1 /* 2 * validator/val_utils.c - validator utility functions. 3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains helper functions for the validator module. 40 */ 41 #include "config.h" 42 #include "validator/val_utils.h" 43 #include "validator/validator.h" 44 #include "validator/val_kentry.h" 45 #include "validator/val_sigcrypt.h" 46 #include "validator/val_anchor.h" 47 #include "validator/val_nsec.h" 48 #include "validator/val_neg.h" 49 #include "services/cache/rrset.h" 50 #include "services/cache/dns.h" 51 #include "util/data/msgreply.h" 52 #include "util/data/packed_rrset.h" 53 #include "util/data/dname.h" 54 #include "util/net_help.h" 55 #include "util/module.h" 56 #include "util/regional.h" 57 #include "sldns/wire2str.h" 58 #include "sldns/parseutil.h" 59 60 enum val_classification 61 val_classify_response(uint16_t query_flags, struct query_info* origqinf, 62 struct query_info* qinf, struct reply_info* rep, size_t skip) 63 { 64 int rcode = (int)FLAGS_GET_RCODE(rep->flags); 65 size_t i; 66 67 /* Normal Name Error's are easy to detect -- but don't mistake a CNAME 68 * chain ending in NXDOMAIN. */ 69 if(rcode == LDNS_RCODE_NXDOMAIN && rep->an_numrrsets == 0) 70 return VAL_CLASS_NAMEERROR; 71 72 /* check for referral: nonRD query and it looks like a nodata */ 73 if(!(query_flags&BIT_RD) && rep->an_numrrsets == 0 && 74 rcode == LDNS_RCODE_NOERROR) { 75 /* SOA record in auth indicates it is NODATA instead. 76 * All validation requiring NODATA messages have SOA in 77 * authority section. */ 78 /* uses fact that answer section is empty */ 79 int saw_ns = 0; 80 for(i=0; i<rep->ns_numrrsets; i++) { 81 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_SOA) 82 return VAL_CLASS_NODATA; 83 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_DS) 84 return VAL_CLASS_REFERRAL; 85 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NS) 86 saw_ns = 1; 87 } 88 return saw_ns?VAL_CLASS_REFERRAL:VAL_CLASS_NODATA; 89 } 90 /* root referral where NS set is in the answer section */ 91 if(!(query_flags&BIT_RD) && rep->ns_numrrsets == 0 && 92 rep->an_numrrsets == 1 && rcode == LDNS_RCODE_NOERROR && 93 ntohs(rep->rrsets[0]->rk.type) == LDNS_RR_TYPE_NS && 94 query_dname_compare(rep->rrsets[0]->rk.dname, 95 origqinf->qname) != 0) 96 return VAL_CLASS_REFERRAL; 97 98 /* dump bad messages */ 99 if(rcode != LDNS_RCODE_NOERROR && rcode != LDNS_RCODE_NXDOMAIN) 100 return VAL_CLASS_UNKNOWN; 101 /* next check if the skip into the answer section shows no answer */ 102 if(skip>0 && rep->an_numrrsets <= skip) 103 return VAL_CLASS_CNAMENOANSWER; 104 105 /* Next is NODATA */ 106 if(rcode == LDNS_RCODE_NOERROR && rep->an_numrrsets == 0) 107 return VAL_CLASS_NODATA; 108 109 /* We distinguish between CNAME response and other positive/negative 110 * responses because CNAME answers require extra processing. */ 111 112 /* We distinguish between ANY and CNAME or POSITIVE because 113 * ANY responses are validated differently. */ 114 if(rcode == LDNS_RCODE_NOERROR && qinf->qtype == LDNS_RR_TYPE_ANY) 115 return VAL_CLASS_ANY; 116 117 /* Note that DNAMEs will be ignored here, unless qtype=DNAME. Unless 118 * qtype=CNAME, this will yield a CNAME response. */ 119 for(i=skip; i<rep->an_numrrsets; i++) { 120 if(rcode == LDNS_RCODE_NOERROR && 121 ntohs(rep->rrsets[i]->rk.type) == qinf->qtype) 122 return VAL_CLASS_POSITIVE; 123 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_CNAME) 124 return VAL_CLASS_CNAME; 125 } 126 log_dns_msg("validator: error. failed to classify response message: ", 127 qinf, rep); 128 return VAL_CLASS_UNKNOWN; 129 } 130 131 /** Get signer name from RRSIG */ 132 static void 133 rrsig_get_signer(uint8_t* data, size_t len, uint8_t** sname, size_t* slen) 134 { 135 /* RRSIG rdata is not allowed to be compressed, it is stored 136 * uncompressed in memory as well, so return a ptr to the name */ 137 if(len < 21) { 138 /* too short RRSig: 139 * short, byte, byte, long, long, long, short, "." is 140 * 2 1 1 4 4 4 2 1 = 19 141 * and a skip of 18 bytes to the name. 142 * +2 for the rdatalen is 21 bytes len for root label */ 143 *sname = NULL; 144 *slen = 0; 145 return; 146 } 147 data += 20; /* skip the fixed size bits */ 148 len -= 20; 149 *slen = dname_valid(data, len); 150 if(!*slen) { 151 /* bad dname in this rrsig. */ 152 *sname = NULL; 153 return; 154 } 155 *sname = data; 156 } 157 158 void 159 val_find_rrset_signer(struct ub_packed_rrset_key* rrset, uint8_t** sname, 160 size_t* slen) 161 { 162 struct packed_rrset_data* d = (struct packed_rrset_data*) 163 rrset->entry.data; 164 /* return signer for first signature, or NULL */ 165 if(d->rrsig_count == 0) { 166 *sname = NULL; 167 *slen = 0; 168 return; 169 } 170 /* get rrsig signer name out of the signature */ 171 rrsig_get_signer(d->rr_data[d->count], d->rr_len[d->count], 172 sname, slen); 173 } 174 175 /** 176 * Find best signer name in this set of rrsigs. 177 * @param rrset: which rrsigs to look through. 178 * @param qinf: the query name that needs validation. 179 * @param signer_name: the best signer_name. Updated if a better one is found. 180 * @param signer_len: length of signer name. 181 * @param matchcount: count of current best name (starts at 0 for no match). 182 * Updated if match is improved. 183 */ 184 static void 185 val_find_best_signer(struct ub_packed_rrset_key* rrset, 186 struct query_info* qinf, uint8_t** signer_name, size_t* signer_len, 187 int* matchcount) 188 { 189 struct packed_rrset_data* d = (struct packed_rrset_data*) 190 rrset->entry.data; 191 uint8_t* sign; 192 size_t i; 193 int m; 194 for(i=d->count; i<d->count+d->rrsig_count; i++) { 195 sign = d->rr_data[i]+2+18; 196 /* look at signatures that are valid (long enough), 197 * and have a signer name that is a superdomain of qname, 198 * and then check the number of labels in the shared topdomain 199 * improve the match if possible */ 200 if(d->rr_len[i] > 2+19 && /* rdata, sig + root label*/ 201 dname_subdomain_c(qinf->qname, sign)) { 202 (void)dname_lab_cmp(qinf->qname, 203 dname_count_labels(qinf->qname), 204 sign, dname_count_labels(sign), &m); 205 if(m > *matchcount) { 206 *matchcount = m; 207 *signer_name = sign; 208 (void)dname_count_size_labels(*signer_name, 209 signer_len); 210 } 211 } 212 } 213 } 214 215 void 216 val_find_signer(enum val_classification subtype, struct query_info* qinf, 217 struct reply_info* rep, size_t skip, uint8_t** signer_name, 218 size_t* signer_len) 219 { 220 size_t i; 221 222 if(subtype == VAL_CLASS_POSITIVE || subtype == VAL_CLASS_ANY) { 223 /* check for the answer rrset */ 224 for(i=skip; i<rep->an_numrrsets; i++) { 225 if(query_dname_compare(qinf->qname, 226 rep->rrsets[i]->rk.dname) == 0) { 227 val_find_rrset_signer(rep->rrsets[i], 228 signer_name, signer_len); 229 return; 230 } 231 } 232 *signer_name = NULL; 233 *signer_len = 0; 234 } else if(subtype == VAL_CLASS_CNAME) { 235 /* check for the first signed cname/dname rrset */ 236 for(i=skip; i<rep->an_numrrsets; i++) { 237 val_find_rrset_signer(rep->rrsets[i], 238 signer_name, signer_len); 239 if(*signer_name) 240 return; 241 if(ntohs(rep->rrsets[i]->rk.type) != LDNS_RR_TYPE_DNAME) 242 break; /* only check CNAME after a DNAME */ 243 } 244 *signer_name = NULL; 245 *signer_len = 0; 246 } else if(subtype == VAL_CLASS_NAMEERROR 247 || subtype == VAL_CLASS_NODATA) { 248 /*Check to see if the AUTH section NSEC record(s) have rrsigs*/ 249 for(i=rep->an_numrrsets; i< 250 rep->an_numrrsets+rep->ns_numrrsets; i++) { 251 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NSEC 252 || ntohs(rep->rrsets[i]->rk.type) == 253 LDNS_RR_TYPE_NSEC3) { 254 val_find_rrset_signer(rep->rrsets[i], 255 signer_name, signer_len); 256 return; 257 } 258 } 259 } else if(subtype == VAL_CLASS_CNAMENOANSWER) { 260 /* find closest superdomain signer name in authority section 261 * NSEC and NSEC3s */ 262 int matchcount = 0; 263 *signer_name = NULL; 264 *signer_len = 0; 265 for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep-> 266 ns_numrrsets; i++) { 267 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NSEC 268 || ntohs(rep->rrsets[i]->rk.type) == 269 LDNS_RR_TYPE_NSEC3) { 270 val_find_best_signer(rep->rrsets[i], qinf, 271 signer_name, signer_len, &matchcount); 272 } 273 } 274 } else if(subtype == VAL_CLASS_REFERRAL) { 275 /* find keys for the item at skip */ 276 if(skip < rep->rrset_count) { 277 val_find_rrset_signer(rep->rrsets[skip], 278 signer_name, signer_len); 279 return; 280 } 281 *signer_name = NULL; 282 *signer_len = 0; 283 } else { 284 verbose(VERB_QUERY, "find_signer: could not find signer name" 285 " for unknown type response"); 286 *signer_name = NULL; 287 *signer_len = 0; 288 } 289 } 290 291 /** return number of rrs in an rrset */ 292 static size_t 293 rrset_get_count(struct ub_packed_rrset_key* rrset) 294 { 295 struct packed_rrset_data* d = (struct packed_rrset_data*) 296 rrset->entry.data; 297 if(!d) return 0; 298 return d->count; 299 } 300 301 /** return TTL of rrset */ 302 static uint32_t 303 rrset_get_ttl(struct ub_packed_rrset_key* rrset) 304 { 305 struct packed_rrset_data* d = (struct packed_rrset_data*) 306 rrset->entry.data; 307 if(!d) return 0; 308 return d->ttl; 309 } 310 311 enum sec_status 312 val_verify_rrset(struct module_env* env, struct val_env* ve, 313 struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* keys, 314 uint8_t* sigalg, char** reason) 315 { 316 enum sec_status sec; 317 struct packed_rrset_data* d = (struct packed_rrset_data*)rrset-> 318 entry.data; 319 if(d->security == sec_status_secure) { 320 /* re-verify all other statuses, because keyset may change*/ 321 log_nametypeclass(VERB_ALGO, "verify rrset cached", 322 rrset->rk.dname, ntohs(rrset->rk.type), 323 ntohs(rrset->rk.rrset_class)); 324 return d->security; 325 } 326 /* check in the cache if verification has already been done */ 327 rrset_check_sec_status(env->rrset_cache, rrset, *env->now); 328 if(d->security == sec_status_secure) { 329 log_nametypeclass(VERB_ALGO, "verify rrset from cache", 330 rrset->rk.dname, ntohs(rrset->rk.type), 331 ntohs(rrset->rk.rrset_class)); 332 return d->security; 333 } 334 log_nametypeclass(VERB_ALGO, "verify rrset", rrset->rk.dname, 335 ntohs(rrset->rk.type), ntohs(rrset->rk.rrset_class)); 336 sec = dnskeyset_verify_rrset(env, ve, rrset, keys, sigalg, reason); 337 verbose(VERB_ALGO, "verify result: %s", sec_status_to_string(sec)); 338 regional_free_all(env->scratch); 339 340 /* update rrset security status 341 * only improves security status 342 * and bogus is set only once, even if we rechecked the status */ 343 if(sec > d->security) { 344 d->security = sec; 345 if(sec == sec_status_secure) 346 d->trust = rrset_trust_validated; 347 else if(sec == sec_status_bogus) { 348 size_t i; 349 /* update ttl for rrset to fixed value. */ 350 d->ttl = ve->bogus_ttl; 351 for(i=0; i<d->count+d->rrsig_count; i++) 352 d->rr_ttl[i] = ve->bogus_ttl; 353 /* leave RR specific TTL: not used for determine 354 * if RRset timed out and clients see proper value. */ 355 lock_basic_lock(&ve->bogus_lock); 356 ve->num_rrset_bogus++; 357 lock_basic_unlock(&ve->bogus_lock); 358 } 359 /* if status updated - store in cache for reuse */ 360 rrset_update_sec_status(env->rrset_cache, rrset, *env->now); 361 } 362 363 return sec; 364 } 365 366 enum sec_status 367 val_verify_rrset_entry(struct module_env* env, struct val_env* ve, 368 struct ub_packed_rrset_key* rrset, struct key_entry_key* kkey, 369 char** reason) 370 { 371 /* temporary dnskey rrset-key */ 372 struct ub_packed_rrset_key dnskey; 373 struct key_entry_data* kd = (struct key_entry_data*)kkey->entry.data; 374 enum sec_status sec; 375 dnskey.rk.type = htons(kd->rrset_type); 376 dnskey.rk.rrset_class = htons(kkey->key_class); 377 dnskey.rk.flags = 0; 378 dnskey.rk.dname = kkey->name; 379 dnskey.rk.dname_len = kkey->namelen; 380 dnskey.entry.key = &dnskey; 381 dnskey.entry.data = kd->rrset_data; 382 sec = val_verify_rrset(env, ve, rrset, &dnskey, kd->algo, reason); 383 return sec; 384 } 385 386 /** verify that a DS RR hashes to a key and that key signs the set */ 387 static enum sec_status 388 verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve, 389 struct ub_packed_rrset_key* dnskey_rrset, 390 struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, char** reason) 391 { 392 enum sec_status sec = sec_status_bogus; 393 size_t i, num, numchecked = 0, numhashok = 0; 394 num = rrset_get_count(dnskey_rrset); 395 for(i=0; i<num; i++) { 396 /* Skip DNSKEYs that don't match the basic criteria. */ 397 if(ds_get_key_algo(ds_rrset, ds_idx) 398 != dnskey_get_algo(dnskey_rrset, i) 399 || dnskey_calc_keytag(dnskey_rrset, i) 400 != ds_get_keytag(ds_rrset, ds_idx)) { 401 continue; 402 } 403 numchecked++; 404 verbose(VERB_ALGO, "attempt DS match algo %d keytag %d", 405 ds_get_key_algo(ds_rrset, ds_idx), 406 ds_get_keytag(ds_rrset, ds_idx)); 407 408 /* Convert the candidate DNSKEY into a hash using the 409 * same DS hash algorithm. */ 410 if(!ds_digest_match_dnskey(env, dnskey_rrset, i, ds_rrset, 411 ds_idx)) { 412 verbose(VERB_ALGO, "DS match attempt failed"); 413 continue; 414 } 415 numhashok++; 416 verbose(VERB_ALGO, "DS match digest ok, trying signature"); 417 418 /* Otherwise, we have a match! Make sure that the DNSKEY 419 * verifies *with this key* */ 420 sec = dnskey_verify_rrset(env, ve, dnskey_rrset, 421 dnskey_rrset, i, reason); 422 if(sec == sec_status_secure) { 423 return sec; 424 } 425 /* If it didn't validate with the DNSKEY, try the next one! */ 426 } 427 if(numchecked == 0) 428 algo_needs_reason(env, ds_get_key_algo(ds_rrset, ds_idx), 429 reason, "no keys have a DS"); 430 else if(numhashok == 0) 431 *reason = "DS hash mismatches key"; 432 else if(!*reason) 433 *reason = "keyset not secured by DNSKEY that matches DS"; 434 return sec_status_bogus; 435 } 436 437 int val_favorite_ds_algo(struct ub_packed_rrset_key* ds_rrset) 438 { 439 size_t i, num = rrset_get_count(ds_rrset); 440 int d, digest_algo = 0; /* DS digest algo 0 is not used. */ 441 /* find favorite algo, for now, highest number supported */ 442 for(i=0; i<num; i++) { 443 if(!ds_digest_algo_is_supported(ds_rrset, i) || 444 !ds_key_algo_is_supported(ds_rrset, i)) { 445 continue; 446 } 447 d = ds_get_digest_algo(ds_rrset, i); 448 if(d > digest_algo) 449 digest_algo = d; 450 } 451 return digest_algo; 452 } 453 454 enum sec_status 455 val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve, 456 struct ub_packed_rrset_key* dnskey_rrset, 457 struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason) 458 { 459 /* as long as this is false, we can consider this DS rrset to be 460 * equivalent to no DS rrset. */ 461 int has_useful_ds = 0, digest_algo, alg; 462 struct algo_needs needs; 463 size_t i, num; 464 enum sec_status sec; 465 466 if(dnskey_rrset->rk.dname_len != ds_rrset->rk.dname_len || 467 query_dname_compare(dnskey_rrset->rk.dname, ds_rrset->rk.dname) 468 != 0) { 469 verbose(VERB_QUERY, "DNSKEY RRset did not match DS RRset " 470 "by name"); 471 *reason = "DNSKEY RRset did not match DS RRset by name"; 472 return sec_status_bogus; 473 } 474 475 digest_algo = val_favorite_ds_algo(ds_rrset); 476 if(sigalg) 477 algo_needs_init_ds(&needs, ds_rrset, digest_algo, sigalg); 478 num = rrset_get_count(ds_rrset); 479 for(i=0; i<num; i++) { 480 /* Check to see if we can understand this DS. 481 * And check it is the strongest digest */ 482 if(!ds_digest_algo_is_supported(ds_rrset, i) || 483 !ds_key_algo_is_supported(ds_rrset, i) || 484 ds_get_digest_algo(ds_rrset, i) != digest_algo) { 485 continue; 486 } 487 488 /* Once we see a single DS with a known digestID and 489 * algorithm, we cannot return INSECURE (with a 490 * "null" KeyEntry). */ 491 has_useful_ds = 1; 492 493 sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset, 494 ds_rrset, i, reason); 495 if(sec == sec_status_secure) { 496 if(!sigalg || algo_needs_set_secure(&needs, 497 (uint8_t)ds_get_key_algo(ds_rrset, i))) { 498 verbose(VERB_ALGO, "DS matched DNSKEY."); 499 return sec_status_secure; 500 } 501 } else if(sigalg && sec == sec_status_bogus) { 502 algo_needs_set_bogus(&needs, 503 (uint8_t)ds_get_key_algo(ds_rrset, i)); 504 } 505 } 506 507 /* None of the DS's worked out. */ 508 509 /* If no DSs were understandable, then this is OK. */ 510 if(!has_useful_ds) { 511 verbose(VERB_ALGO, "No usable DS records were found -- " 512 "treating as insecure."); 513 return sec_status_insecure; 514 } 515 /* If any were understandable, then it is bad. */ 516 verbose(VERB_QUERY, "Failed to match any usable DS to a DNSKEY."); 517 if(sigalg && (alg=algo_needs_missing(&needs)) != 0) { 518 algo_needs_reason(env, alg, reason, "missing verification of " 519 "DNSKEY signature"); 520 } 521 return sec_status_bogus; 522 } 523 524 struct key_entry_key* 525 val_verify_new_DNSKEYs(struct regional* region, struct module_env* env, 526 struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, 527 struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason) 528 { 529 uint8_t sigalg[ALGO_NEEDS_MAX+1]; 530 enum sec_status sec = val_verify_DNSKEY_with_DS(env, ve, 531 dnskey_rrset, ds_rrset, downprot?sigalg:NULL, reason); 532 533 if(sec == sec_status_secure) { 534 return key_entry_create_rrset(region, 535 ds_rrset->rk.dname, ds_rrset->rk.dname_len, 536 ntohs(ds_rrset->rk.rrset_class), dnskey_rrset, 537 downprot?sigalg:NULL, *env->now); 538 } else if(sec == sec_status_insecure) { 539 return key_entry_create_null(region, ds_rrset->rk.dname, 540 ds_rrset->rk.dname_len, 541 ntohs(ds_rrset->rk.rrset_class), 542 rrset_get_ttl(ds_rrset), *env->now); 543 } 544 return key_entry_create_bad(region, ds_rrset->rk.dname, 545 ds_rrset->rk.dname_len, ntohs(ds_rrset->rk.rrset_class), 546 BOGUS_KEY_TTL, *env->now); 547 } 548 549 enum sec_status 550 val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve, 551 struct ub_packed_rrset_key* dnskey_rrset, 552 struct ub_packed_rrset_key* ta_ds, 553 struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason) 554 { 555 /* as long as this is false, we can consider this anchor to be 556 * equivalent to no anchor. */ 557 int has_useful_ta = 0, digest_algo = 0, alg; 558 struct algo_needs needs; 559 size_t i, num; 560 enum sec_status sec; 561 562 if(ta_ds && (dnskey_rrset->rk.dname_len != ta_ds->rk.dname_len || 563 query_dname_compare(dnskey_rrset->rk.dname, ta_ds->rk.dname) 564 != 0)) { 565 verbose(VERB_QUERY, "DNSKEY RRset did not match DS RRset " 566 "by name"); 567 *reason = "DNSKEY RRset did not match DS RRset by name"; 568 return sec_status_bogus; 569 } 570 if(ta_dnskey && (dnskey_rrset->rk.dname_len != ta_dnskey->rk.dname_len 571 || query_dname_compare(dnskey_rrset->rk.dname, ta_dnskey->rk.dname) 572 != 0)) { 573 verbose(VERB_QUERY, "DNSKEY RRset did not match anchor RRset " 574 "by name"); 575 *reason = "DNSKEY RRset did not match anchor RRset by name"; 576 return sec_status_bogus; 577 } 578 579 if(ta_ds) 580 digest_algo = val_favorite_ds_algo(ta_ds); 581 if(sigalg) { 582 if(ta_ds) 583 algo_needs_init_ds(&needs, ta_ds, digest_algo, sigalg); 584 else memset(&needs, 0, sizeof(needs)); 585 if(ta_dnskey) 586 algo_needs_init_dnskey_add(&needs, ta_dnskey, sigalg); 587 } 588 if(ta_ds) { 589 num = rrset_get_count(ta_ds); 590 for(i=0; i<num; i++) { 591 /* Check to see if we can understand this DS. 592 * And check it is the strongest digest */ 593 if(!ds_digest_algo_is_supported(ta_ds, i) || 594 !ds_key_algo_is_supported(ta_ds, i) || 595 ds_get_digest_algo(ta_ds, i) != digest_algo) 596 continue; 597 598 /* Once we see a single DS with a known digestID and 599 * algorithm, we cannot return INSECURE (with a 600 * "null" KeyEntry). */ 601 has_useful_ta = 1; 602 603 sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset, 604 ta_ds, i, reason); 605 if(sec == sec_status_secure) { 606 if(!sigalg || algo_needs_set_secure(&needs, 607 (uint8_t)ds_get_key_algo(ta_ds, i))) { 608 verbose(VERB_ALGO, "DS matched DNSKEY."); 609 return sec_status_secure; 610 } 611 } else if(sigalg && sec == sec_status_bogus) { 612 algo_needs_set_bogus(&needs, 613 (uint8_t)ds_get_key_algo(ta_ds, i)); 614 } 615 } 616 } 617 618 /* None of the DS's worked out: check the DNSKEYs. */ 619 if(ta_dnskey) { 620 num = rrset_get_count(ta_dnskey); 621 for(i=0; i<num; i++) { 622 /* Check to see if we can understand this DNSKEY */ 623 if(!dnskey_algo_is_supported(ta_dnskey, i)) 624 continue; 625 626 /* we saw a useful TA */ 627 has_useful_ta = 1; 628 629 sec = dnskey_verify_rrset(env, ve, dnskey_rrset, 630 ta_dnskey, i, reason); 631 if(sec == sec_status_secure) { 632 if(!sigalg || algo_needs_set_secure(&needs, 633 (uint8_t)dnskey_get_algo(ta_dnskey, i))) { 634 verbose(VERB_ALGO, "anchor matched DNSKEY."); 635 return sec_status_secure; 636 } 637 } else if(sigalg && sec == sec_status_bogus) { 638 algo_needs_set_bogus(&needs, 639 (uint8_t)dnskey_get_algo(ta_dnskey, i)); 640 } 641 } 642 } 643 644 /* If no DSs were understandable, then this is OK. */ 645 if(!has_useful_ta) { 646 verbose(VERB_ALGO, "No usable trust anchors were found -- " 647 "treating as insecure."); 648 return sec_status_insecure; 649 } 650 /* If any were understandable, then it is bad. */ 651 verbose(VERB_QUERY, "Failed to match any usable anchor to a DNSKEY."); 652 if(sigalg && (alg=algo_needs_missing(&needs)) != 0) { 653 algo_needs_reason(env, alg, reason, "missing verification of " 654 "DNSKEY signature"); 655 } 656 return sec_status_bogus; 657 } 658 659 struct key_entry_key* 660 val_verify_new_DNSKEYs_with_ta(struct regional* region, struct module_env* env, 661 struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, 662 struct ub_packed_rrset_key* ta_ds_rrset, 663 struct ub_packed_rrset_key* ta_dnskey_rrset, int downprot, 664 char** reason) 665 { 666 uint8_t sigalg[ALGO_NEEDS_MAX+1]; 667 enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve, 668 dnskey_rrset, ta_ds_rrset, ta_dnskey_rrset, 669 downprot?sigalg:NULL, reason); 670 671 if(sec == sec_status_secure) { 672 return key_entry_create_rrset(region, 673 dnskey_rrset->rk.dname, dnskey_rrset->rk.dname_len, 674 ntohs(dnskey_rrset->rk.rrset_class), dnskey_rrset, 675 downprot?sigalg:NULL, *env->now); 676 } else if(sec == sec_status_insecure) { 677 return key_entry_create_null(region, dnskey_rrset->rk.dname, 678 dnskey_rrset->rk.dname_len, 679 ntohs(dnskey_rrset->rk.rrset_class), 680 rrset_get_ttl(dnskey_rrset), *env->now); 681 } 682 return key_entry_create_bad(region, dnskey_rrset->rk.dname, 683 dnskey_rrset->rk.dname_len, ntohs(dnskey_rrset->rk.rrset_class), 684 BOGUS_KEY_TTL, *env->now); 685 } 686 687 int 688 val_dsset_isusable(struct ub_packed_rrset_key* ds_rrset) 689 { 690 size_t i; 691 for(i=0; i<rrset_get_count(ds_rrset); i++) { 692 if(ds_digest_algo_is_supported(ds_rrset, i) && 693 ds_key_algo_is_supported(ds_rrset, i)) 694 return 1; 695 } 696 if(verbosity < VERB_ALGO) 697 return 0; 698 if(rrset_get_count(ds_rrset) == 0) 699 verbose(VERB_ALGO, "DS is not usable"); 700 else { 701 /* report usability for the first DS RR */ 702 sldns_lookup_table *lt; 703 char herr[64], aerr[64]; 704 lt = sldns_lookup_by_id(sldns_hashes, 705 (int)ds_get_digest_algo(ds_rrset, i)); 706 if(lt) snprintf(herr, sizeof(herr), "%s", lt->name); 707 else snprintf(herr, sizeof(herr), "%d", 708 (int)ds_get_digest_algo(ds_rrset, i)); 709 lt = sldns_lookup_by_id(sldns_algorithms, 710 (int)ds_get_key_algo(ds_rrset, i)); 711 if(lt) snprintf(aerr, sizeof(aerr), "%s", lt->name); 712 else snprintf(aerr, sizeof(aerr), "%d", 713 (int)ds_get_key_algo(ds_rrset, i)); 714 verbose(VERB_ALGO, "DS unsupported, hash %s %s, " 715 "key algorithm %s %s", herr, 716 (ds_digest_algo_is_supported(ds_rrset, 0)? 717 "(supported)":"(unsupported)"), aerr, 718 (ds_key_algo_is_supported(ds_rrset, 0)? 719 "(supported)":"(unsupported)")); 720 } 721 return 0; 722 } 723 724 /** get label count for a signature */ 725 static uint8_t 726 rrsig_get_labcount(struct packed_rrset_data* d, size_t sig) 727 { 728 if(d->rr_len[sig] < 2+4) 729 return 0; /* bad sig length */ 730 return d->rr_data[sig][2+3]; 731 } 732 733 int 734 val_rrset_wildcard(struct ub_packed_rrset_key* rrset, uint8_t** wc) 735 { 736 struct packed_rrset_data* d = (struct packed_rrset_data*)rrset-> 737 entry.data; 738 uint8_t labcount; 739 int labdiff; 740 uint8_t* wn; 741 size_t i, wl; 742 if(d->rrsig_count == 0) { 743 return 1; 744 } 745 labcount = rrsig_get_labcount(d, d->count + 0); 746 /* check rest of signatures identical */ 747 for(i=1; i<d->rrsig_count; i++) { 748 if(labcount != rrsig_get_labcount(d, d->count + i)) { 749 return 0; 750 } 751 } 752 /* OK the rrsigs check out */ 753 /* if the RRSIG label count is shorter than the number of actual 754 * labels, then this rrset was synthesized from a wildcard. 755 * Note that the RRSIG label count doesn't count the root label. */ 756 wn = rrset->rk.dname; 757 wl = rrset->rk.dname_len; 758 /* skip a leading wildcard label in the dname (RFC4035 2.2) */ 759 if(dname_is_wild(wn)) { 760 wn += 2; 761 wl -= 2; 762 } 763 labdiff = (dname_count_labels(wn) - 1) - (int)labcount; 764 if(labdiff > 0) { 765 *wc = wn; 766 dname_remove_labels(wc, &wl, labdiff); 767 return 1; 768 } 769 return 1; 770 } 771 772 int 773 val_chase_cname(struct query_info* qchase, struct reply_info* rep, 774 size_t* cname_skip) { 775 size_t i; 776 /* skip any DNAMEs, go to the CNAME for next part */ 777 for(i = *cname_skip; i < rep->an_numrrsets; i++) { 778 if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_CNAME && 779 query_dname_compare(qchase->qname, rep->rrsets[i]-> 780 rk.dname) == 0) { 781 qchase->qname = NULL; 782 get_cname_target(rep->rrsets[i], &qchase->qname, 783 &qchase->qname_len); 784 if(!qchase->qname) 785 return 0; /* bad CNAME rdata */ 786 (*cname_skip) = i+1; 787 return 1; 788 } 789 } 790 return 0; /* CNAME classified but no matching CNAME ?! */ 791 } 792 793 /** see if rrset has signer name as one of the rrsig signers */ 794 static int 795 rrset_has_signer(struct ub_packed_rrset_key* rrset, uint8_t* name, size_t len) 796 { 797 struct packed_rrset_data* d = (struct packed_rrset_data*)rrset-> 798 entry.data; 799 size_t i; 800 for(i = d->count; i< d->count+d->rrsig_count; i++) { 801 if(d->rr_len[i] > 2+18+len) { 802 /* at least rdatalen + signature + signame (+1 sig)*/ 803 if(!dname_valid(d->rr_data[i]+2+18, d->rr_len[i]-2-18)) 804 continue; 805 if(query_dname_compare(name, d->rr_data[i]+2+18) == 0) 806 { 807 return 1; 808 } 809 } 810 } 811 return 0; 812 } 813 814 void 815 val_fill_reply(struct reply_info* chase, struct reply_info* orig, 816 size_t skip, uint8_t* name, size_t len, uint8_t* signer) 817 { 818 size_t i; 819 int seen_dname = 0; 820 chase->rrset_count = 0; 821 chase->an_numrrsets = 0; 822 chase->ns_numrrsets = 0; 823 chase->ar_numrrsets = 0; 824 /* ANSWER section */ 825 for(i=skip; i<orig->an_numrrsets; i++) { 826 if(!signer) { 827 if(query_dname_compare(name, 828 orig->rrsets[i]->rk.dname) == 0) 829 chase->rrsets[chase->an_numrrsets++] = 830 orig->rrsets[i]; 831 } else if(seen_dname && ntohs(orig->rrsets[i]->rk.type) == 832 LDNS_RR_TYPE_CNAME) { 833 chase->rrsets[chase->an_numrrsets++] = orig->rrsets[i]; 834 seen_dname = 0; 835 } else if(rrset_has_signer(orig->rrsets[i], name, len)) { 836 chase->rrsets[chase->an_numrrsets++] = orig->rrsets[i]; 837 if(ntohs(orig->rrsets[i]->rk.type) == 838 LDNS_RR_TYPE_DNAME) { 839 seen_dname = 1; 840 } 841 } 842 } 843 /* AUTHORITY section */ 844 for(i = (skip > orig->an_numrrsets)?skip:orig->an_numrrsets; 845 i<orig->an_numrrsets+orig->ns_numrrsets; 846 i++) { 847 if(!signer) { 848 if(query_dname_compare(name, 849 orig->rrsets[i]->rk.dname) == 0) 850 chase->rrsets[chase->an_numrrsets+ 851 chase->ns_numrrsets++] = orig->rrsets[i]; 852 } else if(rrset_has_signer(orig->rrsets[i], name, len)) { 853 chase->rrsets[chase->an_numrrsets+ 854 chase->ns_numrrsets++] = orig->rrsets[i]; 855 } 856 } 857 /* ADDITIONAL section */ 858 for(i= (skip>orig->an_numrrsets+orig->ns_numrrsets)? 859 skip:orig->an_numrrsets+orig->ns_numrrsets; 860 i<orig->rrset_count; i++) { 861 if(!signer) { 862 if(query_dname_compare(name, 863 orig->rrsets[i]->rk.dname) == 0) 864 chase->rrsets[chase->an_numrrsets 865 +orig->ns_numrrsets+chase->ar_numrrsets++] 866 = orig->rrsets[i]; 867 } else if(rrset_has_signer(orig->rrsets[i], name, len)) { 868 chase->rrsets[chase->an_numrrsets+orig->ns_numrrsets+ 869 chase->ar_numrrsets++] = orig->rrsets[i]; 870 } 871 } 872 chase->rrset_count = chase->an_numrrsets + chase->ns_numrrsets + 873 chase->ar_numrrsets; 874 } 875 876 void val_reply_remove_auth(struct reply_info* rep, size_t index) 877 { 878 log_assert(index < rep->rrset_count); 879 log_assert(index >= rep->an_numrrsets); 880 log_assert(index < rep->an_numrrsets+rep->ns_numrrsets); 881 memmove(rep->rrsets+index, rep->rrsets+index+1, 882 sizeof(struct ub_packed_rrset_key*)* 883 (rep->rrset_count - index - 1)); 884 rep->ns_numrrsets--; 885 rep->rrset_count--; 886 } 887 888 void 889 val_check_nonsecure(struct val_env* ve, struct reply_info* rep) 890 { 891 size_t i; 892 /* authority */ 893 for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++) { 894 if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data) 895 ->security != sec_status_secure) { 896 /* because we want to return the authentic original 897 * message when presented with CD-flagged queries, 898 * we need to preserve AUTHORITY section data. 899 * However, this rrset is not signed or signed 900 * with the wrong keys. Validation has tried to 901 * verify this rrset with the keysets of import. 902 * But this rrset did not verify. 903 * Therefore the message is bogus. 904 */ 905 906 /* check if authority consists of only an NS record 907 * which is bad, and there is an answer section with 908 * data. In that case, delete NS and additional to 909 * be lenient and make a minimal response */ 910 if(rep->an_numrrsets != 0 && rep->ns_numrrsets == 1 && 911 ntohs(rep->rrsets[i]->rk.type) 912 == LDNS_RR_TYPE_NS) { 913 verbose(VERB_ALGO, "truncate to minimal"); 914 rep->ns_numrrsets = 0; 915 rep->ar_numrrsets = 0; 916 rep->rrset_count = rep->an_numrrsets; 917 return; 918 } 919 920 log_nametypeclass(VERB_QUERY, "message is bogus, " 921 "non secure rrset", 922 rep->rrsets[i]->rk.dname, 923 ntohs(rep->rrsets[i]->rk.type), 924 ntohs(rep->rrsets[i]->rk.rrset_class)); 925 rep->security = sec_status_bogus; 926 return; 927 } 928 } 929 /* additional */ 930 if(!ve->clean_additional) 931 return; 932 for(i=rep->an_numrrsets+rep->ns_numrrsets; i<rep->rrset_count; i++) { 933 if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data) 934 ->security != sec_status_secure) { 935 /* This does not cause message invalidation. It was 936 * simply unsigned data in the additional. The 937 * RRSIG must have been truncated off the message. 938 * 939 * However, we do not want to return possible bogus 940 * data to clients that rely on this service for 941 * their authentication. 942 */ 943 /* remove this unneeded additional rrset */ 944 memmove(rep->rrsets+i, rep->rrsets+i+1, 945 sizeof(struct ub_packed_rrset_key*)* 946 (rep->rrset_count - i - 1)); 947 rep->ar_numrrsets--; 948 rep->rrset_count--; 949 i--; 950 } 951 } 952 } 953 954 /** check no anchor and unlock */ 955 static int 956 check_no_anchor(struct val_anchors* anchors, uint8_t* nm, size_t l, uint16_t c) 957 { 958 struct trust_anchor* ta; 959 if((ta=anchors_lookup(anchors, nm, l, c))) { 960 lock_basic_unlock(&ta->lock); 961 } 962 return !ta; 963 } 964 965 void 966 val_mark_indeterminate(struct reply_info* rep, struct val_anchors* anchors, 967 struct rrset_cache* r, struct module_env* env) 968 { 969 size_t i; 970 struct packed_rrset_data* d; 971 for(i=0; i<rep->rrset_count; i++) { 972 d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data; 973 if(d->security == sec_status_unchecked && 974 check_no_anchor(anchors, rep->rrsets[i]->rk.dname, 975 rep->rrsets[i]->rk.dname_len, 976 ntohs(rep->rrsets[i]->rk.rrset_class))) 977 { 978 /* mark as indeterminate */ 979 d->security = sec_status_indeterminate; 980 rrset_update_sec_status(r, rep->rrsets[i], *env->now); 981 } 982 } 983 } 984 985 void 986 val_mark_insecure(struct reply_info* rep, uint8_t* kname, 987 struct rrset_cache* r, struct module_env* env) 988 { 989 size_t i; 990 struct packed_rrset_data* d; 991 for(i=0; i<rep->rrset_count; i++) { 992 d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data; 993 if(d->security == sec_status_unchecked && 994 dname_subdomain_c(rep->rrsets[i]->rk.dname, kname)) { 995 /* mark as insecure */ 996 d->security = sec_status_insecure; 997 rrset_update_sec_status(r, rep->rrsets[i], *env->now); 998 } 999 } 1000 } 1001 1002 size_t 1003 val_next_unchecked(struct reply_info* rep, size_t skip) 1004 { 1005 size_t i; 1006 struct packed_rrset_data* d; 1007 for(i=skip+1; i<rep->rrset_count; i++) { 1008 d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data; 1009 if(d->security == sec_status_unchecked) { 1010 return i; 1011 } 1012 } 1013 return rep->rrset_count; 1014 } 1015 1016 const char* 1017 val_classification_to_string(enum val_classification subtype) 1018 { 1019 switch(subtype) { 1020 case VAL_CLASS_UNTYPED: return "untyped"; 1021 case VAL_CLASS_UNKNOWN: return "unknown"; 1022 case VAL_CLASS_POSITIVE: return "positive"; 1023 case VAL_CLASS_CNAME: return "cname"; 1024 case VAL_CLASS_NODATA: return "nodata"; 1025 case VAL_CLASS_NAMEERROR: return "nameerror"; 1026 case VAL_CLASS_CNAMENOANSWER: return "cnamenoanswer"; 1027 case VAL_CLASS_REFERRAL: return "referral"; 1028 case VAL_CLASS_ANY: return "qtype_any"; 1029 default: 1030 return "bad_val_classification"; 1031 } 1032 } 1033 1034 /** log a sock_list entry */ 1035 static void 1036 sock_list_logentry(enum verbosity_value v, const char* s, struct sock_list* p) 1037 { 1038 if(p->len) 1039 log_addr(v, s, &p->addr, p->len); 1040 else verbose(v, "%s cache", s); 1041 } 1042 1043 void val_blacklist(struct sock_list** blacklist, struct regional* region, 1044 struct sock_list* origin, int cross) 1045 { 1046 /* debug printout */ 1047 if(verbosity >= VERB_ALGO) { 1048 struct sock_list* p; 1049 for(p=*blacklist; p; p=p->next) 1050 sock_list_logentry(VERB_ALGO, "blacklist", p); 1051 if(!origin) 1052 verbose(VERB_ALGO, "blacklist add: cache"); 1053 for(p=origin; p; p=p->next) 1054 sock_list_logentry(VERB_ALGO, "blacklist add", p); 1055 } 1056 /* blacklist the IPs or the cache */ 1057 if(!origin) { 1058 /* only add if nothing there. anything else also stops cache*/ 1059 if(!*blacklist) 1060 sock_list_insert(blacklist, NULL, 0, region); 1061 } else if(!cross) 1062 sock_list_prepend(blacklist, origin); 1063 else sock_list_merge(blacklist, region, origin); 1064 } 1065 1066 int val_has_signed_nsecs(struct reply_info* rep, char** reason) 1067 { 1068 size_t i, num_nsec = 0, num_nsec3 = 0; 1069 struct packed_rrset_data* d; 1070 for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++) { 1071 if(rep->rrsets[i]->rk.type == htons(LDNS_RR_TYPE_NSEC)) 1072 num_nsec++; 1073 else if(rep->rrsets[i]->rk.type == htons(LDNS_RR_TYPE_NSEC3)) 1074 num_nsec3++; 1075 else continue; 1076 d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data; 1077 if(d && d->rrsig_count != 0) { 1078 return 1; 1079 } 1080 } 1081 if(num_nsec == 0 && num_nsec3 == 0) 1082 *reason = "no DNSSEC records"; 1083 else if(num_nsec != 0) 1084 *reason = "no signatures over NSECs"; 1085 else *reason = "no signatures over NSEC3s"; 1086 return 0; 1087 } 1088 1089 struct dns_msg* 1090 val_find_DS(struct module_env* env, uint8_t* nm, size_t nmlen, uint16_t c, 1091 struct regional* region, uint8_t* topname) 1092 { 1093 struct dns_msg* msg; 1094 struct query_info qinfo; 1095 struct ub_packed_rrset_key *rrset = rrset_cache_lookup( 1096 env->rrset_cache, nm, nmlen, LDNS_RR_TYPE_DS, c, 0, 1097 *env->now, 0); 1098 if(rrset) { 1099 /* DS rrset exists. Return it to the validator immediately*/ 1100 struct ub_packed_rrset_key* copy = packed_rrset_copy_region( 1101 rrset, region, *env->now); 1102 lock_rw_unlock(&rrset->entry.lock); 1103 if(!copy) 1104 return NULL; 1105 msg = dns_msg_create(nm, nmlen, LDNS_RR_TYPE_DS, c, region, 1); 1106 if(!msg) 1107 return NULL; 1108 msg->rep->rrsets[0] = copy; 1109 msg->rep->rrset_count++; 1110 msg->rep->an_numrrsets++; 1111 return msg; 1112 } 1113 /* lookup in rrset and negative cache for NSEC/NSEC3 */ 1114 qinfo.qname = nm; 1115 qinfo.qname_len = nmlen; 1116 qinfo.qtype = LDNS_RR_TYPE_DS; 1117 qinfo.qclass = c; 1118 /* do not add SOA to reply message, it is going to be used internal */ 1119 msg = val_neg_getmsg(env->neg_cache, &qinfo, region, env->rrset_cache, 1120 env->scratch_buffer, *env->now, 0, topname); 1121 return msg; 1122 } 1123