From 309b1d368b7d43e51c92b666b1007daa92a96181 Mon Sep 17 00:00:00 2001 From: George Thessalonikefs Date: Mon, 4 Jul 2022 00:06:26 +0200 Subject: [PATCH] - Reintroduce documentation and more EDE support for val_sigcrypt.c::dnskeyset_verify_rrset_sig. --- doc/Changelog | 2 + validator/val_secalgo.c | 3 +- validator/val_sigcrypt.c | 124 ++++++++++++++++++++++----------------- 3 files changed, 74 insertions(+), 55 deletions(-) diff --git a/doc/Changelog b/doc/Changelog index 8568395fb..2441999c7 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -6,6 +6,8 @@ - Fix for correct openssl error when adding windows CA certificates to the openssl trust store. - Improve val_sigcrypt.c::algo_needs_missing for one loop pass. + - Reintroduce documentation and more EDE support for + val_sigcrypt.c::dnskeyset_verify_rrset_sig. 1 July 2022: George - Merge PR #706: NXNS fallback. diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c index 1d933f9a7..786516749 100644 --- a/validator/val_secalgo.c +++ b/validator/val_secalgo.c @@ -725,7 +725,8 @@ digest_error_status(const char *str) * @param keylen: length of keydata. * @param reason: bogus reason in more detail. * @return secure if verification succeeded, bogus on crypto failure, - * unchecked on format errors and alloc failures. + * unchecked on format errors and alloc failures, indeterminate + * if digest is not supported by the crypto library (openssl3+ only). */ enum sec_status verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, diff --git a/validator/val_sigcrypt.c b/validator/val_sigcrypt.c index 17d1b4545..6d62119eb 100644 --- a/validator/val_sigcrypt.c +++ b/validator/val_sigcrypt.c 
@@ -526,13 +526,82 @@ int algo_needs_missing(struct algo_needs* n)
 return 0;
 }
+/**
+ * verify rrset, with dnskey rrset, for a specific rrsig in rrset
+ * @param env: module environment, scratch space is used.
+ * @param ve: validator environment, date settings.
+ * @param now: current time for validation (can be overridden).
+ * @param rrset: to be validated.
+ * @param dnskey: DNSKEY rrset, keyset to try.
+ * @param sig_idx: which signature to try to validate.
+ * @param sortree: reused sorted order. Stored in region. Pass NULL at start,
+ * and for a new rrset.
+ * @param reason: if bogus, a string returned, fixed or alloced in scratch.
+ * @param reason_bogus: EDE (RFC8914) code paired with the reason of failure.
+ * @param section: section of packet where this rrset comes from.
+ * @param qstate: qstate with region.
+ * @return secure if any key signs *this* signature. bogus if no key signs it,
+ * unchecked on error, or indeterminate if all keys are not supported by
+ * the crypto library (openssl3+ only).
+ */ static enum sec_status dnskeyset_verify_rrset_sig(struct module_env* env, struct val_env* ve, time_t now, struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, size_t sig_idx, struct rbtree_type** sortree, char** reason, sldns_ede_code *reason_bogus, - sldns_pkt_section section, struct module_qstate* qstate); + sldns_pkt_section section, struct module_qstate* qstate) +{ + /* find matching keys and check them */ + enum sec_status sec = sec_status_bogus; + uint16_t tag = rrset_get_sig_keytag(rrset, sig_idx); + int algo = rrset_get_sig_algo(rrset, sig_idx); + size_t i, num = rrset_get_count(dnskey); + size_t numchecked = 0; + size_t numindeterminate = 0; + int buf_canon = 0; + verbose(VERB_ALGO, "verify sig %d %d", (int)tag, algo); + if(!dnskey_algo_id_is_supported(algo)) { + if(reason_bogus) + *reason_bogus = LDNS_EDE_UNSUPPORTED_DNSKEY_ALG; + verbose(VERB_QUERY, "verify sig: unknown algorithm"); + return sec_status_insecure; + } + + for(i=0; iscratch, + env->scratch_buffer, ve, now, rrset, dnskey, i, + sig_idx, sortree, &buf_canon, reason, reason_bogus, + section, qstate); + if(sec == sec_status_secure) + return sec; + else if(sec == sec_status_indeterminate) + numindeterminate ++; + } + if(numchecked == 0) { + *reason = "signatures from unknown keys"; + if(reason_bogus) + *reason_bogus = LDNS_EDE_DNSKEY_MISSING; + verbose(VERB_QUERY, "verify: could not find appropriate key"); + return sec_status_bogus; + } + if(numindeterminate == numchecked) { + *reason = "unsupported algorithm by crypto library"; + if(reason_bogus) + *reason_bogus = LDNS_EDE_UNSUPPORTED_DNSKEY_ALG; + verbose(VERB_ALGO, "verify sig: unsupported algorithm by " + "crypto library"); + return sec_status_indeterminate; + } + return sec_status_bogus; +} enum sec_status dnskeyset_verify_rrset(struct module_env* env, struct val_env* ve, 
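Review bot: The new docblock's @return line omits the `sec_status_insecure` result that the added body returns when `dnskey_algo_id_is_supported(algo)` fails, so a reader of the comment would not expect an insecure outcome from this function. I would extend the @return text with `insecure if the signature's algorithm identifier is not supported at all,` ahead of the bogus case. On that same path `*reason_bogus` is set to LDNS_EDE_UNSUPPORTED_DNSKEY_ALG while `*reason` is left untouched, unlike the two later failure branches that assign both; if a caller pairs the EDE code with the reason string as the @param text describes, it would presumably see whatever string was there before, which deserves either a matching `*reason = "unsupported algorithm";` or a sentence in the comment saying the reason is intentionally not set for the insecure result. The loop header and the key-tag matching lines of the body are mangled in this rendering, so this note covers only the legible parts of the function.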
@@ -662,59 +731,6 @@ dnskey_verify_rrset(struct module_env* env, struct val_env* ve, return sec_status_bogus; } -static enum sec_status -dnskeyset_verify_rrset_sig(struct module_env* env, struct val_env* ve, - time_t now, struct ub_packed_rrset_key* rrset, - struct ub_packed_rrset_key* dnskey, size_t sig_idx, - struct rbtree_type** sortree, - char** reason, sldns_ede_code *reason_bogus, - sldns_pkt_section section, struct module_qstate* qstate) -{ - /* find matching keys and check them */ - enum sec_status sec = sec_status_bogus; - uint16_t tag = rrset_get_sig_keytag(rrset, sig_idx); - int algo = rrset_get_sig_algo(rrset, sig_idx); - size_t i, num = rrset_get_count(dnskey); - size_t numchecked = 0; - size_t numindeterminate = 0; - int buf_canon = 0; - verbose(VERB_ALGO, "verify sig %d %d", (int)tag, algo); - if(!dnskey_algo_id_is_supported(algo)) { - if(reason_bogus) - *reason_bogus = LDNS_EDE_UNSUPPORTED_DNSKEY_ALG; - verbose(VERB_QUERY, "verify sig: unknown algorithm"); - return sec_status_insecure; - } - - for(i=0; iscratch, - env->scratch_buffer, ve, now, rrset, dnskey, i, - sig_idx, sortree, &buf_canon, reason, reason_bogus, - section, qstate); - if(sec == sec_status_secure) - return sec; - else if(sec == sec_status_indeterminate) - numindeterminate ++; - } - if(numchecked == 0) { - *reason = "signatures from unknown keys"; - if(reason_bogus) - *reason_bogus = LDNS_EDE_DNSKEY_MISSING; - verbose(VERB_QUERY, "verify: could not find appropriate key"); - return sec_status_bogus; - } - if(numindeterminate == numchecked) - return sec_status_indeterminate; - return sec_status_bogus; -} - /** * RR entries in a canonical sorted tree of RRs */ -- 2.47.3