#include "config.h"
#include <ctype.h>
#include "validator/val_nsec3.h"
#include "validator/val_secalgo.h"
#include "validator/validator.h"
#include "validator/val_kentry.h"
#include "services/cache/rrset.h"
#include "util/regional.h"
#include "util/rbtree.h"
#include "util/module.h"
#include "util/net_help.h"
#include "util/data/packed_rrset.h"
#include "util/data/dname.h"
#include "util/data/msgreply.h"
#include "validator/val_nsec.h"
#include "sldns/sbuffer.h"
#include "util/config_file.h"
#define MAX_NSEC3_CALCULATIONS 8
#define MAX_NSEC3_ERRORS -1
int sldns_b32_ntop_extended_hex(uint8_t const *src, size_t srclength,
char *target, size_t targsize);
int sldns_b32_pton_extended_hex(char const *src, size_t hashed_owner_str_len,
uint8_t *target, size_t targsize);
struct ce_response {
uint8_t* ce;
size_t ce_len;
struct ub_packed_rrset_key* ce_rrset;
int ce_rr;
struct ub_packed_rrset_key* nc_rrset;
int nc_rr;
};
struct nsec3_filter {
uint8_t* zone;
size_t zone_len;
struct ub_packed_rrset_key** list;
size_t num;
uint16_t fclass;
};
static size_t
rrset_get_count(struct ub_packed_rrset_key* rrset)
{
struct packed_rrset_data* d = (struct packed_rrset_data*)
rrset->entry.data;
if(!d) return 0;
return d->count;
}
static int
nsec3_unknown_flags(struct ub_packed_rrset_key* rrset, int r)
{
struct packed_rrset_data* d = (struct packed_rrset_data*)
rrset->entry.data;
log_assert(d && r < (int)d->count);
if(d->rr_len[r] < 2+2)
return 0;
return (int)(d->rr_data[r][2+1] & NSEC3_UNKNOWN_FLAGS);
}
int
nsec3_has_optout(struct ub_packed_rrset_key* rrset, int r)
{
struct packed_rrset_data* d = (struct packed_rrset_data*)
rrset->entry.data;
log_assert(d && r < (int)d->count);
if(d->rr_len[r] < 2+2)
return 0;
return (int)(d->rr_data[r][2+1] & NSEC3_OPTOUT);
}
static int
nsec3_get_algo(struct ub_packed_rrset_key* rrset, int r)
{
struct packed_rrset_data* d = (struct packed_rrset_data*)
rrset->entry.data;
log_assert(d && r < (int)d->count);
if(d->rr_len[r] < 2+1)
return 0;
return (int)(d->rr_data[r][2+0]);
}
static int
nsec3_known_algo(struct ub_packed_rrset_key* rrset, int r)
{
struct packed_rrset_data* d = (struct packed_rrset_data*)
rrset->entry.data;
log_assert(d && r < (int)d->count);
if(d->rr_len[r] < 2+1)
return 0;
switch(d->rr_data[r][2+0]) {
case NSEC3_HASH_SHA1:
return 1;
}
return 0;
}
static size_t
nsec3_get_iter(struct ub_packed_rrset_key* rrset, int r)
{
uint16_t i;
struct packed_rrset_data* d = (struct packed_rrset_data*)
rrset->entry.data;
log_assert(d && r < (int)d->count);
if(d->rr_len[r] < 2+4)
return 0;
memmove(&i, d->rr_data[r]+2+2, sizeof(i));
i = ntohs(i);
return (size_t)i;
}
static int
nsec3_get_salt(struct ub_packed_rrset_key* rrset, int r,
uint8_t** salt, size_t* saltlen)
{
struct packed_rrset_data* d = (struct packed_rrset_data*)
rrset->entry.data;
log_assert(d && r < (int)d->count);
if(d->rr_len[r] < 2+5) {
*salt = 0;
*saltlen = 0;
return 0;
}
*saltlen = (size_t)d->rr_data[r][2+4];
if(d->rr_len[r] < 2+5+(size_t)*saltlen) {
*salt = 0;
*saltlen = 0;
return 0;
}
*salt = d->rr_data[r]+2+5;
return 1;
}
int nsec3_get_params(struct ub_packed_rrset_key* rrset, int r,
int* algo, size_t* iter, uint8_t** salt, size_t* saltlen)
{
if(!nsec3_known_algo(rrset, r) || nsec3_unknown_flags(rrset, r))
return 0;
if(!nsec3_get_salt(rrset, r, salt, saltlen))
return 0;
*algo = nsec3_get_algo(rrset, r);
*iter = nsec3_get_iter(rrset, r);
return 1;
}
int
nsec3_get_nextowner(struct ub_packed_rrset_key* rrset, int r,
uint8_t** next, size_t* nextlen)
{
size_t saltlen;
struct packed_rrset_data* d = (struct packed_rrset_data*)
rrset->entry.data;
log_assert(d && r < (int)d->count);
if(d->rr_len[r] < 2+5) {
*next = 0;
*nextlen = 0;
return 0;
}
saltlen = (size_t)d->rr_data[r][2+4];
if(d->rr_len[r] < 2+5+saltlen+1) {
*next = 0;
*nextlen = 0;
return 0;
}
*nextlen = (size_t)d->rr_data[r][2+5+saltlen];
if(d->rr_len[r] < 2+5+saltlen+1+*nextlen) {
*next = 0;
*nextlen = 0;
return 0;
}
*next = d->rr_data[r]+2+5+saltlen+1;
return 1;
}
size_t nsec3_hash_to_b32(uint8_t* hash, size_t hashlen, uint8_t* zone,
size_t zonelen, uint8_t* buf, size_t max)
{
int ret;
if(max < hashlen*2+1)
return 0;
ret = sldns_b32_ntop_extended_hex(hash, hashlen, (char*)buf+1, max-1);
if(ret < 1)
return 0;
buf[0] = (uint8_t)ret;
ret++;
if(max - ret < zonelen)
return 0;
memmove(buf+ret, zone, zonelen);
return zonelen+(size_t)ret;
}
size_t nsec3_get_nextowner_b32(struct ub_packed_rrset_key* rrset, int r,
uint8_t* buf, size_t max)
{
uint8_t* nm, *zone;
size_t nmlen, zonelen;
if(!nsec3_get_nextowner(rrset, r, &nm, &nmlen))
return 0;
zone = rrset->rk.dname;
zonelen = rrset->rk.dname_len;
dname_remove_label(&zone, &zonelen);
return nsec3_hash_to_b32(nm, nmlen, zone, zonelen, buf, max);
}
int
nsec3_has_type(struct ub_packed_rrset_key* rrset, int r, uint16_t type)
{
uint8_t* bitmap;
size_t bitlen, skiplen;
struct packed_rrset_data* d = (struct packed_rrset_data*)
rrset->entry.data;
log_assert(d && r < (int)d->count);
skiplen = 2+4;
if(d->rr_len[r] < skiplen+1)
return 0;
skiplen += 1+(size_t)d->rr_data[r][skiplen];
if(d->rr_len[r] < skiplen+1)
return 0;
skiplen += 1+(size_t)d->rr_data[r][skiplen];
if(d->rr_len[r] < skiplen)
return 0;
bitlen = d->rr_len[r] - skiplen;
bitmap = d->rr_data[r]+skiplen;
return nsecbitmap_has_type_rdata(bitmap, bitlen, type);
}
static struct ub_packed_rrset_key*
filter_next(struct nsec3_filter* filter, size_t* rrsetnum, int* rrnum)
{
size_t i;
int r;
uint8_t* nm;
size_t nmlen;
if(!filter->zone)
return NULL;
for(i=*rrsetnum; i<filter->num; i++) {
if(ntohs(filter->list[i]->rk.type) != LDNS_RR_TYPE_NSEC3 ||
ntohs(filter->list[i]->rk.rrset_class) !=
filter->fclass)
continue;
nm = filter->list[i]->rk.dname;
nmlen = filter->list[i]->rk.dname_len;
dname_remove_label(&nm, &nmlen);
if(query_dname_compare(nm, filter->zone) != 0)
continue;
if(i == *rrsetnum)
r = (*rrnum) + 1;
else r = 0;
for(; r < (int)rrset_get_count(filter->list[i]); r++) {
if(nsec3_unknown_flags(filter->list[i], r) ||
!nsec3_known_algo(filter->list[i], r))
continue;
*rrsetnum = i;
*rrnum = r;
return filter->list[i];
}
}
return NULL;
}
static struct ub_packed_rrset_key*
filter_first(struct nsec3_filter* filter, size_t* rrsetnum, int* rrnum)
{
*rrsetnum = 0;
*rrnum = -1;
return filter_next(filter, rrsetnum, rrnum);
}
static int
nsec3_rrset_has_known(struct ub_packed_rrset_key* s)
{
int r;
for(r=0; r < (int)rrset_get_count(s); r++) {
if(!nsec3_unknown_flags(s, r) && nsec3_known_algo(s, r))
return 1;
}
return 0;
}
static void
filter_init(struct nsec3_filter* filter, struct ub_packed_rrset_key** list,
size_t num, struct query_info* qinfo)
{
size_t i;
uint8_t* nm;
size_t nmlen;
filter->zone = NULL;
filter->zone_len = 0;
filter->list = list;
filter->num = num;
filter->fclass = qinfo->qclass;
for(i=0; i<num; i++) {
if(ntohs(list[i]->rk.type) != LDNS_RR_TYPE_NSEC3 ||
ntohs(list[i]->rk.rrset_class) != qinfo->qclass)
continue;
if(!nsec3_rrset_has_known(list[i]))
continue;
nm = list[i]->rk.dname;
nmlen = list[i]->rk.dname_len;
dname_remove_label(&nm, &nmlen);
if(dname_subdomain_c(qinfo->qname, nm) && (!filter->zone ||
dname_subdomain_c(nm, filter->zone))) {
if(qinfo->qtype == LDNS_RR_TYPE_DS &&
query_dname_compare(qinfo->qname, nm) == 0 &&
!dname_is_root(qinfo->qname))
continue;
filter->zone = nm;
filter->zone_len = nmlen;
}
}
}
static size_t
get_max_iter(struct val_env* ve, size_t bits)
{
int i;
log_assert(ve->nsec3_keyiter_count > 0);
for(i=0; i<ve->nsec3_keyiter_count; i++) {
if(bits <= ve->nsec3_keysize[i])
return ve->nsec3_maxiter[i];
}
return ve->nsec3_maxiter[ve->nsec3_keyiter_count-1];
}
static int
nsec3_iteration_count_high(struct val_env* ve, struct nsec3_filter* filter,
struct key_entry_key* kkey)
{
size_t rrsetnum;
int rrnum;
struct ub_packed_rrset_key* rrset;
size_t bits = key_entry_keysize(kkey);
size_t max_iter = get_max_iter(ve, bits);
verbose(VERB_ALGO, "nsec3: keysize %d bits, max iterations %d",
(int)bits, (int)max_iter);
for(rrset=filter_first(filter, &rrsetnum, &rrnum); rrset;
rrset=filter_next(filter, &rrsetnum, &rrnum)) {
if(nsec3_get_iter(rrset, rrnum) > max_iter)
return 1;
}
return 0;
}
int
nsec3_hash_cmp(const void* c1, const void* c2)
{
struct nsec3_cached_hash* h1 = (struct nsec3_cached_hash*)c1;
struct nsec3_cached_hash* h2 = (struct nsec3_cached_hash*)c2;
uint8_t* s1, *s2;
size_t s1len, s2len;
int c = query_dname_compare(h1->dname, h2->dname);
if(c != 0)
return c;
if(nsec3_get_algo(h1->nsec3, h1->rr) !=
nsec3_get_algo(h2->nsec3, h2->rr)) {
if(nsec3_get_algo(h1->nsec3, h1->rr) <
nsec3_get_algo(h2->nsec3, h2->rr))
return -1;
return 1;
}
if(nsec3_get_iter(h1->nsec3, h1->rr) !=
nsec3_get_iter(h2->nsec3, h2->rr)) {
if(nsec3_get_iter(h1->nsec3, h1->rr) <
nsec3_get_iter(h2->nsec3, h2->rr))
return -1;
return 1;
}
(void)nsec3_get_salt(h1->nsec3, h1->rr, &s1, &s1len);
(void)nsec3_get_salt(h2->nsec3, h2->rr, &s2, &s2len);
if(s1len == 0 && s2len == 0)
return 0;
if(!s1) return -1;
if(!s2) return 1;
if(s1len != s2len) {
if(s1len < s2len)
return -1;
return 1;
}
return memcmp(s1, s2, s1len);
}
int
nsec3_cache_table_init(struct nsec3_cache_table* ct, struct regional* region)
{
if(ct->ct) return 1;
ct->ct = (rbtree_type*)regional_alloc(region, sizeof(*ct->ct));
if(!ct->ct) return 0;
ct->region = region;
rbtree_init(ct->ct, &nsec3_hash_cmp);
return 1;
}
size_t
nsec3_get_hashed(sldns_buffer* buf, uint8_t* nm, size_t nmlen, int algo,
size_t iter, uint8_t* salt, size_t saltlen, uint8_t* res, size_t max)
{
size_t i, hash_len;
sldns_buffer_clear(buf);
sldns_buffer_write(buf, nm, nmlen);
query_dname_tolower(sldns_buffer_begin(buf));
if(saltlen != 0)
sldns_buffer_write(buf, salt, saltlen);
sldns_buffer_flip(buf);
hash_len = nsec3_hash_algo_size_supported(algo);
if(hash_len == 0) {
log_err("nsec3 hash of unknown algo %d", algo);
return 0;
}
if(hash_len > max)
return 0;
if(!secalgo_nsec3_hash(algo, (unsigned char*)sldns_buffer_begin(buf),
sldns_buffer_limit(buf), (unsigned char*)res))
return 0;
for(i=0; i<iter; i++) {
sldns_buffer_clear(buf);
sldns_buffer_write(buf, res, hash_len);
if(saltlen != 0)
sldns_buffer_write(buf, salt, saltlen);
sldns_buffer_flip(buf);
if(!secalgo_nsec3_hash(algo,
(unsigned char*)sldns_buffer_begin(buf),
sldns_buffer_limit(buf), (unsigned char*)res))
return 0;
}
return hash_len;
}
static int
nsec3_calc_hash(struct regional* region, sldns_buffer* buf,
struct nsec3_cached_hash* c)
{
int algo = nsec3_get_algo(c->nsec3, c->rr);
size_t iter = nsec3_get_iter(c->nsec3, c->rr);
uint8_t* salt;
size_t saltlen, i;
if(!nsec3_get_salt(c->nsec3, c->rr, &salt, &saltlen))
return -1;
sldns_buffer_clear(buf);
sldns_buffer_write(buf, c->dname, c->dname_len);
query_dname_tolower(sldns_buffer_begin(buf));
sldns_buffer_write(buf, salt, saltlen);
sldns_buffer_flip(buf);
c->hash_len = nsec3_hash_algo_size_supported(algo);
if(c->hash_len == 0) {
log_err("nsec3 hash of unknown algo %d", algo);
return -1;
}
c->hash = (uint8_t*)regional_alloc(region, c->hash_len);
if(!c->hash)
return 0;
(void)secalgo_nsec3_hash(algo, (unsigned char*)sldns_buffer_begin(buf),
sldns_buffer_limit(buf), (unsigned char*)c->hash);
for(i=0; i<iter; i++) {
sldns_buffer_clear(buf);
sldns_buffer_write(buf, c->hash, c->hash_len);
sldns_buffer_write(buf, salt, saltlen);
sldns_buffer_flip(buf);
(void)secalgo_nsec3_hash(algo,
(unsigned char*)sldns_buffer_begin(buf),
sldns_buffer_limit(buf), (unsigned char*)c->hash);
}
return 1;
}
static int
nsec3_calc_b32(struct regional* region, sldns_buffer* buf,
struct nsec3_cached_hash* c)
{
int r;
sldns_buffer_clear(buf);
r = sldns_b32_ntop_extended_hex(c->hash, c->hash_len,
(char*)sldns_buffer_begin(buf), sldns_buffer_limit(buf));
if(r < 1) {
log_err("b32_ntop_extended_hex: error in encoding: %d", r);
return 0;
}
c->b32_len = (size_t)r;
c->b32 = regional_alloc_init(region, sldns_buffer_begin(buf),
c->b32_len);
if(!c->b32)
return 0;
return 1;
}
int
nsec3_hash_name(rbtree_type* table, struct regional* region, sldns_buffer* buf,
struct ub_packed_rrset_key* nsec3, int rr, uint8_t* dname,
size_t dname_len, struct nsec3_cached_hash** hash)
{
struct nsec3_cached_hash* c;
struct nsec3_cached_hash looki;
#ifdef UNBOUND_DEBUG
rbnode_type* n;
#endif
int r;
looki.node.key = &looki;
looki.nsec3 = nsec3;
looki.rr = rr;
looki.dname = dname;
looki.dname_len = dname_len;
c = (struct nsec3_cached_hash*)rbtree_search(table, &looki);
if(c) {
*hash = c;
return 2;
}
c = (struct nsec3_cached_hash*)regional_alloc(region, sizeof(*c));
if(!c) return 0;
c->node.key = c;
c->nsec3 = nsec3;
c->rr = rr;
c->dname = dname;
c->dname_len = dname_len;
r = nsec3_calc_hash(region, buf, c);
if(r != 1)
return r;
r = nsec3_calc_b32(region, buf, c);
if(r != 1)
return r;
#ifdef UNBOUND_DEBUG
n =
#else
(void)
#endif
rbtree_insert(table, &c->node);
log_assert(n);
*hash = c;
return 1;
}
static int
label_compare_lower(uint8_t* lab1, uint8_t* lab2, size_t lablen)
{
size_t i;
for(i=0; i<lablen; i++) {
if(tolower((unsigned char)*lab1) != tolower((unsigned char)*lab2)) {
if(tolower((unsigned char)*lab1) < tolower((unsigned char)*lab2))
return -1;
return 1;
}
lab1++;
lab2++;
}
return 0;
}
static int
nsec3_hash_matches_owner(struct nsec3_filter* flt,
struct nsec3_cached_hash* hash, struct ub_packed_rrset_key* s)
{
uint8_t* nm = s->rk.dname;
if(!hash) return 0;
if(hash->b32_len != 0 && (size_t)nm[0] == hash->b32_len &&
label_compare_lower(nm+1, hash->b32, hash->b32_len) == 0 &&
query_dname_compare(nm+(size_t)nm[0]+1, flt->zone) == 0) {
return 1;
}
return 0;
}
static int
find_matching_nsec3(struct module_env* env, struct nsec3_filter* flt,
struct nsec3_cache_table* ct, uint8_t* nm, size_t nmlen,
struct ub_packed_rrset_key** rrset, int* rr,
int* calculations)
{
size_t i_rs;
int i_rr;
struct ub_packed_rrset_key* s;
struct nsec3_cached_hash* hash = NULL;
int r;
int calc_errors = 0;
for(s=filter_first(flt, &i_rs, &i_rr); s;
s=filter_next(flt, &i_rs, &i_rr)) {
if(*calculations >= MAX_NSEC3_CALCULATIONS) {
if(calc_errors == *calculations) {
*calculations = MAX_NSEC3_ERRORS;
}
break;
}
r = nsec3_hash_name(ct->ct, ct->region, env->scratch_buffer,
s, i_rr, nm, nmlen, &hash);
if(r == 0) {
log_err("nsec3: malloc failure");
break;
} else if(r < 0) {
calc_errors++;
(*calculations)++;
continue;
} else {
if(r == 1) (*calculations)++;
if(nsec3_hash_matches_owner(flt, hash, s)) {
*rrset = s;
*rr = i_rr;
return 1;
}
}
}
*rrset = NULL;
*rr = 0;
return 0;
}
int
nsec3_covers(uint8_t* zone, struct nsec3_cached_hash* hash,
struct ub_packed_rrset_key* rrset, int rr, sldns_buffer* buf)
{
uint8_t* next, *owner;
size_t nextlen;
int len;
if(!nsec3_get_nextowner(rrset, rr, &next, &nextlen))
return 0;
if(!hash) return 0;
if(nextlen != hash->hash_len || hash->hash_len==0||hash->b32_len==0||
(size_t)*rrset->rk.dname != hash->b32_len ||
query_dname_compare(rrset->rk.dname+1+
(size_t)*rrset->rk.dname, zone) != 0)
return 0;
if(label_compare_lower(rrset->rk.dname+1, hash->b32,
hash->b32_len) < 0 &&
memcmp(hash->hash, next, nextlen) < 0)
return 1;
sldns_buffer_clear(buf);
owner = sldns_buffer_begin(buf);
len = sldns_b32_pton_extended_hex((char*)rrset->rk.dname+1,
hash->b32_len, owner, sldns_buffer_limit(buf));
if(len<1)
return 0;
if((size_t)len != hash->hash_len || (size_t)len != nextlen)
return 0;
if(memcmp(next, owner, nextlen) <= 0 &&
( memcmp(hash->hash, owner, nextlen) > 0 ||
memcmp(hash->hash, next, nextlen) < 0)) {
return 1;
}
return 0;
}
static int
find_covering_nsec3(struct module_env* env, struct nsec3_filter* flt,
struct nsec3_cache_table* ct, uint8_t* nm, size_t nmlen,
struct ub_packed_rrset_key** rrset, int* rr,
int* calculations)
{
size_t i_rs;
int i_rr;
struct ub_packed_rrset_key* s;
struct nsec3_cached_hash* hash = NULL;
int r;
int calc_errors = 0;
for(s=filter_first(flt, &i_rs, &i_rr); s;
s=filter_next(flt, &i_rs, &i_rr)) {
if(*calculations >= MAX_NSEC3_CALCULATIONS) {
if(calc_errors == *calculations) {
*calculations = MAX_NSEC3_ERRORS;
}
break;
}
r = nsec3_hash_name(ct->ct, ct->region, env->scratch_buffer,
s, i_rr, nm, nmlen, &hash);
if(r == 0) {
log_err("nsec3: malloc failure");
break;
} else if(r < 0) {
calc_errors++;
(*calculations)++;
continue;
} else {
if(r == 1) (*calculations)++;
if(nsec3_covers(flt->zone, hash, s, i_rr,
env->scratch_buffer)) {
*rrset = s;
*rr = i_rr;
return 1;
}
}
}
*rrset = NULL;
*rr = 0;
return 0;
}
static int
nsec3_find_closest_encloser(struct module_env* env, struct nsec3_filter* flt,
struct nsec3_cache_table* ct, struct query_info* qinfo,
struct ce_response* ce, int* calculations)
{
uint8_t* nm = qinfo->qname;
size_t nmlen = qinfo->qname_len;
while(dname_subdomain_c(nm, flt->zone)) {
if(*calculations >= MAX_NSEC3_CALCULATIONS ||
*calculations == MAX_NSEC3_ERRORS) {
return 0;
}
if(find_matching_nsec3(env, flt, ct, nm, nmlen,
&ce->ce_rrset, &ce->ce_rr, calculations)) {
ce->ce = nm;
ce->ce_len = nmlen;
return 1;
}
dname_remove_label(&nm, &nmlen);
}
return 0;
}
static void
next_closer(uint8_t* qname, size_t qnamelen, uint8_t* ce,
uint8_t** nm, size_t* nmlen)
{
int strip = dname_count_labels(qname) - dname_count_labels(ce) -1;
*nm = qname;
*nmlen = qnamelen;
if(strip>0)
dname_remove_labels(nm, nmlen, strip);
}
static enum sec_status
nsec3_prove_closest_encloser(struct module_env* env, struct nsec3_filter* flt,
struct nsec3_cache_table* ct, struct query_info* qinfo,
int prove_does_not_exist, struct ce_response* ce, int* calculations)
{
uint8_t* nc;
size_t nc_len;
memset(ce, 0, sizeof(*ce));
if(!nsec3_find_closest_encloser(env, flt, ct, qinfo, ce, calculations)) {
if(*calculations == MAX_NSEC3_ERRORS) {
verbose(VERB_ALGO, "nsec3 proveClosestEncloser: could "
"not find a candidate for the closest "
"encloser; all attempted hash calculations "
"were erroneous; bogus");
return sec_status_bogus;
} else if(*calculations >= MAX_NSEC3_CALCULATIONS) {
verbose(VERB_ALGO, "nsec3 proveClosestEncloser: could "
"not find a candidate for the closest "
"encloser; reached MAX_NSEC3_CALCULATIONS "
"(%d); unchecked still",
MAX_NSEC3_CALCULATIONS);
return sec_status_unchecked;
}
verbose(VERB_ALGO, "nsec3 proveClosestEncloser: could "
"not find a candidate for the closest encloser.");
return sec_status_bogus;
}
log_nametypeclass(VERB_ALGO, "ce candidate", ce->ce, 0, 0);
if(query_dname_compare(ce->ce, qinfo->qname) == 0) {
if(prove_does_not_exist) {
verbose(VERB_ALGO, "nsec3 proveClosestEncloser: "
"proved that qname existed, bad");
return sec_status_bogus;
}
return sec_status_secure;
}
if(nsec3_has_type(ce->ce_rrset, ce->ce_rr, LDNS_RR_TYPE_NS) &&
!nsec3_has_type(ce->ce_rrset, ce->ce_rr, LDNS_RR_TYPE_SOA)) {
if(!nsec3_has_type(ce->ce_rrset, ce->ce_rr, LDNS_RR_TYPE_DS)) {
verbose(VERB_ALGO, "nsec3 proveClosestEncloser: "
"closest encloser is insecure delegation");
return sec_status_insecure;
}
verbose(VERB_ALGO, "nsec3 proveClosestEncloser: closest "
"encloser was a delegation, bad");
return sec_status_bogus;
}
if(nsec3_has_type(ce->ce_rrset, ce->ce_rr, LDNS_RR_TYPE_DNAME)) {
verbose(VERB_ALGO, "nsec3 proveClosestEncloser: closest "
"encloser was a DNAME, bad");
return sec_status_bogus;
}
next_closer(qinfo->qname, qinfo->qname_len, ce->ce, &nc, &nc_len);
if(!find_covering_nsec3(env, flt, ct, nc, nc_len,
&ce->nc_rrset, &ce->nc_rr, calculations)) {
if(*calculations == MAX_NSEC3_ERRORS) {
verbose(VERB_ALGO, "nsec3: Could not find proof that the "
"candidate encloser was the closest encloser; "
"all attempted hash calculations were "
"erroneous; bogus");
return sec_status_bogus;
} else if(*calculations >= MAX_NSEC3_CALCULATIONS) {
verbose(VERB_ALGO, "nsec3: Could not find proof that the "
"candidate encloser was the closest encloser; "
"reached MAX_NSEC3_CALCULATIONS (%d); "
"unchecked still",
MAX_NSEC3_CALCULATIONS);
return sec_status_unchecked;
}
verbose(VERB_ALGO, "nsec3: Could not find proof that the "
"candidate encloser was the closest encloser");
return sec_status_bogus;
}
return sec_status_secure;
}
static uint8_t*
nsec3_ce_wildcard(struct regional* region, uint8_t* ce, size_t celen,
size_t* len)
{
uint8_t* nm;
if(celen > LDNS_MAX_DOMAINLEN - 2)
return 0;
nm = (uint8_t*)regional_alloc(region, celen+2);
if(!nm) {
log_err("nsec3 wildcard: out of memory");
return 0;
}
nm[0] = 1;
nm[1] = (uint8_t)'*';
memmove(nm+2, ce, celen);
*len = celen+2;
return nm;
}
static enum sec_status
nsec3_do_prove_nameerror(struct module_env* env, struct nsec3_filter* flt,
struct nsec3_cache_table* ct, struct query_info* qinfo, int* calc)
{
struct ce_response ce;
uint8_t* wc;
size_t wclen;
struct ub_packed_rrset_key* wc_rrset;
int wc_rr;
enum sec_status sec;
sec = nsec3_prove_closest_encloser(env, flt, ct, qinfo, 1, &ce, calc);
if(sec != sec_status_secure) {
if(sec == sec_status_bogus)
verbose(VERB_ALGO, "nsec3 nameerror proof: failed "
"to prove a closest encloser");
else if(sec == sec_status_unchecked)
verbose(VERB_ALGO, "nsec3 nameerror proof: will "
"continue proving closest encloser after "
"suspend");
else verbose(VERB_ALGO, "nsec3 nameerror proof: closest "
"nsec3 is an insecure delegation");
return sec;
}
log_nametypeclass(VERB_ALGO, "nsec3 nameerror: proven ce=", ce.ce,0,0);
log_assert(ce.ce);
wc = nsec3_ce_wildcard(ct->region, ce.ce, ce.ce_len, &wclen);
if(!wc) {
verbose(VERB_ALGO, "nsec3 nameerror proof: could not prove "
"that the applicable wildcard did not exist.");
return sec_status_bogus;
}
if(!find_covering_nsec3(env, flt, ct, wc, wclen, &wc_rrset, &wc_rr, calc)) {
if(*calc == MAX_NSEC3_ERRORS) {
verbose(VERB_ALGO, "nsec3 nameerror proof: could not prove "
"that the applicable wildcard did not exist; "
"all attempted hash calculations were "
"erroneous; bogus");
return sec_status_bogus;
} else if(*calc >= MAX_NSEC3_CALCULATIONS) {
verbose(VERB_ALGO, "nsec3 nameerror proof: could not prove "
"that the applicable wildcard did not exist; "
"reached MAX_NSEC3_CALCULATIONS (%d); "
"unchecked still",
MAX_NSEC3_CALCULATIONS);
return sec_status_unchecked;
}
verbose(VERB_ALGO, "nsec3 nameerror proof: could not prove "
"that the applicable wildcard did not exist.");
return sec_status_bogus;
}
if(ce.nc_rrset && nsec3_has_optout(ce.nc_rrset, ce.nc_rr)) {
verbose(VERB_ALGO, "nsec3 nameerror proof: nc has optout");
return sec_status_insecure;
}
return sec_status_secure;
}
enum sec_status
nsec3_prove_nameerror(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key** list, size_t num,
struct query_info* qinfo, struct key_entry_key* kkey,
struct nsec3_cache_table* ct, int* calc)
{
struct nsec3_filter flt;
if(!list || num == 0 || !kkey || !key_entry_isgood(kkey))
return sec_status_bogus;
filter_init(&flt, list, num, qinfo);
if(!flt.zone)
return sec_status_bogus;
if(nsec3_iteration_count_high(ve, &flt, kkey))
return sec_status_insecure;
log_nametypeclass(VERB_ALGO, "start nsec3 nameerror proof, zone",
flt.zone, 0, 0);
return nsec3_do_prove_nameerror(env, &flt, ct, qinfo, calc);
}
static enum sec_status
nsec3_do_prove_nodata(struct module_env* env, struct nsec3_filter* flt,
struct nsec3_cache_table* ct, struct query_info* qinfo,
int* calc)
{
struct ce_response ce;
uint8_t* wc;
size_t wclen;
struct ub_packed_rrset_key* rrset;
int rr;
enum sec_status sec;
if(find_matching_nsec3(env, flt, ct, qinfo->qname, qinfo->qname_len,
&rrset, &rr, calc)) {
if(nsec3_has_type(rrset, rr, qinfo->qtype)) {
verbose(VERB_ALGO, "proveNodata: Matching NSEC3 "
"proved that type existed, bogus");
return sec_status_bogus;
} else if(nsec3_has_type(rrset, rr, LDNS_RR_TYPE_CNAME)) {
verbose(VERB_ALGO, "proveNodata: Matching NSEC3 "
"proved that a CNAME existed, bogus");
return sec_status_bogus;
}
if(qinfo->qtype == LDNS_RR_TYPE_DS && qinfo->qname_len != 1
&& nsec3_has_type(rrset, rr, LDNS_RR_TYPE_SOA) &&
!dname_is_root(qinfo->qname)) {
verbose(VERB_ALGO, "proveNodata: apex NSEC3 "
"abused for no DS proof, bogus");
return sec_status_bogus;
} else if(qinfo->qtype != LDNS_RR_TYPE_DS &&
nsec3_has_type(rrset, rr, LDNS_RR_TYPE_NS) &&
!nsec3_has_type(rrset, rr, LDNS_RR_TYPE_SOA)) {
if(!nsec3_has_type(rrset, rr, LDNS_RR_TYPE_DS)) {
verbose(VERB_ALGO, "proveNodata: matching "
"NSEC3 is insecure delegation");
return sec_status_insecure;
}
verbose(VERB_ALGO, "proveNodata: matching "
"NSEC3 is a delegation, bogus");
return sec_status_bogus;
}
return sec_status_secure;
}
if(*calc == MAX_NSEC3_ERRORS) {
verbose(VERB_ALGO, "proveNodata: all attempted hash "
"calculations were erroneous while finding a matching "
"NSEC3, bogus");
return sec_status_bogus;
} else if(*calc >= MAX_NSEC3_CALCULATIONS) {
verbose(VERB_ALGO, "proveNodata: reached "
"MAX_NSEC3_CALCULATIONS (%d) while finding a "
"matching NSEC3; unchecked still",
MAX_NSEC3_CALCULATIONS);
return sec_status_unchecked;
}
sec = nsec3_prove_closest_encloser(env, flt, ct, qinfo, 1, &ce, calc);
if(sec == sec_status_bogus) {
verbose(VERB_ALGO, "proveNodata: did not match qname, "
"nor found a proven closest encloser.");
return sec_status_bogus;
} else if(sec==sec_status_insecure && qinfo->qtype!=LDNS_RR_TYPE_DS){
verbose(VERB_ALGO, "proveNodata: closest nsec3 is insecure "
"delegation.");
return sec_status_insecure;
} else if(sec==sec_status_unchecked) {
return sec_status_unchecked;
}
log_assert(ce.ce);
wc = nsec3_ce_wildcard(ct->region, ce.ce, ce.ce_len, &wclen);
if(wc && find_matching_nsec3(env, flt, ct, wc, wclen, &rrset, &rr,
calc)) {
if(nsec3_has_type(rrset, rr, qinfo->qtype)) {
verbose(VERB_ALGO, "nsec3 nodata proof: matching "
"wildcard had qtype, bogus");
return sec_status_bogus;
} else if(nsec3_has_type(rrset, rr, LDNS_RR_TYPE_CNAME)) {
verbose(VERB_ALGO, "nsec3 nodata proof: matching "
"wildcard had a CNAME, bogus");
return sec_status_bogus;
}
if(qinfo->qtype == LDNS_RR_TYPE_DS && qinfo->qname_len != 1
&& nsec3_has_type(rrset, rr, LDNS_RR_TYPE_SOA)) {
verbose(VERB_ALGO, "nsec3 nodata proof: matching "
"wildcard for no DS proof has a SOA, bogus");
return sec_status_bogus;
} else if(qinfo->qtype != LDNS_RR_TYPE_DS &&
nsec3_has_type(rrset, rr, LDNS_RR_TYPE_NS) &&
!nsec3_has_type(rrset, rr, LDNS_RR_TYPE_SOA)) {
verbose(VERB_ALGO, "nsec3 nodata proof: matching "
"wildcard is a delegation, bogus");
return sec_status_bogus;
}
if(ce.nc_rrset && nsec3_has_optout(ce.nc_rrset, ce.nc_rr)) {
verbose(VERB_ALGO, "nsec3 nodata proof: matching "
"wildcard is in optout range, insecure");
return sec_status_insecure;
}
return sec_status_secure;
}
if(*calc == MAX_NSEC3_ERRORS) {
verbose(VERB_ALGO, "nsec3 nodata proof: all attempted hash "
"calculations were erroneous while matching "
"wildcard, bogus");
return sec_status_bogus;
} else if(*calc >= MAX_NSEC3_CALCULATIONS) {
verbose(VERB_ALGO, "nsec3 nodata proof: reached "
"MAX_NSEC3_CALCULATIONS (%d) while matching "
"wildcard, unchecked still",
MAX_NSEC3_CALCULATIONS);
return sec_status_unchecked;
}
if(!ce.nc_rrset) {
verbose(VERB_ALGO, "nsec3 nodata proof: no next closer nsec3");
return sec_status_bogus;
}
log_assert(ce.nc_rrset);
if(!nsec3_has_optout(ce.nc_rrset, ce.nc_rr)) {
if(qinfo->qtype == LDNS_RR_TYPE_DS)
verbose(VERB_ALGO, "proveNodata: covering NSEC3 was not "
"opt-out in an opt-out DS NOERROR/NODATA case.");
else verbose(VERB_ALGO, "proveNodata: could not find matching "
"NSEC3, nor matching wildcard, nor optout NSEC3 "
"-- no more options, bogus.");
return sec_status_bogus;
}
return sec_status_insecure;
}
enum sec_status
nsec3_prove_nodata(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key** list, size_t num,
struct query_info* qinfo, struct key_entry_key* kkey,
struct nsec3_cache_table* ct, int* calc)
{
struct nsec3_filter flt;
if(!list || num == 0 || !kkey || !key_entry_isgood(kkey))
return sec_status_bogus;
filter_init(&flt, list, num, qinfo);
if(!flt.zone)
return sec_status_bogus;
if(nsec3_iteration_count_high(ve, &flt, kkey))
return sec_status_insecure;
return nsec3_do_prove_nodata(env, &flt, ct, qinfo, calc);
}
enum sec_status
nsec3_prove_wildcard(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key** list, size_t num,
struct query_info* qinfo, struct key_entry_key* kkey, uint8_t* wc,
struct nsec3_cache_table* ct, int* calc)
{
struct nsec3_filter flt;
struct ce_response ce;
uint8_t* nc;
size_t nc_len;
size_t wclen;
(void)dname_count_size_labels(wc, &wclen);
if(!list || num == 0 || !kkey || !key_entry_isgood(kkey))
return sec_status_bogus;
filter_init(&flt, list, num, qinfo);
if(!flt.zone)
return sec_status_bogus;
if(nsec3_iteration_count_high(ve, &flt, kkey))
return sec_status_insecure;
memset(&ce, 0, sizeof(ce));
ce.ce = wc;
ce.ce_len = wclen;
next_closer(qinfo->qname, qinfo->qname_len, ce.ce, &nc, &nc_len);
if(!find_covering_nsec3(env, &flt, ct, nc, nc_len,
&ce.nc_rrset, &ce.nc_rr, calc)) {
if(*calc == MAX_NSEC3_ERRORS) {
verbose(VERB_ALGO, "proveWildcard: did not find a "
"covering NSEC3 that covered the next closer "
"name; all attempted hash calculations were "
"erroneous; bogus");
return sec_status_bogus;
} else if(*calc >= MAX_NSEC3_CALCULATIONS) {
verbose(VERB_ALGO, "proveWildcard: did not find a "
"covering NSEC3 that covered the next closer "
"name; reached MAX_NSEC3_CALCULATIONS "
"(%d); unchecked still",
MAX_NSEC3_CALCULATIONS);
return sec_status_unchecked;
}
verbose(VERB_ALGO, "proveWildcard: did not find a covering "
"NSEC3 that covered the next closer name.");
return sec_status_bogus;
}
if(ce.nc_rrset && nsec3_has_optout(ce.nc_rrset, ce.nc_rr)) {
verbose(VERB_ALGO, "proveWildcard: NSEC3 optout");
return sec_status_insecure;
}
return sec_status_secure;
}
static int
list_is_secure(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key** list, size_t num,
struct key_entry_key* kkey, char** reason, sldns_ede_code *reason_bogus,
struct module_qstate* qstate, char* reasonbuf, size_t reasonlen)
{
struct packed_rrset_data* d;
size_t i;
int verified = 0;
for(i=0; i<num; i++) {
d = (struct packed_rrset_data*)list[i]->entry.data;
if(list[i]->rk.type != htons(LDNS_RR_TYPE_NSEC3))
continue;
if(d->security == sec_status_secure)
continue;
rrset_check_sec_status(env->rrset_cache, list[i], *env->now);
if(d->security == sec_status_secure)
continue;
d->security = val_verify_rrset_entry(env, ve, list[i], kkey,
reason, reason_bogus, LDNS_SECTION_AUTHORITY, qstate,
&verified, reasonbuf, reasonlen);
if(d->security != sec_status_secure) {
verbose(VERB_ALGO, "NSEC3 did not verify");
return 0;
}
rrset_update_sec_status(env->rrset_cache, list[i], *env->now);
}
return 1;
}
enum sec_status
nsec3_prove_nods(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key** list, size_t num,
struct query_info* qinfo, struct key_entry_key* kkey, char** reason,
sldns_ede_code* reason_bogus, struct module_qstate* qstate,
struct nsec3_cache_table* ct, char* reasonbuf, size_t reasonlen)
{
struct nsec3_filter flt;
struct ce_response ce;
struct ub_packed_rrset_key* rrset;
int rr;
int calc = 0;
enum sec_status sec;
log_assert(qinfo->qtype == LDNS_RR_TYPE_DS);
if(!list || num == 0 || !kkey || !key_entry_isgood(kkey)) {
*reason = "no valid NSEC3s";
return sec_status_bogus;
}
if(!list_is_secure(env, ve, list, num, kkey, reason, reason_bogus,
qstate, reasonbuf, reasonlen)) {
*reason = "not all NSEC3 records secure";
return sec_status_bogus;
}
filter_init(&flt, list, num, qinfo);
if(!flt.zone) {
*reason = "no NSEC3 records";
return sec_status_bogus;
}
if(nsec3_iteration_count_high(ve, &flt, kkey))
return sec_status_insecure;
if(find_matching_nsec3(env, &flt, ct, qinfo->qname, qinfo->qname_len,
&rrset, &rr, &calc)) {
if(nsec3_has_type(rrset, rr, LDNS_RR_TYPE_SOA) &&
qinfo->qname_len != 1) {
verbose(VERB_ALGO, "nsec3 provenods: NSEC3 is from"
" child zone, bogus");
*reason = "NSEC3 from child zone";
return sec_status_bogus;
} else if(nsec3_has_type(rrset, rr, LDNS_RR_TYPE_DS)) {
verbose(VERB_ALGO, "nsec3 provenods: NSEC3 has qtype"
" DS, bogus");
*reason = "NSEC3 has DS in bitmap";
return sec_status_bogus;
}
if(!nsec3_has_type(rrset, rr, LDNS_RR_TYPE_NS))
return sec_status_indeterminate;
return sec_status_secure;
}
if(calc == MAX_NSEC3_ERRORS) {
verbose(VERB_ALGO, "nsec3 provenods: all attempted hash "
"calculations were erroneous while finding a matching "
"NSEC3, bogus");
return sec_status_bogus;
} else if(calc >= MAX_NSEC3_CALCULATIONS) {
verbose(VERB_ALGO, "nsec3 provenods: reached "
"MAX_NSEC3_CALCULATIONS (%d) while finding a "
"matching NSEC3, unchecked still",
MAX_NSEC3_CALCULATIONS);
return sec_status_unchecked;
}
sec = nsec3_prove_closest_encloser(env, &flt, ct, qinfo, 1, &ce, &calc);
if(sec == sec_status_unchecked) {
return sec_status_unchecked;
} else if(sec != sec_status_secure) {
verbose(VERB_ALGO, "nsec3 provenods: did not match qname, "
"nor found a proven closest encloser.");
*reason = "no NSEC3 closest encloser";
return sec_status_bogus;
}
if(!ce.nc_rrset) {
verbose(VERB_ALGO, "nsec3 nods proof: no next closer nsec3");
*reason = "no NSEC3 next closer";
return sec_status_bogus;
}
log_assert(ce.nc_rrset);
if(!nsec3_has_optout(ce.nc_rrset, ce.nc_rr)) {
verbose(VERB_ALGO, "nsec3 provenods: covering NSEC3 was not "
"opt-out in an opt-out DS NOERROR/NODATA case.");
*reason = "covering NSEC3 was not opt-out in an opt-out "
"DS NOERROR/NODATA case";
return sec_status_bogus;
}
return sec_status_insecure;
}
enum sec_status
nsec3_prove_nxornodata(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key** list, size_t num,
struct query_info* qinfo, struct key_entry_key* kkey, int* nodata,
struct nsec3_cache_table* ct, int* calc)
{
enum sec_status sec, secnx;
struct nsec3_filter flt;
*nodata = 0;
if(!list || num == 0 || !kkey || !key_entry_isgood(kkey))
return sec_status_bogus;
filter_init(&flt, list, num, qinfo);
if(!flt.zone)
return sec_status_bogus;
if(nsec3_iteration_count_high(ve, &flt, kkey))
return sec_status_insecure;
secnx = nsec3_do_prove_nameerror(env, &flt, ct, qinfo, calc);
if(secnx==sec_status_secure)
return sec_status_secure;
else if(secnx == sec_status_unchecked)
return sec_status_unchecked;
sec = nsec3_do_prove_nodata(env, &flt, ct, qinfo, calc);
if(sec==sec_status_secure) {
*nodata = 1;
} else if(sec == sec_status_insecure) {
*nodata = 1;
} else if(secnx == sec_status_insecure) {
sec = sec_status_insecure;
} else if(sec == sec_status_unchecked) {
return sec_status_unchecked;
}
return sec;
}
