1 /* 2 * validator/val_utils.h - validator utility functions. 3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains helper functions for the validator module. 40 */ 41 42 #ifndef VALIDATOR_VAL_UTILS_H 43 #define VALIDATOR_VAL_UTILS_H 44 #include "util/data/packed_rrset.h" 45 #include "sldns/pkthdr.h" 46 #include "sldns/rrdef.h" 47 struct query_info; 48 struct reply_info; 49 struct val_env; 50 struct module_env; 51 struct module_qstate; 52 struct ub_packed_rrset_key; 53 struct key_entry_key; 54 struct regional; 55 struct val_anchors; 56 struct rrset_cache; 57 struct sock_list; 58 59 /** 60 * Response classifications for the validator. The different types of proofs. 61 */ 62 enum val_classification { 63 /** Not subtyped yet. */ 64 VAL_CLASS_UNTYPED = 0, 65 /** Not a recognized subtype. */ 66 VAL_CLASS_UNKNOWN, 67 /** A positive, direct, response */ 68 VAL_CLASS_POSITIVE, 69 /** A positive response, with a CNAME/DNAME chain. */ 70 VAL_CLASS_CNAME, 71 /** A NOERROR/NODATA response. */ 72 VAL_CLASS_NODATA, 73 /** A NXDOMAIN response. */ 74 VAL_CLASS_NAMEERROR, 75 /** A CNAME/DNAME chain, and the offset is at the end of it, 76 * but there is no answer here, it can be NAMEERROR or NODATA. */ 77 VAL_CLASS_CNAMENOANSWER, 78 /** A referral, from cache with a nonRD query. */ 79 VAL_CLASS_REFERRAL, 80 /** A response to a qtype=ANY query. */ 81 VAL_CLASS_ANY 82 }; 83 84 /** 85 * Given a response, classify ANSWER responses into a subtype. 86 * @param query_flags: query flags for the original query. 87 * @param origqinf: query info. The original query name. 88 * @param qinf: query info. The chased query name. 89 * @param rep: response. The original response. 90 * @param skip: offset into the original response answer section. 91 * @return A subtype, all values possible except UNTYPED . 92 * Once CNAME type is returned you can increase skip. 93 * Then, another CNAME type, CNAME_NOANSWER or POSITIVE are possible. 94 */ 95 enum val_classification val_classify_response(uint16_t query_flags, 96 struct query_info* origqinf, struct query_info* qinf, 97 struct reply_info* rep, size_t skip); 98 99 /** 100 * Given a response, determine the name of the "signer". This is primarily 101 * to determine if the response is, in fact, signed at all, and, if so, what 102 * is the name of the most pertinent keyset. 103 * 104 * @param subtype: the type from classify. 105 * @param qinf: query, the chased query name. 106 * @param rep: response to that, original response. 107 * @param cname_skip: how many answer rrsets have been skipped due to CNAME 108 * chains being chased around. 109 * @param signer_name: signer name, if the response is signed 110 * (even partially), or null if the response isn't signed. 111 * @param signer_len: length of signer_name of 0 if signer_name is NULL. 112 */ 113 void val_find_signer(enum val_classification subtype, 114 struct query_info* qinf, struct reply_info* rep, 115 size_t cname_skip, uint8_t** signer_name, size_t* signer_len); 116 117 /** 118 * Verify RRset with keys from a keyset. 119 * @param env: module environment (scratch buffer) 120 * @param ve: validator environment (verification settings) 121 * @param rrset: what to verify 122 * @param kkey: key_entry to verify with. 123 * @param reason: reason of failure. Fixed string or alloced in scratch. 124 * @param reason_bogus: EDE (RFC8914) code paired with the reason of failure. 125 * @param section: section of packet where this rrset comes from. 126 * @param qstate: qstate with region. 127 * @param verified: if not NULL, the number of RRSIG validations is returned. 128 * @param reasonbuf: buffer to use for fail reason string print. 129 * @param reasonlen: length of reasonbuf. 130 * @return security status of verification. 131 */ 132 enum sec_status val_verify_rrset_entry(struct module_env* env, 133 struct val_env* ve, struct ub_packed_rrset_key* rrset, 134 struct key_entry_key* kkey, char** reason, sldns_ede_code *reason_bogus, 135 sldns_pkt_section section, struct module_qstate* qstate, 136 int* verified, char* reasonbuf, size_t reasonlen); 137 138 /** 139 * Verify DNSKEYs with DS rrset. Like val_verify_new_DNSKEYs but 140 * returns a sec_status instead of a key_entry. 141 * @param env: module environment (scratch buffer) 142 * @param ve: validator environment (verification settings) 143 * @param dnskey_rrset: DNSKEY rrset to verify 144 * @param ds_rrset: DS rrset to verify with. 145 * @param sigalg: if nonNULL provide downgrade protection otherwise one 146 * algorithm is enough. The list of signalled algorithms is returned, 147 * must have enough space for ALGO_NEEDS_MAX+1. 148 * @param reason: reason of failure. Fixed string or alloced in scratch. 149 * @param reason_bogus: EDE (RFC8914) code paired with the reason of failure. 150 * @param qstate: qstate with region. 151 * @param reasonbuf: buffer to use for fail reason string print. 152 * @param reasonlen: length of reasonbuf. 153 * @return: sec_status_secure if a DS matches. 154 * sec_status_insecure if end of trust (i.e., unknown algorithms). 155 * sec_status_bogus if it fails. 156 */ 157 enum sec_status val_verify_DNSKEY_with_DS(struct module_env* env, 158 struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, 159 struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason, 160 sldns_ede_code *reason_bogus, struct module_qstate* qstate, 161 char* reasonbuf, size_t reasonlen); 162 163 /** 164 * Verify DNSKEYs with DS and DNSKEY rrset. Like val_verify_DNSKEY_with_DS 165 * but for a trust anchor. 166 * @param env: module environment (scratch buffer) 167 * @param ve: validator environment (verification settings) 168 * @param dnskey_rrset: DNSKEY rrset to verify 169 * @param ta_ds: DS rrset to verify with. 170 * @param ta_dnskey: DNSKEY rrset to verify with. 171 * @param sigalg: if nonNULL provide downgrade protection otherwise one 172 * algorithm is enough. The list of signalled algorithms is returned, 173 * must have enough space for ALGO_NEEDS_MAX+1. 174 * @param reason: reason of failure. Fixed string or alloced in scratch. 175 * @param reason_bogus: EDE (RFC8914) code paired with the reason of failure. 176 * @param qstate: qstate with region. 177 * @param reasonbuf: buffer to use for fail reason string print. 178 * @param reasonlen: length of reasonbuf. 179 * @return: sec_status_secure if a DS matches. 180 * sec_status_insecure if end of trust (i.e., unknown algorithms). 181 * sec_status_bogus if it fails. 182 */ 183 enum sec_status val_verify_DNSKEY_with_TA(struct module_env* env, 184 struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, 185 struct ub_packed_rrset_key* ta_ds, 186 struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason, 187 sldns_ede_code *reason_bogus, struct module_qstate* qstate, 188 char* reasonbuf, size_t reasonlen); 189 190 /** 191 * Verify new DNSKEYs with DS rrset. The DS contains hash values that should 192 * match the DNSKEY keys. 193 * match the DS to a DNSKEY and verify the DNSKEY rrset with that key. 194 * 195 * @param region: where to allocate key entry result. 196 * @param env: module environment (scratch buffer) 197 * @param ve: validator environment (verification settings) 198 * @param dnskey_rrset: DNSKEY rrset to verify 199 * @param ds_rrset: DS rrset to verify with. 200 * @param downprot: if true provide downgrade protection otherwise one 201 * algorithm is enough. 202 * @param reason: reason of failure. Fixed string or alloced in scratch. 203 * @param reason_bogus: EDE (RFC8914) code paired with the reason of failure. 204 * @param qstate: qstate with region. 205 * @param reasonbuf: buffer to use for fail reason string print. 206 * @param reasonlen: length of reasonbuf. 207 * @return a KeyEntry. This will either contain the now trusted 208 * dnskey_rrset, a "null" key entry indicating that this DS 209 * rrset/DNSKEY pair indicate an secure end to the island of trust 210 * (i.e., unknown algorithms), or a "bad" KeyEntry if the dnskey 211 * rrset fails to verify. Note that the "null" response should 212 * generally only occur in a private algorithm scenario: normally 213 * this sort of thing is checked before fetching the matching DNSKEY 214 * rrset. 215 * if downprot is set, a key entry with an algo list is made. 216 */ 217 struct key_entry_key* val_verify_new_DNSKEYs(struct regional* region, 218 struct module_env* env, struct val_env* ve, 219 struct ub_packed_rrset_key* dnskey_rrset, 220 struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason, 221 sldns_ede_code *reason_bogus, struct module_qstate* qstate, 222 char* reasonbuf, size_t reasonlen); 223 224 /** 225 * Verify rrset with trust anchor: DS and DNSKEY rrset. 226 * 227 * @param region: where to allocate key entry result. 228 * @param env: module environment (scratch buffer) 229 * @param ve: validator environment (verification settings) 230 * @param dnskey_rrset: DNSKEY rrset to verify 231 * @param ta_ds_rrset: DS rrset to verify with. 232 * @param ta_dnskey_rrset: the DNSKEY rrset to verify with. 233 * @param downprot: if true provide downgrade protection otherwise one 234 * algorithm is enough. 235 * @param reason: reason of failure. Fixed string or alloced in scratch. 236 * @param reason_bogus: EDE (RFC8914) code paired with the reason of failure. 237 * @param qstate: qstate with region. 238 * @param reasonbuf: buffer to use for fail reason string print. 239 * @param reasonlen: length of reasonbuf. 240 * @return a KeyEntry. This will either contain the now trusted 241 * dnskey_rrset, a "null" key entry indicating that this DS 242 * rrset/DNSKEY pair indicate an secure end to the island of trust 243 * (i.e., unknown algorithms), or a "bad" KeyEntry if the dnskey 244 * rrset fails to verify. Note that the "null" response should 245 * generally only occur in a private algorithm scenario: normally 246 * this sort of thing is checked before fetching the matching DNSKEY 247 * rrset. 248 * if downprot is set, a key entry with an algo list is made. 249 */ 250 struct key_entry_key* val_verify_new_DNSKEYs_with_ta(struct regional* region, 251 struct module_env* env, struct val_env* ve, 252 struct ub_packed_rrset_key* dnskey_rrset, 253 struct ub_packed_rrset_key* ta_ds_rrset, 254 struct ub_packed_rrset_key* ta_dnskey_rrset, int downprot, 255 char** reason, sldns_ede_code *reason_bogus, struct module_qstate* qstate, 256 char* reasonbuf, size_t reasonlen); 257 258 /** 259 * Determine if DS rrset is usable for validator or not. 260 * Returns true if the algorithms for key and DShash are supported, 261 * for at least one RR. 262 * 263 * @param ds_rrset: the newly received DS rrset. 264 * @return true or false if not usable. 265 */ 266 int val_dsset_isusable(struct ub_packed_rrset_key* ds_rrset); 267 268 /** 269 * Determine by looking at a signed RRset whether or not the RRset name was 270 * the result of a wildcard expansion. If so, return the name of the 271 * generating wildcard. 272 * 273 * @param rrset The rrset to check. 274 * @param wc: the wildcard name, if the rrset was synthesized from a wildcard. 275 * unchanged if not. The wildcard name, without "*." in front, is 276 * returned. This is a pointer into the rrset owner name. 277 * @param wc_len: the length of the returned wildcard name. 278 * @return false if the signatures are inconsistent in indicating the 279 * wildcard status; possible spoofing of wildcard response for other 280 * responses is being tried. We lost the status which rrsig was verified 281 * after the verification routine finished, so we simply check if 282 * the signatures are consistent; inserting a fake signature is a denial 283 * of service; but in that you could also have removed the real 284 * signature anyway. 285 */ 286 int val_rrset_wildcard(struct ub_packed_rrset_key* rrset, uint8_t** wc, 287 size_t* wc_len); 288 289 /** 290 * Chase the cname to the next query name. 291 * @param qchase: the current query name, updated to next target. 292 * @param rep: original message reply to look at CNAMEs. 293 * @param cname_skip: the skip into the answer section. Updated to skip 294 * DNAME and CNAME to the next part of the answer. 295 * @return false on error (bad rdata). 296 */ 297 int val_chase_cname(struct query_info* qchase, struct reply_info* rep, 298 size_t* cname_skip); 299 300 /** 301 * Fill up the chased reply with the content from the original reply; 302 * as pointers to those rrsets. Select the part after the cname_skip into 303 * the answer section, NS and AR sections that are signed with same signer. 304 * 305 * @param chase: chased reply, filled up. 306 * @param orig: original reply. 307 * @param cname_skip: which part of the answer section to skip. 308 * The skipped part contains CNAME(and DNAME)s that have been chased. 309 * @param name: the signer name to look for. 310 * @param len: length of name. 311 * @param signer: signer name or NULL if an unsigned RRset is considered. 312 * If NULL, rrsets with the lookup name are copied over. 313 */ 314 void val_fill_reply(struct reply_info* chase, struct reply_info* orig, 315 size_t cname_skip, uint8_t* name, size_t len, uint8_t* signer); 316 317 /** 318 * Remove rrset with index from reply, from the authority section. 319 * @param rep: reply to remove it from. 320 * @param index: rrset to remove, must be in the authority section. 321 */ 322 void val_reply_remove_auth(struct reply_info* rep, size_t index); 323 324 /** 325 * Remove all unsigned or non-secure status rrsets from NS and AR sections. 326 * So that unsigned data does not get let through to clients, when we have 327 * found the data to be secure. 328 * 329 * @param env: environment with cleaning options. 330 * @param rep: reply to dump all nonsecure stuff out of. 331 */ 332 void val_check_nonsecure(struct module_env* env, struct reply_info* rep); 333 334 /** 335 * Mark all unchecked rrset entries not below a trust anchor as indeterminate. 336 * Only security==unchecked rrsets are updated. 337 * @param rep: the reply with rrsets. 338 * @param anchors: the trust anchors. 339 * @param r: rrset cache to store updated security status into. 340 * @param env: module environment 341 */ 342 void val_mark_indeterminate(struct reply_info* rep, 343 struct val_anchors* anchors, struct rrset_cache* r, 344 struct module_env* env); 345 346 /** 347 * Mark all unchecked rrset entries below a NULL key entry as insecure. 348 * Only security==unchecked rrsets are updated. 349 * @param rep: the reply with rrsets. 350 * @param kname: end of secure space name. 351 * @param r: rrset cache to store updated security status into. 352 * @param env: module environment 353 */ 354 void val_mark_insecure(struct reply_info* rep, uint8_t* kname, 355 struct rrset_cache* r, struct module_env* env); 356 357 /** 358 * Find next unchecked rrset position, return it for skip. 359 * @param rep: the original reply to look into. 360 * @param skip: the skip now. 361 * @return new skip, which may be at the rep->rrset_count position to signal 362 * there are no unchecked items. 363 */ 364 size_t val_next_unchecked(struct reply_info* rep, size_t skip); 365 366 /** 367 * Find the signer name for an RRset. 368 * @param rrset: the rrset. 369 * @param sname: signer name is returned or NULL if not signed. 370 * @param slen: length of sname (or 0). 371 */ 372 void val_find_rrset_signer(struct ub_packed_rrset_key* rrset, uint8_t** sname, 373 size_t* slen); 374 375 /** 376 * Get string to denote the classification result. 377 * @param subtype: from classification function. 378 * @return static string to describe the classification. 379 */ 380 const char* val_classification_to_string(enum val_classification subtype); 381 382 /** 383 * Add existing list to blacklist. 384 * @param blacklist: the blacklist with result 385 * @param region: the region where blacklist is allocated. 386 * Allocation failures are logged. 387 * @param origin: origin list to add, if NULL, a cache-entry is added to 388 * the blacklist to stop cache from being used. 389 * @param cross: if true this is a cross-qstate copy, and the 'origin' 390 * list is not allocated in the same region as the blacklist. 391 */ 392 void val_blacklist(struct sock_list** blacklist, struct regional* region, 393 struct sock_list* origin, int cross); 394 395 /** 396 * check if has dnssec info, and if it has signed nsecs. gives error reason. 397 * @param rep: reply to check. 398 * @param reason: returned on fail. 399 * @return false if message has no signed nsecs. Can not prove negatives. 400 */ 401 int val_has_signed_nsecs(struct reply_info* rep, char** reason); 402 403 /** 404 * Return algo number for favorite (best) algorithm that we support in DS. 405 * @param ds_rrset: the DSes in this rrset are inspected and best algo chosen. 406 * @return algo number or 0 if none supported. 0 is unused as algo number. 407 */ 408 int val_favorite_ds_algo(struct ub_packed_rrset_key* ds_rrset); 409 410 /** 411 * Find DS denial message in cache. Saves new qstate allocation and allows 412 * the validator to use partial content which is not enough to construct a 413 * message for network (or user) consumption. Without SOA for example, 414 * which is a common occurrence in the unbound code since the referrals contain 415 * NSEC/NSEC3 rrs without the SOA element, thus do not allow synthesis of a 416 * full negative reply, but do allow synthesis of sufficient proof. 417 * @param env: query env with caches and time. 418 * @param nm: name of DS record sought. 419 * @param nmlen: length of name. 420 * @param c: class of DS RR. 421 * @param region: where to allocate result. 422 * @param topname: name of the key that is currently in use, that will get 423 * used to validate the result, and thus no higher entries from the 424 * negative cache need to be examined. 425 * @return a dns_msg on success. NULL on failure. 426 */ 427 struct dns_msg* val_find_DS(struct module_env* env, uint8_t* nm, size_t nmlen, 428 uint16_t c, struct regional* region, uint8_t* topname); 429 430 #endif /* VALIDATOR_VAL_UTILS_H */ 431