summaryrefslogtreecommitdiffstats
path: root/modules/ta_sentinel/ta_sentinel.lua
blob: a0fb67ec8e2edc9e88e89154cb6c2dbf3d8458d1 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
-- SPDX-License-Identifier: GPL-3.0-or-later
local M = {}
M.layer = {}
local ffi = require('ffi')

function M.layer.finish(state, req, pkt)
	if pkt == nil then return end
	-- fast filter by the length of the first QNAME label
	if pkt.wire[5] == 0 then return state end -- QDCOUNT % 256 == 0, in case we produced that
	local label_len = pkt.wire[12]
	if label_len ~= 29 and label_len ~= 30 then
		return state end
	-- end of hot path

	local qtype = pkt:qtype()
	if not (qtype == kres.type.A or qtype == kres.type.AAAA) then
		return state end
	if bit.band(state, kres.FAIL) ~= 0 then
		return state end

	-- check the label name
	local qry = req:resolved()
	local qname = kres.dname2str(qry:name()):lower()
	local sentype, keytag
	if label_len == 29 then
		sentype = true
		keytag = qname:match('^root%-key%-sentinel%-is%-ta%-(%x+)%.')
	elseif label_len == 30 then
		sentype = false
		keytag = qname:match('^root%-key%-sentinel%-not%-ta%-(%x+)%.')
	end
	if not keytag then return state end

	if req.rank ~= ffi.C.KR_RANK_SECURE or req.answer:cd() then
		if verbose() then
			log('[ta_sentinel] name+type OK but not AD+CD conditions')
		end
		return state
	end

	-- check keytag from the label
	keytag = tonumber(keytag)
	if not keytag or math.floor(keytag) ~= keytag then
		return state end -- pattern did not match, exit
	if keytag < 0 or keytag > 0xffff then
		return state end -- invalid keytag?!, exit

	if verbose() then
		log('[ta_sentinel] key tag: ' .. keytag .. ', sentinel: ' .. tostring(sentype))
	end

	local found = false
	local ds_set = ffi.C.kr_ta_get(kres.context().trust_anchors, '\0')
	if ds_set ~= nil then
		for i = 0, ds_set:rdcount() - 1 do
			-- Find the key tag in rdata and compare
			-- https://tools.ietf.org/html/rfc4034#section-5.1
			local rdata = ds_set:rdata_pt(i)
			local tag = rdata.data[0] * 256 + rdata.data[1]
			if tag == keytag then
				found = true
			end
		end
	end
	if verbose() then
		log('[ta_sentinel] matching trusted TA found: ' .. tostring(found))
		if not found then -- print matching TAs in *other* states than Valid
			for i = 1, #(trust_anchors.keysets['\0'] or {}) do
				local key = trust_anchors.keysets['\0'][i]
				if key.key_tag == keytag and key.state ~= 'Valid' then
					log('[ta_sentinel] matching UNtrusted TA found in state: '
						.. key.state)
				end
			end
		end
	end

	if sentype ~= found then -- expected key is not there, or unexpected key is there
		pkt:clear_payload()
		pkt:rcode(kres.rcode.SERVFAIL)
		pkt:ad(false)
	end
	return state -- do not break resolution process
end

return M