]> git.ipfire.org Git - ipfire-2.x.git/blob - src/patches/dnsmasq/0026-DNSSEC-do-top-down-search-for-limit-of-secure-delega.patch
projects / ipfire-2.x.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
[ipfire-2.x.git] / src / patches / dnsmasq / 0026-DNSSEC-do-top-down-search-for-limit-of-secure-delega.patch
1 From 97e618a0e3f29465acc689d87288596b006f197e Mon Sep 17 00:00:00 2001
2 From: Simon Kelley <simon@thekelleys.org.uk>
3 Date: Wed, 7 Jan 2015 21:55:43 +0000
4 Subject: [PATCH 26/98] DNSSEC: do top-down search for limit of secure
5 delegation.
6
7 ---
8 CHANGELOG | 9 ++
9 src/dnsmasq.h | 11 +-
10 src/dnssec.c | 91 +++++++++-------
11 src/forward.c | 327 +++++++++++++++++++++++++++++++++-------------------------
12 4 files changed, 260 insertions(+), 178 deletions(-)
13
14 diff --git a/CHANGELOG b/CHANGELOG
15 index 2b6356bcfb02..e8bf80f81baa 100644
16 --- a/CHANGELOG
17 +++ b/CHANGELOG
18 @@ -31,7 +31,16 @@ version 2.73
19 request for certain domains, before the correct answer can
20 arrive. Thanks to Glen Huang for the patch.
21
22 + Revisit the part of DNSSEC validation which determines if an
23 + unsigned answer is legit, or is in some part of the DNS
24 + tree which should be signed. Dnsmasq now works from the
25 + DNS root downward looking for the limit of signed
26 + delegations, rather than working bottom up. This is
27 + both more correct, and less likely to trip over broken
28 + nameservers in the unsigned parts of the DNS tree
29 + which don't respond well to DNSSEC queries.
30
31 +
32 version 2.72
33 Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.
34
35 diff --git a/src/dnsmasq.h b/src/dnsmasq.h
36 index 7bc982ddf73c..2f4597294a56 100644
37 --- a/src/dnsmasq.h
38 +++ b/src/dnsmasq.h
39 @@ -569,8 +569,9 @@ struct hostsfile {
40 #define STAT_SECURE_WILDCARD 7
41 #define STAT_NO_SIG 8
42 #define STAT_NO_DS 9
43 -#define STAT_NEED_DS_NEG 10
44 -#define STAT_CHASE_CNAME 11
45 +#define STAT_NO_NS 10
46 +#define STAT_NEED_DS_NEG 11
47 +#define STAT_CHASE_CNAME 12
48
49 #define FREC_NOREBIND 1
50 #define FREC_CHECKING_DISABLED 2
51 @@ -604,7 +605,9 @@ struct frec {
52 #ifdef HAVE_DNSSEC
53 int class, work_counter;
54 struct blockdata *stash; /* Saved reply, whilst we validate */
55 - size_t stash_len;
56 + struct blockdata *orig_domain; /* domain of original query, whilst
57 + we're seeing is if in unsigned domain */
58 + size_t stash_len, name_start, name_len;
59 struct frec *dependent; /* Query awaiting internally-generated DNSKEY or DS query */
60 struct frec *blocking_query; /* Query which is blocking us. */
61 #endif
62 @@ -1126,7 +1129,7 @@ int in_zone(struct auth_zone *zone, char *name, char **cut);
63 size_t dnssec_generate_query(struct dns_header *header, char *end, char *name, int class, int type, union mysockaddr *addr);
64 int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t n, char *name, char *keyname, int class);
65 int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class);
66 -int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int *class, int *neganswer);
67 +int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int *class, int *neganswer, int *nons);
68 int dnssec_chase_cname(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname);
69 int dnskey_keytag(int alg, int flags, unsigned char *rdata, int rdlen);
70 size_t filter_rrsigs(struct dns_header *header, size_t plen);
71 diff --git a/src/dnssec.c b/src/dnssec.c
72 index 026794b077e5..8f27677628b2 100644
73 --- a/src/dnssec.c
74 +++ b/src/dnssec.c
75 @@ -875,8 +875,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
76 /* The DNS packet is expected to contain the answer to a DNSKEY query.
77 Put all DNSKEYs in the answer which are valid into the cache.
78 return codes:
79 - STAT_INSECURE No DNSKEYs in reply.
80 - STAT_SECURE At least one valid DNSKEY found and in cache.
81 + STAT_SECURE At least one valid DNSKEY found and in cache.
82 STAT_BOGUS No DNSKEYs found, which can be validated with DS,
83 or self-sign for DNSKEY RRset is not valid, bad packet.
84 STAT_NEED_DS DS records to validate a key not found, name in keyname
85 @@ -896,11 +895,8 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
86 GETSHORT(qtype, p);
87 GETSHORT(qclass, p);
88
89 - if (qtype != T_DNSKEY || qclass != class)
90 + if (qtype != T_DNSKEY || qclass != class || ntohs(header->ancount) == 0)
91 return STAT_BOGUS;
92 -
93 - if (ntohs(header->ancount) == 0)
94 - return STAT_INSECURE;
95
96 /* See if we have cached a DS record which validates this key */
97 if (!(crecp = cache_find_by_name(NULL, name, now, F_DS)))
98 @@ -1103,17 +1099,17 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
99 /* The DNS packet is expected to contain the answer to a DS query
100 Put all DSs in the answer which are valid into the cache.
101 return codes:
102 - STAT_INSECURE no DS in reply or not signed.
103 STAT_SECURE At least one valid DS found and in cache.
104 STAT_NO_DS It's proved there's no DS here.
105 - STAT_BOGUS At least one DS found, which fails validation, bad packet.
106 + STAT_NO_NS It's proved there's no DS _or_ NS here.
107 + STAT_BOGUS no DS in reply or not signed, fails validation, bad packet.
108 STAT_NEED_DNSKEY DNSKEY records to validate a DS not found, name in keyname
109 */
110
111 int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class)
112 {
113 unsigned char *p = (unsigned char *)(header+1);
114 - int qtype, qclass, val, i, neganswer;
115 + int qtype, qclass, val, i, neganswer, nons;
116
117 if (ntohs(header->qdcount) != 1 ||
118 !(p = skip_name(p, header, plen, 4)))
119 @@ -1125,32 +1121,39 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
120 if (qtype != T_DS || qclass != class)
121 val = STAT_BOGUS;
122 else
123 - val = dnssec_validate_reply(now, header, plen, name, keyname, NULL, &neganswer);
124 -
125 - if (val == STAT_NO_SIG)
126 - val = STAT_INSECURE;
127 + val = dnssec_validate_reply(now, header, plen, name, keyname, NULL, &neganswer, &nons);
128 + /* Note dnssec_validate_reply() will have cached positive answers */
129 +
130 + if (val == STAT_NO_SIG || val == STAT_INSECURE)
131 + val = STAT_BOGUS;
132
133 p = (unsigned char *)(header+1);
134 extract_name(header, plen, &p, name, 1, 4);
135 p += 4; /* qtype, qclass */
136
137 if (!(p = skip_section(p, ntohs(header->ancount), header, plen)))
138 - return STAT_BOGUS;
139 + val = STAT_BOGUS;
140
141 if (val == STAT_BOGUS)
142 - log_query(F_UPSTREAM, name, NULL, "BOGUS DS");
143 -
144 - if ((val == STAT_SECURE || val == STAT_INSECURE) && neganswer)
145 {
146 - int rdlen, flags = F_FORWARD | F_DS | F_NEG;
147 + log_query(F_UPSTREAM, name, NULL, "BOGUS DS");
148 + return STAT_BOGUS;
149 + }
150 +
151 + /* By here, the answer is proved secure, and a positive answer has been cached. */
152 + if (val == STAT_SECURE && neganswer)
153 + {
154 + int rdlen, flags = F_FORWARD | F_DS | F_NEG | F_DNSSECOK;
155 unsigned long ttl, minttl = ULONG_MAX;
156 struct all_addr a;
157
158 if (RCODE(header) == NXDOMAIN)
159 flags |= F_NXDOMAIN;
160
161 - if (val == STAT_SECURE)
162 - flags |= F_DNSSECOK;
163 + /* We only cache validated DS records, DNSSECOK flag hijacked
164 + to store presence/absence of NS. */
165 + if (nons)
166 + flags &= ~F_DNSSECOK;
167
168 for (i = ntohs(header->nscount); i != 0; i--)
169 {
170 @@ -1196,10 +1199,12 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
171 a.addr.dnssec.class = class;
172 cache_insert(name, &a, now, ttl, flags);
173
174 - cache_end_insert();
175 + cache_end_insert();
176 +
177 + log_query(F_UPSTREAM, name, NULL, nons ? "no delegation" : "no DS");
178 }
179
180 - return (val == STAT_SECURE) ? STAT_NO_DS : STAT_INSECURE;
181 + return nons ? STAT_NO_NS : STAT_NO_DS;
182 }
183
184 return val;
185 @@ -1323,12 +1328,15 @@ static int find_nsec_records(struct dns_header *header, size_t plen, unsigned ch
186 }
187
188 static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsigned char **nsecs, int nsec_count,
189 - char *workspace1, char *workspace2, char *name, int type)
190 + char *workspace1, char *workspace2, char *name, int type, int *nons)
191 {
192 int i, rc, rdlen;
193 unsigned char *p, *psave;
194 int offset = (type & 0xff) >> 3;
195 int mask = 0x80 >> (type & 0x07);
196 +
197 + if (nons)
198 + *nons = 0;
199
200 /* Find NSEC record that proves name doesn't exist */
201 for (i = 0; i < nsec_count; i++)
202 @@ -1355,6 +1363,10 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi
203 rdlen -= p - psave;
204 /* rdlen is now length of type map, and p points to it */
205
206 + /* If we can prove that there's no NS record, return that information. */
207 + if (nons && rdlen >= 2 && p[0] == 0 && (p[2] & (0x80 >> T_NS)) == 0)
208 + *nons = 1;
209 +
210 while (rdlen >= 2)
211 {
212 if (!CHECK_LEN(header, p, plen, rdlen))
213 @@ -1456,7 +1468,7 @@ static int base32_decode(char *in, unsigned char *out)
214 }
215
216 static int check_nsec3_coverage(struct dns_header *header, size_t plen, int digest_len, unsigned char *digest, int type,
217 - char *workspace1, char *workspace2, unsigned char **nsecs, int nsec_count)
218 + char *workspace1, char *workspace2, unsigned char **nsecs, int nsec_count, int *nons)
219 {
220 int i, hash_len, salt_len, base32_len, rdlen;
221 unsigned char *p, *psave;
222 @@ -1497,6 +1509,10 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige
223 if (!CHECK_LEN(header, p, plen, rdlen))
224 return 0;
225
226 + /* If we can prove that there's no NS record, return that information. */
227 + if (nons && rdlen >= 2 && p[0] == 0 && (p[2] & (0x80 >> T_NS)) == 0)
228 + *nons = 1;
229 +
230 while (rdlen >= 2)
231 {
232 if (p[0] == type >> 8)
233 @@ -1533,13 +1549,16 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige
234 }
235
236 static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, unsigned char **nsecs, int nsec_count,
237 - char *workspace1, char *workspace2, char *name, int type, char *wildname)
238 + char *workspace1, char *workspace2, char *name, int type, char *wildname, int *nons)
239 {
240 unsigned char *salt, *p, *digest;
241 int digest_len, i, iterations, salt_len, base32_len, algo = 0;
242 struct nettle_hash const *hash;
243 char *closest_encloser, *next_closest, *wildcard;
244 -
245 +
246 + if (nons)
247 + *nons = 0;
248 +
249 /* Look though the NSEC3 records to find the first one with
250 an algorithm we support (currently only algo == 1).
251
252 @@ -1612,7 +1631,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
253 if ((digest_len = hash_name(name, &digest, hash, salt, salt_len, iterations)) == 0)
254 return STAT_BOGUS;
255
256 - if (check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count))
257 + if (check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count, nons))
258 return STAT_SECURE;
259
260 /* Can't find an NSEC3 which covers the name directly, we need the "closest encloser NSEC3"
261 @@ -1657,7 +1676,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
262 if ((digest_len = hash_name(next_closest, &digest, hash, salt, salt_len, iterations)) == 0)
263 return STAT_BOGUS;
264
265 - if (!check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count))
266 + if (!check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count, NULL))
267 return STAT_BOGUS;
268
269 /* Finally, check that there's no seat of wildcard synthesis */
270 @@ -1672,7 +1691,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
271 if ((digest_len = hash_name(wildcard, &digest, hash, salt, salt_len, iterations)) == 0)
272 return STAT_BOGUS;
273
274 - if (!check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count))
275 + if (!check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count, NULL))
276 return STAT_BOGUS;
277 }
278
279 @@ -1681,7 +1700,8 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
280
281 /* Validate all the RRsets in the answer and authority sections of the reply (4035:3.2.3) */
282 /* Returns are the same as validate_rrset, plus the class if the missing key is in *class */
283 -int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int *class, int *neganswer)
284 +int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname,
285 + int *class, int *neganswer, int *nons)
286 {
287 unsigned char *ans_start, *qname, *p1, *p2, **nsecs;
288 int type1, class1, rdlen1, type2, class2, rdlen2, qclass, qtype;
289 @@ -1811,10 +1831,11 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
290 return STAT_BOGUS; /* No NSECs or bad packet */
291
292 if (nsec_type == T_NSEC)
293 - rc = prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, type1);
294 + rc = prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, type1, NULL);
295 else
296 - rc = prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, type1, wildname);
297 -
298 + rc = prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon->workspacename,
299 + keyname, name, type1, wildname, NULL);
300 +
301 if (rc != STAT_SECURE)
302 return rc;
303 }
304 @@ -1937,9 +1958,9 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
305 return STAT_BOGUS;
306
307 if (nsec_type == T_NSEC)
308 - return prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, qtype);
309 + return prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, qtype, nons);
310 else
311 - return prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, qtype, NULL);
312 + return prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, qtype, NULL, nons);
313 }
314
315 /* Chase the CNAME chain in the packet until the first record which _doesn't validate.
316 diff --git a/src/forward.c b/src/forward.c
317 index f28c7d51f708..ee8d7b52d5e5 100644
318 --- a/src/forward.c
319 +++ b/src/forward.c
320 @@ -26,8 +26,9 @@ static void free_frec(struct frec *f);
321 #ifdef HAVE_DNSSEC
322 static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n,
323 int class, char *name, char *keyname, struct server *server, int *keycount);
324 -static int do_check_sign(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class);
325 -static int send_check_sign(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname);
326 +static int do_check_sign(struct frec *forward, int status, time_t now, char *name, char *keyname);
327 +static int send_check_sign(struct frec *forward, time_t now, struct dns_header *header, size_t plen,
328 + char *name, char *keyname);
329 #endif
330
331
332 @@ -815,18 +816,22 @@ void reply_query(int fd, int family, time_t now)
333 else if (forward->flags & FREC_DS_QUERY)
334 {
335 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
336 - if (status == STAT_NO_DS)
337 - status = STAT_INSECURE;
338 + if (status == STAT_NO_DS || status == STAT_NO_NS)
339 + status = STAT_BOGUS;
340 }
341 else if (forward->flags & FREC_CHECK_NOSIGN)
342 - status = do_check_sign(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
343 + {
344 + status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
345 + if (status != STAT_NEED_KEY)
346 + status = do_check_sign(forward, status, now, daemon->namebuff, daemon->keyname);
347 + }
348 else
349 {
350 - status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL);
351 + status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL, NULL);
352 if (status == STAT_NO_SIG)
353 {
354 if (option_bool(OPT_DNSSEC_NO_SIGN))
355 - status = send_check_sign(now, header, n, daemon->namebuff, daemon->keyname);
356 + status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname);
357 else
358 status = STAT_INSECURE;
359 }
360 @@ -861,6 +866,7 @@ void reply_query(int fd, int family, time_t now)
361 new->blocking_query = NULL;
362 new->sentto = server;
363 new->rfd4 = NULL;
364 + new->orig_domain = NULL;
365 #ifdef HAVE_IPV6
366 new->rfd6 = NULL;
367 #endif
368 @@ -889,7 +895,9 @@ void reply_query(int fd, int family, time_t now)
369 new->new_id = get_id();
370 header->id = htons(new->new_id);
371 /* Save query for retransmission */
372 - new->stash = blockdata_alloc((char *)header, nn);
373 + if (!(new->stash = blockdata_alloc((char *)header, nn)))
374 + return;
375 +
376 new->stash_len = nn;
377
378 /* Don't resend this. */
379 @@ -946,18 +954,22 @@ void reply_query(int fd, int family, time_t now)
380 else if (forward->flags & FREC_DS_QUERY)
381 {
382 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
383 - if (status == STAT_NO_DS)
384 - status = STAT_INSECURE;
385 + if (status == STAT_NO_DS || status == STAT_NO_NS)
386 + status = STAT_BOGUS;
387 }
388 else if (forward->flags & FREC_CHECK_NOSIGN)
389 - status = do_check_sign(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
390 + {
391 + status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
392 + if (status != STAT_NEED_KEY)
393 + status = do_check_sign(forward, status, now, daemon->namebuff, daemon->keyname);
394 + }
395 else
396 {
397 - status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL);
398 + status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL, NULL);
399 if (status == STAT_NO_SIG)
400 {
401 if (option_bool(OPT_DNSSEC_NO_SIGN))
402 - status = send_check_sign(now, header, n, daemon->namebuff, daemon->keyname);
403 + status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname);
404 else
405 status = STAT_INSECURE;
406 }
407 @@ -1319,70 +1331,80 @@ void receive_query(struct listener *listen, time_t now)
408 /* UDP: we've got an unsigned answer, return STAT_INSECURE if we can prove there's no DS
409 and therefore the answer shouldn't be signed, or STAT_BOGUS if it should be, or
410 STAT_NEED_DS_NEG and keyname if we need to do the query. */
411 -static int send_check_sign(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname)
412 +static int send_check_sign(struct frec *forward, time_t now, struct dns_header *header, size_t plen,
413 + char *name, char *keyname)
414 {
415 - struct crec *crecp;
416 - char *name_start = name;
417 int status = dnssec_chase_cname(now, header, plen, name, keyname);
418
419 if (status != STAT_INSECURE)
420 return status;
421
422 + /* Store the domain we're trying to check. */
423 + forward->name_start = strlen(name);
424 + forward->name_len = forward->name_start + 1;
425 + if (!(forward->orig_domain = blockdata_alloc(name, forward->name_len)))
426 + return STAT_BOGUS;
427 +
428 + return do_check_sign(forward, 0, now, name, keyname);
429 +}
430 +
431 +/* We either have a a reply (header non-NULL, or we need to start by looking in the cache */
432 +static int do_check_sign(struct frec *forward, int status, time_t now, char *name, char *keyname)
433 +{
434 + /* get domain we're checking back from blockdata store, it's stored on the original query. */
435 + while (forward->dependent)
436 + forward = forward->dependent;
437 +
438 + blockdata_retrieve(forward->orig_domain, forward->name_len, name);
439 +
440 while (1)
441 {
442 - crecp = cache_find_by_name(NULL, name_start, now, F_DS);
443 -
444 - if (crecp && (crecp->flags & F_DNSSECOK))
445 - return (crecp->flags & F_NEG) ? STAT_INSECURE : STAT_BOGUS;
446 -
447 - if (crecp && (crecp->flags & F_NEG) && (name_start = strchr(name_start, '.')))
448 + char *p;
449 +
450 + if (status == 0)
451 {
452 - name_start++; /* chop a label off and try again */
453 - continue;
454 + struct crec *crecp;
455 +
456 + /* Haven't received answer, see if in cache */
457 + if (!(crecp = cache_find_by_name(NULL, &name[forward->name_start], now, F_DS)))
458 + {
459 + /* put name of DS record we're missing into keyname */
460 + strcpy(keyname, &name[forward->name_start]);
461 + /* and wait for reply to arrive */
462 + return STAT_NEED_DS_NEG;
463 + }
464 +
465 + /* F_DNSSECOK misused in DS cache records to non-existance of NS record */
466 + if (!(crecp->flags & F_NEG))
467 + status = STAT_SECURE;
468 + else if (crecp->flags & F_DNSSECOK)
469 + status = STAT_NO_DS;
470 + else
471 + status = STAT_NO_NS;
472 }
473 +
474 + /* Have entered non-signed part of DNS tree. */
475 + if (status == STAT_NO_DS)
476 + return STAT_INSECURE;
477
478 - /* Reached the root */
479 - if (!name_start)
480 + if (status == STAT_BOGUS)
481 return STAT_BOGUS;
482
483 - strcpy(keyname, name_start);
484 - return STAT_NEED_DS_NEG;
485 - }
486 -}
487 -
488 -/* Got answer to DS query from send_check_sign, check for proven non-existence, or make the next DS query to try. */
489 -static int do_check_sign(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class)
490 -
491 -{
492 - char *name_start;
493 - unsigned char *p;
494 - int status;
495 + /* There's a proven DS record, or we're within a zone, where there doesn't need
496 + to be a DS record. Add a name and try again.
497 + If we've already tried the whole name, then fail */
498
499 - /* In this case only, a SERVFAIL reply allows us to continue up the tree, looking for a
500 - suitable NSEC reply to DS queries. */
501 - if (RCODE(header) != SERVFAIL)
502 - {
503 - status = dnssec_validate_ds(now, header, plen, name, keyname, class);
504 + if (forward->name_start == 0)
505 + return STAT_BOGUS;
506
507 - if (status != STAT_INSECURE)
508 - {
509 - if (status == STAT_NO_DS)
510 - status = STAT_INSECURE;
511 - return status;
512 - }
513 - }
514 -
515 - p = (unsigned char *)(header+1);
516 -
517 - if (extract_name(header, plen, &p, name, 1, 4) &&
518 - (name_start = strchr(name, '.')))
519 - {
520 - name_start++; /* chop a label off and try again */
521 - strcpy(keyname, name_start);
522 - return STAT_NEED_DS_NEG;
523 + for (p = &name[forward->name_start-2]; (*p != '.') && (p != name); p--);
524 +
525 + if (p != name)
526 + p++;
527 +
528 + forward->name_start = p - name;
529 + status = 0; /* force to cache when we iterate. */
530 }
531 -
532 - return STAT_BOGUS;
533 }
534
535 /* Move toward the root, until we find a signed non-existance of a DS, in which case
536 @@ -1395,8 +1417,10 @@ static int tcp_check_for_unsigned_zone(time_t now, struct dns_header *header, s
537 unsigned char *packet, *payload;
538 u16 *length;
539 unsigned char *p = (unsigned char *)(header+1);
540 - int status;
541 - char *name_start = name;
542 + int status, name_len;
543 + struct blockdata *block;
544 +
545 + char *name_start;
546
547 /* Get first insecure entry in CNAME chain */
548 status = tcp_key_recurse(now, STAT_CHASE_CNAME, header, plen, class, name, keyname, server, keycount);
549 @@ -1409,95 +1433,113 @@ static int tcp_check_for_unsigned_zone(time_t now, struct dns_header *header, s
550 payload = &packet[2];
551 header = (struct dns_header *)payload;
552 length = (u16 *)packet;
553 +
554 + /* Stash the name away, since the buffer will be trashed when we recurse */
555 + name_len = strlen(name) + 1;
556 + name_start = name + name_len - 1;
557
558 + if (!(block = blockdata_alloc(name, name_len)))
559 + {
560 + free(packet);
561 + return STAT_BOGUS;
562 + }
563 +
564 while (1)
565 {
566 - unsigned char *newhash, hash[HASH_SIZE];
567 unsigned char c1, c2;
568 - struct crec *crecp = cache_find_by_name(NULL, name_start, now, F_DS);
569 -
570 + struct crec *crecp;
571 +
572 if (--(*keycount) == 0)
573 {
574 free(packet);
575 + blockdata_free(block);
576 return STAT_BOGUS;
577 }
578 -
579 - if (crecp && (crecp->flags & F_DNSSECOK))
580 - {
581 - free(packet);
582 - return (crecp->flags & F_NEG) ? STAT_INSECURE : STAT_BOGUS;
583 - }
584
585 - /* If we have cached insecurely that a DS doesn't exist,
586 - ise that is a hit for where to start looking for the secure one */
587 - if (crecp && (crecp->flags & F_NEG) && (name_start = strchr(name_start, '.')))
588 - {
589 - name_start++; /* chop a label off and try again */
590 - continue;
591 - }
592 -
593 - /* reached the root */
594 - if (!name_start)
595 - {
596 - free(packet);
597 - return STAT_BOGUS;
598 + while (crecp = cache_find_by_name(NULL, name_start, now, F_DS))
599 + {
600 + if ((crecp->flags & F_NEG) && (crecp->flags & F_DNSSECOK))
601 + {
602 + /* Found a secure denial of DS - delegation is indeed insecure */
603 + free(packet);
604 + blockdata_free(block);
605 + return STAT_INSECURE;
606 + }
607 +
608 + /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
609 + Add another label and continue. */
610 +
611 + if (name_start == name)
612 + {
613 + free(packet);
614 + blockdata_free(block);
615 + return STAT_BOGUS; /* run out of labels */
616 + }
617 +
618 + name_start -= 2;
619 + while (*name_start != '.' && name_start != name)
620 + name_start--;
621 + if (name_start != name)
622 + name_start++;
623 }
624 +
625 + /* Can't find it in the cache, have to send a query */
626
627 m = dnssec_generate_query(header, ((char *) header) + 65536, name_start, class, T_DS, &server->addr);
628
629 - /* We rely on the question section coming back unchanged, ensure it is with the hash. */
630 - if ((newhash = hash_questions(header, (unsigned int)m, name)))
631 - {
632 - memcpy(hash, newhash, HASH_SIZE);
633 + *length = htons(m);
634
635 - *length = htons(m);
636 + if (read_write(server->tcpfd, packet, m + sizeof(u16), 0) &&
637 + read_write(server->tcpfd, &c1, 1, 1) &&
638 + read_write(server->tcpfd, &c2, 1, 1) &&
639 + read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
640 + {
641 + m = (c1 << 8) | c2;
642 +
643 + /* Note this trashes all three name workspaces */
644 + status = tcp_key_recurse(now, STAT_NEED_DS_NEG, header, m, class, name, keyname, server, keycount);
645
646 - if (read_write(server->tcpfd, packet, m + sizeof(u16), 0) &&
647 - read_write(server->tcpfd, &c1, 1, 1) &&
648 - read_write(server->tcpfd, &c2, 1, 1) &&
649 - read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
650 + if (status == STAT_NO_DS)
651 {
652 - m = (c1 << 8) | c2;
653 -
654 - newhash = hash_questions(header, (unsigned int)m, name);
655 - if (newhash && memcmp(hash, newhash, HASH_SIZE) == 0)
656 - {
657 - /* In this case only, a SERVFAIL reply allows us to continue up the tree, looking for a
658 - suitable NSEC reply to DS queries. */
659 - if (RCODE(header) == SERVFAIL)
660 - status = STAT_INSECURE;
661 - else
662 - /* Note this trashes all three name workspaces */
663 - status = tcp_key_recurse(now, STAT_NEED_DS_NEG, header, m, class, name, keyname, server, keycount);
664 -
665 - /* We've found a DS which proves the bit of the DNS where the
666 - original query is, is unsigned, so the answer is OK,
667 - if unvalidated. */
668 - if (status == STAT_NO_DS)
669 - {
670 - free(packet);
671 - return STAT_INSECURE;
672 - }
673 -
674 - /* No DS, not got to DNSSEC-land yet, go up. */
675 - if (status == STAT_INSECURE)
676 - {
677 - p = (unsigned char *)(header+1);
678 -
679 - if (extract_name(header, plen, &p, name, 1, 4) &&
680 - (name_start = strchr(name, '.')))
681 - {
682 - name_start++; /* chop a label off and try again */
683 - continue;
684 - }
685 - }
686 - }
687 + /* Found a secure denial of DS - delegation is indeed insecure */
688 + free(packet);
689 + blockdata_free(block);
690 + return STAT_INSECURE;
691 + }
692 +
693 + if (status == STAT_BOGUS)
694 + {
695 + free(packet);
696 + blockdata_free(block);
697 + return STAT_BOGUS;
698 + }
699 +
700 + /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
701 + Add another label and continue. */
702 +
703 + /* Get name we're checking back. */
704 + blockdata_retrieve(block, name_len, name);
705 +
706 + if (name_start == name)
707 + {
708 + free(packet);
709 + blockdata_free(block);
710 + return STAT_BOGUS; /* run out of labels */
711 }
712 +
713 + name_start -= 2;
714 + while (*name_start != '.' && name_start != name)
715 + name_start--;
716 + if (name_start != name)
717 + name_start++;
718 + }
719 + else
720 + {
721 + /* IO failure */
722 + free(packet);
723 + blockdata_free(block);
724 + return STAT_BOGUS; /* run out of labels */
725 }
726 -
727 - free(packet);
728 -
729 - return STAT_BOGUS;
730 }
731 }
732
733 @@ -1516,14 +1558,14 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
734 else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
735 {
736 new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
737 - if (status == STAT_NEED_DS && new_status == STAT_NO_DS)
738 - new_status = STAT_INSECURE;
739 + if (status == STAT_NEED_DS && (new_status == STAT_NO_DS || new_status == STAT_NO_NS))
740 + new_status = STAT_BOGUS;
741 }
742 else if (status == STAT_CHASE_CNAME)
743 new_status = dnssec_chase_cname(now, header, n, name, keyname);
744 else
745 {
746 - new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL);
747 + new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL, NULL);
748
749 if (new_status == STAT_NO_SIG)
750 {
751 @@ -1576,14 +1618,14 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
752 else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
753 {
754 new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
755 - if (status == STAT_NEED_DS && new_status == STAT_NO_DS)
756 - new_status = STAT_INSECURE; /* Validated no DS */
757 + if (status == STAT_NEED_DS && (new_status == STAT_NO_DS || new_status == STAT_NO_NS))
758 + new_status = STAT_BOGUS; /* Validated no DS */
759 }
760 else if (status == STAT_CHASE_CNAME)
761 new_status = dnssec_chase_cname(now, header, n, name, keyname);
762 else
763 {
764 - new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL);
765 + new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL, NULL);
766
767 if (new_status == STAT_NO_SIG)
768 {
769 @@ -1961,6 +2003,7 @@ static struct frec *allocate_frec(time_t now)
770 f->dependent = NULL;
771 f->blocking_query = NULL;
772 f->stash = NULL;
773 + f->orig_domain = NULL;
774 #endif
775 daemon->frec_list = f;
776 }
777 @@ -2029,6 +2072,12 @@ static void free_frec(struct frec *f)
778 f->stash = NULL;
779 }
780
781 + if (f->orig_domain)
782 + {
783 + blockdata_free(f->orig_domain);
784 + f->orig_domain = NULL;
785 + }
786 +
787 /* Anything we're waiting on is pointless now, too */
788 if (f->blocking_query)
789 free_frec(f->blocking_query);
790 --
791 2.1.0
792
IPFire 2.x development tree