1 /*
2 * validator/val_sigcrypt.c - validator signature crypto functions.
3 *
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 *
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35
36 /**
37 * \file
38 *
39 * This file contains helper functions for the validator module.
40 * The functions help with signature verification and checking, the
41 * bridging between RR wireformat data and crypto calls.
42 */
43 #include "config.h"
44 #include "validator/val_sigcrypt.h"
45 #include "validator/val_secalgo.h"
46 #include "validator/validator.h"
47 #include "util/data/msgreply.h"
48 #include "util/data/msgparse.h"
49 #include "util/data/dname.h"
50 #include "util/rbtree.h"
51 #include "util/rfc_1982.h"
52 #include "util/module.h"
53 #include "util/net_help.h"
54 #include "util/regional.h"
55 #include "util/config_file.h"
56 #include "sldns/keyraw.h"
57 #include "sldns/sbuffer.h"
58 #include "sldns/parseutil.h"
59 #include "sldns/wire2str.h"
60
61 #include <ctype.h>
62 #if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
63 #error "Need crypto library to do digital signature cryptography"
64 #endif
65
66 #ifdef HAVE_OPENSSL_ERR_H
67 #include <openssl/err.h>
68 #endif
69
70 #ifdef HAVE_OPENSSL_RAND_H
71 #include <openssl/rand.h>
72 #endif
73
74 #ifdef HAVE_OPENSSL_CONF_H
75 #include <openssl/conf.h>
76 #endif
77
78 #ifdef HAVE_OPENSSL_ENGINE_H
79 #include <openssl/engine.h>
80 #endif
81
82 /** return number of rrs in an rrset */
83 static size_t
rrset_get_count(struct ub_packed_rrset_key * rrset)84 rrset_get_count(struct ub_packed_rrset_key* rrset)
85 {
86 struct packed_rrset_data* d = (struct packed_rrset_data*)
87 rrset->entry.data;
88 if(!d) return 0;
89 return d->count;
90 }
91
92 /**
93 * Get RR signature count
94 */
95 static size_t
rrset_get_sigcount(struct ub_packed_rrset_key * k)96 rrset_get_sigcount(struct ub_packed_rrset_key* k)
97 {
98 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data;
99 return d->rrsig_count;
100 }
101
102 /**
103 * Get signature keytag value
104 * @param k: rrset (with signatures)
105 * @param sig_idx: signature index.
106 * @return keytag or 0 if malformed rrsig.
107 */
108 static uint16_t
rrset_get_sig_keytag(struct ub_packed_rrset_key * k,size_t sig_idx)109 rrset_get_sig_keytag(struct ub_packed_rrset_key* k, size_t sig_idx)
110 {
111 uint16_t t;
112 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data;
113 log_assert(sig_idx < d->rrsig_count);
114 if(d->rr_len[d->count + sig_idx] < 2+18)
115 return 0;
116 memmove(&t, d->rr_data[d->count + sig_idx]+2+16, 2);
117 return ntohs(t);
118 }
119
120 /**
121 * Get signature signing algorithm value
122 * @param k: rrset (with signatures)
123 * @param sig_idx: signature index.
124 * @return algo or 0 if malformed rrsig.
125 */
126 static int
rrset_get_sig_algo(struct ub_packed_rrset_key * k,size_t sig_idx)127 rrset_get_sig_algo(struct ub_packed_rrset_key* k, size_t sig_idx)
128 {
129 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data;
130 log_assert(sig_idx < d->rrsig_count);
131 if(d->rr_len[d->count + sig_idx] < 2+3)
132 return 0;
133 return (int)d->rr_data[d->count + sig_idx][2+2];
134 }
135
136 /** get rdata pointer and size */
137 static void
rrset_get_rdata(struct ub_packed_rrset_key * k,size_t idx,uint8_t ** rdata,size_t * len)138 rrset_get_rdata(struct ub_packed_rrset_key* k, size_t idx, uint8_t** rdata,
139 size_t* len)
140 {
141 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data;
142 log_assert(d && idx < (d->count + d->rrsig_count));
143 *rdata = d->rr_data[idx];
144 *len = d->rr_len[idx];
145 }
146
147 uint16_t
dnskey_get_flags(struct ub_packed_rrset_key * k,size_t idx)148 dnskey_get_flags(struct ub_packed_rrset_key* k, size_t idx)
149 {
150 uint8_t* rdata;
151 size_t len;
152 uint16_t f;
153 rrset_get_rdata(k, idx, &rdata, &len);
154 if(len < 2+2)
155 return 0;
156 memmove(&f, rdata+2, 2);
157 f = ntohs(f);
158 return f;
159 }
160
161 /**
162 * Get DNSKEY protocol value from rdata
163 * @param k: DNSKEY rrset.
164 * @param idx: which key.
165 * @return protocol octet value
166 */
167 static int
dnskey_get_protocol(struct ub_packed_rrset_key * k,size_t idx)168 dnskey_get_protocol(struct ub_packed_rrset_key* k, size_t idx)
169 {
170 uint8_t* rdata;
171 size_t len;
172 rrset_get_rdata(k, idx, &rdata, &len);
173 if(len < 2+4)
174 return 0;
175 return (int)rdata[2+2];
176 }
177
178 int
dnskey_get_algo(struct ub_packed_rrset_key * k,size_t idx)179 dnskey_get_algo(struct ub_packed_rrset_key* k, size_t idx)
180 {
181 uint8_t* rdata;
182 size_t len;
183 rrset_get_rdata(k, idx, &rdata, &len);
184 if(len < 2+4)
185 return 0;
186 return (int)rdata[2+3];
187 }
188
189 /** get public key rdata field from a dnskey RR and do some checks */
190 static void
dnskey_get_pubkey(struct ub_packed_rrset_key * k,size_t idx,unsigned char ** pk,unsigned int * pklen)191 dnskey_get_pubkey(struct ub_packed_rrset_key* k, size_t idx,
192 unsigned char** pk, unsigned int* pklen)
193 {
194 uint8_t* rdata;
195 size_t len;
196 rrset_get_rdata(k, idx, &rdata, &len);
197 if(len < 2+5) {
198 *pk = NULL;
199 *pklen = 0;
200 return;
201 }
202 *pk = (unsigned char*)rdata+2+4;
203 *pklen = (unsigned)len-2-4;
204 }
205
206 int
ds_get_key_algo(struct ub_packed_rrset_key * k,size_t idx)207 ds_get_key_algo(struct ub_packed_rrset_key* k, size_t idx)
208 {
209 uint8_t* rdata;
210 size_t len;
211 rrset_get_rdata(k, idx, &rdata, &len);
212 if(len < 2+3)
213 return 0;
214 return (int)rdata[2+2];
215 }
216
217 int
ds_get_digest_algo(struct ub_packed_rrset_key * k,size_t idx)218 ds_get_digest_algo(struct ub_packed_rrset_key* k, size_t idx)
219 {
220 uint8_t* rdata;
221 size_t len;
222 rrset_get_rdata(k, idx, &rdata, &len);
223 if(len < 2+4)
224 return 0;
225 return (int)rdata[2+3];
226 }
227
228 uint16_t
ds_get_keytag(struct ub_packed_rrset_key * ds_rrset,size_t ds_idx)229 ds_get_keytag(struct ub_packed_rrset_key* ds_rrset, size_t ds_idx)
230 {
231 uint16_t t;
232 uint8_t* rdata;
233 size_t len;
234 rrset_get_rdata(ds_rrset, ds_idx, &rdata, &len);
235 if(len < 2+2)
236 return 0;
237 memmove(&t, rdata+2, 2);
238 return ntohs(t);
239 }
240
241 /**
242 * Return pointer to the digest in a DS RR.
243 * @param k: DS rrset.
244 * @param idx: which DS.
245 * @param digest: digest data is returned.
246 * on error, this is NULL.
247 * @param len: length of digest is returned.
248 * on error, the length is 0.
249 */
250 static void
ds_get_sigdata(struct ub_packed_rrset_key * k,size_t idx,uint8_t ** digest,size_t * len)251 ds_get_sigdata(struct ub_packed_rrset_key* k, size_t idx, uint8_t** digest,
252 size_t* len)
253 {
254 uint8_t* rdata;
255 size_t rdlen;
256 rrset_get_rdata(k, idx, &rdata, &rdlen);
257 if(rdlen < 2+5) {
258 *digest = NULL;
259 *len = 0;
260 return;
261 }
262 *digest = rdata + 2 + 4;
263 *len = rdlen - 2 - 4;
264 }
265
266 /**
267 * Return size of DS digest according to its hash algorithm.
268 * @param k: DS rrset.
269 * @param idx: which DS.
270 * @return size in bytes of digest, or 0 if not supported.
271 */
272 static size_t
ds_digest_size_algo(struct ub_packed_rrset_key * k,size_t idx)273 ds_digest_size_algo(struct ub_packed_rrset_key* k, size_t idx)
274 {
275 return ds_digest_size_supported(ds_get_digest_algo(k, idx));
276 }
277
278 /**
279 * Create a DS digest for a DNSKEY entry.
280 *
281 * @param env: module environment. Uses scratch space.
282 * @param dnskey_rrset: DNSKEY rrset.
283 * @param dnskey_idx: index of RR in rrset.
284 * @param ds_rrset: DS rrset
285 * @param ds_idx: index of RR in DS rrset.
286 * @param digest: digest is returned in here (must be correctly sized).
287 * @return false on error.
288 */
289 static int
ds_create_dnskey_digest(struct module_env * env,struct ub_packed_rrset_key * dnskey_rrset,size_t dnskey_idx,struct ub_packed_rrset_key * ds_rrset,size_t ds_idx,uint8_t * digest)290 ds_create_dnskey_digest(struct module_env* env,
291 struct ub_packed_rrset_key* dnskey_rrset, size_t dnskey_idx,
292 struct ub_packed_rrset_key* ds_rrset, size_t ds_idx,
293 uint8_t* digest)
294 {
295 sldns_buffer* b = env->scratch_buffer;
296 uint8_t* dnskey_rdata;
297 size_t dnskey_len;
298 rrset_get_rdata(dnskey_rrset, dnskey_idx, &dnskey_rdata, &dnskey_len);
299
300 /* create digest source material in buffer
301 * digest = digest_algorithm( DNSKEY owner name | DNSKEY RDATA);
302 * DNSKEY RDATA = Flags | Protocol | Algorithm | Public Key. */
303 sldns_buffer_clear(b);
304 sldns_buffer_write(b, dnskey_rrset->rk.dname,
305 dnskey_rrset->rk.dname_len);
306 query_dname_tolower(sldns_buffer_begin(b));
307 sldns_buffer_write(b, dnskey_rdata+2, dnskey_len-2); /* skip rdatalen*/
308 sldns_buffer_flip(b);
309
310 return secalgo_ds_digest(ds_get_digest_algo(ds_rrset, ds_idx),
311 (unsigned char*)sldns_buffer_begin(b), sldns_buffer_limit(b),
312 (unsigned char*)digest);
313 }
314
ds_digest_match_dnskey(struct module_env * env,struct ub_packed_rrset_key * dnskey_rrset,size_t dnskey_idx,struct ub_packed_rrset_key * ds_rrset,size_t ds_idx)315 int ds_digest_match_dnskey(struct module_env* env,
316 struct ub_packed_rrset_key* dnskey_rrset, size_t dnskey_idx,
317 struct ub_packed_rrset_key* ds_rrset, size_t ds_idx)
318 {
319 uint8_t* ds; /* DS digest */
320 size_t dslen;
321 uint8_t* digest; /* generated digest */
322 size_t digestlen = ds_digest_size_algo(ds_rrset, ds_idx);
323
324 if(digestlen == 0) {
325 verbose(VERB_QUERY, "DS fail: not supported, or DS RR "
326 "format error");
327 return 0; /* not supported, or DS RR format error */
328 }
329 #ifndef USE_SHA1
330 if(fake_sha1 && ds_get_digest_algo(ds_rrset, ds_idx)==LDNS_SHA1)
331 return 1;
332 #endif
333
334 /* check digest length in DS with length from hash function */
335 ds_get_sigdata(ds_rrset, ds_idx, &ds, &dslen);
336 if(!ds || dslen != digestlen) {
337 verbose(VERB_QUERY, "DS fail: DS RR algo and digest do not "
338 "match each other");
339 return 0; /* DS algorithm and digest do not match */
340 }
341
342 digest = regional_alloc(env->scratch, digestlen);
343 if(!digest) {
344 verbose(VERB_QUERY, "DS fail: out of memory");
345 return 0; /* mem error */
346 }
347 if(!ds_create_dnskey_digest(env, dnskey_rrset, dnskey_idx, ds_rrset,
348 ds_idx, digest)) {
349 verbose(VERB_QUERY, "DS fail: could not calc key digest");
350 return 0; /* digest algo failed */
351 }
352 if(memcmp(digest, ds, dslen) != 0) {
353 verbose(VERB_QUERY, "DS fail: digest is different");
354 return 0; /* digest different */
355 }
356 return 1;
357 }
358
359 int
ds_digest_algo_is_supported(struct ub_packed_rrset_key * ds_rrset,size_t ds_idx)360 ds_digest_algo_is_supported(struct ub_packed_rrset_key* ds_rrset,
361 size_t ds_idx)
362 {
363 return (ds_digest_size_algo(ds_rrset, ds_idx) != 0);
364 }
365
366 int
ds_key_algo_is_supported(struct ub_packed_rrset_key * ds_rrset,size_t ds_idx)367 ds_key_algo_is_supported(struct ub_packed_rrset_key* ds_rrset,
368 size_t ds_idx)
369 {
370 return dnskey_algo_id_is_supported(ds_get_key_algo(ds_rrset, ds_idx));
371 }
372
373 uint16_t
dnskey_calc_keytag(struct ub_packed_rrset_key * dnskey_rrset,size_t dnskey_idx)374 dnskey_calc_keytag(struct ub_packed_rrset_key* dnskey_rrset, size_t dnskey_idx)
375 {
376 uint8_t* data;
377 size_t len;
378 rrset_get_rdata(dnskey_rrset, dnskey_idx, &data, &len);
379 /* do not pass rdatalen to ldns */
380 return sldns_calc_keytag_raw(data+2, len-2);
381 }
382
dnskey_algo_is_supported(struct ub_packed_rrset_key * dnskey_rrset,size_t dnskey_idx)383 int dnskey_algo_is_supported(struct ub_packed_rrset_key* dnskey_rrset,
384 size_t dnskey_idx)
385 {
386 return dnskey_algo_id_is_supported(dnskey_get_algo(dnskey_rrset,
387 dnskey_idx));
388 }
389
dnskey_size_is_supported(struct ub_packed_rrset_key * dnskey_rrset,size_t dnskey_idx)390 int dnskey_size_is_supported(struct ub_packed_rrset_key* dnskey_rrset,
391 size_t dnskey_idx)
392 {
393 #ifdef DEPRECATE_RSA_1024
394 uint8_t* rdata;
395 size_t len;
396 int alg = dnskey_get_algo(dnskey_rrset, dnskey_idx);
397 size_t keysize;
398
399 rrset_get_rdata(dnskey_rrset, dnskey_idx, &rdata, &len);
400 if(len < 2+4)
401 return 0;
402 keysize = sldns_rr_dnskey_key_size_raw(rdata+2+4, len-2-4, alg);
403
404 switch((sldns_algorithm)alg) {
405 case LDNS_RSAMD5:
406 case LDNS_RSASHA1:
407 case LDNS_RSASHA1_NSEC3:
408 case LDNS_RSASHA256:
409 case LDNS_RSASHA512:
410 /* reject RSA keys of 1024 bits and shorter */
411 if(keysize <= 1024)
412 return 0;
413 break;
414 default:
415 break;
416 }
417 #else
418 (void)dnskey_rrset; (void)dnskey_idx;
419 #endif /* DEPRECATE_RSA_1024 */
420 return 1;
421 }
422
dnskeyset_size_is_supported(struct ub_packed_rrset_key * dnskey_rrset)423 int dnskeyset_size_is_supported(struct ub_packed_rrset_key* dnskey_rrset)
424 {
425 size_t i, num = rrset_get_count(dnskey_rrset);
426 for(i=0; i<num; i++) {
427 if(!dnskey_size_is_supported(dnskey_rrset, i))
428 return 0;
429 }
430 return 1;
431 }
432
algo_needs_init_dnskey_add(struct algo_needs * n,struct ub_packed_rrset_key * dnskey,uint8_t * sigalg)433 void algo_needs_init_dnskey_add(struct algo_needs* n,
434 struct ub_packed_rrset_key* dnskey, uint8_t* sigalg)
435 {
436 uint8_t algo;
437 size_t i, total = n->num;
438 size_t num = rrset_get_count(dnskey);
439
440 for(i=0; i<num; i++) {
441 algo = (uint8_t)dnskey_get_algo(dnskey, i);
442 if(!dnskey_algo_id_is_supported((int)algo))
443 continue;
444 if(n->needs[algo] == 0) {
445 n->needs[algo] = 1;
446 sigalg[total] = algo;
447 total++;
448 }
449 }
450 sigalg[total] = 0;
451 n->num = total;
452 }
453
algo_needs_init_list(struct algo_needs * n,uint8_t * sigalg)454 void algo_needs_init_list(struct algo_needs* n, uint8_t* sigalg)
455 {
456 uint8_t algo;
457 size_t total = 0;
458
459 memset(n->needs, 0, sizeof(uint8_t)*ALGO_NEEDS_MAX);
460 while( (algo=*sigalg++) != 0) {
461 log_assert(dnskey_algo_id_is_supported((int)algo));
462 log_assert(n->needs[algo] == 0);
463 n->needs[algo] = 1;
464 total++;
465 }
466 n->num = total;
467 }
468
algo_needs_init_ds(struct algo_needs * n,struct ub_packed_rrset_key * ds,int fav_ds_algo,uint8_t * sigalg)469 void algo_needs_init_ds(struct algo_needs* n, struct ub_packed_rrset_key* ds,
470 int fav_ds_algo, uint8_t* sigalg)
471 {
472 uint8_t algo;
473 size_t i, total = 0;
474 size_t num = rrset_get_count(ds);
475
476 memset(n->needs, 0, sizeof(uint8_t)*ALGO_NEEDS_MAX);
477 for(i=0; i<num; i++) {
478 if(ds_get_digest_algo(ds, i) != fav_ds_algo)
479 continue;
480 algo = (uint8_t)ds_get_key_algo(ds, i);
481 if(!dnskey_algo_id_is_supported((int)algo))
482 continue;
483 log_assert(algo != 0); /* we do not support 0 and is EOS */
484 if(n->needs[algo] == 0) {
485 n->needs[algo] = 1;
486 sigalg[total] = algo;
487 total++;
488 }
489 }
490 sigalg[total] = 0;
491 n->num = total;
492 }
493
algo_needs_set_secure(struct algo_needs * n,uint8_t algo)494 int algo_needs_set_secure(struct algo_needs* n, uint8_t algo)
495 {
496 if(n->needs[algo]) {
497 n->needs[algo] = 0;
498 n->num --;
499 if(n->num == 0) /* done! */
500 return 1;
501 }
502 return 0;
503 }
504
algo_needs_set_bogus(struct algo_needs * n,uint8_t algo)505 void algo_needs_set_bogus(struct algo_needs* n, uint8_t algo)
506 {
507 if(n->needs[algo]) n->needs[algo] = 2; /* need it, but bogus */
508 }
509
algo_needs_num_missing(struct algo_needs * n)510 size_t algo_needs_num_missing(struct algo_needs* n)
511 {
512 return n->num;
513 }
514
algo_needs_missing(struct algo_needs * n)515 int algo_needs_missing(struct algo_needs* n)
516 {
517 int i, miss = -1;
518 /* check if a needed algo was bogus - report that;
519 * check the first missing algo - report that;
520 * or return 0 */
521 for(i=0; i<ALGO_NEEDS_MAX; i++) {
522 if(n->needs[i] == 2)
523 return 0;
524 if(n->needs[i] == 1 && miss == -1)
525 miss = i;
526 }
527 if(miss != -1) return miss;
528 return 0;
529 }
530
531 /**
532 * verify rrset, with dnskey rrset, for a specific rrsig in rrset
533 * @param env: module environment, scratch space is used.
534 * @param ve: validator environment, date settings.
535 * @param now: current time for validation (can be overridden).
536 * @param rrset: to be validated.
537 * @param dnskey: DNSKEY rrset, keyset to try.
538 * @param sig_idx: which signature to try to validate.
539 * @param sortree: reused sorted order. Stored in region. Pass NULL at start,
540 * and for a new rrset.
541 * @param reason: if bogus, a string returned, fixed or alloced in scratch.
542 * @param reason_bogus: EDE (RFC8914) code paired with the reason of failure.
543 * @param section: section of packet where this rrset comes from.
544 * @param qstate: qstate with region.
545 * @return secure if any key signs *this* signature. bogus if no key signs it,
546 * unchecked on error, or indeterminate if all keys are not supported by
547 * the crypto library (openssl3+ only).
548 */
549 static enum sec_status
dnskeyset_verify_rrset_sig(struct module_env * env,struct val_env * ve,time_t now,struct ub_packed_rrset_key * rrset,struct ub_packed_rrset_key * dnskey,size_t sig_idx,struct rbtree_type ** sortree,char ** reason,sldns_ede_code * reason_bogus,sldns_pkt_section section,struct module_qstate * qstate)550 dnskeyset_verify_rrset_sig(struct module_env* env, struct val_env* ve,
551 time_t now, struct ub_packed_rrset_key* rrset,
552 struct ub_packed_rrset_key* dnskey, size_t sig_idx,
553 struct rbtree_type** sortree,
554 char** reason, sldns_ede_code *reason_bogus,
555 sldns_pkt_section section, struct module_qstate* qstate)
556 {
557 /* find matching keys and check them */
558 enum sec_status sec = sec_status_bogus;
559 uint16_t tag = rrset_get_sig_keytag(rrset, sig_idx);
560 int algo = rrset_get_sig_algo(rrset, sig_idx);
561 size_t i, num = rrset_get_count(dnskey);
562 size_t numchecked = 0;
563 size_t numindeterminate = 0;
564 int buf_canon = 0;
565 verbose(VERB_ALGO, "verify sig %d %d", (int)tag, algo);
566 if(!dnskey_algo_id_is_supported(algo)) {
567 if(reason_bogus)
568 *reason_bogus = LDNS_EDE_UNSUPPORTED_DNSKEY_ALG;
569 verbose(VERB_QUERY, "verify sig: unknown algorithm");
570 return sec_status_insecure;
571 }
572
573 for(i=0; i<num; i++) {
574 /* see if key matches keytag and algo */
575 if(algo != dnskey_get_algo(dnskey, i) ||
576 tag != dnskey_calc_keytag(dnskey, i))
577 continue;
578 numchecked ++;
579
580 /* see if key verifies */
581 sec = dnskey_verify_rrset_sig(env->scratch,
582 env->scratch_buffer, ve, now, rrset, dnskey, i,
583 sig_idx, sortree, &buf_canon, reason, reason_bogus,
584 section, qstate);
585 if(sec == sec_status_secure)
586 return sec;
587 else if(sec == sec_status_indeterminate)
588 numindeterminate ++;
589 }
590 if(numchecked == 0) {
591 *reason = "signatures from unknown keys";
592 if(reason_bogus)
593 *reason_bogus = LDNS_EDE_DNSKEY_MISSING;
594 verbose(VERB_QUERY, "verify: could not find appropriate key");
595 return sec_status_bogus;
596 }
597 if(numindeterminate == numchecked) {
598 *reason = "unsupported algorithm by crypto library";
599 if(reason_bogus)
600 *reason_bogus = LDNS_EDE_UNSUPPORTED_DNSKEY_ALG;
601 verbose(VERB_ALGO, "verify sig: unsupported algorithm by "
602 "crypto library");
603 return sec_status_indeterminate;
604 }
605 return sec_status_bogus;
606 }
607
608 enum sec_status
dnskeyset_verify_rrset(struct module_env * env,struct val_env * ve,struct ub_packed_rrset_key * rrset,struct ub_packed_rrset_key * dnskey,uint8_t * sigalg,char ** reason,sldns_ede_code * reason_bogus,sldns_pkt_section section,struct module_qstate * qstate)609 dnskeyset_verify_rrset(struct module_env* env, struct val_env* ve,
610 struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey,
611 uint8_t* sigalg, char** reason, sldns_ede_code *reason_bogus,
612 sldns_pkt_section section, struct module_qstate* qstate)
613 {
614 enum sec_status sec;
615 size_t i, num;
616 rbtree_type* sortree = NULL;
617 /* make sure that for all DNSKEY algorithms there are valid sigs */
618 struct algo_needs needs;
619 int alg;
620
621 num = rrset_get_sigcount(rrset);
622 if(num == 0) {
623 verbose(VERB_QUERY, "rrset failed to verify due to a lack of "
624 "signatures");
625 *reason = "no signatures";
626 if(reason_bogus)
627 *reason_bogus = LDNS_EDE_RRSIGS_MISSING;
628 return sec_status_bogus;
629 }
630
631 if(sigalg) {
632 algo_needs_init_list(&needs, sigalg);
633 if(algo_needs_num_missing(&needs) == 0) {
634 verbose(VERB_QUERY, "zone has no known algorithms");
635 *reason = "zone has no known algorithms";
636 if(reason_bogus)
637 *reason_bogus = LDNS_EDE_UNSUPPORTED_DNSKEY_ALG;
638 return sec_status_insecure;
639 }
640 }
641 for(i=0; i<num; i++) {
642 sec = dnskeyset_verify_rrset_sig(env, ve, *env->now, rrset,
643 dnskey, i, &sortree, reason, reason_bogus,
644 section, qstate);
645 /* see which algorithm has been fixed up */
646 if(sec == sec_status_secure) {
647 if(!sigalg)
648 return sec; /* done! */
649 else if(algo_needs_set_secure(&needs,
650 (uint8_t)rrset_get_sig_algo(rrset, i)))
651 return sec; /* done! */
652 } else if(sigalg && sec == sec_status_bogus) {
653 algo_needs_set_bogus(&needs,
654 (uint8_t)rrset_get_sig_algo(rrset, i));
655 }
656 }
657 if(sigalg && (alg=algo_needs_missing(&needs)) != 0) {
658 verbose(VERB_ALGO, "rrset failed to verify: "
659 "no valid signatures for %d algorithms",
660 (int)algo_needs_num_missing(&needs));
661 algo_needs_reason(env, alg, reason, "no signatures");
662 } else {
663 verbose(VERB_ALGO, "rrset failed to verify: "
664 "no valid signatures");
665 }
666 return sec_status_bogus;
667 }
668
algo_needs_reason(struct module_env * env,int alg,char ** reason,char * s)669 void algo_needs_reason(struct module_env* env, int alg, char** reason, char* s)
670 {
671 char buf[256];
672 sldns_lookup_table *t = sldns_lookup_by_id(sldns_algorithms, alg);
673 if(t&&t->name)
674 snprintf(buf, sizeof(buf), "%s with algorithm %s", s, t->name);
675 else snprintf(buf, sizeof(buf), "%s with algorithm ALG%u", s,
676 (unsigned)alg);
677 *reason = regional_strdup(env->scratch, buf);
678 if(!*reason)
679 *reason = s;
680 }
681
682 enum sec_status
dnskey_verify_rrset(struct module_env * env,struct val_env * ve,struct ub_packed_rrset_key * rrset,struct ub_packed_rrset_key * dnskey,size_t dnskey_idx,char ** reason,sldns_ede_code * reason_bogus,sldns_pkt_section section,struct module_qstate * qstate)683 dnskey_verify_rrset(struct module_env* env, struct val_env* ve,
684 struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey,
685 size_t dnskey_idx, char** reason, sldns_ede_code *reason_bogus,
686 sldns_pkt_section section, struct module_qstate* qstate)
687 {
688 enum sec_status sec;
689 size_t i, num, numchecked = 0, numindeterminate = 0;
690 rbtree_type* sortree = NULL;
691 int buf_canon = 0;
692 uint16_t tag = dnskey_calc_keytag(dnskey, dnskey_idx);
693 int algo = dnskey_get_algo(dnskey, dnskey_idx);
694
695 num = rrset_get_sigcount(rrset);
696 if(num == 0) {
697 verbose(VERB_QUERY, "rrset failed to verify due to a lack of "
698 "signatures");
699 *reason = "no signatures";
700 if(reason_bogus)
701 *reason_bogus = LDNS_EDE_RRSIGS_MISSING;
702 return sec_status_bogus;
703 }
704 for(i=0; i<num; i++) {
705 /* see if sig matches keytag and algo */
706 if(algo != rrset_get_sig_algo(rrset, i) ||
707 tag != rrset_get_sig_keytag(rrset, i))
708 continue;
709 buf_canon = 0;
710 sec = dnskey_verify_rrset_sig(env->scratch,
711 env->scratch_buffer, ve, *env->now, rrset,
712 dnskey, dnskey_idx, i, &sortree, &buf_canon, reason,
713 reason_bogus, section, qstate);
714 if(sec == sec_status_secure)
715 return sec;
716 numchecked ++;
717 if(sec == sec_status_indeterminate)
718 numindeterminate ++;
719 }
720 verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus");
721 if(!numchecked) {
722 *reason = "signature for expected key and algorithm missing";
723 if(reason_bogus)
724 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
725 } else if(numchecked == numindeterminate) {
726 verbose(VERB_ALGO, "rrset failed to verify due to algorithm "
727 "refusal by cryptolib");
728 if(reason_bogus)
729 *reason_bogus = LDNS_EDE_UNSUPPORTED_DNSKEY_ALG;
730 *reason = "algorithm refused by cryptolib";
731 return sec_status_indeterminate;
732 }
733 return sec_status_bogus;
734 }
735
736 /**
737 * RR entries in a canonical sorted tree of RRs
738 */
739 struct canon_rr {
740 /** rbtree node, key is this structure */
741 rbnode_type node;
742 /** rrset the RR is in */
743 struct ub_packed_rrset_key* rrset;
744 /** which RR in the rrset */
745 size_t rr_idx;
746 };
747
748 /**
749 * Compare two RR for canonical order, in a field-style sweep.
750 * @param d: rrset data
751 * @param desc: ldns wireformat descriptor.
752 * @param i: first RR to compare
753 * @param j: first RR to compare
754 * @return comparison code.
755 */
756 static int
canonical_compare_byfield(struct packed_rrset_data * d,const sldns_rr_descriptor * desc,size_t i,size_t j)757 canonical_compare_byfield(struct packed_rrset_data* d,
758 const sldns_rr_descriptor* desc, size_t i, size_t j)
759 {
760 /* sweep across rdata, keep track of some state:
761 * which rr field, and bytes left in field.
762 * current position in rdata, length left.
763 * are we in a dname, length left in a label.
764 */
765 int wfi = -1; /* current wireformat rdata field (rdf) */
766 int wfj = -1;
767 uint8_t* di = d->rr_data[i]+2; /* ptr to current rdata byte */
768 uint8_t* dj = d->rr_data[j]+2;
769 size_t ilen = d->rr_len[i]-2; /* length left in rdata */
770 size_t jlen = d->rr_len[j]-2;
771 int dname_i = 0; /* true if these bytes are part of a name */
772 int dname_j = 0;
773 size_t lablen_i = 0; /* 0 for label length byte,for first byte of rdf*/
774 size_t lablen_j = 0; /* otherwise remaining length of rdf or label */
775 int dname_num_i = (int)desc->_dname_count; /* decreased at root label */
776 int dname_num_j = (int)desc->_dname_count;
777
778 /* loop while there are rdata bytes available for both rrs,
779 * and still some lowercasing needs to be done; either the dnames
780 * have not been reached yet, or they are currently being processed */
781 while(ilen > 0 && jlen > 0 && (dname_num_i > 0 || dname_num_j > 0)) {
782 /* compare these two bytes */
783 /* lowercase if in a dname and not a label length byte */
784 if( ((dname_i && lablen_i)?(uint8_t)tolower((int)*di):*di)
785 != ((dname_j && lablen_j)?(uint8_t)tolower((int)*dj):*dj)
786 ) {
787 if(((dname_i && lablen_i)?(uint8_t)tolower((int)*di):*di)
788 < ((dname_j && lablen_j)?(uint8_t)tolower((int)*dj):*dj))
789 return -1;
790 return 1;
791 }
792 ilen--;
793 jlen--;
794 /* bytes are equal */
795
796 /* advance field i */
797 /* lablen 0 means that this byte is the first byte of the
798 * next rdata field; inspect this rdata field and setup
799 * to process the rest of this rdata field.
800 * The reason to first read the byte, then setup the rdf,
801 * is that we are then sure the byte is available and short
802 * rdata is handled gracefully (even if it is a formerr). */
803 if(lablen_i == 0) {
804 if(dname_i) {
805 /* scan this dname label */
806 /* capture length to lowercase */
807 lablen_i = (size_t)*di;
808 if(lablen_i == 0) {
809 /* end root label */
810 dname_i = 0;
811 dname_num_i--;
812 /* if dname num is 0, then the
813 * remainder is binary only */
814 if(dname_num_i == 0)
815 lablen_i = ilen;
816 }
817 } else {
818 /* scan this rdata field */
819 wfi++;
820 if(desc->_wireformat[wfi]
821 == LDNS_RDF_TYPE_DNAME) {
822 dname_i = 1;
823 lablen_i = (size_t)*di;
824 if(lablen_i == 0) {
825 dname_i = 0;
826 dname_num_i--;
827 if(dname_num_i == 0)
828 lablen_i = ilen;
829 }
830 } else if(desc->_wireformat[wfi]
831 == LDNS_RDF_TYPE_STR)
832 lablen_i = (size_t)*di;
833 else lablen_i = get_rdf_size(
834 desc->_wireformat[wfi]) - 1;
835 }
836 } else lablen_i--;
837
838 /* advance field j; same as for i */
839 if(lablen_j == 0) {
840 if(dname_j) {
841 lablen_j = (size_t)*dj;
842 if(lablen_j == 0) {
843 dname_j = 0;
844 dname_num_j--;
845 if(dname_num_j == 0)
846 lablen_j = jlen;
847 }
848 } else {
849 wfj++;
850 if(desc->_wireformat[wfj]
851 == LDNS_RDF_TYPE_DNAME) {
852 dname_j = 1;
853 lablen_j = (size_t)*dj;
854 if(lablen_j == 0) {
855 dname_j = 0;
856 dname_num_j--;
857 if(dname_num_j == 0)
858 lablen_j = jlen;
859 }
860 } else if(desc->_wireformat[wfj]
861 == LDNS_RDF_TYPE_STR)
862 lablen_j = (size_t)*dj;
863 else lablen_j = get_rdf_size(
864 desc->_wireformat[wfj]) - 1;
865 }
866 } else lablen_j--;
867 di++;
868 dj++;
869 }
870 /* end of the loop; because we advanced byte by byte; now we have
871 * that the rdata has ended, or that there is a binary remainder */
872 /* shortest first */
873 if(ilen == 0 && jlen == 0)
874 return 0;
875 if(ilen == 0)
876 return -1;
877 if(jlen == 0)
878 return 1;
879 /* binary remainder, capture comparison in wfi variable */
880 if((wfi = memcmp(di, dj, (ilen<jlen)?ilen:jlen)) != 0)
881 return wfi;
882 if(ilen < jlen)
883 return -1;
884 if(jlen < ilen)
885 return 1;
886 return 0;
887 }
888
889 /**
890 * Compare two RRs in the same RRset and determine their relative
891 * canonical order.
892 * @param rrset: the rrset in which to perform compares.
893 * @param i: first RR to compare
894 * @param j: first RR to compare
895 * @return 0 if RR i== RR j, -1 if <, +1 if >.
896 */
897 static int
canonical_compare(struct ub_packed_rrset_key * rrset,size_t i,size_t j)898 canonical_compare(struct ub_packed_rrset_key* rrset, size_t i, size_t j)
899 {
900 struct packed_rrset_data* d = (struct packed_rrset_data*)
901 rrset->entry.data;
902 const sldns_rr_descriptor* desc;
903 uint16_t type = ntohs(rrset->rk.type);
904 size_t minlen;
905 int c;
906
907 if(i==j)
908 return 0;
909
910 switch(type) {
911 /* These RR types have only a name as RDATA.
912 * This name has to be canonicalized.*/
913 case LDNS_RR_TYPE_NS:
914 case LDNS_RR_TYPE_MD:
915 case LDNS_RR_TYPE_MF:
916 case LDNS_RR_TYPE_CNAME:
917 case LDNS_RR_TYPE_MB:
918 case LDNS_RR_TYPE_MG:
919 case LDNS_RR_TYPE_MR:
920 case LDNS_RR_TYPE_PTR:
921 case LDNS_RR_TYPE_DNAME:
922 /* the wireread function has already checked these
923 * dname's for correctness, and this double checks */
924 if(!dname_valid(d->rr_data[i]+2, d->rr_len[i]-2) ||
925 !dname_valid(d->rr_data[j]+2, d->rr_len[j]-2))
926 return 0;
927 return query_dname_compare(d->rr_data[i]+2,
928 d->rr_data[j]+2);
929
930 /* These RR types have STR and fixed size rdata fields
931 * before one or more name fields that need canonicalizing,
932 * and after that a byte-for byte remainder can be compared.
933 */
934 /* type starts with the name; remainder is binary compared */
935 case LDNS_RR_TYPE_NXT:
936 /* use rdata field formats */
937 case LDNS_RR_TYPE_MINFO:
938 case LDNS_RR_TYPE_RP:
939 case LDNS_RR_TYPE_SOA:
940 case LDNS_RR_TYPE_RT:
941 case LDNS_RR_TYPE_AFSDB:
942 case LDNS_RR_TYPE_KX:
943 case LDNS_RR_TYPE_MX:
944 case LDNS_RR_TYPE_SIG:
945 /* RRSIG signer name has to be downcased */
946 case LDNS_RR_TYPE_RRSIG:
947 case LDNS_RR_TYPE_PX:
948 case LDNS_RR_TYPE_NAPTR:
949 case LDNS_RR_TYPE_SRV:
950 desc = sldns_rr_descript(type);
951 log_assert(desc);
952 /* this holds for the types that need canonicalizing */
953 log_assert(desc->_minimum == desc->_maximum);
954 return canonical_compare_byfield(d, desc, i, j);
955
956 case LDNS_RR_TYPE_HINFO: /* no longer downcased */
957 case LDNS_RR_TYPE_NSEC:
958 default:
959 /* For unknown RR types, or types not listed above,
960 * no canonicalization is needed, do binary compare */
961 /* byte for byte compare, equal means shortest first*/
962 minlen = d->rr_len[i]-2;
963 if(minlen > d->rr_len[j]-2)
964 minlen = d->rr_len[j]-2;
965 c = memcmp(d->rr_data[i]+2, d->rr_data[j]+2, minlen);
966 if(c!=0)
967 return c;
968 /* rdata equal, shortest is first */
969 if(d->rr_len[i] < d->rr_len[j])
970 return -1;
971 if(d->rr_len[i] > d->rr_len[j])
972 return 1;
973 /* rdata equal, length equal */
974 break;
975 }
976 return 0;
977 }
978
979 int
canonical_tree_compare(const void * k1,const void * k2)980 canonical_tree_compare(const void* k1, const void* k2)
981 {
982 struct canon_rr* r1 = (struct canon_rr*)k1;
983 struct canon_rr* r2 = (struct canon_rr*)k2;
984 log_assert(r1->rrset == r2->rrset);
985 return canonical_compare(r1->rrset, r1->rr_idx, r2->rr_idx);
986 }
987
988 /**
989 * Sort RRs for rrset in canonical order.
990 * Does not actually canonicalize the RR rdatas.
991 * Does not touch rrsigs.
992 * @param rrset: to sort.
993 * @param d: rrset data.
994 * @param sortree: tree to sort into.
995 * @param rrs: rr storage.
996 */
997 static void
canonical_sort(struct ub_packed_rrset_key * rrset,struct packed_rrset_data * d,rbtree_type * sortree,struct canon_rr * rrs)998 canonical_sort(struct ub_packed_rrset_key* rrset, struct packed_rrset_data* d,
999 rbtree_type* sortree, struct canon_rr* rrs)
1000 {
1001 size_t i;
1002 /* insert into rbtree to sort and detect duplicates */
1003 for(i=0; i<d->count; i++) {
1004 rrs[i].node.key = &rrs[i];
1005 rrs[i].rrset = rrset;
1006 rrs[i].rr_idx = i;
1007 if(!rbtree_insert(sortree, &rrs[i].node)) {
1008 /* this was a duplicate */
1009 }
1010 }
1011 }
1012
1013 /**
1014 * Insert canonical owner name into buffer.
1015 * @param buf: buffer to insert into at current position.
1016 * @param k: rrset with its owner name.
1017 * @param sig: signature with signer name and label count.
1018 * must be length checked, at least 18 bytes long.
1019 * @param can_owner: position in buffer returned for future use.
1020 * @param can_owner_len: length of canonical owner name.
1021 */
1022 static void
insert_can_owner(sldns_buffer * buf,struct ub_packed_rrset_key * k,uint8_t * sig,uint8_t ** can_owner,size_t * can_owner_len)1023 insert_can_owner(sldns_buffer* buf, struct ub_packed_rrset_key* k,
1024 uint8_t* sig, uint8_t** can_owner, size_t* can_owner_len)
1025 {
1026 int rrsig_labels = (int)sig[3];
1027 int fqdn_labels = dname_signame_label_count(k->rk.dname);
1028 *can_owner = sldns_buffer_current(buf);
1029 if(rrsig_labels == fqdn_labels) {
1030 /* no change */
1031 sldns_buffer_write(buf, k->rk.dname, k->rk.dname_len);
1032 query_dname_tolower(*can_owner);
1033 *can_owner_len = k->rk.dname_len;
1034 return;
1035 }
1036 log_assert(rrsig_labels < fqdn_labels);
1037 /* *. | fqdn(rightmost rrsig_labels) */
1038 if(rrsig_labels < fqdn_labels) {
1039 int i;
1040 uint8_t* nm = k->rk.dname;
1041 size_t len = k->rk.dname_len;
1042 /* so skip fqdn_labels-rrsig_labels */
1043 for(i=0; i<fqdn_labels-rrsig_labels; i++) {
1044 dname_remove_label(&nm, &len);
1045 }
1046 *can_owner_len = len+2;
1047 sldns_buffer_write(buf, (uint8_t*)"\001*", 2);
1048 sldns_buffer_write(buf, nm, len);
1049 query_dname_tolower(*can_owner);
1050 }
1051 }
1052
1053 /**
1054 * Canonicalize Rdata in buffer.
1055 * @param buf: buffer at position just after the rdata.
1056 * @param rrset: rrset with type.
1057 * @param len: length of the rdata (including rdatalen uint16).
1058 */
1059 static void
canonicalize_rdata(sldns_buffer * buf,struct ub_packed_rrset_key * rrset,size_t len)1060 canonicalize_rdata(sldns_buffer* buf, struct ub_packed_rrset_key* rrset,
1061 size_t len)
1062 {
1063 uint8_t* datstart = sldns_buffer_current(buf)-len+2;
1064 switch(ntohs(rrset->rk.type)) {
1065 case LDNS_RR_TYPE_NXT:
1066 case LDNS_RR_TYPE_NS:
1067 case LDNS_RR_TYPE_MD:
1068 case LDNS_RR_TYPE_MF:
1069 case LDNS_RR_TYPE_CNAME:
1070 case LDNS_RR_TYPE_MB:
1071 case LDNS_RR_TYPE_MG:
1072 case LDNS_RR_TYPE_MR:
1073 case LDNS_RR_TYPE_PTR:
1074 case LDNS_RR_TYPE_DNAME:
1075 /* type only has a single argument, the name */
1076 query_dname_tolower(datstart);
1077 return;
1078 case LDNS_RR_TYPE_MINFO:
1079 case LDNS_RR_TYPE_RP:
1080 case LDNS_RR_TYPE_SOA:
1081 /* two names after another */
1082 query_dname_tolower(datstart);
1083 query_dname_tolower(datstart +
1084 dname_valid(datstart, len-2));
1085 return;
1086 case LDNS_RR_TYPE_RT:
1087 case LDNS_RR_TYPE_AFSDB:
1088 case LDNS_RR_TYPE_KX:
1089 case LDNS_RR_TYPE_MX:
1090 /* skip fixed part */
1091 if(len < 2+2+1) /* rdlen, skiplen, 1byteroot */
1092 return;
1093 datstart += 2;
1094 query_dname_tolower(datstart);
1095 return;
1096 case LDNS_RR_TYPE_SIG:
1097 /* downcase the RRSIG, compat with BIND (kept it from SIG) */
1098 case LDNS_RR_TYPE_RRSIG:
1099 /* skip fixed part */
1100 if(len < 2+18+1)
1101 return;
1102 datstart += 18;
1103 query_dname_tolower(datstart);
1104 return;
1105 case LDNS_RR_TYPE_PX:
1106 /* skip, then two names after another */
1107 if(len < 2+2+1)
1108 return;
1109 datstart += 2;
1110 query_dname_tolower(datstart);
1111 query_dname_tolower(datstart +
1112 dname_valid(datstart, len-2-2));
1113 return;
1114 case LDNS_RR_TYPE_NAPTR:
1115 if(len < 2+4)
1116 return;
1117 len -= 2+4;
1118 datstart += 4;
1119 if(len < (size_t)datstart[0]+1) /* skip text field */
1120 return;
1121 len -= (size_t)datstart[0]+1;
1122 datstart += (size_t)datstart[0]+1;
1123 if(len < (size_t)datstart[0]+1) /* skip text field */
1124 return;
1125 len -= (size_t)datstart[0]+1;
1126 datstart += (size_t)datstart[0]+1;
1127 if(len < (size_t)datstart[0]+1) /* skip text field */
1128 return;
1129 len -= (size_t)datstart[0]+1;
1130 datstart += (size_t)datstart[0]+1;
1131 if(len < 1) /* check name is at least 1 byte*/
1132 return;
1133 query_dname_tolower(datstart);
1134 return;
1135 case LDNS_RR_TYPE_SRV:
1136 /* skip fixed part */
1137 if(len < 2+6+1)
1138 return;
1139 datstart += 6;
1140 query_dname_tolower(datstart);
1141 return;
1142
1143 /* do not canonicalize NSEC rdata name, compat with
1144 * from bind 9.4 signer, where it does not do so */
1145 case LDNS_RR_TYPE_NSEC: /* type starts with the name */
1146 case LDNS_RR_TYPE_HINFO: /* not downcased */
1147 /* A6 not supported */
1148 default:
1149 /* nothing to do for unknown types */
1150 return;
1151 }
1152 }
1153
rrset_canonical_equal(struct regional * region,struct ub_packed_rrset_key * k1,struct ub_packed_rrset_key * k2)1154 int rrset_canonical_equal(struct regional* region,
1155 struct ub_packed_rrset_key* k1, struct ub_packed_rrset_key* k2)
1156 {
1157 struct rbtree_type sortree1, sortree2;
1158 struct canon_rr *rrs1, *rrs2, *p1, *p2;
1159 struct packed_rrset_data* d1=(struct packed_rrset_data*)k1->entry.data;
1160 struct packed_rrset_data* d2=(struct packed_rrset_data*)k2->entry.data;
1161 struct ub_packed_rrset_key fk;
1162 struct packed_rrset_data fd;
1163 size_t flen[2];
1164 uint8_t* fdata[2];
1165
1166 /* basic compare */
1167 if(k1->rk.dname_len != k2->rk.dname_len ||
1168 k1->rk.flags != k2->rk.flags ||
1169 k1->rk.type != k2->rk.type ||
1170 k1->rk.rrset_class != k2->rk.rrset_class ||
1171 query_dname_compare(k1->rk.dname, k2->rk.dname) != 0)
1172 return 0;
1173 if(d1->ttl != d2->ttl ||
1174 d1->count != d2->count ||
1175 d1->rrsig_count != d2->rrsig_count ||
1176 d1->trust != d2->trust ||
1177 d1->security != d2->security)
1178 return 0;
1179
1180 /* init */
1181 memset(&fk, 0, sizeof(fk));
1182 memset(&fd, 0, sizeof(fd));
1183 fk.entry.data = &fd;
1184 fd.count = 2;
1185 fd.rr_len = flen;
1186 fd.rr_data = fdata;
1187 rbtree_init(&sortree1, &canonical_tree_compare);
1188 rbtree_init(&sortree2, &canonical_tree_compare);
1189 if(d1->count > RR_COUNT_MAX || d2->count > RR_COUNT_MAX)
1190 return 1; /* protection against integer overflow */
1191 rrs1 = regional_alloc(region, sizeof(struct canon_rr)*d1->count);
1192 rrs2 = regional_alloc(region, sizeof(struct canon_rr)*d2->count);
1193 if(!rrs1 || !rrs2) return 1; /* alloc failure */
1194
1195 /* sort */
1196 canonical_sort(k1, d1, &sortree1, rrs1);
1197 canonical_sort(k2, d2, &sortree2, rrs2);
1198
1199 /* compare canonical-sorted RRs for canonical-equality */
1200 if(sortree1.count != sortree2.count)
1201 return 0;
1202 p1 = (struct canon_rr*)rbtree_first(&sortree1);
1203 p2 = (struct canon_rr*)rbtree_first(&sortree2);
1204 while(p1 != (struct canon_rr*)RBTREE_NULL &&
1205 p2 != (struct canon_rr*)RBTREE_NULL) {
1206 flen[0] = d1->rr_len[p1->rr_idx];
1207 flen[1] = d2->rr_len[p2->rr_idx];
1208 fdata[0] = d1->rr_data[p1->rr_idx];
1209 fdata[1] = d2->rr_data[p2->rr_idx];
1210
1211 if(canonical_compare(&fk, 0, 1) != 0)
1212 return 0;
1213 p1 = (struct canon_rr*)rbtree_next(&p1->node);
1214 p2 = (struct canon_rr*)rbtree_next(&p2->node);
1215 }
1216 return 1;
1217 }
1218
1219 /**
1220 * Create canonical form of rrset in the scratch buffer.
1221 * @param region: temporary region.
1222 * @param buf: the buffer to use.
1223 * @param k: the rrset to insert.
1224 * @param sig: RRSIG rdata to include.
1225 * @param siglen: RRSIG rdata len excluding signature field, but inclusive
1226 * signer name length.
1227 * @param sortree: if NULL is passed a new sorted rrset tree is built.
1228 * Otherwise it is reused.
1229 * @param section: section of packet where this rrset comes from.
1230 * @param qstate: qstate with region.
1231 * @return false on alloc error.
1232 */
1233 static int
rrset_canonical(struct regional * region,sldns_buffer * buf,struct ub_packed_rrset_key * k,uint8_t * sig,size_t siglen,struct rbtree_type ** sortree,sldns_pkt_section section,struct module_qstate * qstate)1234 rrset_canonical(struct regional* region, sldns_buffer* buf,
1235 struct ub_packed_rrset_key* k, uint8_t* sig, size_t siglen,
1236 struct rbtree_type** sortree, sldns_pkt_section section,
1237 struct module_qstate* qstate)
1238 {
1239 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data;
1240 uint8_t* can_owner = NULL;
1241 size_t can_owner_len = 0;
1242 struct canon_rr* walk;
1243 struct canon_rr* rrs;
1244
1245 if(!*sortree) {
1246 *sortree = (struct rbtree_type*)regional_alloc(region,
1247 sizeof(rbtree_type));
1248 if(!*sortree)
1249 return 0;
1250 if(d->count > RR_COUNT_MAX)
1251 return 0; /* integer overflow protection */
1252 rrs = regional_alloc(region, sizeof(struct canon_rr)*d->count);
1253 if(!rrs) {
1254 *sortree = NULL;
1255 return 0;
1256 }
1257 rbtree_init(*sortree, &canonical_tree_compare);
1258 canonical_sort(k, d, *sortree, rrs);
1259 }
1260
1261 sldns_buffer_clear(buf);
1262 sldns_buffer_write(buf, sig, siglen);
1263 /* canonicalize signer name */
1264 query_dname_tolower(sldns_buffer_begin(buf)+18);
1265 RBTREE_FOR(walk, struct canon_rr*, (*sortree)) {
1266 /* see if there is enough space left in the buffer */
1267 if(sldns_buffer_remaining(buf) < can_owner_len + 2 + 2 + 4
1268 + d->rr_len[walk->rr_idx]) {
1269 log_err("verify: failed to canonicalize, "
1270 "rrset too big");
1271 return 0;
1272 }
1273 /* determine canonical owner name */
1274 if(can_owner)
1275 sldns_buffer_write(buf, can_owner, can_owner_len);
1276 else insert_can_owner(buf, k, sig, &can_owner,
1277 &can_owner_len);
1278 sldns_buffer_write(buf, &k->rk.type, 2);
1279 sldns_buffer_write(buf, &k->rk.rrset_class, 2);
1280 sldns_buffer_write(buf, sig+4, 4);
1281 sldns_buffer_write(buf, d->rr_data[walk->rr_idx],
1282 d->rr_len[walk->rr_idx]);
1283 canonicalize_rdata(buf, k, d->rr_len[walk->rr_idx]);
1284 }
1285 sldns_buffer_flip(buf);
1286
1287 /* Replace RR owner with canonical owner for NSEC records in authority
1288 * section, to prevent that a wildcard synthesized NSEC can be used in
1289 * the non-existence proves. */
1290 if(ntohs(k->rk.type) == LDNS_RR_TYPE_NSEC &&
1291 section == LDNS_SECTION_AUTHORITY && qstate) {
1292 k->rk.dname = regional_alloc_init(qstate->region, can_owner,
1293 can_owner_len);
1294 if(!k->rk.dname)
1295 return 0;
1296 k->rk.dname_len = can_owner_len;
1297 }
1298
1299
1300 return 1;
1301 }
1302
1303 int
rrset_canonicalize_to_buffer(struct regional * region,sldns_buffer * buf,struct ub_packed_rrset_key * k)1304 rrset_canonicalize_to_buffer(struct regional* region, sldns_buffer* buf,
1305 struct ub_packed_rrset_key* k)
1306 {
1307 struct rbtree_type* sortree = NULL;
1308 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data;
1309 uint8_t* can_owner = NULL;
1310 size_t can_owner_len = 0;
1311 struct canon_rr* walk;
1312 struct canon_rr* rrs;
1313
1314 sortree = (struct rbtree_type*)regional_alloc(region,
1315 sizeof(rbtree_type));
1316 if(!sortree)
1317 return 0;
1318 if(d->count > RR_COUNT_MAX)
1319 return 0; /* integer overflow protection */
1320 rrs = regional_alloc(region, sizeof(struct canon_rr)*d->count);
1321 if(!rrs) {
1322 return 0;
1323 }
1324 rbtree_init(sortree, &canonical_tree_compare);
1325 canonical_sort(k, d, sortree, rrs);
1326
1327 sldns_buffer_clear(buf);
1328 RBTREE_FOR(walk, struct canon_rr*, sortree) {
1329 /* see if there is enough space left in the buffer */
1330 if(sldns_buffer_remaining(buf) < can_owner_len + 2 + 2 + 4
1331 + d->rr_len[walk->rr_idx]) {
1332 log_err("verify: failed to canonicalize, "
1333 "rrset too big");
1334 return 0;
1335 }
1336 /* determine canonical owner name */
1337 if(can_owner)
1338 sldns_buffer_write(buf, can_owner, can_owner_len);
1339 else {
1340 can_owner = sldns_buffer_current(buf);
1341 sldns_buffer_write(buf, k->rk.dname, k->rk.dname_len);
1342 query_dname_tolower(can_owner);
1343 can_owner_len = k->rk.dname_len;
1344 }
1345 sldns_buffer_write(buf, &k->rk.type, 2);
1346 sldns_buffer_write(buf, &k->rk.rrset_class, 2);
1347 sldns_buffer_write_u32(buf, d->rr_ttl[walk->rr_idx]);
1348 sldns_buffer_write(buf, d->rr_data[walk->rr_idx],
1349 d->rr_len[walk->rr_idx]);
1350 canonicalize_rdata(buf, k, d->rr_len[walk->rr_idx]);
1351 }
1352 sldns_buffer_flip(buf);
1353 return 1;
1354 }
1355
1356 /** pretty print rrsig error with dates */
1357 static void
sigdate_error(const char * str,int32_t expi,int32_t incep,int32_t now)1358 sigdate_error(const char* str, int32_t expi, int32_t incep, int32_t now)
1359 {
1360 struct tm tm;
1361 char expi_buf[16];
1362 char incep_buf[16];
1363 char now_buf[16];
1364 time_t te, ti, tn;
1365
1366 if(verbosity < VERB_QUERY)
1367 return;
1368 te = (time_t)expi;
1369 ti = (time_t)incep;
1370 tn = (time_t)now;
1371 memset(&tm, 0, sizeof(tm));
1372 if(gmtime_r(&te, &tm) && strftime(expi_buf, 15, "%Y%m%d%H%M%S", &tm)
1373 &&gmtime_r(&ti, &tm) && strftime(incep_buf, 15, "%Y%m%d%H%M%S", &tm)
1374 &&gmtime_r(&tn, &tm) && strftime(now_buf, 15, "%Y%m%d%H%M%S", &tm)) {
1375 log_info("%s expi=%s incep=%s now=%s", str, expi_buf,
1376 incep_buf, now_buf);
1377 } else
1378 log_info("%s expi=%u incep=%u now=%u", str, (unsigned)expi,
1379 (unsigned)incep, (unsigned)now);
1380 }
1381
1382 /** check rrsig dates */
1383 static int
check_dates(struct val_env * ve,uint32_t unow,uint8_t * expi_p,uint8_t * incep_p,char ** reason,sldns_ede_code * reason_bogus)1384 check_dates(struct val_env* ve, uint32_t unow, uint8_t* expi_p,
1385 uint8_t* incep_p, char** reason, sldns_ede_code *reason_bogus)
1386 {
1387 /* read out the dates */
1388 uint32_t expi, incep, now;
1389 memmove(&expi, expi_p, sizeof(expi));
1390 memmove(&incep, incep_p, sizeof(incep));
1391 expi = ntohl(expi);
1392 incep = ntohl(incep);
1393
1394 /* get current date */
1395 if(ve->date_override) {
1396 if(ve->date_override == -1) {
1397 verbose(VERB_ALGO, "date override: ignore date");
1398 return 1;
1399 }
1400 now = ve->date_override;
1401 verbose(VERB_ALGO, "date override option %d", (int)now);
1402 } else now = unow;
1403
1404 /* check them */
1405 if(compare_1982(incep, expi) > 0) {
1406 sigdate_error("verify: inception after expiration, "
1407 "signature bad", expi, incep, now);
1408 *reason = "signature inception after expiration";
1409 if(reason_bogus){
1410 /* from RFC8914 on Signature Not Yet Valid: The resolver
1411 * attempted to perform DNSSEC validation, but no
1412 * signatures are presently valid and at least some are
1413 * not yet valid. */
1414 *reason_bogus = LDNS_EDE_SIGNATURE_NOT_YET_VALID;
1415 }
1416
1417 return 0;
1418 }
1419 if(compare_1982(incep, now) > 0) {
1420 /* within skew ? (calc here to avoid calculation normally) */
1421 uint32_t skew = subtract_1982(incep, expi)/10;
1422 if(skew < (uint32_t)ve->skew_min) skew = ve->skew_min;
1423 if(skew > (uint32_t)ve->skew_max) skew = ve->skew_max;
1424 if(subtract_1982(now, incep) > skew) {
1425 sigdate_error("verify: signature bad, current time is"
1426 " before inception date", expi, incep, now);
1427 *reason = "signature before inception date";
1428 if(reason_bogus)
1429 *reason_bogus = LDNS_EDE_SIGNATURE_NOT_YET_VALID;
1430 return 0;
1431 }
1432 sigdate_error("verify warning suspicious signature inception "
1433 " or bad local clock", expi, incep, now);
1434 }
1435 if(compare_1982(now, expi) > 0) {
1436 uint32_t skew = subtract_1982(incep, expi)/10;
1437 if(skew < (uint32_t)ve->skew_min) skew = ve->skew_min;
1438 if(skew > (uint32_t)ve->skew_max) skew = ve->skew_max;
1439 if(subtract_1982(expi, now) > skew) {
1440 sigdate_error("verify: signature expired", expi,
1441 incep, now);
1442 *reason = "signature expired";
1443 if(reason_bogus)
1444 *reason_bogus = LDNS_EDE_SIGNATURE_EXPIRED;
1445 return 0;
1446 }
1447 sigdate_error("verify warning suspicious signature expiration "
1448 " or bad local clock", expi, incep, now);
1449 }
1450 return 1;
1451 }
1452
1453 /** adjust rrset TTL for verified rrset, compare to original TTL and expi */
1454 static void
adjust_ttl(struct val_env * ve,uint32_t unow,struct ub_packed_rrset_key * rrset,uint8_t * orig_p,uint8_t * expi_p,uint8_t * incep_p)1455 adjust_ttl(struct val_env* ve, uint32_t unow,
1456 struct ub_packed_rrset_key* rrset, uint8_t* orig_p,
1457 uint8_t* expi_p, uint8_t* incep_p)
1458 {
1459 struct packed_rrset_data* d =
1460 (struct packed_rrset_data*)rrset->entry.data;
1461 /* read out the dates */
1462 int32_t origttl, expittl, expi, incep, now;
1463 memmove(&origttl, orig_p, sizeof(origttl));
1464 memmove(&expi, expi_p, sizeof(expi));
1465 memmove(&incep, incep_p, sizeof(incep));
1466 expi = ntohl(expi);
1467 incep = ntohl(incep);
1468 origttl = ntohl(origttl);
1469
1470 /* get current date */
1471 if(ve->date_override) {
1472 now = ve->date_override;
1473 } else now = (int32_t)unow;
1474 expittl = (int32_t)((uint32_t)expi - (uint32_t)now);
1475
1476 /* so now:
1477 * d->ttl: rrset ttl read from message or cache. May be reduced
1478 * origttl: original TTL from signature, authoritative TTL max.
1479 * MIN_TTL: minimum TTL from config.
1480 * expittl: TTL until the signature expires.
1481 *
1482 * Use the smallest of these, but don't let origttl set the TTL
1483 * below the minimum.
1484 */
1485 if(MIN_TTL > (time_t)origttl && d->ttl > MIN_TTL) {
1486 verbose(VERB_QUERY, "rrset TTL larger than original and minimum"
1487 " TTL, adjusting TTL downwards to minimum ttl");
1488 d->ttl = MIN_TTL;
1489 }
1490 else if(MIN_TTL <= origttl && d->ttl > (time_t)origttl) {
1491 verbose(VERB_QUERY, "rrset TTL larger than original TTL, "
1492 "adjusting TTL downwards to original ttl");
1493 d->ttl = origttl;
1494 }
1495
1496 if(expittl > 0 && d->ttl > (time_t)expittl) {
1497 verbose(VERB_ALGO, "rrset TTL larger than sig expiration ttl,"
1498 " adjusting TTL downwards");
1499 d->ttl = expittl;
1500 }
1501 }
1502
1503 enum sec_status
dnskey_verify_rrset_sig(struct regional * region,sldns_buffer * buf,struct val_env * ve,time_t now,struct ub_packed_rrset_key * rrset,struct ub_packed_rrset_key * dnskey,size_t dnskey_idx,size_t sig_idx,struct rbtree_type ** sortree,int * buf_canon,char ** reason,sldns_ede_code * reason_bogus,sldns_pkt_section section,struct module_qstate * qstate)1504 dnskey_verify_rrset_sig(struct regional* region, sldns_buffer* buf,
1505 struct val_env* ve, time_t now,
1506 struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey,
1507 size_t dnskey_idx, size_t sig_idx,
1508 struct rbtree_type** sortree, int* buf_canon,
1509 char** reason, sldns_ede_code *reason_bogus,
1510 sldns_pkt_section section, struct module_qstate* qstate)
1511 {
1512 enum sec_status sec;
1513 uint8_t* sig; /* RRSIG rdata */
1514 size_t siglen;
1515 size_t rrnum = rrset_get_count(rrset);
1516 uint8_t* signer; /* rrsig signer name */
1517 size_t signer_len;
1518 unsigned char* sigblock; /* signature rdata field */
1519 unsigned int sigblock_len;
1520 uint16_t ktag; /* DNSKEY key tag */
1521 unsigned char* key; /* public key rdata field */
1522 unsigned int keylen;
1523 rrset_get_rdata(rrset, rrnum + sig_idx, &sig, &siglen);
1524 /* min length of rdatalen, fixed rrsig, root signer, 1 byte sig */
1525 if(siglen < 2+20) {
1526 verbose(VERB_QUERY, "verify: signature too short");
1527 *reason = "signature too short";
1528 if(reason_bogus)
1529 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
1530 return sec_status_bogus;
1531 }
1532
1533 if(!(dnskey_get_flags(dnskey, dnskey_idx) & DNSKEY_BIT_ZSK)) {
1534 verbose(VERB_QUERY, "verify: dnskey without ZSK flag");
1535 *reason = "dnskey without ZSK flag";
1536 if(reason_bogus)
1537 *reason_bogus = LDNS_EDE_NO_ZONE_KEY_BIT_SET;
1538 return sec_status_bogus;
1539 }
1540
1541 if(dnskey_get_protocol(dnskey, dnskey_idx) != LDNS_DNSSEC_KEYPROTO) {
1542 /* RFC 4034 says DNSKEY PROTOCOL MUST be 3 */
1543 verbose(VERB_QUERY, "verify: dnskey has wrong key protocol");
1544 *reason = "dnskey has wrong protocolnumber";
1545 if(reason_bogus)
1546 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
1547 return sec_status_bogus;
1548 }
1549
1550 /* verify as many fields in rrsig as possible */
1551 signer = sig+2+18;
1552 signer_len = dname_valid(signer, siglen-2-18);
1553 if(!signer_len) {
1554 verbose(VERB_QUERY, "verify: malformed signer name");
1555 *reason = "signer name malformed";
1556 if(reason_bogus)
1557 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
1558 return sec_status_bogus; /* signer name invalid */
1559 }
1560 if(!dname_subdomain_c(rrset->rk.dname, signer)) {
1561 verbose(VERB_QUERY, "verify: signer name is off-tree");
1562 *reason = "signer name off-tree";
1563 if(reason_bogus)
1564 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
1565 return sec_status_bogus; /* signer name offtree */
1566 }
1567 sigblock = (unsigned char*)signer+signer_len;
1568 if(siglen < 2+18+signer_len+1) {
1569 verbose(VERB_QUERY, "verify: too short, no signature data");
1570 *reason = "signature too short, no signature data";
1571 if(reason_bogus)
1572 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
1573 return sec_status_bogus; /* sig rdf is < 1 byte */
1574 }
1575 sigblock_len = (unsigned int)(siglen - 2 - 18 - signer_len);
1576
1577 /* verify key dname == sig signer name */
1578 if(query_dname_compare(signer, dnskey->rk.dname) != 0) {
1579 verbose(VERB_QUERY, "verify: wrong key for rrsig");
1580 log_nametypeclass(VERB_QUERY, "RRSIG signername is",
1581 signer, 0, 0);
1582 log_nametypeclass(VERB_QUERY, "the key name is",
1583 dnskey->rk.dname, 0, 0);
1584 *reason = "signer name mismatches key name";
1585 if(reason_bogus)
1586 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
1587 return sec_status_bogus;
1588 }
1589
1590 /* verify covered type */
1591 /* memcmp works because type is in network format for rrset */
1592 if(memcmp(sig+2, &rrset->rk.type, 2) != 0) {
1593 verbose(VERB_QUERY, "verify: wrong type covered");
1594 *reason = "signature covers wrong type";
1595 if(reason_bogus)
1596 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
1597 return sec_status_bogus;
1598 }
1599 /* verify keytag and sig algo (possibly again) */
1600 if((int)sig[2+2] != dnskey_get_algo(dnskey, dnskey_idx)) {
1601 verbose(VERB_QUERY, "verify: wrong algorithm");
1602 *reason = "signature has wrong algorithm";
1603 if(reason_bogus)
1604 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
1605 return sec_status_bogus;
1606 }
1607 ktag = htons(dnskey_calc_keytag(dnskey, dnskey_idx));
1608 if(memcmp(sig+2+16, &ktag, 2) != 0) {
1609 verbose(VERB_QUERY, "verify: wrong keytag");
1610 *reason = "signature has wrong keytag";
1611 if(reason_bogus)
1612 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
1613 return sec_status_bogus;
1614 }
1615
1616 /* verify labels is in a valid range */
1617 if((int)sig[2+3] > dname_signame_label_count(rrset->rk.dname)) {
1618 verbose(VERB_QUERY, "verify: labelcount out of range");
1619 *reason = "signature labelcount out of range";
1620 if(reason_bogus)
1621 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
1622 return sec_status_bogus;
1623 }
1624
1625 /* original ttl, always ok */
1626
1627 if(!*buf_canon) {
1628 /* create rrset canonical format in buffer, ready for
1629 * signature */
1630 if(!rrset_canonical(region, buf, rrset, sig+2,
1631 18 + signer_len, sortree, section, qstate)) {
1632 log_err("verify: failed due to alloc error");
1633 return sec_status_unchecked;
1634 }
1635 *buf_canon = 1;
1636 }
1637
1638 /* check that dnskey is available */
1639 dnskey_get_pubkey(dnskey, dnskey_idx, &key, &keylen);
1640 if(!key) {
1641 verbose(VERB_QUERY, "verify: short DNSKEY RR");
1642 return sec_status_unchecked;
1643 }
1644
1645 /* verify */
1646 sec = verify_canonrrset(buf, (int)sig[2+2],
1647 sigblock, sigblock_len, key, keylen, reason);
1648
1649 if(sec == sec_status_secure) {
1650 /* check if TTL is too high - reduce if so */
1651 adjust_ttl(ve, now, rrset, sig+2+4, sig+2+8, sig+2+12);
1652
1653 /* verify inception, expiration dates
1654 * Do this last so that if you ignore expired-sigs the
1655 * rest is sure to be OK. */
1656 if(!check_dates(ve, now, sig+2+8, sig+2+12,
1657 reason, reason_bogus)) {
1658 return sec_status_bogus;
1659 }
1660 }
1661
1662 return sec;
1663 }
1664