1 /* 2 * validator/val_sigcrypt.c - validator signature crypto functions. 3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains helper functions for the validator module. 40 * The functions help with signature verification and checking, the 41 * bridging between RR wireformat data and crypto calls. 42 */ 43 #include "config.h" 44 #include "validator/val_sigcrypt.h" 45 #include "validator/val_secalgo.h" 46 #include "validator/validator.h" 47 #include "util/data/msgreply.h" 48 #include "util/data/msgparse.h" 49 #include "util/data/dname.h" 50 #include "util/rbtree.h" 51 #include "util/rfc_1982.h" 52 #include "util/module.h" 53 #include "util/net_help.h" 54 #include "util/regional.h" 55 #include "util/config_file.h" 56 #include "sldns/keyraw.h" 57 #include "sldns/sbuffer.h" 58 #include "sldns/parseutil.h" 59 #include "sldns/wire2str.h" 60 61 #include <ctype.h> 62 #if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE) 63 #error "Need crypto library to do digital signature cryptography" 64 #endif 65 66 #ifdef HAVE_OPENSSL_ERR_H 67 #include <openssl/err.h> 68 #endif 69 70 #ifdef HAVE_OPENSSL_RAND_H 71 #include <openssl/rand.h> 72 #endif 73 74 #ifdef HAVE_OPENSSL_CONF_H 75 #include <openssl/conf.h> 76 #endif 77 78 #ifdef HAVE_OPENSSL_ENGINE_H 79 #include <openssl/engine.h> 80 #endif 81 82 /** Maximum number of RRSIG validations for an RRset. */ 83 #define MAX_VALIDATE_RRSIGS 8 84 85 /** return number of rrs in an rrset */ 86 static size_t 87 rrset_get_count(struct ub_packed_rrset_key* rrset) 88 { 89 struct packed_rrset_data* d = (struct packed_rrset_data*) 90 rrset->entry.data; 91 if(!d) return 0; 92 return d->count; 93 } 94 95 /** 96 * Get RR signature count 97 */ 98 static size_t 99 rrset_get_sigcount(struct ub_packed_rrset_key* k) 100 { 101 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; 102 return d->rrsig_count; 103 } 104 105 /** 106 * Get signature keytag value 107 * @param k: rrset (with signatures) 108 * @param sig_idx: signature index. 109 * @return keytag or 0 if malformed rrsig. 110 */ 111 static uint16_t 112 rrset_get_sig_keytag(struct ub_packed_rrset_key* k, size_t sig_idx) 113 { 114 uint16_t t; 115 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; 116 log_assert(sig_idx < d->rrsig_count); 117 if(d->rr_len[d->count + sig_idx] < 2+18) 118 return 0; 119 memmove(&t, d->rr_data[d->count + sig_idx]+2+16, 2); 120 return ntohs(t); 121 } 122 123 /** 124 * Get signature signing algorithm value 125 * @param k: rrset (with signatures) 126 * @param sig_idx: signature index. 127 * @return algo or 0 if malformed rrsig. 128 */ 129 static int 130 rrset_get_sig_algo(struct ub_packed_rrset_key* k, size_t sig_idx) 131 { 132 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; 133 log_assert(sig_idx < d->rrsig_count); 134 if(d->rr_len[d->count + sig_idx] < 2+3) 135 return 0; 136 return (int)d->rr_data[d->count + sig_idx][2+2]; 137 } 138 139 /** get rdata pointer and size */ 140 static void 141 rrset_get_rdata(struct ub_packed_rrset_key* k, size_t idx, uint8_t** rdata, 142 size_t* len) 143 { 144 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; 145 log_assert(d && idx < (d->count + d->rrsig_count)); 146 *rdata = d->rr_data[idx]; 147 *len = d->rr_len[idx]; 148 } 149 150 uint16_t 151 dnskey_get_flags(struct ub_packed_rrset_key* k, size_t idx) 152 { 153 uint8_t* rdata; 154 size_t len; 155 uint16_t f; 156 rrset_get_rdata(k, idx, &rdata, &len); 157 if(len < 2+2) 158 return 0; 159 memmove(&f, rdata+2, 2); 160 f = ntohs(f); 161 return f; 162 } 163 164 /** 165 * Get DNSKEY protocol value from rdata 166 * @param k: DNSKEY rrset. 167 * @param idx: which key. 168 * @return protocol octet value 169 */ 170 static int 171 dnskey_get_protocol(struct ub_packed_rrset_key* k, size_t idx) 172 { 173 uint8_t* rdata; 174 size_t len; 175 rrset_get_rdata(k, idx, &rdata, &len); 176 if(len < 2+4) 177 return 0; 178 return (int)rdata[2+2]; 179 } 180 181 int 182 dnskey_get_algo(struct ub_packed_rrset_key* k, size_t idx) 183 { 184 uint8_t* rdata; 185 size_t len; 186 rrset_get_rdata(k, idx, &rdata, &len); 187 if(len < 2+4) 188 return 0; 189 return (int)rdata[2+3]; 190 } 191 192 /** get public key rdata field from a dnskey RR and do some checks */ 193 static void 194 dnskey_get_pubkey(struct ub_packed_rrset_key* k, size_t idx, 195 unsigned char** pk, unsigned int* pklen) 196 { 197 uint8_t* rdata; 198 size_t len; 199 rrset_get_rdata(k, idx, &rdata, &len); 200 if(len < 2+5) { 201 *pk = NULL; 202 *pklen = 0; 203 return; 204 } 205 *pk = (unsigned char*)rdata+2+4; 206 *pklen = (unsigned)len-2-4; 207 } 208 209 int 210 ds_get_key_algo(struct ub_packed_rrset_key* k, size_t idx) 211 { 212 uint8_t* rdata; 213 size_t len; 214 rrset_get_rdata(k, idx, &rdata, &len); 215 if(len < 2+3) 216 return 0; 217 return (int)rdata[2+2]; 218 } 219 220 int 221 ds_get_digest_algo(struct ub_packed_rrset_key* k, size_t idx) 222 { 223 uint8_t* rdata; 224 size_t len; 225 rrset_get_rdata(k, idx, &rdata, &len); 226 if(len < 2+4) 227 return 0; 228 return (int)rdata[2+3]; 229 } 230 231 uint16_t 232 ds_get_keytag(struct ub_packed_rrset_key* ds_rrset, size_t ds_idx) 233 { 234 uint16_t t; 235 uint8_t* rdata; 236 size_t len; 237 rrset_get_rdata(ds_rrset, ds_idx, &rdata, &len); 238 if(len < 2+2) 239 return 0; 240 memmove(&t, rdata+2, 2); 241 return ntohs(t); 242 } 243 244 /** 245 * Return pointer to the digest in a DS RR. 246 * @param k: DS rrset. 247 * @param idx: which DS. 248 * @param digest: digest data is returned. 249 * on error, this is NULL. 250 * @param len: length of digest is returned. 251 * on error, the length is 0. 252 */ 253 static void 254 ds_get_sigdata(struct ub_packed_rrset_key* k, size_t idx, uint8_t** digest, 255 size_t* len) 256 { 257 uint8_t* rdata; 258 size_t rdlen; 259 rrset_get_rdata(k, idx, &rdata, &rdlen); 260 if(rdlen < 2+5) { 261 *digest = NULL; 262 *len = 0; 263 return; 264 } 265 *digest = rdata + 2 + 4; 266 *len = rdlen - 2 - 4; 267 } 268 269 /** 270 * Return size of DS digest according to its hash algorithm. 271 * @param k: DS rrset. 272 * @param idx: which DS. 273 * @return size in bytes of digest, or 0 if not supported. 274 */ 275 static size_t 276 ds_digest_size_algo(struct ub_packed_rrset_key* k, size_t idx) 277 { 278 return ds_digest_size_supported(ds_get_digest_algo(k, idx)); 279 } 280 281 /** 282 * Create a DS digest for a DNSKEY entry. 283 * 284 * @param env: module environment. Uses scratch space. 285 * @param dnskey_rrset: DNSKEY rrset. 286 * @param dnskey_idx: index of RR in rrset. 287 * @param ds_rrset: DS rrset 288 * @param ds_idx: index of RR in DS rrset. 289 * @param digest: digest is returned in here (must be correctly sized). 290 * @return false on error. 291 */ 292 static int 293 ds_create_dnskey_digest(struct module_env* env, 294 struct ub_packed_rrset_key* dnskey_rrset, size_t dnskey_idx, 295 struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, 296 uint8_t* digest) 297 { 298 sldns_buffer* b = env->scratch_buffer; 299 uint8_t* dnskey_rdata; 300 size_t dnskey_len; 301 rrset_get_rdata(dnskey_rrset, dnskey_idx, &dnskey_rdata, &dnskey_len); 302 303 /* create digest source material in buffer 304 * digest = digest_algorithm( DNSKEY owner name | DNSKEY RDATA); 305 * DNSKEY RDATA = Flags | Protocol | Algorithm | Public Key. */ 306 sldns_buffer_clear(b); 307 sldns_buffer_write(b, dnskey_rrset->rk.dname, 308 dnskey_rrset->rk.dname_len); 309 query_dname_tolower(sldns_buffer_begin(b)); 310 sldns_buffer_write(b, dnskey_rdata+2, dnskey_len-2); /* skip rdatalen*/ 311 sldns_buffer_flip(b); 312 313 return secalgo_ds_digest(ds_get_digest_algo(ds_rrset, ds_idx), 314 (unsigned char*)sldns_buffer_begin(b), sldns_buffer_limit(b), 315 (unsigned char*)digest); 316 } 317 318 int ds_digest_match_dnskey(struct module_env* env, 319 struct ub_packed_rrset_key* dnskey_rrset, size_t dnskey_idx, 320 struct ub_packed_rrset_key* ds_rrset, size_t ds_idx) 321 { 322 uint8_t* ds; /* DS digest */ 323 size_t dslen; 324 uint8_t* digest; /* generated digest */ 325 size_t digestlen = ds_digest_size_algo(ds_rrset, ds_idx); 326 327 if(digestlen == 0) { 328 verbose(VERB_QUERY, "DS fail: not supported, or DS RR " 329 "format error"); 330 return 0; /* not supported, or DS RR format error */ 331 } 332 #ifndef USE_SHA1 333 if(fake_sha1 && ds_get_digest_algo(ds_rrset, ds_idx)==LDNS_SHA1) 334 return 1; 335 #endif 336 337 /* check digest length in DS with length from hash function */ 338 ds_get_sigdata(ds_rrset, ds_idx, &ds, &dslen); 339 if(!ds || dslen != digestlen) { 340 verbose(VERB_QUERY, "DS fail: DS RR algo and digest do not " 341 "match each other"); 342 return 0; /* DS algorithm and digest do not match */ 343 } 344 345 digest = regional_alloc(env->scratch, digestlen); 346 if(!digest) { 347 verbose(VERB_QUERY, "DS fail: out of memory"); 348 return 0; /* mem error */ 349 } 350 if(!ds_create_dnskey_digest(env, dnskey_rrset, dnskey_idx, ds_rrset, 351 ds_idx, digest)) { 352 verbose(VERB_QUERY, "DS fail: could not calc key digest"); 353 return 0; /* digest algo failed */ 354 } 355 if(memcmp(digest, ds, dslen) != 0) { 356 verbose(VERB_QUERY, "DS fail: digest is different"); 357 return 0; /* digest different */ 358 } 359 return 1; 360 } 361 362 int 363 ds_digest_algo_is_supported(struct ub_packed_rrset_key* ds_rrset, 364 size_t ds_idx) 365 { 366 return (ds_digest_size_algo(ds_rrset, ds_idx) != 0); 367 } 368 369 int 370 ds_key_algo_is_supported(struct ub_packed_rrset_key* ds_rrset, 371 size_t ds_idx) 372 { 373 return dnskey_algo_id_is_supported(ds_get_key_algo(ds_rrset, ds_idx)); 374 } 375 376 uint16_t 377 dnskey_calc_keytag(struct ub_packed_rrset_key* dnskey_rrset, size_t dnskey_idx) 378 { 379 uint8_t* data; 380 size_t len; 381 rrset_get_rdata(dnskey_rrset, dnskey_idx, &data, &len); 382 /* do not pass rdatalen to ldns */ 383 return sldns_calc_keytag_raw(data+2, len-2); 384 } 385 386 int dnskey_algo_is_supported(struct ub_packed_rrset_key* dnskey_rrset, 387 size_t dnskey_idx) 388 { 389 return dnskey_algo_id_is_supported(dnskey_get_algo(dnskey_rrset, 390 dnskey_idx)); 391 } 392 393 int dnskey_size_is_supported(struct ub_packed_rrset_key* dnskey_rrset, 394 size_t dnskey_idx) 395 { 396 #ifdef DEPRECATE_RSA_1024 397 uint8_t* rdata; 398 size_t len; 399 int alg = dnskey_get_algo(dnskey_rrset, dnskey_idx); 400 size_t keysize; 401 402 rrset_get_rdata(dnskey_rrset, dnskey_idx, &rdata, &len); 403 if(len < 2+4) 404 return 0; 405 keysize = sldns_rr_dnskey_key_size_raw(rdata+2+4, len-2-4, alg); 406 407 switch((sldns_algorithm)alg) { 408 case LDNS_RSAMD5: 409 case LDNS_RSASHA1: 410 case LDNS_RSASHA1_NSEC3: 411 case LDNS_RSASHA256: 412 case LDNS_RSASHA512: 413 /* reject RSA keys of 1024 bits and shorter */ 414 if(keysize <= 1024) 415 return 0; 416 break; 417 default: 418 break; 419 } 420 #else 421 (void)dnskey_rrset; (void)dnskey_idx; 422 #endif /* DEPRECATE_RSA_1024 */ 423 return 1; 424 } 425 426 int dnskeyset_size_is_supported(struct ub_packed_rrset_key* dnskey_rrset) 427 { 428 size_t i, num = rrset_get_count(dnskey_rrset); 429 for(i=0; i<num; i++) { 430 if(!dnskey_size_is_supported(dnskey_rrset, i)) 431 return 0; 432 } 433 return 1; 434 } 435 436 void algo_needs_init_dnskey_add(struct algo_needs* n, 437 struct ub_packed_rrset_key* dnskey, uint8_t* sigalg) 438 { 439 uint8_t algo; 440 size_t i, total = n->num; 441 size_t num = rrset_get_count(dnskey); 442 443 for(i=0; i<num; i++) { 444 algo = (uint8_t)dnskey_get_algo(dnskey, i); 445 if(!dnskey_algo_id_is_supported((int)algo)) 446 continue; 447 if(n->needs[algo] == 0) { 448 n->needs[algo] = 1; 449 sigalg[total] = algo; 450 total++; 451 } 452 } 453 sigalg[total] = 0; 454 n->num = total; 455 } 456 457 void algo_needs_init_list(struct algo_needs* n, uint8_t* sigalg) 458 { 459 uint8_t algo; 460 size_t total = 0; 461 462 memset(n->needs, 0, sizeof(uint8_t)*ALGO_NEEDS_MAX); 463 while( (algo=*sigalg++) != 0) { 464 log_assert(dnskey_algo_id_is_supported((int)algo)); 465 log_assert(n->needs[algo] == 0); 466 n->needs[algo] = 1; 467 total++; 468 } 469 n->num = total; 470 } 471 472 void algo_needs_init_ds(struct algo_needs* n, struct ub_packed_rrset_key* ds, 473 int fav_ds_algo, uint8_t* sigalg) 474 { 475 uint8_t algo; 476 size_t i, total = 0; 477 size_t num = rrset_get_count(ds); 478 479 memset(n->needs, 0, sizeof(uint8_t)*ALGO_NEEDS_MAX); 480 for(i=0; i<num; i++) { 481 if(ds_get_digest_algo(ds, i) != fav_ds_algo) 482 continue; 483 algo = (uint8_t)ds_get_key_algo(ds, i); 484 if(!dnskey_algo_id_is_supported((int)algo)) 485 continue; 486 log_assert(algo != 0); /* we do not support 0 and is EOS */ 487 if(n->needs[algo] == 0) { 488 n->needs[algo] = 1; 489 sigalg[total] = algo; 490 total++; 491 } 492 } 493 sigalg[total] = 0; 494 n->num = total; 495 } 496 497 int algo_needs_set_secure(struct algo_needs* n, uint8_t algo) 498 { 499 if(n->needs[algo]) { 500 n->needs[algo] = 0; 501 n->num --; 502 if(n->num == 0) /* done! */ 503 return 1; 504 } 505 return 0; 506 } 507 508 void algo_needs_set_bogus(struct algo_needs* n, uint8_t algo) 509 { 510 if(n->needs[algo]) n->needs[algo] = 2; /* need it, but bogus */ 511 } 512 513 size_t algo_needs_num_missing(struct algo_needs* n) 514 { 515 return n->num; 516 } 517 518 int algo_needs_missing(struct algo_needs* n) 519 { 520 int i, miss = -1; 521 /* check if a needed algo was bogus - report that; 522 * check the first missing algo - report that; 523 * or return 0 */ 524 for(i=0; i<ALGO_NEEDS_MAX; i++) { 525 if(n->needs[i] == 2) 526 return 0; 527 if(n->needs[i] == 1 && miss == -1) 528 miss = i; 529 } 530 if(miss != -1) return miss; 531 return 0; 532 } 533 534 /** 535 * verify rrset, with dnskey rrset, for a specific rrsig in rrset 536 * @param env: module environment, scratch space is used. 537 * @param ve: validator environment, date settings. 538 * @param now: current time for validation (can be overridden). 539 * @param rrset: to be validated. 540 * @param dnskey: DNSKEY rrset, keyset to try. 541 * @param sig_idx: which signature to try to validate. 542 * @param sortree: reused sorted order. Stored in region. Pass NULL at start, 543 * and for a new rrset. 544 * @param reason: if bogus, a string returned, fixed or alloced in scratch. 545 * @param reason_bogus: EDE (RFC8914) code paired with the reason of failure. 546 * @param section: section of packet where this rrset comes from. 547 * @param qstate: qstate with region. 548 * @param numverified: incremented when the number of RRSIG validations 549 * increases. 550 * @return secure if any key signs *this* signature. bogus if no key signs it, 551 * unchecked on error, or indeterminate if all keys are not supported by 552 * the crypto library (openssl3+ only). 553 */ 554 static enum sec_status 555 dnskeyset_verify_rrset_sig(struct module_env* env, struct val_env* ve, 556 time_t now, struct ub_packed_rrset_key* rrset, 557 struct ub_packed_rrset_key* dnskey, size_t sig_idx, 558 struct rbtree_type** sortree, 559 char** reason, sldns_ede_code *reason_bogus, 560 sldns_pkt_section section, struct module_qstate* qstate, 561 int* numverified) 562 { 563 /* find matching keys and check them */ 564 enum sec_status sec = sec_status_bogus; 565 uint16_t tag = rrset_get_sig_keytag(rrset, sig_idx); 566 int algo = rrset_get_sig_algo(rrset, sig_idx); 567 size_t i, num = rrset_get_count(dnskey); 568 size_t numchecked = 0; 569 size_t numindeterminate = 0; 570 int buf_canon = 0; 571 verbose(VERB_ALGO, "verify sig %d %d", (int)tag, algo); 572 if(!dnskey_algo_id_is_supported(algo)) { 573 if(reason_bogus) 574 *reason_bogus = LDNS_EDE_UNSUPPORTED_DNSKEY_ALG; 575 verbose(VERB_QUERY, "verify sig: unknown algorithm"); 576 return sec_status_insecure; 577 } 578 579 for(i=0; i<num; i++) { 580 /* see if key matches keytag and algo */ 581 if(algo != dnskey_get_algo(dnskey, i) || 582 tag != dnskey_calc_keytag(dnskey, i)) 583 continue; 584 numchecked ++; 585 (*numverified)++; 586 587 /* see if key verifies */ 588 sec = dnskey_verify_rrset_sig(env->scratch, 589 env->scratch_buffer, ve, now, rrset, dnskey, i, 590 sig_idx, sortree, &buf_canon, reason, reason_bogus, 591 section, qstate); 592 if(sec == sec_status_secure) 593 return sec; 594 else if(sec == sec_status_indeterminate) 595 numindeterminate ++; 596 if(*numverified > MAX_VALIDATE_RRSIGS) { 597 *reason = "too many RRSIG validations"; 598 if(reason_bogus) 599 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 600 verbose(VERB_ALGO, "verify sig: too many RRSIG validations"); 601 return sec_status_bogus; 602 } 603 } 604 if(numchecked == 0) { 605 *reason = "signatures from unknown keys"; 606 if(reason_bogus) 607 *reason_bogus = LDNS_EDE_DNSKEY_MISSING; 608 verbose(VERB_QUERY, "verify: could not find appropriate key"); 609 return sec_status_bogus; 610 } 611 if(numindeterminate == numchecked) { 612 *reason = "unsupported algorithm by crypto library"; 613 if(reason_bogus) 614 *reason_bogus = LDNS_EDE_UNSUPPORTED_DNSKEY_ALG; 615 verbose(VERB_ALGO, "verify sig: unsupported algorithm by " 616 "crypto library"); 617 return sec_status_indeterminate; 618 } 619 return sec_status_bogus; 620 } 621 622 enum sec_status 623 dnskeyset_verify_rrset(struct module_env* env, struct val_env* ve, 624 struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, 625 uint8_t* sigalg, char** reason, sldns_ede_code *reason_bogus, 626 sldns_pkt_section section, struct module_qstate* qstate, int* verified) 627 { 628 enum sec_status sec; 629 size_t i, num; 630 rbtree_type* sortree = NULL; 631 /* make sure that for all DNSKEY algorithms there are valid sigs */ 632 struct algo_needs needs; 633 int alg; 634 *verified = 0; 635 636 num = rrset_get_sigcount(rrset); 637 if(num == 0) { 638 verbose(VERB_QUERY, "rrset failed to verify due to a lack of " 639 "signatures"); 640 *reason = "no signatures"; 641 if(reason_bogus) 642 *reason_bogus = LDNS_EDE_RRSIGS_MISSING; 643 return sec_status_bogus; 644 } 645 646 if(sigalg) { 647 algo_needs_init_list(&needs, sigalg); 648 if(algo_needs_num_missing(&needs) == 0) { 649 verbose(VERB_QUERY, "zone has no known algorithms"); 650 *reason = "zone has no known algorithms"; 651 if(reason_bogus) 652 *reason_bogus = LDNS_EDE_UNSUPPORTED_DNSKEY_ALG; 653 return sec_status_insecure; 654 } 655 } 656 for(i=0; i<num; i++) { 657 sec = dnskeyset_verify_rrset_sig(env, ve, *env->now, rrset, 658 dnskey, i, &sortree, reason, reason_bogus, 659 section, qstate, verified); 660 /* see which algorithm has been fixed up */ 661 if(sec == sec_status_secure) { 662 if(!sigalg) 663 return sec; /* done! */ 664 else if(algo_needs_set_secure(&needs, 665 (uint8_t)rrset_get_sig_algo(rrset, i))) 666 return sec; /* done! */ 667 } else if(sigalg && sec == sec_status_bogus) { 668 algo_needs_set_bogus(&needs, 669 (uint8_t)rrset_get_sig_algo(rrset, i)); 670 } 671 if(*verified > MAX_VALIDATE_RRSIGS) { 672 verbose(VERB_QUERY, "rrset failed to verify, too many RRSIG validations"); 673 *reason = "too many RRSIG validations"; 674 if(reason_bogus) 675 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 676 return sec_status_bogus; 677 } 678 } 679 if(sigalg && (alg=algo_needs_missing(&needs)) != 0) { 680 verbose(VERB_ALGO, "rrset failed to verify: " 681 "no valid signatures for %d algorithms", 682 (int)algo_needs_num_missing(&needs)); 683 algo_needs_reason(env, alg, reason, "no signatures"); 684 } else { 685 verbose(VERB_ALGO, "rrset failed to verify: " 686 "no valid signatures"); 687 } 688 return sec_status_bogus; 689 } 690 691 void algo_needs_reason(struct module_env* env, int alg, char** reason, char* s) 692 { 693 char buf[256]; 694 sldns_lookup_table *t = sldns_lookup_by_id(sldns_algorithms, alg); 695 if(t&&t->name) 696 snprintf(buf, sizeof(buf), "%s with algorithm %s", s, t->name); 697 else snprintf(buf, sizeof(buf), "%s with algorithm ALG%u", s, 698 (unsigned)alg); 699 *reason = regional_strdup(env->scratch, buf); 700 if(!*reason) 701 *reason = s; 702 } 703 704 enum sec_status 705 dnskey_verify_rrset(struct module_env* env, struct val_env* ve, 706 struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, 707 size_t dnskey_idx, char** reason, sldns_ede_code *reason_bogus, 708 sldns_pkt_section section, struct module_qstate* qstate) 709 { 710 enum sec_status sec; 711 size_t i, num, numchecked = 0, numindeterminate = 0; 712 rbtree_type* sortree = NULL; 713 int buf_canon = 0; 714 uint16_t tag = dnskey_calc_keytag(dnskey, dnskey_idx); 715 int algo = dnskey_get_algo(dnskey, dnskey_idx); 716 int numverified = 0; 717 718 num = rrset_get_sigcount(rrset); 719 if(num == 0) { 720 verbose(VERB_QUERY, "rrset failed to verify due to a lack of " 721 "signatures"); 722 *reason = "no signatures"; 723 if(reason_bogus) 724 *reason_bogus = LDNS_EDE_RRSIGS_MISSING; 725 return sec_status_bogus; 726 } 727 for(i=0; i<num; i++) { 728 /* see if sig matches keytag and algo */ 729 if(algo != rrset_get_sig_algo(rrset, i) || 730 tag != rrset_get_sig_keytag(rrset, i)) 731 continue; 732 buf_canon = 0; 733 sec = dnskey_verify_rrset_sig(env->scratch, 734 env->scratch_buffer, ve, *env->now, rrset, 735 dnskey, dnskey_idx, i, &sortree, &buf_canon, reason, 736 reason_bogus, section, qstate); 737 if(sec == sec_status_secure) 738 return sec; 739 numchecked ++; 740 numverified ++; 741 if(sec == sec_status_indeterminate) 742 numindeterminate ++; 743 if(numverified > MAX_VALIDATE_RRSIGS) { 744 verbose(VERB_QUERY, "rrset failed to verify, too many RRSIG validations"); 745 *reason = "too many RRSIG validations"; 746 if(reason_bogus) 747 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 748 return sec_status_bogus; 749 } 750 } 751 if(!numchecked) { 752 *reason = "signature for expected key and algorithm missing"; 753 if(reason_bogus) 754 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 755 } else if(numchecked == numindeterminate) { 756 verbose(VERB_ALGO, "rrset failed to verify due to algorithm " 757 "refusal by cryptolib"); 758 if(reason_bogus) 759 *reason_bogus = LDNS_EDE_UNSUPPORTED_DNSKEY_ALG; 760 *reason = "algorithm refused by cryptolib"; 761 return sec_status_indeterminate; 762 } 763 verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus"); 764 return sec_status_bogus; 765 } 766 767 /** 768 * RR entries in a canonical sorted tree of RRs 769 */ 770 struct canon_rr { 771 /** rbtree node, key is this structure */ 772 rbnode_type node; 773 /** rrset the RR is in */ 774 struct ub_packed_rrset_key* rrset; 775 /** which RR in the rrset */ 776 size_t rr_idx; 777 }; 778 779 /** 780 * Compare two RR for canonical order, in a field-style sweep. 781 * @param d: rrset data 782 * @param desc: ldns wireformat descriptor. 783 * @param i: first RR to compare 784 * @param j: first RR to compare 785 * @return comparison code. 786 */ 787 static int 788 canonical_compare_byfield(struct packed_rrset_data* d, 789 const sldns_rr_descriptor* desc, size_t i, size_t j) 790 { 791 /* sweep across rdata, keep track of some state: 792 * which rr field, and bytes left in field. 793 * current position in rdata, length left. 794 * are we in a dname, length left in a label. 795 */ 796 int wfi = -1; /* current wireformat rdata field (rdf) */ 797 int wfj = -1; 798 uint8_t* di = d->rr_data[i]+2; /* ptr to current rdata byte */ 799 uint8_t* dj = d->rr_data[j]+2; 800 size_t ilen = d->rr_len[i]-2; /* length left in rdata */ 801 size_t jlen = d->rr_len[j]-2; 802 int dname_i = 0; /* true if these bytes are part of a name */ 803 int dname_j = 0; 804 size_t lablen_i = 0; /* 0 for label length byte,for first byte of rdf*/ 805 size_t lablen_j = 0; /* otherwise remaining length of rdf or label */ 806 int dname_num_i = (int)desc->_dname_count; /* decreased at root label */ 807 int dname_num_j = (int)desc->_dname_count; 808 809 /* loop while there are rdata bytes available for both rrs, 810 * and still some lowercasing needs to be done; either the dnames 811 * have not been reached yet, or they are currently being processed */ 812 while(ilen > 0 && jlen > 0 && (dname_num_i > 0 || dname_num_j > 0)) { 813 /* compare these two bytes */ 814 /* lowercase if in a dname and not a label length byte */ 815 if( ((dname_i && lablen_i)?(uint8_t)tolower((int)*di):*di) 816 != ((dname_j && lablen_j)?(uint8_t)tolower((int)*dj):*dj) 817 ) { 818 if(((dname_i && lablen_i)?(uint8_t)tolower((int)*di):*di) 819 < ((dname_j && lablen_j)?(uint8_t)tolower((int)*dj):*dj)) 820 return -1; 821 return 1; 822 } 823 ilen--; 824 jlen--; 825 /* bytes are equal */ 826 827 /* advance field i */ 828 /* lablen 0 means that this byte is the first byte of the 829 * next rdata field; inspect this rdata field and setup 830 * to process the rest of this rdata field. 831 * The reason to first read the byte, then setup the rdf, 832 * is that we are then sure the byte is available and short 833 * rdata is handled gracefully (even if it is a formerr). */ 834 if(lablen_i == 0) { 835 if(dname_i) { 836 /* scan this dname label */ 837 /* capture length to lowercase */ 838 lablen_i = (size_t)*di; 839 if(lablen_i == 0) { 840 /* end root label */ 841 dname_i = 0; 842 dname_num_i--; 843 /* if dname num is 0, then the 844 * remainder is binary only */ 845 if(dname_num_i == 0) 846 lablen_i = ilen; 847 } 848 } else { 849 /* scan this rdata field */ 850 wfi++; 851 if(desc->_wireformat[wfi] 852 == LDNS_RDF_TYPE_DNAME) { 853 dname_i = 1; 854 lablen_i = (size_t)*di; 855 if(lablen_i == 0) { 856 dname_i = 0; 857 dname_num_i--; 858 if(dname_num_i == 0) 859 lablen_i = ilen; 860 } 861 } else if(desc->_wireformat[wfi] 862 == LDNS_RDF_TYPE_STR) 863 lablen_i = (size_t)*di; 864 else lablen_i = get_rdf_size( 865 desc->_wireformat[wfi]) - 1; 866 } 867 } else lablen_i--; 868 869 /* advance field j; same as for i */ 870 if(lablen_j == 0) { 871 if(dname_j) { 872 lablen_j = (size_t)*dj; 873 if(lablen_j == 0) { 874 dname_j = 0; 875 dname_num_j--; 876 if(dname_num_j == 0) 877 lablen_j = jlen; 878 } 879 } else { 880 wfj++; 881 if(desc->_wireformat[wfj] 882 == LDNS_RDF_TYPE_DNAME) { 883 dname_j = 1; 884 lablen_j = (size_t)*dj; 885 if(lablen_j == 0) { 886 dname_j = 0; 887 dname_num_j--; 888 if(dname_num_j == 0) 889 lablen_j = jlen; 890 } 891 } else if(desc->_wireformat[wfj] 892 == LDNS_RDF_TYPE_STR) 893 lablen_j = (size_t)*dj; 894 else lablen_j = get_rdf_size( 895 desc->_wireformat[wfj]) - 1; 896 } 897 } else lablen_j--; 898 di++; 899 dj++; 900 } 901 /* end of the loop; because we advanced byte by byte; now we have 902 * that the rdata has ended, or that there is a binary remainder */ 903 /* shortest first */ 904 if(ilen == 0 && jlen == 0) 905 return 0; 906 if(ilen == 0) 907 return -1; 908 if(jlen == 0) 909 return 1; 910 /* binary remainder, capture comparison in wfi variable */ 911 if((wfi = memcmp(di, dj, (ilen<jlen)?ilen:jlen)) != 0) 912 return wfi; 913 if(ilen < jlen) 914 return -1; 915 if(jlen < ilen) 916 return 1; 917 return 0; 918 } 919 920 /** 921 * Compare two RRs in the same RRset and determine their relative 922 * canonical order. 923 * @param rrset: the rrset in which to perform compares. 924 * @param i: first RR to compare 925 * @param j: first RR to compare 926 * @return 0 if RR i== RR j, -1 if <, +1 if >. 927 */ 928 static int 929 canonical_compare(struct ub_packed_rrset_key* rrset, size_t i, size_t j) 930 { 931 struct packed_rrset_data* d = (struct packed_rrset_data*) 932 rrset->entry.data; 933 const sldns_rr_descriptor* desc; 934 uint16_t type = ntohs(rrset->rk.type); 935 size_t minlen; 936 int c; 937 938 if(i==j) 939 return 0; 940 941 switch(type) { 942 /* These RR types have only a name as RDATA. 943 * This name has to be canonicalized.*/ 944 case LDNS_RR_TYPE_NS: 945 case LDNS_RR_TYPE_MD: 946 case LDNS_RR_TYPE_MF: 947 case LDNS_RR_TYPE_CNAME: 948 case LDNS_RR_TYPE_MB: 949 case LDNS_RR_TYPE_MG: 950 case LDNS_RR_TYPE_MR: 951 case LDNS_RR_TYPE_PTR: 952 case LDNS_RR_TYPE_DNAME: 953 /* the wireread function has already checked these 954 * dname's for correctness, and this double checks */ 955 if(!dname_valid(d->rr_data[i]+2, d->rr_len[i]-2) || 956 !dname_valid(d->rr_data[j]+2, d->rr_len[j]-2)) 957 return 0; 958 return query_dname_compare(d->rr_data[i]+2, 959 d->rr_data[j]+2); 960 961 /* These RR types have STR and fixed size rdata fields 962 * before one or more name fields that need canonicalizing, 963 * and after that a byte-for byte remainder can be compared. 964 */ 965 /* type starts with the name; remainder is binary compared */ 966 case LDNS_RR_TYPE_NXT: 967 /* use rdata field formats */ 968 case LDNS_RR_TYPE_MINFO: 969 case LDNS_RR_TYPE_RP: 970 case LDNS_RR_TYPE_SOA: 971 case LDNS_RR_TYPE_RT: 972 case LDNS_RR_TYPE_AFSDB: 973 case LDNS_RR_TYPE_KX: 974 case LDNS_RR_TYPE_MX: 975 case LDNS_RR_TYPE_SIG: 976 /* RRSIG signer name has to be downcased */ 977 case LDNS_RR_TYPE_RRSIG: 978 case LDNS_RR_TYPE_PX: 979 case LDNS_RR_TYPE_NAPTR: 980 case LDNS_RR_TYPE_SRV: 981 desc = sldns_rr_descript(type); 982 log_assert(desc); 983 /* this holds for the types that need canonicalizing */ 984 log_assert(desc->_minimum == desc->_maximum); 985 return canonical_compare_byfield(d, desc, i, j); 986 987 case LDNS_RR_TYPE_HINFO: /* no longer downcased */ 988 case LDNS_RR_TYPE_NSEC: 989 default: 990 /* For unknown RR types, or types not listed above, 991 * no canonicalization is needed, do binary compare */ 992 /* byte for byte compare, equal means shortest first*/ 993 minlen = d->rr_len[i]-2; 994 if(minlen > d->rr_len[j]-2) 995 minlen = d->rr_len[j]-2; 996 c = memcmp(d->rr_data[i]+2, d->rr_data[j]+2, minlen); 997 if(c!=0) 998 return c; 999 /* rdata equal, shortest is first */ 1000 if(d->rr_len[i] < d->rr_len[j]) 1001 return -1; 1002 if(d->rr_len[i] > d->rr_len[j]) 1003 return 1; 1004 /* rdata equal, length equal */ 1005 break; 1006 } 1007 return 0; 1008 } 1009 1010 int 1011 canonical_tree_compare(const void* k1, const void* k2) 1012 { 1013 struct canon_rr* r1 = (struct canon_rr*)k1; 1014 struct canon_rr* r2 = (struct canon_rr*)k2; 1015 log_assert(r1->rrset == r2->rrset); 1016 return canonical_compare(r1->rrset, r1->rr_idx, r2->rr_idx); 1017 } 1018 1019 /** 1020 * Sort RRs for rrset in canonical order. 1021 * Does not actually canonicalize the RR rdatas. 1022 * Does not touch rrsigs. 1023 * @param rrset: to sort. 1024 * @param d: rrset data. 1025 * @param sortree: tree to sort into. 1026 * @param rrs: rr storage. 1027 */ 1028 static void 1029 canonical_sort(struct ub_packed_rrset_key* rrset, struct packed_rrset_data* d, 1030 rbtree_type* sortree, struct canon_rr* rrs) 1031 { 1032 size_t i; 1033 /* insert into rbtree to sort and detect duplicates */ 1034 for(i=0; i<d->count; i++) { 1035 rrs[i].node.key = &rrs[i]; 1036 rrs[i].rrset = rrset; 1037 rrs[i].rr_idx = i; 1038 if(!rbtree_insert(sortree, &rrs[i].node)) { 1039 /* this was a duplicate */ 1040 } 1041 } 1042 } 1043 1044 /** 1045 * Insert canonical owner name into buffer. 1046 * @param buf: buffer to insert into at current position. 1047 * @param k: rrset with its owner name. 1048 * @param sig: signature with signer name and label count. 1049 * must be length checked, at least 18 bytes long. 1050 * @param can_owner: position in buffer returned for future use. 1051 * @param can_owner_len: length of canonical owner name. 1052 */ 1053 static void 1054 insert_can_owner(sldns_buffer* buf, struct ub_packed_rrset_key* k, 1055 uint8_t* sig, uint8_t** can_owner, size_t* can_owner_len) 1056 { 1057 int rrsig_labels = (int)sig[3]; 1058 int fqdn_labels = dname_signame_label_count(k->rk.dname); 1059 *can_owner = sldns_buffer_current(buf); 1060 if(rrsig_labels == fqdn_labels) { 1061 /* no change */ 1062 sldns_buffer_write(buf, k->rk.dname, k->rk.dname_len); 1063 query_dname_tolower(*can_owner); 1064 *can_owner_len = k->rk.dname_len; 1065 return; 1066 } 1067 log_assert(rrsig_labels < fqdn_labels); 1068 /* *. | fqdn(rightmost rrsig_labels) */ 1069 if(rrsig_labels < fqdn_labels) { 1070 int i; 1071 uint8_t* nm = k->rk.dname; 1072 size_t len = k->rk.dname_len; 1073 /* so skip fqdn_labels-rrsig_labels */ 1074 for(i=0; i<fqdn_labels-rrsig_labels; i++) { 1075 dname_remove_label(&nm, &len); 1076 } 1077 *can_owner_len = len+2; 1078 sldns_buffer_write(buf, (uint8_t*)"\001*", 2); 1079 sldns_buffer_write(buf, nm, len); 1080 query_dname_tolower(*can_owner); 1081 } 1082 } 1083 1084 /** 1085 * Canonicalize Rdata in buffer. 1086 * @param buf: buffer at position just after the rdata. 1087 * @param rrset: rrset with type. 1088 * @param len: length of the rdata (including rdatalen uint16). 1089 */ 1090 static void 1091 canonicalize_rdata(sldns_buffer* buf, struct ub_packed_rrset_key* rrset, 1092 size_t len) 1093 { 1094 uint8_t* datstart = sldns_buffer_current(buf)-len+2; 1095 switch(ntohs(rrset->rk.type)) { 1096 case LDNS_RR_TYPE_NXT: 1097 case LDNS_RR_TYPE_NS: 1098 case LDNS_RR_TYPE_MD: 1099 case LDNS_RR_TYPE_MF: 1100 case LDNS_RR_TYPE_CNAME: 1101 case LDNS_RR_TYPE_MB: 1102 case LDNS_RR_TYPE_MG: 1103 case LDNS_RR_TYPE_MR: 1104 case LDNS_RR_TYPE_PTR: 1105 case LDNS_RR_TYPE_DNAME: 1106 /* type only has a single argument, the name */ 1107 query_dname_tolower(datstart); 1108 return; 1109 case LDNS_RR_TYPE_MINFO: 1110 case LDNS_RR_TYPE_RP: 1111 case LDNS_RR_TYPE_SOA: 1112 /* two names after another */ 1113 query_dname_tolower(datstart); 1114 query_dname_tolower(datstart + 1115 dname_valid(datstart, len-2)); 1116 return; 1117 case LDNS_RR_TYPE_RT: 1118 case LDNS_RR_TYPE_AFSDB: 1119 case LDNS_RR_TYPE_KX: 1120 case LDNS_RR_TYPE_MX: 1121 /* skip fixed part */ 1122 if(len < 2+2+1) /* rdlen, skiplen, 1byteroot */ 1123 return; 1124 datstart += 2; 1125 query_dname_tolower(datstart); 1126 return; 1127 case LDNS_RR_TYPE_SIG: 1128 /* downcase the RRSIG, compat with BIND (kept it from SIG) */ 1129 case LDNS_RR_TYPE_RRSIG: 1130 /* skip fixed part */ 1131 if(len < 2+18+1) 1132 return; 1133 datstart += 18; 1134 query_dname_tolower(datstart); 1135 return; 1136 case LDNS_RR_TYPE_PX: 1137 /* skip, then two names after another */ 1138 if(len < 2+2+1) 1139 return; 1140 datstart += 2; 1141 query_dname_tolower(datstart); 1142 query_dname_tolower(datstart + 1143 dname_valid(datstart, len-2-2)); 1144 return; 1145 case LDNS_RR_TYPE_NAPTR: 1146 if(len < 2+4) 1147 return; 1148 len -= 2+4; 1149 datstart += 4; 1150 if(len < (size_t)datstart[0]+1) /* skip text field */ 1151 return; 1152 len -= (size_t)datstart[0]+1; 1153 datstart += (size_t)datstart[0]+1; 1154 if(len < (size_t)datstart[0]+1) /* skip text field */ 1155 return; 1156 len -= (size_t)datstart[0]+1; 1157 datstart += (size_t)datstart[0]+1; 1158 if(len < (size_t)datstart[0]+1) /* skip text field */ 1159 return; 1160 len -= (size_t)datstart[0]+1; 1161 datstart += (size_t)datstart[0]+1; 1162 if(len < 1) /* check name is at least 1 byte*/ 1163 return; 1164 query_dname_tolower(datstart); 1165 return; 1166 case LDNS_RR_TYPE_SRV: 1167 /* skip fixed part */ 1168 if(len < 2+6+1) 1169 return; 1170 datstart += 6; 1171 query_dname_tolower(datstart); 1172 return; 1173 1174 /* do not canonicalize NSEC rdata name, compat with 1175 * from bind 9.4 signer, where it does not do so */ 1176 case LDNS_RR_TYPE_NSEC: /* type starts with the name */ 1177 case LDNS_RR_TYPE_HINFO: /* not downcased */ 1178 /* A6 not supported */ 1179 default: 1180 /* nothing to do for unknown types */ 1181 return; 1182 } 1183 } 1184 1185 int rrset_canonical_equal(struct regional* region, 1186 struct ub_packed_rrset_key* k1, struct ub_packed_rrset_key* k2) 1187 { 1188 struct rbtree_type sortree1, sortree2; 1189 struct canon_rr *rrs1, *rrs2, *p1, *p2; 1190 struct packed_rrset_data* d1=(struct packed_rrset_data*)k1->entry.data; 1191 struct packed_rrset_data* d2=(struct packed_rrset_data*)k2->entry.data; 1192 struct ub_packed_rrset_key fk; 1193 struct packed_rrset_data fd; 1194 size_t flen[2]; 1195 uint8_t* fdata[2]; 1196 1197 /* basic compare */ 1198 if(k1->rk.dname_len != k2->rk.dname_len || 1199 k1->rk.flags != k2->rk.flags || 1200 k1->rk.type != k2->rk.type || 1201 k1->rk.rrset_class != k2->rk.rrset_class || 1202 query_dname_compare(k1->rk.dname, k2->rk.dname) != 0) 1203 return 0; 1204 if(d1->ttl != d2->ttl || 1205 d1->count != d2->count || 1206 d1->rrsig_count != d2->rrsig_count || 1207 d1->trust != d2->trust || 1208 d1->security != d2->security) 1209 return 0; 1210 1211 /* init */ 1212 memset(&fk, 0, sizeof(fk)); 1213 memset(&fd, 0, sizeof(fd)); 1214 fk.entry.data = &fd; 1215 fd.count = 2; 1216 fd.rr_len = flen; 1217 fd.rr_data = fdata; 1218 rbtree_init(&sortree1, &canonical_tree_compare); 1219 rbtree_init(&sortree2, &canonical_tree_compare); 1220 if(d1->count > RR_COUNT_MAX || d2->count > RR_COUNT_MAX) 1221 return 1; /* protection against integer overflow */ 1222 rrs1 = regional_alloc(region, sizeof(struct canon_rr)*d1->count); 1223 rrs2 = regional_alloc(region, sizeof(struct canon_rr)*d2->count); 1224 if(!rrs1 || !rrs2) return 1; /* alloc failure */ 1225 1226 /* sort */ 1227 canonical_sort(k1, d1, &sortree1, rrs1); 1228 canonical_sort(k2, d2, &sortree2, rrs2); 1229 1230 /* compare canonical-sorted RRs for canonical-equality */ 1231 if(sortree1.count != sortree2.count) 1232 return 0; 1233 p1 = (struct canon_rr*)rbtree_first(&sortree1); 1234 p2 = (struct canon_rr*)rbtree_first(&sortree2); 1235 while(p1 != (struct canon_rr*)RBTREE_NULL && 1236 p2 != (struct canon_rr*)RBTREE_NULL) { 1237 flen[0] = d1->rr_len[p1->rr_idx]; 1238 flen[1] = d2->rr_len[p2->rr_idx]; 1239 fdata[0] = d1->rr_data[p1->rr_idx]; 1240 fdata[1] = d2->rr_data[p2->rr_idx]; 1241 1242 if(canonical_compare(&fk, 0, 1) != 0) 1243 return 0; 1244 p1 = (struct canon_rr*)rbtree_next(&p1->node); 1245 p2 = (struct canon_rr*)rbtree_next(&p2->node); 1246 } 1247 return 1; 1248 } 1249 1250 /** 1251 * Create canonical form of rrset in the scratch buffer. 1252 * @param region: temporary region. 1253 * @param buf: the buffer to use. 1254 * @param k: the rrset to insert. 1255 * @param sig: RRSIG rdata to include. 1256 * @param siglen: RRSIG rdata len excluding signature field, but inclusive 1257 * signer name length. 1258 * @param sortree: if NULL is passed a new sorted rrset tree is built. 1259 * Otherwise it is reused. 1260 * @param section: section of packet where this rrset comes from. 1261 * @param qstate: qstate with region. 1262 * @return false on alloc error. 1263 */ 1264 static int 1265 rrset_canonical(struct regional* region, sldns_buffer* buf, 1266 struct ub_packed_rrset_key* k, uint8_t* sig, size_t siglen, 1267 struct rbtree_type** sortree, sldns_pkt_section section, 1268 struct module_qstate* qstate) 1269 { 1270 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; 1271 uint8_t* can_owner = NULL; 1272 size_t can_owner_len = 0; 1273 struct canon_rr* walk; 1274 struct canon_rr* rrs; 1275 1276 if(!*sortree) { 1277 *sortree = (struct rbtree_type*)regional_alloc(region, 1278 sizeof(rbtree_type)); 1279 if(!*sortree) 1280 return 0; 1281 if(d->count > RR_COUNT_MAX) 1282 return 0; /* integer overflow protection */ 1283 rrs = regional_alloc(region, sizeof(struct canon_rr)*d->count); 1284 if(!rrs) { 1285 *sortree = NULL; 1286 return 0; 1287 } 1288 rbtree_init(*sortree, &canonical_tree_compare); 1289 canonical_sort(k, d, *sortree, rrs); 1290 } 1291 1292 sldns_buffer_clear(buf); 1293 sldns_buffer_write(buf, sig, siglen); 1294 /* canonicalize signer name */ 1295 query_dname_tolower(sldns_buffer_begin(buf)+18); 1296 RBTREE_FOR(walk, struct canon_rr*, (*sortree)) { 1297 /* see if there is enough space left in the buffer */ 1298 if(sldns_buffer_remaining(buf) < can_owner_len + 2 + 2 + 4 1299 + d->rr_len[walk->rr_idx]) { 1300 log_err("verify: failed to canonicalize, " 1301 "rrset too big"); 1302 return 0; 1303 } 1304 /* determine canonical owner name */ 1305 if(can_owner) 1306 sldns_buffer_write(buf, can_owner, can_owner_len); 1307 else insert_can_owner(buf, k, sig, &can_owner, 1308 &can_owner_len); 1309 sldns_buffer_write(buf, &k->rk.type, 2); 1310 sldns_buffer_write(buf, &k->rk.rrset_class, 2); 1311 sldns_buffer_write(buf, sig+4, 4); 1312 sldns_buffer_write(buf, d->rr_data[walk->rr_idx], 1313 d->rr_len[walk->rr_idx]); 1314 canonicalize_rdata(buf, k, d->rr_len[walk->rr_idx]); 1315 } 1316 sldns_buffer_flip(buf); 1317 1318 /* Replace RR owner with canonical owner for NSEC records in authority 1319 * section, to prevent that a wildcard synthesized NSEC can be used in 1320 * the non-existence proves. */ 1321 if(ntohs(k->rk.type) == LDNS_RR_TYPE_NSEC && 1322 section == LDNS_SECTION_AUTHORITY && qstate) { 1323 k->rk.dname = regional_alloc_init(qstate->region, can_owner, 1324 can_owner_len); 1325 if(!k->rk.dname) 1326 return 0; 1327 k->rk.dname_len = can_owner_len; 1328 } 1329 1330 1331 return 1; 1332 } 1333 1334 int 1335 rrset_canonicalize_to_buffer(struct regional* region, sldns_buffer* buf, 1336 struct ub_packed_rrset_key* k) 1337 { 1338 struct rbtree_type* sortree = NULL; 1339 struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; 1340 uint8_t* can_owner = NULL; 1341 size_t can_owner_len = 0; 1342 struct canon_rr* walk; 1343 struct canon_rr* rrs; 1344 1345 sortree = (struct rbtree_type*)regional_alloc(region, 1346 sizeof(rbtree_type)); 1347 if(!sortree) 1348 return 0; 1349 if(d->count > RR_COUNT_MAX) 1350 return 0; /* integer overflow protection */ 1351 rrs = regional_alloc(region, sizeof(struct canon_rr)*d->count); 1352 if(!rrs) { 1353 return 0; 1354 } 1355 rbtree_init(sortree, &canonical_tree_compare); 1356 canonical_sort(k, d, sortree, rrs); 1357 1358 sldns_buffer_clear(buf); 1359 RBTREE_FOR(walk, struct canon_rr*, sortree) { 1360 /* see if there is enough space left in the buffer */ 1361 if(sldns_buffer_remaining(buf) < can_owner_len + 2 + 2 + 4 1362 + d->rr_len[walk->rr_idx]) { 1363 log_err("verify: failed to canonicalize, " 1364 "rrset too big"); 1365 return 0; 1366 } 1367 /* determine canonical owner name */ 1368 if(can_owner) 1369 sldns_buffer_write(buf, can_owner, can_owner_len); 1370 else { 1371 can_owner = sldns_buffer_current(buf); 1372 sldns_buffer_write(buf, k->rk.dname, k->rk.dname_len); 1373 query_dname_tolower(can_owner); 1374 can_owner_len = k->rk.dname_len; 1375 } 1376 sldns_buffer_write(buf, &k->rk.type, 2); 1377 sldns_buffer_write(buf, &k->rk.rrset_class, 2); 1378 sldns_buffer_write_u32(buf, d->rr_ttl[walk->rr_idx]); 1379 sldns_buffer_write(buf, d->rr_data[walk->rr_idx], 1380 d->rr_len[walk->rr_idx]); 1381 canonicalize_rdata(buf, k, d->rr_len[walk->rr_idx]); 1382 } 1383 sldns_buffer_flip(buf); 1384 return 1; 1385 } 1386 1387 /** pretty print rrsig error with dates */ 1388 static void 1389 sigdate_error(const char* str, int32_t expi, int32_t incep, int32_t now) 1390 { 1391 struct tm tm; 1392 char expi_buf[16]; 1393 char incep_buf[16]; 1394 char now_buf[16]; 1395 time_t te, ti, tn; 1396 1397 if(verbosity < VERB_QUERY) 1398 return; 1399 te = (time_t)expi; 1400 ti = (time_t)incep; 1401 tn = (time_t)now; 1402 memset(&tm, 0, sizeof(tm)); 1403 if(gmtime_r(&te, &tm) && strftime(expi_buf, 15, "%Y%m%d%H%M%S", &tm) 1404 &&gmtime_r(&ti, &tm) && strftime(incep_buf, 15, "%Y%m%d%H%M%S", &tm) 1405 &&gmtime_r(&tn, &tm) && strftime(now_buf, 15, "%Y%m%d%H%M%S", &tm)) { 1406 log_info("%s expi=%s incep=%s now=%s", str, expi_buf, 1407 incep_buf, now_buf); 1408 } else 1409 log_info("%s expi=%u incep=%u now=%u", str, (unsigned)expi, 1410 (unsigned)incep, (unsigned)now); 1411 } 1412 1413 /** check rrsig dates */ 1414 static int 1415 check_dates(struct val_env* ve, uint32_t unow, uint8_t* expi_p, 1416 uint8_t* incep_p, char** reason, sldns_ede_code *reason_bogus) 1417 { 1418 /* read out the dates */ 1419 uint32_t expi, incep, now; 1420 memmove(&expi, expi_p, sizeof(expi)); 1421 memmove(&incep, incep_p, sizeof(incep)); 1422 expi = ntohl(expi); 1423 incep = ntohl(incep); 1424 1425 /* get current date */ 1426 if(ve->date_override) { 1427 if(ve->date_override == -1) { 1428 verbose(VERB_ALGO, "date override: ignore date"); 1429 return 1; 1430 } 1431 now = ve->date_override; 1432 verbose(VERB_ALGO, "date override option %d", (int)now); 1433 } else now = unow; 1434 1435 /* check them */ 1436 if(compare_1982(incep, expi) > 0) { 1437 sigdate_error("verify: inception after expiration, " 1438 "signature bad", expi, incep, now); 1439 *reason = "signature inception after expiration"; 1440 if(reason_bogus){ 1441 /* from RFC8914 on Signature Not Yet Valid: The resolver 1442 * attempted to perform DNSSEC validation, but no 1443 * signatures are presently valid and at least some are 1444 * not yet valid. */ 1445 *reason_bogus = LDNS_EDE_SIGNATURE_NOT_YET_VALID; 1446 } 1447 1448 return 0; 1449 } 1450 if(compare_1982(incep, now) > 0) { 1451 /* within skew ? (calc here to avoid calculation normally) */ 1452 uint32_t skew = subtract_1982(incep, expi)/10; 1453 if(skew < (uint32_t)ve->skew_min) skew = ve->skew_min; 1454 if(skew > (uint32_t)ve->skew_max) skew = ve->skew_max; 1455 if(subtract_1982(now, incep) > skew) { 1456 sigdate_error("verify: signature bad, current time is" 1457 " before inception date", expi, incep, now); 1458 *reason = "signature before inception date"; 1459 if(reason_bogus) 1460 *reason_bogus = LDNS_EDE_SIGNATURE_NOT_YET_VALID; 1461 return 0; 1462 } 1463 sigdate_error("verify warning suspicious signature inception " 1464 " or bad local clock", expi, incep, now); 1465 } 1466 if(compare_1982(now, expi) > 0) { 1467 uint32_t skew = subtract_1982(incep, expi)/10; 1468 if(skew < (uint32_t)ve->skew_min) skew = ve->skew_min; 1469 if(skew > (uint32_t)ve->skew_max) skew = ve->skew_max; 1470 if(subtract_1982(expi, now) > skew) { 1471 sigdate_error("verify: signature expired", expi, 1472 incep, now); 1473 *reason = "signature expired"; 1474 if(reason_bogus) 1475 *reason_bogus = LDNS_EDE_SIGNATURE_EXPIRED; 1476 return 0; 1477 } 1478 sigdate_error("verify warning suspicious signature expiration " 1479 " or bad local clock", expi, incep, now); 1480 } 1481 return 1; 1482 } 1483 1484 /** adjust rrset TTL for verified rrset, compare to original TTL and expi */ 1485 static void 1486 adjust_ttl(struct val_env* ve, uint32_t unow, 1487 struct ub_packed_rrset_key* rrset, uint8_t* orig_p, 1488 uint8_t* expi_p, uint8_t* incep_p) 1489 { 1490 struct packed_rrset_data* d = 1491 (struct packed_rrset_data*)rrset->entry.data; 1492 /* read out the dates */ 1493 int32_t origttl, expittl, expi, incep, now; 1494 memmove(&origttl, orig_p, sizeof(origttl)); 1495 memmove(&expi, expi_p, sizeof(expi)); 1496 memmove(&incep, incep_p, sizeof(incep)); 1497 expi = ntohl(expi); 1498 incep = ntohl(incep); 1499 origttl = ntohl(origttl); 1500 1501 /* get current date */ 1502 if(ve->date_override) { 1503 now = ve->date_override; 1504 } else now = (int32_t)unow; 1505 expittl = (int32_t)((uint32_t)expi - (uint32_t)now); 1506 1507 /* so now: 1508 * d->ttl: rrset ttl read from message or cache. May be reduced 1509 * origttl: original TTL from signature, authoritative TTL max. 1510 * MIN_TTL: minimum TTL from config. 1511 * expittl: TTL until the signature expires. 1512 * 1513 * Use the smallest of these, but don't let origttl set the TTL 1514 * below the minimum. 1515 */ 1516 if(MIN_TTL > (time_t)origttl && d->ttl > MIN_TTL) { 1517 verbose(VERB_QUERY, "rrset TTL larger than original and minimum" 1518 " TTL, adjusting TTL downwards to minimum ttl"); 1519 d->ttl = MIN_TTL; 1520 } 1521 else if(MIN_TTL <= origttl && d->ttl > (time_t)origttl) { 1522 verbose(VERB_QUERY, "rrset TTL larger than original TTL, " 1523 "adjusting TTL downwards to original ttl"); 1524 d->ttl = origttl; 1525 } 1526 1527 if(expittl > 0 && d->ttl > (time_t)expittl) { 1528 verbose(VERB_ALGO, "rrset TTL larger than sig expiration ttl," 1529 " adjusting TTL downwards"); 1530 d->ttl = expittl; 1531 } 1532 } 1533 1534 enum sec_status 1535 dnskey_verify_rrset_sig(struct regional* region, sldns_buffer* buf, 1536 struct val_env* ve, time_t now, 1537 struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, 1538 size_t dnskey_idx, size_t sig_idx, 1539 struct rbtree_type** sortree, int* buf_canon, 1540 char** reason, sldns_ede_code *reason_bogus, 1541 sldns_pkt_section section, struct module_qstate* qstate) 1542 { 1543 enum sec_status sec; 1544 uint8_t* sig; /* RRSIG rdata */ 1545 size_t siglen; 1546 size_t rrnum = rrset_get_count(rrset); 1547 uint8_t* signer; /* rrsig signer name */ 1548 size_t signer_len; 1549 unsigned char* sigblock; /* signature rdata field */ 1550 unsigned int sigblock_len; 1551 uint16_t ktag; /* DNSKEY key tag */ 1552 unsigned char* key; /* public key rdata field */ 1553 unsigned int keylen; 1554 rrset_get_rdata(rrset, rrnum + sig_idx, &sig, &siglen); 1555 /* min length of rdatalen, fixed rrsig, root signer, 1 byte sig */ 1556 if(siglen < 2+20) { 1557 verbose(VERB_QUERY, "verify: signature too short"); 1558 *reason = "signature too short"; 1559 if(reason_bogus) 1560 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 1561 return sec_status_bogus; 1562 } 1563 1564 if(!(dnskey_get_flags(dnskey, dnskey_idx) & DNSKEY_BIT_ZSK)) { 1565 verbose(VERB_QUERY, "verify: dnskey without ZSK flag"); 1566 *reason = "dnskey without ZSK flag"; 1567 if(reason_bogus) 1568 *reason_bogus = LDNS_EDE_NO_ZONE_KEY_BIT_SET; 1569 return sec_status_bogus; 1570 } 1571 1572 if(dnskey_get_protocol(dnskey, dnskey_idx) != LDNS_DNSSEC_KEYPROTO) { 1573 /* RFC 4034 says DNSKEY PROTOCOL MUST be 3 */ 1574 verbose(VERB_QUERY, "verify: dnskey has wrong key protocol"); 1575 *reason = "dnskey has wrong protocolnumber"; 1576 if(reason_bogus) 1577 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 1578 return sec_status_bogus; 1579 } 1580 1581 /* verify as many fields in rrsig as possible */ 1582 signer = sig+2+18; 1583 signer_len = dname_valid(signer, siglen-2-18); 1584 if(!signer_len) { 1585 verbose(VERB_QUERY, "verify: malformed signer name"); 1586 *reason = "signer name malformed"; 1587 if(reason_bogus) 1588 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 1589 return sec_status_bogus; /* signer name invalid */ 1590 } 1591 if(!dname_subdomain_c(rrset->rk.dname, signer)) { 1592 verbose(VERB_QUERY, "verify: signer name is off-tree"); 1593 *reason = "signer name off-tree"; 1594 if(reason_bogus) 1595 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 1596 return sec_status_bogus; /* signer name offtree */ 1597 } 1598 sigblock = (unsigned char*)signer+signer_len; 1599 if(siglen < 2+18+signer_len+1) { 1600 verbose(VERB_QUERY, "verify: too short, no signature data"); 1601 *reason = "signature too short, no signature data"; 1602 if(reason_bogus) 1603 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 1604 return sec_status_bogus; /* sig rdf is < 1 byte */ 1605 } 1606 sigblock_len = (unsigned int)(siglen - 2 - 18 - signer_len); 1607 1608 /* verify key dname == sig signer name */ 1609 if(query_dname_compare(signer, dnskey->rk.dname) != 0) { 1610 verbose(VERB_QUERY, "verify: wrong key for rrsig"); 1611 log_nametypeclass(VERB_QUERY, "RRSIG signername is", 1612 signer, 0, 0); 1613 log_nametypeclass(VERB_QUERY, "the key name is", 1614 dnskey->rk.dname, 0, 0); 1615 *reason = "signer name mismatches key name"; 1616 if(reason_bogus) 1617 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 1618 return sec_status_bogus; 1619 } 1620 1621 /* verify covered type */ 1622 /* memcmp works because type is in network format for rrset */ 1623 if(memcmp(sig+2, &rrset->rk.type, 2) != 0) { 1624 verbose(VERB_QUERY, "verify: wrong type covered"); 1625 *reason = "signature covers wrong type"; 1626 if(reason_bogus) 1627 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 1628 return sec_status_bogus; 1629 } 1630 /* verify keytag and sig algo (possibly again) */ 1631 if((int)sig[2+2] != dnskey_get_algo(dnskey, dnskey_idx)) { 1632 verbose(VERB_QUERY, "verify: wrong algorithm"); 1633 *reason = "signature has wrong algorithm"; 1634 if(reason_bogus) 1635 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 1636 return sec_status_bogus; 1637 } 1638 ktag = htons(dnskey_calc_keytag(dnskey, dnskey_idx)); 1639 if(memcmp(sig+2+16, &ktag, 2) != 0) { 1640 verbose(VERB_QUERY, "verify: wrong keytag"); 1641 *reason = "signature has wrong keytag"; 1642 if(reason_bogus) 1643 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 1644 return sec_status_bogus; 1645 } 1646 1647 /* verify labels is in a valid range */ 1648 if((int)sig[2+3] > dname_signame_label_count(rrset->rk.dname)) { 1649 verbose(VERB_QUERY, "verify: labelcount out of range"); 1650 *reason = "signature labelcount out of range"; 1651 if(reason_bogus) 1652 *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; 1653 return sec_status_bogus; 1654 } 1655 1656 /* original ttl, always ok */ 1657 1658 if(!*buf_canon) { 1659 /* create rrset canonical format in buffer, ready for 1660 * signature */ 1661 if(!rrset_canonical(region, buf, rrset, sig+2, 1662 18 + signer_len, sortree, section, qstate)) { 1663 log_err("verify: failed due to alloc error"); 1664 return sec_status_unchecked; 1665 } 1666 *buf_canon = 1; 1667 } 1668 1669 /* check that dnskey is available */ 1670 dnskey_get_pubkey(dnskey, dnskey_idx, &key, &keylen); 1671 if(!key) { 1672 verbose(VERB_QUERY, "verify: short DNSKEY RR"); 1673 return sec_status_unchecked; 1674 } 1675 1676 /* verify */ 1677 sec = verify_canonrrset(buf, (int)sig[2+2], 1678 sigblock, sigblock_len, key, keylen, reason); 1679 1680 if(sec == sec_status_secure) { 1681 /* check if TTL is too high - reduce if so */ 1682 adjust_ttl(ve, now, rrset, sig+2+4, sig+2+8, sig+2+12); 1683 1684 /* verify inception, expiration dates 1685 * Do this last so that if you ignore expired-sigs the 1686 * rest is sure to be OK. */ 1687 if(!check_dates(ve, now, sig+2+8, sig+2+12, 1688 reason, reason_bogus)) { 1689 return sec_status_bogus; 1690 } 1691 } 1692 1693 return sec; 1694 } 1695