]>
Commit | Line | Data |
---|---|---|
6644c1c7 MT |
1 | From 97e618a0e3f29465acc689d87288596b006f197e Mon Sep 17 00:00:00 2001 |
2 | From: Simon Kelley <simon@thekelleys.org.uk> | |
3 | Date: Wed, 7 Jan 2015 21:55:43 +0000 | |
d54a2ce4 | 4 | Subject: [PATCH 26/78] DNSSEC: do top-down search for limit of secure |
6644c1c7 MT |
5 | delegation. |
6 | ||
7 | --- | |
8 | CHANGELOG | 9 ++ | |
9 | src/dnsmasq.h | 11 +- | |
10 | src/dnssec.c | 91 +++++++++------- | |
11 | src/forward.c | 327 +++++++++++++++++++++++++++++++++------------------------- | |
12 | 4 files changed, 260 insertions(+), 178 deletions(-) | |
13 | ||
14 | diff --git a/CHANGELOG b/CHANGELOG | |
15 | index 2b6356bcfb02..e8bf80f81baa 100644 | |
16 | --- a/CHANGELOG | |
17 | +++ b/CHANGELOG | |
18 | @@ -31,7 +31,16 @@ version 2.73 | |
19 | request for certain domains, before the correct answer can | |
20 | arrive. Thanks to Glen Huang for the patch. | |
21 | ||
22 | + Revisit the part of DNSSEC validation which determines if an | |
23 | + unsigned answer is legit, or is in some part of the DNS | |
24 | + tree which should be signed. Dnsmasq now works from the | |
25 | + DNS root downward looking for the limit of signed | |
26 | + delegations, rather than working bottom up. This is | |
27 | + both more correct, and less likely to trip over broken | |
28 | + nameservers in the unsigned parts of the DNS tree | |
29 | + which don't respond well to DNSSEC queries. | |
30 | ||
31 | + | |
32 | version 2.72 | |
33 | Add ra-advrouter mode, for RFC-3775 mobile IPv6 support. | |
34 | ||
35 | diff --git a/src/dnsmasq.h b/src/dnsmasq.h | |
36 | index 7bc982ddf73c..2f4597294a56 100644 | |
37 | --- a/src/dnsmasq.h | |
38 | +++ b/src/dnsmasq.h | |
39 | @@ -569,8 +569,9 @@ struct hostsfile { | |
40 | #define STAT_SECURE_WILDCARD 7 | |
41 | #define STAT_NO_SIG 8 | |
42 | #define STAT_NO_DS 9 | |
43 | -#define STAT_NEED_DS_NEG 10 | |
44 | -#define STAT_CHASE_CNAME 11 | |
45 | +#define STAT_NO_NS 10 | |
46 | +#define STAT_NEED_DS_NEG 11 | |
47 | +#define STAT_CHASE_CNAME 12 | |
48 | ||
49 | #define FREC_NOREBIND 1 | |
50 | #define FREC_CHECKING_DISABLED 2 | |
51 | @@ -604,7 +605,9 @@ struct frec { | |
52 | #ifdef HAVE_DNSSEC | |
53 | int class, work_counter; | |
54 | struct blockdata *stash; /* Saved reply, whilst we validate */ | |
55 | - size_t stash_len; | |
56 | + struct blockdata *orig_domain; /* domain of original query, whilst | |
57 | + we're seeing is if in unsigned domain */ | |
58 | + size_t stash_len, name_start, name_len; | |
59 | struct frec *dependent; /* Query awaiting internally-generated DNSKEY or DS query */ | |
60 | struct frec *blocking_query; /* Query which is blocking us. */ | |
61 | #endif | |
62 | @@ -1126,7 +1129,7 @@ int in_zone(struct auth_zone *zone, char *name, char **cut); | |
63 | size_t dnssec_generate_query(struct dns_header *header, char *end, char *name, int class, int type, union mysockaddr *addr); | |
64 | int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t n, char *name, char *keyname, int class); | |
65 | int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class); | |
66 | -int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int *class, int *neganswer); | |
67 | +int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int *class, int *neganswer, int *nons); | |
68 | int dnssec_chase_cname(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname); | |
69 | int dnskey_keytag(int alg, int flags, unsigned char *rdata, int rdlen); | |
70 | size_t filter_rrsigs(struct dns_header *header, size_t plen); | |
71 | diff --git a/src/dnssec.c b/src/dnssec.c | |
72 | index 026794b077e5..8f27677628b2 100644 | |
73 | --- a/src/dnssec.c | |
74 | +++ b/src/dnssec.c | |
75 | @@ -875,8 +875,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in | |
76 | /* The DNS packet is expected to contain the answer to a DNSKEY query. | |
77 | Put all DNSKEYs in the answer which are valid into the cache. | |
78 | return codes: | |
79 | - STAT_INSECURE No DNSKEYs in reply. | |
80 | - STAT_SECURE At least one valid DNSKEY found and in cache. | |
81 | + STAT_SECURE At least one valid DNSKEY found and in cache. | |
82 | STAT_BOGUS No DNSKEYs found, which can be validated with DS, | |
83 | or self-sign for DNSKEY RRset is not valid, bad packet. | |
84 | STAT_NEED_DS DS records to validate a key not found, name in keyname | |
85 | @@ -896,11 +895,8 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch | |
86 | GETSHORT(qtype, p); | |
87 | GETSHORT(qclass, p); | |
88 | ||
89 | - if (qtype != T_DNSKEY || qclass != class) | |
90 | + if (qtype != T_DNSKEY || qclass != class || ntohs(header->ancount) == 0) | |
91 | return STAT_BOGUS; | |
92 | - | |
93 | - if (ntohs(header->ancount) == 0) | |
94 | - return STAT_INSECURE; | |
95 | ||
96 | /* See if we have cached a DS record which validates this key */ | |
97 | if (!(crecp = cache_find_by_name(NULL, name, now, F_DS))) | |
98 | @@ -1103,17 +1099,17 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch | |
99 | /* The DNS packet is expected to contain the answer to a DS query | |
100 | Put all DSs in the answer which are valid into the cache. | |
101 | return codes: | |
102 | - STAT_INSECURE no DS in reply or not signed. | |
103 | STAT_SECURE At least one valid DS found and in cache. | |
104 | STAT_NO_DS It's proved there's no DS here. | |
105 | - STAT_BOGUS At least one DS found, which fails validation, bad packet. | |
106 | + STAT_NO_NS It's proved there's no DS _or_ NS here. | |
107 | + STAT_BOGUS no DS in reply or not signed, fails validation, bad packet. | |
108 | STAT_NEED_DNSKEY DNSKEY records to validate a DS not found, name in keyname | |
109 | */ | |
110 | ||
111 | int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class) | |
112 | { | |
113 | unsigned char *p = (unsigned char *)(header+1); | |
114 | - int qtype, qclass, val, i, neganswer; | |
115 | + int qtype, qclass, val, i, neganswer, nons; | |
116 | ||
117 | if (ntohs(header->qdcount) != 1 || | |
118 | !(p = skip_name(p, header, plen, 4))) | |
119 | @@ -1125,32 +1121,39 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char | |
120 | if (qtype != T_DS || qclass != class) | |
121 | val = STAT_BOGUS; | |
122 | else | |
123 | - val = dnssec_validate_reply(now, header, plen, name, keyname, NULL, &neganswer); | |
124 | - | |
125 | - if (val == STAT_NO_SIG) | |
126 | - val = STAT_INSECURE; | |
127 | + val = dnssec_validate_reply(now, header, plen, name, keyname, NULL, &neganswer, &nons); | |
128 | + /* Note dnssec_validate_reply() will have cached positive answers */ | |
129 | + | |
130 | + if (val == STAT_NO_SIG || val == STAT_INSECURE) | |
131 | + val = STAT_BOGUS; | |
132 | ||
133 | p = (unsigned char *)(header+1); | |
134 | extract_name(header, plen, &p, name, 1, 4); | |
135 | p += 4; /* qtype, qclass */ | |
136 | ||
137 | if (!(p = skip_section(p, ntohs(header->ancount), header, plen))) | |
138 | - return STAT_BOGUS; | |
139 | + val = STAT_BOGUS; | |
140 | ||
141 | if (val == STAT_BOGUS) | |
142 | - log_query(F_UPSTREAM, name, NULL, "BOGUS DS"); | |
143 | - | |
144 | - if ((val == STAT_SECURE || val == STAT_INSECURE) && neganswer) | |
145 | { | |
146 | - int rdlen, flags = F_FORWARD | F_DS | F_NEG; | |
147 | + log_query(F_UPSTREAM, name, NULL, "BOGUS DS"); | |
148 | + return STAT_BOGUS; | |
149 | + } | |
150 | + | |
151 | + /* By here, the answer is proved secure, and a positive answer has been cached. */ | |
152 | + if (val == STAT_SECURE && neganswer) | |
153 | + { | |
154 | + int rdlen, flags = F_FORWARD | F_DS | F_NEG | F_DNSSECOK; | |
155 | unsigned long ttl, minttl = ULONG_MAX; | |
156 | struct all_addr a; | |
157 | ||
158 | if (RCODE(header) == NXDOMAIN) | |
159 | flags |= F_NXDOMAIN; | |
160 | ||
161 | - if (val == STAT_SECURE) | |
162 | - flags |= F_DNSSECOK; | |
163 | + /* We only cache validated DS records, DNSSECOK flag hijacked | |
164 | + to store presence/absence of NS. */ | |
165 | + if (nons) | |
166 | + flags &= ~F_DNSSECOK; | |
167 | ||
168 | for (i = ntohs(header->nscount); i != 0; i--) | |
169 | { | |
170 | @@ -1196,10 +1199,12 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char | |
171 | a.addr.dnssec.class = class; | |
172 | cache_insert(name, &a, now, ttl, flags); | |
173 | ||
174 | - cache_end_insert(); | |
175 | + cache_end_insert(); | |
176 | + | |
177 | + log_query(F_UPSTREAM, name, NULL, nons ? "no delegation" : "no DS"); | |
178 | } | |
179 | ||
180 | - return (val == STAT_SECURE) ? STAT_NO_DS : STAT_INSECURE; | |
181 | + return nons ? STAT_NO_NS : STAT_NO_DS; | |
182 | } | |
183 | ||
184 | return val; | |
185 | @@ -1323,12 +1328,15 @@ static int find_nsec_records(struct dns_header *header, size_t plen, unsigned ch | |
186 | } | |
187 | ||
188 | static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsigned char **nsecs, int nsec_count, | |
189 | - char *workspace1, char *workspace2, char *name, int type) | |
190 | + char *workspace1, char *workspace2, char *name, int type, int *nons) | |
191 | { | |
192 | int i, rc, rdlen; | |
193 | unsigned char *p, *psave; | |
194 | int offset = (type & 0xff) >> 3; | |
195 | int mask = 0x80 >> (type & 0x07); | |
196 | + | |
197 | + if (nons) | |
198 | + *nons = 0; | |
199 | ||
200 | /* Find NSEC record that proves name doesn't exist */ | |
201 | for (i = 0; i < nsec_count; i++) | |
202 | @@ -1355,6 +1363,10 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi | |
203 | rdlen -= p - psave; | |
204 | /* rdlen is now length of type map, and p points to it */ | |
205 | ||
206 | + /* If we can prove that there's no NS record, return that information. */ | |
207 | + if (nons && rdlen >= 2 && p[0] == 0 && (p[2] & (0x80 >> T_NS)) == 0) | |
208 | + *nons = 1; | |
209 | + | |
210 | while (rdlen >= 2) | |
211 | { | |
212 | if (!CHECK_LEN(header, p, plen, rdlen)) | |
213 | @@ -1456,7 +1468,7 @@ static int base32_decode(char *in, unsigned char *out) | |
214 | } | |
215 | ||
216 | static int check_nsec3_coverage(struct dns_header *header, size_t plen, int digest_len, unsigned char *digest, int type, | |
217 | - char *workspace1, char *workspace2, unsigned char **nsecs, int nsec_count) | |
218 | + char *workspace1, char *workspace2, unsigned char **nsecs, int nsec_count, int *nons) | |
219 | { | |
220 | int i, hash_len, salt_len, base32_len, rdlen; | |
221 | unsigned char *p, *psave; | |
222 | @@ -1497,6 +1509,10 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige | |
223 | if (!CHECK_LEN(header, p, plen, rdlen)) | |
224 | return 0; | |
225 | ||
226 | + /* If we can prove that there's no NS record, return that information. */ | |
227 | + if (nons && rdlen >= 2 && p[0] == 0 && (p[2] & (0x80 >> T_NS)) == 0) | |
228 | + *nons = 1; | |
229 | + | |
230 | while (rdlen >= 2) | |
231 | { | |
232 | if (p[0] == type >> 8) | |
233 | @@ -1533,13 +1549,16 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige | |
234 | } | |
235 | ||
236 | static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, unsigned char **nsecs, int nsec_count, | |
237 | - char *workspace1, char *workspace2, char *name, int type, char *wildname) | |
238 | + char *workspace1, char *workspace2, char *name, int type, char *wildname, int *nons) | |
239 | { | |
240 | unsigned char *salt, *p, *digest; | |
241 | int digest_len, i, iterations, salt_len, base32_len, algo = 0; | |
242 | struct nettle_hash const *hash; | |
243 | char *closest_encloser, *next_closest, *wildcard; | |
244 | - | |
245 | + | |
246 | + if (nons) | |
247 | + *nons = 0; | |
248 | + | |
249 | /* Look though the NSEC3 records to find the first one with | |
250 | an algorithm we support (currently only algo == 1). | |
251 | ||
252 | @@ -1612,7 +1631,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns | |
253 | if ((digest_len = hash_name(name, &digest, hash, salt, salt_len, iterations)) == 0) | |
254 | return STAT_BOGUS; | |
255 | ||
256 | - if (check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count)) | |
257 | + if (check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count, nons)) | |
258 | return STAT_SECURE; | |
259 | ||
260 | /* Can't find an NSEC3 which covers the name directly, we need the "closest encloser NSEC3" | |
261 | @@ -1657,7 +1676,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns | |
262 | if ((digest_len = hash_name(next_closest, &digest, hash, salt, salt_len, iterations)) == 0) | |
263 | return STAT_BOGUS; | |
264 | ||
265 | - if (!check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count)) | |
266 | + if (!check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count, NULL)) | |
267 | return STAT_BOGUS; | |
268 | ||
269 | /* Finally, check that there's no seat of wildcard synthesis */ | |
270 | @@ -1672,7 +1691,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns | |
271 | if ((digest_len = hash_name(wildcard, &digest, hash, salt, salt_len, iterations)) == 0) | |
272 | return STAT_BOGUS; | |
273 | ||
274 | - if (!check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count)) | |
275 | + if (!check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count, NULL)) | |
276 | return STAT_BOGUS; | |
277 | } | |
278 | ||
279 | @@ -1681,7 +1700,8 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns | |
280 | ||
281 | /* Validate all the RRsets in the answer and authority sections of the reply (4035:3.2.3) */ | |
282 | /* Returns are the same as validate_rrset, plus the class if the missing key is in *class */ | |
283 | -int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int *class, int *neganswer) | |
284 | +int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, | |
285 | + int *class, int *neganswer, int *nons) | |
286 | { | |
287 | unsigned char *ans_start, *qname, *p1, *p2, **nsecs; | |
288 | int type1, class1, rdlen1, type2, class2, rdlen2, qclass, qtype; | |
289 | @@ -1811,10 +1831,11 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch | |
290 | return STAT_BOGUS; /* No NSECs or bad packet */ | |
291 | ||
292 | if (nsec_type == T_NSEC) | |
293 | - rc = prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, type1); | |
294 | + rc = prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, type1, NULL); | |
295 | else | |
296 | - rc = prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, type1, wildname); | |
297 | - | |
298 | + rc = prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon->workspacename, | |
299 | + keyname, name, type1, wildname, NULL); | |
300 | + | |
301 | if (rc != STAT_SECURE) | |
302 | return rc; | |
303 | } | |
304 | @@ -1937,9 +1958,9 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch | |
305 | return STAT_BOGUS; | |
306 | ||
307 | if (nsec_type == T_NSEC) | |
308 | - return prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, qtype); | |
309 | + return prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, qtype, nons); | |
310 | else | |
311 | - return prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, qtype, NULL); | |
312 | + return prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, qtype, NULL, nons); | |
313 | } | |
314 | ||
315 | /* Chase the CNAME chain in the packet until the first record which _doesn't validate. | |
316 | diff --git a/src/forward.c b/src/forward.c | |
317 | index f28c7d51f708..ee8d7b52d5e5 100644 | |
318 | --- a/src/forward.c | |
319 | +++ b/src/forward.c | |
320 | @@ -26,8 +26,9 @@ static void free_frec(struct frec *f); | |
321 | #ifdef HAVE_DNSSEC | |
322 | static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n, | |
323 | int class, char *name, char *keyname, struct server *server, int *keycount); | |
324 | -static int do_check_sign(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class); | |
325 | -static int send_check_sign(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname); | |
326 | +static int do_check_sign(struct frec *forward, int status, time_t now, char *name, char *keyname); | |
327 | +static int send_check_sign(struct frec *forward, time_t now, struct dns_header *header, size_t plen, | |
328 | + char *name, char *keyname); | |
329 | #endif | |
330 | ||
331 | ||
332 | @@ -815,18 +816,22 @@ void reply_query(int fd, int family, time_t now) | |
333 | else if (forward->flags & FREC_DS_QUERY) | |
334 | { | |
335 | status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); | |
336 | - if (status == STAT_NO_DS) | |
337 | - status = STAT_INSECURE; | |
338 | + if (status == STAT_NO_DS || status == STAT_NO_NS) | |
339 | + status = STAT_BOGUS; | |
340 | } | |
341 | else if (forward->flags & FREC_CHECK_NOSIGN) | |
342 | - status = do_check_sign(now, header, n, daemon->namebuff, daemon->keyname, forward->class); | |
343 | + { | |
344 | + status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); | |
345 | + if (status != STAT_NEED_KEY) | |
346 | + status = do_check_sign(forward, status, now, daemon->namebuff, daemon->keyname); | |
347 | + } | |
348 | else | |
349 | { | |
350 | - status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL); | |
351 | + status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL, NULL); | |
352 | if (status == STAT_NO_SIG) | |
353 | { | |
354 | if (option_bool(OPT_DNSSEC_NO_SIGN)) | |
355 | - status = send_check_sign(now, header, n, daemon->namebuff, daemon->keyname); | |
356 | + status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname); | |
357 | else | |
358 | status = STAT_INSECURE; | |
359 | } | |
360 | @@ -861,6 +866,7 @@ void reply_query(int fd, int family, time_t now) | |
361 | new->blocking_query = NULL; | |
362 | new->sentto = server; | |
363 | new->rfd4 = NULL; | |
364 | + new->orig_domain = NULL; | |
365 | #ifdef HAVE_IPV6 | |
366 | new->rfd6 = NULL; | |
367 | #endif | |
368 | @@ -889,7 +895,9 @@ void reply_query(int fd, int family, time_t now) | |
369 | new->new_id = get_id(); | |
370 | header->id = htons(new->new_id); | |
371 | /* Save query for retransmission */ | |
372 | - new->stash = blockdata_alloc((char *)header, nn); | |
373 | + if (!(new->stash = blockdata_alloc((char *)header, nn))) | |
374 | + return; | |
375 | + | |
376 | new->stash_len = nn; | |
377 | ||
378 | /* Don't resend this. */ | |
379 | @@ -946,18 +954,22 @@ void reply_query(int fd, int family, time_t now) | |
380 | else if (forward->flags & FREC_DS_QUERY) | |
381 | { | |
382 | status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); | |
383 | - if (status == STAT_NO_DS) | |
384 | - status = STAT_INSECURE; | |
385 | + if (status == STAT_NO_DS || status == STAT_NO_NS) | |
386 | + status = STAT_BOGUS; | |
387 | } | |
388 | else if (forward->flags & FREC_CHECK_NOSIGN) | |
389 | - status = do_check_sign(now, header, n, daemon->namebuff, daemon->keyname, forward->class); | |
390 | + { | |
391 | + status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); | |
392 | + if (status != STAT_NEED_KEY) | |
393 | + status = do_check_sign(forward, status, now, daemon->namebuff, daemon->keyname); | |
394 | + } | |
395 | else | |
396 | { | |
397 | - status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL); | |
398 | + status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL, NULL); | |
399 | if (status == STAT_NO_SIG) | |
400 | { | |
401 | if (option_bool(OPT_DNSSEC_NO_SIGN)) | |
402 | - status = send_check_sign(now, header, n, daemon->namebuff, daemon->keyname); | |
403 | + status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname); | |
404 | else | |
405 | status = STAT_INSECURE; | |
406 | } | |
407 | @@ -1319,70 +1331,80 @@ void receive_query(struct listener *listen, time_t now) | |
408 | /* UDP: we've got an unsigned answer, return STAT_INSECURE if we can prove there's no DS | |
409 | and therefore the answer shouldn't be signed, or STAT_BOGUS if it should be, or | |
410 | STAT_NEED_DS_NEG and keyname if we need to do the query. */ | |
411 | -static int send_check_sign(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname) | |
412 | +static int send_check_sign(struct frec *forward, time_t now, struct dns_header *header, size_t plen, | |
413 | + char *name, char *keyname) | |
414 | { | |
415 | - struct crec *crecp; | |
416 | - char *name_start = name; | |
417 | int status = dnssec_chase_cname(now, header, plen, name, keyname); | |
418 | ||
419 | if (status != STAT_INSECURE) | |
420 | return status; | |
421 | ||
422 | + /* Store the domain we're trying to check. */ | |
423 | + forward->name_start = strlen(name); | |
424 | + forward->name_len = forward->name_start + 1; | |
425 | + if (!(forward->orig_domain = blockdata_alloc(name, forward->name_len))) | |
426 | + return STAT_BOGUS; | |
427 | + | |
428 | + return do_check_sign(forward, 0, now, name, keyname); | |
429 | +} | |
430 | + | |
431 | +/* We either have a a reply (header non-NULL, or we need to start by looking in the cache */ | |
432 | +static int do_check_sign(struct frec *forward, int status, time_t now, char *name, char *keyname) | |
433 | +{ | |
434 | + /* get domain we're checking back from blockdata store, it's stored on the original query. */ | |
435 | + while (forward->dependent) | |
436 | + forward = forward->dependent; | |
437 | + | |
438 | + blockdata_retrieve(forward->orig_domain, forward->name_len, name); | |
439 | + | |
440 | while (1) | |
441 | { | |
442 | - crecp = cache_find_by_name(NULL, name_start, now, F_DS); | |
443 | - | |
444 | - if (crecp && (crecp->flags & F_DNSSECOK)) | |
445 | - return (crecp->flags & F_NEG) ? STAT_INSECURE : STAT_BOGUS; | |
446 | - | |
447 | - if (crecp && (crecp->flags & F_NEG) && (name_start = strchr(name_start, '.'))) | |
448 | + char *p; | |
449 | + | |
450 | + if (status == 0) | |
451 | { | |
452 | - name_start++; /* chop a label off and try again */ | |
453 | - continue; | |
454 | + struct crec *crecp; | |
455 | + | |
456 | + /* Haven't received answer, see if in cache */ | |
457 | + if (!(crecp = cache_find_by_name(NULL, &name[forward->name_start], now, F_DS))) | |
458 | + { | |
459 | + /* put name of DS record we're missing into keyname */ | |
460 | + strcpy(keyname, &name[forward->name_start]); | |
461 | + /* and wait for reply to arrive */ | |
462 | + return STAT_NEED_DS_NEG; | |
463 | + } | |
464 | + | |
465 | + /* F_DNSSECOK misused in DS cache records to non-existance of NS record */ | |
466 | + if (!(crecp->flags & F_NEG)) | |
467 | + status = STAT_SECURE; | |
468 | + else if (crecp->flags & F_DNSSECOK) | |
469 | + status = STAT_NO_DS; | |
470 | + else | |
471 | + status = STAT_NO_NS; | |
472 | } | |
473 | + | |
474 | + /* Have entered non-signed part of DNS tree. */ | |
475 | + if (status == STAT_NO_DS) | |
476 | + return STAT_INSECURE; | |
477 | ||
478 | - /* Reached the root */ | |
479 | - if (!name_start) | |
480 | + if (status == STAT_BOGUS) | |
481 | return STAT_BOGUS; | |
482 | ||
483 | - strcpy(keyname, name_start); | |
484 | - return STAT_NEED_DS_NEG; | |
485 | - } | |
486 | -} | |
487 | - | |
488 | -/* Got answer to DS query from send_check_sign, check for proven non-existence, or make the next DS query to try. */ | |
489 | -static int do_check_sign(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class) | |
490 | - | |
491 | -{ | |
492 | - char *name_start; | |
493 | - unsigned char *p; | |
494 | - int status; | |
495 | + /* There's a proven DS record, or we're within a zone, where there doesn't need | |
496 | + to be a DS record. Add a name and try again. | |
497 | + If we've already tried the whole name, then fail */ | |
498 | ||
499 | - /* In this case only, a SERVFAIL reply allows us to continue up the tree, looking for a | |
500 | - suitable NSEC reply to DS queries. */ | |
501 | - if (RCODE(header) != SERVFAIL) | |
502 | - { | |
503 | - status = dnssec_validate_ds(now, header, plen, name, keyname, class); | |
504 | + if (forward->name_start == 0) | |
505 | + return STAT_BOGUS; | |
506 | ||
507 | - if (status != STAT_INSECURE) | |
508 | - { | |
509 | - if (status == STAT_NO_DS) | |
510 | - status = STAT_INSECURE; | |
511 | - return status; | |
512 | - } | |
513 | - } | |
514 | - | |
515 | - p = (unsigned char *)(header+1); | |
516 | - | |
517 | - if (extract_name(header, plen, &p, name, 1, 4) && | |
518 | - (name_start = strchr(name, '.'))) | |
519 | - { | |
520 | - name_start++; /* chop a label off and try again */ | |
521 | - strcpy(keyname, name_start); | |
522 | - return STAT_NEED_DS_NEG; | |
523 | + for (p = &name[forward->name_start-2]; (*p != '.') && (p != name); p--); | |
524 | + | |
525 | + if (p != name) | |
526 | + p++; | |
527 | + | |
528 | + forward->name_start = p - name; | |
529 | + status = 0; /* force to cache when we iterate. */ | |
530 | } | |
531 | - | |
532 | - return STAT_BOGUS; | |
533 | } | |
534 | ||
535 | /* Move toward the root, until we find a signed non-existance of a DS, in which case | |
536 | @@ -1395,8 +1417,10 @@ static int tcp_check_for_unsigned_zone(time_t now, struct dns_header *header, s | |
537 | unsigned char *packet, *payload; | |
538 | u16 *length; | |
539 | unsigned char *p = (unsigned char *)(header+1); | |
540 | - int status; | |
541 | - char *name_start = name; | |
542 | + int status, name_len; | |
543 | + struct blockdata *block; | |
544 | + | |
545 | + char *name_start; | |
546 | ||
547 | /* Get first insecure entry in CNAME chain */ | |
548 | status = tcp_key_recurse(now, STAT_CHASE_CNAME, header, plen, class, name, keyname, server, keycount); | |
549 | @@ -1409,95 +1433,113 @@ static int tcp_check_for_unsigned_zone(time_t now, struct dns_header *header, s | |
550 | payload = &packet[2]; | |
551 | header = (struct dns_header *)payload; | |
552 | length = (u16 *)packet; | |
553 | + | |
554 | + /* Stash the name away, since the buffer will be trashed when we recurse */ | |
555 | + name_len = strlen(name) + 1; | |
556 | + name_start = name + name_len - 1; | |
557 | ||
558 | + if (!(block = blockdata_alloc(name, name_len))) | |
559 | + { | |
560 | + free(packet); | |
561 | + return STAT_BOGUS; | |
562 | + } | |
563 | + | |
564 | while (1) | |
565 | { | |
566 | - unsigned char *newhash, hash[HASH_SIZE]; | |
567 | unsigned char c1, c2; | |
568 | - struct crec *crecp = cache_find_by_name(NULL, name_start, now, F_DS); | |
569 | - | |
570 | + struct crec *crecp; | |
571 | + | |
572 | if (--(*keycount) == 0) | |
573 | { | |
574 | free(packet); | |
575 | + blockdata_free(block); | |
576 | return STAT_BOGUS; | |
577 | } | |
578 | - | |
579 | - if (crecp && (crecp->flags & F_DNSSECOK)) | |
580 | - { | |
581 | - free(packet); | |
582 | - return (crecp->flags & F_NEG) ? STAT_INSECURE : STAT_BOGUS; | |
583 | - } | |
584 | ||
585 | - /* If we have cached insecurely that a DS doesn't exist, | |
586 | - ise that is a hit for where to start looking for the secure one */ | |
587 | - if (crecp && (crecp->flags & F_NEG) && (name_start = strchr(name_start, '.'))) | |
588 | - { | |
589 | - name_start++; /* chop a label off and try again */ | |
590 | - continue; | |
591 | - } | |
592 | - | |
593 | - /* reached the root */ | |
594 | - if (!name_start) | |
595 | - { | |
596 | - free(packet); | |
597 | - return STAT_BOGUS; | |
598 | + while (crecp = cache_find_by_name(NULL, name_start, now, F_DS)) | |
599 | + { | |
600 | + if ((crecp->flags & F_NEG) && (crecp->flags & F_DNSSECOK)) | |
601 | + { | |
602 | + /* Found a secure denial of DS - delegation is indeed insecure */ | |
603 | + free(packet); | |
604 | + blockdata_free(block); | |
605 | + return STAT_INSECURE; | |
606 | + } | |
607 | + | |
608 | + /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation. | |
609 | + Add another label and continue. */ | |
610 | + | |
611 | + if (name_start == name) | |
612 | + { | |
613 | + free(packet); | |
614 | + blockdata_free(block); | |
615 | + return STAT_BOGUS; /* run out of labels */ | |
616 | + } | |
617 | + | |
618 | + name_start -= 2; | |
619 | + while (*name_start != '.' && name_start != name) | |
620 | + name_start--; | |
621 | + if (name_start != name) | |
622 | + name_start++; | |
623 | } | |
624 | + | |
625 | + /* Can't find it in the cache, have to send a query */ | |
626 | ||
627 | m = dnssec_generate_query(header, ((char *) header) + 65536, name_start, class, T_DS, &server->addr); | |
628 | ||
629 | - /* We rely on the question section coming back unchanged, ensure it is with the hash. */ | |
630 | - if ((newhash = hash_questions(header, (unsigned int)m, name))) | |
631 | - { | |
632 | - memcpy(hash, newhash, HASH_SIZE); | |
633 | + *length = htons(m); | |
634 | ||
635 | - *length = htons(m); | |
636 | + if (read_write(server->tcpfd, packet, m + sizeof(u16), 0) && | |
637 | + read_write(server->tcpfd, &c1, 1, 1) && | |
638 | + read_write(server->tcpfd, &c2, 1, 1) && | |
639 | + read_write(server->tcpfd, payload, (c1 << 8) | c2, 1)) | |
640 | + { | |
641 | + m = (c1 << 8) | c2; | |
642 | + | |
643 | + /* Note this trashes all three name workspaces */ | |
644 | + status = tcp_key_recurse(now, STAT_NEED_DS_NEG, header, m, class, name, keyname, server, keycount); | |
645 | ||
646 | - if (read_write(server->tcpfd, packet, m + sizeof(u16), 0) && | |
647 | - read_write(server->tcpfd, &c1, 1, 1) && | |
648 | - read_write(server->tcpfd, &c2, 1, 1) && | |
649 | - read_write(server->tcpfd, payload, (c1 << 8) | c2, 1)) | |
650 | + if (status == STAT_NO_DS) | |
651 | { | |
652 | - m = (c1 << 8) | c2; | |
653 | - | |
654 | - newhash = hash_questions(header, (unsigned int)m, name); | |
655 | - if (newhash && memcmp(hash, newhash, HASH_SIZE) == 0) | |
656 | - { | |
657 | - /* In this case only, a SERVFAIL reply allows us to continue up the tree, looking for a | |
658 | - suitable NSEC reply to DS queries. */ | |
659 | - if (RCODE(header) == SERVFAIL) | |
660 | - status = STAT_INSECURE; | |
661 | - else | |
662 | - /* Note this trashes all three name workspaces */ | |
663 | - status = tcp_key_recurse(now, STAT_NEED_DS_NEG, header, m, class, name, keyname, server, keycount); | |
664 | - | |
665 | - /* We've found a DS which proves the bit of the DNS where the | |
666 | - original query is, is unsigned, so the answer is OK, | |
667 | - if unvalidated. */ | |
668 | - if (status == STAT_NO_DS) | |
669 | - { | |
670 | - free(packet); | |
671 | - return STAT_INSECURE; | |
672 | - } | |
673 | - | |
674 | - /* No DS, not got to DNSSEC-land yet, go up. */ | |
675 | - if (status == STAT_INSECURE) | |
676 | - { | |
677 | - p = (unsigned char *)(header+1); | |
678 | - | |
679 | - if (extract_name(header, plen, &p, name, 1, 4) && | |
680 | - (name_start = strchr(name, '.'))) | |
681 | - { | |
682 | - name_start++; /* chop a label off and try again */ | |
683 | - continue; | |
684 | - } | |
685 | - } | |
686 | - } | |
687 | + /* Found a secure denial of DS - delegation is indeed insecure */ | |
688 | + free(packet); | |
689 | + blockdata_free(block); | |
690 | + return STAT_INSECURE; | |
691 | + } | |
692 | + | |
693 | + if (status == STAT_BOGUS) | |
694 | + { | |
695 | + free(packet); | |
696 | + blockdata_free(block); | |
697 | + return STAT_BOGUS; | |
698 | + } | |
699 | + | |
700 | + /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation. | |
701 | + Add another label and continue. */ | |
702 | + | |
703 | + /* Get name we're checking back. */ | |
704 | + blockdata_retrieve(block, name_len, name); | |
705 | + | |
706 | + if (name_start == name) | |
707 | + { | |
708 | + free(packet); | |
709 | + blockdata_free(block); | |
710 | + return STAT_BOGUS; /* run out of labels */ | |
711 | } | |
712 | + | |
713 | + name_start -= 2; | |
714 | + while (*name_start != '.' && name_start != name) | |
715 | + name_start--; | |
716 | + if (name_start != name) | |
717 | + name_start++; | |
718 | + } | |
719 | + else | |
720 | + { | |
721 | + /* IO failure */ | |
722 | + free(packet); | |
723 | + blockdata_free(block); | |
724 | + return STAT_BOGUS; /* run out of labels */ | |
725 | } | |
726 | - | |
727 | - free(packet); | |
728 | - | |
729 | - return STAT_BOGUS; | |
730 | } | |
731 | } | |
732 | ||
733 | @@ -1516,14 +1558,14 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si | |
734 | else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG) | |
735 | { | |
736 | new_status = dnssec_validate_ds(now, header, n, name, keyname, class); | |
737 | - if (status == STAT_NEED_DS && new_status == STAT_NO_DS) | |
738 | - new_status = STAT_INSECURE; | |
739 | + if (status == STAT_NEED_DS && (new_status == STAT_NO_DS || new_status == STAT_NO_NS)) | |
740 | + new_status = STAT_BOGUS; | |
741 | } | |
742 | else if (status == STAT_CHASE_CNAME) | |
743 | new_status = dnssec_chase_cname(now, header, n, name, keyname); | |
744 | else | |
745 | { | |
746 | - new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL); | |
747 | + new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL, NULL); | |
748 | ||
749 | if (new_status == STAT_NO_SIG) | |
750 | { | |
751 | @@ -1576,14 +1618,14 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si | |
752 | else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG) | |
753 | { | |
754 | new_status = dnssec_validate_ds(now, header, n, name, keyname, class); | |
755 | - if (status == STAT_NEED_DS && new_status == STAT_NO_DS) | |
756 | - new_status = STAT_INSECURE; /* Validated no DS */ | |
757 | + if (status == STAT_NEED_DS && (new_status == STAT_NO_DS || new_status == STAT_NO_NS)) | |
758 | + new_status = STAT_BOGUS; /* Validated no DS */ | |
759 | } | |
760 | else if (status == STAT_CHASE_CNAME) | |
761 | new_status = dnssec_chase_cname(now, header, n, name, keyname); | |
762 | else | |
763 | { | |
764 | - new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL); | |
765 | + new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL, NULL); | |
766 | ||
767 | if (new_status == STAT_NO_SIG) | |
768 | { | |
769 | @@ -1961,6 +2003,7 @@ static struct frec *allocate_frec(time_t now) | |
770 | f->dependent = NULL; | |
771 | f->blocking_query = NULL; | |
772 | f->stash = NULL; | |
773 | + f->orig_domain = NULL; | |
774 | #endif | |
775 | daemon->frec_list = f; | |
776 | } | |
777 | @@ -2029,6 +2072,12 @@ static void free_frec(struct frec *f) | |
778 | f->stash = NULL; | |
779 | } | |
780 | ||
781 | + if (f->orig_domain) | |
782 | + { | |
783 | + blockdata_free(f->orig_domain); | |
784 | + f->orig_domain = NULL; | |
785 | + } | |
786 | + | |
787 | /* Anything we're waiting on is pointless now, too */ | |
788 | if (f->blocking_query) | |
789 | free_frec(f->blocking_query); | |
790 | -- | |
791 | 2.1.0 | |
792 |