1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
|
/*
* validator/val_nsec.c - validator NSEC denial of existance functions.
*
* Copyright (c) 2007, NLnet Labs. All rights reserved.
*
* This software is open source.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* Neither the name of the NLNET LABS nor the names of its contributors may
* be used to endorse or promote products derived from this software without
* specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
/**
* \file
*
* This file contains helper functions for the validator module.
* The functions help with NSEC checking, the different NSEC proofs
* for denial of existance, and proofs for presence of types.
*/
#include "config.h"
#include <ldns/packet.h>
#include "validator/val_nsec.h"
#include "validator/val_utils.h"
#include "util/data/msgreply.h"
#include "util/data/dname.h"
#include "util/net_help.h"
#include "util/module.h"
#include "services/cache/rrset.h"
/** get ttl of rrset */
static uint32_t
rrset_get_ttl(struct ub_packed_rrset_key* k)
{
struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data;
return d->ttl;
}
int
nsecbitmap_has_type_rdata(uint8_t* bitmap, size_t len, uint16_t type)
{
/* Check type present in NSEC typemap with bitmap arg */
/* bitmasks for determining type-lowerbits presence */
uint8_t masks[8] = {0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01};
uint8_t type_window = type>>8;
uint8_t type_low = type&0xff;
uint8_t win, winlen;
/* read each of the type bitmap windows and see if the searched
* type is amongst it */
while(len > 0) {
if(len < 3) /* bad window, at least window# winlen bitmap */
return 0;
win = *bitmap++;
winlen = *bitmap++;
len -= 2;
if(len < winlen || winlen < 1 || winlen > 32)
return 0; /* bad window length */
if(win == type_window) {
/* search window bitmap for the correct byte */
/* mybyte is 0 if we need the first byte */
size_t mybyte = type_low>>3;
if(winlen <= mybyte)
return 0; /* window too short */
return (int)(bitmap[mybyte] & masks[type_low&0x7]);
} else {
/* not the window we are looking for */
bitmap += winlen;
len -= winlen;
}
}
/* end of bitmap reached, no type found */
return 0;
}
int
nsec_has_type(struct ub_packed_rrset_key* nsec, uint16_t type)
{
struct packed_rrset_data* d = (struct packed_rrset_data*)nsec->
entry.data;
size_t len;
if(!d || d->count == 0 || d->rr_len[0] < 2+1)
return 0;
len = dname_valid(d->rr_data[0]+2, d->rr_len[0]-2);
if(!len)
return 0;
return nsecbitmap_has_type_rdata(d->rr_data[0]+2+len,
d->rr_len[0]-2-len, type);
}
/**
* Get next owner name from nsec record
* @param nsec: the nsec RRset.
* If there are multiple RRs, then this will only return one of them.
* @param nm: the next name is returned.
* @param ln: length of nm is returned.
* @return false on a bad NSEC RR (too short, malformed dname).
*/
static int
nsec_get_next(struct ub_packed_rrset_key* nsec, uint8_t** nm, size_t* ln)
{
struct packed_rrset_data* d = (struct packed_rrset_data*)nsec->
entry.data;
if(!d || d->count == 0 || d->rr_len[0] < 2+1) {
*nm = 0;
*ln = 0;
return 0;
}
*nm = d->rr_data[0]+2;
*ln = dname_valid(*nm, d->rr_len[0]-2);
if(!*ln) {
*nm = 0;
*ln = 0;
return 0;
}
return 1;
}
/**
* For an NSEC that matches the DS queried for, check absence of DS type.
*
* @param nsec: NSEC for proof, must be trusted.
* @param qinfo: what is queried for.
* @return if secure the nsec proves that no DS is present, or
* insecure if it proves it is not a delegation point.
* or bogus if something was wrong.
*/
static enum sec_status
val_nsec_proves_no_ds(struct ub_packed_rrset_key* nsec,
struct query_info* qinfo)
{
log_assert(qinfo->qtype == LDNS_RR_TYPE_DS);
log_assert(ntohs(nsec->rk.type) == LDNS_RR_TYPE_NSEC);
if(nsec_has_type(nsec, LDNS_RR_TYPE_SOA) && qinfo->qname_len != 1) {
/* SOA present means that this is the NSEC from the child,
* not the parent (so it is the wrong one). */
return sec_status_bogus;
}
if(nsec_has_type(nsec, LDNS_RR_TYPE_DS)) {
/* DS present means that there should have been a positive
* response to the DS query, so there is something wrong. */
return sec_status_bogus;
}
if(!nsec_has_type(nsec, LDNS_RR_TYPE_NS)) {
/* If there is no NS at this point at all, then this
* doesn't prove anything one way or the other. */
return sec_status_insecure;
}
/* Otherwise, this proves no DS. */
return sec_status_secure;
}
/** check security status from cache or verify rrset, returns true if secure */
static int
nsec_verify_rrset(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key* nsec, struct key_entry_key* kkey,
char** reason)
{
struct packed_rrset_data* d = (struct packed_rrset_data*)
nsec->entry.data;
if(d->security == sec_status_secure)
return 1;
rrset_check_sec_status(env->rrset_cache, nsec, *env->now);
if(d->security == sec_status_secure)
return 1;
d->security = val_verify_rrset_entry(env, ve, nsec, kkey, reason);
if(d->security == sec_status_secure) {
rrset_update_sec_status(env->rrset_cache, nsec, *env->now);
return 1;
}
return 0;
}
enum sec_status
val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
struct query_info* qinfo, struct reply_info* rep,
struct key_entry_key* kkey, uint32_t* proof_ttl, char** reason)
{
struct ub_packed_rrset_key* nsec = reply_find_rrset_section_ns(
rep, qinfo->qname, qinfo->qname_len, LDNS_RR_TYPE_NSEC,
qinfo->qclass);
enum sec_status sec;
size_t i;
uint8_t* wc = NULL, *ce = NULL;
int valid_nsec = 0;
struct ub_packed_rrset_key* wc_nsec = NULL;
/* If we have a NSEC at the same name, it must prove one
* of two things
* --
* 1) this is a delegation point and there is no DS
* 2) this is not a delegation point */
if(nsec) {
if(!nsec_verify_rrset(env, ve, nsec, kkey, reason)) {
verbose(VERB_ALGO, "NSEC RRset for the "
"referral did not verify.");
return sec_status_bogus;
}
sec = val_nsec_proves_no_ds(nsec, qinfo);
if(sec == sec_status_bogus) {
/* something was wrong. */
*reason = "NSEC does not prove absence of DS";
return sec;
} else if(sec == sec_status_insecure) {
/* this wasn't a delegation point. */
return sec;
} else if(sec == sec_status_secure) {
/* this proved no DS. */
*proof_ttl = ub_packed_rrset_ttl(nsec);
return sec;
}
/* if unchecked, fall through to next proof */
}
/* Otherwise, there is no NSEC at qname. This could be an ENT.
* (ENT=empty non terminal). If not, this is broken. */
/* verify NSEC rrsets in auth section */
for(i=rep->an_numrrsets; i < rep->an_numrrsets+rep->ns_numrrsets;
i++) {
if(rep->rrsets[i]->rk.type != htons(LDNS_RR_TYPE_NSEC))
continue;
if(!nsec_verify_rrset(env, ve, rep->rrsets[i], kkey, reason)) {
verbose(VERB_ALGO, "NSEC for empty non-terminal "
"did not verify.");
return sec_status_bogus;
}
if(nsec_proves_nodata(rep->rrsets[i], qinfo, &wc)) {
verbose(VERB_ALGO, "NSEC for empty non-terminal "
"proved no DS.");
*proof_ttl = rrset_get_ttl(rep->rrsets[i]);
if(wc && dname_is_wild(rep->rrsets[i]->rk.dname))
wc_nsec = rep->rrsets[i];
valid_nsec = 1;
}
if(val_nsec_proves_name_error(rep->rrsets[i], qinfo->qname)) {
ce = nsec_closest_encloser(qinfo->qname,
rep->rrsets[i]);
}
}
if(wc && !ce)
valid_nsec = 0;
else if(wc && ce) {
/* ce and wc must match */
if(query_dname_compare(wc, ce) != 0)
valid_nsec = 0;
else if(!wc_nsec)
valid_nsec = 0;
}
if(valid_nsec) {
if(wc) {
/* check if this is a delegation */
*reason = "NSEC for wildcard does not prove absence of DS";
return val_nsec_proves_no_ds(wc_nsec, qinfo);
}
/* valid nsec proves empty nonterminal */
return sec_status_insecure;
}
/* NSEC proof did not conlusively point to DS or no DS */
return sec_status_unchecked;
}
int nsec_proves_nodata(struct ub_packed_rrset_key* nsec,
struct query_info* qinfo, uint8_t** wc)
{
log_assert(wc);
if(query_dname_compare(nsec->rk.dname, qinfo->qname) != 0) {
uint8_t* nm;
size_t ln;
/* empty-non-terminal checking.
* Done before wildcard, because this is an exact match,
* and would prevent a wildcard from matching. */
/* If the nsec is proving that qname is an ENT, the nsec owner
* will be less than qname, and the next name will be a child
* domain of the qname. */
if(!nsec_get_next(nsec, &nm, &ln))
return 0; /* bad nsec */
if(dname_strict_subdomain_c(nm, qinfo->qname) &&
dname_canonical_compare(nsec->rk.dname,
qinfo->qname) < 0) {
return 1; /* proves ENT */
}
/* wildcard checking. */
/* If this is a wildcard NSEC, make sure that a) it was
* possible to have generated qname from the wildcard and
* b) the type map does not contain qtype. Note that this
* does NOT prove that this wildcard was the applicable
* wildcard. */
if(dname_is_wild(nsec->rk.dname)) {
/* the purported closest encloser. */
uint8_t* ce = nsec->rk.dname;
size_t ce_len = nsec->rk.dname_len;
dname_remove_label(&ce, &ce_len);
/* The qname must be a strict subdomain of the
* closest encloser, for the wildcard to apply
*/
if(dname_strict_subdomain_c(qinfo->qname, ce)) {
/* here we have a matching NSEC for the qname,
* perform matching NSEC checks */
if(nsec_has_type(nsec, LDNS_RR_TYPE_CNAME)) {
/* should have gotten the wildcard CNAME */
return 0;
}
if(nsec_has_type(nsec, LDNS_RR_TYPE_NS) &&
!nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) {
/* wrong parentside (wildcard) NSEC used */
return 0;
}
if(nsec_has_type(nsec, qinfo->qtype)) {
return 0;
}
*wc = ce;
return 1;
}
}
/* Otherwise, this NSEC does not prove ENT and is not a
* wildcard, so it does not prove NODATA. */
return 0;
}
/* If the qtype exists, then we should have gotten it. */
if(nsec_has_type(nsec, qinfo->qtype)) {
return 0;
}
/* if the name is a CNAME node, then we should have gotten the CNAME*/
if(nsec_has_type(nsec, LDNS_RR_TYPE_CNAME)) {
return 0;
}
/* If an NS set exists at this name, and NOT a SOA (so this is a
* zone cut, not a zone apex), then we should have gotten a
* referral (or we just got the wrong NSEC).
* The reverse of this check is used when qtype is DS, since that
* must use the NSEC from above the zone cut. */
if(qinfo->qtype != LDNS_RR_TYPE_DS &&
nsec_has_type(nsec, LDNS_RR_TYPE_NS) &&
!nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) {
return 0;
} else if(qinfo->qtype == LDNS_RR_TYPE_DS &&
nsec_has_type(nsec, LDNS_RR_TYPE_SOA &&
!dname_is_root(qinfo->qname))) {
return 0;
}
return 1;
}
int
val_nsec_proves_name_error(struct ub_packed_rrset_key* nsec, uint8_t* qname)
{
uint8_t* owner = nsec->rk.dname;
uint8_t* next;
size_t nlen;
if(!nsec_get_next(nsec, &next, &nlen))
return 0;
/* If NSEC owner == qname, then this NSEC proves that qname exists. */
if(query_dname_compare(qname, owner) == 0) {
return 0;
}
/* If NSEC is a parent of qname, we need to check the type map
* If the parent name has a DNAME or is a delegation point, then
* this NSEC is being misused. */
if(dname_subdomain_c(qname, owner) &&
(nsec_has_type(nsec, LDNS_RR_TYPE_DNAME) ||
(nsec_has_type(nsec, LDNS_RR_TYPE_NS)
&& !nsec_has_type(nsec, LDNS_RR_TYPE_SOA))
)) {
return 0;
}
if(query_dname_compare(owner, next) == 0) {
/* this nsec is the only nsec */
/* zone.name NSEC zone.name, disproves everything else */
/* but only for subdomains of that zone */
if(dname_strict_subdomain_c(qname, next))
return 1;
}
else if(dname_canonical_compare(owner, next) > 0) {
/* this is the last nsec, ....(bigger) NSEC zonename(smaller) */
/* the names after the last (owner) name do not exist
* there are no names before the zone name in the zone
* but the qname must be a subdomain of the zone name(next). */
if(dname_canonical_compare(owner, qname) < 0 &&
dname_strict_subdomain_c(qname, next))
return 1;
} else {
/* regular NSEC, (smaller) NSEC (larger) */
if(dname_canonical_compare(owner, qname) < 0 &&
dname_canonical_compare(qname, next) < 0) {
return 1;
}
}
return 0;
}
int val_nsec_proves_insecuredelegation(struct ub_packed_rrset_key* nsec,
struct query_info* qinfo)
{
if(nsec_has_type(nsec, LDNS_RR_TYPE_NS) &&
!nsec_has_type(nsec, LDNS_RR_TYPE_DS) &&
!nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) {
/* see if nsec signals an insecure delegation */
if(qinfo->qtype == LDNS_RR_TYPE_DS) {
/* if type is DS and qname is equal to nsec, then it
* is an exact match nsec, result not insecure */
if(dname_strict_subdomain_c(qinfo->qname,
nsec->rk.dname))
return 1;
} else {
if(dname_subdomain_c(qinfo->qname, nsec->rk.dname))
return 1;
}
}
return 0;
}
uint8_t*
nsec_closest_encloser(uint8_t* qname, struct ub_packed_rrset_key* nsec)
{
uint8_t* next;
size_t nlen;
uint8_t* common1, *common2;
if(!nsec_get_next(nsec, &next, &nlen))
return NULL;
/* longest common with owner or next name */
common1 = dname_get_shared_topdomain(nsec->rk.dname, qname);
common2 = dname_get_shared_topdomain(next, qname);
if(dname_count_labels(common1) > dname_count_labels(common2))
return common1;
return common2;
}
int val_nsec_proves_positive_wildcard(struct ub_packed_rrset_key* nsec,
struct query_info* qinf, uint8_t* wc)
{
uint8_t* ce;
/* 1) prove that qname doesn't exist and
* 2) that the correct wildcard was used
* nsec has been verified already. */
if(!val_nsec_proves_name_error(nsec, qinf->qname))
return 0;
/* check wildcard name */
ce = nsec_closest_encloser(qinf->qname, nsec);
if(!ce)
return 0;
if(query_dname_compare(wc, ce) != 0) {
return 0;
}
return 1;
}
int
val_nsec_proves_no_wc(struct ub_packed_rrset_key* nsec, uint8_t* qname,
size_t qnamelen)
{
/* Determine if a NSEC record proves the non-existence of a
* wildcard that could have produced qname. */
int labs;
int i;
uint8_t* ce = nsec_closest_encloser(qname, nsec);
uint8_t* strip;
size_t striplen;
uint8_t buf[LDNS_MAX_DOMAINLEN+3];
if(!ce)
return 0;
/* we can subtract the closest encloser count - since that is the
* largest shared topdomain with owner and next NSEC name,
* because the NSEC is no proof for names shorter than the owner
* and next names. */
labs = dname_count_labels(qname) - dname_count_labels(ce);
for(i=labs; i>0; i--) {
/* i is number of labels to strip off qname, prepend * wild */
strip = qname;
striplen = qnamelen;
dname_remove_labels(&strip, &striplen, i);
if(striplen > LDNS_MAX_DOMAINLEN-2)
continue; /* too long to prepend wildcard */
buf[0] = 1;
buf[1] = (uint8_t)'*';
memmove(buf+2, strip, striplen);
if(val_nsec_proves_name_error(nsec, buf)) {
return 1;
}
}
return 0;
}
/**
* Find shared topdomain that exists
*/
static void
dlv_topdomain(struct ub_packed_rrset_key* nsec, uint8_t* qname,
uint8_t** nm, size_t* nm_len)
{
/* make sure reply is part of nm */
/* take shared topdomain with left of NSEC. */
/* because, if empty nonterminal, then right is subdomain of qname.
* and any shared topdomain would be empty nonterminals.
*
* If nxdomain, then the right is bigger, and could have an
* interesting shared topdomain, but if it does have one, it is
* an empty nonterminal. An empty nonterminal shared with the left
* one. */
int n;
uint8_t* common = dname_get_shared_topdomain(qname, nsec->rk.dname);
n = dname_count_labels(*nm) - dname_count_labels(common);
dname_remove_labels(nm, nm_len, n);
}
int val_nsec_check_dlv(struct query_info* qinfo,
struct reply_info* rep, uint8_t** nm, size_t* nm_len)
{
uint8_t* next;
size_t i, nlen;
int c;
/* we should now have a NOERROR/NODATA or NXDOMAIN message */
if(rep->an_numrrsets != 0) {
return 0;
}
/* is this NOERROR ? */
if(FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NOERROR) {
/* it can be a plain NSEC match - go up one more level. */
/* or its an empty nonterminal - go up to nonempty level */
for(i=0; i<rep->ns_numrrsets; i++) {
if(htons(rep->rrsets[i]->rk.type)!=LDNS_RR_TYPE_NSEC ||
!nsec_get_next(rep->rrsets[i], &next, &nlen))
continue;
c = dname_canonical_compare(
rep->rrsets[i]->rk.dname, qinfo->qname);
if(c == 0) {
/* plain match */
if(nsec_has_type(rep->rrsets[i],
LDNS_RR_TYPE_DLV))
return 0;
dname_remove_label(nm, nm_len);
return 1;
} else if(c < 0 &&
dname_strict_subdomain_c(next, qinfo->qname)) {
/* ENT */
dlv_topdomain(rep->rrsets[i], qinfo->qname,
nm, nm_len);
return 1;
}
}
return 0;
}
/* is this NXDOMAIN ? */
if(FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN) {
/* find the qname denial NSEC record. It can tell us
* a closest encloser name; or that we not need bother */
for(i=0; i<rep->ns_numrrsets; i++) {
if(htons(rep->rrsets[i]->rk.type) != LDNS_RR_TYPE_NSEC)
continue;
if(val_nsec_proves_name_error(rep->rrsets[i],
qinfo->qname)) {
log_nametypeclass(VERB_ALGO, "topdomain on",
rep->rrsets[i]->rk.dname,
ntohs(rep->rrsets[i]->rk.type), 0);
dlv_topdomain(rep->rrsets[i], qinfo->qname,
nm, nm_len);
return 1;
}
}
return 0;
}
return 0;
}
|
Swift