xref: /freebsd/contrib/unbound/validator/val_utils.h (revision b64c5a0ace59af62eff52bfe110a521dc73c937b)
1 /*
2  * validator/val_utils.h - validator utility functions.
3  *
4  * Copyright (c) 2007, NLnet Labs. All rights reserved.
5  *
6  * This software is open source.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * Redistributions of source code must retain the above copyright notice,
13  * this list of conditions and the following disclaimer.
14  *
15  * Redistributions in binary form must reproduce the above copyright notice,
16  * this list of conditions and the following disclaimer in the documentation
17  * and/or other materials provided with the distribution.
18  *
19  * Neither the name of the NLNET LABS nor the names of its contributors may
20  * be used to endorse or promote products derived from this software without
21  * specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 /**
37  * \file
38  *
39  * This file contains helper functions for the validator module.
40  */
41 
42 #ifndef VALIDATOR_VAL_UTILS_H
43 #define VALIDATOR_VAL_UTILS_H
44 #include "util/data/packed_rrset.h"
45 #include "sldns/pkthdr.h"
46 #include "sldns/rrdef.h"
47 struct query_info;
48 struct reply_info;
49 struct val_env;
50 struct module_env;
51 struct module_qstate;
52 struct ub_packed_rrset_key;
53 struct key_entry_key;
54 struct regional;
55 struct val_anchors;
56 struct rrset_cache;
57 struct sock_list;
58 
59 /**
60  * Response classifications for the validator. The different types of proofs.
61  */
62 enum val_classification {
63 	/** Not subtyped yet. */
64 	VAL_CLASS_UNTYPED = 0,
65 	/** Not a recognized subtype. */
66 	VAL_CLASS_UNKNOWN,
67 	/** A positive, direct, response */
68 	VAL_CLASS_POSITIVE,
69 	/** A positive response, with a CNAME/DNAME chain. */
70 	VAL_CLASS_CNAME,
71 	/** A NOERROR/NODATA response. */
72 	VAL_CLASS_NODATA,
73 	/** A NXDOMAIN response. */
74 	VAL_CLASS_NAMEERROR,
75 	/** A CNAME/DNAME chain, and the offset is at the end of it,
76 	 * but there is no answer here, it can be NAMEERROR or NODATA. */
77 	VAL_CLASS_CNAMENOANSWER,
78 	/** A referral, from cache with a nonRD query. */
79 	VAL_CLASS_REFERRAL,
80 	/** A response to a qtype=ANY query. */
81 	VAL_CLASS_ANY
82 };
83 
84 /**
85  * Given a response, classify ANSWER responses into a subtype.
86  * @param query_flags: query flags for the original query.
87  * @param origqinf: query info. The original query name.
88  * @param qinf: query info. The chased query name.
89  * @param rep: response. The original response.
90  * @param skip: offset into the original response answer section.
91  * @return A subtype, all values possible except UNTYPED .
92  * 	Once CNAME type is returned you can increase skip.
93  * 	Then, another CNAME type, CNAME_NOANSWER or POSITIVE are possible.
94  */
95 enum val_classification val_classify_response(uint16_t query_flags,
96 	struct query_info* origqinf, struct query_info* qinf,
97 	struct reply_info* rep, size_t skip);
98 
99 /**
100  * Given a response, determine the name of the "signer". This is primarily
101  * to determine if the response is, in fact, signed at all, and, if so, what
102  * is the name of the most pertinent keyset.
103  *
104  * @param subtype: the type from classify.
105  * @param qinf: query, the chased query name.
106  * @param rep: response to that, original response.
107  * @param cname_skip: how many answer rrsets have been skipped due to CNAME
108  * 	chains being chased around.
109  * @param signer_name:  signer name, if the response is signed
110  * 	(even partially), or null if the response isn't signed.
111  * @param signer_len: length of signer_name of 0 if signer_name is NULL.
112  */
113 void val_find_signer(enum val_classification subtype,
114 	struct query_info* qinf, struct reply_info* rep,
115 	size_t cname_skip, uint8_t** signer_name, size_t* signer_len);
116 
117 /**
118  * Verify RRset with keys from a keyset.
119  * @param env: module environment (scratch buffer)
120  * @param ve: validator environment (verification settings)
121  * @param rrset: what to verify
122  * @param kkey: key_entry to verify with.
123  * @param reason: reason of failure. Fixed string or alloced in scratch.
124  * @param reason_bogus: EDE (RFC8914) code paired with the reason of failure.
125  * @param section: section of packet where this rrset comes from.
126  * @param qstate: qstate with region.
127  * @param verified: if not NULL, the number of RRSIG validations is returned.
128  * @param reasonbuf: buffer to use for fail reason string print.
129  * @param reasonlen: length of reasonbuf.
130  * @return security status of verification.
131  */
132 enum sec_status val_verify_rrset_entry(struct module_env* env,
133 	struct val_env* ve, struct ub_packed_rrset_key* rrset,
134 	struct key_entry_key* kkey, char** reason, sldns_ede_code *reason_bogus,
135 	sldns_pkt_section section, struct module_qstate* qstate,
136 	int* verified, char* reasonbuf, size_t reasonlen);
137 
138 /**
139  * Verify DNSKEYs with DS rrset. Like val_verify_new_DNSKEYs but
140  * returns a sec_status instead of a key_entry.
141  * @param env: module environment (scratch buffer)
142  * @param ve: validator environment (verification settings)
143  * @param dnskey_rrset: DNSKEY rrset to verify
144  * @param ds_rrset: DS rrset to verify with.
145  * @param sigalg: if nonNULL provide downgrade protection otherwise one
146  *   algorithm is enough.  The list of signalled algorithms is returned,
147  *   must have enough space for ALGO_NEEDS_MAX+1.
148  * @param reason: reason of failure. Fixed string or alloced in scratch.
149  * @param reason_bogus: EDE (RFC8914) code paired with the reason of failure.
150  * @param qstate: qstate with region.
151  * @param reasonbuf: buffer to use for fail reason string print.
152  * @param reasonlen: length of reasonbuf.
153  * @return: sec_status_secure if a DS matches.
154  *     sec_status_insecure if end of trust (i.e., unknown algorithms).
155  *     sec_status_bogus if it fails.
156  */
157 enum sec_status val_verify_DNSKEY_with_DS(struct module_env* env,
158     struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
159     struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason,
160     sldns_ede_code *reason_bogus, struct module_qstate* qstate,
161     char* reasonbuf, size_t reasonlen);
162 
163 /**
164  * Verify DNSKEYs with DS and DNSKEY rrset.  Like val_verify_DNSKEY_with_DS
165  * but for a trust anchor.
166  * @param env: module environment (scratch buffer)
167  * @param ve: validator environment (verification settings)
168  * @param dnskey_rrset: DNSKEY rrset to verify
169  * @param ta_ds: DS rrset to verify with.
170  * @param ta_dnskey: DNSKEY rrset to verify with.
171  * @param sigalg: if nonNULL provide downgrade protection otherwise one
172  *   algorithm is enough.  The list of signalled algorithms is returned,
173  *   must have enough space for ALGO_NEEDS_MAX+1.
174  * @param reason: reason of failure. Fixed string or alloced in scratch.
175  * @param reason_bogus: EDE (RFC8914) code paired with the reason of failure.
176  * @param qstate: qstate with region.
177  * @param reasonbuf: buffer to use for fail reason string print.
178  * @param reasonlen: length of reasonbuf.
179  * @return: sec_status_secure if a DS matches.
180  *     sec_status_insecure if end of trust (i.e., unknown algorithms).
181  *     sec_status_bogus if it fails.
182  */
183 enum sec_status val_verify_DNSKEY_with_TA(struct module_env* env,
184     struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
185     struct ub_packed_rrset_key* ta_ds,
186     struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason,
187     sldns_ede_code *reason_bogus, struct module_qstate* qstate,
188     char* reasonbuf, size_t reasonlen);
189 
190 /**
191  * Verify new DNSKEYs with DS rrset. The DS contains hash values that should
192  * match the DNSKEY keys.
193  * match the DS to a DNSKEY and verify the DNSKEY rrset with that key.
194  *
195  * @param region: where to allocate key entry result.
196  * @param env: module environment (scratch buffer)
197  * @param ve: validator environment (verification settings)
198  * @param dnskey_rrset: DNSKEY rrset to verify
199  * @param ds_rrset: DS rrset to verify with.
200  * @param downprot: if true provide downgrade protection otherwise one
201  *   algorithm is enough.
202  * @param reason: reason of failure. Fixed string or alloced in scratch.
203  * @param reason_bogus: EDE (RFC8914) code paired with the reason of failure.
204  * @param qstate: qstate with region.
205  * @param reasonbuf: buffer to use for fail reason string print.
206  * @param reasonlen: length of reasonbuf.
207  * @return a KeyEntry. This will either contain the now trusted
208  *         dnskey_rrset, a "null" key entry indicating that this DS
209  *         rrset/DNSKEY pair indicate an secure end to the island of trust
210  *         (i.e., unknown algorithms), or a "bad" KeyEntry if the dnskey
211  *         rrset fails to verify. Note that the "null" response should
212  *         generally only occur in a private algorithm scenario: normally
213  *         this sort of thing is checked before fetching the matching DNSKEY
214  *         rrset.
215  *         if downprot is set, a key entry with an algo list is made.
216  */
217 struct key_entry_key* val_verify_new_DNSKEYs(struct regional* region,
218     struct module_env* env, struct val_env* ve,
219     struct ub_packed_rrset_key* dnskey_rrset,
220     struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason,
221     sldns_ede_code *reason_bogus, struct module_qstate* qstate,
222     char* reasonbuf, size_t reasonlen);
223 
224 /**
225  * Verify rrset with trust anchor: DS and DNSKEY rrset.
226  *
227  * @param region: where to allocate key entry result.
228  * @param env: module environment (scratch buffer)
229  * @param ve: validator environment (verification settings)
230  * @param dnskey_rrset: DNSKEY rrset to verify
231  * @param ta_ds_rrset: DS rrset to verify with.
232  * @param ta_dnskey_rrset: the DNSKEY rrset to verify with.
233  * @param downprot: if true provide downgrade protection otherwise one
234  *   algorithm is enough.
235  * @param reason: reason of failure. Fixed string or alloced in scratch.
236  * @param reason_bogus: EDE (RFC8914) code paired with the reason of failure.
237  * @param qstate: qstate with region.
238  * @param reasonbuf: buffer to use for fail reason string print.
239  * @param reasonlen: length of reasonbuf.
240  * @return a KeyEntry. This will either contain the now trusted
241  *         dnskey_rrset, a "null" key entry indicating that this DS
242  *         rrset/DNSKEY pair indicate an secure end to the island of trust
243  *         (i.e., unknown algorithms), or a "bad" KeyEntry if the dnskey
244  *         rrset fails to verify. Note that the "null" response should
245  *         generally only occur in a private algorithm scenario: normally
246  *         this sort of thing is checked before fetching the matching DNSKEY
247  *         rrset.
248  *         if downprot is set, a key entry with an algo list is made.
249  */
250 struct key_entry_key* val_verify_new_DNSKEYs_with_ta(struct regional* region,
251     struct module_env* env, struct val_env* ve,
252     struct ub_packed_rrset_key* dnskey_rrset,
253     struct ub_packed_rrset_key* ta_ds_rrset,
254     struct ub_packed_rrset_key* ta_dnskey_rrset, int downprot,
255     char** reason, sldns_ede_code *reason_bogus, struct module_qstate* qstate,
256     char* reasonbuf, size_t reasonlen);
257 
258 /**
259  * Determine if DS rrset is usable for validator or not.
260  * Returns true if the algorithms for key and DShash are supported,
261  * for at least one RR.
262  *
263  * @param ds_rrset: the newly received DS rrset.
264  * @return true or false if not usable.
265  */
266 int val_dsset_isusable(struct ub_packed_rrset_key* ds_rrset);
267 
268 /**
269  * Determine by looking at a signed RRset whether or not the RRset name was
270  * the result of a wildcard expansion. If so, return the name of the
271  * generating wildcard.
272  *
273  * @param rrset The rrset to check.
274  * @param wc: the wildcard name, if the rrset was synthesized from a wildcard.
275  *         unchanged if not.  The wildcard name, without "*." in front, is
276  *         returned. This is a pointer into the rrset owner name.
277  * @param wc_len: the length of the returned wildcard name.
278  * @return false if the signatures are inconsistent in indicating the
279  * 	wildcard status; possible spoofing of wildcard response for other
280  * 	responses is being tried. We lost the status which rrsig was verified
281  * 	after the verification routine finished, so we simply check if
282  * 	the signatures are consistent; inserting a fake signature is a denial
283  * 	of service; but in that you could also have removed the real
284  * 	signature anyway.
285  */
286 int val_rrset_wildcard(struct ub_packed_rrset_key* rrset, uint8_t** wc,
287 	size_t* wc_len);
288 
289 /**
290  * Chase the cname to the next query name.
291  * @param qchase: the current query name, updated to next target.
292  * @param rep: original message reply to look at CNAMEs.
293  * @param cname_skip: the skip into the answer section. Updated to skip
294  * 	DNAME and CNAME to the next part of the answer.
295  * @return false on error (bad rdata).
296  */
297 int val_chase_cname(struct query_info* qchase, struct reply_info* rep,
298 	size_t* cname_skip);
299 
300 /**
301  * Fill up the chased reply with the content from the original reply;
302  * as pointers to those rrsets. Select the part after the cname_skip into
303  * the answer section, NS and AR sections that are signed with same signer.
304  *
305  * @param chase: chased reply, filled up.
306  * @param orig: original reply.
307  * @param cname_skip: which part of the answer section to skip.
308  * 	The skipped part contains CNAME(and DNAME)s that have been chased.
309  * @param name: the signer name to look for.
310  * @param len: length of name.
311  * @param signer: signer name or NULL if an unsigned RRset is considered.
312  *	If NULL, rrsets with the lookup name are copied over.
313  */
314 void val_fill_reply(struct reply_info* chase, struct reply_info* orig,
315 	size_t cname_skip, uint8_t* name, size_t len, uint8_t* signer);
316 
317 /**
318  * Remove rrset with index from reply, from the authority section.
319  * @param rep: reply to remove it from.
320  * @param index: rrset to remove, must be in the authority section.
321  */
322 void val_reply_remove_auth(struct reply_info* rep, size_t index);
323 
324 /**
325  * Remove all unsigned or non-secure status rrsets from NS and AR sections.
326  * So that unsigned data does not get let through to clients, when we have
327  * found the data to be secure.
328  *
329  * @param env: environment with cleaning options.
330  * @param rep: reply to dump all nonsecure stuff out of.
331  */
332 void val_check_nonsecure(struct module_env* env, struct reply_info* rep);
333 
334 /**
335  * Mark all unchecked rrset entries not below a trust anchor as indeterminate.
336  * Only security==unchecked rrsets are updated.
337  * @param rep: the reply with rrsets.
338  * @param anchors: the trust anchors.
339  * @param r: rrset cache to store updated security status into.
340  * @param env: module environment
341  */
342 void val_mark_indeterminate(struct reply_info* rep,
343 	struct val_anchors* anchors, struct rrset_cache* r,
344 	struct module_env* env);
345 
346 /**
347  * Mark all unchecked rrset entries below a NULL key entry as insecure.
348  * Only security==unchecked rrsets are updated.
349  * @param rep: the reply with rrsets.
350  * @param kname: end of secure space name.
351  * @param r: rrset cache to store updated security status into.
352  * @param env: module environment
353  */
354 void val_mark_insecure(struct reply_info* rep, uint8_t* kname,
355 	struct rrset_cache* r, struct module_env* env);
356 
357 /**
358  * Find next unchecked rrset position, return it for skip.
359  * @param rep: the original reply to look into.
360  * @param skip: the skip now.
361  * @return new skip, which may be at the rep->rrset_count position to signal
362  * 	there are no unchecked items.
363  */
364 size_t val_next_unchecked(struct reply_info* rep, size_t skip);
365 
366 /**
367  * Find the signer name for an RRset.
368  * @param rrset: the rrset.
369  * @param sname: signer name is returned or NULL if not signed.
370  * @param slen: length of sname (or 0).
371  */
372 void val_find_rrset_signer(struct ub_packed_rrset_key* rrset, uint8_t** sname,
373 	size_t* slen);
374 
375 /**
376  * Get string to denote the classification result.
377  * @param subtype: from classification function.
378  * @return static string to describe the classification.
379  */
380 const char* val_classification_to_string(enum val_classification subtype);
381 
382 /**
383  * Add existing list to blacklist.
384  * @param blacklist: the blacklist with result
385  * @param region: the region where blacklist is allocated.
386  *	Allocation failures are logged.
387  * @param origin: origin list to add, if NULL, a cache-entry is added to
388  *   the blacklist to stop cache from being used.
389  * @param cross: if true this is a cross-qstate copy, and the 'origin'
390  *   list is not allocated in the same region as the blacklist.
391  */
392 void val_blacklist(struct sock_list** blacklist, struct regional* region,
393 	struct sock_list* origin, int cross);
394 
395 /**
396  * check if has dnssec info, and if it has signed nsecs. gives error reason.
397  * @param rep: reply to check.
398  * @param reason: returned on fail.
399  * @return false if message has no signed nsecs.  Can not prove negatives.
400  */
401 int val_has_signed_nsecs(struct reply_info* rep, char** reason);
402 
403 /**
404  * Return algo number for favorite (best) algorithm that we support in DS.
405  * @param ds_rrset: the DSes in this rrset are inspected and best algo chosen.
406  * @return algo number or 0 if none supported. 0 is unused as algo number.
407  */
408 int val_favorite_ds_algo(struct ub_packed_rrset_key* ds_rrset);
409 
410 /**
411  * Find DS denial message in cache.  Saves new qstate allocation and allows
412  * the validator to use partial content which is not enough to construct a
413  * message for network (or user) consumption.  Without SOA for example,
414  * which is a common occurrence in the unbound code since the referrals contain
415  * NSEC/NSEC3 rrs without the SOA element, thus do not allow synthesis of a
416  * full negative reply, but do allow synthesis of sufficient proof.
417  * @param env: query env with caches and time.
418  * @param nm: name of DS record sought.
419  * @param nmlen: length of name.
420  * @param c: class of DS RR.
421  * @param region: where to allocate result.
422  * @param topname: name of the key that is currently in use, that will get
423  *	used to validate the result, and thus no higher entries from the
424  *	negative cache need to be examined.
425  * @return a dns_msg on success. NULL on failure.
426  */
427 struct dns_msg* val_find_DS(struct module_env* env, uint8_t* nm, size_t nmlen,
428 	uint16_t c, struct regional* region, uint8_t* topname);
429 
430 #endif /* VALIDATOR_VAL_UTILS_H */
431