blob: a0fb67ec8e2edc9e88e89154cb6c2dbf3d8458d1 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
|
-- SPDX-License-Identifier: GPL-3.0-or-later
local M = {}
M.layer = {}
local ffi = require('ffi')
function M.layer.finish(state, req, pkt)
if pkt == nil then return end
-- fast filter by the length of the first QNAME label
if pkt.wire[5] == 0 then return state end -- QDCOUNT % 256 == 0, in case we produced that
local label_len = pkt.wire[12]
if label_len ~= 29 and label_len ~= 30 then
return state end
-- end of hot path
local qtype = pkt:qtype()
if not (qtype == kres.type.A or qtype == kres.type.AAAA) then
return state end
if bit.band(state, kres.FAIL) ~= 0 then
return state end
-- check the label name
local qry = req:resolved()
local qname = kres.dname2str(qry:name()):lower()
local sentype, keytag
if label_len == 29 then
sentype = true
keytag = qname:match('^root%-key%-sentinel%-is%-ta%-(%x+)%.')
elseif label_len == 30 then
sentype = false
keytag = qname:match('^root%-key%-sentinel%-not%-ta%-(%x+)%.')
end
if not keytag then return state end
if req.rank ~= ffi.C.KR_RANK_SECURE or req.answer:cd() then
if verbose() then
log('[ta_sentinel] name+type OK but not AD+CD conditions')
end
return state
end
-- check keytag from the label
keytag = tonumber(keytag)
if not keytag or math.floor(keytag) ~= keytag then
return state end -- pattern did not match, exit
if keytag < 0 or keytag > 0xffff then
return state end -- invalid keytag?!, exit
if verbose() then
log('[ta_sentinel] key tag: ' .. keytag .. ', sentinel: ' .. tostring(sentype))
end
local found = false
local ds_set = ffi.C.kr_ta_get(kres.context().trust_anchors, '\0')
if ds_set ~= nil then
for i = 0, ds_set:rdcount() - 1 do
-- Find the key tag in rdata and compare
-- https://tools.ietf.org/html/rfc4034#section-5.1
local rdata = ds_set:rdata_pt(i)
local tag = rdata.data[0] * 256 + rdata.data[1]
if tag == keytag then
found = true
end
end
end
if verbose() then
log('[ta_sentinel] matching trusted TA found: ' .. tostring(found))
if not found then -- print matching TAs in *other* states than Valid
for i = 1, #(trust_anchors.keysets['\0'] or {}) do
local key = trust_anchors.keysets['\0'][i]
if key.key_tag == keytag and key.state ~= 'Valid' then
log('[ta_sentinel] matching UNtrusted TA found in state: '
.. key.state)
end
end
end
end
if sentype ~= found then -- expected key is not there, or unexpected key is there
pkt:clear_payload()
pkt:rcode(kres.rcode.SERVFAIL)
pkt:ad(false)
end
return state -- do not break resolution process
end
return M
|
