 273 ldns_rr_list_free(signatures); 274 ldns_rdf_free(new_owner); 275 return NULL; 276 } 277 b64rdf = NULL; 278 279 current_key = ldns_key_list_key(keys, key_count); 280 /* sign all RRs with keys that have ZSKbit, !SEPbit. 281 sign DNSKEY RRs with keys that have ZSKbit&SEPbit */ 282 if (ldns_key_flags(current_key) & LDNS_KEY_ZONE_KEY) { 283 current_sig = ldns_create_empty_rrsig(rrset_clone, 284 current_key); 285 286 /* right now, we have: a key, a semi-sig and an rrset. For 287 * which we can create the sig and base64 encode that and 288 * add that to the signature */ 289 290 if (ldns_rrsig2buffer_wire(sign_buf, current_sig) 291 != LDNS_STATUS_OK) { 292 ldns_buffer_free(sign_buf); 293 /* ERROR */ 294 ldns_rr_list_deep_free(rrset_clone); 295 ldns_rr_free(current_sig); 296 ldns_rr_list_deep_free(signatures); 297 return NULL; 298 } 299 300 /* add the rrset in sign_buf */ 301 if (ldns_rr_list2buffer_wire(sign_buf, rrset_clone) 302 != LDNS_STATUS_OK) { 303 ldns_buffer_free(sign_buf); 304 ldns_rr_list_deep_free(rrset_clone); 305 ldns_rr_free(current_sig); 306 ldns_rr_list_deep_free(signatures); 307 return NULL; 308 } 309 310 b64rdf = ldns_sign_public_buffer(sign_buf, current_key); 311 312 if (!b64rdf) { 313 /* signing went wrong */ 314 ldns_rr_list_deep_free(rrset_clone); 315 ldns_rr_free(current_sig); 316 ldns_rr_list_deep_free(signatures); 317 return NULL; 318 } 319 320 ldns_rr_rrsig_set_sig(current_sig, b64rdf); 321 322 /* push the signature to the signatures list */ 323 ldns_rr_list_push_rr(signatures, current_sig); 324 } 325 ldns_buffer_free(sign_buf); /* restart for the next key */ 326 } 327 ldns_rr_list_deep_free(rrset_clone); 328 329 return signatures; 330 } 331 332 ldns_rdf * 333 ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key) 334 { 335 #ifdef USE_DSA 336 unsigned char *sha1_hash; 337 ldns_rdf *sigdata_rdf; 338 ldns_buffer *b64sig; 339 340 DSA_SIG *sig; 341 const BIGNUM *R, *S; 342 uint8_t *data; 343 size_t pad; 344 345 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN); 346 if (!b64sig) { 347 return NULL; 348 } 349 350 sha1_hash = SHA1((unsigned char*)ldns_buffer_begin(to_sign), 351 ldns_buffer_position(to_sign), NULL); 352 if (!sha1_hash) { 353 ldns_buffer_free(b64sig); 354 return NULL; 355 } 356 357 sig = DSA_do_sign(sha1_hash, SHA_DIGEST_LENGTH, key); 358 if(!sig) { 359 ldns_buffer_free(b64sig); 360 return NULL; 361 } 362 363 data = LDNS_XMALLOC(uint8_t, 1 + 2 * SHA_DIGEST_LENGTH); 364 if(!data) { 365 ldns_buffer_free(b64sig); 366 DSA_SIG_free(sig); 367 return NULL; 368 } 369 370 data[0] = 1; 371 # ifdef HAVE_DSA_SIG_GET0 372 DSA_SIG_get0(sig, &R, &S); 373 # else 374 R = sig->r; 375 S = sig->s; 376 # endif 377 pad = 20 - (size_t) BN_num_bytes(R); 378 if (pad > 0) { 379 memset(data + 1, 0, pad); 380 } 381 BN_bn2bin(R, (unsigned char *) (data + 1) + pad); 382 383 pad = 20 - (size_t) BN_num_bytes(S); 384 if (pad > 0) { 385 memset(data + 1 + SHA_DIGEST_LENGTH, 0, pad); 386 } 387 BN_bn2bin(S, (unsigned char *) (data + 1 + SHA_DIGEST_LENGTH + pad)); 388 389 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, 390 1 + 2 * SHA_DIGEST_LENGTH, 391 data); 392 393 ldns_buffer_free(b64sig); 394 LDNS_FREE(data); 395 DSA_SIG_free(sig); 396 397 return sigdata_rdf; 398 #else 399 (void)to_sign; (void)key; 400 return NULL; 401 #endif 402 } 403 404 #ifdef USE_ECDSA 405 #ifndef S_SPLINT_S 406 /** returns the number of bytes per signature-component (i.e. bits/8), or 0. */ 407 static int 408 ldns_pkey_is_ecdsa(EVP_PKEY* pkey) 409 { 410 EC_KEY* ec; 411 const EC_GROUP* g; 412 #ifdef HAVE_EVP_PKEY_GET_BASE_ID 413 if(EVP_PKEY_get_base_id(pkey) != EVP_PKEY_EC) 414 return 0; 415 #elif defined(HAVE_EVP_PKEY_BASE_ID) 416 if(EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) 417 return 0; 418 #else 419 if(EVP_PKEY_type(pkey->type) != EVP_PKEY_EC) 420 return 0; 421 #endif 422 ec = EVP_PKEY_get1_EC_KEY(pkey); 423 g = EC_KEY_get0_group(ec); 424 if(!g) { 425 EC_KEY_free(ec); 426 return 0; 427 } 428 if(EC_GROUP_get_curve_name(g) == NID_X9_62_prime256v1) { 429 EC_KEY_free(ec); 430 return 32; /* 256/8 */ 431 } 432 if(EC_GROUP_get_curve_name(g) == NID_secp384r1) { 433 EC_KEY_free(ec); 434 return 48; /* 384/8 */ 435 } 436 /* downref the eckey, the original is still inside the pkey */ 437 EC_KEY_free(ec); 438 return 0; 439 } 440 #endif /* splint */ 441 #endif /* USE_ECDSA */ 442 443 ldns_rdf * 444 ldns_sign_public_evp(ldns_buffer *to_sign, 445 EVP_PKEY *key, 446 const EVP_MD *digest_type) 447 { 448 unsigned int siglen; 449 ldns_rdf *sigdata_rdf = NULL; 450 ldns_buffer *b64sig; 451 EVP_MD_CTX *ctx; 452 const EVP_MD *md_type; 453 int r; 454 455 siglen = 0; 456 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN); 457 if (!b64sig) { 458 return NULL; 459 } 460 461 /* initializes a signing context */ 462 md_type = digest_type; 463 #ifdef USE_ED25519 464 if(EVP_PKEY_id(key) == NID_ED25519) { 465 /* digest must be NULL for ED25519 sign and verify */ 466 md_type = NULL; 467 } else 468 #endif 469 #ifdef USE_ED448 470 if(EVP_PKEY_id(key) == NID_ED448) { 471 md_type = NULL; 472 } else 473 #endif 474 if(!md_type) { 475 /* unknown message digest */ 476 ldns_buffer_free(b64sig); 477 return NULL; 478 } 479 480 #ifdef HAVE_EVP_MD_CTX_NEW 481 ctx = EVP_MD_CTX_new(); 482 #else 483 ctx = (EVP_MD_CTX*)malloc(sizeof(*ctx)); 484 if(ctx) EVP_MD_CTX_init(ctx); 485 #endif 486 if(!ctx) { 487 ldns_buffer_free(b64sig); 488 return NULL; 489 } 490 491 #if defined(USE_ED25519) || defined(USE_ED448) 492 if(md_type == NULL) { 493 /* for these methods we must use the one-shot DigestSign */ 494 r = EVP_DigestSignInit(ctx, NULL, md_type, NULL, key); 495 if(r == 1) { 496 size_t siglen_sizet = ldns_buffer_capacity(b64sig); 497 r = EVP_DigestSign(ctx, 498 (unsigned char*)ldns_buffer_begin(b64sig), 499 &siglen_sizet, 500 (unsigned char*)ldns_buffer_begin(to_sign), 501 ldns_buffer_position(to_sign)); 502 siglen = (unsigned int)siglen_sizet; 503 } 504 } else { 505 #else 506 r = 0; 507 if(md_type != NULL) { 508 #endif 509 r = EVP_SignInit(ctx, md_type); 510 if(r == 1) { 511 r = EVP_SignUpdate(ctx, (unsigned char*) 512 ldns_buffer_begin(to_sign), 513 ldns_buffer_position(to_sign)); 514 } 515 if(r == 1) { 516 r = EVP_SignFinal(ctx, (unsigned char*) 517 ldns_buffer_begin(b64sig), &siglen, key); 518 } 519 } 520 if(r != 1) { 521 ldns_buffer_free(b64sig); 522 EVP_MD_CTX_destroy(ctx); 523 return NULL; 524 } 525 526 /* OpenSSL output is different, convert it */ 527 r = 0; 528 #ifdef USE_DSA 529 #ifndef S_SPLINT_S 530 /* unfortunately, OpenSSL output is different from DNS DSA format */ 531 # ifdef HAVE_EVP_PKEY_GET_BASE_ID 532 if (EVP_PKEY_get_base_id(key) == EVP_PKEY_DSA) { 533 # elif defined(HAVE_EVP_PKEY_BASE_ID) 534 if (EVP_PKEY_base_id(key) == EVP_PKEY_DSA) { 535 # else 536 if (EVP_PKEY_type(key->type) == EVP_PKEY_DSA) { 537 # endif 538 r = 1; 539 sigdata_rdf = ldns_convert_dsa_rrsig_asn12rdf(b64sig, siglen); 540 } 541 #endif 542 #endif 543 #if defined(USE_ECDSA) 544 if( 545 # ifdef HAVE_EVP_PKEY_GET_BASE_ID 546 EVP_PKEY_get_base_id(key) 547 # elif defined(HAVE_EVP_PKEY_BASE_ID) 548 EVP_PKEY_base_id(key) 549 # else 550 EVP_PKEY_type(key->type) 551 # endif 552 == EVP_PKEY_EC) { 553 # ifdef USE_ECDSA 554 if(ldns_pkey_is_ecdsa(key)) { 555 r = 1; 556 sigdata_rdf = ldns_convert_ecdsa_rrsig_asn1len2rdf( 557 b64sig, (long)siglen, ldns_pkey_is_ecdsa(key)); 558 } 559 # endif /* USE_ECDSA */ 560 } 561 #endif /* PKEY_EC */ 562 if(r == 0) { 563 /* ok output for other types is the same */ 564 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen, 565 ldns_buffer_begin(b64sig)); 566 } 567 ldns_buffer_free(b64sig); 568 EVP_MD_CTX_destroy(ctx); 569 return sigdata_rdf; 570 } 571 572 ldns_rdf * 573 ldns_sign_public_rsasha1(ldns_buffer *to_sign, RSA *key) 574 { 575 unsigned char *sha1_hash; 576 unsigned int siglen; 577 ldns_rdf *sigdata_rdf; 578 ldns_buffer *b64sig; 579 int result; 580 581 siglen = 0; 582 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN); 583 if (!b64sig) { 584 return NULL; 585 } 586 587 sha1_hash = SHA1((unsigned char*)ldns_buffer_begin(to_sign), 588 ldns_buffer_position(to_sign), NULL); 589 if (!sha1_hash) { 590 ldns_buffer_free(b64sig); 591 return NULL; 592 } 593 594 result = RSA_sign(NID_sha1, sha1_hash, SHA_DIGEST_LENGTH, 595 (unsigned char*)ldns_buffer_begin(b64sig), 596 &siglen, key); 597 if (result != 1) { 598 ldns_buffer_free(b64sig); 599 return NULL; 600 } 601 602 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen, 603 ldns_buffer_begin(b64sig)); 604 ldns_buffer_free(b64sig); /* can't free this buffer ?? */ 605 return sigdata_rdf; 606 } 607 608 ldns_rdf * 609 ldns_sign_public_rsamd5(ldns_buffer *to_sign, RSA *key) 610 { 611 unsigned char *md5_hash; 612 unsigned int siglen; 613 ldns_rdf *sigdata_rdf; 614 ldns_buffer *b64sig; 615 616 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN); 617 if (!b64sig) { 618 return NULL; 619 } 620 621 md5_hash = MD5((unsigned char*)ldns_buffer_begin(to_sign), 622 ldns_buffer_position(to_sign), NULL); 623 if (!md5_hash) { 624 ldns_buffer_free(b64sig); 625 return NULL; 626 } 627 628 RSA_sign(NID_md5, md5_hash, MD5_DIGEST_LENGTH, 629 (unsigned char*)ldns_buffer_begin(b64sig), 630 &siglen, key); 631 632 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen, 633 ldns_buffer_begin(b64sig)); 634 ldns_buffer_free(b64sig); 635 return sigdata_rdf; 636 } 637 #endif /* HAVE_SSL */ 638 639 /** 640 * Pushes all rrs from the rrsets of type A and AAAA on gluelist. 641 */ 642 static ldns_status 643 ldns_dnssec_addresses_on_glue_list( 644 ldns_dnssec_rrsets *cur_rrset, 645 ldns_rr_list *glue_list) 646 { 647 ldns_dnssec_rrs *cur_rrs; 648 while (cur_rrset) { 649 if (cur_rrset->type == LDNS_RR_TYPE_A 650 || cur_rrset->type == LDNS_RR_TYPE_AAAA) { 651 for (cur_rrs = cur_rrset->rrs; 652 cur_rrs; 653 cur_rrs = cur_rrs->next) { 654 if (cur_rrs->rr) { 655 if (!ldns_rr_list_push_rr(glue_list, 656 cur_rrs->rr)) { 657 return LDNS_STATUS_MEM_ERR; 658 /* ldns_rr_list_push_rr() 659 * returns false when unable 660 * to increase the capacity 661 * of the ldns_rr_list 662 */ 663 } 664 } 665 } 666 } 667 cur_rrset = cur_rrset->next; 668 } 669 return LDNS_STATUS_OK; 670 } 671 672 ldns_status 673 ldns_dnssec_zone_mark_and_get_glue(ldns_dnssec_zone *zone, 674 ldns_rr_list *glue_list) 675 { 676 ldns_rbnode_t *node; 677 ldns_dnssec_name *name; 678 ldns_rdf *owner; 679 ldns_rdf *cut = NULL; /* keeps track of zone cuts */ 680 /* When the cut is caused by a delegation, below_delegation will be 1. 681 * When caused by a DNAME, below_delegation will be 0. 682 */ 683 int below_delegation = -1; /* init suppresses compiler warning */ 684 ldns_status s; 685 686 if (!zone || !zone->names) { 687 return LDNS_STATUS_NULL; 688 } 689 for (node = ldns_rbtree_first(zone->names); 690 node != LDNS_RBTREE_NULL; 691 node = ldns_rbtree_next(node)) { 692 name = (ldns_dnssec_name *) node->data; 693 owner = ldns_dnssec_name_name(name); 694 695 if (cut) { 696 /* The previous node was a zone cut, or a subdomain 697 * below a zone cut. Is this node (still) a subdomain 698 * below the cut? Then the name is occluded. Unless 699 * the name contains a SOA, after which we are 700 * authoritative again. 701 * 702 * FIXME! If there are labels in between the SOA and 703 * the cut, going from the authoritative space (below 704 * the SOA) up into occluded space again, will not be 705 * detected with the construct below! 706 */ 707 if (ldns_dname_is_subdomain(owner, cut) && 708 !ldns_dnssec_rrsets_contains_type( 709 name->rrsets, LDNS_RR_TYPE_SOA)) { 710 711 if (below_delegation && glue_list) { 712 s = ldns_dnssec_addresses_on_glue_list( 713 name->rrsets, glue_list); 714 if (s != LDNS_STATUS_OK) { 715 return s; 716 } 717 } 718 name->is_glue = true; /* Mark occluded name! */ 719 continue; 720 } else { 721 cut = NULL; 722 } 723 } 724 725 /* The node is not below a zone cut. Is it a zone cut itself? 726 * Everything below a SOA is authoritative of course; Except 727 * when the name also contains a DNAME :). 728 */ 729 if (ldns_dnssec_rrsets_contains_type( 730 name->rrsets, LDNS_RR_TYPE_NS) 731 && !ldns_dnssec_rrsets_contains_type( 732 name->rrsets, LDNS_RR_TYPE_SOA)) { 733 cut = owner; 734 below_delegation = 1; 735 if (glue_list) { /* record glue on the zone cut */ 736 s = ldns_dnssec_addresses_on_glue_list( 737 name->rrsets, glue_list); 738 if (s != LDNS_STATUS_OK) { 739 return s; 740 } 741 } 742 } else if (ldns_dnssec_rrsets_contains_type( 743 name->rrsets, LDNS_RR_TYPE_DNAME)) { 744 cut = owner; 745 below_delegation = 0; 746 } 747 } 748 return LDNS_STATUS_OK; 749 } 750 751 ldns_status 752 ldns_dnssec_zone_mark_glue(ldns_dnssec_zone *zone) 753 { 754 return ldns_dnssec_zone_mark_and_get_glue(zone, NULL); 755 } 756 757 ldns_rbnode_t * 758 ldns_dnssec_name_node_next_nonglue(ldns_rbnode_t *node) 759 { 760 ldns_rbnode_t *next_node = NULL; 761 ldns_dnssec_name *next_name = NULL; 762 bool done = false; 763 764 if (node == LDNS_RBTREE_NULL) { 765 return NULL; 766 } 767 next_node = node; 768 while (!done) { 769 if (next_node == LDNS_RBTREE_NULL) { 770 return NULL; 771 } else { 772 next_name = (ldns_dnssec_name *)next_node->data; 773 if (!next_name->is_glue) { 774 done = true; 775 } else { 776 next_node = ldns_rbtree_next(next_node); 777 } 778 } 779 } 780 return next_node; 781 } 782 783 ldns_status 784 ldns_dnssec_zone_create_nsecs(ldns_dnssec_zone *zone, 785 ldns_rr_list *new_rrs) 786 { 787 788 ldns_rbnode_t *first_node, *cur_node, *next_node; 789 ldns_dnssec_name *cur_name, *next_name; 790 ldns_rr *nsec_rr; 791 uint32_t nsec_ttl; 792 ldns_dnssec_rrsets *soa; 793 794 /* The TTL value for any NSEC RR SHOULD be the same TTL value as the 795 * lesser of the MINIMUM field of the SOA record and the TTL of the SOA 796 * itself. This matches the definition of the TTL for negative 797 * responses in [RFC2308]. (draft-ietf-dnsop-nsec-ttl-01 update of 798 * RFC4035 Section 2.3) 799 */ 800 soa = ldns_dnssec_name_find_rrset(zone->soa, LDNS_RR_TYPE_SOA); 801 802 /* did the caller actually set it? if not, 803 * fall back to default ttl 804 */ 805 if (soa && soa->rrs && soa->rrs->rr) { 806 ldns_rr *soa_rr = soa->rrs->rr; 807 ldns_rdf *min_rdf = ldns_rr_rdf(soa_rr, 6); 808 809 nsec_ttl = min_rdf == NULL 810 || ldns_rr_ttl(soa_rr) < ldns_rdf2native_int32(min_rdf) 811 ? ldns_rr_ttl(soa_rr) : ldns_rdf2native_int32(min_rdf); 812 } else { 813 nsec_ttl = LDNS_DEFAULT_TTL; 814 } 815 816 first_node = ldns_dnssec_name_node_next_nonglue( 817 ldns_rbtree_first(zone->names)); 818 cur_node = first_node; 819 if (cur_node) { 820 next_node = ldns_dnssec_name_node_next_nonglue( 821 ldns_rbtree_next(cur_node)); 822 } else { 823 next_node = NULL; 824 } 825 826 while (cur_node && next_node) { 827 cur_name = (ldns_dnssec_name *)cur_node->data; 828 next_name = (ldns_dnssec_name *)next_node->data; 829 nsec_rr = ldns_dnssec_create_nsec(cur_name, 830 next_name, 831 LDNS_RR_TYPE_NSEC); 832 ldns_rr_set_ttl(nsec_rr, nsec_ttl); 833 if(ldns_dnssec_name_add_rr(cur_name, nsec_rr)!=LDNS_STATUS_OK){ 834 ldns_rr_free(nsec_rr); 835 return LDNS_STATUS_ERR; 836 } 837 ldns_rr_list_push_rr(new_rrs, nsec_rr); 838 cur_node = next_node; 839 if (cur_node) { 840 next_node = ldns_dnssec_name_node_next_nonglue( 841 ldns_rbtree_next(cur_node)); 842 } 843 } 844 845 if (cur_node && !next_node) { 846 cur_name = (ldns_dnssec_name *)cur_node->data; 847 next_name = (ldns_dnssec_name *)first_node->data; 848 nsec_rr = ldns_dnssec_create_nsec(cur_name, 849 next_name, 850 LDNS_RR_TYPE_NSEC); 851 ldns_rr_set_ttl(nsec_rr, nsec_ttl); 852 if(ldns_dnssec_name_add_rr(cur_name, nsec_rr)!=LDNS_STATUS_OK){ 853 ldns_rr_free(nsec_rr); 854 return LDNS_STATUS_ERR; 855 } 856 ldns_rr_list_push_rr(new_rrs, nsec_rr); 857 } else { 858 printf("error\n"); 859 } 860 861 return LDNS_STATUS_OK; 862 } 863 864 #ifdef HAVE_SSL 865 static void 866 ldns_hashed_names_node_free(ldns_rbnode_t *node, void *arg) { 867 (void) arg; 868 LDNS_FREE(node); 869 } 870 871 static ldns_status 872 ldns_dnssec_zone_create_nsec3s_mkmap(ldns_dnssec_zone *zone, 873 ldns_rr_list *new_rrs, 874 uint8_t algorithm, 875 uint8_t flags, 876 uint16_t iterations, 877 uint8_t salt_length, 878 uint8_t *salt, 879 ldns_rbtree_t **map) 880 { 881 ldns_rbnode_t *first_name_node; 882 ldns_rbnode_t *current_name_node; 883 ldns_dnssec_name *current_name; 884 ldns_status result = LDNS_STATUS_OK; 885 ldns_rr *nsec_rr; 886 ldns_rr_list *nsec3_list; 887 uint32_t nsec_ttl; 888 ldns_dnssec_rrsets *soa; 889 ldns_rbnode_t *hashmap_node; 890 891 if (!zone || !new_rrs || !zone->names) { 892 return LDNS_STATUS_ERR; 893 } 894 895 /* The TTL value for any NSEC RR SHOULD be the same TTL value as the 896 * lesser of the MINIMUM field of the SOA record and the TTL of the SOA 897 * itself. This matches the definition of the TTL for negative 898 * responses in [RFC2308]. (draft-ietf-dnsop-nsec-ttl-01 update of 899 * RFC4035 Section 2.3) 900 */ 901 soa = ldns_dnssec_name_find_rrset(zone->soa, LDNS_RR_TYPE_SOA); 902 903 /* did the caller actually set it? if not, 904 * fall back to default ttl 905 */ 906 if (soa && soa->rrs && soa->rrs->rr) { 907 ldns_rr *soa_rr = soa->rrs->rr; 908 ldns_rdf *min_rdf = ldns_rr_rdf(soa_rr, 6); 909 910 nsec_ttl = min_rdf == NULL 911 || ldns_rr_ttl(soa_rr) < ldns_rdf2native_int32(min_rdf) 912 ? ldns_rr_ttl(soa_rr) : ldns_rdf2native_int32(min_rdf); 913 } else { 914 nsec_ttl = LDNS_DEFAULT_TTL; 915 } 916 917 if (ldns_rdf_size(zone->soa->name) > 222) { 918 return LDNS_STATUS_NSEC3_DOMAINNAME_OVERFLOW; 919 } 920 921 if (zone->hashed_names) { 922 ldns_traverse_postorder(zone->hashed_names, 923 ldns_hashed_names_node_free, NULL); 924 LDNS_FREE(zone->hashed_names); 925 } 926 zone->hashed_names = ldns_rbtree_create(ldns_dname_compare_v); 927 if (zone->hashed_names && map) { 928 *map = zone->hashed_names; 929 } 930 931 first_name_node = ldns_dnssec_name_node_next_nonglue( 932 ldns_rbtree_first(zone->names)); 933 934 current_name_node = first_name_node; 935 936 while (current_name_node && current_name_node != LDNS_RBTREE_NULL && 937 result == LDNS_STATUS_OK) { 938 939 current_name = (ldns_dnssec_name *) current_name_node->data; 940 nsec_rr = ldns_dnssec_create_nsec3(current_name, 941 NULL, 942 zone->soa->name, 943 algorithm, 944 flags, 945 iterations, 946 salt_length, 947 salt); 948 /* by default, our nsec based generator adds rrsigs 949 * remove the bitmap for empty nonterminals */ 950 if (!current_name->rrsets) { 951 ldns_rdf_deep_free(ldns_rr_pop_rdf(nsec_rr)); 952 } 953 ldns_rr_set_ttl(nsec_rr, nsec_ttl); 954 result = ldns_dnssec_name_add_rr(current_name, nsec_rr); 955 ldns_rr_list_push_rr(new_rrs, nsec_rr); 956 if (ldns_rr_owner(nsec_rr)) { 957 hashmap_node = LDNS_MALLOC(ldns_rbnode_t); 958 if (hashmap_node == NULL) { 959 return LDNS_STATUS_MEM_ERR; 960 } 961 current_name->hashed_name = 962 ldns_dname_label(ldns_rr_owner(nsec_rr), 0); 963 964 if (current_name->hashed_name == NULL) { 965 LDNS_FREE(hashmap_node); 966 return LDNS_STATUS_MEM_ERR; 967 } 968 hashmap_node->key = current_name->hashed_name; 969 hashmap_node->data = current_name; 970 971 if (! ldns_rbtree_insert(zone->hashed_names 972 , hashmap_node)) { 973 LDNS_FREE(hashmap_node); 974 } 975 } 976 current_name_node = ldns_dnssec_name_node_next_nonglue( 977 ldns_rbtree_next(current_name_node)); 978 } 979 if (result != LDNS_STATUS_OK) { 980 return result; 981 } 982 983 /* Make sorted list of nsec3s (via zone->hashed_names) 984 */ 985 nsec3_list = ldns_rr_list_new(); 986 if (nsec3_list == NULL) { 987 return LDNS_STATUS_MEM_ERR; 988 } 989 for ( hashmap_node = ldns_rbtree_first(zone->hashed_names) 990 ; hashmap_node != LDNS_RBTREE_NULL 991 ; hashmap_node = ldns_rbtree_next(hashmap_node) 992 ) { 993 nsec_rr = ((ldns_dnssec_name *) hashmap_node->data)->nsec; 994 if (nsec_rr) { 995 ldns_rr_list_push_rr(nsec3_list, nsec_rr); 996 } 997 } 998 result = ldns_dnssec_chain_nsec3_list(nsec3_list); 999 ldns_rr_list_free(nsec3_list); 1000 1001 return result; 1002 } 1003 1004 ldns_status 1005 ldns_dnssec_zone_create_nsec3s(ldns_dnssec_zone *zone, 1006 ldns_rr_list *new_rrs, 1007 uint8_t algorithm, 1008 uint8_t flags, 1009 uint16_t iterations, 1010 uint8_t salt_length, 1011 uint8_t *salt) 1012 { 1013 return ldns_dnssec_zone_create_nsec3s_mkmap(zone, new_rrs, algorithm, 1014 flags, iterations, salt_length, salt, NULL); 1015 1016 } 1017 #endif /* HAVE_SSL */ 1018 1019 ldns_dnssec_rrs * 1020 ldns_dnssec_remove_signatures( ldns_dnssec_rrs *signatures 1021 , ATTR_UNUSED(ldns_key_list *key_list) 1022 , int (*func)(ldns_rr *, void *) 1023 , void *arg 1024 ) 1025 { 1026 ldns_dnssec_rrs *base_rrs = signatures; 1027 ldns_dnssec_rrs *cur_rr = base_rrs; 1028 ldns_dnssec_rrs *prev_rr = NULL; 1029 ldns_dnssec_rrs *next_rr; 1030 1031 uint16_t keytag; 1032 size_t i; 1033 1034 if (!cur_rr) { 1035 switch(func(NULL, arg)) { 1036 case LDNS_SIGNATURE_LEAVE_ADD_NEW: 1037 case LDNS_SIGNATURE_REMOVE_ADD_NEW: 1038 break; 1039 case LDNS_SIGNATURE_LEAVE_NO_ADD: 1040 case LDNS_SIGNATURE_REMOVE_NO_ADD: 1041 ldns_key_list_set_use(key_list, false); 1042 break; 1043 default: 1044 #ifdef STDERR_MSGS 1045 fprintf(stderr, "[XX] unknown return value from callback\n"); 1046 #endif 1047 break; 1048 } 1049 return NULL; 1050 } 1051 (void)func(cur_rr->rr, arg); 1052 1053 while (cur_rr) { 1054 next_rr = cur_rr->next; 1055 1056 switch (func(cur_rr->rr, arg)) { 1057 case LDNS_SIGNATURE_LEAVE_ADD_NEW: 1058 prev_rr = cur_rr; 1059 break; 1060 case LDNS_SIGNATURE_LEAVE_NO_ADD: 1061 keytag = ldns_rdf2native_int16( 1062 ldns_rr_rrsig_keytag(cur_rr->rr)); 1063 for (i = 0; i < ldns_key_list_key_count(key_list); i++) { 1064 if (ldns_key_keytag(ldns_key_list_key(key_list, i)) == 1065 keytag) { 1066 ldns_key_set_use(ldns_key_list_key(key_list, i), 1067 false); 1068 } 1069 } 1070 prev_rr = cur_rr; 1071 break; 1072 case LDNS_SIGNATURE_REMOVE_NO_ADD: 1073 keytag = ldns_rdf2native_int16( 1074 ldns_rr_rrsig_keytag(cur_rr->rr)); 1075 for (i = 0; i < ldns_key_list_key_count(key_list); i++) { 1076 if (ldns_key_keytag(ldns_key_list_key(key_list, i)) 1077 == keytag) { 1078 ldns_key_set_use(ldns_key_list_key(key_list, i), 1079 false); 1080 } 1081 } 1082 if (prev_rr) { 1083 prev_rr->next = next_rr; 1084 } else { 1085 base_rrs = next_rr; 1086 } 1087 LDNS_FREE(cur_rr); 1088 break; 1089 case LDNS_SIGNATURE_REMOVE_ADD_NEW: 1090 if (prev_rr) { 1091 prev_rr->next = next_rr; 1092 } else { 1093 base_rrs = next_rr; 1094 } 1095 LDNS_FREE(cur_rr); 1096 break; 1097 default: 1098 #ifdef STDERR_MSGS 1099 fprintf(stderr, "[XX] unknown return value from callback\n"); 1100 #endif 1101 break; 1102 } 1103 cur_rr = next_rr; 1104 } 1105 1106 return base_rrs; 1107 } 1108 1109 #ifdef HAVE_SSL 1110 ldns_status 1111 ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone *zone, 1112 ldns_rr_list *new_rrs, 1113 ldns_key_list *key_list, 1114 int (*func)(ldns_rr *, void*), 1115 void *arg) 1116 { 1117 return ldns_dnssec_zone_create_rrsigs_flg(zone, new_rrs, key_list, 1118 func, arg, 0); 1119 } 1120 1121 /** If there are KSKs use only them and mark ZSKs unused */ 1122 static void 1123 ldns_key_list_filter_for_dnskey(ldns_key_list *key_list, int flags) 1124 { 1125 bool algos[256] 1126 #ifndef S_SPLINT_S 1127 = { false } 1128 #endif 1129 ; 1130 ldns_signing_algorithm saw_ksk = 0; 1131 ldns_key *key; 1132 size_t i; 1133 1134 if (!ldns_key_list_key_count(key_list)) 1135 return; 1136 1137 /* Mark all KSKs */ 1138 for (i = 0; i < ldns_key_list_key_count(key_list); i++) { 1139 key = ldns_key_list_key(key_list, i); 1140 if ((ldns_key_flags(key) & LDNS_KEY_SEP_KEY)) { 1141 if (!saw_ksk) 1142 saw_ksk = ldns_key_algorithm(key); 1143 algos[ldns_key_algorithm(key)] = true; 1144 } 1145 } 1146 if (!saw_ksk) 1147 return; /* No KSKs means sign using all ZSKs */ 1148 1149 /* Deselect the ZSKs so they do not sign DNSKEY RRs. 1150 * Except with the LDNS_SIGN_WITH_ALL_ALGORITHMS flag, then use it, 1151 * but only if it has an algorithm for which there is no KSK 1152 */ 1153 for (i =0; i < ldns_key_list_key_count(key_list); i++) { 1154 key = ldns_key_list_key(key_list, i); 1155 if (!(ldns_key_flags(key) & LDNS_KEY_SEP_KEY)) { 1156 /* We have a ZSK. 1157 * Still use it if it has a unique algorithm though! 1158 */ 1159 if ((flags & LDNS_SIGN_WITH_ALL_ALGORITHMS) && 1160 !algos[ldns_key_algorithm(key)]) 1161 algos[ldns_key_algorithm(key)] = true; 1162 else 1163 ldns_key_set_use(key, 0); 1164 } 1165 } 1166 } 1167 1168 /** If there are no ZSKs use KSKs as ZSK too */ 1169 static void 1170 ldns_key_list_filter_for_non_dnskey(ldns_key_list *key_list, int flags) 1171 { 1172 bool algos[256] 1173 #ifndef S_SPLINT_S 1174 = { false } 1175 #endif 1176 ; 1177 ldns_signing_algorithm saw_zsk = 0; 1178 ldns_key *key; 1179 size_t i; 1180 1181 if (!ldns_key_list_key_count(key_list)) 1182 return; 1183 1184 /* Mark all ZSKs */ 1185 for (i = 0; i < ldns_key_list_key_count(key_list); i++) { 1186 key = ldns_key_list_key(key_list, i); 1187 if (!(ldns_key_flags(key) & LDNS_KEY_SEP_KEY)) { 1188 if (!saw_zsk) 1189 saw_zsk = ldns_key_algorithm(key); 1190 algos[ldns_key_algorithm(key)] = true; 1191 } 1192 } 1193 if (!saw_zsk) 1194 return; /* No ZSKs means sign using all KSKs */ 1195 1196 /* Deselect the KSKs so they do not sign non DNSKEY RRs. 1197 * Except with the LDNS_SIGN_WITH_ALL_ALGORITHMS flag, then use it, 1198 * but only if it has an algorithm for which there is no ZSK 1199 */ 1200 for (i = 0; i < ldns_key_list_key_count(key_list); i++) { 1201 key = ldns_key_list_key(key_list, i); 1202 if((ldns_key_flags(key) & LDNS_KEY_SEP_KEY)) { 1203 /* We have a KSK. 1204 * Still use it if it has a unique algorithm though! 1205 */ 1206 if ((flags & LDNS_SIGN_WITH_ALL_ALGORITHMS) && 1207 !algos[ldns_key_algorithm(key)]) 1208 algos[ldns_key_algorithm(key)] = true; 1209 else 1210 ldns_key_set_use(key, 0); 1211 } 1212 } 1213 } 1214 1215 ldns_status 1216 ldns_dnssec_zone_create_rrsigs_flg( ldns_dnssec_zone *zone 1217 , ldns_rr_list *new_rrs 1218 , ldns_key_list *key_list 1219 , int (*func)(ldns_rr *, void*) 1220 , void *arg 1221 , int flags 1222 ) 1223 { 1224 ldns_status result = LDNS_STATUS_OK; 1225 1226 ldns_rbnode_t *cur_node; 1227 ldns_rr_list *rr_list; 1228 1229 ldns_dnssec_name *cur_name; 1230 ldns_dnssec_rrsets *cur_rrset; 1231 ldns_dnssec_rrs *cur_rr; 1232 1233 ldns_rr_list *siglist; 1234 1235 size_t i; 1236 1237 int on_delegation_point = 0; /* handle partially occluded names */ 1238 1239 ldns_rr_list *pubkey_list = ldns_rr_list_new(); 1240 for (i = 0; i<ldns_key_list_key_count(key_list); i++) { 1241 ldns_rr_list_push_rr( pubkey_list 1242 , ldns_key2rr(ldns_key_list_key( 1243 key_list, i)) 1244 ); 1245 } 1246 /* TODO: callback to see is list should be signed */ 1247 /* TODO: remove 'old' signatures from signature list */ 1248 cur_node = ldns_rbtree_first(zone->names); 1249 while (cur_node != LDNS_RBTREE_NULL) { 1250 cur_name = (ldns_dnssec_name *) cur_node->data; 1251 1252 if (!cur_name->is_glue) { 1253 on_delegation_point = ldns_dnssec_rrsets_contains_type( 1254 cur_name->rrsets, LDNS_RR_TYPE_NS) 1255 && !ldns_dnssec_rrsets_contains_type( 1256 cur_name->rrsets, LDNS_RR_TYPE_SOA); 1257 cur_rrset = cur_name->rrsets; 1258 while (cur_rrset) { 1259 /* reset keys to use */ 1260 ldns_key_list_set_use(key_list, true); 1261 1262 /* walk through old sigs, remove the old, 1263 and mark which keys (not) to use) */ 1264 cur_rrset->signatures = 1265 ldns_dnssec_remove_signatures(cur_rrset->signatures, 1266 key_list, 1267 func, 1268 arg); 1269 if(cur_rrset->type == LDNS_RR_TYPE_DNSKEY || 1270 cur_rrset->type == LDNS_RR_TYPE_CDNSKEY || 1271 cur_rrset->type == LDNS_RR_TYPE_CDS) { 1272 if(!(flags&LDNS_SIGN_DNSKEY_WITH_ZSK)) { 1273 ldns_key_list_filter_for_dnskey(key_list, flags); 1274 } 1275 } else { 1276 ldns_key_list_filter_for_non_dnskey(key_list, flags); 1277 } 1278 1279 /* TODO: just set count to zero? */ 1280 rr_list = ldns_rr_list_new(); 1281 1282 cur_rr = cur_rrset->rrs; 1283 while (cur_rr) { 1284 ldns_rr_list_push_rr(rr_list, cur_rr->rr); 1285 cur_rr = cur_rr->next; 1286 } 1287 1288 /* only sign non-delegation RRsets */ 1289 /* (glue should have been marked earlier, 1290 * except on the delegation points itself) */ 1291 if (!on_delegation_point || 1292 ldns_rr_list_type(rr_list) 1293 == LDNS_RR_TYPE_DS || 1294 ldns_rr_list_type(rr_list) 1295 == LDNS_RR_TYPE_NSEC || 1296 ldns_rr_list_type(rr_list) 1297 == LDNS_RR_TYPE_NSEC3) { 1298 siglist = ldns_sign_public(rr_list, key_list); 1299 for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) { 1300 if (cur_rrset->signatures) { 1301 result = ldns_dnssec_rrs_add_rr(cur_rrset->signatures, 1302 ldns_rr_list_rr(siglist, 1303 i)); 1304 } else { 1305 cur_rrset->signatures = ldns_dnssec_rrs_new(); 1306 cur_rrset->signatures->rr = 1307 ldns_rr_list_rr(siglist, i); 1308 } 1309 if (new_rrs) { 1310 ldns_rr_list_push_rr(new_rrs, 1311 ldns_rr_list_rr(siglist, 1312 i)); 1313 } 1314 } 1315 ldns_rr_list_free(siglist); 1316 } 1317 1318 ldns_rr_list_free(rr_list); 1319 1320 cur_rrset = cur_rrset->next; 1321 } 1322 1323 /* sign the nsec */ 1324 ldns_key_list_set_use(key_list, true); 1325 cur_name->nsec_signatures = 1326 ldns_dnssec_remove_signatures(cur_name->nsec_signatures, 1327 key_list, 1328 func, 1329 arg); 1330 ldns_key_list_filter_for_non_dnskey(key_list, flags); 1331 1332 rr_list = ldns_rr_list_new(); 1333 ldns_rr_list_push_rr(rr_list, cur_name->nsec); 1334 siglist = ldns_sign_public(rr_list, key_list); 1335 1336 for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) { 1337 if (cur_name->nsec_signatures) { 1338 result = ldns_dnssec_rrs_add_rr(cur_name->nsec_signatures, 1339 ldns_rr_list_rr(siglist, i)); 1340 } else { 1341 cur_name->nsec_signatures = ldns_dnssec_rrs_new(); 1342 cur_name->nsec_signatures->rr = 1343 ldns_rr_list_rr(siglist, i); 1344 } 1345 if (new_rrs) { 1346 ldns_rr_list_push_rr(new_rrs, 1347 ldns_rr_list_rr(siglist, i)); 1348 } 1349 } 1350 1351 ldns_rr_list_free(siglist); 1352 ldns_rr_list_free(rr_list); 1353 } 1354 cur_node = ldns_rbtree_next(cur_node); 1355 } 1356 1357 ldns_rr_list_deep_free(pubkey_list); 1358 return result; 1359 } 1360 1361 ldns_status 1362 ldns_dnssec_zone_sign(ldns_dnssec_zone *zone, 1363 ldns_rr_list *new_rrs, 1364 ldns_key_list *key_list, 1365 int (*func)(ldns_rr *, void *), 1366 void *arg) 1367 { 1368 return ldns_dnssec_zone_sign_flg(zone, new_rrs, key_list, func, arg, 0); 1369 } 1370 1371 ldns_status 1372 ldns_dnssec_zone_sign_flg(ldns_dnssec_zone *zone, 1373 ldns_rr_list *new_rrs, 1374 ldns_key_list *key_list, 1375 int (*func)(ldns_rr *, void *), 1376 void *arg, 1377 int flags) 1378 { 1379 ldns_status result = LDNS_STATUS_OK; 1380 ldns_dnssec_rrsets zonemd_rrset; 1381 bool zonemd_added = false; 1382 1383 if (!zone || !new_rrs || !key_list) { 1384 return LDNS_STATUS_ERR; 1385 } 1386 if (flags & LDNS_SIGN_WITH_ZONEMD) { 1387 ldns_dnssec_rrsets **rrsets_ref = &zone->soa->rrsets; 1388 1389 while (*rrsets_ref 1390 && (*rrsets_ref)->type < LDNS_RR_TYPE_ZONEMD) 1391 rrsets_ref = &(*rrsets_ref)->next; 1392 if (!*rrsets_ref 1393 || (*rrsets_ref)->type > LDNS_RR_TYPE_ZONEMD) { 1394 zonemd_rrset.rrs = NULL; 1395 zonemd_rrset.type = LDNS_RR_TYPE_ZONEMD; 1396 zonemd_rrset.signatures = NULL; 1397 zonemd_rrset.next = *rrsets_ref; 1398 *rrsets_ref = &zonemd_rrset; 1399 zonemd_added = true; 1400 } 1401 } 1402 /* zone is already sorted */ 1403 result = ldns_dnssec_zone_mark_glue(zone); 1404 if (result != LDNS_STATUS_OK) { 1405 return result; 1406 } 1407 /* check whether we need to add nsecs */ 1408 if ((flags & LDNS_SIGN_NO_KEYS_NO_NSECS) 1409 && ldns_key_list_key_count(key_list) < 1) 1410 ; /* pass */ 1411 1412 else if (zone->names 1413 && !((ldns_dnssec_name *)zone->names->root->data)->nsec) { 1414 1415 result = ldns_dnssec_zone_create_nsecs(zone, new_rrs); 1416 if (result != LDNS_STATUS_OK) { 1417 return result; 1418 } 1419 } 1420 result = ldns_dnssec_zone_create_rrsigs_flg(zone, 1421 new_rrs, 1422 key_list, 1423 func, 1424 arg, 1425 flags); 1426 1427 if (zonemd_added) { 1428 ldns_dnssec_rrsets **rrsets_ref 1429 = &zone->soa->rrsets; 1430 1431 while (*rrsets_ref 1432 && (*rrsets_ref)->type < LDNS_RR_TYPE_ZONEMD) 1433 rrsets_ref = &(*rrsets_ref)->next; 1434 *rrsets_ref = zonemd_rrset.next; 1435 } 1436 return flags & LDNS_SIGN_WITH_ZONEMD 1437 ? dnssec_zone_equip_zonemd(zone, new_rrs, key_list, flags) 1438 : result; 1439 } 1440 1441 ldns_status 1442 ldns_dnssec_zone_sign_nsec3(ldns_dnssec_zone *zone, 1443 ldns_rr_list *new_rrs, 1444 ldns_key_list *key_list, 1445 int (*func)(ldns_rr *, void *), 1446 void *arg, 1447 uint8_t algorithm, 1448 uint8_t flags, 1449 uint16_t iterations, 1450 uint8_t salt_length, 1451 uint8_t *salt) 1452 { 1453 return ldns_dnssec_zone_sign_nsec3_flg_mkmap(zone, new_rrs, key_list, 1454 func, arg, algorithm, flags, iterations, salt_length, salt, 0, 1455 NULL); 1456 } 1457 1458 ldns_status 1459 ldns_dnssec_zone_sign_nsec3_flg_mkmap(ldns_dnssec_zone *zone, 1460 ldns_rr_list *new_rrs, 1461 ldns_key_list *key_list, 1462 int (*func)(ldns_rr *, void *), 1463 void *arg, 1464 uint8_t algorithm, 1465 uint8_t flags, 1466 uint16_t iterations, 1467 uint8_t salt_length, 1468 uint8_t *salt, 1469 int signflags, 1470 ldns_rbtree_t **map) 1471 { 1472 ldns_rr *nsec3, *nsec3param; 1473 ldns_status result = LDNS_STATUS_OK; 1474 bool zonemd_added = false; 1475 ldns_dnssec_rrsets zonemd_rrset; 1476 1477 /* zone is already sorted */ 1478 result = ldns_dnssec_zone_mark_glue(zone); 1479 if (result != LDNS_STATUS_OK) { 1480 return result; 1481 } 1482 1483 /* TODO if there are already nsec3s presents and their 1484 * parameters are the same as these, we don't have to recreate 1485 */ 1486 if (zone->names) { 1487 /* add empty nonterminals */ 1488 result = ldns_dnssec_zone_add_empty_nonterminals(zone); 1489 if (result != LDNS_STATUS_OK) { 1490 return result; 1491 } 1492 1493 nsec3 = ((ldns_dnssec_name *)zone->names->root->data)->nsec; 1494 1495 /* check whether we need to add nsecs */ 1496 if ((signflags & LDNS_SIGN_NO_KEYS_NO_NSECS) 1497 && ldns_key_list_key_count(key_list) < 1) 1498 ; /* pass */ 1499 1500 else if (nsec3 && ldns_rr_get_type(nsec3) == LDNS_RR_TYPE_NSEC3) { 1501 /* no need to recreate */ 1502 } else { 1503 if (!ldns_dnssec_zone_find_rrset(zone, 1504 zone->soa->name, 1505 LDNS_RR_TYPE_NSEC3PARAM)) { 1506 /* create and add the nsec3param rr */ 1507 nsec3param = 1508 ldns_rr_new_frm_type(LDNS_RR_TYPE_NSEC3PARAM); 1509 ldns_rr_set_owner(nsec3param, 1510 ldns_rdf_clone(zone->soa->name)); 1511 ldns_nsec3_add_param_rdfs(nsec3param, 1512 algorithm, 1513 flags, 1514 iterations, 1515 salt_length, 1516 salt); 1517 /* always set bit 7 of the flags to zero, according to 1518 * rfc5155 section 11. The bits are counted from right to left, 1519 * so bit 7 in rfc5155 is bit 0 in ldns */ 1520 ldns_set_bit(ldns_rdf_data(ldns_rr_rdf(nsec3param, 1)), 0, 0); 1521 result = ldns_dnssec_zone_add_rr(zone, nsec3param); 1522 if (result != LDNS_STATUS_OK) { 1523 return result; 1524 } 1525 ldns_rr_list_push_rr(new_rrs, nsec3param); 1526 } 1527 if (signflags & LDNS_SIGN_WITH_ZONEMD) { 1528 ldns_dnssec_rrsets **rrsets_ref 1529 = &zone->soa->rrsets; 1530 1531 while (*rrsets_ref 1532 && (*rrsets_ref)->type < LDNS_RR_TYPE_ZONEMD) 1533 rrsets_ref = &(*rrsets_ref)->next; 1534 if (!*rrsets_ref 1535 || (*rrsets_ref)->type > LDNS_RR_TYPE_ZONEMD) { 1536 zonemd_rrset.rrs = NULL; 1537 zonemd_rrset.type = LDNS_RR_TYPE_ZONEMD; 1538 zonemd_rrset.signatures = NULL; 1539 zonemd_rrset.next = *rrsets_ref; 1540 *rrsets_ref = &zonemd_rrset; 1541 zonemd_added = true; 1542 } 1543 } 1544 result = ldns_dnssec_zone_create_nsec3s_mkmap(zone, 1545 new_rrs, 1546 algorithm, 1547 flags, 1548 iterations, 1549 salt_length, 1550 salt, 1551 map); 1552 if (zonemd_added) { 1553 ldns_dnssec_rrsets **rrsets_ref 1554 = &zone->soa->rrsets; 1555 1556 while (*rrsets_ref 1557 && (*rrsets_ref)->type < LDNS_RR_TYPE_ZONEMD) 1558 rrsets_ref = &(*rrsets_ref)->next; 1559 *rrsets_ref = zonemd_rrset.next; 1560 } 1561 if (result != LDNS_STATUS_OK) { 1562 return result; 1563 } 1564 } 1565 1566 result = ldns_dnssec_zone_create_rrsigs_flg(zone, 1567 new_rrs, 1568 key_list, 1569 func, 1570 arg, 1571 signflags); 1572 } 1573 if (result || !zone->names) 1574 return result; 1575 1576 return signflags & LDNS_SIGN_WITH_ZONEMD 1577 ? dnssec_zone_equip_zonemd(zone, new_rrs, key_list, signflags) 1578 : result; 1579 } 1580 1581 ldns_status 1582 ldns_dnssec_zone_sign_nsec3_flg(ldns_dnssec_zone *zone, 1583 ldns_rr_list *new_rrs, 1584 ldns_key_list *key_list, 1585 int (*func)(ldns_rr *, void *), 1586 void *arg, 1587 uint8_t algorithm, 1588 uint8_t flags, 1589 uint16_t iterations, 1590 uint8_t salt_length, 1591 uint8_t *salt, 1592 int signflags) 1593 { 1594 return ldns_dnssec_zone_sign_nsec3_flg_mkmap(zone, new_rrs, key_list, 1595 func, arg, algorithm, flags, iterations, salt_length, salt, 1596 signflags, NULL); 1597 } 1598 1599 ldns_zone * 1600 ldns_zone_sign(const ldns_zone *zone, ldns_key_list *key_list) 1601 { 1602 ldns_dnssec_zone *dnssec_zone; 1603 ldns_zone *signed_zone; 1604 ldns_rr_list *new_rrs; 1605 size_t i; 1606 1607 signed_zone = ldns_zone_new(); 1608 dnssec_zone = ldns_dnssec_zone_new(); 1609 1610 (void) ldns_dnssec_zone_add_rr(dnssec_zone, ldns_zone_soa(zone)); 1611 ldns_zone_set_soa(signed_zone, ldns_rr_clone(ldns_zone_soa(zone))); 1612 1613 for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(zone)); i++) { 1614 (void) ldns_dnssec_zone_add_rr(dnssec_zone, 1615 ldns_rr_list_rr(ldns_zone_rrs(zone), 1616 i)); 1617 ldns_zone_push_rr(signed_zone, 1618 ldns_rr_clone(ldns_rr_list_rr(ldns_zone_rrs(zone), 1619 i))); 1620 } 1621 1622 new_rrs = ldns_rr_list_new(); 1623 (void) ldns_dnssec_zone_sign(dnssec_zone, 1624 new_rrs, 1625 key_list, 1626 ldns_dnssec_default_replace_signatures, 1627 NULL); 1628 1629 for (i = 0; i < ldns_rr_list_rr_count(new_rrs); i++) { 1630 ldns_rr_list_push_rr(ldns_zone_rrs(signed_zone), 1631 ldns_rr_clone(ldns_rr_list_rr(new_rrs, i))); 1632 } 1633 1634 ldns_rr_list_deep_free(new_rrs); 1635 ldns_dnssec_zone_free(dnssec_zone); 1636 1637 return signed_zone; 1638 } 1639 1640 ldns_zone * 1641 ldns_zone_sign_nsec3(ldns_zone *zone, ldns_key_list *key_list, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt) 1642 { 1643 ldns_dnssec_zone *dnssec_zone; 1644 ldns_zone *signed_zone; 1645 ldns_rr_list *new_rrs; 1646 size_t i; 1647 1648 signed_zone = ldns_zone_new(); 1649 dnssec_zone = ldns_dnssec_zone_new(); 1650 1651 (void) ldns_dnssec_zone_add_rr(dnssec_zone, ldns_zone_soa(zone)); 1652 ldns_zone_set_soa(signed_zone, ldns_rr_clone(ldns_zone_soa(zone))); 1653 1654 for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(zone)); i++) { 1655 (void) ldns_dnssec_zone_add_rr(dnssec_zone, 1656 ldns_rr_list_rr(ldns_zone_rrs(zone), 1657 i)); 1658 ldns_zone_push_rr(signed_zone, 1659 ldns_rr_clone(ldns_rr_list_rr(ldns_zone_rrs(zone), 1660 i))); 1661 } 1662 1663 new_rrs = ldns_rr_list_new(); 1664 (void) ldns_dnssec_zone_sign_nsec3(dnssec_zone, 1665 new_rrs, 1666 key_list, 1667 ldns_dnssec_default_replace_signatures, 1668 NULL, 1669 algorithm, 1670 flags, 1671 iterations, 1672 salt_length, 1673 salt); 1674 1675 for (i = 0; i < ldns_rr_list_rr_count(new_rrs); i++) { 1676 ldns_rr_list_push_rr(ldns_zone_rrs(signed_zone), 1677 ldns_rr_clone(ldns_rr_list_rr(new_rrs, i))); 1678 } 1679 1680 ldns_rr_list_deep_free(new_rrs); 1681 ldns_dnssec_zone_free(dnssec_zone); 1682 1683 return signed_zone; 1684 } 1685 #endif /* HAVE_SSL */ 1686 1687 1688