Merge branch 'update'

Author: ibauersachs

README.md

@@ -5,6 +5,7 @@ A DNSSEC validating stub resolver for Java.
 [![Build Status](https://travis-ci.org/ibauersachs/dnssecjava.svg?branch=master)](https://travis-ci.org/ibauersachs/dnssecjava)
 [![Coverage Status](https://coveralls.io/repos/ibauersachs/dnssecjava/badge.svg)](https://coveralls.io/r/ibauersachs/dnssecjava)
 [![Maven Central](https://maven-badges.herokuapp.com/maven-central/org.jitsi/dnssecjava/badge.svg)](http://search.maven.org/#search%7Cga%7C1%7Cg%3A%22org.jitsi%22%20AND%20a%3A%22dnssecjava%22)
+[![Javadocs](http://javadoc.io/badge/org.jitsi/dnssecjava.svg)](https://javadoc.io/doc/org.jitsi/dnssecjava)
 
 Is this library safe to use?
 ---------------------------
@@ -28,6 +29,12 @@ The Unbound prototype was stripped from all unnecessary parts, heavily
 modified, complemented with more than 300 unit test and found bugs were fixed.
 
 ### Released versions
+* 1.2.0:
+  - Fix CVE-2017-15105
+  - Add config option `org.jitsi.dnssec.harden_algo_downgrade`
+  - Fix handling of ENT in NSEC3 zones
+  - Fix returning YXDOMAIN RCode
+  - Requires dnsjava 2.1.9 for proper (EC)DSA signature validation
 * 1.1.3:
   - Replace jmockit with PowerMockito due to ever changing API (and there's a Debian package for PowerMockito)
   - Use fixed versions for the dependencies

pom.xml

@@ -3,9 +3,9 @@
     <groupId>org.jitsi</groupId>
     <artifactId>dnssecjava</artifactId>
     <packaging>bundle</packaging>
-    <version>1.1.4-SNAPSHOT</version>
+    <version>1.2.0</version>
     <name>dnssecjava</name>
-    <url>https://jitsi.org/dnssec</url>
+    <url>https://github.com/ibauersachs/dnssecjava</url>
 
     <properties>
         <powermock.version>1.6.6</powermock.version>
@@ -18,7 +18,7 @@
         <dependency>
             <groupId>dnsjava</groupId>
             <artifactId>dnsjava</artifactId>
-            <version>2.1.7</version>
+            <version>2.1.9</version>
         </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>
@@ -58,7 +58,7 @@
         <dependency>
             <groupId>joda-time</groupId>
             <artifactId>joda-time</artifactId>
-            <version>2.9.6</version>
+            <version>2.10.2</version>
             <scope>test</scope>
         </dependency>
     </dependencies>
@@ -107,7 +107,6 @@
                             <failsOnError>true</failsOnError>
                             <maxAllowedViolations>0</maxAllowedViolations>
                             <failOnViolation>true</failOnViolation>
-                            <linkXRef>false</linkXRef>
                             <consoleOutput>true</consoleOutput>
                         </configuration>
                     </execution>
@@ -116,7 +115,7 @@
             <plugin>
                 <groupId>org.jacoco</groupId>
                 <artifactId>jacoco-maven-plugin</artifactId>
-                <version>0.7.5.201505241946</version>
+                <version>0.8.4</version>
                 <executions>
                     <execution>
                         <id>prepare-agent</id>
@@ -137,42 +136,6 @@
                 <version>2.5.3</version>
             </plugin>
         </plugins>
-        <pluginManagement>
-            <plugins>
-                <!--This plugin's configuration is used to store Eclipse m2e settings
-                    only. It has no influence on the Maven build itself. -->
-                <plugin>
-                    <groupId>org.eclipse.m2e</groupId>
-                    <artifactId>lifecycle-mapping</artifactId>
-                    <version>1.0.0</version>
-                    <configuration>
-                        <lifecycleMappingMetadata>
-                            <pluginExecutions>
-                                <pluginExecution>
-                                    <pluginExecutionFilter>
-                                        <groupId>
-                                            org.apache.maven.plugins
-                                        </groupId>
-                                        <artifactId>
-                                            maven-checkstyle-plugin
-                                        </artifactId>
-                                        <versionRange>
-                                            [2.11,)
-                                        </versionRange>
-                                        <goals>
-                                            <goal>check</goal>
-                                        </goals>
-                                    </pluginExecutionFilter>
-                                    <action>
-                                        <ignore />
-                                    </action>
-                                </pluginExecution>
-                            </pluginExecutions>
-                        </lifecycleMappingMetadata>
-                    </configuration>
-                </plugin>
-            </plugins>
-        </pluginManagement>
     </build>
     <organization>
         <name>jitsi.org</name>
@@ -182,7 +145,7 @@
         <url>https://github.com/ibauersachs/dnssecjava</url>
         <connection>scm:git:https://github.com/ibauersachs/dnssecjava.git</connection>
         <developerConnection>scm:git:https://github.com/ibauersachs/dnssecjava.git</developerConnection>
-        <tag>HEAD</tag>
+        <tag>dnssecjava-1.2.0</tag>
     </scm>
     <description>A DNSSEC validating stub resolver for Java.</description>
     <licenses>

src/main/java/org/jitsi/dnssec/SRRset.java

@@ -56,6 +56,7 @@
  */
 public class SRRset extends RRset {
     private SecurityStatus securityStatus;
+    private Name ownerName;
 
     /** Create a new, blank SRRset. */
     public SRRset() {
@@ -114,4 +115,17 @@ public Name getSignerName() {
 
         return null;
     }
+
+    @Override
+    public Name getName() {
+        return this.ownerName == null ? super.getName() : this.ownerName;
+    }
+
+    /**
+     * Set the name of the records.
+     * @param ownerName the {@link Name} to override the original name with.
+     */
+    public void setName(Name ownerName) {
+        this.ownerName = ownerName;
+    }
 }

src/main/java/org/jitsi/dnssec/validator/DnsSecVerifier.java

@@ -44,6 +44,7 @@
 import java.util.Iterator;
 import java.util.List;
 
+import org.jitsi.dnssec.SRRset;
 import org.jitsi.dnssec.SecurityStatus;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -52,6 +53,7 @@
 import org.xbill.DNS.DNSSEC.DNSSECException;
 import org.xbill.DNS.RRSIGRecord;
 import org.xbill.DNS.RRset;
+import org.xbill.DNS.Type;
 
 /**
  * A class for performing basic DNSSEC verification. The DNSJAVA package
@@ -112,8 +114,8 @@ private List<DNSKEYRecord> findKey(RRset dnskeyRrset, RRSIGRecord signature) {
      *         could not be completed (usually because the public key was not
      *         available).
      */
-    private SecurityStatus verifySignature(RRset rrset, RRSIGRecord sigrec,
-            RRset keyRrset) {
+    private SecurityStatus verifySignature(SRRset rrset, RRSIGRecord sigrec,
+                                           RRset keyRrset) {
         List<DNSKEYRecord> keys = this.findKey(keyRrset, sigrec);
         if (keys == null) {
             logger.trace("could not find appropriate key");
@@ -130,10 +132,11 @@ private SecurityStatus verifySignature(RRset rrset, RRSIGRecord sigrec,
                 }
 
                 DNSSEC.verify(rrset, sigrec, key);
+                ValUtils.setCanonicalNsecOwner(rrset, sigrec);
                 return SecurityStatus.SECURE;
             }
             catch (DNSSECException e) {
-                logger.error("Failed to validate RRset", e);
+                logger.error("Failed to validate RRset {}/{}", rrset.getName(), Type.string(rrset.getType()), e);
                 status = SecurityStatus.BOGUS;
             }
         }
@@ -151,7 +154,7 @@ private SecurityStatus verifySignature(RRset rrset, RRSIGRecord sigrec,
      * @return SecurityStatus.SECURE if the rrest verified positively,
      *         SecurityStatus.BOGUS otherwise.
      */
-    public SecurityStatus verify(RRset rrset, RRset keyRrset) {
+    public SecurityStatus verify(SRRset rrset, RRset keyRrset) {
         Iterator<?> i = rrset.sigs();
         if (!i.hasNext()) {
             logger.info("RRset failed to verify due to lack of signatures");

src/main/java/org/jitsi/dnssec/validator/ValUtils.java

@@ -90,6 +90,34 @@ public ValUtils() {
         this.verifier = new DnsSecVerifier();
     }
 
+    /**
+     * Set the owner name of NSEC RRsets to the canonical name, i.e. the name
+     * that is <b>not</b> expanded from a wildcard label.
+     * @param set The RRset to canonicalize.
+     * @param sig The signature that validated this RRset.
+     */
+    public static void setCanonicalNsecOwner(SRRset set, RRSIGRecord sig) {
+        if (set.getType() != Type.NSEC) {
+            return;
+        }
+
+        Record nsec = set.first();
+        int fqdnLabelCount = nsec.getName().labels() - 1; // don't count the root label
+        if (nsec.getName().isWild()) {
+            --fqdnLabelCount; // don't count the wildcard label
+        }
+
+        if (sig.getLabels() == fqdnLabelCount) {
+            set.setName(nsec.getName());
+        }
+        else if (sig.getLabels() < fqdnLabelCount) {
+            set.setName(nsec.getName().wild(sig.getSigner().labels() - sig.getLabels()));
+        }
+        else {
+            throw new IllegalArgumentException("invalid nsec record");
+        }
+    }
+
     /**
      * Initialize the module. The recognized configuration value are
      * <ul>
@@ -445,13 +473,14 @@ public static boolean strictSubdomain(Name domain1, Name domain2) {
      * {@link NSECRecord#getNext()}).
      * 
      * @param domain The name for which the closest encloser is queried.
-     * @param nsec The covering {@link NSECRecord} to check.
+     * @param owner The beginning of the covering {@link Name} to check. 
+     * @param next The end of the covering {@link Name} to check.
      * @return The closest encloser name of <code>domain</code> as defined by
-     *         <code>nsec</code>.
+     *         {@code owner} and {@code next}.
      */
-    public static Name closestEncloser(Name domain, NSECRecord nsec) {
-        Name n1 = longestCommonName(domain, nsec.getName());
-        Name n2 = longestCommonName(domain, nsec.getNext());
+    public static Name closestEncloser(Name domain, Name owner, Name next) {
+        Name n1 = longestCommonName(domain, owner);
+        Name n2 = longestCommonName(domain, next);
 
         return (n1.labels() > n2.labels()) ? n1 : n2;
     }
@@ -462,28 +491,29 @@ public static Name closestEncloser(Name domain, NSECRecord nsec) {
      * 
      * @param domain The name for which the wildcard closest encloser is
      *            demanded.
+     * @param set The RRset containing {@code nsec} to check.
      * @param nsec The covering NSEC that defines the encloser.
      * @return The wildcard closest encloser name of <code>domain</code> as
      *         defined by <code>nsec</code>.
      * @throws NameTooLongException If adding the wildcard label to the closest
      *             encloser results in an invalid name.
      */
-    public static Name nsecWildcard(Name domain, NSECRecord nsec) throws NameTooLongException {
-        Name origin = closestEncloser(domain, nsec);
+    public static Name nsecWildcard(Name domain, SRRset set, NSECRecord nsec) throws NameTooLongException {
+        Name origin = closestEncloser(domain, set.getName(), nsec.getNext());
         return Name.concatenate(WILDCARD, origin);
     }
 
     /**
      * Determine if the given NSEC proves a NameError (NXDOMAIN) for a given
      * qname.
      * 
+     * @param set The RRset that contains the NSEC.
      * @param nsec The NSEC to check.
      * @param qname The qname to check against.
-     * @param signerName The signer of the NSEC RRset.
      * @return true if the NSEC proves the condition.
      */
-    public static boolean nsecProvesNameError(NSECRecord nsec, Name qname, Name signerName) {
-        Name owner = nsec.getName();
+    public static boolean nsecProvesNameError(SRRset set, NSECRecord nsec, Name qname) {
+        Name owner = set.getName();
         Name next = nsec.getNext();
 
         // If NSEC owner == qname, then this NSEC proves that qname exists.
@@ -492,7 +522,7 @@ public static boolean nsecProvesNameError(NSECRecord nsec, Name qname, Name sign
         }
 
         // deny overreaching NSECs
-        if (!next.subdomain(signerName)) {
+        if (!next.subdomain(set.getSignerName())) {
             return false;
         }
 
@@ -539,29 +569,25 @@ else if (owner.compareTo(next) > 0) {
      * Determine if a NSEC record proves the non-existence of a wildcard that
      * could have produced qname.
      * 
-     * @param nsec The nsec to check.
+     * @param set The RRset of the NSEC record.
+     * @param nsec The nsec record to check.
      * @param qname The qname to check against.
-     * @param signerName The signer of the NSEC RRset.
      * @return true if the NSEC proves the condition.
      */
-    public static boolean nsecProvesNoWC(NSECRecord nsec, Name qname, Name signerName) {
-        int qnameLabels = qname.labels();
-        Name ce = closestEncloser(qname, nsec);
-        int ceLabels = ce.labels();
-
-        for (int i = qnameLabels - ceLabels; i > 0; i--) {
-            Name wcName = qname.wild(i);
-            if (nsecProvesNameError(nsec, wcName, signerName)) {
-                return true;
-            }
+    public static boolean nsecProvesNoWC(SRRset set, NSECRecord nsec, Name qname) {
+        Name ce = closestEncloser(qname, set.getName(), nsec.getNext());
+        int labelsToStrip = qname.labels() - ce.labels();
+        if (labelsToStrip > 0) {
+            Name wcName = qname.wild(labelsToStrip);
+            return nsecProvesNameError(set, nsec, wcName);
         }
 
         return false;
     }
 
     /**
      * Container for responses of
-     * {@link ValUtils#nsecProvesNodata(NSECRecord, Name, int)}.
+     * {@link ValUtils#nsecProvesNodata(SRRset, NSECRecord, Name, int)}.
      */
     public static class NsecProvesNodataResponse {
         boolean result;
@@ -575,22 +601,23 @@ public static class NsecProvesNodataResponse {
      * must still be provided proof that qname did not directly exist and that
      * the wildcard is, in fact, *.closest_encloser.
      * 
+     * @param set The RRset of the NSEC record.
      * @param nsec The NSEC to check
      * @param qname The query name to check against.
      * @param qtype The query type to check against.
      * @return true if the NSEC proves the condition.
      */
-    public static NsecProvesNodataResponse nsecProvesNodata(NSECRecord nsec, Name qname, int qtype) {
+    public static NsecProvesNodataResponse nsecProvesNodata(SRRset set, NSECRecord nsec, Name qname, int qtype) {
         NsecProvesNodataResponse result = new NsecProvesNodataResponse();
-        if (!nsec.getName().equals(qname)) {
+        if (!set.getName().equals(qname)) {
             // empty-non-terminal checking.
             // Done before wildcard, because this is an exact match,
             // and would prevent a wildcard from matching.
 
             // If the nsec is proving that qname is an ENT, the nsec owner will
             // be less than qname, and the next name will be a child domain of
             // the qname.
-            if (strictSubdomain(nsec.getNext(), qname) && nsec.getName().compareTo(qname) < 0) {
+            if (strictSubdomain(nsec.getNext(), qname) && set.getName().compareTo(qname) < 0) {
                 result.result = true;
                 return result;
             }
@@ -600,9 +627,9 @@ public static NsecProvesNodataResponse nsecProvesNodata(NSECRecord nsec, Name qn
             // have generated qname from the wildcard and b) the type map does
             // not contain qtype. Note that this does NOT prove that this
             // wildcard was the applicable wildcard.
-            if (nsec.getName().isWild()) {
+            if (set.getName().isWild()) {
                 // the is the purported closest encloser.
-                Name ce = new Name(nsec.getName(), 1);
+                Name ce = new Name(set.getName(), 1);
 
                 // The qname must be a strict subdomain of the closest encloser,
                 // and the qtype must be absent from the type map.
@@ -720,16 +747,16 @@ public JustifiedSecStatus nsecProvesNodataDsReply(Message request, SMessage resp
             }
 
             NSECRecord nsec = (NSECRecord)set.first();
-            ndp = ValUtils.nsecProvesNodata(nsec, qname, Type.DS);
+            ndp = ValUtils.nsecProvesNodata(set, nsec, qname, Type.DS);
             if (ndp.result) {
                 hasValidNSEC = true;
                 if (ndp.wc != null && nsec.getName().isWild()) {
                     wcNsec = nsec;
                 }
             }
 
-            if (ValUtils.nsecProvesNameError(nsec, qname, set.getSignerName())) {
-                ce = closestEncloser(qname, nsec);
+            if (ValUtils.nsecProvesNameError(set, nsec, qname)) {
+                ce = closestEncloser(qname, set.getName(), nsec.getNext());
             }
         }