1/*
2 * validator/val_nsec.c - validator NSEC denial of existence functions.
3 *
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 *
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35
36/**
37 * \file
38 *
39 * This file contains helper functions for the validator module.
40 * The functions help with NSEC checking, the different NSEC proofs
41 * for denial of existence, and proofs for presence of types.
42 */
43#include "config.h"
44#include "validator/val_nsec.h"
45#include "validator/val_utils.h"
46#include "util/data/msgreply.h"
47#include "util/data/dname.h"
48#include "util/net_help.h"
49#include "util/module.h"
50#include "services/cache/rrset.h"
51
52/** get ttl of rrset */
53static uint32_t
54rrset_get_ttl(struct ub_packed_rrset_key* k)
55{
56	struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data;
57	return d->ttl;
58}
59
60int
61nsecbitmap_has_type_rdata(uint8_t* bitmap, size_t len, uint16_t type)
62{
63	/* Check type present in NSEC typemap with bitmap arg */
64	/* bitmasks for determining type-lowerbits presence */
65	uint8_t masks[8] = {0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01};
66	uint8_t type_window = type>>8;
67	uint8_t type_low = type&0xff;
68	uint8_t win, winlen;
69	/* read each of the type bitmap windows and see if the searched
70	 * type is amongst it */
71	while(len > 0) {
72		if(len < 3) /* bad window, at least window# winlen bitmap */
73			return 0;
74		win = *bitmap++;
75		winlen = *bitmap++;
76		len -= 2;
77		if(len < winlen || winlen < 1 || winlen > 32)
78			return 0;	/* bad window length */
79		if(win == type_window) {
80			/* search window bitmap for the correct byte */
81			/* mybyte is 0 if we need the first byte */
82			size_t mybyte = type_low>>3;
83			if(winlen <= mybyte)
84				return 0; /* window too short */
85			return (int)(bitmap[mybyte] & masks[type_low&0x7]);
86		} else {
87			/* not the window we are looking for */
88			bitmap += winlen;
89			len -= winlen;
90		}
91	}
92	/* end of bitmap reached, no type found */
93	return 0;
94}
95
96int
97nsec_has_type(struct ub_packed_rrset_key* nsec, uint16_t type)
98{
99	struct packed_rrset_data* d = (struct packed_rrset_data*)nsec->
100		entry.data;
101	size_t len;
102	if(!d || d->count == 0 || d->rr_len[0] < 2+1)
103		return 0;
104	len = dname_valid(d->rr_data[0]+2, d->rr_len[0]-2);
105	if(!len)
106		return 0;
107	return nsecbitmap_has_type_rdata(d->rr_data[0]+2+len,
108		d->rr_len[0]-2-len, type);
109}
110
111/**
112 * Get next owner name from nsec record
113 * @param nsec: the nsec RRset.
114 *	If there are multiple RRs, then this will only return one of them.
115 * @param nm: the next name is returned.
116 * @param ln: length of nm is returned.
117 * @return false on a bad NSEC RR (too short, malformed dname).
118 */
119static int
120nsec_get_next(struct ub_packed_rrset_key* nsec, uint8_t** nm, size_t* ln)
121{
122	struct packed_rrset_data* d = (struct packed_rrset_data*)nsec->
123		entry.data;
124	if(!d || d->count == 0 || d->rr_len[0] < 2+1) {
125		*nm = 0;
126		*ln = 0;
127		return 0;
128	}
129	*nm = d->rr_data[0]+2;
130	*ln = dname_valid(*nm, d->rr_len[0]-2);
131	if(!*ln) {
132		*nm = 0;
133		*ln = 0;
134		return 0;
135	}
136	return 1;
137}
138
139/**
140 * For an NSEC that matches the DS queried for, check absence of DS type.
141 *
142 * @param nsec: NSEC for proof, must be trusted.
143 * @param qinfo: what is queried for.
144 * @return if secure the nsec proves that no DS is present, or
145 *	insecure if it proves it is not a delegation point.
146 *	or bogus if something was wrong.
147 */
148static enum sec_status
149val_nsec_proves_no_ds(struct ub_packed_rrset_key* nsec,
150	struct query_info* qinfo)
151{
152	log_assert(qinfo->qtype == LDNS_RR_TYPE_DS);
153	log_assert(ntohs(nsec->rk.type) == LDNS_RR_TYPE_NSEC);
154
155	if(nsec_has_type(nsec, LDNS_RR_TYPE_SOA) && qinfo->qname_len != 1) {
156		/* SOA present means that this is the NSEC from the child,
157		 * not the parent (so it is the wrong one). */
158		return sec_status_bogus;
159	}
160	if(nsec_has_type(nsec, LDNS_RR_TYPE_DS)) {
161		/* DS present means that there should have been a positive
162		 * response to the DS query, so there is something wrong. */
163		return sec_status_bogus;
164	}
165
166	if(!nsec_has_type(nsec, LDNS_RR_TYPE_NS)) {
167		/* If there is no NS at this point at all, then this
168		 * doesn't prove anything one way or the other. */
169		return sec_status_insecure;
170	}
171	/* Otherwise, this proves no DS. */
172	return sec_status_secure;
173}
174
175/** check security status from cache or verify rrset, returns true if secure */
176static int
177nsec_verify_rrset(struct module_env* env, struct val_env* ve,
178	struct ub_packed_rrset_key* nsec, struct key_entry_key* kkey,
179	char** reason, struct module_qstate* qstate)
180{
181	struct packed_rrset_data* d = (struct packed_rrset_data*)
182		nsec->entry.data;
183	if(d->security == sec_status_secure)
184		return 1;
185	rrset_check_sec_status(env->rrset_cache, nsec, *env->now);
186	if(d->security == sec_status_secure)
187		return 1;
188	d->security = val_verify_rrset_entry(env, ve, nsec, kkey, reason,
189		LDNS_SECTION_AUTHORITY, qstate);
190	if(d->security == sec_status_secure) {
191		rrset_update_sec_status(env->rrset_cache, nsec, *env->now);
192		return 1;
193	}
194	return 0;
195}
196
197enum sec_status
198val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
199	struct query_info* qinfo, struct reply_info* rep,
200	struct key_entry_key* kkey, time_t* proof_ttl, char** reason,
201	struct module_qstate* qstate)
202{
203	struct ub_packed_rrset_key* nsec = reply_find_rrset_section_ns(
204		rep, qinfo->qname, qinfo->qname_len, LDNS_RR_TYPE_NSEC,
205		qinfo->qclass);
206	enum sec_status sec;
207	size_t i;
208	uint8_t* wc = NULL, *ce = NULL;
209	int valid_nsec = 0;
210	struct ub_packed_rrset_key* wc_nsec = NULL;
211
212	/* If we have a NSEC at the same name, it must prove one
213	 * of two things
214	 * --
215	 * 1) this is a delegation point and there is no DS
216	 * 2) this is not a delegation point */
217	if(nsec) {
218		if(!nsec_verify_rrset(env, ve, nsec, kkey, reason, qstate)) {
219			verbose(VERB_ALGO, "NSEC RRset for the "
220				"referral did not verify.");
221			return sec_status_bogus;
222		}
223		sec = val_nsec_proves_no_ds(nsec, qinfo);
224		if(sec == sec_status_bogus) {
225			/* something was wrong. */
226			*reason = "NSEC does not prove absence of DS";
227			return sec;
228		} else if(sec == sec_status_insecure) {
229			/* this wasn't a delegation point. */
230			return sec;
231		} else if(sec == sec_status_secure) {
232			/* this proved no DS. */
233			*proof_ttl = ub_packed_rrset_ttl(nsec);
234			return sec;
235		}
236		/* if unchecked, fall through to next proof */
237	}
238
239	/* Otherwise, there is no NSEC at qname. This could be an ENT.
240	 * (ENT=empty non terminal). If not, this is broken. */
241
242	/* verify NSEC rrsets in auth section */
243	for(i=rep->an_numrrsets; i < rep->an_numrrsets+rep->ns_numrrsets;
244		i++) {
245		if(rep->rrsets[i]->rk.type != htons(LDNS_RR_TYPE_NSEC))
246			continue;
247		if(!nsec_verify_rrset(env, ve, rep->rrsets[i], kkey, reason,
248			qstate)) {
249			verbose(VERB_ALGO, "NSEC for empty non-terminal "
250				"did not verify.");
251			return sec_status_bogus;
252		}
253		if(nsec_proves_nodata(rep->rrsets[i], qinfo, &wc)) {
254			verbose(VERB_ALGO, "NSEC for empty non-terminal "
255				"proved no DS.");
256			*proof_ttl = rrset_get_ttl(rep->rrsets[i]);
257			if(wc && dname_is_wild(rep->rrsets[i]->rk.dname))
258				wc_nsec = rep->rrsets[i];
259			valid_nsec = 1;
260		}
261		if(val_nsec_proves_name_error(rep->rrsets[i], qinfo->qname)) {
262			ce = nsec_closest_encloser(qinfo->qname,
263				rep->rrsets[i]);
264		}
265	}
266	if(wc && !ce)
267		valid_nsec = 0;
268	else if(wc && ce) {
269		/* ce and wc must match */
270		if(query_dname_compare(wc, ce) != 0)
271			valid_nsec = 0;
272		else if(!wc_nsec)
273			valid_nsec = 0;
274	}
275	if(valid_nsec) {
276		if(wc) {
277			/* check if this is a delegation */
278			*reason = "NSEC for wildcard does not prove absence of DS";
279			return val_nsec_proves_no_ds(wc_nsec, qinfo);
280		}
281		/* valid nsec proves empty nonterminal */
282		return sec_status_insecure;
283	}
284
285	/* NSEC proof did not conclusively point to DS or no DS */
286	return sec_status_unchecked;
287}
288
289int nsec_proves_nodata(struct ub_packed_rrset_key* nsec,
290	struct query_info* qinfo, uint8_t** wc)
291{
292	log_assert(wc);
293	if(query_dname_compare(nsec->rk.dname, qinfo->qname) != 0) {
294		uint8_t* nm;
295		size_t ln;
296
297		/* empty-non-terminal checking.
298		 * Done before wildcard, because this is an exact match,
299		 * and would prevent a wildcard from matching. */
300
301		/* If the nsec is proving that qname is an ENT, the nsec owner
302		 * will be less than qname, and the next name will be a child
303		 * domain of the qname. */
304		if(!nsec_get_next(nsec, &nm, &ln))
305			return 0; /* bad nsec */
306		if(dname_strict_subdomain_c(nm, qinfo->qname) &&
307			dname_canonical_compare(nsec->rk.dname,
308				qinfo->qname) < 0) {
309			return 1; /* proves ENT */
310		}
311
312		/* wildcard checking. */
313
314		/* If this is a wildcard NSEC, make sure that a) it was
315		 * possible to have generated qname from the wildcard and
316		 * b) the type map does not contain qtype. Note that this
317		 * does NOT prove that this wildcard was the applicable
318		 * wildcard. */
319		if(dname_is_wild(nsec->rk.dname)) {
320			/* the purported closest encloser. */
321			uint8_t* ce = nsec->rk.dname;
322			size_t ce_len = nsec->rk.dname_len;
323			dname_remove_label(&ce, &ce_len);
324
325			/* The qname must be a strict subdomain of the
326			 * closest encloser, for the wildcard to apply
327			 */
328			if(dname_strict_subdomain_c(qinfo->qname, ce)) {
329				/* here we have a matching NSEC for the qname,
330				 * perform matching NSEC checks */
331				if(nsec_has_type(nsec, LDNS_RR_TYPE_CNAME)) {
332				   /* should have gotten the wildcard CNAME */
333					return 0;
334				}
335				if(nsec_has_type(nsec, LDNS_RR_TYPE_NS) &&
336				   !nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) {
337				   /* wrong parentside (wildcard) NSEC used */
338					return 0;
339				}
340				if(nsec_has_type(nsec, qinfo->qtype)) {
341					return 0;
342				}
343				*wc = ce;
344				return 1;
345			}
346		} else {
347			/* See if the next owner name covers a wildcard
348			 * empty non-terminal. */
349			while (dname_canonical_compare(nsec->rk.dname, nm) < 0) {
350				/* wildcard does not apply if qname below
351				 * the name that exists under the '*' */
352				if (dname_subdomain_c(qinfo->qname, nm))
353					break;
354				/* but if it is a wildcard and qname is below
355				 * it, then the wildcard applies. The wildcard
356				 * is an empty nonterminal. nodata proven. */
357				if (dname_is_wild(nm)) {
358					size_t ce_len = ln;
359					uint8_t* ce = nm;
360					dname_remove_label(&ce, &ce_len);
361					if(dname_strict_subdomain_c(qinfo->qname, ce)) {
362						*wc = ce;
363						return 1;
364					}
365				}
366				dname_remove_label(&nm, &ln);
367			}
368		}
369
370		/* Otherwise, this NSEC does not prove ENT and is not a
371		 * wildcard, so it does not prove NODATA. */
372		return 0;
373	}
374
375	/* If the qtype exists, then we should have gotten it. */
376	if(nsec_has_type(nsec, qinfo->qtype)) {
377		return 0;
378	}
379
380	/* if the name is a CNAME node, then we should have gotten the CNAME*/
381	if(nsec_has_type(nsec, LDNS_RR_TYPE_CNAME)) {
382		return 0;
383	}
384
385	/* If an NS set exists at this name, and NOT a SOA (so this is a
386	 * zone cut, not a zone apex), then we should have gotten a
387	 * referral (or we just got the wrong NSEC).
388	 * The reverse of this check is used when qtype is DS, since that
389	 * must use the NSEC from above the zone cut. */
390	if(qinfo->qtype != LDNS_RR_TYPE_DS &&
391		nsec_has_type(nsec, LDNS_RR_TYPE_NS) &&
392		!nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) {
393		return 0;
394	} else if(qinfo->qtype == LDNS_RR_TYPE_DS &&
395		nsec_has_type(nsec, LDNS_RR_TYPE_SOA) &&
396		!dname_is_root(qinfo->qname)) {
397		return 0;
398	}
399
400	return 1;
401}
402
403int
404val_nsec_proves_name_error(struct ub_packed_rrset_key* nsec, uint8_t* qname)
405{
406	uint8_t* owner = nsec->rk.dname;
407	uint8_t* next;
408	size_t nlen;
409	if(!nsec_get_next(nsec, &next, &nlen))
410		return 0;
411
412	/* If NSEC owner == qname, then this NSEC proves that qname exists. */
413	if(query_dname_compare(qname, owner) == 0) {
414		return 0;
415	}
416
417	/* If NSEC is a parent of qname, we need to check the type map
418	 * If the parent name has a DNAME or is a delegation point, then
419	 * this NSEC is being misused. */
420	if(dname_subdomain_c(qname, owner) &&
421		(nsec_has_type(nsec, LDNS_RR_TYPE_DNAME) ||
422		(nsec_has_type(nsec, LDNS_RR_TYPE_NS)
423			&& !nsec_has_type(nsec, LDNS_RR_TYPE_SOA))
424		)) {
425		return 0;
426	}
427
428	if(query_dname_compare(owner, next) == 0) {
429		/* this nsec is the only nsec */
430		/* zone.name NSEC zone.name, disproves everything else */
431		/* but only for subdomains of that zone */
432		if(dname_strict_subdomain_c(qname, next))
433			return 1;
434	}
435	else if(dname_canonical_compare(owner, next) > 0) {
436		/* this is the last nsec, ....(bigger) NSEC zonename(smaller) */
437		/* the names after the last (owner) name do not exist
438		 * there are no names before the zone name in the zone
439		 * but the qname must be a subdomain of the zone name(next). */
440		if(dname_canonical_compare(owner, qname) < 0 &&
441			dname_strict_subdomain_c(qname, next))
442			return 1;
443	} else {
444		/* regular NSEC, (smaller) NSEC (larger) */
445		if(dname_canonical_compare(owner, qname) < 0 &&
446		   dname_canonical_compare(qname, next) < 0) {
447			return 1;
448		}
449	}
450	return 0;
451}
452
453int val_nsec_proves_insecuredelegation(struct ub_packed_rrset_key* nsec,
454	struct query_info* qinfo)
455{
456	if(nsec_has_type(nsec, LDNS_RR_TYPE_NS) &&
457		!nsec_has_type(nsec, LDNS_RR_TYPE_DS) &&
458		!nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) {
459		/* see if nsec signals an insecure delegation */
460		if(qinfo->qtype == LDNS_RR_TYPE_DS) {
461			/* if type is DS and qname is equal to nsec, then it
462			 * is an exact match nsec, result not insecure */
463			if(dname_strict_subdomain_c(qinfo->qname,
464				nsec->rk.dname))
465				return 1;
466		} else {
467			if(dname_subdomain_c(qinfo->qname, nsec->rk.dname))
468				return 1;
469		}
470	}
471	return 0;
472}
473
474uint8_t*
475nsec_closest_encloser(uint8_t* qname, struct ub_packed_rrset_key* nsec)
476{
477	uint8_t* next;
478	size_t nlen;
479	uint8_t* common1, *common2;
480	if(!nsec_get_next(nsec, &next, &nlen))
481		return NULL;
482	/* longest common with owner or next name */
483	common1 = dname_get_shared_topdomain(nsec->rk.dname, qname);
484	common2 = dname_get_shared_topdomain(next, qname);
485	if(dname_count_labels(common1) > dname_count_labels(common2))
486		return common1;
487	return common2;
488}
489
490int val_nsec_proves_positive_wildcard(struct ub_packed_rrset_key* nsec,
491	struct query_info* qinf, uint8_t* wc)
492{
493	uint8_t* ce;
494	/*  1) prove that qname doesn't exist and
495	 *  2) that the correct wildcard was used
496	 *  nsec has been verified already. */
497	if(!val_nsec_proves_name_error(nsec, qinf->qname))
498		return 0;
499	/* check wildcard name */
500	ce = nsec_closest_encloser(qinf->qname, nsec);
501	if(!ce)
502		return 0;
503	if(query_dname_compare(wc, ce) != 0) {
504		return 0;
505	}
506	return 1;
507}
508
509int
510val_nsec_proves_no_wc(struct ub_packed_rrset_key* nsec, uint8_t* qname,
511	size_t qnamelen)
512{
513	/* Determine if a NSEC record proves the non-existence of a
514	 * wildcard that could have produced qname. */
515	int labs;
516	uint8_t* ce = nsec_closest_encloser(qname, nsec);
517	uint8_t* strip;
518	size_t striplen;
519	uint8_t buf[LDNS_MAX_DOMAINLEN+3];
520	if(!ce)
521		return 0;
522	/* we can subtract the closest encloser count - since that is the
523	 * largest shared topdomain with owner and next NSEC name,
524	 * because the NSEC is no proof for names shorter than the owner
525	 * and next names. */
526	labs = dname_count_labels(qname) - dname_count_labels(ce);
527
528	if(labs > 0) {
529		/* i is number of labels to strip off qname, prepend * wild */
530		strip = qname;
531		striplen = qnamelen;
532		dname_remove_labels(&strip, &striplen, labs);
533		if(striplen > LDNS_MAX_DOMAINLEN-2)
534			return 0; /* too long to prepend wildcard */
535		buf[0] = 1;
536		buf[1] = (uint8_t)'*';
537		memmove(buf+2, strip, striplen);
538		if(val_nsec_proves_name_error(nsec, buf)) {
539			return 1;
540		}
541	}
542	return 0;
543}
544