xref: /freebsd/contrib/unbound/validator/val_sigcrypt.c (revision f126890ac5386406dadf7c4cfa9566cbb56537c5)
1 /*
2  * validator/val_sigcrypt.c - validator signature crypto functions.
3  *
4  * Copyright (c) 2007, NLnet Labs. All rights reserved.
5  *
6  * This software is open source.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * Redistributions of source code must retain the above copyright notice,
13  * this list of conditions and the following disclaimer.
14  *
15  * Redistributions in binary form must reproduce the above copyright notice,
16  * this list of conditions and the following disclaimer in the documentation
17  * and/or other materials provided with the distribution.
18  *
19  * Neither the name of the NLNET LABS nor the names of its contributors may
20  * be used to endorse or promote products derived from this software without
21  * specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 /**
37  * \file
38  *
39  * This file contains helper functions for the validator module.
40  * The functions help with signature verification and checking, the
41  * bridging between RR wireformat data and crypto calls.
42  */
43 #include "config.h"
44 #include "validator/val_sigcrypt.h"
45 #include "validator/val_secalgo.h"
46 #include "validator/validator.h"
47 #include "util/data/msgreply.h"
48 #include "util/data/msgparse.h"
49 #include "util/data/dname.h"
50 #include "util/rbtree.h"
51 #include "util/rfc_1982.h"
52 #include "util/module.h"
53 #include "util/net_help.h"
54 #include "util/regional.h"
55 #include "util/config_file.h"
56 #include "sldns/keyraw.h"
57 #include "sldns/sbuffer.h"
58 #include "sldns/parseutil.h"
59 #include "sldns/wire2str.h"
60 
61 #include <ctype.h>
62 #if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
63 #error "Need crypto library to do digital signature cryptography"
64 #endif
65 
66 #ifdef HAVE_OPENSSL_ERR_H
67 #include <openssl/err.h>
68 #endif
69 
70 #ifdef HAVE_OPENSSL_RAND_H
71 #include <openssl/rand.h>
72 #endif
73 
74 #ifdef HAVE_OPENSSL_CONF_H
75 #include <openssl/conf.h>
76 #endif
77 
78 #ifdef HAVE_OPENSSL_ENGINE_H
79 #include <openssl/engine.h>
80 #endif
81 
82 /** Maximum number of RRSIG validations for an RRset. */
83 #define MAX_VALIDATE_RRSIGS 8
84 
85 /** return number of rrs in an rrset */
86 static size_t
87 rrset_get_count(struct ub_packed_rrset_key* rrset)
88 {
89 	struct packed_rrset_data* d = (struct packed_rrset_data*)
90 	rrset->entry.data;
91 	if(!d) return 0;
92 	return d->count;
93 }
94 
95 /**
96  * Get RR signature count
97  */
98 static size_t
99 rrset_get_sigcount(struct ub_packed_rrset_key* k)
100 {
101 	struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data;
102 	return d->rrsig_count;
103 }
104 
105 /**
106  * Get signature keytag value
107  * @param k: rrset (with signatures)
108  * @param sig_idx: signature index.
109  * @return keytag or 0 if malformed rrsig.
110  */
111 static uint16_t
112 rrset_get_sig_keytag(struct ub_packed_rrset_key* k, size_t sig_idx)
113 {
114 	uint16_t t;
115 	struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data;
116 	log_assert(sig_idx < d->rrsig_count);
117 	if(d->rr_len[d->count + sig_idx] < 2+18)
118 		return 0;
119 	memmove(&t, d->rr_data[d->count + sig_idx]+2+16, 2);
120 	return ntohs(t);
121 }
122 
123 /**
124  * Get signature signing algorithm value
125  * @param k: rrset (with signatures)
126  * @param sig_idx: signature index.
127  * @return algo or 0 if malformed rrsig.
128  */
129 static int
130 rrset_get_sig_algo(struct ub_packed_rrset_key* k, size_t sig_idx)
131 {
132 	struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data;
133 	log_assert(sig_idx < d->rrsig_count);
134 	if(d->rr_len[d->count + sig_idx] < 2+3)
135 		return 0;
136 	return (int)d->rr_data[d->count + sig_idx][2+2];
137 }
138 
139 /** get rdata pointer and size */
140 static void
141 rrset_get_rdata(struct ub_packed_rrset_key* k, size_t idx, uint8_t** rdata,
142 	size_t* len)
143 {
144 	struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data;
145 	log_assert(d && idx < (d->count + d->rrsig_count));
146 	*rdata = d->rr_data[idx];
147 	*len = d->rr_len[idx];
148 }
149 
150 uint16_t
151 dnskey_get_flags(struct ub_packed_rrset_key* k, size_t idx)
152 {
153 	uint8_t* rdata;
154 	size_t len;
155 	uint16_t f;
156 	rrset_get_rdata(k, idx, &rdata, &len);
157 	if(len < 2+2)
158 		return 0;
159 	memmove(&f, rdata+2, 2);
160 	f = ntohs(f);
161 	return f;
162 }
163 
164 /**
165  * Get DNSKEY protocol value from rdata
166  * @param k: DNSKEY rrset.
167  * @param idx: which key.
168  * @return protocol octet value
169  */
170 static int
171 dnskey_get_protocol(struct ub_packed_rrset_key* k, size_t idx)
172 {
173 	uint8_t* rdata;
174 	size_t len;
175 	rrset_get_rdata(k, idx, &rdata, &len);
176 	if(len < 2+4)
177 		return 0;
178 	return (int)rdata[2+2];
179 }
180 
181 int
182 dnskey_get_algo(struct ub_packed_rrset_key* k, size_t idx)
183 {
184 	uint8_t* rdata;
185 	size_t len;
186 	rrset_get_rdata(k, idx, &rdata, &len);
187 	if(len < 2+4)
188 		return 0;
189 	return (int)rdata[2+3];
190 }
191 
192 /** get public key rdata field from a dnskey RR and do some checks */
193 static void
194 dnskey_get_pubkey(struct ub_packed_rrset_key* k, size_t idx,
195 	unsigned char** pk, unsigned int* pklen)
196 {
197 	uint8_t* rdata;
198 	size_t len;
199 	rrset_get_rdata(k, idx, &rdata, &len);
200 	if(len < 2+5) {
201 		*pk = NULL;
202 		*pklen = 0;
203 		return;
204 	}
205 	*pk = (unsigned char*)rdata+2+4;
206 	*pklen = (unsigned)len-2-4;
207 }
208 
209 int
210 ds_get_key_algo(struct ub_packed_rrset_key* k, size_t idx)
211 {
212 	uint8_t* rdata;
213 	size_t len;
214 	rrset_get_rdata(k, idx, &rdata, &len);
215 	if(len < 2+3)
216 		return 0;
217 	return (int)rdata[2+2];
218 }
219 
220 int
221 ds_get_digest_algo(struct ub_packed_rrset_key* k, size_t idx)
222 {
223 	uint8_t* rdata;
224 	size_t len;
225 	rrset_get_rdata(k, idx, &rdata, &len);
226 	if(len < 2+4)
227 		return 0;
228 	return (int)rdata[2+3];
229 }
230 
231 uint16_t
232 ds_get_keytag(struct ub_packed_rrset_key* ds_rrset, size_t ds_idx)
233 {
234 	uint16_t t;
235 	uint8_t* rdata;
236 	size_t len;
237 	rrset_get_rdata(ds_rrset, ds_idx, &rdata, &len);
238 	if(len < 2+2)
239 		return 0;
240 	memmove(&t, rdata+2, 2);
241 	return ntohs(t);
242 }
243 
244 /**
245  * Return pointer to the digest in a DS RR.
246  * @param k: DS rrset.
247  * @param idx: which DS.
248  * @param digest: digest data is returned.
249  *	on error, this is NULL.
250  * @param len: length of digest is returned.
251  *	on error, the length is 0.
252  */
253 static void
254 ds_get_sigdata(struct ub_packed_rrset_key* k, size_t idx, uint8_t** digest,
255         size_t* len)
256 {
257 	uint8_t* rdata;
258 	size_t rdlen;
259 	rrset_get_rdata(k, idx, &rdata, &rdlen);
260 	if(rdlen < 2+5) {
261 		*digest = NULL;
262 		*len = 0;
263 		return;
264 	}
265 	*digest = rdata + 2 + 4;
266 	*len = rdlen - 2 - 4;
267 }
268 
269 /**
270  * Return size of DS digest according to its hash algorithm.
271  * @param k: DS rrset.
272  * @param idx: which DS.
273  * @return size in bytes of digest, or 0 if not supported.
274  */
275 static size_t
276 ds_digest_size_algo(struct ub_packed_rrset_key* k, size_t idx)
277 {
278 	return ds_digest_size_supported(ds_get_digest_algo(k, idx));
279 }
280 
281 /**
282  * Create a DS digest for a DNSKEY entry.
283  *
284  * @param env: module environment. Uses scratch space.
285  * @param dnskey_rrset: DNSKEY rrset.
286  * @param dnskey_idx: index of RR in rrset.
287  * @param ds_rrset: DS rrset
288  * @param ds_idx: index of RR in DS rrset.
289  * @param digest: digest is returned in here (must be correctly sized).
290  * @return false on error.
291  */
292 static int
293 ds_create_dnskey_digest(struct module_env* env,
294 	struct ub_packed_rrset_key* dnskey_rrset, size_t dnskey_idx,
295 	struct ub_packed_rrset_key* ds_rrset, size_t ds_idx,
296 	uint8_t* digest)
297 {
298 	sldns_buffer* b = env->scratch_buffer;
299 	uint8_t* dnskey_rdata;
300 	size_t dnskey_len;
301 	rrset_get_rdata(dnskey_rrset, dnskey_idx, &dnskey_rdata, &dnskey_len);
302 
303 	/* create digest source material in buffer
304 	 * digest = digest_algorithm( DNSKEY owner name | DNSKEY RDATA);
305 	 *	DNSKEY RDATA = Flags | Protocol | Algorithm | Public Key. */
306 	sldns_buffer_clear(b);
307 	sldns_buffer_write(b, dnskey_rrset->rk.dname,
308 		dnskey_rrset->rk.dname_len);
309 	query_dname_tolower(sldns_buffer_begin(b));
310 	sldns_buffer_write(b, dnskey_rdata+2, dnskey_len-2); /* skip rdatalen*/
311 	sldns_buffer_flip(b);
312 
313 	return secalgo_ds_digest(ds_get_digest_algo(ds_rrset, ds_idx),
314 		(unsigned char*)sldns_buffer_begin(b), sldns_buffer_limit(b),
315 		(unsigned char*)digest);
316 }
317 
318 int ds_digest_match_dnskey(struct module_env* env,
319 	struct ub_packed_rrset_key* dnskey_rrset, size_t dnskey_idx,
320 	struct ub_packed_rrset_key* ds_rrset, size_t ds_idx)
321 {
322 	uint8_t* ds;	/* DS digest */
323 	size_t dslen;
324 	uint8_t* digest; /* generated digest */
325 	size_t digestlen = ds_digest_size_algo(ds_rrset, ds_idx);
326 
327 	if(digestlen == 0) {
328 		verbose(VERB_QUERY, "DS fail: not supported, or DS RR "
329 			"format error");
330 		return 0; /* not supported, or DS RR format error */
331 	}
332 #ifndef USE_SHA1
333 	if(fake_sha1 && ds_get_digest_algo(ds_rrset, ds_idx)==LDNS_SHA1)
334 		return 1;
335 #endif
336 
337 	/* check digest length in DS with length from hash function */
338 	ds_get_sigdata(ds_rrset, ds_idx, &ds, &dslen);
339 	if(!ds || dslen != digestlen) {
340 		verbose(VERB_QUERY, "DS fail: DS RR algo and digest do not "
341 			"match each other");
342 		return 0; /* DS algorithm and digest do not match */
343 	}
344 
345 	digest = regional_alloc(env->scratch, digestlen);
346 	if(!digest) {
347 		verbose(VERB_QUERY, "DS fail: out of memory");
348 		return 0; /* mem error */
349 	}
350 	if(!ds_create_dnskey_digest(env, dnskey_rrset, dnskey_idx, ds_rrset,
351 		ds_idx, digest)) {
352 		verbose(VERB_QUERY, "DS fail: could not calc key digest");
353 		return 0; /* digest algo failed */
354 	}
355 	if(memcmp(digest, ds, dslen) != 0) {
356 		verbose(VERB_QUERY, "DS fail: digest is different");
357 		return 0; /* digest different */
358 	}
359 	return 1;
360 }
361 
362 int
363 ds_digest_algo_is_supported(struct ub_packed_rrset_key* ds_rrset,
364 	size_t ds_idx)
365 {
366 	return (ds_digest_size_algo(ds_rrset, ds_idx) != 0);
367 }
368 
369 int
370 ds_key_algo_is_supported(struct ub_packed_rrset_key* ds_rrset,
371 	size_t ds_idx)
372 {
373 	return dnskey_algo_id_is_supported(ds_get_key_algo(ds_rrset, ds_idx));
374 }
375 
376 uint16_t
377 dnskey_calc_keytag(struct ub_packed_rrset_key* dnskey_rrset, size_t dnskey_idx)
378 {
379 	uint8_t* data;
380 	size_t len;
381 	rrset_get_rdata(dnskey_rrset, dnskey_idx, &data, &len);
382 	/* do not pass rdatalen to ldns */
383 	return sldns_calc_keytag_raw(data+2, len-2);
384 }
385 
386 int dnskey_algo_is_supported(struct ub_packed_rrset_key* dnskey_rrset,
387         size_t dnskey_idx)
388 {
389 	return dnskey_algo_id_is_supported(dnskey_get_algo(dnskey_rrset,
390 		dnskey_idx));
391 }
392 
393 int dnskey_size_is_supported(struct ub_packed_rrset_key* dnskey_rrset,
394 	size_t dnskey_idx)
395 {
396 #ifdef DEPRECATE_RSA_1024
397 	uint8_t* rdata;
398 	size_t len;
399 	int alg = dnskey_get_algo(dnskey_rrset, dnskey_idx);
400 	size_t keysize;
401 
402 	rrset_get_rdata(dnskey_rrset, dnskey_idx, &rdata, &len);
403 	if(len < 2+4)
404 		return 0;
405 	keysize = sldns_rr_dnskey_key_size_raw(rdata+2+4, len-2-4, alg);
406 
407 	switch((sldns_algorithm)alg) {
408 	case LDNS_RSAMD5:
409 	case LDNS_RSASHA1:
410 	case LDNS_RSASHA1_NSEC3:
411 	case LDNS_RSASHA256:
412 	case LDNS_RSASHA512:
413 		/* reject RSA keys of 1024 bits and shorter */
414 		if(keysize <= 1024)
415 			return 0;
416 		break;
417 	default:
418 		break;
419 	}
420 #else
421 	(void)dnskey_rrset; (void)dnskey_idx;
422 #endif /* DEPRECATE_RSA_1024 */
423 	return 1;
424 }
425 
426 int dnskeyset_size_is_supported(struct ub_packed_rrset_key* dnskey_rrset)
427 {
428 	size_t i, num = rrset_get_count(dnskey_rrset);
429 	for(i=0; i<num; i++) {
430 		if(!dnskey_size_is_supported(dnskey_rrset, i))
431 			return 0;
432 	}
433 	return 1;
434 }
435 
436 void algo_needs_init_dnskey_add(struct algo_needs* n,
437         struct ub_packed_rrset_key* dnskey, uint8_t* sigalg)
438 {
439 	uint8_t algo;
440 	size_t i, total = n->num;
441 	size_t num = rrset_get_count(dnskey);
442 
443 	for(i=0; i<num; i++) {
444 		algo = (uint8_t)dnskey_get_algo(dnskey, i);
445 		if(!dnskey_algo_id_is_supported((int)algo))
446 			continue;
447 		if(n->needs[algo] == 0) {
448 			n->needs[algo] = 1;
449 			sigalg[total] = algo;
450 			total++;
451 		}
452 	}
453 	sigalg[total] = 0;
454 	n->num = total;
455 }
456 
457 void algo_needs_init_list(struct algo_needs* n, uint8_t* sigalg)
458 {
459 	uint8_t algo;
460 	size_t total = 0;
461 
462 	memset(n->needs, 0, sizeof(uint8_t)*ALGO_NEEDS_MAX);
463 	while( (algo=*sigalg++) != 0) {
464 		log_assert(dnskey_algo_id_is_supported((int)algo));
465 		log_assert(n->needs[algo] == 0);
466 		n->needs[algo] = 1;
467 		total++;
468 	}
469 	n->num = total;
470 }
471 
472 void algo_needs_init_ds(struct algo_needs* n, struct ub_packed_rrset_key* ds,
473 	int fav_ds_algo, uint8_t* sigalg)
474 {
475 	uint8_t algo;
476 	size_t i, total = 0;
477 	size_t num = rrset_get_count(ds);
478 
479 	memset(n->needs, 0, sizeof(uint8_t)*ALGO_NEEDS_MAX);
480 	for(i=0; i<num; i++) {
481 		if(ds_get_digest_algo(ds, i) != fav_ds_algo)
482 			continue;
483 		algo = (uint8_t)ds_get_key_algo(ds, i);
484 		if(!dnskey_algo_id_is_supported((int)algo))
485 			continue;
486 		log_assert(algo != 0); /* we do not support 0 and is EOS */
487 		if(n->needs[algo] == 0) {
488 			n->needs[algo] = 1;
489 			sigalg[total] = algo;
490 			total++;
491 		}
492 	}
493 	sigalg[total] = 0;
494 	n->num = total;
495 }
496 
497 int algo_needs_set_secure(struct algo_needs* n, uint8_t algo)
498 {
499 	if(n->needs[algo]) {
500 		n->needs[algo] = 0;
501 		n->num --;
502 		if(n->num == 0) /* done! */
503 			return 1;
504 	}
505 	return 0;
506 }
507 
508 void algo_needs_set_bogus(struct algo_needs* n, uint8_t algo)
509 {
510 	if(n->needs[algo]) n->needs[algo] = 2; /* need it, but bogus */
511 }
512 
513 size_t algo_needs_num_missing(struct algo_needs* n)
514 {
515 	return n->num;
516 }
517 
518 int algo_needs_missing(struct algo_needs* n)
519 {
520 	int i, miss = -1;
521 	/* check if a needed algo was bogus - report that;
522 	 * check the first missing algo - report that;
523 	 * or return 0 */
524 	for(i=0; i<ALGO_NEEDS_MAX; i++) {
525 		if(n->needs[i] == 2)
526 			return 0;
527 		if(n->needs[i] == 1 && miss == -1)
528 			miss = i;
529 	}
530 	if(miss != -1) return miss;
531 	return 0;
532 }
533 
534 /**
535  * verify rrset, with dnskey rrset, for a specific rrsig in rrset
536  * @param env: module environment, scratch space is used.
537  * @param ve: validator environment, date settings.
538  * @param now: current time for validation (can be overridden).
539  * @param rrset: to be validated.
540  * @param dnskey: DNSKEY rrset, keyset to try.
541  * @param sig_idx: which signature to try to validate.
542  * @param sortree: reused sorted order. Stored in region. Pass NULL at start,
543  * 	and for a new rrset.
544  * @param reason: if bogus, a string returned, fixed or alloced in scratch.
545  * @param reason_bogus: EDE (RFC8914) code paired with the reason of failure.
546  * @param section: section of packet where this rrset comes from.
547  * @param qstate: qstate with region.
548  * @param numverified: incremented when the number of RRSIG validations
549  * 	increases.
550  * @return secure if any key signs *this* signature. bogus if no key signs it,
551  *	unchecked on error, or indeterminate if all keys are not supported by
552  *	the crypto library (openssl3+ only).
553  */
554 static enum sec_status
555 dnskeyset_verify_rrset_sig(struct module_env* env, struct val_env* ve,
556 	time_t now, struct ub_packed_rrset_key* rrset,
557 	struct ub_packed_rrset_key* dnskey, size_t sig_idx,
558 	struct rbtree_type** sortree,
559 	char** reason, sldns_ede_code *reason_bogus,
560 	sldns_pkt_section section, struct module_qstate* qstate,
561 	int* numverified)
562 {
563 	/* find matching keys and check them */
564 	enum sec_status sec = sec_status_bogus;
565 	uint16_t tag = rrset_get_sig_keytag(rrset, sig_idx);
566 	int algo = rrset_get_sig_algo(rrset, sig_idx);
567 	size_t i, num = rrset_get_count(dnskey);
568 	size_t numchecked = 0;
569 	size_t numindeterminate = 0;
570 	int buf_canon = 0;
571 	verbose(VERB_ALGO, "verify sig %d %d", (int)tag, algo);
572 	if(!dnskey_algo_id_is_supported(algo)) {
573 		if(reason_bogus)
574 			*reason_bogus = LDNS_EDE_UNSUPPORTED_DNSKEY_ALG;
575 		verbose(VERB_QUERY, "verify sig: unknown algorithm");
576 		return sec_status_insecure;
577 	}
578 
579 	for(i=0; i<num; i++) {
580 		/* see if key matches keytag and algo */
581 		if(algo != dnskey_get_algo(dnskey, i) ||
582 			tag != dnskey_calc_keytag(dnskey, i))
583 			continue;
584 		numchecked ++;
585 		(*numverified)++;
586 
587 		/* see if key verifies */
588 		sec = dnskey_verify_rrset_sig(env->scratch,
589 			env->scratch_buffer, ve, now, rrset, dnskey, i,
590 			sig_idx, sortree, &buf_canon, reason, reason_bogus,
591 			section, qstate);
592 		if(sec == sec_status_secure)
593 			return sec;
594 		else if(sec == sec_status_indeterminate)
595 			numindeterminate ++;
596 		if(*numverified > MAX_VALIDATE_RRSIGS) {
597 			*reason = "too many RRSIG validations";
598 			if(reason_bogus)
599 				*reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
600 			verbose(VERB_ALGO, "verify sig: too many RRSIG validations");
601 			return sec_status_bogus;
602 		}
603 	}
604 	if(numchecked == 0) {
605 		*reason = "signatures from unknown keys";
606 		if(reason_bogus)
607 			*reason_bogus = LDNS_EDE_DNSKEY_MISSING;
608 		verbose(VERB_QUERY, "verify: could not find appropriate key");
609 		return sec_status_bogus;
610 	}
611 	if(numindeterminate == numchecked) {
612 		*reason = "unsupported algorithm by crypto library";
613 		if(reason_bogus)
614 			*reason_bogus = LDNS_EDE_UNSUPPORTED_DNSKEY_ALG;
615 		verbose(VERB_ALGO, "verify sig: unsupported algorithm by "
616 			"crypto library");
617 		return sec_status_indeterminate;
618 	}
619 	return sec_status_bogus;
620 }
621 
622 enum sec_status
623 dnskeyset_verify_rrset(struct module_env* env, struct val_env* ve,
624 	struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey,
625 	uint8_t* sigalg, char** reason, sldns_ede_code *reason_bogus,
626 	sldns_pkt_section section, struct module_qstate* qstate, int* verified)
627 {
628 	enum sec_status sec;
629 	size_t i, num;
630 	rbtree_type* sortree = NULL;
631 	/* make sure that for all DNSKEY algorithms there are valid sigs */
632 	struct algo_needs needs;
633 	int alg;
634 	*verified = 0;
635 
636 	num = rrset_get_sigcount(rrset);
637 	if(num == 0) {
638 		verbose(VERB_QUERY, "rrset failed to verify due to a lack of "
639 			"signatures");
640 		*reason = "no signatures";
641 		if(reason_bogus)
642 			*reason_bogus = LDNS_EDE_RRSIGS_MISSING;
643 		return sec_status_bogus;
644 	}
645 
646 	if(sigalg) {
647 		algo_needs_init_list(&needs, sigalg);
648 		if(algo_needs_num_missing(&needs) == 0) {
649 			verbose(VERB_QUERY, "zone has no known algorithms");
650 			*reason = "zone has no known algorithms";
651 			if(reason_bogus)
652 				*reason_bogus = LDNS_EDE_UNSUPPORTED_DNSKEY_ALG;
653 			return sec_status_insecure;
654 		}
655 	}
656 	for(i=0; i<num; i++) {
657 		sec = dnskeyset_verify_rrset_sig(env, ve, *env->now, rrset,
658 			dnskey, i, &sortree, reason, reason_bogus,
659 			section, qstate, verified);
660 		/* see which algorithm has been fixed up */
661 		if(sec == sec_status_secure) {
662 			if(!sigalg)
663 				return sec; /* done! */
664 			else if(algo_needs_set_secure(&needs,
665 				(uint8_t)rrset_get_sig_algo(rrset, i)))
666 				return sec; /* done! */
667 		} else if(sigalg && sec == sec_status_bogus) {
668 			algo_needs_set_bogus(&needs,
669 				(uint8_t)rrset_get_sig_algo(rrset, i));
670 		}
671 		if(*verified > MAX_VALIDATE_RRSIGS) {
672 			verbose(VERB_QUERY, "rrset failed to verify, too many RRSIG validations");
673 			*reason = "too many RRSIG validations";
674 			if(reason_bogus)
675 				*reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
676 			return sec_status_bogus;
677 		}
678 	}
679 	if(sigalg && (alg=algo_needs_missing(&needs)) != 0) {
680 		verbose(VERB_ALGO, "rrset failed to verify: "
681 			"no valid signatures for %d algorithms",
682 			(int)algo_needs_num_missing(&needs));
683 		algo_needs_reason(env, alg, reason, "no signatures");
684 	} else {
685 		verbose(VERB_ALGO, "rrset failed to verify: "
686 			"no valid signatures");
687 	}
688 	return sec_status_bogus;
689 }
690 
691 void algo_needs_reason(struct module_env* env, int alg, char** reason, char* s)
692 {
693 	char buf[256];
694 	sldns_lookup_table *t = sldns_lookup_by_id(sldns_algorithms, alg);
695 	if(t&&t->name)
696 		snprintf(buf, sizeof(buf), "%s with algorithm %s", s, t->name);
697 	else	snprintf(buf, sizeof(buf), "%s with algorithm ALG%u", s,
698 			(unsigned)alg);
699 	*reason = regional_strdup(env->scratch, buf);
700 	if(!*reason)
701 		*reason = s;
702 }
703 
704 enum sec_status
705 dnskey_verify_rrset(struct module_env* env, struct val_env* ve,
706         struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey,
707 	size_t dnskey_idx, char** reason, sldns_ede_code *reason_bogus,
708 	sldns_pkt_section section, struct module_qstate* qstate)
709 {
710 	enum sec_status sec;
711 	size_t i, num, numchecked = 0, numindeterminate = 0;
712 	rbtree_type* sortree = NULL;
713 	int buf_canon = 0;
714 	uint16_t tag = dnskey_calc_keytag(dnskey, dnskey_idx);
715 	int algo = dnskey_get_algo(dnskey, dnskey_idx);
716 	int numverified = 0;
717 
718 	num = rrset_get_sigcount(rrset);
719 	if(num == 0) {
720 		verbose(VERB_QUERY, "rrset failed to verify due to a lack of "
721 			"signatures");
722 		*reason = "no signatures";
723 		if(reason_bogus)
724 			*reason_bogus = LDNS_EDE_RRSIGS_MISSING;
725 		return sec_status_bogus;
726 	}
727 	for(i=0; i<num; i++) {
728 		/* see if sig matches keytag and algo */
729 		if(algo != rrset_get_sig_algo(rrset, i) ||
730 			tag != rrset_get_sig_keytag(rrset, i))
731 			continue;
732 		buf_canon = 0;
733 		sec = dnskey_verify_rrset_sig(env->scratch,
734 			env->scratch_buffer, ve, *env->now, rrset,
735 			dnskey, dnskey_idx, i, &sortree, &buf_canon, reason,
736 			reason_bogus, section, qstate);
737 		if(sec == sec_status_secure)
738 			return sec;
739 		numchecked ++;
740 		numverified ++;
741 		if(sec == sec_status_indeterminate)
742 			numindeterminate ++;
743 		if(numverified > MAX_VALIDATE_RRSIGS) {
744 			verbose(VERB_QUERY, "rrset failed to verify, too many RRSIG validations");
745 			*reason = "too many RRSIG validations";
746 			if(reason_bogus)
747 				*reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
748 			return sec_status_bogus;
749 		}
750 	}
751 	if(!numchecked) {
752 		*reason = "signature for expected key and algorithm missing";
753 		if(reason_bogus)
754 			*reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
755 	} else if(numchecked == numindeterminate) {
756 		verbose(VERB_ALGO, "rrset failed to verify due to algorithm "
757 			"refusal by cryptolib");
758 		if(reason_bogus)
759 			*reason_bogus = LDNS_EDE_UNSUPPORTED_DNSKEY_ALG;
760 		*reason = "algorithm refused by cryptolib";
761 		return sec_status_indeterminate;
762 	}
763 	verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus");
764 	return sec_status_bogus;
765 }
766 
767 /**
768  * RR entries in a canonical sorted tree of RRs
769  */
770 struct canon_rr {
771 	/** rbtree node, key is this structure */
772 	rbnode_type node;
773 	/** rrset the RR is in */
774 	struct ub_packed_rrset_key* rrset;
775 	/** which RR in the rrset */
776 	size_t rr_idx;
777 };
778 
779 /**
780  * Compare two RR for canonical order, in a field-style sweep.
781  * @param d: rrset data
782  * @param desc: ldns wireformat descriptor.
783  * @param i: first RR to compare
784  * @param j: first RR to compare
785  * @return comparison code.
786  */
787 static int
788 canonical_compare_byfield(struct packed_rrset_data* d,
789 	const sldns_rr_descriptor* desc, size_t i, size_t j)
790 {
791 	/* sweep across rdata, keep track of some state:
792 	 * 	which rr field, and bytes left in field.
793 	 * 	current position in rdata, length left.
794 	 * 	are we in a dname, length left in a label.
795 	 */
796 	int wfi = -1;	/* current wireformat rdata field (rdf) */
797 	int wfj = -1;
798 	uint8_t* di = d->rr_data[i]+2; /* ptr to current rdata byte */
799 	uint8_t* dj = d->rr_data[j]+2;
800 	size_t ilen = d->rr_len[i]-2; /* length left in rdata */
801 	size_t jlen = d->rr_len[j]-2;
802 	int dname_i = 0;  /* true if these bytes are part of a name */
803 	int dname_j = 0;
804 	size_t lablen_i = 0; /* 0 for label length byte,for first byte of rdf*/
805 	size_t lablen_j = 0; /* otherwise remaining length of rdf or label */
806 	int dname_num_i = (int)desc->_dname_count; /* decreased at root label */
807 	int dname_num_j = (int)desc->_dname_count;
808 
809 	/* loop while there are rdata bytes available for both rrs,
810 	 * and still some lowercasing needs to be done; either the dnames
811 	 * have not been reached yet, or they are currently being processed */
812 	while(ilen > 0 && jlen > 0 && (dname_num_i > 0 || dname_num_j > 0)) {
813 		/* compare these two bytes */
814 		/* lowercase if in a dname and not a label length byte */
815 		if( ((dname_i && lablen_i)?(uint8_t)tolower((int)*di):*di)
816 		 != ((dname_j && lablen_j)?(uint8_t)tolower((int)*dj):*dj)
817 		 ) {
818 		  if(((dname_i && lablen_i)?(uint8_t)tolower((int)*di):*di)
819 		  < ((dname_j && lablen_j)?(uint8_t)tolower((int)*dj):*dj))
820 		 	return -1;
821 		    return 1;
822 		}
823 		ilen--;
824 		jlen--;
825 		/* bytes are equal */
826 
827 		/* advance field i */
828 		/* lablen 0 means that this byte is the first byte of the
829 		 * next rdata field; inspect this rdata field and setup
830 		 * to process the rest of this rdata field.
831 		 * The reason to first read the byte, then setup the rdf,
832 		 * is that we are then sure the byte is available and short
833 		 * rdata is handled gracefully (even if it is a formerr). */
834 		if(lablen_i == 0) {
835 			if(dname_i) {
836 				/* scan this dname label */
837 				/* capture length to lowercase */
838 				lablen_i = (size_t)*di;
839 				if(lablen_i == 0) {
840 					/* end root label */
841 					dname_i = 0;
842 					dname_num_i--;
843 					/* if dname num is 0, then the
844 					 * remainder is binary only */
845 					if(dname_num_i == 0)
846 						lablen_i = ilen;
847 				}
848 			} else {
849 				/* scan this rdata field */
850 				wfi++;
851 				if(desc->_wireformat[wfi]
852 					== LDNS_RDF_TYPE_DNAME) {
853 					dname_i = 1;
854 					lablen_i = (size_t)*di;
855 					if(lablen_i == 0) {
856 						dname_i = 0;
857 						dname_num_i--;
858 						if(dname_num_i == 0)
859 							lablen_i = ilen;
860 					}
861 				} else if(desc->_wireformat[wfi]
862 					== LDNS_RDF_TYPE_STR)
863 					lablen_i = (size_t)*di;
864 				else	lablen_i = get_rdf_size(
865 					desc->_wireformat[wfi]) - 1;
866 			}
867 		} else	lablen_i--;
868 
869 		/* advance field j; same as for i */
870 		if(lablen_j == 0) {
871 			if(dname_j) {
872 				lablen_j = (size_t)*dj;
873 				if(lablen_j == 0) {
874 					dname_j = 0;
875 					dname_num_j--;
876 					if(dname_num_j == 0)
877 						lablen_j = jlen;
878 				}
879 			} else {
880 				wfj++;
881 				if(desc->_wireformat[wfj]
882 					== LDNS_RDF_TYPE_DNAME) {
883 					dname_j = 1;
884 					lablen_j = (size_t)*dj;
885 					if(lablen_j == 0) {
886 						dname_j = 0;
887 						dname_num_j--;
888 						if(dname_num_j == 0)
889 							lablen_j = jlen;
890 					}
891 				} else if(desc->_wireformat[wfj]
892 					== LDNS_RDF_TYPE_STR)
893 					lablen_j = (size_t)*dj;
894 				else	lablen_j = get_rdf_size(
895 					desc->_wireformat[wfj]) - 1;
896 			}
897 		} else	lablen_j--;
898 		di++;
899 		dj++;
900 	}
901 	/* end of the loop; because we advanced byte by byte; now we have
902 	 * that the rdata has ended, or that there is a binary remainder */
903 	/* shortest first */
904 	if(ilen == 0 && jlen == 0)
905 		return 0;
906 	if(ilen == 0)
907 		return -1;
908 	if(jlen == 0)
909 		return 1;
910 	/* binary remainder, capture comparison in wfi variable */
911 	if((wfi = memcmp(di, dj, (ilen<jlen)?ilen:jlen)) != 0)
912 		return wfi;
913 	if(ilen < jlen)
914 		return -1;
915 	if(jlen < ilen)
916 		return 1;
917 	return 0;
918 }
919 
920 /**
921  * Compare two RRs in the same RRset and determine their relative
922  * canonical order.
923  * @param rrset: the rrset in which to perform compares.
924  * @param i: first RR to compare
925  * @param j: first RR to compare
926  * @return 0 if RR i== RR j, -1 if <, +1 if >.
927  */
928 static int
929 canonical_compare(struct ub_packed_rrset_key* rrset, size_t i, size_t j)
930 {
931 	struct packed_rrset_data* d = (struct packed_rrset_data*)
932 		rrset->entry.data;
933 	const sldns_rr_descriptor* desc;
934 	uint16_t type = ntohs(rrset->rk.type);
935 	size_t minlen;
936 	int c;
937 
938 	if(i==j)
939 		return 0;
940 
941 	switch(type) {
942 		/* These RR types have only a name as RDATA.
943 		 * This name has to be canonicalized.*/
944 		case LDNS_RR_TYPE_NS:
945 		case LDNS_RR_TYPE_MD:
946 		case LDNS_RR_TYPE_MF:
947 		case LDNS_RR_TYPE_CNAME:
948 		case LDNS_RR_TYPE_MB:
949 		case LDNS_RR_TYPE_MG:
950 		case LDNS_RR_TYPE_MR:
951 		case LDNS_RR_TYPE_PTR:
952 		case LDNS_RR_TYPE_DNAME:
953 			/* the wireread function has already checked these
954 			 * dname's for correctness, and this double checks */
955 			if(!dname_valid(d->rr_data[i]+2, d->rr_len[i]-2) ||
956 				!dname_valid(d->rr_data[j]+2, d->rr_len[j]-2))
957 				return 0;
958 			return query_dname_compare(d->rr_data[i]+2,
959 				d->rr_data[j]+2);
960 
961 		/* These RR types have STR and fixed size rdata fields
962 		 * before one or more name fields that need canonicalizing,
963 		 * and after that a byte-for byte remainder can be compared.
964 		 */
965 		/* type starts with the name; remainder is binary compared */
966 		case LDNS_RR_TYPE_NXT:
967 		/* use rdata field formats */
968 		case LDNS_RR_TYPE_MINFO:
969 		case LDNS_RR_TYPE_RP:
970 		case LDNS_RR_TYPE_SOA:
971 		case LDNS_RR_TYPE_RT:
972 		case LDNS_RR_TYPE_AFSDB:
973 		case LDNS_RR_TYPE_KX:
974 		case LDNS_RR_TYPE_MX:
975 		case LDNS_RR_TYPE_SIG:
976 		/* RRSIG signer name has to be downcased */
977 		case LDNS_RR_TYPE_RRSIG:
978 		case LDNS_RR_TYPE_PX:
979 		case LDNS_RR_TYPE_NAPTR:
980 		case LDNS_RR_TYPE_SRV:
981 			desc = sldns_rr_descript(type);
982 			log_assert(desc);
983 			/* this holds for the types that need canonicalizing */
984 			log_assert(desc->_minimum == desc->_maximum);
985 			return canonical_compare_byfield(d, desc, i, j);
986 
987 		case LDNS_RR_TYPE_HINFO: /* no longer downcased */
988 		case LDNS_RR_TYPE_NSEC:
989 	default:
990 		/* For unknown RR types, or types not listed above,
991 		 * no canonicalization is needed, do binary compare */
992 		/* byte for byte compare, equal means shortest first*/
993 		minlen = d->rr_len[i]-2;
994 		if(minlen > d->rr_len[j]-2)
995 			minlen = d->rr_len[j]-2;
996 		c = memcmp(d->rr_data[i]+2, d->rr_data[j]+2, minlen);
997 		if(c!=0)
998 			return c;
999 		/* rdata equal, shortest is first */
1000 		if(d->rr_len[i] < d->rr_len[j])
1001 			return -1;
1002 		if(d->rr_len[i] > d->rr_len[j])
1003 			return 1;
1004 		/* rdata equal, length equal */
1005 		break;
1006 	}
1007 	return 0;
1008 }
1009 
1010 int
1011 canonical_tree_compare(const void* k1, const void* k2)
1012 {
1013 	struct canon_rr* r1 = (struct canon_rr*)k1;
1014 	struct canon_rr* r2 = (struct canon_rr*)k2;
1015 	log_assert(r1->rrset == r2->rrset);
1016 	return canonical_compare(r1->rrset, r1->rr_idx, r2->rr_idx);
1017 }
1018 
1019 /**
1020  * Sort RRs for rrset in canonical order.
1021  * Does not actually canonicalize the RR rdatas.
1022  * Does not touch rrsigs.
1023  * @param rrset: to sort.
1024  * @param d: rrset data.
1025  * @param sortree: tree to sort into.
1026  * @param rrs: rr storage.
1027  */
1028 static void
1029 canonical_sort(struct ub_packed_rrset_key* rrset, struct packed_rrset_data* d,
1030 	rbtree_type* sortree, struct canon_rr* rrs)
1031 {
1032 	size_t i;
1033 	/* insert into rbtree to sort and detect duplicates */
1034 	for(i=0; i<d->count; i++) {
1035 		rrs[i].node.key = &rrs[i];
1036 		rrs[i].rrset = rrset;
1037 		rrs[i].rr_idx = i;
1038 		if(!rbtree_insert(sortree, &rrs[i].node)) {
1039 			/* this was a duplicate */
1040 		}
1041 	}
1042 }
1043 
1044 /**
1045  * Insert canonical owner name into buffer.
1046  * @param buf: buffer to insert into at current position.
1047  * @param k: rrset with its owner name.
1048  * @param sig: signature with signer name and label count.
1049  * 	must be length checked, at least 18 bytes long.
1050  * @param can_owner: position in buffer returned for future use.
1051  * @param can_owner_len: length of canonical owner name.
1052  */
1053 static void
1054 insert_can_owner(sldns_buffer* buf, struct ub_packed_rrset_key* k,
1055 	uint8_t* sig, uint8_t** can_owner, size_t* can_owner_len)
1056 {
1057 	int rrsig_labels = (int)sig[3];
1058 	int fqdn_labels = dname_signame_label_count(k->rk.dname);
1059 	*can_owner = sldns_buffer_current(buf);
1060 	if(rrsig_labels == fqdn_labels) {
1061 		/* no change */
1062 		sldns_buffer_write(buf, k->rk.dname, k->rk.dname_len);
1063 		query_dname_tolower(*can_owner);
1064 		*can_owner_len = k->rk.dname_len;
1065 		return;
1066 	}
1067 	log_assert(rrsig_labels < fqdn_labels);
1068 	/* *. | fqdn(rightmost rrsig_labels) */
1069 	if(rrsig_labels < fqdn_labels) {
1070 		int i;
1071 		uint8_t* nm = k->rk.dname;
1072 		size_t len = k->rk.dname_len;
1073 		/* so skip fqdn_labels-rrsig_labels */
1074 		for(i=0; i<fqdn_labels-rrsig_labels; i++) {
1075 			dname_remove_label(&nm, &len);
1076 		}
1077 		*can_owner_len = len+2;
1078 		sldns_buffer_write(buf, (uint8_t*)"\001*", 2);
1079 		sldns_buffer_write(buf, nm, len);
1080 		query_dname_tolower(*can_owner);
1081 	}
1082 }
1083 
1084 /**
1085  * Canonicalize Rdata in buffer.
1086  * @param buf: buffer at position just after the rdata.
1087  * @param rrset: rrset with type.
1088  * @param len: length of the rdata (including rdatalen uint16).
1089  */
1090 static void
1091 canonicalize_rdata(sldns_buffer* buf, struct ub_packed_rrset_key* rrset,
1092 	size_t len)
1093 {
1094 	uint8_t* datstart = sldns_buffer_current(buf)-len+2;
1095 	switch(ntohs(rrset->rk.type)) {
1096 		case LDNS_RR_TYPE_NXT:
1097 		case LDNS_RR_TYPE_NS:
1098 		case LDNS_RR_TYPE_MD:
1099 		case LDNS_RR_TYPE_MF:
1100 		case LDNS_RR_TYPE_CNAME:
1101 		case LDNS_RR_TYPE_MB:
1102 		case LDNS_RR_TYPE_MG:
1103 		case LDNS_RR_TYPE_MR:
1104 		case LDNS_RR_TYPE_PTR:
1105 		case LDNS_RR_TYPE_DNAME:
1106 			/* type only has a single argument, the name */
1107 			query_dname_tolower(datstart);
1108 			return;
1109 		case LDNS_RR_TYPE_MINFO:
1110 		case LDNS_RR_TYPE_RP:
1111 		case LDNS_RR_TYPE_SOA:
1112 			/* two names after another */
1113 			query_dname_tolower(datstart);
1114 			query_dname_tolower(datstart +
1115 				dname_valid(datstart, len-2));
1116 			return;
1117 		case LDNS_RR_TYPE_RT:
1118 		case LDNS_RR_TYPE_AFSDB:
1119 		case LDNS_RR_TYPE_KX:
1120 		case LDNS_RR_TYPE_MX:
1121 			/* skip fixed part */
1122 			if(len < 2+2+1) /* rdlen, skiplen, 1byteroot */
1123 				return;
1124 			datstart += 2;
1125 			query_dname_tolower(datstart);
1126 			return;
1127 		case LDNS_RR_TYPE_SIG:
1128 		/* downcase the RRSIG, compat with BIND (kept it from SIG) */
1129 		case LDNS_RR_TYPE_RRSIG:
1130 			/* skip fixed part */
1131 			if(len < 2+18+1)
1132 				return;
1133 			datstart += 18;
1134 			query_dname_tolower(datstart);
1135 			return;
1136 		case LDNS_RR_TYPE_PX:
1137 			/* skip, then two names after another */
1138 			if(len < 2+2+1)
1139 				return;
1140 			datstart += 2;
1141 			query_dname_tolower(datstart);
1142 			query_dname_tolower(datstart +
1143 				dname_valid(datstart, len-2-2));
1144 			return;
1145 		case LDNS_RR_TYPE_NAPTR:
1146 			if(len < 2+4)
1147 				return;
1148 			len -= 2+4;
1149 			datstart += 4;
1150 			if(len < (size_t)datstart[0]+1) /* skip text field */
1151 				return;
1152 			len -= (size_t)datstart[0]+1;
1153 			datstart += (size_t)datstart[0]+1;
1154 			if(len < (size_t)datstart[0]+1) /* skip text field */
1155 				return;
1156 			len -= (size_t)datstart[0]+1;
1157 			datstart += (size_t)datstart[0]+1;
1158 			if(len < (size_t)datstart[0]+1) /* skip text field */
1159 				return;
1160 			len -= (size_t)datstart[0]+1;
1161 			datstart += (size_t)datstart[0]+1;
1162 			if(len < 1)	/* check name is at least 1 byte*/
1163 				return;
1164 			query_dname_tolower(datstart);
1165 			return;
1166 		case LDNS_RR_TYPE_SRV:
1167 			/* skip fixed part */
1168 			if(len < 2+6+1)
1169 				return;
1170 			datstart += 6;
1171 			query_dname_tolower(datstart);
1172 			return;
1173 
1174 		/* do not canonicalize NSEC rdata name, compat with
1175 		 * from bind 9.4 signer, where it does not do so */
1176 		case LDNS_RR_TYPE_NSEC: /* type starts with the name */
1177 		case LDNS_RR_TYPE_HINFO: /* not downcased */
1178 		/* A6 not supported */
1179 		default:
1180 			/* nothing to do for unknown types */
1181 			return;
1182 	}
1183 }
1184 
1185 int rrset_canonical_equal(struct regional* region,
1186 	struct ub_packed_rrset_key* k1, struct ub_packed_rrset_key* k2)
1187 {
1188 	struct rbtree_type sortree1, sortree2;
1189 	struct canon_rr *rrs1, *rrs2, *p1, *p2;
1190 	struct packed_rrset_data* d1=(struct packed_rrset_data*)k1->entry.data;
1191 	struct packed_rrset_data* d2=(struct packed_rrset_data*)k2->entry.data;
1192 	struct ub_packed_rrset_key fk;
1193 	struct packed_rrset_data fd;
1194 	size_t flen[2];
1195 	uint8_t* fdata[2];
1196 
1197 	/* basic compare */
1198 	if(k1->rk.dname_len != k2->rk.dname_len ||
1199 		k1->rk.flags != k2->rk.flags ||
1200 		k1->rk.type != k2->rk.type ||
1201 		k1->rk.rrset_class != k2->rk.rrset_class ||
1202 		query_dname_compare(k1->rk.dname, k2->rk.dname) != 0)
1203 		return 0;
1204 	if(d1->ttl != d2->ttl ||
1205 		d1->count != d2->count ||
1206 		d1->rrsig_count != d2->rrsig_count ||
1207 		d1->trust != d2->trust ||
1208 		d1->security != d2->security)
1209 		return 0;
1210 
1211 	/* init */
1212 	memset(&fk, 0, sizeof(fk));
1213 	memset(&fd, 0, sizeof(fd));
1214 	fk.entry.data = &fd;
1215 	fd.count = 2;
1216 	fd.rr_len = flen;
1217 	fd.rr_data = fdata;
1218 	rbtree_init(&sortree1, &canonical_tree_compare);
1219 	rbtree_init(&sortree2, &canonical_tree_compare);
1220 	if(d1->count > RR_COUNT_MAX || d2->count > RR_COUNT_MAX)
1221 		return 1; /* protection against integer overflow */
1222 	rrs1 = regional_alloc(region, sizeof(struct canon_rr)*d1->count);
1223 	rrs2 = regional_alloc(region, sizeof(struct canon_rr)*d2->count);
1224 	if(!rrs1 || !rrs2) return 1; /* alloc failure */
1225 
1226 	/* sort */
1227 	canonical_sort(k1, d1, &sortree1, rrs1);
1228 	canonical_sort(k2, d2, &sortree2, rrs2);
1229 
1230 	/* compare canonical-sorted RRs for canonical-equality */
1231 	if(sortree1.count != sortree2.count)
1232 		return 0;
1233 	p1 = (struct canon_rr*)rbtree_first(&sortree1);
1234 	p2 = (struct canon_rr*)rbtree_first(&sortree2);
1235 	while(p1 != (struct canon_rr*)RBTREE_NULL &&
1236 		p2 != (struct canon_rr*)RBTREE_NULL) {
1237 		flen[0] = d1->rr_len[p1->rr_idx];
1238 		flen[1] = d2->rr_len[p2->rr_idx];
1239 		fdata[0] = d1->rr_data[p1->rr_idx];
1240 		fdata[1] = d2->rr_data[p2->rr_idx];
1241 
1242 		if(canonical_compare(&fk, 0, 1) != 0)
1243 			return 0;
1244 		p1 = (struct canon_rr*)rbtree_next(&p1->node);
1245 		p2 = (struct canon_rr*)rbtree_next(&p2->node);
1246 	}
1247 	return 1;
1248 }
1249 
1250 /**
1251  * Create canonical form of rrset in the scratch buffer.
1252  * @param region: temporary region.
1253  * @param buf: the buffer to use.
1254  * @param k: the rrset to insert.
1255  * @param sig: RRSIG rdata to include.
1256  * @param siglen: RRSIG rdata len excluding signature field, but inclusive
1257  * 	signer name length.
1258  * @param sortree: if NULL is passed a new sorted rrset tree is built.
1259  * 	Otherwise it is reused.
1260  * @param section: section of packet where this rrset comes from.
1261  * @param qstate: qstate with region.
1262  * @return false on alloc error.
1263  */
1264 static int
1265 rrset_canonical(struct regional* region, sldns_buffer* buf,
1266 	struct ub_packed_rrset_key* k, uint8_t* sig, size_t siglen,
1267 	struct rbtree_type** sortree, sldns_pkt_section section,
1268 	struct module_qstate* qstate)
1269 {
1270 	struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data;
1271 	uint8_t* can_owner = NULL;
1272 	size_t can_owner_len = 0;
1273 	struct canon_rr* walk;
1274 	struct canon_rr* rrs;
1275 
1276 	if(!*sortree) {
1277 		*sortree = (struct rbtree_type*)regional_alloc(region,
1278 			sizeof(rbtree_type));
1279 		if(!*sortree)
1280 			return 0;
1281 		if(d->count > RR_COUNT_MAX)
1282 			return 0; /* integer overflow protection */
1283 		rrs = regional_alloc(region, sizeof(struct canon_rr)*d->count);
1284 		if(!rrs) {
1285 			*sortree = NULL;
1286 			return 0;
1287 		}
1288 		rbtree_init(*sortree, &canonical_tree_compare);
1289 		canonical_sort(k, d, *sortree, rrs);
1290 	}
1291 
1292 	sldns_buffer_clear(buf);
1293 	sldns_buffer_write(buf, sig, siglen);
1294 	/* canonicalize signer name */
1295 	query_dname_tolower(sldns_buffer_begin(buf)+18);
1296 	RBTREE_FOR(walk, struct canon_rr*, (*sortree)) {
1297 		/* see if there is enough space left in the buffer */
1298 		if(sldns_buffer_remaining(buf) < can_owner_len + 2 + 2 + 4
1299 			+ d->rr_len[walk->rr_idx]) {
1300 			log_err("verify: failed to canonicalize, "
1301 				"rrset too big");
1302 			return 0;
1303 		}
1304 		/* determine canonical owner name */
1305 		if(can_owner)
1306 			sldns_buffer_write(buf, can_owner, can_owner_len);
1307 		else	insert_can_owner(buf, k, sig, &can_owner,
1308 				&can_owner_len);
1309 		sldns_buffer_write(buf, &k->rk.type, 2);
1310 		sldns_buffer_write(buf, &k->rk.rrset_class, 2);
1311 		sldns_buffer_write(buf, sig+4, 4);
1312 		sldns_buffer_write(buf, d->rr_data[walk->rr_idx],
1313 			d->rr_len[walk->rr_idx]);
1314 		canonicalize_rdata(buf, k, d->rr_len[walk->rr_idx]);
1315 	}
1316 	sldns_buffer_flip(buf);
1317 
1318 	/* Replace RR owner with canonical owner for NSEC records in authority
1319 	 * section, to prevent that a wildcard synthesized NSEC can be used in
1320 	 * the non-existence proves. */
1321 	if(ntohs(k->rk.type) == LDNS_RR_TYPE_NSEC &&
1322 		section == LDNS_SECTION_AUTHORITY && qstate) {
1323 		k->rk.dname = regional_alloc_init(qstate->region, can_owner,
1324 			can_owner_len);
1325 		if(!k->rk.dname)
1326 			return 0;
1327 		k->rk.dname_len = can_owner_len;
1328 	}
1329 
1330 
1331 	return 1;
1332 }
1333 
1334 int
1335 rrset_canonicalize_to_buffer(struct regional* region, sldns_buffer* buf,
1336 	struct ub_packed_rrset_key* k)
1337 {
1338 	struct rbtree_type* sortree = NULL;
1339 	struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data;
1340 	uint8_t* can_owner = NULL;
1341 	size_t can_owner_len = 0;
1342 	struct canon_rr* walk;
1343 	struct canon_rr* rrs;
1344 
1345 	sortree = (struct rbtree_type*)regional_alloc(region,
1346 		sizeof(rbtree_type));
1347 	if(!sortree)
1348 		return 0;
1349 	if(d->count > RR_COUNT_MAX)
1350 		return 0; /* integer overflow protection */
1351 	rrs = regional_alloc(region, sizeof(struct canon_rr)*d->count);
1352 	if(!rrs) {
1353 		return 0;
1354 	}
1355 	rbtree_init(sortree, &canonical_tree_compare);
1356 	canonical_sort(k, d, sortree, rrs);
1357 
1358 	sldns_buffer_clear(buf);
1359 	RBTREE_FOR(walk, struct canon_rr*, sortree) {
1360 		/* see if there is enough space left in the buffer */
1361 		if(sldns_buffer_remaining(buf) < can_owner_len + 2 + 2 + 4
1362 			+ d->rr_len[walk->rr_idx]) {
1363 			log_err("verify: failed to canonicalize, "
1364 				"rrset too big");
1365 			return 0;
1366 		}
1367 		/* determine canonical owner name */
1368 		if(can_owner)
1369 			sldns_buffer_write(buf, can_owner, can_owner_len);
1370 		else	{
1371 			can_owner = sldns_buffer_current(buf);
1372 			sldns_buffer_write(buf, k->rk.dname, k->rk.dname_len);
1373 			query_dname_tolower(can_owner);
1374 			can_owner_len = k->rk.dname_len;
1375 		}
1376 		sldns_buffer_write(buf, &k->rk.type, 2);
1377 		sldns_buffer_write(buf, &k->rk.rrset_class, 2);
1378 		sldns_buffer_write_u32(buf, d->rr_ttl[walk->rr_idx]);
1379 		sldns_buffer_write(buf, d->rr_data[walk->rr_idx],
1380 			d->rr_len[walk->rr_idx]);
1381 		canonicalize_rdata(buf, k, d->rr_len[walk->rr_idx]);
1382 	}
1383 	sldns_buffer_flip(buf);
1384 	return 1;
1385 }
1386 
1387 /** pretty print rrsig error with dates */
1388 static void
1389 sigdate_error(const char* str, int32_t expi, int32_t incep, int32_t now)
1390 {
1391 	struct tm tm;
1392 	char expi_buf[16];
1393 	char incep_buf[16];
1394 	char now_buf[16];
1395 	time_t te, ti, tn;
1396 
1397 	if(verbosity < VERB_QUERY)
1398 		return;
1399 	te = (time_t)expi;
1400 	ti = (time_t)incep;
1401 	tn = (time_t)now;
1402 	memset(&tm, 0, sizeof(tm));
1403 	if(gmtime_r(&te, &tm) && strftime(expi_buf, 15, "%Y%m%d%H%M%S", &tm)
1404 	 &&gmtime_r(&ti, &tm) && strftime(incep_buf, 15, "%Y%m%d%H%M%S", &tm)
1405 	 &&gmtime_r(&tn, &tm) && strftime(now_buf, 15, "%Y%m%d%H%M%S", &tm)) {
1406 		log_info("%s expi=%s incep=%s now=%s", str, expi_buf,
1407 			incep_buf, now_buf);
1408 	} else
1409 		log_info("%s expi=%u incep=%u now=%u", str, (unsigned)expi,
1410 			(unsigned)incep, (unsigned)now);
1411 }
1412 
1413 /** check rrsig dates */
1414 static int
1415 check_dates(struct val_env* ve, uint32_t unow, uint8_t* expi_p,
1416 	uint8_t* incep_p, char** reason, sldns_ede_code *reason_bogus)
1417 {
1418 	/* read out the dates */
1419 	uint32_t expi, incep, now;
1420 	memmove(&expi, expi_p, sizeof(expi));
1421 	memmove(&incep, incep_p, sizeof(incep));
1422 	expi = ntohl(expi);
1423 	incep = ntohl(incep);
1424 
1425 	/* get current date */
1426 	if(ve->date_override) {
1427 		if(ve->date_override == -1) {
1428 			verbose(VERB_ALGO, "date override: ignore date");
1429 			return 1;
1430 		}
1431 		now = ve->date_override;
1432 		verbose(VERB_ALGO, "date override option %d", (int)now);
1433 	} else	now = unow;
1434 
1435 	/* check them */
1436 	if(compare_1982(incep, expi) > 0) {
1437 		sigdate_error("verify: inception after expiration, "
1438 			"signature bad", expi, incep, now);
1439 		*reason = "signature inception after expiration";
1440 		if(reason_bogus){
1441 			/* from RFC8914 on Signature Not Yet Valid: The resolver
1442 			 * attempted to perform DNSSEC validation, but no
1443 			 * signatures are presently valid and at least some are
1444 			 * not yet valid. */
1445 			*reason_bogus = LDNS_EDE_SIGNATURE_NOT_YET_VALID;
1446 		}
1447 
1448 		return 0;
1449 	}
1450 	if(compare_1982(incep, now) > 0) {
1451 		/* within skew ? (calc here to avoid calculation normally) */
1452 		uint32_t skew = subtract_1982(incep, expi)/10;
1453 		if(skew < (uint32_t)ve->skew_min) skew = ve->skew_min;
1454 		if(skew > (uint32_t)ve->skew_max) skew = ve->skew_max;
1455 		if(subtract_1982(now, incep) > skew) {
1456 			sigdate_error("verify: signature bad, current time is"
1457 				" before inception date", expi, incep, now);
1458 			*reason = "signature before inception date";
1459 			if(reason_bogus)
1460 				*reason_bogus = LDNS_EDE_SIGNATURE_NOT_YET_VALID;
1461 			return 0;
1462 		}
1463 		sigdate_error("verify warning suspicious signature inception "
1464 			" or bad local clock", expi, incep, now);
1465 	}
1466 	if(compare_1982(now, expi) > 0) {
1467 		uint32_t skew = subtract_1982(incep, expi)/10;
1468 		if(skew < (uint32_t)ve->skew_min) skew = ve->skew_min;
1469 		if(skew > (uint32_t)ve->skew_max) skew = ve->skew_max;
1470 		if(subtract_1982(expi, now) > skew) {
1471 			sigdate_error("verify: signature expired", expi,
1472 				incep, now);
1473 			*reason = "signature expired";
1474 			if(reason_bogus)
1475 				*reason_bogus = LDNS_EDE_SIGNATURE_EXPIRED;
1476 			return 0;
1477 		}
1478 		sigdate_error("verify warning suspicious signature expiration "
1479 			" or bad local clock", expi, incep, now);
1480 	}
1481 	return 1;
1482 }
1483 
1484 /** adjust rrset TTL for verified rrset, compare to original TTL and expi */
1485 static void
1486 adjust_ttl(struct val_env* ve, uint32_t unow,
1487 	struct ub_packed_rrset_key* rrset, uint8_t* orig_p,
1488 	uint8_t* expi_p, uint8_t* incep_p)
1489 {
1490 	struct packed_rrset_data* d =
1491 		(struct packed_rrset_data*)rrset->entry.data;
1492 	/* read out the dates */
1493 	int32_t origttl, expittl, expi, incep, now;
1494 	memmove(&origttl, orig_p, sizeof(origttl));
1495 	memmove(&expi, expi_p, sizeof(expi));
1496 	memmove(&incep, incep_p, sizeof(incep));
1497 	expi = ntohl(expi);
1498 	incep = ntohl(incep);
1499 	origttl = ntohl(origttl);
1500 
1501 	/* get current date */
1502 	if(ve->date_override) {
1503 		now = ve->date_override;
1504 	} else	now = (int32_t)unow;
1505 	expittl = (int32_t)((uint32_t)expi - (uint32_t)now);
1506 
1507 	/* so now:
1508 	 * d->ttl: rrset ttl read from message or cache. May be reduced
1509 	 * origttl: original TTL from signature, authoritative TTL max.
1510 	 * MIN_TTL: minimum TTL from config.
1511 	 * expittl: TTL until the signature expires.
1512 	 *
1513 	 * Use the smallest of these, but don't let origttl set the TTL
1514 	 * below the minimum.
1515 	 */
1516 	if(MIN_TTL > (time_t)origttl && d->ttl > MIN_TTL) {
1517 		verbose(VERB_QUERY, "rrset TTL larger than original and minimum"
1518 			" TTL, adjusting TTL downwards to minimum ttl");
1519 		d->ttl = MIN_TTL;
1520 	}
1521 	else if(MIN_TTL <= origttl && d->ttl > (time_t)origttl) {
1522 		verbose(VERB_QUERY, "rrset TTL larger than original TTL, "
1523 		"adjusting TTL downwards to original ttl");
1524 		d->ttl = origttl;
1525 	}
1526 
1527 	if(expittl > 0 && d->ttl > (time_t)expittl) {
1528 		verbose(VERB_ALGO, "rrset TTL larger than sig expiration ttl,"
1529 			" adjusting TTL downwards");
1530 		d->ttl = expittl;
1531 	}
1532 }
1533 
1534 enum sec_status
1535 dnskey_verify_rrset_sig(struct regional* region, sldns_buffer* buf,
1536 	struct val_env* ve, time_t now,
1537         struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey,
1538         size_t dnskey_idx, size_t sig_idx,
1539 	struct rbtree_type** sortree, int* buf_canon,
1540 	char** reason, sldns_ede_code *reason_bogus,
1541 	sldns_pkt_section section, struct module_qstate* qstate)
1542 {
1543 	enum sec_status sec;
1544 	uint8_t* sig;		/* RRSIG rdata */
1545 	size_t siglen;
1546 	size_t rrnum = rrset_get_count(rrset);
1547 	uint8_t* signer;	/* rrsig signer name */
1548 	size_t signer_len;
1549 	unsigned char* sigblock; /* signature rdata field */
1550 	unsigned int sigblock_len;
1551 	uint16_t ktag;		/* DNSKEY key tag */
1552 	unsigned char* key;	/* public key rdata field */
1553 	unsigned int keylen;
1554 	rrset_get_rdata(rrset, rrnum + sig_idx, &sig, &siglen);
1555 	/* min length of rdatalen, fixed rrsig, root signer, 1 byte sig */
1556 	if(siglen < 2+20) {
1557 		verbose(VERB_QUERY, "verify: signature too short");
1558 		*reason = "signature too short";
1559 		if(reason_bogus)
1560 			*reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
1561 		return sec_status_bogus;
1562 	}
1563 
1564 	if(!(dnskey_get_flags(dnskey, dnskey_idx) & DNSKEY_BIT_ZSK)) {
1565 		verbose(VERB_QUERY, "verify: dnskey without ZSK flag");
1566 		*reason = "dnskey without ZSK flag";
1567 		if(reason_bogus)
1568 			*reason_bogus = LDNS_EDE_NO_ZONE_KEY_BIT_SET;
1569 		return sec_status_bogus;
1570 	}
1571 
1572 	if(dnskey_get_protocol(dnskey, dnskey_idx) != LDNS_DNSSEC_KEYPROTO) {
1573 		/* RFC 4034 says DNSKEY PROTOCOL MUST be 3 */
1574 		verbose(VERB_QUERY, "verify: dnskey has wrong key protocol");
1575 		*reason = "dnskey has wrong protocolnumber";
1576 		if(reason_bogus)
1577 			*reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
1578 		return sec_status_bogus;
1579 	}
1580 
1581 	/* verify as many fields in rrsig as possible */
1582 	signer = sig+2+18;
1583 	signer_len = dname_valid(signer, siglen-2-18);
1584 	if(!signer_len) {
1585 		verbose(VERB_QUERY, "verify: malformed signer name");
1586 		*reason = "signer name malformed";
1587 		if(reason_bogus)
1588 			*reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
1589 		return sec_status_bogus; /* signer name invalid */
1590 	}
1591 	if(!dname_subdomain_c(rrset->rk.dname, signer)) {
1592 		verbose(VERB_QUERY, "verify: signer name is off-tree");
1593 		*reason = "signer name off-tree";
1594 		if(reason_bogus)
1595 			*reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
1596 		return sec_status_bogus; /* signer name offtree */
1597 	}
1598 	sigblock = (unsigned char*)signer+signer_len;
1599 	if(siglen < 2+18+signer_len+1) {
1600 		verbose(VERB_QUERY, "verify: too short, no signature data");
1601 		*reason = "signature too short, no signature data";
1602 		if(reason_bogus)
1603 			*reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
1604 		return sec_status_bogus; /* sig rdf is < 1 byte */
1605 	}
1606 	sigblock_len = (unsigned int)(siglen - 2 - 18 - signer_len);
1607 
1608 	/* verify key dname == sig signer name */
1609 	if(query_dname_compare(signer, dnskey->rk.dname) != 0) {
1610 		verbose(VERB_QUERY, "verify: wrong key for rrsig");
1611 		log_nametypeclass(VERB_QUERY, "RRSIG signername is",
1612 			signer, 0, 0);
1613 		log_nametypeclass(VERB_QUERY, "the key name is",
1614 			dnskey->rk.dname, 0, 0);
1615 		*reason = "signer name mismatches key name";
1616 		if(reason_bogus)
1617 			*reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
1618 		return sec_status_bogus;
1619 	}
1620 
1621 	/* verify covered type */
1622 	/* memcmp works because type is in network format for rrset */
1623 	if(memcmp(sig+2, &rrset->rk.type, 2) != 0) {
1624 		verbose(VERB_QUERY, "verify: wrong type covered");
1625 		*reason = "signature covers wrong type";
1626 		if(reason_bogus)
1627 			*reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
1628 		return sec_status_bogus;
1629 	}
1630 	/* verify keytag and sig algo (possibly again) */
1631 	if((int)sig[2+2] != dnskey_get_algo(dnskey, dnskey_idx)) {
1632 		verbose(VERB_QUERY, "verify: wrong algorithm");
1633 		*reason = "signature has wrong algorithm";
1634 		if(reason_bogus)
1635 			*reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
1636 		return sec_status_bogus;
1637 	}
1638 	ktag = htons(dnskey_calc_keytag(dnskey, dnskey_idx));
1639 	if(memcmp(sig+2+16, &ktag, 2) != 0) {
1640 		verbose(VERB_QUERY, "verify: wrong keytag");
1641 		*reason = "signature has wrong keytag";
1642 		if(reason_bogus)
1643 			*reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
1644 		return sec_status_bogus;
1645 	}
1646 
1647 	/* verify labels is in a valid range */
1648 	if((int)sig[2+3] > dname_signame_label_count(rrset->rk.dname)) {
1649 		verbose(VERB_QUERY, "verify: labelcount out of range");
1650 		*reason = "signature labelcount out of range";
1651 		if(reason_bogus)
1652 			*reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
1653 		return sec_status_bogus;
1654 	}
1655 
1656 	/* original ttl, always ok */
1657 
1658 	if(!*buf_canon) {
1659 		/* create rrset canonical format in buffer, ready for
1660 		 * signature */
1661 		if(!rrset_canonical(region, buf, rrset, sig+2,
1662 			18 + signer_len, sortree, section, qstate)) {
1663 			log_err("verify: failed due to alloc error");
1664 			return sec_status_unchecked;
1665 		}
1666 		*buf_canon = 1;
1667 	}
1668 
1669 	/* check that dnskey is available */
1670 	dnskey_get_pubkey(dnskey, dnskey_idx, &key, &keylen);
1671 	if(!key) {
1672 		verbose(VERB_QUERY, "verify: short DNSKEY RR");
1673 		return sec_status_unchecked;
1674 	}
1675 
1676 	/* verify */
1677 	sec = verify_canonrrset(buf, (int)sig[2+2],
1678 		sigblock, sigblock_len, key, keylen, reason);
1679 
1680 	if(sec == sec_status_secure) {
1681 		/* check if TTL is too high - reduce if so */
1682 		adjust_ttl(ve, now, rrset, sig+2+4, sig+2+8, sig+2+12);
1683 
1684 		/* verify inception, expiration dates
1685 		 * Do this last so that if you ignore expired-sigs the
1686 		 * rest is sure to be OK. */
1687 		if(!check_dates(ve, now, sig+2+8, sig+2+12,
1688 			reason, reason_bogus)) {
1689 			return sec_status_bogus;
1690 		}
1691 	}
1692 
1693 	return sec;
1694 }
1695