1238106Sdes/* 2294190Sdes * validator/val_nsec.h - validator NSEC denial of existence functions. 3238106Sdes * 4238106Sdes * Copyright (c) 2007, NLnet Labs. All rights reserved. 5238106Sdes * 6238106Sdes * This software is open source. 7238106Sdes * 8238106Sdes * Redistribution and use in source and binary forms, with or without 9238106Sdes * modification, are permitted provided that the following conditions 10238106Sdes * are met: 11238106Sdes * 12238106Sdes * Redistributions of source code must retain the above copyright notice, 13238106Sdes * this list of conditions and the following disclaimer. 14238106Sdes * 15238106Sdes * Redistributions in binary form must reproduce the above copyright notice, 16238106Sdes * this list of conditions and the following disclaimer in the documentation 17238106Sdes * and/or other materials provided with the distribution. 18238106Sdes * 19238106Sdes * Neither the name of the NLNET LABS nor the names of its contributors may 20238106Sdes * be used to endorse or promote products derived from this software without 21238106Sdes * specific prior written permission. 22238106Sdes * 23238106Sdes * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24269257Sdes * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25269257Sdes * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26269257Sdes * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27269257Sdes * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28269257Sdes * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29269257Sdes * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30269257Sdes * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31269257Sdes * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32269257Sdes * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33269257Sdes * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34238106Sdes */ 35238106Sdes 36238106Sdes/** 37238106Sdes * \file 38238106Sdes * 39238106Sdes * This file contains helper functions for the validator module. 40238106Sdes * The functions help with NSEC checking, the different NSEC proofs 41294190Sdes * for denial of existence, and proofs for presence of types. 42238106Sdes */ 43238106Sdes 44238106Sdes#ifndef VALIDATOR_VAL_NSEC_H 45238106Sdes#define VALIDATOR_VAL_NSEC_H 46238106Sdes#include "util/data/packed_rrset.h" 47238106Sdesstruct val_env; 48238106Sdesstruct module_env; 49238106Sdesstruct ub_packed_rrset_key; 50238106Sdesstruct reply_info; 51238106Sdesstruct query_info; 52238106Sdesstruct key_entry_key; 53238106Sdes 54238106Sdes/** 55238106Sdes * Check DS absence. 56238106Sdes * There is a NODATA reply to a DS that needs checking. 57294190Sdes * NSECs can prove this is not a delegation point, or successfully prove 58238106Sdes * that there is no DS. Or this fails. 59238106Sdes * 60238106Sdes * @param env: module env for rrsig verification routines. 61238106Sdes * @param ve: validator env for rrsig verification routines. 62238106Sdes * @param qinfo: the DS queried for. 63238106Sdes * @param rep: reply received. 64238106Sdes * @param kkey: key entry to use for verification of signatures. 65238106Sdes * @param proof_ttl: if secure, the TTL of how long this proof lasts. 66238106Sdes * @param reason: string explaining why bogus. 67238106Sdes * @return security status. 68238106Sdes * SECURE: proved absence of DS. 69238106Sdes * INSECURE: proved that this was not a delegation point. 70238106Sdes * BOGUS: crypto bad, or no absence of DS proven. 71238106Sdes * UNCHECKED: there was no way to prove anything (no NSECs, unknown algo). 72238106Sdes */ 73238106Sdesenum sec_status val_nsec_prove_nodata_dsreply(struct module_env* env, 74238106Sdes struct val_env* ve, struct query_info* qinfo, 75238106Sdes struct reply_info* rep, struct key_entry_key* kkey, 76269257Sdes time_t* proof_ttl, char** reason); 77238106Sdes 78238106Sdes/** 79238106Sdes * nsec typemap check, takes an NSEC-type bitmap as argument, checks for type. 80238106Sdes * @param bitmap: pointer to the bitmap part of wireformat rdata. 81238106Sdes * @param len: length of the bitmap, in bytes. 82238106Sdes * @param type: the type (in host order) to check for. 83238106Sdes * @return true if the type bit was set in the bitmap. false if not, or 84238106Sdes * if the bitmap was malformed in some way. 85238106Sdes */ 86238106Sdesint nsecbitmap_has_type_rdata(uint8_t* bitmap, size_t len, uint16_t type); 87238106Sdes 88238106Sdes/** 89238106Sdes * Check if type is present in the NSEC typemap 90238106Sdes * @param nsec: the nsec RRset. 91238106Sdes * If there are multiple RRs, then each must have the same typemap, 92238106Sdes * since the typemap represents the types at this domain node. 93238106Sdes * @param type: type to check for, host order. 94238106Sdes * @return true if present 95238106Sdes */ 96238106Sdesint nsec_has_type(struct ub_packed_rrset_key* nsec, uint16_t type); 97238106Sdes 98238106Sdes/** 99238106Sdes * Determine if a NSEC proves the NOERROR/NODATA conditions. This will also 100238106Sdes * handle the empty non-terminal (ENT) case and partially handle the 101238106Sdes * wildcard case. If the ownername of 'nsec' is a wildcard, the validator 102238106Sdes * must still be provided proof that qname did not directly exist and that 103238106Sdes * the wildcard is, in fact, *.closest_encloser. 104238106Sdes * 105238106Sdes * @param nsec: the nsec record to check against. 106238106Sdes * @param qinfo: the query info. 107238106Sdes * @param wc: if the nodata is proven for a wildcard match, the wildcard 108238106Sdes * closest encloser is returned, else NULL (wc is unchanged). 109238106Sdes * This closest encloser must then match the nameerror given for the 110238106Sdes * nextcloser of qname. 111238106Sdes * @return true if NSEC proves this. 112238106Sdes */ 113238106Sdesint nsec_proves_nodata(struct ub_packed_rrset_key* nsec, 114238106Sdes struct query_info* qinfo, uint8_t** wc); 115238106Sdes 116238106Sdes/** 117238106Sdes * Determine if the given NSEC proves a NameError (NXDOMAIN) for a given 118238106Sdes * qname. 119238106Sdes * 120238106Sdes * @param nsec: the nsec to check 121238106Sdes * @param qname: what was queried. 122238106Sdes * @return true if proven. 123238106Sdes */ 124238106Sdesint val_nsec_proves_name_error(struct ub_packed_rrset_key* nsec, 125238106Sdes uint8_t* qname); 126238106Sdes 127238106Sdes/** 128238106Sdes * Determine if the given NSEC proves a positive wildcard response. 129238106Sdes * @param nsec: the nsec to check 130238106Sdes * @param qinf: what was queried. 131238106Sdes * @param wc: wildcard (without *. label) 132238106Sdes * @return true if proven. 133238106Sdes */ 134238106Sdesint val_nsec_proves_positive_wildcard(struct ub_packed_rrset_key* nsec, 135238106Sdes struct query_info* qinf, uint8_t* wc); 136238106Sdes 137238106Sdes/** 138238106Sdes * Determine closest encloser of a query name and the NSEC that covers it 139238106Sdes * (and thus disproved it). 140238106Sdes * A name error must have been proven already, otherwise this will be invalid. 141238106Sdes * @param qname: the name queried for. 142238106Sdes * @param nsec: the nsec RRset. 143238106Sdes * @return closest encloser dname or NULL on error (bad nsec RRset). 144238106Sdes */ 145238106Sdesuint8_t* nsec_closest_encloser(uint8_t* qname, 146238106Sdes struct ub_packed_rrset_key* nsec); 147238106Sdes 148238106Sdes/** 149238106Sdes * Determine if the given NSEC proves that a wildcard match does not exist. 150238106Sdes * 151238106Sdes * @param nsec: the nsec RRset. 152238106Sdes * @param qname: the name queried for. 153238106Sdes * @param qnamelen: length of qname. 154238106Sdes * @return true if proven. 155238106Sdes */ 156238106Sdesint val_nsec_proves_no_wc(struct ub_packed_rrset_key* nsec, uint8_t* qname, 157238106Sdes size_t qnamelen); 158238106Sdes 159238106Sdes/** 160238106Sdes * Determine the DLV result, what to do with NSEC DLV reply. 161238106Sdes * @param qinfo: what was queried for. 162238106Sdes * @param rep: the nonpositive reply. 163238106Sdes * @param nm: dlv lookup name, to adjust for new lookup name (if needed). 164238106Sdes * @param nm_len: length of lookup name. 165238106Sdes * @return 0 on error, 1 if a higher point is found. 166238106Sdes * If the higher point is above the dlv repo anchor, the qname does 167238106Sdes * not exist. 168238106Sdes */ 169238106Sdesint val_nsec_check_dlv(struct query_info* qinfo, 170238106Sdes struct reply_info* rep, uint8_t** nm, size_t* nm_len); 171238106Sdes 172238106Sdes/** 173238106Sdes * Determine if an nsec proves an insecure delegation towards the qname. 174238106Sdes * @param nsec: nsec rrset. 175238106Sdes * @param qinfo: what was queries for. 176238106Sdes * @return 0 if not, 1 if an NSEC that signals an insecure delegation to 177238106Sdes * the qname. 178238106Sdes */ 179238106Sdesint val_nsec_proves_insecuredelegation(struct ub_packed_rrset_key* nsec, 180238106Sdes struct query_info* qinfo); 181238106Sdes 182238106Sdes#endif /* VALIDATOR_VAL_NSEC_H */ 183