xref: /freebsd/contrib/unbound/validator/val_sigcrypt.c (revision 907b59d76938e654f0d040a888e8dfca3de1e222)
1 /*
2  * validator/val_sigcrypt.c - validator signature crypto functions.
3  *
4  * Copyright (c) 2007, NLnet Labs. All rights reserved.
5  *
6  * This software is open source.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * Redistributions of source code must retain the above copyright notice,
13  * this list of conditions and the following disclaimer.
14  *
15  * Redistributions in binary form must reproduce the above copyright notice,
16  * this list of conditions and the following disclaimer in the documentation
17  * and/or other materials provided with the distribution.
18  *
19  * Neither the name of the NLNET LABS nor the names of its contributors may
20  * be used to endorse or promote products derived from this software without
21  * specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 /**
37  * \file
38  *
39  * This file contains helper functions for the validator module.
40  * The functions help with signature verification and checking, the
41  * bridging between RR wireformat data and crypto calls.
42  */
43 #include "config.h"
44 #include "validator/val_sigcrypt.h"
45 #include "validator/val_secalgo.h"
46 #include "validator/validator.h"
47 #include "util/data/msgreply.h"
48 #include "util/data/msgparse.h"
49 #include "util/data/dname.h"
50 #include "util/rbtree.h"
51 #include "util/module.h"
52 #include "util/net_help.h"
53 #include "util/regional.h"
54 #include "sldns/keyraw.h"
55 #include "sldns/sbuffer.h"
56 #include "sldns/parseutil.h"
57 #include "sldns/wire2str.h"
58 
59 #include <ctype.h>
60 #if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
61 #error "Need crypto library to do digital signature cryptography"
62 #endif
63 
64 #ifdef HAVE_OPENSSL_ERR_H
65 #include <openssl/err.h>
66 #endif
67 
68 #ifdef HAVE_OPENSSL_RAND_H
69 #include <openssl/rand.h>
70 #endif
71 
72 #ifdef HAVE_OPENSSL_CONF_H
73 #include <openssl/conf.h>
74 #endif
75 
76 #ifdef HAVE_OPENSSL_ENGINE_H
77 #include <openssl/engine.h>
78 #endif
79 
80 /** return number of rrs in an rrset */
81 static size_t
82 rrset_get_count(struct ub_packed_rrset_key* rrset)
83 {
84 	struct packed_rrset_data* d = (struct packed_rrset_data*)
85 	rrset->entry.data;
86 	if(!d) return 0;
87 	return d->count;
88 }
89 
90 /**
91  * Get RR signature count
92  */
93 static size_t
94 rrset_get_sigcount(struct ub_packed_rrset_key* k)
95 {
96 	struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data;
97 	return d->rrsig_count;
98 }
99 
100 /**
101  * Get signature keytag value
102  * @param k: rrset (with signatures)
103  * @param sig_idx: signature index.
104  * @return keytag or 0 if malformed rrsig.
105  */
106 static uint16_t
107 rrset_get_sig_keytag(struct ub_packed_rrset_key* k, size_t sig_idx)
108 {
109 	uint16_t t;
110 	struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data;
111 	log_assert(sig_idx < d->rrsig_count);
112 	if(d->rr_len[d->count + sig_idx] < 2+18)
113 		return 0;
114 	memmove(&t, d->rr_data[d->count + sig_idx]+2+16, 2);
115 	return ntohs(t);
116 }
117 
118 /**
119  * Get signature signing algorithm value
120  * @param k: rrset (with signatures)
121  * @param sig_idx: signature index.
122  * @return algo or 0 if malformed rrsig.
123  */
124 static int
125 rrset_get_sig_algo(struct ub_packed_rrset_key* k, size_t sig_idx)
126 {
127 	struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data;
128 	log_assert(sig_idx < d->rrsig_count);
129 	if(d->rr_len[d->count + sig_idx] < 2+3)
130 		return 0;
131 	return (int)d->rr_data[d->count + sig_idx][2+2];
132 }
133 
134 /** get rdata pointer and size */
135 static void
136 rrset_get_rdata(struct ub_packed_rrset_key* k, size_t idx, uint8_t** rdata,
137 	size_t* len)
138 {
139 	struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data;
140 	log_assert(d && idx < (d->count + d->rrsig_count));
141 	*rdata = d->rr_data[idx];
142 	*len = d->rr_len[idx];
143 }
144 
145 uint16_t
146 dnskey_get_flags(struct ub_packed_rrset_key* k, size_t idx)
147 {
148 	uint8_t* rdata;
149 	size_t len;
150 	uint16_t f;
151 	rrset_get_rdata(k, idx, &rdata, &len);
152 	if(len < 2+2)
153 		return 0;
154 	memmove(&f, rdata+2, 2);
155 	f = ntohs(f);
156 	return f;
157 }
158 
159 /**
160  * Get DNSKEY protocol value from rdata
161  * @param k: DNSKEY rrset.
162  * @param idx: which key.
163  * @return protocol octet value
164  */
165 static int
166 dnskey_get_protocol(struct ub_packed_rrset_key* k, size_t idx)
167 {
168 	uint8_t* rdata;
169 	size_t len;
170 	rrset_get_rdata(k, idx, &rdata, &len);
171 	if(len < 2+4)
172 		return 0;
173 	return (int)rdata[2+2];
174 }
175 
176 int
177 dnskey_get_algo(struct ub_packed_rrset_key* k, size_t idx)
178 {
179 	uint8_t* rdata;
180 	size_t len;
181 	rrset_get_rdata(k, idx, &rdata, &len);
182 	if(len < 2+4)
183 		return 0;
184 	return (int)rdata[2+3];
185 }
186 
187 /** get public key rdata field from a dnskey RR and do some checks */
188 static void
189 dnskey_get_pubkey(struct ub_packed_rrset_key* k, size_t idx,
190 	unsigned char** pk, unsigned int* pklen)
191 {
192 	uint8_t* rdata;
193 	size_t len;
194 	rrset_get_rdata(k, idx, &rdata, &len);
195 	if(len < 2+5) {
196 		*pk = NULL;
197 		*pklen = 0;
198 		return;
199 	}
200 	*pk = (unsigned char*)rdata+2+4;
201 	*pklen = (unsigned)len-2-4;
202 }
203 
204 int
205 ds_get_key_algo(struct ub_packed_rrset_key* k, size_t idx)
206 {
207 	uint8_t* rdata;
208 	size_t len;
209 	rrset_get_rdata(k, idx, &rdata, &len);
210 	if(len < 2+3)
211 		return 0;
212 	return (int)rdata[2+2];
213 }
214 
215 int
216 ds_get_digest_algo(struct ub_packed_rrset_key* k, size_t idx)
217 {
218 	uint8_t* rdata;
219 	size_t len;
220 	rrset_get_rdata(k, idx, &rdata, &len);
221 	if(len < 2+4)
222 		return 0;
223 	return (int)rdata[2+3];
224 }
225 
226 uint16_t
227 ds_get_keytag(struct ub_packed_rrset_key* ds_rrset, size_t ds_idx)
228 {
229 	uint16_t t;
230 	uint8_t* rdata;
231 	size_t len;
232 	rrset_get_rdata(ds_rrset, ds_idx, &rdata, &len);
233 	if(len < 2+2)
234 		return 0;
235 	memmove(&t, rdata+2, 2);
236 	return ntohs(t);
237 }
238 
239 /**
240  * Return pointer to the digest in a DS RR.
241  * @param k: DS rrset.
242  * @param idx: which DS.
243  * @param digest: digest data is returned.
244  *	on error, this is NULL.
245  * @param len: length of digest is returned.
246  *	on error, the length is 0.
247  */
248 static void
249 ds_get_sigdata(struct ub_packed_rrset_key* k, size_t idx, uint8_t** digest,
250         size_t* len)
251 {
252 	uint8_t* rdata;
253 	size_t rdlen;
254 	rrset_get_rdata(k, idx, &rdata, &rdlen);
255 	if(rdlen < 2+5) {
256 		*digest = NULL;
257 		*len = 0;
258 		return;
259 	}
260 	*digest = rdata + 2 + 4;
261 	*len = rdlen - 2 - 4;
262 }
263 
264 /**
265  * Return size of DS digest according to its hash algorithm.
266  * @param k: DS rrset.
267  * @param idx: which DS.
268  * @return size in bytes of digest, or 0 if not supported.
269  */
270 static size_t
271 ds_digest_size_algo(struct ub_packed_rrset_key* k, size_t idx)
272 {
273 	return ds_digest_size_supported(ds_get_digest_algo(k, idx));
274 }
275 
276 /**
277  * Create a DS digest for a DNSKEY entry.
278  *
279  * @param env: module environment. Uses scratch space.
280  * @param dnskey_rrset: DNSKEY rrset.
281  * @param dnskey_idx: index of RR in rrset.
282  * @param ds_rrset: DS rrset
283  * @param ds_idx: index of RR in DS rrset.
284  * @param digest: digest is returned in here (must be correctly sized).
285  * @return false on error.
286  */
287 static int
288 ds_create_dnskey_digest(struct module_env* env,
289 	struct ub_packed_rrset_key* dnskey_rrset, size_t dnskey_idx,
290 	struct ub_packed_rrset_key* ds_rrset, size_t ds_idx,
291 	uint8_t* digest)
292 {
293 	sldns_buffer* b = env->scratch_buffer;
294 	uint8_t* dnskey_rdata;
295 	size_t dnskey_len;
296 	rrset_get_rdata(dnskey_rrset, dnskey_idx, &dnskey_rdata, &dnskey_len);
297 
298 	/* create digest source material in buffer
299 	 * digest = digest_algorithm( DNSKEY owner name | DNSKEY RDATA);
300 	 *	DNSKEY RDATA = Flags | Protocol | Algorithm | Public Key. */
301 	sldns_buffer_clear(b);
302 	sldns_buffer_write(b, dnskey_rrset->rk.dname,
303 		dnskey_rrset->rk.dname_len);
304 	query_dname_tolower(sldns_buffer_begin(b));
305 	sldns_buffer_write(b, dnskey_rdata+2, dnskey_len-2); /* skip rdatalen*/
306 	sldns_buffer_flip(b);
307 
308 	return secalgo_ds_digest(ds_get_digest_algo(ds_rrset, ds_idx),
309 		(unsigned char*)sldns_buffer_begin(b), sldns_buffer_limit(b),
310 		(unsigned char*)digest);
311 }
312 
313 int ds_digest_match_dnskey(struct module_env* env,
314 	struct ub_packed_rrset_key* dnskey_rrset, size_t dnskey_idx,
315 	struct ub_packed_rrset_key* ds_rrset, size_t ds_idx)
316 {
317 	uint8_t* ds;	/* DS digest */
318 	size_t dslen;
319 	uint8_t* digest; /* generated digest */
320 	size_t digestlen = ds_digest_size_algo(ds_rrset, ds_idx);
321 
322 	if(digestlen == 0) {
323 		verbose(VERB_QUERY, "DS fail: not supported, or DS RR "
324 			"format error");
325 		return 0; /* not supported, or DS RR format error */
326 	}
327 	/* check digest length in DS with length from hash function */
328 	ds_get_sigdata(ds_rrset, ds_idx, &ds, &dslen);
329 	if(!ds || dslen != digestlen) {
330 		verbose(VERB_QUERY, "DS fail: DS RR algo and digest do not "
331 			"match each other");
332 		return 0; /* DS algorithm and digest do not match */
333 	}
334 
335 	digest = regional_alloc(env->scratch, digestlen);
336 	if(!digest) {
337 		verbose(VERB_QUERY, "DS fail: out of memory");
338 		return 0; /* mem error */
339 	}
340 	if(!ds_create_dnskey_digest(env, dnskey_rrset, dnskey_idx, ds_rrset,
341 		ds_idx, digest)) {
342 		verbose(VERB_QUERY, "DS fail: could not calc key digest");
343 		return 0; /* digest algo failed */
344 	}
345 	if(memcmp(digest, ds, dslen) != 0) {
346 		verbose(VERB_QUERY, "DS fail: digest is different");
347 		return 0; /* digest different */
348 	}
349 	return 1;
350 }
351 
352 int
353 ds_digest_algo_is_supported(struct ub_packed_rrset_key* ds_rrset,
354 	size_t ds_idx)
355 {
356 	return (ds_digest_size_algo(ds_rrset, ds_idx) != 0);
357 }
358 
359 int
360 ds_key_algo_is_supported(struct ub_packed_rrset_key* ds_rrset,
361 	size_t ds_idx)
362 {
363 	return dnskey_algo_id_is_supported(ds_get_key_algo(ds_rrset, ds_idx));
364 }
365 
366 uint16_t
367 dnskey_calc_keytag(struct ub_packed_rrset_key* dnskey_rrset, size_t dnskey_idx)
368 {
369 	uint8_t* data;
370 	size_t len;
371 	rrset_get_rdata(dnskey_rrset, dnskey_idx, &data, &len);
372 	/* do not pass rdatalen to ldns */
373 	return sldns_calc_keytag_raw(data+2, len-2);
374 }
375 
376 int dnskey_algo_is_supported(struct ub_packed_rrset_key* dnskey_rrset,
377         size_t dnskey_idx)
378 {
379 	return dnskey_algo_id_is_supported(dnskey_get_algo(dnskey_rrset,
380 		dnskey_idx));
381 }
382 
383 void algo_needs_init_dnskey_add(struct algo_needs* n,
384         struct ub_packed_rrset_key* dnskey, uint8_t* sigalg)
385 {
386 	uint8_t algo;
387 	size_t i, total = n->num;
388 	size_t num = rrset_get_count(dnskey);
389 
390 	for(i=0; i<num; i++) {
391 		algo = (uint8_t)dnskey_get_algo(dnskey, i);
392 		if(!dnskey_algo_id_is_supported((int)algo))
393 			continue;
394 		if(n->needs[algo] == 0) {
395 			n->needs[algo] = 1;
396 			sigalg[total] = algo;
397 			total++;
398 		}
399 	}
400 	sigalg[total] = 0;
401 	n->num = total;
402 }
403 
404 void algo_needs_init_list(struct algo_needs* n, uint8_t* sigalg)
405 {
406 	uint8_t algo;
407 	size_t total = 0;
408 
409 	memset(n->needs, 0, sizeof(uint8_t)*ALGO_NEEDS_MAX);
410 	while( (algo=*sigalg++) != 0) {
411 		log_assert(dnskey_algo_id_is_supported((int)algo));
412 		log_assert(n->needs[algo] == 0);
413 		n->needs[algo] = 1;
414 		total++;
415 	}
416 	n->num = total;
417 }
418 
419 void algo_needs_init_ds(struct algo_needs* n, struct ub_packed_rrset_key* ds,
420 	int fav_ds_algo, uint8_t* sigalg)
421 {
422 	uint8_t algo;
423 	size_t i, total = 0;
424 	size_t num = rrset_get_count(ds);
425 
426 	memset(n->needs, 0, sizeof(uint8_t)*ALGO_NEEDS_MAX);
427 	for(i=0; i<num; i++) {
428 		if(ds_get_digest_algo(ds, i) != fav_ds_algo)
429 			continue;
430 		algo = (uint8_t)ds_get_key_algo(ds, i);
431 		if(!dnskey_algo_id_is_supported((int)algo))
432 			continue;
433 		log_assert(algo != 0); /* we do not support 0 and is EOS */
434 		if(n->needs[algo] == 0) {
435 			n->needs[algo] = 1;
436 			sigalg[total] = algo;
437 			total++;
438 		}
439 	}
440 	sigalg[total] = 0;
441 	n->num = total;
442 }
443 
444 int algo_needs_set_secure(struct algo_needs* n, uint8_t algo)
445 {
446 	if(n->needs[algo]) {
447 		n->needs[algo] = 0;
448 		n->num --;
449 		if(n->num == 0) /* done! */
450 			return 1;
451 	}
452 	return 0;
453 }
454 
455 void algo_needs_set_bogus(struct algo_needs* n, uint8_t algo)
456 {
457 	if(n->needs[algo]) n->needs[algo] = 2; /* need it, but bogus */
458 }
459 
460 size_t algo_needs_num_missing(struct algo_needs* n)
461 {
462 	return n->num;
463 }
464 
465 int algo_needs_missing(struct algo_needs* n)
466 {
467 	int i;
468 	/* first check if a needed algo was bogus - report that */
469 	for(i=0; i<ALGO_NEEDS_MAX; i++)
470 		if(n->needs[i] == 2)
471 			return 0;
472 	/* now check which algo is missing */
473 	for(i=0; i<ALGO_NEEDS_MAX; i++)
474 		if(n->needs[i] == 1)
475 			return i;
476 	return 0;
477 }
478 
479 enum sec_status
480 dnskeyset_verify_rrset(struct module_env* env, struct val_env* ve,
481 	struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey,
482 	uint8_t* sigalg, char** reason)
483 {
484 	enum sec_status sec;
485 	size_t i, num;
486 	rbtree_t* sortree = NULL;
487 	/* make sure that for all DNSKEY algorithms there are valid sigs */
488 	struct algo_needs needs;
489 	int alg;
490 
491 	num = rrset_get_sigcount(rrset);
492 	if(num == 0) {
493 		verbose(VERB_QUERY, "rrset failed to verify due to a lack of "
494 			"signatures");
495 		*reason = "no signatures";
496 		return sec_status_bogus;
497 	}
498 
499 	if(sigalg) {
500 		algo_needs_init_list(&needs, sigalg);
501 		if(algo_needs_num_missing(&needs) == 0) {
502 			verbose(VERB_QUERY, "zone has no known algorithms");
503 			*reason = "zone has no known algorithms";
504 			return sec_status_insecure;
505 		}
506 	}
507 	for(i=0; i<num; i++) {
508 		sec = dnskeyset_verify_rrset_sig(env, ve, *env->now, rrset,
509 			dnskey, i, &sortree, reason);
510 		/* see which algorithm has been fixed up */
511 		if(sec == sec_status_secure) {
512 			if(!sigalg)
513 				return sec; /* done! */
514 			else if(algo_needs_set_secure(&needs,
515 				(uint8_t)rrset_get_sig_algo(rrset, i)))
516 				return sec; /* done! */
517 		} else if(sigalg && sec == sec_status_bogus) {
518 			algo_needs_set_bogus(&needs,
519 				(uint8_t)rrset_get_sig_algo(rrset, i));
520 		}
521 	}
522 	if(sigalg && (alg=algo_needs_missing(&needs)) != 0) {
523 		verbose(VERB_ALGO, "rrset failed to verify: "
524 			"no valid signatures for %d algorithms",
525 			(int)algo_needs_num_missing(&needs));
526 		algo_needs_reason(env, alg, reason, "no signatures");
527 	} else {
528 		verbose(VERB_ALGO, "rrset failed to verify: "
529 			"no valid signatures");
530 	}
531 	return sec_status_bogus;
532 }
533 
534 void algo_needs_reason(struct module_env* env, int alg, char** reason, char* s)
535 {
536 	char buf[256];
537 	sldns_lookup_table *t = sldns_lookup_by_id(sldns_algorithms, alg);
538 	if(t&&t->name)
539 		snprintf(buf, sizeof(buf), "%s with algorithm %s", s, t->name);
540 	else	snprintf(buf, sizeof(buf), "%s with algorithm ALG%u", s,
541 			(unsigned)alg);
542 	*reason = regional_strdup(env->scratch, buf);
543 	if(!*reason)
544 		*reason = s;
545 }
546 
547 enum sec_status
548 dnskey_verify_rrset(struct module_env* env, struct val_env* ve,
549         struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey,
550 	size_t dnskey_idx, char** reason)
551 {
552 	enum sec_status sec;
553 	size_t i, num, numchecked = 0;
554 	rbtree_t* sortree = NULL;
555 	int buf_canon = 0;
556 	uint16_t tag = dnskey_calc_keytag(dnskey, dnskey_idx);
557 	int algo = dnskey_get_algo(dnskey, dnskey_idx);
558 
559 	num = rrset_get_sigcount(rrset);
560 	if(num == 0) {
561 		verbose(VERB_QUERY, "rrset failed to verify due to a lack of "
562 			"signatures");
563 		*reason = "no signatures";
564 		return sec_status_bogus;
565 	}
566 	for(i=0; i<num; i++) {
567 		/* see if sig matches keytag and algo */
568 		if(algo != rrset_get_sig_algo(rrset, i) ||
569 			tag != rrset_get_sig_keytag(rrset, i))
570 			continue;
571 		buf_canon = 0;
572 		sec = dnskey_verify_rrset_sig(env->scratch,
573 			env->scratch_buffer, ve, *env->now, rrset,
574 			dnskey, dnskey_idx, i, &sortree, &buf_canon, reason);
575 		if(sec == sec_status_secure)
576 			return sec;
577 		numchecked ++;
578 	}
579 	verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus");
580 	if(!numchecked) *reason = "signature missing";
581 	return sec_status_bogus;
582 }
583 
584 enum sec_status
585 dnskeyset_verify_rrset_sig(struct module_env* env, struct val_env* ve,
586 	time_t now, struct ub_packed_rrset_key* rrset,
587 	struct ub_packed_rrset_key* dnskey, size_t sig_idx,
588 	struct rbtree_t** sortree, char** reason)
589 {
590 	/* find matching keys and check them */
591 	enum sec_status sec = sec_status_bogus;
592 	uint16_t tag = rrset_get_sig_keytag(rrset, sig_idx);
593 	int algo = rrset_get_sig_algo(rrset, sig_idx);
594 	size_t i, num = rrset_get_count(dnskey);
595 	size_t numchecked = 0;
596 	int buf_canon = 0;
597 	verbose(VERB_ALGO, "verify sig %d %d", (int)tag, algo);
598 	if(!dnskey_algo_id_is_supported(algo)) {
599 		verbose(VERB_QUERY, "verify sig: unknown algorithm");
600 		return sec_status_insecure;
601 	}
602 
603 	for(i=0; i<num; i++) {
604 		/* see if key matches keytag and algo */
605 		if(algo != dnskey_get_algo(dnskey, i) ||
606 			tag != dnskey_calc_keytag(dnskey, i))
607 			continue;
608 		numchecked ++;
609 
610 		/* see if key verifies */
611 		sec = dnskey_verify_rrset_sig(env->scratch,
612 			env->scratch_buffer, ve, now, rrset, dnskey, i,
613 			sig_idx, sortree, &buf_canon, reason);
614 		if(sec == sec_status_secure)
615 			return sec;
616 	}
617 	if(numchecked == 0) {
618 		*reason = "signatures from unknown keys";
619 		verbose(VERB_QUERY, "verify: could not find appropriate key");
620 		return sec_status_bogus;
621 	}
622 	return sec_status_bogus;
623 }
624 
625 /**
626  * RR entries in a canonical sorted tree of RRs
627  */
628 struct canon_rr {
629 	/** rbtree node, key is this structure */
630 	rbnode_t node;
631 	/** rrset the RR is in */
632 	struct ub_packed_rrset_key* rrset;
633 	/** which RR in the rrset */
634 	size_t rr_idx;
635 };
636 
637 /**
638  * Compare two RR for canonical order, in a field-style sweep.
639  * @param d: rrset data
640  * @param desc: ldns wireformat descriptor.
641  * @param i: first RR to compare
642  * @param j: first RR to compare
643  * @return comparison code.
644  */
645 static int
646 canonical_compare_byfield(struct packed_rrset_data* d,
647 	const sldns_rr_descriptor* desc, size_t i, size_t j)
648 {
649 	/* sweep across rdata, keep track of some state:
650 	 * 	which rr field, and bytes left in field.
651 	 * 	current position in rdata, length left.
652 	 * 	are we in a dname, length left in a label.
653 	 */
654 	int wfi = -1;	/* current wireformat rdata field (rdf) */
655 	int wfj = -1;
656 	uint8_t* di = d->rr_data[i]+2; /* ptr to current rdata byte */
657 	uint8_t* dj = d->rr_data[j]+2;
658 	size_t ilen = d->rr_len[i]-2; /* length left in rdata */
659 	size_t jlen = d->rr_len[j]-2;
660 	int dname_i = 0;  /* true if these bytes are part of a name */
661 	int dname_j = 0;
662 	size_t lablen_i = 0; /* 0 for label length byte,for first byte of rdf*/
663 	size_t lablen_j = 0; /* otherwise remaining length of rdf or label */
664 	int dname_num_i = (int)desc->_dname_count; /* decreased at root label */
665 	int dname_num_j = (int)desc->_dname_count;
666 
667 	/* loop while there are rdata bytes available for both rrs,
668 	 * and still some lowercasing needs to be done; either the dnames
669 	 * have not been reached yet, or they are currently being processed */
670 	while(ilen > 0 && jlen > 0 && (dname_num_i > 0 || dname_num_j > 0)) {
671 		/* compare these two bytes */
672 		/* lowercase if in a dname and not a label length byte */
673 		if( ((dname_i && lablen_i)?(uint8_t)tolower((int)*di):*di)
674 		 != ((dname_j && lablen_j)?(uint8_t)tolower((int)*dj):*dj)
675 		 ) {
676 		  if(((dname_i && lablen_i)?(uint8_t)tolower((int)*di):*di)
677 		  < ((dname_j && lablen_j)?(uint8_t)tolower((int)*dj):*dj))
678 		 	return -1;
679 		    return 1;
680 		}
681 		ilen--;
682 		jlen--;
683 		/* bytes are equal */
684 
685 		/* advance field i */
686 		/* lablen 0 means that this byte is the first byte of the
687 		 * next rdata field; inspect this rdata field and setup
688 		 * to process the rest of this rdata field.
689 		 * The reason to first read the byte, then setup the rdf,
690 		 * is that we are then sure the byte is available and short
691 		 * rdata is handled gracefully (even if it is a formerr). */
692 		if(lablen_i == 0) {
693 			if(dname_i) {
694 				/* scan this dname label */
695 				/* capture length to lowercase */
696 				lablen_i = (size_t)*di;
697 				if(lablen_i == 0) {
698 					/* end root label */
699 					dname_i = 0;
700 					dname_num_i--;
701 					/* if dname num is 0, then the
702 					 * remainder is binary only */
703 					if(dname_num_i == 0)
704 						lablen_i = ilen;
705 				}
706 			} else {
707 				/* scan this rdata field */
708 				wfi++;
709 				if(desc->_wireformat[wfi]
710 					== LDNS_RDF_TYPE_DNAME) {
711 					dname_i = 1;
712 					lablen_i = (size_t)*di;
713 					if(lablen_i == 0) {
714 						dname_i = 0;
715 						dname_num_i--;
716 						if(dname_num_i == 0)
717 							lablen_i = ilen;
718 					}
719 				} else if(desc->_wireformat[wfi]
720 					== LDNS_RDF_TYPE_STR)
721 					lablen_i = (size_t)*di;
722 				else	lablen_i = get_rdf_size(
723 					desc->_wireformat[wfi]) - 1;
724 			}
725 		} else	lablen_i--;
726 
727 		/* advance field j; same as for i */
728 		if(lablen_j == 0) {
729 			if(dname_j) {
730 				lablen_j = (size_t)*dj;
731 				if(lablen_j == 0) {
732 					dname_j = 0;
733 					dname_num_j--;
734 					if(dname_num_j == 0)
735 						lablen_j = jlen;
736 				}
737 			} else {
738 				wfj++;
739 				if(desc->_wireformat[wfj]
740 					== LDNS_RDF_TYPE_DNAME) {
741 					dname_j = 1;
742 					lablen_j = (size_t)*dj;
743 					if(lablen_j == 0) {
744 						dname_j = 0;
745 						dname_num_j--;
746 						if(dname_num_j == 0)
747 							lablen_j = jlen;
748 					}
749 				} else if(desc->_wireformat[wfj]
750 					== LDNS_RDF_TYPE_STR)
751 					lablen_j = (size_t)*dj;
752 				else	lablen_j = get_rdf_size(
753 					desc->_wireformat[wfj]) - 1;
754 			}
755 		} else	lablen_j--;
756 		di++;
757 		dj++;
758 	}
759 	/* end of the loop; because we advanced byte by byte; now we have
760 	 * that the rdata has ended, or that there is a binary remainder */
761 	/* shortest first */
762 	if(ilen == 0 && jlen == 0)
763 		return 0;
764 	if(ilen == 0)
765 		return -1;
766 	if(jlen == 0)
767 		return 1;
768 	/* binary remainder, capture comparison in wfi variable */
769 	if((wfi = memcmp(di, dj, (ilen<jlen)?ilen:jlen)) != 0)
770 		return wfi;
771 	if(ilen < jlen)
772 		return -1;
773 	if(jlen < ilen)
774 		return 1;
775 	return 0;
776 }
777 
778 /**
779  * Compare two RRs in the same RRset and determine their relative
780  * canonical order.
781  * @param rrset: the rrset in which to perform compares.
782  * @param i: first RR to compare
783  * @param j: first RR to compare
784  * @return 0 if RR i== RR j, -1 if <, +1 if >.
785  */
786 static int
787 canonical_compare(struct ub_packed_rrset_key* rrset, size_t i, size_t j)
788 {
789 	struct packed_rrset_data* d = (struct packed_rrset_data*)
790 		rrset->entry.data;
791 	const sldns_rr_descriptor* desc;
792 	uint16_t type = ntohs(rrset->rk.type);
793 	size_t minlen;
794 	int c;
795 
796 	if(i==j)
797 		return 0;
798 
799 	switch(type) {
800 		/* These RR types have only a name as RDATA.
801 		 * This name has to be canonicalized.*/
802 		case LDNS_RR_TYPE_NS:
803 		case LDNS_RR_TYPE_MD:
804 		case LDNS_RR_TYPE_MF:
805 		case LDNS_RR_TYPE_CNAME:
806 		case LDNS_RR_TYPE_MB:
807 		case LDNS_RR_TYPE_MG:
808 		case LDNS_RR_TYPE_MR:
809 		case LDNS_RR_TYPE_PTR:
810 		case LDNS_RR_TYPE_DNAME:
811 			/* the wireread function has already checked these
812 			 * dname's for correctness, and this double checks */
813 			if(!dname_valid(d->rr_data[i]+2, d->rr_len[i]-2) ||
814 				!dname_valid(d->rr_data[j]+2, d->rr_len[j]-2))
815 				return 0;
816 			return query_dname_compare(d->rr_data[i]+2,
817 				d->rr_data[j]+2);
818 
819 		/* These RR types have STR and fixed size rdata fields
820 		 * before one or more name fields that need canonicalizing,
821 		 * and after that a byte-for byte remainder can be compared.
822 		 */
823 		/* type starts with the name; remainder is binary compared */
824 		case LDNS_RR_TYPE_NXT:
825 		/* use rdata field formats */
826 		case LDNS_RR_TYPE_MINFO:
827 		case LDNS_RR_TYPE_RP:
828 		case LDNS_RR_TYPE_SOA:
829 		case LDNS_RR_TYPE_RT:
830 		case LDNS_RR_TYPE_AFSDB:
831 		case LDNS_RR_TYPE_KX:
832 		case LDNS_RR_TYPE_MX:
833 		case LDNS_RR_TYPE_SIG:
834 		/* RRSIG signer name has to be downcased */
835 		case LDNS_RR_TYPE_RRSIG:
836 		case LDNS_RR_TYPE_PX:
837 		case LDNS_RR_TYPE_NAPTR:
838 		case LDNS_RR_TYPE_SRV:
839 			desc = sldns_rr_descript(type);
840 			log_assert(desc);
841 			/* this holds for the types that need canonicalizing */
842 			log_assert(desc->_minimum == desc->_maximum);
843 			return canonical_compare_byfield(d, desc, i, j);
844 
845 		case LDNS_RR_TYPE_HINFO: /* no longer downcased */
846 		case LDNS_RR_TYPE_NSEC:
847 	default:
848 		/* For unknown RR types, or types not listed above,
849 		 * no canonicalization is needed, do binary compare */
850 		/* byte for byte compare, equal means shortest first*/
851 		minlen = d->rr_len[i]-2;
852 		if(minlen > d->rr_len[j]-2)
853 			minlen = d->rr_len[j]-2;
854 		c = memcmp(d->rr_data[i]+2, d->rr_data[j]+2, minlen);
855 		if(c!=0)
856 			return c;
857 		/* rdata equal, shortest is first */
858 		if(d->rr_len[i] < d->rr_len[j])
859 			return -1;
860 		if(d->rr_len[i] > d->rr_len[j])
861 			return 1;
862 		/* rdata equal, length equal */
863 		break;
864 	}
865 	return 0;
866 }
867 
868 int
869 canonical_tree_compare(const void* k1, const void* k2)
870 {
871 	struct canon_rr* r1 = (struct canon_rr*)k1;
872 	struct canon_rr* r2 = (struct canon_rr*)k2;
873 	log_assert(r1->rrset == r2->rrset);
874 	return canonical_compare(r1->rrset, r1->rr_idx, r2->rr_idx);
875 }
876 
877 /**
878  * Sort RRs for rrset in canonical order.
879  * Does not actually canonicalize the RR rdatas.
880  * Does not touch rrsigs.
881  * @param rrset: to sort.
882  * @param d: rrset data.
883  * @param sortree: tree to sort into.
884  * @param rrs: rr storage.
885  */
886 static void
887 canonical_sort(struct ub_packed_rrset_key* rrset, struct packed_rrset_data* d,
888 	rbtree_t* sortree, struct canon_rr* rrs)
889 {
890 	size_t i;
891 	/* insert into rbtree to sort and detect duplicates */
892 	for(i=0; i<d->count; i++) {
893 		rrs[i].node.key = &rrs[i];
894 		rrs[i].rrset = rrset;
895 		rrs[i].rr_idx = i;
896 		if(!rbtree_insert(sortree, &rrs[i].node)) {
897 			/* this was a duplicate */
898 		}
899 	}
900 }
901 
902 /**
903  * Inser canonical owner name into buffer.
904  * @param buf: buffer to insert into at current position.
905  * @param k: rrset with its owner name.
906  * @param sig: signature with signer name and label count.
907  * 	must be length checked, at least 18 bytes long.
908  * @param can_owner: position in buffer returned for future use.
909  * @param can_owner_len: length of canonical owner name.
910  */
911 static void
912 insert_can_owner(sldns_buffer* buf, struct ub_packed_rrset_key* k,
913 	uint8_t* sig, uint8_t** can_owner, size_t* can_owner_len)
914 {
915 	int rrsig_labels = (int)sig[3];
916 	int fqdn_labels = dname_signame_label_count(k->rk.dname);
917 	*can_owner = sldns_buffer_current(buf);
918 	if(rrsig_labels == fqdn_labels) {
919 		/* no change */
920 		sldns_buffer_write(buf, k->rk.dname, k->rk.dname_len);
921 		query_dname_tolower(*can_owner);
922 		*can_owner_len = k->rk.dname_len;
923 		return;
924 	}
925 	log_assert(rrsig_labels < fqdn_labels);
926 	/* *. | fqdn(rightmost rrsig_labels) */
927 	if(rrsig_labels < fqdn_labels) {
928 		int i;
929 		uint8_t* nm = k->rk.dname;
930 		size_t len = k->rk.dname_len;
931 		/* so skip fqdn_labels-rrsig_labels */
932 		for(i=0; i<fqdn_labels-rrsig_labels; i++) {
933 			dname_remove_label(&nm, &len);
934 		}
935 		*can_owner_len = len+2;
936 		sldns_buffer_write(buf, (uint8_t*)"\001*", 2);
937 		sldns_buffer_write(buf, nm, len);
938 		query_dname_tolower(*can_owner);
939 	}
940 }
941 
942 /**
943  * Canonicalize Rdata in buffer.
944  * @param buf: buffer at position just after the rdata.
945  * @param rrset: rrset with type.
946  * @param len: length of the rdata (including rdatalen uint16).
947  */
948 static void
949 canonicalize_rdata(sldns_buffer* buf, struct ub_packed_rrset_key* rrset,
950 	size_t len)
951 {
952 	uint8_t* datstart = sldns_buffer_current(buf)-len+2;
953 	switch(ntohs(rrset->rk.type)) {
954 		case LDNS_RR_TYPE_NXT:
955 		case LDNS_RR_TYPE_NS:
956 		case LDNS_RR_TYPE_MD:
957 		case LDNS_RR_TYPE_MF:
958 		case LDNS_RR_TYPE_CNAME:
959 		case LDNS_RR_TYPE_MB:
960 		case LDNS_RR_TYPE_MG:
961 		case LDNS_RR_TYPE_MR:
962 		case LDNS_RR_TYPE_PTR:
963 		case LDNS_RR_TYPE_DNAME:
964 			/* type only has a single argument, the name */
965 			query_dname_tolower(datstart);
966 			return;
967 		case LDNS_RR_TYPE_MINFO:
968 		case LDNS_RR_TYPE_RP:
969 		case LDNS_RR_TYPE_SOA:
970 			/* two names after another */
971 			query_dname_tolower(datstart);
972 			query_dname_tolower(datstart +
973 				dname_valid(datstart, len-2));
974 			return;
975 		case LDNS_RR_TYPE_RT:
976 		case LDNS_RR_TYPE_AFSDB:
977 		case LDNS_RR_TYPE_KX:
978 		case LDNS_RR_TYPE_MX:
979 			/* skip fixed part */
980 			if(len < 2+2+1) /* rdlen, skiplen, 1byteroot */
981 				return;
982 			datstart += 2;
983 			query_dname_tolower(datstart);
984 			return;
985 		case LDNS_RR_TYPE_SIG:
986 		/* downcase the RRSIG, compat with BIND (kept it from SIG) */
987 		case LDNS_RR_TYPE_RRSIG:
988 			/* skip fixed part */
989 			if(len < 2+18+1)
990 				return;
991 			datstart += 18;
992 			query_dname_tolower(datstart);
993 			return;
994 		case LDNS_RR_TYPE_PX:
995 			/* skip, then two names after another */
996 			if(len < 2+2+1)
997 				return;
998 			datstart += 2;
999 			query_dname_tolower(datstart);
1000 			query_dname_tolower(datstart +
1001 				dname_valid(datstart, len-2-2));
1002 			return;
1003 		case LDNS_RR_TYPE_NAPTR:
1004 			if(len < 2+4)
1005 				return;
1006 			len -= 2+4;
1007 			datstart += 4;
1008 			if(len < (size_t)datstart[0]+1) /* skip text field */
1009 				return;
1010 			len -= (size_t)datstart[0]+1;
1011 			datstart += (size_t)datstart[0]+1;
1012 			if(len < (size_t)datstart[0]+1) /* skip text field */
1013 				return;
1014 			len -= (size_t)datstart[0]+1;
1015 			datstart += (size_t)datstart[0]+1;
1016 			if(len < (size_t)datstart[0]+1) /* skip text field */
1017 				return;
1018 			len -= (size_t)datstart[0]+1;
1019 			datstart += (size_t)datstart[0]+1;
1020 			if(len < 1)	/* check name is at least 1 byte*/
1021 				return;
1022 			query_dname_tolower(datstart);
1023 			return;
1024 		case LDNS_RR_TYPE_SRV:
1025 			/* skip fixed part */
1026 			if(len < 2+6+1)
1027 				return;
1028 			datstart += 6;
1029 			query_dname_tolower(datstart);
1030 			return;
1031 
1032 		/* do not canonicalize NSEC rdata name, compat with
1033 		 * from bind 9.4 signer, where it does not do so */
1034 		case LDNS_RR_TYPE_NSEC: /* type starts with the name */
1035 		case LDNS_RR_TYPE_HINFO: /* not downcased */
1036 		/* A6 not supported */
1037 		default:
1038 			/* nothing to do for unknown types */
1039 			return;
1040 	}
1041 }
1042 
1043 int rrset_canonical_equal(struct regional* region,
1044 	struct ub_packed_rrset_key* k1, struct ub_packed_rrset_key* k2)
1045 {
1046 	struct rbtree_t sortree1, sortree2;
1047 	struct canon_rr *rrs1, *rrs2, *p1, *p2;
1048 	struct packed_rrset_data* d1=(struct packed_rrset_data*)k1->entry.data;
1049 	struct packed_rrset_data* d2=(struct packed_rrset_data*)k2->entry.data;
1050 	struct ub_packed_rrset_key fk;
1051 	struct packed_rrset_data fd;
1052 	size_t flen[2];
1053 	uint8_t* fdata[2];
1054 
1055 	/* basic compare */
1056 	if(k1->rk.dname_len != k2->rk.dname_len ||
1057 		k1->rk.flags != k2->rk.flags ||
1058 		k1->rk.type != k2->rk.type ||
1059 		k1->rk.rrset_class != k2->rk.rrset_class ||
1060 		query_dname_compare(k1->rk.dname, k2->rk.dname) != 0)
1061 		return 0;
1062 	if(d1->ttl != d2->ttl ||
1063 		d1->count != d2->count ||
1064 		d1->rrsig_count != d2->rrsig_count ||
1065 		d1->trust != d2->trust ||
1066 		d1->security != d2->security)
1067 		return 0;
1068 
1069 	/* init */
1070 	memset(&fk, 0, sizeof(fk));
1071 	memset(&fd, 0, sizeof(fd));
1072 	fk.entry.data = &fd;
1073 	fd.count = 2;
1074 	fd.rr_len = flen;
1075 	fd.rr_data = fdata;
1076 	rbtree_init(&sortree1, &canonical_tree_compare);
1077 	rbtree_init(&sortree2, &canonical_tree_compare);
1078 	if(d1->count > RR_COUNT_MAX || d2->count > RR_COUNT_MAX)
1079 		return 1; /* protection against integer overflow */
1080 	rrs1 = regional_alloc(region, sizeof(struct canon_rr)*d1->count);
1081 	rrs2 = regional_alloc(region, sizeof(struct canon_rr)*d2->count);
1082 	if(!rrs1 || !rrs2) return 1; /* alloc failure */
1083 
1084 	/* sort */
1085 	canonical_sort(k1, d1, &sortree1, rrs1);
1086 	canonical_sort(k2, d2, &sortree2, rrs2);
1087 
1088 	/* compare canonical-sorted RRs for canonical-equality */
1089 	if(sortree1.count != sortree2.count)
1090 		return 0;
1091 	p1 = (struct canon_rr*)rbtree_first(&sortree1);
1092 	p2 = (struct canon_rr*)rbtree_first(&sortree2);
1093 	while(p1 != (struct canon_rr*)RBTREE_NULL &&
1094 		p2 != (struct canon_rr*)RBTREE_NULL) {
1095 		flen[0] = d1->rr_len[p1->rr_idx];
1096 		flen[1] = d2->rr_len[p2->rr_idx];
1097 		fdata[0] = d1->rr_data[p1->rr_idx];
1098 		fdata[1] = d2->rr_data[p2->rr_idx];
1099 
1100 		if(canonical_compare(&fk, 0, 1) != 0)
1101 			return 0;
1102 		p1 = (struct canon_rr*)rbtree_next(&p1->node);
1103 		p2 = (struct canon_rr*)rbtree_next(&p2->node);
1104 	}
1105 	return 1;
1106 }
1107 
1108 /**
1109  * Create canonical form of rrset in the scratch buffer.
1110  * @param region: temporary region.
1111  * @param buf: the buffer to use.
1112  * @param k: the rrset to insert.
1113  * @param sig: RRSIG rdata to include.
1114  * @param siglen: RRSIG rdata len excluding signature field, but inclusive
1115  * 	signer name length.
1116  * @param sortree: if NULL is passed a new sorted rrset tree is built.
1117  * 	Otherwise it is reused.
1118  * @return false on alloc error.
1119  */
1120 static int
1121 rrset_canonical(struct regional* region, sldns_buffer* buf,
1122 	struct ub_packed_rrset_key* k, uint8_t* sig, size_t siglen,
1123 	struct rbtree_t** sortree)
1124 {
1125 	struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data;
1126 	uint8_t* can_owner = NULL;
1127 	size_t can_owner_len = 0;
1128 	struct canon_rr* walk;
1129 	struct canon_rr* rrs;
1130 
1131 	if(!*sortree) {
1132 		*sortree = (struct rbtree_t*)regional_alloc(region,
1133 			sizeof(rbtree_t));
1134 		if(!*sortree)
1135 			return 0;
1136 		if(d->count > RR_COUNT_MAX)
1137 			return 0; /* integer overflow protection */
1138 		rrs = regional_alloc(region, sizeof(struct canon_rr)*d->count);
1139 		if(!rrs) {
1140 			*sortree = NULL;
1141 			return 0;
1142 		}
1143 		rbtree_init(*sortree, &canonical_tree_compare);
1144 		canonical_sort(k, d, *sortree, rrs);
1145 	}
1146 
1147 	sldns_buffer_clear(buf);
1148 	sldns_buffer_write(buf, sig, siglen);
1149 	/* canonicalize signer name */
1150 	query_dname_tolower(sldns_buffer_begin(buf)+18);
1151 	RBTREE_FOR(walk, struct canon_rr*, (*sortree)) {
1152 		/* see if there is enough space left in the buffer */
1153 		if(sldns_buffer_remaining(buf) < can_owner_len + 2 + 2 + 4
1154 			+ d->rr_len[walk->rr_idx]) {
1155 			log_err("verify: failed to canonicalize, "
1156 				"rrset too big");
1157 			return 0;
1158 		}
1159 		/* determine canonical owner name */
1160 		if(can_owner)
1161 			sldns_buffer_write(buf, can_owner, can_owner_len);
1162 		else	insert_can_owner(buf, k, sig, &can_owner,
1163 				&can_owner_len);
1164 		sldns_buffer_write(buf, &k->rk.type, 2);
1165 		sldns_buffer_write(buf, &k->rk.rrset_class, 2);
1166 		sldns_buffer_write(buf, sig+4, 4);
1167 		sldns_buffer_write(buf, d->rr_data[walk->rr_idx],
1168 			d->rr_len[walk->rr_idx]);
1169 		canonicalize_rdata(buf, k, d->rr_len[walk->rr_idx]);
1170 	}
1171 	sldns_buffer_flip(buf);
1172 	return 1;
1173 }
1174 
1175 /** pretty print rrsig error with dates */
1176 static void
1177 sigdate_error(const char* str, int32_t expi, int32_t incep, int32_t now)
1178 {
1179 	struct tm tm;
1180 	char expi_buf[16];
1181 	char incep_buf[16];
1182 	char now_buf[16];
1183 	time_t te, ti, tn;
1184 
1185 	if(verbosity < VERB_QUERY)
1186 		return;
1187 	te = (time_t)expi;
1188 	ti = (time_t)incep;
1189 	tn = (time_t)now;
1190 	memset(&tm, 0, sizeof(tm));
1191 	if(gmtime_r(&te, &tm) && strftime(expi_buf, 15, "%Y%m%d%H%M%S", &tm)
1192 	 &&gmtime_r(&ti, &tm) && strftime(incep_buf, 15, "%Y%m%d%H%M%S", &tm)
1193 	 &&gmtime_r(&tn, &tm) && strftime(now_buf, 15, "%Y%m%d%H%M%S", &tm)) {
1194 		log_info("%s expi=%s incep=%s now=%s", str, expi_buf,
1195 			incep_buf, now_buf);
1196 	} else
1197 		log_info("%s expi=%u incep=%u now=%u", str, (unsigned)expi,
1198 			(unsigned)incep, (unsigned)now);
1199 }
1200 
1201 /** check rrsig dates */
1202 static int
1203 check_dates(struct val_env* ve, uint32_t unow,
1204 	uint8_t* expi_p, uint8_t* incep_p, char** reason)
1205 {
1206 	/* read out the dates */
1207 	int32_t expi, incep, now;
1208 	memmove(&expi, expi_p, sizeof(expi));
1209 	memmove(&incep, incep_p, sizeof(incep));
1210 	expi = ntohl(expi);
1211 	incep = ntohl(incep);
1212 
1213 	/* get current date */
1214 	if(ve->date_override) {
1215 		if(ve->date_override == -1) {
1216 			verbose(VERB_ALGO, "date override: ignore date");
1217 			return 1;
1218 		}
1219 		now = ve->date_override;
1220 		verbose(VERB_ALGO, "date override option %d", (int)now);
1221 	} else	now = (int32_t)unow;
1222 
1223 	/* check them */
1224 	if(incep - expi > 0) {
1225 		sigdate_error("verify: inception after expiration, "
1226 			"signature bad", expi, incep, now);
1227 		*reason = "signature inception after expiration";
1228 		return 0;
1229 	}
1230 	if(incep - now > 0) {
1231 		/* within skew ? (calc here to avoid calculation normally) */
1232 		int32_t skew = (expi-incep)/10;
1233 		if(skew < ve->skew_min) skew = ve->skew_min;
1234 		if(skew > ve->skew_max) skew = ve->skew_max;
1235 		if(incep - now > skew) {
1236 			sigdate_error("verify: signature bad, current time is"
1237 				" before inception date", expi, incep, now);
1238 			*reason = "signature before inception date";
1239 			return 0;
1240 		}
1241 		sigdate_error("verify warning suspicious signature inception "
1242 			" or bad local clock", expi, incep, now);
1243 	}
1244 	if(now - expi > 0) {
1245 		int32_t skew = (expi-incep)/10;
1246 		if(skew < ve->skew_min) skew = ve->skew_min;
1247 		if(skew > ve->skew_max) skew = ve->skew_max;
1248 		if(now - expi > skew) {
1249 			sigdate_error("verify: signature expired", expi,
1250 				incep, now);
1251 			*reason = "signature expired";
1252 			return 0;
1253 		}
1254 		sigdate_error("verify warning suspicious signature expiration "
1255 			" or bad local clock", expi, incep, now);
1256 	}
1257 	return 1;
1258 }
1259 
1260 /** adjust rrset TTL for verified rrset, compare to original TTL and expi */
1261 static void
1262 adjust_ttl(struct val_env* ve, uint32_t unow,
1263 	struct ub_packed_rrset_key* rrset, uint8_t* orig_p,
1264 	uint8_t* expi_p, uint8_t* incep_p)
1265 {
1266 	struct packed_rrset_data* d =
1267 		(struct packed_rrset_data*)rrset->entry.data;
1268 	/* read out the dates */
1269 	int32_t origttl, expittl, expi, incep, now;
1270 	memmove(&origttl, orig_p, sizeof(origttl));
1271 	memmove(&expi, expi_p, sizeof(expi));
1272 	memmove(&incep, incep_p, sizeof(incep));
1273 	expi = ntohl(expi);
1274 	incep = ntohl(incep);
1275 	origttl = ntohl(origttl);
1276 
1277 	/* get current date */
1278 	if(ve->date_override) {
1279 		now = ve->date_override;
1280 	} else	now = (int32_t)unow;
1281 	expittl = expi - now;
1282 
1283 	/* so now:
1284 	 * d->ttl: rrset ttl read from message or cache. May be reduced
1285 	 * origttl: original TTL from signature, authoritative TTL max.
1286 	 * expittl: TTL until the signature expires.
1287 	 *
1288 	 * Use the smallest of these.
1289 	 */
1290 	if(d->ttl > (time_t)origttl) {
1291 		verbose(VERB_QUERY, "rrset TTL larger than original TTL,"
1292 			" adjusting TTL downwards");
1293 		d->ttl = origttl;
1294 	}
1295 	if(expittl > 0 && d->ttl > (time_t)expittl) {
1296 		verbose(VERB_ALGO, "rrset TTL larger than sig expiration ttl,"
1297 			" adjusting TTL downwards");
1298 		d->ttl = expittl;
1299 	}
1300 }
1301 
1302 enum sec_status
1303 dnskey_verify_rrset_sig(struct regional* region, sldns_buffer* buf,
1304 	struct val_env* ve, time_t now,
1305         struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey,
1306         size_t dnskey_idx, size_t sig_idx,
1307 	struct rbtree_t** sortree, int* buf_canon, char** reason)
1308 {
1309 	enum sec_status sec;
1310 	uint8_t* sig;		/* RRSIG rdata */
1311 	size_t siglen;
1312 	size_t rrnum = rrset_get_count(rrset);
1313 	uint8_t* signer;	/* rrsig signer name */
1314 	size_t signer_len;
1315 	unsigned char* sigblock; /* signature rdata field */
1316 	unsigned int sigblock_len;
1317 	uint16_t ktag;		/* DNSKEY key tag */
1318 	unsigned char* key;	/* public key rdata field */
1319 	unsigned int keylen;
1320 	rrset_get_rdata(rrset, rrnum + sig_idx, &sig, &siglen);
1321 	/* min length of rdatalen, fixed rrsig, root signer, 1 byte sig */
1322 	if(siglen < 2+20) {
1323 		verbose(VERB_QUERY, "verify: signature too short");
1324 		*reason = "signature too short";
1325 		return sec_status_bogus;
1326 	}
1327 
1328 	if(!(dnskey_get_flags(dnskey, dnskey_idx) & DNSKEY_BIT_ZSK)) {
1329 		verbose(VERB_QUERY, "verify: dnskey without ZSK flag");
1330 		*reason = "dnskey without ZSK flag";
1331 		return sec_status_bogus;
1332 	}
1333 
1334 	if(dnskey_get_protocol(dnskey, dnskey_idx) != LDNS_DNSSEC_KEYPROTO) {
1335 		/* RFC 4034 says DNSKEY PROTOCOL MUST be 3 */
1336 		verbose(VERB_QUERY, "verify: dnskey has wrong key protocol");
1337 		*reason = "dnskey has wrong protocolnumber";
1338 		return sec_status_bogus;
1339 	}
1340 
1341 	/* verify as many fields in rrsig as possible */
1342 	signer = sig+2+18;
1343 	signer_len = dname_valid(signer, siglen-2-18);
1344 	if(!signer_len) {
1345 		verbose(VERB_QUERY, "verify: malformed signer name");
1346 		*reason = "signer name malformed";
1347 		return sec_status_bogus; /* signer name invalid */
1348 	}
1349 	if(!dname_subdomain_c(rrset->rk.dname, signer)) {
1350 		verbose(VERB_QUERY, "verify: signer name is off-tree");
1351 		*reason = "signer name off-tree";
1352 		return sec_status_bogus; /* signer name offtree */
1353 	}
1354 	sigblock = (unsigned char*)signer+signer_len;
1355 	if(siglen < 2+18+signer_len+1) {
1356 		verbose(VERB_QUERY, "verify: too short, no signature data");
1357 		*reason = "signature too short, no signature data";
1358 		return sec_status_bogus; /* sig rdf is < 1 byte */
1359 	}
1360 	sigblock_len = (unsigned int)(siglen - 2 - 18 - signer_len);
1361 
1362 	/* verify key dname == sig signer name */
1363 	if(query_dname_compare(signer, dnskey->rk.dname) != 0) {
1364 		verbose(VERB_QUERY, "verify: wrong key for rrsig");
1365 		log_nametypeclass(VERB_QUERY, "RRSIG signername is",
1366 			signer, 0, 0);
1367 		log_nametypeclass(VERB_QUERY, "the key name is",
1368 			dnskey->rk.dname, 0, 0);
1369 		*reason = "signer name mismatches key name";
1370 		return sec_status_bogus;
1371 	}
1372 
1373 	/* verify covered type */
1374 	/* memcmp works because type is in network format for rrset */
1375 	if(memcmp(sig+2, &rrset->rk.type, 2) != 0) {
1376 		verbose(VERB_QUERY, "verify: wrong type covered");
1377 		*reason = "signature covers wrong type";
1378 		return sec_status_bogus;
1379 	}
1380 	/* verify keytag and sig algo (possibly again) */
1381 	if((int)sig[2+2] != dnskey_get_algo(dnskey, dnskey_idx)) {
1382 		verbose(VERB_QUERY, "verify: wrong algorithm");
1383 		*reason = "signature has wrong algorithm";
1384 		return sec_status_bogus;
1385 	}
1386 	ktag = htons(dnskey_calc_keytag(dnskey, dnskey_idx));
1387 	if(memcmp(sig+2+16, &ktag, 2) != 0) {
1388 		verbose(VERB_QUERY, "verify: wrong keytag");
1389 		*reason = "signature has wrong keytag";
1390 		return sec_status_bogus;
1391 	}
1392 
1393 	/* verify labels is in a valid range */
1394 	if((int)sig[2+3] > dname_signame_label_count(rrset->rk.dname)) {
1395 		verbose(VERB_QUERY, "verify: labelcount out of range");
1396 		*reason = "signature labelcount out of range";
1397 		return sec_status_bogus;
1398 	}
1399 
1400 	/* original ttl, always ok */
1401 
1402 	if(!*buf_canon) {
1403 		/* create rrset canonical format in buffer, ready for
1404 		 * signature */
1405 		if(!rrset_canonical(region, buf, rrset, sig+2,
1406 			18 + signer_len, sortree)) {
1407 			log_err("verify: failed due to alloc error");
1408 			return sec_status_unchecked;
1409 		}
1410 		*buf_canon = 1;
1411 	}
1412 
1413 	/* check that dnskey is available */
1414 	dnskey_get_pubkey(dnskey, dnskey_idx, &key, &keylen);
1415 	if(!key) {
1416 		verbose(VERB_QUERY, "verify: short DNSKEY RR");
1417 		return sec_status_unchecked;
1418 	}
1419 
1420 	/* verify */
1421 	sec = verify_canonrrset(buf, (int)sig[2+2],
1422 		sigblock, sigblock_len, key, keylen, reason);
1423 
1424 	if(sec == sec_status_secure) {
1425 		/* check if TTL is too high - reduce if so */
1426 		adjust_ttl(ve, now, rrset, sig+2+4, sig+2+8, sig+2+12);
1427 
1428 		/* verify inception, expiration dates
1429 		 * Do this last so that if you ignore expired-sigs the
1430 		 * rest is sure to be OK. */
1431 		if(!check_dates(ve, now, sig+2+8, sig+2+12, reason)) {
1432 			return sec_status_bogus;
1433 		}
1434 	}
1435 
1436 	return sec;
1437 }
1438