1 1.1 christos /* 2 1.1 christos * validator/val_utils.c - validator utility functions. 3 1.1 christos * 4 1.1 christos * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 1.1 christos * 6 1.1 christos * This software is open source. 7 1.1 christos * 8 1.1 christos * Redistribution and use in source and binary forms, with or without 9 1.1 christos * modification, are permitted provided that the following conditions 10 1.1 christos * are met: 11 1.1 christos * 12 1.1 christos * Redistributions of source code must retain the above copyright notice, 13 1.1 christos * this list of conditions and the following disclaimer. 14 1.1 christos * 15 1.1 christos * Redistributions in binary form must reproduce the above copyright notice, 16 1.1 christos * this list of conditions and the following disclaimer in the documentation 17 1.1 christos * and/or other materials provided with the distribution. 18 1.1 christos * 19 1.1 christos * Neither the name of the NLNET LABS nor the names of its contributors may 20 1.1 christos * be used to endorse or promote products derived from this software without 21 1.1 christos * specific prior written permission. 22 1.1 christos * 23 1.1 christos * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 1.1 christos * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 1.1 christos * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 1.1 christos * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 1.1 christos * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 1.1 christos * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 1.1 christos * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 1.1 christos * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 1.1 christos * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 1.1 christos * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 1.1 christos * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 1.1 christos */ 35 1.1 christos 36 1.1 christos /** 37 1.1 christos * \file 38 1.1 christos * 39 1.1 christos * This file contains helper functions for the validator module. 40 1.1 christos */ 41 1.1 christos #include "config.h" 42 1.1 christos #include "validator/val_utils.h" 43 1.1 christos #include "validator/validator.h" 44 1.1 christos #include "validator/val_kentry.h" 45 1.1 christos #include "validator/val_sigcrypt.h" 46 1.1 christos #include "validator/val_anchor.h" 47 1.1 christos #include "validator/val_nsec.h" 48 1.1 christos #include "validator/val_neg.h" 49 1.1 christos #include "services/cache/rrset.h" 50 1.1 christos #include "services/cache/dns.h" 51 1.1 christos #include "util/data/msgreply.h" 52 1.1 christos #include "util/data/packed_rrset.h" 53 1.1 christos #include "util/data/dname.h" 54 1.1 christos #include "util/net_help.h" 55 1.1 christos #include "util/module.h" 56 1.1 christos #include "util/regional.h" 57 1.1.1.2 christos #include "util/config_file.h" 58 1.1 christos #include "sldns/wire2str.h" 59 1.1 christos #include "sldns/parseutil.h" 60 1.1 christos 61 1.1.1.5 christos /** Maximum allowed digest match failures per DS, for DNSKEYs with the same 62 1.1.1.5 christos * properties */ 63 1.1.1.5 christos #define MAX_DS_MATCH_FAILURES 4 64 1.1.1.5 christos 65 1.1 christos enum val_classification 66 1.1 christos val_classify_response(uint16_t query_flags, struct query_info* origqinf, 67 1.1 christos struct query_info* qinf, struct reply_info* rep, size_t skip) 68 1.1 christos { 69 1.1 christos int rcode = (int)FLAGS_GET_RCODE(rep->flags); 70 1.1 christos size_t i; 71 1.1 christos 72 1.1 christos /* Normal Name Error's are easy to detect -- but don't mistake a CNAME 73 1.1 christos * chain ending in NXDOMAIN. */ 74 1.1 christos if(rcode == LDNS_RCODE_NXDOMAIN && rep->an_numrrsets == 0) 75 1.1 christos return VAL_CLASS_NAMEERROR; 76 1.1 christos 77 1.1 christos /* check for referral: nonRD query and it looks like a nodata */ 78 1.1 christos if(!(query_flags&BIT_RD) && rep->an_numrrsets == 0 && 79 1.1 christos rcode == LDNS_RCODE_NOERROR) { 80 1.1 christos /* SOA record in auth indicates it is NODATA instead. 81 1.1 christos * All validation requiring NODATA messages have SOA in 82 1.1 christos * authority section. */ 83 1.1 christos /* uses fact that answer section is empty */ 84 1.1 christos int saw_ns = 0; 85 1.1 christos for(i=0; i<rep->ns_numrrsets; i++) { 86 1.1 christos if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_SOA) 87 1.1 christos return VAL_CLASS_NODATA; 88 1.1 christos if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_DS) 89 1.1 christos return VAL_CLASS_REFERRAL; 90 1.1 christos if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NS) 91 1.1 christos saw_ns = 1; 92 1.1 christos } 93 1.1 christos return saw_ns?VAL_CLASS_REFERRAL:VAL_CLASS_NODATA; 94 1.1 christos } 95 1.1 christos /* root referral where NS set is in the answer section */ 96 1.1 christos if(!(query_flags&BIT_RD) && rep->ns_numrrsets == 0 && 97 1.1 christos rep->an_numrrsets == 1 && rcode == LDNS_RCODE_NOERROR && 98 1.1 christos ntohs(rep->rrsets[0]->rk.type) == LDNS_RR_TYPE_NS && 99 1.1 christos query_dname_compare(rep->rrsets[0]->rk.dname, 100 1.1 christos origqinf->qname) != 0) 101 1.1 christos return VAL_CLASS_REFERRAL; 102 1.1 christos 103 1.1 christos /* dump bad messages */ 104 1.1 christos if(rcode != LDNS_RCODE_NOERROR && rcode != LDNS_RCODE_NXDOMAIN) 105 1.1 christos return VAL_CLASS_UNKNOWN; 106 1.1 christos /* next check if the skip into the answer section shows no answer */ 107 1.1 christos if(skip>0 && rep->an_numrrsets <= skip) 108 1.1 christos return VAL_CLASS_CNAMENOANSWER; 109 1.1 christos 110 1.1 christos /* Next is NODATA */ 111 1.1 christos if(rcode == LDNS_RCODE_NOERROR && rep->an_numrrsets == 0) 112 1.1 christos return VAL_CLASS_NODATA; 113 1.1 christos 114 1.1 christos /* We distinguish between CNAME response and other positive/negative 115 1.1 christos * responses because CNAME answers require extra processing. */ 116 1.1 christos 117 1.1 christos /* We distinguish between ANY and CNAME or POSITIVE because 118 1.1 christos * ANY responses are validated differently. */ 119 1.1 christos if(rcode == LDNS_RCODE_NOERROR && qinf->qtype == LDNS_RR_TYPE_ANY) 120 1.1 christos return VAL_CLASS_ANY; 121 1.1.1.6 christos 122 1.1.1.6 christos /* For the query type DNAME, the name matters. Equal name is the 123 1.1.1.6 christos * answer looked for, but a subdomain redirects the query. */ 124 1.1.1.6 christos if(qinf->qtype == LDNS_RR_TYPE_DNAME) { 125 1.1.1.6 christos for(i=skip; i<rep->an_numrrsets; i++) { 126 1.1.1.6 christos if(rcode == LDNS_RCODE_NOERROR && 127 1.1.1.6 christos ntohs(rep->rrsets[i]->rk.type) 128 1.1.1.6 christos == LDNS_RR_TYPE_DNAME && 129 1.1.1.6 christos query_dname_compare(qinf->qname, 130 1.1.1.6 christos rep->rrsets[i]->rk.dname) == 0) { 131 1.1.1.6 christos /* type is DNAME and name is equal, it is 132 1.1.1.6 christos * the answer. For the query name a subdomain 133 1.1.1.6 christos * of the rrset.dname it would redirect. */ 134 1.1.1.6 christos return VAL_CLASS_POSITIVE; 135 1.1.1.6 christos } 136 1.1.1.6 christos if(ntohs(rep->rrsets[i]->rk.type) 137 1.1.1.6 christos == LDNS_RR_TYPE_CNAME) 138 1.1.1.6 christos return VAL_CLASS_CNAME; 139 1.1.1.6 christos } 140 1.1.1.6 christos log_dns_msg("validator: error. failed to classify response message: ", 141 1.1.1.6 christos qinf, rep); 142 1.1.1.6 christos return VAL_CLASS_UNKNOWN; 143 1.1.1.6 christos } 144 1.1.1.6 christos 145 1.1 christos /* Note that DNAMEs will be ignored here, unless qtype=DNAME. Unless 146 1.1 christos * qtype=CNAME, this will yield a CNAME response. */ 147 1.1 christos for(i=skip; i<rep->an_numrrsets; i++) { 148 1.1 christos if(rcode == LDNS_RCODE_NOERROR && 149 1.1 christos ntohs(rep->rrsets[i]->rk.type) == qinf->qtype) 150 1.1 christos return VAL_CLASS_POSITIVE; 151 1.1 christos if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_CNAME) 152 1.1 christos return VAL_CLASS_CNAME; 153 1.1 christos } 154 1.1 christos log_dns_msg("validator: error. failed to classify response message: ", 155 1.1 christos qinf, rep); 156 1.1 christos return VAL_CLASS_UNKNOWN; 157 1.1 christos } 158 1.1 christos 159 1.1 christos /** Get signer name from RRSIG */ 160 1.1 christos static void 161 1.1 christos rrsig_get_signer(uint8_t* data, size_t len, uint8_t** sname, size_t* slen) 162 1.1 christos { 163 1.1 christos /* RRSIG rdata is not allowed to be compressed, it is stored 164 1.1 christos * uncompressed in memory as well, so return a ptr to the name */ 165 1.1 christos if(len < 21) { 166 1.1 christos /* too short RRSig: 167 1.1 christos * short, byte, byte, long, long, long, short, "." is 168 1.1 christos * 2 1 1 4 4 4 2 1 = 19 169 1.1 christos * and a skip of 18 bytes to the name. 170 1.1 christos * +2 for the rdatalen is 21 bytes len for root label */ 171 1.1 christos *sname = NULL; 172 1.1 christos *slen = 0; 173 1.1 christos return; 174 1.1 christos } 175 1.1 christos data += 20; /* skip the fixed size bits */ 176 1.1 christos len -= 20; 177 1.1 christos *slen = dname_valid(data, len); 178 1.1 christos if(!*slen) { 179 1.1 christos /* bad dname in this rrsig. */ 180 1.1 christos *sname = NULL; 181 1.1 christos return; 182 1.1 christos } 183 1.1 christos *sname = data; 184 1.1 christos } 185 1.1 christos 186 1.1 christos void 187 1.1 christos val_find_rrset_signer(struct ub_packed_rrset_key* rrset, uint8_t** sname, 188 1.1 christos size_t* slen) 189 1.1 christos { 190 1.1 christos struct packed_rrset_data* d = (struct packed_rrset_data*) 191 1.1 christos rrset->entry.data; 192 1.1 christos /* return signer for first signature, or NULL */ 193 1.1 christos if(d->rrsig_count == 0) { 194 1.1 christos *sname = NULL; 195 1.1 christos *slen = 0; 196 1.1 christos return; 197 1.1 christos } 198 1.1 christos /* get rrsig signer name out of the signature */ 199 1.1 christos rrsig_get_signer(d->rr_data[d->count], d->rr_len[d->count], 200 1.1 christos sname, slen); 201 1.1 christos } 202 1.1 christos 203 1.1 christos /** 204 1.1 christos * Find best signer name in this set of rrsigs. 205 1.1 christos * @param rrset: which rrsigs to look through. 206 1.1 christos * @param qinf: the query name that needs validation. 207 1.1 christos * @param signer_name: the best signer_name. Updated if a better one is found. 208 1.1 christos * @param signer_len: length of signer name. 209 1.1 christos * @param matchcount: count of current best name (starts at 0 for no match). 210 1.1 christos * Updated if match is improved. 211 1.1 christos */ 212 1.1 christos static void 213 1.1 christos val_find_best_signer(struct ub_packed_rrset_key* rrset, 214 1.1 christos struct query_info* qinf, uint8_t** signer_name, size_t* signer_len, 215 1.1 christos int* matchcount) 216 1.1 christos { 217 1.1 christos struct packed_rrset_data* d = (struct packed_rrset_data*) 218 1.1 christos rrset->entry.data; 219 1.1 christos uint8_t* sign; 220 1.1 christos size_t i; 221 1.1 christos int m; 222 1.1 christos for(i=d->count; i<d->count+d->rrsig_count; i++) { 223 1.1 christos sign = d->rr_data[i]+2+18; 224 1.1 christos /* look at signatures that are valid (long enough), 225 1.1 christos * and have a signer name that is a superdomain of qname, 226 1.1 christos * and then check the number of labels in the shared topdomain 227 1.1 christos * improve the match if possible */ 228 1.1 christos if(d->rr_len[i] > 2+19 && /* rdata, sig + root label*/ 229 1.1 christos dname_subdomain_c(qinf->qname, sign)) { 230 1.1 christos (void)dname_lab_cmp(qinf->qname, 231 1.1 christos dname_count_labels(qinf->qname), 232 1.1 christos sign, dname_count_labels(sign), &m); 233 1.1 christos if(m > *matchcount) { 234 1.1 christos *matchcount = m; 235 1.1 christos *signer_name = sign; 236 1.1 christos (void)dname_count_size_labels(*signer_name, 237 1.1 christos signer_len); 238 1.1 christos } 239 1.1 christos } 240 1.1 christos } 241 1.1 christos } 242 1.1 christos 243 1.1.1.6 christos /** Detect if the, unsigned, CNAME is under a previous DNAME RR in the 244 1.1.1.6 christos * message, and thus it was generated from that previous DNAME. 245 1.1.1.6 christos */ 246 1.1.1.6 christos static int 247 1.1.1.6 christos cname_under_previous_dname(struct reply_info* rep, size_t cname_idx, 248 1.1.1.6 christos size_t* ret) 249 1.1.1.6 christos { 250 1.1.1.6 christos size_t i; 251 1.1.1.6 christos for(i=0; i<cname_idx; i++) { 252 1.1.1.6 christos if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_DNAME && 253 1.1.1.6 christos dname_strict_subdomain_c(rep->rrsets[cname_idx]-> 254 1.1.1.6 christos rk.dname, rep->rrsets[i]->rk.dname)) { 255 1.1.1.6 christos *ret = i; 256 1.1.1.6 christos return 1; 257 1.1.1.6 christos } 258 1.1.1.6 christos } 259 1.1.1.6 christos *ret = 0; 260 1.1.1.6 christos return 0; 261 1.1.1.6 christos } 262 1.1.1.6 christos 263 1.1 christos void 264 1.1 christos val_find_signer(enum val_classification subtype, struct query_info* qinf, 265 1.1 christos struct reply_info* rep, size_t skip, uint8_t** signer_name, 266 1.1 christos size_t* signer_len) 267 1.1 christos { 268 1.1 christos size_t i; 269 1.1 christos 270 1.1.1.2 christos if(subtype == VAL_CLASS_POSITIVE) { 271 1.1 christos /* check for the answer rrset */ 272 1.1 christos for(i=skip; i<rep->an_numrrsets; i++) { 273 1.1 christos if(query_dname_compare(qinf->qname, 274 1.1 christos rep->rrsets[i]->rk.dname) == 0) { 275 1.1 christos val_find_rrset_signer(rep->rrsets[i], 276 1.1 christos signer_name, signer_len); 277 1.1.1.6 christos /* If there was no signer, and the query 278 1.1.1.6 christos * was for type CNAME, and this is a CNAME, 279 1.1.1.6 christos * and the previous is a DNAME, then this 280 1.1.1.6 christos * is the synthesized CNAME, use the signer 281 1.1.1.6 christos * of the DNAME record. */ 282 1.1.1.6 christos if(*signer_name == NULL && 283 1.1.1.6 christos qinf->qtype == LDNS_RR_TYPE_CNAME && 284 1.1.1.6 christos ntohs(rep->rrsets[i]->rk.type) == 285 1.1.1.6 christos LDNS_RR_TYPE_CNAME && i > skip && 286 1.1.1.6 christos ntohs(rep->rrsets[i-1]->rk.type) == 287 1.1.1.6 christos LDNS_RR_TYPE_DNAME && 288 1.1.1.6 christos dname_strict_subdomain_c(rep->rrsets[i]->rk.dname, rep->rrsets[i-1]->rk.dname)) { 289 1.1.1.6 christos val_find_rrset_signer(rep->rrsets[i-1], 290 1.1.1.6 christos signer_name, signer_len); 291 1.1.1.6 christos } 292 1.1 christos return; 293 1.1 christos } 294 1.1 christos } 295 1.1 christos *signer_name = NULL; 296 1.1 christos *signer_len = 0; 297 1.1 christos } else if(subtype == VAL_CLASS_CNAME) { 298 1.1.1.6 christos size_t j; 299 1.1 christos /* check for the first signed cname/dname rrset */ 300 1.1 christos for(i=skip; i<rep->an_numrrsets; i++) { 301 1.1 christos val_find_rrset_signer(rep->rrsets[i], 302 1.1 christos signer_name, signer_len); 303 1.1 christos if(*signer_name) 304 1.1 christos return; 305 1.1.1.6 christos if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_CNAME 306 1.1.1.6 christos && cname_under_previous_dname(rep, i, &j)) { 307 1.1.1.6 christos val_find_rrset_signer(rep->rrsets[j], 308 1.1.1.6 christos signer_name, signer_len); 309 1.1.1.6 christos return; 310 1.1.1.6 christos } 311 1.1 christos if(ntohs(rep->rrsets[i]->rk.type) != LDNS_RR_TYPE_DNAME) 312 1.1 christos break; /* only check CNAME after a DNAME */ 313 1.1 christos } 314 1.1 christos *signer_name = NULL; 315 1.1 christos *signer_len = 0; 316 1.1 christos } else if(subtype == VAL_CLASS_NAMEERROR 317 1.1 christos || subtype == VAL_CLASS_NODATA) { 318 1.1 christos /*Check to see if the AUTH section NSEC record(s) have rrsigs*/ 319 1.1 christos for(i=rep->an_numrrsets; i< 320 1.1 christos rep->an_numrrsets+rep->ns_numrrsets; i++) { 321 1.1 christos if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NSEC 322 1.1 christos || ntohs(rep->rrsets[i]->rk.type) == 323 1.1 christos LDNS_RR_TYPE_NSEC3) { 324 1.1 christos val_find_rrset_signer(rep->rrsets[i], 325 1.1 christos signer_name, signer_len); 326 1.1 christos return; 327 1.1 christos } 328 1.1 christos } 329 1.1 christos } else if(subtype == VAL_CLASS_CNAMENOANSWER) { 330 1.1 christos /* find closest superdomain signer name in authority section 331 1.1 christos * NSEC and NSEC3s */ 332 1.1 christos int matchcount = 0; 333 1.1 christos *signer_name = NULL; 334 1.1 christos *signer_len = 0; 335 1.1 christos for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep-> 336 1.1 christos ns_numrrsets; i++) { 337 1.1 christos if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NSEC 338 1.1 christos || ntohs(rep->rrsets[i]->rk.type) == 339 1.1 christos LDNS_RR_TYPE_NSEC3) { 340 1.1 christos val_find_best_signer(rep->rrsets[i], qinf, 341 1.1 christos signer_name, signer_len, &matchcount); 342 1.1 christos } 343 1.1 christos } 344 1.1.1.2 christos } else if(subtype == VAL_CLASS_ANY) { 345 1.1.1.2 christos /* check for one of the answer rrset that has signatures, 346 1.1.1.2 christos * or potentially a DNAME is in use with a different qname */ 347 1.1.1.2 christos for(i=skip; i<rep->an_numrrsets; i++) { 348 1.1.1.2 christos if(query_dname_compare(qinf->qname, 349 1.1.1.2 christos rep->rrsets[i]->rk.dname) == 0) { 350 1.1.1.2 christos val_find_rrset_signer(rep->rrsets[i], 351 1.1.1.2 christos signer_name, signer_len); 352 1.1.1.2 christos if(*signer_name) 353 1.1.1.2 christos return; 354 1.1.1.2 christos } 355 1.1.1.2 christos } 356 1.1.1.2 christos /* no answer RRSIGs with qname, try a DNAME */ 357 1.1.1.2 christos if(skip < rep->an_numrrsets && 358 1.1.1.2 christos ntohs(rep->rrsets[skip]->rk.type) == 359 1.1.1.2 christos LDNS_RR_TYPE_DNAME) { 360 1.1.1.2 christos val_find_rrset_signer(rep->rrsets[skip], 361 1.1.1.2 christos signer_name, signer_len); 362 1.1.1.2 christos if(*signer_name) 363 1.1.1.2 christos return; 364 1.1.1.2 christos } 365 1.1.1.2 christos *signer_name = NULL; 366 1.1.1.2 christos *signer_len = 0; 367 1.1 christos } else if(subtype == VAL_CLASS_REFERRAL) { 368 1.1 christos /* find keys for the item at skip */ 369 1.1 christos if(skip < rep->rrset_count) { 370 1.1 christos val_find_rrset_signer(rep->rrsets[skip], 371 1.1 christos signer_name, signer_len); 372 1.1 christos return; 373 1.1 christos } 374 1.1 christos *signer_name = NULL; 375 1.1 christos *signer_len = 0; 376 1.1 christos } else { 377 1.1 christos verbose(VERB_QUERY, "find_signer: could not find signer name" 378 1.1 christos " for unknown type response"); 379 1.1 christos *signer_name = NULL; 380 1.1 christos *signer_len = 0; 381 1.1 christos } 382 1.1 christos } 383 1.1 christos 384 1.1 christos /** return number of rrs in an rrset */ 385 1.1 christos static size_t 386 1.1 christos rrset_get_count(struct ub_packed_rrset_key* rrset) 387 1.1 christos { 388 1.1 christos struct packed_rrset_data* d = (struct packed_rrset_data*) 389 1.1 christos rrset->entry.data; 390 1.1 christos if(!d) return 0; 391 1.1 christos return d->count; 392 1.1 christos } 393 1.1 christos 394 1.1 christos /** return TTL of rrset */ 395 1.1 christos static uint32_t 396 1.1 christos rrset_get_ttl(struct ub_packed_rrset_key* rrset) 397 1.1 christos { 398 1.1 christos struct packed_rrset_data* d = (struct packed_rrset_data*) 399 1.1 christos rrset->entry.data; 400 1.1 christos if(!d) return 0; 401 1.1 christos return d->ttl; 402 1.1 christos } 403 1.1 christos 404 1.1.1.4 christos static enum sec_status 405 1.1 christos val_verify_rrset(struct module_env* env, struct val_env* ve, 406 1.1 christos struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* keys, 407 1.1.1.4 christos uint8_t* sigalg, char** reason, sldns_ede_code *reason_bogus, 408 1.1.1.5 christos sldns_pkt_section section, struct module_qstate* qstate, 409 1.1.1.6 christos int *verified, char* reasonbuf, size_t reasonlen) 410 1.1 christos { 411 1.1 christos enum sec_status sec; 412 1.1 christos struct packed_rrset_data* d = (struct packed_rrset_data*)rrset-> 413 1.1 christos entry.data; 414 1.1 christos if(d->security == sec_status_secure) { 415 1.1 christos /* re-verify all other statuses, because keyset may change*/ 416 1.1 christos log_nametypeclass(VERB_ALGO, "verify rrset cached", 417 1.1 christos rrset->rk.dname, ntohs(rrset->rk.type), 418 1.1 christos ntohs(rrset->rk.rrset_class)); 419 1.1.1.5 christos *verified = 0; 420 1.1 christos return d->security; 421 1.1 christos } 422 1.1 christos /* check in the cache if verification has already been done */ 423 1.1 christos rrset_check_sec_status(env->rrset_cache, rrset, *env->now); 424 1.1 christos if(d->security == sec_status_secure) { 425 1.1 christos log_nametypeclass(VERB_ALGO, "verify rrset from cache", 426 1.1 christos rrset->rk.dname, ntohs(rrset->rk.type), 427 1.1 christos ntohs(rrset->rk.rrset_class)); 428 1.1.1.5 christos *verified = 0; 429 1.1 christos return d->security; 430 1.1 christos } 431 1.1 christos log_nametypeclass(VERB_ALGO, "verify rrset", rrset->rk.dname, 432 1.1 christos ntohs(rrset->rk.type), ntohs(rrset->rk.rrset_class)); 433 1.1.1.2 christos sec = dnskeyset_verify_rrset(env, ve, rrset, keys, sigalg, reason, 434 1.1.1.6 christos reason_bogus, section, qstate, verified, reasonbuf, reasonlen); 435 1.1 christos verbose(VERB_ALGO, "verify result: %s", sec_status_to_string(sec)); 436 1.1 christos regional_free_all(env->scratch); 437 1.1 christos 438 1.1 christos /* update rrset security status 439 1.1 christos * only improves security status 440 1.1 christos * and bogus is set only once, even if we rechecked the status */ 441 1.1 christos if(sec > d->security) { 442 1.1 christos d->security = sec; 443 1.1 christos if(sec == sec_status_secure) 444 1.1 christos d->trust = rrset_trust_validated; 445 1.1 christos else if(sec == sec_status_bogus) { 446 1.1 christos size_t i; 447 1.1 christos /* update ttl for rrset to fixed value. */ 448 1.1 christos d->ttl = ve->bogus_ttl; 449 1.1 christos for(i=0; i<d->count+d->rrsig_count; i++) 450 1.1 christos d->rr_ttl[i] = ve->bogus_ttl; 451 1.1 christos /* leave RR specific TTL: not used for determine 452 1.1 christos * if RRset timed out and clients see proper value. */ 453 1.1 christos lock_basic_lock(&ve->bogus_lock); 454 1.1 christos ve->num_rrset_bogus++; 455 1.1 christos lock_basic_unlock(&ve->bogus_lock); 456 1.1 christos } 457 1.1 christos /* if status updated - store in cache for reuse */ 458 1.1 christos rrset_update_sec_status(env->rrset_cache, rrset, *env->now); 459 1.1 christos } 460 1.1 christos 461 1.1 christos return sec; 462 1.1 christos } 463 1.1 christos 464 1.1 christos enum sec_status 465 1.1 christos val_verify_rrset_entry(struct module_env* env, struct val_env* ve, 466 1.1 christos struct ub_packed_rrset_key* rrset, struct key_entry_key* kkey, 467 1.1.1.4 christos char** reason, sldns_ede_code *reason_bogus, 468 1.1.1.5 christos sldns_pkt_section section, struct module_qstate* qstate, 469 1.1.1.6 christos int* verified, char* reasonbuf, size_t reasonlen) 470 1.1 christos { 471 1.1 christos /* temporary dnskey rrset-key */ 472 1.1 christos struct ub_packed_rrset_key dnskey; 473 1.1 christos struct key_entry_data* kd = (struct key_entry_data*)kkey->entry.data; 474 1.1 christos enum sec_status sec; 475 1.1 christos dnskey.rk.type = htons(kd->rrset_type); 476 1.1 christos dnskey.rk.rrset_class = htons(kkey->key_class); 477 1.1 christos dnskey.rk.flags = 0; 478 1.1 christos dnskey.rk.dname = kkey->name; 479 1.1 christos dnskey.rk.dname_len = kkey->namelen; 480 1.1 christos dnskey.entry.key = &dnskey; 481 1.1 christos dnskey.entry.data = kd->rrset_data; 482 1.1.1.2 christos sec = val_verify_rrset(env, ve, rrset, &dnskey, kd->algo, reason, 483 1.1.1.6 christos reason_bogus, section, qstate, verified, reasonbuf, reasonlen); 484 1.1 christos return sec; 485 1.1 christos } 486 1.1 christos 487 1.1 christos /** verify that a DS RR hashes to a key and that key signs the set */ 488 1.1 christos static enum sec_status 489 1.1.1.4 christos verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve, 490 1.1.1.4 christos struct ub_packed_rrset_key* dnskey_rrset, 491 1.1.1.2 christos struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, char** reason, 492 1.1.1.6 christos sldns_ede_code *reason_bogus, struct module_qstate* qstate, 493 1.1.1.6 christos int *nonechecked, char* reasonbuf, size_t reasonlen) 494 1.1 christos { 495 1.1 christos enum sec_status sec = sec_status_bogus; 496 1.1.1.4 christos size_t i, num, numchecked = 0, numhashok = 0, numsizesupp = 0; 497 1.1 christos num = rrset_get_count(dnskey_rrset); 498 1.1.1.6 christos *nonechecked = 0; 499 1.1 christos for(i=0; i<num; i++) { 500 1.1 christos /* Skip DNSKEYs that don't match the basic criteria. */ 501 1.1 christos if(ds_get_key_algo(ds_rrset, ds_idx) 502 1.1 christos != dnskey_get_algo(dnskey_rrset, i) 503 1.1 christos || dnskey_calc_keytag(dnskey_rrset, i) 504 1.1 christos != ds_get_keytag(ds_rrset, ds_idx)) { 505 1.1 christos continue; 506 1.1 christos } 507 1.1 christos numchecked++; 508 1.1 christos verbose(VERB_ALGO, "attempt DS match algo %d keytag %d", 509 1.1 christos ds_get_key_algo(ds_rrset, ds_idx), 510 1.1 christos ds_get_keytag(ds_rrset, ds_idx)); 511 1.1 christos 512 1.1 christos /* Convert the candidate DNSKEY into a hash using the 513 1.1 christos * same DS hash algorithm. */ 514 1.1 christos if(!ds_digest_match_dnskey(env, dnskey_rrset, i, ds_rrset, 515 1.1 christos ds_idx)) { 516 1.1 christos verbose(VERB_ALGO, "DS match attempt failed"); 517 1.1.1.5 christos if(numchecked > numhashok + MAX_DS_MATCH_FAILURES) { 518 1.1.1.5 christos verbose(VERB_ALGO, "DS match attempt reached " 519 1.1.1.5 christos "MAX_DS_MATCH_FAILURES (%d); bogus", 520 1.1.1.5 christos MAX_DS_MATCH_FAILURES); 521 1.1.1.5 christos return sec_status_bogus; 522 1.1.1.5 christos } 523 1.1 christos continue; 524 1.1 christos } 525 1.1 christos numhashok++; 526 1.1.1.4 christos if(!dnskey_size_is_supported(dnskey_rrset, i)) { 527 1.1.1.4 christos verbose(VERB_ALGO, "DS okay but that DNSKEY size is not supported"); 528 1.1.1.4 christos numsizesupp++; 529 1.1.1.4 christos continue; 530 1.1.1.4 christos } 531 1.1 christos verbose(VERB_ALGO, "DS match digest ok, trying signature"); 532 1.1 christos 533 1.1 christos /* Otherwise, we have a match! Make sure that the DNSKEY 534 1.1 christos * verifies *with this key* */ 535 1.1.1.4 christos sec = dnskey_verify_rrset(env, ve, dnskey_rrset, dnskey_rrset, 536 1.1.1.4 christos i, reason, reason_bogus, LDNS_SECTION_ANSWER, qstate); 537 1.1 christos if(sec == sec_status_secure) { 538 1.1 christos return sec; 539 1.1 christos } 540 1.1 christos /* If it didn't validate with the DNSKEY, try the next one! */ 541 1.1 christos } 542 1.1.1.4 christos if(numsizesupp != 0 || sec == sec_status_indeterminate) { 543 1.1.1.4 christos /* there is a working DS, but that DNSKEY is not supported */ 544 1.1.1.4 christos return sec_status_insecure; 545 1.1.1.4 christos } 546 1.1.1.6 christos if(numchecked == 0) { 547 1.1.1.6 christos algo_needs_reason(ds_get_key_algo(ds_rrset, ds_idx), 548 1.1.1.6 christos reason, "no keys have a DS", reasonbuf, reasonlen); 549 1.1.1.6 christos *nonechecked = 1; 550 1.1.1.6 christos } else if(numhashok == 0) { 551 1.1 christos *reason = "DS hash mismatches key"; 552 1.1.1.6 christos } else if(!*reason) { 553 1.1 christos *reason = "keyset not secured by DNSKEY that matches DS"; 554 1.1.1.6 christos } 555 1.1 christos return sec_status_bogus; 556 1.1 christos } 557 1.1 christos 558 1.1 christos int val_favorite_ds_algo(struct ub_packed_rrset_key* ds_rrset) 559 1.1 christos { 560 1.1 christos size_t i, num = rrset_get_count(ds_rrset); 561 1.1 christos int d, digest_algo = 0; /* DS digest algo 0 is not used. */ 562 1.1 christos /* find favorite algo, for now, highest number supported */ 563 1.1 christos for(i=0; i<num; i++) { 564 1.1 christos if(!ds_digest_algo_is_supported(ds_rrset, i) || 565 1.1 christos !ds_key_algo_is_supported(ds_rrset, i)) { 566 1.1 christos continue; 567 1.1 christos } 568 1.1 christos d = ds_get_digest_algo(ds_rrset, i); 569 1.1 christos if(d > digest_algo) 570 1.1 christos digest_algo = d; 571 1.1 christos } 572 1.1 christos return digest_algo; 573 1.1 christos } 574 1.1 christos 575 1.1.1.4 christos enum sec_status 576 1.1 christos val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve, 577 1.1 christos struct ub_packed_rrset_key* dnskey_rrset, 578 1.1.1.2 christos struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason, 579 1.1.1.6 christos sldns_ede_code *reason_bogus, struct module_qstate* qstate, 580 1.1.1.6 christos char* reasonbuf, size_t reasonlen) 581 1.1 christos { 582 1.1 christos /* as long as this is false, we can consider this DS rrset to be 583 1.1 christos * equivalent to no DS rrset. */ 584 1.1.1.6 christos int has_useful_ds = 0, digest_algo, alg, has_algo_refusal = 0, 585 1.1.1.6 christos nonechecked, has_checked_ds = 0; 586 1.1 christos struct algo_needs needs; 587 1.1 christos size_t i, num; 588 1.1 christos enum sec_status sec; 589 1.1 christos 590 1.1 christos if(dnskey_rrset->rk.dname_len != ds_rrset->rk.dname_len || 591 1.1 christos query_dname_compare(dnskey_rrset->rk.dname, ds_rrset->rk.dname) 592 1.1 christos != 0) { 593 1.1 christos verbose(VERB_QUERY, "DNSKEY RRset did not match DS RRset " 594 1.1 christos "by name"); 595 1.1 christos *reason = "DNSKEY RRset did not match DS RRset by name"; 596 1.1 christos return sec_status_bogus; 597 1.1 christos } 598 1.1 christos 599 1.1.1.2 christos if(sigalg) { 600 1.1.1.2 christos /* harden against algo downgrade is enabled */ 601 1.1.1.2 christos digest_algo = val_favorite_ds_algo(ds_rrset); 602 1.1 christos algo_needs_init_ds(&needs, ds_rrset, digest_algo, sigalg); 603 1.1.1.2 christos } else { 604 1.1.1.2 christos /* accept any key algo, any digest algo */ 605 1.1.1.2 christos digest_algo = -1; 606 1.1.1.2 christos } 607 1.1 christos num = rrset_get_count(ds_rrset); 608 1.1 christos for(i=0; i<num; i++) { 609 1.1 christos /* Check to see if we can understand this DS. 610 1.1 christos * And check it is the strongest digest */ 611 1.1 christos if(!ds_digest_algo_is_supported(ds_rrset, i) || 612 1.1 christos !ds_key_algo_is_supported(ds_rrset, i) || 613 1.1.1.2 christos (sigalg && (ds_get_digest_algo(ds_rrset, i) != digest_algo))) { 614 1.1 christos continue; 615 1.1 christos } 616 1.1 christos 617 1.1.1.4 christos sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset, 618 1.1.1.6 christos ds_rrset, i, reason, reason_bogus, qstate, 619 1.1.1.6 christos &nonechecked, reasonbuf, reasonlen); 620 1.1.1.6 christos if(sec == sec_status_insecure) { 621 1.1.1.6 christos /* DNSKEY too large unsupported or algo refused by 622 1.1.1.6 christos * crypto lib. */ 623 1.1.1.6 christos has_algo_refusal = 1; 624 1.1.1.4 christos continue; 625 1.1.1.6 christos } 626 1.1.1.6 christos if(!nonechecked) 627 1.1.1.6 christos has_checked_ds = 1; 628 1.1.1.4 christos 629 1.1 christos /* Once we see a single DS with a known digestID and 630 1.1 christos * algorithm, we cannot return INSECURE (with a 631 1.1 christos * "null" KeyEntry). */ 632 1.1 christos has_useful_ds = 1; 633 1.1 christos 634 1.1 christos if(sec == sec_status_secure) { 635 1.1 christos if(!sigalg || algo_needs_set_secure(&needs, 636 1.1 christos (uint8_t)ds_get_key_algo(ds_rrset, i))) { 637 1.1 christos verbose(VERB_ALGO, "DS matched DNSKEY."); 638 1.1.1.4 christos if(!dnskeyset_size_is_supported(dnskey_rrset)) { 639 1.1.1.4 christos verbose(VERB_ALGO, "DS works, but dnskeyset contain keys that are unsupported, treat as insecure"); 640 1.1.1.4 christos return sec_status_insecure; 641 1.1.1.4 christos } 642 1.1 christos return sec_status_secure; 643 1.1 christos } 644 1.1 christos } else if(sigalg && sec == sec_status_bogus) { 645 1.1 christos algo_needs_set_bogus(&needs, 646 1.1 christos (uint8_t)ds_get_key_algo(ds_rrset, i)); 647 1.1 christos } 648 1.1 christos } 649 1.1 christos 650 1.1 christos /* None of the DS's worked out. */ 651 1.1 christos 652 1.1.1.6 christos /* If none of the DSes have been checked, eg. that means no matches 653 1.1.1.6 christos * for keytags, and the other dses are all algo_refusal, it is an 654 1.1.1.6 christos * insecure delegation point, since the only matched DS records 655 1.1.1.6 christos * have an algo refusal, or are unsupported. */ 656 1.1.1.6 christos if(has_algo_refusal && !has_checked_ds) { 657 1.1.1.6 christos verbose(VERB_ALGO, "No supported DS records were found -- " 658 1.1.1.6 christos "treating as insecure."); 659 1.1.1.6 christos return sec_status_insecure; 660 1.1.1.6 christos } 661 1.1 christos /* If no DSs were understandable, then this is OK. */ 662 1.1 christos if(!has_useful_ds) { 663 1.1 christos verbose(VERB_ALGO, "No usable DS records were found -- " 664 1.1 christos "treating as insecure."); 665 1.1 christos return sec_status_insecure; 666 1.1 christos } 667 1.1 christos /* If any were understandable, then it is bad. */ 668 1.1 christos verbose(VERB_QUERY, "Failed to match any usable DS to a DNSKEY."); 669 1.1 christos if(sigalg && (alg=algo_needs_missing(&needs)) != 0) { 670 1.1.1.6 christos algo_needs_reason(alg, reason, "missing verification of " 671 1.1.1.6 christos "DNSKEY signature", reasonbuf, reasonlen); 672 1.1 christos } 673 1.1 christos return sec_status_bogus; 674 1.1 christos } 675 1.1 christos 676 1.1.1.4 christos struct key_entry_key* 677 1.1 christos val_verify_new_DNSKEYs(struct regional* region, struct module_env* env, 678 1.1 christos struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, 679 1.1.1.2 christos struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason, 680 1.1.1.6 christos sldns_ede_code *reason_bogus, struct module_qstate* qstate, 681 1.1.1.6 christos char* reasonbuf, size_t reasonlen) 682 1.1 christos { 683 1.1 christos uint8_t sigalg[ALGO_NEEDS_MAX+1]; 684 1.1.1.4 christos enum sec_status sec = val_verify_DNSKEY_with_DS(env, ve, 685 1.1.1.4 christos dnskey_rrset, ds_rrset, downprot?sigalg:NULL, reason, 686 1.1.1.6 christos reason_bogus, qstate, reasonbuf, reasonlen); 687 1.1 christos 688 1.1 christos if(sec == sec_status_secure) { 689 1.1 christos return key_entry_create_rrset(region, 690 1.1 christos ds_rrset->rk.dname, ds_rrset->rk.dname_len, 691 1.1 christos ntohs(ds_rrset->rk.rrset_class), dnskey_rrset, 692 1.1.1.5 christos downprot?sigalg:NULL, LDNS_EDE_NONE, NULL, 693 1.1.1.5 christos *env->now); 694 1.1 christos } else if(sec == sec_status_insecure) { 695 1.1 christos return key_entry_create_null(region, ds_rrset->rk.dname, 696 1.1.1.5 christos ds_rrset->rk.dname_len, 697 1.1 christos ntohs(ds_rrset->rk.rrset_class), 698 1.1.1.5 christos rrset_get_ttl(ds_rrset), *reason_bogus, *reason, 699 1.1.1.5 christos *env->now); 700 1.1 christos } 701 1.1 christos return key_entry_create_bad(region, ds_rrset->rk.dname, 702 1.1 christos ds_rrset->rk.dname_len, ntohs(ds_rrset->rk.rrset_class), 703 1.1.1.5 christos BOGUS_KEY_TTL, *reason_bogus, *reason, *env->now); 704 1.1 christos } 705 1.1 christos 706 1.1.1.4 christos enum sec_status 707 1.1 christos val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve, 708 1.1 christos struct ub_packed_rrset_key* dnskey_rrset, 709 1.1 christos struct ub_packed_rrset_key* ta_ds, 710 1.1.1.2 christos struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason, 711 1.1.1.6 christos sldns_ede_code *reason_bogus, struct module_qstate* qstate, 712 1.1.1.6 christos char* reasonbuf, size_t reasonlen) 713 1.1 christos { 714 1.1 christos /* as long as this is false, we can consider this anchor to be 715 1.1 christos * equivalent to no anchor. */ 716 1.1.1.6 christos int has_useful_ta = 0, digest_algo = 0, alg, has_algo_refusal = 0, 717 1.1.1.6 christos nonechecked, has_checked_ds = 0; 718 1.1 christos struct algo_needs needs; 719 1.1 christos size_t i, num; 720 1.1 christos enum sec_status sec; 721 1.1 christos 722 1.1 christos if(ta_ds && (dnskey_rrset->rk.dname_len != ta_ds->rk.dname_len || 723 1.1 christos query_dname_compare(dnskey_rrset->rk.dname, ta_ds->rk.dname) 724 1.1 christos != 0)) { 725 1.1 christos verbose(VERB_QUERY, "DNSKEY RRset did not match DS RRset " 726 1.1 christos "by name"); 727 1.1 christos *reason = "DNSKEY RRset did not match DS RRset by name"; 728 1.1.1.4 christos if(reason_bogus) 729 1.1.1.4 christos *reason_bogus = LDNS_EDE_DNSKEY_MISSING; 730 1.1 christos return sec_status_bogus; 731 1.1 christos } 732 1.1 christos if(ta_dnskey && (dnskey_rrset->rk.dname_len != ta_dnskey->rk.dname_len 733 1.1 christos || query_dname_compare(dnskey_rrset->rk.dname, ta_dnskey->rk.dname) 734 1.1 christos != 0)) { 735 1.1 christos verbose(VERB_QUERY, "DNSKEY RRset did not match anchor RRset " 736 1.1 christos "by name"); 737 1.1 christos *reason = "DNSKEY RRset did not match anchor RRset by name"; 738 1.1.1.4 christos if(reason_bogus) 739 1.1.1.4 christos *reason_bogus = LDNS_EDE_DNSKEY_MISSING; 740 1.1 christos return sec_status_bogus; 741 1.1 christos } 742 1.1 christos 743 1.1 christos if(ta_ds) 744 1.1 christos digest_algo = val_favorite_ds_algo(ta_ds); 745 1.1 christos if(sigalg) { 746 1.1 christos if(ta_ds) 747 1.1 christos algo_needs_init_ds(&needs, ta_ds, digest_algo, sigalg); 748 1.1 christos else memset(&needs, 0, sizeof(needs)); 749 1.1 christos if(ta_dnskey) 750 1.1 christos algo_needs_init_dnskey_add(&needs, ta_dnskey, sigalg); 751 1.1 christos } 752 1.1 christos if(ta_ds) { 753 1.1 christos num = rrset_get_count(ta_ds); 754 1.1 christos for(i=0; i<num; i++) { 755 1.1 christos /* Check to see if we can understand this DS. 756 1.1 christos * And check it is the strongest digest */ 757 1.1 christos if(!ds_digest_algo_is_supported(ta_ds, i) || 758 1.1 christos !ds_key_algo_is_supported(ta_ds, i) || 759 1.1 christos ds_get_digest_algo(ta_ds, i) != digest_algo) 760 1.1 christos continue; 761 1.1 christos 762 1.1.1.4 christos sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset, 763 1.1.1.6 christos ta_ds, i, reason, reason_bogus, qstate, &nonechecked, 764 1.1.1.6 christos reasonbuf, reasonlen); 765 1.1.1.6 christos if(sec == sec_status_insecure) { 766 1.1.1.6 christos has_algo_refusal = 1; 767 1.1.1.4 christos continue; 768 1.1.1.6 christos } 769 1.1.1.6 christos if(!nonechecked) 770 1.1.1.6 christos has_checked_ds = 1; 771 1.1.1.4 christos 772 1.1 christos /* Once we see a single DS with a known digestID and 773 1.1 christos * algorithm, we cannot return INSECURE (with a 774 1.1 christos * "null" KeyEntry). */ 775 1.1 christos has_useful_ta = 1; 776 1.1 christos 777 1.1 christos if(sec == sec_status_secure) { 778 1.1 christos if(!sigalg || algo_needs_set_secure(&needs, 779 1.1 christos (uint8_t)ds_get_key_algo(ta_ds, i))) { 780 1.1 christos verbose(VERB_ALGO, "DS matched DNSKEY."); 781 1.1.1.4 christos if(!dnskeyset_size_is_supported(dnskey_rrset)) { 782 1.1.1.4 christos verbose(VERB_ALGO, "trustanchor works, but dnskeyset contain keys that are unsupported, treat as insecure"); 783 1.1.1.4 christos return sec_status_insecure; 784 1.1.1.4 christos } 785 1.1 christos return sec_status_secure; 786 1.1 christos } 787 1.1 christos } else if(sigalg && sec == sec_status_bogus) { 788 1.1 christos algo_needs_set_bogus(&needs, 789 1.1 christos (uint8_t)ds_get_key_algo(ta_ds, i)); 790 1.1 christos } 791 1.1 christos } 792 1.1 christos } 793 1.1 christos 794 1.1 christos /* None of the DS's worked out: check the DNSKEYs. */ 795 1.1 christos if(ta_dnskey) { 796 1.1 christos num = rrset_get_count(ta_dnskey); 797 1.1 christos for(i=0; i<num; i++) { 798 1.1 christos /* Check to see if we can understand this DNSKEY */ 799 1.1 christos if(!dnskey_algo_is_supported(ta_dnskey, i)) 800 1.1 christos continue; 801 1.1.1.4 christos if(!dnskey_size_is_supported(ta_dnskey, i)) 802 1.1.1.4 christos continue; 803 1.1 christos 804 1.1 christos /* we saw a useful TA */ 805 1.1 christos has_useful_ta = 1; 806 1.1 christos 807 1.1 christos sec = dnskey_verify_rrset(env, ve, dnskey_rrset, 808 1.1.1.5 christos ta_dnskey, i, reason, reason_bogus, LDNS_SECTION_ANSWER, qstate); 809 1.1 christos if(sec == sec_status_secure) { 810 1.1 christos if(!sigalg || algo_needs_set_secure(&needs, 811 1.1 christos (uint8_t)dnskey_get_algo(ta_dnskey, i))) { 812 1.1 christos verbose(VERB_ALGO, "anchor matched DNSKEY."); 813 1.1.1.4 christos if(!dnskeyset_size_is_supported(dnskey_rrset)) { 814 1.1.1.4 christos verbose(VERB_ALGO, "trustanchor works, but dnskeyset contain keys that are unsupported, treat as insecure"); 815 1.1.1.4 christos return sec_status_insecure; 816 1.1.1.4 christos } 817 1.1 christos return sec_status_secure; 818 1.1 christos } 819 1.1 christos } else if(sigalg && sec == sec_status_bogus) { 820 1.1 christos algo_needs_set_bogus(&needs, 821 1.1 christos (uint8_t)dnskey_get_algo(ta_dnskey, i)); 822 1.1 christos } 823 1.1 christos } 824 1.1 christos } 825 1.1 christos 826 1.1.1.6 christos /* If none of the DSes have been checked, eg. that means no matches 827 1.1.1.6 christos * for keytags, and the other dses are all algo_refusal, it is an 828 1.1.1.6 christos * insecure delegation point, since the only matched DS records 829 1.1.1.6 christos * have an algo refusal, or are unsupported. */ 830 1.1.1.6 christos if(has_algo_refusal && !has_checked_ds) { 831 1.1.1.6 christos verbose(VERB_ALGO, "No supported trust anchors were found -- " 832 1.1.1.6 christos "treating as insecure."); 833 1.1.1.6 christos return sec_status_insecure; 834 1.1.1.6 christos } 835 1.1 christos /* If no DSs were understandable, then this is OK. */ 836 1.1 christos if(!has_useful_ta) { 837 1.1 christos verbose(VERB_ALGO, "No usable trust anchors were found -- " 838 1.1 christos "treating as insecure."); 839 1.1 christos return sec_status_insecure; 840 1.1 christos } 841 1.1 christos /* If any were understandable, then it is bad. */ 842 1.1 christos verbose(VERB_QUERY, "Failed to match any usable anchor to a DNSKEY."); 843 1.1 christos if(sigalg && (alg=algo_needs_missing(&needs)) != 0) { 844 1.1.1.6 christos algo_needs_reason(alg, reason, "missing verification of " 845 1.1.1.6 christos "DNSKEY signature", reasonbuf, reasonlen); 846 1.1 christos } 847 1.1 christos return sec_status_bogus; 848 1.1 christos } 849 1.1 christos 850 1.1 christos struct key_entry_key* 851 1.1 christos val_verify_new_DNSKEYs_with_ta(struct regional* region, struct module_env* env, 852 1.1.1.4 christos struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, 853 1.1 christos struct ub_packed_rrset_key* ta_ds_rrset, 854 1.1 christos struct ub_packed_rrset_key* ta_dnskey_rrset, int downprot, 855 1.1.1.6 christos char** reason, sldns_ede_code *reason_bogus, 856 1.1.1.6 christos struct module_qstate* qstate, char* reasonbuf, size_t reasonlen) 857 1.1 christos { 858 1.1 christos uint8_t sigalg[ALGO_NEEDS_MAX+1]; 859 1.1.1.4 christos enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve, 860 1.1 christos dnskey_rrset, ta_ds_rrset, ta_dnskey_rrset, 861 1.1.1.6 christos downprot?sigalg:NULL, reason, reason_bogus, qstate, 862 1.1.1.6 christos reasonbuf, reasonlen); 863 1.1 christos 864 1.1 christos if(sec == sec_status_secure) { 865 1.1.1.4 christos return key_entry_create_rrset(region, 866 1.1 christos dnskey_rrset->rk.dname, dnskey_rrset->rk.dname_len, 867 1.1 christos ntohs(dnskey_rrset->rk.rrset_class), dnskey_rrset, 868 1.1.1.5 christos downprot?sigalg:NULL, LDNS_EDE_NONE, NULL, *env->now); 869 1.1 christos } else if(sec == sec_status_insecure) { 870 1.1 christos return key_entry_create_null(region, dnskey_rrset->rk.dname, 871 1.1.1.4 christos dnskey_rrset->rk.dname_len, 872 1.1 christos ntohs(dnskey_rrset->rk.rrset_class), 873 1.1.1.5 christos rrset_get_ttl(dnskey_rrset), *reason_bogus, *reason, 874 1.1.1.5 christos *env->now); 875 1.1 christos } 876 1.1 christos return key_entry_create_bad(region, dnskey_rrset->rk.dname, 877 1.1 christos dnskey_rrset->rk.dname_len, ntohs(dnskey_rrset->rk.rrset_class), 878 1.1.1.5 christos BOGUS_KEY_TTL, *reason_bogus, *reason, *env->now); 879 1.1 christos } 880 1.1 christos 881 1.1.1.4 christos int 882 1.1 christos val_dsset_isusable(struct ub_packed_rrset_key* ds_rrset) 883 1.1 christos { 884 1.1 christos size_t i; 885 1.1 christos for(i=0; i<rrset_get_count(ds_rrset); i++) { 886 1.1 christos if(ds_digest_algo_is_supported(ds_rrset, i) && 887 1.1 christos ds_key_algo_is_supported(ds_rrset, i)) 888 1.1 christos return 1; 889 1.1 christos } 890 1.1 christos if(verbosity < VERB_ALGO) 891 1.1 christos return 0; 892 1.1 christos if(rrset_get_count(ds_rrset) == 0) 893 1.1 christos verbose(VERB_ALGO, "DS is not usable"); 894 1.1 christos else { 895 1.1 christos /* report usability for the first DS RR */ 896 1.1 christos sldns_lookup_table *lt; 897 1.1 christos char herr[64], aerr[64]; 898 1.1 christos lt = sldns_lookup_by_id(sldns_hashes, 899 1.1.1.4 christos (int)ds_get_digest_algo(ds_rrset, 0)); 900 1.1 christos if(lt) snprintf(herr, sizeof(herr), "%s", lt->name); 901 1.1 christos else snprintf(herr, sizeof(herr), "%d", 902 1.1.1.4 christos (int)ds_get_digest_algo(ds_rrset, 0)); 903 1.1 christos lt = sldns_lookup_by_id(sldns_algorithms, 904 1.1.1.4 christos (int)ds_get_key_algo(ds_rrset, 0)); 905 1.1 christos if(lt) snprintf(aerr, sizeof(aerr), "%s", lt->name); 906 1.1 christos else snprintf(aerr, sizeof(aerr), "%d", 907 1.1.1.4 christos (int)ds_get_key_algo(ds_rrset, 0)); 908 1.1.1.4 christos 909 1.1 christos verbose(VERB_ALGO, "DS unsupported, hash %s %s, " 910 1.1 christos "key algorithm %s %s", herr, 911 1.1 christos (ds_digest_algo_is_supported(ds_rrset, 0)? 912 1.1 christos "(supported)":"(unsupported)"), aerr, 913 1.1 christos (ds_key_algo_is_supported(ds_rrset, 0)? 914 1.1 christos "(supported)":"(unsupported)")); 915 1.1 christos } 916 1.1 christos return 0; 917 1.1 christos } 918 1.1 christos 919 1.1 christos /** get label count for a signature */ 920 1.1 christos static uint8_t 921 1.1 christos rrsig_get_labcount(struct packed_rrset_data* d, size_t sig) 922 1.1 christos { 923 1.1 christos if(d->rr_len[sig] < 2+4) 924 1.1 christos return 0; /* bad sig length */ 925 1.1 christos return d->rr_data[sig][2+3]; 926 1.1 christos } 927 1.1 christos 928 1.1 christos int 929 1.1.1.3 christos val_rrset_wildcard(struct ub_packed_rrset_key* rrset, uint8_t** wc, 930 1.1.1.3 christos size_t* wc_len) 931 1.1 christos { 932 1.1 christos struct packed_rrset_data* d = (struct packed_rrset_data*)rrset-> 933 1.1 christos entry.data; 934 1.1 christos uint8_t labcount; 935 1.1 christos int labdiff; 936 1.1 christos uint8_t* wn; 937 1.1 christos size_t i, wl; 938 1.1 christos if(d->rrsig_count == 0) { 939 1.1 christos return 1; 940 1.1 christos } 941 1.1 christos labcount = rrsig_get_labcount(d, d->count + 0); 942 1.1 christos /* check rest of signatures identical */ 943 1.1 christos for(i=1; i<d->rrsig_count; i++) { 944 1.1 christos if(labcount != rrsig_get_labcount(d, d->count + i)) { 945 1.1 christos return 0; 946 1.1 christos } 947 1.1 christos } 948 1.1 christos /* OK the rrsigs check out */ 949 1.1 christos /* if the RRSIG label count is shorter than the number of actual 950 1.1 christos * labels, then this rrset was synthesized from a wildcard. 951 1.1 christos * Note that the RRSIG label count doesn't count the root label. */ 952 1.1 christos wn = rrset->rk.dname; 953 1.1 christos wl = rrset->rk.dname_len; 954 1.1 christos /* skip a leading wildcard label in the dname (RFC4035 2.2) */ 955 1.1 christos if(dname_is_wild(wn)) { 956 1.1 christos wn += 2; 957 1.1 christos wl -= 2; 958 1.1 christos } 959 1.1 christos labdiff = (dname_count_labels(wn) - 1) - (int)labcount; 960 1.1 christos if(labdiff > 0) { 961 1.1 christos *wc = wn; 962 1.1 christos dname_remove_labels(wc, &wl, labdiff); 963 1.1.1.3 christos *wc_len = wl; 964 1.1 christos return 1; 965 1.1 christos } 966 1.1 christos return 1; 967 1.1 christos } 968 1.1 christos 969 1.1 christos int 970 1.1 christos val_chase_cname(struct query_info* qchase, struct reply_info* rep, 971 1.1 christos size_t* cname_skip) { 972 1.1 christos size_t i; 973 1.1 christos /* skip any DNAMEs, go to the CNAME for next part */ 974 1.1 christos for(i = *cname_skip; i < rep->an_numrrsets; i++) { 975 1.1 christos if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_CNAME && 976 1.1 christos query_dname_compare(qchase->qname, rep->rrsets[i]-> 977 1.1 christos rk.dname) == 0) { 978 1.1 christos qchase->qname = NULL; 979 1.1 christos get_cname_target(rep->rrsets[i], &qchase->qname, 980 1.1 christos &qchase->qname_len); 981 1.1 christos if(!qchase->qname) 982 1.1 christos return 0; /* bad CNAME rdata */ 983 1.1 christos (*cname_skip) = i+1; 984 1.1 christos return 1; 985 1.1 christos } 986 1.1 christos } 987 1.1 christos return 0; /* CNAME classified but no matching CNAME ?! */ 988 1.1 christos } 989 1.1 christos 990 1.1 christos /** see if rrset has signer name as one of the rrsig signers */ 991 1.1 christos static int 992 1.1 christos rrset_has_signer(struct ub_packed_rrset_key* rrset, uint8_t* name, size_t len) 993 1.1 christos { 994 1.1 christos struct packed_rrset_data* d = (struct packed_rrset_data*)rrset-> 995 1.1 christos entry.data; 996 1.1 christos size_t i; 997 1.1 christos for(i = d->count; i< d->count+d->rrsig_count; i++) { 998 1.1 christos if(d->rr_len[i] > 2+18+len) { 999 1.1 christos /* at least rdatalen + signature + signame (+1 sig)*/ 1000 1.1 christos if(!dname_valid(d->rr_data[i]+2+18, d->rr_len[i]-2-18)) 1001 1.1 christos continue; 1002 1.1 christos if(query_dname_compare(name, d->rr_data[i]+2+18) == 0) 1003 1.1 christos { 1004 1.1 christos return 1; 1005 1.1 christos } 1006 1.1 christos } 1007 1.1 christos } 1008 1.1 christos return 0; 1009 1.1 christos } 1010 1.1 christos 1011 1.1 christos void 1012 1.1 christos val_fill_reply(struct reply_info* chase, struct reply_info* orig, 1013 1.1 christos size_t skip, uint8_t* name, size_t len, uint8_t* signer) 1014 1.1 christos { 1015 1.1.1.6 christos size_t i, j; 1016 1.1 christos int seen_dname = 0; 1017 1.1 christos chase->rrset_count = 0; 1018 1.1 christos chase->an_numrrsets = 0; 1019 1.1 christos chase->ns_numrrsets = 0; 1020 1.1 christos chase->ar_numrrsets = 0; 1021 1.1 christos /* ANSWER section */ 1022 1.1 christos for(i=skip; i<orig->an_numrrsets; i++) { 1023 1.1 christos if(!signer) { 1024 1.1 christos if(query_dname_compare(name, 1025 1.1 christos orig->rrsets[i]->rk.dname) == 0) 1026 1.1 christos chase->rrsets[chase->an_numrrsets++] = 1027 1.1 christos orig->rrsets[i]; 1028 1.1 christos } else if(seen_dname && ntohs(orig->rrsets[i]->rk.type) == 1029 1.1 christos LDNS_RR_TYPE_CNAME) { 1030 1.1 christos chase->rrsets[chase->an_numrrsets++] = orig->rrsets[i]; 1031 1.1 christos seen_dname = 0; 1032 1.1 christos } else if(rrset_has_signer(orig->rrsets[i], name, len)) { 1033 1.1 christos chase->rrsets[chase->an_numrrsets++] = orig->rrsets[i]; 1034 1.1 christos if(ntohs(orig->rrsets[i]->rk.type) == 1035 1.1 christos LDNS_RR_TYPE_DNAME) { 1036 1.1 christos seen_dname = 1; 1037 1.1 christos } 1038 1.1.1.6 christos } else if(ntohs(orig->rrsets[i]->rk.type) == LDNS_RR_TYPE_CNAME 1039 1.1.1.6 christos && ((struct packed_rrset_data*)orig->rrsets[i]-> 1040 1.1.1.6 christos entry.data)->rrsig_count == 0 && 1041 1.1.1.6 christos cname_under_previous_dname(orig, i, &j) && 1042 1.1.1.6 christos rrset_has_signer(orig->rrsets[j], name, len)) { 1043 1.1.1.6 christos chase->rrsets[chase->an_numrrsets++] = orig->rrsets[j]; 1044 1.1.1.6 christos chase->rrsets[chase->an_numrrsets++] = orig->rrsets[i]; 1045 1.1 christos } 1046 1.1.1.6 christos } 1047 1.1 christos /* AUTHORITY section */ 1048 1.1 christos for(i = (skip > orig->an_numrrsets)?skip:orig->an_numrrsets; 1049 1.1 christos i<orig->an_numrrsets+orig->ns_numrrsets; 1050 1.1 christos i++) { 1051 1.1 christos if(!signer) { 1052 1.1 christos if(query_dname_compare(name, 1053 1.1 christos orig->rrsets[i]->rk.dname) == 0) 1054 1.1 christos chase->rrsets[chase->an_numrrsets+ 1055 1.1 christos chase->ns_numrrsets++] = orig->rrsets[i]; 1056 1.1 christos } else if(rrset_has_signer(orig->rrsets[i], name, len)) { 1057 1.1 christos chase->rrsets[chase->an_numrrsets+ 1058 1.1 christos chase->ns_numrrsets++] = orig->rrsets[i]; 1059 1.1 christos } 1060 1.1 christos } 1061 1.1 christos /* ADDITIONAL section */ 1062 1.1 christos for(i= (skip>orig->an_numrrsets+orig->ns_numrrsets)? 1063 1.1 christos skip:orig->an_numrrsets+orig->ns_numrrsets; 1064 1.1 christos i<orig->rrset_count; i++) { 1065 1.1 christos if(!signer) { 1066 1.1 christos if(query_dname_compare(name, 1067 1.1 christos orig->rrsets[i]->rk.dname) == 0) 1068 1.1 christos chase->rrsets[chase->an_numrrsets 1069 1.1 christos +orig->ns_numrrsets+chase->ar_numrrsets++] 1070 1.1 christos = orig->rrsets[i]; 1071 1.1 christos } else if(rrset_has_signer(orig->rrsets[i], name, len)) { 1072 1.1 christos chase->rrsets[chase->an_numrrsets+orig->ns_numrrsets+ 1073 1.1 christos chase->ar_numrrsets++] = orig->rrsets[i]; 1074 1.1 christos } 1075 1.1 christos } 1076 1.1 christos chase->rrset_count = chase->an_numrrsets + chase->ns_numrrsets + 1077 1.1 christos chase->ar_numrrsets; 1078 1.1 christos } 1079 1.1 christos 1080 1.1 christos void val_reply_remove_auth(struct reply_info* rep, size_t index) 1081 1.1 christos { 1082 1.1 christos log_assert(index < rep->rrset_count); 1083 1.1 christos log_assert(index >= rep->an_numrrsets); 1084 1.1 christos log_assert(index < rep->an_numrrsets+rep->ns_numrrsets); 1085 1.1 christos memmove(rep->rrsets+index, rep->rrsets+index+1, 1086 1.1 christos sizeof(struct ub_packed_rrset_key*)* 1087 1.1 christos (rep->rrset_count - index - 1)); 1088 1.1 christos rep->ns_numrrsets--; 1089 1.1 christos rep->rrset_count--; 1090 1.1 christos } 1091 1.1 christos 1092 1.1 christos void 1093 1.1.1.2 christos val_check_nonsecure(struct module_env* env, struct reply_info* rep) 1094 1.1 christos { 1095 1.1 christos size_t i; 1096 1.1 christos /* authority */ 1097 1.1 christos for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++) { 1098 1.1 christos if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data) 1099 1.1 christos ->security != sec_status_secure) { 1100 1.1 christos /* because we want to return the authentic original 1101 1.1 christos * message when presented with CD-flagged queries, 1102 1.1 christos * we need to preserve AUTHORITY section data. 1103 1.1 christos * However, this rrset is not signed or signed 1104 1.1 christos * with the wrong keys. Validation has tried to 1105 1.1 christos * verify this rrset with the keysets of import. 1106 1.1 christos * But this rrset did not verify. 1107 1.1 christos * Therefore the message is bogus. 1108 1.1 christos */ 1109 1.1 christos 1110 1.1.1.2 christos /* check if authority has an NS record 1111 1.1 christos * which is bad, and there is an answer section with 1112 1.1 christos * data. In that case, delete NS and additional to 1113 1.1 christos * be lenient and make a minimal response */ 1114 1.1.1.2 christos if(rep->an_numrrsets != 0 && 1115 1.1 christos ntohs(rep->rrsets[i]->rk.type) 1116 1.1 christos == LDNS_RR_TYPE_NS) { 1117 1.1 christos verbose(VERB_ALGO, "truncate to minimal"); 1118 1.1 christos rep->ar_numrrsets = 0; 1119 1.1.1.2 christos rep->rrset_count = rep->an_numrrsets + 1120 1.1.1.2 christos rep->ns_numrrsets; 1121 1.1.1.2 christos /* remove this unneeded authority rrset */ 1122 1.1.1.2 christos memmove(rep->rrsets+i, rep->rrsets+i+1, 1123 1.1.1.2 christos sizeof(struct ub_packed_rrset_key*)* 1124 1.1.1.2 christos (rep->rrset_count - i - 1)); 1125 1.1.1.2 christos rep->ns_numrrsets--; 1126 1.1.1.2 christos rep->rrset_count--; 1127 1.1.1.2 christos i--; 1128 1.1 christos return; 1129 1.1 christos } 1130 1.1 christos 1131 1.1 christos log_nametypeclass(VERB_QUERY, "message is bogus, " 1132 1.1 christos "non secure rrset", 1133 1.1 christos rep->rrsets[i]->rk.dname, 1134 1.1 christos ntohs(rep->rrsets[i]->rk.type), 1135 1.1 christos ntohs(rep->rrsets[i]->rk.rrset_class)); 1136 1.1 christos rep->security = sec_status_bogus; 1137 1.1 christos return; 1138 1.1 christos } 1139 1.1 christos } 1140 1.1 christos /* additional */ 1141 1.1.1.2 christos if(!env->cfg->val_clean_additional) 1142 1.1 christos return; 1143 1.1 christos for(i=rep->an_numrrsets+rep->ns_numrrsets; i<rep->rrset_count; i++) { 1144 1.1 christos if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data) 1145 1.1 christos ->security != sec_status_secure) { 1146 1.1 christos /* This does not cause message invalidation. It was 1147 1.1 christos * simply unsigned data in the additional. The 1148 1.1 christos * RRSIG must have been truncated off the message. 1149 1.1 christos * 1150 1.1 christos * However, we do not want to return possible bogus 1151 1.1 christos * data to clients that rely on this service for 1152 1.1 christos * their authentication. 1153 1.1 christos */ 1154 1.1 christos /* remove this unneeded additional rrset */ 1155 1.1 christos memmove(rep->rrsets+i, rep->rrsets+i+1, 1156 1.1 christos sizeof(struct ub_packed_rrset_key*)* 1157 1.1 christos (rep->rrset_count - i - 1)); 1158 1.1 christos rep->ar_numrrsets--; 1159 1.1 christos rep->rrset_count--; 1160 1.1 christos i--; 1161 1.1 christos } 1162 1.1 christos } 1163 1.1 christos } 1164 1.1 christos 1165 1.1 christos /** check no anchor and unlock */ 1166 1.1 christos static int 1167 1.1 christos check_no_anchor(struct val_anchors* anchors, uint8_t* nm, size_t l, uint16_t c) 1168 1.1 christos { 1169 1.1 christos struct trust_anchor* ta; 1170 1.1 christos if((ta=anchors_lookup(anchors, nm, l, c))) { 1171 1.1 christos lock_basic_unlock(&ta->lock); 1172 1.1 christos } 1173 1.1 christos return !ta; 1174 1.1 christos } 1175 1.1 christos 1176 1.1 christos void 1177 1.1 christos val_mark_indeterminate(struct reply_info* rep, struct val_anchors* anchors, 1178 1.1 christos struct rrset_cache* r, struct module_env* env) 1179 1.1 christos { 1180 1.1 christos size_t i; 1181 1.1 christos struct packed_rrset_data* d; 1182 1.1 christos for(i=0; i<rep->rrset_count; i++) { 1183 1.1 christos d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data; 1184 1.1 christos if(d->security == sec_status_unchecked && 1185 1.1 christos check_no_anchor(anchors, rep->rrsets[i]->rk.dname, 1186 1.1 christos rep->rrsets[i]->rk.dname_len, 1187 1.1 christos ntohs(rep->rrsets[i]->rk.rrset_class))) 1188 1.1 christos { 1189 1.1 christos /* mark as indeterminate */ 1190 1.1 christos d->security = sec_status_indeterminate; 1191 1.1 christos rrset_update_sec_status(r, rep->rrsets[i], *env->now); 1192 1.1 christos } 1193 1.1 christos } 1194 1.1 christos } 1195 1.1 christos 1196 1.1 christos void 1197 1.1 christos val_mark_insecure(struct reply_info* rep, uint8_t* kname, 1198 1.1 christos struct rrset_cache* r, struct module_env* env) 1199 1.1 christos { 1200 1.1 christos size_t i; 1201 1.1 christos struct packed_rrset_data* d; 1202 1.1 christos for(i=0; i<rep->rrset_count; i++) { 1203 1.1 christos d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data; 1204 1.1 christos if(d->security == sec_status_unchecked && 1205 1.1 christos dname_subdomain_c(rep->rrsets[i]->rk.dname, kname)) { 1206 1.1 christos /* mark as insecure */ 1207 1.1 christos d->security = sec_status_insecure; 1208 1.1 christos rrset_update_sec_status(r, rep->rrsets[i], *env->now); 1209 1.1 christos } 1210 1.1 christos } 1211 1.1 christos } 1212 1.1 christos 1213 1.1 christos size_t 1214 1.1 christos val_next_unchecked(struct reply_info* rep, size_t skip) 1215 1.1 christos { 1216 1.1 christos size_t i; 1217 1.1 christos struct packed_rrset_data* d; 1218 1.1 christos for(i=skip+1; i<rep->rrset_count; i++) { 1219 1.1 christos d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data; 1220 1.1 christos if(d->security == sec_status_unchecked) { 1221 1.1 christos return i; 1222 1.1 christos } 1223 1.1 christos } 1224 1.1 christos return rep->rrset_count; 1225 1.1 christos } 1226 1.1 christos 1227 1.1 christos const char* 1228 1.1 christos val_classification_to_string(enum val_classification subtype) 1229 1.1 christos { 1230 1.1 christos switch(subtype) { 1231 1.1 christos case VAL_CLASS_UNTYPED: return "untyped"; 1232 1.1 christos case VAL_CLASS_UNKNOWN: return "unknown"; 1233 1.1 christos case VAL_CLASS_POSITIVE: return "positive"; 1234 1.1 christos case VAL_CLASS_CNAME: return "cname"; 1235 1.1 christos case VAL_CLASS_NODATA: return "nodata"; 1236 1.1 christos case VAL_CLASS_NAMEERROR: return "nameerror"; 1237 1.1 christos case VAL_CLASS_CNAMENOANSWER: return "cnamenoanswer"; 1238 1.1 christos case VAL_CLASS_REFERRAL: return "referral"; 1239 1.1 christos case VAL_CLASS_ANY: return "qtype_any"; 1240 1.1 christos default: 1241 1.1 christos return "bad_val_classification"; 1242 1.1 christos } 1243 1.1 christos } 1244 1.1 christos 1245 1.1 christos /** log a sock_list entry */ 1246 1.1 christos static void 1247 1.1 christos sock_list_logentry(enum verbosity_value v, const char* s, struct sock_list* p) 1248 1.1 christos { 1249 1.1 christos if(p->len) 1250 1.1 christos log_addr(v, s, &p->addr, p->len); 1251 1.1 christos else verbose(v, "%s cache", s); 1252 1.1 christos } 1253 1.1 christos 1254 1.1 christos void val_blacklist(struct sock_list** blacklist, struct regional* region, 1255 1.1 christos struct sock_list* origin, int cross) 1256 1.1 christos { 1257 1.1 christos /* debug printout */ 1258 1.1 christos if(verbosity >= VERB_ALGO) { 1259 1.1 christos struct sock_list* p; 1260 1.1 christos for(p=*blacklist; p; p=p->next) 1261 1.1 christos sock_list_logentry(VERB_ALGO, "blacklist", p); 1262 1.1 christos if(!origin) 1263 1.1 christos verbose(VERB_ALGO, "blacklist add: cache"); 1264 1.1 christos for(p=origin; p; p=p->next) 1265 1.1 christos sock_list_logentry(VERB_ALGO, "blacklist add", p); 1266 1.1 christos } 1267 1.1 christos /* blacklist the IPs or the cache */ 1268 1.1 christos if(!origin) { 1269 1.1 christos /* only add if nothing there. anything else also stops cache*/ 1270 1.1 christos if(!*blacklist) 1271 1.1 christos sock_list_insert(blacklist, NULL, 0, region); 1272 1.1 christos } else if(!cross) 1273 1.1 christos sock_list_prepend(blacklist, origin); 1274 1.1 christos else sock_list_merge(blacklist, region, origin); 1275 1.1 christos } 1276 1.1 christos 1277 1.1 christos int val_has_signed_nsecs(struct reply_info* rep, char** reason) 1278 1.1 christos { 1279 1.1 christos size_t i, num_nsec = 0, num_nsec3 = 0; 1280 1.1 christos struct packed_rrset_data* d; 1281 1.1 christos for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++) { 1282 1.1 christos if(rep->rrsets[i]->rk.type == htons(LDNS_RR_TYPE_NSEC)) 1283 1.1 christos num_nsec++; 1284 1.1 christos else if(rep->rrsets[i]->rk.type == htons(LDNS_RR_TYPE_NSEC3)) 1285 1.1 christos num_nsec3++; 1286 1.1 christos else continue; 1287 1.1 christos d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data; 1288 1.1 christos if(d && d->rrsig_count != 0) { 1289 1.1 christos return 1; 1290 1.1 christos } 1291 1.1 christos } 1292 1.1 christos if(num_nsec == 0 && num_nsec3 == 0) 1293 1.1 christos *reason = "no DNSSEC records"; 1294 1.1 christos else if(num_nsec != 0) 1295 1.1 christos *reason = "no signatures over NSECs"; 1296 1.1 christos else *reason = "no signatures over NSEC3s"; 1297 1.1 christos return 0; 1298 1.1 christos } 1299 1.1 christos 1300 1.1 christos struct dns_msg* 1301 1.1 christos val_find_DS(struct module_env* env, uint8_t* nm, size_t nmlen, uint16_t c, 1302 1.1 christos struct regional* region, uint8_t* topname) 1303 1.1 christos { 1304 1.1 christos struct dns_msg* msg; 1305 1.1 christos struct query_info qinfo; 1306 1.1 christos struct ub_packed_rrset_key *rrset = rrset_cache_lookup( 1307 1.1 christos env->rrset_cache, nm, nmlen, LDNS_RR_TYPE_DS, c, 0, 1308 1.1 christos *env->now, 0); 1309 1.1 christos if(rrset) { 1310 1.1 christos /* DS rrset exists. Return it to the validator immediately*/ 1311 1.1 christos struct ub_packed_rrset_key* copy = packed_rrset_copy_region( 1312 1.1 christos rrset, region, *env->now); 1313 1.1 christos lock_rw_unlock(&rrset->entry.lock); 1314 1.1 christos if(!copy) 1315 1.1 christos return NULL; 1316 1.1 christos msg = dns_msg_create(nm, nmlen, LDNS_RR_TYPE_DS, c, region, 1); 1317 1.1 christos if(!msg) 1318 1.1 christos return NULL; 1319 1.1 christos msg->rep->rrsets[0] = copy; 1320 1.1 christos msg->rep->rrset_count++; 1321 1.1 christos msg->rep->an_numrrsets++; 1322 1.1 christos return msg; 1323 1.1 christos } 1324 1.1 christos /* lookup in rrset and negative cache for NSEC/NSEC3 */ 1325 1.1 christos qinfo.qname = nm; 1326 1.1 christos qinfo.qname_len = nmlen; 1327 1.1 christos qinfo.qtype = LDNS_RR_TYPE_DS; 1328 1.1 christos qinfo.qclass = c; 1329 1.1.1.2 christos qinfo.local_alias = NULL; 1330 1.1 christos /* do not add SOA to reply message, it is going to be used internal */ 1331 1.1 christos msg = val_neg_getmsg(env->neg_cache, &qinfo, region, env->rrset_cache, 1332 1.1.1.3 christos env->scratch_buffer, *env->now, 0, topname, env->cfg); 1333 1.1 christos return msg; 1334 1.1 christos } 1335
Indexes created Sun Mar 01 05:31:48 UTC 2026