dnssec.c revision d312bc5d81cff8fc156b62c970334b52227ee854
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt/*
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
6bb1560124ce99fe50b9847ce29fcaed52564900Automatic Updater * Copyright (C) 1999-2003 Internet Software Consortium.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt *
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * Permission to use, copy, modify, and/or distribute this software for any
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * purpose with or without fee is hereby granted, provided that the above
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * copyright notice and this permission notice appear in all copies.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt *
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * PERFORMANCE OF THIS SOFTWARE.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt */
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt/*
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * $Id: dnssec.c,v 1.114 2009/11/24 03:42:32 each Exp $
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt */
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt/*! \file */
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt#include <config.h>
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt#include <stdlib.h>
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt#include <isc/buffer.h>
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews#include <isc/dir.h>
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews#include <isc/mem.h>
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews#include <isc/serial.h>
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews#include <isc/string.h>
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews#include <isc/util.h>
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews#include <dns/db.h>
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews#include <dns/diff.h>
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews#include <dns/dnssec.h>
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews#include <dns/fixedname.h>
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews#include <dns/keyvalues.h>
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews#include <dns/message.h>
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews#include <dns/rdata.h>
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews#include <dns/rdatalist.h>
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews#include <dns/rdataset.h>
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews#include <dns/rdatastruct.h>
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews#include <dns/result.h>
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews#include <dns/tsig.h> /* for DNS_TSIG_FUDGE */
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews#include <dst/result.h>
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews#define is_response(msg) (msg->flags & DNS_MESSAGEFLAG_QR)
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews#define RETERR(x) do { \
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews result = (x); \
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews if (result != ISC_R_SUCCESS) \
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt goto failure; \
e24ccb512c110d181e01f977196e518b0e72e451Mark Andrews } while (0)
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt#define TYPE_SIGN 0
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt#define TYPE_VERIFY 1
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntstatic isc_result_t
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntdigest_callback(void *arg, isc_region_t *data);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntstatic int
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntrdata_compare_wrapper(const void *rdata1, const void *rdata2);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntstatic isc_result_t
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntrdataset_to_sortedarray(dns_rdataset_t *set, isc_mem_t *mctx,
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt dns_rdata_t **rdata, int *nrdata);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntstatic isc_result_t
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntdigest_callback(void *arg, isc_region_t *data) {
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt dst_context_t *ctx = arg;
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt return (dst_context_adddata(ctx, data));
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt}
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt/*
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * Make qsort happy.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt */
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntstatic int
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntrdata_compare_wrapper(const void *rdata1, const void *rdata2) {
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt return (dns_rdata_compare((const dns_rdata_t *)rdata1,
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt (const dns_rdata_t *)rdata2));
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt}
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt/*
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * Sort the rdataset into an array.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt */
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntstatic isc_result_t
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntrdataset_to_sortedarray(dns_rdataset_t *set, isc_mem_t *mctx,
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dns_rdata_t **rdata, int *nrdata)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt{
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_result_t ret;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt int i = 0, n;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dns_rdata_t *data;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dns_rdataset_t rdataset;
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt n = dns_rdataset_count(set);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt data = isc_mem_get(mctx, n * sizeof(dns_rdata_t));
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt if (data == NULL)
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt return (ISC_R_NOMEMORY);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt dns_rdataset_init(&rdataset);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt dns_rdataset_clone(set, &rdataset);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt ret = dns_rdataset_first(&rdataset);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt if (ret != ISC_R_SUCCESS) {
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt dns_rdataset_disassociate(&rdataset);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt isc_mem_put(mctx, data, n * sizeof(dns_rdata_t));
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt return (ret);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt }
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt /*
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt * Put them in the array.
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt */
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt do {
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt dns_rdata_init(&data[i]);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dns_rdataset_current(&rdataset, &data[i++]);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt } while (dns_rdataset_next(&rdataset) == ISC_R_SUCCESS);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt /*
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * Sort the array.
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt */
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt qsort(data, n, sizeof(dns_rdata_t), rdata_compare_wrapper);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt *rdata = data;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt *nrdata = n;
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt dns_rdataset_disassociate(&rdataset);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt return (ISC_R_SUCCESS);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt}
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntisc_result_t
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntdns_dnssec_keyfromrdata(dns_name_t *name, dns_rdata_t *rdata, isc_mem_t *mctx,
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt dst_key_t **key)
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt{
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt isc_buffer_t b;
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt isc_region_t r;
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt INSIST(name != NULL);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt INSIST(rdata != NULL);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt INSIST(mctx != NULL);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt INSIST(key != NULL);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt INSIST(*key == NULL);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt REQUIRE(rdata->type == dns_rdatatype_key ||
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt rdata->type == dns_rdatatype_dnskey);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt dns_rdata_toregion(rdata, &r);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt isc_buffer_init(&b, r.base, r.length);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt isc_buffer_add(&b, r.length);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt return (dst_key_fromdns(name, rdata->rdclass, &b, mctx, key));
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt}
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntstatic isc_result_t
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntdigest_sig(dst_context_t *ctx, dns_rdata_t *sigrdata, dns_rdata_rrsig_t *sig) {
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt isc_region_t r;
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt isc_result_t ret;
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt dns_fixedname_t fname;
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt dns_rdata_toregion(sigrdata, &r);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt INSIST(r.length >= 19);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt r.length = 18;
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt ret = dst_context_adddata(ctx, &r);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt if (ret != ISC_R_SUCCESS)
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt return (ret);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt dns_fixedname_init(&fname);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt RUNTIME_CHECK(dns_name_downcase(&sig->signer,
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt dns_fixedname_name(&fname), NULL)
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt == ISC_R_SUCCESS);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dns_name_toregion(dns_fixedname_name(&fname), &r);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt return (dst_context_adddata(ctx, &r));
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt}
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntisc_result_t
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntdns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_stdtime_t *inception, isc_stdtime_t *expire,
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_mem_t *mctx, isc_buffer_t *buffer, dns_rdata_t *sigrdata)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt{
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dns_rdata_rrsig_t sig;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dns_rdata_t tmpsigrdata;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dns_rdata_t *rdatas;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt int nrdatas, i;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_buffer_t sigbuf, envbuf;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_region_t r;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dst_context_t *ctx = NULL;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_result_t ret;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_buffer_t *databuf = NULL;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt char data[256 + 8];
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_uint32_t flags;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt unsigned int sigsize;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dns_fixedname_t fnewname;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt REQUIRE(name != NULL);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt REQUIRE(dns_name_countlabels(name) <= 255);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt REQUIRE(set != NULL);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt REQUIRE(key != NULL);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt REQUIRE(inception != NULL);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt REQUIRE(expire != NULL);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt REQUIRE(mctx != NULL);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt REQUIRE(sigrdata != NULL);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (*inception >= *expire)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt return (DNS_R_INVALIDTIME);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt /*
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * Is the key allowed to sign data?
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt */
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt flags = dst_key_flags(key);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (flags & DNS_KEYTYPE_NOAUTH)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt return (DNS_R_KEYUNAUTHORIZED);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if ((flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt return (DNS_R_KEYUNAUTHORIZED);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt sig.mctx = mctx;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt sig.common.rdclass = set->rdclass;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt sig.common.rdtype = dns_rdatatype_rrsig;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt ISC_LINK_INIT(&sig.common, link);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dns_name_init(&sig.signer, NULL);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dns_name_clone(dst_key_name(key), &sig.signer);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt sig.covered = set->type;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt sig.algorithm = dst_key_alg(key);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt sig.labels = dns_name_countlabels(name) - 1;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (dns_name_iswildcard(name))
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt sig.labels--;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt sig.originalttl = set->ttl;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt sig.timesigned = *inception;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt sig.timeexpire = *expire;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt sig.keyid = dst_key_id(key);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt ret = dst_key_sigsize(key, &sigsize);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (ret != ISC_R_SUCCESS)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt return (ret);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt sig.siglen = sigsize;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt /*
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * The actual contents of sig.signature are not important yet, since
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * they're not used in digest_sig().
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt */
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt sig.signature = isc_mem_get(mctx, sig.siglen);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (sig.signature == NULL)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt return (ISC_R_NOMEMORY);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt ret = isc_buffer_allocate(mctx, &databuf, sigsize + 256 + 18);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (ret != ISC_R_SUCCESS)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt goto cleanup_signature;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dns_rdata_init(&tmpsigrdata);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt ret = dns_rdata_fromstruct(&tmpsigrdata, sig.common.rdclass,
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt sig.common.rdtype, &sig, databuf);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (ret != ISC_R_SUCCESS)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt goto cleanup_databuf;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt ret = dst_context_create(key, mctx, &ctx);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (ret != ISC_R_SUCCESS)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt goto cleanup_databuf;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt /*
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * Digest the SIG rdata.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt */
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt ret = digest_sig(ctx, &tmpsigrdata, &sig);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (ret != ISC_R_SUCCESS)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt goto cleanup_context;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dns_fixedname_init(&fnewname);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt RUNTIME_CHECK(dns_name_downcase(name, dns_fixedname_name(&fnewname),
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt NULL) == ISC_R_SUCCESS);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dns_name_toregion(dns_fixedname_name(&fnewname), &r);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt /*
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * Create an envelope for each rdata: <name|type|class|ttl>.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt */
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_buffer_init(&envbuf, data, sizeof(data));
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt memcpy(data, r.base, r.length);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_buffer_add(&envbuf, r.length);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_buffer_putuint16(&envbuf, set->type);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_buffer_putuint16(&envbuf, set->rdclass);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_buffer_putuint32(&envbuf, set->ttl);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt ret = rdataset_to_sortedarray(set, mctx, &rdatas, &nrdatas);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (ret != ISC_R_SUCCESS)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt goto cleanup_context;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_buffer_usedregion(&envbuf, &r);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt for (i = 0; i < nrdatas; i++) {
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_uint16_t len;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_buffer_t lenbuf;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_region_t lenr;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt /*
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * Skip duplicates.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt */
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (i > 0 && dns_rdata_compare(&rdatas[i], &rdatas[i-1]) == 0)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt continue;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt /*
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * Digest the envelope.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt */
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt ret = dst_context_adddata(ctx, &r);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (ret != ISC_R_SUCCESS)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt goto cleanup_array;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt /*
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * Digest the length of the rdata.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt */
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_buffer_init(&lenbuf, &len, sizeof(len));
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt INSIST(rdatas[i].length < 65536);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_buffer_putuint16(&lenbuf, (isc_uint16_t)rdatas[i].length);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_buffer_usedregion(&lenbuf, &lenr);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt ret = dst_context_adddata(ctx, &lenr);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (ret != ISC_R_SUCCESS)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt goto cleanup_array;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt /*
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * Digest the rdata.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt */
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt ret = dns_rdata_digest(&rdatas[i], digest_callback, ctx);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (ret != ISC_R_SUCCESS)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt goto cleanup_array;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt }
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_buffer_init(&sigbuf, sig.signature, sig.siglen);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt ret = dst_context_sign(ctx, &sigbuf);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (ret != ISC_R_SUCCESS)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt goto cleanup_array;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_buffer_usedregion(&sigbuf, &r);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (r.length != sig.siglen) {
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt ret = ISC_R_NOSPACE;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt goto cleanup_array;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt }
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt memcpy(sig.signature, r.base, sig.siglen);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt ret = dns_rdata_fromstruct(sigrdata, sig.common.rdclass,
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt sig.common.rdtype, &sig, buffer);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntcleanup_array:
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_mem_put(mctx, rdatas, nrdatas * sizeof(dns_rdata_t));
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntcleanup_context:
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dst_context_destroy(&ctx);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntcleanup_databuf:
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_buffer_free(&databuf);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntcleanup_signature:
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_mem_put(mctx, sig.signature, sig.siglen);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt return (ret);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt}
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntisc_result_t
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntdns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_boolean_t ignoretime, isc_mem_t *mctx,
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dns_rdata_t *sigrdata, dns_name_t *wild)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt{
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dns_rdata_rrsig_t sig;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dns_fixedname_t fnewname;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_region_t r;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_buffer_t envbuf;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dns_rdata_t *rdatas;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt int nrdatas, i;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_stdtime_t now;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_result_t ret;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt unsigned char data[300];
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dst_context_t *ctx = NULL;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt int labels = 0;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_uint32_t flags;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt REQUIRE(name != NULL);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt REQUIRE(set != NULL);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt REQUIRE(key != NULL);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt REQUIRE(mctx != NULL);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt REQUIRE(sigrdata != NULL && sigrdata->type == dns_rdatatype_rrsig);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt ret = dns_rdata_tostruct(sigrdata, &sig, NULL);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (ret != ISC_R_SUCCESS)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt return (ret);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (set->type != sig.covered)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt return (DNS_R_SIGINVALID);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (isc_serial_lt(sig.timeexpire, sig.timesigned))
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt return (DNS_R_SIGINVALID);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (!ignoretime) {
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_stdtime_get(&now);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt /*
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * Is SIG temporally valid?
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt */
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (isc_serial_lt((isc_uint32_t)now, sig.timesigned))
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt return (DNS_R_SIGFUTURE);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt else if (isc_serial_lt(sig.timeexpire, (isc_uint32_t)now))
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt return (DNS_R_SIGEXPIRED);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt }
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt /*
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * NS, SOA and DNSSKEY records are signed by their owner.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * DS records are signed by the parent.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt */
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt switch (set->type) {
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt case dns_rdatatype_ns:
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt case dns_rdatatype_soa:
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt case dns_rdatatype_dnskey:
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (!dns_name_equal(name, &sig.signer))
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt return (DNS_R_SIGINVALID);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt break;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt case dns_rdatatype_ds:
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (dns_name_equal(name, &sig.signer))
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt return (DNS_R_SIGINVALID);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt /* FALLTHROUGH */
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt default:
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (!dns_name_issubdomain(name, &sig.signer))
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt return (DNS_R_SIGINVALID);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt break;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt }
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt /*
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * Is the key allowed to sign data?
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt */
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt flags = dst_key_flags(key);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (flags & DNS_KEYTYPE_NOAUTH)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt return (DNS_R_KEYUNAUTHORIZED);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if ((flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt return (DNS_R_KEYUNAUTHORIZED);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt ret = dst_context_create(key, mctx, &ctx);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (ret != ISC_R_SUCCESS)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt goto cleanup_struct;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt /*
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * Digest the SIG rdata (not including the signature).
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt */
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt ret = digest_sig(ctx, sigrdata, &sig);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (ret != ISC_R_SUCCESS)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt goto cleanup_context;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt /*
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * If the name is an expanded wildcard, use the wildcard name.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt */
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dns_fixedname_init(&fnewname);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt labels = dns_name_countlabels(name) - 1;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt RUNTIME_CHECK(dns_name_downcase(name, dns_fixedname_name(&fnewname),
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt NULL) == ISC_R_SUCCESS);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (labels - sig.labels > 0)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dns_name_split(dns_fixedname_name(&fnewname), sig.labels + 1,
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt NULL, dns_fixedname_name(&fnewname));
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dns_name_toregion(dns_fixedname_name(&fnewname), &r);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt /*
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * Create an envelope for each rdata: <name|type|class|ttl>.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt */
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_buffer_init(&envbuf, data, sizeof(data));
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (labels - sig.labels > 0) {
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_buffer_putuint8(&envbuf, 1);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_buffer_putuint8(&envbuf, '*');
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt memcpy(data + 2, r.base, r.length);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt }
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt else
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt memcpy(data, r.base, r.length);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_buffer_add(&envbuf, r.length);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_buffer_putuint16(&envbuf, set->type);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_buffer_putuint16(&envbuf, set->rdclass);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_buffer_putuint32(&envbuf, sig.originalttl);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt ret = rdataset_to_sortedarray(set, mctx, &rdatas, &nrdatas);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (ret != ISC_R_SUCCESS)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt goto cleanup_context;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_buffer_usedregion(&envbuf, &r);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt for (i = 0; i < nrdatas; i++) {
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_uint16_t len;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_buffer_t lenbuf;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_region_t lenr;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt /*
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * Skip duplicates.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt */
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (i > 0 && dns_rdata_compare(&rdatas[i], &rdatas[i-1]) == 0)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt continue;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt /*
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * Digest the envelope.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt */
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt ret = dst_context_adddata(ctx, &r);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (ret != ISC_R_SUCCESS)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt goto cleanup_array;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt /*
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * Digest the rdata length.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt */
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_buffer_init(&lenbuf, &len, sizeof(len));
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt INSIST(rdatas[i].length < 65536);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_buffer_putuint16(&lenbuf, (isc_uint16_t)rdatas[i].length);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_buffer_usedregion(&lenbuf, &lenr);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt /*
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * Digest the rdata.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt */
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt ret = dst_context_adddata(ctx, &lenr);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (ret != ISC_R_SUCCESS)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt goto cleanup_array;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt ret = dns_rdata_digest(&rdatas[i], digest_callback, ctx);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (ret != ISC_R_SUCCESS)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt goto cleanup_array;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt }
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt r.base = sig.signature;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt r.length = sig.siglen;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt ret = dst_context_verify(ctx, &r);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (ret == DST_R_VERIFYFAILURE)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt ret = DNS_R_SIGINVALID;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntcleanup_array:
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_mem_put(mctx, rdatas, nrdatas * sizeof(dns_rdata_t));
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntcleanup_context:
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dst_context_destroy(&ctx);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntcleanup_struct:
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dns_rdata_freestruct(&sig);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (ret == ISC_R_SUCCESS && labels - sig.labels > 0) {
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (wild != NULL)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt RUNTIME_CHECK(dns_name_concatenate(dns_wildcardname,
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dns_fixedname_name(&fnewname),
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt wild, NULL) == ISC_R_SUCCESS);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt ret = DNS_R_FROMWILDCARD;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt }
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt return (ret);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt}
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntisc_result_t
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntdns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_boolean_t ignoretime, isc_mem_t *mctx,
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dns_rdata_t *sigrdata)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt{
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_result_t result;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt result = dns_dnssec_verify2(name, set, key, ignoretime, mctx,
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt sigrdata, NULL);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (result == DNS_R_FROMWILDCARD)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt result = ISC_R_SUCCESS;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt return (result);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt}
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntstatic isc_boolean_t
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntkey_active(dst_key_t *key) {
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_result_t result;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_stdtime_t now, publish, active, revoke, inactive, delete;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_boolean_t pubset = ISC_FALSE, actset = ISC_FALSE;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_boolean_t revset = ISC_FALSE, inactset = ISC_FALSE;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt isc_boolean_t delset = ISC_FALSE;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt int major, minor;
44f175a90a855326725439b2f1178f0dcca8f67dMark Andrews
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt /* Is this an old-style key? */
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt result = dst_key_getprivateformat(key, &major, &minor);
44f175a90a855326725439b2f1178f0dcca8f67dMark Andrews
44f175a90a855326725439b2f1178f0dcca8f67dMark Andrews /*
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * Smart signing started with key format 1.3; prior to that, all
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt * keys are assumed active
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt */
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (major == 1 && minor <= 2)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt return (ISC_TRUE);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
f766024a27c891a107a1f57013d8a460fb172b19Evan Hunt isc_stdtime_get(&now);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt result = dst_key_gettime(key, DST_TIME_PUBLISH, &publish);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (result == ISC_R_SUCCESS)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt pubset = ISC_TRUE;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt result = dst_key_gettime(key, DST_TIME_ACTIVATE, &active);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (result == ISC_R_SUCCESS)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt actset = ISC_TRUE;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
f766024a27c891a107a1f57013d8a460fb172b19Evan Hunt result = dst_key_gettime(key, DST_TIME_REVOKE, &revoke);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (result == ISC_R_SUCCESS)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt revset = ISC_TRUE;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt result = dst_key_gettime(key, DST_TIME_INACTIVE, &inactive);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (result == ISC_R_SUCCESS)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt inactset = ISC_TRUE;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt result = dst_key_gettime(key, DST_TIME_DELETE, &delete);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (result == ISC_R_SUCCESS)
f766024a27c891a107a1f57013d8a460fb172b19Evan Hunt delset = ISC_TRUE;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if ((inactset && inactive <= now) || (delset && delete <= now))
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt return (ISC_FALSE);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (revset && revoke <= now && pubset && publish <= now)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt return (ISC_TRUE);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt if (actset && active <= now)
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt return (ISC_TRUE);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt return (ISC_FALSE);
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt}
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt#define is_zone_key(key) ((dst_key_flags(key) & DNS_KEYFLAG_OWNERMASK) \
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt == DNS_KEYOWNER_ZONE)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntisc_result_t
f766024a27c891a107a1f57013d8a460fb172b19Evan Huntdns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dns_dbnode_t *node, dns_name_t *name,
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt const char *directory, isc_mem_t *mctx,
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt unsigned int maxkeys, dst_key_t **keys,
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt unsigned int *nkeys)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt{
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dns_rdataset_t rdataset;
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt dns_rdata_t rdata = DNS_RDATA_INIT;
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt isc_result_t result;
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt dst_key_t *pubkey = NULL;
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt unsigned int count = 0;
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt REQUIRE(nkeys != NULL);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt REQUIRE(keys != NULL);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt *nkeys = 0;
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt dns_rdataset_init(&rdataset);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt RETERR(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0,
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt &rdataset, NULL));
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt RETERR(dns_rdataset_first(&rdataset));
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt while (result == ISC_R_SUCCESS && count < maxkeys) {
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt pubkey = NULL;
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt dns_rdataset_current(&rdataset, &rdata);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt RETERR(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey));
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt if (!is_zone_key(pubkey) ||
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt (dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt goto next;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt /* Corrupted .key file? */
f766024a27c891a107a1f57013d8a460fb172b19Evan Hunt if (!dns_name_equal(name, dst_key_name(pubkey)))
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt goto next;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt keys[count] = NULL;
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt result = dst_key_fromfile(dst_key_name(pubkey),
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dst_key_id(pubkey),
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dst_key_alg(pubkey),
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
5ae2eac4c16bdbbef032544bd9fc86f47e7bdc2cMark Andrews directory,
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt mctx, &keys[count]);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt /*
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt * If the key was revoked and the private file
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt * doesn't exist, maybe it was revoked internally
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt * by named. Try loading the unrevoked version.
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt */
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt if (result == ISC_R_FILENOTFOUND) {
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt isc_uint32_t flags;
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt flags = dst_key_flags(pubkey);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt if ((flags & DNS_KEYFLAG_REVOKE) != 0) {
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt dst_key_setflags(pubkey,
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt flags & ~DNS_KEYFLAG_REVOKE);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt result = dst_key_fromfile(dst_key_name(pubkey),
5ae2eac4c16bdbbef032544bd9fc86f47e7bdc2cMark Andrews dst_key_id(pubkey),
5ae2eac4c16bdbbef032544bd9fc86f47e7bdc2cMark Andrews dst_key_alg(pubkey),
5ae2eac4c16bdbbef032544bd9fc86f47e7bdc2cMark Andrews DST_TYPE_PUBLIC|
5ae2eac4c16bdbbef032544bd9fc86f47e7bdc2cMark Andrews DST_TYPE_PRIVATE,
5ae2eac4c16bdbbef032544bd9fc86f47e7bdc2cMark Andrews directory,
5ae2eac4c16bdbbef032544bd9fc86f47e7bdc2cMark Andrews mctx, &keys[count]);
5ae2eac4c16bdbbef032544bd9fc86f47e7bdc2cMark Andrews if (result == ISC_R_SUCCESS &&
5ae2eac4c16bdbbef032544bd9fc86f47e7bdc2cMark Andrews dst_key_pubcompare(pubkey, keys[count],
5ae2eac4c16bdbbef032544bd9fc86f47e7bdc2cMark Andrews ISC_FALSE)) {
5ae2eac4c16bdbbef032544bd9fc86f47e7bdc2cMark Andrews dst_key_setflags(keys[count], flags);
5ae2eac4c16bdbbef032544bd9fc86f47e7bdc2cMark Andrews }
5ae2eac4c16bdbbef032544bd9fc86f47e7bdc2cMark Andrews dst_key_setflags(pubkey, flags);
5ae2eac4c16bdbbef032544bd9fc86f47e7bdc2cMark Andrews }
5ae2eac4c16bdbbef032544bd9fc86f47e7bdc2cMark Andrews }
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt if (result == ISC_R_FILENOTFOUND) {
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt keys[count] = pubkey;
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt pubkey = NULL;
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt count++;
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt goto next;
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt }
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt if (result != ISC_R_SUCCESS)
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt goto failure;
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt /*
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt * If a key is marked inactive, skip it
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt */
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt if (!key_active(keys[count])) {
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt dst_key_free(&keys[count]);
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt keys[count] = pubkey;
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt pubkey = NULL;
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt count++;
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt goto next;
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt }
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt if ((dst_key_flags(keys[count]) & DNS_KEYTYPE_NOAUTH) != 0) {
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt /* We should never get here. */
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt dst_key_free(&keys[count]);
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt goto next;
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt }
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt count++;
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt next:
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt if (pubkey != NULL)
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt dst_key_free(&pubkey);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt dns_rdata_reset(&rdata);
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews result = dns_rdataset_next(&rdataset);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt }
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews if (result != ISC_R_NOMORE)
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews goto failure;
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews if (count == 0)
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews result = ISC_R_NOTFOUND;
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt else
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt result = ISC_R_SUCCESS;
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt failure:
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews if (dns_rdataset_isassociated(&rdataset))
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt dns_rdataset_disassociate(&rdataset);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt if (pubkey != NULL)
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews dst_key_free(&pubkey);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt if (result != ISC_R_SUCCESS)
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews while (count > 0)
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt dst_key_free(&keys[--count]);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt *nkeys = count;
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt return (result);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt}
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntisc_result_t
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Huntdns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt dns_dbnode_t *node, dns_name_t *name, isc_mem_t *mctx,
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt unsigned int maxkeys, dst_key_t **keys,
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt unsigned int *nkeys)
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt{
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt return (dns_dnssec_findzonekeys2(db, ver, node, name, NULL, mctx,
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews maxkeys, keys, nkeys));
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews}
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrewsisc_result_t
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrewsdns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews dns_rdata_sig_t sig; /* SIG(0) */
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews unsigned char data[512];
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews unsigned char header[DNS_MESSAGE_HEADERLEN];
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews isc_buffer_t headerbuf, databuf, sigbuf;
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews unsigned int sigsize;
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews isc_buffer_t *dynbuf = NULL;
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews dns_rdata_t *rdata;
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews dns_rdatalist_t *datalist;
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews dns_rdataset_t *dataset;
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews isc_region_t r;
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews isc_stdtime_t now;
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews dst_context_t *ctx = NULL;
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews isc_mem_t *mctx;
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews isc_result_t result;
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews isc_boolean_t signeedsfree = ISC_TRUE;
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews REQUIRE(msg != NULL);
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews REQUIRE(key != NULL);
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt if (is_response(msg))
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt REQUIRE(msg->query.base != NULL);
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt mctx = msg->mctx;
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt memset(&sig, 0, sizeof(sig));
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt sig.mctx = mctx;
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt sig.common.rdclass = dns_rdataclass_any;
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt sig.common.rdtype = dns_rdatatype_sig; /* SIG(0) */
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt ISC_LINK_INIT(&sig.common, link);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt sig.covered = 0;
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt sig.algorithm = dst_key_alg(key);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt sig.labels = 0; /* the root name */
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt sig.originalttl = 0;
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt isc_stdtime_get(&now);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt sig.timesigned = now - DNS_TSIG_FUDGE;
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt sig.timeexpire = now + DNS_TSIG_FUDGE;
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt sig.keyid = dst_key_id(key);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt dns_name_init(&sig.signer, NULL);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt dns_name_clone(dst_key_name(key), &sig.signer);
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt sig.siglen = 0;
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt sig.signature = NULL;
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt isc_buffer_init(&databuf, data, sizeof(data));
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt RETERR(dst_context_create(key, mctx, &ctx));
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt /*
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt * Digest the fields of the SIG - we can cheat and use
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt * dns_rdata_fromstruct. Since siglen is 0, the digested data
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt * is identical to dns format.
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt */
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt RETERR(dns_rdata_fromstruct(NULL, dns_rdataclass_any,
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt dns_rdatatype_sig /* SIG(0) */,
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt &sig, &databuf));
isc_buffer_usedregion(&databuf, &r);
RETERR(dst_context_adddata(ctx, &r));
/*
* If this is a response, digest the query.
*/
if (is_response(msg))
RETERR(dst_context_adddata(ctx, &msg->query));
/*
* Digest the header.
*/
isc_buffer_init(&headerbuf, header, sizeof(header));
dns_message_renderheader(msg, &headerbuf);
isc_buffer_usedregion(&headerbuf, &r);
RETERR(dst_context_adddata(ctx, &r));
/*
* Digest the remainder of the message.
*/
isc_buffer_usedregion(msg->buffer, &r);
isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
RETERR(dst_context_adddata(ctx, &r));
RETERR(dst_key_sigsize(key, &sigsize));
sig.siglen = sigsize;
sig.signature = (unsigned char *) isc_mem_get(mctx, sig.siglen);
if (sig.signature == NULL) {
result = ISC_R_NOMEMORY;
goto failure;
}
isc_buffer_init(&sigbuf, sig.signature, sig.siglen);
RETERR(dst_context_sign(ctx, &sigbuf));
dst_context_destroy(&ctx);
rdata = NULL;
RETERR(dns_message_gettemprdata(msg, &rdata));
RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 1024));
RETERR(dns_rdata_fromstruct(rdata, dns_rdataclass_any,
dns_rdatatype_sig /* SIG(0) */,
&sig, dynbuf));
isc_mem_put(mctx, sig.signature, sig.siglen);
signeedsfree = ISC_FALSE;
dns_message_takebuffer(msg, &dynbuf);
datalist = NULL;
RETERR(dns_message_gettemprdatalist(msg, &datalist));
datalist->rdclass = dns_rdataclass_any;
datalist->type = dns_rdatatype_sig; /* SIG(0) */
datalist->covers = 0;
datalist->ttl = 0;
ISC_LIST_INIT(datalist->rdata);
ISC_LIST_APPEND(datalist->rdata, rdata, link);
dataset = NULL;
RETERR(dns_message_gettemprdataset(msg, &dataset));
dns_rdataset_init(dataset);
RUNTIME_CHECK(dns_rdatalist_tordataset(datalist, dataset) == ISC_R_SUCCESS);
msg->sig0 = dataset;
return (ISC_R_SUCCESS);
failure:
if (dynbuf != NULL)
isc_buffer_free(&dynbuf);
if (signeedsfree)
isc_mem_put(mctx, sig.signature, sig.siglen);
if (ctx != NULL)
dst_context_destroy(&ctx);
return (result);
}
isc_result_t
dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
dst_key_t *key)
{
dns_rdata_sig_t sig; /* SIG(0) */
unsigned char header[DNS_MESSAGE_HEADERLEN];
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_region_t r, source_r, sig_r, header_r;
isc_stdtime_t now;
dst_context_t *ctx = NULL;
isc_mem_t *mctx;
isc_result_t result;
isc_uint16_t addcount;
isc_boolean_t signeedsfree = ISC_FALSE;
REQUIRE(source != NULL);
REQUIRE(msg != NULL);
REQUIRE(key != NULL);
mctx = msg->mctx;
msg->verify_attempted = 1;
if (is_response(msg)) {
if (msg->query.base == NULL)
return (DNS_R_UNEXPECTEDTSIG);
}
isc_buffer_usedregion(source, &source_r);
RETERR(dns_rdataset_first(msg->sig0));
dns_rdataset_current(msg->sig0, &rdata);
RETERR(dns_rdata_tostruct(&rdata, &sig, NULL));
signeedsfree = ISC_TRUE;
if (sig.labels != 0) {
result = DNS_R_SIGINVALID;
goto failure;
}
if (isc_serial_lt(sig.timeexpire, sig.timesigned)) {
result = DNS_R_SIGINVALID;
msg->sig0status = dns_tsigerror_badtime;
goto failure;
}
isc_stdtime_get(&now);
if (isc_serial_lt((isc_uint32_t)now, sig.timesigned)) {
result = DNS_R_SIGFUTURE;
msg->sig0status = dns_tsigerror_badtime;
goto failure;
}
else if (isc_serial_lt(sig.timeexpire, (isc_uint32_t)now)) {
result = DNS_R_SIGEXPIRED;
msg->sig0status = dns_tsigerror_badtime;
goto failure;
}
if (!dns_name_equal(dst_key_name(key), &sig.signer)) {
result = DNS_R_SIGINVALID;
msg->sig0status = dns_tsigerror_badkey;
goto failure;
}
RETERR(dst_context_create(key, mctx, &ctx));
/*
* Digest the SIG(0) record, except for the signature.
*/
dns_rdata_toregion(&rdata, &r);
r.length -= sig.siglen;
RETERR(dst_context_adddata(ctx, &r));
/*
* If this is a response, digest the query.
*/
if (is_response(msg))
RETERR(dst_context_adddata(ctx, &msg->query));
/*
* Extract the header.
*/
memcpy(header, source_r.base, DNS_MESSAGE_HEADERLEN);
/*
* Decrement the additional field counter.
*/
memcpy(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
addcount = htons((isc_uint16_t)(ntohs(addcount) - 1));
memcpy(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
/*
* Digest the modified header.
*/
header_r.base = (unsigned char *) header;
header_r.length = DNS_MESSAGE_HEADERLEN;
RETERR(dst_context_adddata(ctx, &header_r));
/*
* Digest all non-SIG(0) records.
*/
r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
RETERR(dst_context_adddata(ctx, &r));
sig_r.base = sig.signature;
sig_r.length = sig.siglen;
result = dst_context_verify(ctx, &sig_r);
if (result != ISC_R_SUCCESS) {
msg->sig0status = dns_tsigerror_badsig;
goto failure;
}
msg->verified_sig = 1;
dst_context_destroy(&ctx);
dns_rdata_freestruct(&sig);
return (ISC_R_SUCCESS);
failure:
if (signeedsfree)
dns_rdata_freestruct(&sig);
if (ctx != NULL)
dst_context_destroy(&ctx);
return (result);
}
/*%
* Does this key ('rdata') self sign the rrset ('rdataset')?
*/
isc_boolean_t
dns_dnssec_selfsigns(dns_rdata_t *rdata, dns_name_t *name,
dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
isc_boolean_t ignoretime, isc_mem_t *mctx)
{
dst_key_t *dstkey = NULL;
dns_keytag_t keytag;
dns_rdata_dnskey_t key;
dns_rdata_rrsig_t sig;
dns_rdata_t sigrdata = DNS_RDATA_INIT;
isc_result_t result;
INSIST(rdataset->type == dns_rdatatype_key ||
rdataset->type == dns_rdatatype_dnskey);
if (rdataset->type == dns_rdatatype_key) {
INSIST(sigrdataset->type == dns_rdatatype_sig);
INSIST(sigrdataset->covers == dns_rdatatype_key);
} else {
INSIST(sigrdataset->type == dns_rdatatype_rrsig);
INSIST(sigrdataset->covers == dns_rdatatype_dnskey);
}
result = dns_dnssec_keyfromrdata(name, rdata, mctx, &dstkey);
if (result != ISC_R_SUCCESS)
return (ISC_FALSE);
result = dns_rdata_tostruct(rdata, &key, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
keytag = dst_key_id(dstkey);
for (result = dns_rdataset_first(sigrdataset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(sigrdataset))
{
dns_rdata_reset(&sigrdata);
dns_rdataset_current(sigrdataset, &sigrdata);
result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
if (sig.algorithm == key.algorithm &&
sig.keyid == keytag) {
result = dns_dnssec_verify2(name, rdataset, dstkey,
ignoretime, mctx,
&sigrdata, NULL);
if (result == ISC_R_SUCCESS) {
dst_key_free(&dstkey);
return (ISC_TRUE);
}
}
}
dst_key_free(&dstkey);
return (ISC_FALSE);
}
isc_result_t
dns_dnsseckey_create(isc_mem_t *mctx, dst_key_t **dstkey,
dns_dnsseckey_t **dkp)
{
isc_result_t result;
dns_dnsseckey_t *dk;
int major, minor;
REQUIRE(dkp != NULL && *dkp == NULL);
dk = isc_mem_get(mctx, sizeof(dns_dnsseckey_t));
if (dk == NULL)
return (ISC_R_NOMEMORY);
dk->key = *dstkey;
*dstkey = NULL;
dk->force_publish = ISC_FALSE;
dk->force_sign = ISC_FALSE;
dk->hint_publish = ISC_FALSE;
dk->hint_sign = ISC_FALSE;
dk->hint_remove = ISC_FALSE;
dk->first_sign = ISC_FALSE;
dk->is_active = ISC_FALSE;
dk->prepublish = 0;
dk->source = dns_keysource_unknown;
dk->index = 0;
/* KSK or ZSK? */
dk->ksk = ISC_TF((dst_key_flags(dk->key) & DNS_KEYFLAG_KSK) != 0);
/* Is this an old-style key? */
result = dst_key_getprivateformat(dk->key, &major, &minor);
/* Smart signing started with key format 1.3 */
dk->legacy = ISC_TF(major == 1 && minor <= 2);
ISC_LINK_INIT(dk, link);
*dkp = dk;
return (ISC_R_SUCCESS);
}
void
dns_dnsseckey_destroy(isc_mem_t *mctx, dns_dnsseckey_t **dkp) {
dns_dnsseckey_t *dk;
REQUIRE(dkp != NULL && *dkp != NULL);
dk = *dkp;
if (dk->key != NULL)
dst_key_free(&dk->key);
isc_mem_put(mctx, dk, sizeof(dns_dnsseckey_t));
*dkp = NULL;
}
static void
get_hints(dns_dnsseckey_t *key) {
isc_result_t result;
isc_stdtime_t now, publish, active, revoke, inactive, delete;
isc_boolean_t pubset = ISC_FALSE, actset = ISC_FALSE;
isc_boolean_t revset = ISC_FALSE, inactset = ISC_FALSE;
isc_boolean_t delset = ISC_FALSE;
REQUIRE(key != NULL && key->key != NULL);
isc_stdtime_get(&now);
result = dst_key_gettime(key->key, DST_TIME_PUBLISH, &publish);
if (result == ISC_R_SUCCESS)
pubset = ISC_TRUE;
result = dst_key_gettime(key->key, DST_TIME_ACTIVATE, &active);
if (result == ISC_R_SUCCESS)
actset = ISC_TRUE;
result = dst_key_gettime(key->key, DST_TIME_REVOKE, &revoke);
if (result == ISC_R_SUCCESS)
revset = ISC_TRUE;
result = dst_key_gettime(key->key, DST_TIME_INACTIVE, &inactive);
if (result == ISC_R_SUCCESS)
inactset = ISC_TRUE;
result = dst_key_gettime(key->key, DST_TIME_DELETE, &delete);
if (result == ISC_R_SUCCESS)
delset = ISC_TRUE;
/* Metadata says publish (but possibly not activate) */
if (pubset && publish <= now)
key->hint_publish = ISC_TRUE;
/* Metadata says activate (so we must also publish) */
if (actset && active <= now) {
key->hint_sign = ISC_TRUE;
key->hint_publish = ISC_TRUE;
}
/*
* Activation date is set (maybe in the future), but
* publication date isn't. Most likely the user wants to
* publish now and activate later.
*/
if (actset && !pubset)
key->hint_publish = ISC_TRUE;
/*
* If activation date is in the future, make note of how far off
*/
if (key->hint_publish && actset && active > now) {
key->prepublish = active - now;
}
/*
* Key has been marked inactive: we can continue publishing,
* but don't sign.
*/
if (key->hint_publish && inactset && inactive <= now) {
key->hint_sign = ISC_FALSE;
}
/*
* Metadata says revoke. If the key is published,
* we *have to* sign with it per RFC5011--even if it was
* not active before.
*
* If it hasn't already been done, we should also revoke it now.
*/
if (key->hint_publish && (revset && revoke <= now)) {
isc_uint32_t flags;
key->hint_sign = ISC_TRUE;
flags = dst_key_flags(key->key);
if ((flags & DNS_KEYFLAG_REVOKE) == 0) {
flags |= DNS_KEYFLAG_REVOKE;
dst_key_setflags(key->key, flags);
}
}
/*
* Metadata says delete, so don't publish this key or sign with it.
*/
if (delset && delete <= now) {
key->hint_publish = ISC_FALSE;
key->hint_sign = ISC_FALSE;
key->hint_remove = ISC_TRUE;
}
}
/*%
* Get a list of DNSSEC keys from the key repository
*/
isc_result_t
dns_dnssec_findmatchingkeys(dns_name_t *origin, const char *directory,
isc_mem_t *mctx, dns_dnsseckeylist_t *keylist)
{
isc_result_t result = ISC_R_SUCCESS;
isc_boolean_t dir_open = ISC_FALSE;
dns_dnsseckeylist_t list;
isc_dir_t dir;
dns_dnsseckey_t *key = NULL;
dst_key_t *dstkey = NULL;
char namebuf[DNS_NAME_FORMATSIZE], *p;
isc_buffer_t b;
unsigned int len;
REQUIRE(keylist != NULL);
ISC_LIST_INIT(list);
isc_dir_init(&dir);
isc_buffer_init(&b, namebuf, sizeof(namebuf) - 1);
RETERR(dns_name_totext(origin, ISC_FALSE, &b));
len = isc_buffer_usedlength(&b);
namebuf[len] = '\0';
if (directory == NULL)
directory = ".";
RETERR(isc_dir_open(&dir, directory));
dir_open = ISC_TRUE;
while (isc_dir_read(&dir) == ISC_R_SUCCESS) {
if (dir.entry.name[0] == 'K' &&
dir.entry.length > len + 1 &&
dir.entry.name[len + 1] == '+' &&
strncasecmp(dir.entry.name + 1, namebuf, len) == 0) {
p = strrchr(dir.entry.name, '.');
if (p != NULL && strcmp(p, ".private") != 0)
continue;
dstkey = NULL;
RETERR(dst_key_fromnamedfile(dir.entry.name, directory,
DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
mctx, &dstkey));
RETERR(dns_dnsseckey_create(mctx, &dstkey, &key));
key->source = dns_keysource_repository;
get_hints(key);
if (key->legacy) {
dns_dnsseckey_destroy(mctx, &key);
} else {
ISC_LIST_APPEND(list, key, link);
key = NULL;
}
}
}
if (!ISC_LIST_EMPTY(list))
ISC_LIST_APPENDLIST(*keylist, list, link);
else
result = ISC_R_NOTFOUND;
failure:
if (dir_open)
isc_dir_close(&dir);
INSIST(key == NULL);
while ((key = ISC_LIST_HEAD(list)) != NULL) {
ISC_LIST_UNLINK(list, key, link);
INSIST(key->key != NULL);
dst_key_free(&key->key);
dns_dnsseckey_destroy(mctx, &key);
}
if (dstkey != NULL)
dst_key_free(&dstkey);
return (result);
}
/*%
* Add 'newkey' to 'keylist' if it's not already there.
*
* If 'savekeys' is ISC_TRUE, then we need to preserve all
* the keys in the keyset, regardless of whether they have
* metadata indicating they should be deactivated or removed.
*/
static void
addkey(dns_dnsseckeylist_t *keylist, dst_key_t **newkey,
isc_boolean_t savekeys, isc_mem_t *mctx)
{
dns_dnsseckey_t *key;
/* Skip duplicates */
for (key = ISC_LIST_HEAD(*keylist);
key != NULL;
key = ISC_LIST_NEXT(key, link)) {
if (dst_key_id(key->key) == dst_key_id(*newkey) &&
dst_key_alg(key->key) == dst_key_alg(*newkey) &&
dns_name_equal(dst_key_name(key->key),
dst_key_name(*newkey)))
break;
}
if (key != NULL) {
/*
* Found a match. If the old key was only public and the
* new key is private, replace the old one; otherwise
* leave it. But either way, mark the key as having
* been found in the zone.
*/
if (dst_key_isprivate(key->key)) {
dst_key_free(newkey);
} else if (dst_key_isprivate(*newkey)) {
dst_key_free(&key->key);
key->key = *newkey;
}
key->source = dns_keysource_zoneapex;
return;
}
dns_dnsseckey_create(mctx, newkey, &key);
if (key->legacy || savekeys) {
key->force_publish = ISC_TRUE;
key->force_sign = dst_key_isprivate(key->key);
}
key->source = dns_keysource_zoneapex;
ISC_LIST_APPEND(*keylist, key, link);
*newkey = NULL;
}
/*%
* Mark all keys which signed the DNSKEY/SOA RRsets as "active",
* for future reference.
*/
static isc_result_t
mark_active_keys(dns_dnsseckeylist_t *keylist, dns_rdataset_t *rrsigs) {
isc_result_t result = ISC_R_SUCCESS;
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_t sigs;
dns_dnsseckey_t *key;
REQUIRE(rrsigs != NULL && dns_rdataset_isassociated(rrsigs));
dns_rdataset_init(&sigs);
dns_rdataset_clone(rrsigs, &sigs);
for (key = ISC_LIST_HEAD(*keylist);
key != NULL;
key = ISC_LIST_NEXT(key, link)) {
isc_uint16_t keyid, sigid;
dns_secalg_t keyalg, sigalg;
keyid = dst_key_id(key->key);
keyalg = dst_key_alg(key->key);
for (result = dns_rdataset_first(&sigs);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(&sigs)) {
dns_rdata_rrsig_t sig;
dns_rdata_reset(&rdata);
dns_rdataset_current(&sigs, &rdata);
result = dns_rdata_tostruct(&rdata, &sig, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
sigalg = sig.algorithm;
sigid = sig.keyid;
if (keyid == sigid && keyalg == sigalg) {
key->is_active = ISC_TRUE;
break;
}
}
}
if (result == ISC_R_NOMORE)
result = ISC_R_SUCCESS;
if (dns_rdataset_isassociated(&sigs))
dns_rdataset_disassociate(&sigs);
return (result);
}
/*%
* Add the contents of a DNSKEY rdataset 'keyset' to 'keylist'.
*/
isc_result_t
dns_dnssec_keylistfromrdataset(dns_name_t *origin,
const char *directory, isc_mem_t *mctx,
dns_rdataset_t *keyset, dns_rdataset_t *keysigs,
dns_rdataset_t *soasigs, isc_boolean_t savekeys,
isc_boolean_t public,
dns_dnsseckeylist_t *keylist)
{
dns_rdataset_t keys;
dns_rdata_t rdata = DNS_RDATA_INIT;
dst_key_t *pubkey = NULL, *privkey = NULL;
isc_result_t result;
REQUIRE(keyset != NULL && dns_rdataset_isassociated(keyset));
dns_rdataset_init(&keys);
dns_rdataset_clone(keyset, &keys);
for (result = dns_rdataset_first(&keys);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(&keys)) {
dns_rdata_reset(&rdata);
dns_rdataset_current(&keys, &rdata);
RETERR(dns_dnssec_keyfromrdata(origin, &rdata, mctx, &pubkey));
if (!is_zone_key(pubkey) ||
(dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
goto skip;
/* Corrupted .key file? */
if (!dns_name_equal(origin, dst_key_name(pubkey)))
goto skip;
if (public) {
addkey(keylist, &pubkey, savekeys, mctx);
goto skip;
}
result = dst_key_fromfile(dst_key_name(pubkey),
dst_key_id(pubkey),
dst_key_alg(pubkey),
DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
directory, mctx, &privkey);
if (result == ISC_R_FILENOTFOUND) {
addkey(keylist, &pubkey, savekeys, mctx);
goto skip;
}
RETERR(result);
/* This should never happen. */
if ((dst_key_flags(privkey) & DNS_KEYTYPE_NOAUTH) != 0)
goto skip;
addkey(keylist, &privkey, savekeys, mctx);
skip:
if (pubkey != NULL)
dst_key_free(&pubkey);
if (privkey != NULL)
dst_key_free(&privkey);
}
if (result != ISC_R_NOMORE)
RETERR(result);
if (keysigs != NULL && dns_rdataset_isassociated(keysigs))
RETERR(mark_active_keys(keylist, keysigs));
if (soasigs != NULL && dns_rdataset_isassociated(soasigs))
RETERR(mark_active_keys(keylist, soasigs));
result = ISC_R_SUCCESS;
failure:
if (dns_rdataset_isassociated(&keys))
dns_rdataset_disassociate(&keys);
if (pubkey != NULL)
dst_key_free(&pubkey);
if (privkey != NULL)
dst_key_free(&privkey);
return (result);
}
static isc_result_t
make_dnskey(dst_key_t *key, unsigned char *buf, int bufsize,
dns_rdata_t *target)
{
isc_result_t result;
isc_buffer_t b;
isc_region_t r;
isc_buffer_init(&b, buf, bufsize);
result = dst_key_todns(key, &b);
if (result != ISC_R_SUCCESS)
return (result);
dns_rdata_reset(target);
isc_buffer_usedregion(&b, &r);
dns_rdata_fromregion(target, dst_key_class(key),
dns_rdatatype_dnskey, &r);
return (ISC_R_SUCCESS);
}
static isc_result_t
publish_key(dns_diff_t *diff, dns_dnsseckey_t *key, dns_name_t *origin,
dns_ttl_t ttl, isc_mem_t *mctx, isc_boolean_t allzsk,
void (*report)(const char *, ...))
{
isc_result_t result;
dns_difftuple_t *tuple = NULL;
unsigned char buf[DST_KEY_MAXSIZE];
dns_rdata_t dnskey = DNS_RDATA_INIT;
char alg[80];
dns_rdata_reset(&dnskey);
RETERR(make_dnskey(key->key, buf, sizeof(buf), &dnskey));
dns_secalg_format(dst_key_alg(key->key), alg, sizeof(alg));
report("Fetching %s %d/%s from key %s.",
key->ksk ? (allzsk ? "KSK/ZSK" : "KSK") : "ZSK",
dst_key_id(key->key), alg,
key->source == dns_keysource_user ? "file" : "repository");
if (key->prepublish && ttl > key->prepublish) {
char keystr[DST_KEY_FORMATSIZE];
isc_stdtime_t now;
dst_key_format(key->key, keystr, sizeof(keystr));
report("Key %s: Delaying activation to match the DNSKEY TTL.\n",
keystr, ttl);
isc_stdtime_get(&now);
dst_key_settime(key->key, DST_TIME_ACTIVATE, now + ttl);
}
/* publish key */
RETERR(dns_difftuple_create(mctx, DNS_DIFFOP_ADD, origin, ttl,
&dnskey, &tuple));
dns_diff_appendminimal(diff, &tuple);
result = ISC_R_SUCCESS;
failure:
return (result);
}
static isc_result_t
remove_key(dns_diff_t *diff, dns_dnsseckey_t *key, dns_name_t *origin,
dns_ttl_t ttl, isc_mem_t *mctx, const char *reason,
void (*report)(const char *, ...))
{
isc_result_t result;
dns_difftuple_t *tuple = NULL;
unsigned char buf[DST_KEY_MAXSIZE];
dns_rdata_t dnskey = DNS_RDATA_INIT;
char alg[80];
dns_secalg_format(dst_key_alg(key->key), alg, sizeof(alg));
report("Removing %s key %d/%s from DNSKEY RRset.",
reason, dst_key_id(key->key), alg);
RETERR(make_dnskey(key->key, buf, sizeof(buf), &dnskey));
RETERR(dns_difftuple_create(mctx, DNS_DIFFOP_DEL, origin, ttl, &dnskey,
&tuple));
dns_diff_appendminimal(diff, &tuple);
result = ISC_R_SUCCESS;
failure:
return (result);
}
/*
* Update 'keys' with information from 'newkeys'.
*
* If 'removed' is not NULL, any keys that are being removed from
* the zone will be added to the list for post-removal processing.
*/
isc_result_t
dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
dns_dnsseckeylist_t *removed, dns_name_t *origin,
dns_ttl_t ttl, dns_diff_t *diff, isc_boolean_t allzsk,
isc_mem_t *mctx, void (*report)(const char *, ...))
{
isc_result_t result;
dns_dnsseckey_t *key, *key1, *key2, *next;
/*
* First, look through the existing key list to find keys
* supplied from the command line which are not in the zone.
* Update the zone to include them.
*/
for (key = ISC_LIST_HEAD(*keys);
key != NULL;
key = ISC_LIST_NEXT(key, link)) {
if (key->source == dns_keysource_user &&
(key->hint_publish || key->force_publish)) {
RETERR(publish_key(diff, key, origin, ttl,
mctx, allzsk, report));
}
}
/*
* Second, scan the list of newly found keys looking for matches
* with known keys, and update accordingly.
*/
for (key1 = ISC_LIST_HEAD(*newkeys); key1 != NULL; key1 = next) {
isc_boolean_t key_revoked = ISC_FALSE;
next = ISC_LIST_NEXT(key1, link);
for (key2 = ISC_LIST_HEAD(*keys);
key2 != NULL;
key2 = ISC_LIST_NEXT(key2, link)) {
if (dst_key_pubcompare(key1->key, key2->key,
ISC_TRUE)) {
int r1, r2;
r1 = dst_key_flags(key1->key) &
DNS_KEYFLAG_REVOKE;
r2 = dst_key_flags(key2->key) &
DNS_KEYFLAG_REVOKE;
key_revoked = ISC_TF(r1 != r2);
break;
}
}
/* No match found in keys; add the new key. */
if (key2 == NULL) {
dns_dnsseckey_t *next;
next = ISC_LIST_NEXT(key1, link);
ISC_LIST_UNLINK(*newkeys, key1, link);
ISC_LIST_APPEND(*keys, key1, link);
if (key1->source != dns_keysource_zoneapex &&
(key1->hint_publish || key1->force_publish)) {
RETERR(publish_key(diff, key1, origin, ttl,
mctx, allzsk, report));
if (key1->hint_sign || key1->force_sign)
key1->first_sign = ISC_TRUE;
}
continue;
}
/* Match found: remove or update it as needed */
if (key1->hint_remove) {
RETERR(remove_key(diff, key2, origin, ttl, mctx,
"expired", report));
ISC_LIST_UNLINK(*keys, key2, link);
if (removed != NULL)
ISC_LIST_APPEND(*removed, key2, link);
else
dns_dnsseckey_destroy(mctx, &key2);
} else if (key_revoked &&
(dst_key_flags(key1->key) & DNS_KEYFLAG_REVOKE) != 0) {
/*
* A previously valid key has been revoked.
* We need to remove the old version and pull
* in the new one.
*/
RETERR(remove_key(diff, key2, origin, ttl, mctx,
"revoked", report));
ISC_LIST_UNLINK(*keys, key2, link);
if (removed != NULL)
ISC_LIST_APPEND(*removed, key2, link);
else
dns_dnsseckey_destroy(mctx, &key2);
RETERR(publish_key(diff, key1, origin, ttl,
mctx, allzsk, report));
ISC_LIST_UNLINK(*newkeys, key1, link);
ISC_LIST_APPEND(*keys, key1, link);
/*
* XXX: The revoke flag is only defined for trust
* anchors. Setting the flag on a non-KSK is legal,
* but not defined in any RFC. It seems reasonable
* to treat it the same as a KSK: keep it in the
* zone, sign the DNSKEY set with it, but not
* sign other records with it.
*/
key1->ksk = ISC_TRUE;
continue;
} else {
if (!key2->is_active &&
(key1->hint_sign || key1->force_sign))
key2->first_sign = ISC_TRUE;
key2->hint_sign = key1->hint_sign;
key2->hint_publish = key1->hint_publish;
}
}
/* Free any leftover keys in newkeys */
while (!ISC_LIST_EMPTY(*newkeys)) {
key1 = ISC_LIST_HEAD(*newkeys);
ISC_LIST_UNLINK(*newkeys, key1, link);
dns_dnsseckey_destroy(mctx, &key1);
}
result = ISC_R_SUCCESS;
failure:
return (result);
}