73 static void process_ds_response(struct module_qstate* qstate, 
245 val_new_getmsg(struct module_qstate* qstate, struct val_qstate* vq)
247 	if(!qstate->return_msg || qstate->return_rcode != LDNS_RCODE_NOERROR) {
250 		vq->orig_msg = (struct dns_msg*)regional_alloc(qstate->region,
254 		vq->orig_msg->qinfo = qstate->qinfo;
256 			qstate->region, sizeof(struct reply_info));
260 		vq->orig_msg->rep->flags = (uint16_t)(qstate->return_rcode&0xf)
261 			|BIT_QR|BIT_RA|(qstate->query_flags|(BIT_CD|BIT_RD));
265 		vq->orig_msg = qstate->return_msg;
267 	vq->qchase = qstate->qinfo;
269 	vq->chase_reply = regional_alloc_init(qstate->region, 
276 	vq->chase_reply->rrsets = regional_alloc_init(qstate->region,
287 val_new(struct module_qstate* qstate, int id)
290 		qstate->region, sizeof(*vq));
291 	log_assert(!qstate->minfo[id]);
295 	qstate->minfo[id] = vq;
297 	return val_new_getmsg(qstate, vq);
318  * @param qstate: query state
323 val_error(struct module_qstate* qstate, int id)
325 	qstate->ext_state[id] = module_error;
326 	qstate->return_rcode = LDNS_RCODE_SERVFAIL;
336  * @param qstate: query state.
343 needs_validation(struct module_qstate* qstate, int ret_rc, 
357 	if(qstate->query_flags & BIT_CD) {
362 	if(qstate->is_valrec) {
383 	if(qstate->qinfo.qtype == LDNS_RR_TYPE_RRSIG &&
413  * @param qstate: query state that is the parent.
422  * @param detached: true if this qstate should not attach to the subquery
426 generate_request(struct module_qstate* qstate, int id, uint8_t* name, 
430 	struct val_qstate* vq = (struct val_qstate*)qstate->minfo[id];
443 	fptr_ok(fptr_whitelist_modenv_detect_cycle(qstate->env->detect_cycle));
444 	if((*qstate->env->detect_cycle)(qstate, &ask,
453 			qstate->env->add_sub));
454 		if(!(*qstate->env->add_sub)(qstate, &ask, 
462 			qstate->env->attach_sub));
463 		if(!(*qstate->env->attach_sub)(qstate, &ask, 
476 	qstate->ext_state[id] = module_wait_subquery;
483  * @param qstate: query state.
489 generate_keytag_query(struct module_qstate* qstate, int id,
503 	enum module_ext_state ext_state = qstate->ext_state[id];
519 	if(!(keytagdname = (uint8_t*)regional_alloc_init(qstate->region,
527 	if(!generate_request(qstate, id, keytagdname, dnamebuf_len,
535 	qstate->ext_state[id] = ext_state;
570  * @param qstate: query state.
577 prime_trust_anchor(struct module_qstate* qstate, struct val_qstate* vq,
581 	int ret = generate_request(qstate, id, toprime->name, toprime->namelen,
584 	if(newq && qstate->env->cfg->trust_anchor_signaling &&
585 		!generate_keytag_query(qstate, id, toprime)) {
599 	vq->trust_anchor_name = regional_alloc_init(qstate->region,
620  * @param qstate: query state.
633 validate_msg_signatures(struct module_qstate* qstate, struct val_qstate* vq,
678 			&reason_bogus, LDNS_SECTION_ANSWER, qstate, &verified);
685 			errinf_ede(qstate, reason, reason_bogus);
687 				errinf(qstate, "for CNAME");
689 				errinf(qstate, "for DNAME");
690 			errinf_origin(qstate, qstate->reply_origin);
722 			&reason_bogus, LDNS_SECTION_AUTHORITY, qstate,
730 			errinf_ede(qstate, reason, reason_bogus);
731 			errinf_origin(qstate, qstate->reply_origin);
732 			errinf_rrset(qstate, s);
768 				&reason, NULL, LDNS_SECTION_ADDITIONAL, qstate,
791 	struct module_qstate* qstate = (struct module_qstate*)arg;
793 	mesh_run(qstate->env->mesh, qstate->mesh_info, module_event_pass,
799 validate_suspend_setup_timer(struct module_qstate* qstate,
808 		errinf(qstate, "max validation suspends reached, "
814 	qstate->ext_state[id] = module_wait_reply;
817 			qstate->env->worker_base,
818 			validate_suspend_timer_cb, qstate);
832 	if(qstate->env->mesh->all.count >= qstate->env->mesh->max_reply_states)
834 	else if(qstate->env->mesh->all.count >= qstate->env->mesh->max_reply_states/2)
836 	else if(qstate->env->mesh->all.count >= qstate->env->mesh->max_reply_states/4)
847 	usec = base + ub_random_max(qstate->env->rnd, usec-base);
953  * @param qstate: query state for the region.
962 	struct key_entry_key* kkey, struct module_qstate* qstate,
1025 		nsec3_cache_table_init(&vq->nsec3_cache_table, qstate->region)) {
1072  * @param qstate: query state for the region.
1081 	struct key_entry_key* kkey, struct module_qstate* qstate,
1139 		nsec3_cache_table_init(&vq->nsec3_cache_table, qstate->region)) {
1186  * @param qstate: query state for the region.
1196 	struct module_qstate* qstate, struct val_qstate* vq,
1238 		nsec3_cache_table_init(&vq->nsec3_cache_table, qstate->region)) {
1261 			qstate, vq, nsec3_calculations, suspend);
1277 			qstate, vq, nsec3_calculations, suspend);
1347  * @param qstate: query state for the region.
1356 	struct key_entry_key* kkey, struct module_qstate* qstate,
1424 		nsec3_cache_table_init(&vq->nsec3_cache_table, qstate->region)) {
1474  * @param qstate: query state for the region.
1483 	struct key_entry_key* kkey, struct module_qstate* qstate,
1558 		nsec3_cache_table_init(&vq->nsec3_cache_table, qstate->region)) {
1604  * @param qstate: query state for the region.
1613 	struct key_entry_key* kkey, struct module_qstate* qstate,
1695 		nsec3_cache_table_init(&vq->nsec3_cache_table, qstate->region)) {
1745  * @param qstate: query state.
1753 processInit(struct module_qstate* qstate, struct val_qstate* vq, 
1760 		qstate->query_flags, &qstate->qinfo, &vq->qchase, 
1764 		return val_error(qstate, id);
1799 	val_mark_indeterminate(vq->chase_reply, qstate->env->anchors, 
1800 		qstate->env->rrset_cache, qstate->env);
1804 	anchor = anchors_lookup(qstate->env->anchors, 
1829 		anchor = anchors_lookup(qstate->env->anchors, 
1841 		qstate->qinfo.qtype == LDNS_RR_TYPE_DNSKEY &&
1842 		query_dname_compare(lookup_name, qstate->qinfo.qname) == 0) {
1861 		vq->qchase.qclass, qstate->region, *qstate->env->now);
1880 				qstate->env->rrset_cache, qstate->env);
1888 		if(!prime_trust_anchor(qstate, vq, id, anchor)) {
1890 			return val_error(qstate, id);
1908 			qstate->env->rrset_cache, qstate->env);
1916 		errinf_dname(qstate, "key for validation", vq->key_entry->name);
1917 		errinf_ede(qstate, "is marked as invalid", ede);
1918 		errinf(qstate, "because of a previous");
1919 		errinf(qstate, key_entry_get_reason(vq->key_entry));
1941  * @param qstate: query state.
1948 processFindKey(struct module_qstate* qstate, struct val_qstate* vq, int id)
1963 		if(!generate_request(qstate, id, vq->ds_rrset->rk.dname, 
1967 			return val_error(qstate, id);
1995 			errinf_ede(qstate, "no signatures", LDNS_EDE_RRSIGS_MISSING);
1996 			errinf_origin(qstate, qstate->reply_origin);
2036 		if(!generate_request(qstate, id, vq->ds_rrset->rk.dname, 
2040 			return val_error(qstate, id);
2062 			process_ds_response(qstate, vq, id, LDNS_RCODE_NOERROR,
2066 				if(!validate_suspend_setup_timer(qstate, vq,
2068 					return val_error(qstate, id);
2073 		} else if(!qstate->blacklist && !vq->chain_blacklist &&
2074 			(msg=val_find_DS(qstate->env, target_key_name, 
2075 			target_key_len, vq->qchase.qclass, qstate->region,
2078 			process_ds_response(qstate, vq, id, LDNS_RCODE_NOERROR,
2082 				if(!validate_suspend_setup_timer(qstate, vq,
2084 					return val_error(qstate, id);
2089 		if(!generate_request(qstate, id, target_key_name, 
2093 			return val_error(qstate, id);
2099 	if(!generate_request(qstate, id, vq->ds_rrset->rk.dname, 
2103 		return val_error(qstate, id);
2117  * @param qstate: query state.
2125 processValidate(struct module_qstate* qstate, struct val_qstate* vq, 
2133 		return val_error(qstate, id);
2145 			qstate->env->rrset_cache, qstate->env);
2147 			qstate->env->cfg->val_log_level >= 2);
2158 		errinf_ede(qstate, "while building chain of trust",
2162 				qstate->env->cfg->val_log_level >= 2);
2173 		errinf_ede(qstate, "no signatures", LDNS_EDE_RRSIGS_MISSING);
2174 		errinf_origin(qstate, qstate->reply_origin);
2179 	subtype = val_classify_response(qstate->query_flags, &qstate->qinfo,
2186 	if(!validate_msg_signatures(qstate, vq, qstate->env, ve,
2189 			if(!validate_suspend_setup_timer(qstate, vq,
2191 				return val_error(qstate, id);
2209 			qstate->errinf = NULL;
2221 			validate_positive_response(qstate->env, ve,
2223 				qstate, vq, &nsec3_calculations, &suspend);
2225 				if(!validate_suspend_setup_timer(qstate,
2227 					return val_error(qstate, id);
2237 			validate_nodata_response(qstate->env, ve,
2239 				qstate, vq, &nsec3_calculations, &suspend);
2241 				if(!validate_suspend_setup_timer(qstate,
2243 					return val_error(qstate, id);
2254 			validate_nameerror_response(qstate->env, ve, 
2256 				qstate, vq, &nsec3_calculations, &suspend);
2258 				if(!validate_suspend_setup_timer(qstate,
2260 					return val_error(qstate, id);
2272 			validate_cname_response(qstate->env, ve,
2274 				qstate, vq, &nsec3_calculations, &suspend);
2276 				if(!validate_suspend_setup_timer(qstate,
2278 					return val_error(qstate, id);
2289 			validate_cname_noanswer_response(qstate->env, ve,
2291 				qstate, vq, &nsec3_calculations, &suspend);
2293 				if(!validate_suspend_setup_timer(qstate,
2295 					return val_error(qstate, id);
2314 			validate_any_response(qstate->env, ve, &vq->qchase,
2315 				vq->chase_reply, vq->key_entry, qstate, vq,
2318 				if(!validate_suspend_setup_timer(qstate,
2320 					return val_error(qstate, id);
2334 			errinf(qstate, "wildcard");
2335 		else errinf(qstate, val_classification_to_string(subtype));
2336 		errinf(qstate, "proof failed");
2337 		errinf_origin(qstate, qstate->reply_origin);
2346  * @param qstate: query state.
2354 processFinished(struct module_qstate* qstate, struct val_qstate* vq, 
2358 		qstate->query_flags, &qstate->qinfo, &vq->qchase, 
2415 		val_check_nonsecure(qstate->env, vq->orig_msg->rep);
2418 				&qstate->qinfo);
2419 			if(!qstate->no_cache_store) {
2420 				val_neg_addreply(qstate->env->neg_cache,
2433 			val_blacklist(&qstate->blacklist, qstate->region, 
2434 				qstate->reply_origin, 0);
2435 			qstate->reply_origin = NULL;
2436 			qstate->errinf = NULL;
2439 			qstate->ext_state[id] = module_restart_next;
2447 			vq->orig_msg->rep->ttl + qstate->env->cfg->serve_expired_ttl;
2448 		if((qstate->env->cfg->val_log_level >= 1 ||
2449 			qstate->env->cfg->log_servfail) &&
2450 			!qstate->env->cfg->val_log_squelch) {
2451 			if(qstate->env->cfg->val_log_level < 2 &&
2452 				!qstate->env->cfg->log_servfail)
2454 					&qstate->qinfo);
2456 				char* err_str = errinf_to_str_bogus(qstate,
2457 					qstate->region);
2471 		if(qstate->env->cfg->val_permissive_mode)
2476 		qstate->env->cfg->root_key_sentinel &&
2477 		(qstate->qinfo.qtype == LDNS_RR_TYPE_A ||
2478 		qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA)) {
2481 		if(*qstate->qinfo.qname == strlen(SENTINEL_IS) +
2483 			dname_lab_startswith(qstate->qinfo.qname, SENTINEL_IS,
2486 				!anchor_has_keytag(qstate->env->anchors,
2491 		} else if(*qstate->qinfo.qname == strlen(SENTINEL_NOT) +
2493 			dname_lab_startswith(qstate->qinfo.qname, SENTINEL_NOT,
2496 				anchor_has_keytag(qstate->env->anchors,
2505 	update_reason_bogus(vq->orig_msg->rep, errinf_to_reason_bogus(qstate));
2507 	if(qstate->query_flags&BIT_RD) {
2510 		if(!qstate->no_cache_store) {
2511 			if(!dns_cache_store(qstate->env, &vq->orig_msg->qinfo,
2512 				vq->orig_msg->rep, 0, qstate->prefetch_leeway, 0, NULL,
2513 				qstate->query_flags, qstate->qstarttime)) {
2520 		if(!dns_cache_store(qstate->env, &vq->orig_msg->qinfo,
2522 			qstate->query_flags, qstate->qstarttime)) {
2526 	qstate->return_rcode = LDNS_RCODE_NOERROR;
2527 	qstate->return_msg = vq->orig_msg;
2528 	qstate->ext_state[id] = module_finished;
2536  * @param qstate: query state.
2542 val_handle(struct module_qstate* qstate, struct val_qstate* vq, 
2551 				cont = processInit(qstate, vq, ve, id);
2554 				cont = processFindKey(qstate, vq, id);
2557 				cont = processValidate(qstate, vq, ve, id);
2560 				cont = processFinished(qstate, vq, ve, id);
2572 val_operate(struct module_qstate* qstate, enum module_ev event, int id,
2575 	struct val_env* ve = (struct val_env*)qstate->env->modinfo[id];
2576 	struct val_qstate* vq = (struct val_qstate*)qstate->minfo[id];
2578 		"event:%s", id, strextstate(qstate->ext_state[id]), 
2581 		&qstate->qinfo);
2582 	if(vq && qstate->qinfo.qname != vq->qchase.qname) 
2591 		qstate->ext_state[id] = module_wait_module;
2598 		if(!needs_validation(qstate, qstate->return_rcode, 
2599 			qstate->return_msg)) {
2601 			if(qstate->return_msg)
2602 				qstate->return_msg->rep->security =
2604 			qstate->ext_state[id] = module_finished;
2607 		if(already_validated(qstate->return_msg)) {
2608 			qstate->ext_state[id] = module_finished;
2613 		if(qstate->qinfo.qclass == LDNS_RR_CLASS_ANY) {
2615 			if(qstate->return_msg) {
2616 				qstate->return_msg->rep->security =
2618 				update_reason_bogus(qstate->return_msg->rep, LDNS_EDE_DNSSEC_BOGUS);
2620 			qstate->ext_state[id] = module_finished;
2624 		qstate->ext_state[id] = module_error; /* override this */
2626 			vq = val_new(qstate, id);
2629 				qstate->ext_state[id] = module_error;
2633 			if(!val_new_getmsg(qstate, vq)) {
2635 				qstate->ext_state[id] = module_error;
2639 		val_handle(qstate, vq, ve, id);
2643 		qstate->ext_state[id] = module_error; /* override this */
2645 		val_handle(qstate, vq, ve, id);
2649 	qstate->ext_state[id] = module_error;
2657  * 	(this rrset is allocated in the wrong region, not the qstate).
2659  * @param qstate: qstate that needs key.
2668 	struct trust_anchor* ta, struct module_qstate* qstate, int id)
2670 	struct val_env* ve = (struct val_env*)qstate->env->modinfo[id];
2675 	int downprot = qstate->env->cfg->harden_algo_downgrade;
2683 		if(qstate->env->cfg->harden_dnssec_stripped) {
2684 			errinf_ede(qstate, reason, reason_bogus);
2685 			kkey = key_entry_create_bad(qstate->region, ta->name,
2688 				*qstate->env->now);
2689 		} else 	kkey = key_entry_create_null(qstate->region, ta->name,
2692 				*qstate->env->now);
2700 	kkey = val_verify_new_DNSKEYs_with_ta(qstate->region, qstate->env, ve, 
2702 		&reason, &reason_bogus, qstate);
2720 		if(qstate->env->cfg->harden_dnssec_stripped) {
2721 			errinf_ede(qstate, reason, reason_bogus);
2722 			kkey = key_entry_create_bad(qstate->region, ta->name,
2725 				*qstate->env->now);
2726 		} else 	kkey = key_entry_create_null(qstate->region, ta->name,
2729 				*qstate->env->now);
2746  * @param qstate: query state that is validating and asked for a DS.
2763 ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
2767 	struct val_env* ve = (struct val_env*)qstate->env->modinfo[id];
2778 		errinf(qstate, rc);
2781 		errinf_ede(qstate, reason, reason_bogus);
2796 			errinf_ede(qstate, reason, reason_bogus);
2801 		sec = val_verify_rrset_entry(qstate->env, ve, ds,
2802 			vq->key_entry, &reason, &reason_bogus, LDNS_SECTION_ANSWER, qstate, &verified);
2806 			errinf_ede(qstate, reason, reason_bogus);
2815 			*ke = key_entry_create_null(qstate->region,
2819 				*qstate->env->now);
2825 		*ke = key_entry_create_rrset(qstate->region,
2827 			NULL, LDNS_EDE_NONE, NULL, *qstate->env->now);
2840 			errinf_ede(qstate, reason, reason_bogus);
2851 			qstate->env, ve, qinfo, msg->rep, vq->key_entry, 
2852 			&proof_ttl, &reason, &reason_bogus, qstate);
2857 				*ke = key_entry_create_null(qstate->region, 
2861 					*qstate->env->now);
2871 				errinf(qstate, reason);
2879 		if(!nsec3_cache_table_init(&vq->nsec3_cache_table, qstate->region)) {
2883 			errinf_ede(qstate, reason, 0);
2886 		sec = nsec3_prove_nods(qstate->env, ve, 
2889 			&reason_bogus, qstate, &vq->nsec3_cache_table);
2898 				*ke = key_entry_create_null(qstate->region, 
2902 					*qstate->env->now);
2912 				errinf_ede(qstate, reason, reason_bogus);
2926 		errinf_ede(qstate, reason, reason_bogus);
2940 			errinf_ede(qstate, reason, reason_bogus);
2951 			errinf_ede(qstate, reason, reason_bogus);
2954 		sec = val_verify_rrset_entry(qstate->env, ve, cname,
2956 			LDNS_SECTION_ANSWER, qstate, &verified);
2964 		errinf(qstate, "CNAME in DS response was not secure.");
2965 		errinf_ede(qstate, reason, reason_bogus);
2970 		errinf(qstate, "no DS and");
2977 			errinf(qstate, rc);
2978 		} else	errinf(qstate, val_classification_to_string(subtype));
2979 		errinf(qstate, "message fails to prove that");
2983 	*ke = key_entry_create_bad(qstate->region, qinfo->qname,
2985 		reason_bogus, reason, *qstate->env->now);
2996  * @param qstate: query state that is validating and asked for a DS.
3007 process_ds_response(struct module_qstate* qstate, struct val_qstate* vq,
3011 	struct val_env* ve = (struct val_env*)qstate->env->modinfo[id];
3017 	ret = ds_response_to_ke(qstate, vq, id, rcode, msg, qinfo, &dske);
3036 		vq->empty_DS_name = regional_alloc_init(qstate->region,
3049 		vq->ds_rrset = key_entry_get_rrset(dske, qstate->region);
3061 		val_blacklist(&vq->chain_blacklist, qstate->region, origin, 1);
3062 		qstate->errinf = NULL;
3066 			errinf_origin(qstate, origin);
3067 			errinf_dname(qstate, "for DS", qinfo->qname);
3086  * @param qstate: query state that is validating and asked for a DNSKEY.
3095 process_dnskey_response(struct module_qstate* qstate, struct val_qstate* vq,
3099 	struct val_env* ve = (struct val_env*)qstate->env->modinfo[id];
3115 			val_blacklist(&vq->chain_blacklist, qstate->region,
3117 			qstate->errinf = NULL;
3123 		vq->key_entry = key_entry_create_bad(qstate->region,
3126 			*qstate->env->now);
3131 		errinf_ede(qstate, reason, reason_bogus);
3132 		errinf_origin(qstate, origin);
3133 		errinf_dname(qstate, "for key", qinfo->qname);
3143 	downprot = qstate->env->cfg->harden_algo_downgrade;
3144 	vq->key_entry = val_verify_new_DNSKEYs(qstate->region, qstate->env,
3145 		ve, dnskey, vq->ds_rrset, downprot, &reason, &reason_bogus, qstate);
3158 					qstate->region, origin, 1);
3159 				qstate->errinf = NULL;
3166 			errinf_ede(qstate, reason, reason_bogus);
3167 			errinf_origin(qstate, origin);
3168 			errinf_dname(qstate, "for key", qinfo->qname);
3175 	qstate->errinf = NULL;
3179 		qstate->env->cfg->val_log_level >= 2);
3189  * @param qstate: query state that is validating and primed a trust anchor.
3197 process_prime_response(struct module_qstate* qstate, struct val_qstate* vq,
3200 	struct val_env* ve = (struct val_env*)qstate->env->modinfo[id];
3202 	struct trust_anchor* ta = anchor_find(qstate->env->anchors, 
3222 		if(!autr_process_prime(qstate->env, ve, ta, dnskey_rrset,
3223 			qstate)) {
3230 	vq->key_entry = primeResponseToKE(dnskey_rrset, ta, qstate, id);
3235 			val_blacklist(&vq->chain_blacklist, qstate->region, 
3237 			qstate->errinf = NULL;
3244 		errinf_origin(qstate, origin);
3245 		errinf_dname(qstate, "for trust anchor", ta->name);
3248 			qstate->env->cfg->val_log_level >= 2);
3256 	/* the qstate will be reactivated after inform_super is done */
3262  * @param qstate: query state that finished.
3264  * @param super: the qstate to inform.
3267 val_inform_super(struct module_qstate* qstate, int id,
3272 		&qstate->qinfo);
3280 		process_prime_response(super, vq, id, qstate->return_rcode,
3281 			qstate->return_msg, qstate->reply_origin);
3284 	if(qstate->qinfo.qtype == LDNS_RR_TYPE_DS) {
3286 		process_ds_response(super, vq, id, qstate->return_rcode,
3287 			qstate->return_msg, &qstate->qinfo,
3288 			qstate->reply_origin, &suspend);
3292 		 * the super qstate whilst the RRs are allocated (and pointed
3293 		 * to) in this sub qstate. */
3303 				qstate->return_msg, super->region);
3306 	} else if(qstate->qinfo.qtype == LDNS_RR_TYPE_DNSKEY) {
3307 		process_dnskey_response(super, vq, id, qstate->return_rcode,
3308 			qstate->return_msg, &qstate->qinfo,
3309 			qstate->reply_origin);
3316 val_clear(struct module_qstate* qstate, int id)
3319 	if(!qstate)
3321 	vq = (struct val_qstate*)qstate->minfo[id];
3328 	qstate->minfo[id] = NULL;

Indexes created Fri Jun 14 05:58:36 MDT 2024