1 /*
2 * validator/val_utils.c - validator utility functions.
3 *
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 *
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35
36 /**
37 * \file
38 *
39 * This file contains helper functions for the validator module.
40 */
41 #include "config.h"
42 #include "validator/val_utils.h"
43 #include "validator/validator.h"
44 #include "validator/val_kentry.h"
45 #include "validator/val_sigcrypt.h"
46 #include "validator/val_anchor.h"
47 #include "validator/val_nsec.h"
48 #include "validator/val_neg.h"
49 #include "services/cache/rrset.h"
50 #include "services/cache/dns.h"
51 #include "util/data/msgreply.h"
52 #include "util/data/packed_rrset.h"
53 #include "util/data/dname.h"
54 #include "util/net_help.h"
55 #include "util/module.h"
56 #include "util/regional.h"
57 #include "util/config_file.h"
58 #include "sldns/wire2str.h"
59 #include "sldns/parseutil.h"
60
61 enum val_classification
val_classify_response(uint16_t query_flags,struct query_info * origqinf,struct query_info * qinf,struct reply_info * rep,size_t skip)62 val_classify_response(uint16_t query_flags, struct query_info* origqinf,
63 struct query_info* qinf, struct reply_info* rep, size_t skip)
64 {
65 int rcode = (int)FLAGS_GET_RCODE(rep->flags);
66 size_t i;
67
68 /* Normal Name Error's are easy to detect -- but don't mistake a CNAME
69 * chain ending in NXDOMAIN. */
70 if(rcode == LDNS_RCODE_NXDOMAIN && rep->an_numrrsets == 0)
71 return VAL_CLASS_NAMEERROR;
72
73 /* check for referral: nonRD query and it looks like a nodata */
74 if(!(query_flags&BIT_RD) && rep->an_numrrsets == 0 &&
75 rcode == LDNS_RCODE_NOERROR) {
76 /* SOA record in auth indicates it is NODATA instead.
77 * All validation requiring NODATA messages have SOA in
78 * authority section. */
79 /* uses fact that answer section is empty */
80 int saw_ns = 0;
81 for(i=0; i<rep->ns_numrrsets; i++) {
82 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_SOA)
83 return VAL_CLASS_NODATA;
84 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_DS)
85 return VAL_CLASS_REFERRAL;
86 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NS)
87 saw_ns = 1;
88 }
89 return saw_ns?VAL_CLASS_REFERRAL:VAL_CLASS_NODATA;
90 }
91 /* root referral where NS set is in the answer section */
92 if(!(query_flags&BIT_RD) && rep->ns_numrrsets == 0 &&
93 rep->an_numrrsets == 1 && rcode == LDNS_RCODE_NOERROR &&
94 ntohs(rep->rrsets[0]->rk.type) == LDNS_RR_TYPE_NS &&
95 query_dname_compare(rep->rrsets[0]->rk.dname,
96 origqinf->qname) != 0)
97 return VAL_CLASS_REFERRAL;
98
99 /* dump bad messages */
100 if(rcode != LDNS_RCODE_NOERROR && rcode != LDNS_RCODE_NXDOMAIN)
101 return VAL_CLASS_UNKNOWN;
102 /* next check if the skip into the answer section shows no answer */
103 if(skip>0 && rep->an_numrrsets <= skip)
104 return VAL_CLASS_CNAMENOANSWER;
105
106 /* Next is NODATA */
107 if(rcode == LDNS_RCODE_NOERROR && rep->an_numrrsets == 0)
108 return VAL_CLASS_NODATA;
109
110 /* We distinguish between CNAME response and other positive/negative
111 * responses because CNAME answers require extra processing. */
112
113 /* We distinguish between ANY and CNAME or POSITIVE because
114 * ANY responses are validated differently. */
115 if(rcode == LDNS_RCODE_NOERROR && qinf->qtype == LDNS_RR_TYPE_ANY)
116 return VAL_CLASS_ANY;
117
118 /* Note that DNAMEs will be ignored here, unless qtype=DNAME. Unless
119 * qtype=CNAME, this will yield a CNAME response. */
120 for(i=skip; i<rep->an_numrrsets; i++) {
121 if(rcode == LDNS_RCODE_NOERROR &&
122 ntohs(rep->rrsets[i]->rk.type) == qinf->qtype)
123 return VAL_CLASS_POSITIVE;
124 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_CNAME)
125 return VAL_CLASS_CNAME;
126 }
127 log_dns_msg("validator: error. failed to classify response message: ",
128 qinf, rep);
129 return VAL_CLASS_UNKNOWN;
130 }
131
132 /** Get signer name from RRSIG */
133 static void
rrsig_get_signer(uint8_t * data,size_t len,uint8_t ** sname,size_t * slen)134 rrsig_get_signer(uint8_t* data, size_t len, uint8_t** sname, size_t* slen)
135 {
136 /* RRSIG rdata is not allowed to be compressed, it is stored
137 * uncompressed in memory as well, so return a ptr to the name */
138 if(len < 21) {
139 /* too short RRSig:
140 * short, byte, byte, long, long, long, short, "." is
141 * 2 1 1 4 4 4 2 1 = 19
142 * and a skip of 18 bytes to the name.
143 * +2 for the rdatalen is 21 bytes len for root label */
144 *sname = NULL;
145 *slen = 0;
146 return;
147 }
148 data += 20; /* skip the fixed size bits */
149 len -= 20;
150 *slen = dname_valid(data, len);
151 if(!*slen) {
152 /* bad dname in this rrsig. */
153 *sname = NULL;
154 return;
155 }
156 *sname = data;
157 }
158
159 void
val_find_rrset_signer(struct ub_packed_rrset_key * rrset,uint8_t ** sname,size_t * slen)160 val_find_rrset_signer(struct ub_packed_rrset_key* rrset, uint8_t** sname,
161 size_t* slen)
162 {
163 struct packed_rrset_data* d = (struct packed_rrset_data*)
164 rrset->entry.data;
165 /* return signer for first signature, or NULL */
166 if(d->rrsig_count == 0) {
167 *sname = NULL;
168 *slen = 0;
169 return;
170 }
171 /* get rrsig signer name out of the signature */
172 rrsig_get_signer(d->rr_data[d->count], d->rr_len[d->count],
173 sname, slen);
174 }
175
176 /**
177 * Find best signer name in this set of rrsigs.
178 * @param rrset: which rrsigs to look through.
179 * @param qinf: the query name that needs validation.
180 * @param signer_name: the best signer_name. Updated if a better one is found.
181 * @param signer_len: length of signer name.
182 * @param matchcount: count of current best name (starts at 0 for no match).
183 * Updated if match is improved.
184 */
185 static void
val_find_best_signer(struct ub_packed_rrset_key * rrset,struct query_info * qinf,uint8_t ** signer_name,size_t * signer_len,int * matchcount)186 val_find_best_signer(struct ub_packed_rrset_key* rrset,
187 struct query_info* qinf, uint8_t** signer_name, size_t* signer_len,
188 int* matchcount)
189 {
190 struct packed_rrset_data* d = (struct packed_rrset_data*)
191 rrset->entry.data;
192 uint8_t* sign;
193 size_t i;
194 int m;
195 for(i=d->count; i<d->count+d->rrsig_count; i++) {
196 sign = d->rr_data[i]+2+18;
197 /* look at signatures that are valid (long enough),
198 * and have a signer name that is a superdomain of qname,
199 * and then check the number of labels in the shared topdomain
200 * improve the match if possible */
201 if(d->rr_len[i] > 2+19 && /* rdata, sig + root label*/
202 dname_subdomain_c(qinf->qname, sign)) {
203 (void)dname_lab_cmp(qinf->qname,
204 dname_count_labels(qinf->qname),
205 sign, dname_count_labels(sign), &m);
206 if(m > *matchcount) {
207 *matchcount = m;
208 *signer_name = sign;
209 (void)dname_count_size_labels(*signer_name,
210 signer_len);
211 }
212 }
213 }
214 }
215
216 void
val_find_signer(enum val_classification subtype,struct query_info * qinf,struct reply_info * rep,size_t skip,uint8_t ** signer_name,size_t * signer_len)217 val_find_signer(enum val_classification subtype, struct query_info* qinf,
218 struct reply_info* rep, size_t skip, uint8_t** signer_name,
219 size_t* signer_len)
220 {
221 size_t i;
222
223 if(subtype == VAL_CLASS_POSITIVE) {
224 /* check for the answer rrset */
225 for(i=skip; i<rep->an_numrrsets; i++) {
226 if(query_dname_compare(qinf->qname,
227 rep->rrsets[i]->rk.dname) == 0) {
228 val_find_rrset_signer(rep->rrsets[i],
229 signer_name, signer_len);
230 return;
231 }
232 }
233 *signer_name = NULL;
234 *signer_len = 0;
235 } else if(subtype == VAL_CLASS_CNAME) {
236 /* check for the first signed cname/dname rrset */
237 for(i=skip; i<rep->an_numrrsets; i++) {
238 val_find_rrset_signer(rep->rrsets[i],
239 signer_name, signer_len);
240 if(*signer_name)
241 return;
242 if(ntohs(rep->rrsets[i]->rk.type) != LDNS_RR_TYPE_DNAME)
243 break; /* only check CNAME after a DNAME */
244 }
245 *signer_name = NULL;
246 *signer_len = 0;
247 } else if(subtype == VAL_CLASS_NAMEERROR
248 || subtype == VAL_CLASS_NODATA) {
249 /*Check to see if the AUTH section NSEC record(s) have rrsigs*/
250 for(i=rep->an_numrrsets; i<
251 rep->an_numrrsets+rep->ns_numrrsets; i++) {
252 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NSEC
253 || ntohs(rep->rrsets[i]->rk.type) ==
254 LDNS_RR_TYPE_NSEC3) {
255 val_find_rrset_signer(rep->rrsets[i],
256 signer_name, signer_len);
257 return;
258 }
259 }
260 } else if(subtype == VAL_CLASS_CNAMENOANSWER) {
261 /* find closest superdomain signer name in authority section
262 * NSEC and NSEC3s */
263 int matchcount = 0;
264 *signer_name = NULL;
265 *signer_len = 0;
266 for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->
267 ns_numrrsets; i++) {
268 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NSEC
269 || ntohs(rep->rrsets[i]->rk.type) ==
270 LDNS_RR_TYPE_NSEC3) {
271 val_find_best_signer(rep->rrsets[i], qinf,
272 signer_name, signer_len, &matchcount);
273 }
274 }
275 } else if(subtype == VAL_CLASS_ANY) {
276 /* check for one of the answer rrset that has signatures,
277 * or potentially a DNAME is in use with a different qname */
278 for(i=skip; i<rep->an_numrrsets; i++) {
279 if(query_dname_compare(qinf->qname,
280 rep->rrsets[i]->rk.dname) == 0) {
281 val_find_rrset_signer(rep->rrsets[i],
282 signer_name, signer_len);
283 if(*signer_name)
284 return;
285 }
286 }
287 /* no answer RRSIGs with qname, try a DNAME */
288 if(skip < rep->an_numrrsets &&
289 ntohs(rep->rrsets[skip]->rk.type) ==
290 LDNS_RR_TYPE_DNAME) {
291 val_find_rrset_signer(rep->rrsets[skip],
292 signer_name, signer_len);
293 if(*signer_name)
294 return;
295 }
296 *signer_name = NULL;
297 *signer_len = 0;
298 } else if(subtype == VAL_CLASS_REFERRAL) {
299 /* find keys for the item at skip */
300 if(skip < rep->rrset_count) {
301 val_find_rrset_signer(rep->rrsets[skip],
302 signer_name, signer_len);
303 return;
304 }
305 *signer_name = NULL;
306 *signer_len = 0;
307 } else {
308 verbose(VERB_QUERY, "find_signer: could not find signer name"
309 " for unknown type response");
310 *signer_name = NULL;
311 *signer_len = 0;
312 }
313 }
314
315 /** return number of rrs in an rrset */
316 static size_t
rrset_get_count(struct ub_packed_rrset_key * rrset)317 rrset_get_count(struct ub_packed_rrset_key* rrset)
318 {
319 struct packed_rrset_data* d = (struct packed_rrset_data*)
320 rrset->entry.data;
321 if(!d) return 0;
322 return d->count;
323 }
324
325 /** return TTL of rrset */
326 static uint32_t
rrset_get_ttl(struct ub_packed_rrset_key * rrset)327 rrset_get_ttl(struct ub_packed_rrset_key* rrset)
328 {
329 struct packed_rrset_data* d = (struct packed_rrset_data*)
330 rrset->entry.data;
331 if(!d) return 0;
332 return d->ttl;
333 }
334
335 static enum sec_status
val_verify_rrset(struct module_env * env,struct val_env * ve,struct ub_packed_rrset_key * rrset,struct ub_packed_rrset_key * keys,uint8_t * sigalg,char ** reason,sldns_ede_code * reason_bogus,sldns_pkt_section section,struct module_qstate * qstate)336 val_verify_rrset(struct module_env* env, struct val_env* ve,
337 struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* keys,
338 uint8_t* sigalg, char** reason, sldns_ede_code *reason_bogus,
339 sldns_pkt_section section, struct module_qstate* qstate)
340 {
341 enum sec_status sec;
342 struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
343 entry.data;
344 if(d->security == sec_status_secure) {
345 /* re-verify all other statuses, because keyset may change*/
346 log_nametypeclass(VERB_ALGO, "verify rrset cached",
347 rrset->rk.dname, ntohs(rrset->rk.type),
348 ntohs(rrset->rk.rrset_class));
349 return d->security;
350 }
351 /* check in the cache if verification has already been done */
352 rrset_check_sec_status(env->rrset_cache, rrset, *env->now);
353 if(d->security == sec_status_secure) {
354 log_nametypeclass(VERB_ALGO, "verify rrset from cache",
355 rrset->rk.dname, ntohs(rrset->rk.type),
356 ntohs(rrset->rk.rrset_class));
357 return d->security;
358 }
359 log_nametypeclass(VERB_ALGO, "verify rrset", rrset->rk.dname,
360 ntohs(rrset->rk.type), ntohs(rrset->rk.rrset_class));
361 sec = dnskeyset_verify_rrset(env, ve, rrset, keys, sigalg, reason,
362 reason_bogus, section, qstate);
363 verbose(VERB_ALGO, "verify result: %s", sec_status_to_string(sec));
364 regional_free_all(env->scratch);
365
366 /* update rrset security status
367 * only improves security status
368 * and bogus is set only once, even if we rechecked the status */
369 if(sec > d->security) {
370 d->security = sec;
371 if(sec == sec_status_secure)
372 d->trust = rrset_trust_validated;
373 else if(sec == sec_status_bogus) {
374 size_t i;
375 /* update ttl for rrset to fixed value. */
376 d->ttl = ve->bogus_ttl;
377 for(i=0; i<d->count+d->rrsig_count; i++)
378 d->rr_ttl[i] = ve->bogus_ttl;
379 /* leave RR specific TTL: not used for determine
380 * if RRset timed out and clients see proper value. */
381 lock_basic_lock(&ve->bogus_lock);
382 ve->num_rrset_bogus++;
383 lock_basic_unlock(&ve->bogus_lock);
384 }
385 /* if status updated - store in cache for reuse */
386 rrset_update_sec_status(env->rrset_cache, rrset, *env->now);
387 }
388
389 return sec;
390 }
391
392 enum sec_status
val_verify_rrset_entry(struct module_env * env,struct val_env * ve,struct ub_packed_rrset_key * rrset,struct key_entry_key * kkey,char ** reason,sldns_ede_code * reason_bogus,sldns_pkt_section section,struct module_qstate * qstate)393 val_verify_rrset_entry(struct module_env* env, struct val_env* ve,
394 struct ub_packed_rrset_key* rrset, struct key_entry_key* kkey,
395 char** reason, sldns_ede_code *reason_bogus,
396 sldns_pkt_section section, struct module_qstate* qstate)
397 {
398 /* temporary dnskey rrset-key */
399 struct ub_packed_rrset_key dnskey;
400 struct key_entry_data* kd = (struct key_entry_data*)kkey->entry.data;
401 enum sec_status sec;
402 dnskey.rk.type = htons(kd->rrset_type);
403 dnskey.rk.rrset_class = htons(kkey->key_class);
404 dnskey.rk.flags = 0;
405 dnskey.rk.dname = kkey->name;
406 dnskey.rk.dname_len = kkey->namelen;
407 dnskey.entry.key = &dnskey;
408 dnskey.entry.data = kd->rrset_data;
409 sec = val_verify_rrset(env, ve, rrset, &dnskey, kd->algo, reason,
410 reason_bogus, section, qstate);
411 return sec;
412 }
413
414 /** verify that a DS RR hashes to a key and that key signs the set */
415 static enum sec_status
verify_dnskeys_with_ds_rr(struct module_env * env,struct val_env * ve,struct ub_packed_rrset_key * dnskey_rrset,struct ub_packed_rrset_key * ds_rrset,size_t ds_idx,char ** reason,sldns_ede_code * reason_bogus,struct module_qstate * qstate)416 verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve,
417 struct ub_packed_rrset_key* dnskey_rrset,
418 struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, char** reason,
419 sldns_ede_code *reason_bogus, struct module_qstate* qstate)
420 {
421 enum sec_status sec = sec_status_bogus;
422 size_t i, num, numchecked = 0, numhashok = 0, numsizesupp = 0;
423 num = rrset_get_count(dnskey_rrset);
424 for(i=0; i<num; i++) {
425 /* Skip DNSKEYs that don't match the basic criteria. */
426 if(ds_get_key_algo(ds_rrset, ds_idx)
427 != dnskey_get_algo(dnskey_rrset, i)
428 || dnskey_calc_keytag(dnskey_rrset, i)
429 != ds_get_keytag(ds_rrset, ds_idx)) {
430 continue;
431 }
432 numchecked++;
433 verbose(VERB_ALGO, "attempt DS match algo %d keytag %d",
434 ds_get_key_algo(ds_rrset, ds_idx),
435 ds_get_keytag(ds_rrset, ds_idx));
436
437 /* Convert the candidate DNSKEY into a hash using the
438 * same DS hash algorithm. */
439 if(!ds_digest_match_dnskey(env, dnskey_rrset, i, ds_rrset,
440 ds_idx)) {
441 verbose(VERB_ALGO, "DS match attempt failed");
442 continue;
443 }
444 numhashok++;
445 if(!dnskey_size_is_supported(dnskey_rrset, i)) {
446 verbose(VERB_ALGO, "DS okay but that DNSKEY size is not supported");
447 numsizesupp++;
448 continue;
449 }
450 verbose(VERB_ALGO, "DS match digest ok, trying signature");
451
452 /* Otherwise, we have a match! Make sure that the DNSKEY
453 * verifies *with this key* */
454 sec = dnskey_verify_rrset(env, ve, dnskey_rrset, dnskey_rrset,
455 i, reason, reason_bogus, LDNS_SECTION_ANSWER, qstate);
456 if(sec == sec_status_secure) {
457 return sec;
458 }
459 /* If it didn't validate with the DNSKEY, try the next one! */
460 }
461 if(numsizesupp != 0 || sec == sec_status_indeterminate) {
462 /* there is a working DS, but that DNSKEY is not supported */
463 return sec_status_insecure;
464 }
465 if(numchecked == 0)
466 algo_needs_reason(env, ds_get_key_algo(ds_rrset, ds_idx),
467 reason, "no keys have a DS");
468 else if(numhashok == 0)
469 *reason = "DS hash mismatches key";
470 else if(!*reason)
471 *reason = "keyset not secured by DNSKEY that matches DS";
472 return sec_status_bogus;
473 }
474
val_favorite_ds_algo(struct ub_packed_rrset_key * ds_rrset)475 int val_favorite_ds_algo(struct ub_packed_rrset_key* ds_rrset)
476 {
477 size_t i, num = rrset_get_count(ds_rrset);
478 int d, digest_algo = 0; /* DS digest algo 0 is not used. */
479 /* find favorite algo, for now, highest number supported */
480 for(i=0; i<num; i++) {
481 if(!ds_digest_algo_is_supported(ds_rrset, i) ||
482 !ds_key_algo_is_supported(ds_rrset, i)) {
483 continue;
484 }
485 d = ds_get_digest_algo(ds_rrset, i);
486 if(d > digest_algo)
487 digest_algo = d;
488 }
489 return digest_algo;
490 }
491
492 enum sec_status
val_verify_DNSKEY_with_DS(struct module_env * env,struct val_env * ve,struct ub_packed_rrset_key * dnskey_rrset,struct ub_packed_rrset_key * ds_rrset,uint8_t * sigalg,char ** reason,sldns_ede_code * reason_bogus,struct module_qstate * qstate)493 val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
494 struct ub_packed_rrset_key* dnskey_rrset,
495 struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason,
496 sldns_ede_code *reason_bogus, struct module_qstate* qstate)
497 {
498 /* as long as this is false, we can consider this DS rrset to be
499 * equivalent to no DS rrset. */
500 int has_useful_ds = 0, digest_algo, alg;
501 struct algo_needs needs;
502 size_t i, num;
503 enum sec_status sec;
504
505 if(dnskey_rrset->rk.dname_len != ds_rrset->rk.dname_len ||
506 query_dname_compare(dnskey_rrset->rk.dname, ds_rrset->rk.dname)
507 != 0) {
508 verbose(VERB_QUERY, "DNSKEY RRset did not match DS RRset "
509 "by name");
510 *reason = "DNSKEY RRset did not match DS RRset by name";
511 return sec_status_bogus;
512 }
513
514 if(sigalg) {
515 /* harden against algo downgrade is enabled */
516 digest_algo = val_favorite_ds_algo(ds_rrset);
517 algo_needs_init_ds(&needs, ds_rrset, digest_algo, sigalg);
518 } else {
519 /* accept any key algo, any digest algo */
520 digest_algo = -1;
521 }
522 num = rrset_get_count(ds_rrset);
523 for(i=0; i<num; i++) {
524 /* Check to see if we can understand this DS.
525 * And check it is the strongest digest */
526 if(!ds_digest_algo_is_supported(ds_rrset, i) ||
527 !ds_key_algo_is_supported(ds_rrset, i) ||
528 (sigalg && (ds_get_digest_algo(ds_rrset, i) != digest_algo))) {
529 continue;
530 }
531
532 sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
533 ds_rrset, i, reason, reason_bogus, qstate);
534 if(sec == sec_status_insecure)
535 continue;
536
537 /* Once we see a single DS with a known digestID and
538 * algorithm, we cannot return INSECURE (with a
539 * "null" KeyEntry). */
540 has_useful_ds = 1;
541
542 if(sec == sec_status_secure) {
543 if(!sigalg || algo_needs_set_secure(&needs,
544 (uint8_t)ds_get_key_algo(ds_rrset, i))) {
545 verbose(VERB_ALGO, "DS matched DNSKEY.");
546 if(!dnskeyset_size_is_supported(dnskey_rrset)) {
547 verbose(VERB_ALGO, "DS works, but dnskeyset contain keys that are unsupported, treat as insecure");
548 return sec_status_insecure;
549 }
550 return sec_status_secure;
551 }
552 } else if(sigalg && sec == sec_status_bogus) {
553 algo_needs_set_bogus(&needs,
554 (uint8_t)ds_get_key_algo(ds_rrset, i));
555 }
556 }
557
558 /* None of the DS's worked out. */
559
560 /* If no DSs were understandable, then this is OK. */
561 if(!has_useful_ds) {
562 verbose(VERB_ALGO, "No usable DS records were found -- "
563 "treating as insecure.");
564 return sec_status_insecure;
565 }
566 /* If any were understandable, then it is bad. */
567 verbose(VERB_QUERY, "Failed to match any usable DS to a DNSKEY.");
568 if(sigalg && (alg=algo_needs_missing(&needs)) != 0) {
569 algo_needs_reason(env, alg, reason, "missing verification of "
570 "DNSKEY signature");
571 }
572 return sec_status_bogus;
573 }
574
575 struct key_entry_key*
val_verify_new_DNSKEYs(struct regional * region,struct module_env * env,struct val_env * ve,struct ub_packed_rrset_key * dnskey_rrset,struct ub_packed_rrset_key * ds_rrset,int downprot,char ** reason,sldns_ede_code * reason_bogus,struct module_qstate * qstate)576 val_verify_new_DNSKEYs(struct regional* region, struct module_env* env,
577 struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
578 struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason,
579 sldns_ede_code *reason_bogus, struct module_qstate* qstate)
580 {
581 uint8_t sigalg[ALGO_NEEDS_MAX+1];
582 enum sec_status sec = val_verify_DNSKEY_with_DS(env, ve,
583 dnskey_rrset, ds_rrset, downprot?sigalg:NULL, reason,
584 reason_bogus, qstate);
585
586 if(sec == sec_status_secure) {
587 return key_entry_create_rrset(region,
588 ds_rrset->rk.dname, ds_rrset->rk.dname_len,
589 ntohs(ds_rrset->rk.rrset_class), dnskey_rrset,
590 downprot?sigalg:NULL, LDNS_EDE_NONE, NULL,
591 *env->now);
592 } else if(sec == sec_status_insecure) {
593 return key_entry_create_null(region, ds_rrset->rk.dname,
594 ds_rrset->rk.dname_len,
595 ntohs(ds_rrset->rk.rrset_class),
596 rrset_get_ttl(ds_rrset), *reason_bogus, *reason,
597 *env->now);
598 }
599 return key_entry_create_bad(region, ds_rrset->rk.dname,
600 ds_rrset->rk.dname_len, ntohs(ds_rrset->rk.rrset_class),
601 BOGUS_KEY_TTL, *reason_bogus, *reason, *env->now);
602 }
603
604 enum sec_status
val_verify_DNSKEY_with_TA(struct module_env * env,struct val_env * ve,struct ub_packed_rrset_key * dnskey_rrset,struct ub_packed_rrset_key * ta_ds,struct ub_packed_rrset_key * ta_dnskey,uint8_t * sigalg,char ** reason,sldns_ede_code * reason_bogus,struct module_qstate * qstate)605 val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
606 struct ub_packed_rrset_key* dnskey_rrset,
607 struct ub_packed_rrset_key* ta_ds,
608 struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason,
609 sldns_ede_code *reason_bogus, struct module_qstate* qstate)
610 {
611 /* as long as this is false, we can consider this anchor to be
612 * equivalent to no anchor. */
613 int has_useful_ta = 0, digest_algo = 0, alg;
614 struct algo_needs needs;
615 size_t i, num;
616 enum sec_status sec;
617
618 if(ta_ds && (dnskey_rrset->rk.dname_len != ta_ds->rk.dname_len ||
619 query_dname_compare(dnskey_rrset->rk.dname, ta_ds->rk.dname)
620 != 0)) {
621 verbose(VERB_QUERY, "DNSKEY RRset did not match DS RRset "
622 "by name");
623 *reason = "DNSKEY RRset did not match DS RRset by name";
624 if(reason_bogus)
625 *reason_bogus = LDNS_EDE_DNSKEY_MISSING;
626 return sec_status_bogus;
627 }
628 if(ta_dnskey && (dnskey_rrset->rk.dname_len != ta_dnskey->rk.dname_len
629 || query_dname_compare(dnskey_rrset->rk.dname, ta_dnskey->rk.dname)
630 != 0)) {
631 verbose(VERB_QUERY, "DNSKEY RRset did not match anchor RRset "
632 "by name");
633 *reason = "DNSKEY RRset did not match anchor RRset by name";
634 if(reason_bogus)
635 *reason_bogus = LDNS_EDE_DNSKEY_MISSING;
636 return sec_status_bogus;
637 }
638
639 if(ta_ds)
640 digest_algo = val_favorite_ds_algo(ta_ds);
641 if(sigalg) {
642 if(ta_ds)
643 algo_needs_init_ds(&needs, ta_ds, digest_algo, sigalg);
644 else memset(&needs, 0, sizeof(needs));
645 if(ta_dnskey)
646 algo_needs_init_dnskey_add(&needs, ta_dnskey, sigalg);
647 }
648 if(ta_ds) {
649 num = rrset_get_count(ta_ds);
650 for(i=0; i<num; i++) {
651 /* Check to see if we can understand this DS.
652 * And check it is the strongest digest */
653 if(!ds_digest_algo_is_supported(ta_ds, i) ||
654 !ds_key_algo_is_supported(ta_ds, i) ||
655 ds_get_digest_algo(ta_ds, i) != digest_algo)
656 continue;
657
658 sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
659 ta_ds, i, reason, reason_bogus, qstate);
660 if(sec == sec_status_insecure)
661 continue;
662
663 /* Once we see a single DS with a known digestID and
664 * algorithm, we cannot return INSECURE (with a
665 * "null" KeyEntry). */
666 has_useful_ta = 1;
667
668 if(sec == sec_status_secure) {
669 if(!sigalg || algo_needs_set_secure(&needs,
670 (uint8_t)ds_get_key_algo(ta_ds, i))) {
671 verbose(VERB_ALGO, "DS matched DNSKEY.");
672 if(!dnskeyset_size_is_supported(dnskey_rrset)) {
673 verbose(VERB_ALGO, "trustanchor works, but dnskeyset contain keys that are unsupported, treat as insecure");
674 return sec_status_insecure;
675 }
676 return sec_status_secure;
677 }
678 } else if(sigalg && sec == sec_status_bogus) {
679 algo_needs_set_bogus(&needs,
680 (uint8_t)ds_get_key_algo(ta_ds, i));
681 }
682 }
683 }
684
685 /* None of the DS's worked out: check the DNSKEYs. */
686 if(ta_dnskey) {
687 num = rrset_get_count(ta_dnskey);
688 for(i=0; i<num; i++) {
689 /* Check to see if we can understand this DNSKEY */
690 if(!dnskey_algo_is_supported(ta_dnskey, i))
691 continue;
692 if(!dnskey_size_is_supported(ta_dnskey, i))
693 continue;
694
695 /* we saw a useful TA */
696 has_useful_ta = 1;
697
698 sec = dnskey_verify_rrset(env, ve, dnskey_rrset,
699 ta_dnskey, i, reason, reason_bogus, LDNS_SECTION_ANSWER, qstate);
700 if(sec == sec_status_secure) {
701 if(!sigalg || algo_needs_set_secure(&needs,
702 (uint8_t)dnskey_get_algo(ta_dnskey, i))) {
703 verbose(VERB_ALGO, "anchor matched DNSKEY.");
704 if(!dnskeyset_size_is_supported(dnskey_rrset)) {
705 verbose(VERB_ALGO, "trustanchor works, but dnskeyset contain keys that are unsupported, treat as insecure");
706 return sec_status_insecure;
707 }
708 return sec_status_secure;
709 }
710 } else if(sigalg && sec == sec_status_bogus) {
711 algo_needs_set_bogus(&needs,
712 (uint8_t)dnskey_get_algo(ta_dnskey, i));
713 }
714 }
715 }
716
717 /* If no DSs were understandable, then this is OK. */
718 if(!has_useful_ta) {
719 verbose(VERB_ALGO, "No usable trust anchors were found -- "
720 "treating as insecure.");
721 return sec_status_insecure;
722 }
723 /* If any were understandable, then it is bad. */
724 verbose(VERB_QUERY, "Failed to match any usable anchor to a DNSKEY.");
725 if(sigalg && (alg=algo_needs_missing(&needs)) != 0) {
726 algo_needs_reason(env, alg, reason, "missing verification of "
727 "DNSKEY signature");
728 }
729 return sec_status_bogus;
730 }
731
732 struct key_entry_key*
val_verify_new_DNSKEYs_with_ta(struct regional * region,struct module_env * env,struct val_env * ve,struct ub_packed_rrset_key * dnskey_rrset,struct ub_packed_rrset_key * ta_ds_rrset,struct ub_packed_rrset_key * ta_dnskey_rrset,int downprot,char ** reason,sldns_ede_code * reason_bogus,struct module_qstate * qstate)733 val_verify_new_DNSKEYs_with_ta(struct regional* region, struct module_env* env,
734 struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
735 struct ub_packed_rrset_key* ta_ds_rrset,
736 struct ub_packed_rrset_key* ta_dnskey_rrset, int downprot,
737 char** reason, sldns_ede_code *reason_bogus, struct module_qstate* qstate)
738 {
739 uint8_t sigalg[ALGO_NEEDS_MAX+1];
740 enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve,
741 dnskey_rrset, ta_ds_rrset, ta_dnskey_rrset,
742 downprot?sigalg:NULL, reason, reason_bogus, qstate);
743
744 if(sec == sec_status_secure) {
745 return key_entry_create_rrset(region,
746 dnskey_rrset->rk.dname, dnskey_rrset->rk.dname_len,
747 ntohs(dnskey_rrset->rk.rrset_class), dnskey_rrset,
748 downprot?sigalg:NULL, LDNS_EDE_NONE, NULL, *env->now);
749 } else if(sec == sec_status_insecure) {
750 return key_entry_create_null(region, dnskey_rrset->rk.dname,
751 dnskey_rrset->rk.dname_len,
752 ntohs(dnskey_rrset->rk.rrset_class),
753 rrset_get_ttl(dnskey_rrset), *reason_bogus, *reason,
754 *env->now);
755 }
756 return key_entry_create_bad(region, dnskey_rrset->rk.dname,
757 dnskey_rrset->rk.dname_len, ntohs(dnskey_rrset->rk.rrset_class),
758 BOGUS_KEY_TTL, *reason_bogus, *reason, *env->now);
759 }
760
761 int
val_dsset_isusable(struct ub_packed_rrset_key * ds_rrset)762 val_dsset_isusable(struct ub_packed_rrset_key* ds_rrset)
763 {
764 size_t i;
765 for(i=0; i<rrset_get_count(ds_rrset); i++) {
766 if(ds_digest_algo_is_supported(ds_rrset, i) &&
767 ds_key_algo_is_supported(ds_rrset, i))
768 return 1;
769 }
770 if(verbosity < VERB_ALGO)
771 return 0;
772 if(rrset_get_count(ds_rrset) == 0)
773 verbose(VERB_ALGO, "DS is not usable");
774 else {
775 /* report usability for the first DS RR */
776 sldns_lookup_table *lt;
777 char herr[64], aerr[64];
778 lt = sldns_lookup_by_id(sldns_hashes,
779 (int)ds_get_digest_algo(ds_rrset, 0));
780 if(lt) snprintf(herr, sizeof(herr), "%s", lt->name);
781 else snprintf(herr, sizeof(herr), "%d",
782 (int)ds_get_digest_algo(ds_rrset, 0));
783 lt = sldns_lookup_by_id(sldns_algorithms,
784 (int)ds_get_key_algo(ds_rrset, 0));
785 if(lt) snprintf(aerr, sizeof(aerr), "%s", lt->name);
786 else snprintf(aerr, sizeof(aerr), "%d",
787 (int)ds_get_key_algo(ds_rrset, 0));
788
789 verbose(VERB_ALGO, "DS unsupported, hash %s %s, "
790 "key algorithm %s %s", herr,
791 (ds_digest_algo_is_supported(ds_rrset, 0)?
792 "(supported)":"(unsupported)"), aerr,
793 (ds_key_algo_is_supported(ds_rrset, 0)?
794 "(supported)":"(unsupported)"));
795 }
796 return 0;
797 }
798
799 /** get label count for a signature */
800 static uint8_t
rrsig_get_labcount(struct packed_rrset_data * d,size_t sig)801 rrsig_get_labcount(struct packed_rrset_data* d, size_t sig)
802 {
803 if(d->rr_len[sig] < 2+4)
804 return 0; /* bad sig length */
805 return d->rr_data[sig][2+3];
806 }
807
808 int
val_rrset_wildcard(struct ub_packed_rrset_key * rrset,uint8_t ** wc,size_t * wc_len)809 val_rrset_wildcard(struct ub_packed_rrset_key* rrset, uint8_t** wc,
810 size_t* wc_len)
811 {
812 struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
813 entry.data;
814 uint8_t labcount;
815 int labdiff;
816 uint8_t* wn;
817 size_t i, wl;
818 if(d->rrsig_count == 0) {
819 return 1;
820 }
821 labcount = rrsig_get_labcount(d, d->count + 0);
822 /* check rest of signatures identical */
823 for(i=1; i<d->rrsig_count; i++) {
824 if(labcount != rrsig_get_labcount(d, d->count + i)) {
825 return 0;
826 }
827 }
828 /* OK the rrsigs check out */
829 /* if the RRSIG label count is shorter than the number of actual
830 * labels, then this rrset was synthesized from a wildcard.
831 * Note that the RRSIG label count doesn't count the root label. */
832 wn = rrset->rk.dname;
833 wl = rrset->rk.dname_len;
834 /* skip a leading wildcard label in the dname (RFC4035 2.2) */
835 if(dname_is_wild(wn)) {
836 wn += 2;
837 wl -= 2;
838 }
839 labdiff = (dname_count_labels(wn) - 1) - (int)labcount;
840 if(labdiff > 0) {
841 *wc = wn;
842 dname_remove_labels(wc, &wl, labdiff);
843 *wc_len = wl;
844 return 1;
845 }
846 return 1;
847 }
848
849 int
val_chase_cname(struct query_info * qchase,struct reply_info * rep,size_t * cname_skip)850 val_chase_cname(struct query_info* qchase, struct reply_info* rep,
851 size_t* cname_skip) {
852 size_t i;
853 /* skip any DNAMEs, go to the CNAME for next part */
854 for(i = *cname_skip; i < rep->an_numrrsets; i++) {
855 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_CNAME &&
856 query_dname_compare(qchase->qname, rep->rrsets[i]->
857 rk.dname) == 0) {
858 qchase->qname = NULL;
859 get_cname_target(rep->rrsets[i], &qchase->qname,
860 &qchase->qname_len);
861 if(!qchase->qname)
862 return 0; /* bad CNAME rdata */
863 (*cname_skip) = i+1;
864 return 1;
865 }
866 }
867 return 0; /* CNAME classified but no matching CNAME ?! */
868 }
869
870 /** see if rrset has signer name as one of the rrsig signers */
871 static int
rrset_has_signer(struct ub_packed_rrset_key * rrset,uint8_t * name,size_t len)872 rrset_has_signer(struct ub_packed_rrset_key* rrset, uint8_t* name, size_t len)
873 {
874 struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
875 entry.data;
876 size_t i;
877 for(i = d->count; i< d->count+d->rrsig_count; i++) {
878 if(d->rr_len[i] > 2+18+len) {
879 /* at least rdatalen + signature + signame (+1 sig)*/
880 if(!dname_valid(d->rr_data[i]+2+18, d->rr_len[i]-2-18))
881 continue;
882 if(query_dname_compare(name, d->rr_data[i]+2+18) == 0)
883 {
884 return 1;
885 }
886 }
887 }
888 return 0;
889 }
890
891 void
val_fill_reply(struct reply_info * chase,struct reply_info * orig,size_t skip,uint8_t * name,size_t len,uint8_t * signer)892 val_fill_reply(struct reply_info* chase, struct reply_info* orig,
893 size_t skip, uint8_t* name, size_t len, uint8_t* signer)
894 {
895 size_t i;
896 int seen_dname = 0;
897 chase->rrset_count = 0;
898 chase->an_numrrsets = 0;
899 chase->ns_numrrsets = 0;
900 chase->ar_numrrsets = 0;
901 /* ANSWER section */
902 for(i=skip; i<orig->an_numrrsets; i++) {
903 if(!signer) {
904 if(query_dname_compare(name,
905 orig->rrsets[i]->rk.dname) == 0)
906 chase->rrsets[chase->an_numrrsets++] =
907 orig->rrsets[i];
908 } else if(seen_dname && ntohs(orig->rrsets[i]->rk.type) ==
909 LDNS_RR_TYPE_CNAME) {
910 chase->rrsets[chase->an_numrrsets++] = orig->rrsets[i];
911 seen_dname = 0;
912 } else if(rrset_has_signer(orig->rrsets[i], name, len)) {
913 chase->rrsets[chase->an_numrrsets++] = orig->rrsets[i];
914 if(ntohs(orig->rrsets[i]->rk.type) ==
915 LDNS_RR_TYPE_DNAME) {
916 seen_dname = 1;
917 }
918 }
919 }
920 /* AUTHORITY section */
921 for(i = (skip > orig->an_numrrsets)?skip:orig->an_numrrsets;
922 i<orig->an_numrrsets+orig->ns_numrrsets;
923 i++) {
924 if(!signer) {
925 if(query_dname_compare(name,
926 orig->rrsets[i]->rk.dname) == 0)
927 chase->rrsets[chase->an_numrrsets+
928 chase->ns_numrrsets++] = orig->rrsets[i];
929 } else if(rrset_has_signer(orig->rrsets[i], name, len)) {
930 chase->rrsets[chase->an_numrrsets+
931 chase->ns_numrrsets++] = orig->rrsets[i];
932 }
933 }
934 /* ADDITIONAL section */
935 for(i= (skip>orig->an_numrrsets+orig->ns_numrrsets)?
936 skip:orig->an_numrrsets+orig->ns_numrrsets;
937 i<orig->rrset_count; i++) {
938 if(!signer) {
939 if(query_dname_compare(name,
940 orig->rrsets[i]->rk.dname) == 0)
941 chase->rrsets[chase->an_numrrsets
942 +orig->ns_numrrsets+chase->ar_numrrsets++]
943 = orig->rrsets[i];
944 } else if(rrset_has_signer(orig->rrsets[i], name, len)) {
945 chase->rrsets[chase->an_numrrsets+orig->ns_numrrsets+
946 chase->ar_numrrsets++] = orig->rrsets[i];
947 }
948 }
949 chase->rrset_count = chase->an_numrrsets + chase->ns_numrrsets +
950 chase->ar_numrrsets;
951 }
952
val_reply_remove_auth(struct reply_info * rep,size_t index)953 void val_reply_remove_auth(struct reply_info* rep, size_t index)
954 {
955 log_assert(index < rep->rrset_count);
956 log_assert(index >= rep->an_numrrsets);
957 log_assert(index < rep->an_numrrsets+rep->ns_numrrsets);
958 memmove(rep->rrsets+index, rep->rrsets+index+1,
959 sizeof(struct ub_packed_rrset_key*)*
960 (rep->rrset_count - index - 1));
961 rep->ns_numrrsets--;
962 rep->rrset_count--;
963 }
964
965 void
val_check_nonsecure(struct module_env * env,struct reply_info * rep)966 val_check_nonsecure(struct module_env* env, struct reply_info* rep)
967 {
968 size_t i;
969 /* authority */
970 for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++) {
971 if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data)
972 ->security != sec_status_secure) {
973 /* because we want to return the authentic original
974 * message when presented with CD-flagged queries,
975 * we need to preserve AUTHORITY section data.
976 * However, this rrset is not signed or signed
977 * with the wrong keys. Validation has tried to
978 * verify this rrset with the keysets of import.
979 * But this rrset did not verify.
980 * Therefore the message is bogus.
981 */
982
983 /* check if authority has an NS record
984 * which is bad, and there is an answer section with
985 * data. In that case, delete NS and additional to
986 * be lenient and make a minimal response */
987 if(rep->an_numrrsets != 0 &&
988 ntohs(rep->rrsets[i]->rk.type)
989 == LDNS_RR_TYPE_NS) {
990 verbose(VERB_ALGO, "truncate to minimal");
991 rep->ar_numrrsets = 0;
992 rep->rrset_count = rep->an_numrrsets +
993 rep->ns_numrrsets;
994 /* remove this unneeded authority rrset */
995 memmove(rep->rrsets+i, rep->rrsets+i+1,
996 sizeof(struct ub_packed_rrset_key*)*
997 (rep->rrset_count - i - 1));
998 rep->ns_numrrsets--;
999 rep->rrset_count--;
1000 i--;
1001 return;
1002 }
1003
1004 log_nametypeclass(VERB_QUERY, "message is bogus, "
1005 "non secure rrset",
1006 rep->rrsets[i]->rk.dname,
1007 ntohs(rep->rrsets[i]->rk.type),
1008 ntohs(rep->rrsets[i]->rk.rrset_class));
1009 rep->security = sec_status_bogus;
1010 return;
1011 }
1012 }
1013 /* additional */
1014 if(!env->cfg->val_clean_additional)
1015 return;
1016 for(i=rep->an_numrrsets+rep->ns_numrrsets; i<rep->rrset_count; i++) {
1017 if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data)
1018 ->security != sec_status_secure) {
1019 /* This does not cause message invalidation. It was
1020 * simply unsigned data in the additional. The
1021 * RRSIG must have been truncated off the message.
1022 *
1023 * However, we do not want to return possible bogus
1024 * data to clients that rely on this service for
1025 * their authentication.
1026 */
1027 /* remove this unneeded additional rrset */
1028 memmove(rep->rrsets+i, rep->rrsets+i+1,
1029 sizeof(struct ub_packed_rrset_key*)*
1030 (rep->rrset_count - i - 1));
1031 rep->ar_numrrsets--;
1032 rep->rrset_count--;
1033 i--;
1034 }
1035 }
1036 }
1037
1038 /** check no anchor and unlock */
1039 static int
check_no_anchor(struct val_anchors * anchors,uint8_t * nm,size_t l,uint16_t c)1040 check_no_anchor(struct val_anchors* anchors, uint8_t* nm, size_t l, uint16_t c)
1041 {
1042 struct trust_anchor* ta;
1043 if((ta=anchors_lookup(anchors, nm, l, c))) {
1044 lock_basic_unlock(&ta->lock);
1045 }
1046 return !ta;
1047 }
1048
1049 void
val_mark_indeterminate(struct reply_info * rep,struct val_anchors * anchors,struct rrset_cache * r,struct module_env * env)1050 val_mark_indeterminate(struct reply_info* rep, struct val_anchors* anchors,
1051 struct rrset_cache* r, struct module_env* env)
1052 {
1053 size_t i;
1054 struct packed_rrset_data* d;
1055 for(i=0; i<rep->rrset_count; i++) {
1056 d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data;
1057 if(d->security == sec_status_unchecked &&
1058 check_no_anchor(anchors, rep->rrsets[i]->rk.dname,
1059 rep->rrsets[i]->rk.dname_len,
1060 ntohs(rep->rrsets[i]->rk.rrset_class)))
1061 {
1062 /* mark as indeterminate */
1063 d->security = sec_status_indeterminate;
1064 rrset_update_sec_status(r, rep->rrsets[i], *env->now);
1065 }
1066 }
1067 }
1068
1069 void
val_mark_insecure(struct reply_info * rep,uint8_t * kname,struct rrset_cache * r,struct module_env * env)1070 val_mark_insecure(struct reply_info* rep, uint8_t* kname,
1071 struct rrset_cache* r, struct module_env* env)
1072 {
1073 size_t i;
1074 struct packed_rrset_data* d;
1075 for(i=0; i<rep->rrset_count; i++) {
1076 d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data;
1077 if(d->security == sec_status_unchecked &&
1078 dname_subdomain_c(rep->rrsets[i]->rk.dname, kname)) {
1079 /* mark as insecure */
1080 d->security = sec_status_insecure;
1081 rrset_update_sec_status(r, rep->rrsets[i], *env->now);
1082 }
1083 }
1084 }
1085
1086 size_t
val_next_unchecked(struct reply_info * rep,size_t skip)1087 val_next_unchecked(struct reply_info* rep, size_t skip)
1088 {
1089 size_t i;
1090 struct packed_rrset_data* d;
1091 for(i=skip+1; i<rep->rrset_count; i++) {
1092 d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data;
1093 if(d->security == sec_status_unchecked) {
1094 return i;
1095 }
1096 }
1097 return rep->rrset_count;
1098 }
1099
1100 const char*
val_classification_to_string(enum val_classification subtype)1101 val_classification_to_string(enum val_classification subtype)
1102 {
1103 switch(subtype) {
1104 case VAL_CLASS_UNTYPED: return "untyped";
1105 case VAL_CLASS_UNKNOWN: return "unknown";
1106 case VAL_CLASS_POSITIVE: return "positive";
1107 case VAL_CLASS_CNAME: return "cname";
1108 case VAL_CLASS_NODATA: return "nodata";
1109 case VAL_CLASS_NAMEERROR: return "nameerror";
1110 case VAL_CLASS_CNAMENOANSWER: return "cnamenoanswer";
1111 case VAL_CLASS_REFERRAL: return "referral";
1112 case VAL_CLASS_ANY: return "qtype_any";
1113 default:
1114 return "bad_val_classification";
1115 }
1116 }
1117
1118 /** log a sock_list entry */
1119 static void
sock_list_logentry(enum verbosity_value v,const char * s,struct sock_list * p)1120 sock_list_logentry(enum verbosity_value v, const char* s, struct sock_list* p)
1121 {
1122 if(p->len)
1123 log_addr(v, s, &p->addr, p->len);
1124 else verbose(v, "%s cache", s);
1125 }
1126
val_blacklist(struct sock_list ** blacklist,struct regional * region,struct sock_list * origin,int cross)1127 void val_blacklist(struct sock_list** blacklist, struct regional* region,
1128 struct sock_list* origin, int cross)
1129 {
1130 /* debug printout */
1131 if(verbosity >= VERB_ALGO) {
1132 struct sock_list* p;
1133 for(p=*blacklist; p; p=p->next)
1134 sock_list_logentry(VERB_ALGO, "blacklist", p);
1135 if(!origin)
1136 verbose(VERB_ALGO, "blacklist add: cache");
1137 for(p=origin; p; p=p->next)
1138 sock_list_logentry(VERB_ALGO, "blacklist add", p);
1139 }
1140 /* blacklist the IPs or the cache */
1141 if(!origin) {
1142 /* only add if nothing there. anything else also stops cache*/
1143 if(!*blacklist)
1144 sock_list_insert(blacklist, NULL, 0, region);
1145 } else if(!cross)
1146 sock_list_prepend(blacklist, origin);
1147 else sock_list_merge(blacklist, region, origin);
1148 }
1149
val_has_signed_nsecs(struct reply_info * rep,char ** reason)1150 int val_has_signed_nsecs(struct reply_info* rep, char** reason)
1151 {
1152 size_t i, num_nsec = 0, num_nsec3 = 0;
1153 struct packed_rrset_data* d;
1154 for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++) {
1155 if(rep->rrsets[i]->rk.type == htons(LDNS_RR_TYPE_NSEC))
1156 num_nsec++;
1157 else if(rep->rrsets[i]->rk.type == htons(LDNS_RR_TYPE_NSEC3))
1158 num_nsec3++;
1159 else continue;
1160 d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data;
1161 if(d && d->rrsig_count != 0) {
1162 return 1;
1163 }
1164 }
1165 if(num_nsec == 0 && num_nsec3 == 0)
1166 *reason = "no DNSSEC records";
1167 else if(num_nsec != 0)
1168 *reason = "no signatures over NSECs";
1169 else *reason = "no signatures over NSEC3s";
1170 return 0;
1171 }
1172
1173 struct dns_msg*
val_find_DS(struct module_env * env,uint8_t * nm,size_t nmlen,uint16_t c,struct regional * region,uint8_t * topname)1174 val_find_DS(struct module_env* env, uint8_t* nm, size_t nmlen, uint16_t c,
1175 struct regional* region, uint8_t* topname)
1176 {
1177 struct dns_msg* msg;
1178 struct query_info qinfo;
1179 struct ub_packed_rrset_key *rrset = rrset_cache_lookup(
1180 env->rrset_cache, nm, nmlen, LDNS_RR_TYPE_DS, c, 0,
1181 *env->now, 0);
1182 if(rrset) {
1183 /* DS rrset exists. Return it to the validator immediately*/
1184 struct ub_packed_rrset_key* copy = packed_rrset_copy_region(
1185 rrset, region, *env->now);
1186 lock_rw_unlock(&rrset->entry.lock);
1187 if(!copy)
1188 return NULL;
1189 msg = dns_msg_create(nm, nmlen, LDNS_RR_TYPE_DS, c, region, 1);
1190 if(!msg)
1191 return NULL;
1192 msg->rep->rrsets[0] = copy;
1193 msg->rep->rrset_count++;
1194 msg->rep->an_numrrsets++;
1195 return msg;
1196 }
1197 /* lookup in rrset and negative cache for NSEC/NSEC3 */
1198 qinfo.qname = nm;
1199 qinfo.qname_len = nmlen;
1200 qinfo.qtype = LDNS_RR_TYPE_DS;
1201 qinfo.qclass = c;
1202 qinfo.local_alias = NULL;
1203 /* do not add SOA to reply message, it is going to be used internal */
1204 msg = val_neg_getmsg(env->neg_cache, &qinfo, region, env->rrset_cache,
1205 env->scratch_buffer, *env->now, 0, topname, env->cfg);
1206 return msg;
1207 }
1208