[apple/network_cmds.git] / unbound / validator / val_nsec.h

/*
 * validator/val_nsec.h - validator NSEC denial of existance functions.
 *
 * Copyright (c) 2007, NLnet Labs. All rights reserved.
 *
 * This software is open source.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 
 * Redistributions of source code must retain the above copyright notice,
 * this list of conditions and the following disclaimer.
 * 
 * Redistributions in binary form must reproduce the above copyright notice,
 * this list of conditions and the following disclaimer in the documentation
 * and/or other materials provided with the distribution.
 * 
 * Neither the name of the NLNET LABS nor the names of its contributors may
 * be used to endorse or promote products derived from this software without
 * specific prior written permission.
 * 
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/**
 * \file
 *
 * This file contains helper functions for the validator module.
 * The functions help with NSEC checking, the different NSEC proofs
 * for denial of existance, and proofs for presence of types.
 */

#ifndef VALIDATOR_VAL_NSEC_H
#define VALIDATOR_VAL_NSEC_H
#include "util/data/packed_rrset.h"
struct val_env;
struct module_env;
struct ub_packed_rrset_key;
struct reply_info;
struct query_info;
struct key_entry_key;

/**
 * Check DS absence.
 * There is a NODATA reply to a DS that needs checking.
 * NSECs can prove this is not a delegation point, or sucessfully prove
 * that there is no DS. Or this fails.
 *
 * @param env: module env for rrsig verification routines.
 * @param ve: validator env for rrsig verification routines.
 * @param qinfo: the DS queried for.
 * @param rep: reply received.
 * @param kkey: key entry to use for verification of signatures.
 * @param proof_ttl: if secure, the TTL of how long this proof lasts.
 * @param reason: string explaining why bogus.
 * @return security status.
 *	SECURE: proved absence of DS.
 *	INSECURE: proved that this was not a delegation point.
 *	BOGUS: crypto bad, or no absence of DS proven. 
 *	UNCHECKED: there was no way to prove anything (no NSECs, unknown algo).
 */
enum sec_status val_nsec_prove_nodata_dsreply(struct module_env* env,
	struct val_env* ve, struct query_info* qinfo, 
	struct reply_info* rep, struct key_entry_key* kkey,
	time_t* proof_ttl, char** reason);

/** 
 * nsec typemap check, takes an NSEC-type bitmap as argument, checks for type.
 * @param bitmap: pointer to the bitmap part of wireformat rdata.
 * @param len: length of the bitmap, in bytes.
 * @param type: the type (in host order) to check for.
 * @return true if the type bit was set in the bitmap. false if not, or
 * 	if the bitmap was malformed in some way.
 */
int nsecbitmap_has_type_rdata(uint8_t* bitmap, size_t len, uint16_t type);

/**
 * Check if type is present in the NSEC typemap
 * @param nsec: the nsec RRset.
 *	If there are multiple RRs, then each must have the same typemap,
 *	since the typemap represents the types at this domain node.
 * @param type: type to check for, host order.
 * @return true if present
 */
int nsec_has_type(struct ub_packed_rrset_key* nsec, uint16_t type);

/**
 * Determine if a NSEC proves the NOERROR/NODATA conditions. This will also
 * handle the empty non-terminal (ENT) case and partially handle the
 * wildcard case. If the ownername of 'nsec' is a wildcard, the validator
 * must still be provided proof that qname did not directly exist and that
 * the wildcard is, in fact, *.closest_encloser.
 *
 * @param nsec: the nsec record to check against.
 * @param qinfo: the query info.
 * @param wc: if the nodata is proven for a wildcard match, the wildcard
 * 	closest encloser is returned, else NULL (wc is unchanged).
 * 	This closest encloser must then match the nameerror given for the
 * 	nextcloser of qname.
 * @return true if NSEC proves this.
 */
int nsec_proves_nodata(struct ub_packed_rrset_key* nsec, 
	struct query_info* qinfo, uint8_t** wc);

/**
 * Determine if the given NSEC proves a NameError (NXDOMAIN) for a given
 * qname.
 *
 * @param nsec: the nsec to check
 * @param qname: what was queried.
 * @return true if proven.
 */
int val_nsec_proves_name_error(struct ub_packed_rrset_key* nsec, 
	uint8_t* qname);

/**
 * Determine if the given NSEC proves a positive wildcard response.
 * @param nsec: the nsec to check
 * @param qinf: what was queried.
 * @param wc: wildcard (without *. label)
 * @return true if proven.
 */
int val_nsec_proves_positive_wildcard(struct ub_packed_rrset_key* nsec, 
	struct query_info* qinf, uint8_t* wc);

/**
 * Determine closest encloser of a query name and the NSEC that covers it
 * (and thus disproved it). 
 * A name error must have been proven already, otherwise this will be invalid.
 * @param qname: the name queried for.
 * @param nsec: the nsec RRset.
 * @return closest encloser dname or NULL on error (bad nsec RRset).
 */
uint8_t* nsec_closest_encloser(uint8_t* qname, 
	struct ub_packed_rrset_key* nsec);

/**
 * Determine if the given NSEC proves that a wildcard match does not exist.
 *
 * @param nsec: the nsec RRset.
 * @param qname: the name queried for.
 * @param qnamelen: length of qname.
 * @return true if proven.
 */
int val_nsec_proves_no_wc(struct ub_packed_rrset_key* nsec, uint8_t* qname, 
	size_t qnamelen);

/**
 * Determine the DLV result, what to do with NSEC DLV reply.
 * @param qinfo: what was queried for.
 * @param rep: the nonpositive reply.
 * @param nm: dlv lookup name, to adjust for new lookup name (if needed).
 * @param nm_len: length of lookup name.
 * @return 0 on error, 1 if a higher point is found.
 * 	If the higher point is above the dlv repo anchor, the qname does 
 * 	not exist.
 */
int val_nsec_check_dlv(struct query_info* qinfo,
	struct reply_info* rep, uint8_t** nm, size_t* nm_len);

/**
 * Determine if an nsec proves an insecure delegation towards the qname.
 * @param nsec: nsec rrset.
 * @param qinfo: what was queries for.
 * @return 0 if not, 1 if an NSEC that signals an insecure delegation to
 * 	the qname.
 */
int val_nsec_proves_insecuredelegation(struct ub_packed_rrset_key* nsec,
        struct query_info* qinfo);

#endif /* VALIDATOR_VAL_NSEC_H */
Commit	Line	Data
89c4ed63 A	1	/*
	2	* validator/val_nsec.h - validator NSEC denial of existance functions.
	3	*
	4	* Copyright (c) 2007, NLnet Labs. All rights reserved.
	5	*
	6	* This software is open source.
	7	*
	8	* Redistribution and use in source and binary forms, with or without
	9	* modification, are permitted provided that the following conditions
	10	* are met:
	11	*
	12	* Redistributions of source code must retain the above copyright notice,
	13	* this list of conditions and the following disclaimer.
	14	*
	15	* Redistributions in binary form must reproduce the above copyright notice,
	16	* this list of conditions and the following disclaimer in the documentation
	17	* and/or other materials provided with the distribution.
	18	*
	19	* Neither the name of the NLNET LABS nor the names of its contributors may
	20	* be used to endorse or promote products derived from this software without
	21	* specific prior written permission.
	22	*
	23	* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
	24	* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
	25	* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
	26	* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
	27	* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
	28	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
	29	* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
	30	* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
	31	* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
	32	* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
	33	* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	34	*/
	35
	36	/**
	37	* \file
	38	*
	39	* This file contains helper functions for the validator module.
	40	* The functions help with NSEC checking, the different NSEC proofs
	41	* for denial of existance, and proofs for presence of types.
	42	*/
	43
	44	#ifndef VALIDATOR_VAL_NSEC_H
	45	#define VALIDATOR_VAL_NSEC_H
	46	#include "util/data/packed_rrset.h"
	47	struct val_env;
	48	struct module_env;
	49	struct ub_packed_rrset_key;
	50	struct reply_info;
	51	struct query_info;
	52	struct key_entry_key;
	53
	54	/**
	55	* Check DS absence.
	56	* There is a NODATA reply to a DS that needs checking.
	57	* NSECs can prove this is not a delegation point, or sucessfully prove
	58	* that there is no DS. Or this fails.
	59	*
	60	* @param env: module env for rrsig verification routines.
	61	* @param ve: validator env for rrsig verification routines.
	62	* @param qinfo: the DS queried for.
	63	* @param rep: reply received.
	64	* @param kkey: key entry to use for verification of signatures.
65	* @param proof_ttl: if secure, the TTL of how long this proof lasts.
66	* @param reason: string explaining why bogus.
67	* @return security status.
68	* SECURE: proved absence of DS.
69	* INSECURE: proved that this was not a delegation point.
70	* BOGUS: crypto bad, or no absence of DS proven.
71	* UNCHECKED: there was no way to prove anything (no NSECs, unknown algo).
72	*/
73	enum sec_status val_nsec_prove_nodata_dsreply(struct module_env* env,
74	struct val_env* ve, struct query_info* qinfo,
75	struct reply_info* rep, struct key_entry_key* kkey,
76	time_t* proof_ttl, char** reason);
77
78	/**
79	* nsec typemap check, takes an NSEC-type bitmap as argument, checks for type.
80	* @param bitmap: pointer to the bitmap part of wireformat rdata.
81	* @param len: length of the bitmap, in bytes.
82	* @param type: the type (in host order) to check for.
83	* @return true if the type bit was set in the bitmap. false if not, or
84	* if the bitmap was malformed in some way.
85	*/
86	int nsecbitmap_has_type_rdata(uint8_t* bitmap, size_t len, uint16_t type);
87
88	/**
89	* Check if type is present in the NSEC typemap
90	* @param nsec: the nsec RRset.
91	* If there are multiple RRs, then each must have the same typemap,
92	* since the typemap represents the types at this domain node.
93	* @param type: type to check for, host order.
94	* @return true if present
95	*/
96	int nsec_has_type(struct ub_packed_rrset_key* nsec, uint16_t type);
97
98	/**
99	* Determine if a NSEC proves the NOERROR/NODATA conditions. This will also
100	* handle the empty non-terminal (ENT) case and partially handle the
101	* wildcard case. If the ownername of 'nsec' is a wildcard, the validator
102	* must still be provided proof that qname did not directly exist and that
103	* the wildcard is, in fact, *.closest_encloser.
104	*
105	* @param nsec: the nsec record to check against.
106	* @param qinfo: the query info.
107	* @param wc: if the nodata is proven for a wildcard match, the wildcard
108	* closest encloser is returned, else NULL (wc is unchanged).
109	* This closest encloser must then match the nameerror given for the
110	* nextcloser of qname.
111	* @return true if NSEC proves this.
112	*/
113	int nsec_proves_nodata(struct ub_packed_rrset_key* nsec,
114	struct query_info* qinfo, uint8_t** wc);
115
116	/**
117	* Determine if the given NSEC proves a NameError (NXDOMAIN) for a given
118	* qname.
119	*
120	* @param nsec: the nsec to check
121	* @param qname: what was queried.
122	* @return true if proven.
123	*/
124	int val_nsec_proves_name_error(struct ub_packed_rrset_key* nsec,
125	uint8_t* qname);
126
127	/**
128	* Determine if the given NSEC proves a positive wildcard response.
129	* @param nsec: the nsec to check
130	* @param qinf: what was queried.
131	* @param wc: wildcard (without *. label)
132	* @return true if proven.
133	*/
134	int val_nsec_proves_positive_wildcard(struct ub_packed_rrset_key* nsec,
135	struct query_info* qinf, uint8_t* wc);
136
137	/**
138	* Determine closest encloser of a query name and the NSEC that covers it
139	* (and thus disproved it).
140	* A name error must have been proven already, otherwise this will be invalid.
141	* @param qname: the name queried for.
142	* @param nsec: the nsec RRset.
143	* @return closest encloser dname or NULL on error (bad nsec RRset).
144	*/
145	uint8_t* nsec_closest_encloser(uint8_t* qname,
146	struct ub_packed_rrset_key* nsec);
147
148	/**
149	* Determine if the given NSEC proves that a wildcard match does not exist.
150	*
151	* @param nsec: the nsec RRset.
152	* @param qname: the name queried for.
153	* @param qnamelen: length of qname.
154	* @return true if proven.
155	*/
156	int val_nsec_proves_no_wc(struct ub_packed_rrset_key* nsec, uint8_t* qname,
157	size_t qnamelen);
158
159	/**
160	* Determine the DLV result, what to do with NSEC DLV reply.
161	* @param qinfo: what was queried for.
162	* @param rep: the nonpositive reply.
163	* @param nm: dlv lookup name, to adjust for new lookup name (if needed).
164	* @param nm_len: length of lookup name.
165	* @return 0 on error, 1 if a higher point is found.
166	* If the higher point is above the dlv repo anchor, the qname does
167	* not exist.
168	*/
169	int val_nsec_check_dlv(struct query_info* qinfo,
170	struct reply_info* rep, uint8_t** nm, size_t* nm_len);
171
172	/**
173	* Determine if an nsec proves an insecure delegation towards the qname.
174	* @param nsec: nsec rrset.
175	* @param qinfo: what was queries for.
176	* @return 0 if not, 1 if an NSEC that signals an insecure delegation to
177	* the qname.
178	*/
179	int val_nsec_proves_insecuredelegation(struct ub_packed_rrset_key* nsec,
180	struct query_info* qinfo);
181
182	#endif /* VALIDATOR_VAL_NSEC_H */