1/*
2 * validator/val_utils.h - validator utility functions.
3 *
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 *
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35
36/**
37 * \file
38 *
39 * This file contains helper functions for the validator module.
40 */
41
42#ifndef VALIDATOR_VAL_UTILS_H
43#define VALIDATOR_VAL_UTILS_H
44#include "util/data/packed_rrset.h"
45#include "sldns/pkthdr.h"
46#include "sldns/rrdef.h"
47struct query_info;
48struct reply_info;
49struct val_env;
50struct module_env;
51struct module_qstate;
52struct ub_packed_rrset_key;
53struct key_entry_key;
54struct regional;
55struct val_anchors;
56struct rrset_cache;
57struct sock_list;
58
59/**
60 * Response classifications for the validator. The different types of proofs.
61 */
62enum val_classification {
63	/** Not subtyped yet. */
64	VAL_CLASS_UNTYPED = 0,
65	/** Not a recognized subtype. */
66	VAL_CLASS_UNKNOWN,
67	/** A positive, direct, response */
68	VAL_CLASS_POSITIVE,
69	/** A positive response, with a CNAME/DNAME chain. */
70	VAL_CLASS_CNAME,
71	/** A NOERROR/NODATA response. */
72	VAL_CLASS_NODATA,
73	/** A NXDOMAIN response. */
74	VAL_CLASS_NAMEERROR,
75	/** A CNAME/DNAME chain, and the offset is at the end of it,
76	 * but there is no answer here, it can be NAMEERROR or NODATA. */
77	VAL_CLASS_CNAMENOANSWER,
78	/** A referral, from cache with a nonRD query. */
79	VAL_CLASS_REFERRAL,
80	/** A response to a qtype=ANY query. */
81	VAL_CLASS_ANY
82};
83
84/**
85 * Given a response, classify ANSWER responses into a subtype.
86 * @param query_flags: query flags for the original query.
87 * @param origqinf: query info. The original query name.
88 * @param qinf: query info. The chased query name.
89 * @param rep: response. The original response.
90 * @param skip: offset into the original response answer section.
91 * @return A subtype, all values possible except UNTYPED .
92 * 	Once CNAME type is returned you can increase skip.
93 * 	Then, another CNAME type, CNAME_NOANSWER or POSITIVE are possible.
94 */
95enum val_classification val_classify_response(uint16_t query_flags,
96	struct query_info* origqinf, struct query_info* qinf,
97	struct reply_info* rep, size_t skip);
98
99/**
100 * Given a response, determine the name of the "signer". This is primarily
101 * to determine if the response is, in fact, signed at all, and, if so, what
102 * is the name of the most pertinent keyset.
103 *
104 * @param subtype: the type from classify.
105 * @param qinf: query, the chased query name.
106 * @param rep: response to that, original response.
107 * @param cname_skip: how many answer rrsets have been skipped due to CNAME
108 * 	chains being chased around.
109 * @param signer_name:  signer name, if the response is signed
110 * 	(even partially), or null if the response isn't signed.
111 * @param signer_len: length of signer_name of 0 if signer_name is NULL.
112 */
113void val_find_signer(enum val_classification subtype,
114	struct query_info* qinf, struct reply_info* rep,
115	size_t cname_skip, uint8_t** signer_name, size_t* signer_len);
116
117/**
118 * Verify RRset with keys from a keyset.
119 * @param env: module environment (scratch buffer)
120 * @param ve: validator environment (verification settings)
121 * @param rrset: what to verify
122 * @param kkey: key_entry to verify with.
123 * @param reason: reason of failure. Fixed string or alloced in scratch.
124 * @param reason_bogus: EDE (RFC8914) code paired with the reason of failure.
125 * @param section: section of packet where this rrset comes from.
126 * @param qstate: qstate with region.
127 * @param verified: if not NULL, the number of RRSIG validations is returned.
128 * @return security status of verification.
129 */
130enum sec_status val_verify_rrset_entry(struct module_env* env,
131	struct val_env* ve, struct ub_packed_rrset_key* rrset,
132	struct key_entry_key* kkey, char** reason, sldns_ede_code *reason_bogus,
133	sldns_pkt_section section, struct module_qstate* qstate,
134	int* verified);
135
136/**
137 * Verify DNSKEYs with DS rrset. Like val_verify_new_DNSKEYs but
138 * returns a sec_status instead of a key_entry.
139 * @param env: module environment (scratch buffer)
140 * @param ve: validator environment (verification settings)
141 * @param dnskey_rrset: DNSKEY rrset to verify
142 * @param ds_rrset: DS rrset to verify with.
143 * @param sigalg: if nonNULL provide downgrade protection otherwise one
144 *   algorithm is enough.  The list of signalled algorithms is returned,
145 *   must have enough space for ALGO_NEEDS_MAX+1.
146 * @param reason: reason of failure. Fixed string or alloced in scratch.
147 * @param reason_bogus: EDE (RFC8914) code paired with the reason of failure.
148 * @param qstate: qstate with region.
149 * @return: sec_status_secure if a DS matches.
150 *     sec_status_insecure if end of trust (i.e., unknown algorithms).
151 *     sec_status_bogus if it fails.
152 */
153enum sec_status val_verify_DNSKEY_with_DS(struct module_env* env,
154    struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
155    struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason,
156    sldns_ede_code *reason_bogus, struct module_qstate* qstate);
157
158/**
159 * Verify DNSKEYs with DS and DNSKEY rrset.  Like val_verify_DNSKEY_with_DS
160 * but for a trust anchor.
161 * @param env: module environment (scratch buffer)
162 * @param ve: validator environment (verification settings)
163 * @param dnskey_rrset: DNSKEY rrset to verify
164 * @param ta_ds: DS rrset to verify with.
165 * @param ta_dnskey: DNSKEY rrset to verify with.
166 * @param sigalg: if nonNULL provide downgrade protection otherwise one
167 *   algorithm is enough.  The list of signalled algorithms is returned,
168 *   must have enough space for ALGO_NEEDS_MAX+1.
169 * @param reason: reason of failure. Fixed string or alloced in scratch.
170* @param reason_bogus: EDE (RFC8914) code paired with the reason of failure.
171 * @param qstate: qstate with region.
172 * @return: sec_status_secure if a DS matches.
173 *     sec_status_insecure if end of trust (i.e., unknown algorithms).
174 *     sec_status_bogus if it fails.
175 */
176enum sec_status val_verify_DNSKEY_with_TA(struct module_env* env,
177    struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset,
178    struct ub_packed_rrset_key* ta_ds,
179    struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason,
180    sldns_ede_code *reason_bogus, struct module_qstate* qstate);
181
182/**
183 * Verify new DNSKEYs with DS rrset. The DS contains hash values that should
184 * match the DNSKEY keys.
185 * match the DS to a DNSKEY and verify the DNSKEY rrset with that key.
186 *
187 * @param region: where to allocate key entry result.
188 * @param env: module environment (scratch buffer)
189 * @param ve: validator environment (verification settings)
190 * @param dnskey_rrset: DNSKEY rrset to verify
191 * @param ds_rrset: DS rrset to verify with.
192 * @param downprot: if true provide downgrade protection otherwise one
193 *   algorithm is enough.
194 * @param reason: reason of failure. Fixed string or alloced in scratch.
195 * @param reason_bogus: EDE (RFC8914) code paired with the reason of failure.
196 * @param qstate: qstate with region.
197 * @return a KeyEntry. This will either contain the now trusted
198 *         dnskey_rrset, a "null" key entry indicating that this DS
199 *         rrset/DNSKEY pair indicate an secure end to the island of trust
200 *         (i.e., unknown algorithms), or a "bad" KeyEntry if the dnskey
201 *         rrset fails to verify. Note that the "null" response should
202 *         generally only occur in a private algorithm scenario: normally
203 *         this sort of thing is checked before fetching the matching DNSKEY
204 *         rrset.
205 *         if downprot is set, a key entry with an algo list is made.
206 */
207struct key_entry_key* val_verify_new_DNSKEYs(struct regional* region,
208    struct module_env* env, struct val_env* ve,
209    struct ub_packed_rrset_key* dnskey_rrset,
210    struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason,
211    sldns_ede_code *reason_bogus, struct module_qstate* qstate);
212
213/**
214 * Verify rrset with trust anchor: DS and DNSKEY rrset.
215 *
216 * @param region: where to allocate key entry result.
217 * @param env: module environment (scratch buffer)
218 * @param ve: validator environment (verification settings)
219 * @param dnskey_rrset: DNSKEY rrset to verify
220 * @param ta_ds_rrset: DS rrset to verify with.
221 * @param ta_dnskey_rrset: the DNSKEY rrset to verify with.
222 * @param downprot: if true provide downgrade protection otherwise one
223 *   algorithm is enough.
224 * @param reason: reason of failure. Fixed string or alloced in scratch.
225 * @param reason_bogus: EDE (RFC8914) code paired with the reason of failure.
226 * @param qstate: qstate with region.
227 * @return a KeyEntry. This will either contain the now trusted
228 *         dnskey_rrset, a "null" key entry indicating that this DS
229 *         rrset/DNSKEY pair indicate an secure end to the island of trust
230 *         (i.e., unknown algorithms), or a "bad" KeyEntry if the dnskey
231 *         rrset fails to verify. Note that the "null" response should
232 *         generally only occur in a private algorithm scenario: normally
233 *         this sort of thing is checked before fetching the matching DNSKEY
234 *         rrset.
235 *         if downprot is set, a key entry with an algo list is made.
236 */
237struct key_entry_key* val_verify_new_DNSKEYs_with_ta(struct regional* region,
238    struct module_env* env, struct val_env* ve,
239    struct ub_packed_rrset_key* dnskey_rrset,
240    struct ub_packed_rrset_key* ta_ds_rrset,
241    struct ub_packed_rrset_key* ta_dnskey_rrset, int downprot,
242    char** reason, sldns_ede_code *reason_bogus, struct module_qstate* qstate);
243
244/**
245 * Determine if DS rrset is usable for validator or not.
246 * Returns true if the algorithms for key and DShash are supported,
247 * for at least one RR.
248 *
249 * @param ds_rrset: the newly received DS rrset.
250 * @return true or false if not usable.
251 */
252int val_dsset_isusable(struct ub_packed_rrset_key* ds_rrset);
253
254/**
255 * Determine by looking at a signed RRset whether or not the RRset name was
256 * the result of a wildcard expansion. If so, return the name of the
257 * generating wildcard.
258 *
259 * @param rrset The rrset to check.
260 * @param wc: the wildcard name, if the rrset was synthesized from a wildcard.
261 *         unchanged if not.  The wildcard name, without "*." in front, is
262 *         returned. This is a pointer into the rrset owner name.
263 * @param wc_len: the length of the returned wildcard name.
264 * @return false if the signatures are inconsistent in indicating the
265 * 	wildcard status; possible spoofing of wildcard response for other
266 * 	responses is being tried. We lost the status which rrsig was verified
267 * 	after the verification routine finished, so we simply check if
268 * 	the signatures are consistent; inserting a fake signature is a denial
269 * 	of service; but in that you could also have removed the real
270 * 	signature anyway.
271 */
272int val_rrset_wildcard(struct ub_packed_rrset_key* rrset, uint8_t** wc,
273	size_t* wc_len);
274
275/**
276 * Chase the cname to the next query name.
277 * @param qchase: the current query name, updated to next target.
278 * @param rep: original message reply to look at CNAMEs.
279 * @param cname_skip: the skip into the answer section. Updated to skip
280 * 	DNAME and CNAME to the next part of the answer.
281 * @return false on error (bad rdata).
282 */
283int val_chase_cname(struct query_info* qchase, struct reply_info* rep,
284	size_t* cname_skip);
285
286/**
287 * Fill up the chased reply with the content from the original reply;
288 * as pointers to those rrsets. Select the part after the cname_skip into
289 * the answer section, NS and AR sections that are signed with same signer.
290 *
291 * @param chase: chased reply, filled up.
292 * @param orig: original reply.
293 * @param cname_skip: which part of the answer section to skip.
294 * 	The skipped part contains CNAME(and DNAME)s that have been chased.
295 * @param name: the signer name to look for.
296 * @param len: length of name.
297 * @param signer: signer name or NULL if an unsigned RRset is considered.
298 *	If NULL, rrsets with the lookup name are copied over.
299 */
300void val_fill_reply(struct reply_info* chase, struct reply_info* orig,
301	size_t cname_skip, uint8_t* name, size_t len, uint8_t* signer);
302
303/**
304 * Remove rrset with index from reply, from the authority section.
305 * @param rep: reply to remove it from.
306 * @param index: rrset to remove, must be in the authority section.
307 */
308void val_reply_remove_auth(struct reply_info* rep, size_t index);
309
310/**
311 * Remove all unsigned or non-secure status rrsets from NS and AR sections.
312 * So that unsigned data does not get let through to clients, when we have
313 * found the data to be secure.
314 *
315 * @param env: environment with cleaning options.
316 * @param rep: reply to dump all nonsecure stuff out of.
317 */
318void val_check_nonsecure(struct module_env* env, struct reply_info* rep);
319
320/**
321 * Mark all unchecked rrset entries not below a trust anchor as indeterminate.
322 * Only security==unchecked rrsets are updated.
323 * @param rep: the reply with rrsets.
324 * @param anchors: the trust anchors.
325 * @param r: rrset cache to store updated security status into.
326 * @param env: module environment
327 */
328void val_mark_indeterminate(struct reply_info* rep,
329	struct val_anchors* anchors, struct rrset_cache* r,
330	struct module_env* env);
331
332/**
333 * Mark all unchecked rrset entries below a NULL key entry as insecure.
334 * Only security==unchecked rrsets are updated.
335 * @param rep: the reply with rrsets.
336 * @param kname: end of secure space name.
337 * @param r: rrset cache to store updated security status into.
338 * @param env: module environment
339 */
340void val_mark_insecure(struct reply_info* rep, uint8_t* kname,
341	struct rrset_cache* r, struct module_env* env);
342
343/**
344 * Find next unchecked rrset position, return it for skip.
345 * @param rep: the original reply to look into.
346 * @param skip: the skip now.
347 * @return new skip, which may be at the rep->rrset_count position to signal
348 * 	there are no unchecked items.
349 */
350size_t val_next_unchecked(struct reply_info* rep, size_t skip);
351
352/**
353 * Find the signer name for an RRset.
354 * @param rrset: the rrset.
355 * @param sname: signer name is returned or NULL if not signed.
356 * @param slen: length of sname (or 0).
357 */
358void val_find_rrset_signer(struct ub_packed_rrset_key* rrset, uint8_t** sname,
359	size_t* slen);
360
361/**
362 * Get string to denote the classification result.
363 * @param subtype: from classification function.
364 * @return static string to describe the classification.
365 */
366const char* val_classification_to_string(enum val_classification subtype);
367
368/**
369 * Add existing list to blacklist.
370 * @param blacklist: the blacklist with result
371 * @param region: the region where blacklist is allocated.
372 *	Allocation failures are logged.
373 * @param origin: origin list to add, if NULL, a cache-entry is added to
374 *   the blacklist to stop cache from being used.
375 * @param cross: if true this is a cross-qstate copy, and the 'origin'
376 *   list is not allocated in the same region as the blacklist.
377 */
378void val_blacklist(struct sock_list** blacklist, struct regional* region,
379	struct sock_list* origin, int cross);
380
381/**
382 * check if has dnssec info, and if it has signed nsecs. gives error reason.
383 * @param rep: reply to check.
384 * @param reason: returned on fail.
385 * @return false if message has no signed nsecs.  Can not prove negatives.
386 */
387int val_has_signed_nsecs(struct reply_info* rep, char** reason);
388
389/**
390 * Return algo number for favorite (best) algorithm that we support in DS.
391 * @param ds_rrset: the DSes in this rrset are inspected and best algo chosen.
392 * @return algo number or 0 if none supported. 0 is unused as algo number.
393 */
394int val_favorite_ds_algo(struct ub_packed_rrset_key* ds_rrset);
395
396/**
397 * Find DS denial message in cache.  Saves new qstate allocation and allows
398 * the validator to use partial content which is not enough to construct a
399 * message for network (or user) consumption.  Without SOA for example,
400 * which is a common occurrence in the unbound code since the referrals contain
401 * NSEC/NSEC3 rrs without the SOA element, thus do not allow synthesis of a
402 * full negative reply, but do allow synthesis of sufficient proof.
403 * @param env: query env with caches and time.
404 * @param nm: name of DS record sought.
405 * @param nmlen: length of name.
406 * @param c: class of DS RR.
407 * @param region: where to allocate result.
408 * @param topname: name of the key that is currently in use, that will get
409 *	used to validate the result, and thus no higher entries from the
410 *	negative cache need to be examined.
411 * @return a dns_msg on success. NULL on failure.
412 */
413struct dns_msg* val_find_DS(struct module_env* env, uint8_t* nm, size_t nmlen,
414	uint16_t c, struct regional* region, uint8_t* topname);
415
416#endif /* VALIDATOR_VAL_UTILS_H */
417