00001 #include <ldns/config.h>
00002
00003 #include <ldns/ldns.h>
00004
00005 #include <strings.h>
00006 #include <time.h>
00007
00008 #ifdef HAVE_SSL
00009
00010
00011
00012 #include <openssl/ssl.h>
00013 #include <openssl/evp.h>
00014 #include <openssl/rand.h>
00015 #include <openssl/err.h>
00016 #include <openssl/md5.h>
00017
00018 ldns_dnssec_data_chain *
00019 ldns_dnssec_data_chain_new()
00020 {
00021 ldns_dnssec_data_chain *nc = LDNS_XMALLOC(ldns_dnssec_data_chain, 1);
00022 nc->rrset = NULL;
00023 nc->parent_type = 0;
00024 nc->parent = NULL;
00025 nc->signatures = NULL;
00026 nc->packet_rcode = 0;
00027 nc->packet_qtype = 0;
00028 nc->packet_nodata = false;
00029 return nc;
00030 }
00031
00032 void
00033 ldns_dnssec_data_chain_free(ldns_dnssec_data_chain *chain)
00034 {
00035 LDNS_FREE(chain);
00036 }
00037
00038 void
00039 ldns_dnssec_data_chain_deep_free(ldns_dnssec_data_chain *chain)
00040 {
00041 ldns_rr_list_deep_free(chain->rrset);
00042 ldns_rr_list_deep_free(chain->signatures);
00043 if (chain->parent) {
00044 ldns_dnssec_data_chain_deep_free(chain->parent);
00045 }
00046 LDNS_FREE(chain);
00047 }
00048
00049 void
00050 ldns_dnssec_data_chain_print(FILE *out, const ldns_dnssec_data_chain *chain)
00051 {
00052 ldns_lookup_table *rcode;
00053 const ldns_rr_descriptor *rr_descriptor;
00054 if (chain) {
00055 ldns_dnssec_data_chain_print(out, chain->parent);
00056 if (ldns_rr_list_rr_count(chain->rrset) > 0) {
00057 rcode = ldns_lookup_by_id(ldns_rcodes,
00058 (int) chain->packet_rcode);
00059 if (rcode) {
00060 fprintf(out, ";; rcode: %s\n", rcode->name);
00061 }
00062
00063 rr_descriptor = ldns_rr_descript(chain->packet_qtype);
00064 if (rr_descriptor && rr_descriptor->_name) {
00065 fprintf(out, ";; qtype: %s\n", rr_descriptor->_name);
00066 } else if (chain->packet_qtype != 0) {
00067 fprintf(out, "TYPE%u",
00068 chain->packet_qtype);
00069 }
00070 if (chain->packet_nodata) {
00071 fprintf(out, ";; NODATA response\n");
00072 }
00073 fprintf(out, "rrset: %p\n", chain->rrset);
00074 ldns_rr_list_print(out, chain->rrset);
00075 fprintf(out, "sigs: %p\n", chain->signatures);
00076 ldns_rr_list_print(out, chain->signatures);
00077 fprintf(out, "---\n");
00078 } else {
00079 fprintf(out, "<no data>\n");
00080 }
00081 }
00082 }
00083
00084 ldns_dnssec_data_chain *
00085 ldns_dnssec_build_data_chain(ldns_resolver *res, uint16_t qflags, const ldns_rr_list *rrset, const ldns_pkt *pkt, ldns_rr *orig_rr)
00086 {
00087 ldns_rr_list *signatures = NULL, *signatures2 = NULL;
00088 ldns_rr_list *keys;
00089 ldns_rr_list *dss;
00090
00091 ldns_rr_list *my_rrset;
00092
00093 ldns_pkt *my_pkt;
00094
00095 ldns_rdf *name = NULL, *key_name = NULL;
00096 ldns_rdf *possible_parent_name;
00097 ldns_rr_type type = 0;
00098 ldns_rr_class c = 0;
00099
00100 bool other_rrset = false;
00101
00102 ldns_dnssec_data_chain *new_chain = ldns_dnssec_data_chain_new();
00103
00104 printf("[XX] Build data chain for: ");
00105 ldns_rr_print(stdout, orig_rr);
00106 printf("[XX] rrset:\n");
00107 ldns_rr_list_print(stdout, rrset);
00108
00109 ldns_pkt_print(stdout, pkt);
00110
00111 if (!ldns_dnssec_pkt_has_rrsigs(pkt)) {
00112 printf("[XX] unsigned!\n");
00113 return new_chain;
00114 }
00115
00116 if (orig_rr) {
00117 new_chain->rrset = ldns_rr_list_new();
00118 ldns_rr_list_push_rr(new_chain->rrset, orig_rr);
00119 new_chain->parent = ldns_dnssec_build_data_chain(res, qflags, rrset, pkt, NULL);
00120 new_chain->packet_rcode = ldns_pkt_get_rcode(pkt);
00121 new_chain->packet_qtype = ldns_rr_get_type(orig_rr);
00122 if (ldns_pkt_ancount(pkt) == 0) {
00123 new_chain->packet_nodata = true;
00124 }
00125 return new_chain;
00126 }
00127
00128 if (!rrset || ldns_rr_list_rr_count(rrset) < 1) {
00129
00130
00131 new_chain->packet_nodata = true;
00132 if (pkt) {
00133
00134 my_rrset = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_NSEC, LDNS_SECTION_ANY_NOQUESTION);
00135 if (my_rrset) {
00136 if (ldns_rr_list_rr_count(my_rrset) > 0) {
00137 type = LDNS_RR_TYPE_NSEC;
00138 other_rrset = true;
00139 } else {
00140 ldns_rr_list_deep_free(my_rrset);
00141 my_rrset = NULL;
00142 }
00143 } else {
00144
00145 my_rrset = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_NSEC3, LDNS_SECTION_ANY_NOQUESTION);
00146 if (my_rrset) {
00147 if (ldns_rr_list_rr_count(my_rrset) > 0) {
00148 type = LDNS_RR_TYPE_NSEC3;
00149 other_rrset = true;
00150 } else {
00151 ldns_rr_list_deep_free(my_rrset);
00152 my_rrset = NULL;
00153 }
00154 } else {
00155
00156 return new_chain;
00157 }
00158 }
00159 } else {
00160 return new_chain;
00161 }
00162 } else {
00163 my_rrset = (ldns_rr_list *) rrset;
00164 }
00165
00166 if (my_rrset && ldns_rr_list_rr_count(my_rrset) > 0) {
00167 new_chain->rrset = ldns_rr_list_clone(my_rrset);
00168 name = ldns_rr_owner(ldns_rr_list_rr(my_rrset, 0));
00169 type = ldns_rr_get_type(ldns_rr_list_rr(my_rrset, 0));
00170 c = ldns_rr_get_class(ldns_rr_list_rr(my_rrset, 0));
00171 }
00172
00173 if (other_rrset) {
00174 ldns_rr_list_deep_free(my_rrset);
00175 }
00176
00177
00178
00179
00180
00181 if (type == LDNS_RR_TYPE_NSEC || type == LDNS_RR_TYPE_NSEC3) {
00182
00183
00184 if (pkt) {
00185 signatures = ldns_dnssec_pkt_get_rrsigs_for_type(pkt, type);
00186 } else {
00187 my_pkt = ldns_resolver_query(res, name, type, c, qflags);
00188 signatures = ldns_dnssec_pkt_get_rrsigs_for_type(pkt, type);
00189 ldns_pkt_free(my_pkt);
00190 }
00191 } else {
00192 if (pkt) {
00193 signatures = ldns_dnssec_pkt_get_rrsigs_for_name_and_type(pkt, name, type);
00194 }
00195 if (!signatures) {
00196 my_pkt = ldns_resolver_query(res, name, type, c, qflags);
00197 signatures = ldns_dnssec_pkt_get_rrsigs_for_name_and_type(my_pkt, name, type);
00198 ldns_pkt_free(my_pkt);
00199 }
00200
00201 }
00202
00203 if (signatures && ldns_rr_list_rr_count(signatures) > 0) {
00204 key_name = ldns_rr_rdf(ldns_rr_list_rr(signatures, 0), 7);
00205 } else {
00206 printf("[XX] no sigs :(\n");
00207 }
00208
00209 if (!key_name) {
00210
00211
00212
00213 printf("[XX] chain ends, no key\n");
00214
00215
00216 printf("[XX] data:\norig rr:");
00217 ldns_rr_print(stdout, orig_rr);
00218 printf("[XX] rrset:\n");
00219 ldns_rr_list_print(stdout, rrset);
00220 #if 0
00221 if (orig_rr) {
00222 printf("[XX] BRANCH A\n");
00223 possible_parent_name = ldns_dname_left_chop(ldns_rr_owner(orig_rr));
00224 } else if (rrset && ldns_rr_list_rr_count(rrset) > 0) {
00225 printf("[XX] BRANCH B\n");
00226 possible_parent_name = ldns_dname_left_chop(ldns_rr_owner(ldns_rr_list_rr(rrset, 0)));
00227 } else {
00228
00229 printf("[XX] BRANCH C\n");
00230 return new_chain;
00231 }
00232 #endif
00233 if (orig_rr) {
00234 printf("[XX] BRANCH A\n");
00235 possible_parent_name = ldns_rr_owner(orig_rr);
00236 } else if (rrset && ldns_rr_list_rr_count(rrset) > 0) {
00237 printf("[XX] BRANCH B\n");
00238 possible_parent_name = ldns_rr_owner(ldns_rr_list_rr(rrset, 0));
00239 } else {
00240
00241 printf("[XX] BRANCH C\n");
00242 return new_chain;
00243 }
00244
00245 my_pkt = ldns_resolver_query(res, possible_parent_name, LDNS_RR_TYPE_DS, LDNS_RR_CLASS_IN, qflags);
00246
00247 if (ldns_pkt_ancount(my_pkt) > 0) {
00248
00249 printf("[XX] what to do?\n");
00250 ldns_pkt_print(stdout, my_pkt);
00251 ldns_pkt_free(my_pkt);
00252 } else {
00253
00254 printf("[XX] go on\n");
00255 ldns_pkt_print(stdout, my_pkt);
00256
00257
00258
00259 new_chain->parent = ldns_dnssec_build_data_chain(res,
00260 qflags,
00261 NULL,
00262 my_pkt,
00263 NULL);
00264
00265 new_chain->parent->packet_qtype = LDNS_RR_TYPE_DS;
00266 printf("[XX] GO ON, CHAIN NOW:\n");
00267 ldns_dnssec_data_chain_print(stdout, new_chain);
00268 printf("[xxxxxxx]\n\n");
00269
00270 }
00271 return new_chain;
00272 }
00273
00274 if (type != LDNS_RR_TYPE_DNSKEY) {
00275 if (signatures && ldns_rr_list_rr_count(signatures) > 0) {
00276 new_chain->signatures = ldns_rr_list_clone(signatures);
00277 new_chain->parent_type = 0;
00278
00279 keys = ldns_pkt_rr_list_by_name_and_type(pkt,
00280 key_name,
00281 LDNS_RR_TYPE_DNSKEY,
00282 LDNS_SECTION_ANY_NOQUESTION
00283 );
00284 if (!keys) {
00285 my_pkt = ldns_resolver_query(res, key_name, LDNS_RR_TYPE_DNSKEY, c, qflags);
00286 keys = ldns_pkt_rr_list_by_name_and_type(my_pkt,
00287 key_name,
00288 LDNS_RR_TYPE_DNSKEY,
00289 LDNS_SECTION_ANY_NOQUESTION
00290 );
00291 new_chain->parent = ldns_dnssec_build_data_chain(res, qflags, keys, my_pkt, NULL);
00292 new_chain->parent->packet_qtype = LDNS_RR_TYPE_DNSKEY;
00293 ldns_pkt_free(my_pkt);
00294 } else {
00295 new_chain->parent = ldns_dnssec_build_data_chain(res, qflags, keys, pkt, NULL);
00296 new_chain->parent->packet_qtype = LDNS_RR_TYPE_DNSKEY;
00297 }
00298 ldns_rr_list_deep_free(keys);
00299 }
00300 } else {
00301
00302
00303
00304
00305
00306
00307
00308
00309
00310
00311 new_chain->parent_type = 1;
00312
00313 my_pkt = ldns_resolver_query(res, key_name, LDNS_RR_TYPE_DS, c, qflags);
00314 dss = ldns_pkt_rr_list_by_name_and_type(my_pkt,
00315 key_name,
00316 LDNS_RR_TYPE_DS,
00317 LDNS_SECTION_ANY_NOQUESTION
00318 );
00319 if (dss) {
00320 new_chain->parent = ldns_dnssec_build_data_chain(res, qflags, dss, my_pkt, NULL);
00321 new_chain->parent->packet_qtype = LDNS_RR_TYPE_DS;
00322 ldns_rr_list_deep_free(dss);
00323 }
00324 ldns_pkt_free(my_pkt);
00325
00326
00327 my_pkt = ldns_resolver_query(res, key_name, LDNS_RR_TYPE_DNSKEY, c, qflags);
00328 signatures2 = ldns_pkt_rr_list_by_name_and_type(my_pkt,
00329 key_name,
00330 LDNS_RR_TYPE_RRSIG,
00331 LDNS_SECTION_ANSWER);
00332 if (signatures2) {
00333
00334 new_chain->signatures = signatures2;
00335 }
00336 ldns_pkt_free(my_pkt);
00337 }
00338 if (signatures) {
00339 ldns_rr_list_deep_free(signatures);
00340 }
00341
00342 return new_chain;
00343 }
00344
00345 ldns_dnssec_trust_tree *
00346 ldns_dnssec_trust_tree_new()
00347 {
00348 ldns_dnssec_trust_tree *new_tree = LDNS_XMALLOC(ldns_dnssec_trust_tree,
00349 1);
00350 new_tree->rr = NULL;
00351 new_tree->rrset = NULL;
00352 new_tree->parent_count = 0;
00353
00354 return new_tree;
00355 }
00356
00357 void
00358 ldns_dnssec_trust_tree_free(ldns_dnssec_trust_tree *tree)
00359 {
00360 size_t i;
00361 if (tree) {
00362 for (i = 0; i < tree->parent_count; i++) {
00363 ldns_dnssec_trust_tree_free(tree->parents[i]);
00364 }
00365 }
00366 LDNS_FREE(tree);
00367 }
00368
00369 size_t
00370 ldns_dnssec_trust_tree_depth(ldns_dnssec_trust_tree *tree)
00371 {
00372 size_t result = 0;
00373 size_t parent = 0;
00374 size_t i;
00375
00376 for (i = 0; i < tree->parent_count; i++) {
00377 parent = ldns_dnssec_trust_tree_depth(tree->parents[i]);
00378 if (parent > result) {
00379 result = parent;
00380 }
00381 }
00382 return 1 + result;
00383 }
00384
00385
00386 static void
00387 print_tabs(FILE *out, size_t nr, uint8_t *map, size_t treedepth)
00388 {
00389 size_t i;
00390 for (i = 0; i < nr; i++) {
00391 if (i == nr - 1) {
00392 fprintf(out, "|---");
00393 } else if (map && i < treedepth && map[i] == 1) {
00394 fprintf(out, "| ");
00395 } else {
00396 fprintf(out, " ");
00397 }
00398 }
00399 }
00400
00401 void
00402 ldns_dnssec_trust_tree_print_sm(FILE *out,
00403 ldns_dnssec_trust_tree *tree,
00404 size_t tabs,
00405 bool extended,
00406 uint8_t *sibmap,
00407 size_t treedepth)
00408 {
00409 size_t i;
00410 const ldns_rr_descriptor *descriptor;
00411 bool mapset = false;
00412
00413 if (!sibmap) {
00414 treedepth = ldns_dnssec_trust_tree_depth(tree);
00415 sibmap = malloc(treedepth);
00416 memset(sibmap, 0, treedepth);
00417 mapset = true;
00418 }
00419
00420 if (tree) {
00421 if (tree->rr) {
00422
00423
00424
00425
00426
00427
00428
00429
00430
00431
00432
00433
00434
00435
00436
00437
00438
00439
00440
00441
00442
00443
00444 print_tabs(out, tabs, sibmap, treedepth);
00445 ldns_rdf_print(out, ldns_rr_owner(tree->rr));
00446 descriptor = ldns_rr_descript(ldns_rr_get_type(tree->rr));
00447
00448 if (descriptor->_name) {
00449 fprintf(out, " (%s", descriptor->_name);
00450 } else {
00451 fprintf(out, " (TYPE%d",
00452 ldns_rr_get_type(tree->rr));
00453 }
00454 if (ldns_rr_get_type(tree->rr) == LDNS_RR_TYPE_DNSKEY) {
00455 fprintf(out, " keytag: %u", ldns_calc_keytag(tree->rr));
00456 } else if (ldns_rr_get_type(tree->rr) == LDNS_RR_TYPE_DS) {
00457 fprintf(out, " keytag: ");
00458 ldns_rdf_print(out, ldns_rr_rdf(tree->rr, 0));
00459 }
00460 if (ldns_rr_get_type(tree->rr) == LDNS_RR_TYPE_NSEC) {
00461 fprintf(out, " ");
00462 ldns_rdf_print(out, ldns_rr_rdf(tree->rr, 0));
00463 fprintf(out, " ");
00464 ldns_rdf_print(out, ldns_rr_rdf(tree->rr, 1));
00465 }
00466
00467
00468 fprintf(out, ")\n");
00469 for (i = 0; i < tree->parent_count; i++) {
00470 if (tree->parent_count > 1 && i < tree->parent_count - 1) {
00471 sibmap[tabs] = 1;
00472 } else {
00473 sibmap[tabs] = 0;
00474 }
00475
00476 if (ldns_rr_get_type(tree->parents[i]->rr) ==
00477 LDNS_RR_TYPE_NSEC ||
00478 ldns_rr_get_type(tree->parents[i]->rr) ==
00479 LDNS_RR_TYPE_NSEC3) {
00480 if (tree->parent_status[i] == LDNS_STATUS_OK) {
00481 print_tabs(out, tabs + 1, sibmap, treedepth);
00482 fprintf(out, "Existence is denied by:\n");
00483 } else {
00484 print_tabs(out, tabs + 1, sibmap, treedepth);
00485 fprintf(out, "Error in denial of existence: %s\n", ldns_get_errorstr_by_id(tree->parent_status[i]));
00486 }
00487 } else
00488 if (tree->parent_status[i] != LDNS_STATUS_OK) {
00489 print_tabs(out, tabs + 1, sibmap, treedepth);
00490 fprintf(out, "%s:\n", ldns_get_errorstr_by_id(tree->parent_status[i]));
00491
00492
00493
00494 ldns_rr_print(out, tree->parent_signature[i]);
00495 printf("For RRset:\n");
00496 ldns_rr_list_print(out, tree->rrset);
00497 printf("With key:\n");
00498 ldns_rr_print(out, tree->parents[i]->rr);
00499
00500
00501
00502
00503 }
00504 ldns_dnssec_trust_tree_print_sm(out, tree->parents[i], tabs+1, extended, sibmap, treedepth);
00505 }
00506 } else {
00507 print_tabs(out, tabs, sibmap, treedepth);
00508 fprintf(out, "<no data>\n");
00509 }
00510 } else {
00511 fprintf(out, "<null pointer>\n");
00512 }
00513
00514 if (mapset) {
00515 free(sibmap);
00516 }
00517 }
00518
00519 void
00520 ldns_dnssec_trust_tree_print(FILE *out, ldns_dnssec_trust_tree *tree, size_t tabs, bool extended)
00521 {
00522 ldns_dnssec_trust_tree_print_sm(out, tree, tabs, extended, NULL, 0);
00523 }
00524
00525 ldns_status
00526 ldns_dnssec_trust_tree_add_parent(ldns_dnssec_trust_tree *tree,
00527 const ldns_dnssec_trust_tree *parent,
00528 const ldns_rr *signature,
00529 const ldns_status parent_status)
00530 {
00531 if (tree && parent && tree->parent_count < LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS) {
00532
00533
00534
00535
00536
00537
00538 tree->parents[tree->parent_count] = (ldns_dnssec_trust_tree *) parent;
00539 tree->parent_status[tree->parent_count] = parent_status;
00540 tree->parent_signature[tree->parent_count] = (ldns_rr *) signature;
00541 tree->parent_count++;
00542 return LDNS_STATUS_OK;
00543 } else {
00544 return LDNS_STATUS_ERR;
00545 }
00546 }
00547
00548
00549 ldns_dnssec_trust_tree *
00550 ldns_dnssec_derive_trust_tree(ldns_dnssec_data_chain *data_chain, ldns_rr *rr)
00551 {
00552 ldns_rr_list *cur_rrset;
00553 ldns_rr_list *cur_sigs;
00554 ldns_rr *cur_rr = NULL;
00555 ldns_rr *cur_sig_rr;
00556 uint16_t cur_keytag;
00557 size_t i, j;
00558
00559 ldns_dnssec_trust_tree *new_tree = ldns_dnssec_trust_tree_new();
00560
00561 if (data_chain && data_chain->rrset) {
00562 cur_rrset = data_chain->rrset;
00563
00564 cur_sigs = data_chain->signatures;
00565
00566 if (rr) {
00567 cur_rr = rr;
00568 }
00569
00570 if (!cur_rr && ldns_rr_list_rr_count(cur_rrset) > 0) {
00571 cur_rr = ldns_rr_list_rr(cur_rrset, 0);
00572 }
00573
00574 if (cur_rr) {
00575 new_tree->rr = cur_rr;
00576 new_tree->rrset = cur_rrset;
00577
00578
00579
00580
00581
00582
00583
00584
00585 if (cur_sigs) {
00586 for (i = 0; i < ldns_rr_list_rr_count(cur_sigs); i++) {
00587
00588 cur_sig_rr = ldns_rr_list_rr(cur_sigs, i);
00589 cur_keytag = ldns_rdf2native_int16(ldns_rr_rrsig_keytag(cur_sig_rr));
00590
00591 if (ldns_rr_get_type(cur_rr) == LDNS_RR_TYPE_NSEC) {
00592 if (ldns_dname_compare(ldns_rr_owner(cur_sig_rr),
00593 ldns_rr_owner(cur_rr)))
00594 {
00595
00596
00597 for (j = 0;
00598 j < ldns_rr_list_rr_count(cur_rrset) &&
00599 ldns_dname_compare(ldns_rr_owner(cur_sig_rr),ldns_rr_owner(cur_rr)) != 0;
00600 j++) {
00601 cur_rr = ldns_rr_list_rr(cur_rrset, j);
00602
00603 }
00604 if (ldns_dname_compare(ldns_rr_owner(cur_sig_rr),
00605 ldns_rr_owner(cur_rr)))
00606 {
00607 break;
00608 }
00609 }
00610
00611 }
00612
00613 if (data_chain->parent) {
00614 ldns_dnssec_derive_trust_tree_normal_rrset(new_tree, data_chain, cur_sig_rr);
00615 }
00616
00617
00618 ldns_dnssec_derive_trust_tree_dnskey_rrset(new_tree, data_chain, cur_rr, cur_sig_rr);
00619 }
00620
00621 ldns_dnssec_derive_trust_tree_ds_rrset(new_tree, data_chain, cur_rr);
00622 } else {
00623
00624
00625
00626 ldns_dnssec_derive_trust_tree_no_sig(new_tree, data_chain);
00627 }
00628 }
00629 }
00630
00631 return new_tree;
00632 }
00633
00634 void
00635 ldns_dnssec_derive_trust_tree_normal_rrset(ldns_dnssec_trust_tree *new_tree,
00636 ldns_dnssec_data_chain *data_chain,
00637 ldns_rr *cur_sig_rr)
00638 {
00639 size_t i, j;
00640 ldns_rr_list *cur_rrset = ldns_rr_list_clone(data_chain->rrset);
00641 ldns_dnssec_trust_tree *cur_parent_tree;
00642 ldns_rr *cur_parent_rr;
00643 int cur_keytag;
00644 ldns_rr_list *tmp_rrset = NULL;
00645 ldns_status cur_status;
00646
00647 cur_keytag = ldns_rdf2native_int16(ldns_rr_rrsig_keytag(cur_sig_rr));
00648
00649 for (j = 0; j < ldns_rr_list_rr_count(data_chain->parent->rrset); j++) {
00650 cur_parent_rr = ldns_rr_list_rr(data_chain->parent->rrset, j);
00651 if (ldns_rr_get_type(cur_parent_rr) == LDNS_RR_TYPE_DNSKEY) {
00652 if (ldns_calc_keytag(cur_parent_rr) == cur_keytag) {
00653
00654
00655 if (cur_rrset && ldns_rr_list_rr_count(cur_rrset) > 0) {
00656 tmp_rrset = cur_rrset;
00657 if (ldns_rr_get_type(ldns_rr_list_rr(cur_rrset, 0)) == LDNS_RR_TYPE_NSEC ||
00658 ldns_rr_get_type(ldns_rr_list_rr(cur_rrset, 0)) == LDNS_RR_TYPE_NSEC3) {
00659
00660 ldns_rr_list_sort(cur_rrset);
00661 if (tmp_rrset && tmp_rrset != cur_rrset) {
00662 ldns_rr_list_deep_free(tmp_rrset);
00663 tmp_rrset = NULL;
00664 }
00665 tmp_rrset = ldns_rr_list_pop_rrset(cur_rrset);
00666
00667
00668 while (tmp_rrset &&
00669 ldns_rr_list_rr_count(cur_rrset) > 0 &&
00670 ldns_dname_compare(
00671 ldns_rr_owner(ldns_rr_list_rr(tmp_rrset, 0)),
00672 ldns_rr_owner(cur_sig_rr)) != 0) {
00673 ldns_rr_list_deep_free(tmp_rrset);
00674 tmp_rrset = ldns_rr_list_pop_rrset(cur_rrset);
00675 }
00676 }
00677 printf("[XX] VERIFY RRSET:\n");
00678 ldns_rr_list_print(stdout, tmp_rrset);
00679 cur_status = ldns_verify_rrsig(tmp_rrset, cur_sig_rr, cur_parent_rr);
00680 printf("[XX] RESULT: %s\n", ldns_get_errorstr_by_id(cur_status));
00681 printf("\n\n");
00682
00683 for (i = 0; i < new_tree->parent_count; i++) {
00684 if (cur_parent_rr == new_tree->parents[i]->rr) {
00685 goto done;
00686 }
00687 }
00688
00689 cur_parent_tree = ldns_dnssec_derive_trust_tree(data_chain->parent, cur_parent_rr);
00690 ldns_dnssec_trust_tree_add_parent(new_tree, cur_parent_tree, cur_sig_rr, cur_status);
00691 }
00692
00693
00694 }
00695 }
00696 }
00697 done:
00698 if (tmp_rrset && tmp_rrset != cur_rrset) {
00699 ldns_rr_list_deep_free(tmp_rrset);
00700 }
00701 ldns_rr_list_deep_free(cur_rrset);
00702 }
00703
00704 void
00705 ldns_dnssec_derive_trust_tree_dnskey_rrset(ldns_dnssec_trust_tree *new_tree,
00706 ldns_dnssec_data_chain *data_chain,
00707 ldns_rr *cur_rr,
00708 ldns_rr *cur_sig_rr)
00709 {
00710 size_t j;
00711 ldns_rr_list *cur_rrset = data_chain->rrset;
00712 ldns_dnssec_trust_tree *cur_parent_tree;
00713 ldns_rr *cur_parent_rr;
00714 int cur_keytag;
00715 ldns_status cur_status;
00716
00717 cur_keytag = ldns_rdf2native_int16(ldns_rr_rrsig_keytag(cur_sig_rr));
00718
00719 for (j = 0; j < ldns_rr_list_rr_count(cur_rrset); j++) {
00720 cur_parent_rr = ldns_rr_list_rr(cur_rrset, j);
00721 if (cur_parent_rr != cur_rr &&
00722 ldns_rr_get_type(cur_parent_rr) == LDNS_RR_TYPE_DNSKEY) {
00723 if (ldns_calc_keytag(cur_parent_rr) == cur_keytag
00724 ) {
00725
00726 cur_parent_tree = ldns_dnssec_trust_tree_new();
00727 cur_parent_tree->rr = cur_parent_rr;
00728 cur_parent_tree->rrset = cur_rrset;
00729 cur_status = ldns_verify_rrsig(cur_rrset, cur_sig_rr, cur_parent_rr);
00730 ldns_dnssec_trust_tree_add_parent(new_tree, cur_parent_tree, cur_sig_rr, cur_status);
00731 }
00732 }
00733 }
00734 }
00735
00736 void
00737 ldns_dnssec_derive_trust_tree_ds_rrset(ldns_dnssec_trust_tree *new_tree,
00738 ldns_dnssec_data_chain *data_chain,
00739 ldns_rr *cur_rr)
00740 {
00741 size_t j, h;
00742 ldns_rr_list *cur_rrset = data_chain->rrset;
00743 ldns_dnssec_trust_tree *cur_parent_tree;
00744 ldns_rr *cur_parent_rr;
00745
00746
00747 if (ldns_rr_get_type(cur_rr) == LDNS_RR_TYPE_DNSKEY &&
00748 data_chain->parent &&
00749 data_chain->parent->rrset
00750 ) {
00751 for (j = 0; j < ldns_rr_list_rr_count(data_chain->parent->rrset); j++) {
00752 cur_parent_rr = ldns_rr_list_rr(data_chain->parent->rrset, j);
00753 if (ldns_rr_get_type(cur_parent_rr) == LDNS_RR_TYPE_DS) {
00754 for (h = 0; h < ldns_rr_list_rr_count(cur_rrset); h++) {
00755 cur_rr = ldns_rr_list_rr(cur_rrset, h);
00756 if (ldns_rr_compare_ds(cur_rr, cur_parent_rr)) {
00757 cur_parent_tree = ldns_dnssec_derive_trust_tree(data_chain->parent, cur_parent_rr);
00758 ldns_dnssec_trust_tree_add_parent(new_tree, cur_parent_tree, NULL, LDNS_STATUS_OK);
00759 } else {
00760
00761
00762 }
00763 }
00764 cur_rr = ldns_rr_list_rr(cur_rrset, 0);
00765 }
00766 }
00767 }
00768 }
00769
00770 void
00771 ldns_dnssec_derive_trust_tree_no_sig(ldns_dnssec_trust_tree *new_tree,
00772 ldns_dnssec_data_chain *data_chain)
00773 {
00774 size_t i;
00775 ldns_rr_list *cur_rrset;
00776 ldns_rr *cur_parent_rr;
00777 ldns_dnssec_trust_tree *cur_parent_tree;
00778 ldns_status result;
00779
00780 if (data_chain->parent && data_chain->parent->rrset) {
00781 cur_rrset = data_chain->parent->rrset;
00782
00783 if (cur_rrset && ldns_rr_list_rr_count(cur_rrset) > 0) {
00784 printf("[XX} RRSET TO DERIVE WITH:\n");
00785 ldns_rr_list_print(stdout, cur_rrset);
00786 if (ldns_rr_get_type(ldns_rr_list_rr(cur_rrset, 0)) ==
00787 LDNS_RR_TYPE_NSEC3) {
00788 result = ldns_dnssec_verify_denial_nsec3(new_tree->rr,
00789 cur_rrset,
00790 data_chain->parent->signatures,
00791 data_chain->packet_rcode,
00792 data_chain->packet_qtype,
00793 data_chain->packet_nodata);
00794 } else if (ldns_rr_get_type(ldns_rr_list_rr(cur_rrset, 0)) ==
00795 LDNS_RR_TYPE_NSEC3) {
00796 result = ldns_dnssec_verify_denial(new_tree->rr, cur_rrset, data_chain->parent->signatures);
00797 } else {
00798
00799 result = LDNS_STATUS_OK;
00800 printf("[XX] unsigned kid, unsigned parent\n");
00801 }
00802 } else {
00803 result = LDNS_STATUS_DNSSEC_NSEC_RR_NOT_COVERED;
00804 }
00805 for (i = 0; i < ldns_rr_list_rr_count(cur_rrset); i++) {
00806 cur_parent_rr = ldns_rr_list_rr(cur_rrset, i);
00807 printf("[XX] cur parnet:\n");
00808 ldns_rr_print(stdout, cur_parent_rr);
00809 printf("[XX] chainparentpointer: %p\n", data_chain->parent);
00810 cur_parent_tree = ldns_dnssec_derive_trust_tree(data_chain->parent, cur_parent_rr);
00811 ldns_dnssec_trust_tree_add_parent(new_tree, cur_parent_tree, NULL, result);
00812 }
00813 }
00814 }
00815
00816
00817
00818
00819
00820
00821 ldns_status
00822 ldns_dnssec_trust_tree_contains_keys(ldns_dnssec_trust_tree *tree, ldns_rr_list *trusted_keys)
00823 {
00824 size_t i;
00825 ldns_status result = LDNS_STATUS_CRYPTO_NO_DNSKEY;
00826 bool equal;
00827 ldns_status parent_result;
00828
00829 if (tree && trusted_keys && ldns_rr_list_rr_count(trusted_keys) > 0)
00830 { if (tree->rr) {
00831 for (i = 0; i < ldns_rr_list_rr_count(trusted_keys); i++) {
00832
00833
00834
00835
00836 equal = ldns_rr_compare_ds(tree->rr,
00837 ldns_rr_list_rr(trusted_keys, i));
00838 if (equal) {
00839 result = LDNS_STATUS_OK;
00840 return result;
00841 }
00842 }
00843 }
00844 for (i = 0; i < tree->parent_count; i++) {
00845 parent_result = ldns_dnssec_trust_tree_contains_keys(tree->parents[i], trusted_keys);
00846 if (parent_result != LDNS_STATUS_CRYPTO_NO_DNSKEY) {
00847 if (tree->parent_status[i] != LDNS_STATUS_OK) {
00848 result = tree->parent_status[i];
00849 } else {
00850 if (ldns_rr_get_type(tree->rr) == LDNS_RR_TYPE_NSEC &&
00851 parent_result == LDNS_STATUS_OK
00852 ) {
00853 result = LDNS_STATUS_DNSSEC_EXISTENCE_DENIED;
00854 } else {
00855 result = parent_result;
00856 }
00857 }
00858 }
00859 }
00860 } else {
00861 result = LDNS_STATUS_ERR;
00862 }
00863
00864 return result;
00865 }
00866
00867 ldns_status
00868 ldns_verify(ldns_rr_list *rrset, ldns_rr_list *rrsig, const ldns_rr_list *keys,
00869 ldns_rr_list *good_keys)
00870 {
00871 uint16_t i;
00872 bool valid;
00873 ldns_status verify_result = LDNS_STATUS_ERR;
00874
00875 if (!rrset || !rrsig || !keys) {
00876 return LDNS_STATUS_ERR;
00877 }
00878
00879 valid = false;
00880
00881 if (ldns_rr_list_rr_count(rrset) < 1) {
00882 return LDNS_STATUS_ERR;
00883 }
00884
00885 if (ldns_rr_list_rr_count(rrsig) < 1) {
00886 return LDNS_STATUS_CRYPTO_NO_RRSIG;
00887 }
00888
00889 if (ldns_rr_list_rr_count(keys) < 1) {
00890 verify_result = LDNS_STATUS_CRYPTO_NO_TRUSTED_DNSKEY;
00891 } else {
00892 for (i = 0; i < ldns_rr_list_rr_count(rrsig); i++) {
00893
00894 if (ldns_verify_rrsig_keylist(rrset,
00895 ldns_rr_list_rr(rrsig, i),
00896 keys, good_keys) == LDNS_STATUS_OK) {
00897 verify_result = LDNS_STATUS_OK;
00898 }
00899 }
00900 }
00901 return verify_result;
00902 }
00903
00904 ldns_rr_list *
00905 ldns_fetch_valid_domain_keys(const ldns_resolver *res,
00906 const ldns_rdf *domain,
00907 const ldns_rr_list *keys,
00908 ldns_status *status)
00909 {
00910 ldns_rr_list * trusted_keys = NULL;
00911 ldns_rr_list * ds_keys = NULL;
00912
00913 if (res && domain && keys) {
00914
00915 if ((trusted_keys = ldns_validate_domain_dnskey(res, domain, keys))) {
00916 *status = LDNS_STATUS_OK;
00917 } else {
00918
00919
00920 *status = LDNS_STATUS_CRYPTO_NO_TRUSTED_DNSKEY;
00921
00922 if (ldns_rdf_size(domain) > 1) {
00923 ldns_rr_list * parent_keys;
00924 ldns_rdf * parent_domain = ldns_dname_left_chop(domain);
00925
00926 if ((parent_keys = ldns_fetch_valid_domain_keys(res, parent_domain, keys, status))) {
00927
00928
00929 if ((ds_keys = ldns_validate_domain_ds(res, domain, parent_keys))) {
00930 trusted_keys = ldns_fetch_valid_domain_keys(res, domain, ds_keys, status);
00931 ldns_rr_list_deep_free(ds_keys);
00932 } else {
00933
00934 *status = LDNS_STATUS_CRYPTO_NO_TRUSTED_DS ;
00935 }
00936 ldns_rr_list_deep_free(parent_keys);
00937 }
00938 ldns_rdf_free(parent_domain);
00939 }
00940 }
00941 }
00942 return trusted_keys;
00943 }
00944
00945 ldns_rr_list *
00946 ldns_validate_domain_dnskey(const ldns_resolver * res,
00947 const ldns_rdf * domain,
00948 const ldns_rr_list * keys)
00949 {
00950 ldns_status status;
00951 ldns_pkt * keypkt;
00952 ldns_rr * cur_key;
00953 uint16_t key_i; uint16_t key_j; uint16_t key_k;
00954 uint16_t sig_i; ldns_rr * cur_sig;
00955
00956 ldns_rr_list * domain_keys = NULL;
00957 ldns_rr_list * domain_sigs = NULL;
00958 ldns_rr_list * trusted_keys = NULL;
00959
00960
00961 if ((keypkt = ldns_resolver_query(res, domain, LDNS_RR_TYPE_DNSKEY, LDNS_RR_CLASS_IN, LDNS_RD))) {
00962
00963 domain_keys = ldns_pkt_rr_list_by_type(keypkt, LDNS_RR_TYPE_DNSKEY, LDNS_SECTION_ANSWER);
00964 domain_sigs = ldns_pkt_rr_list_by_type(keypkt, LDNS_RR_TYPE_RRSIG, LDNS_SECTION_ANSWER);
00965
00966
00967 for (key_i=0; key_i< ldns_rr_list_rr_count(domain_keys); key_i++) {
00968
00969 cur_key = ldns_rr_list_rr(domain_keys, key_i);
00970 for (key_j=0; key_j<ldns_rr_list_rr_count(keys); key_j++) {
00971 if (ldns_rr_compare_ds(ldns_rr_list_rr(keys, key_j), cur_key)) {
00972
00973
00974 trusted_keys = ldns_rr_list_new();
00975
00976 for (sig_i=0; sig_i<ldns_rr_list_rr_count(domain_sigs); sig_i++) {
00977 cur_sig = ldns_rr_list_rr(domain_sigs, sig_i);
00978
00979 if (ldns_rdf2native_int16(ldns_rr_rrsig_keytag(cur_sig)) == ldns_calc_keytag(cur_key)) {
00980 if ((status=ldns_verify_rrsig(domain_keys, cur_sig, cur_key)) == LDNS_STATUS_OK) {
00981
00982
00983 for (key_k=0; key_k<ldns_rr_list_rr_count(domain_keys); key_k++) {
00984 ldns_rr_list_push_rr(trusted_keys, ldns_rr_clone(ldns_rr_list_rr(domain_keys, key_k)));
00985 }
00986
00987 ldns_rr_list_deep_free(domain_keys);
00988 ldns_rr_list_deep_free(domain_sigs);
00989 ldns_pkt_free(keypkt);
00990 return trusted_keys;
00991 }
00992
00993
00994
00995
00996
00997 }
00998 }
00999
01000
01001 ldns_rr_list_push_rr(trusted_keys, ldns_rr_clone(cur_key));
01002 }
01003 }
01004 }
01005
01006 ldns_rr_list_deep_free(domain_keys);
01007 ldns_rr_list_deep_free(domain_sigs);
01008 ldns_pkt_free(keypkt);
01009
01010 } else {
01011 status = LDNS_STATUS_CRYPTO_NO_DNSKEY;
01012 }
01013
01014 return trusted_keys;
01015 }
01016
01017 ldns_rr_list *
01018 ldns_validate_domain_ds(const ldns_resolver *res,
01019 const ldns_rdf * domain,
01020 const ldns_rr_list * keys)
01021 {
01022 ldns_status status;
01023 ldns_pkt * dspkt;
01024 uint16_t key_i;
01025 ldns_rr_list * rrset = NULL;
01026 ldns_rr_list * sigs = NULL;
01027 ldns_rr_list * trusted_keys = NULL;
01028
01029
01030 if ((dspkt = ldns_resolver_query(res, domain, LDNS_RR_TYPE_DS, LDNS_RR_CLASS_IN, LDNS_RD))) {
01031
01032 rrset = ldns_pkt_rr_list_by_type(dspkt, LDNS_RR_TYPE_DS, LDNS_SECTION_ANSWER);
01033 sigs = ldns_pkt_rr_list_by_type(dspkt, LDNS_RR_TYPE_RRSIG, LDNS_SECTION_ANSWER);
01034
01035
01036 if ((status = ldns_verify(rrset, sigs, keys, NULL)) == LDNS_STATUS_OK) {
01037 trusted_keys = ldns_rr_list_new();
01038 for (key_i=0; key_i<ldns_rr_list_rr_count(rrset); key_i++) {
01039 ldns_rr_list_push_rr(trusted_keys, ldns_rr_clone(ldns_rr_list_rr(rrset, key_i)));
01040 }
01041 }
01042
01043 ldns_rr_list_deep_free(rrset);
01044 ldns_rr_list_deep_free(sigs);
01045 ldns_pkt_free(dspkt);
01046
01047 } else {
01048 status = LDNS_STATUS_CRYPTO_NO_DS;
01049 }
01050
01051 return trusted_keys;
01052 }
01053
01054 ldns_status
01055 ldns_verify_trusted(ldns_resolver *res,
01056 ldns_rr_list *rrset,
01057 ldns_rr_list * rrsigs,
01058 ldns_rr_list * validating_keys)
01059 {
01060
01061 uint16_t sig_i; uint16_t key_i;
01062 ldns_rr * cur_sig; ldns_rr * cur_key;
01063 ldns_rr_list * trusted_keys = NULL;
01064 ldns_status result = LDNS_STATUS_ERR;
01065 printf("[verify_trusted] set default result to %s\n", ldns_get_errorstr_by_id(result));
01066
01067 if (!res || !rrset || !rrsigs) {
01068 return LDNS_STATUS_ERR;
01069 }
01070
01071 if (ldns_rr_list_rr_count(rrset) < 1) {
01072 return LDNS_STATUS_ERR;
01073 }
01074
01075 if (ldns_rr_list_rr_count(rrsigs) < 1) {
01076 return LDNS_STATUS_CRYPTO_NO_RRSIG;
01077 }
01078
01079
01080 for (sig_i=0; sig_i < ldns_rr_list_rr_count(rrsigs); sig_i++) {
01081
01082 cur_sig = ldns_rr_list_rr(rrsigs, sig_i);
01083
01084 if ((trusted_keys = ldns_fetch_valid_domain_keys(res, ldns_rr_rrsig_signame(cur_sig), ldns_resolver_dnssec_anchors(res), &result))) {
01085
01086 for (key_i = 0; key_i < ldns_rr_list_rr_count(trusted_keys); key_i++) {
01087 cur_key = ldns_rr_list_rr(trusted_keys, key_i);
01088 printf("[verify_trusted] trying:\n[verify_trusted] ");
01089
01090 if ((result = ldns_verify_rrsig(rrset, cur_sig, cur_key)) == LDNS_STATUS_OK) {
01091 if (validating_keys) {
01092 ldns_rr_list_push_rr(validating_keys, ldns_rr_clone(cur_key));
01093 }
01094 ldns_rr_list_deep_free(trusted_keys);
01095 printf("[verify_trusted] returning OK\n");
01096 return LDNS_STATUS_OK;
01097 }
01098 else {
01099 printf("RESULT: %s\nFOR:\n", ldns_get_errorstr_by_id(result));
01100 ldns_rr_list_print(stdout, rrset);
01101 ldns_rr_print(stdout, cur_sig);
01102 ldns_rr_print(stdout, cur_key);
01103
01104 }
01105 printf("[verify_trusted] set result to %s\n", ldns_get_errorstr_by_id(result));
01106 }
01107 }
01108 else {
01109 printf("[verify_trusted] no valid domain keys\n");
01110 }
01111 }
01112
01113 ldns_rr_list_deep_free(trusted_keys);
01114 printf("[verify_trusted] returning: %s\n", ldns_get_errorstr_by_id(result));
01115 return result;
01116 }
01117
01118 ldns_status
01119 ldns_dnssec_verify_denial(ldns_rr *rr,
01120 ldns_rr_list *nsecs,
01121 ldns_rr_list *rrsigs)
01122 {
01123 ldns_rdf *rr_name;
01124 ldns_rdf *wildcard_name;
01125 ldns_rdf *chopped_dname;
01126 ldns_rr *cur_nsec;
01127 size_t i;
01128 ldns_status result;
01129
01130 ldns_rr *rrsig;
01131 bool name_covered = false;
01132 bool type_covered = false;
01133 bool wildcard_covered = false;
01134 bool wildcard_type_covered = false;
01135
01136 wildcard_name = ldns_dname_new_frm_str("*");
01137 rr_name = ldns_rr_owner(rr);
01138 chopped_dname = ldns_dname_left_chop(rr_name);
01139 result = ldns_dname_cat(wildcard_name, chopped_dname);
01140 if (result != LDNS_STATUS_OK) {
01141 return result;
01142 }
01143
01144 ldns_rdf_deep_free(chopped_dname);
01145
01146 for (i = 0; i < ldns_rr_list_rr_count(nsecs); i++) {
01147 cur_nsec = ldns_rr_list_rr(nsecs, i);
01148 if (ldns_dname_compare(rr_name, ldns_rr_owner(cur_nsec)) == 0) {
01149
01150
01151
01152 rrsig = ldns_dnssec_get_rrsig_for_name_and_type(ldns_rr_owner(cur_nsec), ldns_rr_get_type(cur_nsec), rrsigs);
01153 if (rrsig && ldns_rdf2native_int8(ldns_rr_rrsig_labels(rrsig)) == ldns_dname_label_count(rr_name)) {
01154 printf("[XX] wildcard covered from label count\n");
01155 wildcard_covered = true;
01156 }
01157
01158 if (ldns_nsec_bitmap_covers_type(ldns_nsec_get_bitmap(cur_nsec), ldns_rr_get_type(rr))) {
01159 printf("[XX] type covered\n");
01160 type_covered = true;
01161 }
01162 }
01163 printf("[XX] Name covered?\n");
01164 if (ldns_nsec_covers_name(cur_nsec, rr_name)) {
01165 printf("[XX] yes!\n");
01166 name_covered = true;
01167 }
01168
01169 if (ldns_dname_compare(wildcard_name, ldns_rr_owner(cur_nsec)) == 0) {
01170 printf("[XX] Wildcard type covered?\n");
01171 if (ldns_nsec_bitmap_covers_type(ldns_nsec_get_bitmap(cur_nsec), ldns_rr_get_type(rr))) {
01172 printf("[XX] yes!\n");
01173 wildcard_type_covered = true;
01174 }
01175 }
01176
01177 printf("[XX] Wildcard covered?\n");
01178 if (ldns_nsec_covers_name(cur_nsec, wildcard_name)) {
01179 printf("[XX] yes!\n");
01180 wildcard_covered = true;
01181 }
01182
01183 }
01184
01185 ldns_rdf_deep_free(wildcard_name);
01186
01187 if (type_covered || !name_covered) {
01188 return LDNS_STATUS_DNSSEC_NSEC_RR_NOT_COVERED;
01189 }
01190
01191 if (wildcard_type_covered || !wildcard_covered) {
01192 return LDNS_STATUS_DNSSEC_NSEC_WILDCARD_NOT_COVERED;
01193 }
01194
01195 return LDNS_STATUS_OK;
01196 }
01197
01198 ldns_status
01199 ldns_dnssec_verify_denial_nsec3(ldns_rr *rr,
01200 ldns_rr_list *nsecs,
01201 ldns_rr_list *rrsigs,
01202 ldns_pkt_rcode packet_rcode,
01203 ldns_rr_type packet_qtype,
01204 bool packet_nodata)
01205 {
01206 ldns_rdf *closest_encloser;
01207 ldns_rdf *wildcard;
01208 ldns_rdf *hashed_wildcard_name;
01209 bool wildcard_covered = false;
01210 ldns_rdf *zone_name;
01211 ldns_rdf *hashed_name;
01212 size_t i;
01213 ldns_status result = LDNS_STATUS_DNSSEC_NSEC_RR_NOT_COVERED;
01214
01215 rrsigs = rrsigs;
01216
01217 zone_name = ldns_dname_left_chop(ldns_rr_owner(ldns_rr_list_rr(nsecs,0)));
01218
01219
01220 if (packet_rcode == LDNS_RCODE_NXDOMAIN) {
01221 closest_encloser = ldns_dnssec_nsec3_closest_encloser(ldns_rr_owner(rr),
01222 ldns_rr_get_type(rr),
01223 nsecs);
01224
01225 printf("[XX} NSEC3 denial for: ");
01226 ldns_rr_print(stdout, rr);
01227 printf("[XX] closest encloser: ");
01228 ldns_rdf_print(stdout, closest_encloser);
01229 printf("\n");
01230
01231 wildcard = ldns_dname_new_frm_str("*");
01232 ldns_dname_cat(wildcard, closest_encloser);
01233
01234 for (i = 0; i < ldns_rr_list_rr_count(nsecs); i++) {
01235 hashed_wildcard_name =
01236 ldns_nsec3_hash_name_frm_nsec3(ldns_rr_list_rr(nsecs, 0),
01237 wildcard
01238 );
01239 ldns_dname_cat(hashed_wildcard_name, zone_name);
01240
01241 if (ldns_nsec_covers_name(ldns_rr_list_rr(nsecs, i),
01242 hashed_wildcard_name)) {
01243 printf("[XX] wildcard covered\n");
01244 wildcard_covered = true;
01245 }
01246 ldns_rdf_deep_free(hashed_wildcard_name);
01247 }
01248
01249 ldns_rdf_deep_free(closest_encloser);
01250 ldns_rdf_deep_free(wildcard);
01251
01252 if (!wildcard_covered) {
01253 result = LDNS_STATUS_DNSSEC_NSEC_WILDCARD_NOT_COVERED;
01254 } else if (closest_encloser && wildcard_covered) {
01255 result = LDNS_STATUS_OK;
01256 } else {
01257 result = LDNS_STATUS_DNSSEC_NSEC_RR_NOT_COVERED;
01258 }
01259 } else if (packet_nodata && packet_qtype != LDNS_RR_TYPE_DS) {
01260
01261 hashed_name = ldns_nsec3_hash_name_frm_nsec3(ldns_rr_list_rr(nsecs, 0),
01262 ldns_rr_owner(rr)
01263 );
01264 ldns_dname_cat(hashed_name, zone_name);
01265 printf("[XX] hashed name: ");
01266 ldns_rdf_print(stdout, hashed_name);
01267 printf("\n");
01268 for (i = 0; i < ldns_rr_list_rr_count(nsecs); i++) {
01269 if (ldns_dname_compare(hashed_name, ldns_rr_owner(ldns_rr_list_rr(nsecs, i))) == 0) {
01270 if (!ldns_nsec_bitmap_covers_type(ldns_nsec3_bitmap(ldns_rr_list_rr(nsecs, i)), packet_qtype) &&
01271 !ldns_nsec_bitmap_covers_type(ldns_nsec3_bitmap(ldns_rr_list_rr(nsecs, i)), LDNS_RR_TYPE_CNAME)) {
01272 printf("exact match!\n");
01273 result = LDNS_STATUS_OK;
01274 goto done;
01275 }
01276 }
01277 }
01278 result = LDNS_STATUS_DNSSEC_NSEC_RR_NOT_COVERED;
01279 } else if (packet_nodata && packet_qtype == LDNS_RR_TYPE_DS) {
01280
01281
01282 hashed_name = ldns_nsec3_hash_name_frm_nsec3(ldns_rr_list_rr(nsecs, 0),
01283 ldns_rr_owner(rr)
01284 );
01285 ldns_dname_cat(hashed_name, zone_name);
01286 printf("[XX] hashed name: ");
01287 ldns_rdf_print(stdout, hashed_name);
01288 printf("\n");
01289 for (i = 0; i < ldns_rr_list_rr_count(nsecs); i++) {
01290 if (ldns_dname_compare(hashed_name, ldns_rr_owner(ldns_rr_list_rr(nsecs, i))) == 0) {
01291 if (!ldns_nsec_bitmap_covers_type(ldns_nsec3_bitmap(ldns_rr_list_rr(nsecs, i)), LDNS_RR_TYPE_DS) &&
01292 !ldns_nsec_bitmap_covers_type(ldns_nsec3_bitmap(ldns_rr_list_rr(nsecs, i)), LDNS_RR_TYPE_CNAME)) {
01293 printf("exact match!\n");
01294 result = LDNS_STATUS_OK;
01295 goto done;
01296 }
01297 }
01298 }
01299
01300
01301 closest_encloser = ldns_dnssec_nsec3_closest_encloser(ldns_rr_owner(rr),
01302 ldns_rr_get_type(rr),
01303 nsecs);
01304
01305 if (closest_encloser) {
01306 printf("[XX] closest encloser: ");
01307 ldns_rdf_print(stdout, closest_encloser);
01308 printf("\n");
01309 exit(0);
01310 }
01311 result = LDNS_STATUS_DNSSEC_NSEC_RR_NOT_COVERED;
01312
01313 }
01314
01315 done:
01316 ldns_rdf_deep_free(zone_name);
01317 return result;
01318 }
01319
01320 ldns_status
01321 ldns_verify_rrsig_buffers(ldns_buffer *rawsig_buf, ldns_buffer *verify_buf,
01322 ldns_buffer *key_buf, uint8_t algo)
01323 {
01324 return ldns_verify_rrsig_buffers_raw((unsigned char*)ldns_buffer_begin(
01325 rawsig_buf), ldns_buffer_position(rawsig_buf), verify_buf,
01326 (unsigned char*)ldns_buffer_begin(key_buf),
01327 ldns_buffer_position(key_buf), algo);
01328 }
01329
01330 ldns_status
01331 ldns_verify_rrsig_buffers_raw(unsigned char* sig, size_t siglen,
01332 ldns_buffer *verify_buf, unsigned char* key, size_t keylen,
01333 uint8_t algo)
01334 {
01335
01336 switch(algo) {
01337 case LDNS_DSA:
01338 case LDNS_DSA_NSEC3:
01339 return ldns_verify_rrsig_dsa_raw(sig, siglen, verify_buf, key, keylen);
01340 break;
01341 case LDNS_RSASHA1:
01342 case LDNS_RSASHA1_NSEC3:
01343 return ldns_verify_rrsig_rsasha1_raw(sig, siglen, verify_buf, key, keylen);
01344 break;
01345 case LDNS_RSASHA256:
01346 case LDNS_RSASHA256_NSEC3:
01347 return ldns_verify_rrsig_rsasha256_raw(sig, siglen, verify_buf, key, keylen);
01348 break;
01349 case LDNS_RSASHA512:
01350 case LDNS_RSASHA512_NSEC3:
01351 return ldns_verify_rrsig_rsasha512_raw(sig, siglen, verify_buf, key, keylen);
01352 break;
01353 case LDNS_RSAMD5:
01354 return ldns_verify_rrsig_rsamd5_raw(sig, siglen, verify_buf, key, keylen);
01355 break;
01356 default:
01357
01358 return LDNS_STATUS_CRYPTO_UNKNOWN_ALGO;
01359 }
01360 }
01361
01362
01363
01364
01365
01366
01367
01368
01369
01370
01371
01372 ldns_status
01373 ldns_verify_rrsig_keylist(ldns_rr_list *rrset, ldns_rr *rrsig, const ldns_rr_list *keys,
01374 ldns_rr_list *good_keys)
01375 {
01376 ldns_buffer *rawsig_buf;
01377 ldns_buffer *verify_buf;
01378 ldns_buffer *key_buf;
01379 uint32_t orig_ttl;
01380 uint16_t i;
01381 uint8_t sig_algo;
01382 ldns_status result;
01383 ldns_rr *current_key;
01384 ldns_rr_list *rrset_clone;
01385 ldns_rr_list *validkeys;
01386 time_t now, inception, expiration;
01387 uint8_t label_count;
01388 ldns_rdf *wildcard_name;
01389 ldns_rdf *wildcard_chopped;
01390 ldns_rdf *wildcard_chopped_tmp;
01391
01392
01393 if (!rrset) {
01394 return LDNS_STATUS_ERR;
01395 }
01396
01397 validkeys = ldns_rr_list_new();
01398 if (!validkeys) {
01399 return LDNS_STATUS_MEM_ERR;
01400 }
01401
01402
01403 ldns_dname2canonical(ldns_rr_owner(rrsig));
01404
01405
01406 rrset_clone = ldns_rr_list_clone(rrset);
01407
01408
01409 if (ldns_rdf2rr_type(ldns_rr_rrsig_typecovered(rrsig)) !=
01410 ldns_rr_get_type(ldns_rr_list_rr(rrset_clone, 0))) {
01411 ldns_rr_list_deep_free(rrset_clone);
01412 ldns_rr_list_deep_free(validkeys);
01413 return LDNS_STATUS_CRYPTO_TYPE_COVERED_ERR;
01414 }
01415
01416
01417 rawsig_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
01418 verify_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
01419
01420 sig_algo = ldns_rdf2native_int8(ldns_rr_rdf(rrsig, 1));
01421 result = LDNS_STATUS_ERR;
01422
01423
01424 inception = ldns_rdf2native_time_t(ldns_rr_rrsig_inception(rrsig));
01425 expiration = ldns_rdf2native_time_t(ldns_rr_rrsig_expiration(rrsig));
01426 now = time(NULL);
01427
01428 if (expiration - inception < 0) {
01429
01430 ldns_buffer_free(verify_buf);
01431 ldns_buffer_free(rawsig_buf);
01432 ldns_rr_list_deep_free(rrset_clone);
01433 ldns_rr_list_deep_free(validkeys);
01434 return LDNS_STATUS_CRYPTO_EXPIRATION_BEFORE_INCEPTION;
01435 }
01436 if (now - inception < 0) {
01437
01438 ldns_buffer_free(rawsig_buf);
01439 ldns_buffer_free(verify_buf);
01440 ldns_rr_list_deep_free(rrset_clone);
01441 ldns_rr_list_deep_free(validkeys);
01442 return LDNS_STATUS_CRYPTO_SIG_NOT_INCEPTED;
01443 }
01444 if (expiration - now < 0) {
01445
01446 ldns_buffer_free(rawsig_buf);
01447 ldns_buffer_free(verify_buf);
01448 ldns_rr_list_deep_free(rrset_clone);
01449 ldns_rr_list_deep_free(validkeys);
01450 return LDNS_STATUS_CRYPTO_SIG_EXPIRED;
01451 }
01452
01453
01454 if (ldns_rdf2buffer_wire(rawsig_buf, ldns_rr_rdf(rrsig, 8)) != LDNS_STATUS_OK) {
01455 ldns_buffer_free(rawsig_buf);
01456 ldns_buffer_free(verify_buf);
01457 ldns_rr_list_deep_free(rrset_clone);
01458 ldns_rr_list_deep_free(validkeys);
01459 return LDNS_STATUS_MEM_ERR;
01460 }
01461
01462 orig_ttl = ldns_rdf2native_int32( ldns_rr_rdf(rrsig, 3));
01463 label_count = ldns_rdf2native_int8(ldns_rr_rdf(rrsig, 2));
01464
01465
01466
01467 for(i = 0; i < ldns_rr_list_rr_count(rrset_clone); i++) {
01468 if (label_count <
01469 ldns_dname_label_count(
01470 ldns_rr_owner(ldns_rr_list_rr(rrset_clone, i)))) {
01471 (void) ldns_str2rdf_dname(&wildcard_name, "*");
01472 wildcard_chopped = ldns_rdf_clone(ldns_rr_owner(ldns_rr_list_rr(rrset_clone, i)));
01473 while (label_count < ldns_dname_label_count(wildcard_chopped)) {
01474 wildcard_chopped_tmp = ldns_dname_left_chop(wildcard_chopped);
01475 ldns_rdf_deep_free(wildcard_chopped);
01476 wildcard_chopped = wildcard_chopped_tmp;
01477 }
01478 (void) ldns_dname_cat(wildcard_name, wildcard_chopped);
01479 ldns_rdf_deep_free(wildcard_chopped);
01480 ldns_rdf_deep_free(ldns_rr_owner(ldns_rr_list_rr(rrset_clone, i)));
01481 ldns_rr_set_owner(ldns_rr_list_rr(rrset_clone, i),
01482 wildcard_name);
01483
01484 }
01485 ldns_rr_set_ttl(ldns_rr_list_rr(rrset_clone, i), orig_ttl);
01486
01487 ldns_rr2canonical(ldns_rr_list_rr(rrset_clone, i));
01488 }
01489
01490
01491 ldns_rr_list_sort(rrset_clone);
01492
01493
01494 if (ldns_rrsig2buffer_wire(verify_buf, rrsig) != LDNS_STATUS_OK) {
01495 ldns_buffer_free(rawsig_buf);
01496 ldns_buffer_free(verify_buf);
01497 ldns_rr_list_deep_free(rrset_clone);
01498 ldns_rr_list_deep_free(validkeys);
01499 return LDNS_STATUS_MEM_ERR;
01500 }
01501
01502
01503 if (ldns_rr_list2buffer_wire(verify_buf, rrset_clone) != LDNS_STATUS_OK) {
01504 ldns_buffer_free(rawsig_buf);
01505 ldns_buffer_free(verify_buf);
01506 ldns_rr_list_deep_free(rrset_clone);
01507 ldns_rr_list_deep_free(validkeys);
01508 return LDNS_STATUS_MEM_ERR;
01509 }
01510
01511 for(i = 0; i < ldns_rr_list_rr_count(keys); i++) {
01512 current_key = ldns_rr_list_rr(keys, i);
01513
01514 if (ldns_calc_keytag(current_key) ==
01515 ldns_rdf2native_int16(ldns_rr_rrsig_keytag(rrsig))) {
01516 key_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
01517
01518
01519
01520 if (ldns_rdf2buffer_wire(key_buf,
01521 ldns_rr_rdf(current_key, 3)) != LDNS_STATUS_OK) {
01522 ldns_buffer_free(rawsig_buf);
01523 ldns_buffer_free(verify_buf);
01524
01525
01526 ldns_rr_list_deep_free(rrset_clone);
01527 ldns_rr_list_deep_free(validkeys);
01528 return LDNS_STATUS_MEM_ERR;
01529 }
01530
01531
01532 if (sig_algo == ldns_rdf2native_int8(ldns_rr_rdf(current_key,
01533 2))) {
01534 result = ldns_verify_rrsig_buffers(rawsig_buf,
01535 verify_buf, key_buf, sig_algo);
01536 } else {
01537 result = LDNS_STATUS_CRYPTO_UNKNOWN_ALGO;
01538 }
01539
01540 ldns_buffer_free(key_buf);
01541
01542 if (result == LDNS_STATUS_OK) {
01543
01544
01545
01546
01547 if (!ldns_rr_list_push_rr(validkeys, current_key)) {
01548
01549 ldns_buffer_free(rawsig_buf);
01550 ldns_buffer_free(verify_buf);
01551 ldns_rr_list_deep_free(rrset_clone);
01552 ldns_rr_list_deep_free(validkeys);
01553 return LDNS_STATUS_MEM_ERR;
01554 }
01555 }
01556 } else {
01557 if (result == LDNS_STATUS_ERR) {
01558 result = LDNS_STATUS_CRYPTO_NO_MATCHING_KEYTAG_DNSKEY;
01559 }
01560 }
01561 }
01562
01563
01564 ldns_rr_list_deep_free(rrset_clone);
01565 ldns_buffer_free(rawsig_buf);
01566 ldns_buffer_free(verify_buf);
01567 if (ldns_rr_list_rr_count(validkeys) == 0) {
01568
01569 ldns_rr_list_deep_free(validkeys);
01570 return result;
01571 } else {
01572 ldns_rr_list_cat(good_keys, validkeys);
01573 ldns_rr_list_free(validkeys);
01574 return LDNS_STATUS_OK;
01575 }
01576 }
01577
01578 ldns_status
01579 ldns_convert_dsa_rrsig_rdata(ldns_buffer *target_buffer,
01580 ldns_rdf *sig_rdf)
01581 {
01582
01583 uint8_t t;
01584 BIGNUM *R, *S;
01585 DSA_SIG *dsasig;
01586 unsigned char *raw_sig = NULL;
01587 int raw_sig_len;
01588
01589
01590 t = ldns_rdf_data(sig_rdf)[0];
01591 R = BN_new();
01592 (void) BN_bin2bn(ldns_rdf_data(sig_rdf) + 1, SHA_DIGEST_LENGTH, R);
01593 S = BN_new();
01594 (void) BN_bin2bn(ldns_rdf_data(sig_rdf) + 21, SHA_DIGEST_LENGTH, S);
01595
01596 dsasig = DSA_SIG_new();
01597 if (!dsasig) {
01598 return LDNS_STATUS_MEM_ERR;
01599 }
01600
01601 dsasig->r = R;
01602 dsasig->s = S;
01603
01604 raw_sig_len = i2d_DSA_SIG(dsasig, &raw_sig);
01605
01606
01607 if (ldns_buffer_reserve(target_buffer, raw_sig_len)) {
01608 ldns_buffer_write(target_buffer, raw_sig, raw_sig_len);
01609 }
01610 return ldns_buffer_status(target_buffer);
01611 }
01612
01613 #if 0
01614 void
01615 print_dates(time_t now, time_t inception)
01616 {
01617 ldns_rdf *nrdf, *irdf;
01618 char *nstr, *istr;
01619 nrdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_TIME, sizeof(now), &now);
01620 irdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_TIME, sizeof(inception), &inception);
01621 nstr = ldns_rdf2str(nrdf);
01622 istr = ldns_rdf2str(irdf);
01623 printf("Now: %s\n", nstr);
01624 printf("Inception: %s\n", istr);
01625 ldns_rdf_deep_free(nrdf);
01626 ldns_rdf_deep_free(irdf);
01627 LDNS_FREE(nstr);
01628 LDNS_FREE(istr);
01629 return;
01630 }
01631 #endif
01632
01633 ldns_status
01634 ldns_verify_rrsig(ldns_rr_list *rrset, ldns_rr *rrsig, ldns_rr *key)
01635 {
01636 ldns_buffer *rawsig_buf;
01637 ldns_buffer *verify_buf;
01638 ldns_buffer *key_buf;
01639 uint32_t orig_ttl;
01640 uint16_t i;
01641 uint8_t sig_algo;
01642 uint16_t label_count;
01643 ldns_status result;
01644 ldns_rr_list *rrset_clone;
01645 time_t now, inception, expiration;
01646 ldns_rdf *wildcard_name;
01647 ldns_rdf *wildcard_chopped;
01648 ldns_rdf *wildcard_chopped_tmp;
01649
01650 if (!rrset) {
01651 return LDNS_STATUS_NO_DATA;
01652 }
01653
01654
01655 ldns_dname2canonical(ldns_rr_owner(rrsig));
01656
01657
01658 inception = ldns_rdf2native_time_t(ldns_rr_rrsig_inception(rrsig));
01659 expiration = ldns_rdf2native_time_t(ldns_rr_rrsig_expiration(rrsig));
01660 now = time(NULL);
01661
01662 if (expiration - inception < 0) {
01663
01664 return LDNS_STATUS_CRYPTO_EXPIRATION_BEFORE_INCEPTION;
01665 }
01666 if (now - inception < 0) {
01667
01668 return LDNS_STATUS_CRYPTO_SIG_NOT_INCEPTED;
01669 }
01670
01671 if (expiration - now < 0) {
01672
01673 return LDNS_STATUS_CRYPTO_SIG_EXPIRED;
01674 }
01675
01676 rrset_clone = ldns_rr_list_clone(rrset);
01677
01678
01679 rawsig_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
01680 verify_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
01681
01682 sig_algo = ldns_rdf2native_int8(ldns_rr_rdf(rrsig, 1));
01683
01684
01685
01686
01687
01688
01689
01690
01691 switch(sig_algo) {
01692 case LDNS_RSAMD5:
01693 case LDNS_RSASHA1:
01694 case LDNS_RSASHA1_NSEC3:
01695 case LDNS_RSASHA256:
01696 case LDNS_RSASHA256_NSEC3:
01697 case LDNS_RSASHA512:
01698 case LDNS_RSASHA512_NSEC3:
01699 if (ldns_rdf2buffer_wire(rawsig_buf,
01700 ldns_rr_rdf(rrsig, 8)) != LDNS_STATUS_OK) {
01701 ldns_buffer_free(rawsig_buf);
01702 ldns_buffer_free(verify_buf);
01703 return LDNS_STATUS_MEM_ERR;
01704 }
01705 break;
01706 case LDNS_DSA:
01707 case LDNS_DSA_NSEC3:
01708 if (ldns_convert_dsa_rrsig_rdata(rawsig_buf,
01709 ldns_rr_rdf(rrsig, 8)) != LDNS_STATUS_OK) {
01710 ldns_buffer_free(rawsig_buf);
01711 ldns_buffer_free(verify_buf);
01712 return LDNS_STATUS_MEM_ERR;
01713 }
01714 break;
01715 break;
01716 case LDNS_DH:
01717 case LDNS_ECC:
01718 case LDNS_INDIRECT:
01719 ldns_buffer_free(rawsig_buf);
01720 ldns_buffer_free(verify_buf);
01721 return LDNS_STATUS_CRYPTO_ALGO_NOT_IMPL;
01722 default:
01723 ldns_buffer_free(rawsig_buf);
01724 ldns_buffer_free(verify_buf);
01725 ldns_rr_list_deep_free(rrset_clone);
01726 return LDNS_STATUS_CRYPTO_UNKNOWN_ALGO;
01727 }
01728
01729 result = LDNS_STATUS_ERR;
01730
01731
01732
01733 label_count = ldns_rdf2native_int8(ldns_rr_rdf(rrsig, 2));
01734
01735 orig_ttl = ldns_rdf2native_int32(
01736 ldns_rr_rdf(rrsig, 3));
01737
01738
01739 for(i = 0; i < ldns_rr_list_rr_count(rrset_clone); i++) {
01740 if (label_count <
01741 ldns_dname_label_count(
01742 ldns_rr_owner(ldns_rr_list_rr(rrset_clone, i)))) {
01743 (void) ldns_str2rdf_dname(&wildcard_name, "*");
01744 wildcard_chopped = ldns_rdf_clone(ldns_rr_owner(ldns_rr_list_rr(rrset_clone, i)));
01745 while (label_count < ldns_dname_label_count(wildcard_chopped)) {
01746 wildcard_chopped_tmp = ldns_dname_left_chop(wildcard_chopped);
01747 ldns_rdf_deep_free(wildcard_chopped);
01748 wildcard_chopped = wildcard_chopped_tmp;
01749 }
01750 (void) ldns_dname_cat(wildcard_name, wildcard_chopped);
01751 ldns_rdf_deep_free(wildcard_chopped);
01752 ldns_rdf_deep_free(ldns_rr_owner(ldns_rr_list_rr(rrset_clone, i)));
01753 ldns_rr_set_owner(ldns_rr_list_rr(rrset_clone, i),
01754 wildcard_name);
01755
01756 }
01757 ldns_rr_set_ttl(
01758 ldns_rr_list_rr(rrset_clone, i),
01759 orig_ttl);
01760
01761 ldns_rr2canonical(ldns_rr_list_rr(rrset_clone, i));
01762 }
01763
01764
01765 ldns_rr_list_sort(rrset_clone);
01766
01767
01768 if (ldns_rrsig2buffer_wire(verify_buf, rrsig) != LDNS_STATUS_OK) {
01769 ldns_rr_list_deep_free(rrset_clone);
01770 ldns_buffer_free(rawsig_buf);
01771 ldns_buffer_free(verify_buf);
01772 return LDNS_STATUS_ERR;
01773 }
01774
01775
01776 if (ldns_rr_list2buffer_wire(verify_buf, rrset_clone) != LDNS_STATUS_OK) {
01777 ldns_rr_list_deep_free(rrset_clone);
01778 ldns_buffer_free(rawsig_buf);
01779 ldns_buffer_free(verify_buf);
01780 return LDNS_STATUS_ERR;
01781 }
01782
01783 if (ldns_calc_keytag(key)
01784 ==
01785 ldns_rdf2native_int16(ldns_rr_rrsig_keytag(rrsig))
01786 ) {
01787 key_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
01788
01789
01790
01791
01792
01793 if (ldns_rdf2buffer_wire(key_buf,
01794 ldns_rr_rdf(key, 3)) != LDNS_STATUS_OK) {
01795 ldns_rr_list_deep_free(rrset_clone);
01796 ldns_buffer_free(rawsig_buf);
01797 ldns_buffer_free(verify_buf);
01798
01799
01800
01801 return LDNS_STATUS_ERR;
01802 }
01803
01804 if (sig_algo == ldns_rdf2native_int8(ldns_rr_rdf(key, 2))) {
01805 result = ldns_verify_rrsig_buffers(rawsig_buf, verify_buf, key_buf, sig_algo);
01806 }
01807
01808 ldns_buffer_free(key_buf);
01809 }
01810 else {
01811
01812 if (result == LDNS_STATUS_ERR) {
01813 result = LDNS_STATUS_CRYPTO_NO_MATCHING_KEYTAG_DNSKEY;
01814 }
01815 }
01816
01817 ldns_rr_list_deep_free(rrset_clone);
01818 ldns_buffer_free(rawsig_buf);
01819 ldns_buffer_free(verify_buf);
01820
01821
01822
01823
01824
01825
01826
01827
01828
01829 return result;
01830 }
01831
01832 ldns_status
01833 ldns_verify_rrsig_evp(ldns_buffer *sig, ldns_buffer *rrset, EVP_PKEY *key, const EVP_MD *digest_type)
01834 {
01835 return ldns_verify_rrsig_evp_raw((unsigned char*)ldns_buffer_begin(
01836 sig), ldns_buffer_position(sig), rrset, key, digest_type);
01837 }
01838
01839 ldns_status
01840 ldns_verify_rrsig_evp_raw(unsigned char *sig, size_t siglen,
01841 ldns_buffer *rrset, EVP_PKEY *key, const EVP_MD *digest_type)
01842 {
01843 EVP_MD_CTX ctx;
01844 int res;
01845
01846 EVP_MD_CTX_init(&ctx);
01847
01848 EVP_VerifyInit(&ctx, digest_type);
01849 EVP_VerifyUpdate(&ctx, ldns_buffer_begin(rrset), ldns_buffer_position(rrset));
01850 res = EVP_VerifyFinal(&ctx, sig, siglen, key);
01851
01852 EVP_MD_CTX_cleanup(&ctx);
01853
01854 if (res == 1) {
01855 return LDNS_STATUS_OK;
01856 } else if (res == 0) {
01857 return LDNS_STATUS_CRYPTO_BOGUS;
01858 }
01859
01860 return LDNS_STATUS_SSL_ERR;
01861 }
01862
01863 ldns_status
01864 ldns_verify_rrsig_dsa(ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key)
01865 {
01866 return ldns_verify_rrsig_dsa_raw((unsigned char*)ldns_buffer_begin(
01867 sig), ldns_buffer_position(sig), rrset, (unsigned char*)
01868 ldns_buffer_begin(key), ldns_buffer_position(key));
01869 }
01870
01871 ldns_status
01872 ldns_verify_rrsig_rsasha1(ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key)
01873 {
01874 return ldns_verify_rrsig_rsasha1_raw((unsigned char*)ldns_buffer_begin(
01875 sig), ldns_buffer_position(sig), rrset, (unsigned char*)
01876 ldns_buffer_begin(key), ldns_buffer_position(key));
01877 }
01878
01879 ldns_status
01880 ldns_verify_rrsig_rsamd5(ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key)
01881 {
01882 return ldns_verify_rrsig_rsamd5_raw((unsigned char*)ldns_buffer_begin(
01883 sig), ldns_buffer_position(sig), rrset, (unsigned char*)
01884 ldns_buffer_begin(key), ldns_buffer_position(key));
01885 }
01886
01887 ldns_status
01888 ldns_verify_rrsig_dsa_raw(unsigned char* sig, size_t siglen,
01889 ldns_buffer* rrset, unsigned char* key, size_t keylen)
01890 {
01891 EVP_PKEY *evp_key;
01892 ldns_status result;
01893
01894 evp_key = EVP_PKEY_new();
01895 EVP_PKEY_assign_DSA(evp_key, ldns_key_buf2dsa_raw(key, keylen));
01896 result = ldns_verify_rrsig_evp_raw(sig, siglen, rrset, evp_key, EVP_dss1());
01897 EVP_PKEY_free(evp_key);
01898 return result;
01899
01900 }
01901
01902 ldns_status
01903 ldns_verify_rrsig_rsasha1_raw(unsigned char* sig, size_t siglen,
01904 ldns_buffer* rrset, unsigned char* key, size_t keylen)
01905 {
01906 EVP_PKEY *evp_key;
01907 ldns_status result;
01908
01909 evp_key = EVP_PKEY_new();
01910 EVP_PKEY_assign_RSA(evp_key, ldns_key_buf2rsa_raw(key, keylen));
01911 result = ldns_verify_rrsig_evp_raw(sig, siglen, rrset, evp_key, EVP_sha1());
01912 EVP_PKEY_free(evp_key);
01913
01914 return result;
01915 }
01916
01917 ldns_status
01918 ldns_verify_rrsig_rsasha256_raw(unsigned char* sig, size_t siglen,
01919 ldns_buffer* rrset, unsigned char* key, size_t keylen)
01920 {
01921 #ifdef SHA256_DIGEST_LENGTH
01922 EVP_PKEY *evp_key;
01923 ldns_status result;
01924
01925 evp_key = EVP_PKEY_new();
01926 EVP_PKEY_assign_RSA(evp_key, ldns_key_buf2rsa_raw(key, keylen));
01927 result = ldns_verify_rrsig_evp_raw(sig, siglen, rrset, evp_key, EVP_sha256());
01928 EVP_PKEY_free(evp_key);
01929
01930 return result;
01931 #else
01932 return LDNS_STATUS_CRYPTO_UNKNOWN_ALGO;
01933 #endif
01934 }
01935
01936 ldns_status
01937 ldns_verify_rrsig_rsasha512_raw(unsigned char* sig, size_t siglen,
01938 ldns_buffer* rrset, unsigned char* key, size_t keylen)
01939 {
01940 #ifdef SHA512_DIGEST_LENGTH
01941 EVP_PKEY *evp_key;
01942 ldns_status result;
01943
01944 evp_key = EVP_PKEY_new();
01945 EVP_PKEY_assign_RSA(evp_key, ldns_key_buf2rsa_raw(key, keylen));
01946 result = ldns_verify_rrsig_evp_raw(sig, siglen, rrset, evp_key, EVP_sha512());
01947 EVP_PKEY_free(evp_key);
01948
01949 return result;
01950 #else
01951 return LDNS_STATUS_CRYPTO_UNKNOWN_ALGO;
01952 #endif
01953 }
01954
01955
01956
01957 ldns_status
01958 ldns_verify_rrsig_rsamd5_raw(unsigned char* sig, size_t siglen,
01959 ldns_buffer* rrset, unsigned char* key, size_t keylen)
01960 {
01961 EVP_PKEY *evp_key;
01962 ldns_status result;
01963
01964 evp_key = EVP_PKEY_new();
01965 EVP_PKEY_assign_RSA(evp_key, ldns_key_buf2rsa_raw(key, keylen));
01966 result = ldns_verify_rrsig_evp_raw(sig, siglen, rrset, evp_key, EVP_md5());
01967 EVP_PKEY_free(evp_key);
01968
01969 return result;
01970 }
01971
01972 #endif