void
val_log_assertion_pfx(const val_context_t * ctx, int level,
const char *prefix, const char * name_pr,
struct val_authentication_chain *next_as)
{
char name_buf[INET6_ADDRSTRLEN + 1];
const char *serv_pr;
int tag = 0;
int class_h;
int type_h;
struct val_rr_rec *data;
struct sockaddr *serv;
val_astatus_t status;
struct val_rr_rec *curkey;
#undef VAL_LOG_SIG
#ifdef VAL_LOG_SIG
struct val_rr_rec *sig;
struct val_rr_rec *cursig;
#endif
if (next_as == NULL)
return;
class_h = next_as->val_ac_rrset->val_rrset_class;
type_h = next_as->val_ac_rrset->val_rrset_type;
data = next_as->val_ac_rrset->val_rrset_data;
#ifdef VAL_LOG_SIG
sig = next_as->val_ac_rrset->val_rrset_sig;
#endif
serv = next_as->val_ac_rrset->val_rrset_server;
status = next_as->val_ac_status;
if (NULL == prefix)
prefix = "";
if (serv)
serv_pr =
((serv_pr =
val_get_ns_string(serv, name_buf, sizeof(name_buf))) == NULL) ? "VAL_CACHE" : serv_pr;
else
serv_pr = "NULL";
if (type_h == ns_t_dnskey) {
for (curkey = data; curkey; curkey = curkey->rr_next) {
if ((curkey->rr_status == VAL_AC_VERIFIED_LINK) ||
(curkey->rr_status == VAL_AC_TRUST_POINT) ||
(curkey->rr_status == VAL_AC_UNKNOWN_ALGORITHM_LINK)) {
/*
* Extract the key tag
*/
val_dnskey_rdata_t dnskey;
if (VAL_NO_ERROR != val_parse_dnskey_rdata(curkey->rr_rdata,
curkey->rr_rdata_length, &dnskey)) {
val_log(ctx, LOG_INFO, "val_log_assertion_pfx(): Cannot parse DNSKEY data");
} else {
tag = dnskey.key_tag;
if (dnskey.public_key)
FREE(dnskey.public_key);
}
break;
}
}
}
if (tag != 0) {
val_log(ctx, level,
"%sname=%s class=%s type=%s[tag=%d] from-server=%s "
"status=%s:%d", prefix, name_pr, p_class(class_h),
p_type(type_h), tag, serv_pr, p_ac_status(status), status);
} else {
val_log(ctx, level,
"%sname=%s class=%s type=%s from-server=%s status=%s:%d",
prefix, name_pr, p_class(class_h), p_type(type_h), serv_pr,
p_ac_status(status), status);
}
#ifdef VAL_LOG_SIG
for (cursig = sig; cursig; cursig = cursig->rr_next) {
char incpTime[1028];
char exprTime[1028];
struct timeval tv_sig;
val_rrsig_rdata_t rrsig;
val_parse_rrsig_rdata(cursig->rr_rdata, cursig->rr_rdata_length, &rrsig);
memset(&tv_sig, 0, sizeof(tv_sig));
tv_sig.tv_sec = rrsig.sig_incp;
GET_TIME_BUF((const time_t *)(&tv_sig.tv_sec), incpTime);
memset(&tv_sig, 0, sizeof(tv_sig));
tv_sig.tv_sec = rrsig.sig_expr;
GET_TIME_BUF((const time_t *)(&tv_sig.tv_sec), exprTime);
val_log(ctx, level,
"%s ->tag=%d status=%s sig-incep=%s sig-expr=%s",
prefix, rrsig.key_tag,
p_ac_status(cursig->rr_status),
incpTime, exprTime);
}
#endif
#ifdef VAL_LOG_SIG
struct val_rr_rec *rr;
struct val_rr_rec *sig = next_as->val_ac_rrset->val_rrset_sig;
for (rr = data; rr; rr = rr->rr_next) {
val_log(ctx, level, " data_status=%s:%d",
p_ac_status(rr->rr_status), rr->rr_status);
}
for (rr = sig; rr; rr = rr->rr_next) {
val_log(ctx, level, " sig_status=%s:%d",
p_ac_status(rr->rr_status), rr->rr_status);
}
#endif
}
void
verify_next_assertion(val_context_t * ctx,
struct val_digested_auth_chain *as,
struct val_digested_auth_chain *the_trust,
u_int32_t flags)
{
struct rrset_rec *the_set;
struct rrset_rr *the_sig;
u_char *signby_name_n;
u_int16_t signby_footprint_n;
val_dnskey_rdata_t dnskey;
int is_a_wildcard;
struct rrset_rr *nextrr;
struct rrset_rr *keyrr;
u_int16_t tag_h;
char name_p[NS_MAXDNAME];
if ((as == NULL) || (as->val_ac_rrset.ac_data == NULL) || (the_trust == NULL)) {
val_log(ctx, LOG_INFO, "verify_next_assertion(): Cannot verify assertion - no data");
return;
}
the_set = as->val_ac_rrset.ac_data;
dnskey.public_key = NULL;
if (-1 == ns_name_ntop(the_set->rrs_name_n, name_p, sizeof(name_p)))
snprintf(name_p, sizeof(name_p), "unknown/error");
if (the_set->rrs_sig == NULL) {
val_log(ctx, LOG_INFO, "verify_next_assertion(): RRSIG is missing");
as->val_ac_status = VAL_AC_RRSIG_MISSING;
return;
}
if (the_set->rrs_type_h != ns_t_dnskey) {
/*
* trust path contains the key
*/
if (the_trust->val_ac_rrset.ac_data == NULL) {
val_log(ctx, LOG_INFO, "verify_next_assertion(): Key is empty");
as->val_ac_status = VAL_AC_DNSKEY_MISSING;
return;
}
keyrr = the_trust->val_ac_rrset.ac_data->rrs_data;
} else {
/*
* data itself contains the key
*/
if (the_set->rrs_data == NULL) {
val_log(ctx, LOG_INFO, "verify_next_assertion(): Key is empty");
as->val_ac_status = VAL_AC_DNSKEY_MISSING;
return;
}
keyrr = the_set->rrs_data;
}
for (the_sig = the_set->rrs_sig;
the_sig; the_sig = the_sig->rr_next) {
/*
* do wildcard processing
*/
if (!check_label_count(the_set, the_sig, &is_a_wildcard)) {
SET_STATUS(as->val_ac_status, the_sig,
VAL_AC_WRONG_LABEL_COUNT);
val_log(ctx, LOG_INFO, "verify_next_assertion(): Incorrect RRSIG label count");
continue;
}
/*
* for each sig, identify key,
*/
if (VAL_NO_ERROR != identify_key_from_sig(the_sig, &signby_name_n,
&signby_footprint_n)) {
SET_STATUS(as->val_ac_status, the_sig,
VAL_AC_INVALID_RRSIG);
val_log(ctx, LOG_INFO, "verify_next_assertion(): Cannot extract key footprint from RRSIG");
continue;
}
tag_h = ntohs(signby_footprint_n);
for (nextrr = keyrr; nextrr; nextrr = nextrr->rr_next) {
int is_verified = 0;
if (VAL_NO_ERROR != val_parse_dnskey_rdata(nextrr->rr_rdata,
nextrr->rr_rdata_length,
&dnskey)) {
val_log(ctx, LOG_INFO, "verify_next_assertion(): Cannot parse DNSKEY data");
nextrr->rr_status = VAL_AC_INVALID_KEY;
continue;
}
dnskey.next = NULL;
if (dnskey.key_tag != tag_h) {
if (dnskey.public_key != NULL) {
FREE(dnskey.public_key);
dnskey.public_key = NULL;
}
continue;
}
val_log(ctx, LOG_DEBUG, "verify_next_assertion(): Found potential matching DNSKEY for RRSIG");
/*
* check the signature
*/
is_verified = do_verify(ctx, signby_name_n,
&nextrr->rr_status,
&the_sig->rr_status,
the_set, the_sig, &dnskey, is_a_wildcard, flags);
/*
* There might be multiple keys with the same key tag; set this as
* the signing key only if we dont have other status for this key
*/
SET_STATUS(as->val_ac_status, the_sig, the_sig->rr_status);
if (nextrr->rr_status == VAL_AC_UNSET) {
nextrr->rr_status = VAL_AC_SIGNING_KEY;
}
if (is_verified) {
val_log(ctx, LOG_INFO, "verify_next_assertion(): Verified a RRSIG for %s (%s) using a DNSKEY (%d)",
name_p, p_type(the_set->rrs_type_h),
dnskey.key_tag);
if ( as->val_ac_status == VAL_AC_TRUST ||
nextrr->rr_status == VAL_AC_TRUST_POINT) {
/* we've verified a trust anchor */
as->val_ac_status = VAL_AC_TRUST;
val_log(ctx, LOG_INFO, "verify_next_assertion(): verification traces back to trust anchor");
if (dnskey.public_key != NULL) {
FREE(dnskey.public_key);
dnskey.public_key = NULL;
}
return;
}
/* Check if we're trying to verify some key in the authentication chain */
if ( the_set->rrs_type_h == ns_t_dnskey &&
as != the_trust) {
/* Check if we have reached our trust key */
/*
* If this record contains a DNSKEY, check if the DS record contains this key
* DNSKEYs cannot be wildcard expanded, so VAL_AC_WCARD_VERIFIED does not
* count as a good sig
* Create the link even if the DNSKEY algorithm is unknown since this
* may be the provably insecure case
*/
/*
* follow the trust path
*/
struct rrset_rr *dsrec =
the_trust->val_ac_rrset.ac_data->rrs_data;
while (dsrec) {
val_ds_rdata_t ds;
ds.d_hash = NULL;
int retval = val_parse_ds_rdata(dsrec->rr_rdata,
dsrec->rr_rdata_length, &ds);
if(retval == VAL_NOT_IMPLEMENTED) {
val_log(ctx, LOG_INFO, "verify_next_assertion(): DS hash not supported");
dsrec->rr_status = VAL_AC_ALGORITHM_NOT_SUPPORTED;
} else if (retval != VAL_NO_ERROR) {
val_log(ctx, LOG_INFO, "verify_next_assertion(): DS parse error");
dsrec->rr_status = VAL_AC_INVALID_DS;
} else if (DNSKEY_MATCHES_DS(ctx, &dnskey, &ds,
the_set->rrs_name_n, nextrr,
&dsrec->rr_status)) {
val_log(ctx, LOG_DEBUG,
"verify_next_assertion(): DNSKEY tag (%d) matches DS tag (%d)",
(&dnskey)->key_tag,
(&ds)->d_keytag);
/*
* the first match is enough
*/
nextrr->rr_status = VAL_AC_VERIFIED_LINK;
FREE(ds.d_hash);
ds.d_hash = NULL;
if (dnskey.public_key) {
FREE(dnskey.public_key);
dnskey.public_key = NULL;
}
val_log(ctx, LOG_INFO, "verify_next_assertion(): Key links upward");
return;
} else {
/*
* Didn't find a valid entry in the DS record set
* Not necessarily a problem, since there is no requirement that a DS be present
* If none match, then we set the status accordingly. See below.
*/
nextrr->rr_status = VAL_AC_DS_NOMATCH;
}
if (ds.d_hash != NULL)
FREE(ds.d_hash);
dsrec = dsrec->rr_next;
}
}
}
if (dnskey.public_key != NULL) {
FREE(dnskey.public_key);
}
dnskey.public_key = NULL;
}
val_log(ctx, LOG_INFO, "verify_next_assertion(): Could not link this RRSIG to a DNSKEY");
SET_STATUS(as->val_ac_status, the_sig, VAL_AC_DNSKEY_NOMATCH);
}
/*
* If we reach here and we're a keyset, we either didn't verify the keyset or
* didn't verify the link from the key to the DS
*/
if (the_set->rrs_type_h == ns_t_dnskey){
as->val_ac_status = VAL_AC_NO_LINK;
}
}
