xref: /freebsd/contrib/unbound/validator/val_nsec.c (revision 608da65de9552d5678c1000776ed69da04a45983)
1 /*
2  * validator/val_nsec.c - validator NSEC denial of existence functions.
3  *
4  * Copyright (c) 2007, NLnet Labs. All rights reserved.
5  *
6  * This software is open source.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * Redistributions of source code must retain the above copyright notice,
13  * this list of conditions and the following disclaimer.
14  *
15  * Redistributions in binary form must reproduce the above copyright notice,
16  * this list of conditions and the following disclaimer in the documentation
17  * and/or other materials provided with the distribution.
18  *
19  * Neither the name of the NLNET LABS nor the names of its contributors may
20  * be used to endorse or promote products derived from this software without
21  * specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 /**
37  * \file
38  *
39  * This file contains helper functions for the validator module.
40  * The functions help with NSEC checking, the different NSEC proofs
41  * for denial of existence, and proofs for presence of types.
42  */
43 #include "config.h"
44 #include "validator/val_nsec.h"
45 #include "validator/val_utils.h"
46 #include "util/data/msgreply.h"
47 #include "util/data/dname.h"
48 #include "util/net_help.h"
49 #include "util/module.h"
50 #include "services/cache/rrset.h"
51 
52 /** get ttl of rrset */
53 static uint32_t
54 rrset_get_ttl(struct ub_packed_rrset_key* k)
55 {
56 	struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data;
57 	return d->ttl;
58 }
59 
60 int
61 nsecbitmap_has_type_rdata(uint8_t* bitmap, size_t len, uint16_t type)
62 {
63 	/* Check type present in NSEC typemap with bitmap arg */
64 	/* bitmasks for determining type-lowerbits presence */
65 	uint8_t masks[8] = {0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01};
66 	uint8_t type_window = type>>8;
67 	uint8_t type_low = type&0xff;
68 	uint8_t win, winlen;
69 	/* read each of the type bitmap windows and see if the searched
70 	 * type is amongst it */
71 	while(len > 0) {
72 		if(len < 3) /* bad window, at least window# winlen bitmap */
73 			return 0;
74 		win = *bitmap++;
75 		winlen = *bitmap++;
76 		len -= 2;
77 		if(len < winlen || winlen < 1 || winlen > 32)
78 			return 0;	/* bad window length */
79 		if(win == type_window) {
80 			/* search window bitmap for the correct byte */
81 			/* mybyte is 0 if we need the first byte */
82 			size_t mybyte = type_low>>3;
83 			if(winlen <= mybyte)
84 				return 0; /* window too short */
85 			return (int)(bitmap[mybyte] & masks[type_low&0x7]);
86 		} else {
87 			/* not the window we are looking for */
88 			bitmap += winlen;
89 			len -= winlen;
90 		}
91 	}
92 	/* end of bitmap reached, no type found */
93 	return 0;
94 }
95 
96 int
97 nsec_has_type(struct ub_packed_rrset_key* nsec, uint16_t type)
98 {
99 	struct packed_rrset_data* d = (struct packed_rrset_data*)nsec->
100 		entry.data;
101 	size_t len;
102 	if(!d || d->count == 0 || d->rr_len[0] < 2+1)
103 		return 0;
104 	len = dname_valid(d->rr_data[0]+2, d->rr_len[0]-2);
105 	if(!len)
106 		return 0;
107 	return nsecbitmap_has_type_rdata(d->rr_data[0]+2+len,
108 		d->rr_len[0]-2-len, type);
109 }
110 
111 /**
112  * Get next owner name from nsec record
113  * @param nsec: the nsec RRset.
114  *	If there are multiple RRs, then this will only return one of them.
115  * @param nm: the next name is returned.
116  * @param ln: length of nm is returned.
117  * @return false on a bad NSEC RR (too short, malformed dname).
118  */
119 static int
120 nsec_get_next(struct ub_packed_rrset_key* nsec, uint8_t** nm, size_t* ln)
121 {
122 	struct packed_rrset_data* d = (struct packed_rrset_data*)nsec->
123 		entry.data;
124 	if(!d || d->count == 0 || d->rr_len[0] < 2+1) {
125 		*nm = 0;
126 		*ln = 0;
127 		return 0;
128 	}
129 	*nm = d->rr_data[0]+2;
130 	*ln = dname_valid(*nm, d->rr_len[0]-2);
131 	if(!*ln) {
132 		*nm = 0;
133 		*ln = 0;
134 		return 0;
135 	}
136 	return 1;
137 }
138 
139 /**
140  * For an NSEC that matches the DS queried for, check absence of DS type.
141  *
142  * @param nsec: NSEC for proof, must be trusted.
143  * @param qinfo: what is queried for.
144  * @return if secure the nsec proves that no DS is present, or
145  *	insecure if it proves it is not a delegation point.
146  *	or bogus if something was wrong.
147  */
148 static enum sec_status
149 val_nsec_proves_no_ds(struct ub_packed_rrset_key* nsec,
150 	struct query_info* qinfo)
151 {
152 	log_assert(qinfo->qtype == LDNS_RR_TYPE_DS);
153 	log_assert(ntohs(nsec->rk.type) == LDNS_RR_TYPE_NSEC);
154 
155 	if(nsec_has_type(nsec, LDNS_RR_TYPE_SOA) && qinfo->qname_len != 1) {
156 		/* SOA present means that this is the NSEC from the child,
157 		 * not the parent (so it is the wrong one). */
158 		return sec_status_bogus;
159 	}
160 	if(nsec_has_type(nsec, LDNS_RR_TYPE_DS)) {
161 		/* DS present means that there should have been a positive
162 		 * response to the DS query, so there is something wrong. */
163 		return sec_status_bogus;
164 	}
165 
166 	if(!nsec_has_type(nsec, LDNS_RR_TYPE_NS)) {
167 		/* If there is no NS at this point at all, then this
168 		 * doesn't prove anything one way or the other. */
169 		return sec_status_insecure;
170 	}
171 	/* Otherwise, this proves no DS. */
172 	return sec_status_secure;
173 }
174 
175 /** check security status from cache or verify rrset, returns true if secure */
176 static int
177 nsec_verify_rrset(struct module_env* env, struct val_env* ve,
178 	struct ub_packed_rrset_key* nsec, struct key_entry_key* kkey,
179 	char** reason, sldns_ede_code* reason_bogus,
180 	struct module_qstate* qstate)
181 {
182 	struct packed_rrset_data* d = (struct packed_rrset_data*)
183 		nsec->entry.data;
184 	if(!d) return 0;
185 	if(d->security == sec_status_secure)
186 		return 1;
187 	rrset_check_sec_status(env->rrset_cache, nsec, *env->now);
188 	if(d->security == sec_status_secure)
189 		return 1;
190 	d->security = val_verify_rrset_entry(env, ve, nsec, kkey, reason,
191 		reason_bogus, LDNS_SECTION_AUTHORITY, qstate);
192 	if(d->security == sec_status_secure) {
193 		rrset_update_sec_status(env->rrset_cache, nsec, *env->now);
194 		return 1;
195 	}
196 	return 0;
197 }
198 
199 enum sec_status
200 val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
201 	struct query_info* qinfo, struct reply_info* rep,
202 	struct key_entry_key* kkey, time_t* proof_ttl, char** reason,
203 	sldns_ede_code* reason_bogus, struct module_qstate* qstate)
204 {
205 	struct ub_packed_rrset_key* nsec = reply_find_rrset_section_ns(
206 		rep, qinfo->qname, qinfo->qname_len, LDNS_RR_TYPE_NSEC,
207 		qinfo->qclass);
208 	enum sec_status sec;
209 	size_t i;
210 	uint8_t* wc = NULL, *ce = NULL;
211 	int valid_nsec = 0;
212 	struct ub_packed_rrset_key* wc_nsec = NULL;
213 
214 	/* If we have a NSEC at the same name, it must prove one
215 	 * of two things
216 	 * --
217 	 * 1) this is a delegation point and there is no DS
218 	 * 2) this is not a delegation point */
219 	if(nsec) {
220 		if(!nsec_verify_rrset(env, ve, nsec, kkey, reason,
221 			reason_bogus, qstate)) {
222 			verbose(VERB_ALGO, "NSEC RRset for the "
223 				"referral did not verify.");
224 			return sec_status_bogus;
225 		}
226 		sec = val_nsec_proves_no_ds(nsec, qinfo);
227 		if(sec == sec_status_bogus) {
228 			/* something was wrong. */
229 			*reason = "NSEC does not prove absence of DS";
230 			*reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
231 			return sec;
232 		} else if(sec == sec_status_insecure) {
233 			/* this wasn't a delegation point. */
234 			return sec;
235 		} else if(sec == sec_status_secure) {
236 			/* this proved no DS. */
237 			*proof_ttl = ub_packed_rrset_ttl(nsec);
238 			return sec;
239 		}
240 		/* if unchecked, fall through to next proof */
241 	}
242 
243 	/* Otherwise, there is no NSEC at qname. This could be an ENT.
244 	 * (ENT=empty non terminal). If not, this is broken. */
245 
246 	/* verify NSEC rrsets in auth section */
247 	for(i=rep->an_numrrsets; i < rep->an_numrrsets+rep->ns_numrrsets;
248 		i++) {
249 		if(rep->rrsets[i]->rk.type != htons(LDNS_RR_TYPE_NSEC))
250 			continue;
251 		if(!nsec_verify_rrset(env, ve, rep->rrsets[i], kkey, reason,
252 			reason_bogus, qstate)) {
253 			verbose(VERB_ALGO, "NSEC for empty non-terminal "
254 				"did not verify.");
255 			*reason = "NSEC for empty non-terminal "
256 				"did not verify.";
257 			return sec_status_bogus;
258 		}
259 		if(nsec_proves_nodata(rep->rrsets[i], qinfo, &wc)) {
260 			verbose(VERB_ALGO, "NSEC for empty non-terminal "
261 				"proved no DS.");
262 			*proof_ttl = rrset_get_ttl(rep->rrsets[i]);
263 			if(wc && dname_is_wild(rep->rrsets[i]->rk.dname))
264 				wc_nsec = rep->rrsets[i];
265 			valid_nsec = 1;
266 		}
267 		if(val_nsec_proves_name_error(rep->rrsets[i], qinfo->qname)) {
268 			ce = nsec_closest_encloser(qinfo->qname,
269 				rep->rrsets[i]);
270 		}
271 	}
272 	if(wc && !ce)
273 		valid_nsec = 0;
274 	else if(wc && ce) {
275 		/* ce and wc must match */
276 		if(query_dname_compare(wc, ce) != 0)
277 			valid_nsec = 0;
278 		else if(!wc_nsec)
279 			valid_nsec = 0;
280 	}
281 	if(valid_nsec) {
282 		if(wc) {
283 			/* check if this is a delegation */
284 			*reason = "NSEC for wildcard does not prove absence of DS";
285 			return val_nsec_proves_no_ds(wc_nsec, qinfo);
286 		}
287 		/* valid nsec proves empty nonterminal */
288 		return sec_status_insecure;
289 	}
290 
291 	/* NSEC proof did not conclusively point to DS or no DS */
292 	return sec_status_unchecked;
293 }
294 
295 int nsec_proves_nodata(struct ub_packed_rrset_key* nsec,
296 	struct query_info* qinfo, uint8_t** wc)
297 {
298 	log_assert(wc);
299 	if(query_dname_compare(nsec->rk.dname, qinfo->qname) != 0) {
300 		uint8_t* nm;
301 		size_t ln;
302 
303 		/* empty-non-terminal checking.
304 		 * Done before wildcard, because this is an exact match,
305 		 * and would prevent a wildcard from matching. */
306 
307 		/* If the nsec is proving that qname is an ENT, the nsec owner
308 		 * will be less than qname, and the next name will be a child
309 		 * domain of the qname. */
310 		if(!nsec_get_next(nsec, &nm, &ln))
311 			return 0; /* bad nsec */
312 		if(dname_strict_subdomain_c(nm, qinfo->qname) &&
313 			dname_canonical_compare(nsec->rk.dname,
314 				qinfo->qname) < 0) {
315 			return 1; /* proves ENT */
316 		}
317 
318 		/* wildcard checking. */
319 
320 		/* If this is a wildcard NSEC, make sure that a) it was
321 		 * possible to have generated qname from the wildcard and
322 		 * b) the type map does not contain qtype. Note that this
323 		 * does NOT prove that this wildcard was the applicable
324 		 * wildcard. */
325 		if(dname_is_wild(nsec->rk.dname)) {
326 			/* the purported closest encloser. */
327 			uint8_t* ce = nsec->rk.dname;
328 			size_t ce_len = nsec->rk.dname_len;
329 			dname_remove_label(&ce, &ce_len);
330 
331 			/* The qname must be a strict subdomain of the
332 			 * closest encloser, for the wildcard to apply
333 			 */
334 			if(dname_strict_subdomain_c(qinfo->qname, ce)) {
335 				/* here we have a matching NSEC for the qname,
336 				 * perform matching NSEC checks */
337 				if(nsec_has_type(nsec, LDNS_RR_TYPE_CNAME)) {
338 				   /* should have gotten the wildcard CNAME */
339 					return 0;
340 				}
341 				if(nsec_has_type(nsec, LDNS_RR_TYPE_NS) &&
342 				   !nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) {
343 				   /* wrong parentside (wildcard) NSEC used */
344 					return 0;
345 				}
346 				if(nsec_has_type(nsec, qinfo->qtype)) {
347 					return 0;
348 				}
349 				*wc = ce;
350 				return 1;
351 			}
352 		} else {
353 			/* See if the next owner name covers a wildcard
354 			 * empty non-terminal. */
355 			while (dname_canonical_compare(nsec->rk.dname, nm) < 0) {
356 				/* wildcard does not apply if qname below
357 				 * the name that exists under the '*' */
358 				if (dname_subdomain_c(qinfo->qname, nm))
359 					break;
360 				/* but if it is a wildcard and qname is below
361 				 * it, then the wildcard applies. The wildcard
362 				 * is an empty nonterminal. nodata proven. */
363 				if (dname_is_wild(nm)) {
364 					size_t ce_len = ln;
365 					uint8_t* ce = nm;
366 					dname_remove_label(&ce, &ce_len);
367 					if(dname_strict_subdomain_c(qinfo->qname, ce)) {
368 						*wc = ce;
369 						return 1;
370 					}
371 				}
372 				dname_remove_label(&nm, &ln);
373 			}
374 		}
375 
376 		/* Otherwise, this NSEC does not prove ENT and is not a
377 		 * wildcard, so it does not prove NODATA. */
378 		return 0;
379 	}
380 
381 	/* If the qtype exists, then we should have gotten it. */
382 	if(nsec_has_type(nsec, qinfo->qtype)) {
383 		return 0;
384 	}
385 
386 	/* if the name is a CNAME node, then we should have gotten the CNAME*/
387 	if(nsec_has_type(nsec, LDNS_RR_TYPE_CNAME)) {
388 		return 0;
389 	}
390 
391 	/* If an NS set exists at this name, and NOT a SOA (so this is a
392 	 * zone cut, not a zone apex), then we should have gotten a
393 	 * referral (or we just got the wrong NSEC).
394 	 * The reverse of this check is used when qtype is DS, since that
395 	 * must use the NSEC from above the zone cut. */
396 	if(qinfo->qtype != LDNS_RR_TYPE_DS &&
397 		nsec_has_type(nsec, LDNS_RR_TYPE_NS) &&
398 		!nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) {
399 		return 0;
400 	} else if(qinfo->qtype == LDNS_RR_TYPE_DS &&
401 		nsec_has_type(nsec, LDNS_RR_TYPE_SOA) &&
402 		!dname_is_root(qinfo->qname)) {
403 		return 0;
404 	}
405 
406 	return 1;
407 }
408 
409 int
410 val_nsec_proves_name_error(struct ub_packed_rrset_key* nsec, uint8_t* qname)
411 {
412 	uint8_t* owner = nsec->rk.dname;
413 	uint8_t* next;
414 	size_t nlen;
415 	if(!nsec_get_next(nsec, &next, &nlen))
416 		return 0;
417 
418 	/* If NSEC owner == qname, then this NSEC proves that qname exists. */
419 	if(query_dname_compare(qname, owner) == 0) {
420 		return 0;
421 	}
422 
423 	/* If NSEC is a parent of qname, we need to check the type map
424 	 * If the parent name has a DNAME or is a delegation point, then
425 	 * this NSEC is being misused. */
426 	if(dname_subdomain_c(qname, owner) &&
427 		(nsec_has_type(nsec, LDNS_RR_TYPE_DNAME) ||
428 		(nsec_has_type(nsec, LDNS_RR_TYPE_NS)
429 			&& !nsec_has_type(nsec, LDNS_RR_TYPE_SOA))
430 		)) {
431 		return 0;
432 	}
433 
434 	if(query_dname_compare(owner, next) == 0) {
435 		/* this nsec is the only nsec */
436 		/* zone.name NSEC zone.name, disproves everything else */
437 		/* but only for subdomains of that zone */
438 		if(dname_strict_subdomain_c(qname, next))
439 			return 1;
440 	}
441 	else if(dname_canonical_compare(owner, next) > 0) {
442 		/* this is the last nsec, ....(bigger) NSEC zonename(smaller) */
443 		/* the names after the last (owner) name do not exist
444 		 * there are no names before the zone name in the zone
445 		 * but the qname must be a subdomain of the zone name(next). */
446 		if(dname_canonical_compare(owner, qname) < 0 &&
447 			dname_strict_subdomain_c(qname, next))
448 			return 1;
449 	} else {
450 		/* regular NSEC, (smaller) NSEC (larger) */
451 		if(dname_canonical_compare(owner, qname) < 0 &&
452 		   dname_canonical_compare(qname, next) < 0) {
453 			return 1;
454 		}
455 	}
456 	return 0;
457 }
458 
459 int val_nsec_proves_insecuredelegation(struct ub_packed_rrset_key* nsec,
460 	struct query_info* qinfo)
461 {
462 	if(nsec_has_type(nsec, LDNS_RR_TYPE_NS) &&
463 		!nsec_has_type(nsec, LDNS_RR_TYPE_DS) &&
464 		!nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) {
465 		/* see if nsec signals an insecure delegation */
466 		if(qinfo->qtype == LDNS_RR_TYPE_DS) {
467 			/* if type is DS and qname is equal to nsec, then it
468 			 * is an exact match nsec, result not insecure */
469 			if(dname_strict_subdomain_c(qinfo->qname,
470 				nsec->rk.dname))
471 				return 1;
472 		} else {
473 			if(dname_subdomain_c(qinfo->qname, nsec->rk.dname))
474 				return 1;
475 		}
476 	}
477 	return 0;
478 }
479 
480 uint8_t*
481 nsec_closest_encloser(uint8_t* qname, struct ub_packed_rrset_key* nsec)
482 {
483 	uint8_t* next;
484 	size_t nlen;
485 	uint8_t* common1, *common2;
486 	if(!nsec_get_next(nsec, &next, &nlen))
487 		return NULL;
488 	/* longest common with owner or next name */
489 	common1 = dname_get_shared_topdomain(nsec->rk.dname, qname);
490 	common2 = dname_get_shared_topdomain(next, qname);
491 	if(dname_count_labels(common1) > dname_count_labels(common2))
492 		return common1;
493 	return common2;
494 }
495 
496 int val_nsec_proves_positive_wildcard(struct ub_packed_rrset_key* nsec,
497 	struct query_info* qinf, uint8_t* wc)
498 {
499 	uint8_t* ce;
500 	/*  1) prove that qname doesn't exist and
501 	 *  2) that the correct wildcard was used
502 	 *  nsec has been verified already. */
503 	if(!val_nsec_proves_name_error(nsec, qinf->qname))
504 		return 0;
505 	/* check wildcard name */
506 	ce = nsec_closest_encloser(qinf->qname, nsec);
507 	if(!ce)
508 		return 0;
509 	if(query_dname_compare(wc, ce) != 0) {
510 		return 0;
511 	}
512 	return 1;
513 }
514 
515 int
516 val_nsec_proves_no_wc(struct ub_packed_rrset_key* nsec, uint8_t* qname,
517 	size_t qnamelen)
518 {
519 	/* Determine if a NSEC record proves the non-existence of a
520 	 * wildcard that could have produced qname. */
521 	int labs;
522 	uint8_t* ce = nsec_closest_encloser(qname, nsec);
523 	uint8_t* strip;
524 	size_t striplen;
525 	uint8_t buf[LDNS_MAX_DOMAINLEN+3];
526 	if(!ce)
527 		return 0;
528 	/* we can subtract the closest encloser count - since that is the
529 	 * largest shared topdomain with owner and next NSEC name,
530 	 * because the NSEC is no proof for names shorter than the owner
531 	 * and next names. */
532 	labs = dname_count_labels(qname) - dname_count_labels(ce);
533 
534 	if(labs > 0) {
535 		/* i is number of labels to strip off qname, prepend * wild */
536 		strip = qname;
537 		striplen = qnamelen;
538 		dname_remove_labels(&strip, &striplen, labs);
539 		if(striplen > LDNS_MAX_DOMAINLEN-2)
540 			return 0; /* too long to prepend wildcard */
541 		buf[0] = 1;
542 		buf[1] = (uint8_t)'*';
543 		memmove(buf+2, strip, striplen);
544 		if(val_nsec_proves_name_error(nsec, buf)) {
545 			return 1;
546 		}
547 	}
548 	return 0;
549 }
550