1 /* 2 * keys.c handle private keys for use in DNSSEC 3 * 4 * This module should hide some of the openSSL complexities 5 * and give a general interface for private keys and hmac 6 * handling 7 * 8 * (c) NLnet Labs, 2004-2006 9 * 10 * See the file LICENSE for the license 11 */ 12 13 #include <ldns/config.h> 14 15 #include <ldns/ldns.h> 16 17 #ifdef HAVE_SSL 18 #include <openssl/ui.h> 19 #include <openssl/ssl.h> 20 #include <openssl/rand.h> 21 #include <openssl/bn.h> 22 #include <openssl/rsa.h> 23 #ifdef USE_DSA 24 #include <openssl/dsa.h> 25 #endif 26 #ifndef OPENSSL_NO_ENGINE 27 #include <openssl/engine.h> 28 #endif 29 #endif /* HAVE_SSL */ 30 31 ldns_lookup_table ldns_signing_algorithms[] = { 32 { LDNS_SIGN_RSAMD5, "RSAMD5" }, 33 { LDNS_SIGN_RSASHA1, "RSASHA1" }, 34 { LDNS_SIGN_RSASHA1_NSEC3, "RSASHA1-NSEC3-SHA1" }, 35 #ifdef USE_SHA2 36 { LDNS_SIGN_RSASHA256, "RSASHA256" }, 37 { LDNS_SIGN_RSASHA512, "RSASHA512" }, 38 #endif 39 #ifdef USE_GOST 40 { LDNS_SIGN_ECC_GOST, "ECC-GOST" }, 41 #endif 42 #ifdef USE_ECDSA 43 { LDNS_SIGN_ECDSAP256SHA256, "ECDSAP256SHA256" }, 44 { LDNS_SIGN_ECDSAP384SHA384, "ECDSAP384SHA384" }, 45 #endif 46 #ifdef USE_ED25519 47 { LDNS_SIGN_ED25519, "ED25519" }, 48 #endif 49 #ifdef USE_ED448 50 { LDNS_SIGN_ED448, "ED448" }, 51 #endif 52 #ifdef USE_DSA 53 { LDNS_SIGN_DSA, "DSA" }, 54 { LDNS_SIGN_DSA_NSEC3, "DSA-NSEC3-SHA1" }, 55 #endif 56 { LDNS_SIGN_HMACMD5, "hmac-md5.sig-alg.reg.int" }, 57 { LDNS_SIGN_HMACSHA1, "hmac-sha1" }, 58 { LDNS_SIGN_HMACSHA256, "hmac-sha256" }, 59 { LDNS_SIGN_HMACSHA224, "hmac-sha224" }, 60 { LDNS_SIGN_HMACSHA384, "hmac-sha384" }, 61 { LDNS_SIGN_HMACSHA512, "hmac-sha512" }, 62 { 0, NULL } 63 }; 64 65 ldns_key_list * 66 ldns_key_list_new(void) 67 { 68 ldns_key_list *key_list = LDNS_MALLOC(ldns_key_list); 69 if (!key_list) { 70 return NULL; 71 } else { 72 key_list->_key_count = 0; 73 key_list->_keys = NULL; 74 return key_list; 75 } 76 } 77 78 ldns_key * 79 ldns_key_new(void) 80 { 81 ldns_key *newkey; 82 83 newkey = LDNS_MALLOC(ldns_key); 84 if (!newkey) { 85 return NULL; 86 } else { 87 /* some defaults - not sure whether to do this */ 88 ldns_key_set_use(newkey, true); 89 ldns_key_set_flags(newkey, LDNS_KEY_ZONE_KEY); 90 ldns_key_set_origttl(newkey, 0); 91 ldns_key_set_keytag(newkey, 0); 92 ldns_key_set_inception(newkey, 0); 93 ldns_key_set_expiration(newkey, 0); 94 ldns_key_set_pubkey_owner(newkey, NULL); 95 #ifdef HAVE_SSL 96 ldns_key_set_evp_key(newkey, NULL); 97 #endif /* HAVE_SSL */ 98 ldns_key_set_hmac_key(newkey, NULL); 99 ldns_key_set_external_key(newkey, NULL); 100 return newkey; 101 } 102 } 103 104 ldns_status 105 ldns_key_new_frm_fp(ldns_key **k, FILE *fp) 106 { 107 return ldns_key_new_frm_fp_l(k, fp, NULL); 108 } 109 110 #if defined(HAVE_SSL) && !defined(OPENSSL_NO_ENGINE) 111 ldns_status 112 ldns_key_new_frm_engine(ldns_key **key, ENGINE *e, char *key_id, ldns_algorithm alg) 113 { 114 ldns_key *k; 115 116 k = ldns_key_new(); 117 if(!k) return LDNS_STATUS_MEM_ERR; 118 #ifndef S_SPLINT_S 119 k->_key.key = ENGINE_load_private_key(e, key_id, UI_OpenSSL(), NULL); 120 if(!k->_key.key) { 121 ldns_key_free(k); 122 return LDNS_STATUS_ERR; 123 } 124 ldns_key_set_algorithm(k, (ldns_signing_algorithm) alg); 125 if (!k->_key.key) { 126 ldns_key_free(k); 127 return LDNS_STATUS_ENGINE_KEY_NOT_LOADED; 128 } 129 #endif /* splint */ 130 *key = k; 131 return LDNS_STATUS_OK; 132 } 133 #endif 134 135 #ifdef USE_GOST 136 /** store GOST engine reference loaded into OpenSSL library */ 137 ENGINE* ldns_gost_engine = NULL; 138 139 int 140 ldns_key_EVP_load_gost_id(void) 141 { 142 static int gost_id = 0; 143 const EVP_PKEY_ASN1_METHOD* meth; 144 ENGINE* e; 145 146 if(gost_id) return gost_id; 147 148 /* see if configuration loaded gost implementation from other engine*/ 149 meth = EVP_PKEY_asn1_find_str(NULL, "gost2001", -1); 150 if(meth) { 151 EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth); 152 return gost_id; 153 } 154 155 /* see if engine can be loaded already */ 156 e = ENGINE_by_id("gost"); 157 if(!e) { 158 /* load it ourself, in case statically linked */ 159 ENGINE_load_builtin_engines(); 160 ENGINE_load_dynamic(); 161 e = ENGINE_by_id("gost"); 162 } 163 if(!e) { 164 /* no gost engine in openssl */ 165 return 0; 166 } 167 if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) { 168 ENGINE_finish(e); 169 ENGINE_free(e); 170 return 0; 171 } 172 173 meth = EVP_PKEY_asn1_find_str(&e, "gost2001", -1); 174 if(!meth) { 175 /* algo not found */ 176 ENGINE_finish(e); 177 ENGINE_free(e); 178 return 0; 179 } 180 /* Note: do not ENGINE_finish and ENGINE_free the acquired engine 181 * on some platforms this frees up the meth and unloads gost stuff */ 182 ldns_gost_engine = e; 183 184 EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth); 185 return gost_id; 186 } 187 188 void ldns_key_EVP_unload_gost(void) 189 { 190 if(ldns_gost_engine) { 191 ENGINE_finish(ldns_gost_engine); 192 ENGINE_free(ldns_gost_engine); 193 ldns_gost_engine = NULL; 194 } 195 } 196 197 /** read GOST private key */ 198 static EVP_PKEY* 199 ldns_key_new_frm_fp_gost_l(FILE* fp, int* line_nr) 200 { 201 char token[16384]; 202 const unsigned char* pp; 203 int gost_id; 204 EVP_PKEY* pkey; 205 ldns_rdf* b64rdf = NULL; 206 207 gost_id = ldns_key_EVP_load_gost_id(); 208 if(!gost_id) 209 return NULL; 210 211 if (ldns_fget_keyword_data_l(fp, "GostAsn1", ": ", token, "\n", 212 sizeof(token), line_nr) == -1) 213 return NULL; 214 while(strlen(token) < 96) { 215 /* read more b64 from the file, b64 split on multiple lines */ 216 if(ldns_fget_token_l(fp, token+strlen(token), "\n", 217 sizeof(token)-strlen(token), line_nr) == -1) 218 return NULL; 219 } 220 if(ldns_str2rdf_b64(&b64rdf, token) != LDNS_STATUS_OK) 221 return NULL; 222 pp = (unsigned char*)ldns_rdf_data(b64rdf); 223 pkey = d2i_PrivateKey(gost_id, NULL, &pp, (int)ldns_rdf_size(b64rdf)); 224 ldns_rdf_deep_free(b64rdf); 225 return pkey; 226 } 227 #endif 228 229 #ifdef USE_ECDSA 230 /** calculate public key from private key */ 231 static int 232 ldns_EC_KEY_calc_public(EC_KEY* ec) 233 { 234 EC_POINT* pub_key; 235 const EC_GROUP* group; 236 group = EC_KEY_get0_group(ec); 237 pub_key = EC_POINT_new(group); 238 if(!pub_key) return 0; 239 if(!EC_POINT_copy(pub_key, EC_GROUP_get0_generator(group))) { 240 EC_POINT_free(pub_key); 241 return 0; 242 } 243 if(!EC_POINT_mul(group, pub_key, EC_KEY_get0_private_key(ec), 244 NULL, NULL, NULL)) { 245 EC_POINT_free(pub_key); 246 return 0; 247 } 248 if(EC_KEY_set_public_key(ec, pub_key) == 0) { 249 EC_POINT_free(pub_key); 250 return 0; 251 } 252 EC_POINT_free(pub_key); 253 return 1; 254 } 255 256 /** read ECDSA private key */ 257 static EVP_PKEY* 258 ldns_key_new_frm_fp_ecdsa_l(FILE* fp, ldns_algorithm alg, int* line_nr) 259 { 260 char token[16384]; 261 ldns_rdf* b64rdf = NULL; 262 unsigned char* pp; 263 BIGNUM* bn; 264 EVP_PKEY* evp_key; 265 EC_KEY* ec; 266 if (ldns_fget_keyword_data_l(fp, "PrivateKey", ": ", token, "\n", 267 sizeof(token), line_nr) == -1) 268 return NULL; 269 if(ldns_str2rdf_b64(&b64rdf, token) != LDNS_STATUS_OK) 270 return NULL; 271 pp = (unsigned char*)ldns_rdf_data(b64rdf); 272 273 if(alg == LDNS_ECDSAP256SHA256) 274 ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); 275 else if(alg == LDNS_ECDSAP384SHA384) 276 ec = EC_KEY_new_by_curve_name(NID_secp384r1); 277 else ec = NULL; 278 if(!ec) { 279 ldns_rdf_deep_free(b64rdf); 280 return NULL; 281 } 282 bn = BN_bin2bn(pp, (int)ldns_rdf_size(b64rdf), NULL); 283 ldns_rdf_deep_free(b64rdf); 284 if(!bn) { 285 EC_KEY_free(ec); 286 return NULL; 287 } 288 EC_KEY_set_private_key(ec, bn); 289 BN_free(bn); 290 if(!ldns_EC_KEY_calc_public(ec)) { 291 EC_KEY_free(ec); 292 return NULL; 293 } 294 295 evp_key = EVP_PKEY_new(); 296 if(!evp_key) { 297 EC_KEY_free(ec); 298 return NULL; 299 } 300 if (!EVP_PKEY_assign_EC_KEY(evp_key, ec)) { 301 EVP_PKEY_free(evp_key); 302 EC_KEY_free(ec); 303 return NULL; 304 } 305 return evp_key; 306 } 307 #endif 308 309 #ifdef USE_ED25519 310 /** turn private key buffer into EC_KEY structure */ 311 static EVP_PKEY* 312 ldns_ed25519_priv_raw(uint8_t* pkey, int plen) 313 { 314 const unsigned char* pp; 315 uint8_t buf[256]; 316 int buflen = 0; 317 uint8_t pre[] = {0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 318 0x03, 0x2b, 0x65, 0x70, 0x04, 0x22, 0x04, 0x20}; 319 int pre_len = 16; 320 /* ASN looks like this for ED25519 public key 321 * 302a300506032b6570032100 <32byteskey> 322 * for ED25519 private key 323 * 302e020100300506032b657004220420 <32bytes> 324 * 325 * for X25519 this was 326 * 30320201010420 <32byteskey> 327 * andparameters a00b06092b06010401da470f01 328 * (noparameters, preamble is 30250201010420). 329 * the key is reversed (little endian). 330 */ 331 buflen = pre_len + plen; 332 if((size_t)buflen > sizeof(buf)) 333 return NULL; 334 memmove(buf, pre, pre_len); 335 memmove(buf+pre_len, pkey, plen); 336 /* reverse the pkey into the buf - key is not reversed it seems */ 337 /* for(i=0; i<plen; i++) 338 buf[pre_len+i] = pkey[plen-1-i]; */ 339 pp = buf; 340 return d2i_PrivateKey(NID_ED25519, NULL, &pp, buflen); 341 } 342 343 /** read ED25519 private key */ 344 static EVP_PKEY* 345 ldns_key_new_frm_fp_ed25519_l(FILE* fp, int* line_nr) 346 { 347 char token[16384]; 348 ldns_rdf* b64rdf = NULL; 349 EVP_PKEY* evp_key; 350 if (ldns_fget_keyword_data_l(fp, "PrivateKey", ": ", token, "\n", 351 sizeof(token), line_nr) == -1) 352 return NULL; 353 if(ldns_str2rdf_b64(&b64rdf, token) != LDNS_STATUS_OK) 354 return NULL; 355 356 /* we use d2i_ECPrivateKey because it calculates the public key 357 * from the private part, which others, EC_KEY_set_private_key, 358 * and o2i methods, do not do */ 359 /* for that the private key has to be encoded in ASN1 notation 360 * with a ED25519 prefix on it */ 361 362 evp_key = ldns_ed25519_priv_raw(ldns_rdf_data(b64rdf), 363 (int)ldns_rdf_size(b64rdf)); 364 ldns_rdf_deep_free(b64rdf); 365 return evp_key; 366 } 367 #endif 368 369 #ifdef USE_ED448 370 /** turn private key buffer into EC_KEY structure */ 371 static EVP_PKEY* 372 ldns_ed448_priv_raw(uint8_t* pkey, int plen) 373 { 374 const unsigned char* pp; 375 uint8_t buf[256]; 376 int buflen = 0; 377 uint8_t pre[] = {0x30, 0x47, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x71, 0x04, 0x3b, 0x04, 0x39}; 378 int pre_len = 16; 379 /* ASN looks like this for ED448 380 * 3047020100300506032b6571043b0439 <57bytekey> 381 * the key is reversed (little endian). 382 */ 383 buflen = pre_len + plen; 384 if((size_t)buflen > sizeof(buf)) 385 return NULL; 386 memmove(buf, pre, pre_len); 387 memmove(buf+pre_len, pkey, plen); 388 /* reverse the pkey into the buf - key is not reversed it seems */ 389 /* for(i=0; i<plen; i++) 390 buf[pre_len+i] = pkey[plen-1-i]; */ 391 pp = buf; 392 return d2i_PrivateKey(NID_ED448, NULL, &pp, buflen); 393 } 394 395 /** read ED448 private key */ 396 static EVP_PKEY* 397 ldns_key_new_frm_fp_ed448_l(FILE* fp, int* line_nr) 398 { 399 char token[16384]; 400 ldns_rdf* b64rdf = NULL; 401 EVP_PKEY* evp_key; 402 if (ldns_fget_keyword_data_l(fp, "PrivateKey", ": ", token, "\n", 403 sizeof(token), line_nr) == -1) 404 return NULL; 405 if(ldns_str2rdf_b64(&b64rdf, token) != LDNS_STATUS_OK) 406 return NULL; 407 408 /* convert private key into ASN notation and then convert that */ 409 evp_key = ldns_ed448_priv_raw(ldns_rdf_data(b64rdf), 410 (int)ldns_rdf_size(b64rdf)); 411 ldns_rdf_deep_free(b64rdf); 412 return evp_key; 413 } 414 #endif 415 416 ldns_status 417 ldns_key_new_frm_fp_l(ldns_key **key, FILE *fp, int *line_nr) 418 { 419 ldns_key *k; 420 char *d; 421 ldns_signing_algorithm alg; 422 ldns_rr *key_rr; 423 #ifdef HAVE_SSL 424 RSA *rsa; 425 #ifdef USE_DSA 426 DSA *dsa; 427 #endif 428 unsigned char *hmac; 429 size_t hmac_size; 430 #endif /* HAVE_SSL */ 431 432 k = ldns_key_new(); 433 434 d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN); 435 if (!k || !d) { 436 ldns_key_free(k); 437 LDNS_FREE(d); 438 return LDNS_STATUS_MEM_ERR; 439 } 440 441 alg = 0; 442 443 /* the file is highly structured. Do this in sequence */ 444 /* RSA: 445 * Private-key-format: v1.x. 446 * Algorithm: 1 (RSA) 447 448 */ 449 /* get the key format version number */ 450 if (ldns_fget_keyword_data_l(fp, "Private-key-format", ": ", d, "\n", 451 LDNS_MAX_LINELEN, line_nr) == -1) { 452 /* no version information */ 453 ldns_key_free(k); 454 LDNS_FREE(d); 455 return LDNS_STATUS_SYNTAX_ERR; 456 } 457 if (strncmp(d, "v1.", 3) != 0) { 458 ldns_key_free(k); 459 LDNS_FREE(d); 460 return LDNS_STATUS_SYNTAX_VERSION_ERR; 461 } 462 463 /* get the algorithm type, our file function strip ( ) so there are 464 * not in the return string! */ 465 if (ldns_fget_keyword_data_l(fp, "Algorithm", ": ", d, "\n", 466 LDNS_MAX_LINELEN, line_nr) == -1) { 467 /* no alg information */ 468 ldns_key_free(k); 469 LDNS_FREE(d); 470 return LDNS_STATUS_SYNTAX_ALG_ERR; 471 } 472 473 if (strncmp(d, "1 RSA", 2) == 0) { 474 alg = LDNS_SIGN_RSAMD5; 475 } 476 if (strncmp(d, "2 DH", 2) == 0) { 477 alg = (ldns_signing_algorithm)LDNS_DH; 478 } 479 if (strncmp(d, "3 DSA", 2) == 0) { 480 #ifdef USE_DSA 481 alg = LDNS_SIGN_DSA; 482 #else 483 # ifdef STDERR_MSGS 484 fprintf(stderr, "Warning: DSA not compiled into this "); 485 fprintf(stderr, "version of ldns\n"); 486 # endif 487 #endif 488 } 489 if (strncmp(d, "4 ECC", 2) == 0) { 490 alg = (ldns_signing_algorithm)LDNS_ECC; 491 } 492 if (strncmp(d, "5 RSASHA1", 2) == 0) { 493 alg = LDNS_SIGN_RSASHA1; 494 } 495 if (strncmp(d, "6 DSA", 2) == 0) { 496 #ifdef USE_DSA 497 alg = LDNS_SIGN_DSA_NSEC3; 498 #else 499 # ifdef STDERR_MSGS 500 fprintf(stderr, "Warning: DSA not compiled into this "); 501 fprintf(stderr, "version of ldns\n"); 502 # endif 503 #endif 504 } 505 if (strncmp(d, "7 RSASHA1", 2) == 0) { 506 alg = LDNS_SIGN_RSASHA1_NSEC3; 507 } 508 509 if (strncmp(d, "8 RSASHA256", 2) == 0) { 510 #ifdef USE_SHA2 511 alg = LDNS_SIGN_RSASHA256; 512 #else 513 # ifdef STDERR_MSGS 514 fprintf(stderr, "Warning: SHA256 not compiled into this "); 515 fprintf(stderr, "version of ldns\n"); 516 # endif 517 #endif 518 } 519 if (strncmp(d, "10 RSASHA512", 3) == 0) { 520 #ifdef USE_SHA2 521 alg = LDNS_SIGN_RSASHA512; 522 #else 523 # ifdef STDERR_MSGS 524 fprintf(stderr, "Warning: SHA512 not compiled into this "); 525 fprintf(stderr, "version of ldns\n"); 526 # endif 527 #endif 528 } 529 if (strncmp(d, "12 ECC-GOST", 3) == 0) { 530 #ifdef USE_GOST 531 alg = LDNS_SIGN_ECC_GOST; 532 #else 533 # ifdef STDERR_MSGS 534 fprintf(stderr, "Warning: ECC-GOST not compiled into this "); 535 fprintf(stderr, "version of ldns, use --enable-gost\n"); 536 # endif 537 #endif 538 } 539 if (strncmp(d, "13 ECDSAP256SHA256", 3) == 0) { 540 #ifdef USE_ECDSA 541 alg = LDNS_SIGN_ECDSAP256SHA256; 542 #else 543 # ifdef STDERR_MSGS 544 fprintf(stderr, "Warning: ECDSA not compiled into this "); 545 fprintf(stderr, "version of ldns, use --enable-ecdsa\n"); 546 # endif 547 #endif 548 } 549 if (strncmp(d, "14 ECDSAP384SHA384", 3) == 0) { 550 #ifdef USE_ECDSA 551 alg = LDNS_SIGN_ECDSAP384SHA384; 552 #else 553 # ifdef STDERR_MSGS 554 fprintf(stderr, "Warning: ECDSA not compiled into this "); 555 fprintf(stderr, "version of ldns, use --enable-ecdsa\n"); 556 # endif 557 #endif 558 } 559 if (strncmp(d, "15 ED25519", 3) == 0) { 560 #ifdef USE_ED25519 561 alg = LDNS_SIGN_ED25519; 562 #else 563 # ifdef STDERR_MSGS 564 fprintf(stderr, "Warning: ED25519 not compiled into this "); 565 fprintf(stderr, "version of ldns, use --enable-ed25519\n"); 566 # endif 567 #endif 568 } 569 if (strncmp(d, "16 ED448", 3) == 0) { 570 #ifdef USE_ED448 571 alg = LDNS_SIGN_ED448; 572 #else 573 # ifdef STDERR_MSGS 574 fprintf(stderr, "Warning: ED448 not compiled into this "); 575 fprintf(stderr, "version of ldns, use --enable-ed448\n"); 576 # endif 577 #endif 578 } 579 if (strncmp(d, "157 HMAC-MD5", 4) == 0) { 580 alg = LDNS_SIGN_HMACMD5; 581 } 582 if (strncmp(d, "158 HMAC-SHA1", 4) == 0) { 583 alg = LDNS_SIGN_HMACSHA1; 584 } 585 if (strncmp(d, "159 HMAC-SHA256", 4) == 0) { 586 alg = LDNS_SIGN_HMACSHA256; 587 } 588 /* For compatibility with dnssec-keygen */ 589 if (strncmp(d, "161 ", 4) == 0) { 590 alg = LDNS_SIGN_HMACSHA1; 591 } 592 if (strncmp(d, "162 HMAC-SHA224", 4) == 0) { 593 alg = LDNS_SIGN_HMACSHA224; 594 } 595 /* For compatibility with dnssec-keygen */ 596 if (strncmp(d, "163 ", 4) == 0) { 597 alg = LDNS_SIGN_HMACSHA256; 598 } 599 if (strncmp(d, "164 HMAC-SHA384", 4) == 0) { 600 alg = LDNS_SIGN_HMACSHA384; 601 } 602 if (strncmp(d, "165 HMAC-SHA512", 4) == 0) { 603 alg = LDNS_SIGN_HMACSHA512; 604 } 605 LDNS_FREE(d); 606 607 switch(alg) { 608 case LDNS_SIGN_RSAMD5: 609 case LDNS_SIGN_RSASHA1: 610 case LDNS_SIGN_RSASHA1_NSEC3: 611 #ifdef USE_SHA2 612 case LDNS_SIGN_RSASHA256: 613 case LDNS_SIGN_RSASHA512: 614 #endif 615 ldns_key_set_algorithm(k, alg); 616 #ifdef HAVE_SSL 617 rsa = ldns_key_new_frm_fp_rsa_l(fp, line_nr); 618 if (!rsa) { 619 ldns_key_free(k); 620 return LDNS_STATUS_ERR; 621 } 622 ldns_key_assign_rsa_key(k, rsa); 623 #endif /* HAVE_SSL */ 624 break; 625 #ifdef USE_DSA 626 case LDNS_SIGN_DSA: 627 case LDNS_SIGN_DSA_NSEC3: 628 ldns_key_set_algorithm(k, alg); 629 #ifdef HAVE_SSL 630 dsa = ldns_key_new_frm_fp_dsa_l(fp, line_nr); 631 if (!dsa) { 632 ldns_key_free(k); 633 return LDNS_STATUS_ERR; 634 } 635 ldns_key_assign_dsa_key(k, dsa); 636 #endif /* HAVE_SSL */ 637 break; 638 #endif /* USE_DSA */ 639 case LDNS_SIGN_HMACMD5: 640 case LDNS_SIGN_HMACSHA1: 641 case LDNS_SIGN_HMACSHA224: 642 case LDNS_SIGN_HMACSHA256: 643 case LDNS_SIGN_HMACSHA384: 644 case LDNS_SIGN_HMACSHA512: 645 ldns_key_set_algorithm(k, alg); 646 #ifdef HAVE_SSL 647 hmac = ldns_key_new_frm_fp_hmac_l(fp, line_nr, &hmac_size); 648 if (!hmac) { 649 ldns_key_free(k); 650 return LDNS_STATUS_ERR; 651 } 652 ldns_key_set_hmac_size(k, hmac_size); 653 ldns_key_set_hmac_key(k, hmac); 654 #endif /* HAVE_SSL */ 655 break; 656 case LDNS_SIGN_ECC_GOST: 657 ldns_key_set_algorithm(k, alg); 658 #if defined(HAVE_SSL) && defined(USE_GOST) 659 if(!ldns_key_EVP_load_gost_id()) { 660 ldns_key_free(k); 661 return LDNS_STATUS_CRYPTO_ALGO_NOT_IMPL; 662 } 663 ldns_key_set_evp_key(k, 664 ldns_key_new_frm_fp_gost_l(fp, line_nr)); 665 #ifndef S_SPLINT_S 666 if(!k->_key.key) { 667 ldns_key_free(k); 668 return LDNS_STATUS_ERR; 669 } 670 #endif /* splint */ 671 #endif 672 break; 673 #ifdef USE_ECDSA 674 case LDNS_SIGN_ECDSAP256SHA256: 675 case LDNS_SIGN_ECDSAP384SHA384: 676 ldns_key_set_algorithm(k, alg); 677 ldns_key_set_evp_key(k, 678 ldns_key_new_frm_fp_ecdsa_l(fp, (ldns_algorithm)alg, line_nr)); 679 #ifndef S_SPLINT_S 680 if(!k->_key.key) { 681 ldns_key_free(k); 682 return LDNS_STATUS_ERR; 683 } 684 #endif /* splint */ 685 break; 686 #endif 687 #ifdef USE_ED25519 688 case LDNS_SIGN_ED25519: 689 ldns_key_set_algorithm(k, alg); 690 ldns_key_set_evp_key(k, 691 ldns_key_new_frm_fp_ed25519_l(fp, line_nr)); 692 #ifndef S_SPLINT_S 693 if(!k->_key.key) { 694 ldns_key_free(k); 695 return LDNS_STATUS_ERR; 696 } 697 #endif /* splint */ 698 break; 699 #endif 700 #ifdef USE_ED448 701 case LDNS_SIGN_ED448: 702 ldns_key_set_algorithm(k, alg); 703 ldns_key_set_evp_key(k, 704 ldns_key_new_frm_fp_ed448_l(fp, line_nr)); 705 #ifndef S_SPLINT_S 706 if(!k->_key.key) { 707 ldns_key_free(k); 708 return LDNS_STATUS_ERR; 709 } 710 #endif /* splint */ 711 break; 712 #endif 713 default: 714 ldns_key_free(k); 715 return LDNS_STATUS_SYNTAX_ALG_ERR; 716 } 717 key_rr = ldns_key2rr(k); 718 ldns_key_set_keytag(k, ldns_calc_keytag(key_rr)); 719 ldns_rr_free(key_rr); 720 721 if (key) { 722 *key = k; 723 return LDNS_STATUS_OK; 724 } 725 ldns_key_free(k); 726 return LDNS_STATUS_ERR; 727 } 728 729 #ifdef HAVE_SSL 730 RSA * 731 ldns_key_new_frm_fp_rsa(FILE *f) 732 { 733 return ldns_key_new_frm_fp_rsa_l(f, NULL); 734 } 735 736 RSA * 737 ldns_key_new_frm_fp_rsa_l(FILE *f, int *line_nr) 738 { 739 /* we parse 740 * Modulus: 741 * PublicExponent: 742 * PrivateExponent: 743 * Prime1: 744 * Prime2: 745 * Exponent1: 746 * Exponent2: 747 * Coefficient: 748 * 749 * man 3 RSA: 750 * 751 * struct 752 * { 753 * BIGNUM *n; // public modulus 754 * BIGNUM *e; // public exponent 755 * BIGNUM *d; // private exponent 756 * BIGNUM *p; // secret prime factor 757 * BIGNUM *q; // secret prime factor 758 * BIGNUM *dmp1; // d mod (p-1) 759 * BIGNUM *dmq1; // d mod (q-1) 760 * BIGNUM *iqmp; // q^-1 mod p 761 * // ... 762 * 763 */ 764 char *b; 765 RSA *rsa; 766 uint8_t *buf; 767 int i; 768 BIGNUM *n=NULL, *e=NULL, *d=NULL, *p=NULL, *q=NULL, 769 *dmp1=NULL, *dmq1=NULL, *iqmp=NULL; 770 771 b = LDNS_XMALLOC(char, LDNS_MAX_LINELEN); 772 buf = LDNS_XMALLOC(uint8_t, LDNS_MAX_LINELEN); 773 rsa = RSA_new(); 774 if (!b || !rsa || !buf) { 775 goto error; 776 } 777 778 /* I could use functions again, but that seems an overkill, 779 * although this also looks tedious 780 */ 781 782 /* Modules, rsa->n */ 783 if (ldns_fget_keyword_data_l(f, "Modulus", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 784 goto error; 785 } 786 i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b))); 787 #ifndef S_SPLINT_S 788 n = BN_bin2bn((const char unsigned*)buf, i, NULL); 789 if (!n) { 790 goto error; 791 } 792 793 /* PublicExponent, rsa->e */ 794 if (ldns_fget_keyword_data_l(f, "PublicExponent", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 795 goto error; 796 } 797 i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b))); 798 e = BN_bin2bn((const char unsigned*)buf, i, NULL); 799 if (!e) { 800 goto error; 801 } 802 803 /* PrivateExponent, rsa->d */ 804 if (ldns_fget_keyword_data_l(f, "PrivateExponent", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 805 goto error; 806 } 807 i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b))); 808 d = BN_bin2bn((const char unsigned*)buf, i, NULL); 809 if (!d) { 810 goto error; 811 } 812 813 /* Prime1, rsa->p */ 814 if (ldns_fget_keyword_data_l(f, "Prime1", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 815 goto error; 816 } 817 i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b))); 818 p = BN_bin2bn((const char unsigned*)buf, i, NULL); 819 if (!p) { 820 goto error; 821 } 822 823 /* Prime2, rsa->q */ 824 if (ldns_fget_keyword_data_l(f, "Prime2", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 825 goto error; 826 } 827 i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b))); 828 q = BN_bin2bn((const char unsigned*)buf, i, NULL); 829 if (!q) { 830 goto error; 831 } 832 833 /* Exponent1, rsa->dmp1 */ 834 if (ldns_fget_keyword_data_l(f, "Exponent1", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 835 goto error; 836 } 837 i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b))); 838 dmp1 = BN_bin2bn((const char unsigned*)buf, i, NULL); 839 if (!dmp1) { 840 goto error; 841 } 842 843 /* Exponent2, rsa->dmq1 */ 844 if (ldns_fget_keyword_data_l(f, "Exponent2", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 845 goto error; 846 } 847 i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b))); 848 dmq1 = BN_bin2bn((const char unsigned*)buf, i, NULL); 849 if (!dmq1) { 850 goto error; 851 } 852 853 /* Coefficient, rsa->iqmp */ 854 if (ldns_fget_keyword_data_l(f, "Coefficient", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 855 goto error; 856 } 857 i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b))); 858 iqmp = BN_bin2bn((const char unsigned*)buf, i, NULL); 859 if (!iqmp) { 860 goto error; 861 } 862 #endif /* splint */ 863 864 #if OPENSSL_VERSION_NUMBER < 0x10100000 || (defined(HAVE_LIBRESSL) && LIBRESSL_VERSION_NUMBER < 0x20700000) 865 # ifndef S_SPLINT_S 866 rsa->n = n; 867 rsa->e = e; 868 rsa->d = d; 869 rsa->p = p; 870 rsa->q = q; 871 rsa->dmp1 = dmp1; 872 rsa->dmq1 = dmq1; 873 rsa->iqmp = iqmp; 874 # endif 875 #else 876 if(!RSA_set0_key(rsa, n, e, d)) 877 goto error; 878 n = NULL; 879 e = NULL; 880 d = NULL; 881 if(!RSA_set0_factors(rsa, p, q)) 882 goto error; 883 p = NULL; 884 q = NULL; 885 if(!RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp)) 886 goto error; 887 #endif 888 889 LDNS_FREE(buf); 890 LDNS_FREE(b); 891 return rsa; 892 893 error: 894 RSA_free(rsa); 895 LDNS_FREE(b); 896 LDNS_FREE(buf); 897 BN_free(n); 898 BN_free(e); 899 BN_free(d); 900 BN_free(p); 901 BN_free(q); 902 BN_free(dmp1); 903 BN_free(dmq1); 904 BN_free(iqmp); 905 return NULL; 906 } 907 908 #ifdef USE_DSA 909 DSA * 910 ldns_key_new_frm_fp_dsa(FILE *f) 911 { 912 return ldns_key_new_frm_fp_dsa_l(f, NULL); 913 } 914 915 DSA * 916 ldns_key_new_frm_fp_dsa_l(FILE *f, ATTR_UNUSED(int *line_nr)) 917 { 918 int i; 919 char *d; 920 DSA *dsa; 921 uint8_t *buf; 922 BIGNUM *p=NULL, *q=NULL, *g=NULL, *priv_key=NULL, *pub_key=NULL; 923 924 d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN); 925 buf = LDNS_XMALLOC(uint8_t, LDNS_MAX_LINELEN); 926 dsa = DSA_new(); 927 if (!d || !dsa || !buf) { 928 goto error; 929 } 930 931 /* the line parser removes the () from the input... */ 932 933 /* Prime, dsa->p */ 934 if (ldns_fget_keyword_data_l(f, "Primep", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 935 goto error; 936 } 937 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 938 #ifndef S_SPLINT_S 939 p = BN_bin2bn((const char unsigned*)buf, i, NULL); 940 if (!p) { 941 goto error; 942 } 943 944 /* Subprime, dsa->q */ 945 if (ldns_fget_keyword_data_l(f, "Subprimeq", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 946 goto error; 947 } 948 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 949 q = BN_bin2bn((const char unsigned*)buf, i, NULL); 950 if (!q) { 951 goto error; 952 } 953 954 /* Base, dsa->g */ 955 if (ldns_fget_keyword_data_l(f, "Baseg", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 956 goto error; 957 } 958 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 959 g = BN_bin2bn((const char unsigned*)buf, i, NULL); 960 if (!g) { 961 goto error; 962 } 963 964 /* Private key, dsa->priv_key */ 965 if (ldns_fget_keyword_data_l(f, "Private_valuex", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 966 goto error; 967 } 968 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 969 priv_key = BN_bin2bn((const char unsigned*)buf, i, NULL); 970 if (!priv_key) { 971 goto error; 972 } 973 974 /* Public key, dsa->priv_key */ 975 if (ldns_fget_keyword_data_l(f, "Public_valuey", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 976 goto error; 977 } 978 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 979 pub_key = BN_bin2bn((const char unsigned*)buf, i, NULL); 980 if (!pub_key) { 981 goto error; 982 } 983 #endif /* splint */ 984 985 #if OPENSSL_VERSION_NUMBER < 0x10100000 || (defined(HAVE_LIBRESSL) && LIBRESSL_VERSION_NUMBER < 0x20700000) 986 # ifndef S_SPLINT_S 987 dsa->p = p; 988 dsa->q = q; 989 dsa->g = g; 990 dsa->priv_key = priv_key; 991 dsa->pub_key = pub_key; 992 # endif 993 #else 994 if(!DSA_set0_pqg(dsa, p, q, g)) 995 goto error; 996 p = NULL; 997 q = NULL; 998 g = NULL; 999 if(!DSA_set0_key(dsa, pub_key, priv_key)) 1000 goto error; 1001 #endif 1002 1003 LDNS_FREE(buf); 1004 LDNS_FREE(d); 1005 1006 return dsa; 1007 1008 error: 1009 LDNS_FREE(d); 1010 LDNS_FREE(buf); 1011 DSA_free(dsa); 1012 BN_free(p); 1013 BN_free(q); 1014 BN_free(g); 1015 BN_free(priv_key); 1016 BN_free(pub_key); 1017 return NULL; 1018 } 1019 #endif /* USE_DSA */ 1020 1021 unsigned char * 1022 ldns_key_new_frm_fp_hmac(FILE *f, size_t *hmac_size) 1023 { 1024 return ldns_key_new_frm_fp_hmac_l(f, NULL, hmac_size); 1025 } 1026 1027 unsigned char * 1028 ldns_key_new_frm_fp_hmac_l( FILE *f 1029 , ATTR_UNUSED(int *line_nr) 1030 , size_t *hmac_size 1031 ) 1032 { 1033 size_t bufsz; 1034 char d[LDNS_MAX_LINELEN]; 1035 unsigned char *buf = NULL; 1036 1037 *hmac_size = ldns_fget_keyword_data_l(f, "Key", ": ", d, "\n", 1038 LDNS_MAX_LINELEN, line_nr) == -1 1039 ? 0 1040 : (buf = LDNS_XMALLOC( unsigned char, (bufsz = 1041 ldns_b64_ntop_calculate_size(strlen(d))))) == NULL 1042 ? 0 1043 : (size_t) ldns_b64_pton((const char*)d, buf, bufsz); 1044 return buf; 1045 } 1046 #endif /* HAVE_SSL */ 1047 1048 #ifdef USE_GOST 1049 static EVP_PKEY* 1050 ldns_gen_gost_key(void) 1051 { 1052 EVP_PKEY_CTX* ctx; 1053 EVP_PKEY* p = NULL; 1054 int gost_id = ldns_key_EVP_load_gost_id(); 1055 if(!gost_id) 1056 return NULL; 1057 ctx = EVP_PKEY_CTX_new_id(gost_id, NULL); 1058 if(!ctx) { 1059 /* the id should be available now */ 1060 return NULL; 1061 } 1062 if(EVP_PKEY_CTX_ctrl_str(ctx, "paramset", "A") <= 0) { 1063 /* cannot set paramset */ 1064 EVP_PKEY_CTX_free(ctx); 1065 return NULL; 1066 } 1067 1068 if(EVP_PKEY_keygen_init(ctx) <= 0) { 1069 EVP_PKEY_CTX_free(ctx); 1070 return NULL; 1071 } 1072 if(EVP_PKEY_keygen(ctx, &p) <= 0) { 1073 EVP_PKEY_free(p); 1074 EVP_PKEY_CTX_free(ctx); 1075 return NULL; 1076 } 1077 EVP_PKEY_CTX_free(ctx); 1078 return p; 1079 } 1080 #endif 1081 1082 ldns_key * 1083 ldns_key_new_frm_algorithm(ldns_signing_algorithm alg, uint16_t size) 1084 { 1085 ldns_key *k; 1086 #ifdef HAVE_SSL 1087 #ifdef USE_DSA 1088 DSA *d; 1089 #endif /* USE_DSA */ 1090 # ifdef USE_ECDSA 1091 EC_KEY *ec = NULL; 1092 # endif 1093 # ifdef HAVE_EVP_PKEY_KEYGEN 1094 EVP_PKEY_CTX *ctx; 1095 # else 1096 RSA *r; 1097 # endif 1098 #else 1099 int i; 1100 uint16_t offset = 0; 1101 #endif 1102 unsigned char *hmac; 1103 1104 k = ldns_key_new(); 1105 if (!k) { 1106 return NULL; 1107 } 1108 switch(alg) { 1109 case LDNS_SIGN_RSAMD5: 1110 case LDNS_SIGN_RSASHA1: 1111 case LDNS_SIGN_RSASHA1_NSEC3: 1112 case LDNS_SIGN_RSASHA256: 1113 case LDNS_SIGN_RSASHA512: 1114 #ifdef HAVE_SSL 1115 #ifdef HAVE_EVP_PKEY_KEYGEN 1116 ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL); 1117 if(!ctx) { 1118 ldns_key_free(k); 1119 return NULL; 1120 } 1121 if(EVP_PKEY_keygen_init(ctx) <= 0) { 1122 ldns_key_free(k); 1123 EVP_PKEY_CTX_free(ctx); 1124 return NULL; 1125 } 1126 if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, size) <= 0) { 1127 ldns_key_free(k); 1128 EVP_PKEY_CTX_free(ctx); 1129 return NULL; 1130 } 1131 #ifndef S_SPLINT_S 1132 if (EVP_PKEY_keygen(ctx, &k->_key.key) <= 0) { 1133 ldns_key_free(k); 1134 EVP_PKEY_CTX_free(ctx); 1135 return NULL; 1136 } 1137 #endif 1138 EVP_PKEY_CTX_free(ctx); 1139 #else /* HAVE_EVP_PKEY_KEYGEN */ 1140 r = RSA_generate_key((int)size, RSA_F4, NULL, NULL); 1141 if(!r) { 1142 ldns_key_free(k); 1143 return NULL; 1144 } 1145 if (RSA_check_key(r) != 1) { 1146 ldns_key_free(k); 1147 return NULL; 1148 } 1149 ldns_key_set_rsa_key(k, r); 1150 RSA_free(r); 1151 #endif /* HAVE_EVP_PKEY_KEYGEN */ 1152 #endif /* HAVE_SSL */ 1153 break; 1154 #ifdef USE_DSA 1155 case LDNS_SIGN_DSA: 1156 case LDNS_SIGN_DSA_NSEC3: 1157 #ifdef HAVE_SSL 1158 # if OPENSSL_VERSION_NUMBER < 0x00908000L 1159 d = DSA_generate_parameters((int)size, NULL, 0, NULL, NULL, NULL, NULL); 1160 if (!d) { 1161 ldns_key_free(k); 1162 return NULL; 1163 } 1164 1165 # else 1166 if (! (d = DSA_new())) { 1167 ldns_key_free(k); 1168 return NULL; 1169 } 1170 if (! DSA_generate_parameters_ex(d, (int)size, NULL, 0, NULL, NULL, NULL)) { 1171 DSA_free(d); 1172 ldns_key_free(k); 1173 return NULL; 1174 } 1175 # endif 1176 if (DSA_generate_key(d) != 1) { 1177 ldns_key_free(k); 1178 return NULL; 1179 } 1180 ldns_key_set_dsa_key(k, d); 1181 DSA_free(d); 1182 #endif /* HAVE_SSL */ 1183 #endif /* USE_DSA */ 1184 break; 1185 case LDNS_SIGN_HMACMD5: 1186 case LDNS_SIGN_HMACSHA1: 1187 case LDNS_SIGN_HMACSHA224: 1188 case LDNS_SIGN_HMACSHA256: 1189 case LDNS_SIGN_HMACSHA384: 1190 case LDNS_SIGN_HMACSHA512: 1191 #ifdef HAVE_SSL 1192 #ifndef S_SPLINT_S 1193 k->_key.key = NULL; 1194 #endif /* splint */ 1195 #endif /* HAVE_SSL */ 1196 size = size / 8; 1197 ldns_key_set_hmac_size(k, size); 1198 1199 hmac = LDNS_XMALLOC(unsigned char, size); 1200 if(!hmac) { 1201 ldns_key_free(k); 1202 return NULL; 1203 } 1204 #ifdef HAVE_SSL 1205 if (RAND_bytes(hmac, (int) size) != 1) { 1206 LDNS_FREE(hmac); 1207 ldns_key_free(k); 1208 return NULL; 1209 } 1210 #else 1211 while (offset + sizeof(i) < size) { 1212 i = random(); 1213 memcpy(&hmac[offset], &i, sizeof(i)); 1214 offset += sizeof(i); 1215 } 1216 if (offset < size) { 1217 i = random(); 1218 memcpy(&hmac[offset], &i, size - offset); 1219 } 1220 #endif /* HAVE_SSL */ 1221 ldns_key_set_hmac_key(k, hmac); 1222 1223 ldns_key_set_flags(k, 0); 1224 break; 1225 case LDNS_SIGN_ECC_GOST: 1226 #if defined(HAVE_SSL) && defined(USE_GOST) 1227 ldns_key_set_evp_key(k, ldns_gen_gost_key()); 1228 #ifndef S_SPLINT_S 1229 if(!k->_key.key) { 1230 ldns_key_free(k); 1231 return NULL; 1232 } 1233 #endif /* splint */ 1234 #else 1235 ldns_key_free(k); 1236 return NULL; 1237 #endif /* HAVE_SSL and USE_GOST */ 1238 break; 1239 case LDNS_SIGN_ECDSAP256SHA256: 1240 case LDNS_SIGN_ECDSAP384SHA384: 1241 #ifdef USE_ECDSA 1242 if(alg == LDNS_SIGN_ECDSAP256SHA256) 1243 ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); 1244 else if(alg == LDNS_SIGN_ECDSAP384SHA384) 1245 ec = EC_KEY_new_by_curve_name(NID_secp384r1); 1246 if(!ec) { 1247 ldns_key_free(k); 1248 return NULL; 1249 } 1250 if(!EC_KEY_generate_key(ec)) { 1251 ldns_key_free(k); 1252 EC_KEY_free(ec); 1253 return NULL; 1254 } 1255 #ifndef S_SPLINT_S 1256 k->_key.key = EVP_PKEY_new(); 1257 if(!k->_key.key) { 1258 ldns_key_free(k); 1259 EC_KEY_free(ec); 1260 return NULL; 1261 } 1262 if (!EVP_PKEY_assign_EC_KEY(k->_key.key, ec)) { 1263 ldns_key_free(k); 1264 EC_KEY_free(ec); 1265 return NULL; 1266 } 1267 #endif /* splint */ 1268 #else 1269 ldns_key_free(k); 1270 return NULL; 1271 #endif /* ECDSA */ 1272 break; 1273 #ifdef USE_ED25519 1274 case LDNS_SIGN_ED25519: 1275 #ifdef HAVE_EVP_PKEY_KEYGEN 1276 ctx = EVP_PKEY_CTX_new_id(NID_ED25519, NULL); 1277 if(!ctx) { 1278 ldns_key_free(k); 1279 return NULL; 1280 } 1281 if(EVP_PKEY_keygen_init(ctx) <= 0) { 1282 ldns_key_free(k); 1283 EVP_PKEY_CTX_free(ctx); 1284 return NULL; 1285 } 1286 if (EVP_PKEY_keygen(ctx, &k->_key.key) <= 0) { 1287 ldns_key_free(k); 1288 EVP_PKEY_CTX_free(ctx); 1289 return NULL; 1290 } 1291 EVP_PKEY_CTX_free(ctx); 1292 #endif 1293 break; 1294 #endif /* ED25519 */ 1295 #ifdef USE_ED448 1296 case LDNS_SIGN_ED448: 1297 #ifdef HAVE_EVP_PKEY_KEYGEN 1298 ctx = EVP_PKEY_CTX_new_id(NID_ED448, NULL); 1299 if(!ctx) { 1300 ldns_key_free(k); 1301 return NULL; 1302 } 1303 if(EVP_PKEY_keygen_init(ctx) <= 0) { 1304 ldns_key_free(k); 1305 EVP_PKEY_CTX_free(ctx); 1306 return NULL; 1307 } 1308 if (EVP_PKEY_keygen(ctx, &k->_key.key) <= 0) { 1309 ldns_key_free(k); 1310 EVP_PKEY_CTX_free(ctx); 1311 return NULL; 1312 } 1313 EVP_PKEY_CTX_free(ctx); 1314 #endif 1315 break; 1316 #endif /* ED448 */ 1317 } 1318 ldns_key_set_algorithm(k, alg); 1319 return k; 1320 } 1321 1322 void 1323 ldns_key_print(FILE *output, const ldns_key *k) 1324 { 1325 char *str = ldns_key2str(k); 1326 if (str) { 1327 fprintf(output, "%s", str); 1328 } else { 1329 fprintf(output, "Unable to convert private key to string\n"); 1330 } 1331 LDNS_FREE(str); 1332 } 1333 1334 1335 void 1336 ldns_key_set_algorithm(ldns_key *k, ldns_signing_algorithm l) 1337 { 1338 k->_alg = l; 1339 } 1340 1341 void 1342 ldns_key_set_flags(ldns_key *k, uint16_t f) 1343 { 1344 k->_extra.dnssec.flags = f; 1345 } 1346 1347 #ifdef HAVE_SSL 1348 #ifndef S_SPLINT_S 1349 void 1350 ldns_key_set_evp_key(ldns_key *k, EVP_PKEY *e) 1351 { 1352 k->_key.key = e; 1353 } 1354 1355 void 1356 ldns_key_set_rsa_key(ldns_key *k, RSA *r) 1357 { 1358 EVP_PKEY *key = EVP_PKEY_new(); 1359 EVP_PKEY_set1_RSA(key, r); 1360 k->_key.key = key; 1361 } 1362 1363 void 1364 ldns_key_set_dsa_key(ldns_key *k, DSA *d) 1365 { 1366 #ifdef USE_DSA 1367 EVP_PKEY *key = EVP_PKEY_new(); 1368 EVP_PKEY_set1_DSA(key, d); 1369 k->_key.key = key; 1370 #else 1371 (void)k; (void)d; 1372 #endif 1373 } 1374 1375 void 1376 ldns_key_assign_rsa_key(ldns_key *k, RSA *r) 1377 { 1378 EVP_PKEY *key = EVP_PKEY_new(); 1379 EVP_PKEY_assign_RSA(key, r); 1380 k->_key.key = key; 1381 } 1382 1383 void 1384 ldns_key_assign_dsa_key(ldns_key *k, DSA *d) 1385 { 1386 #ifdef USE_DSA 1387 EVP_PKEY *key = EVP_PKEY_new(); 1388 EVP_PKEY_assign_DSA(key, d); 1389 k->_key.key = key; 1390 #else 1391 (void)k; (void)d; 1392 #endif 1393 } 1394 #endif /* splint */ 1395 #endif /* HAVE_SSL */ 1396 1397 void 1398 ldns_key_set_hmac_key(ldns_key *k, unsigned char *hmac) 1399 { 1400 k->_key.hmac.key = hmac; 1401 } 1402 1403 void 1404 ldns_key_set_hmac_size(ldns_key *k, size_t hmac_size) 1405 { 1406 k->_key.hmac.size = hmac_size; 1407 } 1408 1409 void 1410 ldns_key_set_external_key(ldns_key *k, void *external_key) 1411 { 1412 k->_key.external_key = external_key; 1413 } 1414 1415 void 1416 ldns_key_set_origttl(ldns_key *k, uint32_t t) 1417 { 1418 k->_extra.dnssec.orig_ttl = t; 1419 } 1420 1421 void 1422 ldns_key_set_inception(ldns_key *k, uint32_t i) 1423 { 1424 k->_extra.dnssec.inception = i; 1425 } 1426 1427 void 1428 ldns_key_set_expiration(ldns_key *k, uint32_t e) 1429 { 1430 k->_extra.dnssec.expiration = e; 1431 } 1432 1433 void 1434 ldns_key_set_pubkey_owner(ldns_key *k, ldns_rdf *r) 1435 { 1436 k->_pubkey_owner = r; 1437 } 1438 1439 void 1440 ldns_key_set_keytag(ldns_key *k, uint16_t tag) 1441 { 1442 k->_extra.dnssec.keytag = tag; 1443 } 1444 1445 /* read */ 1446 size_t 1447 ldns_key_list_key_count(const ldns_key_list *key_list) 1448 { 1449 return key_list ? key_list->_key_count : 0; 1450 } 1451 1452 ldns_key * 1453 ldns_key_list_key(const ldns_key_list *key, size_t nr) 1454 { 1455 if (nr < ldns_key_list_key_count(key)) { 1456 return key->_keys[nr]; 1457 } else { 1458 return NULL; 1459 } 1460 } 1461 1462 ldns_signing_algorithm 1463 ldns_key_algorithm(const ldns_key *k) 1464 { 1465 return k->_alg; 1466 } 1467 1468 void 1469 ldns_key_set_use(ldns_key *k, bool v) 1470 { 1471 if (k) { 1472 k->_use = v; 1473 } 1474 } 1475 1476 bool 1477 ldns_key_use(const ldns_key *k) 1478 { 1479 if (k) { 1480 return k->_use; 1481 } 1482 return false; 1483 } 1484 1485 #ifdef HAVE_SSL 1486 #ifndef S_SPLINT_S 1487 EVP_PKEY * 1488 ldns_key_evp_key(const ldns_key *k) 1489 { 1490 return k->_key.key; 1491 } 1492 1493 RSA * 1494 ldns_key_rsa_key(const ldns_key *k) 1495 { 1496 if (k->_key.key) { 1497 return EVP_PKEY_get1_RSA(k->_key.key); 1498 } else { 1499 return NULL; 1500 } 1501 } 1502 1503 DSA * 1504 ldns_key_dsa_key(const ldns_key *k) 1505 { 1506 #ifdef USE_DSA 1507 if (k->_key.key) { 1508 return EVP_PKEY_get1_DSA(k->_key.key); 1509 } else { 1510 return NULL; 1511 } 1512 #else 1513 (void)k; 1514 return NULL; 1515 #endif 1516 } 1517 #endif /* splint */ 1518 #endif /* HAVE_SSL */ 1519 1520 unsigned char * 1521 ldns_key_hmac_key(const ldns_key *k) 1522 { 1523 if (k->_key.hmac.key) { 1524 return k->_key.hmac.key; 1525 } else { 1526 return NULL; 1527 } 1528 } 1529 1530 size_t 1531 ldns_key_hmac_size(const ldns_key *k) 1532 { 1533 if (k->_key.hmac.size) { 1534 return k->_key.hmac.size; 1535 } else { 1536 return 0; 1537 } 1538 } 1539 1540 void * 1541 ldns_key_external_key(const ldns_key *k) 1542 { 1543 return k->_key.external_key; 1544 } 1545 1546 uint32_t 1547 ldns_key_origttl(const ldns_key *k) 1548 { 1549 return k->_extra.dnssec.orig_ttl; 1550 } 1551 1552 uint16_t 1553 ldns_key_flags(const ldns_key *k) 1554 { 1555 return k->_extra.dnssec.flags; 1556 } 1557 1558 uint32_t 1559 ldns_key_inception(const ldns_key *k) 1560 { 1561 return k->_extra.dnssec.inception; 1562 } 1563 1564 uint32_t 1565 ldns_key_expiration(const ldns_key *k) 1566 { 1567 return k->_extra.dnssec.expiration; 1568 } 1569 1570 uint16_t 1571 ldns_key_keytag(const ldns_key *k) 1572 { 1573 return k->_extra.dnssec.keytag; 1574 } 1575 1576 ldns_rdf * 1577 ldns_key_pubkey_owner(const ldns_key *k) 1578 { 1579 return k->_pubkey_owner; 1580 } 1581 1582 /* write */ 1583 void 1584 ldns_key_list_set_use(ldns_key_list *keys, bool v) 1585 { 1586 size_t i; 1587 1588 for (i = 0; i < ldns_key_list_key_count(keys); i++) { 1589 ldns_key_set_use(ldns_key_list_key(keys, i), v); 1590 } 1591 } 1592 1593 void 1594 ldns_key_list_set_key_count(ldns_key_list *key, size_t count) 1595 { 1596 key->_key_count = count; 1597 } 1598 1599 bool 1600 ldns_key_list_push_key(ldns_key_list *key_list, ldns_key *key) 1601 { 1602 size_t key_count; 1603 ldns_key **keys; 1604 1605 key_count = ldns_key_list_key_count(key_list); 1606 1607 /* grow the array */ 1608 keys = LDNS_XREALLOC( 1609 key_list->_keys, ldns_key *, key_count + 1); 1610 if (!keys) { 1611 return false; 1612 } 1613 1614 /* add the new member */ 1615 key_list->_keys = keys; 1616 key_list->_keys[key_count] = key; 1617 1618 ldns_key_list_set_key_count(key_list, key_count + 1); 1619 return true; 1620 } 1621 1622 ldns_key * 1623 ldns_key_list_pop_key(ldns_key_list *key_list) 1624 { 1625 size_t key_count; 1626 ldns_key** a; 1627 ldns_key *pop; 1628 1629 if (!key_list) { 1630 return NULL; 1631 } 1632 1633 key_count = ldns_key_list_key_count(key_list); 1634 if (key_count == 0) { 1635 return NULL; 1636 } 1637 1638 pop = ldns_key_list_key(key_list, key_count); 1639 1640 /* shrink the array */ 1641 a = LDNS_XREALLOC(key_list->_keys, ldns_key *, key_count - 1); 1642 if(a) { 1643 key_list->_keys = a; 1644 } 1645 1646 ldns_key_list_set_key_count(key_list, key_count - 1); 1647 1648 return pop; 1649 } 1650 1651 #ifdef HAVE_SSL 1652 #ifndef S_SPLINT_S 1653 /* data pointer must be large enough (LDNS_MAX_KEYLEN) */ 1654 static bool 1655 ldns_key_rsa2bin(unsigned char *data, RSA *k, uint16_t *size) 1656 { 1657 int i,j; 1658 const BIGNUM *n=NULL, *e=NULL; 1659 1660 if (!k) { 1661 return false; 1662 } 1663 #if OPENSSL_VERSION_NUMBER < 0x10100000 || (defined(HAVE_LIBRESSL) && LIBRESSL_VERSION_NUMBER < 0x20700000) 1664 n = k->n; 1665 e = k->e; 1666 #else 1667 RSA_get0_key(k, &n, &e, NULL); 1668 #endif 1669 1670 if (BN_num_bytes(e) <= 256) { 1671 /* normally only this path is executed (small factors are 1672 * more common 1673 */ 1674 data[0] = (unsigned char) BN_num_bytes(e); 1675 i = BN_bn2bin(e, data + 1); 1676 j = BN_bn2bin(n, data + i + 1); 1677 *size = (uint16_t) i + j; 1678 } else if (BN_num_bytes(e) <= 65536) { 1679 data[0] = 0; 1680 /* BN_bn2bin does bigendian, _uint16 also */ 1681 ldns_write_uint16(data + 1, (uint16_t) BN_num_bytes(e)); 1682 1683 BN_bn2bin(e, data + 3); 1684 BN_bn2bin(n, data + 4 + BN_num_bytes(e)); 1685 *size = (uint16_t) BN_num_bytes(n) + 6; 1686 } else { 1687 return false; 1688 } 1689 return true; 1690 } 1691 1692 #ifdef USE_DSA 1693 /* data pointer must be large enough (LDNS_MAX_KEYLEN) */ 1694 static bool 1695 ldns_key_dsa2bin(unsigned char *data, DSA *k, uint16_t *size) 1696 { 1697 uint8_t T; 1698 const BIGNUM *p, *q, *g; 1699 const BIGNUM *pub_key, *priv_key; 1700 1701 if (!k) { 1702 return false; 1703 } 1704 1705 /* See RFC2536 */ 1706 # ifdef HAVE_DSA_GET0_PQG 1707 DSA_get0_pqg(k, &p, &q, &g); 1708 # else 1709 p = k->p; q = k->q; g = k->g; 1710 # endif 1711 # ifdef HAVE_DSA_GET0_KEY 1712 DSA_get0_key(k, &pub_key, &priv_key); 1713 # else 1714 pub_key = k->pub_key; priv_key = k->priv_key; 1715 # endif 1716 (void)priv_key; 1717 *size = (uint16_t)BN_num_bytes(p); 1718 T = (*size - 64) / 8; 1719 1720 if (T > 8) { 1721 #ifdef STDERR_MSGS 1722 fprintf(stderr, "DSA key with T > 8 (ie. > 1024 bits)"); 1723 fprintf(stderr, " not implemented\n"); 1724 #endif 1725 return false; 1726 } 1727 1728 /* size = 64 + (T * 8); */ 1729 memset(data, 0, 21 + *size * 3); 1730 data[0] = (unsigned char)T; 1731 BN_bn2bin(q, data + 1 ); /* 20 octects */ 1732 BN_bn2bin(p, data + 21 ); /* offset octects */ 1733 BN_bn2bin(g, data + 21 + *size * 2 - BN_num_bytes(g)); 1734 BN_bn2bin(pub_key,data + 21 + *size * 3 - BN_num_bytes(pub_key)); 1735 *size = 21 + *size * 3; 1736 return true; 1737 } 1738 #endif /* USE_DSA */ 1739 1740 #ifdef USE_GOST 1741 static bool 1742 ldns_key_gost2bin(unsigned char* data, EVP_PKEY* k, uint16_t* size) 1743 { 1744 int i; 1745 unsigned char* pp = NULL; 1746 if(i2d_PUBKEY(k, &pp) != 37 + 64) { 1747 /* expect 37 byte(ASN header) and 64 byte(X and Y) */ 1748 free(pp); 1749 return false; 1750 } 1751 /* omit ASN header */ 1752 for(i=0; i<64; i++) 1753 data[i] = pp[i+37]; 1754 free(pp); 1755 *size = 64; 1756 return true; 1757 } 1758 #endif /* USE_GOST */ 1759 1760 #ifdef USE_ED25519 1761 static bool 1762 ldns_key_ed255192bin(unsigned char* data, EVP_PKEY* k, uint16_t* size) 1763 { 1764 int i; 1765 unsigned char* pp = NULL; 1766 if(i2d_PUBKEY(k, &pp) != 12 + 32) { 1767 /* expect 12 byte(ASN header) and 32 byte(pubkey) */ 1768 free(pp); 1769 return false; 1770 } 1771 /* omit ASN header */ 1772 for(i=0; i<32; i++) 1773 data[i] = pp[i+12]; 1774 free(pp); 1775 *size = 32; 1776 return true; 1777 } 1778 #endif /* USE_ED25519 */ 1779 1780 #ifdef USE_ED448 1781 static bool 1782 ldns_key_ed4482bin(unsigned char* data, EVP_PKEY* k, uint16_t* size) 1783 { 1784 int i; 1785 unsigned char* pp = NULL; 1786 if(i2d_PUBKEY(k, &pp) != 12 + 57) { 1787 /* expect 12 byte(ASN header) and 57 byte(pubkey) */ 1788 free(pp); 1789 return false; 1790 } 1791 /* omit ASN header */ 1792 for(i=0; i<57; i++) 1793 data[i] = pp[i+12]; 1794 free(pp); 1795 *size = 57; 1796 return true; 1797 } 1798 #endif /* USE_ED448 */ 1799 #endif /* splint */ 1800 #endif /* HAVE_SSL */ 1801 1802 ldns_rr * 1803 ldns_key2rr(const ldns_key *k) 1804 { 1805 /* this function will convert a the keydata contained in 1806 * rsa/dsa pointers to a DNSKEY rr. It will fill in as 1807 * much as it can, but it does not know about key-flags 1808 * for instance 1809 */ 1810 ldns_rr *pubkey; 1811 ldns_rdf *keybin; 1812 unsigned char *bin = NULL; 1813 uint16_t size = 0; 1814 #ifdef HAVE_SSL 1815 RSA *rsa = NULL; 1816 #ifdef USE_DSA 1817 DSA *dsa = NULL; 1818 #endif /* USE_DSA */ 1819 #endif /* HAVE_SSL */ 1820 #ifdef USE_ECDSA 1821 EC_KEY* ec; 1822 #endif 1823 int internal_data = 0; 1824 1825 if (!k) { 1826 return NULL; 1827 } 1828 pubkey = ldns_rr_new(); 1829 1830 switch (ldns_key_algorithm(k)) { 1831 case LDNS_SIGN_HMACMD5: 1832 case LDNS_SIGN_HMACSHA1: 1833 case LDNS_SIGN_HMACSHA224: 1834 case LDNS_SIGN_HMACSHA256: 1835 case LDNS_SIGN_HMACSHA384: 1836 case LDNS_SIGN_HMACSHA512: 1837 ldns_rr_set_type(pubkey, LDNS_RR_TYPE_KEY); 1838 break; 1839 default: 1840 ldns_rr_set_type(pubkey, LDNS_RR_TYPE_DNSKEY); 1841 break; 1842 } 1843 /* zero-th rdf - flags */ 1844 ldns_rr_push_rdf(pubkey, 1845 ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16, 1846 ldns_key_flags(k))); 1847 /* first - proto */ 1848 ldns_rr_push_rdf(pubkey, 1849 ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8, LDNS_DNSSEC_KEYPROTO)); 1850 1851 if (ldns_key_pubkey_owner(k)) { 1852 ldns_rr_set_owner(pubkey, ldns_rdf_clone(ldns_key_pubkey_owner(k))); 1853 } 1854 1855 /* third - da algorithm */ 1856 switch(ldns_key_algorithm(k)) { 1857 case LDNS_SIGN_RSAMD5: 1858 case LDNS_SIGN_RSASHA1: 1859 case LDNS_SIGN_RSASHA1_NSEC3: 1860 case LDNS_SIGN_RSASHA256: 1861 case LDNS_SIGN_RSASHA512: 1862 ldns_rr_push_rdf(pubkey, 1863 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k))); 1864 #ifdef HAVE_SSL 1865 rsa = ldns_key_rsa_key(k); 1866 if (rsa) { 1867 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN); 1868 if (!bin) { 1869 ldns_rr_free(pubkey); 1870 return NULL; 1871 } 1872 if (!ldns_key_rsa2bin(bin, rsa, &size)) { 1873 LDNS_FREE(bin); 1874 ldns_rr_free(pubkey); 1875 return NULL; 1876 } 1877 RSA_free(rsa); 1878 internal_data = 1; 1879 } 1880 #endif 1881 size++; 1882 break; 1883 #ifdef USE_DSA 1884 case LDNS_SIGN_DSA: 1885 ldns_rr_push_rdf(pubkey, 1886 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, LDNS_DSA)); 1887 #ifdef HAVE_SSL 1888 dsa = ldns_key_dsa_key(k); 1889 if (dsa) { 1890 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN); 1891 if (!bin) { 1892 ldns_rr_free(pubkey); 1893 return NULL; 1894 } 1895 if (!ldns_key_dsa2bin(bin, dsa, &size)) { 1896 LDNS_FREE(bin); 1897 ldns_rr_free(pubkey); 1898 return NULL; 1899 } 1900 DSA_free(dsa); 1901 internal_data = 1; 1902 } 1903 #endif /* HAVE_SSL */ 1904 #endif /* USE_DSA */ 1905 break; 1906 #ifdef USE_DSA 1907 case LDNS_SIGN_DSA_NSEC3: 1908 ldns_rr_push_rdf(pubkey, 1909 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, LDNS_DSA_NSEC3)); 1910 #ifdef HAVE_SSL 1911 dsa = ldns_key_dsa_key(k); 1912 if (dsa) { 1913 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN); 1914 if (!bin) { 1915 ldns_rr_free(pubkey); 1916 return NULL; 1917 } 1918 if (!ldns_key_dsa2bin(bin, dsa, &size)) { 1919 LDNS_FREE(bin); 1920 ldns_rr_free(pubkey); 1921 return NULL; 1922 } 1923 DSA_free(dsa); 1924 internal_data = 1; 1925 } 1926 #endif /* HAVE_SSL */ 1927 #endif /* USE_DSA */ 1928 break; 1929 case LDNS_SIGN_ECC_GOST: 1930 ldns_rr_push_rdf(pubkey, ldns_native2rdf_int8( 1931 LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k))); 1932 #if defined(HAVE_SSL) && defined(USE_GOST) 1933 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN); 1934 if (!bin) { 1935 ldns_rr_free(pubkey); 1936 return NULL; 1937 } 1938 #ifndef S_SPLINT_S 1939 if (!ldns_key_gost2bin(bin, k->_key.key, &size)) { 1940 LDNS_FREE(bin); 1941 ldns_rr_free(pubkey); 1942 return NULL; 1943 } 1944 #endif /* splint */ 1945 internal_data = 1; 1946 #else 1947 ldns_rr_free(pubkey); 1948 return NULL; 1949 #endif /* HAVE_SSL and USE_GOST */ 1950 break; 1951 case LDNS_SIGN_ECDSAP256SHA256: 1952 case LDNS_SIGN_ECDSAP384SHA384: 1953 #ifdef USE_ECDSA 1954 ldns_rr_push_rdf(pubkey, ldns_native2rdf_int8( 1955 LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k))); 1956 bin = NULL; 1957 #ifndef S_SPLINT_S 1958 ec = EVP_PKEY_get1_EC_KEY(k->_key.key); 1959 #endif 1960 EC_KEY_set_conv_form(ec, POINT_CONVERSION_UNCOMPRESSED); 1961 size = (uint16_t)i2o_ECPublicKey(ec, NULL); 1962 if(!i2o_ECPublicKey(ec, &bin)) { 1963 EC_KEY_free(ec); 1964 ldns_rr_free(pubkey); 1965 return NULL; 1966 } 1967 if(size > 1) { 1968 /* move back one byte to shave off the 0x02 1969 * 'uncompressed' indicator that openssl made 1970 * Actually its 0x04 (from implementation). 1971 */ 1972 assert(bin[0] == POINT_CONVERSION_UNCOMPRESSED); 1973 size -= 1; 1974 memmove(bin, bin+1, size); 1975 } 1976 /* down the reference count for ec, its still assigned 1977 * to the pkey */ 1978 EC_KEY_free(ec); 1979 internal_data = 1; 1980 #else 1981 ldns_rr_free(pubkey); 1982 return NULL; 1983 #endif /* ECDSA */ 1984 break; 1985 #ifdef USE_ED25519 1986 case LDNS_SIGN_ED25519: 1987 ldns_rr_push_rdf(pubkey, ldns_native2rdf_int8( 1988 LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k))); 1989 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN); 1990 if (!bin) { 1991 ldns_rr_free(pubkey); 1992 return NULL; 1993 } 1994 if (!ldns_key_ed255192bin(bin, k->_key.key, &size)) { 1995 LDNS_FREE(bin); 1996 ldns_rr_free(pubkey); 1997 return NULL; 1998 } 1999 internal_data = 1; 2000 break; 2001 #endif 2002 #ifdef USE_ED448 2003 case LDNS_SIGN_ED448: 2004 ldns_rr_push_rdf(pubkey, ldns_native2rdf_int8( 2005 LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k))); 2006 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN); 2007 if (!bin) { 2008 ldns_rr_free(pubkey); 2009 return NULL; 2010 } 2011 if (!ldns_key_ed4482bin(bin, k->_key.key, &size)) { 2012 LDNS_FREE(bin); 2013 ldns_rr_free(pubkey); 2014 return NULL; 2015 } 2016 internal_data = 1; 2017 break; 2018 #endif 2019 case LDNS_SIGN_HMACMD5: 2020 case LDNS_SIGN_HMACSHA1: 2021 case LDNS_SIGN_HMACSHA224: 2022 case LDNS_SIGN_HMACSHA256: 2023 case LDNS_SIGN_HMACSHA384: 2024 case LDNS_SIGN_HMACSHA512: 2025 bin = LDNS_XMALLOC(unsigned char, ldns_key_hmac_size(k)); 2026 if (!bin) { 2027 ldns_rr_free(pubkey); 2028 return NULL; 2029 } 2030 ldns_rr_push_rdf(pubkey, 2031 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, 2032 ldns_key_algorithm(k))); 2033 size = ldns_key_hmac_size(k); 2034 memcpy(bin, ldns_key_hmac_key(k), size); 2035 internal_data = 1; 2036 break; 2037 } 2038 /* fourth the key bin material */ 2039 if (internal_data) { 2040 keybin = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, size, bin); 2041 LDNS_FREE(bin); 2042 ldns_rr_push_rdf(pubkey, keybin); 2043 } 2044 return pubkey; 2045 } 2046 2047 void 2048 ldns_key_free(ldns_key *key) 2049 { 2050 LDNS_FREE(key); 2051 } 2052 2053 void 2054 ldns_key_deep_free(ldns_key *key) 2055 { 2056 unsigned char* hmac; 2057 if (ldns_key_pubkey_owner(key)) { 2058 ldns_rdf_deep_free(ldns_key_pubkey_owner(key)); 2059 } 2060 #ifdef HAVE_SSL 2061 if (ldns_key_evp_key(key)) { 2062 EVP_PKEY_free(ldns_key_evp_key(key)); 2063 } 2064 #endif /* HAVE_SSL */ 2065 if (ldns_key_hmac_key(key)) { 2066 hmac = ldns_key_hmac_key(key); 2067 LDNS_FREE(hmac); 2068 } 2069 LDNS_FREE(key); 2070 } 2071 2072 void 2073 ldns_key_list_free(ldns_key_list *key_list) 2074 { 2075 size_t i; 2076 for (i = 0; i < ldns_key_list_key_count(key_list); i++) { 2077 ldns_key_deep_free(ldns_key_list_key(key_list, i)); 2078 } 2079 LDNS_FREE(key_list->_keys); 2080 LDNS_FREE(key_list); 2081 } 2082 2083 ldns_rr * 2084 ldns_read_anchor_file(const char *filename) 2085 { 2086 FILE *fp; 2087 /*char line[LDNS_MAX_PACKETLEN];*/ 2088 char *line = LDNS_XMALLOC(char, LDNS_MAX_PACKETLEN); 2089 int c; 2090 size_t i = 0; 2091 ldns_rr *r; 2092 ldns_status status; 2093 if(!line) { 2094 return NULL; 2095 } 2096 2097 fp = fopen(filename, "r"); 2098 if (!fp) { 2099 #ifdef STDERR_MSGS 2100 fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno)); 2101 #endif 2102 LDNS_FREE(line); 2103 return NULL; 2104 } 2105 2106 while ((c = fgetc(fp)) && i+1 < LDNS_MAX_PACKETLEN && c != EOF) { 2107 line[i] = c; 2108 i++; 2109 } 2110 line[i] = '\0'; 2111 2112 fclose(fp); 2113 2114 if (i <= 0) { 2115 #ifdef STDERR_MSGS 2116 fprintf(stderr, "nothing read from %s", filename); 2117 #endif 2118 LDNS_FREE(line); 2119 return NULL; 2120 } else { 2121 status = ldns_rr_new_frm_str(&r, line, 0, NULL, NULL); 2122 if (status == LDNS_STATUS_OK && (ldns_rr_get_type(r) == LDNS_RR_TYPE_DNSKEY || ldns_rr_get_type(r) == LDNS_RR_TYPE_DS)) { 2123 LDNS_FREE(line); 2124 return r; 2125 } else { 2126 #ifdef STDERR_MSGS 2127 fprintf(stderr, "Error creating DNSKEY or DS rr from %s: %s\n", filename, ldns_get_errorstr_by_id(status)); 2128 #endif 2129 LDNS_FREE(line); 2130 return NULL; 2131 } 2132 } 2133 } 2134 2135 char * 2136 ldns_key_get_file_base_name(const ldns_key *key) 2137 { 2138 ldns_buffer *buffer; 2139 char *file_base_name; 2140 2141 buffer = ldns_buffer_new(255); 2142 ldns_buffer_printf(buffer, "K"); 2143 (void)ldns_rdf2buffer_str_dname(buffer, ldns_key_pubkey_owner(key)); 2144 ldns_buffer_printf(buffer, 2145 "+%03u+%05u", 2146 ldns_key_algorithm(key), 2147 ldns_key_keytag(key)); 2148 file_base_name = ldns_buffer_export(buffer); 2149 ldns_buffer_free(buffer); 2150 return file_base_name; 2151 } 2152 2153 int ldns_key_algo_supported(int algo) 2154 { 2155 ldns_lookup_table *lt = ldns_signing_algorithms; 2156 while(lt->name) { 2157 if(lt->id == algo) 2158 return 1; 2159 lt++; 2160 } 2161 return 0; 2162 } 2163 2164 ldns_signing_algorithm ldns_get_signing_algorithm_by_name(const char* name) 2165 { 2166 /* list of (signing algorithm id, alias_name) */ 2167 ldns_lookup_table aliases[] = { 2168 /* from bind dnssec-keygen */ 2169 {LDNS_SIGN_HMACMD5, "HMAC-MD5"}, 2170 #ifdef USE_DSA 2171 {LDNS_SIGN_DSA_NSEC3, "NSEC3DSA"}, 2172 #endif /* USE_DSA */ 2173 {LDNS_SIGN_RSASHA1_NSEC3, "NSEC3RSASHA1"}, 2174 /* old ldns usage, now RFC names */ 2175 #ifdef USE_DSA 2176 {LDNS_SIGN_DSA_NSEC3, "DSA_NSEC3" }, 2177 #endif 2178 {LDNS_SIGN_RSASHA1_NSEC3, "RSASHA1_NSEC3" }, 2179 #ifdef USE_GOST 2180 {LDNS_SIGN_ECC_GOST, "GOST"}, 2181 #endif 2182 /* compat with possible output */ 2183 {LDNS_DH, "DH"}, 2184 {LDNS_ECC, "ECC"}, 2185 {LDNS_INDIRECT, "INDIRECT"}, 2186 {LDNS_PRIVATEDNS, "PRIVATEDNS"}, 2187 {LDNS_PRIVATEOID, "PRIVATEOID"}, 2188 {0, NULL}}; 2189 ldns_lookup_table* lt = ldns_signing_algorithms; 2190 ldns_signing_algorithm a; 2191 char *endptr; 2192 2193 while(lt->name) { 2194 if(strcasecmp(lt->name, name) == 0) 2195 return lt->id; 2196 lt++; 2197 } 2198 lt = aliases; 2199 while(lt->name) { 2200 if(strcasecmp(lt->name, name) == 0) 2201 return lt->id; 2202 lt++; 2203 } 2204 a = strtol(name, &endptr, 10); 2205 if (*name && !*endptr) 2206 return a; 2207 2208 return 0; 2209 } 2210