/* * validator/val_sigcrypt.c - validator signature crypto functions. * * Copyright (c) 2007, NLnet Labs. All rights reserved. * * This software is open source. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * * Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * * Neither the name of the NLNET LABS nor the names of its contributors may * be used to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. */ /** * \file * * This file contains helper functions for the validator module. * The functions help with signature verification and checking, the * bridging between RR wireformat data and crypto calls. */ #include "config.h" #include "validator/val_sigcrypt.h" #include "validator/validator.h" #include "util/data/msgreply.h" #include "util/data/msgparse.h" #include "util/data/dname.h" #include "util/rbtree.h" #include "util/module.h" #include "util/net_help.h" #include "util/region-allocator.h" #ifndef HAVE_SSL #error "Need SSL library to do digital signature cryptography" #endif /** return number of rrs in an rrset */ static size_t rrset_get_count(struct ub_packed_rrset_key* rrset) { struct packed_rrset_data* d = (struct packed_rrset_data*) rrset->entry.data; if(!d) return 0; return d->count; } /** * Get RR signature count */ static size_t rrset_get_sigcount(struct ub_packed_rrset_key* k) { struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; return d->rrsig_count; } /** * Get signature keytag value * @param k: rrset (with signatures) * @param sig_idx: signature index. * @return keytag or 0 if malformed rrsig. */ static uint16_t rrset_get_sig_keytag(struct ub_packed_rrset_key* k, size_t sig_idx) { uint16_t t; struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; log_assert(sig_idx < d->rrsig_count); if(d->rr_len[d->count + sig_idx] < 2+18) return 0; memmove(&t, d->rr_data[d->count + sig_idx]+2+16, 2); return ntohs(t); } /** * Get signature signing algorithm value * @param k: rrset (with signatures) * @param sig_idx: signature index. * @return algo or 0 if malformed rrsig. */ static int rrset_get_sig_algo(struct ub_packed_rrset_key* k, size_t sig_idx) { struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; log_assert(sig_idx < d->rrsig_count); if(d->rr_len[d->count + sig_idx] < 2+3) return 0; return (int)d->rr_data[d->count + sig_idx][2+2]; } /** get rdata pointer and size */ static void rrset_get_rdata(struct ub_packed_rrset_key* k, size_t idx, uint8_t** rdata, size_t* len) { struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; log_assert(d && idx < (d->count + d->rrsig_count)); *rdata = d->rr_data[idx]; *len = d->rr_len[idx]; } uint16_t dnskey_get_flags(struct ub_packed_rrset_key* k, size_t idx) { uint8_t* rdata; size_t len; uint16_t f; rrset_get_rdata(k, idx, &rdata, &len); if(len < 2+2) return 0; memmove(&f, rdata+2, 2); f = ntohs(f); return f; } int dnskey_get_algo(struct ub_packed_rrset_key* k, size_t idx) { uint8_t* rdata; size_t len; rrset_get_rdata(k, idx, &rdata, &len); if(len < 2+4) return 0; return (int)rdata[2+3]; } /** get public key rdata field from a dnskey RR and do some checks */ static void dnskey_get_pubkey(struct ub_packed_rrset_key* k, size_t idx, unsigned char** pk, size_t* pklen) { uint8_t* rdata; size_t len; rrset_get_rdata(k, idx, &rdata, &len); if(len < 2+5) { *pk = NULL; *pklen = 0; return; } *pk = (unsigned char*)rdata+2+4; *pklen = len-2-4; } int ds_get_key_algo(struct ub_packed_rrset_key* k, size_t idx) { uint8_t* rdata; size_t len; rrset_get_rdata(k, idx, &rdata, &len); if(len < 2+3) return 0; return (int)rdata[2+2]; } /** * Get DS RR digest algorithm * @param k: DS rrset. * @param idx: which DS. * @return algorithm or 0 if DS too short. */ static int ds_get_digest_algo(struct ub_packed_rrset_key* k, size_t idx) { uint8_t* rdata; size_t len; rrset_get_rdata(k, idx, &rdata, &len); if(len < 2+4) return 0; return (int)rdata[2+3]; } uint16_t ds_get_keytag(struct ub_packed_rrset_key* ds_rrset, size_t ds_idx) { uint16_t t; uint8_t* rdata; size_t len; rrset_get_rdata(ds_rrset, ds_idx, &rdata, &len); if(len < 2+2) return 0; memmove(&t, rdata+2, 2); return ntohs(t); } /** * Return pointer to the digest in a DS RR. * @param k: DS rrset. * @param idx: which DS. * @param digest: digest data is returned. * on error, this is NULL. * @param len: length of digest is returned. * on error, the length is 0. */ static void ds_get_sigdata(struct ub_packed_rrset_key* k, size_t idx, uint8_t** digest, size_t* len) { uint8_t* rdata; size_t rdlen; rrset_get_rdata(k, idx, &rdata, &rdlen); if(rdlen < 2+5) { *digest = NULL; *len = 0; return; } *digest = rdata + 2 + 4; *len = rdlen - 2 - 4; } /** * Return size of DS digest according to its hash algorithm. * @param k: DS rrset. * @param idx: which DS. * @return size in bytes of digest, or 0 if not supported. */ static size_t ds_digest_size_algo(struct ub_packed_rrset_key* k, size_t idx) { switch(ds_get_digest_algo(k, idx)) { #ifdef SHA_DIGEST_LENGTH case LDNS_SHA1: return SHA_DIGEST_LENGTH; #endif #ifdef SHA256_DIGEST_LENGTH case LDNS_SHA256: return SHA256_DIGEST_LENGTH; #endif default: break; } return 0; } /** * Create a DS digest for a DNSKEY entry. * * @param env: module environment. Uses scratch space. * @param dnskey_rrset: DNSKEY rrset. * @param dnskey_idx: index of RR in rrset. * @param ds_rrset: DS rrset * @param ds_idx: index of RR in DS rrset. * @param digest: digest is returned in here (must be correctly sized). * @return false on error. */ static int ds_create_dnskey_digest(struct module_env* env, struct ub_packed_rrset_key* dnskey_rrset, size_t dnskey_idx, struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, uint8_t* digest) { ldns_buffer* b = env->scratch_buffer; uint8_t* dnskey_rdata; size_t dnskey_len; rrset_get_rdata(dnskey_rrset, dnskey_idx, &dnskey_rdata, &dnskey_len); /* create digest source material in buffer * digest = digest_algorithm( DNSKEY owner name | DNSKEY RDATA); * DNSKEY RDATA = Flags | Protocol | Algorithm | Public Key. */ ldns_buffer_clear(b); ldns_buffer_write(b, dnskey_rrset->rk.dname, dnskey_rrset->rk.dname_len); query_dname_tolower(ldns_buffer_begin(b)); ldns_buffer_write(b, dnskey_rdata+2, dnskey_len-2); /* skip rdatalen*/ ldns_buffer_flip(b); switch(ds_get_digest_algo(ds_rrset, ds_idx)) { #ifdef SHA_DIGEST_LENGTH case LDNS_SHA1: (void)SHA1((unsigned char*)ldns_buffer_begin(b), ldns_buffer_limit(b), (unsigned char*)digest); return 1; #endif #ifdef SHA256_DIGEST_LENGTH case LDNS_SHA256: (void)SHA256((unsigned char*)ldns_buffer_begin(b), ldns_buffer_limit(b), (unsigned char*)digest); return 1; #endif default: break; } return 0; } int ds_digest_match_dnskey(struct module_env* env, struct ub_packed_rrset_key* dnskey_rrset, size_t dnskey_idx, struct ub_packed_rrset_key* ds_rrset, size_t ds_idx) { uint8_t* ds; /* DS digest */ size_t dslen; uint8_t* digest; /* generated digest */ size_t digestlen = ds_digest_size_algo(ds_rrset, ds_idx); if(digestlen == 0) return 0; /* not supported, or DS RR format error */ /* check digest length in DS with length from hash function */ ds_get_sigdata(ds_rrset, ds_idx, &ds, &dslen); if(!ds || dslen != digestlen) return 0; /* DS algorithm and digest do not match */ digest = region_alloc(env->scratch, digestlen); if(!digest) return 0; /* mem error */ if(!ds_create_dnskey_digest(env, dnskey_rrset, dnskey_idx, ds_rrset, ds_idx, digest)) return 0; /* digest algo failed */ if(memcmp(digest, ds, dslen) != 0) return 0; /* digest different */ return 1; } int ds_digest_algo_is_supported(struct ub_packed_rrset_key* ds_rrset, size_t ds_idx) { return (ds_digest_size_algo(ds_rrset, ds_idx) != 0); } /** return true if DNSKEY algorithm id is supported */ static int dnskey_algo_id_is_supported(int id) { switch(id) { case LDNS_DSA: case LDNS_DSA_NSEC3: case LDNS_RSASHA1: case LDNS_RSASHA1_NSEC3: case LDNS_RSAMD5: return 1; default: return 0; } } int ds_key_algo_is_supported(struct ub_packed_rrset_key* ds_rrset, size_t ds_idx) { return dnskey_algo_id_is_supported(ds_get_key_algo(ds_rrset, ds_idx)); } uint16_t dnskey_calc_keytag(struct ub_packed_rrset_key* dnskey_rrset, size_t dnskey_idx) { uint8_t* data; size_t len; rrset_get_rdata(dnskey_rrset, dnskey_idx, &data, &len); /* do not pass rdatalen to ldns */ return ldns_calc_keytag_raw(data+2, len-2); } int dnskey_algo_is_supported(struct ub_packed_rrset_key* dnskey_rrset, size_t dnskey_idx) { return dnskey_algo_id_is_supported(dnskey_get_algo(dnskey_rrset, dnskey_idx)); } enum sec_status dnskeyset_verify_rrset(struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey) { enum sec_status sec; size_t i, num; num = rrset_get_sigcount(rrset); if(num == 0) { verbose(VERB_ALGO, "rrset failed to verify due to a lack of " "signatures"); return sec_status_bogus; } for(i=0; irr_data[i]+2; /* ptr to current rdata byte */ uint8_t* dj = d->rr_data[j]+2; size_t ilen = d->rr_len[i]-2; /* length left in rdata */ size_t jlen = d->rr_len[j]-2; size_t strlen_i = 0; size_t strlen_j = 0; while(ilen > 0 && jlen > 0) { /* compare this pair of bytes */ if( ((strlen_i)?(uint8_t)tolower((int)*di):*di) != ((strlen_j)?(uint8_t)tolower((int)*dj):*dj) ) { if(((strlen_i)?(uint8_t)tolower((int)*di):*di) < ((strlen_j)?(uint8_t)tolower((int)*dj):*dj)) return -1; return 1; } ilen --; jlen --; /* read length byte of the string in rdata if strlen=0 */ if(strlen_i == 0) { strlen_i = (size_t)*di; } else strlen_i--; if(strlen_j == 0) { strlen_j = (size_t)*dj; } else strlen_j--; di++; dj++; } if(ilen == 0 && jlen == 0) return 0; if(ilen == 0) return -1; return 1; } /** * Compare two RR for canonical order, in a field-style sweep. * @param d: rrset data * @param desc: ldns wireformat descriptor. * @param i: first RR to compare * @param j: first RR to compare * @return comparison code. */ static int canonical_compare_byfield(struct packed_rrset_data* d, const ldns_rr_descriptor* desc, size_t i, size_t j) { /* sweep across rdata, keep track of some state: * which rr field, and bytes left in field. * current position in rdata, length left. * are we in a dname, length left in a label. */ int wfi = -1; /* current wireformat rdata field (rdf) */ int wfj = -1; uint8_t* di = d->rr_data[i]+2; /* ptr to current rdata byte */ uint8_t* dj = d->rr_data[j]+2; size_t ilen = d->rr_len[i]-2; /* length left in rdata */ size_t jlen = d->rr_len[j]-2; int dname_i = 0; /* true if these bytes are part of a name */ int dname_j = 0; size_t lablen_i = 0; /* 0 for label length byte,for first byte of rdf*/ size_t lablen_j = 0; /* otherwise remaining length of rdf or label */ int dname_num_i = (int)desc->_dname_count; /* decreased at root label */ int dname_num_j = (int)desc->_dname_count; /* loop while there are rdata bytes available for both rrs, * and still some lowercasing needs to be done; either the dnames * have not been reached yet, or they are currently being processed */ while(ilen > 0 && jlen > 0 && (dname_num_i > 0 || dname_num_j > 0)) { /* compare these two bytes */ /* lowercase if in a dname and not a label length byte */ if( ((dname_i && lablen_i)?(uint8_t)tolower((int)*di):*di) != ((dname_j && lablen_j)?(uint8_t)tolower((int)*dj):*dj) ) { if(((dname_i && lablen_i)?(uint8_t)tolower((int)*di):*di) < ((dname_j && lablen_j)?(uint8_t)tolower((int)*dj):*dj)) return -1; return 1; } ilen--; jlen--; /* bytes are equal */ /* advance field i */ /* lablen 0 means that this byte is the first byte of the * next rdata field; inspect this rdata field and setup * to process the rest of this rdata field. * The reason to first read the byte, then setup the rdf, * is that we are then sure the byte is available and short * rdata is handled gracefully (even if it is a formerr). */ if(lablen_i == 0) { if(dname_i) { /* scan this dname label */ /* capture length to lowercase */ lablen_i = (size_t)*di; if(lablen_i == 0) { /* end root label */ dname_i = 0; dname_num_i--; /* if dname num is 0, then the * remainder is binary only */ if(dname_num_i == 0) lablen_i = ilen; } } else { /* scan this rdata field */ wfi++; if(desc->_wireformat[wfi] == LDNS_RDF_TYPE_DNAME) { dname_i = 1; lablen_i = (size_t)*di; if(lablen_i == 0) { dname_i = 0; dname_num_i--; if(dname_num_i == 0) lablen_i = ilen; } } else if(desc->_wireformat[wfi] == LDNS_RDF_TYPE_STR) lablen_i = (size_t)*di; else lablen_i = get_rdf_size( desc->_wireformat[wfi]) - 1; } } else lablen_i--; /* advance field j; same as for i */ if(lablen_j == 0) { if(dname_j) { lablen_j = (size_t)*dj; if(lablen_j == 0) { dname_j = 0; dname_num_j--; if(dname_num_j == 0) lablen_j = jlen; } } else { wfj++; if(desc->_wireformat[wfj] == LDNS_RDF_TYPE_DNAME) { dname_j = 1; lablen_j = (size_t)*dj; if(lablen_j == 0) { dname_j = 0; dname_num_j--; if(dname_num_j == 0) lablen_j = jlen; } } else if(desc->_wireformat[wfj] == LDNS_RDF_TYPE_STR) lablen_j = (size_t)*dj; else lablen_j = get_rdf_size( desc->_wireformat[wfj]) - 1; } } else lablen_j--; di++; dj++; } /* end of the loop; because we advanced byte by byte; now we have * that the rdata has ended, or that there is a binary remainder */ /* shortest first */ if(ilen == 0 && jlen == 0) return 0; if(ilen == 0) return -1; if(jlen == 0) return 1; /* binary remainder, capture comparison in wfi variable */ if((wfi = memcmp(di, dj, (ilen. */ static int canonical_compare(struct ub_packed_rrset_key* rrset, size_t i, size_t j) { struct packed_rrset_data* d = (struct packed_rrset_data*) rrset->entry.data; const ldns_rr_descriptor* desc; uint16_t type = ntohs(rrset->rk.type); size_t minlen; int c; if(i==j) return 0; /* in case rdata-len is to be compared for canonical order c = memcmp(d->rr_data[i], d->rr_data[j], 2); if(c != 0) return c; */ switch(type) { /* These RR types have only a name as RDATA. * This name has to be canonicalized.*/ case LDNS_RR_TYPE_NS: case LDNS_RR_TYPE_MD: case LDNS_RR_TYPE_MF: case LDNS_RR_TYPE_CNAME: case LDNS_RR_TYPE_MB: case LDNS_RR_TYPE_MG: case LDNS_RR_TYPE_MR: case LDNS_RR_TYPE_PTR: case LDNS_RR_TYPE_DNAME: return query_dname_compare(d->rr_data[i]+2, d->rr_data[j]+2); /* These RR types have STR and fixed size rdata fields * before one or more name fields that need canonicalizing, * and after that a byte-for byte remainder can be compared. */ /* type starts with the name; remainder is binary compared */ case LDNS_RR_TYPE_NXT: case LDNS_RR_TYPE_NSEC: /* use rdata field formats */ case LDNS_RR_TYPE_MINFO: case LDNS_RR_TYPE_RP: case LDNS_RR_TYPE_SOA: case LDNS_RR_TYPE_RT: case LDNS_RR_TYPE_AFSDB: case LDNS_RR_TYPE_KX: case LDNS_RR_TYPE_MX: case LDNS_RR_TYPE_SIG: case LDNS_RR_TYPE_RRSIG: case LDNS_RR_TYPE_PX: case LDNS_RR_TYPE_NAPTR: case LDNS_RR_TYPE_SRV: desc = ldns_rr_descript(type); log_assert(desc); /* this holds for the types that need canonicalizing */ log_assert(desc->_minimum == desc->_maximum); return canonical_compare_byfield(d, desc, i, j); /* This RR type is special, as the contents of text fields * is lowercased. */ case LDNS_RR_TYPE_HINFO: return canonical_compare_hinfo(d, i, j); default: /* For unknown RR types, or types not listed above, * no canonicalization is needed, do binary compare */ /* byte for byte compare, equal means shortest first*/ minlen = d->rr_len[i]-2; if(minlen > d->rr_len[j]-2) minlen = d->rr_len[j]-2; c = memcmp(d->rr_data[i]+2, d->rr_data[j]+2, minlen); if(c!=0) return c; /* rdata equal, shortest is first */ if(d->rr_len[i] < d->rr_len[j]) return -1; if(d->rr_len[i] > d->rr_len[j]) return 1; /* rdata equal, length equal */ break; } return 0; } /** * canonical compare for two tree entries */ static int canonical_tree_compare(const void* k1, const void* k2) { struct canon_rr* r1 = (struct canon_rr*)k1; struct canon_rr* r2 = (struct canon_rr*)k2; log_assert(r1->rrset == r2->rrset); return canonical_compare(r1->rrset, r1->rr_idx, r2->rr_idx); } /** * Sort RRs for rrset in canonical order. * Does not actually canonicalize the RR rdatas. * Does not touch rrsigs. * @param rrset: to sort. * @param d: rrset data. * @param sortree: tree to sort into. * @param rrs: rr storage. */ static void canonical_sort(struct ub_packed_rrset_key* rrset, struct packed_rrset_data* d, rbtree_t* sortree, struct canon_rr* rrs) { size_t i; /* insert into rbtree to sort and detect duplicates */ for(i=0; icount; i++) { rrs[i].node.key = &rrs[i]; rrs[i].rrset = rrset; rrs[i].rr_idx = i; if(!rbtree_insert(sortree, &rrs[i].node)) { /* this was a duplicate */ } } } /** * Inser canonical owner name into buffer. * @param buf: buffer to insert into at current position. * @param k: rrset with its owner name. * @param sig: signature with signer name and label count. * must be length checked, at least 18 bytes long. * @param can_owner: position in buffer returned for future use. * @param can_owner_len: length of canonical owner name. */ static void insert_can_owner(ldns_buffer* buf, struct ub_packed_rrset_key* k, uint8_t* sig, uint8_t** can_owner, size_t* can_owner_len) { int rrsig_labels = (int)sig[3]; int fqdn_labels = dname_signame_label_count(k->rk.dname); *can_owner = ldns_buffer_current(buf); if(rrsig_labels == fqdn_labels) { /* no change */ ldns_buffer_write(buf, k->rk.dname, k->rk.dname_len); query_dname_tolower(*can_owner); *can_owner_len = k->rk.dname_len; return; } log_assert(rrsig_labels < fqdn_labels); /* *. | fqdn(rightmost rrsig_labels) */ if(rrsig_labels < fqdn_labels) { int i; uint8_t* nm = k->rk.dname; size_t len = k->rk.dname_len; /* so skip fqdn_labels-rrsig_labels */ for(i=0; irk.type)) { case LDNS_RR_TYPE_NXT: case LDNS_RR_TYPE_NSEC: /* type starts with the name */ case LDNS_RR_TYPE_NS: case LDNS_RR_TYPE_MD: case LDNS_RR_TYPE_MF: case LDNS_RR_TYPE_CNAME: case LDNS_RR_TYPE_MB: case LDNS_RR_TYPE_MG: case LDNS_RR_TYPE_MR: case LDNS_RR_TYPE_PTR: case LDNS_RR_TYPE_DNAME: /* type only has a single argument, the name */ query_dname_tolower(datstart); return; case LDNS_RR_TYPE_MINFO: case LDNS_RR_TYPE_RP: case LDNS_RR_TYPE_SOA: /* two names after another */ query_dname_tolower(datstart); query_dname_tolower(datstart + dname_valid(datstart, len-2)); return; case LDNS_RR_TYPE_HINFO: /* lowercase text records */ len -= 2; if(len < (size_t)datstart[0]+1) return; lowercase_text_field(datstart); len -= (size_t)datstart[0]+1; /* and skip the 1st */ datstart += (size_t)datstart[0]+1; if(len < (size_t)datstart[0]+1) return; lowercase_text_field(datstart); return; case LDNS_RR_TYPE_RT: case LDNS_RR_TYPE_AFSDB: case LDNS_RR_TYPE_KX: case LDNS_RR_TYPE_MX: /* skip fixed part */ if(len < 2+2+1) /* rdlen, skiplen, 1byteroot */ return; datstart += 2; query_dname_tolower(datstart); return; case LDNS_RR_TYPE_SIG: case LDNS_RR_TYPE_RRSIG: /* skip fixed part */ if(len < 2+18+1) return; datstart += 18; query_dname_tolower(datstart); return; case LDNS_RR_TYPE_PX: /* skip, then two names after another */ if(len < 2+2+1) return; datstart += 2; query_dname_tolower(datstart); query_dname_tolower(datstart + dname_valid(datstart, len-2-2)); return; case LDNS_RR_TYPE_NAPTR: if(len < 2+4) return; len -= 2+4; datstart += 4; if(len < (size_t)datstart[0]+1) /* skip text field */ return; len -= (size_t)datstart[0]+1; datstart += (size_t)datstart[0]+1; if(len < (size_t)datstart[0]+1) /* skip text field */ return; len -= (size_t)datstart[0]+1; datstart += (size_t)datstart[0]+1; if(len < (size_t)datstart[0]+1) /* skip text field */ return; len -= (size_t)datstart[0]+1; datstart += (size_t)datstart[0]+1; if(len < 1) /* check name is at least 1 byte*/ return; query_dname_tolower(datstart); return; case LDNS_RR_TYPE_SRV: /* skip fixed part */ if(len < 2+6+1) return; datstart += 6; query_dname_tolower(datstart); return; /* A6 not supported */ default: /* nothing to do for unknown types */ return; } } /** * Create canonical form of rrset in the scratch buffer. * @param region: temporary region. * @param buf: the buffer to use. * @param k: the rrset to insert. * @param sig: RRSIG rdata to include. * @param siglen: RRSIG rdata len excluding signature field, but inclusive * signer name length. * @return false on alloc error. */ static int rrset_canonical(struct region* region, ldns_buffer* buf, struct ub_packed_rrset_key* k, uint8_t* sig, size_t siglen) { struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; uint8_t* can_owner = NULL; size_t can_owner_len = 0; rbtree_t sortree; struct canon_rr* walk; struct canon_rr* rrs; rrs = region_alloc(region, sizeof(struct canon_rr)*d->count); if(!rrs) return 0; rbtree_init(&sortree, &canonical_tree_compare); canonical_sort(k, d, &sortree, rrs); ldns_buffer_clear(buf); ldns_buffer_write(buf, sig, siglen); /* canonicalize signer name */ query_dname_tolower(ldns_buffer_begin(buf)+18); RBTREE_FOR(walk, struct canon_rr*, &sortree) { /* determine canonical owner name */ if(can_owner) ldns_buffer_write(buf, can_owner, can_owner_len); else insert_can_owner(buf, k, sig, &can_owner, &can_owner_len); ldns_buffer_write(buf, &k->rk.type, 2); ldns_buffer_write(buf, &k->rk.rrset_class, 2); ldns_buffer_write(buf, sig+4, 4); ldns_buffer_write(buf, d->rr_data[walk->rr_idx], d->rr_len[walk->rr_idx]); canonicalize_rdata(buf, k, d->rr_len[walk->rr_idx]); } ldns_buffer_flip(buf); return 1; } /** check rrsig dates */ static int check_dates(struct val_env* ve, uint8_t* expi_p, uint8_t* incep_p) { /* read out the dates */ int32_t expi, incep, now; memmove(&expi, expi_p, sizeof(expi)); memmove(&incep, incep_p, sizeof(incep)); expi = ntohl(expi); incep = ntohl(incep); /* get current date */ if(ve->date_override) { now = ve->date_override; verbose(VERB_ALGO, "date override option %d", (int)now); } else now = (int32_t)time(0); /* check them */ if(incep - expi > 0) { verbose(VERB_ALGO, "verify: inception after expiration, " "signature bad"); return 0; } if(incep - now > 0) { verbose(VERB_ALGO, "verify: signature bad, current time is" " before inception date"); return 0; } if(now - expi > 0) { verbose(VERB_ALGO, "verify: signature expired"); return 0; } return 1; } /** * Output a libcrypto openssl error to the logfile. * @param str: string to add to it. * @param e: the error to output, error number from ERR_get_error(). */ static void log_crypto_error(const char* str, unsigned long e) { char buf[128]; /* or use ERR_error_string if ERR_error_string_n is not avail TODO */ ERR_error_string_n(e, buf, sizeof(buf)); /* buf now contains */ /* error:[error code]:[library name]:[function name]:[reason string] */ log_err("%s crypto %s", str, buf); } /** * Convert DSA RRsig sigblock to a DSA_SIG structure. * @param sig: sigblock field of RRSIG * @param siglen: length of sig. * @return DSA_SIG or NULL */ static DSA_SIG* dsa_rrsig_to_dsa_sig(unsigned char* sig, unsigned int siglen) { uint8_t t; BIGNUM *R, *S; DSA_SIG *dsasig; /* extract the R and S field from the sig buffer */ if(siglen < 1 + SHA_DIGEST_LENGTH*2) { verbose(VERB_ALGO, "verify: short DSA RRSIG"); return NULL; } t = sig[0]; R = BN_new(); if(!R) { log_err("verify: alloc failure"); return NULL; } S = BN_new(); if(!S) { BN_free(R); log_err("verify: alloc failure"); return NULL; } if(!BN_bin2bn(sig + 1, SHA_DIGEST_LENGTH, R)) { log_err("verify: bignum failure"); BN_free(R); BN_free(S); return NULL; } if(!BN_bin2bn(sig + 21, SHA_DIGEST_LENGTH, S)) { log_err("verify: bignum failure"); BN_free(R); BN_free(S); return NULL; } dsasig = DSA_SIG_new(); if(!dsasig) { log_err("verify: alloc failure"); BN_free(R); BN_free(S); return NULL; } dsasig->r = R; dsasig->s = S; return dsasig; } /** * Convert DSA signature to a DER signature. * @param sig: signature, used to read, then replaced with malloced * DER signature on success. * @param siglen: read to get input len, then updated to new length. * @return false on (alloc) error. */ static int dsa_convert_to_der(unsigned char** sig, unsigned int* siglen) { DSA_SIG* dsasig; int res; dsasig = dsa_rrsig_to_dsa_sig(*sig, *siglen); if(!dsasig) { return 0; } *sig = NULL; /* needs libcrypto >= 0.9.7 */ res = i2d_DSA_SIG(dsasig, sig); if(res < 0) { log_crypto_error("verify: bad dsa sig ", ERR_get_error()); DSA_SIG_free(dsasig); return 0; } DSA_SIG_free(dsasig); *siglen = (unsigned int)res; return 1; } /** * Setup key and digest for verification. Adjust sig if necessary. * * @param algo: key algorithm * @param evp_key: EVP PKEY public key to update. * @param digest_type: digest type to use * @param key: key to setup for. * @param keylen: length of key. * @param sig: sig to update if necessary. * @param siglen: length of sig. * @return false on failure. */ static int setup_key_digest(int algo, EVP_PKEY* evp_key, const EVP_MD** digest_type, unsigned char* key, size_t keylen, unsigned char** sig, unsigned int* siglen) { switch(algo) { case LDNS_DSA: case LDNS_DSA_NSEC3: EVP_PKEY_assign_DSA(evp_key, ldns_key_buf2dsa_raw(key, keylen)); *digest_type = EVP_dss1(); if(!dsa_convert_to_der(sig, siglen)) return 0; break; case LDNS_RSASHA1: case LDNS_RSASHA1_NSEC3: EVP_PKEY_assign_RSA(evp_key, ldns_key_buf2rsa_raw(key, keylen)); *digest_type = EVP_sha1(); break; case LDNS_RSAMD5: EVP_PKEY_assign_RSA(evp_key, ldns_key_buf2rsa_raw(key, keylen)); *digest_type = EVP_md5(); break; default: verbose(VERB_ALGO, "verify: unknown algorithm %d", algo); return 0; } return 1; } /** * Desetup what setup_key_digest setup. * @param algo: key algorithm * @param sig: signature. */ static void desetup_key_digest(int algo, unsigned char* sig) { switch(algo) { case LDNS_DSA: case LDNS_DSA_NSEC3: /* free converted signature */ free(sig); break; } } /** * Check a canonical sig+rrset and signature against a dnskey * @param buf: buffer with data to verify, the first rrsig part and the * canonicalized rrset. * @param algo: DNSKEY algorithm. * @param sigblock: signature rdata field from RRSIG * @param sigblock_len: length of sigblock data. * @param key: public key data from DNSKEY RR. * @param keylen: length of keydata. * @return secure if verification succeeded, bogus on crypto failure, * unchecked on format errors and alloc failures. */ static enum sec_status verify_canonrrset(ldns_buffer* buf, int algo, unsigned char* sigblock, unsigned int sigblock_len, unsigned char* key, unsigned int keylen) { const EVP_MD *digest_type; EVP_MD_CTX ctx; int res; EVP_PKEY *evp_key = EVP_PKEY_new(); if(!evp_key) { log_err("verify: malloc failure in crypto"); return sec_status_unchecked; } if(!setup_key_digest(algo, evp_key, &digest_type, key, keylen, &sigblock, &sigblock_len)) { EVP_PKEY_free(evp_key); return sec_status_bogus; } /* do the signature cryptography work */ EVP_MD_CTX_init(&ctx); EVP_VerifyInit(&ctx, digest_type); EVP_VerifyUpdate(&ctx, (unsigned char*)ldns_buffer_begin(buf), (unsigned int)ldns_buffer_limit(buf)); res = EVP_VerifyFinal(&ctx, sigblock, sigblock_len, evp_key); EVP_MD_CTX_cleanup(&ctx); EVP_PKEY_free(evp_key); desetup_key_digest(algo, sigblock); if(res == 1) { return sec_status_secure; } else if(res == 0) { return sec_status_bogus; } log_crypto_error("verify:", ERR_get_error()); return sec_status_unchecked; } enum sec_status dnskey_verify_rrset_sig(struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, size_t dnskey_idx, size_t sig_idx) { uint8_t* sig; /* RRSIG rdata */ size_t siglen; size_t rrnum = rrset_get_count(rrset); uint8_t* signer; /* rrsig signer name */ size_t signer_len; unsigned char* sigblock; /* signature rdata field */ unsigned int sigblock_len; uint16_t ktag; /* DNSKEY key tag */ unsigned char* key; /* public key rdata field */ unsigned int keylen; rrset_get_rdata(rrset, rrnum + sig_idx, &sig, &siglen); /* min length of rdatalen, fixed rrsig, root signer, 1 byte sig */ if(siglen < 2+20) { verbose(VERB_ALGO, "verify: signature too short"); return sec_status_bogus; } if(!(dnskey_get_flags(dnskey, dnskey_idx) & DNSKEY_BIT_ZSK)) { verbose(VERB_ALGO, "verify: dnskey without ZSK flag"); return sec_status_bogus; /* signer name invalid */ } /* verify as many fields in rrsig as possible */ signer = sig+2+18; signer_len = dname_valid(signer, siglen-2-18); if(!signer_len) { verbose(VERB_ALGO, "verify: malformed signer name"); return sec_status_bogus; /* signer name invalid */ } sigblock = (unsigned char*)signer+signer_len; if(siglen < 2+18+signer_len+1) { verbose(VERB_ALGO, "verify: too short, no signature data"); return sec_status_bogus; /* sig rdf is < 1 byte */ } sigblock_len = (unsigned int)(siglen - 2 - 18 - signer_len); /* verify key dname == sig signer name */ if(query_dname_compare(signer, dnskey->rk.dname) != 0) { verbose(VERB_ALGO, "verify: wrong key for rrsig"); return sec_status_bogus; } /* verify covered type */ /* memcmp works because type is in network format for rrset */ if(memcmp(sig+2, &rrset->rk.type, 2) != 0) { verbose(VERB_ALGO, "verify: wrong type covered"); return sec_status_bogus; } /* verify keytag and sig algo (possibly again) */ if((int)sig[2+2] != dnskey_get_algo(dnskey, dnskey_idx)) { verbose(VERB_ALGO, "verify: wrong algorithm"); return sec_status_bogus; } ktag = htons(dnskey_calc_keytag(dnskey, dnskey_idx)); if(memcmp(sig+2+16, &ktag, 2) != 0) { verbose(VERB_ALGO, "verify: wrong keytag"); return sec_status_bogus; } /* verify labels is in a valid range */ if((int)sig[2+3] > dname_signame_label_count(rrset->rk.dname)) { verbose(VERB_ALGO, "verify: labelcount out of range"); return sec_status_bogus; } /* original ttl, always ok */ /* verify inception, expiration dates */ if(!check_dates(ve, sig+2+8, sig+2+12)) { return sec_status_bogus; } /* create rrset canonical format in buffer, ready for signature */ if(!rrset_canonical(env->scratch, env->scratch_buffer, rrset, sig+2, 18 + signer_len)) { log_err("verify: failed due to alloc error"); return sec_status_unchecked; } /* check that dnskey is available */ dnskey_get_pubkey(dnskey, dnskey_idx, &key, &keylen); if(!key) { verbose(VERB_ALGO, "verify: short DNSKEY RR"); return sec_status_unchecked; } /* verify */ return verify_canonrrset(env->scratch_buffer, (int)sig[2+2], sigblock, sigblock_len, key, keylen); }