From 35efdf3c3b2f2b9fff51e811c00736bbef12fceb Mon Sep 17 00:00:00 2001 From: Matt Corallo Date: Mon, 5 Feb 2024 05:36:05 +0000 Subject: [PATCH] Support returning verified RRs from multiple zones at once. --- src/lib.rs | 127 ++++++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 106 insertions(+), 21 deletions(-) diff --git a/src/lib.rs b/src/lib.rs index 740879d..af11329 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -664,13 +664,23 @@ where T: IntoIterator, I: Iterator + Clone { /// Given a set of arbitrary records, this attempts to validate DNSSEC data from the [`root_hints`] /// through to any supported non-DNSSEC record types. /// -/// All records which could be validated are returned. +/// All records which could be validated are returned, though if an error is found validating any +/// contained record, only `Err` will be returned. pub fn verify_rr_stream<'a>(inp: &'a [RR]) -> Result, ValidationError> { let mut zone = "."; let mut res = Vec::new(); - let mut next_ds_set = None; - 'next_zone: while zone == "." || next_ds_set.is_some() { + let mut pending_ds_sets = Vec::with_capacity(1); + 'next_zone: while zone == "." || !pending_ds_sets.is_empty() { let mut found_unsupported_alg = false; + let next_ds_set; + if let Some((next_zone, ds_set)) = pending_ds_sets.pop() { + next_ds_set = Some(ds_set); + zone = next_zone; + } else { + debug_assert_eq!(zone, "."); + next_ds_set = None; + } + for rrsig in inp.iter() .filter_map(|rr| if let RR::RRSig(sig) = rr { Some(sig) } else { None }) .filter(|rrsig| rrsig.name.0 == zone && rrsig.ty == DnsKey::TYPE) @@ -686,19 +696,11 @@ pub fn verify_rr_stream<'a>(inp: &'a [RR]) -> Result, ValidationErro verify_dnskey_rrsig(rrsig, next_ds_set.clone().unwrap(), dnskeys.clone().collect()) }; if dnskeys_verified.is_ok() { - let mut last_validated_type = None; - next_ds_set = None; for rrsig in inp.iter() .filter_map(|rr| if let RR::RRSig(sig) = rr { Some(sig) } else { None }) .filter(move |rrsig| rrsig.key_name.0 == zone && rrsig.name.0 != zone) { if !rrsig.name.ends_with(zone) { return Err(ValidationError::Invalid); } - if last_validated_type == Some(rrsig.ty) { - // If we just validated all the RRs for this type, go ahead and skip it. We - // may end up double-validating some RR Sets if there's multiple RRSigs for - // the same sets interwoven with other RRSets, but that's okay. - continue; - } let signed_records = inp.iter() .filter(|rr| rr.name() == &rrsig.name && rr.ty() == rrsig.ty); verify_rrsig(rrsig, dnskeys.clone(), signed_records.clone().collect())?; @@ -706,19 +708,23 @@ pub fn verify_rr_stream<'a>(inp: &'a [RR]) -> Result, ValidationErro // RRSigs shouldn't cover child `DnsKey`s or other `RRSig`s RRSig::TYPE|DnsKey::TYPE => return Err(ValidationError::Invalid), DS::TYPE => { - next_ds_set = Some(signed_records.filter_map(|rr| - if let RR::DS(ds) = rr { Some(ds) } - else { debug_assert!(false, "We already filtered by type"); None })); - zone = &rrsig.name; + if !pending_ds_sets.iter().any(|(pending_zone, _)| pending_zone == &rrsig.name.0) { + pending_ds_sets.push(( + &rrsig.name, + signed_records.filter_map(|rr| + if let RR::DS(ds) = rr { Some(ds) } + else { debug_assert!(false, "We already filtered by type"); None }) + )); + } }, _ => { - for record in signed_records { res.push(record); } - last_validated_type = Some(rrsig.ty); + for record in signed_records { + if !res.contains(&record) { res.push(record); } + } }, } } - if next_ds_set.is_none() { break 'next_zone; } - else { continue 'next_zone; } + continue 'next_zone; } else if dnskeys_verified == Err(ValidationError::UnsupportedAlgorithm) { // There may be redundant signatures by different keys, where one we don't supprt // and another we do. Ignore ones we don't support, but if there are no more, @@ -840,8 +846,52 @@ mod tests { (txt_resp, txt_rrsig) } + fn matcorallo_dnskey() -> (Vec, Vec) { + let com_dnskeys = com_dnskey().0; + let mut matcorallo_ds = vec![DS { + name: "matcorallo.com.".try_into().unwrap(), key_tag: 24930, alg: 13, digest_type: 2, + digest: Vec::from_hex("693E990CBB1CE1095E387092D3C04BCE907C008891F32A88D41D3ECB129E5E23").unwrap(), + }]; + let ds_rrsig = RRSig { + name: "matcorallo.com.".try_into().unwrap(), ty: DS::TYPE, alg: 13, labels: 2, orig_ttl: 86400, + expiration: 1707628636, inception: 1707019636, key_tag: 4534, key_name: "com.".try_into().unwrap(), + signature: base64::decode("l9b+DhtnJSIzR6y4Bwx+0L9kep77UNCBoTg74RTSL6oMrQd8w4OobHxzwDyXqnLfyxVP18V+AnQp4DdJ2nUW1g==").unwrap(), + }; + verify_rrsig(&ds_rrsig, &com_dnskeys, matcorallo_ds.iter().collect()).unwrap(); + let dnskeys = vec![DnsKey { + name: "matcorallo.com.".try_into().unwrap(), flags: 257, protocol: 3, alg: 13, + pubkey: base64::decode("pfO3ow3SrKhLS7AMEi3b5W9P28nCOB9vryxfSXhqMcXFP1x9V4xAt0/JLr0zNodsqRD/8d9Yhu4Wf3hnSlaavw==").unwrap(), + }, DnsKey { + name: "matcorallo.com.".try_into().unwrap(), flags: 256, protocol: 3, alg: 13, + pubkey: base64::decode("OO6LQTV1mnRsFgn6YQoyeo/SDqS3eajfVv8WGQVnuSYO/bTS9St1tJiox2fgU6wRWDU3chhjz1Pj0unKUAQKig==").unwrap(), + }]; + let dnskey_rrsig = RRSig { + name: "matcorallo.com.".try_into().unwrap(), ty: DnsKey::TYPE, alg: 13, labels: 2, orig_ttl: 604800, + expiration: 1708309135, inception: 1707094135, key_tag: 24930, key_name: "matcorallo.com.".try_into().unwrap(), + signature: base64::decode("2MKg3bTn9zf4ThwCoKRFadqD6l1D6SuLksRieKxFC0QQnzUOCRgZSK2/IlT0DMEoM0+mGrJZo7UG79UILMGUyg==").unwrap(), + }; + verify_dnskey_rrsig(&dnskey_rrsig, &matcorallo_ds, dnskeys.iter().collect()).unwrap(); + let rrs = vec![matcorallo_ds.pop().unwrap().into(), ds_rrsig.into(), + dnskeys[0].clone().into(), dnskeys[1].clone().into(), dnskey_rrsig.into()]; + (dnskeys, rrs) + } + + fn matcorallo_txt_record() -> (Txt, RRSig) { + let txt_resp = Txt { + name: "txt_test.matcorallo.com.".try_into().unwrap(), + data: "dnssec_prover_test".to_owned().into_bytes(), + }; + let txt_rrsig = RRSig { + name: "txt_test.matcorallo.com.".try_into().unwrap(), + ty: Txt::TYPE, alg: 13, labels: 3, orig_ttl: 30, expiration: 1708319203, + inception: 1707104203, key_tag: 34530, key_name: "matcorallo.com.".try_into().unwrap(), + signature: base64::decode("4vaE5Jex2VvIT39JpuMNT7Ds7O0OfzTik5f8WcRRxO0IJnGAO16syAsNUkNkNqsMYknnjHDF0lI4agszgzdpsw==").unwrap(), + }; + (txt_resp, txt_rrsig) + } + #[test] - fn check_txt_record() { + fn check_txt_record_a() { let dnskeys = mattcorallo_dnskey().0; let (txt, txt_rrsig) = mattcorallo_txt_record(); let txt_resp = [txt]; @@ -849,7 +899,7 @@ mod tests { } #[test] - fn check_txt_proof() { + fn check_single_txt_proof() { let mut rr_stream = Vec::new(); for rr in root_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); } for rr in com_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); } @@ -867,6 +917,41 @@ mod tests { } else { panic!(); } } + #[test] + fn check_txt_record_b() { + let dnskeys = matcorallo_dnskey().0; + let (txt, txt_rrsig) = matcorallo_txt_record(); + let txt_resp = [txt]; + verify_rrsig(&txt_rrsig, &dnskeys, txt_resp.iter().collect()).unwrap(); + } + + #[test] + fn check_double_txt_proof() { + let mut rr_stream = Vec::new(); + for rr in root_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); } + for rr in com_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); } + for rr in mattcorallo_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); } + let (txt, txt_rrsig) = mattcorallo_txt_record(); + for rr in [RR::Txt(txt), RR::RRSig(txt_rrsig)] { write_rr(&rr, 1, &mut rr_stream); } + for rr in matcorallo_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); } + let (txt, txt_rrsig) = matcorallo_txt_record(); + for rr in [RR::Txt(txt), RR::RRSig(txt_rrsig)] { write_rr(&rr, 1, &mut rr_stream); } + + let mut rrs = parse_rr_stream(&rr_stream).unwrap(); + rrs.shuffle(&mut rand::rngs::OsRng); + let mut verified_rrs = verify_rr_stream(&rrs).unwrap(); + verified_rrs.sort(); + assert_eq!(verified_rrs.len(), 2); + if let RR::Txt(txt) = &verified_rrs[0] { + assert_eq!(txt.name.0, "matt.user._bitcoin-payment.mattcorallo.com."); + assert_eq!(txt.data, b"bitcoin:?b12=lno1qsgqmqvgm96frzdg8m0gc6nzeqffvzsqzrxqy32afmr3jn9ggkwg3egfwch2hy0l6jut6vfd8vpsc3h89l6u3dm4q2d6nuamav3w27xvdmv3lpgklhg7l5teypqz9l53hj7zvuaenh34xqsz2sa967yzqkylfu9xtcd5ymcmfp32h083e805y7jfd236w9afhavqqvl8uyma7x77yun4ehe9pnhu2gekjguexmxpqjcr2j822xr7q34p078gzslf9wpwz5y57alxu99s0z2ql0kfqvwhzycqq45ehh58xnfpuek80hw6spvwrvttjrrq9pphh0dpydh06qqspp5uq4gpyt6n9mwexde44qv7lstzzq60nr40ff38u27un6y53aypmx0p4qruk2tf9mjwqlhxak4znvna5y"); + } else { panic!(); } + if let RR::Txt(txt) = &verified_rrs[1] { + assert_eq!(txt.name.0, "txt_test.matcorallo.com."); + assert_eq!(txt.data, b"dnssec_prover_test"); + } else { panic!(); } + } + #[test] fn rfc9102_parse_test() { // Note that this is the `AuthenticationChain` field only, and ignores the -- 2.39.5