dnssec.c revision 499b34cea04a46823d003d4c0520c8b03e8513cb
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉/*
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews * Copyright (C) 1999-2001 Internet Software Consortium.
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 *
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews * Permission to use, copy, modify, and distribute this software for any
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews * purpose with or without fee is hereby granted, provided that the above
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews * copyright notice and this permission notice appear in all copies.
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 *
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
d7201de09b85929a86b157f4b2d91667c68c6b52Automatic Updater * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
9eae5f2a7a189353bd4fcbb939c2b61094b3bfe9Tatuya JINMEI 神明達哉 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
9eae5f2a7a189353bd4fcbb939c2b61094b3bfe9Tatuya JINMEI 神明達哉 * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 */
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉/*
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 * $Id: dnssec.c,v 1.59 2001/01/09 21:50:49 bwelling Exp $
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 */
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉#include <config.h>
db93c0def5c3e1e0ea40c7596482ad3fca4ed03bMukund Sivaraman
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉#include <stdlib.h>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉#include <isc/buffer.h>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉#include <isc/mem.h>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉#include <isc/string.h>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉#include <isc/util.h>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉#include <dns/db.h>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉#include <dns/dnssec.h>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉#include <dns/fixedname.h>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉#include <dns/keyvalues.h>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉#include <dns/message.h>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉#include <dns/rdata.h>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉#include <dns/rdatalist.h>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉#include <dns/rdataset.h>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉#include <dns/rdatastruct.h>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉#include <dns/result.h>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉#include <dns/tsig.h> /* for DNS_TSIG_FUDGE */
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉#include <dst/result.h>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉#define is_response(msg) (msg->flags & DNS_MESSAGEFLAG_QR)
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉#define RETERR(x) do { \
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 result = (x); \
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 if (result != ISC_R_SUCCESS) \
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 goto failure; \
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 } while (0)
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt#define TYPE_SIGN 0
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉#define TYPE_VERIFY 1
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉static isc_result_t
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉digest_callback(void *arg, isc_region_t *data);
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉static int
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉rdata_compare_wrapper(const void *rdata1, const void *rdata2);
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉static isc_result_t
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉rdataset_to_sortedarray(dns_rdataset_t *set, isc_mem_t *mctx,
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 dns_rdata_t **rdata, int *nrdata);
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉static isc_result_t
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉digest_callback(void *arg, isc_region_t *data) {
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt dst_context_t *ctx = arg;
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt return (dst_context_adddata(ctx, data));
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt}
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉/*
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 * Make qsort happy.
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 */
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉static int
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉rdata_compare_wrapper(const void *rdata1, const void *rdata2) {
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 return (dns_rdata_compare((const dns_rdata_t *)rdata1,
d7201de09b85929a86b157f4b2d91667c68c6b52Automatic Updater (const dns_rdata_t *)rdata2));
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt}
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt/*
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 * Sort the rdataset into an array.
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 */
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉static isc_result_t
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉rdataset_to_sortedarray(dns_rdataset_t *set, isc_mem_t *mctx,
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 dns_rdata_t **rdata, int *nrdata)
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉{
d7201de09b85929a86b157f4b2d91667c68c6b52Automatic Updater isc_result_t ret;
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt int i = 0, n;
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt dns_rdata_t *data;
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 n = dns_rdataset_count(set);
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 data = isc_mem_get(mctx, n * sizeof(dns_rdata_t));
62f016d5d301713c72a59e83d3ab41170a77f674Mark Andrews if (data == NULL)
62f016d5d301713c72a59e83d3ab41170a77f674Mark Andrews return (ISC_R_NOMEMORY);
62f016d5d301713c72a59e83d3ab41170a77f674Mark Andrews
ee53fcb61cfc8c54125bcd9da8adfa89974dc948Tinderbox User ret = dns_rdataset_first(set);
62f016d5d301713c72a59e83d3ab41170a77f674Mark Andrews if (ret != ISC_R_SUCCESS) {
62f016d5d301713c72a59e83d3ab41170a77f674Mark Andrews isc_mem_put(mctx, data, n * sizeof(dns_rdata_t));
62f016d5d301713c72a59e83d3ab41170a77f674Mark Andrews return (ret);
62f016d5d301713c72a59e83d3ab41170a77f674Mark Andrews }
62f016d5d301713c72a59e83d3ab41170a77f674Mark Andrews
62f016d5d301713c72a59e83d3ab41170a77f674Mark Andrews /*
62f016d5d301713c72a59e83d3ab41170a77f674Mark Andrews * Put them in the array.
62f016d5d301713c72a59e83d3ab41170a77f674Mark Andrews */
62f016d5d301713c72a59e83d3ab41170a77f674Mark Andrews do {
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 dns_rdata_init(&data[i]);
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 dns_rdataset_current(set, &data[i++]);
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 } while (dns_rdataset_next(set) == ISC_R_SUCCESS);
d7201de09b85929a86b157f4b2d91667c68c6b52Automatic Updater
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt /*
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt * Sort the array.
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt */
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 qsort(data, n, sizeof(dns_rdata_t), rdata_compare_wrapper);
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 *rdata = data;
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 *nrdata = n;
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 return (ISC_R_SUCCESS);
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉}
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉isc_result_t
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Huntdns_dnssec_keyfromrdata(dns_name_t *name, dns_rdata_t *rdata, isc_mem_t *mctx,
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt dst_key_t **key)
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt{
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 isc_buffer_t b;
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 isc_region_t r;
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 INSIST(name != NULL);
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 INSIST(rdata != NULL);
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 INSIST(mctx != NULL);
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 INSIST(key != NULL);
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt INSIST(*key == NULL);
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt dns_rdata_toregion(rdata, &r);
965b6e2a1baeb464db049134334321782052dde3Tatuya JINMEI 神明達哉 isc_buffer_init(&b, r.base, r.length);
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 isc_buffer_add(&b, r.length);
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 return (dst_key_fromdns(name, rdata->rdclass, &b, mctx, key));
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉}
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉isc_result_t
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 isc_stdtime_t *inception, isc_stdtime_t *expire,
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt isc_mem_t *mctx, isc_buffer_t *buffer, dns_rdata_t *sigrdata)
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt{
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt dns_rdata_sig_t sig;
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 dns_rdata_t *rdatas;
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 int nrdatas, i;
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 isc_buffer_t b, sigbuf, envbuf;
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 isc_region_t r;
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 dst_context_t *ctx = NULL;
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 isc_result_t ret;
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 unsigned char data[300];
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 isc_uint32_t flags;
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt unsigned int sigsize;
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt REQUIRE(name != NULL);
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 REQUIRE(dns_name_depth(name) <= 255);
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 REQUIRE(set != NULL);
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 REQUIRE(key != NULL);
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 REQUIRE(inception != NULL);
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 REQUIRE(expire != NULL);
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 REQUIRE(mctx != NULL);
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 REQUIRE(sigrdata != NULL);
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt if (*inception >= *expire)
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt return (DNS_R_INVALIDTIME);
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 /*
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 * Is the key allowed to sign data?
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt */
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt flags = dst_key_flags(key);
b454c0319685041db3f3e8fd7671e1b364fd20c5Evan Hunt if (flags & DNS_KEYTYPE_NOAUTH)
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt return (DNS_R_KEYUNAUTHORIZED);
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt if ((flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt return (DNS_R_KEYUNAUTHORIZED);
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt sig.mctx = mctx;
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt sig.common.rdclass = set->rdclass;
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt sig.common.rdtype = dns_rdatatype_sig;
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt ISC_LINK_INIT(&sig.common, link);
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt dns_name_init(&sig.signer, NULL);
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt dns_name_clone(dst_key_name(key), &sig.signer);
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt sig.covered = set->type;
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt sig.algorithm = dst_key_alg(key);
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt sig.labels = dns_name_depth(name) - 1;
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt if (dns_name_iswildcard(name))
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt sig.labels--;
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt sig.originalttl = set->ttl;
db93c0def5c3e1e0ea40c7596482ad3fca4ed03bMukund Sivaraman sig.timesigned = *inception;
db93c0def5c3e1e0ea40c7596482ad3fca4ed03bMukund Sivaraman sig.timeexpire = *expire;
db93c0def5c3e1e0ea40c7596482ad3fca4ed03bMukund Sivaraman sig.keyid = dst_key_id(key);
db93c0def5c3e1e0ea40c7596482ad3fca4ed03bMukund Sivaraman ret = dst_key_sigsize(key, &sigsize);
db93c0def5c3e1e0ea40c7596482ad3fca4ed03bMukund Sivaraman if (ret != ISC_R_SUCCESS)
db93c0def5c3e1e0ea40c7596482ad3fca4ed03bMukund Sivaraman return (ret);
db93c0def5c3e1e0ea40c7596482ad3fca4ed03bMukund Sivaraman sig.siglen = sigsize;
db93c0def5c3e1e0ea40c7596482ad3fca4ed03bMukund Sivaraman sig.signature = isc_mem_get(mctx, sig.siglen);
db93c0def5c3e1e0ea40c7596482ad3fca4ed03bMukund Sivaraman if (sig.signature == NULL)
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt return (ISC_R_NOMEMORY);
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt isc_buffer_init(&b, data, sizeof(data));
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt ret = dns_rdata_fromstruct(NULL, sig.common.rdclass,
db93c0def5c3e1e0ea40c7596482ad3fca4ed03bMukund Sivaraman sig.common.rdtype, &sig, &b);
db93c0def5c3e1e0ea40c7596482ad3fca4ed03bMukund Sivaraman if (ret != ISC_R_SUCCESS)
c10fda07d68c04221c2d552dc71a2de1352074cbTinderbox User goto cleanup_signature;
db93c0def5c3e1e0ea40c7596482ad3fca4ed03bMukund Sivaraman
db93c0def5c3e1e0ea40c7596482ad3fca4ed03bMukund Sivaraman isc_buffer_usedregion(&b, &r);
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt
b454c0319685041db3f3e8fd7671e1b364fd20c5Evan Hunt ret = dst_context_create(key, mctx, &ctx);
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt if (ret != ISC_R_SUCCESS)
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt goto cleanup_signature;
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt /*
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt * Digest the SIG rdata.
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt */
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt INSIST(r.length >= sig.siglen);
b454c0319685041db3f3e8fd7671e1b364fd20c5Evan Hunt r.length -= sig.siglen;
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt ret = dst_context_adddata(ctx, &r);
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt if (ret != ISC_R_SUCCESS)
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt goto cleanup_context;
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt dns_name_toregion(name, &r);
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt /*
b454c0319685041db3f3e8fd7671e1b364fd20c5Evan Hunt * Create an envelope for each rdata: <name|type|class|ttl>.
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt */
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt isc_buffer_init(&envbuf, data, sizeof(data));
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt memcpy(data, r.base, r.length);
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt isc_buffer_add(&envbuf, r.length);
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt isc_buffer_putuint16(&envbuf, set->type);
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt isc_buffer_putuint16(&envbuf, set->rdclass);
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt isc_buffer_putuint32(&envbuf, set->ttl);
b454c0319685041db3f3e8fd7671e1b364fd20c5Evan Hunt
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt ret = rdataset_to_sortedarray(set, mctx, &rdatas, &nrdatas);
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt if (ret != ISC_R_SUCCESS)
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt goto cleanup_context;
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt isc_buffer_usedregion(&envbuf, &r);
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt for (i = 0; i < nrdatas; i++) {
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt isc_uint16_t len;
b454c0319685041db3f3e8fd7671e1b364fd20c5Evan Hunt isc_buffer_t lenbuf;
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt isc_region_t lenr;
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt /*
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt * Digest the envelope.
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt */
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_array;
/*
* Digest the length of the rdata.
*/
isc_buffer_init(&lenbuf, &len, sizeof(len));
INSIST(rdatas[i].length < 65536);
isc_buffer_putuint16(&lenbuf, (isc_uint16_t)rdatas[i].length);
isc_buffer_usedregion(&lenbuf, &lenr);
ret = dst_context_adddata(ctx, &lenr);
if (ret != ISC_R_SUCCESS)
goto cleanup_array;
/*
* Digest the rdata.
*/
ret = dns_rdata_digest(&rdatas[i], digest_callback, ctx);
if (ret != ISC_R_SUCCESS)
goto cleanup_array;
}
isc_buffer_init(&sigbuf, sig.signature, sig.siglen);
ret = dst_context_sign(ctx, &sigbuf);
if (ret != ISC_R_SUCCESS)
goto cleanup_array;
isc_buffer_usedregion(&sigbuf, &r);
if (r.length != sig.siglen) {
ret = ISC_R_NOSPACE;
goto cleanup_array;
}
memcpy(sig.signature, r.base, sig.siglen);
ret = dns_rdata_fromstruct(sigrdata, sig.common.rdclass,
sig.common.rdtype, &sig, buffer);
cleanup_array:
isc_mem_put(mctx, rdatas, nrdatas * sizeof(dns_rdata_t));
cleanup_context:
dst_context_destroy(&ctx);
cleanup_signature:
isc_mem_put(mctx, sig.signature, sig.siglen);
return (ret);
}
isc_result_t
dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
isc_boolean_t ignoretime, isc_mem_t *mctx,
dns_rdata_t *sigrdata)
{
dns_rdata_sig_t sig;
dns_fixedname_t fnewname;
isc_region_t r;
isc_buffer_t envbuf;
dns_rdata_t *rdatas;
int nrdatas, i;
isc_stdtime_t now;
isc_result_t ret;
unsigned char data[300];
dst_context_t *ctx = NULL;
int labels;
isc_uint32_t flags;
REQUIRE(name != NULL);
REQUIRE(set != NULL);
REQUIRE(key != NULL);
REQUIRE(mctx != NULL);
REQUIRE(sigrdata != NULL && sigrdata->type == dns_rdatatype_sig);
ret = dns_rdata_tostruct(sigrdata, &sig, NULL);
if (ret != ISC_R_SUCCESS)
return (ret);
if (!ignoretime) {
isc_stdtime_get(&now);
/*
* Is SIG temporally valid?
*/
if (sig.timesigned > now)
return (DNS_R_SIGFUTURE);
else if (sig.timeexpire < now)
return (DNS_R_SIGEXPIRED);
}
/*
* Is the key allowed to sign data?
*/
flags = dst_key_flags(key);
if (flags & DNS_KEYTYPE_NOAUTH)
return (DNS_R_KEYUNAUTHORIZED);
if ((flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
return (DNS_R_KEYUNAUTHORIZED);
/*
* Digest the SIG rdata (not including the signature).
*/
dns_rdata_toregion(sigrdata, &r);
INSIST(r.length >= sig.siglen);
r.length -= sig.siglen;
RUNTIME_CHECK(r.length >= 19);
ret = dst_context_create(key, mctx, &ctx);
if (ret != ISC_R_SUCCESS)
goto cleanup_struct;
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_struct;
/*
* If the name is an expanded wildcard, use the wildcard name.
*/
labels = dns_name_depth(name) - 1;
if (labels - sig.labels > 0) {
dns_fixedname_init(&fnewname);
dns_name_splitatdepth(name, sig.labels + 1, NULL,
dns_fixedname_name(&fnewname));
dns_name_toregion(dns_fixedname_name(&fnewname), &r);
}
else
dns_name_toregion(name, &r);
/*
* Create an envelope for each rdata: <name|type|class|ttl>.
*/
isc_buffer_init(&envbuf, data, sizeof(data));
if (labels - sig.labels > 0) {
isc_buffer_putuint8(&envbuf, 1);
isc_buffer_putuint8(&envbuf, '*');
memcpy(data + 2, r.base, r.length);
}
else
memcpy(data, r.base, r.length);
isc_buffer_add(&envbuf, r.length);
isc_buffer_putuint16(&envbuf, set->type);
isc_buffer_putuint16(&envbuf, set->rdclass);
isc_buffer_putuint32(&envbuf, sig.originalttl);
ret = rdataset_to_sortedarray(set, mctx, &rdatas, &nrdatas);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
isc_buffer_usedregion(&envbuf, &r);
for (i = 0; i < nrdatas; i++) {
isc_uint16_t len;
isc_buffer_t lenbuf;
isc_region_t lenr;
/*
* Digest the envelope.
*/
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_array;
/*
* Digest the rdata length.
*/
isc_buffer_init(&lenbuf, &len, sizeof(len));
INSIST(rdatas[i].length < 65536);
isc_buffer_putuint16(&lenbuf, (isc_uint16_t)rdatas[i].length);
isc_buffer_usedregion(&lenbuf, &lenr);
/*
* Digest the rdata.
*/
ret = dst_context_adddata(ctx, &lenr);
if (ret != ISC_R_SUCCESS)
goto cleanup_array;
ret = dns_rdata_digest(&rdatas[i], digest_callback, ctx);
if (ret != ISC_R_SUCCESS)
goto cleanup_array;
}
r.base = sig.signature;
r.length = sig.siglen;
ret = dst_context_verify(ctx, &r);
if (ret == DST_R_VERIFYFAILURE)
ret = DNS_R_SIGINVALID;
cleanup_array:
isc_mem_put(mctx, rdatas, nrdatas * sizeof(dns_rdata_t));
cleanup_context:
dst_context_destroy(&ctx);
cleanup_struct:
dns_rdata_freestruct(&sig);
return (ret);
}
#define is_zone_key(key) ((dst_key_flags(key) & DNS_KEYFLAG_OWNERMASK) \
== DNS_KEYOWNER_ZONE)
isc_result_t
dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
dns_dbnode_t *node, dns_name_t *name, isc_mem_t *mctx,
unsigned int maxkeys, dst_key_t **keys,
unsigned int *nkeys)
{
dns_rdataset_t rdataset;
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_result_t result;
dst_key_t *pubkey = NULL;
unsigned int count = 0;
*nkeys = 0;
dns_rdataset_init(&rdataset);
RETERR(dns_db_findrdataset(db, node, ver, dns_rdatatype_key, 0, 0,
&rdataset, NULL));
RETERR(dns_rdataset_first(&rdataset));
while (result == ISC_R_SUCCESS && count < maxkeys) {
pubkey = NULL;
dns_rdataset_current(&rdataset, &rdata);
RETERR(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey));
if (!is_zone_key(pubkey))
goto next;
keys[count] = NULL;
result = dst_key_fromfile(dst_key_name(pubkey),
dst_key_id(pubkey),
dst_key_alg(pubkey),
DST_TYPE_PRIVATE,
NULL,
mctx, &keys[count]);
if (result == DST_R_INVALIDPRIVATEKEY)
goto next;
if (result != ISC_R_SUCCESS)
goto failure;
if ((dst_key_flags(keys[count]) & DNS_KEYTYPE_NOAUTH) != 0) {
dst_key_free(&keys[count]);
goto next;
}
count++;
next:
dst_key_free(&pubkey);
dns_rdata_reset(&rdata);
result = dns_rdataset_next(&rdataset);
}
if (result != ISC_R_NOMORE)
goto failure;
if (count == 0)
result = ISC_R_NOTFOUND;
else
result = ISC_R_SUCCESS;
failure:
if (dns_rdataset_isassociated(&rdataset))
dns_rdataset_disassociate(&rdataset);
if (pubkey != NULL)
dst_key_free(&pubkey);
*nkeys = count;
return (result);
}
isc_result_t
dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
dns_rdata_sig_t sig;
unsigned char data[512];
unsigned char header[DNS_MESSAGE_HEADERLEN];
isc_buffer_t headerbuf, databuf, sigbuf;
unsigned int sigsize;
isc_buffer_t *dynbuf;
dns_rdata_t *rdata;
dns_rdatalist_t *datalist;
dns_rdataset_t *dataset;
isc_region_t r;
isc_stdtime_t now;
dst_context_t *ctx = NULL;
isc_mem_t *mctx;
isc_result_t result;
isc_boolean_t signeedsfree = ISC_TRUE;
REQUIRE(msg != NULL);
REQUIRE(key != NULL);
if (is_response(msg))
REQUIRE(msg->query.base != NULL);
mctx = msg->mctx;
memset(&sig, 0, sizeof(dns_rdata_sig_t));
sig.mctx = mctx;
sig.common.rdclass = dns_rdataclass_any;
sig.common.rdtype = dns_rdatatype_sig;
ISC_LINK_INIT(&sig.common, link);
sig.covered = 0;
sig.algorithm = dst_key_alg(key);
sig.labels = 0; /* the root name */
sig.originalttl = 0;
isc_stdtime_get(&now);
sig.timesigned = now - DNS_TSIG_FUDGE;
sig.timeexpire = now + DNS_TSIG_FUDGE;
sig.keyid = dst_key_id(key);
dns_name_init(&sig.signer, NULL);
dns_name_clone(dst_key_name(key), &sig.signer);
sig.siglen = 0;
sig.signature = NULL;
isc_buffer_init(&databuf, data, sizeof(data));
RETERR(dst_context_create(key, mctx, &ctx));
/*
* Digest the fields of the SIG - we can cheat and use
* dns_rdata_fromstruct. Since siglen is 0, the digested data
* is identical to dns format.
*/
RETERR(dns_rdata_fromstruct(NULL, dns_rdataclass_any,
dns_rdatatype_sig, &sig, &databuf));
isc_buffer_usedregion(&databuf, &r);
RETERR(dst_context_adddata(ctx, &r));
/*
* If this is a response, digest the query.
*/
if (is_response(msg))
RETERR(dst_context_adddata(ctx, &msg->query));
/*
* Digest the header.
*/
isc_buffer_init(&headerbuf, header, sizeof(header));
dns_message_renderheader(msg, &headerbuf);
isc_buffer_usedregion(&headerbuf, &r);
RETERR(dst_context_adddata(ctx, &r));
/*
* Digest the remainder of the message.
*/
isc_buffer_usedregion(msg->buffer, &r);
isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
RETERR(dst_context_adddata(ctx, &r));
RETERR(dst_key_sigsize(key, &sigsize));
sig.siglen = sigsize;
sig.signature = (unsigned char *) isc_mem_get(mctx, sig.siglen);
if (sig.signature == NULL) {
result = ISC_R_NOMEMORY;
goto failure;
}
isc_buffer_init(&sigbuf, sig.signature, sig.siglen);
RETERR(dst_context_sign(ctx, &sigbuf));
dst_context_destroy(&ctx);
rdata = NULL;
RETERR(dns_message_gettemprdata(msg, &rdata));
dynbuf = NULL;
RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 1024));
RETERR(dns_rdata_fromstruct(rdata, dns_rdataclass_any,
dns_rdatatype_sig, &sig, dynbuf));
isc_mem_put(mctx, sig.signature, sig.siglen);
signeedsfree = ISC_FALSE;
dns_message_takebuffer(msg, &dynbuf);
datalist = NULL;
RETERR(dns_message_gettemprdatalist(msg, &datalist));
datalist->rdclass = dns_rdataclass_any;
datalist->type = dns_rdatatype_sig;
datalist->covers = 0;
datalist->ttl = 0;
ISC_LIST_INIT(datalist->rdata);
ISC_LIST_APPEND(datalist->rdata, rdata, link);
dataset = NULL;
RETERR(dns_message_gettemprdataset(msg, &dataset));
dns_rdataset_init(dataset);
dns_rdatalist_tordataset(datalist, dataset);
msg->sig0 = dataset;
return (ISC_R_SUCCESS);
failure:
if (dynbuf != NULL)
isc_buffer_free(&dynbuf);
if (signeedsfree)
isc_mem_put(mctx, sig.signature, sig.siglen);
if (ctx != NULL)
dst_context_destroy(&ctx);
return (result);
}
isc_result_t
dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
dst_key_t *key)
{
dns_rdata_sig_t sig;
unsigned char header[DNS_MESSAGE_HEADERLEN];
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_region_t r, source_r, sig_r, header_r;
isc_stdtime_t now;
dst_context_t *ctx = NULL;
isc_mem_t *mctx;
isc_result_t result;
isc_uint16_t addcount;
isc_boolean_t signeedsfree = ISC_FALSE;
REQUIRE(source != NULL);
REQUIRE(msg != NULL);
REQUIRE(key != NULL);
if (is_response(msg))
REQUIRE(msg->query.base != NULL);
mctx = msg->mctx;
msg->verify_attempted = 1;
isc_buffer_usedregion(source, &source_r);
RETERR(dns_rdataset_first(msg->sig0));
dns_rdataset_current(msg->sig0, &rdata);
RETERR(dns_rdata_tostruct(&rdata, &sig, NULL));
signeedsfree = ISC_TRUE;
if (sig.labels != 0) {
result = DNS_R_SIGINVALID;
goto failure;
}
isc_stdtime_get(&now);
if (sig.timesigned > now) {
result = DNS_R_SIGFUTURE;
msg->sig0status = dns_tsigerror_badtime;
goto failure;
}
else if (sig.timeexpire < now) {
result = DNS_R_SIGEXPIRED;
msg->sig0status = dns_tsigerror_badtime;
goto failure;
}
if (!dns_name_equal(dst_key_name(key), &sig.signer)) {
result = DNS_R_SIGINVALID;
msg->sig0status = dns_tsigerror_badkey;
goto failure;
}
RETERR(dst_context_create(key, mctx, &ctx));
/*
* Digest the SIG(0) record, except for the signature.
*/
dns_rdata_toregion(&rdata, &r);
r.length -= sig.siglen;
RETERR(dst_context_adddata(ctx, &r));
/*
* If this is a response, digest the query.
*/
if (is_response(msg))
RETERR(dst_context_adddata(ctx, &msg->query));
/*
* Extract the header.
*/
memcpy(header, source_r.base, DNS_MESSAGE_HEADERLEN);
/*
* Decrement the additional field counter.
*/
memcpy(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
addcount = htons(ntohs(addcount) - 1);
memcpy(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
/*
* Digest the modified header.
*/
header_r.base = (unsigned char *) header;
header_r.length = DNS_MESSAGE_HEADERLEN;
RETERR(dst_context_adddata(ctx, &header_r));
/*
* Digest all non-SIG(0) records.
*/
r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
RETERR(dst_context_adddata(ctx, &r));
sig_r.base = sig.signature;
sig_r.length = sig.siglen;
result = dst_context_verify(ctx, &sig_r);
if (result != ISC_R_SUCCESS) {
msg->sig0status = dns_tsigerror_badsig;
goto failure;
}
msg->verified_sig = 1;
dst_context_destroy(&ctx);
dns_rdata_freestruct(&sig);
return (ISC_R_SUCCESS);
failure:
if (signeedsfree)
dns_rdata_freestruct(&sig);
if (ctx != NULL)
dst_context_destroy(&ctx);
return (result);
}
isc_boolean_t
dns_dnssec_iszonekey(dns_rdata_t *keyrdata) {
isc_result_t result;
dns_rdata_key_t key;
isc_boolean_t iszonekey = ISC_TRUE;
REQUIRE(keyrdata != NULL);
result = dns_rdata_tostruct(keyrdata, &key, NULL);
if (result != ISC_R_SUCCESS)
return (ISC_FALSE);
if ((key.flags & DNS_KEYTYPE_NOAUTH) != 0)
iszonekey = ISC_FALSE;
if ((key.flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
iszonekey = ISC_FALSE;
if (key.protocol != DNS_KEYPROTO_DNSSEC &&
key.protocol != DNS_KEYPROTO_ANY)
iszonekey = ISC_FALSE;
return (iszonekey);
}