dnssec.c
Go to the documentation of this file.
1/*
2 * dnssec.c
3 *
4 * contains the cryptographic function needed for DNSSEC in ldns
5 * The crypto library used is openssl
6 *
7 * (c) NLnet Labs, 2004-2008
8 *
9 * See the file LICENSE for the license
10 */
11
12#include <ldns/config.h>
13
14#include <ldns/ldns.h>
15#include <ldns/dnssec.h>
16
17#include <strings.h>
18#include <time.h>
19
20#ifdef HAVE_SSL
21#include <openssl/ssl.h>
22#include <openssl/evp.h>
23#include <openssl/rand.h>
24#include <openssl/err.h>
25#include <openssl/md5.h>
26#include <openssl/bn.h>
27#include <openssl/rsa.h>
28#ifdef USE_DSA
29#include <openssl/dsa.h>
30#endif
31#endif
32
33ldns_rr *
34ldns_dnssec_get_rrsig_for_name_and_type(const ldns_rdf *name,
35 const ldns_rr_type type,
36 const ldns_rr_list *rrs)
37{
38 size_t i;
39 ldns_rr *candidate;
40
41 if (!name || !rrs) {
42 return NULL;
43 }
44
45 for (i = 0; i < ldns_rr_list_rr_count(rrs); i++) {
46 candidate = ldns_rr_list_rr(rrs, i);
47 if (ldns_rr_get_type(candidate) == LDNS_RR_TYPE_RRSIG) {
48 if (ldns_dname_compare(ldns_rr_owner(candidate),
49 name) == 0 &&
50 ldns_rdf2rr_type(ldns_rr_rrsig_typecovered(candidate))
51 == type
52 ) {
53 return candidate;
54 }
55 }
56 }
57
58 return NULL;
59}
60
61ldns_rr *
62ldns_dnssec_get_dnskey_for_rrsig(const ldns_rr *rrsig,
63 const ldns_rr_list *rrs)
64{
65 size_t i;
66 ldns_rr *candidate;
67
68 if (!rrsig || !rrs) {
69 return NULL;
70 }
71
72 for (i = 0; i < ldns_rr_list_rr_count(rrs); i++) {
73 candidate = ldns_rr_list_rr(rrs, i);
74 if (ldns_rr_get_type(candidate) == LDNS_RR_TYPE_DNSKEY) {
75 if (ldns_dname_compare(ldns_rr_owner(candidate),
76 ldns_rr_rrsig_signame(rrsig)) == 0 &&
77 ldns_rdf2native_int16(ldns_rr_rrsig_keytag(rrsig)) ==
78 ldns_calc_keytag(candidate)
79 ) {
80 return candidate;
81 }
82 }
83 }
84
85 return NULL;
86}
87
88ldns_rdf *
89ldns_nsec_get_bitmap(const ldns_rr *nsec) {
90 if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC) {
91 return ldns_rr_rdf(nsec, 1);
92 } else if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC3) {
93 return ldns_rr_rdf(nsec, 5);
94 } else {
95 return NULL;
96 }
97}
98
99/*return the owner name of the closest encloser for name from the list of rrs */
100/* this is NOT the hash, but the original name! */
101ldns_rdf *
102ldns_dnssec_nsec3_closest_encloser(const ldns_rdf *qname,
103 ATTR_UNUSED(ldns_rr_type qtype),
104 const ldns_rr_list *nsec3s)
105{
106 /* remember parameters, they must match */
107 uint8_t algorithm;
108 uint32_t iterations;
109 uint8_t salt_length;
110 uint8_t *salt;
111
112 ldns_rdf *sname, *hashed_sname, *tmp;
113 bool flag;
114
115 bool exact_match_found;
116 bool in_range_found;
117
118 ldns_status status;
119 ldns_rdf *zone_name;
120
121 size_t nsec_i;
122 ldns_rr *nsec;
123 ldns_rdf *result = NULL;
124
125 if (!qname || !nsec3s || ldns_rr_list_rr_count(nsec3s) < 1) {
126 return NULL;
127 }
128
129 nsec = ldns_rr_list_rr(nsec3s, 0);
130 algorithm = ldns_nsec3_algorithm(nsec);
131 salt_length = ldns_nsec3_salt_length(nsec);
132 salt = ldns_nsec3_salt_data(nsec);
133 iterations = ldns_nsec3_iterations(nsec);
134
135 sname = ldns_rdf_clone(qname);
136
137 flag = false;
138
139 zone_name = ldns_dname_left_chop(ldns_rr_owner(nsec));
140
141 /* algorithm from nsec3-07 8.3 */
142 while (ldns_dname_label_count(sname) > 0) {
143 exact_match_found = false;
144 in_range_found = false;
145
146 hashed_sname = ldns_nsec3_hash_name(sname,
147 algorithm,
148 iterations,
149 salt_length,
150 salt);
151
152 status = ldns_dname_cat(hashed_sname, zone_name);
153 if(status != LDNS_STATUS_OK) {
154 LDNS_FREE(salt);
155 ldns_rdf_deep_free(zone_name);
156 ldns_rdf_deep_free(sname);
157 ldns_rdf_deep_free(hashed_sname);
158 return NULL;
159 }
160
161 for (nsec_i = 0; nsec_i < ldns_rr_list_rr_count(nsec3s); nsec_i++) {
162 nsec = ldns_rr_list_rr(nsec3s, nsec_i);
163
164 /* check values of iterations etc! */
165
166 /* exact match? */
167 if (ldns_dname_compare(ldns_rr_owner(nsec), hashed_sname) == 0) {
168 exact_match_found = true;
169 } else if (ldns_nsec_covers_name(nsec, hashed_sname)) {
170 in_range_found = true;
171 }
172
173 }
174 if (!exact_match_found && in_range_found) {
175 flag = true;
176 } else if (exact_match_found && flag) {
177 result = ldns_rdf_clone(sname);
178 /* RFC 5155: 8.3. 2.** "The proof is complete" */
179 ldns_rdf_deep_free(hashed_sname);
180 goto done;
181 } else if (exact_match_found && !flag) {
182 /* error! */
183 ldns_rdf_deep_free(hashed_sname);
184 goto done;
185 } else {
186 flag = false;
187 }
188
189 ldns_rdf_deep_free(hashed_sname);
190 tmp = sname;
191 sname = ldns_dname_left_chop(sname);
192 ldns_rdf_deep_free(tmp);
193 }
194
195 done:
196 LDNS_FREE(salt);
197 ldns_rdf_deep_free(zone_name);
198 ldns_rdf_deep_free(sname);
199
200 return result;
201}
202
203bool
204ldns_dnssec_pkt_has_rrsigs(const ldns_pkt *pkt)
205{
206 size_t i;
207 for (i = 0; i < ldns_pkt_ancount(pkt); i++) {
208 if (ldns_rr_get_type(ldns_rr_list_rr(ldns_pkt_answer(pkt), i)) ==
209 LDNS_RR_TYPE_RRSIG) {
210 return true;
211 }
212 }
213 for (i = 0; i < ldns_pkt_nscount(pkt); i++) {
214 if (ldns_rr_get_type(ldns_rr_list_rr(ldns_pkt_authority(pkt), i)) ==
215 LDNS_RR_TYPE_RRSIG) {
216 return true;
217 }
218 }
219 return false;
220}
221
222ldns_rr_list *
223ldns_dnssec_pkt_get_rrsigs_for_name_and_type(const ldns_pkt *pkt,
224 const ldns_rdf *name,
225 ldns_rr_type type)
226{
227 uint16_t t_netorder;
228 ldns_rr_list *sigs;
229 ldns_rr_list *sigs_covered;
230 ldns_rdf *rdf_t;
231
232 sigs = ldns_pkt_rr_list_by_name_and_type(pkt,
233 name,
234 LDNS_RR_TYPE_RRSIG,
235 LDNS_SECTION_ANY_NOQUESTION
236 );
237
238 t_netorder = htons(type); /* rdf are in network order! */
239 rdf_t = ldns_rdf_new(LDNS_RDF_TYPE_TYPE, LDNS_RDF_SIZE_WORD, &t_netorder);
240 sigs_covered = ldns_rr_list_subtype_by_rdf(sigs, rdf_t, 0);
241
242 ldns_rdf_free(rdf_t);
243 ldns_rr_list_deep_free(sigs);
244
245 return sigs_covered;
246
247}
248
249ldns_rr_list *
250ldns_dnssec_pkt_get_rrsigs_for_type(const ldns_pkt *pkt, ldns_rr_type type)
251{
252 uint16_t t_netorder;
253 ldns_rr_list *sigs;
254 ldns_rr_list *sigs_covered;
255 ldns_rdf *rdf_t;
256
257 sigs = ldns_pkt_rr_list_by_type(pkt,
258 LDNS_RR_TYPE_RRSIG,
259 LDNS_SECTION_ANY_NOQUESTION
260 );
261
262 t_netorder = htons(type); /* rdf are in network order! */
263 rdf_t = ldns_rdf_new(LDNS_RDF_TYPE_TYPE,
264 2,
265 &t_netorder);
266 sigs_covered = ldns_rr_list_subtype_by_rdf(sigs, rdf_t, 0);
267
268 ldns_rdf_free(rdf_t);
269 ldns_rr_list_deep_free(sigs);
270
271 return sigs_covered;
272
273}
274
275/* used only on the public key RR */
276uint16_t
277ldns_calc_keytag(const ldns_rr *key)
278{
279 uint16_t ac16;
280 ldns_buffer *keybuf;
281 size_t keysize;
282
283 if (!key) {
284 return 0;
285 }
286
287 if (ldns_rr_get_type(key) != LDNS_RR_TYPE_DNSKEY &&
288 ldns_rr_get_type(key) != LDNS_RR_TYPE_CDNSKEY &&
289 ldns_rr_get_type(key) != LDNS_RR_TYPE_KEY
290 ) {
291 return 0;
292 }
293
294 /* rdata to buf - only put the rdata in a buffer */
295 keybuf = ldns_buffer_new(LDNS_MIN_BUFLEN); /* grows */
296 if (!keybuf) {
297 return 0;
298 }
299 (void)ldns_rr_rdata2buffer_wire(keybuf, key);
300 /* the current pos in the buffer is the keysize */
301 keysize= ldns_buffer_position(keybuf);
302
303 ac16 = ldns_calc_keytag_raw(ldns_buffer_begin(keybuf), keysize);
304 ldns_buffer_free(keybuf);
305 return ac16;
306}
307
308uint16_t ldns_calc_keytag_raw(const uint8_t* key, size_t keysize)
309{
310 unsigned int i;
311 uint32_t ac32;
312 uint16_t ac16;
313
314 if(keysize < 4) {
315 return 0;
316 }
317 /* look at the algorithm field, copied from 2535bis */
318 if (key[3] == LDNS_RSAMD5) {
319 ac16 = 0;
320 if (keysize > 4) {
321 memmove(&ac16, key + keysize - 3, 2);
322 }
323 ac16 = ntohs(ac16);
324 return (uint16_t) ac16;
325 } else {
326 ac32 = 0;
327 for (i = 0; (size_t)i < keysize; ++i) {
328 ac32 += (i & 1) ? key[i] : key[i] << 8;
329 }
330 ac32 += (ac32 >> 16) & 0xFFFF;
331 return (uint16_t) (ac32 & 0xFFFF);
332 }
333}
334
335#ifdef HAVE_SSL
336#ifdef USE_DSA
337DSA *
338ldns_key_buf2dsa(const ldns_buffer *key)
339{
340 return ldns_key_buf2dsa_raw((const unsigned char*)ldns_buffer_begin(key),
341 ldns_buffer_position(key));
342}
343
344DSA *
345ldns_key_buf2dsa_raw(const unsigned char* key, size_t len)
346{
347 uint8_t T;
348 uint16_t length;
349 uint16_t offset;
350 DSA *dsa;
351 BIGNUM *Q; BIGNUM *P;
352 BIGNUM *G; BIGNUM *Y;
353
354 if(len == 0)
355 return NULL;
356 T = (uint8_t)key[0];
357 length = (64 + T * 8);
358 offset = 1;
359
360 if (T > 8) {
361 return NULL;
362 }
363 if(len < (size_t)1 + SHA_DIGEST_LENGTH + 3*length)
364 return NULL;
365
366 Q = BN_bin2bn(key+offset, SHA_DIGEST_LENGTH, NULL);
367 offset += SHA_DIGEST_LENGTH;
368
369 P = BN_bin2bn(key+offset, (int)length, NULL);
370 offset += length;
371
372 G = BN_bin2bn(key+offset, (int)length, NULL);
373 offset += length;
374
375 Y = BN_bin2bn(key+offset, (int)length, NULL);
376
377 /* create the key and set its properties */
378 if(!Q || !P || !G || !Y || !(dsa = DSA_new())) {
379 BN_free(Q);
380 BN_free(P);
381 BN_free(G);
382 BN_free(Y);
383 return NULL;
384 }
385#if OPENSSL_VERSION_NUMBER < 0x10100000 || (defined(HAVE_LIBRESSL) && LIBRESSL_VERSION_NUMBER < 0x20700000)
386#ifndef S_SPLINT_S
387 dsa->p = P;
388 dsa->q = Q;
389 dsa->g = G;
390 dsa->pub_key = Y;
391#endif /* splint */
392#else /* OPENSSL_VERSION_NUMBER */
393 if (!DSA_set0_pqg(dsa, P, Q, G)) {
394 /* QPG not yet attached, need to free */
395 BN_free(Q);
396 BN_free(P);
397 BN_free(G);
398
399 DSA_free(dsa);
400 BN_free(Y);
401 return NULL;
402 }
403 if (!DSA_set0_key(dsa, Y, NULL)) {
404 /* QPG attached, cleaned up by DSA_fre() */
405 DSA_free(dsa);
406 BN_free(Y);
407 return NULL;
408 }
409#endif /* OPENSSL_VERSION_NUMBER */
410 return dsa;
411}
412#endif /* USE_DSA */
413
414RSA *
415ldns_key_buf2rsa(const ldns_buffer *key)
416{
417 return ldns_key_buf2rsa_raw((const unsigned char*)ldns_buffer_begin(key),
418 ldns_buffer_position(key));
419}
420
421RSA *
422ldns_key_buf2rsa_raw(const unsigned char* key, size_t len)
423{
424 uint16_t offset;
425 uint16_t exp;
426 uint16_t int16;
427 RSA *rsa;
428 BIGNUM *modulus;
429 BIGNUM *exponent;
430
431 if (len == 0)
432 return NULL;
433 if (key[0] == 0) {
434 if(len < 3)
435 return NULL;
436 /* need some smart comment here XXX*/
437 /* the exponent is too large so it's places
438 * further...???? */
439 memmove(&int16, key+1, 2);
440 exp = ntohs(int16);
441 offset = 3;
442 } else {
443 exp = key[0];
444 offset = 1;
445 }
446
447 /* key length at least one */
448 if(len < (size_t)offset + exp + 1)
449 return NULL;
450
451 /* Exponent */
452 exponent = BN_new();
453 if(!exponent) return NULL;
454 (void) BN_bin2bn(key+offset, (int)exp, exponent);
455 offset += exp;
456
457 /* Modulus */
458 modulus = BN_new();
459 if(!modulus) {
460 BN_free(exponent);
461 return NULL;
462 }
463 /* length of the buffer must match the key length! */
464 (void) BN_bin2bn(key+offset, (int)(len - offset), modulus);
465
466 rsa = RSA_new();
467 if(!rsa) {
468 BN_free(exponent);
469 BN_free(modulus);
470 return NULL;
471 }
472#if OPENSSL_VERSION_NUMBER < 0x10100000 || (defined(HAVE_LIBRESSL) && LIBRESSL_VERSION_NUMBER < 0x20700000)
473#ifndef S_SPLINT_S
474 rsa->n = modulus;
475 rsa->e = exponent;
476#endif /* splint */
477#else /* OPENSSL_VERSION_NUMBER */
478 if (!RSA_set0_key(rsa, modulus, exponent, NULL)) {
479 BN_free(exponent);
480 BN_free(modulus);
481 RSA_free(rsa);
482 return NULL;
483 }
484#endif /* OPENSSL_VERSION_NUMBER */
485
486 return rsa;
487}
488
489int
490ldns_digest_evp(const unsigned char* data, unsigned int len, unsigned char* dest,
491 const EVP_MD* md)
492{
493 EVP_MD_CTX* ctx;
494 ctx = EVP_MD_CTX_create();
495 if(!ctx)
496 return false;
497 if(!EVP_DigestInit_ex(ctx, md, NULL) ||
498 !EVP_DigestUpdate(ctx, data, len) ||
499 !EVP_DigestFinal_ex(ctx, dest, NULL)) {
500 EVP_MD_CTX_destroy(ctx);
501 return false;
502 }
503 EVP_MD_CTX_destroy(ctx);
504 return true;
505}
506#endif /* HAVE_SSL */
507
508ldns_rr *
509ldns_key_rr2ds(const ldns_rr *key, ldns_hash h)
510{
511 ldns_rdf *tmp;
512 ldns_rr *ds;
513 uint16_t keytag;
514 uint8_t sha1hash;
515 uint8_t *digest;
516 ldns_buffer *data_buf;
517#ifdef USE_GOST
518 const EVP_MD* md = NULL;
519#endif
520
521 if (ldns_rr_get_type(key) != LDNS_RR_TYPE_DNSKEY &&
522 ldns_rr_get_type(key) != LDNS_RR_TYPE_CDNSKEY) {
523 return NULL;
524 }
525
526 ds = ldns_rr_new();
527 if (!ds) {
528 return NULL;
529 }
530 ldns_rr_set_type(ds, LDNS_RR_TYPE_DS);
531 ldns_rr_set_owner(ds, ldns_rdf_clone(
532 ldns_rr_owner(key)));
533 ldns_rr_set_ttl(ds, ldns_rr_ttl(key));
534 ldns_rr_set_class(ds, ldns_rr_get_class(key));
535
536 switch(h) {
537 default:
538 case LDNS_SHA1:
539 digest = LDNS_XMALLOC(uint8_t, LDNS_SHA1_DIGEST_LENGTH);
540 if (!digest) {
541 ldns_rr_free(ds);
542 return NULL;
543 }
544 break;
545 case LDNS_SHA256:
546 digest = LDNS_XMALLOC(uint8_t, LDNS_SHA256_DIGEST_LENGTH);
547 if (!digest) {
548 ldns_rr_free(ds);
549 return NULL;
550 }
551 break;
552 case LDNS_HASH_GOST:
553#ifdef USE_GOST
554 (void)ldns_key_EVP_load_gost_id();
555 md = EVP_get_digestbyname("md_gost94");
556 if(!md) {
557 ldns_rr_free(ds);
558 return NULL;
559 }
560 digest = LDNS_XMALLOC(uint8_t, EVP_MD_size(md));
561 if (!digest) {
562 ldns_rr_free(ds);
563 return NULL;
564 }
565 break;
566#else
567 /* not implemented */
568 ldns_rr_free(ds);
569 return NULL;
570#endif
571 case LDNS_SHA384:
572#ifdef USE_ECDSA
573 digest = LDNS_XMALLOC(uint8_t, SHA384_DIGEST_LENGTH);
574 if (!digest) {
575 ldns_rr_free(ds);
576 return NULL;
577 }
578 break;
579#else
580 /* not implemented */
581 ldns_rr_free(ds);
582 return NULL;
583#endif
584 }
585
586 data_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
587 if (!data_buf) {
588 LDNS_FREE(digest);
589 ldns_rr_free(ds);
590 return NULL;
591 }
592
593 /* keytag */
594 keytag = htons(ldns_calc_keytag((ldns_rr*)key));
595 tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT16,
596 sizeof(uint16_t),
597 &keytag);
598 ldns_rr_push_rdf(ds, tmp);
599
600 /* copy the algorithm field */
601 if ((tmp = ldns_rr_rdf(key, 2)) == NULL) {
602 LDNS_FREE(digest);
603 ldns_buffer_free(data_buf);
604 ldns_rr_free(ds);
605 return NULL;
606 } else {
607 ldns_rr_push_rdf(ds, ldns_rdf_clone( tmp ));
608 }
609
610 /* digest hash type */
611 sha1hash = (uint8_t)h;
612 tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT8,
613 sizeof(uint8_t),
614 &sha1hash);
615 ldns_rr_push_rdf(ds, tmp);
616
617 /* digest */
618 /* owner name */
619 tmp = ldns_rdf_clone(ldns_rr_owner(key));
620 ldns_dname2canonical(tmp);
621 if (ldns_rdf2buffer_wire(data_buf, tmp) != LDNS_STATUS_OK) {
622 LDNS_FREE(digest);
623 ldns_buffer_free(data_buf);
624 ldns_rr_free(ds);
625 ldns_rdf_deep_free(tmp);
626 return NULL;
627 }
628 ldns_rdf_deep_free(tmp);
629
630 /* all the rdata's */
631 if (ldns_rr_rdata2buffer_wire(data_buf,
632 (ldns_rr*)key) != LDNS_STATUS_OK) {
633 LDNS_FREE(digest);
634 ldns_buffer_free(data_buf);
635 ldns_rr_free(ds);
636 return NULL;
637 }
638 switch(h) {
639 case LDNS_SHA1:
640 (void) ldns_sha1((unsigned char *) ldns_buffer_begin(data_buf),
641 (unsigned int) ldns_buffer_position(data_buf),
642 (unsigned char *) digest);
643
644 tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_HEX,
645 LDNS_SHA1_DIGEST_LENGTH,
646 digest);
647 ldns_rr_push_rdf(ds, tmp);
648
649 break;
650 case LDNS_SHA256:
651 (void) ldns_sha256((unsigned char *) ldns_buffer_begin(data_buf),
652 (unsigned int) ldns_buffer_position(data_buf),
653 (unsigned char *) digest);
654 tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_HEX,
655 LDNS_SHA256_DIGEST_LENGTH,
656 digest);
657 ldns_rr_push_rdf(ds, tmp);
658 break;
659 case LDNS_HASH_GOST:
660#ifdef USE_GOST
661 if(!ldns_digest_evp((unsigned char *) ldns_buffer_begin(data_buf),
662 (unsigned int) ldns_buffer_position(data_buf),
663 (unsigned char *) digest, md)) {
664 LDNS_FREE(digest);
665 ldns_buffer_free(data_buf);
666 ldns_rr_free(ds);
667 return NULL;
668 }
669 tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_HEX,
670 (size_t)EVP_MD_size(md),
671 digest);
672 ldns_rr_push_rdf(ds, tmp);
673#endif
674 break;
675 case LDNS_SHA384:
676#ifdef USE_ECDSA
677 (void) SHA384((unsigned char *) ldns_buffer_begin(data_buf),
678 (unsigned int) ldns_buffer_position(data_buf),
679 (unsigned char *) digest);
680 tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_HEX,
681 SHA384_DIGEST_LENGTH,
682 digest);
683 ldns_rr_push_rdf(ds, tmp);
684#endif
685 break;
686 }
687
688 LDNS_FREE(digest);
689 ldns_buffer_free(data_buf);
690 return ds;
691}
692
693/* From RFC3845:
694 *
695 * 2.1.2. The List of Type Bit Map(s) Field
696 *
697 * The RR type space is split into 256 window blocks, each representing
698 * the low-order 8 bits of the 16-bit RR type space. Each block that
699 * has at least one active RR type is encoded using a single octet
700 * window number (from 0 to 255), a single octet bitmap length (from 1
701 * to 32) indicating the number of octets used for the window block's
702 * bitmap, and up to 32 octets (256 bits) of bitmap.
703 *
704 * Window blocks are present in the NSEC RR RDATA in increasing
705 * numerical order.
706 *
707 * "|" denotes concatenation
708 *
709 * Type Bit Map(s) Field = ( Window Block # | Bitmap Length | Bitmap ) +
710 *
711 * <cut>
712 *
713 * Blocks with no types present MUST NOT be included. Trailing zero
714 * octets in the bitmap MUST be omitted. The length of each block's
715 * bitmap is determined by the type code with the largest numerical
716 * value within that block, among the set of RR types present at the
717 * NSEC RR's owner name. Trailing zero octets not specified MUST be
718 * interpreted as zero octets.
719 */
720ldns_rdf *
721ldns_dnssec_create_nsec_bitmap(ldns_rr_type rr_type_list[],
722 size_t size,
723 ldns_rr_type nsec_type)
724{
725 uint8_t window; /* most significant octet of type */
726 uint8_t subtype; /* least significant octet of type */
727 int windows[256]; /* Max subtype per window */
728 uint8_t windowpresent[256]; /* bool if window appears in bitmap */
729 ldns_rr_type* d; /* used to traverse rr_type_list*/
730 size_t i; /* used to traverse windows array */
731
732 size_t sz; /* size needed for type bitmap rdf */
733 uint8_t* data = NULL; /* rdf data */
734 uint8_t* dptr; /* used to itraverse rdf data */
735 ldns_rdf* rdf; /* bitmap rdf to return */
736
737 if (nsec_type != LDNS_RR_TYPE_NSEC &&
738 nsec_type != LDNS_RR_TYPE_NSEC3) {
739 return NULL;
740 }
741 memset(windows, 0, sizeof(int)*256);
742 memset(windowpresent, 0, 256);
743
744 /* Which other windows need to be in the bitmap rdf?
745 */
746 for (d = rr_type_list; d < rr_type_list + size; d++) {
747 window = *d >> 8;
748 subtype = *d & 0xff;
749 windowpresent[window] = 1;
750 if (windows[window] < (int)subtype) {
751 windows[window] = (int)subtype;
752 }
753 }
754
755 /* How much space do we need in the rdf for those windows?
756 */
757 sz = 0;
758 for (i = 0; i < 256; i++) {
759 if (windowpresent[i]) {
760 sz += windows[i] / 8 + 3;
761 }
762 }
763 if (sz > 0) {
764 /* Format rdf data according RFC3845 Section 2.1.2 (see above)
765 */
766 dptr = data = LDNS_CALLOC(uint8_t, sz);
767 if (!data) {
768 return NULL;
769 }
770 for (i = 0; i < 256; i++) {
771 if (windowpresent[i]) {
772 *dptr++ = (uint8_t)i;
773 *dptr++ = (uint8_t)(windows[i] / 8 + 1);
774
775 /* Now let windows[i] index the bitmap
776 * within data
777 */
778 windows[i] = (int)(dptr - data);
779
780 dptr += dptr[-1];
781 }
782 }
783 }
784
785 /* Set the bits?
786 */
787 for (d = rr_type_list; d < rr_type_list + size; d++) {
788 subtype = *d & 0xff;
789 data[windows[*d >> 8] + subtype/8] |= (0x80 >> (subtype % 8));
790 }
791
792 /* Allocate and return rdf structure for the data
793 */
794 rdf = ldns_rdf_new(LDNS_RDF_TYPE_BITMAP, sz, data);
795 if (!rdf) {
796 LDNS_FREE(data);
797 return NULL;
798 }
799 return rdf;
800}
801
802int
803ldns_dnssec_rrsets_contains_type(const ldns_dnssec_rrsets *rrsets,
804 ldns_rr_type type)
805{
806 const ldns_dnssec_rrsets *cur_rrset = rrsets;
807 while (cur_rrset) {
808 if (cur_rrset->type == type) {
809 return 1;
810 }
811 cur_rrset = cur_rrset->next;
812 }
813 return 0;
814}
815
816ldns_rr *
817ldns_dnssec_create_nsec(const ldns_dnssec_name *from,
818 const ldns_dnssec_name *to,
819 ldns_rr_type nsec_type)
820{
821 ldns_rr *nsec_rr;
822 ldns_rr_type types[65536];
823 size_t type_count = 0;
824 ldns_dnssec_rrsets *cur_rrsets;
825 int on_delegation_point;
826
827 if (!from || !to || (nsec_type != LDNS_RR_TYPE_NSEC)) {
828 return NULL;
829 }
830
831 nsec_rr = ldns_rr_new();
832 ldns_rr_set_type(nsec_rr, nsec_type);
833 ldns_rr_set_owner(nsec_rr, ldns_rdf_clone(ldns_dnssec_name_name(from)));
834 ldns_rr_push_rdf(nsec_rr, ldns_rdf_clone(ldns_dnssec_name_name(to)));
835
836 on_delegation_point = ldns_dnssec_rrsets_contains_type(
837 from->rrsets, LDNS_RR_TYPE_NS)
838 && !ldns_dnssec_rrsets_contains_type(
839 from->rrsets, LDNS_RR_TYPE_SOA);
840
841 cur_rrsets = from->rrsets;
842 while (cur_rrsets) {
843 /* Do not include non-authoritative rrsets on the delegation point
844 * in the type bitmap */
845 if ((on_delegation_point && (
846 cur_rrsets->type == LDNS_RR_TYPE_NS
847 || cur_rrsets->type == LDNS_RR_TYPE_DS))
848 || (!on_delegation_point &&
849 cur_rrsets->type != LDNS_RR_TYPE_RRSIG
850 && cur_rrsets->type != LDNS_RR_TYPE_NSEC)) {
851
852 types[type_count] = cur_rrsets->type;
853 type_count++;
854 }
855 cur_rrsets = cur_rrsets->next;
856
857 }
858 types[type_count] = LDNS_RR_TYPE_RRSIG;
859 type_count++;
860 types[type_count] = LDNS_RR_TYPE_NSEC;
861 type_count++;
862
863 ldns_rr_push_rdf(nsec_rr, ldns_dnssec_create_nsec_bitmap(types,
864 type_count,
865 nsec_type));
866
867 return nsec_rr;
868}
869
870ldns_rr *
871ldns_dnssec_create_nsec3(const ldns_dnssec_name *from,
872 const ldns_dnssec_name *to,
873 const ldns_rdf *zone_name,
874 uint8_t algorithm,
875 uint8_t flags,
876 uint16_t iterations,
877 uint8_t salt_length,
878 const uint8_t *salt)
879{
880 ldns_rr *nsec_rr;
881 ldns_rr_type types[65536];
882 size_t type_count = 0;
883 ldns_dnssec_rrsets *cur_rrsets;
884 ldns_status status;
885 int on_delegation_point;
886
887 if (!from) {
888 return NULL;
889 }
890
891 nsec_rr = ldns_rr_new_frm_type(LDNS_RR_TYPE_NSEC3);
892 ldns_rr_set_owner(nsec_rr,
893 ldns_nsec3_hash_name(ldns_dnssec_name_name(from),
894 algorithm,
895 iterations,
896 salt_length,
897 salt));
898 status = ldns_dname_cat(ldns_rr_owner(nsec_rr), zone_name);
899 if(status != LDNS_STATUS_OK) {
900 ldns_rr_free(nsec_rr);
901 return NULL;
902 }
903 ldns_nsec3_add_param_rdfs(nsec_rr,
904 algorithm,
905 flags,
906 iterations,
907 salt_length,
908 salt);
909
910 on_delegation_point = ldns_dnssec_rrsets_contains_type(
911 from->rrsets, LDNS_RR_TYPE_NS)
912 && !ldns_dnssec_rrsets_contains_type(
913 from->rrsets, LDNS_RR_TYPE_SOA);
914 cur_rrsets = from->rrsets;
915 while (cur_rrsets) {
916 /* Do not include non-authoritative rrsets on the delegation point
917 * in the type bitmap. Potentially not skipping insecure
918 * delegation should have been done earlier, in function
919 * ldns_dnssec_zone_create_nsec3s, or even earlier in:
920 * ldns_dnssec_zone_sign_nsec3_flg .
921 */
922 if ((on_delegation_point && (
923 cur_rrsets->type == LDNS_RR_TYPE_NS
924 || cur_rrsets->type == LDNS_RR_TYPE_DS))
925 || (!on_delegation_point &&
926 cur_rrsets->type != LDNS_RR_TYPE_RRSIG)) {
927
928 types[type_count] = cur_rrsets->type;
929 type_count++;
930 }
931 cur_rrsets = cur_rrsets->next;
932 }
933 /* always add rrsig type if this is not an unsigned
934 * delegation
935 */
936 if (type_count > 0 &&
937 !(type_count == 1 && types[0] == LDNS_RR_TYPE_NS)) {
938 types[type_count] = LDNS_RR_TYPE_RRSIG;
939 type_count++;
940 }
941
942 /* leave next rdata empty if they weren't precomputed yet */
943 if (to && to->hashed_name) {
944 (void) ldns_rr_set_rdf(nsec_rr,
945 ldns_rdf_clone(to->hashed_name),
946 4);
947 } else {
948 (void) ldns_rr_set_rdf(nsec_rr, NULL, 4);
949 }
950
951 ldns_rr_push_rdf(nsec_rr,
952 ldns_dnssec_create_nsec_bitmap(types,
953 type_count,
954 LDNS_RR_TYPE_NSEC3));
955
956 return nsec_rr;
957}
958
959ldns_rr *
960ldns_create_nsec(ldns_rdf *cur_owner, ldns_rdf *next_owner, ldns_rr_list *rrs)
961{
962 /* we do not do any check here - garbage in, garbage out */
963
964 /* the start and end names - get the type from the
965 * before rrlist */
966
967 /* inefficient, just give it a name, a next name, and a list of rrs */
968 /* we make 1 big uberbitmap first, then windows */
969 /* todo: make something more efficient :) */
970 uint16_t i;
971 ldns_rr *i_rr;
972 uint16_t i_type;
973
974 ldns_rr *nsec = NULL;
975 ldns_rr_type i_type_list[65536];
976 size_t type_count = 0;
977
978 nsec = ldns_rr_new();
979 ldns_rr_set_type(nsec, LDNS_RR_TYPE_NSEC);
980 ldns_rr_set_owner(nsec, ldns_rdf_clone(cur_owner));
981 ldns_rr_push_rdf(nsec, ldns_rdf_clone(next_owner));
982
983 for (i = 0; i < ldns_rr_list_rr_count(rrs); i++) {
984 i_rr = ldns_rr_list_rr(rrs, i);
985 if (ldns_rdf_compare(cur_owner,
986 ldns_rr_owner(i_rr)) == 0) {
987 i_type = ldns_rr_get_type(i_rr);
988 if (i_type != LDNS_RR_TYPE_RRSIG && i_type != LDNS_RR_TYPE_NSEC) {
989 if (type_count == 0 || i_type_list[type_count-1] != i_type) {
990 i_type_list[type_count] = i_type;
991 type_count++;
992 }
993 }
994 }
995 }
996
997 i_type_list[type_count] = LDNS_RR_TYPE_RRSIG;
998 type_count++;
999 i_type_list[type_count] = LDNS_RR_TYPE_NSEC;
1000 type_count++;
1001
1002 ldns_rr_push_rdf(nsec,
1003 ldns_dnssec_create_nsec_bitmap(i_type_list,
1004 type_count, LDNS_RR_TYPE_NSEC));
1005
1006 return nsec;
1007}
1008
1009ldns_rdf *
1010ldns_nsec3_hash_name(const ldns_rdf *name,
1011 uint8_t algorithm,
1012 uint16_t iterations,
1013 uint8_t salt_length,
1014 const uint8_t *salt)
1015{
1016 size_t hashed_owner_str_len;
1017 ldns_rdf *cann;
1018 ldns_rdf *hashed_owner;
1019 unsigned char *hashed_owner_str;
1020 char *hashed_owner_b32;
1021 size_t hashed_owner_b32_len;
1022 uint32_t cur_it;
1023 /* define to contain the largest possible hash, which is
1024 * sha1 at the moment */
1025 unsigned char hash[LDNS_SHA1_DIGEST_LENGTH];
1026 ldns_status status;
1027
1028 /* TODO: mnemonic list for hash algs SHA-1, default to 1 now (sha1) */
1029 if (algorithm != LDNS_SHA1) {
1030 return NULL;
1031 }
1032
1033 /* prepare the owner name according to the draft section bla */
1034 cann = ldns_rdf_clone(name);
1035 if(!cann) {
1036#ifdef STDERR_MSGS
1037 fprintf(stderr, "Memory error\n");
1038#endif
1039 return NULL;
1040 }
1041 ldns_dname2canonical(cann);
1042
1043 hashed_owner_str_len = salt_length + ldns_rdf_size(cann);
1044 hashed_owner_str = LDNS_XMALLOC(unsigned char, hashed_owner_str_len);
1045 if(!hashed_owner_str) {
1046 ldns_rdf_deep_free(cann);
1047 return NULL;
1048 }
1049 memcpy(hashed_owner_str, ldns_rdf_data(cann), ldns_rdf_size(cann));
1050 memcpy(hashed_owner_str + ldns_rdf_size(cann), salt, salt_length);
1051 ldns_rdf_deep_free(cann);
1052
1053 for (cur_it = iterations + 1; cur_it > 0; cur_it--) {
1054 (void) ldns_sha1((unsigned char *) hashed_owner_str,
1055 (unsigned int) hashed_owner_str_len, hash);
1056
1057 LDNS_FREE(hashed_owner_str);
1058 hashed_owner_str_len = salt_length + LDNS_SHA1_DIGEST_LENGTH;
1059 hashed_owner_str = LDNS_XMALLOC(unsigned char, hashed_owner_str_len);
1060 if (!hashed_owner_str) {
1061 return NULL;
1062 }
1063 memcpy(hashed_owner_str, hash, LDNS_SHA1_DIGEST_LENGTH);
1064 memcpy(hashed_owner_str + LDNS_SHA1_DIGEST_LENGTH, salt, salt_length);
1065 hashed_owner_str_len = LDNS_SHA1_DIGEST_LENGTH + salt_length;
1066 }
1067
1068 LDNS_FREE(hashed_owner_str);
1069 hashed_owner_str = hash;
1070 hashed_owner_str_len = LDNS_SHA1_DIGEST_LENGTH;
1071
1072 hashed_owner_b32 = LDNS_XMALLOC(char,
1073 ldns_b32_ntop_calculate_size(hashed_owner_str_len) + 1);
1074 if(!hashed_owner_b32) {
1075 return NULL;
1076 }
1077 hashed_owner_b32_len = (size_t) ldns_b32_ntop_extended_hex(
1078 (uint8_t *) hashed_owner_str,
1079 hashed_owner_str_len,
1080 hashed_owner_b32,
1081 ldns_b32_ntop_calculate_size(hashed_owner_str_len)+1);
1082 if (hashed_owner_b32_len < 1) {
1083#ifdef STDERR_MSGS
1084 fprintf(stderr, "Error in base32 extended hex encoding ");
1085 fprintf(stderr, "of hashed owner name (name: ");
1086 ldns_rdf_print(stderr, name);
1087 fprintf(stderr, ", return code: %u)\n",
1088 (unsigned int) hashed_owner_b32_len);
1089#endif
1090 LDNS_FREE(hashed_owner_b32);
1091 return NULL;
1092 }
1093 hashed_owner_b32[hashed_owner_b32_len] = '\0';
1094
1095 status = ldns_str2rdf_dname(&hashed_owner, hashed_owner_b32);
1096 if (status != LDNS_STATUS_OK) {
1097#ifdef STDERR_MSGS
1098 fprintf(stderr, "Error creating rdf from %s\n", hashed_owner_b32);
1099#endif
1100 LDNS_FREE(hashed_owner_b32);
1101 return NULL;
1102 }
1103
1104 LDNS_FREE(hashed_owner_b32);
1105 return hashed_owner;
1106}
1107
1108void
1109ldns_nsec3_add_param_rdfs(ldns_rr *rr,
1110 uint8_t algorithm,
1111 uint8_t flags,
1112 uint16_t iterations,
1113 uint8_t salt_length,
1114 const uint8_t *salt)
1115{
1116 ldns_rdf *salt_rdf = NULL;
1117 uint8_t *salt_data = NULL;
1118 ldns_rdf *old;
1119
1120 old = ldns_rr_set_rdf(rr,
1121 ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT8,
1122 1, (void*)&algorithm),
1123 0);
1124 if (old) ldns_rdf_deep_free(old);
1125
1126 old = ldns_rr_set_rdf(rr,
1127 ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT8,
1128 1, (void*)&flags),
1129 1);
1130 if (old) ldns_rdf_deep_free(old);
1131
1132 old = ldns_rr_set_rdf(rr,
1133 ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16,
1134 iterations),
1135 2);
1136 if (old) ldns_rdf_deep_free(old);
1137
1138 salt_data = LDNS_XMALLOC(uint8_t, salt_length + 1);
1139 if(!salt_data) {
1140 /* no way to return error */
1141 return;
1142 }
1143 salt_data[0] = salt_length;
1144 memcpy(salt_data + 1, salt, salt_length);
1145 salt_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_NSEC3_SALT,
1146 salt_length + 1,
1147 salt_data);
1148 if(!salt_rdf) {
1149 LDNS_FREE(salt_data);
1150 /* no way to return error */
1151 return;
1152 }
1153
1154 old = ldns_rr_set_rdf(rr, salt_rdf, 3);
1155 if (old) ldns_rdf_deep_free(old);
1156 LDNS_FREE(salt_data);
1157}
1158
1159static int
1160rr_list_delegation_only(const ldns_rdf *origin, const ldns_rr_list *rr_list)
1161{
1162 size_t i;
1163 ldns_rr *cur_rr;
1164 if (!origin || !rr_list) return 0;
1165 for (i = 0; i < ldns_rr_list_rr_count(rr_list); i++) {
1166 cur_rr = ldns_rr_list_rr(rr_list, i);
1167 if (ldns_dname_compare(ldns_rr_owner(cur_rr), origin) == 0) {
1168 return 0;
1169 }
1170 if (ldns_rr_get_type(cur_rr) != LDNS_RR_TYPE_NS) {
1171 return 0;
1172 }
1173 }
1174 return 1;
1175}
1176
1177/* this will NOT return the NSEC3 completed, you will have to run the
1178 finalize function on the rrlist later! */
1179ldns_rr *
1180ldns_create_nsec3(const ldns_rdf *cur_owner,
1181 const ldns_rdf *cur_zone,
1182 const ldns_rr_list *rrs,
1183 uint8_t algorithm,
1184 uint8_t flags,
1185 uint16_t iterations,
1186 uint8_t salt_length,
1187 const uint8_t *salt,
1188 bool emptynonterminal)
1189{
1190 size_t i;
1191 ldns_rr *i_rr;
1192 uint16_t i_type;
1193
1194 ldns_rr *nsec = NULL;
1195 ldns_rdf *hashed_owner = NULL;
1196
1197 ldns_status status;
1198
1199 ldns_rr_type i_type_list[1024];
1200 size_t type_count = 0;
1201
1202 hashed_owner = ldns_nsec3_hash_name(cur_owner,
1203 algorithm,
1204 iterations,
1205 salt_length,
1206 salt);
1207 status = ldns_dname_cat(hashed_owner, cur_zone);
1208 if(status != LDNS_STATUS_OK) {
1209 ldns_rdf_deep_free(hashed_owner);
1210 return NULL;
1211 }
1212 nsec = ldns_rr_new_frm_type(LDNS_RR_TYPE_NSEC3);
1213 if(!nsec) {
1214 ldns_rdf_deep_free(hashed_owner);
1215 return NULL;
1216 }
1217 ldns_rr_set_type(nsec, LDNS_RR_TYPE_NSEC3);
1218 ldns_rr_set_owner(nsec, hashed_owner);
1219
1220 ldns_nsec3_add_param_rdfs(nsec,
1221 algorithm,
1222 flags,
1223 iterations,
1224 salt_length,
1225 salt);
1226 (void) ldns_rr_set_rdf(nsec, NULL, 4);
1227
1228
1229 for (i = 0; i < ldns_rr_list_rr_count(rrs); i++) {
1230 i_rr = ldns_rr_list_rr(rrs, i);
1231 if (ldns_rdf_compare(cur_owner,
1232 ldns_rr_owner(i_rr)) == 0) {
1233 i_type = ldns_rr_get_type(i_rr);
1234 if (type_count == 0 || i_type_list[type_count-1] != i_type) {
1235 i_type_list[type_count] = i_type;
1236 type_count++;
1237 }
1238 }
1239 }
1240
1241 /* add RRSIG anyway, but only if this is not an ENT or
1242 * an unsigned delegation */
1243 if (!emptynonterminal && !rr_list_delegation_only(cur_zone, rrs)) {
1244 i_type_list[type_count] = LDNS_RR_TYPE_RRSIG;
1245 type_count++;
1246 }
1247
1248 /* and SOA if owner == zone */
1249 if (ldns_dname_compare(cur_zone, cur_owner) == 0) {
1250 i_type_list[type_count] = LDNS_RR_TYPE_SOA;
1251 type_count++;
1252 }
1253
1254 ldns_rr_push_rdf(nsec,
1255 ldns_dnssec_create_nsec_bitmap(i_type_list,
1256 type_count, LDNS_RR_TYPE_NSEC3));
1257
1258 return nsec;
1259}
1260
1261uint8_t
1262ldns_nsec3_algorithm(const ldns_rr *nsec3_rr)
1263{
1264 if (nsec3_rr &&
1265 (ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3 ||
1266 ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3PARAM)
1267 && (ldns_rr_rdf(nsec3_rr, 0) != NULL)
1268 && ldns_rdf_size(ldns_rr_rdf(nsec3_rr, 0)) > 0) {
1269 return ldns_rdf2native_int8(ldns_rr_rdf(nsec3_rr, 0));
1270 }
1271 return 0;
1272}
1273
1274uint8_t
1275ldns_nsec3_flags(const ldns_rr *nsec3_rr)
1276{
1277 if (nsec3_rr &&
1278 (ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3 ||
1279 ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3PARAM)
1280 && (ldns_rr_rdf(nsec3_rr, 1) != NULL)
1281 && ldns_rdf_size(ldns_rr_rdf(nsec3_rr, 1)) > 0) {
1282 return ldns_rdf2native_int8(ldns_rr_rdf(nsec3_rr, 1));
1283 }
1284 return 0;
1285}
1286
1287bool
1288ldns_nsec3_optout(const ldns_rr *nsec3_rr)
1289{
1290 return (ldns_nsec3_flags(nsec3_rr) & LDNS_NSEC3_VARS_OPTOUT_MASK);
1291}
1292
1293uint16_t
1294ldns_nsec3_iterations(const ldns_rr *nsec3_rr)
1295{
1296 if (nsec3_rr &&
1297 (ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3 ||
1298 ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3PARAM)
1299 && (ldns_rr_rdf(nsec3_rr, 2) != NULL)
1300 && ldns_rdf_size(ldns_rr_rdf(nsec3_rr, 2)) > 0) {
1301 return ldns_rdf2native_int16(ldns_rr_rdf(nsec3_rr, 2));
1302 }
1303 return 0;
1304
1305}
1306
1307ldns_rdf *
1308ldns_nsec3_salt(const ldns_rr *nsec3_rr)
1309{
1310 if (nsec3_rr &&
1311 (ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3 ||
1312 ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3PARAM)
1313 ) {
1314 return ldns_rr_rdf(nsec3_rr, 3);
1315 }
1316 return NULL;
1317}
1318
1319uint8_t
1320ldns_nsec3_salt_length(const ldns_rr *nsec3_rr)
1321{
1322 ldns_rdf *salt_rdf = ldns_nsec3_salt(nsec3_rr);
1323 if (salt_rdf && ldns_rdf_size(salt_rdf) > 0) {
1324 return (uint8_t) ldns_rdf_data(salt_rdf)[0];
1325 }
1326 return 0;
1327}
1328
1329/* allocs data, free with LDNS_FREE() */
1330uint8_t *
1331ldns_nsec3_salt_data(const ldns_rr *nsec3_rr)
1332{
1333 uint8_t salt_length;
1334 uint8_t *salt;
1335
1336 ldns_rdf *salt_rdf = ldns_nsec3_salt(nsec3_rr);
1337 if (salt_rdf && ldns_rdf_size(salt_rdf) > 0) {
1338 salt_length = ldns_rdf_data(salt_rdf)[0];
1339 if((size_t)salt_length+1 > ldns_rdf_size(salt_rdf))
1340 return NULL;
1341 salt = LDNS_XMALLOC(uint8_t, salt_length);
1342 if(!salt) return NULL;
1343 memcpy(salt, &ldns_rdf_data(salt_rdf)[1], salt_length);
1344 return salt;
1345 }
1346 return NULL;
1347}
1348
1349ldns_rdf *
1350ldns_nsec3_next_owner(const ldns_rr *nsec3_rr)
1351{
1352 if (!nsec3_rr || ldns_rr_get_type(nsec3_rr) != LDNS_RR_TYPE_NSEC3) {
1353 return NULL;
1354 } else {
1355 return ldns_rr_rdf(nsec3_rr, 4);
1356 }
1357}
1358
1359ldns_rdf *
1360ldns_nsec3_bitmap(const ldns_rr *nsec3_rr)
1361{
1362 if (!nsec3_rr || ldns_rr_get_type(nsec3_rr) != LDNS_RR_TYPE_NSEC3) {
1363 return NULL;
1364 } else {
1365 return ldns_rr_rdf(nsec3_rr, 5);
1366 }
1367}
1368
1369ldns_rdf *
1370ldns_nsec3_hash_name_frm_nsec3(const ldns_rr *nsec, const ldns_rdf *name)
1371{
1372 uint8_t algorithm;
1373 uint16_t iterations;
1374 uint8_t salt_length;
1375 uint8_t *salt = 0;
1376
1377 ldns_rdf *hashed_owner;
1378
1379 algorithm = ldns_nsec3_algorithm(nsec);
1380 salt_length = ldns_nsec3_salt_length(nsec);
1381 salt = ldns_nsec3_salt_data(nsec);
1382 iterations = ldns_nsec3_iterations(nsec);
1383
1384 hashed_owner = ldns_nsec3_hash_name(name,
1385 algorithm,
1386 iterations,
1387 salt_length,
1388 salt);
1389
1390 LDNS_FREE(salt);
1391 return hashed_owner;
1392}
1393
1394bool
1395ldns_nsec_bitmap_covers_type(const ldns_rdf* bitmap, ldns_rr_type type)
1396{
1397 uint8_t* dptr;
1398 uint8_t* dend;
1399
1400 /* From RFC3845 Section 2.1.2:
1401 *
1402 * "The RR type space is split into 256 window blocks, each re-
1403 * presenting the low-order 8 bits of the 16-bit RR type space."
1404 */
1405 uint8_t window = type >> 8;
1406 uint8_t subtype = type & 0xff;
1407
1408 if (! bitmap) {
1409 return false;
1410 }
1411 assert(ldns_rdf_get_type(bitmap) == LDNS_RDF_TYPE_BITMAP);
1412
1413 dptr = ldns_rdf_data(bitmap);
1414 dend = ldns_rdf_data(bitmap) + ldns_rdf_size(bitmap);
1415
1416 /* Type Bitmap = ( Window Block # | Bitmap Length | Bitmap ) +
1417 * dptr[0] dptr[1] dptr[2:]
1418 */
1419 while (dptr < dend && dptr[0] <= window) {
1420
1421 if (dptr[0] == window && subtype / 8 < dptr[1] &&
1422 dptr + dptr[1] + 2 <= dend) {
1423
1424 return dptr[2 + subtype / 8] & (0x80 >> (subtype % 8));
1425 }
1426 dptr += dptr[1] + 2; /* next window */
1427 }
1428 return false;
1429}
1430
1431ldns_status
1432ldns_nsec_bitmap_set_type(ldns_rdf* bitmap, ldns_rr_type type)
1433{
1434 uint8_t* dptr;
1435 uint8_t* dend;
1436
1437 /* From RFC3845 Section 2.1.2:
1438 *
1439 * "The RR type space is split into 256 window blocks, each re-
1440 * presenting the low-order 8 bits of the 16-bit RR type space."
1441 */
1442 uint8_t window = type >> 8;
1443 uint8_t subtype = type & 0xff;
1444
1445 if (! bitmap) {
1446 return false;
1447 }
1448 assert(ldns_rdf_get_type(bitmap) == LDNS_RDF_TYPE_BITMAP);
1449
1450 dptr = ldns_rdf_data(bitmap);
1451 dend = ldns_rdf_data(bitmap) + ldns_rdf_size(bitmap);
1452
1453 /* Type Bitmap = ( Window Block # | Bitmap Length | Bitmap ) +
1454 * dptr[0] dptr[1] dptr[2:]
1455 */
1456 while (dptr < dend && dptr[0] <= window) {
1457
1458 if (dptr[0] == window && subtype / 8 < dptr[1] &&
1459 dptr + dptr[1] + 2 <= dend) {
1460
1461 dptr[2 + subtype / 8] |= (0x80 >> (subtype % 8));
1462 return LDNS_STATUS_OK;
1463 }
1464 dptr += dptr[1] + 2; /* next window */
1465 }
1466 return LDNS_STATUS_TYPE_NOT_IN_BITMAP;
1467}
1468
1469ldns_status
1470ldns_nsec_bitmap_clear_type(ldns_rdf* bitmap, ldns_rr_type type)
1471{
1472 uint8_t* dptr;
1473 uint8_t* dend;
1474
1475 /* From RFC3845 Section 2.1.2:
1476 *
1477 * "The RR type space is split into 256 window blocks, each re-
1478 * presenting the low-order 8 bits of the 16-bit RR type space."
1479 */
1480 uint8_t window = type >> 8;
1481 uint8_t subtype = type & 0xff;
1482
1483 if (! bitmap) {
1484 return false;
1485 }
1486
1487 assert(ldns_rdf_get_type(bitmap) == LDNS_RDF_TYPE_BITMAP);
1488
1489 dptr = ldns_rdf_data(bitmap);
1490 dend = ldns_rdf_data(bitmap) + ldns_rdf_size(bitmap);
1491
1492 /* Type Bitmap = ( Window Block # | Bitmap Length | Bitmap ) +
1493 * dptr[0] dptr[1] dptr[2:]
1494 */
1495 while (dptr < dend && dptr[0] <= window) {
1496
1497 if (dptr[0] == window && subtype / 8 < dptr[1] &&
1498 dptr + dptr[1] + 2 <= dend) {
1499
1500 dptr[2 + subtype / 8] &= ~(0x80 >> (subtype % 8));
1501 return LDNS_STATUS_OK;
1502 }
1503 dptr += dptr[1] + 2; /* next window */
1504 }
1505 return LDNS_STATUS_TYPE_NOT_IN_BITMAP;
1506}
1507
1508
1509bool
1510ldns_nsec_covers_name(const ldns_rr *nsec, const ldns_rdf *name)
1511{
1512 ldns_rdf *nsec_owner = ldns_rr_owner(nsec);
1513 ldns_rdf *hash_next;
1514 char *next_hash_str;
1515 ldns_rdf *nsec_next = NULL;
1516 ldns_status status;
1517 ldns_rdf *chopped_dname;
1518 bool result;
1519
1520 if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC) {
1521 if (ldns_rr_rdf(nsec, 0) != NULL) {
1522 nsec_next = ldns_rdf_clone(ldns_rr_rdf(nsec, 0));
1523 } else {
1524 return false;
1525 }
1526 } else if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC3) {
1527 hash_next = ldns_nsec3_next_owner(nsec);
1528 next_hash_str = ldns_rdf2str(hash_next);
1529 nsec_next = ldns_dname_new_frm_str(next_hash_str);
1530 LDNS_FREE(next_hash_str);
1531 chopped_dname = ldns_dname_left_chop(nsec_owner);
1532 status = ldns_dname_cat(nsec_next, chopped_dname);
1533 ldns_rdf_deep_free(chopped_dname);
1534 if (status != LDNS_STATUS_OK) {
1535 printf("error catting: %s\n", ldns_get_errorstr_by_id(status));
1536 }
1537 } else {
1538 ldns_rdf_deep_free(nsec_next);
1539 return false;
1540 }
1541
1542 /* in the case of the last nsec */
1543 if(ldns_dname_compare(nsec_owner, nsec_next) > 0) {
1544 result = (ldns_dname_compare(nsec_owner, name) <= 0 ||
1545 ldns_dname_compare(name, nsec_next) < 0);
1546 } else if(ldns_dname_compare(nsec_owner, nsec_next) < 0) {
1547 result = (ldns_dname_compare(nsec_owner, name) <= 0 &&
1548 ldns_dname_compare(name, nsec_next) < 0);
1549 } else {
1550 result = true;
1551 }
1552
1553 ldns_rdf_deep_free(nsec_next);
1554 return result;
1555}
1556
1557#ifdef HAVE_SSL
1558/* sig may be null - if so look in the packet */
1559
1560ldns_status
1561ldns_pkt_verify_time(const ldns_pkt *p, ldns_rr_type t, const ldns_rdf *o,
1562 const ldns_rr_list *k, const ldns_rr_list *s,
1563 time_t check_time, ldns_rr_list *good_keys)
1564{
1565 ldns_rr_list *rrset;
1566 ldns_rr_list *sigs;
1567 ldns_rr_list *sigs_covered;
1568 ldns_rdf *rdf_t;
1569 ldns_rr_type t_netorder;
1570 ldns_status status;
1571
1572 if (!k) {
1573 return LDNS_STATUS_ERR;
1574 /* return LDNS_STATUS_CRYPTO_NO_DNSKEY; */
1575 }
1576
1577 if (t == LDNS_RR_TYPE_RRSIG) {
1578 /* we don't have RRSIG(RRSIG) (yet? ;-) ) */
1579 return LDNS_STATUS_ERR;
1580 }
1581
1582 if (s) {
1583 /* if s is not NULL, the sigs are given to use */
1584 sigs = (ldns_rr_list *)s;
1585 } else {
1586 /* otherwise get them from the packet */
1587 sigs = ldns_pkt_rr_list_by_name_and_type(p, o,
1588 LDNS_RR_TYPE_RRSIG,
1589 LDNS_SECTION_ANY_NOQUESTION);
1590 if (!sigs) {
1591 /* no sigs */
1592 return LDNS_STATUS_ERR;
1593 /* return LDNS_STATUS_CRYPTO_NO_RRSIG; */
1594 }
1595 }
1596
1597 /* rrsig are subtyped, so now we need to find the correct
1598 * sigs for the type t
1599 */
1600 t_netorder = htons(t); /* rdf are in network order! */
1601 /* a type identifier is a 16-bit number, so the size is 2 bytes */
1602 rdf_t = ldns_rdf_new(LDNS_RDF_TYPE_TYPE, 2, &t_netorder);
1603
1604 sigs_covered = ldns_rr_list_subtype_by_rdf(sigs, rdf_t, 0);
1605 ldns_rdf_free(rdf_t);
1606 if (! sigs_covered) {
1607 if (! s) {
1608 ldns_rr_list_deep_free(sigs);
1609 }
1610 return LDNS_STATUS_ERR;
1611 }
1612 ldns_rr_list_deep_free(sigs_covered);
1613
1614 rrset = ldns_pkt_rr_list_by_name_and_type(p, o, t,
1615 LDNS_SECTION_ANY_NOQUESTION);
1616 if (!rrset) {
1617 if (! s) {
1618 ldns_rr_list_deep_free(sigs);
1619 }
1620 return LDNS_STATUS_ERR;
1621 }
1622 status = ldns_verify_time(rrset, sigs, k, check_time, good_keys);
1623 ldns_rr_list_deep_free(rrset);
1624 return status;
1625}
1626
1627ldns_status
1628ldns_pkt_verify(const ldns_pkt *p, ldns_rr_type t, const ldns_rdf *o,
1629 const ldns_rr_list *k, const ldns_rr_list *s, ldns_rr_list *good_keys)
1630{
1631 return ldns_pkt_verify_time(p, t, o, k, s, ldns_time(NULL), good_keys);
1632}
1633#endif /* HAVE_SSL */
1634
1635ldns_status
1636ldns_dnssec_chain_nsec3_list(ldns_rr_list *nsec3_rrs)
1637{
1638 size_t i;
1639 char *next_nsec_owner_str;
1640 ldns_rdf *next_nsec_owner_label;
1641 ldns_rdf *next_nsec_rdf;
1642 ldns_status status = LDNS_STATUS_OK;
1643
1644 for (i = 0; i < ldns_rr_list_rr_count(nsec3_rrs); i++) {
1645 if (i == ldns_rr_list_rr_count(nsec3_rrs) - 1) {
1646 next_nsec_owner_label =
1647 ldns_dname_label(ldns_rr_owner(ldns_rr_list_rr(nsec3_rrs,
1648 0)), 0);
1649 next_nsec_owner_str = ldns_rdf2str(next_nsec_owner_label);
1650 if (next_nsec_owner_str[strlen(next_nsec_owner_str) - 1]
1651 == '.') {
1652 next_nsec_owner_str[strlen(next_nsec_owner_str) - 1]
1653 = '\0';
1654 }
1655 status = ldns_str2rdf_b32_ext(&next_nsec_rdf,
1656 next_nsec_owner_str);
1657 if (!ldns_rr_set_rdf(ldns_rr_list_rr(nsec3_rrs, i),
1658 next_nsec_rdf, 4)) {
1659 /* todo: error */
1660 }
1661
1662 ldns_rdf_deep_free(next_nsec_owner_label);
1663 LDNS_FREE(next_nsec_owner_str);
1664 } else {
1665 next_nsec_owner_label =
1666 ldns_dname_label(ldns_rr_owner(ldns_rr_list_rr(nsec3_rrs,
1667 i + 1)),
1668 0);
1669 next_nsec_owner_str = ldns_rdf2str(next_nsec_owner_label);
1670 if (next_nsec_owner_str[strlen(next_nsec_owner_str) - 1]
1671 == '.') {
1672 next_nsec_owner_str[strlen(next_nsec_owner_str) - 1]
1673 = '\0';
1674 }
1675 status = ldns_str2rdf_b32_ext(&next_nsec_rdf,
1676 next_nsec_owner_str);
1677 ldns_rdf_deep_free(next_nsec_owner_label);
1678 LDNS_FREE(next_nsec_owner_str);
1679 if (!ldns_rr_set_rdf(ldns_rr_list_rr(nsec3_rrs, i),
1680 next_nsec_rdf, 4)) {
1681 /* todo: error */
1682 }
1683 }
1684 }
1685 return status;
1686}
1687
1688int
1689qsort_rr_compare_nsec3(const void *a, const void *b)
1690{
1691 const ldns_rr *rr1 = * (const ldns_rr **) a;
1692 const ldns_rr *rr2 = * (const ldns_rr **) b;
1693 if (rr1 == NULL && rr2 == NULL) {
1694 return 0;
1695 }
1696 if (rr1 == NULL) {
1697 return -1;
1698 }
1699 if (rr2 == NULL) {
1700 return 1;
1701 }
1702 return ldns_rdf_compare(ldns_rr_owner(rr1), ldns_rr_owner(rr2));
1703}
1704
1705void
1706ldns_rr_list_sort_nsec3(ldns_rr_list *unsorted)
1707{
1708 qsort(unsorted->_rrs,
1709 ldns_rr_list_rr_count(unsorted),
1710 sizeof(ldns_rr *),
1711 qsort_rr_compare_nsec3);
1712}
1713
1714int
1721
1722int
1729
1730int
1737
1738int
1745
1746#ifdef HAVE_SSL
1747ldns_rdf *
1748ldns_convert_dsa_rrsig_asn12rdf(const ldns_buffer *sig,
1749 const long sig_len)
1750{
1751#ifdef USE_DSA
1752 ldns_rdf *sigdata_rdf;
1753 DSA_SIG *dsasig;
1754 const BIGNUM *R, *S;
1755 unsigned char *dsasig_data = (unsigned char*)ldns_buffer_begin(sig);
1756 size_t byte_offset;
1757
1758 dsasig = d2i_DSA_SIG(NULL,
1759 (const unsigned char **)&dsasig_data,
1760 sig_len);
1761 if (!dsasig) {
1762 DSA_SIG_free(dsasig);
1763 return NULL;
1764 }
1765
1766 dsasig_data = LDNS_XMALLOC(unsigned char, 41);
1767 if(!dsasig_data) {
1768 DSA_SIG_free(dsasig);
1769 return NULL;
1770 }
1771 dsasig_data[0] = 0;
1772# ifdef HAVE_DSA_SIG_GET0
1773 DSA_SIG_get0(dsasig, &R, &S);
1774# else
1775 R = dsasig->r;
1776 S = dsasig->s;
1777# endif
1778 byte_offset = (size_t) (20 - BN_num_bytes(R));
1779 if (byte_offset > 20) {
1780 DSA_SIG_free(dsasig);
1781 LDNS_FREE(dsasig_data);
1782 return NULL;
1783 }
1784 memset(&dsasig_data[1], 0, byte_offset);
1785 BN_bn2bin(R, &dsasig_data[1 + byte_offset]);
1786 byte_offset = (size_t) (20 - BN_num_bytes(S));
1787 if (byte_offset > 20) {
1788 DSA_SIG_free(dsasig);
1789 LDNS_FREE(dsasig_data);
1790 return NULL;
1791 }
1792 memset(&dsasig_data[21], 0, byte_offset);
1793 BN_bn2bin(S, &dsasig_data[21 + byte_offset]);
1794
1795 sigdata_rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, 41, dsasig_data);
1796 if(!sigdata_rdf) {
1797 LDNS_FREE(dsasig_data);
1798 }
1799 DSA_SIG_free(dsasig);
1800
1801 return sigdata_rdf;
1802#else
1803 (void)sig; (void)sig_len;
1804 return NULL;
1805#endif
1806}
1807
1808ldns_status
1809ldns_convert_dsa_rrsig_rdf2asn1(ldns_buffer *target_buffer,
1810 const ldns_rdf *sig_rdf)
1811{
1812#ifdef USE_DSA
1813 /* the EVP api wants the DER encoding of the signature... */
1814 BIGNUM *R, *S;
1815 DSA_SIG *dsasig;
1816 unsigned char *raw_sig = NULL;
1817 int raw_sig_len;
1818
1819 if(ldns_rdf_size(sig_rdf) < 1 + 2*SHA_DIGEST_LENGTH)
1820 return LDNS_STATUS_SYNTAX_RDATA_ERR;
1821 /* extract the R and S field from the sig buffer */
1822 R = BN_new();
1823 if(!R) return LDNS_STATUS_MEM_ERR;
1824 (void) BN_bin2bn((unsigned char *) ldns_rdf_data(sig_rdf) + 1,
1825 SHA_DIGEST_LENGTH, R);
1826 S = BN_new();
1827 if(!S) {
1828 BN_free(R);
1829 return LDNS_STATUS_MEM_ERR;
1830 }
1831 (void) BN_bin2bn((unsigned char *) ldns_rdf_data(sig_rdf) + 21,
1832 SHA_DIGEST_LENGTH, S);
1833
1834 dsasig = DSA_SIG_new();
1835 if (!dsasig) {
1836 BN_free(R);
1837 BN_free(S);
1838 return LDNS_STATUS_MEM_ERR;
1839 }
1840# ifdef HAVE_DSA_SIG_SET0
1841 if (! DSA_SIG_set0(dsasig, R, S)) {
1842 DSA_SIG_free(dsasig);
1843 return LDNS_STATUS_SSL_ERR;
1844 }
1845# else
1846 dsasig->r = R;
1847 dsasig->s = S;
1848# endif
1849
1850 raw_sig_len = i2d_DSA_SIG(dsasig, &raw_sig);
1851 if (raw_sig_len < 0) {
1852 DSA_SIG_free(dsasig);
1853 free(raw_sig);
1854 return LDNS_STATUS_SSL_ERR;
1855 }
1856 if (ldns_buffer_reserve(target_buffer, (size_t) raw_sig_len)) {
1857 ldns_buffer_write(target_buffer, raw_sig, (size_t)raw_sig_len);
1858 }
1859
1860 DSA_SIG_free(dsasig);
1861 free(raw_sig);
1862
1863 return ldns_buffer_status(target_buffer);
1864#else
1865 (void)target_buffer; (void)sig_rdf;
1866 return LDNS_STATUS_CRYPTO_ALGO_NOT_IMPL;
1867#endif
1868}
1869
1870#ifdef USE_ECDSA
1871#ifndef S_SPLINT_S
1872ldns_rdf *
1873ldns_convert_ecdsa_rrsig_asn1len2rdf(const ldns_buffer *sig,
1874 const long sig_len, int num_bytes)
1875{
1876 ECDSA_SIG* ecdsa_sig;
1877 const BIGNUM *r, *s;
1878 unsigned char *data = (unsigned char*)ldns_buffer_begin(sig);
1879 ldns_rdf* rdf;
1880 ecdsa_sig = d2i_ECDSA_SIG(NULL, (const unsigned char **)&data, sig_len);
1881 if(!ecdsa_sig) return NULL;
1882
1883#ifdef HAVE_ECDSA_SIG_GET0
1884 ECDSA_SIG_get0(ecdsa_sig, &r, &s);
1885#else
1886 r = ecdsa_sig->r;
1887 s = ecdsa_sig->s;
1888#endif
1889 /* "r | s". */
1890 if(BN_num_bytes(r) > num_bytes ||
1891 BN_num_bytes(s) > num_bytes) {
1892 ECDSA_SIG_free(ecdsa_sig);
1893 return NULL; /* numbers too big for passed curve size */
1894 }
1895 data = LDNS_XMALLOC(unsigned char, num_bytes*2);
1896 if(!data) {
1897 ECDSA_SIG_free(ecdsa_sig);
1898 return NULL;
1899 }
1900 /* write the bignums (in big-endian) a little offset if the BN code
1901 * wants to write a shorter number of bytes, with zeroes prefixed */
1902 memset(data, 0, num_bytes*2);
1903 BN_bn2bin(r, data+num_bytes-BN_num_bytes(r));
1904 BN_bn2bin(s, data+num_bytes*2-BN_num_bytes(s));
1905 rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, (size_t)(num_bytes*2), data);
1906 ECDSA_SIG_free(ecdsa_sig);
1907 return rdf;
1908}
1909
1910ldns_status
1911ldns_convert_ecdsa_rrsig_rdf2asn1(ldns_buffer *target_buffer,
1912 const ldns_rdf *sig_rdf)
1913{
1914 /* convert from two BIGNUMs in the rdata buffer, to ASN notation.
1915 * ASN preamble: 30440220 <R 32bytefor256> 0220 <S 32bytefor256>
1916 * the '20' is the length of that field (=bnsize).
1917 * the '44' is the total remaining length.
1918 * if negative, start with leading zero.
1919 * if starts with 00s, remove them from the number.
1920 */
1921 uint8_t pre[] = {0x30, 0x44, 0x02, 0x20};
1922 int pre_len = 4;
1923 uint8_t mid[] = {0x02, 0x20};
1924 int mid_len = 2;
1925 int raw_sig_len, r_high, s_high, r_rem=0, s_rem=0;
1926 long bnsize = (long)ldns_rdf_size(sig_rdf) / 2;
1927 uint8_t* d = ldns_rdf_data(sig_rdf);
1928 /* if too short, or not even length, do not bother */
1929 if(bnsize < 16 || (size_t)bnsize*2 != ldns_rdf_size(sig_rdf))
1930 return LDNS_STATUS_ERR;
1931 /* strip leading zeroes from r (but not last one) */
1932 while(r_rem < bnsize-1 && d[r_rem] == 0)
1933 r_rem++;
1934 /* strip leading zeroes from s (but not last one) */
1935 while(s_rem < bnsize-1 && d[bnsize+s_rem] == 0)
1936 s_rem++;
1937
1938 r_high = ((d[0+r_rem]&0x80)?1:0);
1939 s_high = ((d[bnsize+s_rem]&0x80)?1:0);
1940 raw_sig_len = pre_len + r_high + bnsize - r_rem + mid_len +
1941 s_high + bnsize - s_rem;
1942 if(ldns_buffer_reserve(target_buffer, (size_t) raw_sig_len)) {
1943 ldns_buffer_write_u8(target_buffer, pre[0]);
1944 ldns_buffer_write_u8(target_buffer, raw_sig_len-2);
1945 ldns_buffer_write_u8(target_buffer, pre[2]);
1946 ldns_buffer_write_u8(target_buffer, bnsize + r_high - r_rem);
1947 if(r_high)
1948 ldns_buffer_write_u8(target_buffer, 0);
1949 ldns_buffer_write(target_buffer, d+r_rem, bnsize-r_rem);
1950 ldns_buffer_write(target_buffer, mid, mid_len-1);
1951 ldns_buffer_write_u8(target_buffer, bnsize + s_high - s_rem);
1952 if(s_high)
1953 ldns_buffer_write_u8(target_buffer, 0);
1954 ldns_buffer_write(target_buffer, d+bnsize+s_rem, bnsize-s_rem);
1955 }
1956 return ldns_buffer_status(target_buffer);
1957}
1958
1959#endif /* S_SPLINT_S */
1960#endif /* USE_ECDSA */
1961#endif /* HAVE_SSL */
ldns_buffer_free
void ldns_buffer_free(ldns_buffer *buffer)
frees the buffer.
Definition buffer.c:137
ldns_buffer_new
ldns_buffer * ldns_buffer_new(size_t capacity)
creates a new buffer with the specified capacity.
Definition buffer.c:16
ldns_buffer_reserve
signed char ldns_buffer_reserve(ldns_buffer *buffer, size_t amount)
ensures BUFFER can contain at least AMOUNT more bytes.
Definition buffer.c:80
LDNS_MIN_BUFLEN
#define LDNS_MIN_BUFLEN
number of initial bytes in buffer of which we cannot tell the size before hand
Definition buffer.h:33
ATTR_UNUSED
#define ATTR_UNUSED(x)
Definition common.h:72
ldns_dname_compare
int ldns_dname_compare(const ldns_rdf *dname1, const ldns_rdf *dname2)
Compares the two dname rdf's according to the algorithm for ordering in RFC4034 Section 6.
Definition dname.c:359
ldns_dname_left_chop
ldns_rdf * ldns_dname_left_chop(const ldns_rdf *d)
chop one label off the left side of a dname.
Definition dname.c:189
ldns_dname2canonical
void ldns_dname2canonical(const ldns_rdf *rdf)
Put a dname into canonical fmt - ie.
Definition dname.c:280
ldns_dname_label
ldns_rdf * ldns_dname_label(const ldns_rdf *rdf, uint8_t labelpos)
look inside the rdf and if it is an LDNS_RDF_TYPE_DNAME try and retrieve a specific label.
Definition dname.c:560
ldns_dname_label_count
uint8_t ldns_dname_label_count(const ldns_rdf *r)
count the number of labels inside a LDNS_RDF_DNAME type rdf.
Definition dname.c:214
ldns_dname_cat
ldns_status ldns_dname_cat(ldns_rdf *rd1, const ldns_rdf *rd2)
concatenates rd2 after rd1 (rd2 is copied, rd1 is modified)
Definition dname.c:90
ldns_dname_new_frm_str
ldns_rdf * ldns_dname_new_frm_str(const char *str)
creates a new dname rdf from a string.
Definition dname.c:268
ldns_digest_evp
int ldns_digest_evp(const unsigned char *data, unsigned int len, unsigned char *dest, const EVP_MD *md)
Utility function to calculate hash using generic EVP_MD pointer.
Definition dnssec.c:490
ldns_dnssec_default_delete_signatures
int ldns_dnssec_default_delete_signatures(ldns_rr *sig __attribute__((unused)), void *n __attribute__((unused)))
Definition dnssec.c:1731
ldns_dnssec_pkt_get_rrsigs_for_type
ldns_rr_list * ldns_dnssec_pkt_get_rrsigs_for_type(const ldns_pkt *pkt, ldns_rr_type type)
Returns a ldns_rr_list containing the signatures covering the given type.
Definition dnssec.c:250
ldns_nsec3_next_owner
ldns_rdf * ldns_nsec3_next_owner(const ldns_rr *nsec3_rr)
Returns the first label of the next ownername in the NSEC3 chain (ie.
Definition dnssec.c:1350
ldns_nsec_bitmap_covers_type
signed char ldns_nsec_bitmap_covers_type(const ldns_rdf *bitmap, ldns_rr_type type)
Check if RR type t is enumerated and set in the RR type bitmap rdf.
Definition dnssec.c:1395
ldns_dnssec_nsec3_closest_encloser
ldns_rdf * ldns_dnssec_nsec3_closest_encloser(const ldns_rdf *qname, ldns_rr_type qtype __attribute__((unused)), const ldns_rr_list *nsec3s)
Definition dnssec.c:102
ldns_dnssec_create_nsec3
ldns_rr * ldns_dnssec_create_nsec3(const ldns_dnssec_name *from, const ldns_dnssec_name *to, const ldns_rdf *zone_name, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, const uint8_t *salt)
Creates NSEC3.
Definition dnssec.c:871
ldns_key_buf2dsa
DSA * ldns_key_buf2dsa(const ldns_buffer *key)
converts a buffer holding key material to a DSA key in openssl.
Definition dnssec.c:338
ldns_nsec3_iterations
uint16_t ldns_nsec3_iterations(const ldns_rr *nsec3_rr)
Returns the number of hash iterations used in the given NSEC3 RR.
Definition dnssec.c:1294
ldns_key_rr2ds
ldns_rr * ldns_key_rr2ds(const ldns_rr *key, ldns_hash h)
returns a new DS rr that represents the given key rr.
Definition dnssec.c:509
ldns_nsec3_hash_name
ldns_rdf * ldns_nsec3_hash_name(const ldns_rdf *name, uint8_t algorithm, uint16_t iterations, uint8_t salt_length, const uint8_t *salt)
Calculates the hashed name using the given parameters.
Definition dnssec.c:1010
ldns_dnssec_get_rrsig_for_name_and_type
ldns_rr * ldns_dnssec_get_rrsig_for_name_and_type(const ldns_rdf *name, const ldns_rr_type type, const ldns_rr_list *rrs)
Returns the first RRSIG rr that corresponds to the rrset with the given name and type.
Definition dnssec.c:34
ldns_nsec3_salt
ldns_rdf * ldns_nsec3_salt(const ldns_rr *nsec3_rr)
Returns the salt used in the given NSEC3 RR.
Definition dnssec.c:1308
ldns_rr_list_sort_nsec3
void ldns_rr_list_sort_nsec3(ldns_rr_list *unsorted)
sort nsec3 list
Definition dnssec.c:1706
ldns_convert_ecdsa_rrsig_rdf2asn1
ldns_status ldns_convert_ecdsa_rrsig_rdf2asn1(ldns_buffer *target_buffer, const ldns_rdf *sig_rdf)
Converts the RRSIG signature RDF (from DNS) to a buffer with the signature in ASN1 format as openssl ...
Definition dnssec.c:1911
ldns_key_buf2dsa_raw
DSA * ldns_key_buf2dsa_raw(const unsigned char *key, size_t len)
Like ldns_key_buf2dsa, but uses raw buffer.
Definition dnssec.c:345
ldns_dnssec_default_replace_signatures
int ldns_dnssec_default_replace_signatures(ldns_rr *sig __attribute__((unused)), void *n __attribute__((unused)))
Definition dnssec.c:1739
ldns_dnssec_pkt_get_rrsigs_for_name_and_type
ldns_rr_list * ldns_dnssec_pkt_get_rrsigs_for_name_and_type(const ldns_pkt *pkt, const ldns_rdf *name, ldns_rr_type type)
Returns a ldns_rr_list containing the signatures covering the given name and type.
Definition dnssec.c:223
ldns_create_nsec3
ldns_rr * ldns_create_nsec3(const ldns_rdf *cur_owner, const ldns_rdf *cur_zone, const ldns_rr_list *rrs, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, const uint8_t *salt, signed char emptynonterminal)
Definition dnssec.c:1180
ldns_nsec3_salt_data
uint8_t * ldns_nsec3_salt_data(const ldns_rr *nsec3_rr)
Returns the salt bytes used in the given NSEC3 RR.
Definition dnssec.c:1331
ldns_nsec_get_bitmap
ldns_rdf * ldns_nsec_get_bitmap(const ldns_rr *nsec)
Returns the rdata field that contains the bitmap of the covered types of the given NSEC record.
Definition dnssec.c:89
ldns_dnssec_get_dnskey_for_rrsig
ldns_rr * ldns_dnssec_get_dnskey_for_rrsig(const ldns_rr *rrsig, const ldns_rr_list *rrs)
Returns the DNSKEY that corresponds to the given RRSIG rr from the list, if any.
Definition dnssec.c:62
ldns_nsec3_add_param_rdfs
void ldns_nsec3_add_param_rdfs(ldns_rr *rr, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, const uint8_t *salt)
Sets all the NSEC3 options.
Definition dnssec.c:1109
ldns_nsec_covers_name
signed char ldns_nsec_covers_name(const ldns_rr *nsec, const ldns_rdf *name)
Checks coverage of NSEC(3) RR name span Remember that nsec and name must both be in canonical form (i...
Definition dnssec.c:1510
ldns_dnssec_default_add_to_signatures
int ldns_dnssec_default_add_to_signatures(ldns_rr *sig __attribute__((unused)), void *n __attribute__((unused)))
Definition dnssec.c:1715
ldns_dnssec_pkt_has_rrsigs
signed char ldns_dnssec_pkt_has_rrsigs(const ldns_pkt *pkt)
Checks whether the packet contains rrsigs.
Definition dnssec.c:204
ldns_calc_keytag_raw
uint16_t ldns_calc_keytag_raw(const uint8_t *key, size_t keysize)
Calculates keytag of DNSSEC key, operates on wireformat rdata.
Definition dnssec.c:308
ldns_calc_keytag
uint16_t ldns_calc_keytag(const ldns_rr *key)
calculates a keytag of a key for use in DNSSEC.
Definition dnssec.c:277
ldns_dnssec_create_nsec_bitmap
ldns_rdf * ldns_dnssec_create_nsec_bitmap(ldns_rr_type rr_type_list[], size_t size, ldns_rr_type nsec_type)
Create the type bitmap for an NSEC(3) record.
Definition dnssec.c:721
ldns_nsec3_salt_length
uint8_t ldns_nsec3_salt_length(const ldns_rr *nsec3_rr)
Returns the length of the salt used in the given NSEC3 RR.
Definition dnssec.c:1320
ldns_dnssec_default_leave_signatures
int ldns_dnssec_default_leave_signatures(ldns_rr *sig __attribute__((unused)), void *n __attribute__((unused)))
Definition dnssec.c:1723
ldns_nsec3_flags
uint8_t ldns_nsec3_flags(const ldns_rr *nsec3_rr)
Returns flags field.
Definition dnssec.c:1275
ldns_nsec3_hash_name_frm_nsec3
ldns_rdf * ldns_nsec3_hash_name_frm_nsec3(const ldns_rr *nsec, const ldns_rdf *name)
Calculates the hashed name using the parameters of the given NSEC3 RR.
Definition dnssec.c:1370
ldns_key_buf2rsa_raw
RSA * ldns_key_buf2rsa_raw(const unsigned char *key, size_t len)
Like ldns_key_buf2rsa, but uses raw buffer.
Definition dnssec.c:422
ldns_convert_dsa_rrsig_rdf2asn1
ldns_status ldns_convert_dsa_rrsig_rdf2asn1(ldns_buffer *target_buffer, const ldns_rdf *sig_rdf)
Converts the RRSIG signature RDF (in rfc2536 format) to a buffer with the signature in rfc2459 format...
Definition dnssec.c:1809
ldns_pkt_verify_time
ldns_status ldns_pkt_verify_time(const ldns_pkt *p, ldns_rr_type t, const ldns_rdf *o, const ldns_rr_list *k, const ldns_rr_list *s, time_t check_time, ldns_rr_list *good_keys)
verify a packet
Definition dnssec.c:1561
ldns_key_buf2rsa
RSA * ldns_key_buf2rsa(const ldns_buffer *key)
converts a buffer holding key material to a RSA key in openssl.
Definition dnssec.c:415
ldns_nsec3_algorithm
uint8_t ldns_nsec3_algorithm(const ldns_rr *nsec3_rr)
Returns the hash algorithm used in the given NSEC3 RR.
Definition dnssec.c:1262
ldns_nsec3_optout
signed char ldns_nsec3_optout(const ldns_rr *nsec3_rr)
Returns true if the opt-out flag has been set in the given NSEC3 RR.
Definition dnssec.c:1288
ldns_nsec_bitmap_set_type
ldns_status ldns_nsec_bitmap_set_type(ldns_rdf *bitmap, ldns_rr_type type)
Checks if RR type t is enumerated in the type bitmap rdf and sets the bit.
Definition dnssec.c:1432
ldns_nsec_bitmap_clear_type
ldns_status ldns_nsec_bitmap_clear_type(ldns_rdf *bitmap, ldns_rr_type type)
Checks if RR type t is enumerated in the type bitmap rdf and clears the bit.
Definition dnssec.c:1470
ldns_pkt_verify
ldns_status ldns_pkt_verify(const ldns_pkt *p, ldns_rr_type t, const ldns_rdf *o, const ldns_rr_list *k, const ldns_rr_list *s, ldns_rr_list *good_keys)
verify a packet
Definition dnssec.c:1628
ldns_dnssec_chain_nsec3_list
ldns_status ldns_dnssec_chain_nsec3_list(ldns_rr_list *nsec3_rrs)
chains nsec3 list
Definition dnssec.c:1636
ldns_convert_ecdsa_rrsig_asn1len2rdf
ldns_rdf * ldns_convert_ecdsa_rrsig_asn1len2rdf(const ldns_buffer *sig, const long sig_len, int num_bytes)
Converts the ECDSA signature from ASN1 representation (as used by OpenSSL) to raw signature data as u...
Definition dnssec.c:1873
qsort_rr_compare_nsec3
int qsort_rr_compare_nsec3(const void *a, const void *b)
compare for nsec3 sort
Definition dnssec.c:1689
ldns_create_nsec
ldns_rr * ldns_create_nsec(ldns_rdf *cur_owner, ldns_rdf *next_owner, ldns_rr_list *rrs)
Create a NSEC record.
Definition dnssec.c:960
ldns_nsec3_bitmap
ldns_rdf * ldns_nsec3_bitmap(const ldns_rr *nsec3_rr)
Returns the bitmap specifying the covered types of the given NSEC3 RR.
Definition dnssec.c:1360
ldns_dnssec_create_nsec
ldns_rr * ldns_dnssec_create_nsec(const ldns_dnssec_name *from, const ldns_dnssec_name *to, ldns_rr_type nsec_type)
Creates NSEC.
Definition dnssec.c:817
ldns_dnssec_rrsets_contains_type
int ldns_dnssec_rrsets_contains_type(const ldns_dnssec_rrsets *rrsets, ldns_rr_type type)
returns whether a rrset of the given type is found in the rrsets.
Definition dnssec.c:803
ldns_convert_dsa_rrsig_asn12rdf
ldns_rdf * ldns_convert_dsa_rrsig_asn12rdf(const ldns_buffer *sig, const long sig_len)
Converts the DSA signature from ASN1 representation (RFC2459, as used by OpenSSL) to raw signature da...
Definition dnssec.c:1748
dnssec.h
This module contains base functions for DNSSEC operations (RFC4033 t/m RFC4035).
LDNS_SIGNATURE_LEAVE_ADD_NEW
#define LDNS_SIGNATURE_LEAVE_ADD_NEW
return values for the old-signature callback
Definition dnssec.h:47
LDNS_SIGNATURE_REMOVE_NO_ADD
#define LDNS_SIGNATURE_REMOVE_NO_ADD
Definition dnssec.h:50
LDNS_SIGNATURE_REMOVE_ADD_NEW
#define LDNS_SIGNATURE_REMOVE_ADD_NEW
Definition dnssec.h:49
LDNS_SIGNATURE_LEAVE_NO_ADD
#define LDNS_SIGNATURE_LEAVE_NO_ADD
Definition dnssec.h:48
ldns_verify_time
ldns_status ldns_verify_time(const ldns_rr_list *rrset, const ldns_rr_list *rrsig, const ldns_rr_list *keys, time_t check_time, ldns_rr_list *good_keys)
Verifies a list of signatures for one rrset.
Definition dnssec_verify.c:1098
ldns_dnssec_name_name
ldns_rdf * ldns_dnssec_name_name(const ldns_dnssec_name *name)
Returns the domain name of the given dnssec_name structure.
Definition dnssec_zone.c:396
LDNS_STATUS_CRYPTO_ALGO_NOT_IMPL
@ LDNS_STATUS_CRYPTO_ALGO_NOT_IMPL
Definition error.h:53
LDNS_STATUS_SSL_ERR
@ LDNS_STATUS_SSL_ERR
Definition error.h:36
LDNS_STATUS_ERR
@ LDNS_STATUS_ERR
Definition error.h:37
LDNS_STATUS_MEM_ERR
@ LDNS_STATUS_MEM_ERR
Definition error.h:34
LDNS_STATUS_TYPE_NOT_IN_BITMAP
@ LDNS_STATUS_TYPE_NOT_IN_BITMAP
Definition error.h:127
LDNS_STATUS_SYNTAX_RDATA_ERR
@ LDNS_STATUS_SYNTAX_RDATA_ERR
Definition error.h:83
LDNS_STATUS_OK
@ LDNS_STATUS_OK
Definition error.h:26
ldns_status
enum ldns_enum_status ldns_status
Definition error.h:149
ldns_get_errorstr_by_id
const char * ldns_get_errorstr_by_id(ldns_status err)
look up a descriptive text by each error.
Definition error.c:198
ldns_rdf_print
void ldns_rdf_print(FILE *output, const ldns_rdf *rdf)
Prints the data in the rdata field to the given file stream (in presentation format)
Definition host2str.c:3454
ldns_rdf2str
char * ldns_rdf2str(const ldns_rdf *rdf)
Converts the data in the rdata field to presentation format and returns that as a char *.
Definition host2str.c:3336
ldns_rdf2buffer_wire
ldns_status ldns_rdf2buffer_wire(ldns_buffer *output, const ldns_rdf *rdf)
Copies the rdata data to the buffer in wire format.
Definition host2wire.c:109
ldns_rr_rdata2buffer_wire
ldns_status ldns_rr_rdata2buffer_wire(ldns_buffer *output, const ldns_rr *rr)
Converts an rr's rdata to wireformat, while excluding the ownername and all the stuff before the rdat...
Definition host2wire.c:314
ldns_key_EVP_load_gost_id
int ldns_key_EVP_load_gost_id(void)
Get the PKEY id for GOST, loads GOST into openssl as a side effect.
Definition keys.c:140
LDNS_RSAMD5
@ LDNS_RSAMD5
Definition keys.h:46
ldns_hash
enum ldns_enum_hash ldns_hash
Definition keys.h:76
LDNS_HASH_GOST
@ LDNS_HASH_GOST
Definition keys.h:73
LDNS_SHA256
@ LDNS_SHA256
Definition keys.h:72
LDNS_SHA1
@ LDNS_SHA1
Definition keys.h:71
LDNS_SHA384
@ LDNS_SHA384
Definition keys.h:74
ldns.h
Including this file will include all ldns files, and define some lookup tables.
LDNS_MAX_PACKETLEN
#define LDNS_MAX_PACKETLEN
Definition packet.h:24
ldns_pkt_authority
ldns_rr_list * ldns_pkt_authority(const ldns_pkt *p)
Return the packet's authority section.
Definition packet.c:139
ldns_pkt_rr_list_by_type
ldns_rr_list * ldns_pkt_rr_list_by_type(const ldns_pkt *p, ldns_rr_type t, ldns_pkt_section s)
return all the rr with a specific type from a packet.
Definition packet.c:323
ldns_pkt_ancount
uint16_t ldns_pkt_ancount(const ldns_pkt *p)
Return the packet's an count.
Definition packet.c:109
ldns_pkt_nscount
uint16_t ldns_pkt_nscount(const ldns_pkt *p)
Return the packet's ns count.
Definition packet.c:115
ldns_pkt_answer
ldns_rr_list * ldns_pkt_answer(const ldns_pkt *p)
Return the packet's answer section.
Definition packet.c:133
LDNS_SECTION_ANY_NOQUESTION
@ LDNS_SECTION_ANY_NOQUESTION
used to get all non-question rrs from a packet
Definition packet.h:285
ldns_pkt_rr_list_by_name_and_type
ldns_rr_list * ldns_pkt_rr_list_by_name_and_type(const ldns_pkt *packet, const ldns_rdf *ownername, ldns_rr_type type, ldns_pkt_section sec)
return all the rr with a specific type and type from a packet.
Definition packet.c:359
ldns_rdf_data
uint8_t * ldns_rdf_data(const ldns_rdf *rd)
returns the data of the rdf.
Definition rdata.c:38
ldns_rdf_clone
ldns_rdf * ldns_rdf_clone(const ldns_rdf *rd)
clones a rdf structure.
Definition rdata.c:222
ldns_rdf_get_type
ldns_rdf_type ldns_rdf_get_type(const ldns_rdf *rd)
returns the type of the rdf.
Definition rdata.c:31
ldns_rdf_new_frm_data
ldns_rdf * ldns_rdf_new_frm_data(ldns_rdf_type type, size_t size, const void *data)
allocates a new rdf structure and fills it.
Definition rdata.c:193
LDNS_RDF_SIZE_WORD
#define LDNS_RDF_SIZE_WORD
Definition rdata.h:34
ldns_rdf_deep_free
void ldns_rdf_deep_free(ldns_rdf *rd)
frees a rdf structure and frees the data.
Definition rdata.c:230
ldns_rdf2native_int16
uint16_t ldns_rdf2native_int16(const ldns_rdf *rd)
returns the native uint16_t representation from the rdf.
Definition rdata.c:84
ldns_native2rdf_int16
ldns_rdf * ldns_native2rdf_int16(ldns_rdf_type type, uint16_t value)
returns the rdf containing the native uint16_t representation.
Definition rdata.c:132
ldns_rdf2native_int8
uint8_t ldns_rdf2native_int8(const ldns_rdf *rd)
returns the native uint8_t representation from the rdf.
Definition rdata.c:70
LDNS_RDF_TYPE_B64
@ LDNS_RDF_TYPE_B64
b64 string
Definition rdata.h:70
LDNS_RDF_TYPE_BITMAP
@ LDNS_RDF_TYPE_BITMAP
Definition rdata.h:75
LDNS_RDF_TYPE_NSEC3_SALT
@ LDNS_RDF_TYPE_NSEC3_SALT
nsec3 hash salt
Definition rdata.h:112
LDNS_RDF_TYPE_HEX
@ LDNS_RDF_TYPE_HEX
hex string
Definition rdata.h:72
LDNS_RDF_TYPE_INT8
@ LDNS_RDF_TYPE_INT8
8 bits
Definition rdata.h:52
LDNS_RDF_TYPE_INT16
@ LDNS_RDF_TYPE_INT16
16 bits
Definition rdata.h:54
LDNS_RDF_TYPE_TYPE
@ LDNS_RDF_TYPE_TYPE
a RR type
Definition rdata.h:77
ldns_rdf_size
size_t ldns_rdf_size(const ldns_rdf *rd)
returns the size of the rdf.
Definition rdata.c:24
ldns_rdf_new
ldns_rdf * ldns_rdf_new(ldns_rdf_type type, size_t size, void *data)
allocates a new rdf structure and fills it.
Definition rdata.c:179
ldns_rdf_free
void ldns_rdf_free(ldns_rdf *rd)
frees a rdf structure, leaving the data pointer intact.
Definition rdata.c:241
ldns_rdf_compare
int ldns_rdf_compare(const ldns_rdf *rd1, const ldns_rdf *rd2)
compares two rdf's on their wire formats.
Definition rdata.c:663
LDNS_NSEC3_VARS_OPTOUT_MASK
#define LDNS_NSEC3_VARS_OPTOUT_MASK
Definition rdata.h:40
ldns_rr_ttl
uint32_t ldns_rr_ttl(const ldns_rr *rr)
returns the ttl of an rr structure.
Definition rr.c:929
ldns_rdf2rr_type
ldns_rr_type ldns_rdf2rr_type(const ldns_rdf *rd)
convert an rdf of type LDNS_RDF_TYPE_TYPE to an actual LDNS_RR_TYPE.
Definition rr.c:2855
ldns_rr_list_deep_free
void ldns_rr_list_deep_free(ldns_rr_list *rr_list)
frees an rr_list structure and all rrs contained therein.
Definition rr.c:1018
ldns_rr_free
void ldns_rr_free(ldns_rr *rr)
frees an RR structure
Definition rr.c:81
ldns_rr_set_owner
void ldns_rr_set_owner(ldns_rr *rr, ldns_rdf *owner)
sets the owner in the rr structure.
Definition rr.c:802
ldns_rr_new
ldns_rr * ldns_rr_new(void)
creates a new rr structure.
Definition rr.c:30
ldns_rr_type
enum ldns_enum_rr_type ldns_rr_type
Definition rr.h:260
ldns_rr_new_frm_type
ldns_rr * ldns_rr_new_frm_type(ldns_rr_type t)
creates a new rr structure, based on the given type.
Definition rr.c:48
ldns_rr_set_type
void ldns_rr_set_type(ldns_rr *rr, ldns_rr_type rr_type)
sets the type in the rr.
Definition rr.c:826
LDNS_RR_TYPE_RRSIG
@ LDNS_RR_TYPE_RRSIG
DNSSEC.
Definition rr.h:170
LDNS_RR_TYPE_DNSKEY
@ LDNS_RR_TYPE_DNSKEY
Definition rr.h:172
LDNS_RR_TYPE_SOA
@ LDNS_RR_TYPE_SOA
marks the start of a zone of authority
Definition rr.h:90
LDNS_RR_TYPE_NSEC
@ LDNS_RR_TYPE_NSEC
Definition rr.h:171
LDNS_RR_TYPE_DS
@ LDNS_RR_TYPE_DS
RFC4034, RFC3658.
Definition rr.h:164
LDNS_RR_TYPE_KEY
@ LDNS_RR_TYPE_KEY
2535typecode
Definition rr.h:128
LDNS_RR_TYPE_NSEC3PARAM
@ LDNS_RR_TYPE_NSEC3PARAM
Definition rr.h:177
LDNS_RR_TYPE_NSEC3
@ LDNS_RR_TYPE_NSEC3
Definition rr.h:176
LDNS_RR_TYPE_CDNSKEY
@ LDNS_RR_TYPE_CDNSKEY
Definition rr.h:191
LDNS_RR_TYPE_NS
@ LDNS_RR_TYPE_NS
an authoritative name server
Definition rr.h:82
ldns_rr_rdf
ldns_rdf * ldns_rr_rdf(const ldns_rr *rr, size_t nr)
returns the rdata field member counter.
Definition rr.c:907
ldns_rr_list_subtype_by_rdf
ldns_rr_list * ldns_rr_list_subtype_by_rdf(const ldns_rr_list *l, const ldns_rdf *r, size_t pos)
Return the rr_list which matches the rdf at position field.
Definition rr.c:1096
ldns_rr_list_rr_count
size_t ldns_rr_list_rr_count(const ldns_rr_list *rr_list)
returns the number of rr's in an rr_list.
Definition rr.c:955
ldns_rr_get_type
ldns_rr_type ldns_rr_get_type(const ldns_rr *rr)
returns the type of the rr.
Definition rr.c:941
ldns_rr_set_ttl
void ldns_rr_set_ttl(ldns_rr *rr, uint32_t ttl)
sets the ttl in the rr structure.
Definition rr.c:814
ldns_rr_set_rdf
ldns_rdf * ldns_rr_set_rdf(ldns_rr *rr, const ldns_rdf *f, size_t position)
sets a rdf member, it will be set on the position given.
Definition rr.c:838
ldns_rr_get_class
ldns_rr_class ldns_rr_get_class(const ldns_rr *rr)
returns the class of the rr.
Definition rr.c:947
ldns_rr_list_rr
ldns_rr * ldns_rr_list_rr(const ldns_rr_list *rr_list, size_t nr)
returns a specific rr of an rrlist.
Definition rr.c:988
ldns_rr_set_class
void ldns_rr_set_class(ldns_rr *rr, ldns_rr_class rr_class)
sets the class in the rr.
Definition rr.c:832
ldns_rr_push_rdf
signed char ldns_rr_push_rdf(ldns_rr *rr, const ldns_rdf *f)
sets rd_field member, it will be placed in the next available spot.
Definition rr.c:855
ldns_rr_owner
ldns_rdf * ldns_rr_owner(const ldns_rr *rr)
returns the owner name of an rr structure.
Definition rr.c:917
ldns_rr_rrsig_keytag
ldns_rdf * ldns_rr_rrsig_keytag(const ldns_rr *r)
returns the keytag of a LDNS_RR_TYPE_RRSIG RR
Definition rr_functions.c:183
ldns_rr_rrsig_typecovered
ldns_rdf * ldns_rr_rrsig_typecovered(const ldns_rr *r)
returns the type covered of a LDNS_RR_TYPE_RRSIG rr
Definition rr_functions.c:111
ldns_rr_rrsig_signame
ldns_rdf * ldns_rr_rrsig_signame(const ldns_rr *r)
returns the signers name of a LDNS_RR_TYPE_RRSIG RR
Definition rr_functions.c:195
ldns_sha1
unsigned char * ldns_sha1(const unsigned char *data, unsigned int data_len, unsigned char *digest)
Convenience function to digest a fixed block of data at once.
Definition sha1.c:171
LDNS_SHA1_DIGEST_LENGTH
#define LDNS_SHA1_DIGEST_LENGTH
Definition sha1.h:16
R
#define R(b, x)
Definition sha2.c:191
ldns_sha256
unsigned char * ldns_sha256(const unsigned char *data, unsigned int data_len, unsigned char *digest)
Convenience function to digest a fixed block of data at once.
Definition sha2.c:625
LDNS_SHA256_DIGEST_LENGTH
#define LDNS_SHA256_DIGEST_LENGTH
Definition sha2.h:63
ldns_str2rdf_b32_ext
ldns_status ldns_str2rdf_b32_ext(ldns_rdf **rd, const char *str)
convert the string with the b32 ext hex data into wireformat
Definition str2host.c:676
ldns_str2rdf_dname
ldns_status ldns_str2rdf_dname(ldns_rdf **rd, const char *str)
convert a dname string into wireformat
Definition str2host.c:374
ldns_struct_buffer
implementation of buffers to ease operations
Definition buffer.h:51
ldns_struct_dnssec_name
Definition dnssec_zone.h:46
ldns_struct_dnssec_name::hashed_name
ldns_rdf * hashed_name
pointer to store the hashed name (only used when in an NSEC3 zone
Definition dnssec_zone.h:85
ldns_struct_dnssec_name::rrsets
ldns_dnssec_rrsets * rrsets
The rrsets for this name.
Definition dnssec_zone.h:63
ldns_struct_dnssec_rrsets
Definition dnssec_zone.h:33
ldns_struct_dnssec_rrsets::type
ldns_rr_type type
Definition dnssec_zone.h:35
ldns_struct_dnssec_rrsets::next
ldns_dnssec_rrsets * next
Definition dnssec_zone.h:37
ldns_struct_pkt
DNS packet.
Definition packet.h:235
ldns_struct_rdf
Resource record data field.
Definition rdata.h:203
ldns_struct_rr_list
List or Set of Resource Records.
Definition rr.h:355
ldns_struct_rr_list::_rrs
ldns_rr ** _rrs
Definition rr.h:358
ldns_struct_rr
Resource Record.
Definition rr.h:327
ldns_b32_ntop_extended_hex
int ldns_b32_ntop_extended_hex(const uint8_t *src_data, size_t src_data_length, char *target_text_buffer, size_t target_text_buffer_size)
Definition util.c:611
LDNS_FREE
#define LDNS_FREE(ptr)
Definition util.h:60
LDNS_CALLOC
#define LDNS_CALLOC(type, count)
Definition util.h:53
LDNS_XMALLOC
#define LDNS_XMALLOC(type, count)
Definition util.h:51