summaryrefslogtreecommitdiff
path: root/usr.sbin/unbound/validator/val_nsec.h
blob: 34f7f63b40efec601f87b6c188e2ee0e3cd3c48c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
/*
 * validator/val_nsec.h - validator NSEC denial of existance functions.
 *
 * Copyright (c) 2007, NLnet Labs. All rights reserved.
 *
 * This software is open source.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 
 * Redistributions of source code must retain the above copyright notice,
 * this list of conditions and the following disclaimer.
 * 
 * Redistributions in binary form must reproduce the above copyright notice,
 * this list of conditions and the following disclaimer in the documentation
 * and/or other materials provided with the distribution.
 * 
 * Neither the name of the NLNET LABS nor the names of its contributors may
 * be used to endorse or promote products derived from this software without
 * specific prior written permission.
 * 
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

/**
 * \file
 *
 * This file contains helper functions for the validator module.
 * The functions help with NSEC checking, the different NSEC proofs
 * for denial of existance, and proofs for presence of types.
 */

#ifndef VALIDATOR_VAL_NSEC_H
#define VALIDATOR_VAL_NSEC_H
#include "util/data/packed_rrset.h"
struct val_env;
struct module_env;
struct ub_packed_rrset_key;
struct reply_info;
struct query_info;
struct key_entry_key;

/**
 * Check DS absence.
 * There is a NODATA reply to a DS that needs checking.
 * NSECs can prove this is not a delegation point, or sucessfully prove
 * that there is no DS. Or this fails.
 *
 * @param env: module env for rrsig verification routines.
 * @param ve: validator env for rrsig verification routines.
 * @param qinfo: the DS queried for.
 * @param rep: reply received.
 * @param kkey: key entry to use for verification of signatures.
 * @param proof_ttl: if secure, the TTL of how long this proof lasts.
 * @param reason: string explaining why bogus.
 * @return security status.
 *	SECURE: proved absence of DS.
 *	INSECURE: proved that this was not a delegation point.
 *	BOGUS: crypto bad, or no absence of DS proven. 
 *	UNCHECKED: there was no way to prove anything (no NSECs, unknown algo).
 */
enum sec_status val_nsec_prove_nodata_dsreply(struct module_env* env,
	struct val_env* ve, struct query_info* qinfo, 
	struct reply_info* rep, struct key_entry_key* kkey,
	uint32_t* proof_ttl, char** reason);

/** 
 * nsec typemap check, takes an NSEC-type bitmap as argument, checks for type.
 * @param bitmap: pointer to the bitmap part of wireformat rdata.
 * @param len: length of the bitmap, in bytes.
 * @param type: the type (in host order) to check for.
 * @return true if the type bit was set in the bitmap. false if not, or
 * 	if the bitmap was malformed in some way.
 */
int nsecbitmap_has_type_rdata(uint8_t* bitmap, size_t len, uint16_t type);

/**
 * Check if type is present in the NSEC typemap
 * @param nsec: the nsec RRset.
 *	If there are multiple RRs, then each must have the same typemap,
 *	since the typemap represents the types at this domain node.
 * @param type: type to check for, host order.
 * @return true if present
 */
int nsec_has_type(struct ub_packed_rrset_key* nsec, uint16_t type);

/**
 * Determine if a NSEC proves the NOERROR/NODATA conditions. This will also
 * handle the empty non-terminal (ENT) case and partially handle the
 * wildcard case. If the ownername of 'nsec' is a wildcard, the validator
 * must still be provided proof that qname did not directly exist and that
 * the wildcard is, in fact, *.closest_encloser.
 *
 * @param nsec: the nsec record to check against.
 * @param qinfo: the query info.
 * @param wc: if the nodata is proven for a wildcard match, the wildcard
 * 	closest encloser is returned, else NULL (wc is unchanged).
 * 	This closest encloser must then match the nameerror given for the
 * 	nextcloser of qname.
 * @return true if NSEC proves this.
 */
int nsec_proves_nodata(struct ub_packed_rrset_key* nsec, 
	struct query_info* qinfo, uint8_t** wc);

/**
 * Determine if the given NSEC proves a NameError (NXDOMAIN) for a given
 * qname.
 *
 * @param nsec: the nsec to check
 * @param qname: what was queried.
 * @return true if proven.
 */
int val_nsec_proves_name_error(struct ub_packed_rrset_key* nsec, 
	uint8_t* qname);

/**
 * Determine if the given NSEC proves a positive wildcard response.
 * @param nsec: the nsec to check
 * @param qinf: what was queried.
 * @param wc: wildcard (without *. label)
 * @return true if proven.
 */
int val_nsec_proves_positive_wildcard(struct ub_packed_rrset_key* nsec, 
	struct query_info* qinf, uint8_t* wc);

/**
 * Determine closest encloser of a query name and the NSEC that covers it
 * (and thus disproved it). 
 * A name error must have been proven already, otherwise this will be invalid.
 * @param qname: the name queried for.
 * @param nsec: the nsec RRset.
 * @return closest encloser dname or NULL on error (bad nsec RRset).
 */
uint8_t* nsec_closest_encloser(uint8_t* qname, 
	struct ub_packed_rrset_key* nsec);

/**
 * Determine if the given NSEC proves that a wildcard match does not exist.
 *
 * @param nsec: the nsec RRset.
 * @param qname: the name queried for.
 * @param qnamelen: length of qname.
 * @return true if proven.
 */
int val_nsec_proves_no_wc(struct ub_packed_rrset_key* nsec, uint8_t* qname, 
	size_t qnamelen);

/**
 * Determine the DLV result, what to do with NSEC DLV reply.
 * @param qinfo: what was queried for.
 * @param rep: the nonpositive reply.
 * @param nm: dlv lookup name, to adjust for new lookup name (if needed).
 * @param nm_len: length of lookup name.
 * @return 0 on error, 1 if a higher point is found.
 * 	If the higher point is above the dlv repo anchor, the qname does 
 * 	not exist.
 */
int val_nsec_check_dlv(struct query_info* qinfo,
	struct reply_info* rep, uint8_t** nm, size_t* nm_len);

/**
 * Determine if an nsec proves an insecure delegation towards the qname.
 * @param nsec: nsec rrset.
 * @param qinfo: what was queries for.
 * @return 0 if not, 1 if an NSEC that signals an insecure delegation to
 * 	the qname.
 */
int val_nsec_proves_insecuredelegation(struct ub_packed_rrset_key* nsec,
        struct query_info* qinfo);

#endif /* VALIDATOR_VAL_NSEC_H */