]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/resolve/resolved-dns-dnssec.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
resolved: when validating, first strip revoked trust anchor keys from validated keys...
[thirdparty/systemd.git] / src / resolve / resolved-dns-dnssec.c
CommitLineData
2b442ac8
LP		 1/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
2
3/***
4 This file is part of systemd.
5
6 Copyright 2015 Lennart Poettering
7
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
12
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
17
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
20***/
21
22#include <gcrypt.h>
23
24#include "alloc-util.h"
25#include "dns-domain.h"
72667f08 26#include "hexdecoct.h"
2b442ac8
LP		 27#include "resolved-dns-dnssec.h"
28#include "resolved-dns-packet.h"
24710c48 29#include "string-table.h"
2b442ac8
LP		 30
31/* Open question:
32 *
33 * How does the DNSSEC canonical form of a hostname with a label
34 * containing a dot look like, the way DNS-SD does it?
35 *
2cd87277
LP		 36 * TODO:
37 *
3ecc3df8 38 * - wildcard zones compatibility (NSEC/NSEC3 wildcard check is missing)
bb1fa242 39 * - multi-label zone compatibility
3e92a719 40 * - cname/dname compatibility
160fbda9 41 * - nxdomain on qname
d1d1d4b8 42 * - bus calls to override DNSEC setting per interface
28bf03b5
LP		 43 * - log all DNSSEC downgrades
44 * - enable by default
2cd87277 45 *
3a33c81b
LP		 46 * - RFC 4035, Section 5.3.4 (When receiving a positive wildcard reply, use NSEC to ensure it actually really applies)
47 * - RFC 6840, Section 4.1 (ensure we don't get fed a glue NSEC from the parent zone)
48 * - RFC 6840, Section 4.3 (check for CNAME on NSEC too)
2b442ac8
LP		 49 * */
50
51#define VERIFY_RRS_MAX 256
52#define MAX_KEY_SIZE (32*1024)
53
896c5672
LP		 54/* Permit a maximum clock skew of 1h 10min. This should be enough to deal with DST confusion */
55#define SKEW_MAX (1*USEC_PER_HOUR + 10*USEC_PER_MINUTE)
56
3a33c81b
LP		 57/* Maximum number of NSEC3 iterations we'll do. RFC5155 says 2500 shall be the maximum useful value */
58#define NSEC3_ITERATIONS_MAX 2500
a8f158b9 59
2b442ac8
LP		 60/*
61 * The DNSSEC Chain of trust:
62 *
63 * Normal RRs are protected via RRSIG RRs in combination with DNSKEY RRs, all in the same zone
64 * DNSKEY RRs are either protected like normal RRs, or via a DS from a zone "higher" up the tree
65 * DS RRs are protected like normal RRs
66 *
67 * Example chain:
68 * Normal RR → RRSIG/DNSKEY+ → DS → RRSIG/DNSKEY+ → DS → ... → DS → RRSIG/DNSKEY+ → DS
69 */
70
0638401a
LP		 71static void initialize_libgcrypt(void) {
72 const char *p;
73
74 if (gcry_control(GCRYCTL_INITIALIZATION_FINISHED_P))
75 return;
76
77 p = gcry_check_version("1.4.5");
78 assert(p);
79
80 gcry_control(GCRYCTL_DISABLE_SECMEM);
81 gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
82}
83
0c857028 84uint16_t dnssec_keytag(DnsResourceRecord *dnskey, bool mask_revoke) {
2b442ac8 85 const uint8_t *p;
0c857028 86 uint32_t sum, f;
2b442ac8
LP		 87 size_t i;
88
89 /* The algorithm from RFC 4034, Appendix B. */
90
91 assert(dnskey);
92 assert(dnskey->key->type == DNS_TYPE_DNSKEY);
93
0c857028
LP		 94 f = (uint32_t) dnskey->dnskey.flags;
95
96 if (mask_revoke)
97 f &= ~DNSKEY_FLAG_REVOKE;
98
99 sum = f + ((((uint32_t) dnskey->dnskey.protocol) << 8) + (uint32_t) dnskey->dnskey.algorithm);
2b442ac8
LP		 100
101 p = dnskey->dnskey.key;
102
103 for (i = 0; i < dnskey->dnskey.key_size; i++)
104 sum += (i & 1) == 0 ? (uint32_t) p[i] << 8 : (uint32_t) p[i];
105
106 sum += (sum >> 16) & UINT32_C(0xFFFF);
107
108 return sum & UINT32_C(0xFFFF);
109}
110
111static int rr_compare(const void *a, const void *b) {
112 DnsResourceRecord **x = (DnsResourceRecord**) a, **y = (DnsResourceRecord**) b;
113 size_t m;
114 int r;
115
116 /* Let's order the RRs according to RFC 4034, Section 6.3 */
117
118 assert(x);
119 assert(*x);
120 assert((*x)->wire_format);
121 assert(y);
122 assert(*y);
123 assert((*y)->wire_format);
124
85aeaccc 125 m = MIN(DNS_RESOURCE_RECORD_RDATA_SIZE(*x), DNS_RESOURCE_RECORD_RDATA_SIZE(*y));
2b442ac8 126
85aeaccc 127 r = memcmp(DNS_RESOURCE_RECORD_RDATA(*x), DNS_RESOURCE_RECORD_RDATA(*y), m);
2b442ac8
LP		 128 if (r != 0)
129 return r;
130
85aeaccc 131 if (DNS_RESOURCE_RECORD_RDATA_SIZE(*x) < DNS_RESOURCE_RECORD_RDATA_SIZE(*y))
2b442ac8 132 return -1;
85aeaccc 133 else if (DNS_RESOURCE_RECORD_RDATA_SIZE(*x) > DNS_RESOURCE_RECORD_RDATA_SIZE(*y))
2b442ac8
LP		 134 return 1;
135
136 return 0;
137}
138
ea3a892f 139static int dnssec_rsa_verify_raw(
2b442ac8
LP		 140 const char *hash_algorithm,
141 const void *signature, size_t signature_size,
142 const void *data, size_t data_size,
143 const void *exponent, size_t exponent_size,
144 const void *modulus, size_t modulus_size) {
145
146 gcry_sexp_t public_key_sexp = NULL, data_sexp = NULL, signature_sexp = NULL;
147 gcry_mpi_t n = NULL, e = NULL, s = NULL;
148 gcry_error_t ge;
149 int r;
150
151 assert(hash_algorithm);
152
153 ge = gcry_mpi_scan(&s, GCRYMPI_FMT_USG, signature, signature_size, NULL);
154 if (ge != 0) {
155 r = -EIO;
156 goto finish;
157 }
158
159 ge = gcry_mpi_scan(&e, GCRYMPI_FMT_USG, exponent, exponent_size, NULL);
160 if (ge != 0) {
161 r = -EIO;
162 goto finish;
163 }
164
165 ge = gcry_mpi_scan(&n, GCRYMPI_FMT_USG, modulus, modulus_size, NULL);
166 if (ge != 0) {
167 r = -EIO;
168 goto finish;
169 }
170
171 ge = gcry_sexp_build(&signature_sexp,
172 NULL,
173 "(sig-val (rsa (s %m)))",
174 s);
175
176 if (ge != 0) {
177 r = -EIO;
178 goto finish;
179 }
180
181 ge = gcry_sexp_build(&data_sexp,
182 NULL,
183 "(data (flags pkcs1) (hash %s %b))",
184 hash_algorithm,
185 (int) data_size,
186 data);
187 if (ge != 0) {
188 r = -EIO;
189 goto finish;
190 }
191
192 ge = gcry_sexp_build(&public_key_sexp,
193 NULL,
194 "(public-key (rsa (n %m) (e %m)))",
195 n,
196 e);
197 if (ge != 0) {
198 r = -EIO;
199 goto finish;
200 }
201
202 ge = gcry_pk_verify(signature_sexp, data_sexp, public_key_sexp);
d12bf2bd 203 if (gpg_err_code(ge) == GPG_ERR_BAD_SIGNATURE)
2b442ac8 204 r = 0;
d12bf2bd
LP		 205 else if (ge != 0) {
206 log_debug("RSA signature check failed: %s", gpg_strerror(ge));
2b442ac8 207 r = -EIO;
d12bf2bd 208 } else
2b442ac8
LP		 209 r = 1;
210
211finish:
212 if (e)
213 gcry_mpi_release(e);
214 if (n)
215 gcry_mpi_release(n);
216 if (s)
217 gcry_mpi_release(s);
218
219 if (public_key_sexp)
220 gcry_sexp_release(public_key_sexp);
221 if (signature_sexp)
222 gcry_sexp_release(signature_sexp);
223 if (data_sexp)
224 gcry_sexp_release(data_sexp);
225
226 return r;
227}
228
ea3a892f
LP		 229static int dnssec_rsa_verify(
230 const char *hash_algorithm,
231 const void *hash, size_t hash_size,
232 DnsResourceRecord *rrsig,
233 DnsResourceRecord *dnskey) {
234
235 size_t exponent_size, modulus_size;
236 void *exponent, *modulus;
237
238 assert(hash_algorithm);
239 assert(hash);
240 assert(hash_size > 0);
241 assert(rrsig);
242 assert(dnskey);
243
244 if (*(uint8_t*) dnskey->dnskey.key == 0) {
245 /* exponent is > 255 bytes long */
246
247 exponent = (uint8_t*) dnskey->dnskey.key + 3;
248 exponent_size =
ac04adbe
TG		 249 ((size_t) (((uint8_t*) dnskey->dnskey.key)[1]) << 8) |
250 ((size_t) ((uint8_t*) dnskey->dnskey.key)[2]);
ea3a892f
LP		 251
252 if (exponent_size < 256)
253 return -EINVAL;
254
255 if (3 + exponent_size >= dnskey->dnskey.key_size)
256 return -EINVAL;
257
258 modulus = (uint8_t*) dnskey->dnskey.key + 3 + exponent_size;
259 modulus_size = dnskey->dnskey.key_size - 3 - exponent_size;
260
261 } else {
262 /* exponent is <= 255 bytes long */
263
264 exponent = (uint8_t*) dnskey->dnskey.key + 1;
265 exponent_size = (size_t) ((uint8_t*) dnskey->dnskey.key)[0];
266
267 if (exponent_size <= 0)
268 return -EINVAL;
269
270 if (1 + exponent_size >= dnskey->dnskey.key_size)
271 return -EINVAL;
272
273 modulus = (uint8_t*) dnskey->dnskey.key + 1 + exponent_size;
274 modulus_size = dnskey->dnskey.key_size - 1 - exponent_size;
275 }
276
277 return dnssec_rsa_verify_raw(
278 hash_algorithm,
279 rrsig->rrsig.signature, rrsig->rrsig.signature_size,
280 hash, hash_size,
281 exponent, exponent_size,
282 modulus, modulus_size);
283}
284
e0240c64
LP		 285static int dnssec_ecdsa_verify_raw(
286 const char *hash_algorithm,
287 const char *curve,
288 const void *signature_r, size_t signature_r_size,
289 const void *signature_s, size_t signature_s_size,
290 const void *data, size_t data_size,
291 const void *key, size_t key_size) {
292
293 gcry_sexp_t public_key_sexp = NULL, data_sexp = NULL, signature_sexp = NULL;
294 gcry_mpi_t q = NULL, r = NULL, s = NULL;
295 gcry_error_t ge;
296 int k;
297
298 assert(hash_algorithm);
299
300 ge = gcry_mpi_scan(&r, GCRYMPI_FMT_USG, signature_r, signature_r_size, NULL);
301 if (ge != 0) {
302 k = -EIO;
303 goto finish;
304 }
305
306 ge = gcry_mpi_scan(&s, GCRYMPI_FMT_USG, signature_s, signature_s_size, NULL);
307 if (ge != 0) {
308 k = -EIO;
309 goto finish;
310 }
311
312 ge = gcry_mpi_scan(&q, GCRYMPI_FMT_USG, key, key_size, NULL);
313 if (ge != 0) {
314 k = -EIO;
315 goto finish;
316 }
317
318 ge = gcry_sexp_build(&signature_sexp,
319 NULL,
320 "(sig-val (ecdsa (r %m) (s %m)))",
321 r,
322 s);
323 if (ge != 0) {
324 k = -EIO;
325 goto finish;
326 }
327
328 ge = gcry_sexp_build(&data_sexp,
329 NULL,
330 "(data (flags rfc6979) (hash %s %b))",
331 hash_algorithm,
332 (int) data_size,
333 data);
334 if (ge != 0) {
335 k = -EIO;
336 goto finish;
337 }
338
339 ge = gcry_sexp_build(&public_key_sexp,
340 NULL,
341 "(public-key (ecc (curve %s) (q %m)))",
342 curve,
343 q);
344 if (ge != 0) {
345 k = -EIO;
346 goto finish;
347 }
348
349 ge = gcry_pk_verify(signature_sexp, data_sexp, public_key_sexp);
350 if (gpg_err_code(ge) == GPG_ERR_BAD_SIGNATURE)
351 k = 0;
352 else if (ge != 0) {
353 log_debug("ECDSA signature check failed: %s", gpg_strerror(ge));
354 k = -EIO;
355 } else
356 k = 1;
357finish:
358 if (r)
359 gcry_mpi_release(r);
360 if (s)
361 gcry_mpi_release(s);
362 if (q)
363 gcry_mpi_release(q);
364
365 if (public_key_sexp)
366 gcry_sexp_release(public_key_sexp);
367 if (signature_sexp)
368 gcry_sexp_release(signature_sexp);
369 if (data_sexp)
370 gcry_sexp_release(data_sexp);
371
372 return k;
373}
374
375static int dnssec_ecdsa_verify(
376 const char *hash_algorithm,
377 int algorithm,
378 const void *hash, size_t hash_size,
379 DnsResourceRecord *rrsig,
380 DnsResourceRecord *dnskey) {
381
382 const char *curve;
383 size_t key_size;
384 uint8_t *q;
385
386 assert(hash);
387 assert(hash_size);
388 assert(rrsig);
389 assert(dnskey);
390
391 if (algorithm == DNSSEC_ALGORITHM_ECDSAP256SHA256) {
392 key_size = 32;
393 curve = "NIST P-256";
394 } else if (algorithm == DNSSEC_ALGORITHM_ECDSAP384SHA384) {
395 key_size = 48;
396 curve = "NIST P-384";
397 } else
398 return -EOPNOTSUPP;
399
400 if (dnskey->dnskey.key_size != key_size * 2)
401 return -EINVAL;
402
403 if (rrsig->rrsig.signature_size != key_size * 2)
404 return -EINVAL;
405
406 q = alloca(key_size*2 + 1);
407 q[0] = 0x04; /* Prepend 0x04 to indicate an uncompressed key */
408 memcpy(q+1, dnskey->dnskey.key, key_size*2);
409
410 return dnssec_ecdsa_verify_raw(
411 hash_algorithm,
412 curve,
413 rrsig->rrsig.signature, key_size,
414 (uint8_t*) rrsig->rrsig.signature + key_size, key_size,
415 hash, hash_size,
416 q, key_size*2+1);
417}
418
2b442ac8
LP		 419static void md_add_uint8(gcry_md_hd_t md, uint8_t v) {
420 gcry_md_write(md, &v, sizeof(v));
421}
422
423static void md_add_uint16(gcry_md_hd_t md, uint16_t v) {
424 v = htobe16(v);
425 gcry_md_write(md, &v, sizeof(v));
426}
427
428static void md_add_uint32(gcry_md_hd_t md, uint32_t v) {
429 v = htobe32(v);
430 gcry_md_write(md, &v, sizeof(v));
431}
432
2a326321
LP		 433static int dnssec_rrsig_expired(DnsResourceRecord *rrsig, usec_t realtime) {
434 usec_t expiration, inception, skew;
435
436 assert(rrsig);
437 assert(rrsig->key->type == DNS_TYPE_RRSIG);
438
439 if (realtime == USEC_INFINITY)
440 realtime = now(CLOCK_REALTIME);
441
442 expiration = rrsig->rrsig.expiration * USEC_PER_SEC;
443 inception = rrsig->rrsig.inception * USEC_PER_SEC;
444
445 if (inception > expiration)
2a44bec4 446 return -EKEYREJECTED;
2a326321 447
896c5672
LP		 448 /* Permit a certain amount of clock skew of 10% of the valid
449 * time range. This takes inspiration from unbound's
450 * resolver. */
2a326321 451 skew = (expiration - inception) / 10;
896c5672
LP		 452 if (skew > SKEW_MAX)
453 skew = SKEW_MAX;
2a326321
LP		 454
455 if (inception < skew)
456 inception = 0;
457 else
458 inception -= skew;
459
460 if (expiration + skew < expiration)
461 expiration = USEC_INFINITY;
462 else
463 expiration += skew;
464
465 return realtime < inception || realtime > expiration;
466}
467
ca994e85 468static int algorithm_to_gcrypt_md(uint8_t algorithm) {
fbf1a66d 469
6af47493
LP		 470 /* Translates a DNSSEC signature algorithm into a gcrypt
471 * digest identifier.
472 *
473 * Note that we implement all algorithms listed as "Must
474 * implement" and "Recommended to Implement" in RFC6944. We
475 * don't implement any algorithms that are listed as
476 * "Optional" or "Must Not Implement". Specifically, we do not
477 * implement RSAMD5, DSASHA1, DH, DSA-NSEC3-SHA1, and
478 * GOST-ECC. */
fbf1a66d
LP		 479
480 switch (algorithm) {
481
482 case DNSSEC_ALGORITHM_RSASHA1:
483 case DNSSEC_ALGORITHM_RSASHA1_NSEC3_SHA1:
484 return GCRY_MD_SHA1;
485
486 case DNSSEC_ALGORITHM_RSASHA256:
e0240c64 487 case DNSSEC_ALGORITHM_ECDSAP256SHA256:
fbf1a66d
LP		 488 return GCRY_MD_SHA256;
489
e0240c64
LP		 490 case DNSSEC_ALGORITHM_ECDSAP384SHA384:
491 return GCRY_MD_SHA384;
492
fbf1a66d
LP		 493 case DNSSEC_ALGORITHM_RSASHA512:
494 return GCRY_MD_SHA512;
495
496 default:
497 return -EOPNOTSUPP;
498 }
499}
500
2a326321
LP		 501int dnssec_verify_rrset(
502 DnsAnswer *a,
0c857028 503 const DnsResourceKey *key,
2a326321
LP		 504 DnsResourceRecord *rrsig,
505 DnsResourceRecord *dnskey,
547973de
LP		 506 usec_t realtime,
507 DnssecResult *result) {
2a326321 508
2b442ac8 509 uint8_t wire_format_name[DNS_WIRE_FOMAT_HOSTNAME_MAX];
ea3a892f
LP		 510 size_t hash_size;
511 void *hash;
2b442ac8
LP		 512 DnsResourceRecord **list, *rr;
513 gcry_md_hd_t md = NULL;
ca994e85 514 int r, md_algorithm;
2b442ac8 515 size_t k, n = 0;
2b442ac8
LP		 516
517 assert(key);
518 assert(rrsig);
519 assert(dnskey);
547973de 520 assert(result);
2a326321
LP		 521 assert(rrsig->key->type == DNS_TYPE_RRSIG);
522 assert(dnskey->key->type == DNS_TYPE_DNSKEY);
2b442ac8
LP		 523
524 /* Verifies the the RRSet matching the specified "key" in "a",
525 * using the signature "rrsig" and the key "dnskey". It's
526 * assumed the RRSIG and DNSKEY match. */
527
ca994e85
LP		 528 md_algorithm = algorithm_to_gcrypt_md(rrsig->rrsig.algorithm);
529 if (md_algorithm == -EOPNOTSUPP) {
203f1b35
LP		 530 *result = DNSSEC_UNSUPPORTED_ALGORITHM;
531 return 0;
532 }
ca994e85
LP		 533 if (md_algorithm < 0)
534 return md_algorithm;
2b442ac8 535
2a326321
LP		 536 r = dnssec_rrsig_expired(rrsig, realtime);
537 if (r < 0)
538 return r;
547973de
LP		 539 if (r > 0) {
540 *result = DNSSEC_SIGNATURE_EXPIRED;
541 return 0;
542 }
2a326321 543
2b442ac8 544 /* Collect all relevant RRs in a single array, so that we can look at the RRset */
0f23174c 545 list = newa(DnsResourceRecord *, dns_answer_size(a));
2b442ac8
LP		 546
547 DNS_ANSWER_FOREACH(rr, a) {
548 r = dns_resource_key_equal(key, rr->key);
549 if (r < 0)
550 return r;
551 if (r == 0)
552 continue;
553
554 /* We need the wire format for ordering, and digest calculation */
555 r = dns_resource_record_to_wire_format(rr, true);
556 if (r < 0)
557 return r;
558
559 list[n++] = rr;
935a999f
TG		 560
561 if (n > VERIFY_RRS_MAX)
562 return -E2BIG;
2b442ac8
LP		 563 }
564
565 if (n <= 0)
566 return -ENODATA;
567
568 /* Bring the RRs into canonical order */
6c5e8fbf 569 qsort_safe(list, n, sizeof(DnsResourceRecord*), rr_compare);
2b442ac8
LP		 570
571 /* OK, the RRs are now in canonical order. Let's calculate the digest */
fbf1a66d 572 initialize_libgcrypt();
2b442ac8 573
ca994e85 574 hash_size = gcry_md_get_algo_dlen(md_algorithm);
fbf1a66d 575 assert(hash_size > 0);
2b442ac8 576
ca994e85 577 gcry_md_open(&md, md_algorithm, 0);
2b442ac8
LP		 578 if (!md)
579 return -EIO;
580
581 md_add_uint16(md, rrsig->rrsig.type_covered);
582 md_add_uint8(md, rrsig->rrsig.algorithm);
583 md_add_uint8(md, rrsig->rrsig.labels);
584 md_add_uint32(md, rrsig->rrsig.original_ttl);
585 md_add_uint32(md, rrsig->rrsig.expiration);
586 md_add_uint32(md, rrsig->rrsig.inception);
587 md_add_uint16(md, rrsig->rrsig.key_tag);
588
589 r = dns_name_to_wire_format(rrsig->rrsig.signer, wire_format_name, sizeof(wire_format_name), true);
590 if (r < 0)
591 goto finish;
592 gcry_md_write(md, wire_format_name, r);
593
594 for (k = 0; k < n; k++) {
e7ff0e0b 595 const char *suffix;
2b442ac8
LP		 596 size_t l;
597 rr = list[k];
598
e7ff0e0b
LP		 599 r = dns_name_suffix(DNS_RESOURCE_KEY_NAME(rr->key), rrsig->rrsig.labels, &suffix);
600 if (r < 0)
601 goto finish;
602 if (r > 0) /* This is a wildcard! */
603 gcry_md_write(md, (uint8_t[]) { 1, '*'}, 2);
604
605 r = dns_name_to_wire_format(suffix, wire_format_name, sizeof(wire_format_name), true);
2b442ac8
LP		 606 if (r < 0)
607 goto finish;
608 gcry_md_write(md, wire_format_name, r);
609
610 md_add_uint16(md, rr->key->type);
611 md_add_uint16(md, rr->key->class);
612 md_add_uint32(md, rrsig->rrsig.original_ttl);
613
85aeaccc 614 l = DNS_RESOURCE_RECORD_RDATA_SIZE(rr);
2b442ac8
LP		 615 assert(l <= 0xFFFF);
616
617 md_add_uint16(md, (uint16_t) l);
85aeaccc 618 gcry_md_write(md, DNS_RESOURCE_RECORD_RDATA(rr), l);
2b442ac8
LP		 619 }
620
621 hash = gcry_md_read(md, 0);
622 if (!hash) {
623 r = -EIO;
624 goto finish;
625 }
626
e0240c64
LP		 627 switch (rrsig->rrsig.algorithm) {
628
629 case DNSSEC_ALGORITHM_RSASHA1:
630 case DNSSEC_ALGORITHM_RSASHA1_NSEC3_SHA1:
631 case DNSSEC_ALGORITHM_RSASHA256:
632 case DNSSEC_ALGORITHM_RSASHA512:
633 r = dnssec_rsa_verify(
ca994e85 634 gcry_md_algo_name(md_algorithm),
e0240c64
LP		 635 hash, hash_size,
636 rrsig,
637 dnskey);
638 break;
639
640 case DNSSEC_ALGORITHM_ECDSAP256SHA256:
641 case DNSSEC_ALGORITHM_ECDSAP384SHA384:
642 r = dnssec_ecdsa_verify(
ca994e85 643 gcry_md_algo_name(md_algorithm),
e0240c64
LP		 644 rrsig->rrsig.algorithm,
645 hash, hash_size,
646 rrsig,
647 dnskey);
648 break;
649 }
650
2b442ac8
LP		 651 if (r < 0)
652 goto finish;
653
547973de
LP		 654 *result = r ? DNSSEC_VALIDATED : DNSSEC_INVALID;
655 r = 0;
2b442ac8
LP		 656
657finish:
658 gcry_md_close(md);
659 return r;
660}
661
0c857028 662int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, bool revoked_ok) {
2b442ac8
LP		 663
664 assert(rrsig);
665 assert(dnskey);
666
667 /* Checks if the specified DNSKEY RR matches the key used for
668 * the signature in the specified RRSIG RR */
669
670 if (rrsig->key->type != DNS_TYPE_RRSIG)
671 return -EINVAL;
672
673 if (dnskey->key->type != DNS_TYPE_DNSKEY)
674 return 0;
675 if (dnskey->key->class != rrsig->key->class)
676 return 0;
677 if ((dnskey->dnskey.flags & DNSKEY_FLAG_ZONE_KEY) == 0)
678 return 0;
0c857028 679 if (!revoked_ok && (dnskey->dnskey.flags & DNSKEY_FLAG_REVOKE))
28b8191e 680 return 0;
2b442ac8
LP		 681 if (dnskey->dnskey.protocol != 3)
682 return 0;
683 if (dnskey->dnskey.algorithm != rrsig->rrsig.algorithm)
684 return 0;
685
0c857028 686 if (dnssec_keytag(dnskey, false) != rrsig->rrsig.key_tag)
2b442ac8
LP		 687 return 0;
688
15accc27 689 return dns_name_equal(DNS_RESOURCE_KEY_NAME(dnskey->key), rrsig->rrsig.signer);
2b442ac8
LP		 690}
691
105e1512 692int dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig) {
e7ff0e0b
LP		 693 int r;
694
2b442ac8
LP		 695 assert(key);
696 assert(rrsig);
697
698 /* Checks if the specified RRSIG RR protects the RRSet of the specified RR key. */
699
700 if (rrsig->key->type != DNS_TYPE_RRSIG)
701 return 0;
702 if (rrsig->key->class != key->class)
703 return 0;
704 if (rrsig->rrsig.type_covered != key->type)
705 return 0;
706
e7ff0e0b
LP		 707 /* Make sure signer is a parent of the RRset */
708 r = dns_name_endswith(DNS_RESOURCE_KEY_NAME(rrsig->key), rrsig->rrsig.signer);
709 if (r <= 0)
710 return r;
711
712 /* Make sure the owner name has at least as many labels as the "label" fields indicates. */
713 r = dns_name_count_labels(DNS_RESOURCE_KEY_NAME(rrsig->key));
714 if (r < 0)
715 return r;
716 if (r < rrsig->rrsig.labels)
717 return 0;
718
2b442ac8
LP		 719 return dns_name_equal(DNS_RESOURCE_KEY_NAME(rrsig->key), DNS_RESOURCE_KEY_NAME(key));
720}
721
ee3d6aff
LP		 722static int dnssec_fix_rrset_ttl(DnsAnswer *a, const DnsResourceKey *key, DnsResourceRecord *rrsig, usec_t realtime) {
723 DnsResourceRecord *rr;
724 int r;
725
726 assert(key);
727 assert(rrsig);
728
729 DNS_ANSWER_FOREACH(rr, a) {
730 r = dns_resource_key_equal(key, rr->key);
731 if (r < 0)
732 return r;
733 if (r == 0)
734 continue;
735
736 /* Pick the TTL as the minimum of the RR's TTL, the
737 * RR's original TTL according to the RRSIG and the
738 * RRSIG's own TTL, see RFC 4035, Section 5.3.3 */
739 rr->ttl = MIN3(rr->ttl, rrsig->rrsig.original_ttl, rrsig->ttl);
740 rr->expiry = rrsig->rrsig.expiration * USEC_PER_SEC;
741 }
742
743 return 0;
744}
745
2a326321
LP		 746int dnssec_verify_rrset_search(
747 DnsAnswer *a,
0c857028 748 const DnsResourceKey *key,
2a326321 749 DnsAnswer *validated_dnskeys,
547973de
LP		 750 usec_t realtime,
751 DnssecResult *result) {
2a326321 752
203f1b35 753 bool found_rrsig = false, found_invalid = false, found_expired_rrsig = false, found_unsupported_algorithm = false;
2b442ac8
LP		 754 DnsResourceRecord *rrsig;
755 int r;
756
757 assert(key);
547973de 758 assert(result);
2b442ac8 759
105e1512 760 /* Verifies all RRs from "a" that match the key "key" against DNSKEYs in "validated_dnskeys" */
2b442ac8
LP		 761
762 if (!a || a->n_rrs <= 0)
763 return -ENODATA;
764
765 /* Iterate through each RRSIG RR. */
766 DNS_ANSWER_FOREACH(rrsig, a) {
767 DnsResourceRecord *dnskey;
105e1512 768 DnsAnswerFlags flags;
2b442ac8 769
203f1b35 770 /* Is this an RRSIG RR that applies to RRs matching our key? */
2b442ac8
LP		 771 r = dnssec_key_match_rrsig(key, rrsig);
772 if (r < 0)
773 return r;
774 if (r == 0)
775 continue;
776
777 found_rrsig = true;
778
547973de 779 /* Look for a matching key */
105e1512 780 DNS_ANSWER_FOREACH_FLAGS(dnskey, flags, validated_dnskeys) {
547973de 781 DnssecResult one_result;
2b442ac8 782
105e1512
LP		 783 if ((flags & DNS_ANSWER_AUTHENTICATED) == 0)
784 continue;
785
203f1b35 786 /* Is this a DNSKEY RR that matches they key of our RRSIG? */
0c857028 787 r = dnssec_rrsig_match_dnskey(rrsig, dnskey, false);
2b442ac8
LP		 788 if (r < 0)
789 return r;
790 if (r == 0)
791 continue;
792
2a326321
LP		 793 /* Take the time here, if it isn't set yet, so
794 * that we do all validations with the same
795 * time. */
796 if (realtime == USEC_INFINITY)
797 realtime = now(CLOCK_REALTIME);
798
2b442ac8
LP		 799 /* Yay, we found a matching RRSIG with a matching
800 * DNSKEY, awesome. Now let's verify all entries of
801 * the RRSet against the RRSIG and DNSKEY
802 * combination. */
803
547973de 804 r = dnssec_verify_rrset(a, key, rrsig, dnskey, realtime, &one_result);
203f1b35 805 if (r < 0)
2b442ac8 806 return r;
203f1b35
LP		 807
808 switch (one_result) {
809
810 case DNSSEC_VALIDATED:
811 /* Yay, the RR has been validated,
ee3d6aff
LP		 812 * return immediately, but fix up the expiry */
813 r = dnssec_fix_rrset_ttl(a, key, rrsig, realtime);
814 if (r < 0)
815 return r;
816
547973de
LP		 817 *result = DNSSEC_VALIDATED;
818 return 0;
2b442ac8 819
203f1b35
LP		 820 case DNSSEC_INVALID:
821 /* If the signature is invalid, let's try another
822 key and/or signature. After all they
823 key_tags and stuff are not unique, and
824 might be shared by multiple keys. */
825 found_invalid = true;
826 continue;
827
828 case DNSSEC_UNSUPPORTED_ALGORITHM:
829 /* If the key algorithm is
830 unsupported, try another
831 RRSIG/DNSKEY pair, but remember we
832 encountered this, so that we can
833 return a proper error when we
834 encounter nothing better. */
835 found_unsupported_algorithm = true;
836 continue;
837
838 case DNSSEC_SIGNATURE_EXPIRED:
839 /* If the signature is expired, try
840 another one, but remember it, so
841 that we can return this */
842 found_expired_rrsig = true;
843 continue;
844
845 default:
846 assert_not_reached("Unexpected DNSSEC validation result");
847 }
2b442ac8
LP		 848 }
849 }
850
203f1b35
LP		 851 if (found_expired_rrsig)
852 *result = DNSSEC_SIGNATURE_EXPIRED;
853 else if (found_unsupported_algorithm)
854 *result = DNSSEC_UNSUPPORTED_ALGORITHM;
855 else if (found_invalid)
547973de
LP		 856 *result = DNSSEC_INVALID;
857 else if (found_rrsig)
858 *result = DNSSEC_MISSING_KEY;
859 else
860 *result = DNSSEC_NO_SIGNATURE;
2b442ac8 861
547973de 862 return 0;
2b442ac8
LP		 863}
864
105e1512
LP		 865int dnssec_has_rrsig(DnsAnswer *a, const DnsResourceKey *key) {
866 DnsResourceRecord *rr;
867 int r;
868
869 /* Checks whether there's at least one RRSIG in 'a' that proctects RRs of the specified key */
870
871 DNS_ANSWER_FOREACH(rr, a) {
872 r = dnssec_key_match_rrsig(key, rr);
873 if (r < 0)
874 return r;
875 if (r > 0)
876 return 1;
877 }
878
879 return 0;
880}
881
2b442ac8 882int dnssec_canonicalize(const char *n, char *buffer, size_t buffer_max) {
2b442ac8
LP		 883 size_t c = 0;
884 int r;
885
886 /* Converts the specified hostname into DNSSEC canonicalized
887 * form. */
888
889 if (buffer_max < 2)
890 return -ENOBUFS;
891
892 for (;;) {
2b442ac8
LP		 893 r = dns_label_unescape(&n, buffer, buffer_max);
894 if (r < 0)
895 return r;
896 if (r == 0)
897 break;
898 if (r > 0) {
899 int k;
900
901 /* DNSSEC validation is always done on the ASCII version of the label */
902 k = dns_label_apply_idna(buffer, r, buffer, buffer_max);
903 if (k < 0)
904 return k;
905 if (k > 0)
906 r = k;
907 }
908
909 if (buffer_max < (size_t) r + 2)
910 return -ENOBUFS;
911
912 /* The DNSSEC canonical form is not clear on what to
913 * do with dots appearing in labels, the way DNS-SD
914 * does it. Refuse it for now. */
915
916 if (memchr(buffer, '.', r))
917 return -EINVAL;
918
b577e3d5 919 ascii_strlower_n(buffer, (size_t) r);
2b442ac8
LP		 920 buffer[r] = '.';
921
922 buffer += r + 1;
923 c += r + 1;
924
925 buffer_max -= r + 1;
926 }
927
928 if (c <= 0) {
929 /* Not even a single label: this is the root domain name */
930
931 assert(buffer_max > 2);
932 buffer[0] = '.';
933 buffer[1] = 0;
934
935 return 1;
936 }
937
938 return (int) c;
939}
940
ca994e85 941static int digest_to_gcrypt_md(uint8_t algorithm) {
a1972a91 942
fbf1a66d 943 /* Translates a DNSSEC digest algorithm into a gcrypt digest identifier */
a1972a91
LP		 944
945 switch (algorithm) {
946
947 case DNSSEC_DIGEST_SHA1:
948 return GCRY_MD_SHA1;
949
950 case DNSSEC_DIGEST_SHA256:
951 return GCRY_MD_SHA256;
952
af22c65b
LP		 953 case DNSSEC_DIGEST_SHA384:
954 return GCRY_MD_SHA384;
955
a1972a91
LP		 956 default:
957 return -EOPNOTSUPP;
958 }
959}
960
0c857028 961int dnssec_verify_dnskey(DnsResourceRecord *dnskey, DnsResourceRecord *ds, bool mask_revoke) {
2b442ac8 962 char owner_name[DNSSEC_CANONICAL_HOSTNAME_MAX];
a1972a91
LP		 963 gcry_md_hd_t md = NULL;
964 size_t hash_size;
ca994e85 965 int md_algorithm, r;
2b442ac8 966 void *result;
2b442ac8
LP		 967
968 assert(dnskey);
969 assert(ds);
970
971 /* Implements DNSKEY verification by a DS, according to RFC 4035, section 5.2 */
972
973 if (dnskey->key->type != DNS_TYPE_DNSKEY)
974 return -EINVAL;
975 if (ds->key->type != DNS_TYPE_DS)
976 return -EINVAL;
977 if ((dnskey->dnskey.flags & DNSKEY_FLAG_ZONE_KEY) == 0)
978 return -EKEYREJECTED;
0c857028
LP		 979 if (!mask_revoke && (dnskey->dnskey.flags & DNSKEY_FLAG_REVOKE))
980 return -EKEYREJECTED;
2b442ac8
LP		 981 if (dnskey->dnskey.protocol != 3)
982 return -EKEYREJECTED;
983
2b442ac8
LP		 984 if (dnskey->dnskey.algorithm != ds->ds.algorithm)
985 return 0;
0c857028 986 if (dnssec_keytag(dnskey, mask_revoke) != ds->ds.key_tag)
2b442ac8
LP		 987 return 0;
988
0638401a
LP		 989 initialize_libgcrypt();
990
ca994e85
LP		 991 md_algorithm = digest_to_gcrypt_md(ds->ds.digest_type);
992 if (md_algorithm < 0)
993 return md_algorithm;
2b442ac8 994
ca994e85 995 hash_size = gcry_md_get_algo_dlen(md_algorithm);
a1972a91 996 assert(hash_size > 0);
2b442ac8 997
a1972a91
LP		 998 if (ds->ds.digest_size != hash_size)
999 return 0;
2b442ac8 1000
a1972a91
LP		 1001 r = dnssec_canonicalize(DNS_RESOURCE_KEY_NAME(dnskey->key), owner_name, sizeof(owner_name));
1002 if (r < 0)
1003 return r;
2b442ac8 1004
ca994e85 1005 gcry_md_open(&md, md_algorithm, 0);
2b442ac8
LP		 1006 if (!md)
1007 return -EIO;
1008
2b442ac8 1009 gcry_md_write(md, owner_name, r);
0c857028
LP		 1010 if (mask_revoke)
1011 md_add_uint16(md, dnskey->dnskey.flags & ~DNSKEY_FLAG_REVOKE);
1012 else
1013 md_add_uint16(md, dnskey->dnskey.flags);
2b442ac8
LP		 1014 md_add_uint8(md, dnskey->dnskey.protocol);
1015 md_add_uint8(md, dnskey->dnskey.algorithm);
1016 gcry_md_write(md, dnskey->dnskey.key, dnskey->dnskey.key_size);
1017
1018 result = gcry_md_read(md, 0);
1019 if (!result) {
1020 r = -EIO;
1021 goto finish;
1022 }
1023
1024 r = memcmp(result, ds->ds.digest, ds->ds.digest_size) != 0;
1025
1026finish:
1027 gcry_md_close(md);
1028 return r;
1029}
24710c48 1030
547973de
LP		 1031int dnssec_verify_dnskey_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds) {
1032 DnsResourceRecord *ds;
105e1512 1033 DnsAnswerFlags flags;
547973de
LP		 1034 int r;
1035
1036 assert(dnskey);
1037
1038 if (dnskey->key->type != DNS_TYPE_DNSKEY)
1039 return 0;
1040
105e1512
LP		 1041 DNS_ANSWER_FOREACH_FLAGS(ds, flags, validated_ds) {
1042
1043 if ((flags & DNS_ANSWER_AUTHENTICATED) == 0)
1044 continue;
547973de
LP		 1045
1046 if (ds->key->type != DNS_TYPE_DS)
1047 continue;
1048
d1c4ee32
LP		 1049 if (ds->key->class != dnskey->key->class)
1050 continue;
1051
1052 r = dns_name_equal(DNS_RESOURCE_KEY_NAME(dnskey->key), DNS_RESOURCE_KEY_NAME(ds->key));
1053 if (r < 0)
1054 return r;
1055 if (r == 0)
1056 continue;
1057
0c857028
LP		 1058 r = dnssec_verify_dnskey(dnskey, ds, false);
1059 if (r == -EKEYREJECTED)
1060 return 0; /* The DNSKEY is revoked or otherwise invalid, we won't bless it */
547973de
LP		 1061 if (r < 0)
1062 return r;
1063 if (r > 0)
1064 return 1;
1065 }
1066
1067 return 0;
1068}
1069
d15ad742
LP		 1070static int nsec3_hash_to_gcrypt_md(uint8_t algorithm) {
1071
1072 /* Translates a DNSSEC NSEC3 hash algorithm into a gcrypt digest identifier */
1073
1074 switch (algorithm) {
1075
1076 case NSEC3_ALGORITHM_SHA1:
1077 return GCRY_MD_SHA1;
1078
1079 default:
1080 return -EOPNOTSUPP;
1081 }
1082}
1083
1d3db294 1084int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret) {
72667f08
LP		 1085 uint8_t wire_format[DNS_WIRE_FOMAT_HOSTNAME_MAX];
1086 gcry_md_hd_t md = NULL;
1087 size_t hash_size;
1088 int algorithm;
1089 void *result;
1090 unsigned k;
1091 int r;
1092
1093 assert(nsec3);
1094 assert(name);
1095 assert(ret);
1096
1097 if (nsec3->key->type != DNS_TYPE_NSEC3)
1098 return -EINVAL;
1099
1d3db294
LP		 1100 if (nsec3->nsec3.iterations > NSEC3_ITERATIONS_MAX) {
1101 log_debug("Ignoring NSEC3 RR %s with excessive number of iterations.", dns_resource_record_to_string(nsec3));
a8f158b9 1102 return -EOPNOTSUPP;
1d3db294 1103 }
a8f158b9 1104
d15ad742 1105 algorithm = nsec3_hash_to_gcrypt_md(nsec3->nsec3.algorithm);
72667f08
LP		 1106 if (algorithm < 0)
1107 return algorithm;
1108
1109 initialize_libgcrypt();
1110
1111 hash_size = gcry_md_get_algo_dlen(algorithm);
1112 assert(hash_size > 0);
1113
1114 if (nsec3->nsec3.next_hashed_name_size != hash_size)
1115 return -EINVAL;
1116
1117 r = dns_name_to_wire_format(name, wire_format, sizeof(wire_format), true);
1118 if (r < 0)
1119 return r;
1120
1121 gcry_md_open(&md, algorithm, 0);
1122 if (!md)
1123 return -EIO;
1124
1125 gcry_md_write(md, wire_format, r);
1126 gcry_md_write(md, nsec3->nsec3.salt, nsec3->nsec3.salt_size);
1127
1128 result = gcry_md_read(md, 0);
1129 if (!result) {
1130 r = -EIO;
1131 goto finish;
1132 }
1133
1134 for (k = 0; k < nsec3->nsec3.iterations; k++) {
1135 uint8_t tmp[hash_size];
1136 memcpy(tmp, result, hash_size);
1137
1138 gcry_md_reset(md);
1139 gcry_md_write(md, tmp, hash_size);
1140 gcry_md_write(md, nsec3->nsec3.salt, nsec3->nsec3.salt_size);
1141
1142 result = gcry_md_read(md, 0);
1143 if (!result) {
1144 r = -EIO;
1145 goto finish;
1146 }
1147 }
1148
1149 memcpy(ret, result, hash_size);
1150 r = (int) hash_size;
1151
1152finish:
1153 gcry_md_close(md);
1154 return r;
1155}
1156
db5b0e92
LP		 1157static int nsec3_is_good(DnsResourceRecord *rr, DnsAnswerFlags flags, DnsResourceRecord *nsec3) {
1158 const char *a, *b;
1159 int r;
1160
1161 assert(rr);
1162
db5b0e92
LP		 1163 if (rr->key->type != DNS_TYPE_NSEC3)
1164 return 0;
1165
1166 /* RFC 5155, Section 8.2 says we MUST ignore NSEC3 RRs with flags != 0 or 1 */
1167 if (!IN_SET(rr->nsec3.flags, 0, 1))
1168 return 0;
1169
d15ad742
LP		 1170 /* Ignore NSEC3 RRs whose algorithm we don't know */
1171 if (nsec3_hash_to_gcrypt_md(rr->nsec3.algorithm) < 0)
1172 return 0;
a8f158b9
LP		 1173 /* Ignore NSEC3 RRs with an excessive number of required iterations */
1174 if (rr->nsec3.iterations > NSEC3_ITERATIONS_MAX)
1175 return 0;
d15ad742 1176
db5b0e92
LP		 1177 if (!nsec3)
1178 return 1;
1179
1180 /* If a second NSEC3 RR is specified, also check if they are from the same zone. */
1181
1182 if (nsec3 == rr) /* Shortcut */
1183 return 1;
1184
1185 if (rr->key->class != nsec3->key->class)
1186 return 0;
1187 if (rr->nsec3.algorithm != nsec3->nsec3.algorithm)
1188 return 0;
1189 if (rr->nsec3.iterations != nsec3->nsec3.iterations)
1190 return 0;
1191 if (rr->nsec3.salt_size != nsec3->nsec3.salt_size)
1192 return 0;
1193 if (memcmp(rr->nsec3.salt, nsec3->nsec3.salt, rr->nsec3.salt_size) != 0)
1194 return 0;
1195
1196 a = DNS_RESOURCE_KEY_NAME(rr->key);
1197 r = dns_name_parent(&a); /* strip off hash */
1198 if (r < 0)
1199 return r;
1200 if (r == 0)
1201 return 0;
1202
1203 b = DNS_RESOURCE_KEY_NAME(nsec3->key);
1204 r = dns_name_parent(&b); /* strip off hash */
1205 if (r < 0)
1206 return r;
1207 if (r == 0)
1208 return 0;
1209
1210 return dns_name_equal(a, b);
1211}
1212
1d3db294 1213static int nsec3_hashed_domain(DnsResourceRecord *nsec3, const char *domain, const char *zone, char **ret) {
6f76ec5a 1214 _cleanup_free_ char *l = NULL, *hashed_domain = NULL;
105e1512 1215 uint8_t hashed[DNSSEC_HASH_SIZE_MAX];
6f76ec5a
TG		 1216 int hashed_size;
1217
1218 assert(nsec3);
1219 assert(domain);
1220 assert(zone);
1221 assert(ret);
1222
1223 hashed_size = dnssec_nsec3_hash(nsec3, domain, hashed);
1224 if (hashed_size < 0)
1225 return hashed_size;
1226
1227 l = base32hexmem(hashed, hashed_size, false);
1228 if (!l)
1229 return -ENOMEM;
1230
1231 hashed_domain = strjoin(l, ".", zone, NULL);
1232 if (!hashed_domain)
1233 return -ENOMEM;
1234
1235 *ret = hashed_domain;
1236 hashed_domain = NULL;
1237
1238 return hashed_size;
1239}
1240
35ad41d3
TG		 1241/* See RFC 5155, Section 8
1242 * First try to find a NSEC3 record that matches our query precisely, if that fails, find the closest
1243 * enclosure. Secondly, find a proof that there is no closer enclosure and either a proof that there
1244 * is no wildcard domain as a direct descendant of the closest enclosure, or find an NSEC3 record that
1245 * matches the wildcard domain.
1246 *
1247 * Based on this we can prove either the existence of the record in @key, or NXDOMAIN or NODATA, or
1248 * that there is no proof either way. The latter is the case if a the proof of non-existence of a given
1249 * name uses an NSEC3 record with the opt-out bit set. Lastly, if we are given insufficient NSEC3 records
1250 * to conclude anything we indicate this by returning NO_RR. */
d3760be0 1251static int dnssec_test_nsec3(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result, bool *authenticated, uint32_t *ttl) {
35ad41d3 1252 _cleanup_free_ char *next_closer_domain = NULL, *wildcard = NULL, *wildcard_domain = NULL;
d1511b33 1253 const char *zone, *p, *pp = NULL;
7e35195f 1254 DnsResourceRecord *rr, *enclosure_rr, *zone_rr, *wildcard_rr = NULL;
105e1512
LP		 1255 DnsAnswerFlags flags;
1256 int hashed_size, r;
35ad41d3 1257 bool a, no_closer = false, no_wildcard = false, optout = false;
72667f08
LP		 1258
1259 assert(key);
1260 assert(result);
1261
d1511b33
TG		 1262 /* First step, find the zone name and the NSEC3 parameters of the zone.
1263 * it is sufficient to look for the longest common suffix we find with
1264 * any NSEC3 RR in the response. Any NSEC3 record will do as all NSEC3
1265 * records from a given zone in a response must use the same
1266 * parameters. */
1267 zone = DNS_RESOURCE_KEY_NAME(key);
13b78323 1268 for (;;) {
7e35195f
LP		 1269 DNS_ANSWER_FOREACH_FLAGS(zone_rr, flags, answer) {
1270 r = nsec3_is_good(zone_rr, flags, NULL);
db5b0e92
LP		 1271 if (r < 0)
1272 return r;
1273 if (r == 0)
13b78323
LP		 1274 continue;
1275
7e35195f 1276 r = dns_name_equal_skip(DNS_RESOURCE_KEY_NAME(zone_rr->key), 1, zone);
13b78323
LP		 1277 if (r < 0)
1278 return r;
1279 if (r > 0)
d1511b33 1280 goto found_zone;
13b78323
LP		 1281 }
1282
1283 /* Strip one label from the front */
d1511b33 1284 r = dns_name_parent(&zone);
13b78323
LP		 1285 if (r < 0)
1286 return r;
1287 if (r == 0)
1288 break;
1289 }
1290
1291 *result = DNSSEC_NSEC_NO_RR;
1292 return 0;
1293
d1511b33 1294found_zone:
13b78323 1295 /* Second step, find the closest encloser NSEC3 RR in 'answer' that matches 'key' */
105e1512
LP		 1296 p = DNS_RESOURCE_KEY_NAME(key);
1297 for (;;) {
6f76ec5a 1298 _cleanup_free_ char *hashed_domain = NULL;
72667f08 1299
7e35195f 1300 hashed_size = nsec3_hashed_domain(zone_rr, p, zone, &hashed_domain);
db5b0e92
LP		 1301 if (hashed_size == -EOPNOTSUPP) {
1302 *result = DNSSEC_NSEC_UNSUPPORTED_ALGORITHM;
1303 return 0;
1304 }
1305 if (hashed_size < 0)
1306 return hashed_size;
72667f08 1307
d1511b33 1308 DNS_ANSWER_FOREACH_FLAGS(enclosure_rr, flags, answer) {
db5b0e92 1309
7e35195f 1310 r = nsec3_is_good(enclosure_rr, flags, zone_rr);
72667f08
LP		 1311 if (r < 0)
1312 return r;
105e1512
LP		 1313 if (r == 0)
1314 continue;
1315
d1511b33 1316 if (enclosure_rr->nsec3.next_hashed_name_size != (size_t) hashed_size)
db5b0e92 1317 continue;
105e1512 1318
d1511b33 1319 r = dns_name_equal(DNS_RESOURCE_KEY_NAME(enclosure_rr->key), hashed_domain);
72667f08
LP		 1320 if (r < 0)
1321 return r;
ed29bfdc
LP		 1322 if (r > 0) {
1323 a = flags & DNS_ANSWER_AUTHENTICATED;
13b78323 1324 goto found_closest_encloser;
ed29bfdc 1325 }
105e1512
LP		 1326 }
1327
1328 /* We didn't find the closest encloser with this name,
1329 * but let's remember this domain name, it might be
1330 * the next closer name */
1331
1332 pp = p;
1333
1334 /* Strip one label from the front */
1335 r = dns_name_parent(&p);
1336 if (r < 0)
1337 return r;
1338 if (r == 0)
72667f08 1339 break;
105e1512 1340 }
72667f08 1341
105e1512
LP		 1342 *result = DNSSEC_NSEC_NO_RR;
1343 return 0;
72667f08 1344
13b78323 1345found_closest_encloser:
105e1512 1346 /* We found a closest encloser in 'p'; next closer is 'pp' */
72667f08 1347
105e1512 1348 /* Ensure this is not a DNAME domain, see RFC5155, section 8.3. */
d1511b33 1349 if (bitmap_isset(enclosure_rr->nsec3.types, DNS_TYPE_DNAME))
105e1512 1350 return -EBADMSG;
72667f08 1351
105e1512
LP		 1352 /* Ensure that this data is from the delegated domain
1353 * (i.e. originates from the "lower" DNS server), and isn't
1354 * just glue records (i.e. doesn't originate from the "upper"
1355 * DNS server). */
d1511b33
TG		 1356 if (bitmap_isset(enclosure_rr->nsec3.types, DNS_TYPE_NS) &&
1357 !bitmap_isset(enclosure_rr->nsec3.types, DNS_TYPE_SOA))
105e1512 1358 return -EBADMSG;
72667f08 1359
105e1512
LP		 1360 if (!pp) {
1361 /* No next closer NSEC3 RR. That means there's a direct NSEC3 RR for our key. */
146035b3
TG		 1362 if (bitmap_isset(enclosure_rr->nsec3.types, key->type))
1363 *result = DNSSEC_NSEC_FOUND;
1364 else if (bitmap_isset(enclosure_rr->nsec3.types, DNS_TYPE_CNAME))
1365 *result = DNSSEC_NSEC_CNAME;
1366 else
1367 *result = DNSSEC_NSEC_NODATA;
1368
d3760be0
LP		 1369 if (authenticated)
1370 *authenticated = a;
1371 if (ttl)
1372 *ttl = enclosure_rr->ttl;
146035b3 1373
105e1512
LP		 1374 return 0;
1375 }
72667f08 1376
35ad41d3
TG		 1377 /* Prove that there is no next closer and whether or not there is a wildcard domain. */
1378
1379 wildcard = strappend("*.", p);
1380 if (!wildcard)
1381 return -ENOMEM;
1382
1383 r = nsec3_hashed_domain(enclosure_rr, wildcard, zone, &wildcard_domain);
105e1512
LP		 1384 if (r < 0)
1385 return r;
1386 if (r != hashed_size)
1387 return -EBADMSG;
72667f08 1388
6f76ec5a 1389 r = nsec3_hashed_domain(enclosure_rr, pp, zone, &next_closer_domain);
105e1512
LP		 1390 if (r < 0)
1391 return r;
1392 if (r != hashed_size)
1393 return -EBADMSG;
72667f08 1394
105e1512
LP		 1395 DNS_ANSWER_FOREACH_FLAGS(rr, flags, answer) {
1396 _cleanup_free_ char *label = NULL, *next_hashed_domain = NULL;
105e1512 1397
7e35195f 1398 r = nsec3_is_good(rr, flags, zone_rr);
105e1512
LP		 1399 if (r < 0)
1400 return r;
1401 if (r == 0)
1402 continue;
1403
1404 label = base32hexmem(rr->nsec3.next_hashed_name, rr->nsec3.next_hashed_name_size, false);
1405 if (!label)
1406 return -ENOMEM;
1407
b2c2a1b9 1408 next_hashed_domain = strjoin(label, ".", zone, NULL);
105e1512
LP		 1409 if (!next_hashed_domain)
1410 return -ENOMEM;
1411
1412 r = dns_name_between(DNS_RESOURCE_KEY_NAME(rr->key), next_closer_domain, next_hashed_domain);
1413 if (r < 0)
1414 return r;
1415 if (r > 0) {
1416 if (rr->nsec3.flags & 1)
35ad41d3 1417 optout = true;
105e1512 1418
35ad41d3
TG		 1419 a = a && (flags & DNS_ANSWER_AUTHENTICATED);
1420
1421 no_closer = true;
1422 }
1423
1424 r = dns_name_equal(DNS_RESOURCE_KEY_NAME(rr->key), wildcard_domain);
1425 if (r < 0)
1426 return r;
1427 if (r > 0) {
1428 a = a && (flags & DNS_ANSWER_AUTHENTICATED);
1429
1430 wildcard_rr = rr;
1431 }
1432
1433 r = dns_name_between(DNS_RESOURCE_KEY_NAME(rr->key), wildcard_domain, next_hashed_domain);
1434 if (r < 0)
1435 return r;
1436 if (r > 0) {
1437 if (rr->nsec3.flags & 1)
1438 /* This only makes sense if we have a wildcard delegation, which is
1439 * very unlikely, see RFC 4592, Section 4.2, but we cannot rely on
1440 * this not happening, so hence cannot simply conclude NXDOMAIN as
1441 * we would wish */
1442 optout = true;
1443
1444 a = a && (flags & DNS_ANSWER_AUTHENTICATED);
1445
1446 no_wildcard = true;
105e1512
LP		 1447 }
1448 }
1449
35ad41d3
TG		 1450 if (wildcard_rr && no_wildcard)
1451 return -EBADMSG;
1452
1453 if (!no_closer) {
1454 *result = DNSSEC_NSEC_NO_RR;
35ad41d3
TG		 1455 return 0;
1456 }
1457
1458 if (wildcard_rr) {
1459 /* A wildcard exists that matches our query. */
1460 if (optout)
1461 /* This is not specified in any RFC to the best of my knowledge, but
1462 * if the next closer enclosure is covered by an opt-out NSEC3 RR
1463 * it means that we cannot prove that the source of synthesis is
1464 * correct, as there may be a closer match. */
1465 *result = DNSSEC_NSEC_OPTOUT;
1466 else if (bitmap_isset(wildcard_rr->nsec3.types, key->type))
1467 *result = DNSSEC_NSEC_FOUND;
1468 else if (bitmap_isset(wildcard_rr->nsec3.types, DNS_TYPE_CNAME))
1469 *result = DNSSEC_NSEC_CNAME;
1470 else
1471 *result = DNSSEC_NSEC_NODATA;
1472 } else {
1473 if (optout)
1474 /* The RFC only specifies that we have to care for optout for NODATA for
1475 * DS records. However, children of an insecure opt-out delegation should
1476 * also be considered opt-out, rather than verified NXDOMAIN.
1477 * Note that we do not require a proof of wildcard non-existence if the
1478 * next closer domain is covered by an opt-out, as that would not provide
1479 * any additional information. */
1480 *result = DNSSEC_NSEC_OPTOUT;
1481 else if (no_wildcard)
1482 *result = DNSSEC_NSEC_NXDOMAIN;
1483 else {
1484 *result = DNSSEC_NSEC_NO_RR;
1485
1486 return 0;
1487 }
1488 }
1489
d3760be0
LP		 1490 if (authenticated)
1491 *authenticated = a;
1492
1493 if (ttl)
1494 *ttl = enclosure_rr->ttl;
35ad41d3 1495
105e1512
LP		 1496 return 0;
1497}
1498
d3760be0 1499int dnssec_test_nsec(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result, bool *authenticated, uint32_t *ttl) {
105e1512
LP		 1500 DnsResourceRecord *rr;
1501 bool have_nsec3 = false;
1502 DnsAnswerFlags flags;
1503 int r;
1504
1505 assert(key);
1506 assert(result);
1507
1508 /* Look for any NSEC/NSEC3 RRs that say something about the specified key. */
1509
1510 DNS_ANSWER_FOREACH_FLAGS(rr, flags, answer) {
1511
1512 if (rr->key->class != key->class)
1513 continue;
1514
105e1512
LP		 1515 switch (rr->key->type) {
1516
1517 case DNS_TYPE_NSEC:
1518
1519 r = dns_name_equal(DNS_RESOURCE_KEY_NAME(rr->key), DNS_RESOURCE_KEY_NAME(key));
1520 if (r < 0)
1521 return r;
1522 if (r > 0) {
146035b3
TG		 1523 if (bitmap_isset(rr->nsec.types, key->type))
1524 *result = DNSSEC_NSEC_FOUND;
1525 else if (bitmap_isset(rr->nsec.types, DNS_TYPE_CNAME))
1526 *result = DNSSEC_NSEC_CNAME;
1527 else
1528 *result = DNSSEC_NSEC_NODATA;
d3760be0
LP		 1529
1530 if (authenticated)
1531 *authenticated = flags & DNS_ANSWER_AUTHENTICATED;
1532 if (ttl)
1533 *ttl = rr->ttl;
1534
72667f08
LP		 1535 return 0;
1536 }
1537
105e1512
LP		 1538 r = dns_name_between(DNS_RESOURCE_KEY_NAME(rr->key), DNS_RESOURCE_KEY_NAME(key), rr->nsec.next_domain_name);
1539 if (r < 0)
1540 return r;
1541 if (r > 0) {
1542 *result = DNSSEC_NSEC_NXDOMAIN;
d3760be0
LP		 1543
1544 if (authenticated)
1545 *authenticated = flags & DNS_ANSWER_AUTHENTICATED;
1546 if (ttl)
1547 *ttl = rr->ttl;
1548
105e1512
LP		 1549 return 0;
1550 }
72667f08 1551 break;
72667f08 1552
105e1512
LP		 1553 case DNS_TYPE_NSEC3:
1554 have_nsec3 = true;
72667f08
LP		 1555 break;
1556 }
1557 }
1558
105e1512
LP		 1559 /* OK, this was not sufficient. Let's see if NSEC3 can help. */
1560 if (have_nsec3)
d3760be0 1561 return dnssec_test_nsec3(answer, key, result, authenticated, ttl);
105e1512 1562
72667f08
LP		 1563 /* No approproate NSEC RR found, report this. */
1564 *result = DNSSEC_NSEC_NO_RR;
1565 return 0;
1566}
1567
547973de
LP		 1568static const char* const dnssec_result_table[_DNSSEC_RESULT_MAX] = {
1569 [DNSSEC_VALIDATED] = "validated",
1570 [DNSSEC_INVALID] = "invalid",
203f1b35
LP		 1571 [DNSSEC_SIGNATURE_EXPIRED] = "signature-expired",
1572 [DNSSEC_UNSUPPORTED_ALGORITHM] = "unsupported-algorithm",
547973de
LP		 1573 [DNSSEC_NO_SIGNATURE] = "no-signature",
1574 [DNSSEC_MISSING_KEY] = "missing-key",
203f1b35 1575 [DNSSEC_UNSIGNED] = "unsigned",
547973de 1576 [DNSSEC_FAILED_AUXILIARY] = "failed-auxiliary",
72667f08 1577 [DNSSEC_NSEC_MISMATCH] = "nsec-mismatch",
b652d4a2 1578 [DNSSEC_INCOMPATIBLE_SERVER] = "incompatible-server",
547973de
LP		 1579};
1580DEFINE_STRING_TABLE_LOOKUP(dnssec_result, DnssecResult);
Unnamed repository; edit this file 'description' to name the repository.