void val_log_assertion_pfx(const val_context_t * ctx, int level, const char *prefix, const char * name_pr, struct val_authentication_chain *next_as) { char name_buf[INET6_ADDRSTRLEN + 1]; const char *serv_pr; int tag = 0; int class_h; int type_h; struct val_rr_rec *data; struct sockaddr *serv; val_astatus_t status; struct val_rr_rec *curkey; #undef VAL_LOG_SIG #ifdef VAL_LOG_SIG struct val_rr_rec *sig; struct val_rr_rec *cursig; #endif if (next_as == NULL) return; class_h = next_as->val_ac_rrset->val_rrset_class; type_h = next_as->val_ac_rrset->val_rrset_type; data = next_as->val_ac_rrset->val_rrset_data; #ifdef VAL_LOG_SIG sig = next_as->val_ac_rrset->val_rrset_sig; #endif serv = next_as->val_ac_rrset->val_rrset_server; status = next_as->val_ac_status; if (NULL == prefix) prefix = ""; if (serv) serv_pr = ((serv_pr = val_get_ns_string(serv, name_buf, sizeof(name_buf))) == NULL) ? "VAL_CACHE" : serv_pr; else serv_pr = "NULL"; if (type_h == ns_t_dnskey) { for (curkey = data; curkey; curkey = curkey->rr_next) { if ((curkey->rr_status == VAL_AC_VERIFIED_LINK) || (curkey->rr_status == VAL_AC_TRUST_POINT) || (curkey->rr_status == VAL_AC_UNKNOWN_ALGORITHM_LINK)) { /* * Extract the key tag */ val_dnskey_rdata_t dnskey; if (VAL_NO_ERROR != val_parse_dnskey_rdata(curkey->rr_rdata, curkey->rr_rdata_length, &dnskey)) { val_log(ctx, LOG_INFO, "val_log_assertion_pfx(): Cannot parse DNSKEY data"); } else { tag = dnskey.key_tag; if (dnskey.public_key) FREE(dnskey.public_key); } break; } } } if (tag != 0) { val_log(ctx, level, "%sname=%s class=%s type=%s[tag=%d] from-server=%s " "status=%s:%d", prefix, name_pr, p_class(class_h), p_type(type_h), tag, serv_pr, p_ac_status(status), status); } else { val_log(ctx, level, "%sname=%s class=%s type=%s from-server=%s status=%s:%d", prefix, name_pr, p_class(class_h), p_type(type_h), serv_pr, p_ac_status(status), status); } #ifdef VAL_LOG_SIG for (cursig = sig; cursig; cursig = cursig->rr_next) { char incpTime[1028]; char exprTime[1028]; struct timeval tv_sig; val_rrsig_rdata_t rrsig; val_parse_rrsig_rdata(cursig->rr_rdata, cursig->rr_rdata_length, &rrsig); memset(&tv_sig, 0, sizeof(tv_sig)); tv_sig.tv_sec = rrsig.sig_incp; GET_TIME_BUF((const time_t *)(&tv_sig.tv_sec), incpTime); memset(&tv_sig, 0, sizeof(tv_sig)); tv_sig.tv_sec = rrsig.sig_expr; GET_TIME_BUF((const time_t *)(&tv_sig.tv_sec), exprTime); val_log(ctx, level, "%s ->tag=%d status=%s sig-incep=%s sig-expr=%s", prefix, rrsig.key_tag, p_ac_status(cursig->rr_status), incpTime, exprTime); } #endif #ifdef VAL_LOG_SIG struct val_rr_rec *rr; struct val_rr_rec *sig = next_as->val_ac_rrset->val_rrset_sig; for (rr = data; rr; rr = rr->rr_next) { val_log(ctx, level, " data_status=%s:%d", p_ac_status(rr->rr_status), rr->rr_status); } for (rr = sig; rr; rr = rr->rr_next) { val_log(ctx, level, " sig_status=%s:%d", p_ac_status(rr->rr_status), rr->rr_status); } #endif }
void verify_next_assertion(val_context_t * ctx, struct val_digested_auth_chain *as, struct val_digested_auth_chain *the_trust, u_int32_t flags) { struct rrset_rec *the_set; struct rrset_rr *the_sig; u_char *signby_name_n; u_int16_t signby_footprint_n; val_dnskey_rdata_t dnskey; int is_a_wildcard; struct rrset_rr *nextrr; struct rrset_rr *keyrr; u_int16_t tag_h; char name_p[NS_MAXDNAME]; if ((as == NULL) || (as->val_ac_rrset.ac_data == NULL) || (the_trust == NULL)) { val_log(ctx, LOG_INFO, "verify_next_assertion(): Cannot verify assertion - no data"); return; } the_set = as->val_ac_rrset.ac_data; dnskey.public_key = NULL; if (-1 == ns_name_ntop(the_set->rrs_name_n, name_p, sizeof(name_p))) snprintf(name_p, sizeof(name_p), "unknown/error"); if (the_set->rrs_sig == NULL) { val_log(ctx, LOG_INFO, "verify_next_assertion(): RRSIG is missing"); as->val_ac_status = VAL_AC_RRSIG_MISSING; return; } if (the_set->rrs_type_h != ns_t_dnskey) { /* * trust path contains the key */ if (the_trust->val_ac_rrset.ac_data == NULL) { val_log(ctx, LOG_INFO, "verify_next_assertion(): Key is empty"); as->val_ac_status = VAL_AC_DNSKEY_MISSING; return; } keyrr = the_trust->val_ac_rrset.ac_data->rrs_data; } else { /* * data itself contains the key */ if (the_set->rrs_data == NULL) { val_log(ctx, LOG_INFO, "verify_next_assertion(): Key is empty"); as->val_ac_status = VAL_AC_DNSKEY_MISSING; return; } keyrr = the_set->rrs_data; } for (the_sig = the_set->rrs_sig; the_sig; the_sig = the_sig->rr_next) { /* * do wildcard processing */ if (!check_label_count(the_set, the_sig, &is_a_wildcard)) { SET_STATUS(as->val_ac_status, the_sig, VAL_AC_WRONG_LABEL_COUNT); val_log(ctx, LOG_INFO, "verify_next_assertion(): Incorrect RRSIG label count"); continue; } /* * for each sig, identify key, */ if (VAL_NO_ERROR != identify_key_from_sig(the_sig, &signby_name_n, &signby_footprint_n)) { SET_STATUS(as->val_ac_status, the_sig, VAL_AC_INVALID_RRSIG); val_log(ctx, LOG_INFO, "verify_next_assertion(): Cannot extract key footprint from RRSIG"); continue; } tag_h = ntohs(signby_footprint_n); for (nextrr = keyrr; nextrr; nextrr = nextrr->rr_next) { int is_verified = 0; if (VAL_NO_ERROR != val_parse_dnskey_rdata(nextrr->rr_rdata, nextrr->rr_rdata_length, &dnskey)) { val_log(ctx, LOG_INFO, "verify_next_assertion(): Cannot parse DNSKEY data"); nextrr->rr_status = VAL_AC_INVALID_KEY; continue; } dnskey.next = NULL; if (dnskey.key_tag != tag_h) { if (dnskey.public_key != NULL) { FREE(dnskey.public_key); dnskey.public_key = NULL; } continue; } val_log(ctx, LOG_DEBUG, "verify_next_assertion(): Found potential matching DNSKEY for RRSIG"); /* * check the signature */ is_verified = do_verify(ctx, signby_name_n, &nextrr->rr_status, &the_sig->rr_status, the_set, the_sig, &dnskey, is_a_wildcard, flags); /* * There might be multiple keys with the same key tag; set this as * the signing key only if we dont have other status for this key */ SET_STATUS(as->val_ac_status, the_sig, the_sig->rr_status); if (nextrr->rr_status == VAL_AC_UNSET) { nextrr->rr_status = VAL_AC_SIGNING_KEY; } if (is_verified) { val_log(ctx, LOG_INFO, "verify_next_assertion(): Verified a RRSIG for %s (%s) using a DNSKEY (%d)", name_p, p_type(the_set->rrs_type_h), dnskey.key_tag); if ( as->val_ac_status == VAL_AC_TRUST || nextrr->rr_status == VAL_AC_TRUST_POINT) { /* we've verified a trust anchor */ as->val_ac_status = VAL_AC_TRUST; val_log(ctx, LOG_INFO, "verify_next_assertion(): verification traces back to trust anchor"); if (dnskey.public_key != NULL) { FREE(dnskey.public_key); dnskey.public_key = NULL; } return; } /* Check if we're trying to verify some key in the authentication chain */ if ( the_set->rrs_type_h == ns_t_dnskey && as != the_trust) { /* Check if we have reached our trust key */ /* * If this record contains a DNSKEY, check if the DS record contains this key * DNSKEYs cannot be wildcard expanded, so VAL_AC_WCARD_VERIFIED does not * count as a good sig * Create the link even if the DNSKEY algorithm is unknown since this * may be the provably insecure case */ /* * follow the trust path */ struct rrset_rr *dsrec = the_trust->val_ac_rrset.ac_data->rrs_data; while (dsrec) { val_ds_rdata_t ds; ds.d_hash = NULL; int retval = val_parse_ds_rdata(dsrec->rr_rdata, dsrec->rr_rdata_length, &ds); if(retval == VAL_NOT_IMPLEMENTED) { val_log(ctx, LOG_INFO, "verify_next_assertion(): DS hash not supported"); dsrec->rr_status = VAL_AC_ALGORITHM_NOT_SUPPORTED; } else if (retval != VAL_NO_ERROR) { val_log(ctx, LOG_INFO, "verify_next_assertion(): DS parse error"); dsrec->rr_status = VAL_AC_INVALID_DS; } else if (DNSKEY_MATCHES_DS(ctx, &dnskey, &ds, the_set->rrs_name_n, nextrr, &dsrec->rr_status)) { val_log(ctx, LOG_DEBUG, "verify_next_assertion(): DNSKEY tag (%d) matches DS tag (%d)", (&dnskey)->key_tag, (&ds)->d_keytag); /* * the first match is enough */ nextrr->rr_status = VAL_AC_VERIFIED_LINK; FREE(ds.d_hash); ds.d_hash = NULL; if (dnskey.public_key) { FREE(dnskey.public_key); dnskey.public_key = NULL; } val_log(ctx, LOG_INFO, "verify_next_assertion(): Key links upward"); return; } else { /* * Didn't find a valid entry in the DS record set * Not necessarily a problem, since there is no requirement that a DS be present * If none match, then we set the status accordingly. See below. */ nextrr->rr_status = VAL_AC_DS_NOMATCH; } if (ds.d_hash != NULL) FREE(ds.d_hash); dsrec = dsrec->rr_next; } } } if (dnskey.public_key != NULL) { FREE(dnskey.public_key); } dnskey.public_key = NULL; } val_log(ctx, LOG_INFO, "verify_next_assertion(): Could not link this RRSIG to a DNSKEY"); SET_STATUS(as->val_ac_status, the_sig, VAL_AC_DNSKEY_NOMATCH); } /* * If we reach here and we're a keyset, we either didn't verify the keyset or * didn't verify the link from the key to the DS */ if (the_set->rrs_type_h == ns_t_dnskey){ as->val_ac_status = VAL_AC_NO_LINK; } }