mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-12-23 10:06:25 +01:00
17d15b2511
MFC after: 3 weeks
771 lines
22 KiB
C
771 lines
22 KiB
C
/*
|
|
* securechasetrace.c
|
|
* Where all the hard work concerning secure tracing is done
|
|
*
|
|
* (c) 2005, 2006 NLnet Labs
|
|
*
|
|
* See the file LICENSE for the license
|
|
*
|
|
*/
|
|
|
|
#include "drill.h"
|
|
#include <ldns/ldns.h>
|
|
|
|
#define SELF "[S]" /* self sig ok */
|
|
#define TRUST "[T]" /* chain from parent */
|
|
#define BOGUS "[B]" /* bogus */
|
|
#define UNSIGNED "[U]" /* no relevant dnssec data found */
|
|
|
|
#if 0
|
|
/* See if there is a key/ds in trusted that matches
|
|
* a ds in *ds.
|
|
*/
|
|
static ldns_rr_list *
|
|
ds_key_match(ldns_rr_list *ds, ldns_rr_list *trusted)
|
|
{
|
|
size_t i, j;
|
|
bool match;
|
|
ldns_rr *rr_i, *rr_j;
|
|
ldns_rr_list *keys;
|
|
|
|
if (!trusted || !ds) {
|
|
return NULL;
|
|
}
|
|
|
|
match = false;
|
|
keys = ldns_rr_list_new();
|
|
if (!keys) {
|
|
return NULL;
|
|
}
|
|
|
|
if (!ds || !trusted) {
|
|
return NULL;
|
|
}
|
|
|
|
for (i = 0; i < ldns_rr_list_rr_count(trusted); i++) {
|
|
rr_i = ldns_rr_list_rr(trusted, i);
|
|
for (j = 0; j < ldns_rr_list_rr_count(ds); j++) {
|
|
|
|
rr_j = ldns_rr_list_rr(ds, j);
|
|
if (ldns_rr_compare_ds(rr_i, rr_j)) {
|
|
match = true;
|
|
/* only allow unique RRs to match */
|
|
ldns_rr_set_push_rr(keys, rr_i);
|
|
}
|
|
}
|
|
}
|
|
if (match) {
|
|
return keys;
|
|
} else {
|
|
return NULL;
|
|
}
|
|
}
|
|
#endif
|
|
|
|
ldns_pkt *
|
|
get_dnssec_pkt(ldns_resolver *r, ldns_rdf *name, ldns_rr_type t)
|
|
{
|
|
ldns_pkt *p = NULL;
|
|
p = ldns_resolver_query(r, name, t, LDNS_RR_CLASS_IN, 0);
|
|
if (!p) {
|
|
return NULL;
|
|
} else {
|
|
if (verbosity >= 5) {
|
|
ldns_pkt_print(stdout, p);
|
|
}
|
|
return p;
|
|
}
|
|
}
|
|
|
|
#ifdef HAVE_SSL
|
|
/*
|
|
* retrieve keys for this zone
|
|
*/
|
|
static ldns_pkt_type
|
|
get_key(ldns_pkt *p, ldns_rdf *apexname, ldns_rr_list **rrlist, ldns_rr_list **opt_sig)
|
|
{
|
|
return get_dnssec_rr(p, apexname, LDNS_RR_TYPE_DNSKEY, rrlist, opt_sig);
|
|
}
|
|
|
|
/*
|
|
* check to see if we can find a DS rrset here which we can then follow
|
|
*/
|
|
static ldns_pkt_type
|
|
get_ds(ldns_pkt *p, ldns_rdf *ownername, ldns_rr_list **rrlist, ldns_rr_list **opt_sig)
|
|
{
|
|
return get_dnssec_rr(p, ownername, LDNS_RR_TYPE_DS, rrlist, opt_sig);
|
|
}
|
|
#endif /* HAVE_SSL */
|
|
|
|
void
|
|
remove_resolver_nameservers(ldns_resolver *res)
|
|
{
|
|
ldns_rdf *pop;
|
|
|
|
/* remove the old nameserver from the resolver */
|
|
while((pop = ldns_resolver_pop_nameserver(res))) {
|
|
ldns_rdf_deep_free(pop);
|
|
}
|
|
|
|
}
|
|
|
|
void
|
|
show_current_nameservers(FILE *out, ldns_resolver *res)
|
|
{
|
|
size_t i;
|
|
fprintf(out, "Current nameservers for resolver object:\n");
|
|
for (i = 0; i < ldns_resolver_nameserver_count(res); i++) {
|
|
ldns_rdf_print(out, ldns_resolver_nameservers(res)[i]);
|
|
fprintf(out, "\n");
|
|
}
|
|
}
|
|
|
|
/*ldns_pkt **/
|
|
#ifdef HAVE_SSL
|
|
int
|
|
do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
|
|
ldns_rr_class c, ldns_rr_list *trusted_keys, ldns_rdf *start_name
|
|
)
|
|
{
|
|
ldns_resolver *res;
|
|
ldns_pkt *p, *local_p;
|
|
ldns_rr_list *new_nss;
|
|
ldns_rr_list *ns_addr;
|
|
ldns_rdf *pop;
|
|
ldns_rdf **labels = NULL;
|
|
ldns_status status, st;
|
|
ssize_t i;
|
|
size_t j;
|
|
size_t k;
|
|
size_t l;
|
|
uint8_t labels_count = 0;
|
|
|
|
/* dnssec */
|
|
ldns_rr_list *key_list;
|
|
ldns_rr_list *key_sig_list;
|
|
ldns_rr_list *ds_list;
|
|
ldns_rr_list *ds_sig_list;
|
|
ldns_rr_list *correct_key_list;
|
|
ldns_rr_list *trusted_ds_rrs;
|
|
bool new_keys_trusted = false;
|
|
ldns_rr_list *current_correct_keys;
|
|
ldns_rr_list *dataset;
|
|
|
|
ldns_rr_list *nsec_rrs = NULL;
|
|
ldns_rr_list *nsec_rr_sigs = NULL;
|
|
|
|
/* empty non-terminal check */
|
|
bool ent;
|
|
ldns_rr *nsecrr; /* The nsec that proofs the non-terminal */
|
|
ldns_rdf *hashed_name; /* The query hashed with nsec3 params */
|
|
ldns_rdf *label0; /* The first label of an nsec3 owner name */
|
|
|
|
/* glue handling */
|
|
ldns_rr_list *new_ns_addr;
|
|
ldns_rr_list *old_ns_addr;
|
|
ldns_rr *ns_rr;
|
|
|
|
int result = 0;
|
|
|
|
/* printing niceness */
|
|
const ldns_rr_descriptor *descriptor;
|
|
|
|
descriptor = ldns_rr_descript(t);
|
|
|
|
new_nss = NULL;
|
|
ns_addr = NULL;
|
|
key_list = NULL;
|
|
ds_list = NULL;
|
|
|
|
p = NULL;
|
|
local_p = NULL;
|
|
res = ldns_resolver_new();
|
|
key_sig_list = NULL;
|
|
ds_sig_list = NULL;
|
|
|
|
if (!res) {
|
|
error("Memory allocation failed");
|
|
result = -1;
|
|
return result;
|
|
}
|
|
|
|
correct_key_list = ldns_rr_list_new();
|
|
if (!correct_key_list) {
|
|
error("Memory allocation failed");
|
|
result = -1;
|
|
return result;
|
|
}
|
|
|
|
trusted_ds_rrs = ldns_rr_list_new();
|
|
if (!trusted_ds_rrs) {
|
|
error("Memory allocation failed");
|
|
result = -1;
|
|
return result;
|
|
}
|
|
/* Add all preset trusted DS signatures to the list of trusted DS RRs. */
|
|
for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) {
|
|
ldns_rr* one_rr = ldns_rr_list_rr(trusted_keys, j);
|
|
if (ldns_rr_get_type(one_rr) == LDNS_RR_TYPE_DS) {
|
|
ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(one_rr));
|
|
}
|
|
}
|
|
|
|
/* transfer some properties of local_res to res */
|
|
ldns_resolver_set_ip6(res,
|
|
ldns_resolver_ip6(local_res));
|
|
ldns_resolver_set_port(res,
|
|
ldns_resolver_port(local_res));
|
|
ldns_resolver_set_debug(res,
|
|
ldns_resolver_debug(local_res));
|
|
ldns_resolver_set_fail(res,
|
|
ldns_resolver_fail(local_res));
|
|
ldns_resolver_set_usevc(res,
|
|
ldns_resolver_usevc(local_res));
|
|
ldns_resolver_set_random(res,
|
|
ldns_resolver_random(local_res));
|
|
ldns_resolver_set_source(res,
|
|
ldns_resolver_source(local_res));
|
|
ldns_resolver_set_recursive(local_res, true);
|
|
|
|
ldns_resolver_set_recursive(res, false);
|
|
ldns_resolver_set_dnssec_cd(res, false);
|
|
ldns_resolver_set_dnssec(res, true);
|
|
|
|
/* setup the root nameserver in the new resolver */
|
|
status = ldns_resolver_push_nameserver_rr_list(res, global_dns_root);
|
|
if (status != LDNS_STATUS_OK) {
|
|
printf("ERRRRR: %s\n", ldns_get_errorstr_by_id(status));
|
|
ldns_rr_list_print(stdout, global_dns_root);
|
|
result = status;
|
|
goto done;
|
|
}
|
|
labels_count = ldns_dname_label_count(name);
|
|
if (start_name) {
|
|
if (ldns_dname_is_subdomain(name, start_name)) {
|
|
labels_count -= ldns_dname_label_count(start_name);
|
|
} else {
|
|
fprintf(stderr, "Error; ");
|
|
ldns_rdf_print(stderr, name);
|
|
fprintf(stderr, " is not a subdomain of ");
|
|
ldns_rdf_print(stderr, start_name);
|
|
fprintf(stderr, "\n");
|
|
goto done;
|
|
}
|
|
}
|
|
labels = LDNS_XMALLOC(ldns_rdf*, labels_count + 2);
|
|
if (!labels) {
|
|
goto done;
|
|
}
|
|
labels[0] = ldns_dname_new_frm_str(LDNS_ROOT_LABEL_STR);
|
|
labels[1] = ldns_rdf_clone(name);
|
|
for(i = 2 ; i < (ssize_t)labels_count + 2; i++) {
|
|
labels[i] = ldns_dname_left_chop(labels[i - 1]);
|
|
}
|
|
|
|
/* get the nameserver for the label
|
|
* ask: dnskey and ds for the label
|
|
*/
|
|
for(i = (ssize_t)labels_count + 1; i > 0; i--) {
|
|
status = ldns_resolver_send(&local_p, res, labels[i], LDNS_RR_TYPE_NS, c, 0);
|
|
|
|
if (verbosity >= 5) {
|
|
ldns_pkt_print(stdout, local_p);
|
|
}
|
|
|
|
new_nss = ldns_pkt_rr_list_by_type(local_p,
|
|
LDNS_RR_TYPE_NS, LDNS_SECTION_ANSWER);
|
|
if (!new_nss) {
|
|
/* if it's a delegation, servers put them in the auth section */
|
|
new_nss = ldns_pkt_rr_list_by_type(local_p,
|
|
LDNS_RR_TYPE_NS, LDNS_SECTION_AUTHORITY);
|
|
}
|
|
|
|
/* if this is the final step there might not be nameserver records
|
|
of course if the data is in the apex, there are, so cover both
|
|
cases */
|
|
if (new_nss || i > 1) {
|
|
for(j = 0; j < ldns_rr_list_rr_count(new_nss); j++) {
|
|
ns_rr = ldns_rr_list_rr(new_nss, j);
|
|
pop = ldns_rr_rdf(ns_rr, 0);
|
|
if (!pop) {
|
|
printf("nopo\n");
|
|
break;
|
|
}
|
|
/* retrieve it's addresses */
|
|
/* trust glue? */
|
|
new_ns_addr = NULL;
|
|
if (ldns_dname_is_subdomain(pop, labels[i])) {
|
|
new_ns_addr = ldns_pkt_rr_list_by_name_and_type(local_p, pop, LDNS_RR_TYPE_A, LDNS_SECTION_ADDITIONAL);
|
|
}
|
|
if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) {
|
|
new_ns_addr = ldns_get_rr_list_addr_by_name(res, pop, c, 0);
|
|
}
|
|
if (!new_ns_addr || ldns_rr_list_rr_count(new_ns_addr) == 0) {
|
|
new_ns_addr = ldns_get_rr_list_addr_by_name(local_res, pop, c, 0);
|
|
}
|
|
|
|
if (new_ns_addr) {
|
|
old_ns_addr = ns_addr;
|
|
ns_addr = ldns_rr_list_cat_clone(ns_addr, new_ns_addr);
|
|
ldns_rr_list_deep_free(old_ns_addr);
|
|
}
|
|
ldns_rr_list_deep_free(new_ns_addr);
|
|
}
|
|
ldns_rr_list_deep_free(new_nss);
|
|
|
|
if (ns_addr) {
|
|
remove_resolver_nameservers(res);
|
|
|
|
if (ldns_resolver_push_nameserver_rr_list(res, ns_addr) !=
|
|
LDNS_STATUS_OK) {
|
|
error("Error adding new nameservers");
|
|
ldns_pkt_free(local_p);
|
|
goto done;
|
|
}
|
|
ldns_rr_list_deep_free(ns_addr);
|
|
} else {
|
|
status = ldns_verify_denial(local_p, labels[i], LDNS_RR_TYPE_NS, &nsec_rrs, &nsec_rr_sigs);
|
|
|
|
/* verify the nsec3 themselves*/
|
|
if (verbosity >= 4) {
|
|
printf("NSEC(3) Records to verify:\n");
|
|
ldns_rr_list_print(stdout, nsec_rrs);
|
|
printf("With signatures:\n");
|
|
ldns_rr_list_print(stdout, nsec_rr_sigs);
|
|
printf("correct keys:\n");
|
|
ldns_rr_list_print(stdout, correct_key_list);
|
|
}
|
|
|
|
if (status == LDNS_STATUS_OK) {
|
|
if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
|
|
fprintf(stdout, "%s ", TRUST);
|
|
fprintf(stdout, "Existence denied: ");
|
|
ldns_rdf_print(stdout, labels[i]);
|
|
/*
|
|
if (descriptor && descriptor->_name) {
|
|
printf(" %s", descriptor->_name);
|
|
} else {
|
|
printf(" TYPE%u", t);
|
|
}
|
|
*/ fprintf(stdout, " NS\n");
|
|
} else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
|
|
fprintf(stdout, "%s ", SELF);
|
|
fprintf(stdout, "Existence denied: ");
|
|
ldns_rdf_print(stdout, labels[i]);
|
|
/*
|
|
if (descriptor && descriptor->_name) {
|
|
printf(" %s", descriptor->_name);
|
|
} else {
|
|
printf(" TYPE%u", t);
|
|
}
|
|
*/
|
|
fprintf(stdout, " NS\n");
|
|
} else {
|
|
fprintf(stdout, "%s ", BOGUS);
|
|
result = 1;
|
|
printf(";; Error verifying denial of existence for name ");
|
|
ldns_rdf_print(stdout, labels[i]);
|
|
/*
|
|
printf(" type ");
|
|
if (descriptor && descriptor->_name) {
|
|
printf("%s", descriptor->_name);
|
|
} else {
|
|
printf("TYPE%u", t);
|
|
}
|
|
*/ printf("NS: %s\n", ldns_get_errorstr_by_id(st));
|
|
}
|
|
} else {
|
|
fprintf(stdout, "%s ", BOGUS);
|
|
result = 1;
|
|
printf(";; Error verifying denial of existence for name ");
|
|
ldns_rdf_print(stdout, labels[i]);
|
|
printf("NS: %s\n", ldns_get_errorstr_by_id(status));
|
|
}
|
|
|
|
/* there might be an empty non-terminal, in which case we need to continue */
|
|
ent = false;
|
|
for (j = 0; j < ldns_rr_list_rr_count(nsec_rrs); j++) {
|
|
nsecrr = ldns_rr_list_rr(nsec_rrs, j);
|
|
/* For NSEC when the next name is a subdomain of the question */
|
|
if (ldns_rr_get_type(nsecrr) == LDNS_RR_TYPE_NSEC &&
|
|
ldns_dname_is_subdomain(ldns_rr_rdf(nsecrr, 0), labels[i])) {
|
|
ent = true;
|
|
|
|
/* For NSEC3, the hash matches the name and the type bitmap is empty*/
|
|
} else if (ldns_rr_get_type(nsecrr) == LDNS_RR_TYPE_NSEC3) {
|
|
hashed_name = ldns_nsec3_hash_name_frm_nsec3(nsecrr, labels[i]);
|
|
label0 = ldns_dname_label(ldns_rr_owner(nsecrr), 0);
|
|
if (hashed_name && label0 &&
|
|
ldns_dname_compare(hashed_name, label0) == 0 &&
|
|
ldns_nsec3_bitmap(nsecrr) == NULL) {
|
|
ent = true;
|
|
}
|
|
if (label0) {
|
|
LDNS_FREE(label0);
|
|
}
|
|
if (hashed_name) {
|
|
LDNS_FREE(hashed_name);
|
|
}
|
|
}
|
|
}
|
|
if (!ent) {
|
|
ldns_rr_list_deep_free(nsec_rrs);
|
|
ldns_rr_list_deep_free(nsec_rr_sigs);
|
|
ldns_pkt_free(local_p);
|
|
goto done;
|
|
} else {
|
|
printf(";; There is an empty non-terminal here, continue\n");
|
|
continue;
|
|
}
|
|
}
|
|
|
|
if (ldns_resolver_nameserver_count(res) == 0) {
|
|
error("No nameservers found for this node");
|
|
goto done;
|
|
}
|
|
}
|
|
ldns_pkt_free(local_p);
|
|
|
|
fprintf(stdout, ";; Domain: ");
|
|
ldns_rdf_print(stdout, labels[i]);
|
|
fprintf(stdout, "\n");
|
|
|
|
/* retrieve keys for current domain, and verify them
|
|
if they match an already trusted DS, or if one of the
|
|
keys used to sign these is trusted, add the keys to
|
|
the trusted list */
|
|
p = get_dnssec_pkt(res, labels[i], LDNS_RR_TYPE_DNSKEY);
|
|
(void) get_key(p, labels[i], &key_list, &key_sig_list);
|
|
if (key_sig_list) {
|
|
if (key_list) {
|
|
current_correct_keys = ldns_rr_list_new();
|
|
if ((st = ldns_verify(key_list, key_sig_list, key_list, current_correct_keys)) ==
|
|
LDNS_STATUS_OK) {
|
|
/* add all signed keys (don't just add current_correct, you'd miss
|
|
* the zsk's then */
|
|
for (j = 0; j < ldns_rr_list_rr_count(key_list); j++) {
|
|
ldns_rr_list_push_rr(correct_key_list, ldns_rr_clone(ldns_rr_list_rr(key_list, j)));
|
|
}
|
|
|
|
/* check whether these keys were signed
|
|
* by a trusted keys. if so, these
|
|
* keys are also trusted */
|
|
new_keys_trusted = false;
|
|
for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) {
|
|
for (j = 0; j < ldns_rr_list_rr_count(trusted_ds_rrs); j++) {
|
|
if (ldns_rr_compare_ds(ldns_rr_list_rr(current_correct_keys, k),
|
|
ldns_rr_list_rr(trusted_ds_rrs, j))) {
|
|
new_keys_trusted = true;
|
|
}
|
|
}
|
|
}
|
|
|
|
/* also all keys are trusted if one of the current correct keys is trusted */
|
|
for (k = 0; k < ldns_rr_list_rr_count(current_correct_keys); k++) {
|
|
for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) {
|
|
if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, k),
|
|
ldns_rr_list_rr(trusted_keys, j)) == 0) {
|
|
new_keys_trusted = true;
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
if (new_keys_trusted) {
|
|
ldns_rr_list_push_rr_list(trusted_keys, key_list);
|
|
print_rr_list_abbr(stdout, key_list, TRUST);
|
|
ldns_rr_list_free(key_list);
|
|
key_list = NULL;
|
|
} else {
|
|
if (verbosity >= 2) {
|
|
printf(";; Signature ok but no chain to a trusted key or ds record\n");
|
|
}
|
|
print_rr_list_abbr(stdout, key_list, SELF);
|
|
ldns_rr_list_deep_free(key_list);
|
|
key_list = NULL;
|
|
}
|
|
} else {
|
|
print_rr_list_abbr(stdout, key_list, BOGUS);
|
|
result = 2;
|
|
ldns_rr_list_deep_free(key_list);
|
|
key_list = NULL;
|
|
}
|
|
ldns_rr_list_free(current_correct_keys);
|
|
current_correct_keys = NULL;
|
|
} else {
|
|
printf(";; No DNSKEY record found for ");
|
|
ldns_rdf_print(stdout, labels[i]);
|
|
printf("\n");
|
|
}
|
|
}
|
|
|
|
ldns_pkt_free(p);
|
|
ldns_rr_list_deep_free(key_sig_list);
|
|
key_sig_list = NULL;
|
|
|
|
/* check the DS records for the next child domain */
|
|
if (i > 1) {
|
|
p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS);
|
|
(void) get_ds(p, labels[i-1], &ds_list, &ds_sig_list);
|
|
if (!ds_list) {
|
|
ldns_pkt_free(p);
|
|
if (ds_sig_list) {
|
|
ldns_rr_list_deep_free(ds_sig_list);
|
|
}
|
|
p = get_dnssec_pkt(res, name, LDNS_RR_TYPE_DNSKEY);
|
|
(void) get_ds(p, NULL, &ds_list, &ds_sig_list);
|
|
}
|
|
if (ds_sig_list) {
|
|
if (ds_list) {
|
|
if (verbosity >= 4) {
|
|
printf("VERIFYING:\n");
|
|
printf("DS LIST:\n");
|
|
ldns_rr_list_print(stdout, ds_list);
|
|
printf("SIGS:\n");
|
|
ldns_rr_list_print(stdout, ds_sig_list);
|
|
printf("KEYS:\n");
|
|
ldns_rr_list_print(stdout, correct_key_list);
|
|
}
|
|
|
|
current_correct_keys = ldns_rr_list_new();
|
|
|
|
if ((st = ldns_verify(ds_list, ds_sig_list, correct_key_list, current_correct_keys)) ==
|
|
LDNS_STATUS_OK) {
|
|
/* if the ds is signed by a trusted key and a key from correct keys
|
|
matches that ds, add that key to the trusted keys */
|
|
new_keys_trusted = false;
|
|
if (verbosity >= 2) {
|
|
printf("Checking if signing key is trusted:\n");
|
|
}
|
|
for (j = 0; j < ldns_rr_list_rr_count(current_correct_keys); j++) {
|
|
if (verbosity >= 2) {
|
|
printf("New key: ");
|
|
ldns_rr_print(stdout, ldns_rr_list_rr(current_correct_keys, j));
|
|
}
|
|
for (k = 0; k < ldns_rr_list_rr_count(trusted_keys); k++) {
|
|
if (verbosity >= 2) {
|
|
printf("\tTrusted key: ");
|
|
ldns_rr_print(stdout, ldns_rr_list_rr(trusted_keys, k));
|
|
}
|
|
if (ldns_rr_compare(ldns_rr_list_rr(current_correct_keys, j),
|
|
ldns_rr_list_rr(trusted_keys, k)) == 0) {
|
|
if (verbosity >= 2) {
|
|
printf("Key is now trusted!\n");
|
|
}
|
|
for (l = 0; l < ldns_rr_list_rr_count(ds_list); l++) {
|
|
ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(ldns_rr_list_rr(ds_list, l)));
|
|
new_keys_trusted = true;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
if (new_keys_trusted) {
|
|
print_rr_list_abbr(stdout, ds_list, TRUST);
|
|
} else {
|
|
print_rr_list_abbr(stdout, ds_list, SELF);
|
|
}
|
|
} else {
|
|
result = 3;
|
|
print_rr_list_abbr(stdout, ds_list, BOGUS);
|
|
}
|
|
|
|
ldns_rr_list_free(current_correct_keys);
|
|
current_correct_keys = NULL;
|
|
} else {
|
|
/* wait apparently there were no keys either, go back to the ds packet */
|
|
ldns_pkt_free(p);
|
|
ldns_rr_list_deep_free(ds_sig_list);
|
|
p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS);
|
|
(void) get_ds(p, labels[i-1], &ds_list, &ds_sig_list);
|
|
|
|
status = ldns_verify_denial(p, labels[i-1], LDNS_RR_TYPE_DS, &nsec_rrs, &nsec_rr_sigs);
|
|
|
|
if (verbosity >= 4) {
|
|
printf("NSEC(3) Records to verify:\n");
|
|
ldns_rr_list_print(stdout, nsec_rrs);
|
|
printf("With signatures:\n");
|
|
ldns_rr_list_print(stdout, nsec_rr_sigs);
|
|
printf("correct keys:\n");
|
|
ldns_rr_list_print(stdout, correct_key_list);
|
|
}
|
|
|
|
if (status == LDNS_STATUS_OK) {
|
|
if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
|
|
fprintf(stdout, "%s ", TRUST);
|
|
fprintf(stdout, "Existence denied: ");
|
|
ldns_rdf_print(stdout, labels[i-1]);
|
|
printf(" DS");
|
|
fprintf(stdout, "\n");
|
|
} else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
|
|
fprintf(stdout, "%s ", SELF);
|
|
fprintf(stdout, "Existence denied: ");
|
|
ldns_rdf_print(stdout, labels[i-1]);
|
|
printf(" DS");
|
|
fprintf(stdout, "\n");
|
|
} else {
|
|
result = 4;
|
|
fprintf(stdout, "%s ", BOGUS);
|
|
printf("Error verifying denial of existence for ");
|
|
ldns_rdf_print(stdout, labels[i-1]);
|
|
printf(" DS");
|
|
printf(": %s\n", ldns_get_errorstr_by_id(st));
|
|
}
|
|
|
|
|
|
} else {
|
|
if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) {
|
|
printf(";; No DS for ");
|
|
ldns_rdf_print(stdout, labels[i - 1]);
|
|
} else {
|
|
printf("[B] Unable to verify denial of existence for ");
|
|
ldns_rdf_print(stdout, labels[i - 1]);
|
|
printf(" DS: %s\n", ldns_get_errorstr_by_id(status));
|
|
}
|
|
}
|
|
if (verbosity >= 2) {
|
|
printf(";; No ds record for delegation\n");
|
|
}
|
|
}
|
|
}
|
|
ldns_rr_list_deep_free(ds_list);
|
|
ldns_pkt_free(p);
|
|
} else {
|
|
/* if this is the last label, just verify the data and stop */
|
|
p = get_dnssec_pkt(res, labels[i], t);
|
|
(void) get_dnssec_rr(p, labels[i], t, &dataset, &key_sig_list);
|
|
if (dataset && ldns_rr_list_rr_count(dataset) > 0) {
|
|
if (key_sig_list && ldns_rr_list_rr_count(key_sig_list) > 0) {
|
|
|
|
/* If this is a wildcard, you must be able to deny exact match */
|
|
if ((st = ldns_verify(dataset, key_sig_list, trusted_keys, NULL)) == LDNS_STATUS_OK) {
|
|
fprintf(stdout, "%s ", TRUST);
|
|
ldns_rr_list_print(stdout, dataset);
|
|
} else if ((st = ldns_verify(dataset, key_sig_list, correct_key_list, NULL)) == LDNS_STATUS_OK) {
|
|
fprintf(stdout, "%s ", SELF);
|
|
ldns_rr_list_print(stdout, dataset);
|
|
} else {
|
|
result = 5;
|
|
fprintf(stdout, "%s ", BOGUS);
|
|
ldns_rr_list_print(stdout, dataset);
|
|
printf(";; Error: %s\n", ldns_get_errorstr_by_id(st));
|
|
}
|
|
} else {
|
|
fprintf(stdout, "%s ", UNSIGNED);
|
|
ldns_rr_list_print(stdout, dataset);
|
|
}
|
|
ldns_rr_list_deep_free(dataset);
|
|
} else {
|
|
status = ldns_verify_denial(p, name, t, &nsec_rrs, &nsec_rr_sigs);
|
|
if (status == LDNS_STATUS_OK) {
|
|
/* verify the nsec3 themselves*/
|
|
if (verbosity >= 5) {
|
|
printf("NSEC(3) Records to verify:\n");
|
|
ldns_rr_list_print(stdout, nsec_rrs);
|
|
printf("With signatures:\n");
|
|
ldns_rr_list_print(stdout, nsec_rr_sigs);
|
|
printf("correct keys:\n");
|
|
ldns_rr_list_print(stdout, correct_key_list);
|
|
/*
|
|
printf("trusted keys at %p:\n", trusted_keys);
|
|
ldns_rr_list_print(stdout, trusted_keys);
|
|
*/ }
|
|
|
|
if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, trusted_keys, NULL)) == LDNS_STATUS_OK) {
|
|
fprintf(stdout, "%s ", TRUST);
|
|
fprintf(stdout, "Existence denied: ");
|
|
ldns_rdf_print(stdout, name);
|
|
if (descriptor && descriptor->_name) {
|
|
printf(" %s", descriptor->_name);
|
|
} else {
|
|
printf(" TYPE%u", t);
|
|
}
|
|
fprintf(stdout, "\n");
|
|
} else if ((st = ldns_verify(nsec_rrs, nsec_rr_sigs, correct_key_list, NULL)) == LDNS_STATUS_OK) {
|
|
fprintf(stdout, "%s ", SELF);
|
|
fprintf(stdout, "Existence denied: ");
|
|
ldns_rdf_print(stdout, name);
|
|
if (descriptor && descriptor->_name) {
|
|
printf(" %s", descriptor->_name);
|
|
} else {
|
|
printf(" TYPE%u", t);
|
|
}
|
|
fprintf(stdout, "\n");
|
|
} else {
|
|
result = 6;
|
|
fprintf(stdout, "%s ", BOGUS);
|
|
printf("Error verifying denial of existence for ");
|
|
ldns_rdf_print(stdout, name);
|
|
printf(" type ");
|
|
if (descriptor && descriptor->_name) {
|
|
printf("%s", descriptor->_name);
|
|
} else {
|
|
printf("TYPE%u", t);
|
|
}
|
|
printf(": %s\n", ldns_get_errorstr_by_id(st));
|
|
}
|
|
|
|
ldns_rr_list_deep_free(nsec_rrs);
|
|
ldns_rr_list_deep_free(nsec_rr_sigs);
|
|
} else {
|
|
/*
|
|
*/
|
|
if (status == LDNS_STATUS_CRYPTO_NO_RRSIG) {
|
|
printf("%s ", UNSIGNED);
|
|
printf("No data found for: ");
|
|
ldns_rdf_print(stdout, name);
|
|
printf(" type ");
|
|
if (descriptor && descriptor->_name) {
|
|
printf("%s", descriptor->_name);
|
|
} else {
|
|
printf("TYPE%u", t);
|
|
}
|
|
printf("\n");
|
|
} else {
|
|
printf("[B] Unable to verify denial of existence for ");
|
|
ldns_rdf_print(stdout, name);
|
|
printf(" type ");
|
|
if (descriptor && descriptor->_name) {
|
|
printf("%s", descriptor->_name);
|
|
} else {
|
|
printf("TYPE%u", t);
|
|
}
|
|
printf("\n");
|
|
}
|
|
|
|
}
|
|
}
|
|
ldns_pkt_free(p);
|
|
}
|
|
|
|
new_nss = NULL;
|
|
ns_addr = NULL;
|
|
ldns_rr_list_deep_free(key_list);
|
|
key_list = NULL;
|
|
ldns_rr_list_deep_free(key_sig_list);
|
|
key_sig_list = NULL;
|
|
ds_list = NULL;
|
|
ldns_rr_list_deep_free(ds_sig_list);
|
|
ds_sig_list = NULL;
|
|
}
|
|
printf(";;" SELF " self sig OK; " BOGUS " bogus; " TRUST " trusted\n");
|
|
/* verbose mode?
|
|
printf("Trusted keys:\n");
|
|
ldns_rr_list_print(stdout, trusted_keys);
|
|
printf("trusted dss:\n");
|
|
ldns_rr_list_print(stdout, trusted_ds_rrs);
|
|
*/
|
|
|
|
done:
|
|
ldns_rr_list_deep_free(trusted_ds_rrs);
|
|
ldns_rr_list_deep_free(correct_key_list);
|
|
ldns_resolver_deep_free(res);
|
|
if (labels) {
|
|
for(i = 0 ; i < (ssize_t)labels_count + 2; i++) {
|
|
ldns_rdf_deep_free(labels[i]);
|
|
}
|
|
LDNS_FREE(labels);
|
|
}
|
|
return result;
|
|
}
|
|
#endif /* HAVE_SSL */
|