val_nsec.c (266114) | val_nsec.c (292206) |
1/* | 1/* |
2 * validator/val_nsec.c - validator NSEC denial of existance functions. | 2 * validator/val_nsec.c - validator NSEC denial of existence functions. |
3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: --- 22 unchanged lines hidden (view full) --- 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36/** 37 * \file 38 * 39 * This file contains helper functions for the validator module. 40 * The functions help with NSEC checking, the different NSEC proofs | 3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: --- 22 unchanged lines hidden (view full) --- 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36/** 37 * \file 38 * 39 * This file contains helper functions for the validator module. 40 * The functions help with NSEC checking, the different NSEC proofs |
41 * for denial of existance, and proofs for presence of types. | 41 * for denial of existence, and proofs for presence of types. |
42 */ 43#include "config.h" 44#include "validator/val_nsec.h" 45#include "validator/val_utils.h" 46#include "util/data/msgreply.h" 47#include "util/data/dname.h" 48#include "util/net_help.h" 49#include "util/module.h" --- 224 unchanged lines hidden (view full) --- 274 /* check if this is a delegation */ 275 *reason = "NSEC for wildcard does not prove absence of DS"; 276 return val_nsec_proves_no_ds(wc_nsec, qinfo); 277 } 278 /* valid nsec proves empty nonterminal */ 279 return sec_status_insecure; 280 } 281 | 42 */ 43#include "config.h" 44#include "validator/val_nsec.h" 45#include "validator/val_utils.h" 46#include "util/data/msgreply.h" 47#include "util/data/dname.h" 48#include "util/net_help.h" 49#include "util/module.h" --- 224 unchanged lines hidden (view full) --- 274 /* check if this is a delegation */ 275 *reason = "NSEC for wildcard does not prove absence of DS"; 276 return val_nsec_proves_no_ds(wc_nsec, qinfo); 277 } 278 /* valid nsec proves empty nonterminal */ 279 return sec_status_insecure; 280 } 281 |
282 /* NSEC proof did not conlusively point to DS or no DS */ | 282 /* NSEC proof did not conclusively point to DS or no DS */ |
283 return sec_status_unchecked; 284} 285 286int nsec_proves_nodata(struct ub_packed_rrset_key* nsec, 287 struct query_info* qinfo, uint8_t** wc) 288{ 289 log_assert(wc); 290 if(query_dname_compare(nsec->rk.dname, qinfo->qname) != 0) { --- 44 unchanged lines hidden (view full) --- 335 return 0; 336 } 337 if(nsec_has_type(nsec, qinfo->qtype)) { 338 return 0; 339 } 340 *wc = ce; 341 return 1; 342 } | 283 return sec_status_unchecked; 284} 285 286int nsec_proves_nodata(struct ub_packed_rrset_key* nsec, 287 struct query_info* qinfo, uint8_t** wc) 288{ 289 log_assert(wc); 290 if(query_dname_compare(nsec->rk.dname, qinfo->qname) != 0) { --- 44 unchanged lines hidden (view full) --- 335 return 0; 336 } 337 if(nsec_has_type(nsec, qinfo->qtype)) { 338 return 0; 339 } 340 *wc = ce; 341 return 1; 342 } |
343 } else { 344 /* See if the next owner name covers a wildcard 345 * empty non-terminal. */ 346 while (dname_strict_subdomain_c(nm, nsec->rk.dname)) { 347 /* wildcard does not apply if qname below 348 * the name that exists under the '*' */ 349 if (dname_subdomain_c(qinfo->qname, nm)) 350 break; 351 /* but if it is a wildcard and qname is below 352 * it, then the wildcard applies. The wildcard 353 * is an empty nonterminal. nodata proven. */ 354 if (dname_is_wild(nm)) { 355 size_t ce_len = ln; 356 uint8_t* ce = nm; 357 dname_remove_label(&ce, &ce_len); 358 if(dname_strict_subdomain_c(qinfo->qname, ce)) { 359 *wc = ce; 360 return 1; 361 } 362 } 363 dname_remove_label(&nm, &ln); 364 } |
|
343 } 344 345 /* Otherwise, this NSEC does not prove ENT and is not a 346 * wildcard, so it does not prove NODATA. */ 347 return 0; 348 } 349 350 /* If the qtype exists, then we should have gotten it. */ --- 252 unchanged lines hidden --- | 365 } 366 367 /* Otherwise, this NSEC does not prove ENT and is not a 368 * wildcard, so it does not prove NODATA. */ 369 return 0; 370 } 371 372 /* If the qtype exists, then we should have gotten it. */ --- 252 unchanged lines hidden --- |
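Review bot: The wildcard empty-non-terminal loop added on the new side (lines 344-364) returns `*wc = ce`, where `ce` is a copy of the `nm` pointer with one label stripped, so the name handed back through `wc` points into whatever `nm` was derived from earlier in the function (outside this hunk, presumably the NSEC next owner name in the rrset data) rather than into a fresh buffer; the contract for the `wc` out-parameter should say so, e.g. `/* wc: on return 1, set to the wildcard's closest encloser; the pointer is borrowed from nsec and is only valid while that rrset is */`. Termination of the loop depends on `dname_remove_label(&nm, &ln)` shortening `nm` each pass until it is no longer strictly below `nsec->rk.dname`, which holds as long as that helper always removes a label from a non-root name; a one-line comment on the loop saying the walk covers only names strictly between the owner and the next name would make the proof easier to audit. On style, the new block writes `while (` and `if (` with a space (lines 346, 349, 354) while the file and even the same loop use `if(` (new line 358, old line 337), so pick one form. The body of nsec_proves_nodata continues past the hunk on both sides.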