search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Add BIND 9.2.4rc7.
[dragonfly.git] / contrib / bind-9.2.4rc7 / lib / dns / dnssec.c
blobfdbd048380bb7bb7d137c058aa5af9d2143bd389
1 /*
2 * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 1999-2003 Internet Software Consortium.
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
16 */
17
18 /*
19 * $Id: dnssec.c,v 1.69.2.7 2004/03/09 06:11:01 marka Exp $
20 */
21
22
23 #include <config.h>
24
25 #include <stdlib.h>
26
27 #include <isc/buffer.h>
28 #include <isc/mem.h>
29 #include <isc/serial.h>
30 #include <isc/string.h>
31 #include <isc/util.h>
32
33 #include <dns/db.h>
34 #include <dns/dnssec.h>
35 #include <dns/fixedname.h>
36 #include <dns/keyvalues.h>
37 #include <dns/message.h>
38 #include <dns/rdata.h>
39 #include <dns/rdatalist.h>
40 #include <dns/rdataset.h>
41 #include <dns/rdatastruct.h>
42 #include <dns/result.h>
43 #include <dns/tsig.h> /* for DNS_TSIG_FUDGE */
44
45 #include <dst/result.h>
46
47 #define is_response(msg) (msg->flags & DNS_MESSAGEFLAG_QR)
48
49 #define RETERR(x) do { \
50 result = (x); \
51 if (result != ISC_R_SUCCESS) \
52 goto failure; \
53 } while (0)
54
55
56 #define TYPE_SIGN 0
57 #define TYPE_VERIFY 1
58
59 static isc_result_t
60 digest_callback(void *arg, isc_region_t *data);
61
62 static int
63 rdata_compare_wrapper(const void *rdata1, const void *rdata2);
64
65 static isc_result_t
66 rdataset_to_sortedarray(dns_rdataset_t *set, isc_mem_t *mctx,
67 dns_rdata_t **rdata, int *nrdata);
68
69 static isc_result_t
70 digest_callback(void *arg, isc_region_t *data) {
71 dst_context_t *ctx = arg;
72
73 return (dst_context_adddata(ctx, data));
74 }
75
76 /*
77 * Make qsort happy.
78 */
79 static int
80 rdata_compare_wrapper(const void *rdata1, const void *rdata2) {
81 return (dns_rdata_compare((const dns_rdata_t *)rdata1,
82 (const dns_rdata_t *)rdata2));
83 }
84
85 /*
86 * Sort the rdataset into an array.
87 */
88 static isc_result_t
89 rdataset_to_sortedarray(dns_rdataset_t *set, isc_mem_t *mctx,
90 dns_rdata_t **rdata, int *nrdata)
91 {
92 isc_result_t ret;
93 int i = 0, n;
94 dns_rdata_t *data;
95
96 n = dns_rdataset_count(set);
97
98 data = isc_mem_get(mctx, n * sizeof(dns_rdata_t));
99 if (data == NULL)
100 return (ISC_R_NOMEMORY);
101
102 ret = dns_rdataset_first(set);
103 if (ret != ISC_R_SUCCESS) {
104 isc_mem_put(mctx, data, n * sizeof(dns_rdata_t));
105 return (ret);
106 }
107
108 /*
109 * Put them in the array.
110 */
111 do {
112 dns_rdata_init(&data[i]);
113 dns_rdataset_current(set, &data[i++]);
114 } while (dns_rdataset_next(set) == ISC_R_SUCCESS);
115
116 /*
117 * Sort the array.
118 */
119 qsort(data, n, sizeof(dns_rdata_t), rdata_compare_wrapper);
120 *rdata = data;
121 *nrdata = n;
122 return (ISC_R_SUCCESS);
123 }
124
125 isc_result_t
126 dns_dnssec_keyfromrdata(dns_name_t *name, dns_rdata_t *rdata, isc_mem_t *mctx,
127 dst_key_t **key)
128 {
129 isc_buffer_t b;
130 isc_region_t r;
131
132 INSIST(name != NULL);
133 INSIST(rdata != NULL);
134 INSIST(mctx != NULL);
135 INSIST(key != NULL);
136 INSIST(*key == NULL);
137
138 dns_rdata_toregion(rdata, &r);
139 isc_buffer_init(&b, r.base, r.length);
140 isc_buffer_add(&b, r.length);
141 return (dst_key_fromdns(name, rdata->rdclass, &b, mctx, key));
142 }
143
144 static isc_result_t
145 digest_sig(dst_context_t *ctx, dns_rdata_t *sigrdata, dns_rdata_sig_t *sig) {
146 isc_region_t r;
147 isc_result_t ret;
148 dns_fixedname_t fname;
149
150 dns_rdata_toregion(sigrdata, &r);
151 INSIST(r.length >= 19);
152
153 r.length = 18;
154 ret = dst_context_adddata(ctx, &r);
155 if (ret != ISC_R_SUCCESS)
156 return (ret);
157 dns_fixedname_init(&fname);
158 dns_name_downcase(&sig->signer, dns_fixedname_name(&fname), NULL);
159 dns_name_toregion(dns_fixedname_name(&fname), &r);
160 return (dst_context_adddata(ctx, &r));
161 }
162
163 isc_result_t
164 dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
165 isc_stdtime_t *inception, isc_stdtime_t *expire,
166 isc_mem_t *mctx, isc_buffer_t *buffer, dns_rdata_t *sigrdata)
167 {
168 dns_rdata_sig_t sig;
169 dns_rdata_t tmpsigrdata;
170 dns_rdata_t *rdatas;
171 int nrdatas, i;
172 isc_buffer_t sigbuf, envbuf;
173 isc_region_t r;
174 dst_context_t *ctx = NULL;
175 isc_result_t ret;
176 isc_buffer_t *databuf = NULL;
177 char data[256 + 8];
178 isc_uint32_t flags;
179 unsigned int sigsize;
180 dns_fixedname_t fnewname;
181
182 REQUIRE(name != NULL);
183 REQUIRE(dns_name_depth(name) <= 255);
184 REQUIRE(set != NULL);
185 REQUIRE(key != NULL);
186 REQUIRE(inception != NULL);
187 REQUIRE(expire != NULL);
188 REQUIRE(mctx != NULL);
189 REQUIRE(sigrdata != NULL);
190
191 if (*inception >= *expire)
192 return (DNS_R_INVALIDTIME);
193
194 /*
195 * Is the key allowed to sign data?
196 */
197 flags = dst_key_flags(key);
198 if (flags & DNS_KEYTYPE_NOAUTH)
199 return (DNS_R_KEYUNAUTHORIZED);
200 if ((flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
201 return (DNS_R_KEYUNAUTHORIZED);
202
203 sig.mctx = mctx;
204 sig.common.rdclass = set->rdclass;
205 sig.common.rdtype = dns_rdatatype_sig;
206 ISC_LINK_INIT(&sig.common, link);
207
208 dns_name_init(&sig.signer, NULL);
209 dns_name_clone(dst_key_name(key), &sig.signer);
210
211 sig.covered = set->type;
212 sig.algorithm = dst_key_alg(key);
213 sig.labels = dns_name_depth(name) - 1;
214 if (dns_name_iswildcard(name))
215 sig.labels--;
216 sig.originalttl = set->ttl;
217 sig.timesigned = *inception;
218 sig.timeexpire = *expire;
219 sig.keyid = dst_key_id(key);
220 ret = dst_key_sigsize(key, &sigsize);
221 if (ret != ISC_R_SUCCESS)
222 return (ret);
223 sig.siglen = sigsize;
224 /*
225 * The actual contents of sig.signature are not important yet, since
226 * they're not used in digest_sig().
227 */
228 sig.signature = isc_mem_get(mctx, sig.siglen);
229 if (sig.signature == NULL)
230 return (ISC_R_NOMEMORY);
231
232 ret = isc_buffer_allocate(mctx, &databuf, sigsize + 256 + 18);
233 if (ret != ISC_R_SUCCESS)
234 goto cleanup_signature;
235
236 dns_rdata_init(&tmpsigrdata);
237 ret = dns_rdata_fromstruct(&tmpsigrdata, sig.common.rdclass,
238 sig.common.rdtype, &sig, databuf);
239 if (ret != ISC_R_SUCCESS)
240 goto cleanup_databuf;
241
242 ret = dst_context_create(key, mctx, &ctx);
243 if (ret != ISC_R_SUCCESS)
244 goto cleanup_databuf;
245
246 /*
247 * Digest the SIG rdata.
248 */
249 ret = digest_sig(ctx, &tmpsigrdata, &sig);
250 if (ret != ISC_R_SUCCESS)
251 goto cleanup_context;
252
253 dns_fixedname_init(&fnewname);
254 dns_name_downcase(name, dns_fixedname_name(&fnewname), NULL);
255 dns_name_toregion(dns_fixedname_name(&fnewname), &r);
256
257 /*
258 * Create an envelope for each rdata: <name|type|class|ttl>.
259 */
260 isc_buffer_init(&envbuf, data, sizeof(data));
261 memcpy(data, r.base, r.length);
262 isc_buffer_add(&envbuf, r.length);
263 isc_buffer_putuint16(&envbuf, set->type);
264 isc_buffer_putuint16(&envbuf, set->rdclass);
265 isc_buffer_putuint32(&envbuf, set->ttl);
266
267 ret = rdataset_to_sortedarray(set, mctx, &rdatas, &nrdatas);
268 if (ret != ISC_R_SUCCESS)
269 goto cleanup_context;
270 isc_buffer_usedregion(&envbuf, &r);
271
272 for (i = 0; i < nrdatas; i++) {
273 isc_uint16_t len;
274 isc_buffer_t lenbuf;
275 isc_region_t lenr;
276
277 /*
278 * Skip duplicates.
279 */
280 if (i > 0 && dns_rdata_compare(&rdatas[i], &rdatas[i-1]) == 0)
281 continue;
282
283 /*
284 * Digest the envelope.
285 */
286 ret = dst_context_adddata(ctx, &r);
287 if (ret != ISC_R_SUCCESS)
288 goto cleanup_array;
289
290 /*
291 * Digest the length of the rdata.
292 */
293 isc_buffer_init(&lenbuf, &len, sizeof(len));
294 INSIST(rdatas[i].length < 65536);
295 isc_buffer_putuint16(&lenbuf, (isc_uint16_t)rdatas[i].length);
296 isc_buffer_usedregion(&lenbuf, &lenr);
297 ret = dst_context_adddata(ctx, &lenr);
298 if (ret != ISC_R_SUCCESS)
299 goto cleanup_array;
300
301 /*
302 * Digest the rdata.
303 */
304 ret = dns_rdata_digest(&rdatas[i], digest_callback, ctx);
305 if (ret != ISC_R_SUCCESS)
306 goto cleanup_array;
307 }
308
309 isc_buffer_init(&sigbuf, sig.signature, sig.siglen);
310 ret = dst_context_sign(ctx, &sigbuf);
311 if (ret != ISC_R_SUCCESS)
312 goto cleanup_array;
313 isc_buffer_usedregion(&sigbuf, &r);
314 if (r.length != sig.siglen) {
315 ret = ISC_R_NOSPACE;
316 goto cleanup_array;
317 }
318 memcpy(sig.signature, r.base, sig.siglen);
319
320 ret = dns_rdata_fromstruct(sigrdata, sig.common.rdclass,
321 sig.common.rdtype, &sig, buffer);
322
323 cleanup_array:
324 isc_mem_put(mctx, rdatas, nrdatas * sizeof(dns_rdata_t));
325 cleanup_context:
326 dst_context_destroy(&ctx);
327 cleanup_databuf:
328 if (databuf != NULL)
329 isc_buffer_free(&databuf);
330 cleanup_signature:
331 isc_mem_put(mctx, sig.signature, sig.siglen);
332
333 return (ret);
334 }
335
336 isc_result_t
337 dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
338 isc_boolean_t ignoretime, isc_mem_t *mctx,
339 dns_rdata_t *sigrdata)
340 {
341 dns_rdata_sig_t sig;
342 dns_fixedname_t fnewname;
343 isc_region_t r;
344 isc_buffer_t envbuf;
345 dns_rdata_t *rdatas;
346 int nrdatas, i;
347 isc_stdtime_t now;
348 isc_result_t ret;
349 unsigned char data[300];
350 dst_context_t *ctx = NULL;
351 int labels;
352 isc_uint32_t flags;
353
354 REQUIRE(name != NULL);
355 REQUIRE(set != NULL);
356 REQUIRE(key != NULL);
357 REQUIRE(mctx != NULL);
358 REQUIRE(sigrdata != NULL && sigrdata->type == dns_rdatatype_sig);
359
360 ret = dns_rdata_tostruct(sigrdata, &sig, NULL);
361 if (ret != ISC_R_SUCCESS)
362 return (ret);
363
364 if (isc_serial_lt(sig.timeexpire, sig.timesigned))
365 return (DNS_R_SIGINVALID);
366
367 if (!ignoretime) {
368 isc_stdtime_get(&now);
369
370 /*
371 * Is SIG temporally valid?
372 */
373 if (isc_serial_lt((isc_uint32_t)now, sig.timesigned))
374 return (DNS_R_SIGFUTURE);
375 else if (isc_serial_lt(sig.timeexpire, (isc_uint32_t)now))
376 return (DNS_R_SIGEXPIRED);
377 }
378
379 /*
380 * Is the key allowed to sign data?
381 */
382 flags = dst_key_flags(key);
383 if (flags & DNS_KEYTYPE_NOAUTH)
384 return (DNS_R_KEYUNAUTHORIZED);
385 if ((flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
386 return (DNS_R_KEYUNAUTHORIZED);
387
388 ret = dst_context_create(key, mctx, &ctx);
389 if (ret != ISC_R_SUCCESS)
390 goto cleanup_struct;
391
392 /*
393 * Digest the SIG rdata (not including the signature).
394 */
395 ret = digest_sig(ctx, sigrdata, &sig);
396 if (ret != ISC_R_SUCCESS)
397 goto cleanup_context;
398
399 /*
400 * If the name is an expanded wildcard, use the wildcard name.
401 */
402 dns_fixedname_init(&fnewname);
403 labels = dns_name_depth(name) - 1;
404 if (labels - sig.labels > 0) {
405 dns_name_splitatdepth(name, sig.labels + 1, NULL,
406 dns_fixedname_name(&fnewname));
407 dns_name_downcase(dns_fixedname_name(&fnewname),
408 dns_fixedname_name(&fnewname),
409 NULL);
410 }
411 else
412 dns_name_downcase(name, dns_fixedname_name(&fnewname), NULL);
413
414 dns_name_toregion(dns_fixedname_name(&fnewname), &r);
415
416 /*
417 * Create an envelope for each rdata: <name|type|class|ttl>.
418 */
419 isc_buffer_init(&envbuf, data, sizeof(data));
420 if (labels - sig.labels > 0) {
421 isc_buffer_putuint8(&envbuf, 1);
422 isc_buffer_putuint8(&envbuf, '*');
423 memcpy(data + 2, r.base, r.length);
424 }
425 else
426 memcpy(data, r.base, r.length);
427 isc_buffer_add(&envbuf, r.length);
428 isc_buffer_putuint16(&envbuf, set->type);
429 isc_buffer_putuint16(&envbuf, set->rdclass);
430 isc_buffer_putuint32(&envbuf, sig.originalttl);
431
432 ret = rdataset_to_sortedarray(set, mctx, &rdatas, &nrdatas);
433 if (ret != ISC_R_SUCCESS)
434 goto cleanup_context;
435
436 isc_buffer_usedregion(&envbuf, &r);
437
438 for (i = 0; i < nrdatas; i++) {
439 isc_uint16_t len;
440 isc_buffer_t lenbuf;
441 isc_region_t lenr;
442
443 /*
444 * Skip duplicates.
445 */
446 if (i > 0 && dns_rdata_compare(&rdatas[i], &rdatas[i-1]) == 0)
447 continue;
448
449 /*
450 * Digest the envelope.
451 */
452 ret = dst_context_adddata(ctx, &r);
453 if (ret != ISC_R_SUCCESS)
454 goto cleanup_array;
455
456 /*
457 * Digest the rdata length.
458 */
459 isc_buffer_init(&lenbuf, &len, sizeof(len));
460 INSIST(rdatas[i].length < 65536);
461 isc_buffer_putuint16(&lenbuf, (isc_uint16_t)rdatas[i].length);
462 isc_buffer_usedregion(&lenbuf, &lenr);
463
464 /*
465 * Digest the rdata.
466 */
467 ret = dst_context_adddata(ctx, &lenr);
468 if (ret != ISC_R_SUCCESS)
469 goto cleanup_array;
470 ret = dns_rdata_digest(&rdatas[i], digest_callback, ctx);
471 if (ret != ISC_R_SUCCESS)
472 goto cleanup_array;
473 }
474
475 r.base = sig.signature;
476 r.length = sig.siglen;
477 ret = dst_context_verify(ctx, &r);
478 if (ret == DST_R_VERIFYFAILURE)
479 ret = DNS_R_SIGINVALID;
480
481 cleanup_array:
482 isc_mem_put(mctx, rdatas, nrdatas * sizeof(dns_rdata_t));
483 cleanup_context:
484 dst_context_destroy(&ctx);
485 cleanup_struct:
486 dns_rdata_freestruct(&sig);
487
488 return (ret);
489 }
490
491 #define is_zone_key(key) ((dst_key_flags(key) & DNS_KEYFLAG_OWNERMASK) \
492 == DNS_KEYOWNER_ZONE)
493
494 isc_result_t
495 dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
496 dns_dbnode_t *node, dns_name_t *name, isc_mem_t *mctx,
497 unsigned int maxkeys, dst_key_t **keys,
498 unsigned int *nkeys)
499 {
500 dns_rdataset_t rdataset;
501 dns_rdata_t rdata = DNS_RDATA_INIT;
502 isc_result_t result;
503 dst_key_t *pubkey = NULL;
504 unsigned int count = 0;
505
506 *nkeys = 0;
507 dns_rdataset_init(&rdataset);
508 RETERR(dns_db_findrdataset(db, node, ver, dns_rdatatype_key, 0, 0,
509 &rdataset, NULL));
510 RETERR(dns_rdataset_first(&rdataset));
511 while (result == ISC_R_SUCCESS && count < maxkeys) {
512 pubkey = NULL;
513 dns_rdataset_current(&rdataset, &rdata);
514 RETERR(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey));
515 if (!is_zone_key(pubkey))
516 goto next;
517 keys[count] = NULL;
518 result = dst_key_fromfile(dst_key_name(pubkey),
519 dst_key_id(pubkey),
520 dst_key_alg(pubkey),
521 DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
522 NULL,
523 mctx, &keys[count]);
524 if (result == ISC_R_FILENOTFOUND)
525 goto next;
526 if (result != ISC_R_SUCCESS)
527 goto failure;
528 if ((dst_key_flags(keys[count]) & DNS_KEYTYPE_NOAUTH) != 0) {
529 dst_key_free(&keys[count]);
530 goto next;
531 }
532 count++;
533 next:
534 dst_key_free(&pubkey);
535 dns_rdata_reset(&rdata);
536 result = dns_rdataset_next(&rdataset);
537 }
538 if (result != ISC_R_NOMORE)
539 goto failure;
540 if (count == 0)
541 result = ISC_R_NOTFOUND;
542 else
543 result = ISC_R_SUCCESS;
544
545 failure:
546 if (dns_rdataset_isassociated(&rdataset))
547 dns_rdataset_disassociate(&rdataset);
548 if (pubkey != NULL)
549 dst_key_free(&pubkey);
550 *nkeys = count;
551 return (result);
552 }
553
554 isc_result_t
555 dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
556 dns_rdata_sig_t sig;
557 unsigned char data[512];
558 unsigned char header[DNS_MESSAGE_HEADERLEN];
559 isc_buffer_t headerbuf, databuf, sigbuf;
560 unsigned int sigsize;
561 isc_buffer_t *dynbuf = NULL;
562 dns_rdata_t *rdata;
563 dns_rdatalist_t *datalist;
564 dns_rdataset_t *dataset;
565 isc_region_t r;
566 isc_stdtime_t now;
567 dst_context_t *ctx = NULL;
568 isc_mem_t *mctx;
569 isc_result_t result;
570 isc_boolean_t signeedsfree = ISC_TRUE;
571
572 REQUIRE(msg != NULL);
573 REQUIRE(key != NULL);
574
575 if (is_response(msg))
576 REQUIRE(msg->query.base != NULL);
577
578 mctx = msg->mctx;
579
580 memset(&sig, 0, sizeof(dns_rdata_sig_t));
581
582 sig.mctx = mctx;
583 sig.common.rdclass = dns_rdataclass_any;
584 sig.common.rdtype = dns_rdatatype_sig;
585 ISC_LINK_INIT(&sig.common, link);
586
587 sig.covered = 0;
588 sig.algorithm = dst_key_alg(key);
589 sig.labels = 0; /* the root name */
590 sig.originalttl = 0;
591
592 isc_stdtime_get(&now);
593 sig.timesigned = now - DNS_TSIG_FUDGE;
594 sig.timeexpire = now + DNS_TSIG_FUDGE;
595
596 sig.keyid = dst_key_id(key);
597
598 dns_name_init(&sig.signer, NULL);
599 dns_name_clone(dst_key_name(key), &sig.signer);
600
601 sig.siglen = 0;
602 sig.signature = NULL;
603
604 isc_buffer_init(&databuf, data, sizeof(data));
605
606 RETERR(dst_context_create(key, mctx, &ctx));
607
608 /*
609 * Digest the fields of the SIG - we can cheat and use
610 * dns_rdata_fromstruct. Since siglen is 0, the digested data
611 * is identical to dns format.
612 */
613 RETERR(dns_rdata_fromstruct(NULL, dns_rdataclass_any,
614 dns_rdatatype_sig, &sig, &databuf));
615 isc_buffer_usedregion(&databuf, &r);
616 RETERR(dst_context_adddata(ctx, &r));
617
618 /*
619 * If this is a response, digest the query.
620 */
621 if (is_response(msg))
622 RETERR(dst_context_adddata(ctx, &msg->query));
623
624 /*
625 * Digest the header.
626 */
627 isc_buffer_init(&headerbuf, header, sizeof(header));
628 dns_message_renderheader(msg, &headerbuf);
629 isc_buffer_usedregion(&headerbuf, &r);
630 RETERR(dst_context_adddata(ctx, &r));
631
632 /*
633 * Digest the remainder of the message.
634 */
635 isc_buffer_usedregion(msg->buffer, &r);
636 isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
637 RETERR(dst_context_adddata(ctx, &r));
638
639 RETERR(dst_key_sigsize(key, &sigsize));
640 sig.siglen = sigsize;
641 sig.signature = (unsigned char *) isc_mem_get(mctx, sig.siglen);
642 if (sig.signature == NULL) {
643 result = ISC_R_NOMEMORY;
644 goto failure;
645 }
646
647 isc_buffer_init(&sigbuf, sig.signature, sig.siglen);
648 RETERR(dst_context_sign(ctx, &sigbuf));
649 dst_context_destroy(&ctx);
650
651 rdata = NULL;
652 RETERR(dns_message_gettemprdata(msg, &rdata));
653 RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 1024));
654 RETERR(dns_rdata_fromstruct(rdata, dns_rdataclass_any,
655 dns_rdatatype_sig, &sig, dynbuf));
656
657 isc_mem_put(mctx, sig.signature, sig.siglen);
658 signeedsfree = ISC_FALSE;
659
660 dns_message_takebuffer(msg, &dynbuf);
661
662 datalist = NULL;
663 RETERR(dns_message_gettemprdatalist(msg, &datalist));
664 datalist->rdclass = dns_rdataclass_any;
665 datalist->type = dns_rdatatype_sig;
666 datalist->covers = 0;
667 datalist->ttl = 0;
668 ISC_LIST_INIT(datalist->rdata);
669 ISC_LIST_APPEND(datalist->rdata, rdata, link);
670 dataset = NULL;
671 RETERR(dns_message_gettemprdataset(msg, &dataset));
672 dns_rdataset_init(dataset);
673 dns_rdatalist_tordataset(datalist, dataset);
674 msg->sig0 = dataset;
675
676 return (ISC_R_SUCCESS);
677
678 failure:
679 if (dynbuf != NULL)
680 isc_buffer_free(&dynbuf);
681 if (signeedsfree)
682 isc_mem_put(mctx, sig.signature, sig.siglen);
683 if (ctx != NULL)
684 dst_context_destroy(&ctx);
685
686 return (result);
687 }
688
689 isc_result_t
690 dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
691 dst_key_t *key)
692 {
693 dns_rdata_sig_t sig;
694 unsigned char header[DNS_MESSAGE_HEADERLEN];
695 dns_rdata_t rdata = DNS_RDATA_INIT;
696 isc_region_t r, source_r, sig_r, header_r;
697 isc_stdtime_t now;
698 dst_context_t *ctx = NULL;
699 isc_mem_t *mctx;
700 isc_result_t result;
701 isc_uint16_t addcount;
702 isc_boolean_t signeedsfree = ISC_FALSE;
703
704 REQUIRE(source != NULL);
705 REQUIRE(msg != NULL);
706 REQUIRE(key != NULL);
707
708 mctx = msg->mctx;
709
710 msg->verify_attempted = 1;
711
712 if (is_response(msg)) {
713 if (msg->query.base == NULL)
714 return (DNS_R_UNEXPECTEDTSIG);
715 }
716
717 isc_buffer_usedregion(source, &source_r);
718
719 RETERR(dns_rdataset_first(msg->sig0));
720 dns_rdataset_current(msg->sig0, &rdata);
721
722 RETERR(dns_rdata_tostruct(&rdata, &sig, NULL));
723 signeedsfree = ISC_TRUE;
724
725 if (sig.labels != 0) {
726 result = DNS_R_SIGINVALID;
727 goto failure;
728 }
729
730 if (isc_serial_lt(sig.timeexpire, sig.timesigned)) {
731 result = DNS_R_SIGINVALID;
732 msg->sig0status = dns_tsigerror_badtime;
733 goto failure;
734 }
735
736 isc_stdtime_get(&now);
737 if (isc_serial_lt((isc_uint32_t)now, sig.timesigned)) {
738 result = DNS_R_SIGFUTURE;
739 msg->sig0status = dns_tsigerror_badtime;
740 goto failure;
741 }
742 else if (isc_serial_lt(sig.timeexpire, (isc_uint32_t)now)) {
743 result = DNS_R_SIGEXPIRED;
744 msg->sig0status = dns_tsigerror_badtime;
745 goto failure;
746 }
747
748 if (!dns_name_equal(dst_key_name(key), &sig.signer)) {
749 result = DNS_R_SIGINVALID;
750 msg->sig0status = dns_tsigerror_badkey;
751 goto failure;
752 }
753
754 RETERR(dst_context_create(key, mctx, &ctx));
755
756 /*
757 * Digest the SIG(0) record, except for the signature.
758 */
759 dns_rdata_toregion(&rdata, &r);
760 r.length -= sig.siglen;
761 RETERR(dst_context_adddata(ctx, &r));
762
763 /*
764 * If this is a response, digest the query.
765 */
766 if (is_response(msg))
767 RETERR(dst_context_adddata(ctx, &msg->query));
768
769 /*
770 * Extract the header.
771 */
772 memcpy(header, source_r.base, DNS_MESSAGE_HEADERLEN);
773
774 /*
775 * Decrement the additional field counter.
776 */
777 memcpy(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
778 addcount = htons((isc_uint16_t)(ntohs(addcount) - 1));
779 memcpy(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
780
781 /*
782 * Digest the modified header.
783 */
784 header_r.base = (unsigned char *) header;
785 header_r.length = DNS_MESSAGE_HEADERLEN;
786 RETERR(dst_context_adddata(ctx, &header_r));
787
788 /*
789 * Digest all non-SIG(0) records.
790 */
791 r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
792 r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
793 RETERR(dst_context_adddata(ctx, &r));
794
795 sig_r.base = sig.signature;
796 sig_r.length = sig.siglen;
797 result = dst_context_verify(ctx, &sig_r);
798 if (result != ISC_R_SUCCESS) {
799 msg->sig0status = dns_tsigerror_badsig;
800 goto failure;
801 }
802
803 msg->verified_sig = 1;
804
805 dst_context_destroy(&ctx);
806 dns_rdata_freestruct(&sig);
807
808 return (ISC_R_SUCCESS);
809
810 failure:
811 if (signeedsfree)
812 dns_rdata_freestruct(&sig);
813 if (ctx != NULL)
814 dst_context_destroy(&ctx);
815
816 return (result);
817 }
DragonFly BSD