1 /*
2 * Part of DNS zone file validator `validns`.
3 *
4 * Copyright 2011-2014 Anton Berezin <tobez@tobez.org>
5 * Modified BSD license.
6 * (See LICENSE file in the distribution.)
7 *
8 */
9
10 #include <ctype.h>
11 #include <sys/types.h>
12 #include <string.h>
13 #include <stdio.h>
14 #include <netinet/in.h>
15 #include <arpa/inet.h>
16
17 #include "common.h"
18 #include "textparse.h"
19 #include "mempool.h"
20 #include "carp.h"
21 #include "rr.h"
22 #include "base32hex.h"
23
nsec3_parse(char * name,long ttl,int type,char * s)24 static struct rr* nsec3_parse(char *name, long ttl, int type, char *s)
25 {
26 struct rr_nsec3 *rr = getmem(sizeof(*rr));
27 struct rr *ret_rr;
28 struct binary_data bitmap;
29 int i;
30 int opt_out = 0;
31 char *str_type = NULL;
32 int ltype;
33
34 i = extract_integer(&s, "hash algorithm");
35 if (i < 0)
36 return NULL;
37 if (i > 255)
38 return bitch("bad hash algorithm value");
39 if (i != 1)
40 return bitch("unrecognized or unsupported hash algorithm");
41 rr->hash_algorithm = i;
42
43 i = extract_integer(&s, "flags");
44 if (i < 0)
45 return NULL;
46 if (i > 255)
47 return bitch("bad flags value");
48
49 if (!(i == 0 || i == 1))
50 return bitch("unsupported flags value");
51 if (i == 1)
52 opt_out = 1;
53 rr->flags = i;
54
55 i = extract_integer(&s, "iterations");
56 if (i < 0)
57 return NULL;
58 if (i > 2500)
59 return bitch("bad iterations value");
60 rr->iterations = i;
61 /* TODO validate iteration count according to key size,
62 * as per http://tools.ietf.org/html/rfc5155#section-10.3 */
63
64 if (*s == '-') {
65 rr->salt.length = 0;
66 rr->salt.data = NULL;
67 s++;
68 if (*s && !isspace(*s) && *s != ';' && *s != ')')
69 return bitch("salt is not valid");
70 s = skip_white_space(s);
71 } else {
72 rr->salt = extract_hex_binary_data(&s, "salt", EXTRACT_DONT_EAT_WHITESPACE);
73 if (rr->salt.length <= 0)
74 return NULL;
75 if (rr->salt.length > 255)
76 return bitch("salt is too long");
77 }
78
79 rr->next_hashed_owner = extract_base32hex_binary_data(&s, "next hashed owner");
80 if (rr->next_hashed_owner.length != 20) {
81 return bitch("next hashed owner does not have the right size");
82 }
83
84 bitmap = new_set();
85 while (s && *s) {
86 str_type = extract_label(&s, "type list", "temporary");
87 if (!str_type) return NULL;
88 ltype = str2rdtype(str_type, NULL);
89 if (ltype < 0)
90 return NULL;
91 add_bit_to_set(&bitmap, ltype);
92 }
93 if (!s)
94 return NULL;
95 rr->type_bitmap = compressed_set(&bitmap);
96
97 rr->corresponding_name = NULL;
98 rr->next_nsec3 = NULL;
99
100 if (!remember_nsec3(name, rr))
101 return NULL;
102
103 ret_rr = store_record(type, name, ttl, rr);
104 if (ret_rr) {
105 G.nsec3_present = 1;
106 G.dnssec_active = 1;
107 G.stats.nsec3_count++;
108 if (opt_out) {
109 G.nsec3_opt_out_present = 1;
110 }
111 if (ret_rr && !nsec3param)
112 nsec3param = ret_rr;
113 }
114 return ret_rr;
115 }
116
nsec3_human(struct rr * rrv)117 static char* nsec3_human(struct rr *rrv)
118 {
119 RRCAST(nsec3);
120 char ss[1024];
121 char *s = ss;
122 int l;
123 int i;
124
125 l = snprintf(s, 1024, "%u %u %u ", rr->hash_algorithm, rr->flags, rr->iterations);
126 s += l;
127 if (rr->salt.length) {
128 for (i = 0; i < rr->salt.length; i++) {
129 l = snprintf(s, 1024-(s-ss), "%02X", (unsigned char)rr->salt.data[i]);
130 s += l;
131 }
132 } else {
133 sprintf(s, "-");
134 }
135 return quickstrdup_temp(ss);
136 }
137
nsec3_wirerdata(struct rr * rrv)138 static struct binary_data nsec3_wirerdata(struct rr *rrv)
139 {
140 RRCAST(nsec3);
141
142 return compose_binary_data("112bbd", 1,
143 rr->hash_algorithm, rr->flags,
144 rr->iterations, rr->salt,
145 rr->next_hashed_owner, rr->type_bitmap);
146 }
147
148 struct rr_nsec3 *first_nsec3 = NULL;
149 struct rr_nsec3 *latest_nsec3 = NULL;
150
nsec3_validate(struct rr * rrv)151 void* nsec3_validate(struct rr *rrv)
152 {
153 RRCAST(nsec3);
154
155 if (!first_nsec3) {
156 first_nsec3 = rr;
157 }
158 if (latest_nsec3) {
159 if (memcmp(latest_nsec3->next_hashed_owner.data, rr->this_hashed_name.data, 20) != 0) {
160 char *expected_name = quickstrdup_temp(rr->rr.rr_set->named_rr->name);
161 /* guaranteed to have same length, I think */
162 encode_base32hex(expected_name, 32, latest_nsec3->next_hashed_owner.data, 20);
163 if (rr == first_nsec3) {
164 moan(latest_nsec3->rr.file_name, latest_nsec3->rr.line,
165 "broken NSEC3 chain, expected %s, but nothing found",
166 expected_name);
167 } else {
168 moan(latest_nsec3->rr.file_name, latest_nsec3->rr.line,
169 "broken NSEC3 chain, expected %s, but found %s",
170 expected_name,
171 rr->rr.rr_set->named_rr->name);
172 }
173 if (rr != first_nsec3)
174 latest_nsec3->next_nsec3 = rr;
175 latest_nsec3 = rr;
176 return NULL;
177 }
178 if (rr != first_nsec3)
179 latest_nsec3->next_nsec3 = rr;
180 }
181 latest_nsec3 = rr;
182 return rr;
183 }
184
185 struct rr_methods nsec3_methods = { nsec3_parse, nsec3_human, nsec3_wirerdata, NULL, nsec3_validate };
186