1 /* 2 * validator/val_sigcrypt.c - validator signature crypto functions. 3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains helper functions for the validator module. 40 * The functions help with signature verification and checking, the 41 * bridging between RR wireformat data and crypto calls. 42 */ 43 #include "config.h" 44 #include "validator/val_sigcrypt.h" 45 #include "validator/val_secalgo.h" 46 #include "validator/validator.h" 47 #include "util/data/msgreply.h" 48 #include "util/data/msgparse.h" 49 #include "util/data/dname.h" 50 #include "util/rbtree.h" 51 #include "util/rfc_1982.h" 52 #include "util/module.h" 53 #include "util/net_help.h" 54 #include "util/regional.h" 55 #include "util/config_file.h" 56 #include "sldns/keyraw.h" 57 #include "sldns/sbuffer.h" 58 #include "sldns/parseutil.h" 59 #include "sldns/wire2str.h" 60 #include "services/mesh.h" 61 62 #include <ctype.h> 63 #if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE) 64 #error "Need crypto library to do digital signature cryptography" 65 #endif 66 67 #ifdef HAVE_OPENSSL_ERR_H 68 #include <openssl/err.h> 69 #endif 70 71 #ifdef HAVE_OPENSSL_RAND_H 72 #include <openssl/rand.h> 73 #endif 74 75 #ifdef HAVE_OPENSSL_CONF_H 76 #include <openssl/conf.h> 77 #endif 78 79 #ifdef HAVE_OPENSSL_ENGINE_H 80 #include <openssl/engine.h> 81 #endif 82 83 /** Maximum number of RRSIG validations for an RRset. */ 84 #define MAX_VALIDATE_RRSIGS 8 85 86 /** return number of rrs in an rrset */ 87 static size_t 88 rrset_get_count(struct ub_packed_rrset_key* rrset) 89 { 90 struct packed_rrset_data* d = (struct packed_rrset_data*) 91 rrset->entry.data; 92 if(!d) return 0; 93 return d->count; 94 } 95 96 /** 97 * Get RR signature count 98 */ 99 static size_t 100 rrset_get_sigcount(struct ub_packed_rrset_key* k) 101 { 102 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; 103 return d->rrsig_count; 104 } 105 106 /** 107 * Get signature keytag value 108 * @param k: rrset (with signatures) 109 * @param sig_idx: signature index. 110 * @return keytag or 0 if malformed rrsig. 111 */ 112 static uint16_t 113 rrset_get_sig_keytag(struct ub_packed_rrset_key* k, size_t sig_idx) 114 { 115 uint16_t t; 116 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; 117 log_assert(sig_idx < d->rrsig_count); 118 if(d->rr_len[d->count + sig_idx] < 2+18) 119 return 0; 120 memmove(&t, d->rr_data[d->count + sig_idx]+2+16, 2); 121 return ntohs(t); 122 } 123 124 /** 125 * Get signature signing algorithm value 126 * @param k: rrset (with signatures) 127 * @param sig_idx: signature index. 128 * @return algo or 0 if malformed rrsig. 129 */ 130 static int 131 rrset_get_sig_algo(struct ub_packed_rrset_key* k, size_t sig_idx) 132 { 133 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; 134 log_assert(sig_idx < d->rrsig_count); 135 if(d->rr_len[d->count + sig_idx] < 2+3) 136 return 0; 137 return (int)d->rr_data[d->count + sig_idx][2+2]; 138 } 139 140 /** get rdata pointer and size */ 141 static void 142 rrset_get_rdata(struct ub_packed_rrset_key* k, size_t idx, uint8_t** rdata, 143 size_t* len) 144 { 145 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; 146 log_assert(d && idx < (d->count + d->rrsig_count)); 147 *rdata = d->rr_data[idx]; 148 *len = d->rr_len[idx]; 149 } 150 151 uint16_t 152 dnskey_get_flags(struct ub_packed_rrset_key* k, size_t idx) 153 { 154 uint8_t* rdata; 155 size_t len; 156 uint16_t f; 157 rrset_get_rdata(k, idx, &rdata, &len); 158 if(len < 2+2) 159 return 0; 160 memmove(&f, rdata+2, 2); 161 f = ntohs(f); 162 return f; 163 } 164 165 /** 166 * Get DNSKEY protocol value from rdata 167 * @param k: DNSKEY rrset. 168 * @param idx: which key. 169 * @return protocol octet value 170 */ 171 static int 172 dnskey_get_protocol(struct ub_packed_rrset_key* k, size_t idx) 173 { 174 uint8_t* rdata; 175 size_t len; 176 rrset_get_rdata(k, idx, &rdata, &len); 177 if(len < 2+4) 178 return 0; 179 return (int)rdata[2+2]; 180 } 181 182 int 183 dnskey_get_algo(struct ub_packed_rrset_key* k, size_t idx) 184 { 185 uint8_t* rdata; 186 size_t len; 187 rrset_get_rdata(k, idx, &rdata, &len); 188 if(len < 2+4) 189 return 0; 190 return (int)rdata[2+3]; 191 } 192 193 /** get public key rdata field from a dnskey RR and do some checks */ 194 static void 195 dnskey_get_pubkey(struct ub_packed_rrset_key* k, size_t idx, 196 unsigned char** pk, unsigned int* pklen) 197 { 198 uint8_t* rdata; 199 size_t len; 200 rrset_get_rdata(k, idx, &rdata, &len); 201 if(len < 2+5) { 202 *pk = NULL; 203 *pklen = 0; 204 return; 205 } 206 *pk = (unsigned char*)rdata+2+4; 207 *pklen = (unsigned)len-2-4; 208 } 209 210 int 211 ds_get_key_algo(struct ub_packed_rrset_key* k, size_t idx) 212 { 213 uint8_t* rdata; 214 size_t len; 215 rrset_get_rdata(k, idx, &rdata, &len); 216 if(len < 2+3) 217 return 0; 218 return (int)rdata[2+2]; 219 } 220 221 int 222 ds_get_digest_algo(struct ub_packed_rrset_key* k, size_t idx) 223 { 224 uint8_t* rdata; 225 size_t len; 226 rrset_get_rdata(k, idx, &rdata, &len); 227 if(len < 2+4) 228 return 0; 229 return (int)rdata[2+3]; 230 } 231 232 uint16_t 233 ds_get_keytag(struct ub_packed_rrset_key* ds_rrset, size_t ds_idx) 234 { 235 uint16_t t; 236 uint8_t* rdata; 237 size_t len; 238 rrset_get_rdata(ds_rrset, ds_idx, &rdata, &len); 239 if(len < 2+2) 240 return 0; 241 memmove(&t, rdata+2, 2); 242 return ntohs(t); 243 } 244 245 /** 246 * Return pointer to the digest in a DS RR. 247 * @param k: DS rrset. 248 * @param idx: which DS. 249 * @param digest: digest data is returned. 250 * on error, this is NULL. 251 * @param len: length of digest is returned. 252 * on error, the length is 0. 253 */ 254 static void 255 ds_get_sigdata(struct ub_packed_rrset_key* k, size_t idx, uint8_t** digest, 256 size_t* len) 257 { 258 uint8_t* rdata; 259 size_t rdlen; 260 rrset_get_rdata(k, idx, &rdata, &rdlen); 261 if(rdlen < 2+5) { 262 *digest = NULL; 263 *len = 0; 264 return; 265 } 266 *digest = rdata + 2 + 4; 267 *len = rdlen - 2 - 4; 268 } 269 270 /** 271 * Return size of DS digest according to its hash algorithm. 272 * @param k: DS rrset. 273 * @param idx: which DS. 274 * @return size in bytes of digest, or 0 if not supported. 275 */ 276 static size_t 277 ds_digest_size_algo(struct ub_packed_rrset_key* k, size_t idx) 278 { 279 return ds_digest_size_supported(ds_get_digest_algo(k, idx)); 280 } 281 282 /** 283 * Create a DS digest for a DNSKEY entry. 284 * 285 * @param env: module environment. Uses scratch space. 286 * @param dnskey_rrset: DNSKEY rrset. 287 * @param dnskey_idx: index of RR in rrset. 288 * @param ds_rrset: DS rrset 289 * @param ds_idx: index of RR in DS rrset. 290 * @param digest: digest is returned in here (must be correctly sized). 291 * @return false on error. 292 */ 293 static int 294 ds_create_dnskey_digest(struct module_env* env, 295 struct ub_packed_rrset_key* dnskey_rrset, size_t dnskey_idx, 296 struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, 297 uint8_t* digest) 298 { 299 sldns_buffer* b = env->scratch_buffer; 300 uint8_t* dnskey_rdata; 301 size_t dnskey_len; 302 rrset_get_rdata(dnskey_rrset, dnskey_idx, &dnskey_rdata, &dnskey_len); 303 304 /* create digest source material in buffer 305 * digest = digest_algorithm( DNSKEY owner name | DNSKEY RDATA); 306 * DNSKEY RDATA = Flags | Protocol | Algorithm | Public Key. */ 307 sldns_buffer_clear(b); 308 sldns_buffer_write(b, dnskey_rrset->rk.dname, 309 dnskey_rrset->rk.dname_len); 310 query_dname_tolower(sldns_buffer_begin(b)); 311 sldns_buffer_write(b, dnskey_rdata+2, dnskey_len-2); /* skip rdatalen*/ 312 sldns_buffer_flip(b); 313 314 return secalgo_ds_digest(ds_get_digest_algo(ds_rrset, ds_idx), 315 (unsigned char*)sldns_buffer_begin(b), sldns_buffer_limit(b), 316 (unsigned char*)digest); 317 } 318 319 int ds_digest_match_dnskey(struct module_env* env, 320 struct ub_packed_rrset_key* dnskey_rrset, size_t dnskey_idx, 321 struct ub_packed_rrset_key* ds_rrset, size_t ds_idx) 322 { 323 uint8_t* ds; /* DS digest */ 324 size_t dslen; 325 uint8_t* digest; /* generated digest */ 326 size_t digestlen = ds_digest_size_algo(ds_rrset, ds_idx); 327 328 if(digestlen == 0) { 329 verbose(VERB_QUERY, "DS fail: not supported, or DS RR " 330 "format error"); 331 return 0; /* not supported, or DS RR format error */ 332 } 333 #ifndef USE_SHA1 334 if(fake_sha1 && ds_get_digest_algo(ds_rrset, ds_idx)==LDNS_SHA1) 335 return 1; 336 #endif 337 338 /* check digest length in DS with length from hash function */ 339 ds_get_sigdata(ds_rrset, ds_idx, &ds, &dslen); 340 if(!ds || dslen != digestlen) { 341 verbose(VERB_QUERY, "DS fail: DS RR algo and digest do not " 342 "match each other"); 343 return 0; /* DS algorithm and digest do not match */ 344 } 345 346 digest = regional_alloc(env->scratch, digestlen); 347 if(!digest) { 348 verbose(VERB_QUERY, "DS fail: out of memory"); 349 return 0; /* mem error */ 350 } 351 if(!ds_create_dnskey_digest(env, dnskey_rrset, dnskey_idx, ds_rrset, 352 ds_idx, digest)) { 353 verbose(VERB_QUERY, "DS fail: could not calc key digest"); 354 return 0; /* digest algo failed */ 355 } 356 if(memcmp(digest, ds, dslen) != 0) { 357 verbose(VERB_QUERY, "DS fail: digest is different"); 358 return 0; /* digest different */ 359 } 360 return 1; 361 } 362 363 int 364 ds_digest_algo_is_supported(struct ub_packed_rrset_key* ds_rrset, 365 size_t ds_idx) 366 { 367 return (ds_digest_size_algo(ds_rrset, ds_idx) != 0); 368 } 369 370 int 371 ds_key_algo_is_supported(struct ub_packed_rrset_key* ds_rrset, 372 size_t ds_idx) 373 { 374 return dnskey_algo_id_is_supported(ds_get_key_algo(ds_rrset, ds_idx)); 375 } 376 377 uint16_t 378 dnskey_calc_keytag(struct ub_packed_rrset_key* dnskey_rrset, size_t dnskey_idx) 379 { 380 uint8_t* data; 381 size_t len; 382 rrset_get_rdata(dnskey_rrset, dnskey_idx, &data, &len); 383 /* do not pass rdatalen to ldns */ 384 return sldns_calc_keytag_raw(data+2, len-2); 385 } 386 387 int dnskey_algo_is_supported(struct ub_packed_rrset_key* dnskey_rrset, 388 size_t dnskey_idx) 389 { 390 return dnskey_algo_id_is_supported(dnskey_get_algo(dnskey_rrset, 391 dnskey_idx)); 392 } 393 394 int dnskey_size_is_supported(struct ub_packed_rrset_key* dnskey_rrset, 395 size_t dnskey_idx) 396 { 397 #ifdef DEPRECATE_RSA_1024 398 uint8_t* rdata; 399 size_t len; 400 int alg = dnskey_get_algo(dnskey_rrset, dnskey_idx); 401 size_t keysize; 402 403 rrset_get_rdata(dnskey_rrset, dnskey_idx, &rdata, &len); 404 if(len < 2+4) 405 return 0; 406 keysize = sldns_rr_dnskey_key_size_raw(rdata+2+4, len-2-4, alg); 407 408 switch((sldns_algorithm)alg) { 409 case LDNS_RSAMD5: 410 case LDNS_RSASHA1: 411 case LDNS_RSASHA1_NSEC3: 412 case LDNS_RSASHA256: 413 case LDNS_RSASHA512: 414 /* reject RSA keys of 1024 bits and shorter */ 415 if(keysize <= 1024) 416 return 0; 417 break; 418 default: 419 break; 420 } 421 #else 422 (void)dnskey_rrset; (void)dnskey_idx; 423 #endif /* DEPRECATE_RSA_1024 */ 424 return 1; 425 } 426 427 int dnskeyset_size_is_supported(struct ub_packed_rrset_key* dnskey_rrset) 428 { 429 size_t i, num = rrset_get_count(dnskey_rrset); 430 for(i=0; i<num; i++) { 431 if(!dnskey_size_is_supported(dnskey_rrset, i)) 432 return 0; 433 } 434 return 1; 435 } 436 437 void algo_needs_init_dnskey_add(struct algo_needs* n, 438 struct ub_packed_rrset_key* dnskey, uint8_t* sigalg) 439 { 440 uint8_t algo; 441 size_t i, total = n->num; 442 size_t num = rrset_get_count(dnskey); 443 444 for(i=0; i<num; i++) { 445 algo = (uint8_t)dnskey_get_algo(dnskey, i); 446 if(!dnskey_algo_id_is_supported((int)algo)) 447 continue; 448 if(n->needs[algo] == 0) { 449 n->needs[algo] = 1; 450 sigalg[total] = algo; 451 total++; 452 } 453 } 454 sigalg[total] = 0; 455 n->num = total; 456 } 457 458 void algo_needs_init_list(struct algo_needs* n, uint8_t* sigalg) 459 { 460 uint8_t algo; 461 size_t total = 0; 462 463 memset(n->needs, 0, sizeof(uint8_t)*ALGO_NEEDS_MAX); 464 while( (algo=*sigalg++) != 0) { 465 log_assert(dnskey_algo_id_is_supported((int)algo)); 466 log_assert(n->needs[algo] == 0); 467 n->needs[algo] = 1; 468 total++; 469 } 470 n->num = total; 471 } 472 473 void algo_needs_init_ds(struct algo_needs* n, struct ub_packed_rrset_key* ds, 474 int fav_ds_algo, uint8_t* sigalg) 475 { 476 uint8_t algo; 477 size_t i, total = 0; 478 size_t num = rrset_get_count(ds); 479 480 memset(n->needs, 0, sizeof(uint8_t)*ALGO_NEEDS_MAX); 481 for(i=0; i<num; i++) { 482 if(ds_get_digest_algo(ds, i) != fav_ds_algo) 483 continue; 484 algo = (uint8_t)ds_get_key_algo(ds, i); 485 if(!dnskey_algo_id_is_supported((int)algo)) 486 continue; 487 log_assert(algo != 0); /* we do not support 0 and is EOS */ 488 if(n->needs[algo] == 0) { 489 n->needs[algo] = 1; 490 sigalg[total] = algo; 491 total++; 492 } 493 } 494 sigalg[total] = 0; 495 n->num = total; 496 } 497 498 int algo_needs_set_secure(struct algo_needs* n, uint8_t algo) 499 { 500 if(n->needs[algo]) { 501 n->needs[algo] = 0; 502 n->num --; 503 if(n->num == 0) /* done! */ 504 return 1; 505 } 506 return 0; 507 } 508 509 void algo_needs_set_bogus(struct algo_needs* n, uint8_t algo) 510 { 511 if(n->needs[algo]) n->needs[algo] = 2; /* need it, but bogus */ 512 } 513 514 size_t algo_needs_num_missing(struct algo_needs* n) 515 { 516 return n->num; 517 } 518 519 int algo_needs_missing(struct algo_needs* n) 520 { 521 int i, miss = -1; 522 /* check if a needed algo was bogus - report that; 523 * check the first missing algo - report that; 524 * or return 0 */ 525 for(i=0; i<ALGO_NEEDS_MAX; i++) { 526 if(n->needs[i] == 2) 527 return 0; 528 if(n->needs[i] == 1 && miss == -1) 529 miss = i; 530 } 531 if(miss != -1) return miss; 532 return 0; 533 } 534 535 /** 536 * verify rrset, with dnskey rrset, for a specific rrsig in rrset 537 * @param env: module environment, scratch space is used. 538 * @param ve: validator environment, date settings. 539 * @param now: current time for validation (can be overridden). 540 * @param rrset: to be validated. 541 * @param dnskey: DNSKEY rrset, keyset to try. 542 * @param sig_idx: which signature to try to validate. 543 * @param sortree: reused sorted order. Stored in region. Pass NULL at start, 544 * and for a new rrset. 545 * @param reason: if bogus, a string returned, fixed or alloced in scratch. 546 * @param reason_bogus: EDE (RFC8914) code paired with the reason of failure. 547 * @param section: section of packet where this rrset comes from. 548 * @param qstate: qstate with region. 549 * @param numverified: incremented when the number of RRSIG validations 550 * increases. 551 * @return secure if any key signs *this* signature. bogus if no key signs it, 552 * unchecked on error, or indeterminate if all keys are not supported by 553 * the crypto library (openssl3+ only). 554 */ 555 static enum sec_status 556 dnskeyset_verify_rrset_sig(struct module_env* env, struct val_env* ve, 557 time_t now, struct ub_packed_rrset_key* rrset, 558 struct ub_packed_rrset_key* dnskey, size_t sig_idx, 559 struct rbtree_type** sortree, 560 char** reason, sldns_ede_code *reason_bogus, 561 sldns_pkt_section section, struct module_qstate* qstate, 562 int* numverified) 563 { 564 /* find matching keys and check them */ 565 enum sec_status sec = sec_status_bogus; 566 uint16_t tag = rrset_get_sig_keytag(rrset, sig_idx); 567 int algo = rrset_get_sig_algo(rrset, sig_idx); 568 size_t i, num = rrset_get_count(dnskey); 569 size_t numchecked = 0; 570 size_t numindeterminate = 0; 571 int buf_canon = 0; 572 verbose(VERB_ALGO, "verify sig %d %d", (int)tag, algo); 573 if(!dnskey_algo_id_is_supported(algo)) { 574 if(reason_bogus) 575 *reason_bogus = LDNS_EDE_UNSUPPORTED_DNSKEY_ALG; 576 verbose(VERB_QUERY, "verify sig: unknown algorithm"); 577 return sec_status_insecure; 578 } 579 580 for(i=0; i<num; i++) { 581 /* see if key matches keytag and algo */ 582 if(algo != dnskey_get_algo(dnskey, i) || 583 tag != dnskey_calc_keytag(dnskey, i)) 584 continue; 585 numchecked ++; 586 (*numverified)++; 587 588 /* see if key verifies */ 589 sec = dnskey_verify_rrset_sig(env->scratch, 590 env->scratch_buffer, ve, now, rrset, dnskey, i, 591 sig_idx, sortree, &buf_canon, reason, reason_bogus, 592 section, qstate); 593 if(sec == sec_status_secure) 594 return sec; 595 else if(sec == sec_status_indeterminate) 596 numindeterminate ++; 597 if(*numverified > MAX_VALIDATE_RRSIGS) { 598 *reason = "too many RRSIG validations"; 599 if(reason_bogus) 600 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 601 verbose(VERB_ALGO, "verify sig: too many RRSIG validations"); 602 return sec_status_bogus; 603 } 604 } 605 if(numchecked == 0) { 606 *reason = "signatures from unknown keys"; 607 if(reason_bogus) 608 *reason_bogus = LDNS_EDE_DNSKEY_MISSING; 609 verbose(VERB_QUERY, "verify: could not find appropriate key"); 610 return sec_status_bogus; 611 } 612 if(numindeterminate == numchecked) { 613 *reason = "unsupported algorithm by crypto library"; 614 if(reason_bogus) 615 *reason_bogus = LDNS_EDE_UNSUPPORTED_DNSKEY_ALG; 616 verbose(VERB_ALGO, "verify sig: unsupported algorithm by " 617 "crypto library"); 618 return sec_status_indeterminate; 619 } 620 return sec_status_bogus; 621 } 622 623 enum sec_status 624 dnskeyset_verify_rrset(struct module_env* env, struct val_env* ve, 625 struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, 626 uint8_t* sigalg, char** reason, sldns_ede_code *reason_bogus, 627 sldns_pkt_section section, struct module_qstate* qstate, int* verified, 628 char* reasonbuf, size_t reasonlen) 629 { 630 enum sec_status sec; 631 size_t i, num; 632 rbtree_type* sortree = NULL; 633 /* make sure that for all DNSKEY algorithms there are valid sigs */ 634 struct algo_needs needs; 635 int alg; 636 *verified = 0; 637 638 num = rrset_get_sigcount(rrset); 639 if(num == 0) { 640 verbose(VERB_QUERY, "rrset failed to verify due to a lack of " 641 "signatures"); 642 *reason = "no signatures"; 643 if(reason_bogus) 644 *reason_bogus = LDNS_EDE_RRSIGS_MISSING; 645 return sec_status_bogus; 646 } 647 648 if(sigalg) { 649 algo_needs_init_list(&needs, sigalg); 650 if(algo_needs_num_missing(&needs) == 0) { 651 verbose(VERB_QUERY, "zone has no known algorithms"); 652 *reason = "zone has no known algorithms"; 653 if(reason_bogus) 654 *reason_bogus = LDNS_EDE_UNSUPPORTED_DNSKEY_ALG; 655 return sec_status_insecure; 656 } 657 } 658 for(i=0; i<num; i++) { 659 sec = dnskeyset_verify_rrset_sig(env, ve, *env->now, rrset, 660 dnskey, i, &sortree, reason, reason_bogus, 661 section, qstate, verified); 662 /* see which algorithm has been fixed up */ 663 if(sec == sec_status_secure) { 664 if(!sigalg) 665 return sec; /* done! */ 666 else if(algo_needs_set_secure(&needs, 667 (uint8_t)rrset_get_sig_algo(rrset, i))) 668 return sec; /* done! */ 669 } else if(sigalg && sec == sec_status_bogus) { 670 algo_needs_set_bogus(&needs, 671 (uint8_t)rrset_get_sig_algo(rrset, i)); 672 } 673 if(*verified > MAX_VALIDATE_RRSIGS) { 674 verbose(VERB_QUERY, "rrset failed to verify, too many RRSIG validations"); 675 *reason = "too many RRSIG validations"; 676 if(reason_bogus) 677 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 678 return sec_status_bogus; 679 } 680 } 681 if(sigalg && (alg=algo_needs_missing(&needs)) != 0) { 682 verbose(VERB_ALGO, "rrset failed to verify: " 683 "no valid signatures for %d algorithms", 684 (int)algo_needs_num_missing(&needs)); 685 algo_needs_reason(alg, reason, "no signatures", reasonbuf, 686 reasonlen); 687 } else { 688 verbose(VERB_ALGO, "rrset failed to verify: " 689 "no valid signatures"); 690 } 691 return sec_status_bogus; 692 } 693 694 void algo_needs_reason(int alg, char** reason, char* s, char* reasonbuf, 695 size_t reasonlen) 696 { 697 sldns_lookup_table *t = sldns_lookup_by_id(sldns_algorithms, alg); 698 if(t&&t->name) 699 snprintf(reasonbuf, reasonlen, "%s with algorithm %s", s, 700 t->name); 701 else snprintf(reasonbuf, reasonlen, "%s with algorithm ALG%u", s, 702 (unsigned)alg); 703 *reason = reasonbuf; 704 } 705 706 enum sec_status 707 dnskey_verify_rrset(struct module_env* env, struct val_env* ve, 708 struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, 709 size_t dnskey_idx, char** reason, sldns_ede_code *reason_bogus, 710 sldns_pkt_section section, struct module_qstate* qstate) 711 { 712 enum sec_status sec; 713 size_t i, num, numchecked = 0, numindeterminate = 0; 714 rbtree_type* sortree = NULL; 715 int buf_canon = 0; 716 uint16_t tag = dnskey_calc_keytag(dnskey, dnskey_idx); 717 int algo = dnskey_get_algo(dnskey, dnskey_idx); 718 int numverified = 0; 719 720 num = rrset_get_sigcount(rrset); 721 if(num == 0) { 722 verbose(VERB_QUERY, "rrset failed to verify due to a lack of " 723 "signatures"); 724 *reason = "no signatures"; 725 if(reason_bogus) 726 *reason_bogus = LDNS_EDE_RRSIGS_MISSING; 727 return sec_status_bogus; 728 } 729 for(i=0; i<num; i++) { 730 /* see if sig matches keytag and algo */ 731 if(algo != rrset_get_sig_algo(rrset, i) || 732 tag != rrset_get_sig_keytag(rrset, i)) 733 continue; 734 buf_canon = 0; 735 sec = dnskey_verify_rrset_sig(env->scratch, 736 env->scratch_buffer, ve, *env->now, rrset, 737 dnskey, dnskey_idx, i, &sortree, &buf_canon, reason, 738 reason_bogus, section, qstate); 739 if(sec == sec_status_secure) 740 return sec; 741 numchecked ++; 742 numverified ++; 743 if(sec == sec_status_indeterminate) 744 numindeterminate ++; 745 if(numverified > MAX_VALIDATE_RRSIGS) { 746 verbose(VERB_QUERY, "rrset failed to verify, too many RRSIG validations"); 747 *reason = "too many RRSIG validations"; 748 if(reason_bogus) 749 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 750 return sec_status_bogus; 751 } 752 } 753 if(!numchecked) { 754 *reason = "signature for expected key and algorithm missing"; 755 if(reason_bogus) 756 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 757 } else if(numchecked == numindeterminate) { 758 verbose(VERB_ALGO, "rrset failed to verify due to algorithm " 759 "refusal by cryptolib"); 760 if(reason_bogus) 761 *reason_bogus = LDNS_EDE_UNSUPPORTED_DNSKEY_ALG; 762 *reason = "algorithm refused by cryptolib"; 763 return sec_status_indeterminate; 764 } 765 verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus"); 766 return sec_status_bogus; 767 } 768 769 /** 770 * RR entries in a canonical sorted tree of RRs 771 */ 772 struct canon_rr { 773 /** rbtree node, key is this structure */ 774 rbnode_type node; 775 /** rrset the RR is in */ 776 struct ub_packed_rrset_key* rrset; 777 /** which RR in the rrset */ 778 size_t rr_idx; 779 }; 780 781 /** 782 * Compare two RR for canonical order, in a field-style sweep. 783 * @param d: rrset data 784 * @param desc: ldns wireformat descriptor. 785 * @param i: first RR to compare 786 * @param j: first RR to compare 787 * @return comparison code. 788 */ 789 static int 790 canonical_compare_byfield(struct packed_rrset_data* d, 791 const sldns_rr_descriptor* desc, size_t i, size_t j) 792 { 793 /* sweep across rdata, keep track of some state: 794 * which rr field, and bytes left in field. 795 * current position in rdata, length left. 796 * are we in a dname, length left in a label. 797 */ 798 int wfi = -1; /* current wireformat rdata field (rdf) */ 799 int wfj = -1; 800 uint8_t* di = d->rr_data[i]+2; /* ptr to current rdata byte */ 801 uint8_t* dj = d->rr_data[j]+2; 802 size_t ilen = d->rr_len[i]-2; /* length left in rdata */ 803 size_t jlen = d->rr_len[j]-2; 804 int dname_i = 0; /* true if these bytes are part of a name */ 805 int dname_j = 0; 806 size_t lablen_i = 0; /* 0 for label length byte,for first byte of rdf*/ 807 size_t lablen_j = 0; /* otherwise remaining length of rdf or label */ 808 int dname_num_i = (int)desc->_dname_count; /* decreased at root label */ 809 int dname_num_j = (int)desc->_dname_count; 810 811 /* loop while there are rdata bytes available for both rrs, 812 * and still some lowercasing needs to be done; either the dnames 813 * have not been reached yet, or they are currently being processed */ 814 while(ilen > 0 && jlen > 0 && (dname_num_i > 0 || dname_num_j > 0)) { 815 /* compare these two bytes */ 816 /* lowercase if in a dname and not a label length byte */ 817 if( ((dname_i && lablen_i)?(uint8_t)tolower((int)*di):*di) 818 != ((dname_j && lablen_j)?(uint8_t)tolower((int)*dj):*dj) 819 ) { 820 if(((dname_i && lablen_i)?(uint8_t)tolower((int)*di):*di) 821 < ((dname_j && lablen_j)?(uint8_t)tolower((int)*dj):*dj)) 822 return -1; 823 return 1; 824 } 825 ilen--; 826 jlen--; 827 /* bytes are equal */ 828 829 /* advance field i */ 830 /* lablen 0 means that this byte is the first byte of the 831 * next rdata field; inspect this rdata field and setup 832 * to process the rest of this rdata field. 833 * The reason to first read the byte, then setup the rdf, 834 * is that we are then sure the byte is available and short 835 * rdata is handled gracefully (even if it is a formerr). */ 836 if(lablen_i == 0) { 837 if(dname_i) { 838 /* scan this dname label */ 839 /* capture length to lowercase */ 840 lablen_i = (size_t)*di; 841 if(lablen_i == 0) { 842 /* end root label */ 843 dname_i = 0; 844 dname_num_i--; 845 /* if dname num is 0, then the 846 * remainder is binary only */ 847 if(dname_num_i == 0) 848 lablen_i = ilen; 849 } 850 } else { 851 /* scan this rdata field */ 852 wfi++; 853 if(desc->_wireformat[wfi] 854 == LDNS_RDF_TYPE_DNAME) { 855 dname_i = 1; 856 lablen_i = (size_t)*di; 857 if(lablen_i == 0) { 858 dname_i = 0; 859 dname_num_i--; 860 if(dname_num_i == 0) 861 lablen_i = ilen; 862 } 863 } else if(desc->_wireformat[wfi] 864 == LDNS_RDF_TYPE_STR) 865 lablen_i = (size_t)*di; 866 else lablen_i = get_rdf_size( 867 desc->_wireformat[wfi]) - 1; 868 } 869 } else lablen_i--; 870 871 /* advance field j; same as for i */ 872 if(lablen_j == 0) { 873 if(dname_j) { 874 lablen_j = (size_t)*dj; 875 if(lablen_j == 0) { 876 dname_j = 0; 877 dname_num_j--; 878 if(dname_num_j == 0) 879 lablen_j = jlen; 880 } 881 } else { 882 wfj++; 883 if(desc->_wireformat[wfj] 884 == LDNS_RDF_TYPE_DNAME) { 885 dname_j = 1; 886 lablen_j = (size_t)*dj; 887 if(lablen_j == 0) { 888 dname_j = 0; 889 dname_num_j--; 890 if(dname_num_j == 0) 891 lablen_j = jlen; 892 } 893 } else if(desc->_wireformat[wfj] 894 == LDNS_RDF_TYPE_STR) 895 lablen_j = (size_t)*dj; 896 else lablen_j = get_rdf_size( 897 desc->_wireformat[wfj]) - 1; 898 } 899 } else lablen_j--; 900 di++; 901 dj++; 902 } 903 /* end of the loop; because we advanced byte by byte; now we have 904 * that the rdata has ended, or that there is a binary remainder */ 905 /* shortest first */ 906 if(ilen == 0 && jlen == 0) 907 return 0; 908 if(ilen == 0) 909 return -1; 910 if(jlen == 0) 911 return 1; 912 /* binary remainder, capture comparison in wfi variable */ 913 if((wfi = memcmp(di, dj, (ilen<jlen)?ilen:jlen)) != 0) 914 return wfi; 915 if(ilen < jlen) 916 return -1; 917 if(jlen < ilen) 918 return 1; 919 return 0; 920 } 921 922 /** 923 * Compare two RRs in the same RRset and determine their relative 924 * canonical order. 925 * @param rrset: the rrset in which to perform compares. 926 * @param i: first RR to compare 927 * @param j: first RR to compare 928 * @return 0 if RR i== RR j, -1 if <, +1 if >. 929 */ 930 static int 931 canonical_compare(struct ub_packed_rrset_key* rrset, size_t i, size_t j) 932 { 933 struct packed_rrset_data* d = (struct packed_rrset_data*) 934 rrset->entry.data; 935 const sldns_rr_descriptor* desc; 936 uint16_t type = ntohs(rrset->rk.type); 937 size_t minlen; 938 int c; 939 940 if(i==j) 941 return 0; 942 943 switch(type) { 944 /* These RR types have only a name as RDATA. 945 * This name has to be canonicalized.*/ 946 case LDNS_RR_TYPE_NS: 947 case LDNS_RR_TYPE_MD: 948 case LDNS_RR_TYPE_MF: 949 case LDNS_RR_TYPE_CNAME: 950 case LDNS_RR_TYPE_MB: 951 case LDNS_RR_TYPE_MG: 952 case LDNS_RR_TYPE_MR: 953 case LDNS_RR_TYPE_PTR: 954 case LDNS_RR_TYPE_DNAME: 955 /* the wireread function has already checked these 956 * dname's for correctness, and this double checks */ 957 if(!dname_valid(d->rr_data[i]+2, d->rr_len[i]-2) || 958 !dname_valid(d->rr_data[j]+2, d->rr_len[j]-2)) 959 return 0; 960 return query_dname_compare(d->rr_data[i]+2, 961 d->rr_data[j]+2); 962 963 /* These RR types have STR and fixed size rdata fields 964 * before one or more name fields that need canonicalizing, 965 * and after that a byte-for byte remainder can be compared. 966 */ 967 /* type starts with the name; remainder is binary compared */ 968 case LDNS_RR_TYPE_NXT: 969 /* use rdata field formats */ 970 case LDNS_RR_TYPE_MINFO: 971 case LDNS_RR_TYPE_RP: 972 case LDNS_RR_TYPE_SOA: 973 case LDNS_RR_TYPE_RT: 974 case LDNS_RR_TYPE_AFSDB: 975 case LDNS_RR_TYPE_KX: 976 case LDNS_RR_TYPE_MX: 977 case LDNS_RR_TYPE_SIG: 978 /* RRSIG signer name has to be downcased */ 979 case LDNS_RR_TYPE_RRSIG: 980 case LDNS_RR_TYPE_PX: 981 case LDNS_RR_TYPE_NAPTR: 982 case LDNS_RR_TYPE_SRV: 983 desc = sldns_rr_descript(type); 984 log_assert(desc); 985 /* this holds for the types that need canonicalizing */ 986 log_assert(desc->_minimum == desc->_maximum); 987 return canonical_compare_byfield(d, desc, i, j); 988 989 case LDNS_RR_TYPE_HINFO: /* no longer downcased */ 990 case LDNS_RR_TYPE_NSEC: 991 default: 992 /* For unknown RR types, or types not listed above, 993 * no canonicalization is needed, do binary compare */ 994 /* byte for byte compare, equal means shortest first*/ 995 minlen = d->rr_len[i]-2; 996 if(minlen > d->rr_len[j]-2) 997 minlen = d->rr_len[j]-2; 998 c = memcmp(d->rr_data[i]+2, d->rr_data[j]+2, minlen); 999 if(c!=0) 1000 return c; 1001 /* rdata equal, shortest is first */ 1002 if(d->rr_len[i] < d->rr_len[j]) 1003 return -1; 1004 if(d->rr_len[i] > d->rr_len[j]) 1005 return 1; 1006 /* rdata equal, length equal */ 1007 break; 1008 } 1009 return 0; 1010 } 1011 1012 int 1013 canonical_tree_compare(const void* k1, const void* k2) 1014 { 1015 struct canon_rr* r1 = (struct canon_rr*)k1; 1016 struct canon_rr* r2 = (struct canon_rr*)k2; 1017 log_assert(r1->rrset == r2->rrset); 1018 return canonical_compare(r1->rrset, r1->rr_idx, r2->rr_idx); 1019 } 1020 1021 /** 1022 * Sort RRs for rrset in canonical order. 1023 * Does not actually canonicalize the RR rdatas. 1024 * Does not touch rrsigs. 1025 * @param rrset: to sort. 1026 * @param d: rrset data. 1027 * @param sortree: tree to sort into. 1028 * @param rrs: rr storage. 1029 */ 1030 static void 1031 canonical_sort(struct ub_packed_rrset_key* rrset, struct packed_rrset_data* d, 1032 rbtree_type* sortree, struct canon_rr* rrs) 1033 { 1034 size_t i; 1035 /* insert into rbtree to sort and detect duplicates */ 1036 for(i=0; i<d->count; i++) { 1037 rrs[i].node.key = &rrs[i]; 1038 rrs[i].rrset = rrset; 1039 rrs[i].rr_idx = i; 1040 if(!rbtree_insert(sortree, &rrs[i].node)) { 1041 /* this was a duplicate */ 1042 } 1043 } 1044 } 1045 1046 /** 1047 * Insert canonical owner name into buffer. 1048 * @param buf: buffer to insert into at current position. 1049 * @param k: rrset with its owner name. 1050 * @param sig: signature with signer name and label count. 1051 * must be length checked, at least 18 bytes long. 1052 * @param can_owner: position in buffer returned for future use. 1053 * @param can_owner_len: length of canonical owner name. 1054 */ 1055 static void 1056 insert_can_owner(sldns_buffer* buf, struct ub_packed_rrset_key* k, 1057 uint8_t* sig, uint8_t** can_owner, size_t* can_owner_len) 1058 { 1059 int rrsig_labels = (int)sig[3]; 1060 int fqdn_labels = dname_signame_label_count(k->rk.dname); 1061 *can_owner = sldns_buffer_current(buf); 1062 if(rrsig_labels == fqdn_labels) { 1063 /* no change */ 1064 sldns_buffer_write(buf, k->rk.dname, k->rk.dname_len); 1065 query_dname_tolower(*can_owner); 1066 *can_owner_len = k->rk.dname_len; 1067 return; 1068 } 1069 log_assert(rrsig_labels < fqdn_labels); 1070 /* *. | fqdn(rightmost rrsig_labels) */ 1071 if(rrsig_labels < fqdn_labels) { 1072 int i; 1073 uint8_t* nm = k->rk.dname; 1074 size_t len = k->rk.dname_len; 1075 /* so skip fqdn_labels-rrsig_labels */ 1076 for(i=0; i<fqdn_labels-rrsig_labels; i++) { 1077 dname_remove_label(&nm, &len); 1078 } 1079 *can_owner_len = len+2; 1080 sldns_buffer_write(buf, (uint8_t*)"\001*", 2); 1081 sldns_buffer_write(buf, nm, len); 1082 query_dname_tolower(*can_owner); 1083 } 1084 } 1085 1086 /** 1087 * Canonicalize Rdata in buffer. 1088 * @param buf: buffer at position just after the rdata. 1089 * @param rrset: rrset with type. 1090 * @param len: length of the rdata (including rdatalen uint16). 1091 */ 1092 static void 1093 canonicalize_rdata(sldns_buffer* buf, struct ub_packed_rrset_key* rrset, 1094 size_t len) 1095 { 1096 uint8_t* datstart = sldns_buffer_current(buf)-len+2; 1097 switch(ntohs(rrset->rk.type)) { 1098 case LDNS_RR_TYPE_NXT: 1099 case LDNS_RR_TYPE_NS: 1100 case LDNS_RR_TYPE_MD: 1101 case LDNS_RR_TYPE_MF: 1102 case LDNS_RR_TYPE_CNAME: 1103 case LDNS_RR_TYPE_MB: 1104 case LDNS_RR_TYPE_MG: 1105 case LDNS_RR_TYPE_MR: 1106 case LDNS_RR_TYPE_PTR: 1107 case LDNS_RR_TYPE_DNAME: 1108 /* type only has a single argument, the name */ 1109 query_dname_tolower(datstart); 1110 return; 1111 case LDNS_RR_TYPE_MINFO: 1112 case LDNS_RR_TYPE_RP: 1113 case LDNS_RR_TYPE_SOA: 1114 /* two names after another */ 1115 query_dname_tolower(datstart); 1116 query_dname_tolower(datstart + 1117 dname_valid(datstart, len-2)); 1118 return; 1119 case LDNS_RR_TYPE_RT: 1120 case LDNS_RR_TYPE_AFSDB: 1121 case LDNS_RR_TYPE_KX: 1122 case LDNS_RR_TYPE_MX: 1123 /* skip fixed part */ 1124 if(len < 2+2+1) /* rdlen, skiplen, 1byteroot */ 1125 return; 1126 datstart += 2; 1127 query_dname_tolower(datstart); 1128 return; 1129 case LDNS_RR_TYPE_SIG: 1130 /* downcase the RRSIG, compat with BIND (kept it from SIG) */ 1131 case LDNS_RR_TYPE_RRSIG: 1132 /* skip fixed part */ 1133 if(len < 2+18+1) 1134 return; 1135 datstart += 18; 1136 query_dname_tolower(datstart); 1137 return; 1138 case LDNS_RR_TYPE_PX: 1139 /* skip, then two names after another */ 1140 if(len < 2+2+1) 1141 return; 1142 datstart += 2; 1143 query_dname_tolower(datstart); 1144 query_dname_tolower(datstart + 1145 dname_valid(datstart, len-2-2)); 1146 return; 1147 case LDNS_RR_TYPE_NAPTR: 1148 if(len < 2+4) 1149 return; 1150 len -= 2+4; 1151 datstart += 4; 1152 if(len < (size_t)datstart[0]+1) /* skip text field */ 1153 return; 1154 len -= (size_t)datstart[0]+1; 1155 datstart += (size_t)datstart[0]+1; 1156 if(len < (size_t)datstart[0]+1) /* skip text field */ 1157 return; 1158 len -= (size_t)datstart[0]+1; 1159 datstart += (size_t)datstart[0]+1; 1160 if(len < (size_t)datstart[0]+1) /* skip text field */ 1161 return; 1162 len -= (size_t)datstart[0]+1; 1163 datstart += (size_t)datstart[0]+1; 1164 if(len < 1) /* check name is at least 1 byte*/ 1165 return; 1166 query_dname_tolower(datstart); 1167 return; 1168 case LDNS_RR_TYPE_SRV: 1169 /* skip fixed part */ 1170 if(len < 2+6+1) 1171 return; 1172 datstart += 6; 1173 query_dname_tolower(datstart); 1174 return; 1175 1176 /* do not canonicalize NSEC rdata name, compat with 1177 * from bind 9.4 signer, where it does not do so */ 1178 case LDNS_RR_TYPE_NSEC: /* type starts with the name */ 1179 case LDNS_RR_TYPE_HINFO: /* not downcased */ 1180 /* A6 not supported */ 1181 default: 1182 /* nothing to do for unknown types */ 1183 return; 1184 } 1185 } 1186 1187 int rrset_canonical_equal(struct regional* region, 1188 struct ub_packed_rrset_key* k1, struct ub_packed_rrset_key* k2) 1189 { 1190 struct rbtree_type sortree1, sortree2; 1191 struct canon_rr *rrs1, *rrs2, *p1, *p2; 1192 struct packed_rrset_data* d1=(struct packed_rrset_data*)k1->entry.data; 1193 struct packed_rrset_data* d2=(struct packed_rrset_data*)k2->entry.data; 1194 struct ub_packed_rrset_key fk; 1195 struct packed_rrset_data fd; 1196 size_t flen[2]; 1197 uint8_t* fdata[2]; 1198 1199 /* basic compare */ 1200 if(k1->rk.dname_len != k2->rk.dname_len || 1201 k1->rk.flags != k2->rk.flags || 1202 k1->rk.type != k2->rk.type || 1203 k1->rk.rrset_class != k2->rk.rrset_class || 1204 query_dname_compare(k1->rk.dname, k2->rk.dname) != 0) 1205 return 0; 1206 if(d1->ttl != d2->ttl || 1207 d1->count != d2->count || 1208 d1->rrsig_count != d2->rrsig_count || 1209 d1->trust != d2->trust || 1210 d1->security != d2->security) 1211 return 0; 1212 1213 /* init */ 1214 memset(&fk, 0, sizeof(fk)); 1215 memset(&fd, 0, sizeof(fd)); 1216 fk.entry.data = &fd; 1217 fd.count = 2; 1218 fd.rr_len = flen; 1219 fd.rr_data = fdata; 1220 rbtree_init(&sortree1, &canonical_tree_compare); 1221 rbtree_init(&sortree2, &canonical_tree_compare); 1222 if(d1->count > RR_COUNT_MAX || d2->count > RR_COUNT_MAX) 1223 return 1; /* protection against integer overflow */ 1224 rrs1 = regional_alloc(region, sizeof(struct canon_rr)*d1->count); 1225 rrs2 = regional_alloc(region, sizeof(struct canon_rr)*d2->count); 1226 if(!rrs1 || !rrs2) return 1; /* alloc failure */ 1227 1228 /* sort */ 1229 canonical_sort(k1, d1, &sortree1, rrs1); 1230 canonical_sort(k2, d2, &sortree2, rrs2); 1231 1232 /* compare canonical-sorted RRs for canonical-equality */ 1233 if(sortree1.count != sortree2.count) 1234 return 0; 1235 p1 = (struct canon_rr*)rbtree_first(&sortree1); 1236 p2 = (struct canon_rr*)rbtree_first(&sortree2); 1237 while(p1 != (struct canon_rr*)RBTREE_NULL && 1238 p2 != (struct canon_rr*)RBTREE_NULL) { 1239 flen[0] = d1->rr_len[p1->rr_idx]; 1240 flen[1] = d2->rr_len[p2->rr_idx]; 1241 fdata[0] = d1->rr_data[p1->rr_idx]; 1242 fdata[1] = d2->rr_data[p2->rr_idx]; 1243 1244 if(canonical_compare(&fk, 0, 1) != 0) 1245 return 0; 1246 p1 = (struct canon_rr*)rbtree_next(&p1->node); 1247 p2 = (struct canon_rr*)rbtree_next(&p2->node); 1248 } 1249 return 1; 1250 } 1251 1252 /** 1253 * Create canonical form of rrset in the scratch buffer. 1254 * @param region: temporary region. 1255 * @param buf: the buffer to use. 1256 * @param k: the rrset to insert. 1257 * @param sig: RRSIG rdata to include. 1258 * @param siglen: RRSIG rdata len excluding signature field, but inclusive 1259 * signer name length. 1260 * @param sortree: if NULL is passed a new sorted rrset tree is built. 1261 * Otherwise it is reused. 1262 * @param section: section of packet where this rrset comes from. 1263 * @param qstate: qstate with region. 1264 * @return false on alloc error. 1265 */ 1266 static int 1267 rrset_canonical(struct regional* region, sldns_buffer* buf, 1268 struct ub_packed_rrset_key* k, uint8_t* sig, size_t siglen, 1269 struct rbtree_type** sortree, sldns_pkt_section section, 1270 struct module_qstate* qstate) 1271 { 1272 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; 1273 uint8_t* can_owner = NULL; 1274 size_t can_owner_len = 0; 1275 struct canon_rr* walk; 1276 struct canon_rr* rrs; 1277 1278 if(!*sortree) { 1279 *sortree = (struct rbtree_type*)regional_alloc(region, 1280 sizeof(rbtree_type)); 1281 if(!*sortree) 1282 return 0; 1283 if(d->count > RR_COUNT_MAX) 1284 return 0; /* integer overflow protection */ 1285 rrs = regional_alloc(region, sizeof(struct canon_rr)*d->count); 1286 if(!rrs) { 1287 *sortree = NULL; 1288 return 0; 1289 } 1290 rbtree_init(*sortree, &canonical_tree_compare); 1291 canonical_sort(k, d, *sortree, rrs); 1292 } 1293 1294 sldns_buffer_clear(buf); 1295 sldns_buffer_write(buf, sig, siglen); 1296 /* canonicalize signer name */ 1297 query_dname_tolower(sldns_buffer_begin(buf)+18); 1298 RBTREE_FOR(walk, struct canon_rr*, (*sortree)) { 1299 /* see if there is enough space left in the buffer */ 1300 if(sldns_buffer_remaining(buf) < can_owner_len + 2 + 2 + 4 1301 + d->rr_len[walk->rr_idx]) { 1302 log_err("verify: failed to canonicalize, " 1303 "rrset too big"); 1304 return 0; 1305 } 1306 /* determine canonical owner name */ 1307 if(can_owner) 1308 sldns_buffer_write(buf, can_owner, can_owner_len); 1309 else insert_can_owner(buf, k, sig, &can_owner, 1310 &can_owner_len); 1311 sldns_buffer_write(buf, &k->rk.type, 2); 1312 sldns_buffer_write(buf, &k->rk.rrset_class, 2); 1313 sldns_buffer_write(buf, sig+4, 4); 1314 sldns_buffer_write(buf, d->rr_data[walk->rr_idx], 1315 d->rr_len[walk->rr_idx]); 1316 canonicalize_rdata(buf, k, d->rr_len[walk->rr_idx]); 1317 } 1318 sldns_buffer_flip(buf); 1319 1320 /* Replace RR owner with canonical owner for NSEC records in authority 1321 * section, to prevent that a wildcard synthesized NSEC can be used in 1322 * the non-existence proves. */ 1323 if(ntohs(k->rk.type) == LDNS_RR_TYPE_NSEC && 1324 section == LDNS_SECTION_AUTHORITY && qstate) { 1325 k->rk.dname = regional_alloc_init(qstate->region, can_owner, 1326 can_owner_len); 1327 if(!k->rk.dname) 1328 return 0; 1329 k->rk.dname_len = can_owner_len; 1330 } 1331 1332 1333 return 1; 1334 } 1335 1336 int 1337 rrset_canonicalize_to_buffer(struct regional* region, sldns_buffer* buf, 1338 struct ub_packed_rrset_key* k) 1339 { 1340 struct rbtree_type* sortree = NULL; 1341 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; 1342 uint8_t* can_owner = NULL; 1343 size_t can_owner_len = 0; 1344 struct canon_rr* walk; 1345 struct canon_rr* rrs; 1346 1347 sortree = (struct rbtree_type*)regional_alloc(region, 1348 sizeof(rbtree_type)); 1349 if(!sortree) 1350 return 0; 1351 if(d->count > RR_COUNT_MAX) 1352 return 0; /* integer overflow protection */ 1353 rrs = regional_alloc(region, sizeof(struct canon_rr)*d->count); 1354 if(!rrs) { 1355 return 0; 1356 } 1357 rbtree_init(sortree, &canonical_tree_compare); 1358 canonical_sort(k, d, sortree, rrs); 1359 1360 sldns_buffer_clear(buf); 1361 RBTREE_FOR(walk, struct canon_rr*, sortree) { 1362 /* see if there is enough space left in the buffer */ 1363 if(sldns_buffer_remaining(buf) < can_owner_len + 2 + 2 + 4 1364 + d->rr_len[walk->rr_idx]) { 1365 log_err("verify: failed to canonicalize, " 1366 "rrset too big"); 1367 return 0; 1368 } 1369 /* determine canonical owner name */ 1370 if(can_owner) 1371 sldns_buffer_write(buf, can_owner, can_owner_len); 1372 else { 1373 can_owner = sldns_buffer_current(buf); 1374 sldns_buffer_write(buf, k->rk.dname, k->rk.dname_len); 1375 query_dname_tolower(can_owner); 1376 can_owner_len = k->rk.dname_len; 1377 } 1378 sldns_buffer_write(buf, &k->rk.type, 2); 1379 sldns_buffer_write(buf, &k->rk.rrset_class, 2); 1380 sldns_buffer_write_u32(buf, d->rr_ttl[walk->rr_idx]); 1381 sldns_buffer_write(buf, d->rr_data[walk->rr_idx], 1382 d->rr_len[walk->rr_idx]); 1383 canonicalize_rdata(buf, k, d->rr_len[walk->rr_idx]); 1384 } 1385 sldns_buffer_flip(buf); 1386 return 1; 1387 } 1388 1389 /** pretty print rrsig error with dates */ 1390 static void 1391 sigdate_error(const char* str, int32_t expi, int32_t incep, int32_t now) 1392 { 1393 struct tm tm; 1394 char expi_buf[16]; 1395 char incep_buf[16]; 1396 char now_buf[16]; 1397 time_t te, ti, tn; 1398 1399 if(verbosity < VERB_QUERY) 1400 return; 1401 te = (time_t)expi; 1402 ti = (time_t)incep; 1403 tn = (time_t)now; 1404 memset(&tm, 0, sizeof(tm)); 1405 if(gmtime_r(&te, &tm) && strftime(expi_buf, 15, "%Y%m%d%H%M%S", &tm) 1406 &&gmtime_r(&ti, &tm) && strftime(incep_buf, 15, "%Y%m%d%H%M%S", &tm) 1407 &&gmtime_r(&tn, &tm) && strftime(now_buf, 15, "%Y%m%d%H%M%S", &tm)) { 1408 log_info("%s expi=%s incep=%s now=%s", str, expi_buf, 1409 incep_buf, now_buf); 1410 } else 1411 log_info("%s expi=%u incep=%u now=%u", str, (unsigned)expi, 1412 (unsigned)incep, (unsigned)now); 1413 } 1414 1415 /** check rrsig dates */ 1416 static int 1417 check_dates(struct val_env* ve, uint32_t unow, uint8_t* expi_p, 1418 uint8_t* incep_p, char** reason, sldns_ede_code *reason_bogus) 1419 { 1420 /* read out the dates */ 1421 uint32_t expi, incep, now; 1422 memmove(&expi, expi_p, sizeof(expi)); 1423 memmove(&incep, incep_p, sizeof(incep)); 1424 expi = ntohl(expi); 1425 incep = ntohl(incep); 1426 1427 /* get current date */ 1428 if(ve->date_override) { 1429 if(ve->date_override == -1) { 1430 verbose(VERB_ALGO, "date override: ignore date"); 1431 return 1; 1432 } 1433 now = ve->date_override; 1434 verbose(VERB_ALGO, "date override option %d", (int)now); 1435 } else now = unow; 1436 1437 /* check them */ 1438 if(compare_1982(incep, expi) > 0) { 1439 sigdate_error("verify: inception after expiration, " 1440 "signature bad", expi, incep, now); 1441 *reason = "signature inception after expiration"; 1442 if(reason_bogus){ 1443 /* from RFC8914 on Signature Not Yet Valid: The resolver 1444 * attempted to perform DNSSEC validation, but no 1445 * signatures are presently valid and at least some are 1446 * not yet valid. */ 1447 *reason_bogus = LDNS_EDE_SIGNATURE_NOT_YET_VALID; 1448 } 1449 1450 return 0; 1451 } 1452 if(compare_1982(incep, now) > 0) { 1453 /* within skew ? (calc here to avoid calculation normally) */ 1454 uint32_t skew = subtract_1982(incep, expi)/10; 1455 if(skew < (uint32_t)ve->skew_min) skew = ve->skew_min; 1456 if(skew > (uint32_t)ve->skew_max) skew = ve->skew_max; 1457 if(subtract_1982(now, incep) > skew) { 1458 sigdate_error("verify: signature bad, current time is" 1459 " before inception date", expi, incep, now); 1460 *reason = "signature before inception date"; 1461 if(reason_bogus) 1462 *reason_bogus = LDNS_EDE_SIGNATURE_NOT_YET_VALID; 1463 return 0; 1464 } 1465 sigdate_error("verify warning suspicious signature inception " 1466 " or bad local clock", expi, incep, now); 1467 } 1468 if(compare_1982(now, expi) > 0) { 1469 uint32_t skew = subtract_1982(incep, expi)/10; 1470 if(skew < (uint32_t)ve->skew_min) skew = ve->skew_min; 1471 if(skew > (uint32_t)ve->skew_max) skew = ve->skew_max; 1472 if(subtract_1982(expi, now) > skew) { 1473 sigdate_error("verify: signature expired", expi, 1474 incep, now); 1475 *reason = "signature expired"; 1476 if(reason_bogus) 1477 *reason_bogus = LDNS_EDE_SIGNATURE_EXPIRED; 1478 return 0; 1479 } 1480 sigdate_error("verify warning suspicious signature expiration " 1481 " or bad local clock", expi, incep, now); 1482 } 1483 return 1; 1484 } 1485 1486 /** adjust rrset TTL for verified rrset, compare to original TTL and expi */ 1487 static void 1488 adjust_ttl(struct val_env* ve, uint32_t unow, 1489 struct ub_packed_rrset_key* rrset, uint8_t* orig_p, 1490 uint8_t* expi_p, uint8_t* incep_p) 1491 { 1492 struct packed_rrset_data* d = 1493 (struct packed_rrset_data*)rrset->entry.data; 1494 /* read out the dates */ 1495 int32_t origttl, expittl, expi, incep, now; 1496 memmove(&origttl, orig_p, sizeof(origttl)); 1497 memmove(&expi, expi_p, sizeof(expi)); 1498 memmove(&incep, incep_p, sizeof(incep)); 1499 expi = ntohl(expi); 1500 incep = ntohl(incep); 1501 origttl = ntohl(origttl); 1502 1503 /* get current date */ 1504 if(ve->date_override) { 1505 now = ve->date_override; 1506 } else now = (int32_t)unow; 1507 expittl = (int32_t)((uint32_t)expi - (uint32_t)now); 1508 1509 /* so now: 1510 * d->ttl: rrset ttl read from message or cache. May be reduced 1511 * origttl: original TTL from signature, authoritative TTL max. 1512 * MIN_TTL: minimum TTL from config. 1513 * expittl: TTL until the signature expires. 1514 * 1515 * Use the smallest of these, but don't let origttl set the TTL 1516 * below the minimum. 1517 */ 1518 if(MIN_TTL > (time_t)origttl && d->ttl > MIN_TTL) { 1519 verbose(VERB_QUERY, "rrset TTL larger than original and minimum" 1520 " TTL, adjusting TTL downwards to minimum ttl"); 1521 d->ttl = MIN_TTL; 1522 } 1523 else if(MIN_TTL <= origttl && d->ttl > (time_t)origttl) { 1524 verbose(VERB_QUERY, "rrset TTL larger than original TTL, " 1525 "adjusting TTL downwards to original ttl"); 1526 d->ttl = origttl; 1527 } 1528 1529 if(expittl > 0 && d->ttl > (time_t)expittl) { 1530 verbose(VERB_ALGO, "rrset TTL larger than sig expiration ttl," 1531 " adjusting TTL downwards"); 1532 d->ttl = expittl; 1533 } 1534 } 1535 1536 enum sec_status 1537 dnskey_verify_rrset_sig(struct regional* region, sldns_buffer* buf, 1538 struct val_env* ve, time_t now, 1539 struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, 1540 size_t dnskey_idx, size_t sig_idx, 1541 struct rbtree_type** sortree, int* buf_canon, 1542 char** reason, sldns_ede_code *reason_bogus, 1543 sldns_pkt_section section, struct module_qstate* qstate) 1544 { 1545 enum sec_status sec; 1546 uint8_t* sig; /* RRSIG rdata */ 1547 size_t siglen; 1548 size_t rrnum = rrset_get_count(rrset); 1549 uint8_t* signer; /* rrsig signer name */ 1550 size_t signer_len; 1551 unsigned char* sigblock; /* signature rdata field */ 1552 unsigned int sigblock_len; 1553 uint16_t ktag; /* DNSKEY key tag */ 1554 unsigned char* key; /* public key rdata field */ 1555 unsigned int keylen; 1556 rrset_get_rdata(rrset, rrnum + sig_idx, &sig, &siglen); 1557 /* min length of rdatalen, fixed rrsig, root signer, 1 byte sig */ 1558 if(siglen < 2+20) { 1559 verbose(VERB_QUERY, "verify: signature too short"); 1560 *reason = "signature too short"; 1561 if(reason_bogus) 1562 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 1563 return sec_status_bogus; 1564 } 1565 1566 if(!(dnskey_get_flags(dnskey, dnskey_idx) & DNSKEY_BIT_ZSK)) { 1567 verbose(VERB_QUERY, "verify: dnskey without ZSK flag"); 1568 *reason = "dnskey without ZSK flag"; 1569 if(reason_bogus) 1570 *reason_bogus = LDNS_EDE_NO_ZONE_KEY_BIT_SET; 1571 return sec_status_bogus; 1572 } 1573 1574 if(dnskey_get_protocol(dnskey, dnskey_idx) != LDNS_DNSSEC_KEYPROTO) { 1575 /* RFC 4034 says DNSKEY PROTOCOL MUST be 3 */ 1576 verbose(VERB_QUERY, "verify: dnskey has wrong key protocol"); 1577 *reason = "dnskey has wrong protocolnumber"; 1578 if(reason_bogus) 1579 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 1580 return sec_status_bogus; 1581 } 1582 1583 /* verify as many fields in rrsig as possible */ 1584 signer = sig+2+18; 1585 signer_len = dname_valid(signer, siglen-2-18); 1586 if(!signer_len) { 1587 verbose(VERB_QUERY, "verify: malformed signer name"); 1588 *reason = "signer name malformed"; 1589 if(reason_bogus) 1590 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 1591 return sec_status_bogus; /* signer name invalid */ 1592 } 1593 if(!dname_subdomain_c(rrset->rk.dname, signer)) { 1594 verbose(VERB_QUERY, "verify: signer name is off-tree"); 1595 *reason = "signer name off-tree"; 1596 if(reason_bogus) 1597 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 1598 return sec_status_bogus; /* signer name offtree */ 1599 } 1600 sigblock = (unsigned char*)signer+signer_len; 1601 if(siglen < 2+18+signer_len+1) { 1602 verbose(VERB_QUERY, "verify: too short, no signature data"); 1603 *reason = "signature too short, no signature data"; 1604 if(reason_bogus) 1605 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 1606 return sec_status_bogus; /* sig rdf is < 1 byte */ 1607 } 1608 sigblock_len = (unsigned int)(siglen - 2 - 18 - signer_len); 1609 1610 /* verify key dname == sig signer name */ 1611 if(query_dname_compare(signer, dnskey->rk.dname) != 0) { 1612 verbose(VERB_QUERY, "verify: wrong key for rrsig"); 1613 log_nametypeclass(VERB_QUERY, "RRSIG signername is", 1614 signer, 0, 0); 1615 log_nametypeclass(VERB_QUERY, "the key name is", 1616 dnskey->rk.dname, 0, 0); 1617 *reason = "signer name mismatches key name"; 1618 if(reason_bogus) 1619 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 1620 return sec_status_bogus; 1621 } 1622 1623 /* verify covered type */ 1624 /* memcmp works because type is in network format for rrset */ 1625 if(memcmp(sig+2, &rrset->rk.type, 2) != 0) { 1626 verbose(VERB_QUERY, "verify: wrong type covered"); 1627 *reason = "signature covers wrong type"; 1628 if(reason_bogus) 1629 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 1630 return sec_status_bogus; 1631 } 1632 /* verify keytag and sig algo (possibly again) */ 1633 if((int)sig[2+2] != dnskey_get_algo(dnskey, dnskey_idx)) { 1634 verbose(VERB_QUERY, "verify: wrong algorithm"); 1635 *reason = "signature has wrong algorithm"; 1636 if(reason_bogus) 1637 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 1638 return sec_status_bogus; 1639 } 1640 ktag = htons(dnskey_calc_keytag(dnskey, dnskey_idx)); 1641 if(memcmp(sig+2+16, &ktag, 2) != 0) { 1642 verbose(VERB_QUERY, "verify: wrong keytag"); 1643 *reason = "signature has wrong keytag"; 1644 if(reason_bogus) 1645 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 1646 return sec_status_bogus; 1647 } 1648 1649 /* verify labels is in a valid range */ 1650 if((int)sig[2+3] > dname_signame_label_count(rrset->rk.dname)) { 1651 verbose(VERB_QUERY, "verify: labelcount out of range"); 1652 *reason = "signature labelcount out of range"; 1653 if(reason_bogus) 1654 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 1655 return sec_status_bogus; 1656 } 1657 1658 /* original ttl, always ok */ 1659 1660 if(!*buf_canon) { 1661 /* create rrset canonical format in buffer, ready for 1662 * signature */ 1663 if(!rrset_canonical(region, buf, rrset, sig+2, 1664 18 + signer_len, sortree, section, qstate)) { 1665 log_err("verify: failed due to alloc error"); 1666 return sec_status_unchecked; 1667 } 1668 *buf_canon = 1; 1669 } 1670 1671 /* check that dnskey is available */ 1672 dnskey_get_pubkey(dnskey, dnskey_idx, &key, &keylen); 1673 if(!key) { 1674 verbose(VERB_QUERY, "verify: short DNSKEY RR"); 1675 return sec_status_unchecked; 1676 } 1677 1678 /* verify */ 1679 sec = verify_canonrrset(buf, (int)sig[2+2], 1680 sigblock, sigblock_len, key, keylen, reason); 1681 1682 /* count validation operation */ 1683 if(qstate && qstate->env && qstate->env->mesh) 1684 qstate->env->mesh->val_ops++; 1685 1686 if(sec == sec_status_secure) { 1687 /* check if TTL is too high - reduce if so */ 1688 adjust_ttl(ve, now, rrset, sig+2+4, sig+2+8, sig+2+12); 1689 1690 /* verify inception, expiration dates 1691 * Do this last so that if you ignore expired-sigs the 1692 * rest is sure to be OK. */ 1693 if(!check_dates(ve, now, sig+2+8, sig+2+12, 1694 reason, reason_bogus)) { 1695 return sec_status_bogus; 1696 } 1697 } 1698 1699 return sec; 1700 } 1701