00001 #include <ldns/config.h>
00002
00003 #include <ldns/ldns.h>
00004
00005 #include <ldns/dnssec.h>
00006 #include <ldns/dnssec_sign.h>
00007
00008 #include <strings.h>
00009 #include <time.h>
00010
00011 #ifdef HAVE_SSL
00012
00013
00014
00015 #include <openssl/ssl.h>
00016 #include <openssl/evp.h>
00017 #include <openssl/rand.h>
00018 #include <openssl/err.h>
00019 #include <openssl/md5.h>
00020
00021
00026 ldns_rr_list *
00027 ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys)
00028 {
00029 ldns_rr_list *signatures;
00030 ldns_rr_list *rrset_clone;
00031 ldns_rr *current_sig;
00032 ldns_rdf *b64rdf;
00033 ldns_key *current_key;
00034 size_t key_count;
00035 uint16_t i;
00036 ldns_buffer *sign_buf;
00037 uint32_t orig_ttl;
00038 time_t now;
00039 uint8_t label_count;
00040 ldns_rdf *first_label;
00041 ldns_rdf *wildcard_label;
00042 ldns_rdf *new_owner;
00043
00044 if (!rrset || ldns_rr_list_rr_count(rrset) < 1 || !keys) {
00045 return NULL;
00046 }
00047
00048 key_count = 0;
00049 signatures = ldns_rr_list_new();
00050
00051
00052
00053 rrset_clone = ldns_rr_list_clone(rrset);
00054 if (!rrset_clone) {
00055 return NULL;
00056 }
00057
00058
00059 label_count = ldns_dname_label_count(ldns_rr_owner(ldns_rr_list_rr(rrset, 0)));
00060 (void) ldns_str2rdf_dname(&wildcard_label, "*");
00061 first_label = ldns_dname_label(ldns_rr_owner(ldns_rr_list_rr(rrset, 0)), 0);
00062 if (ldns_rdf_compare(first_label, wildcard_label) == 0) {
00063 label_count--;
00064 for (i = 0; i < ldns_rr_list_rr_count(rrset_clone); i++) {
00065 new_owner = ldns_dname_cat_clone(wildcard_label,
00066 ldns_dname_left_chop(ldns_rr_owner(ldns_rr_list_rr(rrset_clone, i))));
00067 ldns_rr_set_owner(ldns_rr_list_rr(rrset_clone, i), new_owner);
00068 }
00069 }
00070 ldns_rdf_deep_free(wildcard_label);
00071 ldns_rdf_deep_free(first_label);
00072
00073
00074 for(i = 0; i < ldns_rr_list_rr_count(rrset_clone); i++) {
00075 ldns_rr2canonical(ldns_rr_list_rr(rrset_clone, i));
00076 }
00077
00078 ldns_rr_list_sort(rrset_clone);
00079
00080 for (key_count = 0; key_count < ldns_key_list_key_count(keys); key_count++) {
00081 if (!ldns_key_use(ldns_key_list_key(keys, key_count))) {
00082 continue;
00083 }
00084 sign_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
00085 if (!sign_buf) {
00086 printf("[XX]ERROR NO SIGN BUG, OUT OF MEM?\n");
00087 ldns_rr_list_print(stdout, rrset_clone);
00088 while(true) {
00089 sleep(1);
00090 printf(".");
00091 fflush(stdout);
00092 }
00093 exit(123);
00094 }
00095 b64rdf = NULL;
00096
00097 current_key = ldns_key_list_key(keys, key_count);
00098
00099
00100 if (
00101 ldns_key_flags(current_key) & LDNS_KEY_ZONE_KEY &&
00102 (!(ldns_key_flags(current_key) & LDNS_KEY_SEP_KEY) ||
00103 ldns_rr_get_type(ldns_rr_list_rr(rrset, 0)) == LDNS_RR_TYPE_DNSKEY)
00104 ) {
00105 current_sig = ldns_rr_new_frm_type(LDNS_RR_TYPE_RRSIG);
00106
00107
00108 orig_ttl = ldns_rr_ttl(ldns_rr_list_rr(rrset, 0));
00109
00110 ldns_rr_set_ttl(current_sig, orig_ttl);
00111 ldns_rr_set_owner(current_sig,
00112 ldns_rdf_clone(ldns_rr_owner(ldns_rr_list_rr(rrset_clone, 0))));
00113
00114
00115
00116
00117 (void)ldns_rr_rrsig_set_origttl(current_sig,
00118 ldns_native2rdf_int32(LDNS_RDF_TYPE_INT32, orig_ttl));
00119
00120
00121 (void)ldns_rr_rrsig_set_signame(current_sig,
00122 ldns_rdf_clone(ldns_key_pubkey_owner(current_key)));
00123
00124 (void)ldns_rr_rrsig_set_labels(current_sig,
00125 ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8, label_count));
00126
00127 now = time(NULL);
00128 if (ldns_key_inception(current_key) != 0) {
00129 (void)ldns_rr_rrsig_set_inception(current_sig,
00130 ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME,
00131 ldns_key_inception(current_key)));
00132 } else {
00133 (void)ldns_rr_rrsig_set_inception(current_sig,
00134 ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME, now));
00135 }
00136 if (ldns_key_expiration(current_key) != 0) {
00137 (void)ldns_rr_rrsig_set_expiration(current_sig,
00138 ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME,
00139 ldns_key_expiration(current_key)));
00140 } else {
00141 (void)ldns_rr_rrsig_set_expiration(current_sig,
00142 ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME,
00143 now + LDNS_DEFAULT_EXP_TIME));
00144 }
00145
00146
00147
00148 (void)ldns_rr_rrsig_set_keytag(current_sig,
00149 ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16,
00150 ldns_key_keytag(current_key)));
00151
00152
00153 (void)ldns_rr_rrsig_set_algorithm(current_sig,
00154 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG,
00155 ldns_key_algorithm(current_key)));
00156
00157 (void)ldns_rr_rrsig_set_typecovered(current_sig,
00158 ldns_native2rdf_int16(LDNS_RDF_TYPE_TYPE,
00159 ldns_rr_get_type(ldns_rr_list_rr(rrset_clone, 0))));
00160
00161
00162
00163
00164 if (ldns_rrsig2buffer_wire(sign_buf, current_sig) != LDNS_STATUS_OK) {
00165 ldns_buffer_free(sign_buf);
00166
00167 ldns_rr_list_deep_free(rrset_clone);
00168 return NULL;
00169 }
00170
00171
00172 if (ldns_rr_list2buffer_wire(sign_buf, rrset_clone) != LDNS_STATUS_OK) {
00173 ldns_buffer_free(sign_buf);
00174 ldns_rr_list_deep_free(rrset_clone);
00175 return NULL;
00176 }
00177
00178 switch(ldns_key_algorithm(current_key)) {
00179 case LDNS_SIGN_DSA:
00180 case LDNS_DSA_NSEC3:
00181 b64rdf = ldns_sign_public_evp(sign_buf, ldns_key_evp_key(current_key), EVP_dss1());
00182
00183 break;
00184 case LDNS_SIGN_RSASHA1:
00185 case LDNS_SIGN_RSASHA1_NSEC3:
00186 b64rdf = ldns_sign_public_evp(sign_buf, ldns_key_evp_key(current_key), EVP_sha1());
00187 break;
00188 #ifdef SHA256_DIGEST_LENGTH
00189 case LDNS_SIGN_RSASHA256:
00190 case LDNS_SIGN_RSASHA256_NSEC3:
00191 b64rdf = ldns_sign_public_evp(sign_buf, ldns_key_evp_key(current_key), EVP_sha256());
00192 break;
00193 #endif
00194 #ifdef SHA512_DIGEST_LENGTH
00195 case LDNS_SIGN_RSASHA512:
00196 case LDNS_SIGN_RSASHA512_NSEC3:
00197 b64rdf = ldns_sign_public_evp(sign_buf, ldns_key_evp_key(current_key), EVP_sha512());
00198
00199 break;
00200 #endif
00201 case LDNS_SIGN_RSAMD5:
00202 b64rdf = ldns_sign_public_evp(sign_buf, ldns_key_evp_key(current_key), EVP_md5());
00203 break;
00204 default:
00205
00206 printf("unknown algorithm, is the one used available on this system?\n");
00207 break;
00208 }
00209 if (!b64rdf) {
00210
00211 ldns_rr_list_deep_free(rrset_clone);
00212 return NULL;
00213 }
00214 ldns_rr_rrsig_set_sig(current_sig, b64rdf);
00215
00216
00217 ldns_rr_list_push_rr(signatures, current_sig);
00218 }
00219 ldns_buffer_free(sign_buf);
00220 }
00221 ldns_rr_list_deep_free(rrset_clone);
00222
00223 return signatures;
00224 }
00225
00234 ldns_rdf *
00235 ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key)
00236 {
00237 unsigned char *sha1_hash;
00238 ldns_rdf *sigdata_rdf;
00239 ldns_buffer *b64sig;
00240
00241 DSA_SIG *sig;
00242 uint8_t *data;
00243 size_t pad;
00244
00245 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN);
00246 if (!b64sig) {
00247 return NULL;
00248 }
00249
00250 sha1_hash = SHA1((unsigned char*)ldns_buffer_begin(to_sign),
00251 ldns_buffer_position(to_sign), NULL);
00252 if (!sha1_hash) {
00253 ldns_buffer_free(b64sig);
00254 return NULL;
00255 }
00256
00257
00258 sig = DSA_do_sign(sha1_hash, SHA_DIGEST_LENGTH, key);
00259
00260 data = LDNS_XMALLOC(uint8_t, 1 + 2 * SHA_DIGEST_LENGTH);
00261
00262 data[0] = 1;
00263 pad = 20 - (size_t) BN_num_bytes(sig->r);
00264 if (pad > 0) {
00265 memset(data + 1, 0, pad);
00266 }
00267 BN_bn2bin(sig->r, (unsigned char *) (data + 1) + pad);
00268
00269 pad = 20 - (size_t) BN_num_bytes(sig->s);
00270 if (pad > 0) {
00271 memset(data + 1 + SHA_DIGEST_LENGTH, 0, pad);
00272 }
00273 BN_bn2bin(sig->s, (unsigned char *) (data + 1 + SHA_DIGEST_LENGTH + pad));
00274
00275 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, 1 + 2 * SHA_DIGEST_LENGTH, data);
00276
00277 ldns_buffer_free(b64sig);
00278 LDNS_FREE(data);
00279
00280 return sigdata_rdf;
00281 }
00282
00283 ldns_rdf *
00284 ldns_sign_public_evp(ldns_buffer *to_sign,
00285 EVP_PKEY *key,
00286 const EVP_MD *digest_type)
00287 {
00288 unsigned int siglen;
00289 ldns_rdf *sigdata_rdf;
00290 ldns_buffer *b64sig;
00291 EVP_MD_CTX ctx;
00292 const EVP_MD *md_type;
00293 int r;
00294
00295 siglen = 0;
00296 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN);
00297 if (!b64sig) {
00298 return NULL;
00299 }
00300
00301
00302 md_type = digest_type;
00303 if(!md_type) {
00304 printf("Unknown message digest");
00305 exit(1);
00306 }
00307
00308 EVP_MD_CTX_init(&ctx);
00309 r = EVP_SignInit(&ctx, md_type);
00310 if(r == 1)
00311 r = EVP_SignUpdate(&ctx, (unsigned char*)
00312 ldns_buffer_begin(to_sign),
00313 ldns_buffer_position(to_sign));
00314 if(r == 1)
00315 r = EVP_SignFinal(&ctx, (unsigned char*)
00316 ldns_buffer_begin(b64sig), &siglen, key);
00317 if(r != 1) {
00318 ldns_buffer_free(b64sig);
00319 return NULL;
00320 }
00321
00322 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen,
00323 ldns_buffer_begin(b64sig));
00324 ldns_buffer_free(b64sig);
00325 EVP_MD_CTX_cleanup(&ctx);
00326 return sigdata_rdf;
00327 }
00328
00329
00330 ldns_rdf *
00331 ldns_sign_public_rsasha1(ldns_buffer *to_sign, RSA *key)
00332 {
00333 unsigned char *sha1_hash;
00334 unsigned int siglen;
00335 ldns_rdf *sigdata_rdf;
00336 ldns_buffer *b64sig;
00337 int result;
00338
00339 siglen = 0;
00340 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN);
00341 if (!b64sig) {
00342 return NULL;
00343 }
00344
00345 sha1_hash = SHA1((unsigned char*)ldns_buffer_begin(to_sign),
00346 ldns_buffer_position(to_sign), NULL);
00347 if (!sha1_hash) {
00348 ldns_buffer_free(b64sig);
00349 return NULL;
00350 }
00351
00352 result = RSA_sign(NID_sha1, sha1_hash, SHA_DIGEST_LENGTH,
00353 (unsigned char*)ldns_buffer_begin(b64sig),
00354 &siglen, key);
00355 if (result != 1) {
00356 return NULL;
00357 }
00358
00359 if (result != 1) {
00360 return NULL;
00361 }
00362
00363 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen,
00364 ldns_buffer_begin(b64sig));
00365 ldns_buffer_free(b64sig);
00366 return sigdata_rdf;
00367 }
00368
00369 ldns_rdf *
00370 ldns_sign_public_rsamd5(ldns_buffer *to_sign, RSA *key)
00371 {
00372 unsigned char *md5_hash;
00373 unsigned int siglen;
00374 ldns_rdf *sigdata_rdf;
00375 ldns_buffer *b64sig;
00376
00377 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN);
00378 if (!b64sig) {
00379 return NULL;
00380 }
00381
00382 md5_hash = MD5((unsigned char*)ldns_buffer_begin(to_sign),
00383 ldns_buffer_position(to_sign), NULL);
00384 if (!md5_hash) {
00385 ldns_buffer_free(b64sig);
00386 return NULL;
00387 }
00388
00389 RSA_sign(NID_md5, md5_hash, MD5_DIGEST_LENGTH,
00390 (unsigned char*)ldns_buffer_begin(b64sig),
00391 &siglen, key);
00392
00393 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen,
00394 ldns_buffer_begin(b64sig));
00395 ldns_buffer_free(b64sig);
00396 return sigdata_rdf;
00397 }
00398
00399 ldns_status
00400 ldns_dnssec_zone_create_nsecs(ldns_dnssec_zone *zone,
00401 ldns_rr_list *new_rrs)
00402 {
00403 ldns_rbnode_t *first_name_node;
00404 ldns_rbnode_t *current_name_node;
00405 ldns_dnssec_name *first_name;
00406 ldns_dnssec_name *current_name;
00407 ldns_status result = LDNS_STATUS_OK;
00408 ldns_rr *nsec_rr;
00409
00410 if (!zone || !new_rrs || !zone->names) {
00411 return LDNS_STATUS_ERR;
00412 }
00413
00414 first_name_node = ldns_rbtree_first(zone->names);
00415 first_name = (ldns_dnssec_name *) first_name_node->data;
00416
00417 current_name_node = first_name_node;
00418 current_name = first_name;
00419
00420 while (ldns_rbtree_next(current_name_node) != LDNS_RBTREE_NULL) {
00421 nsec_rr = ldns_dnssec_create_nsec(current_name,
00422 (ldns_dnssec_name *) ldns_rbtree_next(current_name_node)->data,
00423 LDNS_RR_TYPE_NSEC);
00424 ldns_dnssec_name_add_rr(current_name, nsec_rr);
00425 ldns_rr_list_push_rr(new_rrs, nsec_rr);
00426 current_name_node = ldns_rbtree_next(current_name_node);
00427 current_name = (ldns_dnssec_name *) current_name_node->data;
00428 }
00429 nsec_rr = ldns_dnssec_create_nsec(current_name,
00430 first_name,
00431 LDNS_RR_TYPE_NSEC);
00432 result = ldns_dnssec_name_add_rr(current_name, nsec_rr);
00433 if (result != LDNS_STATUS_OK) {
00434 return result;
00435 }
00436 ldns_rr_list_push_rr(new_rrs, nsec_rr);
00437
00438
00439 return result;
00440 }
00441
00442 ldns_dnssec_rrs *
00443 ldns_dnssec_remove_signatures(ldns_dnssec_rrs *signatures,
00444 ldns_key_list *key_list,
00445 int (*func)(ldns_rr *, void *),
00446 void *arg)
00447 {
00448 ldns_dnssec_rrs *base_rrs = signatures;
00449 ldns_dnssec_rrs *cur_rr = base_rrs;
00450 ldns_dnssec_rrs *prev_rr = NULL;
00451 ldns_dnssec_rrs *next_rr;
00452
00453 uint16_t keytag;
00454 size_t i;
00455 int v;
00456
00457 key_list = key_list;
00458
00459 if (!cur_rr) {
00460 switch(func(NULL, arg)) {
00461 case LDNS_SIGNATURE_LEAVE_ADD_NEW:
00462 case LDNS_SIGNATURE_REMOVE_ADD_NEW:
00463 break;
00464 case LDNS_SIGNATURE_LEAVE_NO_ADD:
00465 case LDNS_SIGNATURE_REMOVE_NO_ADD:
00466 ldns_key_list_set_use(key_list, false);
00467 break;
00468 default:
00469 fprintf(stderr, "[XX] unknown return value from callback\n");
00470 break;
00471 }
00472 return NULL;
00473 }
00474 v = func(cur_rr->rr, arg);
00475
00476 while (cur_rr) {
00477 next_rr = cur_rr->next;
00478
00479 switch (func(cur_rr->rr, arg)) {
00480 case LDNS_SIGNATURE_LEAVE_ADD_NEW:
00481 prev_rr = cur_rr;
00482 break;
00483 case LDNS_SIGNATURE_LEAVE_NO_ADD:
00484 keytag = ldns_rdf2native_int16(ldns_rr_rrsig_keytag(cur_rr->rr));
00485 for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
00486 if (ldns_key_keytag(ldns_key_list_key(key_list, i)) ==
00487 keytag) {
00488 ldns_key_set_use(ldns_key_list_key(key_list, i),
00489 false);
00490 }
00491 }
00492 prev_rr = cur_rr;
00493 break;
00494 case LDNS_SIGNATURE_REMOVE_NO_ADD:
00495 keytag = ldns_rdf2native_int16(ldns_rr_rrsig_keytag(cur_rr->rr));
00496 for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
00497 if (ldns_key_keytag(ldns_key_list_key(key_list, i)) ==
00498 keytag) {
00499 ldns_key_set_use(ldns_key_list_key(key_list, i),
00500 false);
00501 }
00502 }
00503 if (prev_rr) {
00504 prev_rr->next = next_rr;
00505 } else {
00506 base_rrs = next_rr;
00507 }
00508 LDNS_FREE(cur_rr);
00509 break;
00510 case LDNS_SIGNATURE_REMOVE_ADD_NEW:
00511 if (prev_rr) {
00512 prev_rr->next = next_rr;
00513 } else {
00514 base_rrs = next_rr;
00515 }
00516 LDNS_FREE(cur_rr);
00517 break;
00518 default:
00519 fprintf(stderr, "[XX] unknown return value from callback\n");
00520 break;
00521 }
00522 cur_rr = next_rr;
00523 }
00524
00525 return base_rrs;
00526 }
00527
00528 ldns_status
00529 ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone *zone,
00530 ldns_rr_list *new_rrs,
00531 ldns_key_list *key_list,
00532 int (*func)(ldns_rr *, void*),
00533 void *arg)
00534 {
00535 ldns_status result = LDNS_STATUS_OK;
00536
00537 ldns_rbnode_t *cur_node;
00538 ldns_rr_list *rr_list;
00539
00540 ldns_dnssec_name *cur_name;
00541 ldns_dnssec_rrsets *cur_rrset;
00542 ldns_dnssec_rrs *cur_rr;
00543
00544 ldns_rr_list *siglist;
00545
00546 size_t i;
00547
00548 ldns_rr_list *pubkey_list = ldns_rr_list_new();
00549 zone = zone;
00550 new_rrs = new_rrs;
00551 key_list = key_list;
00552 for (i = 0; i<ldns_key_list_key_count(key_list); i++) {
00553 ldns_rr_list_push_rr(pubkey_list, ldns_key2rr(ldns_key_list_key(key_list, i)));
00554 }
00555
00556
00557 cur_node = ldns_rbtree_first(zone->names);
00558 while (cur_node != LDNS_RBTREE_NULL) {
00559 cur_name = (ldns_dnssec_name *) cur_node->data;
00560
00561 cur_rrset = cur_name->rrsets;
00562 while (cur_rrset) {
00563
00564 ldns_key_list_set_use(key_list, true);
00565
00566
00567 cur_rrset->signatures = ldns_dnssec_remove_signatures(cur_rrset->signatures,
00568 key_list,
00569 func,
00570 arg);
00571
00572
00573 rr_list = ldns_rr_list_new();
00574
00575 cur_rr = cur_rrset->rrs;
00576 while (cur_rr) {
00577 ldns_rr_list_push_rr(rr_list, cur_rr->rr);
00578 cur_rr = cur_rr->next;
00579 }
00580
00581 siglist = ldns_sign_public(rr_list, key_list);
00582 for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) {
00583 if (cur_rrset->signatures) {
00584 ldns_dnssec_rrs_add_rr(cur_rrset->signatures,
00585 ldns_rr_list_rr(siglist, i));
00586 } else {
00587 cur_rrset->signatures = ldns_dnssec_rrs_new();
00588 cur_rrset->signatures->rr = ldns_rr_list_rr(siglist, i);
00589 ldns_rr_list_push_rr(new_rrs, ldns_rr_list_rr(siglist, i));
00590 }
00591 }
00592
00593
00594 ldns_rr_list_free(siglist);
00595 ldns_rr_list_free(rr_list);
00596
00597 cur_rrset = cur_rrset->next;
00598 }
00599
00600
00601 cur_name->nsec_signatures = ldns_dnssec_remove_signatures(cur_name->nsec_signatures,
00602 key_list,
00603 func,
00604 arg);
00605
00606 rr_list = ldns_rr_list_new();
00607 ldns_rr_list_push_rr(rr_list, cur_name->nsec);
00608 siglist = ldns_sign_public(rr_list, key_list);
00609
00610 for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) {
00611 if (cur_name->nsec_signatures) {
00612 ldns_dnssec_rrs_add_rr(cur_name->nsec_signatures,
00613 ldns_rr_list_rr(siglist, i));
00614 } else {
00615 cur_name->nsec_signatures = ldns_dnssec_rrs_new();
00616 cur_name->nsec_signatures->rr = ldns_rr_list_rr(siglist, i);
00617 ldns_rr_list_push_rr(new_rrs, ldns_rr_list_rr(siglist, i));
00618 }
00619 }
00620
00621
00622
00623
00624
00625
00626
00627
00628
00629 ldns_rr_list_free(siglist);
00630 ldns_rr_list_free(rr_list);
00631
00632 cur_node = ldns_rbtree_next(cur_node);
00633 }
00634
00635 return result;
00636 }
00637
00638 ldns_status
00639 ldns_dnssec_zone_sign(ldns_dnssec_zone *zone,
00640 ldns_rr_list *new_rrs,
00641 ldns_key_list *key_list,
00642 int (*func)(ldns_rr *, void *),
00643 void *arg)
00644 {
00645 ldns_status result = LDNS_STATUS_OK;
00646
00647 if (!zone || !new_rrs || !key_list) {
00648 return LDNS_STATUS_ERR;
00649 }
00650
00651
00652
00653
00654 if (zone->names && !((ldns_dnssec_name *)zone->names->root->data)->nsec) {
00655 result = ldns_dnssec_zone_create_nsecs(zone, new_rrs);
00656 if (result != LDNS_STATUS_OK) {
00657 return result;
00658 }
00659 }
00660
00661 printf("[XX] Create signatures!\n");
00662 result = ldns_dnssec_zone_create_rrsigs(zone,
00663 new_rrs,
00664 key_list,
00665 func,
00666 arg);
00667 printf("[XX] done\n");
00668
00669 return result;
00670 }
00671
00672 ldns_status
00673 ldns_dnssec_zone_sign_nsec3(ldns_dnssec_zone *zone,
00674 ldns_rr_list *new_rrs,
00675 ldns_key_list *key_list,
00676 int (*func)(ldns_rr *, void *),
00677 void *arg,
00678 uint8_t algorithm,
00679 uint8_t flags,
00680 uint16_t iterations,
00681 uint8_t salt_length,
00682 uint8_t *salt)
00683 {
00684 ldns_rr *nsec3, *nsec3params;
00685 ldns_status result = LDNS_STATUS_OK;
00686
00687
00688
00689
00690 if (zone->names) {
00691
00692 ldns_dnssec_zone_add_empty_nonterminals(zone);
00693
00694 nsec3 = ((ldns_dnssec_name *)zone->names->root->data)->nsec;
00695 if (nsec3 && ldns_rr_get_type(nsec3) == LDNS_RR_TYPE_NSEC3) {
00696
00697 } else {
00698 if (!ldns_dnssec_zone_find_rrset(zone,
00699 zone->soa->name,
00700 LDNS_RR_TYPE_NSEC3PARAMS)) {
00701
00702 nsec3params = ldns_rr_new_frm_type(LDNS_RR_TYPE_NSEC3PARAMS);
00703 ldns_rr_set_owner(nsec3params, ldns_rdf_clone(zone->soa->name));
00704 ldns_nsec3_add_param_rdfs(nsec3params, algorithm, flags, iterations, salt_length, salt);
00705 ldns_dnssec_zone_add_rr(zone, nsec3params);
00706 ldns_rr_list_push_rr(new_rrs, nsec3params);
00707 }
00708 result = ldns_dnssec_zone_create_nsec3s(zone,
00709 new_rrs,
00710 algorithm,
00711 flags,
00712 iterations,
00713 salt_length,
00714 salt);
00715 if (result != LDNS_STATUS_OK) {
00716 return result;
00717 }
00718 }
00719
00720 result = ldns_dnssec_zone_create_rrsigs(zone,
00721 new_rrs,
00722 key_list,
00723 func,
00724 arg);
00725 }
00726
00727 return result;
00728 }
00729
00730
00731 ldns_zone *
00732 ldns_zone_sign(const ldns_zone *zone, ldns_key_list *key_list)
00733 {
00734
00735
00736
00737
00738
00739
00740
00741
00742
00743
00744 zone = zone;
00745 key_list = key_list;
00746 return NULL;
00747 #if 0
00748
00749 ldns_zone *signed_zone;
00750
00751
00752
00753 ldns_rr_list *cur_rrsigs;
00754
00755 ldns_rr_list *orig_zone_rrs;
00756 ldns_rr_list *signed_zone_rrs;
00757 ldns_rr_list *pubkeys;
00758 ldns_rr_list *glue_rrs;
00759 ldns_rr_list *rrsig_rrs = NULL;
00760
00761
00762
00763
00764
00765
00766
00767
00768 ldns_rr *ckey;
00769 uint16_t i;
00770
00771 signed_zone = ldns_zone_new();
00772
00773
00774 cur_rrsigs = NULL;
00775 ldns_zone_set_soa(signed_zone, ldns_rr_clone(ldns_zone_soa(zone)));
00776 ldns_rr2canonical(ldns_zone_soa(signed_zone));
00777
00778 orig_zone_rrs = ldns_rr_list_clone(ldns_zone_rrs(zone));
00779
00780 ldns_rr_list_push_rr(orig_zone_rrs, ldns_rr_clone(ldns_zone_soa(zone)));
00781
00782
00783 for (i = 0; i < ldns_rr_list_rr_count(orig_zone_rrs); i++) {
00784 ldns_rr2canonical(ldns_rr_list_rr(orig_zone_rrs, i));
00785 }
00786 glue_rrs = ldns_zone_glue_rr_list(zone);
00787
00788
00789 pubkeys = ldns_rr_list_new();
00790 for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
00791 ckey = ldns_key2rr(ldns_key_list_key(key_list, i));
00792 ldns_rr_list_push_rr(pubkeys, ckey);
00793 }
00794
00795 signed_zone_rrs = ldns_rr_list_strip_dnssec(orig_zone_rrs, NULL);
00796
00797 ldns_rr_list_deep_free(orig_zone_rrs);
00798
00799 if (!signed_zone_rrs) {
00800 printf("error!\n");
00801 exit(1);
00802 }
00803
00804
00805 ldns_rr_list_sort(signed_zone_rrs);
00806
00807
00808
00809
00810
00811
00812
00813
00814
00815
00816
00817
00818
00819
00820
00821
00822
00823 ldns_rr_list_cat(signed_zone_rrs, rrsig_rrs);
00824 ldns_rr_list_free(rrsig_rrs);
00825
00826 ldns_rr_list_deep_free(ldns_zone_rrs(signed_zone));
00827 ldns_zone_set_rrs(signed_zone, ldns_rr_list_clone(signed_zone_rrs));
00828
00829 ldns_rr_list_deep_free(signed_zone_rrs);
00830 ldns_rr_list_deep_free(pubkeys);
00831 ldns_rr_list_free(glue_rrs);
00832
00833 return signed_zone;
00834 #endif
00835 }
00836
00837 ldns_zone *
00838 ldns_zone_sign_nsec3(ldns_zone *zone, ldns_key_list *key_list, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt)
00839 {
00840 zone = zone;
00841 key_list = key_list;
00842 algorithm = algorithm;
00843 flags = flags;
00844 iterations = iterations;
00845 salt_length = salt_length;
00846 salt = salt;
00847 return NULL;
00848 #if 0
00849
00850
00851
00852
00853
00854
00855
00856
00857
00858
00859
00860
00861 ldns_zone *signed_zone;
00862 ldns_rr_list *cur_rrset;
00863 ldns_rr_list *cur_rrsigs;
00864 ldns_rr_list *orig_zone_rrs;
00865 ldns_rr_list *signed_zone_rrs;
00866 ldns_rr_list *pubkeys;
00867 ldns_rr_list *glue_rrs;
00868 ldns_rr_list *nsec3_rrs;
00869 ldns_rr *nsec3params;
00870
00871 ldns_status status;
00872
00873 ldns_rdf *start_dname = NULL;
00874 ldns_rdf *cur_dname = NULL;
00875 ldns_rr *next_rr = NULL;
00876 ldns_rdf *next_dname = NULL;
00877 char *next_nsec_owner_str = NULL;
00878 ldns_rdf *next_nsec_rdf = NULL;
00879 ldns_rr *nsec;
00880 ldns_rr *ckey;
00881 uint16_t i;
00882 uint16_t next_label_count;
00883 uint16_t cur_label_count;
00884
00885
00886 uint16_t j;
00887 ldns_rdf *l1, *l2, *post, *post2;
00888 bool found_difference;
00889
00890 ldns_rr_type cur_rrset_type;
00891
00892 signed_zone = ldns_zone_new();
00893
00894
00895 cur_rrsigs = NULL;
00896 ldns_zone_set_soa(signed_zone, ldns_rr_clone(ldns_zone_soa(zone)));
00897
00898
00899 orig_zone_rrs = ldns_rr_list_clone(ldns_zone_rrs(zone));
00900
00901 ldns_rr_list_push_rr(orig_zone_rrs, ldns_rr_clone(ldns_zone_soa(zone)));
00902
00903
00904
00905
00906
00907
00908
00909 glue_rrs = ldns_zone_glue_rr_list(zone);
00910
00911
00912 nsec3params = ldns_rr_new_frm_type(LDNS_RR_TYPE_NSEC3PARAMS);
00913 ldns_rr_set_owner(nsec3params, ldns_rdf_clone(ldns_rr_owner(ldns_zone_soa(signed_zone))));
00914 ldns_nsec3_add_param_rdfs(nsec3params, algorithm, flags, iterations, salt_length, salt);
00915
00916 ldns_rr_list_push_rr(orig_zone_rrs, nsec3params);
00917
00918
00919
00920
00921
00922 pubkeys = ldns_rr_list_new();
00923 for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
00924 ckey = ldns_key2rr(ldns_key_list_key(key_list, i));
00925 ldns_rr_list_push_rr(pubkeys, ckey);
00926 }
00927
00928 signed_zone_rrs = ldns_rr_list_new();
00929
00930 ldns_rr_list_sort(orig_zone_rrs);
00931
00932 nsec3_rrs = ldns_rr_list_new();
00933
00934
00935 for (i = 0; i < ldns_rr_list_rr_count(orig_zone_rrs); i++) {
00936 if (!start_dname) {
00937
00938 start_dname = ldns_rr_owner(ldns_rr_list_rr(orig_zone_rrs, i));
00939 cur_dname = start_dname;
00940 } else {
00941
00942 next_rr = ldns_rr_list_rr(orig_zone_rrs, i);
00943 next_dname = ldns_rr_owner(next_rr);
00944 if (ldns_rdf_compare(cur_dname, next_dname) != 0) {
00945
00946
00947
00948
00949
00950
00951
00952
00953
00954 cur_label_count = ldns_dname_label_count(cur_dname);
00955 next_label_count = ldns_dname_label_count(next_dname);
00956 post = ldns_dname_new_frm_str(".");
00957 found_difference = false;
00958 for (j = 1; j <= cur_label_count && j <= next_label_count && !found_difference; j++) {
00959 l1 = ldns_dname_label(cur_dname, cur_label_count - j);
00960 l2 = ldns_dname_label(next_dname, next_label_count - j);
00961
00962 post2 = ldns_dname_cat_clone(l2, post);
00963 ldns_rdf_deep_free(post);
00964 post = post2;
00965
00966 if (ldns_dname_compare(l1, l2) != 0 &&
00967
00968 j < next_label_count
00969 ) {
00970
00971
00972
00973
00974
00975 found_difference = true;
00976 nsec = ldns_create_nsec3(post,
00977 ldns_rr_owner(ldns_zone_soa(zone)),
00978 orig_zone_rrs,
00979 algorithm,
00980 false,
00981 iterations,
00982 salt_length,
00983 salt,
00984 true);
00985
00986
00987
00988
00989
00990
00991 ldns_rr_set_ttl(nsec, ldns_rdf2native_int32(ldns_rr_rdf(ldns_zone_soa(zone), 6)));
00992 ldns_rr_list_push_rr(nsec3_rrs, nsec);
00993 }
00994 ldns_rdf_deep_free(l1);
00995 ldns_rdf_deep_free(l2);
00996 }
00997
00998
00999 if (!found_difference && j < cur_label_count && j < next_label_count) {
01000 l2 = ldns_dname_label(next_dname, next_label_count - j);
01001 post2 = ldns_dname_cat_clone(l2, post);
01002 ldns_rdf_deep_free(post);
01003 post = post2;
01004 j++;
01005 }
01006 while (j < next_label_count) {
01007 l2 = ldns_dname_label(next_dname, next_label_count - j);
01008 post2 = ldns_dname_cat_clone(l2, post);
01009 ldns_rdf_deep_free(post);
01010 post = post2;
01011
01012
01013
01014
01015
01016 ldns_rdf_deep_free(l2);
01017 j++;
01018 nsec = ldns_create_nsec3(post,
01019 ldns_rr_owner(ldns_zone_soa(zone)),
01020 orig_zone_rrs,
01021 algorithm,
01022 false,
01023 iterations,
01024 salt_length,
01025 salt,
01026 true);
01027
01028
01029
01030
01031
01032
01033 ldns_rr_set_ttl(nsec, ldns_rdf2native_int32(ldns_rr_rdf(ldns_zone_soa(zone), 6)));
01034 ldns_rr_list_push_rr(nsec3_rrs, nsec);
01035 }
01036 ldns_rdf_deep_free(post);
01037
01038
01039 if (ldns_rr_list_contains_rr(glue_rrs, next_rr)) {
01040
01041 printf("Skip glue: ");
01042 ldns_rdf_print(stdout, cur_dname);
01043 printf("\n");
01044 } else {
01045 nsec = ldns_create_nsec3(cur_dname,
01046 ldns_rr_owner(ldns_zone_soa(zone)),
01047 orig_zone_rrs,
01048 algorithm,
01049 false,
01050 iterations,
01051 salt_length,
01052 salt,
01053 false);
01054
01055
01056
01057
01058
01059
01060
01061 ldns_rr_set_ttl(nsec, ldns_rdf2native_int32(ldns_rr_rdf(ldns_zone_soa(zone), 6)));
01062 ldns_rr_list_push_rr(nsec3_rrs, nsec);
01063
01064 cur_dname = next_dname;
01065 }
01066 }
01067 }
01068 ldns_rr_list_push_rr(signed_zone_rrs, ldns_rr_list_rr(orig_zone_rrs, i));
01069 }
01070 nsec = ldns_create_nsec3(cur_dname,
01071 ldns_rr_owner(ldns_zone_soa(zone)),
01072 orig_zone_rrs,
01073 algorithm,
01074 false,
01075 iterations,
01076 salt_length,
01077 salt,
01078 false);
01079 ldns_rr_list_set_rr(nsec3_rrs, nsec, 4);
01080 ldns_rr_list_free(orig_zone_rrs);
01081 ldns_rr_set_ttl(nsec, ldns_rdf2native_int32(ldns_rr_rdf(ldns_zone_soa(zone), 6)));
01082 ldns_rr_list_push_rr(nsec3_rrs, nsec);
01083
01084
01085
01086
01087
01088
01089
01090
01091 ldns_rr_list_sort_nsec3(nsec3_rrs);
01092 for (i = 0; i < ldns_rr_list_rr_count(nsec3_rrs); i++) {
01093 if (i == ldns_rr_list_rr_count(nsec3_rrs) - 1) {
01094 next_nsec_owner_str = ldns_rdf2str(ldns_dname_label(ldns_rr_owner(ldns_rr_list_rr(nsec3_rrs, 0)), 0));
01095 if (next_nsec_owner_str[strlen(next_nsec_owner_str) - 1] == '.') {
01096 next_nsec_owner_str[strlen(next_nsec_owner_str) - 1] = '\0';
01097 }
01098 status = ldns_str2rdf_b32_ext(&next_nsec_rdf, next_nsec_owner_str);
01099 if (!ldns_rr_set_rdf(ldns_rr_list_rr(nsec3_rrs, i), next_nsec_rdf, 4)) {
01100
01101 }
01102 } else {
01103 next_nsec_owner_str = ldns_rdf2str(ldns_dname_label(ldns_rr_owner(ldns_rr_list_rr(nsec3_rrs, i + 1)), 0));
01104 if (next_nsec_owner_str[strlen(next_nsec_owner_str) - 1] == '.') {
01105 next_nsec_owner_str[strlen(next_nsec_owner_str) - 1] = '\0';
01106 }
01107 status = ldns_str2rdf_b32_ext(&next_nsec_rdf, next_nsec_owner_str);
01108 if (!ldns_rr_set_rdf(ldns_rr_list_rr(nsec3_rrs, i), next_nsec_rdf, 4)) {
01109
01110 }
01111 }
01112 }
01113
01114 ldns_rr_list_cat(signed_zone_rrs, nsec3_rrs);
01115
01116
01117
01118
01119 ldns_rr_list_sort(signed_zone_rrs);
01120
01121
01122 cur_rrset = ldns_rr_list_pop_rrset(signed_zone_rrs);
01123 while (cur_rrset) {
01124
01125 cur_rrset_type = ldns_rr_get_type(ldns_rr_list_rr(cur_rrset, 0));
01126 cur_dname = ldns_rr_owner(ldns_rr_list_rr(cur_rrset, 0));
01127
01128
01129
01130
01131 if (cur_rrset_type != LDNS_RR_TYPE_RRSIG &&
01132 ((ldns_dname_is_subdomain(cur_dname, ldns_rr_owner(ldns_zone_soa(signed_zone)))
01133 && cur_rrset_type != LDNS_RR_TYPE_NS
01134 ) ||
01135 ldns_rdf_compare(cur_dname, ldns_rr_owner(ldns_zone_soa(signed_zone))) == 0
01136 ) &&
01137 !(ldns_rr_list_contains_rr(glue_rrs, ldns_rr_list_rr(cur_rrset, 0)))
01138 ) {
01139
01140
01141
01142
01143 cur_rrsigs = ldns_sign_public(cur_rrset, key_list);
01144
01145
01146
01147
01148
01149
01150
01151
01152
01153
01154
01155
01156
01157
01158
01159
01160
01161 ldns_zone_push_rr_list(signed_zone, cur_rrset);
01162 ldns_zone_push_rr_list(signed_zone, cur_rrsigs);
01163 ldns_rr_list_free(cur_rrsigs);
01164 } else {
01165
01166 ldns_zone_push_rr_list(signed_zone, cur_rrset);
01167 }
01168 ldns_rr_list_free(cur_rrset);
01169 cur_rrset = ldns_rr_list_pop_rrset(signed_zone_rrs);
01170 }
01171 ldns_rr_list_deep_free(signed_zone_rrs);
01172 ldns_rr_list_deep_free(pubkeys);
01173 ldns_rr_list_free(glue_rrs);
01174 return signed_zone;
01175 #endif
01176 }
01177
01178 #endif