pdns/validate.hh

   1 /*
   2  * This file is part of PowerDNS or dnsdist.
   3  * Copyright -- PowerDNS.COM B.V. and its contributors
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of version 2 of the GNU General Public License as
   7  * published by the Free Software Foundation.
   8  *
   9  * In addition, for the avoidance of any doubt, permission is granted to
  10  * link this program with OpenSSL and to (re)distribute the binaries
  11  * produced as the result of such linking.
  12  *
  13  * This program is distributed in the hope that it will be useful,
  14  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16  * GNU General Public License for more details.
  17  *
  18  * You should have received a copy of the GNU General Public License
  19  * along with this program; if not, write to the Free Software
  20  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  21  */
  22 #pragma once
  23
  24 #include "dnsparser.hh"
  25 #include "dnsname.hh"
  26 #include <vector>
  27 #include "namespaces.hh"
  28 #include "dnsrecords.hh"
  29 #include "dnssecinfra.hh"
  30 #include "logger.hh"
  31
  32 extern time_t g_signatureInceptionSkew;
  33 extern uint16_t g_maxNSEC3Iterations;
  34 extern uint16_t g_maxRRSIGsPerRecordToConsider;
  35 extern uint16_t g_maxNSEC3sPerRecordToConsider;
  36 extern uint16_t g_maxDNSKEYsToConsider;
  37 extern uint16_t g_maxDSsToConsider;
  38
  39 // 4033 5
  40 enum class vState : uint8_t { Indeterminate, Insecure, Secure, NTA, TA, BogusNoValidDNSKEY, BogusInvalidDenial, BogusUnableToGetDSs, BogusUnableToGetDNSKEYs, BogusSelfSignedDS, BogusNoRRSIG, BogusNoValidRRSIG, BogusMissingNegativeIndication, BogusSignatureNotYetValid, BogusSignatureExpired, BogusUnsupportedDNSKEYAlgo, BogusUnsupportedDSDigestType, BogusNoZoneKeyBitSet, BogusRevokedDNSKEY, BogusInvalidDNSKEYProtocol };
  41 const std::string& vStateToString(vState state);
  42 inline bool vStateIsBogus(vState state)
  43 {
  44   return state >= vState::BogusNoValidDNSKEY;
  45 }
  46
  47 // NSEC(3) results
  48 enum class dState : uint8_t { NODENIAL, INCONCLUSIVE, NXDOMAIN, NXQTYPE, ENT, INSECURE, OPTOUT};
  49
  50 std::ostream& operator<<(std::ostream &, vState);
  51 std::ostream& operator<<(std::ostream &, dState);
  52
  53 class DNSRecordOracle
  54 {
  55 public:
  56   virtual ~DNSRecordOracle() = default;
  57   DNSRecordOracle(const DNSRecordOracle&) = default;
  58   DNSRecordOracle(DNSRecordOracle&&) = default;
  59   DNSRecordOracle& operator=(const DNSRecordOracle&) = default;
  60   DNSRecordOracle& operator=(DNSRecordOracle&&) = default;
  61   virtual std::vector<DNSRecord> get(const DNSName& qname, uint16_t qtype) = 0;
  62 };
  63
  64
  65 struct ContentSigPair
  66 {
  67   sortedRecords_t records;
  68   vector<shared_ptr<const RRSIGRecordContent>> signatures;
  69   // ponder adding a validate method that accepts a key
  70 };
  71 using cspmap_t = map<pair<DNSName, uint16_t>, ContentSigPair>;
  72 using dsmap_t = std::set<DSRecordContent>;
  73
  74 struct sharedDNSKeyRecordContentCompare
  75 {
  76   bool operator() (const shared_ptr<const DNSKEYRecordContent>& lhs, const shared_ptr<const DNSKEYRecordContent>& rhs) const
  77   {
  78     return *lhs < *rhs;
  79   }
  80 };
  81
  82 using skeyset_t = set<shared_ptr<const DNSKEYRecordContent>, sharedDNSKeyRecordContentCompare>;
  83
  84 namespace pdns::validation
  85 {
  86 using Nsec3HashesCache = std::map<std::tuple<DNSName, std::string, uint16_t>, std::string>;
  87
  88 struct ValidationContext
  89 {
  90   Nsec3HashesCache d_nsec3Cache;
  91   unsigned int d_validationsCounter{0};
  92   unsigned int d_nsec3IterationsRemainingQuota{0};
  93   bool d_limitHit{false};
  94 };
  95
  96 class TooManySEC3IterationsException : public std::runtime_error
  97 {
  98 public:
  99   TooManySEC3IterationsException(): std::runtime_error("Too many NSEC3 hash computations per query")
 100   {
 101   }
 102 };
 103
 104 }
 105
 106 vState validateWithKeySet(time_t now, const DNSName& name, const sortedRecords_t& toSign, const vector<shared_ptr<const RRSIGRecordContent> >& signatures, const skeyset_t& keys, const OptLog& log, pdns::validation::ValidationContext& context, bool validateAllSigs=true);
 107 bool isCoveredByNSEC(const DNSName& name, const DNSName& begin, const DNSName& next);
 108 bool isCoveredByNSEC3Hash(const std::string& hash, const std::string& beginHash, const std::string& nextHash);
 109 bool isCoveredByNSEC3Hash(const DNSName& name, const DNSName& beginHash, const DNSName& nextHash);
 110 bool getTrustAnchor(const map<DNSName,dsmap_t>& anchors, const DNSName& zone, dsmap_t &res);
 111 bool haveNegativeTrustAnchor(const map<DNSName,std::string>& negAnchors, const DNSName& zone, std::string& reason);
 112 vState validateDNSKeysAgainstDS(time_t now, const DNSName& zone, const dsmap_t& dsmap, const skeyset_t& tkeys, const sortedRecords_t& toSign, const vector<shared_ptr<const RRSIGRecordContent> >& sigs, skeyset_t& validkeys, const OptLog&, pdns::validation::ValidationContext& context);
 113 dState getDenial(const cspmap_t &validrrsets, const DNSName& qname, uint16_t qtype, bool referralToUnsigned, bool wantsNoDataProof, pdns::validation::ValidationContext& context, const OptLog& log = std::nullopt, bool needWildcardProof=true, unsigned int wildcardLabelsCount=0);
 114 bool isSupportedDS(const DSRecordContent& dsRecordContent, const OptLog&);
 115 DNSName getSigner(const std::vector<std::shared_ptr<const RRSIGRecordContent> >& signatures);
 116 bool denialProvesNoDelegation(const DNSName& zone, const std::vector<DNSRecord>& dsrecords, pdns::validation::ValidationContext& context);
 117 bool isRRSIGNotExpired(time_t now, const RRSIGRecordContent& sig);
 118 bool isRRSIGIncepted(time_t now, const RRSIGRecordContent& sig);
 119 bool isWildcardExpanded(unsigned int labelCount, const RRSIGRecordContent& sign);
 120 bool isWildcardExpandedOntoItself(const DNSName& owner, unsigned int labelCount, const RRSIGRecordContent& sign);
 121 void updateDNSSECValidationState(vState& state, vState stateUpdate);
 122
 123 dState matchesNSEC(const DNSName& name, uint16_t qtype, const DNSName& nsecOwner, const NSECRecordContent& nsec, const std::vector<std::shared_ptr<const RRSIGRecordContent>>& signatures, const OptLog&);
 124
 125 bool isNSEC3AncestorDelegation(const DNSName& signer, const DNSName& owner, const NSEC3RecordContent& nsec3);
 126 DNSName getNSECOwnerName(const DNSName& initialOwner, const std::vector<std::shared_ptr<const RRSIGRecordContent> >& signatures);
 127 DNSName getClosestEncloserFromNSEC(const DNSName& name, const DNSName& owner, const DNSName& next);
 128 [[nodiscard]] uint64_t getNSEC3DenialProofWorstCaseIterationsCount(uint8_t maxLabels, uint16_t iterations, size_t saltLength);
 129 [[nodiscard]] std::string getHashFromNSEC3(const DNSName& qname, uint16_t iterations, const std::string& salt, pdns::validation::ValidationContext& context);
 130
 131 template <typename NSEC> bool isTypeDenied(const NSEC& nsec, const QType& type)
 132 {
 133   if (nsec.isSet(type.getCode())) {
 134     return false;
 135   }
 136
 137   /* RFC 6840 section 4.3 */
 138   if (nsec.isSet(QType::CNAME)) {
 139     return false;
 140   }
 141
 142   return true;
 143 }