projects / apple / network_cmds.git / blame
| Commit | Line | Data |
|---|---|---|
| 89c4ed63 A |
1 | /* |
| 2 | * validator/val_utils.c - validator utility functions. | |
| 3 | * | |
| 4 | * Copyright (c) 2007, NLnet Labs. All rights reserved. | |
| 5 | * | |
| 6 | * This software is open source. | |
| 7 | * | |
| 8 | * Redistribution and use in source and binary forms, with or without | |
| 9 | * modification, are permitted provided that the following conditions | |
| 10 | * are met: | |
| 11 | * | |
| 12 | * Redistributions of source code must retain the above copyright notice, | |
| 13 | * this list of conditions and the following disclaimer. | |
| 14 | * | |
| 15 | * Redistributions in binary form must reproduce the above copyright notice, | |
| 16 | * this list of conditions and the following disclaimer in the documentation | |
| 17 | * and/or other materials provided with the distribution. | |
| 18 | * | |
| 19 | * Neither the name of the NLNET LABS nor the names of its contributors may | |
| 20 | * be used to endorse or promote products derived from this software without | |
| 21 | * specific prior written permission. | |
| 22 | * | |
| 23 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS | |
| 24 | * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT | |
| 25 | * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR | |
| 26 | * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT | |
| 27 | * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
| 28 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED | |
| 29 | * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR | |
| 30 | * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF | |
| 31 | * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING | |
| 32 | * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS | |
| 33 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
| 34 | */ | |
| 35 | ||
| 36 | /** | |
| 37 | * \file | |
| 38 | * | |
| 39 | * This file contains helper functions for the validator module. | |
| 40 | */ | |
| 41 | #include "config.h" | |
| 42 | #include "validator/val_utils.h" | |
| 43 | #include "validator/validator.h" | |
| 44 | #include "validator/val_kentry.h" | |
| 45 | #include "validator/val_sigcrypt.h" | |
| 46 | #include "validator/val_anchor.h" | |
| 47 | #include "validator/val_nsec.h" | |
| 48 | #include "validator/val_neg.h" | |
| 49 | #include "services/cache/rrset.h" | |
| 50 | #include "services/cache/dns.h" | |
| 51 | #include "util/data/msgreply.h" | |
| 52 | #include "util/data/packed_rrset.h" | |
| 53 | #include "util/data/dname.h" | |
| 54 | #include "util/net_help.h" | |
| 55 | #include "util/module.h" | |
| 56 | #include "util/regional.h" | |
| 57 | ||
| 58 | enum val_classification | |
| 59 | val_classify_response(uint16_t query_flags, struct query_info* origqinf, | |
| 60 | struct query_info* qinf, struct reply_info* rep, size_t skip) | |
| 61 | { | |
| 62 | int rcode = (int)FLAGS_GET_RCODE(rep->flags); | |
| 63 | size_t i; | |
| 64 | ||
| 65 | /* Normal Name Error's are easy to detect -- but don't mistake a CNAME | |
| 66 | * chain ending in NXDOMAIN. */ | |
| 67 | if(rcode == LDNS_RCODE_NXDOMAIN && rep->an_numrrsets == 0) | |
| 68 | return VAL_CLASS_NAMEERROR; | |
| 69 | ||
| 70 | /* check for referral: nonRD query and it looks like a nodata */ | |
| 71 | if(!(query_flags&BIT_RD) && rep->an_numrrsets == 0 && | |
| 72 | rcode == LDNS_RCODE_NOERROR) { | |
| 73 | /* SOA record in auth indicates it is NODATA instead. | |
| 74 | * All validation requiring NODATA messages have SOA in | |
| 75 | * authority section. */ | |
| 76 | /* uses fact that answer section is empty */ | |
| 77 | int saw_ns = 0; | |
| 78 | for(i=0; i<rep->ns_numrrsets; i++) { | |
| 79 | if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_SOA) | |
| 80 | return VAL_CLASS_NODATA; | |
| 81 | if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_DS) | |
| 82 | return VAL_CLASS_REFERRAL; | |
| 83 | if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NS) | |
| 84 | saw_ns = 1; | |
| 85 | } | |
| 86 | return saw_ns?VAL_CLASS_REFERRAL:VAL_CLASS_NODATA; | |
| 87 | } | |
| 88 | /* root referral where NS set is in the answer section */ | |
| 89 | if(!(query_flags&BIT_RD) && rep->ns_numrrsets == 0 && | |
| 90 | rep->an_numrrsets == 1 && rcode == LDNS_RCODE_NOERROR && | |
| 91 | ntohs(rep->rrsets[0]->rk.type) == LDNS_RR_TYPE_NS && | |
| 92 | query_dname_compare(rep->rrsets[0]->rk.dname, | |
| 93 | origqinf->qname) != 0) | |
| 94 | return VAL_CLASS_REFERRAL; | |
| 95 | ||
| 96 | /* dump bad messages */ | |
| 97 | if(rcode != LDNS_RCODE_NOERROR && rcode != LDNS_RCODE_NXDOMAIN) | |
| 98 | return VAL_CLASS_UNKNOWN; | |
| 99 | /* next check if the skip into the answer section shows no answer */ | |
| 100 | if(skip>0 && rep->an_numrrsets <= skip) | |
| 101 | return VAL_CLASS_CNAMENOANSWER; | |
| 102 | ||
| 103 | /* Next is NODATA */ | |
| 104 | if(rcode == LDNS_RCODE_NOERROR && rep->an_numrrsets == 0) | |
| 105 | return VAL_CLASS_NODATA; | |
| 106 | ||
| 107 | /* We distinguish between CNAME response and other positive/negative | |
| 108 | * responses because CNAME answers require extra processing. */ | |
| 109 | ||
| 110 | /* We distinguish between ANY and CNAME or POSITIVE because | |
| 111 | * ANY responses are validated differently. */ | |
| 112 | if(rcode == LDNS_RCODE_NOERROR && qinf->qtype == LDNS_RR_TYPE_ANY) | |
| 113 | return VAL_CLASS_ANY; | |
| 114 | ||
| 115 | /* Note that DNAMEs will be ignored here, unless qtype=DNAME. Unless | |
| 116 | * qtype=CNAME, this will yield a CNAME response. */ | |
| 117 | for(i=skip; i<rep->an_numrrsets; i++) { | |
| 118 | if(rcode == LDNS_RCODE_NOERROR && | |
| 119 | ntohs(rep->rrsets[i]->rk.type) == qinf->qtype) | |
| 120 | return VAL_CLASS_POSITIVE; | |
| 121 | if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_CNAME) | |
| 122 | return VAL_CLASS_CNAME; | |
| 123 | } | |
| 124 | log_dns_msg("validator: error. failed to classify response message: ", | |
| 125 | qinf, rep); | |
| 126 | return VAL_CLASS_UNKNOWN; | |
| 127 | } | |
| 128 | ||
| 129 | /** Get signer name from RRSIG */ | |
| 130 | static void | |
| 131 | rrsig_get_signer(uint8_t* data, size_t len, uint8_t** sname, size_t* slen) | |
| 132 | { | |
| 133 | /* RRSIG rdata is not allowed to be compressed, it is stored | |
| 134 | * uncompressed in memory as well, so return a ptr to the name */ | |
| 135 | if(len < 21) { | |
| 136 | /* too short RRSig: | |
| 137 | * short, byte, byte, long, long, long, short, "." is | |
| 138 | * 2 1 1 4 4 4 2 1 = 19 | |
| 139 | * and a skip of 18 bytes to the name. | |
| 140 | * +2 for the rdatalen is 21 bytes len for root label */ | |
| 141 | *sname = NULL; | |
| 142 | *slen = 0; | |
| 143 | return; | |
| 144 | } | |
| 145 | data += 20; /* skip the fixed size bits */ | |
| 146 | len -= 20; | |
| 147 | *slen = dname_valid(data, len); | |
| 148 | if(!*slen) { | |
| 149 | /* bad dname in this rrsig. */ | |
| 150 | *sname = NULL; | |
| 151 | return; | |
| 152 | } | |
| 153 | *sname = data; | |
| 154 | } | |
| 155 | ||
| 156 | void | |
| 157 | val_find_rrset_signer(struct ub_packed_rrset_key* rrset, uint8_t** sname, | |
| 158 | size_t* slen) | |
| 159 | { | |
| 160 | struct packed_rrset_data* d = (struct packed_rrset_data*) | |
| 161 | rrset->entry.data; | |
| 162 | /* return signer for first signature, or NULL */ | |
| 163 | if(d->rrsig_count == 0) { | |
| 164 | *sname = NULL; | |
| 165 | *slen = 0; | |
| 166 | return; | |
| 167 | } | |
| 168 | /* get rrsig signer name out of the signature */ | |
| 169 | rrsig_get_signer(d->rr_data[d->count], d->rr_len[d->count], | |
| 170 | sname, slen); | |
| 171 | } | |
| 172 | ||
| 173 | /** | |
| 174 | * Find best signer name in this set of rrsigs. | |
| 175 | * @param rrset: which rrsigs to look through. | |
| 176 | * @param qinf: the query name that needs validation. | |
| 177 | * @param signer_name: the best signer_name. Updated if a better one is found. | |
| 178 | * @param signer_len: length of signer name. | |
| 179 | * @param matchcount: count of current best name (starts at 0 for no match). | |
| 180 | * Updated if match is improved. | |
| 181 | */ | |
| 182 | static void | |
| 183 | val_find_best_signer(struct ub_packed_rrset_key* rrset, | |
| 184 | struct query_info* qinf, uint8_t** signer_name, size_t* signer_len, | |
| 185 | int* matchcount) | |
| 186 | { | |
| 187 | struct packed_rrset_data* d = (struct packed_rrset_data*) | |
| 188 | rrset->entry.data; | |
| 189 | uint8_t* sign; | |
| 190 | size_t i; | |
| 191 | int m; | |
| 192 | for(i=d->count; i<d->count+d->rrsig_count; i++) { | |
| 193 | sign = d->rr_data[i]+2+18; | |
| 194 | /* look at signatures that are valid (long enough), | |
| 195 | * and have a signer name that is a superdomain of qname, | |
| 196 | * and then check the number of labels in the shared topdomain | |
| 197 | * improve the match if possible */ | |
| 198 | if(d->rr_len[i] > 2+19 && /* rdata, sig + root label*/ | |
| 199 | dname_subdomain_c(qinf->qname, sign)) { | |
| 200 | (void)dname_lab_cmp(qinf->qname, | |
| 201 | dname_count_labels(qinf->qname), | |
| 202 | sign, dname_count_labels(sign), &m); | |
| 203 | if(m > *matchcount) { | |
| 204 | *matchcount = m; | |
| 205 | *signer_name = sign; | |
| 206 | (void)dname_count_size_labels(*signer_name, | |
| 207 | signer_len); | |
| 208 | } | |
| 209 | } | |
| 210 | } | |
| 211 | } | |
| 212 | ||
| 213 | void | |
| 214 | val_find_signer(enum val_classification subtype, struct query_info* qinf, | |
| 215 | struct reply_info* rep, size_t skip, uint8_t** signer_name, | |
| 216 | size_t* signer_len) | |
| 217 | { | |
| 218 | size_t i; | |
| 219 | ||
| 220 | if(subtype == VAL_CLASS_POSITIVE || subtype == VAL_CLASS_ANY) { | |
| 221 | /* check for the answer rrset */ | |
| 222 | for(i=skip; i<rep->an_numrrsets; i++) { | |
| 223 | if(query_dname_compare(qinf->qname, | |
| 224 | rep->rrsets[i]->rk.dname) == 0) { | |
| 225 | val_find_rrset_signer(rep->rrsets[i], | |
| 226 | signer_name, signer_len); | |
| 227 | return; | |
| 228 | } | |
| 229 | } | |
| 230 | *signer_name = NULL; | |
| 231 | *signer_len = 0; | |
| 232 | } else if(subtype == VAL_CLASS_CNAME) { | |
| 233 | /* check for the first signed cname/dname rrset */ | |
| 234 | for(i=skip; i<rep->an_numrrsets; i++) { | |
| 235 | val_find_rrset_signer(rep->rrsets[i], | |
| 236 | signer_name, signer_len); | |
| 237 | if(*signer_name) | |
| 238 | return; | |
| 239 | if(ntohs(rep->rrsets[i]->rk.type) != LDNS_RR_TYPE_DNAME) | |
| 240 | break; /* only check CNAME after a DNAME */ | |
| 241 | } | |
| 242 | *signer_name = NULL; | |
| 243 | *signer_len = 0; | |
| 244 | } else if(subtype == VAL_CLASS_NAMEERROR | |
| 245 | || subtype == VAL_CLASS_NODATA) { | |
| 246 | /*Check to see if the AUTH section NSEC record(s) have rrsigs*/ | |
| 247 | for(i=rep->an_numrrsets; i< | |
| 248 | rep->an_numrrsets+rep->ns_numrrsets; i++) { | |
| 249 | if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NSEC | |
| 250 | || ntohs(rep->rrsets[i]->rk.type) == | |
| 251 | LDNS_RR_TYPE_NSEC3) { | |
| 252 | val_find_rrset_signer(rep->rrsets[i], | |
| 253 | signer_name, signer_len); | |
| 254 | return; | |
| 255 | } | |
| 256 | } | |
| 257 | } else if(subtype == VAL_CLASS_CNAMENOANSWER) { | |
| 258 | /* find closest superdomain signer name in authority section | |
| 259 | * NSEC and NSEC3s */ | |
| 260 | int matchcount = 0; | |
| 261 | *signer_name = NULL; | |
| 262 | *signer_len = 0; | |
| 263 | for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep-> | |
| 264 | ns_numrrsets; i++) { | |
| 265 | if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NSEC | |
| 266 | || ntohs(rep->rrsets[i]->rk.type) == | |
| 267 | LDNS_RR_TYPE_NSEC3) { | |
| 268 | val_find_best_signer(rep->rrsets[i], qinf, | |
| 269 | signer_name, signer_len, &matchcount); | |
| 270 | } | |
| 271 | } | |
| 272 | } else if(subtype == VAL_CLASS_REFERRAL) { | |
| 273 | /* find keys for the item at skip */ | |
| 274 | if(skip < rep->rrset_count) { | |
| 275 | val_find_rrset_signer(rep->rrsets[skip], | |
| 276 | signer_name, signer_len); | |
| 277 | return; | |
| 278 | } | |
| 279 | *signer_name = NULL; | |
| 280 | *signer_len = 0; | |
| 281 | } else { | |
| 282 | verbose(VERB_QUERY, "find_signer: could not find signer name" | |
| 283 | " for unknown type response"); | |
| 284 | *signer_name = NULL; | |
| 285 | *signer_len = 0; | |
| 286 | } | |
| 287 | } | |
| 288 | ||
| 289 | /** return number of rrs in an rrset */ | |
| 290 | static size_t | |
| 291 | rrset_get_count(struct ub_packed_rrset_key* rrset) | |
| 292 | { | |
| 293 | struct packed_rrset_data* d = (struct packed_rrset_data*) | |
| 294 | rrset->entry.data; | |
| 295 | if(!d) return 0; | |
| 296 | return d->count; | |
| 297 | } | |
| 298 | ||
| 299 | /** return TTL of rrset */ | |
| 300 | static uint32_t | |
| 301 | rrset_get_ttl(struct ub_packed_rrset_key* rrset) | |
| 302 | { | |
| 303 | struct packed_rrset_data* d = (struct packed_rrset_data*) | |
| 304 | rrset->entry.data; | |
| 305 | if(!d) return 0; | |
| 306 | return d->ttl; | |
| 307 | } | |
| 308 | ||
| 309 | enum sec_status | |
| 310 | val_verify_rrset(struct module_env* env, struct val_env* ve, | |
| 311 | struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* keys, | |
| 312 | uint8_t* sigalg, char** reason) | |
| 313 | { | |
| 314 | enum sec_status sec; | |
| 315 | struct packed_rrset_data* d = (struct packed_rrset_data*)rrset-> | |
| 316 | entry.data; | |
| 317 | if(d->security == sec_status_secure) { | |
| 318 | /* re-verify all other statuses, because keyset may change*/ | |
| 319 | log_nametypeclass(VERB_ALGO, "verify rrset cached", | |
| 320 | rrset->rk.dname, ntohs(rrset->rk.type), | |
| 321 | ntohs(rrset->rk.rrset_class)); | |
| 322 | return d->security; | |
| 323 | } | |
| 324 | /* check in the cache if verification has already been done */ | |
| 325 | rrset_check_sec_status(env->rrset_cache, rrset, *env->now); | |
| 326 | if(d->security == sec_status_secure) { | |
| 327 | log_nametypeclass(VERB_ALGO, "verify rrset from cache", | |
| 328 | rrset->rk.dname, ntohs(rrset->rk.type), | |
| 329 | ntohs(rrset->rk.rrset_class)); | |
| 330 | return d->security; | |
| 331 | } | |
| 332 | log_nametypeclass(VERB_ALGO, "verify rrset", rrset->rk.dname, | |
| 333 | ntohs(rrset->rk.type), ntohs(rrset->rk.rrset_class)); | |
| 334 | sec = dnskeyset_verify_rrset(env, ve, rrset, keys, sigalg, reason); | |
| 335 | verbose(VERB_ALGO, "verify result: %s", sec_status_to_string(sec)); | |
| 336 | regional_free_all(env->scratch); | |
| 337 | ||
| 338 | /* update rrset security status | |
| 339 | * only improves security status | |
| 340 | * and bogus is set only once, even if we rechecked the status */ | |
| 341 | if(sec > d->security) { | |
| 342 | d->security = sec; | |
| 343 | if(sec == sec_status_secure) | |
| 344 | d->trust = rrset_trust_validated; | |
| 345 | else if(sec == sec_status_bogus) { | |
| 346 | size_t i; | |
| 347 | /* update ttl for rrset to fixed value. */ | |
| 348 | d->ttl = ve->bogus_ttl; | |
| 349 | for(i=0; i<d->count+d->rrsig_count; i++) | |
| 350 | d->rr_ttl[i] = ve->bogus_ttl; | |
| 351 | /* leave RR specific TTL: not used for determine | |
| 352 | * if RRset timed out and clients see proper value. */ | |
| 353 | lock_basic_lock(&ve->bogus_lock); | |
| 354 | ve->num_rrset_bogus++; | |
| 355 | lock_basic_unlock(&ve->bogus_lock); | |
| 356 | } | |
| 357 | /* if status updated - store in cache for reuse */ | |
| 358 | rrset_update_sec_status(env->rrset_cache, rrset, *env->now); | |
| 359 | } | |
| 360 | ||
| 361 | return sec; | |
| 362 | } | |
| 363 | ||
| 364 | enum sec_status | |
| 365 | val_verify_rrset_entry(struct module_env* env, struct val_env* ve, | |
| 366 | struct ub_packed_rrset_key* rrset, struct key_entry_key* kkey, | |
| 367 | char** reason) | |
| 368 | { | |
| 369 | /* temporary dnskey rrset-key */ | |
| 370 | struct ub_packed_rrset_key dnskey; | |
| 371 | struct key_entry_data* kd = (struct key_entry_data*)kkey->entry.data; | |
| 372 | enum sec_status sec; | |
| 373 | dnskey.rk.type = htons(kd->rrset_type); | |
| 374 | dnskey.rk.rrset_class = htons(kkey->key_class); | |
| 375 | dnskey.rk.flags = 0; | |
| 376 | dnskey.rk.dname = kkey->name; | |
| 377 | dnskey.rk.dname_len = kkey->namelen; | |
| 378 | dnskey.entry.key = &dnskey; | |
| 379 | dnskey.entry.data = kd->rrset_data; | |
| 380 | sec = val_verify_rrset(env, ve, rrset, &dnskey, kd->algo, reason); | |
| 381 | return sec; | |
| 382 | } | |
| 383 | ||
| 384 | /** verify that a DS RR hashes to a key and that key signs the set */ | |
| 385 | static enum sec_status | |
| 386 | verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve, | |
| 387 | struct ub_packed_rrset_key* dnskey_rrset, | |
| 388 | struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, char** reason) | |
| 389 | { | |
| 390 | enum sec_status sec = sec_status_bogus; | |
| 391 | size_t i, num, numchecked = 0, numhashok = 0; | |
| 392 | num = rrset_get_count(dnskey_rrset); | |
| 393 | for(i=0; i<num; i++) { | |
| 394 | /* Skip DNSKEYs that don't match the basic criteria. */ | |
| 395 | if(ds_get_key_algo(ds_rrset, ds_idx) | |
| 396 | != dnskey_get_algo(dnskey_rrset, i) | |
| 397 | || dnskey_calc_keytag(dnskey_rrset, i) | |
| 398 | != ds_get_keytag(ds_rrset, ds_idx)) { | |
| 399 | continue; | |
| 400 | } | |
| 401 | numchecked++; | |
| 402 | verbose(VERB_ALGO, "attempt DS match algo %d keytag %d", | |
| 403 | ds_get_key_algo(ds_rrset, ds_idx), | |
| 404 | ds_get_keytag(ds_rrset, ds_idx)); | |
| 405 | ||
| 406 | /* Convert the candidate DNSKEY into a hash using the | |
| 407 | * same DS hash algorithm. */ | |
| 408 | if(!ds_digest_match_dnskey(env, dnskey_rrset, i, ds_rrset, | |
| 409 | ds_idx)) { | |
| 410 | verbose(VERB_ALGO, "DS match attempt failed"); | |
| 411 | continue; | |
| 412 | } | |
| 413 | numhashok++; | |
| 414 | verbose(VERB_ALGO, "DS match digest ok, trying signature"); | |
| 415 | ||
| 416 | /* Otherwise, we have a match! Make sure that the DNSKEY | |
| 417 | * verifies *with this key* */ | |
| 418 | sec = dnskey_verify_rrset(env, ve, dnskey_rrset, | |
| 419 | dnskey_rrset, i, reason); | |
| 420 | if(sec == sec_status_secure) { | |
| 421 | return sec; | |
| 422 | } | |
| 423 | /* If it didn't validate with the DNSKEY, try the next one! */ | |
| 424 | } | |
| 425 | if(numchecked == 0) | |
| 426 | algo_needs_reason(env, ds_get_key_algo(ds_rrset, ds_idx), | |
| 427 | reason, "no keys have a DS"); | |
| 428 | else if(numhashok == 0) | |
| 429 | *reason = "DS hash mismatches key"; | |
| 430 | else if(!*reason) | |
| 431 | *reason = "keyset not secured by DNSKEY that matches DS"; | |
| 432 | return sec_status_bogus; | |
| 433 | } | |
| 434 | ||
| 435 | int val_favorite_ds_algo(struct ub_packed_rrset_key* ds_rrset) | |
| 436 | { | |
| 437 | size_t i, num = rrset_get_count(ds_rrset); | |
| 438 | int d, digest_algo = 0; /* DS digest algo 0 is not used. */ | |
| 439 | /* find favorite algo, for now, highest number supported */ | |
| 440 | for(i=0; i<num; i++) { | |
| 441 | if(!ds_digest_algo_is_supported(ds_rrset, i) || | |
| 442 | !ds_key_algo_is_supported(ds_rrset, i)) { | |
| 443 | continue; | |
| 444 | } | |
| 445 | d = ds_get_digest_algo(ds_rrset, i); | |
| 446 | if(d > digest_algo) | |
| 447 | digest_algo = d; | |
| 448 | } | |
| 449 | return digest_algo; | |
| 450 | } | |
| 451 | ||
| 452 | enum sec_status | |
| 453 | val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve, | |
| 454 | struct ub_packed_rrset_key* dnskey_rrset, | |
| 455 | struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason) | |
| 456 | { | |
| 457 | /* as long as this is false, we can consider this DS rrset to be | |
| 458 | * equivalent to no DS rrset. */ | |
| 459 | int has_useful_ds = 0, digest_algo, alg; | |
| 460 | struct algo_needs needs; | |
| 461 | size_t i, num; | |
| 462 | enum sec_status sec; | |
| 463 | ||
| 464 | if(dnskey_rrset->rk.dname_len != ds_rrset->rk.dname_len || | |
| 465 | query_dname_compare(dnskey_rrset->rk.dname, ds_rrset->rk.dname) | |
| 466 | != 0) { | |
| 467 | verbose(VERB_QUERY, "DNSKEY RRset did not match DS RRset " | |
| 468 | "by name"); | |
| 469 | *reason = "DNSKEY RRset did not match DS RRset by name"; | |
| 470 | return sec_status_bogus; | |
| 471 | } | |
| 472 | ||
| 473 | digest_algo = val_favorite_ds_algo(ds_rrset); | |
| 474 | if(sigalg) | |
| 475 | algo_needs_init_ds(&needs, ds_rrset, digest_algo, sigalg); | |
| 476 | num = rrset_get_count(ds_rrset); | |
| 477 | for(i=0; i<num; i++) { | |
| 478 | /* Check to see if we can understand this DS. | |
| 479 | * And check it is the strongest digest */ | |
| 480 | if(!ds_digest_algo_is_supported(ds_rrset, i) || | |
| 481 | !ds_key_algo_is_supported(ds_rrset, i) || | |
| 482 | ds_get_digest_algo(ds_rrset, i) != digest_algo) { | |
| 483 | continue; | |
| 484 | } | |
| 485 | ||
| 486 | /* Once we see a single DS with a known digestID and | |
| 487 | * algorithm, we cannot return INSECURE (with a | |
| 488 | * "null" KeyEntry). */ | |
| 489 | has_useful_ds = 1; | |
| 490 | ||
| 491 | sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset, | |
| 492 | ds_rrset, i, reason); | |
| 493 | if(sec == sec_status_secure) { | |
| 494 | if(!sigalg || algo_needs_set_secure(&needs, | |
| 495 | (uint8_t)ds_get_key_algo(ds_rrset, i))) { | |
| 496 | verbose(VERB_ALGO, "DS matched DNSKEY."); | |
| 497 | return sec_status_secure; | |
| 498 | } | |
| 499 | } else if(sigalg && sec == sec_status_bogus) { | |
| 500 | algo_needs_set_bogus(&needs, | |
| 501 | (uint8_t)ds_get_key_algo(ds_rrset, i)); | |
| 502 | } | |
| 503 | } | |
| 504 | ||
| 505 | /* None of the DS's worked out. */ | |
| 506 | ||
| 507 | /* If no DSs were understandable, then this is OK. */ | |
| 508 | if(!has_useful_ds) { | |
| 509 | verbose(VERB_ALGO, "No usable DS records were found -- " | |
| 510 | "treating as insecure."); | |
| 511 | return sec_status_insecure; | |
| 512 | } | |
| 513 | /* If any were understandable, then it is bad. */ | |
| 514 | verbose(VERB_QUERY, "Failed to match any usable DS to a DNSKEY."); | |
| 515 | if(sigalg && (alg=algo_needs_missing(&needs)) != 0) { | |
| 516 | algo_needs_reason(env, alg, reason, "missing verification of " | |
| 517 | "DNSKEY signature"); | |
| 518 | } | |
| 519 | return sec_status_bogus; | |
| 520 | } | |
| 521 | ||
| 522 | struct key_entry_key* | |
| 523 | val_verify_new_DNSKEYs(struct regional* region, struct module_env* env, | |
| 524 | struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, | |
| 525 | struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason) | |
| 526 | { | |
| 527 | uint8_t sigalg[ALGO_NEEDS_MAX+1]; | |
| 528 | enum sec_status sec = val_verify_DNSKEY_with_DS(env, ve, | |
| 529 | dnskey_rrset, ds_rrset, downprot?sigalg:NULL, reason); | |
| 530 | ||
| 531 | if(sec == sec_status_secure) { | |
| 532 | return key_entry_create_rrset(region, | |
| 533 | ds_rrset->rk.dname, ds_rrset->rk.dname_len, | |
| 534 | ntohs(ds_rrset->rk.rrset_class), dnskey_rrset, | |
| 535 | downprot?sigalg:NULL, *env->now); | |
| 536 | } else if(sec == sec_status_insecure) { | |
| 537 | return key_entry_create_null(region, ds_rrset->rk.dname, | |
| 538 | ds_rrset->rk.dname_len, | |
| 539 | ntohs(ds_rrset->rk.rrset_class), | |
| 540 | rrset_get_ttl(ds_rrset), *env->now); | |
| 541 | } | |
| 542 | return key_entry_create_bad(region, ds_rrset->rk.dname, | |
| 543 | ds_rrset->rk.dname_len, ntohs(ds_rrset->rk.rrset_class), | |
| 544 | BOGUS_KEY_TTL, *env->now); | |
| 545 | } | |
| 546 | ||
| 547 | enum sec_status | |
| 548 | val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve, | |
| 549 | struct ub_packed_rrset_key* dnskey_rrset, | |
| 550 | struct ub_packed_rrset_key* ta_ds, | |
| 551 | struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason) | |
| 552 | { | |
| 553 | /* as long as this is false, we can consider this anchor to be | |
| 554 | * equivalent to no anchor. */ | |
| 555 | int has_useful_ta = 0, digest_algo = 0, alg; | |
| 556 | struct algo_needs needs; | |
| 557 | size_t i, num; | |
| 558 | enum sec_status sec; | |
| 559 | ||
| 560 | if(ta_ds && (dnskey_rrset->rk.dname_len != ta_ds->rk.dname_len || | |
| 561 | query_dname_compare(dnskey_rrset->rk.dname, ta_ds->rk.dname) | |
| 562 | != 0)) { | |
| 563 | verbose(VERB_QUERY, "DNSKEY RRset did not match DS RRset " | |
| 564 | "by name"); | |
| 565 | *reason = "DNSKEY RRset did not match DS RRset by name"; | |
| 566 | return sec_status_bogus; | |
| 567 | } | |
| 568 | if(ta_dnskey && (dnskey_rrset->rk.dname_len != ta_dnskey->rk.dname_len | |
| 569 | || query_dname_compare(dnskey_rrset->rk.dname, ta_dnskey->rk.dname) | |
| 570 | != 0)) { | |
| 571 | verbose(VERB_QUERY, "DNSKEY RRset did not match anchor RRset " | |
| 572 | "by name"); | |
| 573 | *reason = "DNSKEY RRset did not match anchor RRset by name"; | |
| 574 | return sec_status_bogus; | |
| 575 | } | |
| 576 | ||
| 577 | if(ta_ds) | |
| 578 | digest_algo = val_favorite_ds_algo(ta_ds); | |
| 579 | if(sigalg) { | |
| 580 | if(ta_ds) | |
| 581 | algo_needs_init_ds(&needs, ta_ds, digest_algo, sigalg); | |
| 582 | else memset(&needs, 0, sizeof(needs)); | |
| 583 | if(ta_dnskey) | |
| 584 | algo_needs_init_dnskey_add(&needs, ta_dnskey, sigalg); | |
| 585 | } | |
| 586 | if(ta_ds) { | |
| 587 | num = rrset_get_count(ta_ds); | |
| 588 | for(i=0; i<num; i++) { | |
| 589 | /* Check to see if we can understand this DS. | |
| 590 | * And check it is the strongest digest */ | |
| 591 | if(!ds_digest_algo_is_supported(ta_ds, i) || | |
| 592 | !ds_key_algo_is_supported(ta_ds, i) || | |
| 593 | ds_get_digest_algo(ta_ds, i) != digest_algo) | |
| 594 | continue; | |
| 595 | ||
| 596 | /* Once we see a single DS with a known digestID and | |
| 597 | * algorithm, we cannot return INSECURE (with a | |
| 598 | * "null" KeyEntry). */ | |
| 599 | has_useful_ta = 1; | |
| 600 | ||
| 601 | sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset, | |
| 602 | ta_ds, i, reason); | |
| 603 | if(sec == sec_status_secure) { | |
| 604 | if(!sigalg || algo_needs_set_secure(&needs, | |
| 605 | (uint8_t)ds_get_key_algo(ta_ds, i))) { | |
| 606 | verbose(VERB_ALGO, "DS matched DNSKEY."); | |
| 607 | return sec_status_secure; | |
| 608 | } | |
| 609 | } else if(sigalg && sec == sec_status_bogus) { | |
| 610 | algo_needs_set_bogus(&needs, | |
| 611 | (uint8_t)ds_get_key_algo(ta_ds, i)); | |
| 612 | } | |
| 613 | } | |
| 614 | } | |
| 615 | ||
| 616 | /* None of the DS's worked out: check the DNSKEYs. */ | |
| 617 | if(ta_dnskey) { | |
| 618 | num = rrset_get_count(ta_dnskey); | |
| 619 | for(i=0; i<num; i++) { | |
| 620 | /* Check to see if we can understand this DNSKEY */ | |
| 621 | if(!dnskey_algo_is_supported(ta_dnskey, i)) | |
| 622 | continue; | |
| 623 | ||
| 624 | /* we saw a useful TA */ | |
| 625 | has_useful_ta = 1; | |
| 626 | ||
| 627 | sec = dnskey_verify_rrset(env, ve, dnskey_rrset, | |
| 628 | ta_dnskey, i, reason); | |
| 629 | if(sec == sec_status_secure) { | |
| 630 | if(!sigalg || algo_needs_set_secure(&needs, | |
| 631 | (uint8_t)dnskey_get_algo(ta_dnskey, i))) { | |
| 632 | verbose(VERB_ALGO, "anchor matched DNSKEY."); | |
| 633 | return sec_status_secure; | |
| 634 | } | |
| 635 | } else if(sigalg && sec == sec_status_bogus) { | |
| 636 | algo_needs_set_bogus(&needs, | |
| 637 | (uint8_t)dnskey_get_algo(ta_dnskey, i)); | |
| 638 | } | |
| 639 | } | |
| 640 | } | |
| 641 | ||
| 642 | /* If no DSs were understandable, then this is OK. */ | |
| 643 | if(!has_useful_ta) { | |
| 644 | verbose(VERB_ALGO, "No usable trust anchors were found -- " | |
| 645 | "treating as insecure."); | |
| 646 | return sec_status_insecure; | |
| 647 | } | |
| 648 | /* If any were understandable, then it is bad. */ | |
| 649 | verbose(VERB_QUERY, "Failed to match any usable anchor to a DNSKEY."); | |
| 650 | if(sigalg && (alg=algo_needs_missing(&needs)) != 0) { | |
| 651 | algo_needs_reason(env, alg, reason, "missing verification of " | |
| 652 | "DNSKEY signature"); | |
| 653 | } | |
| 654 | return sec_status_bogus; | |
| 655 | } | |
| 656 | ||
| 657 | struct key_entry_key* | |
| 658 | val_verify_new_DNSKEYs_with_ta(struct regional* region, struct module_env* env, | |
| 659 | struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, | |
| 660 | struct ub_packed_rrset_key* ta_ds_rrset, | |
| 661 | struct ub_packed_rrset_key* ta_dnskey_rrset, int downprot, | |
| 662 | char** reason) | |
| 663 | { | |
| 664 | uint8_t sigalg[ALGO_NEEDS_MAX+1]; | |
| 665 | enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve, | |
| 666 | dnskey_rrset, ta_ds_rrset, ta_dnskey_rrset, | |
| 667 | downprot?sigalg:NULL, reason); | |
| 668 | ||
| 669 | if(sec == sec_status_secure) { | |
| 670 | return key_entry_create_rrset(region, | |
| 671 | dnskey_rrset->rk.dname, dnskey_rrset->rk.dname_len, | |
| 672 | ntohs(dnskey_rrset->rk.rrset_class), dnskey_rrset, | |
| 673 | downprot?sigalg:NULL, *env->now); | |
| 674 | } else if(sec == sec_status_insecure) { | |
| 675 | return key_entry_create_null(region, dnskey_rrset->rk.dname, | |
| 676 | dnskey_rrset->rk.dname_len, | |
| 677 | ntohs(dnskey_rrset->rk.rrset_class), | |
| 678 | rrset_get_ttl(dnskey_rrset), *env->now); | |
| 679 | } | |
| 680 | return key_entry_create_bad(region, dnskey_rrset->rk.dname, | |
| 681 | dnskey_rrset->rk.dname_len, ntohs(dnskey_rrset->rk.rrset_class), | |
| 682 | BOGUS_KEY_TTL, *env->now); | |
| 683 | } | |
| 684 | ||
| 685 | int | |
| 686 | val_dsset_isusable(struct ub_packed_rrset_key* ds_rrset) | |
| 687 | { | |
| 688 | size_t i; | |
| 689 | for(i=0; i<rrset_get_count(ds_rrset); i++) { | |
| 690 | if(ds_digest_algo_is_supported(ds_rrset, i) && | |
| 691 | ds_key_algo_is_supported(ds_rrset, i)) | |
| 692 | return 1; | |
| 693 | } | |
| 694 | return 0; | |
| 695 | } | |
| 696 | ||
| 697 | /** get label count for a signature */ | |
| 698 | static uint8_t | |
| 699 | rrsig_get_labcount(struct packed_rrset_data* d, size_t sig) | |
| 700 | { | |
| 701 | if(d->rr_len[sig] < 2+4) | |
| 702 | return 0; /* bad sig length */ | |
| 703 | return d->rr_data[sig][2+3]; | |
| 704 | } | |
| 705 | ||
| 706 | int | |
| 707 | val_rrset_wildcard(struct ub_packed_rrset_key* rrset, uint8_t** wc) | |
| 708 | { | |
| 709 | struct packed_rrset_data* d = (struct packed_rrset_data*)rrset-> | |
| 710 | entry.data; | |
| 711 | uint8_t labcount; | |
| 712 | int labdiff; | |
| 713 | uint8_t* wn; | |
| 714 | size_t i, wl; | |
| 715 | if(d->rrsig_count == 0) { | |
| 716 | return 1; | |
| 717 | } | |
| 718 | labcount = rrsig_get_labcount(d, d->count + 0); | |
| 719 | /* check rest of signatures identical */ | |
| 720 | for(i=1; i<d->rrsig_count; i++) { | |
| 721 | if(labcount != rrsig_get_labcount(d, d->count + i)) { | |
| 722 | return 0; | |
| 723 | } | |
| 724 | } | |
| 725 | /* OK the rrsigs check out */ | |
| 726 | /* if the RRSIG label count is shorter than the number of actual | |
| 727 | * labels, then this rrset was synthesized from a wildcard. | |
| 728 | * Note that the RRSIG label count doesn't count the root label. */ | |
| 729 | wn = rrset->rk.dname; | |
| 730 | wl = rrset->rk.dname_len; | |
| 731 | /* skip a leading wildcard label in the dname (RFC4035 2.2) */ | |
| 732 | if(dname_is_wild(wn)) { | |
| 733 | wn += 2; | |
| 734 | wl -= 2; | |
| 735 | } | |
| 736 | labdiff = (dname_count_labels(wn) - 1) - (int)labcount; | |
| 737 | if(labdiff > 0) { | |
| 738 | *wc = wn; | |
| 739 | dname_remove_labels(wc, &wl, labdiff); | |
| 740 | return 1; | |
| 741 | } | |
| 742 | return 1; | |
| 743 | } | |
| 744 | ||
| 745 | int | |
| 746 | val_chase_cname(struct query_info* qchase, struct reply_info* rep, | |
| 747 | size_t* cname_skip) { | |
| 748 | size_t i; | |
| 749 | /* skip any DNAMEs, go to the CNAME for next part */ | |
| 750 | for(i = *cname_skip; i < rep->an_numrrsets; i++) { | |
| 751 | if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_CNAME && | |
| 752 | query_dname_compare(qchase->qname, rep->rrsets[i]-> | |
| 753 | rk.dname) == 0) { | |
| 754 | qchase->qname = NULL; | |
| 755 | get_cname_target(rep->rrsets[i], &qchase->qname, | |
| 756 | &qchase->qname_len); | |
| 757 | if(!qchase->qname) | |
| 758 | return 0; /* bad CNAME rdata */ | |
| 759 | (*cname_skip) = i+1; | |
| 760 | return 1; | |
| 761 | } | |
| 762 | } | |
| 763 | return 0; /* CNAME classified but no matching CNAME ?! */ | |
| 764 | } | |
| 765 | ||
| 766 | /** see if rrset has signer name as one of the rrsig signers */ | |
| 767 | static int | |
| 768 | rrset_has_signer(struct ub_packed_rrset_key* rrset, uint8_t* name, size_t len) | |
| 769 | { | |
| 770 | struct packed_rrset_data* d = (struct packed_rrset_data*)rrset-> | |
| 771 | entry.data; | |
| 772 | size_t i; | |
| 773 | for(i = d->count; i< d->count+d->rrsig_count; i++) { | |
| 774 | if(d->rr_len[i] > 2+18+len) { | |
| 775 | /* at least rdatalen + signature + signame (+1 sig)*/ | |
| 776 | if(!dname_valid(d->rr_data[i]+2+18, d->rr_len[i]-2-18)) | |
| 777 | continue; | |
| 778 | if(query_dname_compare(name, d->rr_data[i]+2+18) == 0) | |
| 779 | { | |
| 780 | return 1; | |
| 781 | } | |
| 782 | } | |
| 783 | } | |
| 784 | return 0; | |
| 785 | } | |
| 786 | ||
| 787 | void | |
| 788 | val_fill_reply(struct reply_info* chase, struct reply_info* orig, | |
| 789 | size_t skip, uint8_t* name, size_t len, uint8_t* signer) | |
| 790 | { | |
| 791 | size_t i; | |
| 792 | int seen_dname = 0; | |
| 793 | chase->rrset_count = 0; | |
| 794 | chase->an_numrrsets = 0; | |
| 795 | chase->ns_numrrsets = 0; | |
| 796 | chase->ar_numrrsets = 0; | |
| 797 | /* ANSWER section */ | |
| 798 | for(i=skip; i<orig->an_numrrsets; i++) { | |
| 799 | if(!signer) { | |
| 800 | if(query_dname_compare(name, | |
| 801 | orig->rrsets[i]->rk.dname) == 0) | |
| 802 | chase->rrsets[chase->an_numrrsets++] = | |
| 803 | orig->rrsets[i]; | |
| 804 | } else if(seen_dname && ntohs(orig->rrsets[i]->rk.type) == | |
| 805 | LDNS_RR_TYPE_CNAME) { | |
| 806 | chase->rrsets[chase->an_numrrsets++] = orig->rrsets[i]; | |
| 807 | seen_dname = 0; | |
| 808 | } else if(rrset_has_signer(orig->rrsets[i], name, len)) { | |
| 809 | chase->rrsets[chase->an_numrrsets++] = orig->rrsets[i]; | |
| 810 | if(ntohs(orig->rrsets[i]->rk.type) == | |
| 811 | LDNS_RR_TYPE_DNAME) { | |
| 812 | seen_dname = 1; | |
| 813 | } | |
| 814 | } | |
| 815 | } | |
| 816 | /* AUTHORITY section */ | |
| 817 | for(i = (skip > orig->an_numrrsets)?skip:orig->an_numrrsets; | |
| 818 | i<orig->an_numrrsets+orig->ns_numrrsets; | |
| 819 | i++) { | |
| 820 | if(!signer) { | |
| 821 | if(query_dname_compare(name, | |
| 822 | orig->rrsets[i]->rk.dname) == 0) | |
| 823 | chase->rrsets[chase->an_numrrsets+ | |
| 824 | chase->ns_numrrsets++] = orig->rrsets[i]; | |
| 825 | } else if(rrset_has_signer(orig->rrsets[i], name, len)) { | |
| 826 | chase->rrsets[chase->an_numrrsets+ | |
| 827 | chase->ns_numrrsets++] = orig->rrsets[i]; | |
| 828 | } | |
| 829 | } | |
| 830 | /* ADDITIONAL section */ | |
| 831 | for(i= (skip>orig->an_numrrsets+orig->ns_numrrsets)? | |
| 832 | skip:orig->an_numrrsets+orig->ns_numrrsets; | |
| 833 | i<orig->rrset_count; i++) { | |
| 834 | if(!signer) { | |
| 835 | if(query_dname_compare(name, | |
| 836 | orig->rrsets[i]->rk.dname) == 0) | |
| 837 | chase->rrsets[chase->an_numrrsets | |
| 838 | +orig->ns_numrrsets+chase->ar_numrrsets++] | |
| 839 | = orig->rrsets[i]; | |
| 840 | } else if(rrset_has_signer(orig->rrsets[i], name, len)) { | |
| 841 | chase->rrsets[chase->an_numrrsets+orig->ns_numrrsets+ | |
| 842 | chase->ar_numrrsets++] = orig->rrsets[i]; | |
| 843 | } | |
| 844 | } | |
| 845 | chase->rrset_count = chase->an_numrrsets + chase->ns_numrrsets + | |
| 846 | chase->ar_numrrsets; | |
| 847 | } | |
| 848 | ||
| 849 | void | |
| 850 | val_check_nonsecure(struct val_env* ve, struct reply_info* rep) | |
| 851 | { | |
| 852 | size_t i; | |
| 853 | /* authority */ | |
| 854 | for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++) { | |
| 855 | if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data) | |
| 856 | ->security != sec_status_secure) { | |
| 857 | /* because we want to return the authentic original | |
| 858 | * message when presented with CD-flagged queries, | |
| 859 | * we need to preserve AUTHORITY section data. | |
| 860 | * However, this rrset is not signed or signed | |
| 861 | * with the wrong keys. Validation has tried to | |
| 862 | * verify this rrset with the keysets of import. | |
| 863 | * But this rrset did not verify. | |
| 864 | * Therefore the message is bogus. | |
| 865 | */ | |
| 866 | ||
| 867 | /* check if authority consists of only an NS record | |
| 868 | * which is bad, and there is an answer section with | |
| 869 | * data. In that case, delete NS and additional to | |
| 870 | * be lenient and make a minimal response */ | |
| 871 | if(rep->an_numrrsets != 0 && rep->ns_numrrsets == 1 && | |
| 872 | ntohs(rep->rrsets[i]->rk.type) | |
| 873 | == LDNS_RR_TYPE_NS) { | |
| 874 | verbose(VERB_ALGO, "truncate to minimal"); | |
| 875 | rep->ns_numrrsets = 0; | |
| 876 | rep->ar_numrrsets = 0; | |
| 877 | rep->rrset_count = rep->an_numrrsets; | |
| 878 | return; | |
| 879 | } | |
| 880 | ||
| 881 | log_nametypeclass(VERB_QUERY, "message is bogus, " | |
| 882 | "non secure rrset", | |
| 883 | rep->rrsets[i]->rk.dname, | |
| 884 | ntohs(rep->rrsets[i]->rk.type), | |
| 885 | ntohs(rep->rrsets[i]->rk.rrset_class)); | |
| 886 | rep->security = sec_status_bogus; | |
| 887 | return; | |
| 888 | } | |
| 889 | } | |
| 890 | /* additional */ | |
| 891 | if(!ve->clean_additional) | |
| 892 | return; | |
| 893 | for(i=rep->an_numrrsets+rep->ns_numrrsets; i<rep->rrset_count; i++) { | |
| 894 | if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data) | |
| 895 | ->security != sec_status_secure) { | |
| 896 | /* This does not cause message invalidation. It was | |
| 897 | * simply unsigned data in the additional. The | |
| 898 | * RRSIG must have been truncated off the message. | |
| 899 | * | |
| 900 | * However, we do not want to return possible bogus | |
| 901 | * data to clients that rely on this service for | |
| 902 | * their authentication. | |
| 903 | */ | |
| 904 | /* remove this unneeded additional rrset */ | |
| 905 | memmove(rep->rrsets+i, rep->rrsets+i+1, | |
| 906 | sizeof(struct ub_packed_rrset_key*)* | |
| 907 | (rep->rrset_count - i - 1)); | |
| 908 | rep->ar_numrrsets--; | |
| 909 | rep->rrset_count--; | |
| 910 | i--; | |
| 911 | } | |
| 912 | } | |
| 913 | } | |
| 914 | ||
| 915 | /** check no anchor and unlock */ | |
| 916 | static int | |
| 917 | check_no_anchor(struct val_anchors* anchors, uint8_t* nm, size_t l, uint16_t c) | |
| 918 | { | |
| 919 | struct trust_anchor* ta; | |
| 920 | if((ta=anchors_lookup(anchors, nm, l, c))) { | |
| 921 | lock_basic_unlock(&ta->lock); | |
| 922 | } | |
| 923 | return !ta; | |
| 924 | } | |
| 925 | ||
| 926 | void | |
| 927 | val_mark_indeterminate(struct reply_info* rep, struct val_anchors* anchors, | |
| 928 | struct rrset_cache* r, struct module_env* env) | |
| 929 | { | |
| 930 | size_t i; | |
| 931 | struct packed_rrset_data* d; | |
| 932 | for(i=0; i<rep->rrset_count; i++) { | |
| 933 | d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data; | |
| 934 | if(d->security == sec_status_unchecked && | |
| 935 | check_no_anchor(anchors, rep->rrsets[i]->rk.dname, | |
| 936 | rep->rrsets[i]->rk.dname_len, | |
| 937 | ntohs(rep->rrsets[i]->rk.rrset_class))) | |
| 938 | { | |
| 939 | /* mark as indeterminate */ | |
| 940 | d->security = sec_status_indeterminate; | |
| 941 | rrset_update_sec_status(r, rep->rrsets[i], *env->now); | |
| 942 | } | |
| 943 | } | |
| 944 | } | |
| 945 | ||
| 946 | void | |
| 947 | val_mark_insecure(struct reply_info* rep, uint8_t* kname, | |
| 948 | struct rrset_cache* r, struct module_env* env) | |
| 949 | { | |
| 950 | size_t i; | |
| 951 | struct packed_rrset_data* d; | |
| 952 | for(i=0; i<rep->rrset_count; i++) { | |
| 953 | d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data; | |
| 954 | if(d->security == sec_status_unchecked && | |
| 955 | dname_subdomain_c(rep->rrsets[i]->rk.dname, kname)) { | |
| 956 | /* mark as insecure */ | |
| 957 | d->security = sec_status_insecure; | |
| 958 | rrset_update_sec_status(r, rep->rrsets[i], *env->now); | |
| 959 | } | |
| 960 | } | |
| 961 | } | |
| 962 | ||
| 963 | size_t | |
| 964 | val_next_unchecked(struct reply_info* rep, size_t skip) | |
| 965 | { | |
| 966 | size_t i; | |
| 967 | struct packed_rrset_data* d; | |
| 968 | for(i=skip+1; i<rep->rrset_count; i++) { | |
| 969 | d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data; | |
| 970 | if(d->security == sec_status_unchecked) { | |
| 971 | return i; | |
| 972 | } | |
| 973 | } | |
| 974 | return rep->rrset_count; | |
| 975 | } | |
| 976 | ||
| 977 | const char* | |
| 978 | val_classification_to_string(enum val_classification subtype) | |
| 979 | { | |
| 980 | switch(subtype) { | |
| 981 | case VAL_CLASS_UNTYPED: return "untyped"; | |
| 982 | case VAL_CLASS_UNKNOWN: return "unknown"; | |
| 983 | case VAL_CLASS_POSITIVE: return "positive"; | |
| 984 | case VAL_CLASS_CNAME: return "cname"; | |
| 985 | case VAL_CLASS_NODATA: return "nodata"; | |
| 986 | case VAL_CLASS_NAMEERROR: return "nameerror"; | |
| 987 | case VAL_CLASS_CNAMENOANSWER: return "cnamenoanswer"; | |
| 988 | case VAL_CLASS_REFERRAL: return "referral"; | |
| 989 | case VAL_CLASS_ANY: return "qtype_any"; | |
| 990 | default: | |
| 991 | return "bad_val_classification"; | |
| 992 | } | |
| 993 | } | |
| 994 | ||
| 995 | /** log a sock_list entry */ | |
| 996 | static void | |
| 997 | sock_list_logentry(enum verbosity_value v, const char* s, struct sock_list* p) | |
| 998 | { | |
| 999 | if(p->len) | |
| 1000 | log_addr(v, s, &p->addr, p->len); | |
| 1001 | else verbose(v, "%s cache", s); | |
| 1002 | } | |
| 1003 | ||
| 1004 | void val_blacklist(struct sock_list** blacklist, struct regional* region, | |
| 1005 | struct sock_list* origin, int cross) | |
| 1006 | { | |
| 1007 | /* debug printout */ | |
| 1008 | if(verbosity >= VERB_ALGO) { | |
| 1009 | struct sock_list* p; | |
| 1010 | for(p=*blacklist; p; p=p->next) | |
| 1011 | sock_list_logentry(VERB_ALGO, "blacklist", p); | |
| 1012 | if(!origin) | |
| 1013 | verbose(VERB_ALGO, "blacklist add: cache"); | |
| 1014 | for(p=origin; p; p=p->next) | |
| 1015 | sock_list_logentry(VERB_ALGO, "blacklist add", p); | |
| 1016 | } | |
| 1017 | /* blacklist the IPs or the cache */ | |
| 1018 | if(!origin) { | |
| 1019 | /* only add if nothing there. anything else also stops cache*/ | |
| 1020 | if(!*blacklist) | |
| 1021 | sock_list_insert(blacklist, NULL, 0, region); | |
| 1022 | } else if(!cross) | |
| 1023 | sock_list_prepend(blacklist, origin); | |
| 1024 | else sock_list_merge(blacklist, region, origin); | |
| 1025 | } | |
| 1026 | ||
| 1027 | int val_has_signed_nsecs(struct reply_info* rep, char** reason) | |
| 1028 | { | |
| 1029 | size_t i, num_nsec = 0, num_nsec3 = 0; | |
| 1030 | struct packed_rrset_data* d; | |
| 1031 | for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++) { | |
| 1032 | if(rep->rrsets[i]->rk.type == htons(LDNS_RR_TYPE_NSEC)) | |
| 1033 | num_nsec++; | |
| 1034 | else if(rep->rrsets[i]->rk.type == htons(LDNS_RR_TYPE_NSEC3)) | |
| 1035 | num_nsec3++; | |
| 1036 | else continue; | |
| 1037 | d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data; | |
| 1038 | if(d && d->rrsig_count != 0) { | |
| 1039 | return 1; | |
| 1040 | } | |
| 1041 | } | |
| 1042 | if(num_nsec == 0 && num_nsec3 == 0) | |
| 1043 | *reason = "no DNSSEC records"; | |
| 1044 | else if(num_nsec != 0) | |
| 1045 | *reason = "no signatures over NSECs"; | |
| 1046 | else *reason = "no signatures over NSEC3s"; | |
| 1047 | return 0; | |
| 1048 | } | |
| 1049 | ||
| 1050 | struct dns_msg* | |
| 1051 | val_find_DS(struct module_env* env, uint8_t* nm, size_t nmlen, uint16_t c, | |
| 1052 | struct regional* region, uint8_t* topname) | |
| 1053 | { | |
| 1054 | struct dns_msg* msg; | |
| 1055 | struct query_info qinfo; | |
| 1056 | struct ub_packed_rrset_key *rrset = rrset_cache_lookup( | |
| 1057 | env->rrset_cache, nm, nmlen, LDNS_RR_TYPE_DS, c, 0, | |
| 1058 | *env->now, 0); | |
| 1059 | if(rrset) { | |
| 1060 | /* DS rrset exists. Return it to the validator immediately*/ | |
| 1061 | struct ub_packed_rrset_key* copy = packed_rrset_copy_region( | |
| 1062 | rrset, region, *env->now); | |
| 1063 | lock_rw_unlock(&rrset->entry.lock); | |
| 1064 | if(!copy) | |
| 1065 | return NULL; | |
| 1066 | msg = dns_msg_create(nm, nmlen, LDNS_RR_TYPE_DS, c, region, 1); | |
| 1067 | if(!msg) | |
| 1068 | return NULL; | |
| 1069 | msg->rep->rrsets[0] = copy; | |
| 1070 | msg->rep->rrset_count++; | |
| 1071 | msg->rep->an_numrrsets++; | |
| 1072 | return msg; | |
| 1073 | } | |
| 1074 | /* lookup in rrset and negative cache for NSEC/NSEC3 */ | |
| 1075 | qinfo.qname = nm; | |
| 1076 | qinfo.qname_len = nmlen; | |
| 1077 | qinfo.qtype = LDNS_RR_TYPE_DS; | |
| 1078 | qinfo.qclass = c; | |
| 1079 | /* do not add SOA to reply message, it is going to be used internal */ | |
| 1080 | msg = val_neg_getmsg(env->neg_cache, &qinfo, region, env->rrset_cache, | |
| 1081 | env->scratch_buffer, *env->now, 0, topname); | |
| 1082 | return msg; | |
| 1083 | } |