-/*
+/*
* dnssec.c
*
* contains the cryptographic function needed for DNSSEC in ldns
{
size_t i;
ldns_rr *candidate;
-
+
if (!name || !rrs) {
return NULL;
}
-
+
for (i = 0; i < ldns_rr_list_rr_count(rrs); i++) {
candidate = ldns_rr_list_rr(rrs, i);
if (ldns_rr_get_type(candidate) == LDNS_RR_TYPE_RRSIG) {
}
}
}
-
+
return NULL;
}
{
size_t i;
ldns_rr *candidate;
-
+
if (!rrsig || !rrs) {
return NULL;
}
-
+
for (i = 0; i < ldns_rr_list_rr_count(rrs); i++) {
candidate = ldns_rr_list_rr(rrs, i);
if (ldns_rr_get_type(candidate) == LDNS_RR_TYPE_DNSKEY) {
}
}
}
-
+
return NULL;
}
ldns_rdf *sname, *hashed_sname, *tmp;
ldns_rr *ce;
bool flag;
-
+
bool exact_match_found;
bool in_range_found;
-
+
ldns_status status;
ldns_rdf *zone_name;
-
+
size_t nsec_i;
ldns_rr *nsec;
ldns_rdf *result = NULL;
qtype = qtype;
-
+
if (!qname || !nsec3s || ldns_rr_list_rr_count(nsec3s) < 1) {
return NULL;
}
ce = NULL;
flag = false;
-
+
zone_name = ldns_dname_left_chop(ldns_rr_owner(nsec));
/* algorithm from nsec3-07 8.3 */
while (ldns_dname_label_count(sname) > 0) {
exact_match_found = false;
in_range_found = false;
-
+
hashed_sname = ldns_nsec3_hash_name(sname,
algorithm,
iterations,
for (nsec_i = 0; nsec_i < ldns_rr_list_rr_count(nsec3s); nsec_i++) {
nsec = ldns_rr_list_rr(nsec3s, nsec_i);
-
+
/* check values of iterations etc! */
-
+
/* exact match? */
if (ldns_dname_compare(ldns_rr_owner(nsec), hashed_sname) == 0) {
exact_match_found = true;
} else if (ldns_nsec_covers_name(nsec, hashed_sname)) {
in_range_found = true;
}
-
+
}
if (!exact_match_found && in_range_found) {
flag = true;
} else {
flag = false;
}
-
+
ldns_rdf_deep_free(hashed_sname);
tmp = sname;
sname = ldns_dname_left_chop(sname);
ldns_rr_list *sigs;
ldns_rr_list *sigs_covered;
ldns_rdf *rdf_t;
-
+
sigs = ldns_pkt_rr_list_by_type(pkt,
LDNS_RR_TYPE_RRSIG,
LDNS_SECTION_ANY_NOQUESTION
2,
&t_netorder);
sigs_covered = ldns_rr_list_subtype_by_rdf(sigs, rdf_t, 0);
-
+
ldns_rdf_free(rdf_t);
ldns_rr_list_deep_free(sigs);
T = (uint8_t)key[0];
length = (64 + T * 8);
offset = 1;
-
+
if (T > 8) {
return NULL;
}
if(len < (size_t)1 + SHA_DIGEST_LENGTH + 3*length)
return NULL;
-
+
Q = BN_bin2bn(key+offset, SHA_DIGEST_LENGTH, NULL);
offset += SHA_DIGEST_LENGTH;
-
+
P = BN_bin2bn(key+offset, (int)length, NULL);
offset += length;
-
+
G = BN_bin2bn(key+offset, (int)length, NULL);
offset += length;
-
+
Y = BN_bin2bn(key+offset, (int)length, NULL);
offset += length;
-
+
/* create the key and set its properties */
dsa = DSA_new();
dsa->p = P;
/* key length at least one */
if(len < (size_t)offset + exp + 1)
return NULL;
-
+
/* Exponent */
exponent = BN_new();
(void) BN_bin2bn(key+offset, (int)exp, exponent);
{
EVP_MD_CTX* ctx;
ctx = EVP_MD_CTX_create();
- if(!ctx)
+ if(!ctx)
return false;
if(!EVP_DigestInit_ex(ctx, md, NULL) ||
!EVP_DigestUpdate(ctx, data, len) ||
/* all the rdata's */
if (ldns_rr_rdata2buffer_wire(data_buf,
- (ldns_rr*)key) != LDNS_STATUS_OK) {
+ (ldns_rr*)key) != LDNS_STATUS_OK) {
LDNS_FREE(digest);
ldns_buffer_free(data_buf);
ldns_rr_free(ds);
memcpy(data + cur_data_size + 2, cur_data, cur_window_max+1);
cur_data_size += cur_window_max + 3;
}
-
+
bitmap_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_NSEC,
cur_data_size,
data);
type_count++;
cur_rrsets = cur_rrsets->next;
}
- /* always add rrsig type if this is not an unsigned
+ /* always add rrsig type if this is not an unsigned
* delegation
*/
if (type_count > 0 &&
types[type_count] = LDNS_RR_TYPE_RRSIG;
type_count++;
}
-
+
/* leave next rdata empty if they weren't precomputed yet */
if (to && to->hashed_name) {
(void) ldns_rr_set_rdf(nsec_rr,
ldns_create_nsec(ldns_rdf *cur_owner, ldns_rdf *next_owner, ldns_rr_list *rrs)
{
/* we do not do any check here - garbage in, garbage out */
-
+
/* the the start and end names - get the type from the
* before rrlist */
* sha1 at the moment */
unsigned char hash[LDNS_SHA1_DIGEST_LENGTH];
ldns_status status;
-
+
/* prepare the owner name according to the draft section bla */
orig_owner_str = ldns_rdf2str(name);
-
+
/* TODO: mnemonic list for hash algs SHA-1, default to 1 now (sha1) */
algorithm = algorithm;
-
+
hashed_owner_str_len = salt_length + ldns_rdf_size(name);
hashed_owner_str = LDNS_XMALLOC(unsigned char, hashed_owner_str_len);
memcpy(hashed_owner_str, ldns_rdf_data(name), ldns_rdf_size(name));
void
ldns_nsec3_add_param_rdfs(ldns_rr *rr,
- uint8_t algorithm,
+ uint8_t algorithm,
uint8_t flags,
uint16_t iterations,
uint8_t salt_length,
1, (void*)&flags),
1);
if (old) ldns_rdf_deep_free(old);
-
+
old = ldns_rr_set_rdf(rr,
ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16,
iterations),
2);
if (old) ldns_rdf_deep_free(old);
-
+
salt_data = LDNS_XMALLOC(uint8_t, salt_length + 1);
salt_data[0] = salt_length;
memcpy(salt_data + 1, salt, salt_length);
ldns_rr *nsec = NULL;
ldns_rdf *hashed_owner = NULL;
-
+
uint8_t *data = NULL;
uint8_t cur_data[32];
uint8_t cur_window = 0;
ldns_status status;
-
+
hashed_owner = ldns_nsec3_hash_name(cur_owner,
algorithm,
iterations,
salt_length,
salt);
status = ldns_dname_cat(hashed_owner, cur_zone);
-
+
nsec = ldns_rr_new_frm_type(LDNS_RR_TYPE_NSEC3);
ldns_rr_set_type(nsec, LDNS_RR_TYPE_NSEC3);
ldns_rr_set_owner(nsec, hashed_owner);
-
+
ldns_nsec3_add_param_rdfs(nsec,
algorithm,
flags,
uint16_t iterations;
uint8_t salt_length;
uint8_t *salt = 0;
-
+
ldns_rdf *hashed_owner;
algorithm = ldns_nsec3_algorithm(nsec);
salt_length = ldns_nsec3_salt_length(nsec);
salt = ldns_nsec3_salt_data(nsec);
iterations = ldns_nsec3_iterations(nsec);
-
+
hashed_owner = ldns_nsec3_hash_name(name,
algorithm,
iterations,
salt_length,
salt);
-
+
LDNS_FREE(salt);
return hashed_owner;
}
uint16_t pos = 0;
uint16_t bit_pos;
uint8_t *data = ldns_rdf_data(nsec_bitmap);
-
+
while(pos < ldns_rdf_size(nsec_bitmap)) {
window_block_nr = data[pos];
bitmap_length = data[pos + 1];
pos += 2;
-
+
for (bit_pos = 0; bit_pos < (bitmap_length) * 8; bit_pos++) {
if (ldns_get_bit(&data[pos], bit_pos)) {
cur_type = 256 * (uint16_t) window_block_nr + bit_pos;
}
}
}
-
+
pos += (uint16_t) bitmap_length;
}
return false;
ldns_status status;
ldns_rdf *chopped_dname;
bool result;
-
+
if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC) {
nsec_next = ldns_rdf_clone(ldns_rr_rdf(nsec, 0));
} else if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC3) {
ldns_rdf_deep_free(nsec_next);
return false;
}
-
+
/* in the case of the last nsec */
if(ldns_dname_compare(nsec_owner, nsec_next) > 0) {
result = (ldns_dname_compare(nsec_owner, name) <= 0 ||
result = (ldns_dname_compare(nsec_owner, name) <= 0 &&
ldns_dname_compare(name, nsec_next) < 0);
}
-
+
ldns_rdf_deep_free(nsec_next);
return result;
}
#ifdef HAVE_SSL
/* sig may be null - if so look in the packet */
ldns_status
-ldns_pkt_verify(ldns_pkt *p, ldns_rr_type t, ldns_rdf *o,
+ldns_pkt_verify(ldns_pkt *p, ldns_rr_type t, ldns_rdf *o,
ldns_rr_list *k, ldns_rr_list *s, ldns_rr_list *good_keys)
{
ldns_rr_list *rrset;
/* we don't have RRSIG(RRSIG) (yet? ;-) ) */
return LDNS_STATUS_ERR;
}
-
+
if (s) {
/* if s is not NULL, the sigs are given to use */
sigs = s;
} else {
/* otherwise get them from the packet */
- sigs = ldns_pkt_rr_list_by_name_and_type(p, o, LDNS_RR_TYPE_RRSIG,
+ sigs = ldns_pkt_rr_list_by_name_and_type(p, o, LDNS_RR_TYPE_RRSIG,
LDNS_SECTION_ANY_NOQUESTION);
if (!sigs) {
/* no sigs */
2,
&t_netorder);
sigs_covered = ldns_rr_list_subtype_by_rdf(sigs, rdf_t, 0);
-
+
rrset = ldns_pkt_rr_list_by_name_and_type(p,
o,
t,
for (i = 0; i < ldns_rr_list_rr_count(nsec3_rrs); i++) {
if (i == ldns_rr_list_rr_count(nsec3_rrs) - 1) {
- next_nsec_owner_label =
+ next_nsec_owner_label =
ldns_dname_label(ldns_rr_owner(ldns_rr_list_rr(nsec3_rrs,
0)), 0);
next_nsec_owner_str = ldns_rdf2str(next_nsec_owner_label);
ldns_rdf_deep_free(next_nsec_owner_label);
LDNS_FREE(next_nsec_owner_str);
} else {
- next_nsec_owner_label =
+ next_nsec_owner_label =
ldns_dname_label(ldns_rr_owner(ldns_rr_list_rr(nsec3_rrs,
i + 1)),
0);
}
if (rr1 == NULL) {
return -1;
- }
+ }
if (rr2 == NULL) {
return 1;
}
}
memset(&dsasig_data[21], 0, byte_offset);
BN_bn2bin(dsasig->s, &dsasig_data[21 + byte_offset]);
-
+
sigdata_rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, 41, dsasig_data);
DSA_SIG_free(dsasig);
DSA_SIG *dsasig;
unsigned char *raw_sig = NULL;
int raw_sig_len;
-
+
/* extract the R and S field from the sig buffer */
t = ldns_rdf_data(sig_rdf)[0];
R = BN_new();
dsasig->r = R;
dsasig->s = S;
-
+
raw_sig_len = i2d_DSA_SIG(dsasig, &raw_sig);
if (raw_sig_len < 0) {
DSA_SIG_free(dsasig);
projects / thirdparty / ldns.git / commitdiff
