diff --git a/SOURCES/dnsmasq-2.90-CVE-2023-50387-CVE-2023-50868.patch b/SOURCES/dnsmasq-2.90-CVE-2023-50387-CVE-2023-50868.patch new file mode 100644 index 0000000..5874392 --- /dev/null +++ b/SOURCES/dnsmasq-2.90-CVE-2023-50387-CVE-2023-50868.patch @@ -0,0 +1,2091 @@ +commit b2298dec2a9d3c1e7fe495460c14b34b1cf655cf +Author: Tomas Korbar +Date: Tue Feb 20 13:39:09 2024 +0100 + + Fix CVE 2023-50387 and CVE 2023-50868 + + Add limits on the resources used to do DNSSEC validation. + DNSSEC introduces a potential CPU DoS, because a crafted domain + can force a validator to a large number of cryptographic + operations whilst attempting to do validation. When using TCP + transport a DNSKEY RRset contain thousands of members and any + RRset can have thousands of signatures. The potential number + of signature validations to follow the RFC for validation + for one RRset is the cross product of the keys and signatures, + so millions. In practice, the actual numbers are much lower, + so attacks can be mitigated by limiting the amount of + cryptographic "work" to a much lower amount. The actual + limits are number a signature validation fails per RRset(20), + number of signature validations and hash computations + per query(200), number of sub-queries to fetch DS and DNSKEY + RRsets per query(40), and the number of iterations in a + NSEC3 record(150). These values are sensible, but there is, as yet, + no standardisation on the values for a "conforming" domain, so a + new option --dnssec-limit is provided should they need to be altered. + The algorithm to validate DS records has also been altered to reduce + the maximum work from cross product of the number of DS records and + number of DNSKEYs to the cross product of the number of DS records + and supported DS digest types. As the number of DS digest types + is in single figures, this reduces the exposure. + + Credit is due to Elias Heftrig, Haya Schulmann, Niklas Vogel, + and Michael Waidner from the German National Research Center for + Applied Cybersecurity ATHENE for finding this vulnerability. + + CVE 2023-50387 and CVE 2023-50868 apply. + Note that the is a security vulnerablity only when DNSSEC validation + is enabled. + +diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 +index aaab1f5..8bb81b6 100644 +--- a/man/dnsmasq.8 ++++ b/man/dnsmasq.8 +@@ -793,6 +793,15 @@ Authenticated Data bit correctly in all cases is not technically possible. If th + when using this option, then the cache should be disabled using --cache-size=0. In most cases, enabling DNSSEC validation + within dnsmasq is a better option. See --dnssec for details. + .TP ++.B --dnssec-limits=[,.......] ++Override the default resource limits applied to DNSSEC validation. Cryptographic operations are expensive and crafted domains ++can DoS a DNSSEC validator by forcing it to do hundreds of thousands of such operations. To avoid this, the dnsmasq validation code ++applies limits on how much work will be expended in validation. If any of the limits are exceeded, the validation will fail and the ++domain treated as BOGUS. There are four limits, in order(default values in parens): number a signature validation fails per RRset(20), number of signature validations and ++hash computations per query(200), number of sub-queries to fetch DS and DNSKEY RRsets per query(40), and the number of iterations in a NSEC3 record(150). ++The maximum values reached during validation are stored, and dumped as part of the stats generated by SIGUSR1. Supplying a limit value of 0 leaves the default in place, so ++\fB--dnssec-limits=0,0,20\fP sets the number of sub-queries to 20 whilst leaving the other limits at default values. ++.TP + .B --dnssec-debug + Set debugging mode for the DNSSEC validation, set the Checking Disabled bit on upstream queries, + and don't convert replies which do not validate to responses with +diff --git a/src/cache.c b/src/cache.c +index 4dbfdb4..7dc7646 100644 +--- a/src/cache.c ++++ b/src/cache.c +@@ -714,7 +714,18 @@ void cache_end_insert(void) + if (daemon->pipe_to_parent != -1) + { + ssize_t m = -1; ++ ++ read_write(daemon->pipe_to_parent, (unsigned char *)&m, sizeof(m), 0); ++ ++#ifdef HAVE_DNSSEC ++ /* Sneak out possibly updated crypto HWM values. */ ++ m = daemon->metrics[METRIC_CRYPTO_HWM]; + read_write(daemon->pipe_to_parent, (unsigned char *)&m, sizeof(m), 0); ++ m = daemon->metrics[METRIC_SIG_FAIL_HWM]; ++ read_write(daemon->pipe_to_parent, (unsigned char *)&m, sizeof(m), 0); ++ m = daemon->metrics[METRIC_WORK_HWM]; ++ read_write(daemon->pipe_to_parent, (unsigned char *)&m, sizeof(m), 0); ++#endif + } + + new_chain = NULL; +@@ -733,7 +744,7 @@ int cache_recv_insert(time_t now, int fd) + + cache_start_insert(); + +- while(1) ++ while (1) + { + + if (!read_write(fd, (unsigned char *)&m, sizeof(m), 1)) +@@ -741,6 +752,21 @@ int cache_recv_insert(time_t now, int fd) + + if (m == -1) + { ++#ifdef HAVE_DNSSEC ++ /* Sneak in possibly updated crypto HWM. */ ++ if (!read_write(fd, (unsigned char *)&m, sizeof(m), 1)) ++ return 0; ++ if (m > daemon->metrics[METRIC_CRYPTO_HWM]) ++ daemon->metrics[METRIC_CRYPTO_HWM] = m; ++ if (!read_write(fd, (unsigned char *)&m, sizeof(m), 1)) ++ return 0; ++ if (m > daemon->metrics[METRIC_SIG_FAIL_HWM]) ++ daemon->metrics[METRIC_SIG_FAIL_HWM] = m; ++ if (!read_write(fd, (unsigned char *)&m, sizeof(m), 1)) ++ return 0; ++ if (m > daemon->metrics[METRIC_WORK_HWM]) ++ daemon->metrics[METRIC_WORK_HWM] = m; ++#endif + cache_end_insert(); + return 1; + } +@@ -1681,6 +1707,11 @@ void dump_cache(time_t now) + #ifdef HAVE_AUTH + my_syslog(LOG_INFO, _("queries for authoritative zones %u"), daemon->metrics[METRIC_DNS_AUTH_ANSWERED]); + #endif ++#ifdef HAVE_DNSSEC ++ my_syslog(LOG_INFO, _("DNSSEC per-query subqueries HWM %u"), daemon->metrics[METRIC_WORK_HWM]); ++ my_syslog(LOG_INFO, _("DNSSEC per-query crypto work HWM %u"), daemon->metrics[METRIC_CRYPTO_HWM]); ++ my_syslog(LOG_INFO, _("DNSSEC per-RRSet signature fails HWM %u"), daemon->metrics[METRIC_SIG_FAIL_HWM]); ++#endif + + blockdata_report(); + +diff --git a/src/config.h b/src/config.h +index 9a70036..388bdf0 100644 +--- a/src/config.h ++++ b/src/config.h +@@ -22,7 +22,10 @@ + #define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from /dnsflagday.net/2020 */ + #define SAFE_PKTSZ 1280 /* "go anywhere" UDP packet size */ + #define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */ +-#define DNSSEC_WORK 50 /* Max number of queries to validate one question */ ++#define DNSSEC_LIMIT_WORK 40 /* Max number of queries to validate one question */ ++#define DNSSEC_LIMIT_SIG_FAIL 20 /* Number of signature that can fail to validate in one answer */ ++#define DNSSEC_LIMIT_CRYPTO 200 /* max no. of crypto operations to validate one query. */ ++#define DNSSEC_LIMIT_NSEC3_ITERS 150 /* Max. number if iterations allowed in NSEC3 record. */ + #define TIMEOUT 10 /* drop UDP queries after TIMEOUT seconds */ + #define FORWARD_TEST 50 /* try all servers every 50 queries */ + #define FORWARD_TIME 20 /* or 20 seconds */ +diff --git a/src/dnsmasq.h b/src/dnsmasq.h +index c62c3d0..6fa2593 100644 +--- a/src/dnsmasq.h ++++ b/src/dnsmasq.h +@@ -663,15 +663,30 @@ struct hostsfile { + + + /* DNSSEC status values. */ +-#define STAT_SECURE 1 +-#define STAT_INSECURE 2 +-#define STAT_BOGUS 3 +-#define STAT_NEED_DS 4 +-#define STAT_NEED_KEY 5 +-#define STAT_TRUNCATED 6 +-#define STAT_SECURE_WILDCARD 7 +-#define STAT_OK 8 +-#define STAT_ABANDONED 9 ++#define STAT_SECURE 0x10000 ++#define STAT_INSECURE 0x20000 ++#define STAT_BOGUS 0x30000 ++#define STAT_NEED_DS 0x40000 ++#define STAT_NEED_KEY 0x50000 ++#define STAT_TRUNCATED 0x60000 ++#define STAT_SECURE_WILDCARD 0x70000 ++#define STAT_OK 0x80000 ++#define STAT_ABANDONED 0x90000 ++ ++#define DNSSEC_FAIL_NYV 0x0001 /* key not yet valid */ ++#define DNSSEC_FAIL_EXP 0x0002 /* key expired */ ++#define DNSSEC_FAIL_INDET 0x0004 /* indetermined */ ++#define DNSSEC_FAIL_NOKEYSUP 0x0008 /* no supported key algo. */ ++#define DNSSEC_FAIL_NOSIG 0x0010 /* No RRsigs */ ++#define DNSSEC_FAIL_NOZONE 0x0020 /* No Zone bit set */ ++#define DNSSEC_FAIL_NONSEC 0x0040 /* No NSEC */ ++#define DNSSEC_FAIL_NODSSUP 0x0080 /* no supported DS algo. */ ++#define DNSSEC_FAIL_NOKEY 0x0100 /* no DNSKEY */ ++#define DNSSEC_FAIL_NSEC3_ITERS 0x0200 /* too many iterations in NSEC3 */ ++#define DNSSEC_FAIL_BADPACKET 0x0400 /* bad packet */ ++#define DNSSEC_FAIL_WORK 0x0800 /* too much crypto */ ++ ++#define STAT_ISEQUAL(a, b) (((a) & 0xffff0000) == (b)) + + #define FREC_NOREBIND 1 + #define FREC_CHECKING_DISABLED 2 +@@ -704,7 +719,7 @@ struct frec { + time_t time; + unsigned char *hash[HASH_SIZE]; + #ifdef HAVE_DNSSEC +- int class, work_counter; ++ int class, work_counter, validate_counter; + struct blockdata *stash; /* Saved reply, whilst we validate */ + size_t stash_len; + struct frec *dependent; /* Query awaiting internally-generated DNSKEY or DS query */ +@@ -741,6 +756,12 @@ struct frec { + #define LEASE_HAVE_HWADDR 128 /* Have set hwaddress */ + #define LEASE_EXP_CHANGED 256 /* Lease expiry time changed */ + ++#define LIMIT_SIG_FAIL 0 ++#define LIMIT_CRYPTO 1 ++#define LIMIT_WORK 2 ++#define LIMIT_NSEC3_ITERS 3 ++#define LIMIT_MAX 4 ++ + struct dhcp_lease { + int clid_len; /* length of client identifier */ + unsigned char *clid; /* clientid */ +@@ -1127,6 +1148,7 @@ extern struct daemon { + int rr_status_sz; + int dnssec_no_time_check; + int back_to_the_future; ++ int limit[LIMIT_MAX]; + #endif + struct frec *frec_list; + struct frec_src *free_frec_src; +@@ -1280,10 +1302,12 @@ int in_zone(struct auth_zone *zone, char *name, char **cut); + + /* dnssec.c */ + size_t dnssec_generate_query(struct dns_header *header, unsigned char *end, char *name, int class, int type, int edns_pktsz); +-int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class); +-int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class); ++int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, char *name, ++ char *keyname, int class, int *validate_count); ++int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, ++ char *keyname, int class, int *validate_count); + int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int *class, +- int check_unsigned, int *neganswer, int *nons, int *nsec_ttl); ++ int check_unsigned, int *neganswer, int *nons, int *nsec_ttl, int *validate_count); + int dnskey_keytag(int alg, int flags, unsigned char *key, int keylen); + size_t filter_rrsigs(struct dns_header *header, size_t plen); + int setup_timestamp(void); +@@ -1680,7 +1704,7 @@ int do_poll(int timeout); + + /* rrfilter.c */ + size_t rrfilter(struct dns_header *header, size_t plen, int mode); +-u16 *rrfilter_desc(int type); ++short *rrfilter_desc(int type); + int expand_workspace(unsigned char ***wkspc, int *szp, int new); + + /* edns0.c */ +diff --git a/src/dnssec.c b/src/dnssec.c +index 3ee1e9e..e465bbd 100644 +--- a/src/dnssec.c ++++ b/src/dnssec.c +@@ -1,5 +1,5 @@ + /* dnssec.c is Copyright (c) 2012 Giovanni Bajo +- and Copyright (c) 2012-2020 Simon Kelley ++ and Copyright (c) 2012-2023 Simon Kelley + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by +@@ -215,14 +215,6 @@ static int is_check_date(unsigned long curtime) + return !daemon->dnssec_no_time_check; + } + +-/* Check whether today/now is between date_start and date_end */ +-static int check_date_range(unsigned long curtime, u32 date_start, u32 date_end) +-{ +- /* We must explicitly check against wanted values, because of SERIAL_UNDEF */ +- return serial_compare_32(curtime, date_start) == SERIAL_GT +- && serial_compare_32(curtime, date_end) == SERIAL_LT; +-} +- + /* Return bytes of canonicalised rrdata one by one. + Init state->ip with the RR, and state->end with the end of same. + Init state->op to NULL. +@@ -233,7 +225,7 @@ static int check_date_range(unsigned long curtime, u32 date_start, u32 date_end) + On returning 0, the end has been reached. + */ + struct rdata_state { +- u16 *desc; ++ short *desc; + size_t c; + unsigned char *end, *ip, *op; + char *buff; +@@ -254,7 +246,7 @@ static int get_rdata(struct dns_header *header, size_t plen, struct rdata_state + { + d = *(state->desc); + +- if (d == (u16)-1) ++ if (d == -1) + { + /* all the bytes to the end. */ + if ((state->c = state->end - state->ip) != 0) +@@ -302,7 +294,7 @@ static int get_rdata(struct dns_header *header, size_t plen, struct rdata_state + + /* Bubble sort the RRset into the canonical order. */ + +-static int sort_rrset(struct dns_header *header, size_t plen, u16 *rr_desc, int rrsetidx, ++static int sort_rrset(struct dns_header *header, size_t plen, short *rr_desc, int rrsetidx, + unsigned char **rrset, char *buff1, char *buff2) + { + int swap, i, j; +@@ -339,7 +331,7 @@ static int sort_rrset(struct dns_header *header, size_t plen, u16 *rr_desc, int + is the identity function and we can compare + the RRs directly. If not we compare the + canonicalised RRs one byte at a time. */ +- if (*rr_desc == (u16)-1) ++ if (*rr_desc == -1) + { + int rdmin = rdlen1 > rdlen2 ? rdlen2 : rdlen1; + int cmp = memcmp(state1.ip, state2.ip, rdmin); +@@ -507,12 +499,24 @@ static int explore_rrset(struct dns_header *header, size_t plen, int class, int + return 1; + } + ++int dec_counter(int *counter, char *message) ++{ ++ if ((*counter)-- == 0) ++ { ++ my_syslog(LOG_WARNING, "limit exceeded: %s", message ? message : _("per-query crypto work")); ++ return 1; ++ } ++ ++ return 0; ++} ++ + /* Validate a single RRset (class, type, name) in the supplied DNS reply + Return code: + STAT_SECURE if it validates. + STAT_SECURE_WILDCARD if it validates and is the result of wildcard expansion. + (In this case *wildcard_out points to the "body" of the wildcard within name.) + STAT_BOGUS signature is wrong, bad packet. ++ STAT_ABANDONED validation abandoned do to excess resource usage. + STAT_NEED_KEY need DNSKEY to complete validation (name is returned in keyname) + STAT_NEED_DS need DS to complete validation (name is returned in keyname) + +@@ -527,14 +531,15 @@ static int explore_rrset(struct dns_header *header, size_t plen, int class, int + */ + static int validate_rrset(time_t now, struct dns_header *header, size_t plen, int class, int type, int sigidx, int rrsetidx, + char *name, char *keyname, char **wildcard_out, struct blockdata *key, int keylen, +- int algo_in, int keytag_in, unsigned long *ttl_out) ++ int algo_in, int keytag_in, unsigned long *ttl_out, int *validate_counter) + { + unsigned char *p; +- int rdlen, j, name_labels, algo, labels, key_tag; ++ int rdlen, j, name_labels, algo, labels, key_tag, sig_fail_cnt; + struct crec *crecp = NULL; +- u16 *rr_desc = rrfilter_desc(type); ++ short *rr_desc = rrfilter_desc(type); + u32 sig_expiration, sig_inception; +- ++ int failflags = DNSSEC_FAIL_NOSIG | DNSSEC_FAIL_NYV | DNSSEC_FAIL_EXP | DNSSEC_FAIL_NOKEYSUP; ++ + unsigned long curtime = time(0); + int time_check = is_check_date(curtime); + +@@ -549,7 +554,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in + rrsetidx = sort_rrset(header, plen, rr_desc, rrsetidx, rrset, daemon->workspacename, keyname); + + /* Now try all the sigs to try and find one which validates */ +- for (j = 0; j limit[LIMIT_SIG_FAIL], j = 0; j name_labels || +- !(hash = hash_find(algo_digest_name(algo))) || ++ if (!time_check) ++ failflags &= ~(DNSSEC_FAIL_NYV | DNSSEC_FAIL_EXP); ++ else ++ { ++ /* We must explicitly check against wanted values, because of SERIAL_UNDEF */ ++ if (serial_compare_32(curtime, sig_inception) == SERIAL_LT) ++ continue; ++ else ++ failflags &= ~DNSSEC_FAIL_NYV; ++ ++ if (serial_compare_32(curtime, sig_expiration) == SERIAL_GT) ++ continue; ++ else ++ failflags &= ~DNSSEC_FAIL_EXP; ++ } ++ ++ if (!(hash = hash_find(algo_digest_name(algo)))) ++ continue; ++ else ++ failflags &= ~DNSSEC_FAIL_NOKEYSUP; ++ ++ if (labels > name_labels || + !hash_init(hash, &ctx, &digest)) + continue; +- ++ + /* OK, we have the signature record, see if the relevant DNSKEY is in the cache. */ + if (!key && !(crecp = cache_find_by_name(NULL, keyname, now, F_DNSKEY))) + return STAT_NEED_KEY; +@@ -657,7 +683,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in + + If canonicalisation is not needed, a simple insertion into the hash works. + */ +- if (*rr_desc == (u16)-1) ++ if (*rr_desc == -1) + { + len = htons(rdlen); + hash->update(ctx, 2, (unsigned char *)&len); +@@ -710,13 +736,19 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in + + /* namebuff used for workspace above, restore to leave unchanged on exit */ + p = (unsigned char*)(rrset[0]); +- extract_name(header, plen, &p, name, 1, 0); ++ if (!extract_name(header, plen, &p, name, 1, 0)) ++ return STAT_BOGUS; + + if (key) + { +- if (algo_in == algo && keytag_in == key_tag && +- verify(key, keylen, sig, sig_len, digest, hash->digest_size, algo)) +- return STAT_SECURE; ++ if (algo_in == algo && keytag_in == key_tag) ++ { ++ if (dec_counter(validate_counter, NULL)) ++ return STAT_ABANDONED; ++ ++ if (verify(key, keylen, sig, sig_len, digest, hash->digest_size, algo)) ++ return STAT_SECURE; ++ } + } + else + { +@@ -724,13 +756,27 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in + for (; crecp; crecp = cache_find_by_name(crecp, keyname, now, F_DNSKEY)) + if (crecp->addr.key.algo == algo && + crecp->addr.key.keytag == key_tag && +- crecp->uid == (unsigned int)class && +- verify(crecp->addr.key.keydata, crecp->addr.key.keylen, sig, sig_len, digest, hash->digest_size, algo)) +- return (labels < name_labels) ? STAT_SECURE_WILDCARD : STAT_SECURE; ++ crecp->uid == (unsigned int)class) ++ { ++ if (dec_counter(validate_counter, NULL)) ++ return STAT_ABANDONED; ++ ++ if (verify(crecp->addr.key.keydata, crecp->addr.key.keylen, sig, sig_len, digest, hash->digest_size, algo)) ++ return (labels < name_labels) ? STAT_SECURE_WILDCARD : STAT_SECURE; ++ ++ /* An attacker can waste a lot of our CPU by setting up a giant DNSKEY RRSET full of failing ++ keys, all of which we have to try. Since many failing keys is not likely for ++ a legitimate domain, set a limit on how many can fail. */ ++ if ((daemon->limit[LIMIT_SIG_FAIL] - (sig_fail_cnt + 1)) > (int)daemon->metrics[METRIC_SIG_FAIL_HWM]) ++ daemon->metrics[METRIC_SIG_FAIL_HWM] = daemon->limit[LIMIT_SIG_FAIL] - (sig_fail_cnt + 1); ++ if (dec_counter(&sig_fail_cnt, _("per-RRSet signature fails"))) ++ return STAT_ABANDONED; ++ } + } + } + +- return STAT_BOGUS; ++ /* If we reach this point, no verifying key was found */ ++ return STAT_BOGUS | failflags | DNSSEC_FAIL_NOKEY; + } + + +@@ -740,38 +786,45 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in + STAT_OK Done, key(s) in cache. + STAT_BOGUS No DNSKEYs found, which can be validated with DS, + or self-sign for DNSKEY RRset is not valid, bad packet. ++ STAT_ABANDONED resource exhaustion. + STAT_NEED_DS DS records to validate a key not found, name in keyname +- STAT_NEED_KEY DNSKEY records to validate a key not found, name in keyname + */ +-int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class) ++int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, char *name, ++ char *keyname, int class, int *validate_counter) + { +- unsigned char *psave, *p = (unsigned char *)(header+1); ++ unsigned char *psave, *p = (unsigned char *)(header+1), *keyaddr; + struct crec *crecp, *recp1; +- int rc, j, qtype, qclass, rdlen, flags, algo, valid, keytag; ++ int rc, j, qtype, qclass, rdlen, flags, algo, keytag, sigcnt, rrcnt; + unsigned long ttl, sig_ttl; +- struct blockdata *key; + union all_addr a; ++ int failflags = DNSSEC_FAIL_NODSSUP | DNSSEC_FAIL_NOZONE; ++ char valid_digest[255]; ++ static unsigned char **cached_digest; ++ static size_t cached_digest_size = 0; + +- if (ntohs(header->qdcount) != 1 || +- RCODE(header) == SERVFAIL || RCODE(header) == REFUSED || +- !extract_name(header, plen, &p, name, 1, 4)) +- return STAT_BOGUS; ++ if (ntohs(header->qdcount) != 1 || RCODE(header) != NOERROR || !extract_name(header, plen, &p, name, 1, 4)) ++ return STAT_BOGUS | DNSSEC_FAIL_NOKEY; + + GETSHORT(qtype, p); + GETSHORT(qclass, p); + +- if (qtype != T_DNSKEY || qclass != class || ntohs(header->ancount) == 0) +- return STAT_BOGUS; ++ if (qtype != T_DNSKEY || qclass != class || ++ !explore_rrset(header, plen, class, T_DNSKEY, name, keyname, &sigcnt, &rrcnt) || ++ rrcnt == 0) ++ return STAT_BOGUS | DNSSEC_FAIL_NOKEY; + ++ if (sigcnt == 0) ++ return STAT_BOGUS | DNSSEC_FAIL_NOSIG; ++ + /* See if we have cached a DS record which validates this key */ + if (!(crecp = cache_find_by_name(NULL, name, now, F_DS))) + { + strcpy(keyname, name); + return STAT_NEED_DS; + } +- ++ + /* NOTE, we need to find ONE DNSKEY which matches the DS */ +- for (valid = 0, j = ntohs(header->ancount); j != 0 && !valid; j--) ++ for (j = ntohs(header->ancount); j != 0; j--) + { + /* Ensure we have type, class TTL and length */ + if (!(rc = extract_name(header, plen, &p, name, 0, 10))) +@@ -782,7 +835,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch + GETLONG(ttl, p); + GETSHORT(rdlen, p); + +- if (!CHECK_LEN(header, p, plen, rdlen) || rdlen < 4) ++ if (!CHECK_LEN(header, p, plen, rdlen)) + return STAT_BOGUS; /* bad packet */ + + if (qclass != class || qtype != T_DNSKEY || rc == 2) +@@ -790,172 +843,230 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch + p += rdlen; + continue; + } +- ++ ++ if (rdlen < 5) ++ return STAT_BOGUS; /* min 1 byte key! */ ++ + psave = p; + + GETSHORT(flags, p); + if (*p++ != 3) +- return STAT_BOGUS; +- algo = *p++; +- keytag = dnskey_keytag(algo, flags, p, rdlen - 4); +- key = NULL; +- +- /* key must have zone key flag set */ +- if (flags & 0x100) +- key = blockdata_alloc((char*)p, rdlen - 4); +- +- p = psave; +- +- if (!ADD_RDLEN(header, p, plen, rdlen)) + { +- if (key) +- blockdata_free(key); +- return STAT_BOGUS; /* bad packet */ ++ p = psave + rdlen; ++ continue; + } ++ algo = *p++; ++ keyaddr = p; ++ keytag = dnskey_keytag(algo, flags, keyaddr, rdlen - 4); ++ ++ p = psave + rdlen; + +- /* No zone key flag or malloc failure */ +- if (!key) ++ /* key must have zone key flag set */ ++ if (!(flags & 0x100)) + continue; + ++ failflags &= ~DNSSEC_FAIL_NOZONE; ++ ++ /* clear digest cache. */ ++ memset(valid_digest, 0, sizeof(valid_digest)); ++ + for (recp1 = crecp; recp1; recp1 = cache_find_by_name(recp1, name, now, F_DS)) + { + void *ctx; + unsigned char *digest, *ds_digest; + const struct nettle_hash *hash; +- int sigcnt, rrcnt; ++ int wire_len; ++ ++ if ((recp1->flags & F_NEG) || ++ recp1->addr.ds.algo != algo || ++ recp1->addr.ds.keytag != keytag || ++ recp1->uid != (unsigned int)class) ++ continue; ++ ++ if (!(hash = hash_find(ds_digest_name(recp1->addr.ds.digest)))) ++ continue; ++ ++ failflags &= ~DNSSEC_FAIL_NODSSUP; ++ ++ if (recp1->addr.ds.keylen != (int)hash->digest_size || ++ !(ds_digest = blockdata_retrieve(recp1->addr.ds.keydata, recp1->addr.ds.keylen, NULL))) ++ continue; + +- if (recp1->addr.ds.algo == algo && +- recp1->addr.ds.keytag == keytag && +- recp1->uid == (unsigned int)class && +- (hash = hash_find(ds_digest_name(recp1->addr.ds.digest))) && +- hash_init(hash, &ctx, &digest)) +- ++ if (valid_digest[recp1->addr.ds.digest]) ++ digest = cached_digest[recp1->addr.ds.digest]; ++ else + { +- int wire_len = to_wire(name); ++ /* computing a hash is a unit of crypto work. */ ++ if (dec_counter(validate_counter, NULL)) ++ return STAT_ABANDONED; ++ ++ if (!hash_init(hash, &ctx, &digest)) ++ continue; ++ ++ wire_len = to_wire(name); + + /* Note that digest may be different between DSs, so +- we can't move this outside the loop. */ ++ we can't move this outside the loop. We keep ++ copies of each digest we make for this key, ++ so maximum digest work is O(keys x digests_types) ++ rather then O(keys x DSs) */ + hash->update(ctx, (unsigned int)wire_len, (unsigned char *)name); + hash->update(ctx, (unsigned int)rdlen, psave); + hash->digest(ctx, hash->digest_size, digest); + + from_wire(name); +- +- if (!(recp1->flags & F_NEG) && +- recp1->addr.ds.keylen == (int)hash->digest_size && +- (ds_digest = blockdata_retrieve(recp1->addr.ds.keydata, recp1->addr.ds.keylen, NULL)) && +- memcmp(ds_digest, digest, recp1->addr.ds.keylen) == 0 && +- explore_rrset(header, plen, class, T_DNSKEY, name, keyname, &sigcnt, &rrcnt) && +- sigcnt != 0 && rrcnt != 0 && +- validate_rrset(now, header, plen, class, T_DNSKEY, sigcnt, rrcnt, name, keyname, +- NULL, key, rdlen - 4, algo, keytag, &sig_ttl) == STAT_SECURE) ++ ++ if (recp1->addr.ds.digest >= cached_digest_size) + { +- valid = 1; +- break; ++ unsigned char **new; ++ ++ /* whine_malloc zeros memory */ ++ if ((new = whine_malloc((recp1->addr.ds.digest + 5) * sizeof(unsigned char *)))) ++ { ++ if (cached_digest_size != 0) ++ { ++ memcpy(new, cached_digest, cached_digest_size * sizeof(unsigned char *)); ++ free(cached_digest); ++ } ++ ++ cached_digest_size = recp1->addr.ds.digest + 5; ++ cached_digest = new; ++ } ++ } ++ ++ if (recp1->addr.ds.digest < cached_digest_size) ++ { ++ if (!cached_digest[recp1->addr.ds.digest]) ++ cached_digest[recp1->addr.ds.digest] = whine_malloc(recp1->addr.ds.keylen); ++ ++ if (cached_digest[recp1->addr.ds.digest]) ++ { ++ memcpy(cached_digest[recp1->addr.ds.digest], digest, recp1->addr.ds.keylen); ++ valid_digest[recp1->addr.ds.digest] = 1; ++ } + } + } +- } +- blockdata_free(key); +- } +- +- if (valid) +- { +- /* DNSKEY RRset determined to be OK, now cache it. */ +- cache_start_insert(); +- +- p = skip_questions(header, plen); +- +- for (j = ntohs(header->ancount); j != 0; j--) +- { +- /* Ensure we have type, class TTL and length */ +- if (!(rc = extract_name(header, plen, &p, name, 0, 10))) +- return STAT_BOGUS; /* bad packet */ + +- GETSHORT(qtype, p); +- GETSHORT(qclass, p); +- GETLONG(ttl, p); +- GETSHORT(rdlen, p); +- +- /* TTL may be limited by sig. */ +- if (sig_ttl < ttl) +- ttl = sig_ttl; +- +- if (!CHECK_LEN(header, p, plen, rdlen)) +- return STAT_BOGUS; /* bad packet */ +- +- if (qclass == class && rc == 1) ++ if (memcmp(ds_digest, digest, recp1->addr.ds.keylen) == 0) + { +- psave = p; ++ /* Found the key validated by a DS record. ++ Now check the self-sig for the entire key RRset using that key. ++ Note that validate_rrset() will never return STAT_NEED_KEY here, ++ since we supply the key it will use as an argument. */ ++ struct blockdata *key; ++ ++ if (!(key = blockdata_alloc((char *)keyaddr, rdlen - 4))) ++ break; ++ ++ rc = validate_rrset(now, header, plen, class, T_DNSKEY, sigcnt, rrcnt, name, keyname, ++ NULL, key, rdlen - 4, algo, keytag, &sig_ttl, validate_counter); ++ ++ blockdata_free(key); ++ ++ if (STAT_ISEQUAL(rc, STAT_ABANDONED)) ++ return rc; + +- if (qtype == T_DNSKEY) ++ /* can't validate KEY RRset with this key, see if there's another that ++ will, which is validated by another DS. */ ++ if (!STAT_ISEQUAL(rc, STAT_SECURE)) ++ break; ++ ++ /* DNSKEY RRset determined to be OK, now cache it. */ ++ cache_start_insert(); ++ ++ p = skip_questions(header, plen); ++ ++ for (j = ntohs(header->ancount); j != 0; j--) + { +- if (rdlen < 4) ++ /* Ensure we have type, class TTL and length */ ++ if (!(rc = extract_name(header, plen, &p, name, 0, 10))) + return STAT_BOGUS; /* bad packet */ + +- GETSHORT(flags, p); +- if (*p++ != 3) +- return STAT_BOGUS; +- algo = *p++; +- keytag = dnskey_keytag(algo, flags, p, rdlen - 4); ++ GETSHORT(qtype, p); ++ GETSHORT(qclass, p); ++ GETLONG(ttl, p); ++ GETSHORT(rdlen, p); + +- if ((key = blockdata_alloc((char*)p, rdlen - 4))) +- { +- a.key.keylen = rdlen - 4; +- a.key.keydata = key; +- a.key.algo = algo; +- a.key.keytag = keytag; +- a.key.flags = flags; +- +- if (!cache_insert(name, &a, class, now, ttl, F_FORWARD | F_DNSKEY | F_DNSSECOK)) +- { +- blockdata_free(key); +- return STAT_BOGUS; +- } +- else +- { +- a.log.keytag = keytag; +- a.log.algo = algo; +- if (algo_digest_name(algo)) +- log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DNSKEY keytag %hu, algo %hu"); +- else +- log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DNSKEY keytag %hu, algo %hu (not supported)"); +- } +- } ++ /* TTL may be limited by sig. */ ++ if (sig_ttl < ttl) ++ ttl = sig_ttl; ++ ++ if (!CHECK_LEN(header, p, plen, rdlen)) ++ return STAT_BOGUS; /* bad packet */ ++ ++ psave = p; ++ ++ if (qclass == class && rc == 1 && qtype == T_DNSKEY) ++ { ++ if (rdlen < 4) ++ return STAT_BOGUS; /* min 1 byte key! */ ++ ++ GETSHORT(flags, p); ++ if (*p++ == 3) ++ { ++ algo = *p++; ++ keytag = dnskey_keytag(algo, flags, p, rdlen - 4); ++ ++ if (!(key = blockdata_alloc((char*)p, rdlen - 4))) ++ return STAT_BOGUS; ++ ++ a.key.keylen = rdlen - 4; ++ a.key.keydata = key; ++ a.key.algo = algo; ++ a.key.keytag = keytag; ++ a.key.flags = flags; ++ ++ if (!cache_insert(name, &a, class, now, ttl, F_FORWARD | F_DNSKEY | F_DNSSECOK)) ++ { ++ blockdata_free(key); ++ return STAT_BOGUS; ++ } ++ ++ a.log.keytag = keytag; ++ a.log.algo = algo; ++ if (algo_digest_name(algo)) ++ log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DNSKEY keytag %hu, algo %hu"); ++ else ++ log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DNSKEY keytag %hu, algo %hu (not supported)"); ++ } ++ } ++ ++ p = psave + rdlen; + } +- +- p = psave; ++ ++ /* commit cache insert. */ ++ cache_end_insert(); ++ return STAT_OK; + } +- +- if (!ADD_RDLEN(header, p, plen, rdlen)) +- return STAT_BOGUS; /* bad packet */ + } +- +- /* commit cache insert. */ +- cache_end_insert(); +- return STAT_OK; + } +- ++ + log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DNSKEY"); +- return STAT_BOGUS; ++ return STAT_BOGUS | failflags; + } + + /* The DNS packet is expected to contain the answer to a DS query +- Put all DSs in the answer which are valid into the cache. ++ Put all DSs in the answer which are valid and have hash and signature algos ++ we support into the cache. + Also handles replies which prove that there's no DS at this location, + either because the zone is unsigned or this isn't a zone cut. These are + cached too. ++ If none of the DS's are for supported algos, treat the answer as if ++ it's a proof of no DS at this location. RFC4035 para 5.2. + return codes: + STAT_OK At least one valid DS found and in cache. + STAT_BOGUS no DS in reply or not signed, fails validation, bad packet. + STAT_NEED_KEY DNSKEY records to validate a DS not found, name in keyname + STAT_NEED_DS DS record needed. ++ STAT_ABANDONED resource exhaustion. + */ + +-int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class) ++int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, ++ char *keyname, int class, int *validate_counter) + { + unsigned char *p = (unsigned char *)(header+1); +- int qtype, qclass, rc, i, neganswer, nons, neg_ttl = 0; +- int aclass, atype, rdlen; ++ int qtype, qclass, rc, i, neganswer = 0, nons = 0, servfail = 0, neg_ttl = 0, found_supported = 0; ++ int aclass, atype, rdlen, flags; + unsigned long ttl; + union all_addr a; + +@@ -967,38 +1078,51 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char + GETSHORT(qclass, p); + + if (qtype != T_DS || qclass != class) +- rc = STAT_BOGUS; ++ return STAT_BOGUS; ++ ++ /* A SERVFAIL answer has been seen to a DS query not at start of authority, ++ so treat it as such and continue to search for a DS or proof of no existence ++ further down the tree. */ ++ if (RCODE(header) == SERVFAIL) ++ servfail = neganswer = nons = 1; + else +- rc = dnssec_validate_reply(now, header, plen, name, keyname, NULL, 0, &neganswer, &nons, &neg_ttl); +- +- if (rc == STAT_INSECURE) + { +- my_syslog(LOG_WARNING, _("Insecure DS reply received for %s, check domain configuration and upstream DNS server DNSSEC support"), name); +- rc = STAT_BOGUS; +- } ++ rc = dnssec_validate_reply(now, header, plen, name, keyname, NULL, 0, &neganswer, &nons, &neg_ttl, validate_counter); + +- p = (unsigned char *)(header+1); +- extract_name(header, plen, &p, name, 1, 4); +- p += 4; /* qtype, qclass */ ++ if (STAT_ISEQUAL(rc, STAT_INSECURE)) ++ { ++ my_syslog(LOG_WARNING, _("Insecure DS reply received for %s, check domain configuration and upstream DNS server DNSSEC support"), name); ++ log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DS - not secure"); ++ return STAT_BOGUS | DNSSEC_FAIL_INDET; ++ } ++ ++ p = (unsigned char *)(header+1); ++ if (!extract_name(header, plen, &p, name, 1, 4)) ++ return STAT_BOGUS; ++ ++ p += 4; /* qtype, qclass */ ++ ++ /* If the key needed to validate the DS is on the same domain as the DS, we'll ++ loop getting nowhere. Stop that now. This can happen of the DS answer comes ++ from the DS's zone, and not the parent zone. */ ++ if (STAT_ISEQUAL(rc, STAT_NEED_KEY) && hostname_isequal(name, keyname)) ++ { ++ log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DS"); ++ return STAT_BOGUS; ++ } + +- /* If the key needed to validate the DS is on the same domain as the DS, we'll +- loop getting nowhere. Stop that now. This can happen of the DS answer comes +- from the DS's zone, and not the parent zone. */ +- if (rc == STAT_BOGUS || (rc == STAT_NEED_KEY && hostname_isequal(name, keyname))) +- { +- log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DS"); +- return STAT_BOGUS; ++ if (!STAT_ISEQUAL(rc, STAT_SECURE)) ++ return rc; + } + +- if (rc != STAT_SECURE) +- return rc; +- + if (!neganswer) + { + cache_start_insert(); + + for (i = 0; i < ntohs(header->ancount); i++) + { ++ unsigned char *psave; ++ + if (!(rc = extract_name(header, plen, &p, name, 0, 10))) + return STAT_BOGUS; /* bad packet */ + +@@ -1009,28 +1133,37 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char + + if (!CHECK_LEN(header, p, plen, rdlen)) + return STAT_BOGUS; /* bad packet */ ++ ++ psave = p; + + if (aclass == class && atype == T_DS && rc == 1) + { + int algo, digest, keytag; +- unsigned char *psave = p; + struct blockdata *key; + +- if (rdlen < 4) +- return STAT_BOGUS; /* bad packet */ ++ if (rdlen < 5) ++ return STAT_BOGUS; /* min 1 byte digest! */ + + GETSHORT(keytag, p); + algo = *p++; + digest = *p++; + +- if ((key = blockdata_alloc((char*)p, rdlen - 4))) ++ if (!ds_digest_name(digest) || !algo_digest_name(algo)) ++ { ++ a.log.keytag = keytag; ++ a.log.algo = algo; ++ a.log.digest = digest; ++ log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS for keytag %hu, algo %hu, digest %hu (not supported)"); ++ neg_ttl = ttl; ++ } ++ else if ((key = blockdata_alloc((char*)p, rdlen - 4))) + { + a.ds.digest = digest; + a.ds.keydata = key; + a.ds.algo = algo; + a.ds.keytag = keytag; + a.ds.keylen = rdlen - 4; +- ++ + if (!cache_insert(name, &a, class, now, ttl, F_FORWARD | F_DS | F_DNSSECOK)) + { + blockdata_free(key); +@@ -1041,26 +1174,26 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char + a.log.keytag = keytag; + a.log.algo = algo; + a.log.digest = digest; +- if (ds_digest_name(digest) && algo_digest_name(algo)) +- log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %hu, algo %hu, digest %hu"); +- else +- log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %hu, algo %hu, digest %hu (not supported)"); ++ log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS for keytag %hu, algo %hu, digest %hu"); ++ found_supported = 1; + } + } +- +- p = psave; + } +- if (!ADD_RDLEN(header, p, plen, rdlen)) +- return STAT_BOGUS; /* bad packet */ ++ ++ p = psave + rdlen; + } + + cache_end_insert(); + ++ /* Fall through if no supported algo DS found. */ ++ if (found_supported) ++ return STAT_OK; + } +- else ++ ++ flags = F_FORWARD | F_DS | F_NEG | F_DNSSECOK; ++ ++ if (neganswer) + { +- int flags = F_FORWARD | F_DS | F_NEG | F_DNSSECOK; +- + if (RCODE(header) == NXDOMAIN) + flags |= F_NXDOMAIN; + +@@ -1068,17 +1201,19 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char + to store presence/absence of NS. */ + if (nons) + flags &= ~F_DNSSECOK; +- +- cache_start_insert(); +- +- /* Use TTL from NSEC for negative cache entries */ +- if (!cache_insert(name, NULL, class, now, neg_ttl, flags)) +- return STAT_BOGUS; +- +- cache_end_insert(); +- +- log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, nons ? "no DS/cut" : "no DS"); + } ++ ++ cache_start_insert(); ++ ++ /* Use TTL from NSEC for negative cache entries */ ++ if (!cache_insert(name, NULL, class, now, neg_ttl, flags)) ++ return STAT_BOGUS; ++ ++ cache_end_insert(); ++ ++ if (neganswer) ++ log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, ++ servfail ? "SERVFAIL" : (nons ? "no DS/cut" : "no DS")); + + return STAT_OK; + } +@@ -1148,6 +1283,7 @@ static int hostname_cmp(const char *a, const char *b) + } + } + ++/* returns 0 on success, or DNSSEC_FAIL_* value on failure. */ + static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsigned char **nsecs, unsigned char **labels, int nsec_count, + char *workspace1_in, char *workspace2, char *name, int type, int *nons) + { +@@ -1167,12 +1303,12 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi + + p = nsecs[i]; + if (!extract_name(header, plen, &p, workspace1, 1, 10)) +- return 0; ++ return DNSSEC_FAIL_BADPACKET; + p += 8; /* class, type, TTL */ + GETSHORT(rdlen, p); + psave = p; +- if (!extract_name(header, plen, &p, workspace2, 1, 10)) +- return 0; ++ if (!extract_name(header, plen, &p, workspace2, 1, 0)) ++ return DNSSEC_FAIL_BADPACKET; + + /* If NSEC comes from wildcard expansion, use original wildcard + as name for computation. */ +@@ -1200,12 +1336,13 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi + { + /* 4035 para 5.4. Last sentence */ + if (type == T_NSEC || type == T_RRSIG) +- return 1; ++ return 0; + + /* NSEC with the same name as the RR we're testing, check + that the type in question doesn't appear in the type map */ + rdlen -= p - psave; +- /* rdlen is now length of type map, and p points to it */ ++ /* rdlen is now length of type map, and p points to it ++ packet checked to be as long as rdlen implies in prove_non_existence() */ + + /* If we can prove that there's no NS record, return that information. */ + if (nons && rdlen >= 2 && p[0] == 0 && (p[2] & (0x80 >> T_NS)) != 0) +@@ -1216,25 +1353,25 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi + /* A CNAME answer would also be valid, so if there's a CNAME is should + have been returned. */ + if ((p[2] & (0x80 >> T_CNAME)) != 0) +- return 0; ++ return DNSSEC_FAIL_NONSEC; + + /* If the SOA bit is set for a DS record, then we have the + DS from the wrong side of the delegation. For the root DS, + this is expected. */ + if (name_labels != 0 && type == T_DS && (p[2] & (0x80 >> T_SOA)) != 0) +- return 0; ++ return DNSSEC_FAIL_NONSEC; + } + + while (rdlen >= 2) + { + if (!CHECK_LEN(header, p, plen, rdlen)) +- return 0; ++ return DNSSEC_FAIL_BADPACKET; + + if (p[0] == type >> 8) + { + /* Does the NSEC say our type exists? */ + if (offset < p[1] && (p[offset+2] & mask) != 0) +- return 0; ++ return DNSSEC_FAIL_NONSEC; + + break; /* finished checking */ + } +@@ -1243,24 +1380,24 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi + p += p[1]; + } + +- return 1; ++ return 0; + } + else if (rc == -1) + { + /* Normal case, name falls between NSEC name and next domain name, + wrap around case, name falls between NSEC name (rc == -1) and end */ + if (hostname_cmp(workspace2, name) >= 0 || hostname_cmp(workspace1, workspace2) >= 0) +- return 1; ++ return 0; + } + else + { + /* wrap around case, name falls between start and next domain name */ + if (hostname_cmp(workspace1, workspace2) >= 0 && hostname_cmp(workspace2, name) >=0 ) +- return 1; ++ return 0; + } + } + +- return 0; ++ return DNSSEC_FAIL_NONSEC; + } + + /* return digest length, or zero on error */ +@@ -1334,23 +1471,23 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige + for (i = 0; i < nsec_count; i++) + if ((p = nsecs[i])) + { +- if (!extract_name(header, plen, &p, workspace1, 1, 0) || ++ if (!extract_name(header, plen, &p, workspace1, 1, 10) || + !(base32_len = base32_decode(workspace1, (unsigned char *)workspace2))) + return 0; + + p += 8; /* class, type, TTL */ + GETSHORT(rdlen, p); ++ + psave = p; ++ ++ /* packet checked to be as long as implied by rdlen, salt_len and hash_len in prove_non_existence() */ + p++; /* algo */ + flags = *p++; /* flags */ + p += 2; /* iterations */ + salt_len = *p++; /* salt_len */ + p += salt_len; /* salt */ + hash_len = *p++; /* p now points to next hashed name */ +- +- if (!CHECK_LEN(header, p, plen, hash_len)) +- return 0; +- ++ + if (digest_len == base32_len && hash_len == base32_len) + { + int rc = memcmp(workspace2, digest, digest_len); +@@ -1358,7 +1495,8 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige + if (rc == 0) + { + /* We found an NSEC3 whose hashed name exactly matches the query, so +- we just need to check the type map. p points to the RR data for the record. */ ++ we just need to check the type map. p points to the RR data for the record. ++ Note we have packet length up to rdlen bytes checked. */ + + int offset = (type & 0xff) >> 3; + int mask = 0x80 >> (type & 0x07); +@@ -1366,15 +1504,12 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige + p += hash_len; /* skip next-domain hash */ + rdlen -= p - psave; + +- if (!CHECK_LEN(header, p, plen, rdlen)) +- return 0; +- + if (rdlen >= 2 && p[0] == 0) + { + /* If we can prove that there's no NS record, return that information. */ + if (nons && (p[2] & (0x80 >> T_NS)) != 0) + *nons = 0; +- ++ + /* A CNAME answer would also be valid, so if there's a CNAME is should + have been returned. */ + if ((p[2] & (0x80 >> T_CNAME)) != 0) +@@ -1433,8 +1568,9 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige + return 0; + } + +-static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, unsigned char **nsecs, int nsec_count, +- char *workspace1, char *workspace2, char *name, int type, char *wildname, int *nons) ++/* returns 0 on success, or DNSSEC_FAIL_* value on failure. */ ++static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, unsigned char **nsecs, int nsec_count, char *workspace1, ++ char *workspace2, char *name, int type, char *wildname, int *nons, int *validate_counter) + { + unsigned char *salt, *p, *digest; + int digest_len, i, iterations, salt_len, base32_len, algo = 0; +@@ -1454,7 +1590,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns + for (i = 0; i < nsec_count; i++) + { + if (!(p = skip_name(nsecs[i], header, plen, 15))) +- return 0; /* bad packet */ ++ return DNSSEC_FAIL_BADPACKET; /* bad packet */ + + p += 10; /* type, class, TTL, rdlen */ + algo = *p++; +@@ -1465,23 +1601,18 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns + + /* No usable NSEC3s */ + if (i == nsec_count) +- return 0; ++ return DNSSEC_FAIL_NONSEC; + + p++; /* flags */ + + GETSHORT (iterations, p); +- /* Upper-bound iterations, to avoid DoS. +- Strictly, there are lower bounds for small keys, but +- since we don't have key size info here, at least limit +- to the largest bound, for 4096-bit keys. RFC 5155 10.3 */ +- if (iterations > 2500) +- return 0; ++ /* Upper-bound iterations, to avoid DoS. RFC 9276 refers. */ ++ if (iterations > daemon->limit[LIMIT_NSEC3_ITERS]) ++ return DNSSEC_FAIL_NSEC3_ITERS; + + salt_len = *p++; + salt = p; +- if (!CHECK_LEN(header, salt, plen, salt_len)) +- return 0; /* bad packet */ +- ++ + /* Now prune so we only have NSEC3 records with same iterations, salt and algo */ + for (i = 0; i < nsec_count; i++) + { +@@ -1491,7 +1622,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns + nsecs[i] = NULL; /* Speculative, will be restored if OK. */ + + if (!(p = skip_name(nsec3p, header, plen, 15))) +- return 0; /* bad packet */ ++ return DNSSEC_FAIL_BADPACKET; /* bad packet */ + + p += 10; /* type, class, TTL, rdlen */ + +@@ -1511,9 +1642,6 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns + if (salt_len != *p++) + continue; + +- if (!CHECK_LEN(header, p, plen, salt_len)) +- return 0; /* bad packet */ +- + if (memcmp(p, salt, salt_len) != 0) + continue; + +@@ -1521,11 +1649,14 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns + nsecs[i] = nsec3p; + } + ++ if (dec_counter(validate_counter, NULL)) ++ return DNSSEC_FAIL_WORK; ++ + if ((digest_len = hash_name(name, &digest, hash, salt, salt_len, iterations)) == 0) +- return 0; ++ return DNSSEC_FAIL_NONSEC; + + if (check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count, nons, count_labels(name))) +- return 1; ++ return 0; + + /* Can't find an NSEC3 which covers the name directly, we need the "closest encloser NSEC3" + or an answer inferred from a wildcard record. */ +@@ -1540,15 +1671,20 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns + if (wildname && hostname_isequal(closest_encloser, wildname)) + break; + ++ if (dec_counter(validate_counter, NULL)) ++ return DNSSEC_FAIL_WORK; ++ + if ((digest_len = hash_name(closest_encloser, &digest, hash, salt, salt_len, iterations)) == 0) +- return 0; ++ return DNSSEC_FAIL_NONSEC; + + for (i = 0; i < nsec_count; i++) + if ((p = nsecs[i])) + { +- if (!extract_name(header, plen, &p, workspace1, 1, 0) || +- !(base32_len = base32_decode(workspace1, (unsigned char *)workspace2))) +- return 0; ++ if (!extract_name(header, plen, &p, workspace1, 1, 0)) ++ return DNSSEC_FAIL_BADPACKET; ++ ++ if (!(base32_len = base32_decode(workspace1, (unsigned char *)workspace2))) ++ return DNSSEC_FAIL_NONSEC; + + if (digest_len == base32_len && + memcmp(digest, workspace2, digest_len) == 0) +@@ -1563,35 +1699,43 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns + while ((closest_encloser = strchr(closest_encloser, '.'))); + + if (!closest_encloser || !next_closest) +- return 0; ++ return DNSSEC_FAIL_NONSEC; + + /* Look for NSEC3 that proves the non-existence of the next-closest encloser */ ++ if (dec_counter(validate_counter, NULL)) ++ return DNSSEC_FAIL_WORK; ++ + if ((digest_len = hash_name(next_closest, &digest, hash, salt, salt_len, iterations)) == 0) +- return 0; ++ return DNSSEC_FAIL_NONSEC; + + if (!check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count, NULL, 1)) +- return 0; ++ return DNSSEC_FAIL_NONSEC; + + /* Finally, check that there's no seat of wildcard synthesis */ + if (!wildname) + { + if (!(wildcard = strchr(next_closest, '.')) || wildcard == next_closest) +- return 0; ++ return DNSSEC_FAIL_NONSEC; + + wildcard--; + *wildcard = '*'; + ++ if (dec_counter(validate_counter, NULL)) ++ return DNSSEC_FAIL_WORK; ++ + if ((digest_len = hash_name(wildcard, &digest, hash, salt, salt_len, iterations)) == 0) +- return 0; ++ return DNSSEC_FAIL_NONSEC; + + if (!check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count, NULL, 1)) +- return 0; ++ return DNSSEC_FAIL_NONSEC; + } + +- return 1; ++ return 0; + } + +-static int prove_non_existence(struct dns_header *header, size_t plen, char *keyname, char *name, int qtype, int qclass, char *wildname, int *nons, int *nsec_ttl) ++/* returns 0 on success, or DNSSEC_FAIL_* value on failure. */ ++static int prove_non_existence(struct dns_header *header, size_t plen, char *keyname, char *name, int qtype, int qclass, ++ char *wildname, int *nons, int *nsec_ttl, int *validate_counter) + { + static unsigned char **nsecset = NULL, **rrsig_labels = NULL; + static int nsecset_sz = 0, rrsig_labels_sz = 0; +@@ -1603,7 +1747,7 @@ static int prove_non_existence(struct dns_header *header, size_t plen, char *key + + /* Move to NS section */ + if (!p || !(p = skip_section(p, ntohs(header->ancount), header, plen))) +- return 0; ++ return DNSSEC_FAIL_BADPACKET; + + auth_start = p; + +@@ -1612,13 +1756,16 @@ static int prove_non_existence(struct dns_header *header, size_t plen, char *key + unsigned char *pstart = p; + + if (!extract_name(header, plen, &p, daemon->workspacename, 1, 10)) +- return 0; ++ return DNSSEC_FAIL_BADPACKET; + + GETSHORT(type, p); + GETSHORT(class, p); + GETLONG(ttl, p); + GETSHORT(rdlen, p); +- ++ ++ if (!CHECK_LEN(header, p, plen, rdlen)) ++ return DNSSEC_FAIL_BADPACKET; ++ + if (class == qclass && (type == T_NSEC || type == T_NSEC3)) + { + if (nsec_ttl) +@@ -1631,12 +1778,12 @@ static int prove_non_existence(struct dns_header *header, size_t plen, char *key + + /* No mixed NSECing 'round here, thankyouverymuch */ + if (type_found != 0 && type_found != type) +- return 0; ++ return DNSSEC_FAIL_NONSEC; + + type_found = type; + + if (!expand_workspace(&nsecset, &nsecset_sz, nsecs_found)) +- return 0; ++ return DNSSEC_FAIL_BADPACKET; + + if (type == T_NSEC) + { +@@ -1651,30 +1798,33 @@ static int prove_non_existence(struct dns_header *header, size_t plen, char *key + int res, j, rdlen1, type1, class1; + + if (!expand_workspace(&rrsig_labels, &rrsig_labels_sz, nsecs_found)) +- return 0; ++ return DNSSEC_FAIL_BADPACKET; + + rrsig_labels[nsecs_found] = NULL; + + for (j = ntohs(header->nscount); j != 0; j--) + { +- if (!(res = extract_name(header, plen, &p1, daemon->workspacename, 0, 10))) +- return 0; ++ unsigned char *psav; + ++ if (!(res = extract_name(header, plen, &p1, daemon->workspacename, 0, 10))) ++ return DNSSEC_FAIL_BADPACKET; ++ + GETSHORT(type1, p1); + GETSHORT(class1, p1); + p1 += 4; /* TTL */ + GETSHORT(rdlen1, p1); + ++ psav = p1; ++ + if (!CHECK_LEN(header, p1, plen, rdlen1)) +- return 0; ++ return DNSSEC_FAIL_BADPACKET; + + if (res == 1 && class1 == qclass && type1 == T_RRSIG) + { + int type_covered; +- unsigned char *psav = p1; +- ++ + if (rdlen1 < 18) +- return 0; /* bad packet */ ++ return DNSSEC_FAIL_BADPACKET; /* bad packet */ + + GETSHORT(type_covered, p1); + +@@ -1686,33 +1836,56 @@ static int prove_non_existence(struct dns_header *header, size_t plen, char *key + if (!rrsig_labels[nsecs_found]) + rrsig_labels[nsecs_found] = p1; + else if (*rrsig_labels[nsecs_found] != *p1) /* algo */ +- return 0; +- } +- p1 = psav; ++ return DNSSEC_FAIL_NONSEC; ++ } + } + +- if (!ADD_RDLEN(header, p1, plen, rdlen1)) +- return 0; ++ p1 = psav + rdlen1; + } + + /* Must have found at least one sig. */ + if (!rrsig_labels[nsecs_found]) +- return 0; ++ return DNSSEC_FAIL_NONSEC; ++ } ++ else if (type == T_NSEC3) ++ { ++ /* Decode the packet structure enough to check that rdlen is big enough ++ to contain everything other than the type bitmap. ++ (packet checked to be long enough to contain rdlen above) ++ We don't need to do any further length checks in check_nes3_coverage() ++ or prove_non_existence_nsec3() */ ++ ++ int salt_len, hash_len; ++ unsigned char *psav = p; ++ ++ if (rdlen < 5) ++ return DNSSEC_FAIL_BADPACKET; ++ ++ p += 4; /* algo, flags, iterations */ ++ salt_len = *p++; /* salt_len */ ++ if (rdlen < (6 + salt_len)) ++ return DNSSEC_FAIL_BADPACKET; /* check up to hash_length */ ++ ++ p += salt_len; /* salt */ ++ hash_len = *p++; ++ if (rdlen < (6 + salt_len + hash_len)) ++ return DNSSEC_FAIL_BADPACKET; /* check to end of next hashed name */ ++ ++ p = psav; + } + + nsecset[nsecs_found++] = pstart; + } + +- if (!ADD_RDLEN(header, p, plen, rdlen)) +- return 0; ++ p += rdlen; + } + + if (type_found == T_NSEC) + return prove_non_existence_nsec(header, plen, nsecset, rrsig_labels, nsecs_found, daemon->workspacename, keyname, name, qtype, nons); + else if (type_found == T_NSEC3) +- return prove_non_existence_nsec3(header, plen, nsecset, nsecs_found, daemon->workspacename, keyname, name, qtype, wildname, nons); ++ return prove_non_existence_nsec3(header, plen, nsecset, nsecs_found, daemon->workspacename, keyname, name, qtype, wildname, nons, validate_counter); + else +- return 0; ++ return DNSSEC_FAIL_NONSEC; + } + + /* Check signing status of name. +@@ -1807,16 +1980,17 @@ static int zone_status(char *name, int class, char *keyname, time_t now) + STAT_BOGUS signature is wrong, bad packet, no validation where there should be. + STAT_NEED_KEY need DNSKEY to complete validation (name is returned in keyname, class in *class) + STAT_NEED_DS need DS to complete validation (name is returned in keyname) ++ STAT_ABANDONED resource exhaustion. + + daemon->rr_status points to a char array which corressponds to the RRs in the +- answer and auth sections. This is set to 1 for each RR which is validated, and 0 for any which aren't. ++ answer and auth sections. This is set to >1 for each RR which is validated, and 0 for any which aren't. + + When validating replies to DS records, we're only interested in the NSEC{3} RRs in the auth section. + Other RRs in that section missing sigs will not cause am INSECURE reply. We determine this mode +- is the nons argument is non-NULL. ++ if the nons argument is non-NULL. + */ + int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, +- int *class, int check_unsigned, int *neganswer, int *nons, int *nsec_ttl) ++ int *class, int check_unsigned, int *neganswer, int *nons, int *nsec_ttl, int *validate_counter) + { + static unsigned char **targets = NULL; + static int target_sz = 0; +@@ -1825,7 +1999,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch + int type1, class1, rdlen1 = 0, type2, class2, rdlen2, qclass, qtype, targetidx; + int i, j, rc = STAT_INSECURE; + int secure = STAT_SECURE; +- ++ int rc_nsec; + /* extend rr_status if necessary */ + if (daemon->rr_status_sz < ntohs(header->ancount) + ntohs(header->nscount)) + { +@@ -1854,7 +2028,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch + + /* Find all the targets we're looking for answers to. + The zeroth array element is for the query, subsequent ones +- for CNAME targets, unless the query is for a CNAME. */ ++ for CNAME targets, unless the query is for a CNAME or ANY. */ + + if (!expand_workspace(&targets, &target_sz, 0)) + return STAT_BOGUS; +@@ -1873,7 +2047,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch + if (qtype == T_RRSIG) + return STAT_INSECURE; + +- if (qtype != T_CNAME) ++ if (qtype != T_CNAME && qtype != T_ANY) + for (j = ntohs(header->ancount); j != 0; j--) + { + if (!(p1 = skip_name(p1, header, plen, 10))) +@@ -1947,7 +2121,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch + { + /* NSEC and NSEC3 records must be signed. We make this assumption elsewhere. */ + if (type1 == T_NSEC || type1 == T_NSEC3) +- rc = STAT_INSECURE; ++ return STAT_BOGUS | DNSSEC_FAIL_NOSIG; + else if (nons && i >= ntohs(header->ancount)) + /* If we're validating a DS reply, rather than looking for the value of AD bit, + we only care that NSEC and NSEC3 RRs in the auth section are signed. +@@ -1959,15 +2133,16 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch + if (check_unsigned && i < ntohs(header->ancount)) + { + rc = zone_status(name, class1, keyname, now); +- if (rc == STAT_SECURE) +- rc = STAT_BOGUS; ++ if (STAT_ISEQUAL(rc, STAT_SECURE)) ++ rc = STAT_BOGUS | DNSSEC_FAIL_NOSIG; ++ + if (class) + *class = class1; /* Class for NEED_DS or NEED_KEY */ + } + else + rc = STAT_INSECURE; + +- if (rc != STAT_INSECURE) ++ if (!STAT_ISEQUAL(rc, STAT_INSECURE)) + return rc; + } + } +@@ -1978,7 +2153,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch + strcpy(daemon->workspacename, keyname); + rc = zone_status(daemon->workspacename, class1, keyname, now); + +- if (rc == STAT_BOGUS || rc == STAT_NEED_KEY || rc == STAT_NEED_DS) ++ if (STAT_ISEQUAL(rc, STAT_BOGUS) || STAT_ISEQUAL(rc, STAT_NEED_KEY) || STAT_ISEQUAL(rc, STAT_NEED_DS)) + { + if (class) + *class = class1; /* Class for NEED_DS or NEED_KEY */ +@@ -1986,13 +2161,13 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch + } + + /* Zone is insecure, don't need to validate RRset */ +- if (rc == STAT_SECURE) ++ if (STAT_ISEQUAL(rc, STAT_SECURE)) + { + unsigned long sig_ttl; + rc = validate_rrset(now, header, plen, class1, type1, sigcnt, +- rrcnt, name, keyname, &wildname, NULL, 0, 0, 0, &sig_ttl); ++ rrcnt, name, keyname, &wildname, NULL, 0, 0, 0, &sig_ttl, validate_counter); + +- if (rc == STAT_BOGUS || rc == STAT_NEED_KEY || rc == STAT_NEED_DS) ++ if (STAT_ISEQUAL(rc, STAT_BOGUS) || STAT_ISEQUAL(rc, STAT_NEED_KEY) || STAT_ISEQUAL(rc, STAT_NEED_DS) || STAT_ISEQUAL(rc, STAT_ABANDONED)) + { + if (class) + *class = class1; /* Class for DS or DNSKEY */ +@@ -2025,50 +2200,53 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch + Note that we may not yet have validated the NSEC/NSEC3 RRsets. + That's not a problem since if the RRsets later fail + we'll return BOGUS then. */ +- if (rc == STAT_SECURE_WILDCARD && +- !prove_non_existence(header, plen, keyname, name, type1, class1, wildname, NULL, NULL)) +- return STAT_BOGUS; ++ if (STAT_ISEQUAL(rc, STAT_SECURE_WILDCARD) && ++ ((rc_nsec = prove_non_existence(header, plen, keyname, name, type1, class1, wildname, NULL, NULL, validate_counter))) != 0) ++ return (rc_nsec & DNSSEC_FAIL_WORK) ? STAT_ABANDONED : (STAT_BOGUS | rc_nsec); + + rc = STAT_SECURE; + } + } + } + +- if (rc == STAT_INSECURE) ++ if (STAT_ISEQUAL(rc, STAT_INSECURE)) + secure = STAT_INSECURE; + } + + /* OK, all the RRsets validate, now see if we have a missing answer or CNAME target. */ +- if (secure == STAT_SECURE) +- for (j = 0; j flags |= FREC_AD_QUESTION; + #ifdef HAVE_DNSSEC +- forward->work_counter = DNSSEC_WORK; ++ forward->work_counter = daemon->limit[LIMIT_WORK]; ++ forward->validate_counter = daemon->limit[LIMIT_CRYPTO]; + if (do_bit) + forward->flags |= FREC_DO_QUESTION; + #endif +@@ -865,6 +866,7 @@ void reply_query(int fd, time_t now) + serveraddr.in6.sin6_flowinfo = 0; + + header = (struct dns_header *)daemon->packet; ++ size_t plen; + + if (n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR)) + return; +@@ -909,7 +911,6 @@ void reply_query(int fd, time_t now) + /* for broken servers, attempt to send to another one. */ + { + unsigned char *pheader; +- size_t plen; + int is_sign; + + #ifdef HAVE_DNSSEC +@@ -1048,34 +1049,40 @@ void reply_query(int fd, time_t now) + */ + if (header->hb3 & HB3_TC) + status = STAT_TRUNCATED; +- ++ ++ struct frec *orig; ++ int log_resource = 0; ++ ++ + while (1) + { + /* As soon as anything returns BOGUS, we stop and unwind, to do otherwise + would invite infinite loops, since the answers to DNSKEY and DS queries + will not be cached, so they'll be repeated. */ ++ /* Find the original query that started it all.... */ ++ for (orig = forward; orig->dependent; orig = orig->dependent); ++ + if (status != STAT_BOGUS && status != STAT_TRUNCATED && status != STAT_ABANDONED) + { + if (forward->flags & FREC_DNSKEY_QUERY) +- status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); ++ status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class, &orig->validate_counter); + else if (forward->flags & FREC_DS_QUERY) +- status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); ++ status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class, &orig->validate_counter); + else + status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, + !option_bool(OPT_DNSSEC_IGN_NS) && (forward->sentto->flags & SERV_DO_DNSSEC), +- NULL, NULL, NULL); +-#ifdef HAVE_DUMPFILE +- if (status == STAT_BOGUS) +- dump_packet((forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) ? DUMP_SEC_BOGUS : DUMP_BOGUS, +- header, (size_t)n, &serveraddr, NULL); +-#endif ++ NULL, NULL, NULL, &orig->validate_counter); + } ++ status = status & 0xffff0000; ++ ++ if (status == STAT_ABANDONED) ++ log_resource = 1; + + /* Can't validate, as we're missing key data. Put this + answer aside, whilst we get that. */ + if (status == STAT_NEED_DS || status == STAT_NEED_KEY) + { +- struct frec *new, *orig; ++ struct frec *new; + + /* Free any saved query */ + if (forward->stash) +@@ -1086,13 +1093,13 @@ void reply_query(int fd, time_t now) + return; + forward->stash_len = n; + +- /* Find the original query that started it all.... */ +- for (orig = forward; orig->dependent; orig = orig->dependent); +- + /* Make sure we don't expire and free the orig frec during the + allocation of a new one. */ +- if (--orig->work_counter == 0 || !(new = get_new_frec(now, NULL, orig))) ++ if (--orig->work_counter == 0 || !(new = get_new_frec(now, NULL, orig))) { + status = STAT_ABANDONED; ++ my_syslog(LOG_WARNING, _("limit exceeded: per-query subqueries")); ++ log_resource = 1; ++ } + else + { + int querytype, fd, type = SERV_DO_DNSSEC; +@@ -1180,7 +1187,20 @@ void reply_query(int fd, time_t now) + } + return; + } +- ++ if (log_resource) ++ { ++ /* Log the actual validation that made us barf. */ ++ unsigned char *p = (unsigned char *)(header+1); ++ if (extract_name(header, plen, &p, daemon->namebuff, 0, 4) == 1) ++ my_syslog(LOG_WARNING, _("validation of %s failed: resource limit exceeded."), ++ daemon->namebuff[0] ? daemon->namebuff : "."); ++ } ++#ifdef HAVE_DUMPFILE ++ if (status == STAT_BOGUS) ++ dump_packet((forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) ? DUMP_SEC_BOGUS : DUMP_BOGUS, ++ header, (size_t)n, &serveraddr, NULL); ++#endif ++ + /* Validated original answer, all done. */ + if (!forward->dependent) + break; +@@ -1216,6 +1236,11 @@ void reply_query(int fd, time_t now) + domain = daemon->namebuff; + + log_query(F_SECSTAT, domain, NULL, result); ++ if ((daemon->limit[LIMIT_CRYPTO] - orig->validate_counter) > (int)daemon->metrics[METRIC_CRYPTO_HWM]) ++ daemon->metrics[METRIC_CRYPTO_HWM] = daemon->limit[LIMIT_CRYPTO] - orig->validate_counter; ++ if ((daemon->limit[LIMIT_WORK] - orig->work_counter) > (int)daemon->metrics[METRIC_WORK_HWM]) ++ daemon->metrics[METRIC_WORK_HWM] = daemon->limit[LIMIT_WORK] - orig->work_counter; ++ + } + + if (status == STAT_SECURE) +@@ -1622,7 +1647,7 @@ void receive_query(struct listener *listen, time_t now) + /* Recurse up the key hierarchy */ + static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n, + int class, char *name, char *keyname, struct server *server, +- int have_mark, unsigned int mark, int *keycount) ++ int have_mark, unsigned int mark, int *keycount, int *validatecount) + { + int new_status; + unsigned char *packet = NULL; +@@ -1639,19 +1664,35 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si + struct server *firstsendto = NULL; + + /* limit the amount of work we do, to avoid cycling forever on loops in the DNS */ +- if (--(*keycount) == 0) +- new_status = STAT_ABANDONED; +- else if (status == STAT_NEED_KEY) +- new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class); ++ if (status == STAT_NEED_KEY) ++ new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class, validatecount); + else if (status == STAT_NEED_DS) +- new_status = dnssec_validate_ds(now, header, n, name, keyname, class); ++ new_status = dnssec_validate_ds(now, header, n, name, keyname, class, validatecount); + else + new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, + !option_bool(OPT_DNSSEC_IGN_NS) && (server->flags & SERV_DO_DNSSEC), +- NULL, NULL, NULL); +- +- if (new_status != STAT_NEED_DS && new_status != STAT_NEED_KEY) ++ NULL, NULL, NULL, validatecount); ++ new_status = new_status & 0xffff0000; ++ ++ if (new_status != STAT_NEED_DS && new_status != STAT_NEED_KEY && new_status != STAT_ABANDONED) + break; ++ ++ if ((*keycount)-- == 0) ++ { ++ my_syslog(LOG_WARNING, _("limit exceeded: per-query subqueries")); ++ new_status = STAT_ABANDONED; ++ } ++ ++ if (new_status == STAT_ABANDONED) ++ { ++ /* Log the actual validation that made us barf. */ ++ unsigned char *p = (unsigned char *)(header+1); ++ if (extract_name(header, n, &p, daemon->namebuff, 0, 4) == 1) ++ my_syslog(LOG_WARNING, _("validation of %s failed: resource limit exceeded."), ++ daemon->namebuff[0] ? daemon->namebuff : "."); ++ break; ++ } ++ + + /* Can't validate because we need a key/DS whose name now in keyname. + Make query for same, and recurse to validate */ +@@ -1668,7 +1709,7 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si + new_status = STAT_ABANDONED; + break; + } +- ++ + m = dnssec_generate_query(new_header, ((unsigned char *) new_header) + 65536, keyname, class, + new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS, server->edns_pktsz); + +@@ -1763,7 +1804,7 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si + server->flags |= SERV_GOT_TCP; + + m = (c1 << 8) | c2; +- new_status = tcp_key_recurse(now, new_status, new_header, m, class, name, keyname, server, have_mark, mark, keycount); ++ new_status = tcp_key_recurse(now, new_status, new_header, m, class, name, keyname, server, have_mark, mark, keycount, validatecount); + break; + } + +@@ -2085,9 +2126,10 @@ unsigned char *tcp_request(int confd, time_t now, + #ifdef HAVE_DNSSEC + if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled && (last_server->flags & SERV_DO_DNSSEC)) + { +- int keycount = DNSSEC_WORK; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */ ++ int keycount = daemon->limit[LIMIT_WORK]; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */ ++ int validatecount = daemon->limit[LIMIT_CRYPTO]; + int status = tcp_key_recurse(now, STAT_OK, header, m, 0, daemon->namebuff, daemon->keyname, +- last_server, have_mark, mark, &keycount); ++ last_server, have_mark, mark, &keycount, &validatecount); + char *result, *domain = "result"; + + if (status == STAT_ABANDONED) +@@ -2102,6 +2144,12 @@ unsigned char *tcp_request(int confd, time_t now, + domain = daemon->namebuff; + + log_query(F_SECSTAT, domain, NULL, result); ++ ++ if ((daemon->limit[LIMIT_CRYPTO] - validatecount) > (int)daemon->metrics[METRIC_CRYPTO_HWM]) ++ daemon->metrics[METRIC_CRYPTO_HWM] = daemon->limit[LIMIT_CRYPTO] - validatecount; ++ ++ if ((daemon->limit[LIMIT_WORK] - keycount) > (int)daemon->metrics[METRIC_WORK_HWM]) ++ daemon->metrics[METRIC_WORK_HWM] = daemon->limit[LIMIT_WORK] - keycount; + + if (status == STAT_BOGUS) + { +diff --git a/src/metrics.c b/src/metrics.c +index fac5b00..f32f426 100644 +--- a/src/metrics.c ++++ b/src/metrics.c +@@ -37,6 +37,9 @@ const char * metric_names[] = { + "leases_pruned_4", + "leases_allocated_6", + "leases_pruned_6", ++ "dnssec_max_crypto_use", ++ "dnssec_max_sig_fail", ++ "dnssec_max_work" + }; + + const char* get_metric_name(int i) { +diff --git a/src/metrics.h b/src/metrics.h +index cecf8c8..ee0b93a 100644 +--- a/src/metrics.h ++++ b/src/metrics.h +@@ -36,6 +36,9 @@ enum { + METRIC_LEASES_PRUNED_4, + METRIC_LEASES_ALLOCATED_6, + METRIC_LEASES_PRUNED_6, ++ METRIC_CRYPTO_HWM, ++ METRIC_SIG_FAIL_HWM, ++ METRIC_WORK_HWM, + + __METRIC_MAX, + }; +diff --git a/src/option.c b/src/option.c +index 25680c0..8b40332 100644 +--- a/src/option.c ++++ b/src/option.c +@@ -170,6 +170,7 @@ struct myoption { + #define LOPT_PXE_VENDOR 361 + #define LOPT_DYNHOST 362 + #define LOPT_LOG_DEBUG 363 ++#define LOPT_DNSSEC_LIMITS 364 + + #ifdef HAVE_GETOPT_LONG + static const struct option opts[] = +@@ -330,6 +331,7 @@ static const struct myoption opts[] = + { "dnssec-check-unsigned", 2, 0, LOPT_DNSSEC_CHECK }, + { "dnssec-no-timecheck", 0, 0, LOPT_DNSSEC_TIME }, + { "dnssec-timestamp", 1, 0, LOPT_DNSSEC_STAMP }, ++ { "dnssec-limits", 1, 0, LOPT_DNSSEC_LIMITS }, + { "dhcp-relay", 1, 0, LOPT_RELAY }, + { "ra-param", 1, 0, LOPT_RA_PARAM }, + { "quiet-dhcp", 0, 0, LOPT_QUIET_DHCP }, +@@ -513,6 +515,7 @@ static struct { + { LOPT_DNSSEC_CHECK, ARG_DUP, NULL, gettext_noop("Ensure answers without DNSSEC are in unsigned zones."), NULL }, + { LOPT_DNSSEC_TIME, OPT_DNSSEC_TIME, NULL, gettext_noop("Don't check DNSSEC signature timestamps until first cache-reload"), NULL }, + { LOPT_DNSSEC_STAMP, ARG_ONE, "", gettext_noop("Timestamp file to verify system clock for DNSSEC"), NULL }, ++ { LOPT_DNSSEC_LIMITS, ARG_ONE, ",..", gettext_noop("Set resource limits for DNSSEC validation"), NULL }, + { LOPT_RA_PARAM, ARG_DUP, ",[mtu:||off,][,][,]", gettext_noop("Set MTU, priority, resend-interval and router-lifetime"), NULL }, + { LOPT_QUIET_DHCP, OPT_QUIET_DHCP, NULL, gettext_noop("Do not log routine DHCP."), NULL }, + { LOPT_QUIET_DHCP6, OPT_QUIET_DHCP6, NULL, gettext_noop("Do not log routine DHCPv6."), NULL }, +@@ -4524,6 +4527,24 @@ err: + } + + #ifdef HAVE_DNSSEC ++ case LOPT_DNSSEC_LIMITS: ++ { ++ int lim, val; ++ ++ for (lim = LIMIT_SIG_FAIL; arg && lim < LIMIT_MAX ; lim++, arg = comma) ++ { ++ comma = split(arg); ++ ++ if (!atoi_check(arg, &val)) ++ ret_err(gen_err); ++ ++ if (val != 0) ++ daemon->limit[lim] = val; ++ } ++ ++ break; ++ } ++ + case LOPT_DNSSEC_STAMP: /* --dnssec-timestamp */ + daemon->timestamp_file = opt_string_alloc(arg); + break; +@@ -5084,6 +5105,12 @@ void read_opts(int argc, char **argv, char *compile_opts) + daemon->soa_refresh = SOA_REFRESH; + daemon->soa_retry = SOA_RETRY; + daemon->soa_expiry = SOA_EXPIRY; ++#ifdef HAVE_DNSSEC ++ daemon->limit[LIMIT_SIG_FAIL] = DNSSEC_LIMIT_SIG_FAIL; ++ daemon->limit[LIMIT_CRYPTO] = DNSSEC_LIMIT_CRYPTO; ++ daemon->limit[LIMIT_WORK] = DNSSEC_LIMIT_WORK; ++ daemon->limit[LIMIT_NSEC3_ITERS] = DNSSEC_LIMIT_NSEC3_ITERS; ++#endif + + #ifndef NO_ID + add_txt("version.bind", "dnsmasq-" VERSION, 0 ); +diff --git a/src/rrfilter.c b/src/rrfilter.c +index 58c6d8f..32ef34a 100644 +--- a/src/rrfilter.c ++++ b/src/rrfilter.c +@@ -136,9 +136,9 @@ static int check_rrs(unsigned char *p, struct dns_header *header, size_t plen, i + + if (class == C_IN) + { +- u16 *d; ++ short *d; + +- for (pp = p, d = rrfilter_desc(type); *d != (u16)-1; d++) ++ for (pp = p, d = rrfilter_desc(type); *d != -1; d++) + { + if (*d != 0) + pp += *d; +@@ -266,7 +266,7 @@ size_t rrfilter(struct dns_header *header, size_t plen, int mode) + } + + /* This is used in the DNSSEC code too, hence it's exported */ +-u16 *rrfilter_desc(int type) ++short *rrfilter_desc(int type) + { + /* List of RRtypes which include domains in the data. + 0 -> domain +@@ -277,7 +277,7 @@ u16 *rrfilter_desc(int type) + anything which needs no mangling. + */ + +- static u16 rr_desc[] = ++ static short rr_desc[] = + { + T_NS, 0, -1, + T_MD, 0, -1, +@@ -302,10 +302,10 @@ u16 *rrfilter_desc(int type) + 0, -1 /* wildcard/catchall */ + }; + +- u16 *p = rr_desc; ++ short *p = rr_desc; + + while (*p != type && *p != 0) +- while (*p++ != (u16)-1); ++ while (*p++ != -1); + + return p+1; + } diff --git a/SPECS/dnsmasq.spec b/SPECS/dnsmasq.spec index f7397bb..8fd63a4 100644 --- a/SPECS/dnsmasq.spec +++ b/SPECS/dnsmasq.spec @@ -20,7 +20,7 @@ Name: dnsmasq Version: 2.85 -Release: 14%{?extraversion:.%{extraversion}}%{?dist} +Release: 14%{?extraversion:.%{extraversion}}%{?dist}.1 Summary: A lightweight DHCP/caching DNS server License: GPLv2 or GPLv3 @@ -69,6 +69,8 @@ Patch13: dnsmasq-2.87-log-root-writeable.patch Patch14: dnsmasq-2.85-domain-blocklist-speedup.patch # https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;h=9bbf098a970c9e5fa251939208e25fb21064d1be Patch15: dnsmasq-2.87-coverity-forward-cache.patch +# https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=214a046f47b9f7dd56f5eef3a8678ccbd6e973b7 +Patch16: dnsmasq-2.90-CVE-2023-50387-CVE-2023-50868.patch # This is workaround to nettle bug #1549190 # https://bugzilla.redhat.com/show_bug.cgi?id=1549190 @@ -212,6 +214,11 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf %{_mandir}/man1/dhcp_* %changelog +* Tue Feb 20 2024 Tomas Korbar - 2.85-14.1 +- Fix CVE 2023-50387 and CVE 2023-50868 +- Resolves: RHEL-25674 +- Resolves: RHEL-25638 + * Fri Jul 28 2023 Petr Menšík - 2.85-14 - Backport Coverity fix to hide detected issue (#2156789)