dnssec.c
Go to the documentation of this file.
00001 /*
00002  * dnssec.c
00003  *
00004  * contains the cryptographic function needed for DNSSEC in ldns
00005  * The crypto library used is openssl
00006  *
00007  * (c) NLnet Labs, 2004-2008
00008  *
00009  * See the file LICENSE for the license
00010  */
00011 
00012 #include <ldns/config.h>
00013 
00014 #include <ldns/ldns.h>
00015 #include <ldns/dnssec.h>
00016 
00017 #include <strings.h>
00018 #include <time.h>
00019 
00020 #ifdef HAVE_SSL
00021 #include <openssl/ssl.h>
00022 #include <openssl/evp.h>
00023 #include <openssl/rand.h>
00024 #include <openssl/err.h>
00025 #include <openssl/md5.h>
00026 #endif
00027 
00028 ldns_rr *
00029 ldns_dnssec_get_rrsig_for_name_and_type(const ldns_rdf *name,
00030                                         const ldns_rr_type type,
00031                                         const ldns_rr_list *rrs)
00032 {
00033         size_t i;
00034         ldns_rr *candidate;
00035 
00036         if (!name || !rrs) {
00037                 return NULL;
00038         }
00039 
00040         for (i = 0; i < ldns_rr_list_rr_count(rrs); i++) {
00041                 candidate = ldns_rr_list_rr(rrs, i);
00042                 if (ldns_rr_get_type(candidate) == LDNS_RR_TYPE_RRSIG) {
00043                         if (ldns_dname_compare(ldns_rr_owner(candidate),
00044                                                name) == 0 &&
00045                             ldns_rdf2rr_type(ldns_rr_rrsig_typecovered(candidate))
00046                             == type
00047                             ) {
00048                                 return candidate;
00049                         }
00050                 }
00051         }
00052 
00053         return NULL;
00054 }
00055 
00056 ldns_rr *
00057 ldns_dnssec_get_dnskey_for_rrsig(const ldns_rr *rrsig,
00058                                                    const ldns_rr_list *rrs)
00059 {
00060         size_t i;
00061         ldns_rr *candidate;
00062 
00063         if (!rrsig || !rrs) {
00064                 return NULL;
00065         }
00066 
00067         for (i = 0; i < ldns_rr_list_rr_count(rrs); i++) {
00068                 candidate = ldns_rr_list_rr(rrs, i);
00069                 if (ldns_rr_get_type(candidate) == LDNS_RR_TYPE_DNSKEY) {
00070                         if (ldns_dname_compare(ldns_rr_owner(candidate),
00071                                                ldns_rr_rrsig_signame(rrsig)) == 0 &&
00072                             ldns_rdf2native_int16(ldns_rr_rrsig_keytag(rrsig)) ==
00073                             ldns_calc_keytag(candidate)
00074                             ) {
00075                                 return candidate;
00076                         }
00077                 }
00078         }
00079 
00080         return NULL;
00081 }
00082 
00083 ldns_rdf *
00084 ldns_nsec_get_bitmap(ldns_rr *nsec) {
00085         if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC) {
00086                 return ldns_rr_rdf(nsec, 1);
00087         } else if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC3) {
00088                 return ldns_rr_rdf(nsec, 5);
00089         } else {
00090                 return NULL;
00091         }
00092 }
00093 
00094 /*return the owner name of the closest encloser for name from the list of rrs */
00095 /* this is NOT the hash, but the original name! */
00096 ldns_rdf *
00097 ldns_dnssec_nsec3_closest_encloser(ldns_rdf *qname,
00098                                    ATTR_UNUSED(ldns_rr_type qtype),
00099                                    ldns_rr_list *nsec3s)
00100 {
00101         /* remember parameters, they must match */
00102         uint8_t algorithm;
00103         uint32_t iterations;
00104         uint8_t salt_length;
00105         uint8_t *salt;
00106 
00107         ldns_rdf *sname, *hashed_sname, *tmp;
00108         bool flag;
00109 
00110         bool exact_match_found;
00111         bool in_range_found;
00112 
00113         ldns_status status;
00114         ldns_rdf *zone_name;
00115 
00116         size_t nsec_i;
00117         ldns_rr *nsec;
00118         ldns_rdf *result = NULL;
00119 
00120         if (!qname || !nsec3s || ldns_rr_list_rr_count(nsec3s) < 1) {
00121                 return NULL;
00122         }
00123 
00124         nsec = ldns_rr_list_rr(nsec3s, 0);
00125         algorithm = ldns_nsec3_algorithm(nsec);
00126         salt_length = ldns_nsec3_salt_length(nsec);
00127         salt = ldns_nsec3_salt_data(nsec);
00128         iterations = ldns_nsec3_iterations(nsec);
00129 
00130         sname = ldns_rdf_clone(qname);
00131 
00132         flag = false;
00133 
00134         zone_name = ldns_dname_left_chop(ldns_rr_owner(nsec));
00135 
00136         /* algorithm from nsec3-07 8.3 */
00137         while (ldns_dname_label_count(sname) > 0) {
00138                 exact_match_found = false;
00139                 in_range_found = false;
00140 
00141                 hashed_sname = ldns_nsec3_hash_name(sname,
00142                                                                          algorithm,
00143                                                                          iterations,
00144                                                                          salt_length,
00145                                                                          salt);
00146 
00147                 status = ldns_dname_cat(hashed_sname, zone_name);
00148                 if(status != LDNS_STATUS_OK) {
00149                         LDNS_FREE(salt);
00150                         ldns_rdf_deep_free(zone_name);
00151                         ldns_rdf_deep_free(sname);
00152                         return NULL;
00153                 }
00154 
00155                 for (nsec_i = 0; nsec_i < ldns_rr_list_rr_count(nsec3s); nsec_i++) {
00156                         nsec = ldns_rr_list_rr(nsec3s, nsec_i);
00157 
00158                         /* check values of iterations etc! */
00159 
00160                         /* exact match? */
00161                         if (ldns_dname_compare(ldns_rr_owner(nsec), hashed_sname) == 0) {
00162                                 exact_match_found = true;
00163                         } else if (ldns_nsec_covers_name(nsec, hashed_sname)) {
00164                                 in_range_found = true;
00165                         }
00166 
00167                 }
00168                 if (!exact_match_found && in_range_found) {
00169                         flag = true;
00170                 } else if (exact_match_found && flag) {
00171                         result = ldns_rdf_clone(sname);
00172                         /* RFC 5155: 8.3. 2.** "The proof is complete" */
00173                         ldns_rdf_deep_free(hashed_sname);
00174                         goto done;
00175                 } else if (exact_match_found && !flag) {
00176                         /* error! */
00177                         ldns_rdf_deep_free(hashed_sname);
00178                         goto done;
00179                 } else {
00180                         flag = false;
00181                 }
00182 
00183                 ldns_rdf_deep_free(hashed_sname);
00184                 tmp = sname;
00185                 sname = ldns_dname_left_chop(sname);
00186                 ldns_rdf_deep_free(tmp);
00187         }
00188 
00189         done:
00190         LDNS_FREE(salt);
00191         ldns_rdf_deep_free(zone_name);
00192         ldns_rdf_deep_free(sname);
00193 
00194         return result;
00195 }
00196 
00197 bool
00198 ldns_dnssec_pkt_has_rrsigs(const ldns_pkt *pkt)
00199 {
00200         size_t i;
00201         for (i = 0; i < ldns_pkt_ancount(pkt); i++) {
00202                 if (ldns_rr_get_type(ldns_rr_list_rr(ldns_pkt_answer(pkt), i)) ==
00203                     LDNS_RR_TYPE_RRSIG) {
00204                         return true;
00205                 }
00206         }
00207         for (i = 0; i < ldns_pkt_nscount(pkt); i++) {
00208                 if (ldns_rr_get_type(ldns_rr_list_rr(ldns_pkt_authority(pkt), i)) ==
00209                     LDNS_RR_TYPE_RRSIG) {
00210                         return true;
00211                 }
00212         }
00213         return false;
00214 }
00215 
00216 ldns_rr_list *
00217 ldns_dnssec_pkt_get_rrsigs_for_name_and_type(const ldns_pkt *pkt,
00218                                                                         ldns_rdf *name,
00219                                                                         ldns_rr_type type)
00220 {
00221         uint16_t t_netorder;
00222         ldns_rr_list *sigs;
00223         ldns_rr_list *sigs_covered;
00224         ldns_rdf *rdf_t;
00225         
00226         sigs = ldns_pkt_rr_list_by_name_and_type(pkt,
00227                                                                          name,
00228                                                                          LDNS_RR_TYPE_RRSIG,
00229                                                                          LDNS_SECTION_ANY_NOQUESTION
00230                                                                          );
00231 
00232         t_netorder = htons(type); /* rdf are in network order! */
00233         rdf_t = ldns_rdf_new(LDNS_RDF_TYPE_TYPE, LDNS_RDF_SIZE_WORD, &t_netorder);
00234         sigs_covered = ldns_rr_list_subtype_by_rdf(sigs, rdf_t, 0);
00235         
00236         ldns_rdf_free(rdf_t);
00237         ldns_rr_list_deep_free(sigs);
00238 
00239         return sigs_covered;
00240 
00241 }
00242 
00243 ldns_rr_list *
00244 ldns_dnssec_pkt_get_rrsigs_for_type(const ldns_pkt *pkt, ldns_rr_type type)
00245 {
00246         uint16_t t_netorder;
00247         ldns_rr_list *sigs;
00248         ldns_rr_list *sigs_covered;
00249         ldns_rdf *rdf_t;
00250 
00251         sigs = ldns_pkt_rr_list_by_type(pkt,
00252                                         LDNS_RR_TYPE_RRSIG,
00253                                         LDNS_SECTION_ANY_NOQUESTION
00254                                                           );
00255 
00256         t_netorder = htons(type); /* rdf are in network order! */
00257         rdf_t = ldns_rdf_new(LDNS_RDF_TYPE_TYPE,
00258                                          2,
00259                                          &t_netorder);
00260         sigs_covered = ldns_rr_list_subtype_by_rdf(sigs, rdf_t, 0);
00261 
00262         ldns_rdf_free(rdf_t);
00263         ldns_rr_list_deep_free(sigs);
00264 
00265         return sigs_covered;
00266 
00267 }
00268 
00269 /* used only on the public key RR */
00270 uint16_t
00271 ldns_calc_keytag(const ldns_rr *key)
00272 {
00273         uint16_t ac16;
00274         ldns_buffer *keybuf;
00275         size_t keysize;
00276 
00277         if (!key) {
00278                 return 0;
00279         }
00280 
00281         if (ldns_rr_get_type(key) != LDNS_RR_TYPE_DNSKEY &&
00282             ldns_rr_get_type(key) != LDNS_RR_TYPE_KEY
00283             ) {
00284                 return 0;
00285         }
00286 
00287         /* rdata to buf - only put the rdata in a buffer */
00288         keybuf = ldns_buffer_new(LDNS_MIN_BUFLEN); /* grows */
00289         if (!keybuf) {
00290                 return 0;
00291         }
00292         (void)ldns_rr_rdata2buffer_wire(keybuf, key);
00293         /* the current pos in the buffer is the keysize */
00294         keysize= ldns_buffer_position(keybuf);
00295 
00296         ac16 = ldns_calc_keytag_raw(ldns_buffer_begin(keybuf), keysize);
00297         ldns_buffer_free(keybuf);
00298         return ac16;
00299 }
00300 
00301 uint16_t ldns_calc_keytag_raw(uint8_t* key, size_t keysize)
00302 {
00303         unsigned int i;
00304         uint32_t ac32;
00305         uint16_t ac16;
00306 
00307         if(keysize < 4) {
00308                 return 0;
00309         }
00310         /* look at the algorithm field, copied from 2535bis */
00311         if (key[3] == LDNS_RSAMD5) {
00312                 ac16 = 0;
00313                 if (keysize > 4) {
00314                         memmove(&ac16, key + keysize - 3, 2);
00315                 }
00316                 ac16 = ntohs(ac16);
00317                 return (uint16_t) ac16;
00318         } else {
00319                 ac32 = 0;
00320                 for (i = 0; (size_t)i < keysize; ++i) {
00321                         ac32 += (i & 1) ? key[i] : key[i] << 8;
00322                 }
00323                 ac32 += (ac32 >> 16) & 0xFFFF;
00324                 return (uint16_t) (ac32 & 0xFFFF);
00325         }
00326 }
00327 
00328 #ifdef HAVE_SSL
00329 DSA *
00330 ldns_key_buf2dsa(ldns_buffer *key)
00331 {
00332         return ldns_key_buf2dsa_raw((unsigned char*)ldns_buffer_begin(key),
00333                                                    ldns_buffer_position(key));
00334 }
00335 
00336 DSA *
00337 ldns_key_buf2dsa_raw(unsigned char* key, size_t len)
00338 {
00339         uint8_t T;
00340         uint16_t length;
00341         uint16_t offset;
00342         DSA *dsa;
00343         BIGNUM *Q; BIGNUM *P;
00344         BIGNUM *G; BIGNUM *Y;
00345 
00346         if(len == 0)
00347                 return NULL;
00348         T = (uint8_t)key[0];
00349         length = (64 + T * 8);
00350         offset = 1;
00351 
00352         if (T > 8) {
00353                 return NULL;
00354         }
00355         if(len < (size_t)1 + SHA_DIGEST_LENGTH + 3*length)
00356                 return NULL;
00357 
00358         Q = BN_bin2bn(key+offset, SHA_DIGEST_LENGTH, NULL);
00359         offset += SHA_DIGEST_LENGTH;
00360 
00361         P = BN_bin2bn(key+offset, (int)length, NULL);
00362         offset += length;
00363 
00364         G = BN_bin2bn(key+offset, (int)length, NULL);
00365         offset += length;
00366 
00367         Y = BN_bin2bn(key+offset, (int)length, NULL);
00368         offset += length;
00369 
00370         /* create the key and set its properties */
00371         if(!Q || !P || !G || !Y || !(dsa = DSA_new())) {
00372                 BN_free(Q);
00373                 BN_free(P);
00374                 BN_free(G);
00375                 BN_free(Y);
00376                 return NULL;
00377         }
00378 #ifndef S_SPLINT_S
00379         dsa->p = P;
00380         dsa->q = Q;
00381         dsa->g = G;
00382         dsa->pub_key = Y;
00383 #endif /* splint */
00384 
00385         return dsa;
00386 }
00387 
00388 RSA *
00389 ldns_key_buf2rsa(ldns_buffer *key)
00390 {
00391         return ldns_key_buf2rsa_raw((unsigned char*)ldns_buffer_begin(key),
00392                                                    ldns_buffer_position(key));
00393 }
00394 
00395 RSA *
00396 ldns_key_buf2rsa_raw(unsigned char* key, size_t len)
00397 {
00398         uint16_t offset;
00399         uint16_t exp;
00400         uint16_t int16;
00401         RSA *rsa;
00402         BIGNUM *modulus;
00403         BIGNUM *exponent;
00404 
00405         if (len == 0)
00406                 return NULL;
00407         if (key[0] == 0) {
00408                 if(len < 3)
00409                         return NULL;
00410                 /* need some smart comment here XXX*/
00411                 /* the exponent is too large so it's places
00412                  * futher...???? */
00413                 memmove(&int16, key+1, 2);
00414                 exp = ntohs(int16);
00415                 offset = 3;
00416         } else {
00417                 exp = key[0];
00418                 offset = 1;
00419         }
00420 
00421         /* key length at least one */
00422         if(len < (size_t)offset + exp + 1)
00423                 return NULL;
00424 
00425         /* Exponent */
00426         exponent = BN_new();
00427         if(!exponent) return NULL;
00428         (void) BN_bin2bn(key+offset, (int)exp, exponent);
00429         offset += exp;
00430 
00431         /* Modulus */
00432         modulus = BN_new();
00433         if(!modulus) {
00434                 BN_free(exponent);
00435                 return NULL;
00436         }
00437         /* length of the buffer must match the key length! */
00438         (void) BN_bin2bn(key+offset, (int)(len - offset), modulus);
00439 
00440         rsa = RSA_new();
00441         if(!rsa) {
00442                 BN_free(exponent);
00443                 BN_free(modulus);
00444                 return NULL;
00445         }
00446 #ifndef S_SPLINT_S
00447         rsa->n = modulus;
00448         rsa->e = exponent;
00449 #endif /* splint */
00450 
00451         return rsa;
00452 }
00453 
00454 int
00455 ldns_digest_evp(unsigned char* data, unsigned int len, unsigned char* dest,
00456         const EVP_MD* md)
00457 {
00458         EVP_MD_CTX* ctx;
00459         ctx = EVP_MD_CTX_create();
00460         if(!ctx)
00461                 return false;
00462         if(!EVP_DigestInit_ex(ctx, md, NULL) ||
00463                 !EVP_DigestUpdate(ctx, data, len) ||
00464                 !EVP_DigestFinal_ex(ctx, dest, NULL)) {
00465                 EVP_MD_CTX_destroy(ctx);
00466                 return false;
00467         }
00468         EVP_MD_CTX_destroy(ctx);
00469         return true;
00470 }
00471 #endif /* HAVE_SSL */
00472 
00473 ldns_rr *
00474 ldns_key_rr2ds(const ldns_rr *key, ldns_hash h)
00475 {
00476         ldns_rdf *tmp;
00477         ldns_rr *ds;
00478         uint16_t keytag;
00479         uint8_t  sha1hash;
00480         uint8_t *digest;
00481         ldns_buffer *data_buf;
00482 #ifdef USE_GOST
00483         const EVP_MD* md = NULL;
00484 #endif
00485 
00486         if (ldns_rr_get_type(key) != LDNS_RR_TYPE_DNSKEY) {
00487                 return NULL;
00488         }
00489 
00490         ds = ldns_rr_new();
00491         if (!ds) {
00492                 return NULL;
00493         }
00494         ldns_rr_set_type(ds, LDNS_RR_TYPE_DS);
00495         ldns_rr_set_owner(ds, ldns_rdf_clone(
00496                                                                   ldns_rr_owner(key)));
00497         ldns_rr_set_ttl(ds, ldns_rr_ttl(key));
00498         ldns_rr_set_class(ds, ldns_rr_get_class(key));
00499 
00500         switch(h) {
00501         default:
00502         case LDNS_SHA1:
00503                 digest = LDNS_XMALLOC(uint8_t, LDNS_SHA1_DIGEST_LENGTH);
00504                 if (!digest) {
00505                         ldns_rr_free(ds);
00506                         return NULL;
00507                 }
00508                 break;
00509         case LDNS_SHA256:
00510                 digest = LDNS_XMALLOC(uint8_t, LDNS_SHA256_DIGEST_LENGTH);
00511                 if (!digest) {
00512                         ldns_rr_free(ds);
00513                         return NULL;
00514                 }
00515                 break;
00516         case LDNS_HASH_GOST:
00517 #ifdef USE_GOST
00518                 (void)ldns_key_EVP_load_gost_id();
00519                 md = EVP_get_digestbyname("md_gost94");
00520                 if(!md) {
00521                         ldns_rr_free(ds);
00522                         return NULL;
00523                 }
00524                 digest = LDNS_XMALLOC(uint8_t, EVP_MD_size(md));
00525                 if (!digest) {
00526                         ldns_rr_free(ds);
00527                         return NULL;
00528                 }
00529                 break;
00530 #else
00531                 /* not implemented */
00532                 ldns_rr_free(ds);
00533                 return NULL;
00534 #endif
00535         case LDNS_SHA384:
00536 #ifdef USE_ECDSA
00537                 digest = LDNS_XMALLOC(uint8_t, SHA384_DIGEST_LENGTH);
00538                 if (!digest) {
00539                         ldns_rr_free(ds);
00540                         return NULL;
00541                 }
00542                 break;
00543 #else
00544                 /* not implemented */
00545                 ldns_rr_free(ds);
00546                 return NULL;
00547 #endif
00548         }
00549 
00550         data_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
00551         if (!data_buf) {
00552                 LDNS_FREE(digest);
00553                 ldns_rr_free(ds);
00554                 return NULL;
00555         }
00556 
00557         /* keytag */
00558         keytag = htons(ldns_calc_keytag((ldns_rr*)key));
00559         tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT16,
00560                                                    sizeof(uint16_t),
00561                                                    &keytag);
00562         ldns_rr_push_rdf(ds, tmp);
00563 
00564         /* copy the algorithm field */
00565         if ((tmp = ldns_rr_rdf(key, 2)) == NULL) {
00566                 LDNS_FREE(digest);
00567                 ldns_buffer_free(data_buf);
00568                 ldns_rr_free(ds);
00569                 return NULL;
00570         } else {
00571                 ldns_rr_push_rdf(ds, ldns_rdf_clone( tmp )); 
00572         }
00573 
00574         /* digest hash type */
00575         sha1hash = (uint8_t)h;
00576         tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT8,
00577                                                    sizeof(uint8_t),
00578                                                    &sha1hash);
00579         ldns_rr_push_rdf(ds, tmp);
00580 
00581         /* digest */
00582         /* owner name */
00583         tmp = ldns_rdf_clone(ldns_rr_owner(key));
00584         ldns_dname2canonical(tmp);
00585         if (ldns_rdf2buffer_wire(data_buf, tmp) != LDNS_STATUS_OK) {
00586                 LDNS_FREE(digest);
00587                 ldns_buffer_free(data_buf);
00588                 ldns_rr_free(ds);
00589                 ldns_rdf_deep_free(tmp);
00590                 return NULL;
00591         }
00592         ldns_rdf_deep_free(tmp);
00593 
00594         /* all the rdata's */
00595         if (ldns_rr_rdata2buffer_wire(data_buf,
00596                                                         (ldns_rr*)key) != LDNS_STATUS_OK) {
00597                 LDNS_FREE(digest);
00598                 ldns_buffer_free(data_buf);
00599                 ldns_rr_free(ds);
00600                 return NULL;
00601         }
00602         switch(h) {
00603         case LDNS_SHA1:
00604                 (void) ldns_sha1((unsigned char *) ldns_buffer_begin(data_buf),
00605                                  (unsigned int) ldns_buffer_position(data_buf),
00606                                  (unsigned char *) digest);
00607 
00608                 tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_HEX,
00609                                             LDNS_SHA1_DIGEST_LENGTH,
00610                                             digest);
00611                 ldns_rr_push_rdf(ds, tmp);
00612 
00613                 break;
00614         case LDNS_SHA256:
00615                 (void) ldns_sha256((unsigned char *) ldns_buffer_begin(data_buf),
00616                                    (unsigned int) ldns_buffer_position(data_buf),
00617                                    (unsigned char *) digest);
00618                 tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_HEX,
00619                                             LDNS_SHA256_DIGEST_LENGTH,
00620                                             digest);
00621                 ldns_rr_push_rdf(ds, tmp);
00622                 break;
00623         case LDNS_HASH_GOST:
00624 #ifdef USE_GOST
00625                 if(!ldns_digest_evp((unsigned char *) ldns_buffer_begin(data_buf),
00626                                 (unsigned int) ldns_buffer_position(data_buf),
00627                                 (unsigned char *) digest, md)) {
00628                         LDNS_FREE(digest);
00629                         ldns_buffer_free(data_buf);
00630                         ldns_rr_free(ds);
00631                         return NULL;
00632                 }
00633                 tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_HEX,
00634                                             (size_t)EVP_MD_size(md),
00635                                             digest);
00636                 ldns_rr_push_rdf(ds, tmp);
00637 #endif
00638                 break;
00639         case LDNS_SHA384:
00640 #ifdef USE_ECDSA
00641                 (void) SHA384((unsigned char *) ldns_buffer_begin(data_buf),
00642                                  (unsigned int) ldns_buffer_position(data_buf),
00643                                  (unsigned char *) digest);
00644                 tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_HEX,
00645                                             SHA384_DIGEST_LENGTH,
00646                                             digest);
00647                 ldns_rr_push_rdf(ds, tmp);
00648 #endif
00649                 break;
00650         }
00651 
00652         LDNS_FREE(digest);
00653         ldns_buffer_free(data_buf);
00654         return ds;
00655 }
00656 
00657 /* From RFC3845:
00658  *
00659  * 2.1.2.  The List of Type Bit Map(s) Field
00660  * 
00661  *    The RR type space is split into 256 window blocks, each representing
00662  *    the low-order 8 bits of the 16-bit RR type space.  Each block that
00663  *    has at least one active RR type is encoded using a single octet
00664  *    window number (from 0 to 255), a single octet bitmap length (from 1
00665  *    to 32) indicating the number of octets used for the window block's
00666  *    bitmap, and up to 32 octets (256 bits) of bitmap.
00667  * 
00668  *    Window blocks are present in the NSEC RR RDATA in increasing
00669  *    numerical order.
00670  * 
00671  *    "|" denotes concatenation
00672  * 
00673  *    Type Bit Map(s) Field = ( Window Block # | Bitmap Length | Bitmap ) +
00674  * 
00675  *    <cut>
00676  * 
00677  *    Blocks with no types present MUST NOT be included.  Trailing zero
00678  *    octets in the bitmap MUST be omitted.  The length of each block's
00679  *    bitmap is determined by the type code with the largest numerical
00680  *    value within that block, among the set of RR types present at the
00681  *    NSEC RR's owner name.  Trailing zero octets not specified MUST be
00682  *    interpreted as zero octets.
00683  */
00684 ldns_rdf *
00685 ldns_dnssec_create_nsec_bitmap(ldns_rr_type rr_type_list[],
00686                                size_t size,
00687                                ldns_rr_type nsec_type)
00688 {
00689         uint8_t  window;                /*  most significant octet of type */
00690         uint8_t  subtype;               /* least significant octet of type */
00691         uint16_t windows[256]           /* Max subtype per window */
00692 #ifndef S_SPLINT_S
00693                               = { 0 }   /* Initialize ALL elements with 0 */
00694 #endif
00695                                      ;
00696         ldns_rr_type* d;        /* used to traverse rr_type_list*/
00697         size_t i;               /* used to traverse windows array */
00698 
00699         size_t sz;                      /* size needed for type bitmap rdf */
00700         uint8_t* data = NULL;           /* rdf data */
00701         uint8_t* dptr;                  /* used to itraverse rdf data */
00702         ldns_rdf* rdf;                  /* bitmap rdf to return */
00703 
00704         if (nsec_type != LDNS_RR_TYPE_NSEC &&
00705             nsec_type != LDNS_RR_TYPE_NSEC3) {
00706                 return NULL;
00707         }
00708 
00709         /* Which other windows need to be in the bitmap rdf?
00710          */
00711         for (d = rr_type_list; d < rr_type_list + size; d++) {
00712                 window  = *d >> 8;
00713                 subtype = *d & 0xff;
00714                 if (windows[window] < subtype) {
00715                         windows[window] = subtype;
00716                 }
00717         }
00718 
00719         /* How much space do we need in the rdf for those windows?
00720          */
00721         sz = 0;
00722         for (i = 0; i < 256; i++) {
00723                 if (windows[i]) {
00724                         sz += windows[i] / 8 + 3;
00725                 }
00726         }
00727         if (sz > 0) {
00728                 /* Format rdf data according RFC3845 Section 2.1.2 (see above)
00729                  */
00730                 dptr = data = LDNS_CALLOC(uint8_t, sz);
00731                 if (!data) {
00732                         return NULL;
00733                 }
00734                 for (i = 0; i < 256; i++) {
00735                         if (windows[i]) {
00736                                 *dptr++ = (uint8_t)i;
00737                                 *dptr++ = (uint8_t)(windows[i] / 8 + 1);
00738 
00739                                 /* Now let windows[i] index the bitmap
00740                                  * within data
00741                                  */
00742                                 windows[i] = (uint16_t)(dptr - data);
00743 
00744                                 dptr += dptr[-1];
00745                         }
00746                 }
00747         }
00748 
00749         /* Set the bits?
00750          */
00751         for (d = rr_type_list; d < rr_type_list + size; d++) {
00752                 subtype = *d & 0xff;
00753                 data[windows[*d >> 8] + subtype/8] |= (0x80 >> (subtype % 8));
00754         }
00755 
00756         /* Allocate and return rdf structure for the data
00757          */
00758         rdf = ldns_rdf_new(LDNS_RDF_TYPE_BITMAP, sz, data);
00759         if (!rdf) {
00760                 LDNS_FREE(data);
00761                 return NULL;
00762         }
00763         return rdf;
00764 }
00765 
00766 int
00767 ldns_dnssec_rrsets_contains_type(ldns_dnssec_rrsets *rrsets,
00768                                  ldns_rr_type type)
00769 {
00770         ldns_dnssec_rrsets *cur_rrset = rrsets;
00771         while (cur_rrset) {
00772                 if (cur_rrset->type == type) {
00773                         return 1;
00774                 }
00775                 cur_rrset = cur_rrset->next;
00776         }
00777         return 0;
00778 }
00779 
00780 ldns_rr *
00781 ldns_dnssec_create_nsec(ldns_dnssec_name *from,
00782                         ldns_dnssec_name *to,
00783                         ldns_rr_type nsec_type)
00784 {
00785         ldns_rr *nsec_rr;
00786         ldns_rr_type types[65536];
00787         size_t type_count = 0;
00788         ldns_dnssec_rrsets *cur_rrsets;
00789         int on_delegation_point;
00790 
00791         if (!from || !to || (nsec_type != LDNS_RR_TYPE_NSEC)) {
00792                 return NULL;
00793         }
00794 
00795         nsec_rr = ldns_rr_new();
00796         ldns_rr_set_type(nsec_rr, nsec_type);
00797         ldns_rr_set_owner(nsec_rr, ldns_rdf_clone(ldns_dnssec_name_name(from)));
00798         ldns_rr_push_rdf(nsec_rr, ldns_rdf_clone(ldns_dnssec_name_name(to)));
00799 
00800         on_delegation_point = ldns_dnssec_rrsets_contains_type(
00801                         from->rrsets, LDNS_RR_TYPE_NS)
00802                 && !ldns_dnssec_rrsets_contains_type(
00803                         from->rrsets, LDNS_RR_TYPE_SOA);
00804 
00805         cur_rrsets = from->rrsets;
00806         while (cur_rrsets) {
00807                 /* Do not include non-authoritative rrsets on the delegation point
00808                  * in the type bitmap */
00809                 if ((on_delegation_point && (
00810                                 cur_rrsets->type == LDNS_RR_TYPE_NS 
00811                              || cur_rrsets->type == LDNS_RR_TYPE_DS))
00812                         || (!on_delegation_point &&
00813                                 cur_rrsets->type != LDNS_RR_TYPE_RRSIG
00814                              && cur_rrsets->type != LDNS_RR_TYPE_NSEC)) {
00815 
00816                         types[type_count] = cur_rrsets->type;
00817                         type_count++;
00818                 }
00819                 cur_rrsets = cur_rrsets->next;
00820 
00821         }
00822         types[type_count] = LDNS_RR_TYPE_RRSIG;
00823         type_count++;
00824         types[type_count] = LDNS_RR_TYPE_NSEC;
00825         type_count++;
00826 
00827         ldns_rr_push_rdf(nsec_rr, ldns_dnssec_create_nsec_bitmap(types,
00828                                        type_count,
00829                                        nsec_type));
00830 
00831         return nsec_rr;
00832 }
00833 
00834 ldns_rr *
00835 ldns_dnssec_create_nsec3(ldns_dnssec_name *from,
00836                                         ldns_dnssec_name *to,
00837                                         ldns_rdf *zone_name,
00838                                         uint8_t algorithm,
00839                                         uint8_t flags,
00840                                         uint16_t iterations,
00841                                         uint8_t salt_length,
00842                                         uint8_t *salt)
00843 {
00844         ldns_rr *nsec_rr;
00845         ldns_rr_type types[65536];
00846         size_t type_count = 0;
00847         ldns_dnssec_rrsets *cur_rrsets;
00848         ldns_status status;
00849         int on_delegation_point;
00850 
00851         if (!from) {
00852                 return NULL;
00853         }
00854 
00855         nsec_rr = ldns_rr_new_frm_type(LDNS_RR_TYPE_NSEC3);
00856         ldns_rr_set_owner(nsec_rr,
00857                           ldns_nsec3_hash_name(ldns_dnssec_name_name(from),
00858                           algorithm,
00859                           iterations,
00860                           salt_length,
00861                           salt));
00862         status = ldns_dname_cat(ldns_rr_owner(nsec_rr), zone_name);
00863         if(status != LDNS_STATUS_OK) {
00864                 ldns_rr_free(nsec_rr);
00865                 return NULL;
00866         }
00867         ldns_nsec3_add_param_rdfs(nsec_rr,
00868                                   algorithm,
00869                                   flags,
00870                                   iterations,
00871                                   salt_length,
00872                                   salt);
00873 
00874         on_delegation_point = ldns_dnssec_rrsets_contains_type(
00875                         from->rrsets, LDNS_RR_TYPE_NS)
00876                 && !ldns_dnssec_rrsets_contains_type(
00877                         from->rrsets, LDNS_RR_TYPE_SOA);
00878         cur_rrsets = from->rrsets;
00879         while (cur_rrsets) {
00880                 /* Do not include non-authoritative rrsets on the delegation point
00881                  * in the type bitmap. Potentionally not skipping insecure
00882                  * delegation should have been done earlier, in function
00883                  * ldns_dnssec_zone_create_nsec3s, or even earlier in:
00884                  * ldns_dnssec_zone_sign_nsec3_flg .
00885                  */
00886                 if ((on_delegation_point && (
00887                                 cur_rrsets->type == LDNS_RR_TYPE_NS
00888                              || cur_rrsets->type == LDNS_RR_TYPE_DS))
00889                         || (!on_delegation_point &&
00890                                 cur_rrsets->type != LDNS_RR_TYPE_RRSIG)) {
00891 
00892                         types[type_count] = cur_rrsets->type;
00893                         type_count++;
00894                 }
00895                 cur_rrsets = cur_rrsets->next;
00896         }
00897         /* always add rrsig type if this is not an unsigned
00898          * delegation
00899          */
00900         if (type_count > 0 &&
00901             !(type_count == 1 && types[0] == LDNS_RR_TYPE_NS)) {
00902                 types[type_count] = LDNS_RR_TYPE_RRSIG;
00903                 type_count++;
00904         }
00905 
00906         /* leave next rdata empty if they weren't precomputed yet */
00907         if (to && to->hashed_name) {
00908                 (void) ldns_rr_set_rdf(nsec_rr,
00909                                        ldns_rdf_clone(to->hashed_name),
00910                                        4);
00911         } else {
00912                 (void) ldns_rr_set_rdf(nsec_rr, NULL, 4);
00913         }
00914 
00915         ldns_rr_push_rdf(nsec_rr,
00916                          ldns_dnssec_create_nsec_bitmap(types,
00917                          type_count,
00918                          LDNS_RR_TYPE_NSEC3));
00919 
00920         return nsec_rr;
00921 }
00922 
00923 ldns_rr *
00924 ldns_create_nsec(ldns_rdf *cur_owner, ldns_rdf *next_owner, ldns_rr_list *rrs)
00925 {
00926         /* we do not do any check here - garbage in, garbage out */
00927 
00928         /* the the start and end names - get the type from the
00929          * before rrlist */
00930 
00931         /* inefficient, just give it a name, a next name, and a list of rrs */
00932         /* we make 1 big uberbitmap first, then windows */
00933         /* todo: make something more efficient :) */
00934         uint16_t i;
00935         ldns_rr *i_rr;
00936         uint16_t i_type;
00937 
00938         ldns_rr *nsec = NULL;
00939         ldns_rr_type i_type_list[65536];
00940         size_t type_count = 0;
00941 
00942         nsec = ldns_rr_new();
00943         ldns_rr_set_type(nsec, LDNS_RR_TYPE_NSEC);
00944         ldns_rr_set_owner(nsec, ldns_rdf_clone(cur_owner));
00945         ldns_rr_push_rdf(nsec, ldns_rdf_clone(next_owner));
00946 
00947         for (i = 0; i < ldns_rr_list_rr_count(rrs); i++) {
00948                 i_rr = ldns_rr_list_rr(rrs, i);
00949                 if (ldns_rdf_compare(cur_owner,
00950                                                  ldns_rr_owner(i_rr)) == 0) {
00951                         i_type = ldns_rr_get_type(i_rr);
00952                         if (i_type != LDNS_RR_TYPE_RRSIG && i_type != LDNS_RR_TYPE_NSEC) {
00953                                 if (type_count == 0 || i_type_list[type_count-1] != i_type) {
00954                                         i_type_list[type_count] = i_type;
00955                                         type_count++;
00956                                 }
00957                         }
00958                 }
00959         }
00960 
00961         i_type_list[type_count] = LDNS_RR_TYPE_RRSIG;
00962         type_count++;
00963         i_type_list[type_count] = LDNS_RR_TYPE_NSEC;
00964         type_count++;
00965 
00966         ldns_rr_push_rdf(nsec,
00967                                   ldns_dnssec_create_nsec_bitmap(i_type_list,
00968                                                 type_count, LDNS_RR_TYPE_NSEC));
00969 
00970         return nsec;
00971 }
00972 
00973 ldns_rdf *
00974 ldns_nsec3_hash_name(ldns_rdf *name,
00975                                  uint8_t algorithm,
00976                                  uint16_t iterations,
00977                                  uint8_t salt_length,
00978                                  uint8_t *salt)
00979 {
00980         size_t hashed_owner_str_len;
00981         ldns_rdf *cann;
00982         ldns_rdf *hashed_owner;
00983         unsigned char *hashed_owner_str;
00984         char *hashed_owner_b32;
00985         size_t hashed_owner_b32_len;
00986         uint32_t cur_it;
00987         /* define to contain the largest possible hash, which is
00988          * sha1 at the moment */
00989         unsigned char hash[LDNS_SHA1_DIGEST_LENGTH];
00990         ldns_status status;
00991 
00992         /* TODO: mnemonic list for hash algs SHA-1, default to 1 now (sha1) */
00993         if (algorithm != LDNS_SHA1) {
00994                 return NULL;
00995         }
00996 
00997         /* prepare the owner name according to the draft section bla */
00998         cann = ldns_rdf_clone(name);
00999         if(!cann) {
01000 #ifdef STDERR_MSGS
01001                 fprintf(stderr, "Memory error\n");
01002 #endif
01003                 return NULL;
01004         }
01005         ldns_dname2canonical(cann);
01006 
01007         hashed_owner_str_len = salt_length + ldns_rdf_size(cann);
01008         hashed_owner_str = LDNS_XMALLOC(unsigned char, hashed_owner_str_len);
01009         if(!hashed_owner_str) {
01010                 ldns_rdf_deep_free(cann);
01011                 return NULL;
01012         }
01013         memcpy(hashed_owner_str, ldns_rdf_data(cann), ldns_rdf_size(cann));
01014         memcpy(hashed_owner_str + ldns_rdf_size(cann), salt, salt_length);
01015         ldns_rdf_deep_free(cann);
01016 
01017         for (cur_it = iterations + 1; cur_it > 0; cur_it--) {
01018                 (void) ldns_sha1((unsigned char *) hashed_owner_str,
01019                                  (unsigned int) hashed_owner_str_len, hash);
01020 
01021                 LDNS_FREE(hashed_owner_str);
01022                 hashed_owner_str_len = salt_length + LDNS_SHA1_DIGEST_LENGTH;
01023                 hashed_owner_str = LDNS_XMALLOC(unsigned char, hashed_owner_str_len);
01024                 if (!hashed_owner_str) {
01025                         return NULL;
01026                 }
01027                 memcpy(hashed_owner_str, hash, LDNS_SHA1_DIGEST_LENGTH);
01028                 memcpy(hashed_owner_str + LDNS_SHA1_DIGEST_LENGTH, salt, salt_length);
01029                 hashed_owner_str_len = LDNS_SHA1_DIGEST_LENGTH + salt_length;
01030         }
01031 
01032         LDNS_FREE(hashed_owner_str);
01033         hashed_owner_str = hash;
01034         hashed_owner_str_len = LDNS_SHA1_DIGEST_LENGTH;
01035 
01036         hashed_owner_b32 = LDNS_XMALLOC(char,
01037                   ldns_b32_ntop_calculate_size(hashed_owner_str_len) + 1);
01038         if(!hashed_owner_b32) {
01039                 return NULL;
01040         }
01041         hashed_owner_b32_len = (size_t) ldns_b32_ntop_extended_hex(
01042                 (uint8_t *) hashed_owner_str,
01043                 hashed_owner_str_len,
01044                 hashed_owner_b32,
01045                 ldns_b32_ntop_calculate_size(hashed_owner_str_len)+1);
01046         if (hashed_owner_b32_len < 1) {
01047 #ifdef STDERR_MSGS
01048                 fprintf(stderr, "Error in base32 extended hex encoding ");
01049                 fprintf(stderr, "of hashed owner name (name: ");
01050                 ldns_rdf_print(stderr, name);
01051                 fprintf(stderr, ", return code: %u)\n",
01052                         (unsigned int) hashed_owner_b32_len);
01053 #endif
01054                 LDNS_FREE(hashed_owner_b32);
01055                 return NULL;
01056         }
01057         hashed_owner_b32[hashed_owner_b32_len] = '\0';
01058 
01059         status = ldns_str2rdf_dname(&hashed_owner, hashed_owner_b32);
01060         if (status != LDNS_STATUS_OK) {
01061 #ifdef STDERR_MSGS
01062                 fprintf(stderr, "Error creating rdf from %s\n", hashed_owner_b32);
01063 #endif
01064                 LDNS_FREE(hashed_owner_b32);
01065                 return NULL;
01066         }
01067 
01068         LDNS_FREE(hashed_owner_b32);
01069         return hashed_owner;
01070 }
01071 
01072 void
01073 ldns_nsec3_add_param_rdfs(ldns_rr *rr,
01074                                          uint8_t algorithm,
01075                                          uint8_t flags,
01076                                          uint16_t iterations,
01077                                          uint8_t salt_length,
01078                                          uint8_t *salt)
01079 {
01080         ldns_rdf *salt_rdf = NULL;
01081         uint8_t *salt_data = NULL;
01082         ldns_rdf *old;
01083 
01084         old = ldns_rr_set_rdf(rr,
01085                               ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT8,
01086                                                     1, (void*)&algorithm),
01087                               0);
01088         if (old) ldns_rdf_deep_free(old);
01089 
01090         old = ldns_rr_set_rdf(rr,
01091                               ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT8,
01092                                                     1, (void*)&flags),
01093                               1);
01094         if (old) ldns_rdf_deep_free(old);
01095 
01096         old = ldns_rr_set_rdf(rr,
01097                           ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16,
01098                                                 iterations),
01099                               2);
01100         if (old) ldns_rdf_deep_free(old);
01101 
01102         salt_data = LDNS_XMALLOC(uint8_t, salt_length + 1);
01103         if(!salt_data) {
01104                 /* no way to return error */
01105                 return;
01106         }
01107         salt_data[0] = salt_length;
01108         memcpy(salt_data + 1, salt, salt_length);
01109         salt_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_NSEC3_SALT,
01110                                                            salt_length + 1,
01111                                                            salt_data);
01112         if(!salt_rdf) {
01113                 LDNS_FREE(salt_data);
01114                 /* no way to return error */
01115                 return;
01116         }
01117 
01118         old = ldns_rr_set_rdf(rr, salt_rdf, 3);
01119         if (old) ldns_rdf_deep_free(old);
01120         LDNS_FREE(salt_data);
01121 }
01122 
01123 static int
01124 rr_list_delegation_only(ldns_rdf *origin, ldns_rr_list *rr_list)
01125 {
01126         size_t i;
01127         ldns_rr *cur_rr;
01128         if (!origin || !rr_list) return 0;
01129         for (i = 0; i < ldns_rr_list_rr_count(rr_list); i++) {
01130                 cur_rr = ldns_rr_list_rr(rr_list, i);
01131                 if (ldns_dname_compare(ldns_rr_owner(cur_rr), origin) == 0) {
01132                         return 0;
01133                 }
01134                 if (ldns_rr_get_type(cur_rr) != LDNS_RR_TYPE_NS) {
01135                         return 0;
01136                 }
01137         }
01138         return 1;
01139 }
01140 
01141 /* this will NOT return the NSEC3  completed, you will have to run the
01142    finalize function on the rrlist later! */
01143 ldns_rr *
01144 ldns_create_nsec3(ldns_rdf *cur_owner,
01145                   ldns_rdf *cur_zone,
01146                   ldns_rr_list *rrs,
01147                   uint8_t algorithm,
01148                   uint8_t flags,
01149                   uint16_t iterations,
01150                   uint8_t salt_length,
01151                   uint8_t *salt,
01152                   bool emptynonterminal)
01153 {
01154         size_t i;
01155         ldns_rr *i_rr;
01156         uint16_t i_type;
01157 
01158         ldns_rr *nsec = NULL;
01159         ldns_rdf *hashed_owner = NULL;
01160 
01161         ldns_status status;
01162 
01163     ldns_rr_type i_type_list[1024];
01164         size_t type_count = 0;
01165 
01166         hashed_owner = ldns_nsec3_hash_name(cur_owner,
01167                                                                  algorithm,
01168                                                                  iterations,
01169                                                                  salt_length,
01170                                                                  salt);
01171         status = ldns_dname_cat(hashed_owner, cur_zone);
01172         if(status != LDNS_STATUS_OK) {
01173                 ldns_rdf_deep_free(hashed_owner);
01174                 return NULL;
01175         }
01176         nsec = ldns_rr_new_frm_type(LDNS_RR_TYPE_NSEC3);
01177         if(!nsec) {
01178                 ldns_rdf_deep_free(hashed_owner);
01179                 return NULL;
01180         }
01181         ldns_rr_set_type(nsec, LDNS_RR_TYPE_NSEC3);
01182         ldns_rr_set_owner(nsec, hashed_owner);
01183 
01184         ldns_nsec3_add_param_rdfs(nsec,
01185                                                  algorithm,
01186                                                  flags,
01187                                                  iterations,
01188                                                  salt_length,
01189                                                  salt);
01190         (void) ldns_rr_set_rdf(nsec, NULL, 4);
01191 
01192 
01193         for (i = 0; i < ldns_rr_list_rr_count(rrs); i++) {
01194                 i_rr = ldns_rr_list_rr(rrs, i);
01195                 if (ldns_rdf_compare(cur_owner,
01196                                                  ldns_rr_owner(i_rr)) == 0) {
01197                         i_type = ldns_rr_get_type(i_rr);
01198                         if (type_count == 0 || i_type_list[type_count-1] != i_type) {
01199                                 i_type_list[type_count] = i_type;
01200                                 type_count++;
01201                         }
01202                 }
01203         }
01204 
01205         /* add RRSIG anyway, but only if this is not an ENT or
01206          * an unsigned delegation */
01207         if (!emptynonterminal && !rr_list_delegation_only(cur_zone, rrs)) {
01208                 i_type_list[type_count] = LDNS_RR_TYPE_RRSIG;
01209                 type_count++;
01210         }
01211 
01212         /* and SOA if owner == zone */
01213         if (ldns_dname_compare(cur_zone, cur_owner) == 0) {
01214                 i_type_list[type_count] = LDNS_RR_TYPE_SOA;
01215                 type_count++;
01216         }
01217 
01218         ldns_rr_push_rdf(nsec,
01219                                   ldns_dnssec_create_nsec_bitmap(i_type_list,
01220                                                 type_count, LDNS_RR_TYPE_NSEC3));
01221 
01222         return nsec;
01223 }
01224 
01225 uint8_t
01226 ldns_nsec3_algorithm(const ldns_rr *nsec3_rr)
01227 {
01228         if (nsec3_rr && 
01229               (ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3 ||
01230                ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3PARAM)
01231             && (ldns_rr_rdf(nsec3_rr, 0) != NULL)
01232             && ldns_rdf_size(ldns_rr_rdf(nsec3_rr, 0)) > 0) {
01233                 return ldns_rdf2native_int8(ldns_rr_rdf(nsec3_rr, 0));
01234         }
01235         return 0;
01236 }
01237 
01238 uint8_t
01239 ldns_nsec3_flags(const ldns_rr *nsec3_rr)
01240 {
01241         if (nsec3_rr && 
01242               (ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3 ||
01243                ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3PARAM)
01244             && (ldns_rr_rdf(nsec3_rr, 1) != NULL)
01245             && ldns_rdf_size(ldns_rr_rdf(nsec3_rr, 1)) > 0) {
01246                 return ldns_rdf2native_int8(ldns_rr_rdf(nsec3_rr, 1));
01247         }
01248         return 0;
01249 }
01250 
01251 bool
01252 ldns_nsec3_optout(const ldns_rr *nsec3_rr)
01253 {
01254         return (ldns_nsec3_flags(nsec3_rr) & LDNS_NSEC3_VARS_OPTOUT_MASK);
01255 }
01256 
01257 uint16_t
01258 ldns_nsec3_iterations(const ldns_rr *nsec3_rr)
01259 {
01260         if (nsec3_rr &&
01261               (ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3 ||
01262                ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3PARAM)
01263             && (ldns_rr_rdf(nsec3_rr, 2) != NULL)
01264             && ldns_rdf_size(ldns_rr_rdf(nsec3_rr, 2)) > 0) {
01265                 return ldns_rdf2native_int16(ldns_rr_rdf(nsec3_rr, 2));
01266         }
01267         return 0;
01268         
01269 }
01270 
01271 ldns_rdf *
01272 ldns_nsec3_salt(const ldns_rr *nsec3_rr)
01273 {
01274         if (nsec3_rr && 
01275               (ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3 ||
01276                ldns_rr_get_type(nsec3_rr) == LDNS_RR_TYPE_NSEC3PARAM)
01277             ) {
01278                 return ldns_rr_rdf(nsec3_rr, 3);
01279         }
01280         return NULL;
01281 }
01282 
01283 uint8_t
01284 ldns_nsec3_salt_length(const ldns_rr *nsec3_rr)
01285 {
01286         ldns_rdf *salt_rdf = ldns_nsec3_salt(nsec3_rr);
01287         if (salt_rdf && ldns_rdf_size(salt_rdf) > 0) {
01288                 return (uint8_t) ldns_rdf_data(salt_rdf)[0];
01289         }
01290         return 0;
01291 }
01292 
01293 /* allocs data, free with LDNS_FREE() */
01294 uint8_t *
01295 ldns_nsec3_salt_data(const ldns_rr *nsec3_rr)
01296 {
01297         uint8_t salt_length;
01298         uint8_t *salt;
01299 
01300         ldns_rdf *salt_rdf = ldns_nsec3_salt(nsec3_rr);
01301         if (salt_rdf && ldns_rdf_size(salt_rdf) > 0) {
01302                 salt_length = ldns_rdf_data(salt_rdf)[0];
01303                 salt = LDNS_XMALLOC(uint8_t, salt_length);
01304                 if(!salt) return NULL;
01305                 memcpy(salt, &ldns_rdf_data(salt_rdf)[1], salt_length);
01306                 return salt;
01307         }
01308         return NULL;
01309 }
01310 
01311 ldns_rdf *
01312 ldns_nsec3_next_owner(const ldns_rr *nsec3_rr)
01313 {
01314         if (!nsec3_rr || ldns_rr_get_type(nsec3_rr) != LDNS_RR_TYPE_NSEC3) {
01315                 return NULL;
01316         } else {
01317                 return ldns_rr_rdf(nsec3_rr, 4);
01318         }
01319 }
01320 
01321 ldns_rdf *
01322 ldns_nsec3_bitmap(const ldns_rr *nsec3_rr)
01323 {
01324         if (!nsec3_rr || ldns_rr_get_type(nsec3_rr) != LDNS_RR_TYPE_NSEC3) {
01325                 return NULL;
01326         } else {
01327                 return ldns_rr_rdf(nsec3_rr, 5);
01328         }
01329 }
01330 
01331 ldns_rdf *
01332 ldns_nsec3_hash_name_frm_nsec3(const ldns_rr *nsec, ldns_rdf *name)
01333 {
01334         uint8_t algorithm;
01335         uint16_t iterations;
01336         uint8_t salt_length;
01337         uint8_t *salt = 0;
01338 
01339         ldns_rdf *hashed_owner;
01340 
01341         algorithm = ldns_nsec3_algorithm(nsec);
01342         salt_length = ldns_nsec3_salt_length(nsec);
01343         salt = ldns_nsec3_salt_data(nsec);
01344         iterations = ldns_nsec3_iterations(nsec);
01345 
01346         hashed_owner = ldns_nsec3_hash_name(name,
01347                                                                  algorithm,
01348                                                                  iterations,
01349                                                                  salt_length,
01350                                                                  salt);
01351 
01352         LDNS_FREE(salt);
01353         return hashed_owner;
01354 }
01355 
01356 bool
01357 ldns_nsec_bitmap_covers_type(const  ldns_rdf* bitmap, ldns_rr_type type)
01358 {
01359         uint8_t* dptr;
01360         uint8_t* dend;
01361 
01362         /* From RFC3845 Section 2.1.2:
01363          *
01364          *      "The RR type space is split into 256 window blocks, each re-
01365          *       presenting the low-order 8 bits of the 16-bit RR type space."
01366          */
01367         uint8_t  window = type >> 8;
01368         uint8_t subtype = type & 0xff;
01369 
01370         if (! bitmap) {
01371                 return false;
01372         }
01373         assert(ldns_rdf_get_type(bitmap) == LDNS_RDF_TYPE_BITMAP);
01374 
01375         dptr = ldns_rdf_data(bitmap);
01376         dend = ldns_rdf_data(bitmap) + ldns_rdf_size(bitmap);
01377 
01378         /* Type Bitmap = ( Window Block # | Bitmap Length | Bitmap ) +
01379          *                 dptr[0]          dptr[1]         dptr[2:]
01380          */
01381         while (dptr < dend && dptr[0] <= window) {
01382 
01383                 if (dptr[0] == window && subtype / 8 < dptr[1] &&
01384                                 dptr + dptr[1] + 2 <= dend) {
01385 
01386                         return dptr[2 + subtype / 8] & (0x80 >> (subtype % 8));
01387                 }
01388                 dptr += dptr[1] + 2; /* next window */
01389         }
01390         return false;
01391 }
01392 
01393 ldns_status
01394 ldns_nsec_bitmap_set_type(ldns_rdf* bitmap, ldns_rr_type type)
01395 {
01396         uint8_t* dptr;
01397         uint8_t* dend;
01398 
01399         /* From RFC3845 Section 2.1.2:
01400          *
01401          *      "The RR type space is split into 256 window blocks, each re-
01402          *       presenting the low-order 8 bits of the 16-bit RR type space."
01403          */
01404         uint8_t  window = type >> 8;
01405         uint8_t subtype = type & 0xff;
01406 
01407         if (! bitmap) {
01408                 return false;
01409         }
01410         assert(ldns_rdf_get_type(bitmap) == LDNS_RDF_TYPE_BITMAP);
01411 
01412         dptr = ldns_rdf_data(bitmap);
01413         dend = ldns_rdf_data(bitmap) + ldns_rdf_size(bitmap);
01414 
01415         /* Type Bitmap = ( Window Block # | Bitmap Length | Bitmap ) +
01416          *                 dptr[0]          dptr[1]         dptr[2:]
01417          */
01418         while (dptr < dend && dptr[0] <= window) {
01419 
01420                 if (dptr[0] == window && subtype / 8 < dptr[1] &&
01421                                 dptr + dptr[1] + 2 <= dend) {
01422 
01423                         dptr[2 + subtype / 8] |= (0x80 >> (subtype % 8));
01424                         return LDNS_STATUS_OK;
01425                 }
01426                 dptr += dptr[1] + 2; /* next window */
01427         }
01428         return LDNS_STATUS_TYPE_NOT_IN_BITMAP;
01429 }
01430 
01431 ldns_status
01432 ldns_nsec_bitmap_clear_type(ldns_rdf* bitmap, ldns_rr_type type)
01433 {
01434         uint8_t* dptr;
01435         uint8_t* dend;
01436 
01437         /* From RFC3845 Section 2.1.2:
01438          *
01439          *      "The RR type space is split into 256 window blocks, each re-
01440          *       presenting the low-order 8 bits of the 16-bit RR type space."
01441          */
01442         uint8_t  window = type >> 8;
01443         uint8_t subtype = type & 0xff;
01444 
01445         if (! bitmap) {
01446                 return false;
01447         }
01448 
01449         assert(ldns_rdf_get_type(bitmap) == LDNS_RDF_TYPE_BITMAP);
01450 
01451         dptr = ldns_rdf_data(bitmap);
01452         dend = ldns_rdf_data(bitmap) + ldns_rdf_size(bitmap);
01453 
01454         /* Type Bitmap = ( Window Block # | Bitmap Length | Bitmap ) +
01455          *                 dptr[0]          dptr[1]         dptr[2:]
01456          */
01457         while (dptr < dend && dptr[0] <= window) {
01458 
01459                 if (dptr[0] == window && subtype / 8 < dptr[1] &&
01460                                 dptr + dptr[1] + 2 <= dend) {
01461 
01462                         dptr[2 + subtype / 8] &= ~(0x80 >> (subtype % 8));
01463                         return LDNS_STATUS_OK;
01464                 }
01465                 dptr += dptr[1] + 2; /* next window */
01466         }
01467         return LDNS_STATUS_TYPE_NOT_IN_BITMAP;
01468 }
01469 
01470 
01471 bool
01472 ldns_nsec_covers_name(const ldns_rr *nsec, const ldns_rdf *name)
01473 {
01474         ldns_rdf *nsec_owner = ldns_rr_owner(nsec);
01475         ldns_rdf *hash_next;
01476         char *next_hash_str;
01477         ldns_rdf *nsec_next = NULL;
01478         ldns_status status;
01479         ldns_rdf *chopped_dname;
01480         bool result;
01481 
01482         if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC) {
01483                 if (ldns_rr_rdf(nsec, 0) != NULL) {
01484                         nsec_next = ldns_rdf_clone(ldns_rr_rdf(nsec, 0));
01485                 } else {
01486                         return false;
01487                 }
01488         } else if (ldns_rr_get_type(nsec) == LDNS_RR_TYPE_NSEC3) {
01489                 hash_next = ldns_nsec3_next_owner(nsec);
01490                 next_hash_str = ldns_rdf2str(hash_next);
01491                 nsec_next = ldns_dname_new_frm_str(next_hash_str);
01492                 LDNS_FREE(next_hash_str);
01493                 chopped_dname = ldns_dname_left_chop(nsec_owner);
01494                 status = ldns_dname_cat(nsec_next, chopped_dname);
01495                 ldns_rdf_deep_free(chopped_dname);
01496                 if (status != LDNS_STATUS_OK) {
01497                         printf("error catting: %s\n", ldns_get_errorstr_by_id(status));
01498                 }
01499         } else {
01500                 ldns_rdf_deep_free(nsec_next);
01501                 return false;
01502         }
01503 
01504         /* in the case of the last nsec */
01505         if(ldns_dname_compare(nsec_owner, nsec_next) > 0) {
01506                 result = (ldns_dname_compare(nsec_owner, name) <= 0 ||
01507                                 ldns_dname_compare(name, nsec_next) < 0);
01508         } else if(ldns_dname_compare(nsec_owner, nsec_next) < 0) {
01509                 result = (ldns_dname_compare(nsec_owner, name) <= 0 &&
01510                           ldns_dname_compare(name, nsec_next) < 0);
01511         } else {
01512                 result = true;
01513         }
01514 
01515         ldns_rdf_deep_free(nsec_next);
01516         return result;
01517 }
01518 
01519 #ifdef HAVE_SSL
01520 /* sig may be null - if so look in the packet */
01521 
01522 ldns_status
01523 ldns_pkt_verify_time(ldns_pkt *p, ldns_rr_type t, ldns_rdf *o, 
01524                 ldns_rr_list *k, ldns_rr_list *s, 
01525                 time_t check_time, ldns_rr_list *good_keys)
01526 {
01527         ldns_rr_list *rrset;
01528         ldns_rr_list *sigs;
01529         ldns_rr_list *sigs_covered;
01530         ldns_rdf *rdf_t;
01531         ldns_rr_type t_netorder;
01532 
01533         if (!k) {
01534                 return LDNS_STATUS_ERR;
01535                 /* return LDNS_STATUS_CRYPTO_NO_DNSKEY; */
01536         }
01537 
01538         if (t == LDNS_RR_TYPE_RRSIG) {
01539                 /* we don't have RRSIG(RRSIG) (yet? ;-) ) */
01540                 return LDNS_STATUS_ERR;
01541         }
01542 
01543         if (s) {
01544                 /* if s is not NULL, the sigs are given to use */
01545                 sigs = s;
01546         } else {
01547                 /* otherwise get them from the packet */
01548                 sigs = ldns_pkt_rr_list_by_name_and_type(p, o,
01549                                 LDNS_RR_TYPE_RRSIG,
01550                                 LDNS_SECTION_ANY_NOQUESTION);
01551                 if (!sigs) {
01552                         /* no sigs */
01553                         return LDNS_STATUS_ERR;
01554                         /* return LDNS_STATUS_CRYPTO_NO_RRSIG; */
01555                 }
01556         }
01557 
01558         /* rrsig are subtyped, so now we need to find the correct
01559          * sigs for the type t
01560          */
01561         t_netorder = htons(t); /* rdf are in network order! */
01562         /* a type identifier is a 16-bit number, so the size is 2 bytes */
01563         rdf_t = ldns_rdf_new(LDNS_RDF_TYPE_TYPE, 2, &t_netorder);
01564 
01565         sigs_covered = ldns_rr_list_subtype_by_rdf(sigs, rdf_t, 0);
01566         ldns_rdf_free(rdf_t);
01567         if (! sigs_covered) {
01568                 if (! s) {
01569                         ldns_rr_list_deep_free(sigs);
01570                 }
01571                 return LDNS_STATUS_ERR;
01572         }
01573         ldns_rr_list_deep_free(sigs_covered);
01574 
01575         rrset = ldns_pkt_rr_list_by_name_and_type(p, o, t,
01576                         LDNS_SECTION_ANY_NOQUESTION);
01577         if (!rrset) {
01578                 if (! s) {
01579                         ldns_rr_list_deep_free(sigs);
01580                 }
01581                 return LDNS_STATUS_ERR;
01582         }
01583         return ldns_verify_time(rrset, sigs, k, check_time, good_keys);
01584 }
01585 
01586 ldns_status
01587 ldns_pkt_verify(ldns_pkt *p, ldns_rr_type t, ldns_rdf *o, 
01588                 ldns_rr_list *k, ldns_rr_list *s, ldns_rr_list *good_keys)
01589 {
01590         return ldns_pkt_verify_time(p, t, o, k, s, ldns_time(NULL), good_keys);
01591 }
01592 #endif /* HAVE_SSL */
01593 
01594 ldns_status
01595 ldns_dnssec_chain_nsec3_list(ldns_rr_list *nsec3_rrs)
01596 {
01597         size_t i;
01598         char *next_nsec_owner_str;
01599         ldns_rdf *next_nsec_owner_label;
01600         ldns_rdf *next_nsec_rdf;
01601         ldns_status status = LDNS_STATUS_OK;
01602 
01603         for (i = 0; i < ldns_rr_list_rr_count(nsec3_rrs); i++) {
01604                 if (i == ldns_rr_list_rr_count(nsec3_rrs) - 1) {
01605                         next_nsec_owner_label =
01606                                 ldns_dname_label(ldns_rr_owner(ldns_rr_list_rr(nsec3_rrs,
01607                                                                                                           0)), 0);
01608                         next_nsec_owner_str = ldns_rdf2str(next_nsec_owner_label);
01609                         if (next_nsec_owner_str[strlen(next_nsec_owner_str) - 1]
01610                             == '.') {
01611                                 next_nsec_owner_str[strlen(next_nsec_owner_str) - 1]
01612                                         = '\0';
01613                         }
01614                         status = ldns_str2rdf_b32_ext(&next_nsec_rdf,
01615                                                                         next_nsec_owner_str);
01616                         if (!ldns_rr_set_rdf(ldns_rr_list_rr(nsec3_rrs, i),
01617                                                          next_nsec_rdf, 4)) {
01618                                 /* todo: error */
01619                         }
01620 
01621                         ldns_rdf_deep_free(next_nsec_owner_label);
01622                         LDNS_FREE(next_nsec_owner_str);
01623                 } else {
01624                         next_nsec_owner_label =
01625                                 ldns_dname_label(ldns_rr_owner(ldns_rr_list_rr(nsec3_rrs,
01626                                                                                                           i + 1)),
01627                                                           0);
01628                         next_nsec_owner_str = ldns_rdf2str(next_nsec_owner_label);
01629                         if (next_nsec_owner_str[strlen(next_nsec_owner_str) - 1]
01630                             == '.') {
01631                                 next_nsec_owner_str[strlen(next_nsec_owner_str) - 1]
01632                                         = '\0';
01633                         }
01634                         status = ldns_str2rdf_b32_ext(&next_nsec_rdf,
01635                                                                         next_nsec_owner_str);
01636                         ldns_rdf_deep_free(next_nsec_owner_label);
01637                         LDNS_FREE(next_nsec_owner_str);
01638                         if (!ldns_rr_set_rdf(ldns_rr_list_rr(nsec3_rrs, i),
01639                                                          next_nsec_rdf, 4)) {
01640                                 /* todo: error */
01641                         }
01642                 }
01643         }
01644         return status;
01645 }
01646 
01647 int
01648 qsort_rr_compare_nsec3(const void *a, const void *b)
01649 {
01650         const ldns_rr *rr1 = * (const ldns_rr **) a;
01651         const ldns_rr *rr2 = * (const ldns_rr **) b;
01652         if (rr1 == NULL && rr2 == NULL) {
01653                 return 0;
01654         }
01655         if (rr1 == NULL) {
01656                 return -1;
01657         }
01658         if (rr2 == NULL) {
01659                 return 1;
01660         }
01661         return ldns_rdf_compare(ldns_rr_owner(rr1), ldns_rr_owner(rr2));
01662 }
01663 
01664 void
01665 ldns_rr_list_sort_nsec3(ldns_rr_list *unsorted)
01666 {
01667         qsort(unsorted->_rrs,
01668               ldns_rr_list_rr_count(unsorted),
01669               sizeof(ldns_rr *),
01670               qsort_rr_compare_nsec3);
01671 }
01672 
01673 int
01674 ldns_dnssec_default_add_to_signatures( ATTR_UNUSED(ldns_rr *sig)
01675                                      , ATTR_UNUSED(void *n)
01676                                      )
01677 {
01678         return LDNS_SIGNATURE_LEAVE_ADD_NEW;
01679 }
01680 
01681 int
01682 ldns_dnssec_default_leave_signatures( ATTR_UNUSED(ldns_rr *sig)
01683                                     , ATTR_UNUSED(void *n)
01684                                     )
01685 {
01686         return LDNS_SIGNATURE_LEAVE_NO_ADD;
01687 }
01688 
01689 int
01690 ldns_dnssec_default_delete_signatures( ATTR_UNUSED(ldns_rr *sig)
01691                                      , ATTR_UNUSED(void *n)
01692                                      )
01693 {
01694         return LDNS_SIGNATURE_REMOVE_NO_ADD;
01695 }
01696 
01697 int
01698 ldns_dnssec_default_replace_signatures( ATTR_UNUSED(ldns_rr *sig)
01699                                       , ATTR_UNUSED(void *n)
01700                                       )
01701 {
01702         return LDNS_SIGNATURE_REMOVE_ADD_NEW;
01703 }
01704 
01705 #ifdef HAVE_SSL
01706 ldns_rdf *
01707 ldns_convert_dsa_rrsig_asn12rdf(const ldns_buffer *sig,
01708                                                   const long sig_len)
01709 {
01710         ldns_rdf *sigdata_rdf;
01711         DSA_SIG *dsasig;
01712         unsigned char *dsasig_data = (unsigned char*)ldns_buffer_begin(sig);
01713         size_t byte_offset;
01714 
01715         dsasig = d2i_DSA_SIG(NULL,
01716                                          (const unsigned char **)&dsasig_data,
01717                                          sig_len);
01718         if (!dsasig) {
01719                 DSA_SIG_free(dsasig);
01720                 return NULL;
01721         }
01722 
01723         dsasig_data = LDNS_XMALLOC(unsigned char, 41);
01724         if(!dsasig_data) {
01725                 DSA_SIG_free(dsasig);
01726                 return NULL;
01727         }
01728         dsasig_data[0] = 0;
01729         byte_offset = (size_t) (20 - BN_num_bytes(dsasig->r));
01730         if (byte_offset > 20) {
01731                 DSA_SIG_free(dsasig);
01732                 LDNS_FREE(dsasig_data);
01733                 return NULL;
01734         }
01735         memset(&dsasig_data[1], 0, byte_offset);
01736         BN_bn2bin(dsasig->r, &dsasig_data[1 + byte_offset]);
01737         byte_offset = (size_t) (20 - BN_num_bytes(dsasig->s));
01738         if (byte_offset > 20) {
01739                 DSA_SIG_free(dsasig);
01740                 LDNS_FREE(dsasig_data);
01741                 return NULL;
01742         }
01743         memset(&dsasig_data[21], 0, byte_offset);
01744         BN_bn2bin(dsasig->s, &dsasig_data[21 + byte_offset]);
01745 
01746         sigdata_rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, 41, dsasig_data);
01747         if(!sigdata_rdf) {
01748                 LDNS_FREE(dsasig_data);
01749         }
01750         DSA_SIG_free(dsasig);
01751 
01752         return sigdata_rdf;
01753 }
01754 
01755 ldns_status
01756 ldns_convert_dsa_rrsig_rdf2asn1(ldns_buffer *target_buffer,
01757                                                   const ldns_rdf *sig_rdf)
01758 {
01759         /* the EVP api wants the DER encoding of the signature... */
01760         BIGNUM *R, *S;
01761         DSA_SIG *dsasig;
01762         unsigned char *raw_sig = NULL;
01763         int raw_sig_len;
01764 
01765         if(ldns_rdf_size(sig_rdf) < 1 + 2*SHA_DIGEST_LENGTH)
01766                 return LDNS_STATUS_SYNTAX_RDATA_ERR;
01767         /* extract the R and S field from the sig buffer */
01768         R = BN_new();
01769         if(!R) return LDNS_STATUS_MEM_ERR;
01770         (void) BN_bin2bn((unsigned char *) ldns_rdf_data(sig_rdf) + 1,
01771                          SHA_DIGEST_LENGTH, R);
01772         S = BN_new();
01773         if(!S) {
01774                 BN_free(R);
01775                 return LDNS_STATUS_MEM_ERR;
01776         }
01777         (void) BN_bin2bn((unsigned char *) ldns_rdf_data(sig_rdf) + 21,
01778                          SHA_DIGEST_LENGTH, S);
01779 
01780         dsasig = DSA_SIG_new();
01781         if (!dsasig) {
01782                 BN_free(R);
01783                 BN_free(S);
01784                 return LDNS_STATUS_MEM_ERR;
01785         }
01786 
01787         dsasig->r = R;
01788         dsasig->s = S;
01789 
01790         raw_sig_len = i2d_DSA_SIG(dsasig, &raw_sig);
01791         if (raw_sig_len < 0) {
01792                 DSA_SIG_free(dsasig);
01793                 free(raw_sig);
01794                 return LDNS_STATUS_SSL_ERR;
01795         }
01796         if (ldns_buffer_reserve(target_buffer, (size_t) raw_sig_len)) {
01797                 ldns_buffer_write(target_buffer, raw_sig, (size_t)raw_sig_len);
01798         }
01799 
01800         DSA_SIG_free(dsasig);
01801         free(raw_sig);
01802 
01803         return ldns_buffer_status(target_buffer);
01804 }
01805 
01806 #ifdef USE_ECDSA
01807 #ifndef S_SPLINT_S
01808 ldns_rdf *
01809 ldns_convert_ecdsa_rrsig_asn12rdf(const ldns_buffer *sig, const long sig_len)
01810 {
01811         ECDSA_SIG* ecdsa_sig;
01812         unsigned char *data = (unsigned char*)ldns_buffer_begin(sig);
01813         ldns_rdf* rdf;
01814         ecdsa_sig = d2i_ECDSA_SIG(NULL, (const unsigned char **)&data, sig_len);
01815         if(!ecdsa_sig) return NULL;
01816 
01817         /* "r | s". */
01818         data = LDNS_XMALLOC(unsigned char,
01819                 BN_num_bytes(ecdsa_sig->r) + BN_num_bytes(ecdsa_sig->s));
01820         if(!data) {
01821                 ECDSA_SIG_free(ecdsa_sig);
01822                 return NULL;
01823         }
01824         BN_bn2bin(ecdsa_sig->r, data);
01825         BN_bn2bin(ecdsa_sig->s, data+BN_num_bytes(ecdsa_sig->r));
01826         rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, (size_t)(
01827                 BN_num_bytes(ecdsa_sig->r) + BN_num_bytes(ecdsa_sig->s)), data);
01828         ECDSA_SIG_free(ecdsa_sig);
01829         return rdf;
01830 }
01831 
01832 ldns_status
01833 ldns_convert_ecdsa_rrsig_rdf2asn1(ldns_buffer *target_buffer,
01834         const ldns_rdf *sig_rdf)
01835 {
01836         ECDSA_SIG* sig;
01837         int raw_sig_len;
01838         long bnsize = (long)ldns_rdf_size(sig_rdf) / 2;
01839         /* if too short, or not even length, do not bother */
01840         if(bnsize < 16 || (size_t)bnsize*2 != ldns_rdf_size(sig_rdf))
01841                 return LDNS_STATUS_ERR;
01842         
01843         /* use the raw data to parse two evenly long BIGNUMs, "r | s". */
01844         sig = ECDSA_SIG_new();
01845         if(!sig) return LDNS_STATUS_MEM_ERR;
01846         sig->r = BN_bin2bn((const unsigned char*)ldns_rdf_data(sig_rdf),
01847                 bnsize, sig->r);
01848         sig->s = BN_bin2bn((const unsigned char*)ldns_rdf_data(sig_rdf)+bnsize,
01849                 bnsize, sig->s);
01850         if(!sig->r || !sig->s) {
01851                 ECDSA_SIG_free(sig);
01852                 return LDNS_STATUS_MEM_ERR;
01853         }
01854 
01855         raw_sig_len = i2d_ECDSA_SIG(sig, NULL);
01856         if (ldns_buffer_reserve(target_buffer, (size_t) raw_sig_len)) {
01857                 unsigned char* pp = (unsigned char*)
01858                         ldns_buffer_current(target_buffer);
01859                 raw_sig_len = i2d_ECDSA_SIG(sig, &pp);
01860                 ldns_buffer_skip(target_buffer, (ssize_t) raw_sig_len);
01861         }
01862         ECDSA_SIG_free(sig);
01863 
01864         return ldns_buffer_status(target_buffer);
01865 }
01866 
01867 #endif /* S_SPLINT_S */
01868 #endif /* USE_ECDSA */
01869 #endif /* HAVE_SSL */