#include "config.h"
#include "validator/val_utils.h"
#include "validator/validator.h"
#include "validator/val_kentry.h"
#include "validator/val_sigcrypt.h"
#include "validator/val_anchor.h"
#include "validator/val_nsec.h"
#include "validator/val_neg.h"
#include "services/cache/rrset.h"
#include "services/cache/dns.h"
#include "util/data/msgreply.h"
#include "util/data/packed_rrset.h"
#include "util/data/dname.h"
#include "util/net_help.h"
#include "util/module.h"
#include "util/regional.h"
#include "util/config_file.h"
#include "sldns/wire2str.h"
#include "sldns/parseutil.h"
#define MAX_DS_MATCH_FAILURES 4
enum val_classification
val_classify_response(uint16_t query_flags, struct query_info* origqinf,
struct query_info* qinf, struct reply_info* rep, size_t skip)
{
int rcode = (int)FLAGS_GET_RCODE(rep->flags);
size_t i;
if(rcode == LDNS_RCODE_NXDOMAIN && rep->an_numrrsets == 0)
return VAL_CLASS_NAMEERROR;
if(!(query_flags&BIT_RD) && rep->an_numrrsets == 0 &&
rcode == LDNS_RCODE_NOERROR) {
int saw_ns = 0;
for(i=0; i<rep->ns_numrrsets; i++) {
if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_SOA)
return VAL_CLASS_NODATA;
if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_DS)
return VAL_CLASS_REFERRAL;
if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NS)
saw_ns = 1;
}
return saw_ns?VAL_CLASS_REFERRAL:VAL_CLASS_NODATA;
}
if(!(query_flags&BIT_RD) && rep->ns_numrrsets == 0 &&
rep->an_numrrsets == 1 && rcode == LDNS_RCODE_NOERROR &&
ntohs(rep->rrsets[0]->rk.type) == LDNS_RR_TYPE_NS &&
query_dname_compare(rep->rrsets[0]->rk.dname,
origqinf->qname) != 0)
return VAL_CLASS_REFERRAL;
if(rcode != LDNS_RCODE_NOERROR && rcode != LDNS_RCODE_NXDOMAIN)
return VAL_CLASS_UNKNOWN;
if(skip>0 && rep->an_numrrsets <= skip)
return VAL_CLASS_CNAMENOANSWER;
if(rcode == LDNS_RCODE_NOERROR && rep->an_numrrsets == 0)
return VAL_CLASS_NODATA;
if(rcode == LDNS_RCODE_NOERROR && qinf->qtype == LDNS_RR_TYPE_ANY)
return VAL_CLASS_ANY;
if(qinf->qtype == LDNS_RR_TYPE_DNAME) {
for(i=skip; i<rep->an_numrrsets; i++) {
if(rcode == LDNS_RCODE_NOERROR &&
ntohs(rep->rrsets[i]->rk.type)
== LDNS_RR_TYPE_DNAME &&
query_dname_compare(qinf->qname,
rep->rrsets[i]->rk.dname) == 0) {
return VAL_CLASS_POSITIVE;
}
if(ntohs(rep->rrsets[i]->rk.type)
== LDNS_RR_TYPE_CNAME)
return VAL_CLASS_CNAME;
}
log_dns_msg("validator: error. failed to classify response message: ",
qinf, rep);
return VAL_CLASS_UNKNOWN;
}
for(i=skip; i<rep->an_numrrsets; i++) {
if(rcode == LDNS_RCODE_NOERROR &&
ntohs(rep->rrsets[i]->rk.type) == qinf->qtype)
return VAL_CLASS_POSITIVE;
if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_CNAME)
return VAL_CLASS_CNAME;
}
log_dns_msg("validator: error. failed to classify response message: ",
qinf, rep);
return VAL_CLASS_UNKNOWN;
}
static void
rrsig_get_signer(uint8_t* data, size_t len, uint8_t** sname, size_t* slen)
{
if(len < 21) {
*sname = NULL;
*slen = 0;
return;
}
data += 20;
len -= 20;
*slen = dname_valid(data, len);
if(!*slen) {
*sname = NULL;
return;
}
*sname = data;
}
void
val_find_rrset_signer(struct ub_packed_rrset_key* rrset, uint8_t** sname,
size_t* slen)
{
struct packed_rrset_data* d = (struct packed_rrset_data*)
rrset->entry.data;
if(d->rrsig_count == 0) {
*sname = NULL;
*slen = 0;
return;
}
rrsig_get_signer(d->rr_data[d->count], d->rr_len[d->count],
sname, slen);
}
static void
val_find_best_signer(struct ub_packed_rrset_key* rrset,
struct query_info* qinf, uint8_t** signer_name, size_t* signer_len,
int* matchcount)
{
struct packed_rrset_data* d = (struct packed_rrset_data*)
rrset->entry.data;
uint8_t* sign;
size_t i;
int m;
for(i=d->count; i<d->count+d->rrsig_count; i++) {
sign = d->rr_data[i]+2+18;
if(d->rr_len[i] > 2+19 &&
dname_subdomain_c(qinf->qname, sign)) {
(void)dname_lab_cmp(qinf->qname,
dname_count_labels(qinf->qname),
sign, dname_count_labels(sign), &m);
if(m > *matchcount) {
*matchcount = m;
*signer_name = sign;
(void)dname_count_size_labels(*signer_name,
signer_len);
}
}
}
}
static int
cname_under_previous_dname(struct reply_info* rep, size_t cname_idx,
size_t* ret)
{
size_t i;
for(i=0; i<cname_idx; i++) {
if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_DNAME &&
dname_strict_subdomain_c(rep->rrsets[cname_idx]->
rk.dname, rep->rrsets[i]->rk.dname)) {
*ret = i;
return 1;
}
}
*ret = 0;
return 0;
}
void
val_find_signer(enum val_classification subtype, struct query_info* qinf,
struct reply_info* rep, size_t skip, uint8_t** signer_name,
size_t* signer_len)
{
size_t i;
if(subtype == VAL_CLASS_POSITIVE) {
for(i=skip; i<rep->an_numrrsets; i++) {
if(query_dname_compare(qinf->qname,
rep->rrsets[i]->rk.dname) == 0) {
val_find_rrset_signer(rep->rrsets[i],
signer_name, signer_len);
if(*signer_name == NULL &&
qinf->qtype == LDNS_RR_TYPE_CNAME &&
ntohs(rep->rrsets[i]->rk.type) ==
LDNS_RR_TYPE_CNAME && i > skip &&
ntohs(rep->rrsets[i-1]->rk.type) ==
LDNS_RR_TYPE_DNAME &&
dname_strict_subdomain_c(rep->rrsets[i]->rk.dname, rep->rrsets[i-1]->rk.dname)) {
val_find_rrset_signer(rep->rrsets[i-1],
signer_name, signer_len);
}
return;
}
}
*signer_name = NULL;
*signer_len = 0;
} else if(subtype == VAL_CLASS_CNAME) {
size_t j;
for(i=skip; i<rep->an_numrrsets; i++) {
val_find_rrset_signer(rep->rrsets[i],
signer_name, signer_len);
if(*signer_name)
return;
if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_CNAME
&& cname_under_previous_dname(rep, i, &j)) {
val_find_rrset_signer(rep->rrsets[j],
signer_name, signer_len);
return;
}
if(ntohs(rep->rrsets[i]->rk.type) != LDNS_RR_TYPE_DNAME)
break;
}
*signer_name = NULL;
*signer_len = 0;
} else if(subtype == VAL_CLASS_NAMEERROR
|| subtype == VAL_CLASS_NODATA) {
for(i=rep->an_numrrsets; i<
rep->an_numrrsets+rep->ns_numrrsets; i++) {
if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NSEC
|| ntohs(rep->rrsets[i]->rk.type) ==
LDNS_RR_TYPE_NSEC3) {
val_find_rrset_signer(rep->rrsets[i],
signer_name, signer_len);
return;
}
}
} else if(subtype == VAL_CLASS_CNAMENOANSWER) {
int matchcount = 0;
*signer_name = NULL;
*signer_len = 0;
for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->
ns_numrrsets; i++) {
if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NSEC
|| ntohs(rep->rrsets[i]->rk.type) ==
LDNS_RR_TYPE_NSEC3) {
val_find_best_signer(rep->rrsets[i], qinf,
signer_name, signer_len, &matchcount);
}
}
} else if(subtype == VAL_CLASS_ANY) {
for(i=skip; i<rep->an_numrrsets; i++) {
if(query_dname_compare(qinf->qname,
rep->rrsets[i]->rk.dname) == 0) {
val_find_rrset_signer(rep->rrsets[i],
signer_name, signer_len);
if(*signer_name)
return;
}
}
if(skip < rep->an_numrrsets &&
ntohs(rep->rrsets[skip]->rk.type) ==
LDNS_RR_TYPE_DNAME) {
val_find_rrset_signer(rep->rrsets[skip],
signer_name, signer_len);
if(*signer_name)
return;
}
*signer_name = NULL;
*signer_len = 0;
} else if(subtype == VAL_CLASS_REFERRAL) {
if(skip < rep->rrset_count) {
val_find_rrset_signer(rep->rrsets[skip],
signer_name, signer_len);
return;
}
*signer_name = NULL;
*signer_len = 0;
} else {
verbose(VERB_QUERY, "find_signer: could not find signer name"
" for unknown type response");
*signer_name = NULL;
*signer_len = 0;
}
}
static size_t
rrset_get_count(struct ub_packed_rrset_key* rrset)
{
struct packed_rrset_data* d = (struct packed_rrset_data*)
rrset->entry.data;
if(!d) return 0;
return d->count;
}
static uint32_t
rrset_get_ttl(struct ub_packed_rrset_key* rrset)
{
struct packed_rrset_data* d = (struct packed_rrset_data*)
rrset->entry.data;
if(!d) return 0;
return d->ttl;
}
static enum sec_status
val_verify_rrset(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* keys,
uint8_t* sigalg, char** reason, sldns_ede_code *reason_bogus,
sldns_pkt_section section, struct module_qstate* qstate,
int *verified, char* reasonbuf, size_t reasonlen)
{
enum sec_status sec;
struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
entry.data;
if(d->security == sec_status_secure) {
log_nametypeclass(VERB_ALGO, "verify rrset cached",
rrset->rk.dname, ntohs(rrset->rk.type),
ntohs(rrset->rk.rrset_class));
*verified = 0;
return d->security;
}
rrset_check_sec_status(env->rrset_cache, rrset, *env->now);
if(d->security == sec_status_secure) {
log_nametypeclass(VERB_ALGO, "verify rrset from cache",
rrset->rk.dname, ntohs(rrset->rk.type),
ntohs(rrset->rk.rrset_class));
*verified = 0;
return d->security;
}
log_nametypeclass(VERB_ALGO, "verify rrset", rrset->rk.dname,
ntohs(rrset->rk.type), ntohs(rrset->rk.rrset_class));
sec = dnskeyset_verify_rrset(env, ve, rrset, keys, sigalg, reason,
reason_bogus, section, qstate, verified, reasonbuf, reasonlen);
verbose(VERB_ALGO, "verify result: %s", sec_status_to_string(sec));
regional_free_all(env->scratch);
if(sec > d->security) {
d->security = sec;
if(sec == sec_status_secure)
d->trust = rrset_trust_validated;
else if(sec == sec_status_bogus) {
size_t i;
d->ttl = ve->bogus_ttl;
for(i=0; i<d->count+d->rrsig_count; i++)
d->rr_ttl[i] = ve->bogus_ttl;
lock_basic_lock(&ve->bogus_lock);
ve->num_rrset_bogus++;
lock_basic_unlock(&ve->bogus_lock);
}
rrset_update_sec_status(env->rrset_cache, rrset, *env->now);
}
return sec;
}
enum sec_status
val_verify_rrset_entry(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key* rrset, struct key_entry_key* kkey,
char** reason, sldns_ede_code *reason_bogus,
sldns_pkt_section section, struct module_qstate* qstate,
int* verified, char* reasonbuf, size_t reasonlen)
{
struct ub_packed_rrset_key dnskey;
struct key_entry_data* kd = (struct key_entry_data*)kkey->entry.data;
enum sec_status sec;
dnskey.rk.type = htons(kd->rrset_type);
dnskey.rk.rrset_class = htons(kkey->key_class);
dnskey.rk.flags = 0;
dnskey.rk.dname = kkey->name;
dnskey.rk.dname_len = kkey->namelen;
dnskey.entry.key = &dnskey;
dnskey.entry.data = kd->rrset_data;
sec = val_verify_rrset(env, ve, rrset, &dnskey, kd->algo, reason,
reason_bogus, section, qstate, verified, reasonbuf, reasonlen);
return sec;
}
static enum sec_status
verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key* dnskey_rrset,
struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, char** reason,
sldns_ede_code *reason_bogus, struct module_qstate* qstate,
int *nonechecked, char* reasonbuf, size_t reasonlen)
{
enum sec_status sec = sec_status_bogus;
size_t i, num, numchecked = 0, numhashok = 0, numsizesupp = 0;
num = rrset_get_count(dnskey_rrset);
*nonechecked = 0;
for(i=0; i<num; i++) {
if(ds_get_key_algo(ds_rrset, ds_idx)
!= dnskey_get_algo(dnskey_rrset, i)
|| dnskey_calc_keytag(dnskey_rrset, i)
!= ds_get_keytag(ds_rrset, ds_idx)) {
continue;
}
numchecked++;
verbose(VERB_ALGO, "attempt DS match algo %d keytag %d",
ds_get_key_algo(ds_rrset, ds_idx),
ds_get_keytag(ds_rrset, ds_idx));
if(!ds_digest_match_dnskey(env, dnskey_rrset, i, ds_rrset,
ds_idx)) {
verbose(VERB_ALGO, "DS match attempt failed");
if(numchecked > numhashok + MAX_DS_MATCH_FAILURES) {
verbose(VERB_ALGO, "DS match attempt reached "
"MAX_DS_MATCH_FAILURES (%d); bogus",
MAX_DS_MATCH_FAILURES);
return sec_status_bogus;
}
continue;
}
numhashok++;
if(!dnskey_size_is_supported(dnskey_rrset, i)) {
verbose(VERB_ALGO, "DS okay but that DNSKEY size is not supported");
numsizesupp++;
continue;
}
verbose(VERB_ALGO, "DS match digest ok, trying signature");
sec = dnskey_verify_rrset(env, ve, dnskey_rrset, dnskey_rrset,
i, reason, reason_bogus, LDNS_SECTION_ANSWER, qstate);
if(sec == sec_status_secure) {
return sec;
}
}
if(numsizesupp != 0 || sec == sec_status_indeterminate) {
return sec_status_insecure;
}
if(numchecked == 0) {
algo_needs_reason(ds_get_key_algo(ds_rrset, ds_idx),
reason, "no keys have a DS", reasonbuf, reasonlen);
*nonechecked = 1;
} else if(numhashok == 0) {
*reason = "DS hash mismatches key";
} else if(!*reason) {
*reason = "keyset not secured by DNSKEY that matches DS";
}
return sec_status_bogus;
}
int val_favorite_ds_algo(struct ub_packed_rrset_key* ds_rrset)
{
size_t i, num = rrset_get_count(ds_rrset);
int d, digest_algo = 0;
for(i=0; i<num; i++) {
if(!ds_digest_algo_is_supported(ds_rrset, i) ||
!ds_key_algo_is_supported(ds_rrset, i)) {
continue;
}
d = ds_get_digest_algo(ds_rrset, i);
if(d > digest_algo)
digest_algo = d;
}
return digest_algo;
}
enum sec_status
val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key* dnskey_rrset,
struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason,
sldns_ede_code *reason_bogus, struct module_qstate* qstate,
char* reasonbuf, size_t reasonlen)
{
int has_useful_ds = 0, digest_algo, alg, has_algo_refusal = 0,
nonechecked, has_checked_ds = 0;
struct algo_needs needs;
size_t i, num;
enum sec_status sec;
if(dnskey_rrset->rk.dname_len != ds_rrset->rk.dname_len ||
query_dname_compare(dnskey_rrset->rk.dname, ds_rrset->rk.dname)
!= 0) {
verbose(VERB_QUERY, "DNSKEY RRset did not match DS RRset "
"by name");
*reason = "DNSKEY RRset did not match DS RRset by name";
return sec_status_bogus;
}
if(sigalg) {
digest_algo = val_favorite_ds_algo(ds_rrset);
algo_needs_init_ds(&needs, ds_rrset, digest_algo, sigalg);
} else {
digest_algo = -1;
}
num = rrset_get_count(ds_rrset);
for(i=0; i<num; i++) {
if(!ds_digest_algo_is_supported(ds_rrset, i) ||
!ds_key_algo_is_supported(ds_rrset, i) ||
(sigalg && (ds_get_digest_algo(ds_rrset, i) != digest_algo))) {
continue;
}
sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
ds_rrset, i, reason, reason_bogus, qstate,
&nonechecked, reasonbuf, reasonlen);
if(sec == sec_status_insecure) {
has_algo_refusal = 1;
continue;
}
if(!nonechecked)
has_checked_ds = 1;
has_useful_ds = 1;
if(sec == sec_status_secure) {
if(!sigalg || algo_needs_set_secure(&needs,
(uint8_t)ds_get_key_algo(ds_rrset, i))) {
verbose(VERB_ALGO, "DS matched DNSKEY.");
if(!dnskeyset_size_is_supported(dnskey_rrset)) {
verbose(VERB_ALGO, "DS works, but dnskeyset contain keys that are unsupported, treat as insecure");
return sec_status_insecure;
}
return sec_status_secure;
}
} else if(sigalg && sec == sec_status_bogus) {
algo_needs_set_bogus(&needs,
(uint8_t)ds_get_key_algo(ds_rrset, i));
}
}
if(has_algo_refusal && !has_checked_ds) {
verbose(VERB_ALGO, "No supported DS records were found -- "
"treating as insecure.");
return sec_status_insecure;
}
if(!has_useful_ds) {
verbose(VERB_ALGO, "No usable DS records were found -- "
"treating as insecure.");
return sec_status_insecure;
}
verbose(VERB_QUERY, "Failed to match any usable DS to a DNSKEY.");
if(sigalg && (alg=algo_needs_missing(&needs)) != 0) {
algo_needs_reason(alg, reason, "missing verification of "
"DNSKEY signature", reasonbuf, reasonlen);
}
return sec_status_bogus;
}
struct key_entry_key*
val_verify_new_DNSKEYs(struct regional* region, struct module_env* env,
struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason,
sldns_ede_code *reason_bogus, struct module_qstate* qstate,
char* reasonbuf, size_t reasonlen)
{
uint8_t sigalg[ALGO_NEEDS_MAX+1];
enum sec_status sec = val_verify_DNSKEY_with_DS(env, ve,
dnskey_rrset, ds_rrset, downprot?sigalg:NULL, reason,
reason_bogus, qstate, reasonbuf, reasonlen);
if(sec == sec_status_secure) {
return key_entry_create_rrset(region,
ds_rrset->rk.dname, ds_rrset->rk.dname_len,
ntohs(ds_rrset->rk.rrset_class), dnskey_rrset,
downprot?sigalg:NULL, LDNS_EDE_NONE, NULL,
*env->now);
} else if(sec == sec_status_insecure) {
return key_entry_create_null(region, ds_rrset->rk.dname,
ds_rrset->rk.dname_len,
ntohs(ds_rrset->rk.rrset_class),
rrset_get_ttl(ds_rrset), *reason_bogus, *reason,
*env->now);
}
return key_entry_create_bad(region, ds_rrset->rk.dname,
ds_rrset->rk.dname_len, ntohs(ds_rrset->rk.rrset_class),
BOGUS_KEY_TTL, *reason_bogus, *reason, *env->now);
}
enum sec_status
val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key* dnskey_rrset,
struct ub_packed_rrset_key* ta_ds,
struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason,
sldns_ede_code *reason_bogus, struct module_qstate* qstate,
char* reasonbuf, size_t reasonlen)
{
int has_useful_ta = 0, digest_algo = 0, alg, has_algo_refusal = 0,
nonechecked, has_checked_ds = 0;
struct algo_needs needs;
size_t i, num;
enum sec_status sec;
if(ta_ds && (dnskey_rrset->rk.dname_len != ta_ds->rk.dname_len ||
query_dname_compare(dnskey_rrset->rk.dname, ta_ds->rk.dname)
!= 0)) {
verbose(VERB_QUERY, "DNSKEY RRset did not match DS RRset "
"by name");
*reason = "DNSKEY RRset did not match DS RRset by name";
if(reason_bogus)
*reason_bogus = LDNS_EDE_DNSKEY_MISSING;
return sec_status_bogus;
}
if(ta_dnskey && (dnskey_rrset->rk.dname_len != ta_dnskey->rk.dname_len
|| query_dname_compare(dnskey_rrset->rk.dname, ta_dnskey->rk.dname)
!= 0)) {
verbose(VERB_QUERY, "DNSKEY RRset did not match anchor RRset "
"by name");
*reason = "DNSKEY RRset did not match anchor RRset by name";
if(reason_bogus)
*reason_bogus = LDNS_EDE_DNSKEY_MISSING;
return sec_status_bogus;
}
if(ta_ds)
digest_algo = val_favorite_ds_algo(ta_ds);
if(sigalg) {
if(ta_ds)
algo_needs_init_ds(&needs, ta_ds, digest_algo, sigalg);
else memset(&needs, 0, sizeof(needs));
if(ta_dnskey)
algo_needs_init_dnskey_add(&needs, ta_dnskey, sigalg);
}
if(ta_ds) {
num = rrset_get_count(ta_ds);
for(i=0; i<num; i++) {
if(!ds_digest_algo_is_supported(ta_ds, i) ||
!ds_key_algo_is_supported(ta_ds, i) ||
ds_get_digest_algo(ta_ds, i) != digest_algo)
continue;
sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
ta_ds, i, reason, reason_bogus, qstate, &nonechecked,
reasonbuf, reasonlen);
if(sec == sec_status_insecure) {
has_algo_refusal = 1;
continue;
}
if(!nonechecked)
has_checked_ds = 1;
has_useful_ta = 1;
if(sec == sec_status_secure) {
if(!sigalg || algo_needs_set_secure(&needs,
(uint8_t)ds_get_key_algo(ta_ds, i))) {
verbose(VERB_ALGO, "DS matched DNSKEY.");
if(!dnskeyset_size_is_supported(dnskey_rrset)) {
verbose(VERB_ALGO, "trustanchor works, but dnskeyset contain keys that are unsupported, treat as insecure");
return sec_status_insecure;
}
return sec_status_secure;
}
} else if(sigalg && sec == sec_status_bogus) {
algo_needs_set_bogus(&needs,
(uint8_t)ds_get_key_algo(ta_ds, i));
}
}
}
if(ta_dnskey) {
num = rrset_get_count(ta_dnskey);
for(i=0; i<num; i++) {
if(!dnskey_algo_is_supported(ta_dnskey, i))
continue;
if(!dnskey_size_is_supported(ta_dnskey, i))
continue;
has_useful_ta = 1;
sec = dnskey_verify_rrset(env, ve, dnskey_rrset,
ta_dnskey, i, reason, reason_bogus, LDNS_SECTION_ANSWER, qstate);
if(sec == sec_status_secure) {
if(!sigalg || algo_needs_set_secure(&needs,
(uint8_t)dnskey_get_algo(ta_dnskey, i))) {
verbose(VERB_ALGO, "anchor matched DNSKEY.");
if(!dnskeyset_size_is_supported(dnskey_rrset)) {
verbose(VERB_ALGO, "trustanchor works, but dnskeyset contain keys that are unsupported, treat as insecure");
return sec_status_insecure;
}
return sec_status_secure;
}
} else if(sigalg && sec == sec_status_bogus) {
algo_needs_set_bogus(&needs,
(uint8_t)dnskey_get_algo(ta_dnskey, i));
}
}
}
if(has_algo_refusal && !has_checked_ds) {
verbose(VERB_ALGO, "No supported trust anchors were found -- "
"treating as insecure.");
return sec_status_insecure;
}
if(!has_useful_ta) {
verbose(VERB_ALGO, "No usable trust anchors were found -- "
"treating as insecure.");
return sec_status_insecure;
}
verbose(VERB_QUERY, "Failed to match any usable anchor to a DNSKEY.");
if(sigalg && (alg=algo_needs_missing(&needs)) != 0) {
algo_needs_reason(alg, reason, "missing verification of "
"DNSKEY signature", reasonbuf, reasonlen);
}
return sec_status_bogus;
}
struct key_entry_key*
val_verify_new_DNSKEYs_with_ta(struct regional* region, struct module_env* env,
struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
struct ub_packed_rrset_key* ta_ds_rrset,
struct ub_packed_rrset_key* ta_dnskey_rrset, int downprot,
char** reason, sldns_ede_code *reason_bogus,
struct module_qstate* qstate, char* reasonbuf, size_t reasonlen)
{
uint8_t sigalg[ALGO_NEEDS_MAX+1];
enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve,
dnskey_rrset, ta_ds_rrset, ta_dnskey_rrset,
downprot?sigalg:NULL, reason, reason_bogus, qstate,
reasonbuf, reasonlen);
if(sec == sec_status_secure) {
return key_entry_create_rrset(region,
dnskey_rrset->rk.dname, dnskey_rrset->rk.dname_len,
ntohs(dnskey_rrset->rk.rrset_class), dnskey_rrset,
downprot?sigalg:NULL, LDNS_EDE_NONE, NULL, *env->now);
} else if(sec == sec_status_insecure) {
return key_entry_create_null(region, dnskey_rrset->rk.dname,
dnskey_rrset->rk.dname_len,
ntohs(dnskey_rrset->rk.rrset_class),
rrset_get_ttl(dnskey_rrset), *reason_bogus, *reason,
*env->now);
}
return key_entry_create_bad(region, dnskey_rrset->rk.dname,
dnskey_rrset->rk.dname_len, ntohs(dnskey_rrset->rk.rrset_class),
BOGUS_KEY_TTL, *reason_bogus, *reason, *env->now);
}
int
val_dsset_isusable(struct ub_packed_rrset_key* ds_rrset)
{
size_t i;
for(i=0; i<rrset_get_count(ds_rrset); i++) {
if(ds_digest_algo_is_supported(ds_rrset, i) &&
ds_key_algo_is_supported(ds_rrset, i))
return 1;
}
if(verbosity < VERB_ALGO)
return 0;
if(rrset_get_count(ds_rrset) == 0)
verbose(VERB_ALGO, "DS is not usable");
else {
sldns_lookup_table *lt;
char herr[64], aerr[64];
lt = sldns_lookup_by_id(sldns_hashes,
(int)ds_get_digest_algo(ds_rrset, 0));
if(lt) snprintf(herr, sizeof(herr), "%s", lt->name);
else snprintf(herr, sizeof(herr), "%d",
(int)ds_get_digest_algo(ds_rrset, 0));
lt = sldns_lookup_by_id(sldns_algorithms,
(int)ds_get_key_algo(ds_rrset, 0));
if(lt) snprintf(aerr, sizeof(aerr), "%s", lt->name);
else snprintf(aerr, sizeof(aerr), "%d",
(int)ds_get_key_algo(ds_rrset, 0));
verbose(VERB_ALGO, "DS unsupported, hash %s %s, "
"key algorithm %s %s", herr,
(ds_digest_algo_is_supported(ds_rrset, 0)?
"(supported)":"(unsupported)"), aerr,
(ds_key_algo_is_supported(ds_rrset, 0)?
"(supported)":"(unsupported)"));
}
return 0;
}
static uint8_t
rrsig_get_labcount(struct packed_rrset_data* d, size_t sig)
{
if(d->rr_len[sig] < 2+4)
return 0;
return d->rr_data[sig][2+3];
}
int
val_rrset_wildcard(struct ub_packed_rrset_key* rrset, uint8_t** wc,
size_t* wc_len)
{
struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
entry.data;
uint8_t labcount;
int labdiff;
uint8_t* wn;
size_t i, wl;
if(d->rrsig_count == 0) {
return 1;
}
labcount = rrsig_get_labcount(d, d->count + 0);
for(i=1; i<d->rrsig_count; i++) {
if(labcount != rrsig_get_labcount(d, d->count + i)) {
return 0;
}
}
wn = rrset->rk.dname;
wl = rrset->rk.dname_len;
if(dname_is_wild(wn)) {
wn += 2;
wl -= 2;
}
labdiff = (dname_count_labels(wn) - 1) - (int)labcount;
if(labdiff > 0) {
*wc = wn;
dname_remove_labels(wc, &wl, labdiff);
*wc_len = wl;
return 1;
}
return 1;
}
int
val_chase_cname(struct query_info* qchase, struct reply_info* rep,
size_t* cname_skip) {
size_t i;
for(i = *cname_skip; i < rep->an_numrrsets; i++) {
if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_CNAME &&
query_dname_compare(qchase->qname, rep->rrsets[i]->
rk.dname) == 0) {
qchase->qname = NULL;
get_cname_target(rep->rrsets[i], &qchase->qname,
&qchase->qname_len);
if(!qchase->qname)
return 0;
(*cname_skip) = i+1;
return 1;
}
}
return 0;
}
static int
rrset_has_signer(struct ub_packed_rrset_key* rrset, uint8_t* name, size_t len)
{
struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
entry.data;
size_t i;
for(i = d->count; i< d->count+d->rrsig_count; i++) {
if(d->rr_len[i] > 2+18+len) {
if(!dname_valid(d->rr_data[i]+2+18, d->rr_len[i]-2-18))
continue;
if(query_dname_compare(name, d->rr_data[i]+2+18) == 0)
{
return 1;
}
}
}
return 0;
}
void
val_fill_reply(struct reply_info* chase, struct reply_info* orig,
size_t skip, uint8_t* name, size_t len, uint8_t* signer)
{
size_t i, j;
int seen_dname = 0;
chase->rrset_count = 0;
chase->an_numrrsets = 0;
chase->ns_numrrsets = 0;
chase->ar_numrrsets = 0;
for(i=skip; i<orig->an_numrrsets; i++) {
if(!signer) {
if(query_dname_compare(name,
orig->rrsets[i]->rk.dname) == 0)
chase->rrsets[chase->an_numrrsets++] =
orig->rrsets[i];
} else if(seen_dname && ntohs(orig->rrsets[i]->rk.type) ==
LDNS_RR_TYPE_CNAME) {
chase->rrsets[chase->an_numrrsets++] = orig->rrsets[i];
seen_dname = 0;
} else if(rrset_has_signer(orig->rrsets[i], name, len)) {
chase->rrsets[chase->an_numrrsets++] = orig->rrsets[i];
if(ntohs(orig->rrsets[i]->rk.type) ==
LDNS_RR_TYPE_DNAME) {
seen_dname = 1;
}
} else if(ntohs(orig->rrsets[i]->rk.type) == LDNS_RR_TYPE_CNAME
&& ((struct packed_rrset_data*)orig->rrsets[i]->
entry.data)->rrsig_count == 0 &&
cname_under_previous_dname(orig, i, &j) &&
rrset_has_signer(orig->rrsets[j], name, len)) {
chase->rrsets[chase->an_numrrsets++] = orig->rrsets[j];
chase->rrsets[chase->an_numrrsets++] = orig->rrsets[i];
}
}
for(i = (skip > orig->an_numrrsets)?skip:orig->an_numrrsets;
i<orig->an_numrrsets+orig->ns_numrrsets;
i++) {
if(!signer) {
if(query_dname_compare(name,
orig->rrsets[i]->rk.dname) == 0)
chase->rrsets[chase->an_numrrsets+
chase->ns_numrrsets++] = orig->rrsets[i];
} else if(rrset_has_signer(orig->rrsets[i], name, len)) {
chase->rrsets[chase->an_numrrsets+
chase->ns_numrrsets++] = orig->rrsets[i];
}
}
for(i= (skip>orig->an_numrrsets+orig->ns_numrrsets)?
skip:orig->an_numrrsets+orig->ns_numrrsets;
i<orig->rrset_count; i++) {
if(!signer) {
if(query_dname_compare(name,
orig->rrsets[i]->rk.dname) == 0)
chase->rrsets[chase->an_numrrsets
+orig->ns_numrrsets+chase->ar_numrrsets++]
= orig->rrsets[i];
} else if(rrset_has_signer(orig->rrsets[i], name, len)) {
chase->rrsets[chase->an_numrrsets+orig->ns_numrrsets+
chase->ar_numrrsets++] = orig->rrsets[i];
}
}
chase->rrset_count = chase->an_numrrsets + chase->ns_numrrsets +
chase->ar_numrrsets;
}
void val_reply_remove_auth(struct reply_info* rep, size_t index)
{
log_assert(index < rep->rrset_count);
log_assert(index >= rep->an_numrrsets);
log_assert(index < rep->an_numrrsets+rep->ns_numrrsets);
memmove(rep->rrsets+index, rep->rrsets+index+1,
sizeof(struct ub_packed_rrset_key*)*
(rep->rrset_count - index - 1));
rep->ns_numrrsets--;
rep->rrset_count--;
}
void
val_check_nonsecure(struct module_env* env, struct reply_info* rep)
{
size_t i;
for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++) {
if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data)
->security != sec_status_secure) {
if(rep->an_numrrsets != 0 &&
ntohs(rep->rrsets[i]->rk.type)
== LDNS_RR_TYPE_NS) {
verbose(VERB_ALGO, "truncate to minimal");
rep->ar_numrrsets = 0;
rep->rrset_count = rep->an_numrrsets +
rep->ns_numrrsets;
memmove(rep->rrsets+i, rep->rrsets+i+1,
sizeof(struct ub_packed_rrset_key*)*
(rep->rrset_count - i - 1));
rep->ns_numrrsets--;
rep->rrset_count--;
i--;
return;
}
log_nametypeclass(VERB_QUERY, "message is bogus, "
"non secure rrset",
rep->rrsets[i]->rk.dname,
ntohs(rep->rrsets[i]->rk.type),
ntohs(rep->rrsets[i]->rk.rrset_class));
rep->security = sec_status_bogus;
return;
}
}
if(!env->cfg->val_clean_additional)
return;
for(i=rep->an_numrrsets+rep->ns_numrrsets; i<rep->rrset_count; i++) {
if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data)
->security != sec_status_secure) {
memmove(rep->rrsets+i, rep->rrsets+i+1,
sizeof(struct ub_packed_rrset_key*)*
(rep->rrset_count - i - 1));
rep->ar_numrrsets--;
rep->rrset_count--;
i--;
}
}
}
static int
check_no_anchor(struct val_anchors* anchors, uint8_t* nm, size_t l, uint16_t c)
{
struct trust_anchor* ta;
if((ta=anchors_lookup(anchors, nm, l, c))) {
lock_basic_unlock(&ta->lock);
}
return !ta;
}
void
val_mark_indeterminate(struct reply_info* rep, struct val_anchors* anchors,
struct rrset_cache* r, struct module_env* env)
{
size_t i;
struct packed_rrset_data* d;
for(i=0; i<rep->rrset_count; i++) {
d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data;
if(d->security == sec_status_unchecked &&
check_no_anchor(anchors, rep->rrsets[i]->rk.dname,
rep->rrsets[i]->rk.dname_len,
ntohs(rep->rrsets[i]->rk.rrset_class)))
{
d->security = sec_status_indeterminate;
rrset_update_sec_status(r, rep->rrsets[i], *env->now);
}
}
}
void
val_mark_insecure(struct reply_info* rep, uint8_t* kname,
struct rrset_cache* r, struct module_env* env)
{
size_t i;
struct packed_rrset_data* d;
for(i=0; i<rep->rrset_count; i++) {
d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data;
if(d->security == sec_status_unchecked &&
dname_subdomain_c(rep->rrsets[i]->rk.dname, kname)) {
d->security = sec_status_insecure;
rrset_update_sec_status(r, rep->rrsets[i], *env->now);
}
}
}
size_t
val_next_unchecked(struct reply_info* rep, size_t skip)
{
size_t i;
struct packed_rrset_data* d;
for(i=skip+1; i<rep->rrset_count; i++) {
d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data;
if(d->security == sec_status_unchecked) {
return i;
}
}
return rep->rrset_count;
}
const char*
val_classification_to_string(enum val_classification subtype)
{
switch(subtype) {
case VAL_CLASS_UNTYPED: return "untyped";
case VAL_CLASS_UNKNOWN: return "unknown";
case VAL_CLASS_POSITIVE: return "positive";
case VAL_CLASS_CNAME: return "cname";
case VAL_CLASS_NODATA: return "nodata";
case VAL_CLASS_NAMEERROR: return "nameerror";
case VAL_CLASS_CNAMENOANSWER: return "cnamenoanswer";
case VAL_CLASS_REFERRAL: return "referral";
case VAL_CLASS_ANY: return "qtype_any";
default:
return "bad_val_classification";
}
}
static void
sock_list_logentry(enum verbosity_value v, const char* s, struct sock_list* p)
{
if(p->len)
log_addr(v, s, &p->addr, p->len);
else verbose(v, "%s cache", s);
}
void val_blacklist(struct sock_list** blacklist, struct regional* region,
struct sock_list* origin, int cross)
{
if(verbosity >= VERB_ALGO) {
struct sock_list* p;
for(p=*blacklist; p; p=p->next)
sock_list_logentry(VERB_ALGO, "blacklist", p);
if(!origin)
verbose(VERB_ALGO, "blacklist add: cache");
for(p=origin; p; p=p->next)
sock_list_logentry(VERB_ALGO, "blacklist add", p);
}
if(!origin) {
if(!*blacklist)
sock_list_insert(blacklist, NULL, 0, region);
} else if(!cross)
sock_list_prepend(blacklist, origin);
else sock_list_merge(blacklist, region, origin);
}
int val_has_signed_nsecs(struct reply_info* rep, char** reason)
{
size_t i, num_nsec = 0, num_nsec3 = 0;
struct packed_rrset_data* d;
for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++) {
if(rep->rrsets[i]->rk.type == htons(LDNS_RR_TYPE_NSEC))
num_nsec++;
else if(rep->rrsets[i]->rk.type == htons(LDNS_RR_TYPE_NSEC3))
num_nsec3++;
else continue;
d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data;
if(d && d->rrsig_count != 0) {
return 1;
}
}
if(num_nsec == 0 && num_nsec3 == 0)
*reason = "no DNSSEC records";
else if(num_nsec != 0)
*reason = "no signatures over NSECs";
else *reason = "no signatures over NSEC3s";
return 0;
}
struct dns_msg*
val_find_DS(struct module_env* env, uint8_t* nm, size_t nmlen, uint16_t c,
struct regional* region, uint8_t* topname)
{
struct dns_msg* msg;
struct query_info qinfo;
struct ub_packed_rrset_key *rrset = rrset_cache_lookup(
env->rrset_cache, nm, nmlen, LDNS_RR_TYPE_DS, c, 0,
*env->now, 0);
if(rrset) {
struct ub_packed_rrset_key* copy = packed_rrset_copy_region(
rrset, region, *env->now);
lock_rw_unlock(&rrset->entry.lock);
if(!copy)
return NULL;
msg = dns_msg_create(nm, nmlen, LDNS_RR_TYPE_DS, c, region, 1);
if(!msg)
return NULL;
msg->rep->rrsets[0] = copy;
msg->rep->rrset_count++;
msg->rep->an_numrrsets++;
return msg;
}
qinfo.qname = nm;
qinfo.qname_len = nmlen;
qinfo.qtype = LDNS_RR_TYPE_DS;
qinfo.qclass = c;
qinfo.local_alias = NULL;
msg = val_neg_getmsg(env->neg_cache, &qinfo, region, env->rrset_cache,
env->scratch_buffer, *env->now, 0, topname, env->cfg);
return msg;
}
