Add option to disable algo downgrade prevention

.travis.yml

@@ -1,3 +1,6 @@
+branches:
+  only:
+    - master
 language: java
 after_success:
 - mvn clean test jacoco:report coveralls:report

README.md

@@ -145,11 +145,18 @@ The file from which the trust anchor should be loaded. There is no default.
 It must be formatted like a DNS zone master file. It can only contain DS
 or DNSKEY records.
 
-### org.jitsi.dnssec.digest_preference
+### org.jitsi.dnssec.digest\_preference
 Defines the preferred DS record digest algorithm if a zone has registered
 multiple DS records. The list is comma-separated, highest preference first.
 
 If this property is not specified, the DS record with the highest [digest ID]
 (http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml) is chosen.
 To stay compliant with the RFCs, the mandatory digest IDs must be listed in
-this property. The GOST digest is not (yet) implemented.
+this property.
+
+The GOST digest is not (yet) implemented.
+
+### org.jitsi.dnssec.harden\_algo\_downgrade
+Prevent algorithm downgrade when multiple algorithms are advertised in a zones
+DS records. If `false`, allows any algorithm to validate the zone.
+Default is `true`.

src/main/java/org/jitsi/dnssec/validator/ValUtils.java

@@ -73,13 +73,15 @@
  */
 public class ValUtils {
     public static final String DIGEST_PREFERENCE = "org.jitsi.dnssec.digest_preference";
+    public static final String DIGEST_HARDEN_DOWNGRADE = "org.jitsi.dnssec.harden_algo_downgrade";
 
     private static final Logger logger = LoggerFactory.getLogger(ValUtils.class);
     private static final Name WILDCARD = Name.fromConstantString("*");
 
     /** A local copy of the verifier object. */
     private DnsSecVerifier verifier;
     private int[] digestPreference = null;
+    private boolean digestHardenDowngrade = true;
 
     /**
      * Creates a new instance of this class.
@@ -89,8 +91,11 @@ public ValUtils() {
     }
 
     /**
-     * Initialize the module. The only recognized configuration value is
-     * {@link #DIGEST_PREFERENCE}.
+     * Initialize the module. The recognized configuration value are
+     * <ul>
+     *     <li>{@link #DIGEST_PREFERENCE}</li>
+     *     <li>{@link #DIGEST_HARDEN_DOWNGRADE}</li>
+     * </ul>.
      * 
      * @param config The configuration data for this module.
      */
@@ -106,6 +111,8 @@ public void init(Properties config) {
                 }
             }
         }
+
+        this.digestHardenDowngrade = Boolean.parseBoolean(config.getProperty(DIGEST_HARDEN_DOWNGRADE));
     }
 
     /**
@@ -198,7 +205,7 @@ public KeyEntry verifyNewDNSKEYs(SRRset dnskeyRrset, SRRset dsRrset, long badKey
         int favoriteDigestID = this.favoriteDSDigestID(dsRrset);
         for (Iterator<?> i = dsRrset.rrs(); i.hasNext();) {
             DSRecord ds = (DSRecord)i.next();
-            if (ds.getDigestID() != favoriteDigestID) {
+            if (this.digestHardenDowngrade && ds.getDigestID() != favoriteDigestID) {
                 continue;
             }
 

src/test/java/org/jitsi/dnssec/unbound/rpl/Rpl.java

@@ -27,4 +27,5 @@ public class Rpl {
     public Map<Integer, Check> checks;
     public TreeMap<Integer, Integer> nsec3iterations;
     public String digestPreference;
+    public boolean hardenAlgoDowngrade;
 }

src/test/java/org/jitsi/dnssec/unbound/rpl/RplParser.java

@@ -129,6 +129,9 @@ else if (line.matches("\\s*val-nsec3-keysize-iterations:.*")) {
                     else if (line.matches("\\s*val-digest-preference:.*")) {
                         rpl.digestPreference = line.substring(line.indexOf("\"") + 1, line.length() - 1);
                     }
+                    else if (line.matches("\\s*harden-algo-downgrade:.*")) {
+                        rpl.hardenAlgoDowngrade = !"no".equalsIgnoreCase(line.split(":")[1].trim());
+                    }
                     else if (line.startsWith("CONFIG_END")) {
                         state = ParseState.Zero;
                     }

src/test/java/org/jitsi/dnssec/unbound/rpl/UnboundTests.java

@@ -27,6 +27,7 @@
 
 import org.jitsi.dnssec.SRRset;
 import org.jitsi.dnssec.TestBase;
+import org.jitsi.dnssec.validator.ValUtils;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.powermock.core.classloader.annotations.PrepareForTest;
@@ -58,9 +59,11 @@ public void runUnboundTest() throws ParseException, IOException {
         }
 
         if (rpl.digestPreference != null) {
-            config.put("org.jitsi.dnssec.digest_preference", rpl.digestPreference);
+            config.put(ValUtils.DIGEST_PREFERENCE, rpl.digestPreference);
         }
 
+        config.put(ValUtils.DIGEST_HARDEN_DOWNGRADE, Boolean.toString(rpl.hardenAlgoDowngrade));
+
         for (Message m : rpl.replays) {
             add(stripAdditional(m));
             for (RRset set : m.getSectionRRsets(Section.AUTHORITY)) {
@@ -172,8 +175,8 @@ else if (s.getType() == Type.DNAME) {
 
         for (Check c : rpl.checks.values()) {
             Message s = resolver.send(c.query);
-            assertEquals(c.response.getHeader().getFlag(Flags.AD), s.getHeader().getFlag(Flags.AD));
-            assertEquals(Rcode.string(c.response.getRcode()), Rcode.string(s.getRcode()));
+            assertEquals("AD Flag must match", c.response.getHeader().getFlag(Flags.AD), s.getHeader().getFlag(Flags.AD));
+            assertEquals("RCode must match", Rcode.string(c.response.getRcode()), Rcode.string(s.getRcode()));
         }
     }
 
@@ -471,6 +474,11 @@ public void val_ds_sha2_downgrade_override() throws ParseException, IOException
         runUnboundTest();
     }
 
+    @Test
+    public void val_ds_sha2_lenient() throws ParseException, IOException {
+        runUnboundTest();
+    }
+
     @Test
     public void val_entds() throws ParseException, IOException {
         runUnboundTest();

src/test/resources/unbound/val_ds_gost_downgrade.rpl

@@ -4,6 +4,10 @@ server:
 	trust-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
 	val-override-date: "20070916134226"
 	target-fetch-policy: "0 0 0 0 0"
+	qname-minimisation: "no"
+	fake-sha1: yes
+	trust-anchor-signaling: no
+	harden-algo-downgrade: yes
 
 stub-zone:
 	name: "."
@@ -231,7 +235,7 @@ ENTRY_END
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RD RA SERVFAIL
+REPLY QR RD RA DO SERVFAIL
 SECTION QUESTION
 www.sub.example.com. IN A
 SECTION ANSWER

src/test/resources/unbound/val_ds_sha2.rpl

@@ -4,6 +4,10 @@ server:
 	trust-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
 	val-override-date: "20070916134226"
 	target-fetch-policy: "0 0 0 0 0"
+	qname-minimisation: "no"
+	fake-dsa: yes
+	fake-sha1: yes
+	trust-anchor-signaling: no
 
 stub-zone:
 	name: "."
@@ -188,7 +192,7 @@ ENTRY_END
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RD RA AD NOERROR
+REPLY QR RD RA AD DO NOERROR
 SECTION QUESTION
 www.sub.example.com. IN A
 SECTION ANSWER

src/test/resources/unbound/val_ds_sha2_downgrade.rpl

@@ -4,6 +4,11 @@ server:
 	trust-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
 	val-override-date: "20070916134226"
 	target-fetch-policy: "0 0 0 0 0"
+	qname-minimisation: "no"
+	fake-dsa: yes
+	fake-sha1: yes
+	trust-anchor-signaling: no
+	harden-algo-downgrade: yes
 
 stub-zone:
 	name: "."
@@ -211,7 +216,7 @@ ENTRY_END
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RD RA SERVFAIL
+REPLY QR RD RA DO SERVFAIL
 SECTION QUESTION
 www.sub.example.com. IN A
 SECTION ANSWER