xref: /freebsd/contrib/unbound/validator/val_nsec.h (revision db33c6f3ae9d1231087710068ee4ea5398aacca7)
1 /*
2  * validator/val_nsec.h - validator NSEC denial of existence functions.
3  *
4  * Copyright (c) 2007, NLnet Labs. All rights reserved.
5  *
6  * This software is open source.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * Redistributions of source code must retain the above copyright notice,
13  * this list of conditions and the following disclaimer.
14  *
15  * Redistributions in binary form must reproduce the above copyright notice,
16  * this list of conditions and the following disclaimer in the documentation
17  * and/or other materials provided with the distribution.
18  *
19  * Neither the name of the NLNET LABS nor the names of its contributors may
20  * be used to endorse or promote products derived from this software without
21  * specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 /**
37  * \file
38  *
39  * This file contains helper functions for the validator module.
40  * The functions help with NSEC checking, the different NSEC proofs
41  * for denial of existence, and proofs for presence of types.
42  */
43 
44 #ifndef VALIDATOR_VAL_NSEC_H
45 #define VALIDATOR_VAL_NSEC_H
46 #include "util/data/packed_rrset.h"
47 #include "sldns/rrdef.h"
48 struct val_env;
49 struct module_env;
50 struct module_qstate;
51 struct ub_packed_rrset_key;
52 struct reply_info;
53 struct query_info;
54 struct key_entry_key;
55 
56 /**
57  * Check DS absence.
58  * There is a NODATA reply to a DS that needs checking.
59  * NSECs can prove this is not a delegation point, or successfully prove
60  * that there is no DS. Or this fails.
61  *
62  * @param env: module env for rrsig verification routines.
63  * @param ve: validator env for rrsig verification routines.
64  * @param qinfo: the DS queried for.
65  * @param rep: reply received.
66  * @param kkey: key entry to use for verification of signatures.
67  * @param proof_ttl: if secure, the TTL of how long this proof lasts.
68  * @param reason: string explaining why bogus.
69  * @param reason_bogus: relevant EDE code for validation failure.
70  * @param qstate: qstate with region.
71  * @param reasonbuf: buffer to use for fail reason string print.
72  * @param reasonlen: length of reasonbuf.
73  * @return security status.
74  *	SECURE: proved absence of DS.
75  *	INSECURE: proved that this was not a delegation point.
76  *	BOGUS: crypto bad, or no absence of DS proven.
77  *	UNCHECKED: there was no way to prove anything (no NSECs, unknown algo).
78  */
79 enum sec_status val_nsec_prove_nodata_dsreply(struct module_env* env,
80 	struct val_env* ve, struct query_info* qinfo,
81 	struct reply_info* rep, struct key_entry_key* kkey,
82 	time_t* proof_ttl, char** reason, sldns_ede_code* reason_bogus,
83 	struct module_qstate* qstate, char* reasonbuf, size_t reasonlen);
84 
85 /**
86  * nsec typemap check, takes an NSEC-type bitmap as argument, checks for type.
87  * @param bitmap: pointer to the bitmap part of wireformat rdata.
88  * @param len: length of the bitmap, in bytes.
89  * @param type: the type (in host order) to check for.
90  * @return true if the type bit was set in the bitmap. false if not, or
91  * 	if the bitmap was malformed in some way.
92  */
93 int nsecbitmap_has_type_rdata(uint8_t* bitmap, size_t len, uint16_t type);
94 
95 /**
96  * Check if type is present in the NSEC typemap
97  * @param nsec: the nsec RRset.
98  *	If there are multiple RRs, then each must have the same typemap,
99  *	since the typemap represents the types at this domain node.
100  * @param type: type to check for, host order.
101  * @return true if present
102  */
103 int nsec_has_type(struct ub_packed_rrset_key* nsec, uint16_t type);
104 
105 /**
106  * Determine if a NSEC proves the NOERROR/NODATA conditions. This will also
107  * handle the empty non-terminal (ENT) case and partially handle the
108  * wildcard case. If the ownername of 'nsec' is a wildcard, the validator
109  * must still be provided proof that qname did not directly exist and that
110  * the wildcard is, in fact, *.closest_encloser.
111  *
112  * @param nsec: the nsec record to check against.
113  * @param qinfo: the query info.
114  * @param wc: if the nodata is proven for a wildcard match, the wildcard
115  * 	closest encloser is returned, else NULL (wc is unchanged).
116  * 	This closest encloser must then match the nameerror given for the
117  * 	nextcloser of qname.
118  * @return true if NSEC proves this.
119  */
120 int nsec_proves_nodata(struct ub_packed_rrset_key* nsec,
121 	struct query_info* qinfo, uint8_t** wc);
122 
123 /**
124  * Determine if the given NSEC proves a NameError (NXDOMAIN) for a given
125  * qname.
126  *
127  * @param nsec: the nsec to check
128  * @param qname: what was queried.
129  * @return true if proven.
130  */
131 int val_nsec_proves_name_error(struct ub_packed_rrset_key* nsec,
132 	uint8_t* qname);
133 
134 /**
135  * Determine if the given NSEC proves a positive wildcard response.
136  * @param nsec: the nsec to check
137  * @param qinf: what was queried.
138  * @param wc: wildcard (without *. label)
139  * @return true if proven.
140  */
141 int val_nsec_proves_positive_wildcard(struct ub_packed_rrset_key* nsec,
142 	struct query_info* qinf, uint8_t* wc);
143 
144 /**
145  * Determine closest encloser of a query name and the NSEC that covers it
146  * (and thus disproved it).
147  * A name error must have been proven already, otherwise this will be invalid.
148  * @param qname: the name queried for.
149  * @param nsec: the nsec RRset.
150  * @return closest encloser dname or NULL on error (bad nsec RRset).
151  */
152 uint8_t* nsec_closest_encloser(uint8_t* qname,
153 	struct ub_packed_rrset_key* nsec);
154 
155 /**
156  * Determine if the given NSEC proves that a wildcard match does not exist.
157  *
158  * @param nsec: the nsec RRset.
159  * @param qname: the name queried for.
160  * @param qnamelen: length of qname.
161  * @return true if proven.
162  */
163 int val_nsec_proves_no_wc(struct ub_packed_rrset_key* nsec, uint8_t* qname,
164 	size_t qnamelen);
165 
166 /**
167  * Determine if an nsec proves an insecure delegation towards the qname.
168  * @param nsec: nsec rrset.
169  * @param qinfo: what was queries for.
170  * @return 0 if not, 1 if an NSEC that signals an insecure delegation to
171  * 	the qname.
172  */
173 int val_nsec_proves_insecuredelegation(struct ub_packed_rrset_key* nsec,
174         struct query_info* qinfo);
175 
176 #endif /* VALIDATOR_VAL_NSEC_H */
177