1 /* 2 * validator/val_sigcrypt.c - validator signature crypto functions. 3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 25 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 26 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE 27 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 28 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 29 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 30 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 31 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 32 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 33 * POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains helper functions for the validator module. 40 * The functions help with signature verification and checking, the 41 * bridging between RR wireformat data and crypto calls. 42 */ 43 #include "config.h" 44 #include <ldns/ldns.h> 45 #include "validator/val_sigcrypt.h" 46 #include "validator/validator.h" 47 #include "util/data/msgreply.h" 48 #include "util/data/msgparse.h" 49 #include "util/data/dname.h" 50 #include "util/rbtree.h" 51 #include "util/module.h" 52 #include "util/net_help.h" 53 #include "util/regional.h" 54 55 #ifndef HAVE_SSL 56 #error "Need SSL library to do digital signature cryptography" 57 #endif 58 59 #ifdef HAVE_OPENSSL_ERR_H 60 #include <openssl/err.h> 61 #endif 62 63 #ifdef HAVE_OPENSSL_RAND_H 64 #include <openssl/rand.h> 65 #endif 66 67 #ifdef HAVE_OPENSSL_CONF_H 68 #include <openssl/conf.h> 69 #endif 70 71 #ifdef HAVE_OPENSSL_ENGINE_H 72 #include <openssl/engine.h> 73 #endif 74 75 /** return number of rrs in an rrset */ 76 static size_t 77 rrset_get_count(struct ub_packed_rrset_key* rrset) 78 { 79 struct packed_rrset_data* d = (struct packed_rrset_data*) 80 rrset->entry.data; 81 if(!d) return 0; 82 return d->count; 83 } 84 85 /** 86 * Get RR signature count 87 */ 88 static size_t 89 rrset_get_sigcount(struct ub_packed_rrset_key* k) 90 { 91 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; 92 return d->rrsig_count; 93 } 94 95 /** 96 * Get signature keytag value 97 * @param k: rrset (with signatures) 98 * @param sig_idx: signature index. 99 * @return keytag or 0 if malformed rrsig. 100 */ 101 static uint16_t 102 rrset_get_sig_keytag(struct ub_packed_rrset_key* k, size_t sig_idx) 103 { 104 uint16_t t; 105 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; 106 log_assert(sig_idx < d->rrsig_count); 107 if(d->rr_len[d->count + sig_idx] < 2+18) 108 return 0; 109 memmove(&t, d->rr_data[d->count + sig_idx]+2+16, 2); 110 return ntohs(t); 111 } 112 113 /** 114 * Get signature signing algorithm value 115 * @param k: rrset (with signatures) 116 * @param sig_idx: signature index. 117 * @return algo or 0 if malformed rrsig. 118 */ 119 static int 120 rrset_get_sig_algo(struct ub_packed_rrset_key* k, size_t sig_idx) 121 { 122 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; 123 log_assert(sig_idx < d->rrsig_count); 124 if(d->rr_len[d->count + sig_idx] < 2+3) 125 return 0; 126 return (int)d->rr_data[d->count + sig_idx][2+2]; 127 } 128 129 /** get rdata pointer and size */ 130 static void 131 rrset_get_rdata(struct ub_packed_rrset_key* k, size_t idx, uint8_t** rdata, 132 size_t* len) 133 { 134 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; 135 log_assert(d && idx < (d->count + d->rrsig_count)); 136 *rdata = d->rr_data[idx]; 137 *len = d->rr_len[idx]; 138 } 139 140 uint16_t 141 dnskey_get_flags(struct ub_packed_rrset_key* k, size_t idx) 142 { 143 uint8_t* rdata; 144 size_t len; 145 uint16_t f; 146 rrset_get_rdata(k, idx, &rdata, &len); 147 if(len < 2+2) 148 return 0; 149 memmove(&f, rdata+2, 2); 150 f = ntohs(f); 151 return f; 152 } 153 154 /** 155 * Get DNSKEY protocol value from rdata 156 * @param k: DNSKEY rrset. 157 * @param idx: which key. 158 * @return protocol octet value 159 */ 160 static int 161 dnskey_get_protocol(struct ub_packed_rrset_key* k, size_t idx) 162 { 163 uint8_t* rdata; 164 size_t len; 165 rrset_get_rdata(k, idx, &rdata, &len); 166 if(len < 2+4) 167 return 0; 168 return (int)rdata[2+2]; 169 } 170 171 int 172 dnskey_get_algo(struct ub_packed_rrset_key* k, size_t idx) 173 { 174 uint8_t* rdata; 175 size_t len; 176 rrset_get_rdata(k, idx, &rdata, &len); 177 if(len < 2+4) 178 return 0; 179 return (int)rdata[2+3]; 180 } 181 182 /** get public key rdata field from a dnskey RR and do some checks */ 183 static void 184 dnskey_get_pubkey(struct ub_packed_rrset_key* k, size_t idx, 185 unsigned char** pk, unsigned int* pklen) 186 { 187 uint8_t* rdata; 188 size_t len; 189 rrset_get_rdata(k, idx, &rdata, &len); 190 if(len < 2+5) { 191 *pk = NULL; 192 *pklen = 0; 193 return; 194 } 195 *pk = (unsigned char*)rdata+2+4; 196 *pklen = (unsigned)len-2-4; 197 } 198 199 int 200 ds_get_key_algo(struct ub_packed_rrset_key* k, size_t idx) 201 { 202 uint8_t* rdata; 203 size_t len; 204 rrset_get_rdata(k, idx, &rdata, &len); 205 if(len < 2+3) 206 return 0; 207 return (int)rdata[2+2]; 208 } 209 210 int 211 ds_get_digest_algo(struct ub_packed_rrset_key* k, size_t idx) 212 { 213 uint8_t* rdata; 214 size_t len; 215 rrset_get_rdata(k, idx, &rdata, &len); 216 if(len < 2+4) 217 return 0; 218 return (int)rdata[2+3]; 219 } 220 221 uint16_t 222 ds_get_keytag(struct ub_packed_rrset_key* ds_rrset, size_t ds_idx) 223 { 224 uint16_t t; 225 uint8_t* rdata; 226 size_t len; 227 rrset_get_rdata(ds_rrset, ds_idx, &rdata, &len); 228 if(len < 2+2) 229 return 0; 230 memmove(&t, rdata+2, 2); 231 return ntohs(t); 232 } 233 234 /** 235 * Return pointer to the digest in a DS RR. 236 * @param k: DS rrset. 237 * @param idx: which DS. 238 * @param digest: digest data is returned. 239 * on error, this is NULL. 240 * @param len: length of digest is returned. 241 * on error, the length is 0. 242 */ 243 static void 244 ds_get_sigdata(struct ub_packed_rrset_key* k, size_t idx, uint8_t** digest, 245 size_t* len) 246 { 247 uint8_t* rdata; 248 size_t rdlen; 249 rrset_get_rdata(k, idx, &rdata, &rdlen); 250 if(rdlen < 2+5) { 251 *digest = NULL; 252 *len = 0; 253 return; 254 } 255 *digest = rdata + 2 + 4; 256 *len = rdlen - 2 - 4; 257 } 258 259 /** 260 * Return size of DS digest according to its hash algorithm. 261 * @param k: DS rrset. 262 * @param idx: which DS. 263 * @return size in bytes of digest, or 0 if not supported. 264 */ 265 static size_t 266 ds_digest_size_algo(struct ub_packed_rrset_key* k, size_t idx) 267 { 268 switch(ds_get_digest_algo(k, idx)) { 269 #ifdef HAVE_EVP_SHA1 270 case LDNS_SHA1: 271 return SHA_DIGEST_LENGTH; 272 #endif 273 #ifdef HAVE_EVP_SHA256 274 case LDNS_SHA256: 275 return SHA256_DIGEST_LENGTH; 276 #endif 277 #ifdef USE_GOST 278 case LDNS_HASH_GOST: 279 if(EVP_get_digestbyname("md_gost94")) 280 return 32; 281 else return 0; 282 #endif 283 default: break; 284 } 285 return 0; 286 } 287 288 #ifdef USE_GOST 289 /** Perform GOST hash */ 290 static int 291 do_gost94(unsigned char* data, size_t len, unsigned char* dest) 292 { 293 const EVP_MD* md = EVP_get_digestbyname("md_gost94"); 294 if(!md) 295 return 0; 296 return ldns_digest_evp(data, (unsigned int)len, dest, md); 297 } 298 #endif 299 300 /** 301 * Create a DS digest for a DNSKEY entry. 302 * 303 * @param env: module environment. Uses scratch space. 304 * @param dnskey_rrset: DNSKEY rrset. 305 * @param dnskey_idx: index of RR in rrset. 306 * @param ds_rrset: DS rrset 307 * @param ds_idx: index of RR in DS rrset. 308 * @param digest: digest is returned in here (must be correctly sized). 309 * @return false on error. 310 */ 311 static int 312 ds_create_dnskey_digest(struct module_env* env, 313 struct ub_packed_rrset_key* dnskey_rrset, size_t dnskey_idx, 314 struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, 315 uint8_t* digest) 316 { 317 ldns_buffer* b = env->scratch_buffer; 318 uint8_t* dnskey_rdata; 319 size_t dnskey_len; 320 rrset_get_rdata(dnskey_rrset, dnskey_idx, &dnskey_rdata, &dnskey_len); 321 322 /* create digest source material in buffer 323 * digest = digest_algorithm( DNSKEY owner name | DNSKEY RDATA); 324 * DNSKEY RDATA = Flags | Protocol | Algorithm | Public Key. */ 325 ldns_buffer_clear(b); 326 ldns_buffer_write(b, dnskey_rrset->rk.dname, 327 dnskey_rrset->rk.dname_len); 328 query_dname_tolower(ldns_buffer_begin(b)); 329 ldns_buffer_write(b, dnskey_rdata+2, dnskey_len-2); /* skip rdatalen*/ 330 ldns_buffer_flip(b); 331 332 switch(ds_get_digest_algo(ds_rrset, ds_idx)) { 333 #ifdef HAVE_EVP_SHA1 334 case LDNS_SHA1: 335 (void)SHA1((unsigned char*)ldns_buffer_begin(b), 336 ldns_buffer_limit(b), (unsigned char*)digest); 337 return 1; 338 #endif 339 #ifdef HAVE_EVP_SHA256 340 case LDNS_SHA256: 341 (void)SHA256((unsigned char*)ldns_buffer_begin(b), 342 ldns_buffer_limit(b), (unsigned char*)digest); 343 return 1; 344 #endif 345 #ifdef USE_GOST 346 case LDNS_HASH_GOST: 347 if(do_gost94((unsigned char*)ldns_buffer_begin(b), 348 ldns_buffer_limit(b), (unsigned char*)digest)) 349 return 1; 350 #endif 351 default: 352 verbose(VERB_QUERY, "unknown DS digest algorithm %d", 353 (int) ds_get_digest_algo(ds_rrset, ds_idx)); 354 break; 355 } 356 return 0; 357 } 358 359 int ds_digest_match_dnskey(struct module_env* env, 360 struct ub_packed_rrset_key* dnskey_rrset, size_t dnskey_idx, 361 struct ub_packed_rrset_key* ds_rrset, size_t ds_idx) 362 { 363 uint8_t* ds; /* DS digest */ 364 size_t dslen; 365 uint8_t* digest; /* generated digest */ 366 size_t digestlen = ds_digest_size_algo(ds_rrset, ds_idx); 367 368 if(digestlen == 0) { 369 verbose(VERB_QUERY, "DS fail: not supported, or DS RR " 370 "format error"); 371 return 0; /* not supported, or DS RR format error */ 372 } 373 /* check digest length in DS with length from hash function */ 374 ds_get_sigdata(ds_rrset, ds_idx, &ds, &dslen); 375 if(!ds || dslen != digestlen) { 376 verbose(VERB_QUERY, "DS fail: DS RR algo and digest do not " 377 "match each other"); 378 return 0; /* DS algorithm and digest do not match */ 379 } 380 381 digest = regional_alloc(env->scratch, digestlen); 382 if(!digest) { 383 verbose(VERB_QUERY, "DS fail: out of memory"); 384 return 0; /* mem error */ 385 } 386 if(!ds_create_dnskey_digest(env, dnskey_rrset, dnskey_idx, ds_rrset, 387 ds_idx, digest)) { 388 verbose(VERB_QUERY, "DS fail: could not calc key digest"); 389 return 0; /* digest algo failed */ 390 } 391 if(memcmp(digest, ds, dslen) != 0) { 392 verbose(VERB_QUERY, "DS fail: digest is different"); 393 return 0; /* digest different */ 394 } 395 return 1; 396 } 397 398 int 399 ds_digest_algo_is_supported(struct ub_packed_rrset_key* ds_rrset, 400 size_t ds_idx) 401 { 402 return (ds_digest_size_algo(ds_rrset, ds_idx) != 0); 403 } 404 405 /** return true if DNSKEY algorithm id is supported */ 406 static int 407 dnskey_algo_id_is_supported(int id) 408 { 409 switch(id) { 410 case LDNS_DSA: 411 case LDNS_DSA_NSEC3: 412 case LDNS_RSASHA1: 413 case LDNS_RSASHA1_NSEC3: 414 case LDNS_RSAMD5: 415 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 416 case LDNS_RSASHA256: 417 #endif 418 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 419 case LDNS_RSASHA512: 420 #endif 421 return 1; 422 #ifdef USE_GOST 423 case LDNS_ECC_GOST: 424 /* we support GOST if it can be loaded */ 425 return ldns_key_EVP_load_gost_id(); 426 #endif 427 default: 428 return 0; 429 } 430 } 431 432 int 433 ds_key_algo_is_supported(struct ub_packed_rrset_key* ds_rrset, 434 size_t ds_idx) 435 { 436 return dnskey_algo_id_is_supported(ds_get_key_algo(ds_rrset, ds_idx)); 437 } 438 439 uint16_t 440 dnskey_calc_keytag(struct ub_packed_rrset_key* dnskey_rrset, size_t dnskey_idx) 441 { 442 uint8_t* data; 443 size_t len; 444 rrset_get_rdata(dnskey_rrset, dnskey_idx, &data, &len); 445 /* do not pass rdatalen to ldns */ 446 return ldns_calc_keytag_raw(data+2, len-2); 447 } 448 449 int dnskey_algo_is_supported(struct ub_packed_rrset_key* dnskey_rrset, 450 size_t dnskey_idx) 451 { 452 return dnskey_algo_id_is_supported(dnskey_get_algo(dnskey_rrset, 453 dnskey_idx)); 454 } 455 456 void algo_needs_init_dnskey_add(struct algo_needs* n, 457 struct ub_packed_rrset_key* dnskey, uint8_t* sigalg) 458 { 459 uint8_t algo; 460 size_t i, total = n->num; 461 size_t num = rrset_get_count(dnskey); 462 463 for(i=0; i<num; i++) { 464 algo = (uint8_t)dnskey_get_algo(dnskey, i); 465 if(!dnskey_algo_id_is_supported((int)algo)) 466 continue; 467 if(n->needs[algo] == 0) { 468 n->needs[algo] = 1; 469 sigalg[total] = algo; 470 total++; 471 } 472 } 473 sigalg[total] = 0; 474 n->num = total; 475 } 476 477 void algo_needs_init_list(struct algo_needs* n, uint8_t* sigalg) 478 { 479 uint8_t algo; 480 size_t total = 0; 481 482 memset(n->needs, 0, sizeof(uint8_t)*ALGO_NEEDS_MAX); 483 while( (algo=*sigalg++) != 0) { 484 log_assert(dnskey_algo_id_is_supported((int)algo)); 485 log_assert(n->needs[algo] == 0); 486 n->needs[algo] = 1; 487 total++; 488 } 489 n->num = total; 490 } 491 492 void algo_needs_init_ds(struct algo_needs* n, struct ub_packed_rrset_key* ds, 493 int fav_ds_algo, uint8_t* sigalg) 494 { 495 uint8_t algo; 496 size_t i, total = 0; 497 size_t num = rrset_get_count(ds); 498 499 memset(n->needs, 0, sizeof(uint8_t)*ALGO_NEEDS_MAX); 500 for(i=0; i<num; i++) { 501 if(ds_get_digest_algo(ds, i) != fav_ds_algo) 502 continue; 503 algo = (uint8_t)ds_get_key_algo(ds, i); 504 if(!dnskey_algo_id_is_supported((int)algo)) 505 continue; 506 log_assert(algo != 0); /* we do not support 0 and is EOS */ 507 if(n->needs[algo] == 0) { 508 n->needs[algo] = 1; 509 sigalg[total] = algo; 510 total++; 511 } 512 } 513 sigalg[total] = 0; 514 n->num = total; 515 } 516 517 int algo_needs_set_secure(struct algo_needs* n, uint8_t algo) 518 { 519 if(n->needs[algo]) { 520 n->needs[algo] = 0; 521 n->num --; 522 if(n->num == 0) /* done! */ 523 return 1; 524 } 525 return 0; 526 } 527 528 void algo_needs_set_bogus(struct algo_needs* n, uint8_t algo) 529 { 530 if(n->needs[algo]) n->needs[algo] = 2; /* need it, but bogus */ 531 } 532 533 size_t algo_needs_num_missing(struct algo_needs* n) 534 { 535 return n->num; 536 } 537 538 int algo_needs_missing(struct algo_needs* n) 539 { 540 int i; 541 /* first check if a needed algo was bogus - report that */ 542 for(i=0; i<ALGO_NEEDS_MAX; i++) 543 if(n->needs[i] == 2) 544 return 0; 545 /* now check which algo is missing */ 546 for(i=0; i<ALGO_NEEDS_MAX; i++) 547 if(n->needs[i] == 1) 548 return i; 549 return 0; 550 } 551 552 enum sec_status 553 dnskeyset_verify_rrset(struct module_env* env, struct val_env* ve, 554 struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, 555 uint8_t* sigalg, char** reason) 556 { 557 enum sec_status sec; 558 size_t i, num; 559 rbtree_t* sortree = NULL; 560 /* make sure that for all DNSKEY algorithms there are valid sigs */ 561 struct algo_needs needs; 562 int alg; 563 564 num = rrset_get_sigcount(rrset); 565 if(num == 0) { 566 verbose(VERB_QUERY, "rrset failed to verify due to a lack of " 567 "signatures"); 568 *reason = "no signatures"; 569 return sec_status_bogus; 570 } 571 572 if(sigalg) { 573 algo_needs_init_list(&needs, sigalg); 574 if(algo_needs_num_missing(&needs) == 0) { 575 verbose(VERB_QUERY, "zone has no known algorithms"); 576 *reason = "zone has no known algorithms"; 577 return sec_status_insecure; 578 } 579 } 580 for(i=0; i<num; i++) { 581 sec = dnskeyset_verify_rrset_sig(env, ve, *env->now, rrset, 582 dnskey, i, &sortree, reason); 583 /* see which algorithm has been fixed up */ 584 if(sec == sec_status_secure) { 585 if(!sigalg) 586 return sec; /* done! */ 587 else if(algo_needs_set_secure(&needs, 588 (uint8_t)rrset_get_sig_algo(rrset, i))) 589 return sec; /* done! */ 590 } else if(sigalg && sec == sec_status_bogus) { 591 algo_needs_set_bogus(&needs, 592 (uint8_t)rrset_get_sig_algo(rrset, i)); 593 } 594 } 595 verbose(VERB_ALGO, "rrset failed to verify: no valid signatures for " 596 "%d algorithms", (int)algo_needs_num_missing(&needs)); 597 if(sigalg && (alg=algo_needs_missing(&needs)) != 0) { 598 algo_needs_reason(env, alg, reason, "no signatures"); 599 } 600 return sec_status_bogus; 601 } 602 603 void algo_needs_reason(struct module_env* env, int alg, char** reason, char* s) 604 { 605 char buf[256]; 606 ldns_lookup_table *t = ldns_lookup_by_id(ldns_algorithms, alg); 607 if(t&&t->name) 608 snprintf(buf, sizeof(buf), "%s with algorithm %s", s, t->name); 609 else snprintf(buf, sizeof(buf), "%s with algorithm ALG%u", s, 610 (unsigned)alg); 611 *reason = regional_strdup(env->scratch, buf); 612 if(!*reason) 613 *reason = s; 614 } 615 616 enum sec_status 617 dnskey_verify_rrset(struct module_env* env, struct val_env* ve, 618 struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, 619 size_t dnskey_idx, char** reason) 620 { 621 enum sec_status sec; 622 size_t i, num, numchecked = 0; 623 rbtree_t* sortree = NULL; 624 int buf_canon = 0; 625 uint16_t tag = dnskey_calc_keytag(dnskey, dnskey_idx); 626 int algo = dnskey_get_algo(dnskey, dnskey_idx); 627 628 num = rrset_get_sigcount(rrset); 629 if(num == 0) { 630 verbose(VERB_QUERY, "rrset failed to verify due to a lack of " 631 "signatures"); 632 *reason = "no signatures"; 633 return sec_status_bogus; 634 } 635 for(i=0; i<num; i++) { 636 /* see if sig matches keytag and algo */ 637 if(algo != rrset_get_sig_algo(rrset, i) || 638 tag != rrset_get_sig_keytag(rrset, i)) 639 continue; 640 buf_canon = 0; 641 sec = dnskey_verify_rrset_sig(env->scratch, 642 env->scratch_buffer, ve, *env->now, rrset, 643 dnskey, dnskey_idx, i, &sortree, &buf_canon, reason); 644 if(sec == sec_status_secure) 645 return sec; 646 numchecked ++; 647 } 648 verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus"); 649 if(!numchecked) *reason = "signature missing"; 650 return sec_status_bogus; 651 } 652 653 enum sec_status 654 dnskeyset_verify_rrset_sig(struct module_env* env, struct val_env* ve, 655 uint32_t now, struct ub_packed_rrset_key* rrset, 656 struct ub_packed_rrset_key* dnskey, size_t sig_idx, 657 struct rbtree_t** sortree, char** reason) 658 { 659 /* find matching keys and check them */ 660 enum sec_status sec = sec_status_bogus; 661 uint16_t tag = rrset_get_sig_keytag(rrset, sig_idx); 662 int algo = rrset_get_sig_algo(rrset, sig_idx); 663 size_t i, num = rrset_get_count(dnskey); 664 size_t numchecked = 0; 665 int buf_canon = 0; 666 verbose(VERB_ALGO, "verify sig %d %d", (int)tag, algo); 667 if(!dnskey_algo_id_is_supported(algo)) { 668 verbose(VERB_QUERY, "verify sig: unknown algorithm"); 669 return sec_status_insecure; 670 } 671 672 for(i=0; i<num; i++) { 673 /* see if key matches keytag and algo */ 674 if(algo != dnskey_get_algo(dnskey, i) || 675 tag != dnskey_calc_keytag(dnskey, i)) 676 continue; 677 numchecked ++; 678 679 /* see if key verifies */ 680 sec = dnskey_verify_rrset_sig(env->scratch, 681 env->scratch_buffer, ve, now, rrset, dnskey, i, 682 sig_idx, sortree, &buf_canon, reason); 683 if(sec == sec_status_secure) 684 return sec; 685 } 686 if(numchecked == 0) { 687 *reason = "signatures from unknown keys"; 688 verbose(VERB_QUERY, "verify: could not find appropriate key"); 689 return sec_status_bogus; 690 } 691 return sec_status_bogus; 692 } 693 694 /** 695 * RR entries in a canonical sorted tree of RRs 696 */ 697 struct canon_rr { 698 /** rbtree node, key is this structure */ 699 rbnode_t node; 700 /** rrset the RR is in */ 701 struct ub_packed_rrset_key* rrset; 702 /** which RR in the rrset */ 703 size_t rr_idx; 704 }; 705 706 /** 707 * Compare two RR for canonical order, in a field-style sweep. 708 * @param d: rrset data 709 * @param desc: ldns wireformat descriptor. 710 * @param i: first RR to compare 711 * @param j: first RR to compare 712 * @return comparison code. 713 */ 714 static int 715 canonical_compare_byfield(struct packed_rrset_data* d, 716 const ldns_rr_descriptor* desc, size_t i, size_t j) 717 { 718 /* sweep across rdata, keep track of some state: 719 * which rr field, and bytes left in field. 720 * current position in rdata, length left. 721 * are we in a dname, length left in a label. 722 */ 723 int wfi = -1; /* current wireformat rdata field (rdf) */ 724 int wfj = -1; 725 uint8_t* di = d->rr_data[i]+2; /* ptr to current rdata byte */ 726 uint8_t* dj = d->rr_data[j]+2; 727 size_t ilen = d->rr_len[i]-2; /* length left in rdata */ 728 size_t jlen = d->rr_len[j]-2; 729 int dname_i = 0; /* true if these bytes are part of a name */ 730 int dname_j = 0; 731 size_t lablen_i = 0; /* 0 for label length byte,for first byte of rdf*/ 732 size_t lablen_j = 0; /* otherwise remaining length of rdf or label */ 733 int dname_num_i = (int)desc->_dname_count; /* decreased at root label */ 734 int dname_num_j = (int)desc->_dname_count; 735 736 /* loop while there are rdata bytes available for both rrs, 737 * and still some lowercasing needs to be done; either the dnames 738 * have not been reached yet, or they are currently being processed */ 739 while(ilen > 0 && jlen > 0 && (dname_num_i > 0 || dname_num_j > 0)) { 740 /* compare these two bytes */ 741 /* lowercase if in a dname and not a label length byte */ 742 if( ((dname_i && lablen_i)?(uint8_t)tolower((int)*di):*di) 743 != ((dname_j && lablen_j)?(uint8_t)tolower((int)*dj):*dj) 744 ) { 745 if(((dname_i && lablen_i)?(uint8_t)tolower((int)*di):*di) 746 < ((dname_j && lablen_j)?(uint8_t)tolower((int)*dj):*dj)) 747 return -1; 748 return 1; 749 } 750 ilen--; 751 jlen--; 752 /* bytes are equal */ 753 754 /* advance field i */ 755 /* lablen 0 means that this byte is the first byte of the 756 * next rdata field; inspect this rdata field and setup 757 * to process the rest of this rdata field. 758 * The reason to first read the byte, then setup the rdf, 759 * is that we are then sure the byte is available and short 760 * rdata is handled gracefully (even if it is a formerr). */ 761 if(lablen_i == 0) { 762 if(dname_i) { 763 /* scan this dname label */ 764 /* capture length to lowercase */ 765 lablen_i = (size_t)*di; 766 if(lablen_i == 0) { 767 /* end root label */ 768 dname_i = 0; 769 dname_num_i--; 770 /* if dname num is 0, then the 771 * remainder is binary only */ 772 if(dname_num_i == 0) 773 lablen_i = ilen; 774 } 775 } else { 776 /* scan this rdata field */ 777 wfi++; 778 if(desc->_wireformat[wfi] 779 == LDNS_RDF_TYPE_DNAME) { 780 dname_i = 1; 781 lablen_i = (size_t)*di; 782 if(lablen_i == 0) { 783 dname_i = 0; 784 dname_num_i--; 785 if(dname_num_i == 0) 786 lablen_i = ilen; 787 } 788 } else if(desc->_wireformat[wfi] 789 == LDNS_RDF_TYPE_STR) 790 lablen_i = (size_t)*di; 791 else lablen_i = get_rdf_size( 792 desc->_wireformat[wfi]) - 1; 793 } 794 } else lablen_i--; 795 796 /* advance field j; same as for i */ 797 if(lablen_j == 0) { 798 if(dname_j) { 799 lablen_j = (size_t)*dj; 800 if(lablen_j == 0) { 801 dname_j = 0; 802 dname_num_j--; 803 if(dname_num_j == 0) 804 lablen_j = jlen; 805 } 806 } else { 807 wfj++; 808 if(desc->_wireformat[wfj] 809 == LDNS_RDF_TYPE_DNAME) { 810 dname_j = 1; 811 lablen_j = (size_t)*dj; 812 if(lablen_j == 0) { 813 dname_j = 0; 814 dname_num_j--; 815 if(dname_num_j == 0) 816 lablen_j = jlen; 817 } 818 } else if(desc->_wireformat[wfj] 819 == LDNS_RDF_TYPE_STR) 820 lablen_j = (size_t)*dj; 821 else lablen_j = get_rdf_size( 822 desc->_wireformat[wfj]) - 1; 823 } 824 } else lablen_j--; 825 di++; 826 dj++; 827 } 828 /* end of the loop; because we advanced byte by byte; now we have 829 * that the rdata has ended, or that there is a binary remainder */ 830 /* shortest first */ 831 if(ilen == 0 && jlen == 0) 832 return 0; 833 if(ilen == 0) 834 return -1; 835 if(jlen == 0) 836 return 1; 837 /* binary remainder, capture comparison in wfi variable */ 838 if((wfi = memcmp(di, dj, (ilen<jlen)?ilen:jlen)) != 0) 839 return wfi; 840 if(ilen < jlen) 841 return -1; 842 if(jlen < ilen) 843 return 1; 844 return 0; 845 } 846 847 /** 848 * Compare two RRs in the same RRset and determine their relative 849 * canonical order. 850 * @param rrset: the rrset in which to perform compares. 851 * @param i: first RR to compare 852 * @param j: first RR to compare 853 * @return 0 if RR i== RR j, -1 if <, +1 if >. 854 */ 855 static int 856 canonical_compare(struct ub_packed_rrset_key* rrset, size_t i, size_t j) 857 { 858 struct packed_rrset_data* d = (struct packed_rrset_data*) 859 rrset->entry.data; 860 const ldns_rr_descriptor* desc; 861 uint16_t type = ntohs(rrset->rk.type); 862 size_t minlen; 863 int c; 864 865 if(i==j) 866 return 0; 867 /* in case rdata-len is to be compared for canonical order 868 c = memcmp(d->rr_data[i], d->rr_data[j], 2); 869 if(c != 0) 870 return c; */ 871 872 switch(type) { 873 /* These RR types have only a name as RDATA. 874 * This name has to be canonicalized.*/ 875 case LDNS_RR_TYPE_NS: 876 case LDNS_RR_TYPE_MD: 877 case LDNS_RR_TYPE_MF: 878 case LDNS_RR_TYPE_CNAME: 879 case LDNS_RR_TYPE_MB: 880 case LDNS_RR_TYPE_MG: 881 case LDNS_RR_TYPE_MR: 882 case LDNS_RR_TYPE_PTR: 883 case LDNS_RR_TYPE_DNAME: 884 return query_dname_compare(d->rr_data[i]+2, 885 d->rr_data[j]+2); 886 887 /* These RR types have STR and fixed size rdata fields 888 * before one or more name fields that need canonicalizing, 889 * and after that a byte-for byte remainder can be compared. 890 */ 891 /* type starts with the name; remainder is binary compared */ 892 case LDNS_RR_TYPE_NXT: 893 /* use rdata field formats */ 894 case LDNS_RR_TYPE_MINFO: 895 case LDNS_RR_TYPE_RP: 896 case LDNS_RR_TYPE_SOA: 897 case LDNS_RR_TYPE_RT: 898 case LDNS_RR_TYPE_AFSDB: 899 case LDNS_RR_TYPE_KX: 900 case LDNS_RR_TYPE_MX: 901 case LDNS_RR_TYPE_SIG: 902 /* RRSIG signer name has to be downcased */ 903 case LDNS_RR_TYPE_RRSIG: 904 case LDNS_RR_TYPE_PX: 905 case LDNS_RR_TYPE_NAPTR: 906 case LDNS_RR_TYPE_SRV: 907 desc = ldns_rr_descript(type); 908 log_assert(desc); 909 /* this holds for the types that need canonicalizing */ 910 log_assert(desc->_minimum == desc->_maximum); 911 return canonical_compare_byfield(d, desc, i, j); 912 913 case LDNS_RR_TYPE_HINFO: /* no longer downcased */ 914 case LDNS_RR_TYPE_NSEC: 915 default: 916 /* For unknown RR types, or types not listed above, 917 * no canonicalization is needed, do binary compare */ 918 /* byte for byte compare, equal means shortest first*/ 919 minlen = d->rr_len[i]-2; 920 if(minlen > d->rr_len[j]-2) 921 minlen = d->rr_len[j]-2; 922 c = memcmp(d->rr_data[i]+2, d->rr_data[j]+2, minlen); 923 if(c!=0) 924 return c; 925 /* rdata equal, shortest is first */ 926 if(d->rr_len[i] < d->rr_len[j]) 927 return -1; 928 if(d->rr_len[i] > d->rr_len[j]) 929 return 1; 930 /* rdata equal, length equal */ 931 break; 932 } 933 return 0; 934 } 935 936 int 937 canonical_tree_compare(const void* k1, const void* k2) 938 { 939 struct canon_rr* r1 = (struct canon_rr*)k1; 940 struct canon_rr* r2 = (struct canon_rr*)k2; 941 log_assert(r1->rrset == r2->rrset); 942 return canonical_compare(r1->rrset, r1->rr_idx, r2->rr_idx); 943 } 944 945 /** 946 * Sort RRs for rrset in canonical order. 947 * Does not actually canonicalize the RR rdatas. 948 * Does not touch rrsigs. 949 * @param rrset: to sort. 950 * @param d: rrset data. 951 * @param sortree: tree to sort into. 952 * @param rrs: rr storage. 953 */ 954 static void 955 canonical_sort(struct ub_packed_rrset_key* rrset, struct packed_rrset_data* d, 956 rbtree_t* sortree, struct canon_rr* rrs) 957 { 958 size_t i; 959 /* insert into rbtree to sort and detect duplicates */ 960 for(i=0; i<d->count; i++) { 961 rrs[i].node.key = &rrs[i]; 962 rrs[i].rrset = rrset; 963 rrs[i].rr_idx = i; 964 if(!rbtree_insert(sortree, &rrs[i].node)) { 965 /* this was a duplicate */ 966 } 967 } 968 } 969 970 /** 971 * Inser canonical owner name into buffer. 972 * @param buf: buffer to insert into at current position. 973 * @param k: rrset with its owner name. 974 * @param sig: signature with signer name and label count. 975 * must be length checked, at least 18 bytes long. 976 * @param can_owner: position in buffer returned for future use. 977 * @param can_owner_len: length of canonical owner name. 978 */ 979 static void 980 insert_can_owner(ldns_buffer* buf, struct ub_packed_rrset_key* k, 981 uint8_t* sig, uint8_t** can_owner, size_t* can_owner_len) 982 { 983 int rrsig_labels = (int)sig[3]; 984 int fqdn_labels = dname_signame_label_count(k->rk.dname); 985 *can_owner = ldns_buffer_current(buf); 986 if(rrsig_labels == fqdn_labels) { 987 /* no change */ 988 ldns_buffer_write(buf, k->rk.dname, k->rk.dname_len); 989 query_dname_tolower(*can_owner); 990 *can_owner_len = k->rk.dname_len; 991 return; 992 } 993 log_assert(rrsig_labels < fqdn_labels); 994 /* *. | fqdn(rightmost rrsig_labels) */ 995 if(rrsig_labels < fqdn_labels) { 996 int i; 997 uint8_t* nm = k->rk.dname; 998 size_t len = k->rk.dname_len; 999 /* so skip fqdn_labels-rrsig_labels */ 1000 for(i=0; i<fqdn_labels-rrsig_labels; i++) { 1001 dname_remove_label(&nm, &len); 1002 } 1003 *can_owner_len = len+2; 1004 ldns_buffer_write(buf, (uint8_t*)"\001*", 2); 1005 ldns_buffer_write(buf, nm, len); 1006 query_dname_tolower(*can_owner); 1007 } 1008 } 1009 1010 /** 1011 * Canonicalize Rdata in buffer. 1012 * @param buf: buffer at position just after the rdata. 1013 * @param rrset: rrset with type. 1014 * @param len: length of the rdata (including rdatalen uint16). 1015 */ 1016 static void 1017 canonicalize_rdata(ldns_buffer* buf, struct ub_packed_rrset_key* rrset, 1018 size_t len) 1019 { 1020 uint8_t* datstart = ldns_buffer_current(buf)-len+2; 1021 switch(ntohs(rrset->rk.type)) { 1022 case LDNS_RR_TYPE_NXT: 1023 case LDNS_RR_TYPE_NS: 1024 case LDNS_RR_TYPE_MD: 1025 case LDNS_RR_TYPE_MF: 1026 case LDNS_RR_TYPE_CNAME: 1027 case LDNS_RR_TYPE_MB: 1028 case LDNS_RR_TYPE_MG: 1029 case LDNS_RR_TYPE_MR: 1030 case LDNS_RR_TYPE_PTR: 1031 case LDNS_RR_TYPE_DNAME: 1032 /* type only has a single argument, the name */ 1033 query_dname_tolower(datstart); 1034 return; 1035 case LDNS_RR_TYPE_MINFO: 1036 case LDNS_RR_TYPE_RP: 1037 case LDNS_RR_TYPE_SOA: 1038 /* two names after another */ 1039 query_dname_tolower(datstart); 1040 query_dname_tolower(datstart + 1041 dname_valid(datstart, len-2)); 1042 return; 1043 case LDNS_RR_TYPE_RT: 1044 case LDNS_RR_TYPE_AFSDB: 1045 case LDNS_RR_TYPE_KX: 1046 case LDNS_RR_TYPE_MX: 1047 /* skip fixed part */ 1048 if(len < 2+2+1) /* rdlen, skiplen, 1byteroot */ 1049 return; 1050 datstart += 2; 1051 query_dname_tolower(datstart); 1052 return; 1053 case LDNS_RR_TYPE_SIG: 1054 /* downcase the RRSIG, compat with BIND (kept it from SIG) */ 1055 case LDNS_RR_TYPE_RRSIG: 1056 /* skip fixed part */ 1057 if(len < 2+18+1) 1058 return; 1059 datstart += 18; 1060 query_dname_tolower(datstart); 1061 return; 1062 case LDNS_RR_TYPE_PX: 1063 /* skip, then two names after another */ 1064 if(len < 2+2+1) 1065 return; 1066 datstart += 2; 1067 query_dname_tolower(datstart); 1068 query_dname_tolower(datstart + 1069 dname_valid(datstart, len-2-2)); 1070 return; 1071 case LDNS_RR_TYPE_NAPTR: 1072 if(len < 2+4) 1073 return; 1074 len -= 2+4; 1075 datstart += 4; 1076 if(len < (size_t)datstart[0]+1) /* skip text field */ 1077 return; 1078 len -= (size_t)datstart[0]+1; 1079 datstart += (size_t)datstart[0]+1; 1080 if(len < (size_t)datstart[0]+1) /* skip text field */ 1081 return; 1082 len -= (size_t)datstart[0]+1; 1083 datstart += (size_t)datstart[0]+1; 1084 if(len < (size_t)datstart[0]+1) /* skip text field */ 1085 return; 1086 len -= (size_t)datstart[0]+1; 1087 datstart += (size_t)datstart[0]+1; 1088 if(len < 1) /* check name is at least 1 byte*/ 1089 return; 1090 query_dname_tolower(datstart); 1091 return; 1092 case LDNS_RR_TYPE_SRV: 1093 /* skip fixed part */ 1094 if(len < 2+6+1) 1095 return; 1096 datstart += 6; 1097 query_dname_tolower(datstart); 1098 return; 1099 1100 /* do not canonicalize NSEC rdata name, compat with 1101 * from bind 9.4 signer, where it does not do so */ 1102 case LDNS_RR_TYPE_NSEC: /* type starts with the name */ 1103 case LDNS_RR_TYPE_HINFO: /* not downcased */ 1104 /* A6 not supported */ 1105 default: 1106 /* nothing to do for unknown types */ 1107 return; 1108 } 1109 } 1110 1111 /** 1112 * Create canonical form of rrset in the scratch buffer. 1113 * @param region: temporary region. 1114 * @param buf: the buffer to use. 1115 * @param k: the rrset to insert. 1116 * @param sig: RRSIG rdata to include. 1117 * @param siglen: RRSIG rdata len excluding signature field, but inclusive 1118 * signer name length. 1119 * @param sortree: if NULL is passed a new sorted rrset tree is built. 1120 * Otherwise it is reused. 1121 * @return false on alloc error. 1122 */ 1123 static int 1124 rrset_canonical(struct regional* region, ldns_buffer* buf, 1125 struct ub_packed_rrset_key* k, uint8_t* sig, size_t siglen, 1126 struct rbtree_t** sortree) 1127 { 1128 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; 1129 uint8_t* can_owner = NULL; 1130 size_t can_owner_len = 0; 1131 struct canon_rr* walk; 1132 struct canon_rr* rrs; 1133 1134 if(!*sortree) { 1135 *sortree = (struct rbtree_t*)regional_alloc(region, 1136 sizeof(rbtree_t)); 1137 if(!*sortree) 1138 return 0; 1139 rrs = regional_alloc(region, sizeof(struct canon_rr)*d->count); 1140 if(!rrs) { 1141 *sortree = NULL; 1142 return 0; 1143 } 1144 rbtree_init(*sortree, &canonical_tree_compare); 1145 canonical_sort(k, d, *sortree, rrs); 1146 } 1147 1148 ldns_buffer_clear(buf); 1149 ldns_buffer_write(buf, sig, siglen); 1150 /* canonicalize signer name */ 1151 query_dname_tolower(ldns_buffer_begin(buf)+18); 1152 RBTREE_FOR(walk, struct canon_rr*, (*sortree)) { 1153 /* see if there is enough space left in the buffer */ 1154 if(ldns_buffer_remaining(buf) < can_owner_len + 2 + 2 + 4 1155 + d->rr_len[walk->rr_idx]) { 1156 log_err("verify: failed to canonicalize, " 1157 "rrset too big"); 1158 return 0; 1159 } 1160 /* determine canonical owner name */ 1161 if(can_owner) 1162 ldns_buffer_write(buf, can_owner, can_owner_len); 1163 else insert_can_owner(buf, k, sig, &can_owner, 1164 &can_owner_len); 1165 ldns_buffer_write(buf, &k->rk.type, 2); 1166 ldns_buffer_write(buf, &k->rk.rrset_class, 2); 1167 ldns_buffer_write(buf, sig+4, 4); 1168 ldns_buffer_write(buf, d->rr_data[walk->rr_idx], 1169 d->rr_len[walk->rr_idx]); 1170 canonicalize_rdata(buf, k, d->rr_len[walk->rr_idx]); 1171 } 1172 ldns_buffer_flip(buf); 1173 return 1; 1174 } 1175 1176 /** pretty print rrsig error with dates */ 1177 static void 1178 sigdate_error(const char* str, int32_t expi, int32_t incep, int32_t now) 1179 { 1180 struct tm tm; 1181 char expi_buf[16]; 1182 char incep_buf[16]; 1183 char now_buf[16]; 1184 time_t te, ti, tn; 1185 1186 if(verbosity < VERB_QUERY) 1187 return; 1188 te = (time_t)expi; 1189 ti = (time_t)incep; 1190 tn = (time_t)now; 1191 memset(&tm, 0, sizeof(tm)); 1192 if(gmtime_r(&te, &tm) && strftime(expi_buf, 15, "%Y%m%d%H%M%S", &tm) 1193 &&gmtime_r(&ti, &tm) && strftime(incep_buf, 15, "%Y%m%d%H%M%S", &tm) 1194 &&gmtime_r(&tn, &tm) && strftime(now_buf, 15, "%Y%m%d%H%M%S", &tm)) { 1195 log_info("%s expi=%s incep=%s now=%s", str, expi_buf, 1196 incep_buf, now_buf); 1197 } else 1198 log_info("%s expi=%u incep=%u now=%u", str, (unsigned)expi, 1199 (unsigned)incep, (unsigned)now); 1200 } 1201 1202 /** check rrsig dates */ 1203 static int 1204 check_dates(struct val_env* ve, uint32_t unow, 1205 uint8_t* expi_p, uint8_t* incep_p, char** reason) 1206 { 1207 /* read out the dates */ 1208 int32_t expi, incep, now; 1209 memmove(&expi, expi_p, sizeof(expi)); 1210 memmove(&incep, incep_p, sizeof(incep)); 1211 expi = ntohl(expi); 1212 incep = ntohl(incep); 1213 1214 /* get current date */ 1215 if(ve->date_override) { 1216 if(ve->date_override == -1) { 1217 verbose(VERB_ALGO, "date override: ignore date"); 1218 return 1; 1219 } 1220 now = ve->date_override; 1221 verbose(VERB_ALGO, "date override option %d", (int)now); 1222 } else now = (int32_t)unow; 1223 1224 /* check them */ 1225 if(incep - expi > 0) { 1226 sigdate_error("verify: inception after expiration, " 1227 "signature bad", expi, incep, now); 1228 *reason = "signature inception after expiration"; 1229 return 0; 1230 } 1231 if(incep - now > 0) { 1232 /* within skew ? (calc here to avoid calculation normally) */ 1233 int32_t skew = (expi-incep)/10; 1234 if(skew < ve->skew_min) skew = ve->skew_min; 1235 if(skew > ve->skew_max) skew = ve->skew_max; 1236 if(incep - now > skew) { 1237 sigdate_error("verify: signature bad, current time is" 1238 " before inception date", expi, incep, now); 1239 *reason = "signature before inception date"; 1240 return 0; 1241 } 1242 sigdate_error("verify warning suspicious signature inception " 1243 " or bad local clock", expi, incep, now); 1244 } 1245 if(now - expi > 0) { 1246 int32_t skew = (expi-incep)/10; 1247 if(skew < ve->skew_min) skew = ve->skew_min; 1248 if(skew > ve->skew_max) skew = ve->skew_max; 1249 if(now - expi > skew) { 1250 sigdate_error("verify: signature expired", expi, 1251 incep, now); 1252 *reason = "signature expired"; 1253 return 0; 1254 } 1255 sigdate_error("verify warning suspicious signature expiration " 1256 " or bad local clock", expi, incep, now); 1257 } 1258 return 1; 1259 } 1260 1261 /** adjust rrset TTL for verified rrset, compare to original TTL and expi */ 1262 static void 1263 adjust_ttl(struct val_env* ve, uint32_t unow, 1264 struct ub_packed_rrset_key* rrset, uint8_t* orig_p, 1265 uint8_t* expi_p, uint8_t* incep_p) 1266 { 1267 struct packed_rrset_data* d = 1268 (struct packed_rrset_data*)rrset->entry.data; 1269 /* read out the dates */ 1270 int32_t origttl, expittl, expi, incep, now; 1271 memmove(&origttl, orig_p, sizeof(origttl)); 1272 memmove(&expi, expi_p, sizeof(expi)); 1273 memmove(&incep, incep_p, sizeof(incep)); 1274 expi = ntohl(expi); 1275 incep = ntohl(incep); 1276 origttl = ntohl(origttl); 1277 1278 /* get current date */ 1279 if(ve->date_override) { 1280 now = ve->date_override; 1281 } else now = (int32_t)unow; 1282 expittl = expi - now; 1283 1284 /* so now: 1285 * d->ttl: rrset ttl read from message or cache. May be reduced 1286 * origttl: original TTL from signature, authoritative TTL max. 1287 * expittl: TTL until the signature expires. 1288 * 1289 * Use the smallest of these. 1290 */ 1291 if(d->ttl > (uint32_t)origttl) { 1292 verbose(VERB_QUERY, "rrset TTL larger than original TTL," 1293 " adjusting TTL downwards"); 1294 d->ttl = origttl; 1295 } 1296 if(expittl > 0 && d->ttl > (uint32_t)expittl) { 1297 verbose(VERB_ALGO, "rrset TTL larger than sig expiration ttl," 1298 " adjusting TTL downwards"); 1299 d->ttl = expittl; 1300 } 1301 } 1302 1303 1304 /** 1305 * Output a libcrypto openssl error to the logfile. 1306 * @param str: string to add to it. 1307 * @param e: the error to output, error number from ERR_get_error(). 1308 */ 1309 static void 1310 log_crypto_error(const char* str, unsigned long e) 1311 { 1312 char buf[128]; 1313 /* or use ERR_error_string if ERR_error_string_n is not avail TODO */ 1314 ERR_error_string_n(e, buf, sizeof(buf)); 1315 /* buf now contains */ 1316 /* error:[error code]:[library name]:[function name]:[reason string] */ 1317 log_err("%s crypto %s", str, buf); 1318 } 1319 1320 /** 1321 * Setup DSA key digest in DER encoding ... 1322 * @param sig: input is signature output alloced ptr (unless failure). 1323 * caller must free alloced ptr if this routine returns true. 1324 * @param len: intput is initial siglen, output is output len. 1325 * @return false on failure. 1326 */ 1327 static int 1328 setup_dsa_sig(unsigned char** sig, unsigned int* len) 1329 { 1330 unsigned char* orig = *sig; 1331 unsigned int origlen = *len; 1332 int newlen; 1333 BIGNUM *R, *S; 1334 DSA_SIG *dsasig; 1335 1336 /* extract the R and S field from the sig buffer */ 1337 if(origlen < 1 + 2*SHA_DIGEST_LENGTH) 1338 return 0; 1339 R = BN_new(); 1340 if(!R) return 0; 1341 (void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R); 1342 S = BN_new(); 1343 if(!S) return 0; 1344 (void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S); 1345 dsasig = DSA_SIG_new(); 1346 if(!dsasig) return 0; 1347 1348 dsasig->r = R; 1349 dsasig->s = S; 1350 *sig = NULL; 1351 newlen = i2d_DSA_SIG(dsasig, sig); 1352 if(newlen < 0) { 1353 free(*sig); 1354 return 0; 1355 } 1356 *len = (unsigned int)newlen; 1357 DSA_SIG_free(dsasig); 1358 return 1; 1359 } 1360 1361 /** 1362 * Setup key and digest for verification. Adjust sig if necessary. 1363 * 1364 * @param algo: key algorithm 1365 * @param evp_key: EVP PKEY public key to create. 1366 * @param digest_type: digest type to use 1367 * @param key: key to setup for. 1368 * @param keylen: length of key. 1369 * @return false on failure. 1370 */ 1371 static int 1372 setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, 1373 unsigned char* key, size_t keylen) 1374 { 1375 DSA* dsa; 1376 RSA* rsa; 1377 1378 switch(algo) { 1379 case LDNS_DSA: 1380 case LDNS_DSA_NSEC3: 1381 *evp_key = EVP_PKEY_new(); 1382 if(!*evp_key) { 1383 log_err("verify: malloc failure in crypto"); 1384 return sec_status_unchecked; 1385 } 1386 dsa = ldns_key_buf2dsa_raw(key, keylen); 1387 if(!dsa) { 1388 verbose(VERB_QUERY, "verify: " 1389 "ldns_key_buf2dsa_raw failed"); 1390 return 0; 1391 } 1392 if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) { 1393 verbose(VERB_QUERY, "verify: " 1394 "EVP_PKEY_assign_DSA failed"); 1395 return 0; 1396 } 1397 *digest_type = EVP_dss1(); 1398 1399 break; 1400 case LDNS_RSASHA1: 1401 case LDNS_RSASHA1_NSEC3: 1402 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 1403 case LDNS_RSASHA256: 1404 #endif 1405 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 1406 case LDNS_RSASHA512: 1407 #endif 1408 *evp_key = EVP_PKEY_new(); 1409 if(!*evp_key) { 1410 log_err("verify: malloc failure in crypto"); 1411 return sec_status_unchecked; 1412 } 1413 rsa = ldns_key_buf2rsa_raw(key, keylen); 1414 if(!rsa) { 1415 verbose(VERB_QUERY, "verify: " 1416 "ldns_key_buf2rsa_raw SHA failed"); 1417 return 0; 1418 } 1419 if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) { 1420 verbose(VERB_QUERY, "verify: " 1421 "EVP_PKEY_assign_RSA SHA failed"); 1422 return 0; 1423 } 1424 1425 /* select SHA version */ 1426 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 1427 if(algo == LDNS_RSASHA256) 1428 *digest_type = EVP_sha256(); 1429 else 1430 #endif 1431 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 1432 if(algo == LDNS_RSASHA512) 1433 *digest_type = EVP_sha512(); 1434 else 1435 #endif 1436 *digest_type = EVP_sha1(); 1437 1438 break; 1439 case LDNS_RSAMD5: 1440 *evp_key = EVP_PKEY_new(); 1441 if(!*evp_key) { 1442 log_err("verify: malloc failure in crypto"); 1443 return sec_status_unchecked; 1444 } 1445 rsa = ldns_key_buf2rsa_raw(key, keylen); 1446 if(!rsa) { 1447 verbose(VERB_QUERY, "verify: " 1448 "ldns_key_buf2rsa_raw MD5 failed"); 1449 return 0; 1450 } 1451 if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) { 1452 verbose(VERB_QUERY, "verify: " 1453 "EVP_PKEY_assign_RSA MD5 failed"); 1454 return 0; 1455 } 1456 *digest_type = EVP_md5(); 1457 1458 break; 1459 #ifdef USE_GOST 1460 case LDNS_ECC_GOST: 1461 *evp_key = ldns_gost2pkey_raw(key, keylen); 1462 if(!*evp_key) { 1463 verbose(VERB_QUERY, "verify: " 1464 "ldns_gost2pkey_raw failed"); 1465 return 0; 1466 } 1467 *digest_type = EVP_get_digestbyname("md_gost94"); 1468 if(!*digest_type) { 1469 verbose(VERB_QUERY, "verify: " 1470 "EVP_getdigest md_gost94 failed"); 1471 return 0; 1472 } 1473 break; 1474 #endif 1475 default: 1476 verbose(VERB_QUERY, "verify: unknown algorithm %d", 1477 algo); 1478 return 0; 1479 } 1480 return 1; 1481 } 1482 1483 /** 1484 * Check a canonical sig+rrset and signature against a dnskey 1485 * @param buf: buffer with data to verify, the first rrsig part and the 1486 * canonicalized rrset. 1487 * @param algo: DNSKEY algorithm. 1488 * @param sigblock: signature rdata field from RRSIG 1489 * @param sigblock_len: length of sigblock data. 1490 * @param key: public key data from DNSKEY RR. 1491 * @param keylen: length of keydata. 1492 * @param reason: bogus reason in more detail. 1493 * @return secure if verification succeeded, bogus on crypto failure, 1494 * unchecked on format errors and alloc failures. 1495 */ 1496 static enum sec_status 1497 verify_canonrrset(ldns_buffer* buf, int algo, unsigned char* sigblock, 1498 unsigned int sigblock_len, unsigned char* key, unsigned int keylen, 1499 char** reason) 1500 { 1501 const EVP_MD *digest_type; 1502 EVP_MD_CTX ctx; 1503 int res, dofree = 0; 1504 EVP_PKEY *evp_key = NULL; 1505 1506 if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) { 1507 verbose(VERB_QUERY, "verify: failed to setup key"); 1508 *reason = "use of key for crypto failed"; 1509 EVP_PKEY_free(evp_key); 1510 return sec_status_bogus; 1511 } 1512 /* if it is a DSA signature in bind format, convert to DER format */ 1513 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) && 1514 sigblock_len == 1+2*SHA_DIGEST_LENGTH) { 1515 if(!setup_dsa_sig(&sigblock, &sigblock_len)) { 1516 verbose(VERB_QUERY, "verify: failed to setup DSA sig"); 1517 *reason = "use of key for DSA crypto failed"; 1518 EVP_PKEY_free(evp_key); 1519 return sec_status_bogus; 1520 } 1521 dofree = 1; 1522 } 1523 1524 /* do the signature cryptography work */ 1525 EVP_MD_CTX_init(&ctx); 1526 if(EVP_VerifyInit(&ctx, digest_type) == 0) { 1527 verbose(VERB_QUERY, "verify: EVP_VerifyInit failed"); 1528 EVP_PKEY_free(evp_key); 1529 if(dofree) free(sigblock); 1530 return sec_status_unchecked; 1531 } 1532 if(EVP_VerifyUpdate(&ctx, (unsigned char*)ldns_buffer_begin(buf), 1533 (unsigned int)ldns_buffer_limit(buf)) == 0) { 1534 verbose(VERB_QUERY, "verify: EVP_VerifyUpdate failed"); 1535 EVP_PKEY_free(evp_key); 1536 if(dofree) free(sigblock); 1537 return sec_status_unchecked; 1538 } 1539 1540 res = EVP_VerifyFinal(&ctx, sigblock, sigblock_len, evp_key); 1541 if(EVP_MD_CTX_cleanup(&ctx) == 0) { 1542 verbose(VERB_QUERY, "verify: EVP_MD_CTX_cleanup failed"); 1543 EVP_PKEY_free(evp_key); 1544 if(dofree) free(sigblock); 1545 return sec_status_unchecked; 1546 } 1547 EVP_PKEY_free(evp_key); 1548 1549 if(dofree) 1550 free(sigblock); 1551 1552 if(res == 1) { 1553 return sec_status_secure; 1554 } else if(res == 0) { 1555 verbose(VERB_QUERY, "verify: signature mismatch"); 1556 *reason = "signature crypto failed"; 1557 return sec_status_bogus; 1558 } 1559 1560 log_crypto_error("verify:", ERR_get_error()); 1561 return sec_status_unchecked; 1562 } 1563 1564 enum sec_status 1565 dnskey_verify_rrset_sig(struct regional* region, ldns_buffer* buf, 1566 struct val_env* ve, uint32_t now, 1567 struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, 1568 size_t dnskey_idx, size_t sig_idx, 1569 struct rbtree_t** sortree, int* buf_canon, char** reason) 1570 { 1571 enum sec_status sec; 1572 uint8_t* sig; /* RRSIG rdata */ 1573 size_t siglen; 1574 size_t rrnum = rrset_get_count(rrset); 1575 uint8_t* signer; /* rrsig signer name */ 1576 size_t signer_len; 1577 unsigned char* sigblock; /* signature rdata field */ 1578 unsigned int sigblock_len; 1579 uint16_t ktag; /* DNSKEY key tag */ 1580 unsigned char* key; /* public key rdata field */ 1581 unsigned int keylen; 1582 rrset_get_rdata(rrset, rrnum + sig_idx, &sig, &siglen); 1583 /* min length of rdatalen, fixed rrsig, root signer, 1 byte sig */ 1584 if(siglen < 2+20) { 1585 verbose(VERB_QUERY, "verify: signature too short"); 1586 *reason = "signature too short"; 1587 return sec_status_bogus; 1588 } 1589 1590 if(!(dnskey_get_flags(dnskey, dnskey_idx) & DNSKEY_BIT_ZSK)) { 1591 verbose(VERB_QUERY, "verify: dnskey without ZSK flag"); 1592 *reason = "dnskey without ZSK flag"; 1593 return sec_status_bogus; 1594 } 1595 1596 if(dnskey_get_protocol(dnskey, dnskey_idx) != LDNS_DNSSEC_KEYPROTO) { 1597 /* RFC 4034 says DNSKEY PROTOCOL MUST be 3 */ 1598 verbose(VERB_QUERY, "verify: dnskey has wrong key protocol"); 1599 *reason = "dnskey has wrong protocolnumber"; 1600 return sec_status_bogus; 1601 } 1602 1603 /* verify as many fields in rrsig as possible */ 1604 signer = sig+2+18; 1605 signer_len = dname_valid(signer, siglen-2-18); 1606 if(!signer_len) { 1607 verbose(VERB_QUERY, "verify: malformed signer name"); 1608 *reason = "signer name malformed"; 1609 return sec_status_bogus; /* signer name invalid */ 1610 } 1611 if(!dname_subdomain_c(rrset->rk.dname, signer)) { 1612 verbose(VERB_QUERY, "verify: signer name is off-tree"); 1613 *reason = "signer name off-tree"; 1614 return sec_status_bogus; /* signer name offtree */ 1615 } 1616 sigblock = (unsigned char*)signer+signer_len; 1617 if(siglen < 2+18+signer_len+1) { 1618 verbose(VERB_QUERY, "verify: too short, no signature data"); 1619 *reason = "signature too short, no signature data"; 1620 return sec_status_bogus; /* sig rdf is < 1 byte */ 1621 } 1622 sigblock_len = (unsigned int)(siglen - 2 - 18 - signer_len); 1623 1624 /* verify key dname == sig signer name */ 1625 if(query_dname_compare(signer, dnskey->rk.dname) != 0) { 1626 verbose(VERB_QUERY, "verify: wrong key for rrsig"); 1627 log_nametypeclass(VERB_QUERY, "RRSIG signername is", 1628 signer, 0, 0); 1629 log_nametypeclass(VERB_QUERY, "the key name is", 1630 dnskey->rk.dname, 0, 0); 1631 *reason = "signer name mismatches key name"; 1632 return sec_status_bogus; 1633 } 1634 1635 /* verify covered type */ 1636 /* memcmp works because type is in network format for rrset */ 1637 if(memcmp(sig+2, &rrset->rk.type, 2) != 0) { 1638 verbose(VERB_QUERY, "verify: wrong type covered"); 1639 *reason = "signature covers wrong type"; 1640 return sec_status_bogus; 1641 } 1642 /* verify keytag and sig algo (possibly again) */ 1643 if((int)sig[2+2] != dnskey_get_algo(dnskey, dnskey_idx)) { 1644 verbose(VERB_QUERY, "verify: wrong algorithm"); 1645 *reason = "signature has wrong algorithm"; 1646 return sec_status_bogus; 1647 } 1648 ktag = htons(dnskey_calc_keytag(dnskey, dnskey_idx)); 1649 if(memcmp(sig+2+16, &ktag, 2) != 0) { 1650 verbose(VERB_QUERY, "verify: wrong keytag"); 1651 *reason = "signature has wrong keytag"; 1652 return sec_status_bogus; 1653 } 1654 1655 /* verify labels is in a valid range */ 1656 if((int)sig[2+3] > dname_signame_label_count(rrset->rk.dname)) { 1657 verbose(VERB_QUERY, "verify: labelcount out of range"); 1658 *reason = "signature labelcount out of range"; 1659 return sec_status_bogus; 1660 } 1661 1662 /* original ttl, always ok */ 1663 1664 if(!*buf_canon) { 1665 /* create rrset canonical format in buffer, ready for 1666 * signature */ 1667 if(!rrset_canonical(region, buf, rrset, sig+2, 1668 18 + signer_len, sortree)) { 1669 log_err("verify: failed due to alloc error"); 1670 return sec_status_unchecked; 1671 } 1672 *buf_canon = 1; 1673 } 1674 1675 /* check that dnskey is available */ 1676 dnskey_get_pubkey(dnskey, dnskey_idx, &key, &keylen); 1677 if(!key) { 1678 verbose(VERB_QUERY, "verify: short DNSKEY RR"); 1679 return sec_status_unchecked; 1680 } 1681 1682 /* verify */ 1683 sec = verify_canonrrset(buf, (int)sig[2+2], 1684 sigblock, sigblock_len, key, keylen, reason); 1685 1686 if(sec == sec_status_secure) { 1687 /* check if TTL is too high - reduce if so */ 1688 adjust_ttl(ve, now, rrset, sig+2+4, sig+2+8, sig+2+12); 1689 1690 /* verify inception, expiration dates 1691 * Do this last so that if you ignore expired-sigs the 1692 * rest is sure to be OK. */ 1693 if(!check_dates(ve, now, sig+2+8, sig+2+12, reason)) { 1694 return sec_status_bogus; 1695 } 1696 } 1697 1698 return sec; 1699 } 1700